On Mon, 19 Dec 2005, Travis H. wrote:
> He says no mpi/modular arithmetic libraries that he knows of use
> this technique

I guess the main reason is that the environments where these libraries
are supposed to be used are believed to be immune to the attacks
these checks are trying to prevent: fault attacks are not
likely on a PC and especially hard to do remotely :-) OTOH, ICCs
(aka. smartcards) are quite vulnerable and usually do employ the
countermeasures.

> The idea is that if an attacker exploits a bug

A fault attack does not exploit a bug, but, say, a power glitch or
radiation.

> Exactly what you would do in that case, I'm not sure...

It depends on what exactly you try to prevent: which information you
want to hide. For example, if you calculate an RSA signature (with CRT)
on an ICC using dummy multiplications (to avoid side channel attacks)
and check correctness only in the end, the fact that no error occurs
may suggest that the glitch was introduced during such a dummy
operation and thus it does not matter what you do if you detect an
error. OTOH if you check for errors on each arithmetic operation (including
the dummy one) you can just stop -- this does not give an attacker any
additional information since he might as well guess himself that the
power glitch he applied would cause a fault.

BTW, fault-based cryptanalysis is not limited to RSA with CRT (or
public key in general): block ciphers can be also vulnerable.

-- 
Regards,
ASK
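
The two countermeasures the reply contrasts, a final verification before the signature is released versus a check after each half-exponentiation that stops at once, as an added example that is not part of the thread. It uses constructed toy-sized primes and a hypothetical `fault` parameter that simulates a glitch in the mod-p half; none of the names are from the original.

```python
# Added example: RSA-CRT signing with either a final check before release or a
# per-step check that stops immediately. Constructed toy parameters only; the
# `fault` argument is a hypothetical way to simulate a glitch for the demo.
from dataclasses import dataclass

P, Q, E = 1000003, 1000033, 65537   # constructed toy parameters, not secure sizes

@dataclass
class RsaCrtKey:
    p: int
    q: int
    e: int

    def __post_init__(self):
        self.n = self.p * self.q
        phi = (self.p - 1) * (self.q - 1)
        self.d = pow(self.e, -1, phi)
        self.dp = self.d % (self.p - 1)        # CRT exponent mod p
        self.dq = self.d % (self.q - 1)        # CRT exponent mod q
        self.qinv = pow(self.q, -1, self.p)    # Garner recombination constant

def crt_sign(key, m, fault=None, check_each_step=False):
    """Compute m^d mod n via CRT. `fault` (hypothetical) xors a value into the
    mod-p half to simulate a glitch. With check_each_step, each half is verified
    right away with the public exponent (s_p^e == m mod p, since e*dp == 1 mod p-1)
    and None is returned at the first failure, so nothing faulty is ever output."""
    sp = pow(m, key.dp, key.p)
    if fault is not None:
        sp ^= fault                            # simulated corruption of one half
    if check_each_step and pow(sp, key.e, key.p) != m % key.p:
        return None                            # stop at once, output nothing
    sq = pow(m, key.dq, key.q)
    if check_each_step and pow(sq, key.e, key.q) != m % key.q:
        return None
    h = (key.qinv * (sp - sq)) % key.p
    return sq + h * key.q

def sign_checked(key, m, fault=None):
    """Sign, then verify with the public key before releasing the result.
    Returns the signature, or None when the check fails (never a faulty value)."""
    s = crt_sign(key, m, fault)
    return s if pow(s, key.e, key.n) == m % key.n else None
```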

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]