On Mon, 19 Dec 2005, Travis H. wrote:

> He says no mpi/modular arithmetic libraries that he knows of use
> this technique

I guess the main reason is that the environments where these libraries are supposed to be used are believed to be immune to the attacks these checks are trying to prevent: fault attacks are not likely on a PC and especially hard to do remotely :-) OTOH, ICCs (aka. smartcards) are quite vulnerable and usually do employ the countermeasures.

> The idea is that if an attacker exploits a bug

A fault attack does not exploit a bug, but, say, a power glitch or radiation.

> Exactly what you would do in that case, I'm not sure...

It depends on what exactly you try to prevent: which information you want to hide. For example, if you calculate an RSA signature (with CRT) on an ICC using dummy multiplications (to avoid side-channel attacks) and check correctness only at the end, the fact that no error occurs may suggest that the glitch was introduced during such a dummy operation, and thus it does not matter what you do if you detect an error. OTOH, if you check for an error on each arithmetic operation (including the dummy ones) you can just stop -- this does not give an attacker any additional information, since he might as well guess himself that the power glitch he applied would cause a fault.

BTW, fault-based cryptanalysis is not limited to RSA with CRT (or public key in general): block ciphers can also be vulnerable.

-- 
Regards,
ASK

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
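An added illustration of the two checking strategies discussed in the message above (this is editor-written example code, not part of ASK's post or of any library). It simulates an RSA-CRT signature on a constructed toy key, injects a one-bit "glitch" into a chosen step, shows the Bellcore-style factoring an unprotected device gives away, and then contrasts a check made only on the final signature with a check made after every step, dummy operation included. The key size, the fault model (one flipped bit in one step's result) and the "dummy" step (a discarded squaring) are all simplifying assumptions; a real card's dummy operations and redundancy checks are implementation-specific.

```python
from math import gcd

# Constructed toy RSA key (tiny and insecure; for illustration only).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
DP, DQ = D % (P - 1), D % (Q - 1)       # CRT exponents
QINV = pow(Q, -1, P)                    # q^-1 mod p


def crt_steps(m, fault=None):
    """Run the CRT signature as three named steps and return their results.

    'dummy' stands in for the extra multiplication a side-channel-hardened
    card performs; its result is never used.  'fault' names the step whose
    result gets one bit flipped (our simulated glitch; an assumption).
    """
    results = {}
    for step in ("p", "q", "dummy"):
        if step == "p":
            r = pow(m, DP, P)
        elif step == "q":
            r = pow(m, DQ, Q)
        else:
            r = (m * m) % N             # dummy work, discarded later
        if step == fault:
            r ^= 1                      # simulated fault: one bit flipped
        results[step] = r
    return results


def combine(results):
    """Garner's recombination of the two half-exponentiations."""
    sp, sq = results["p"] % P, results["q"] % Q
    h = (QINV * (sp - sq)) % P
    return sq + Q * h


def sign_check_at_end(m, fault=None):
    """Strategy A: verify only the final signature before releasing it."""
    s = combine(crt_steps(m, fault))
    if pow(s, E, N) != m % N:
        return ("aborted", None)
    return ("released", s)


def sign_check_each_step(m, fault=None):
    """Strategy B: recompute and compare every step, dummies included.

    Abort on any mismatch, so the outcome does not depend on *which* step
    the glitch hit.
    """
    observed = crt_steps(m, fault)
    reference = crt_steps(m, None)      # redundant recomputation
    for step in observed:
        if observed[step] != reference[step]:
            return ("aborted", None)
    return ("released", combine(observed))


def bellcore_factor(m, faulty_sig):
    """Bellcore attack: a CRT signature faulted in one half is still correct
    modulo the other prime, so gcd(s^e - m, N) reveals that prime."""
    return gcd((pow(faulty_sig, E, N) - m) % N, N)


def demo(m=123456789):
    # Unprotected device: a fault in the p half leaks the factor Q.
    s_bad = combine(crt_steps(m, fault="p"))
    factor = bellcore_factor(m, s_bad)

    # End-only check: a glitch on the dummy step goes unnoticed, so a
    # "released" result tells the attacker where the glitch landed.
    end_dummy = sign_check_at_end(m, fault="dummy")[0]    # "released"
    end_p = sign_check_at_end(m, fault="p")[0]            # "aborted"

    # Per-step check: aborts no matter which step was hit.
    each_dummy = sign_check_each_step(m, fault="dummy")[0]  # "aborted"
    each_p = sign_check_each_step(m, fault="p")[0]          # "aborted"
    return factor, end_dummy, end_p, each_dummy, each_p


if __name__ == "__main__":
    factor, *outcomes = demo()
    print("recovered factor == Q:", factor == Q)
    print("end-check dummy/p, per-step dummy/p:", outcomes)
```

The contrast in `demo()` is the one the message makes: with the end-only check, the attacker who glitched a step and still got a valid signature learns that the step was a dummy, whereas the per-step check returns "aborted" for either target and so tells him nothing he could not have guessed.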