论文信息 - Bug Attacks

Bug Attacks

In this paper we present a new kind of cryptanalytic attack which utilizes bugs in the hardware implementation of computer instructions. The best known example of such a bug is the Intel division bug, which resulted in slightly inaccurate results for extremely rare inputs. Whereas in most applications such bugs can be viewed as a minor nuisance, we show that in the case of RSA (even when protected by OAEP), Pohlig-Hellman, elliptic curve cryptography, and several other schemes, such bugs can be a security disaster: Decrypting ciphertexts on anycomputer which multiplies even one pair of numbersincorrectly can lead to full leakage of the secret key, sometimes with a single well-chosen ciphertext.

Eli Biham | Adi Shamir | Yaniv Carmeli

[1] Martin E. Hellman,et al. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance (Corresp.) , 1978, IEEE Trans. Inf. Theory.

[2] Xuejia Lai,et al. Markov Ciphers and Differential Cryptanalysis , 1991, EUROCRYPT.

[3] Martin Boesgaard,et al. Rabbit: A New High-Performance Stream Cipher , 2003, FSE.

[4] Richard J. Lipton,et al. On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract) , 1997, EUROCRYPT.

[5] Adi Shamir,et al. A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[6] Hugo Krawczyk,et al. UMAC: Fast and Secure Message Authentication , 1999, CRYPTO.

[7] Mihir Bellare,et al. Optimal Asymmetric Encryption , 1994, EUROCRYPT.