On the importance of eliminating errors in cryptographic computations (Q5934142)

From MaRDI portal
scientific article; zbMATH DE number 1606026

    Statements

    On the importance of eliminating errors in cryptographic computations (English)
    26 August 2003
    Practical cryptanalysis need not be restricted to searching for weaknesses in a particular cryptographic algorithm. Instead, an attacker can attempt to recover a cryptographic secret from a particular implementation of the algorithm. The paper discusses a class of such attacks against various cryptographic schemes, namely attacks that take advantage of hardware faults. The authors first describe a number of environments where such attacks may apply, introduce the attack model, and summarize their results. Sections then follow on RSA's vulnerability to hardware faults and on attacks on identification protocols. It is shown that RSA implementations based on the Chinese Remainder Theorem are especially susceptible to hardware or software errors; other implementations of RSA can be attacked as well, though the attack is less practical than in the CRT case. It is also shown that the secret key used in the Fiat-Shamir identification protocol is exposed after a small number of faulty executions of the protocol, and that similar results hold for Schnorr's identification protocol, though a much larger number of erroneous executions is necessary. Several methods for defending against these attacks are then discussed, and the paper ends with a brief summary and some open problems.
    Keywords: attack techniques; hardware faults; public key cryptosystems; identification protocols; cryptanalysis