## Abstract

In this paper we present a new kind of cryptanalytic attack which utilizes bugs in the hardware implementation of computer instructions. The best-known example of such a bug is the Intel division bug, which resulted in slightly inaccurate results for extremely rare inputs. Whereas in most applications such bugs can be viewed as a minor nuisance, we show that in the case of RSA (even when protected by OAEP), Pohlig–Hellman and ElGamal encryption such bugs can be a security disaster: decrypting ciphertexts on *any* computer which multiplies *even one pair of numbers* incorrectly can lead to full leakage of the secret key, sometimes with a single well-chosen ciphertext. As shown by the recent revelation of top-secret NSA documents by Edward Snowden, intentional hardware modification is a method that has been used by the USA to weaken the security of commercial equipment sent to targeted organizations.
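The following is an added Python example, not code from the paper, illustrating the simplest form of the mechanism the abstract describes: a multiprecision multiplier that gets exactly one (constructed, ordered) 8-bit limb pair wrong, textbook RSA-CRT decryption running on it, and an attacker who holds only the public key and a decryption oracle. Whenever a chosen ciphertext makes the bug fire in one CRT half but not the other, the faulty output m' is still correct modulo one prime, so gcd(m'^e - c, N) yields that prime; this is the Boneh–DeMillo–Lipton gcd step applied to a hardware bug rather than an induced fault. The toy key (two 32-bit primes), the limb width, the bug pair and the search bound are all assumptions chosen so the bug fires within a few hundred ciphertexts; the paper's own procedures for OAEP-padded, non-CRT, Pohlig–Hellman and ElGamal decryption are not reproduced here.

```python
import math

# --- A "CPU" whose multiplier gets exactly one limb pair wrong -------------
LIMB_BITS = 8
LIMB_MASK = (1 << LIMB_BITS) - 1
BUG_PAIR = (0x5A, 0xC3)   # constructed: the single ordered (x, y) limb pair that is mishandled


def limb_mul(x, y):
    """8x8-bit partial product. Correct everywhere except for BUG_PAIR,
    where the low bit of the result is flipped: a tiny, rarely triggered bug."""
    if (x, y) == BUG_PAIR:
        return (x * y) ^ 1
    return x * y


def to_limbs(n):
    """Little-endian list of LIMB_BITS-wide limbs of a non-negative integer."""
    limbs = []
    while n:
        limbs.append(n & LIMB_MASK)
        n >>= LIMB_BITS
    return limbs or [0]


def buggy_mul(a, b):
    """Schoolbook multiprecision product built from limb_mul, so the bug fires
    whenever some limb of a paired with some limb of b equals BUG_PAIR."""
    acc = 0
    for i, x in enumerate(to_limbs(a)):
        for j, y in enumerate(to_limbs(b)):
            acc += limb_mul(x, y) << (LIMB_BITS * (i + j))
    return acc


def exact_mul(a, b):
    """Reference multiplier for a bug-free machine."""
    return a * b


# --- The victim: textbook RSA-CRT decryption on the supplied multiplier ----
def modexp(base, exp, mod, mul):
    """Left-to-right square-and-multiply using the supplied multiplier."""
    result = 1
    for bit in bin(exp)[2:]:
        result = mul(result, result) % mod
        if bit == "1":
            result = mul(result, base) % mod
    return result


def rsa_crt_decrypt(c, key, mul):
    """Garner recombination: m = mq + q * ((mp - mq) * qinv mod p)."""
    p, q, dp, dq, qinv = key
    mp = modexp(c % p, dp, p, mul)
    mq = modexp(c % q, dq, q, mul)
    h = mul((mp - mq) % p, qinv) % p
    return (mq + mul(q, h)) % (p * q)


# Constructed toy key: two 32-bit primes, far too small for real use.
P, Q, E = 4294967291, 4294967279, 65537
N = P * Q
_D = pow(E, -1, (P - 1) * (Q - 1))
KEY = (P, Q, _D % (P - 1), _D % (Q - 1), pow(Q, -1, P))


# --- The attacker: public key plus a decryption oracle, nothing else -------
def recover_factor(n, e, decrypt, max_tries=20000):
    """Submit ciphertexts until the bug fires in exactly one CRT half.
    Such an m' is correct mod one prime but not the other, so
    gcd(m'^e - c, n) is p or q. The plaintext itself is never needed."""
    for c in range(2, 2 + max_tries):
        m = decrypt(c)
        g = math.gcd(pow(m, e, n) - c, n)   # gcd(0, n) == n for a correct decryption
        if 1 < g < n:
            return c, g
    return None


def attack_demo():
    """Run the attack against the toy key on the buggy machine."""
    oracle = lambda c: rsa_crt_decrypt(c, KEY, buggy_mul)
    return recover_factor(N, E, oracle)


if __name__ == "__main__":
    c, g = attack_demo()
    print(f"ciphertext {c} triggered a one-sided fault; gcd gives factor {g}")
    print("other factor:", N // g)
```

Note what the attacker does not need: the bug pair, the plaintext, or any timing information. A correct decryption makes gcd(m^e - c, N) equal N and is simply skipped, so the loop is a pure search for the first ciphertext whose decryption path happens to hit the bad limb pair on one side only; with the chosen parameters that is roughly one ciphertext in a hundred.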

## Keywords

Bug attack, Fault attack, RSA, Pohlig–Hellman, ElGamal encryption

## Notes

### Acknowledgments

The authors would like to thank Orr Dunkelman for his comments. We also thank the anonymous referees for their valuable comments and suggestions which improved the results of this paper. The first two authors were supported in part by the Israel MOD Research and Technology Unit.
