Journal of Cryptology, Volume 29, Issue 4, pp 775–805

Bug Attacks

  • Eli Biham
  • Yaniv Carmeli
  • Adi Shamir


In this paper we present a new kind of cryptanalytic attack which utilizes bugs in the hardware implementation of computer instructions. The best-known example of such a bug is the Intel division bug, which resulted in slightly inaccurate results for extremely rare inputs. Whereas in most applications such bugs can be viewed as a minor nuisance, we show that in the case of RSA (even when protected by OAEP), Pohlig–Hellman and ElGamal encryption such bugs can be a security disaster: decrypting ciphertexts on any computer which multiplies even one pair of numbers incorrectly can lead to full leakage of the secret key, sometimes with a single well-chosen ciphertext. As shown by the recent revelation of top-secret NSA documents by Edward Snowden, intentional hardware modification is a method that was used by the USA to weaken the security of commercial equipment sent to targeted organizations.
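The following is an added illustration, not code from the paper: it simulates RSA-CRT decryption on a modular multiplier that returns one wrong product, shows the classic fault-attack observation (Boneh, DeMillo and Lipton) that releasing the unverified result factors N, and shows the re-encryption check that blocks it. The bug is modelled as a wrong result at the k-th multiplication rather than on a specific operand pair (the paper analyses how a ciphertext can be chosen so that a pair appears); the toy key, the `Multiplier` class and the fault step are constructed for the example.

```python
from math import gcd

# Constructed toy RSA-CRT key (real keys are 2048+ bits; primes chosen small).
P, Q = 999983, 1000003
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)  # q^-1 mod p for Garner recombination

class Multiplier:
    """Hypothetical modular multiplier with at most one wrong product.
    fault_at=None is a correct unit; fault_at=k makes the k-th call (0-based)
    return a result off by one, standing in for a hardware bug on one operand pair."""
    def __init__(self, fault_at=None):
        self.fault_at, self.calls = fault_at, 0

    def mul(self, a, b, m):
        r = (a * b) % m
        if self.calls == self.fault_at:
            r = (r + 1) % m
        self.calls += 1
        return r

def modexp(base, exp, m, mult):
    """Left-to-right square-and-multiply; every product goes through mult.mul."""
    r = 1
    for bit in bin(exp)[2:]:
        r = mult.mul(r, r, m)
        if bit == "1":
            r = mult.mul(r, base, m)
    return r

def decrypt_crt(c, p_mult, q_mult, verify):
    """RSA-CRT decryption. With verify=True the result is re-encrypted and
    released only if it matches c; otherwise nothing is output (countermeasure)."""
    mp = modexp(c % P, DP, P, p_mult)
    mq = modexp(c % Q, DQ, Q, q_mult)
    m = mq + Q * ((QINV * (mp - mq)) % P)
    if verify and pow(m, E, N) != c:
        return None
    return m

def factor_from_faulty(c, m_faulty):
    """A result wrong only in the mod-p half still satisfies m'^e = c (mod q),
    so gcd(m'^e - c, N) recovers q and hence the whole private key."""
    return gcd((pow(m_faulty, E, N) - c) % N, N)
```

With a correct multiplier on both halves the plaintext comes back unchanged; with the fault in the mod-p half only, the unverified output yields Q via the gcd, while the verifying decryptor returns nothing.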


Keywords: Bug attack, Fault attack, RSA, Pohlig–Hellman, ElGamal encryption



The authors would like to thank Orr Dunkelman for his comments. We also thank the anonymous referees for their valuable comments and suggestions which improved the results of this paper. The first two authors were supported in part by the Israel MOD Research and Technology Unit.



Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. Computer Science Department, Technion - Israel Institute of Technology, Haifa, Israel
  2. Computer Science Department, The Weizmann Institute of Science, Rehovot, Israel
