Journal of Cryptology, Volume 14, Issue 2, pp 101–119

On the Importance of Eliminating Errors in Cryptographic Computations

  • Dan Boneh
  • Richard A. DeMillo
  • Richard J. Lipton


We present a model for attacking various cryptographic schemes by taking advantage of random hardware faults. The model consists of a black box containing some cryptographic secret. The box interacts with the outside world by following a cryptographic protocol. The model supposes that from time to time the box is affected by a random hardware fault causing it to output incorrect values. For example, the hardware fault flips an internal register bit at some point during the computation. We show that for many digital signature and identification schemes these incorrect outputs completely expose the secrets stored in the box. We present the following results: (1) the secret signing key used in an implementation of RSA based on the Chinese Remainder Theorem (CRT) is completely exposed from a single erroneous RSA signature; (2) for non-CRT implementations of RSA the secret key is exposed given a large number (e.g. 1000) of erroneous signatures; (3) the secret key used in Fiat-Shamir identification is exposed after a small number (e.g. 10) of faulty executions of the protocol; and (4) the secret key used in Schnorr's identification protocol is exposed after a much larger number (e.g. 10,000) of faulty executions. Our estimates for the number of necessary faults are based on standard security parameters such as a 1024-bit modulus and a 2^-40 identification error probability. Our results demonstrate the importance of preventing errors in cryptographic computations. We conclude the paper with various methods for preventing these attacks.
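The CRT result above is the one most often met in practice, and the standard defence is the one the abstract alludes to: never release a CRT signature until it has been re-checked with the public key. The following is an added illustration, not code from the paper, using constructed toy primes (far too small for real use) and unpadded textbook RSA; it simulates a single register bit-flip in one CRT half, shows the verification step rejecting the faulty output, and shows why that rejection matters, because the faulty value would otherwise share a factor with N.

```python
from math import gcd

# Constructed toy RSA-CRT key (assumption: both values are prime; they are
# about 2^20, chosen only so the example runs instantly).
p, q = 1000003, 1000033
N = p * q
e = 65537
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)                 # private exponent
dp, dq = d % (p - 1), d % (q - 1)   # CRT exponents
q_inv = pow(q, -1, p)               # q^-1 mod p for Garner recombination


def crt_sign(m, flip_bit=None):
    """Sign m with RSA-CRT. If flip_bit is given, simulate a hardware fault
    by flipping that bit of the mod-p half-result before recombination."""
    s_p = pow(m, dp, p)
    s_q = pow(m, dq, q)
    if flip_bit is not None:
        s_p ^= 1 << flip_bit        # the random fault from the paper's model
    h = (q_inv * (s_p - s_q)) % p   # Garner's recombination
    return (s_q + h * q) % N


def checked_sign(m, flip_bit=None):
    """Countermeasure: verify the signature with the public exponent before
    it leaves the box. Returns the signature, or None if it fails to verify."""
    s = crt_sign(m, flip_bit)
    return s if pow(s, e, N) == m % N else None


def exposes_factor(s_good, s_bad):
    """Risk the check prevents: a faulty CRT signature agrees with the correct
    one modulo one prime but not the other, so gcd(s - s', N) is a factor."""
    g = gcd(s_good - s_bad, N)
    return 1 < g < N


if __name__ == "__main__":
    m = 123456789                   # constructed message representative
    good = checked_sign(m)
    print("correct signature released:", good is not None)
    print("faulty signature released:", checked_sign(m, 5) is not None)
    print("unchecked faulty output leaks a factor:",
          exposes_factor(good, crt_sign(m, 5)))
```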

Key words. Hardware faults, Cryptanalysis, RSA, CRT, Fiat-Shamir identification, Schnorr identification, Public key systems, Identification protocols.



Copyright information

© International Association for Cryptologic Research 2001

Authors and Affiliations

  1. Dan Boneh, Department of Computer Science, Stanford University, Stanford, CA 94305-9045, U.S.A. dabo@cs.stanford.edu
  2. Richard A. DeMillo, Telcordia, 445 South Street, Morristown, NJ 07960, U.S.A. rad@telcordia.com
  3. Richard J. Lipton, Princeton University, 35 Olden Street, Princeton, NJ 08544, U.S.A. rjl@cs.princeton.edu
