Bug Attacks

  • Eli Biham
  • Yaniv Carmeli
  • Adi Shamir
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5157)


In this paper we present a new kind of cryptanalytic attack which utilizes bugs in the hardware implementation of computer instructions. The best known example of such a bug is the Intel division bug, which resulted in slightly inaccurate results for extremely rare inputs. Whereas in most applications such bugs can be viewed as a minor nuisance, we show that in the case of RSA (even when protected by OAEP), Pohlig-Hellman, elliptic curve cryptography, and several other schemes, such bugs can be a security disaster: Decrypting ciphertexts on any computer which multiplies even one pair of numbers incorrectly can lead to full leakage of the secret key, sometimes with a single well-chosen ciphertext.
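As an added illustration of the scenario the abstract describes (this is not code from the paper): a toy RSA decryption in which every product passes through a simulated multiplier that computes exactly one operand pair incorrectly, beside the standard defender-side countermeasure against faulty results, re-encrypting the output with the public exponent and withholding it on mismatch. The key (n = 55, e = 3, d = 27), the ciphertext 2 and the faulty pair (8, 8) are all constructed values, and the re-encryption check is the generic fault-attack countermeasure, not something the abstract itself specifies.

```python
# Added example (not code from the Biham-Carmeli-Shamir paper): a toy model
# of a decryption performed on a multiplier that gets exactly one product
# wrong, and the defender-side check that refuses to release such a result.
# Every value here is constructed for illustration; the RSA modulus is tiny.

# Constructed toy RSA key: n = 5 * 11, e * d = 3 * 27 = 81 = 1 (mod 40).
N, E, D = 55, 3, 27


def mul_correct(a, b):
    """Reference multiplier: what correct hardware computes."""
    return a * b


def make_buggy_mul(bad_pair):
    """Simulate hardware that multiplies one specific pair of operands
    incorrectly (off by one) and every other pair correctly. The pair is
    matched regardless of operand order."""
    bad = tuple(sorted(bad_pair))

    def mul(a, b):
        if tuple(sorted((a, b))) == bad:
            return a * b + 1  # the single wrong product
        return a * b
    return mul


def modexp(base, exp, mod, mul):
    """Left-to-right square-and-multiply, routing every product through
    the supplied multiplier so a hardware bug affects it as it would a
    real implementation."""
    r = 1
    for bit in bin(exp)[2:]:
        r = mul(r, r) % mod
        if bit == "1":
            r = mul(r, base) % mod
    return r


def trace_products(base, exp, mod):
    """Return the operand pairs a correct square-and-multiply feeds to the
    multiplier; shows which single pair a bug would have to hit."""
    pairs = []

    def recording_mul(a, b):
        pairs.append((a, b))
        return a * b
    modexp(base, exp, mod, recording_mul)
    return pairs


def rsa_decrypt(c, mul):
    """Plain decryption: returns whatever the multiplier produced."""
    return modexp(c, D, N, mul)


def rsa_decrypt_checked(c, mul):
    """Decrypt, then re-encrypt with the public exponent on the same
    multiplier and compare. A result that does not re-encrypt to c is
    withheld (None) instead of being handed to the caller, so a faulty
    product is never exposed through the output."""
    m = modexp(c, D, N, mul)
    if modexp(m, E, N, mul) != c:
        return None
    return m


if __name__ == "__main__":
    c = 2
    print("products used:", trace_products(c, D, N))
    buggy = make_buggy_mul((8, 8))  # constructed: one squaring goes wrong
    print("correct hardware:", rsa_decrypt(c, mul_correct))
    print("buggy hardware, unchecked:", rsa_decrypt(c, buggy))
    print("buggy hardware, checked:", rsa_decrypt_checked(c, buggy))
```

In this toy the verification step runs on the same faulty multiplier and happens not to exercise the bad pair, so the mismatch is caught; the stronger form of the check compares against an independent path (a known-good software multiplier or a second implementation), since a single shared bug could in principle corrupt both computations. `trace_products` makes visible how few products a decryption involves and therefore how little it takes for one wrong pair to change the result.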


Keywords: Bug attack, Fault attack, RSA, Pohlig-Hellman, ECC



Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Eli Biham, Computer Science Department, Technion - Israel Institute of Technology, Haifa, Israel
  • Yaniv Carmeli, Computer Science Department, Technion - Israel Institute of Technology, Haifa, Israel
  • Adi Shamir, Computer Science Department, The Weizmann Institute of Science, Rehovot, Israel
