pgpfan:rsabad [2022/04/02 16:41] – Mostly rewrite. b.walzer | pgpfan:rsabad [2024/07/31 20:12] (current) – Provided a bit of context. b.walzer |
---|
>// Instead, developers are encouraged to choose a large d such that Chinese remainder theorem techniques can be used to speed up decryption. However, this approach’s complexity increases the probability of subtle implementation errors, which [[https://www.cs.tau.ac.il/~tromer/courses/infosec11/Boneh%20DeMillo%20Lipton%201997%20---%20On%20the%20importance%20of%20eliminating%20errors%20in%20cryptographic%20protocols.pdf|can lead to key recovery]].// | >// Instead, developers are encouraged to choose a large d such that Chinese remainder theorem techniques can be used to speed up decryption. However, this approach’s complexity increases the probability of subtle implementation errors, which [[https://www.cs.tau.ac.il/~tromer/courses/infosec11/Boneh%20DeMillo%20Lipton%201997%20---%20On%20the%20importance%20of%20eliminating%20errors%20in%20cryptographic%20protocols.pdf|can lead to key recovery]].// |
| |
The linked article doesn't describe any sort of implementation error. Instead it describes a completely theoretical hardware attack. | The linked article doesn't describe any sort of implementation error. Instead it describes an attack based on hardware faults((This originally used the term "theoretical" to describe the attack. See the more recent [[https://eprint.iacr.org/2023/1711.pdf|Passive SSH Key Compromise via Lattices]], which shows that this sort of weakness existed at the rate of one per million historical SSH records. Almost all of these came from a single version of Zyxel SSH server. See section 4 of the paper.)). |
| |
| Almost all RSA implementations check generated signatures to prevent, say, a cosmic ray induced bit flip, from creating the possibility of a secret key leak. So the "implementation error" here would probably be a failure to do such a check. Very few people would consider a hardware failure to be any sort of a software implementation error. Fewer people would feel that the lack of a check for a hardware fault is an implementation error. |
| |
>//Public Exponent// | >//Public Exponent// |
Alternatively, it is a completely accurate conception that failing to validate your elliptic curve parameters properly can lead to [[https://research.nccgroup.com/2021/11/18/an-illustrated-guide-to-elliptic-curve-cryptography-validation/|bad outcomes]]. In some cases, failure to properly validate gets an attacker the secret key material. | Alternatively, it is a completely accurate conception that failing to validate your elliptic curve parameters properly can lead to [[https://research.nccgroup.com/2021/11/18/an-illustrated-guide-to-elliptic-curve-cryptography-validation/|bad outcomes]]. In some cases, failure to properly validate gets an attacker the secret key material. |
| |
Note all the conditional bits covered by the linked article. Different curves have different properties and different issues. There are a bunch of different curves in common use while RSA pretty much always uses 65537 for the one and only implementer controlled parameter (public exponent). | Note all the conditional bits covered by the linked article in the previous paragraph. Different curves have different properties and different issues. There are a bunch of different curves in common use while RSA pretty much always uses 65537 for the one and only implementer controlled parameter (public exponent). |
| |
[[pgpfan:index|PGP FAN index]]\\ | [[pgpfan:index|PGP FAN index]]\\ |
[[em:index|Encrypted Messaging index]] | [[em:index|Encrypted Messaging index]] |
| |
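Review bot: the footnote added to the sentence "Instead it describes an attack based on hardware faults" mixes edit history ("This originally used the term "theoretical" to describe the attack") with the evidence that motivated the change. The edit history is already captured by the revision summary, so the footnote could carry only the reference to the paper. The finding it reports (one per million historical SSH records, mostly a single version of Zyxel SSH server) is the substance behind dropping "theoretical" and would read better in the body text than in a footnote.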
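Review bot: the new paragraph beginning "Almost all RSA implementations check generated signatures" gives no source for "almost all", while the footnote added in the same revision cites a paper reporting deployed implementations where this weakness existed. Suggest linking a reference or naming the implementations meant. The paragraph also says the implementation error "would probably be a failure to do such a check" and then closes by arguing that few people would call the lack of such a check an implementation error. The two statements should be reconciled so the reader can tell which position the page takes.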