Fault attacks on RSA in libgcrypt
fweimer at redhat.com
Mon Nov 7 15:39:23 CET 2016
On 08/22/2016 07:42 PM, Jeff Burdges wrote:
> Dear gcrypt-devel,
> I implemented the protection against fault attacks recommended in
> "Making RSA-PSS Provably Secure Against Non-Random Faults" by Gilles
> Barthe, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire,
> Mehdi Tibouchi and Jean-Christophe Zapalowicz.
> It worries that a targeted fault attack could subvert the conditional
> currently used to protect against fault attacks.
Their fault model seems to assume a Harvard architecture, where it is
conceivable that powerful attacks targeting data are available, but no
such attacks exist for code. Most current systems have a unified memory
subsystem which provides pages for both code and data, so this
assumption does not seem very realistic. This means that their security
proof does not apply to current systems.
More information about the Gcrypt-devel