Fault attacks on RSA in libgcrypt
Florian Weimer
fweimer at redhat.com
Mon Nov 7 15:39:23 CET 2016
On 08/22/2016 07:42 PM, Jeff Burdges wrote:
>
> Dear gcrypt-devel,
>
> I implemented the protection against fault attacks recommended in
> "Making RSA-PSS Provably Secure Against Non-Random Faults" by Gilles
> Barthe, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire,
> Mehdi Tibouchi and Jean-Christophe Zapalowicz.
> https://eprint.iacr.org/2014/252
> It worries me that a targeted fault attack could subvert the conditional
> currently used to protect against fault attacks.
Their fault model seems to assume a Harvard architecture, where it is
conceivable that powerful attacks targeting data are available, but no
such attacks exist for code. Most current systems have a unified memory
subsystem which provides pages for both code and data, so this
assumption does not seem very realistic. This means that their security
proof does not apply to current systems.
Thanks,
Florian
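For readers unfamiliar with "the conditional" discussed above, here is a toy CRT-RSA signer with the verify-before-release check, including a simulated data fault in one CRT half. This is an added illustration, not libgcrypt's code or the paper's construction; the primes, exponent and message are constructed toy values.

```python
# Added example, not libgcrypt code: toy CRT-RSA signing with the
# verify-before-release check that the thread calls "the conditional".
# All parameters are tiny constructed values, for illustration only.

P, Q, E = 1000003, 1000033, 65537  # constructed toy primes, not a real key
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)  # q^-1 mod p, for Garner recombination


def crt_sign(m, fault_in_p=False):
    """CRT-RSA signature of an integer m < N (Garner recombination).

    fault_in_p simulates a transient data fault in the mod-p half, the
    classic scenario the conditional check is meant to catch.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp ^= 1  # single bit flip in the mod-p exponentiation result
    h = (QINV * (sp - sq)) % P
    return sq + Q * h


def sign_checked(m, fault_in_p=False):
    """Release the signature only if it verifies under the public key.

    Note that this is a single branch: a fault that hits the comparison
    itself, rather than the data it compares, is exactly what the paper
    Jeff cites worries about.
    """
    s = crt_sign(m, fault_in_p)
    if pow(s, E, N) != m:
        return None  # refuse to release a signature that fails to verify
    return s
```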