[cryptography] NSA Apple DPA Cryptanalysis

ianG iang at iang.org
Wed Mar 11 06:40:05 EDT 2015


On 11/03/2015 05:25 am, Peter Gutmann wrote:
> ianG <iang at iang.org> writes:
>
>> "We will also describe and present results for an entirely new unpublished
>> attack against a Chinese Remainder Theorem (CRT) implementation of RSA that
>> will yield private key information in a single trace."
>>
>> An actual cryptography breach!  Outstanding if true...
>
> No, just a DPA attack, you've only quoted the last part of the full paragraph,
> which is about DPA attacks.
>
> (Before I read the full report my reaction was "they specifically mentioned
> RSA CRT, it's either a fault attack or DPA", because if the attack description
> includes "RSA CRT" then it's a sure sign that it'll be one of those two).


Oh I see. Right, that makes sense: they say "implementation", so there is 
something fishy about the code.

OK, something to put on the list of things to do the constant time 
makeover on, or at least the "don't leak bits" pass over.

Maybe a summer internship for a student?

/me musing on likely context of attacking the CRT ... suggests they have 
already breached the inner perimeter to do measurements, and know when 
the key is being made, and can run their evil listener.
iang
PS: Note their pride in expressing the "entirely new unpublished attack" 
... for those who are questioning where the NSA is wrt the open source 
world, such snippets tell us we're not that far away.