Math Error Could Compromise Cryptographic Systems
The increasing sophistication of computer chip design raises the risk that undetected bugs could be used to crack public key encryption systems, security luminary Adi Shamir says.
A highly respected cryptographer warned on Friday that the increasing sophistication of computer chip design raises the risk that undetected bugs could be used to crack public key encryption systems.
The warning was issued by Adi Shamir, a professor at Israel's Weizmann Institute of Science. The "S" in RSA, one such public key encryption algorithm, belongs to Shamir.
"With the increasing word size and sophisticated optimizations of multiplication units in modern microprocessors, it becomes increasingly likely that they contain some undetected bugs," Shamir said in his note. "This was demonstrated by the accidental discovery of the obscure Pentium division bug in the mid 1990's, and by the recent discovery of a multiplication bug in the Microsoft Excel program."
Shamir goes on to warn that if some intelligence organization discovers the existence of such a flaw, or perhaps secretly plants one, then any public key encryption scheme on any computer can be "trivially broken with a single chosen message."
The notion of intelligence agencies influencing chip design to create a secret back door, or simply exploiting one that's already there, may sound like paranoia. But with questions surrounding the origins of a recently discovered flaw in a random number generation algorithm backed by the National Security Agency and National Institute of Standards and Technology coming from respected cryptographers like Bruce Schneier, not to mention the escalating sophistication of cyberattacks in general, such worries sound less loopy.
Shamir likens this "bug attack" to a fault attack method described in 1996, which might involve, for example, using a sudden power spike to exploit an electrical device. The bug attack, however, appears to pose a theoretical risk of greater scope. It might allow millions of PCs to be attacked simultaneously.
While a major chip designer like Intel may have learned from previous design errors, Shamir says that smaller chip design companies may not be so meticulous. And the problem could extend beyond PCs to cell phones, which also may rely on vulnerable silicon.
"As we have demonstrated in this note, even a single (innocent or intentional) bug in any one of these multipliers can lead to a huge security disaster, which can be secretly exploited in an essentially undetectable way by a sophisticated intelligence organization," Shamir concludes.
Among cryptographers such risks are known. In a post to Google Groups about Shamir's note, Wei Dai, co-creator of the VMAC message authentication code and author of Crypto++, a free C++ class library of cryptographic algorithms, said that there are ways to protect against CPU math errors and that "the RSA implementation in Crypto++ is already protected against this attack..."
Still, it's not every day that a crypto luminary issues such a warning.
About the Author
You May Also Like