by upofadown 958 days ago
Well, sure, but the alternatives are more complex and harder to get right. You can literally just pick two random numbers of the right magnitude, find the closest primes, and be good for RSA.

My comments on "Seriously, stop using RSA":

* https://articles.59.ca/doku.php?id=pgpfan:rsabad

No, the alternatives are less complex, and easier to get right.

Further: the article you linked to describes the attack we are talking about right now on this thread, a fully remote fault attack that harvested keys off random SSH servers on the Internet, as "a completely theoretical hardware attack". (Narrator: it was not; further, this is that "completely theoretical" attack in its most difficult setting.)

The attack I linked to discussed completely theoretical attacks. No examples were provided. The attack we are commenting on does provide an example.

In context it is obvious that I was addressing the contention that the paper I linked to had something to do with an implementation error.

Yes, examples of the attack you dismissed. And you cited it as evidence on this thread about that attack. It's just very funny, is all.

OK, thanks. I have updated the article to remove the term "theoretical" and have added an appropriate footnote that references the new work.

This is still wrong! Leaving aside that hardware faults are themselves implementation pitfalls for RSA, the fundamental failure here is a software implementation flaw. You really need to understand these attacks before you supply guidance about them.