Designs, Codes and Cryptography, Volume 36, Issue 1, pp 33–43

Elliptic Curve Cryptosystems in the Presence of Permanent and Transient Faults

  • Mathieu Ciet
  • Marc Joye


Elliptic curve cryptosystems in the presence of faults were studied by Biehl et al. (Advances in Cryptology – CRYPTO 2000, Springer-Verlag (2000) pp. 131–146). The first fault model they consider requires that the input point P in the computation of dP be chosen by the adversary. Their second and third fault models only require knowledge of P. These two latter models are, however, less ‘practical’ in the sense that they assume that only a few bits of error are inserted (typically exactly one bit is assumed to be disturbed), either into P just prior to the point multiplication or during the course of the computation at a chosen location.

This paper relaxes these assumptions and shows how random (and thus unknown) errors in either coordinate of the point P, in the elliptic curve parameters or in the field representation enable the (partial) recovery of the multiplier d. We then explain how, from multiple point multiplications, this partial leakage can be turned into a total key recovery. Simple precautions to prevent the leakage of secrets are also discussed.
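As an added example (not code from the paper), the following toy implementation shows one standard precaution of the kind the abstract refers to: checking that the input point and the computed result both lie on the intended curve, so that a corrupted P or a transient fault during the double-and-add is detected and the faulty dP is never released. The curve, base point, scalar and fault simulation are constructed values.

```python
# Added example (not the paper's code): validate the point before and after
# scalar multiplication. Curve, base point and scalar are constructed toy values.
P_MOD = 10007                                     # toy prime field, not a real size
A = 2
G = (3, 5)                                        # constructed base point
B = (G[1] ** 2 - G[0] ** 3 - A * G[0]) % P_MOD    # pick b so that G lies on the curve

def on_curve(pt):
    """True for the point at infinity (None) or a point with y^2 = x^3 + ax + b."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0

def add(p, q):
    """Affine group law (b is never used, so a faulty point changes the curve silently)."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None                           # p == -q
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul_unchecked(d, p, fault=None):
    """Left-to-right double-and-add; fault=(bit, mask) XORs mask into the x-coordinate
    after bit `bit` of d has been processed, simulating a transient fault."""
    r = None
    for i in range(d.bit_length() - 1, -1, -1):
        r = add(r, r)
        if (d >> i) & 1:
            r = add(r, p)
        if fault is not None and fault[0] == i and r is not None:
            r = (r[0] ^ fault[1], r[1])
    return r

def mul_checked(d, p, fault=None):
    """Refuse to compute on, or to output, a point that is not on the intended curve."""
    if not on_curve(p):
        raise ValueError("input point is not on the curve")
    r = mul_unchecked(d, p, fault)
    if not on_curve(r):
        raise ValueError("result is not on the curve: fault detected, output suppressed")
    return r
```

Because the addition formulas never involve b, a corrupted coordinate moves the whole computation onto a different curve, which is exactly what the final on-curve check catches.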


Keywords: elliptic curve cryptography; fault analysis; fault attacks; information leakage




References

  1. IEEE Std 1363-2000, IEEE Standard Specifications for Public-Key Cryptography. IEEE Computer Society, August 29, 2000.
  2. Federal Information Processing Standards Publication FIPS 186-2, Digital Signature Standard (DSS), Appendix 6: “Recommended elliptic curves for federal government use”. National Institute of Standards and Technology, January 27, 2000.
  3. F. Bao, R. H. Deng, Y. Han, A. B. Jeng, A. D. Narasimhalu and T.-H. Ngair, Breaking public key cryptosystems on tamper resistant devices in the presence of transient faults. In B. Christianson, B. Crispo, M. Lomas and M. Roe (eds), Security Protocols, Volume 1361 of Lecture Notes in Computer Science, Springer-Verlag (1997) pp. 115–124.
  4. I. Biehl, B. Meyer and V. Müller, Differential fault attacks on elliptic curve cryptosystems. In M. Bellare (ed.), Advances in Cryptology – CRYPTO 2000, Volume 1880 of Lecture Notes in Computer Science, Springer-Verlag (2000) pp. 131–146.
  5. E. Biham and A. Shamir, Differential fault analysis of secret key cryptosystems. In B. S. Kaliski Jr. (ed.), Advances in Cryptology – CRYPTO ’97, Volume 1294 of Lecture Notes in Computer Science, Springer-Verlag (1997) pp. 513–525.
  6. D. Boneh, R. A. DeMillo and R. J. Lipton, On the importance of checking cryptographic protocols for faults. In W. Fumy (ed.), Advances in Cryptology – EUROCRYPT ’97, Volume 1233 of Lecture Notes in Computer Science, Springer-Verlag (1997) pp. 37–51.
  7. D. Boneh, R. A. DeMillo and R. J. Lipton, On the importance of eliminating errors in cryptographic computations. Journal of Cryptology, 14 (2001) pp. 101–119. An earlier version appears in [6].
  8. E. De Win, S. Mister, B. Preneel and M. Wiener, On the performance of signature schemes based on elliptic curves. In J.-P. Buhler (ed.), Algorithmic Number Theory Symposium, Volume 1423 of Lecture Notes in Computer Science, Springer-Verlag (1998) pp. 252–266.
  9. T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, IT-31 (1985) pp. 469–472.
  10. S. D. Galbraith, F. Hess and N. P. Smart, Extending the GHS Weil descent attack. In L. Knudsen (ed.), Advances in Cryptology – EUROCRYPT 2002, Volume 2332 of Lecture Notes in Computer Science, Springer-Verlag (2002) pp. 29–44.
  11. P. Gaudry, F. Hess and N. P. Smart, Constructive and destructive facets of Weil descent on elliptic curves. Journal of Cryptology, 15 (2002) pp. 19–46.
  12. F. Hess, The GHS attack revisited. In E. Biham (ed.), Advances in Cryptology – EUROCRYPT 2003, Volume 2656 of Lecture Notes in Computer Science, Springer-Verlag (2003) pp. 374–387.
  13. M. Joye, J.-J. Quisquater, F. Bao and R. H. Deng, RSA-type signatures in the presence of transient faults. In M. Darnell (ed.), Cryptography and Coding, Volume 1355 of Lecture Notes in Computer Science, Springer-Verlag (1997) pp. 155–160.
  14. N. Koblitz, Elliptic curve cryptosystems. Mathematics of Computation, 48 (1987) pp. 203–209.
  15. P. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In N. Koblitz (ed.), Advances in Cryptology – CRYPTO ’96, Volume 1109 of Lecture Notes in Computer Science, Springer-Verlag (1996) pp. 104–113.
  16. P. Kocher, J. Jaffe and B. Jun, Differential power analysis. In M. Wiener (ed.), Advances in Cryptology – CRYPTO ’99, Volume 1666 of Lecture Notes in Computer Science, Springer-Verlag (1999) pp. 388–397.
  17. M. Maurer, A. J. Menezes and E. Teske, Analysis of the GHS Weil descent attack on the ECDLP over characteristic two finite fields of composite degree. In C. Pandu Rangan and C. Ding (eds), Progress in Cryptology – INDOCRYPT 2001, Volume 2247 of Lecture Notes in Computer Science, Springer-Verlag (2001) pp. 195–213.
  18. A. J. Menezes, Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers (1993).
  19. A. Menezes, T. Okamoto and S. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Transactions on Information Theory, 39 (1993) pp. 1639–1646.
  20. A. J. Menezes and M. Qu, Analysis of the Weil descent attack of Gaudry, Hess and Smart. In D. Naccache (ed.), Topics in Cryptology – CT-RSA 2001, Volume 2020 of Lecture Notes in Computer Science, Springer (2001) pp. 308–318.
  21. V. S. Miller, Use of elliptic curves in cryptography. In H. C. Williams (ed.), Advances in Cryptology – CRYPTO ’85, Volume 218 of Lecture Notes in Computer Science, Springer (1986) pp. 417–426.
  22. J. M. Pollard, Monte Carlo methods for index computation (mod p). Mathematics of Computation, 32 (1978) pp. 918–924.
  23. J. M. Pollard, Kangaroos, monopoly and discrete logarithms. Journal of Cryptology, 13 (2000) pp. 437–447.
  24. N. P. Smart, How secure are elliptic curves over composite extension fields? In B. Pfitzmann (ed.), Advances in Cryptology – EUROCRYPT 2001, Volume 2045 of Lecture Notes in Computer Science, Springer-Verlag (2001) pp. 30–39.
  25. J. A. Solinas, Generalized Mersenne numbers. Technical Report CORR-99-39, Dept. of C&O, University of Waterloo, Canada (1999).

Copyright information

© Springer Science+Business Media, Inc. 2005

Authors and Affiliations

  1. UCL Crypto Group, Université catholique de Louvain, Louvain-la-Neuve, Belgium
  2. Card Security Group, La Vigie, Gemplus, Cedex, France
