Sign Change Fault Attacks on Elliptic Curve Cryptosystems

  • Johannes Blömer
  • Martin Otto
  • Jean-Pierre Seifert
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4236)


We present a new type of fault attack on elliptic curve scalar multiplications: Sign Change Attacks. These attacks exploit different number representations as they are often employed in modern cryptographic applications. Previously, fault attacks on elliptic curves aimed to force a device to output points which are on a cryptographically weak curve. Such attacks can easily be defended against. Our attack produces points which do not leave the curve and are not easily detected. The paper also presents a revised scalar multiplication algorithm that protects against Sign Change Attacks.
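The difference between a fault that pushes the result off the curve and a sign change that stays on it can be seen in a small simulation. This is an added example, not code from the paper: the curve (y^2 = x^3 + 7 over the secp256k1 field prime), the signed-digit (NAF) left-to-right multiplier, the scalar, the fault position and all function names are assumptions chosen for illustration, and the paper's revised algorithm is not reproduced.

```python
# Added example (constructed): y^2 = x^3 + 7 over the secp256k1 field prime.
P, A, B = 2**256 - 2**32 - 977, 0, 7

def on_curve(pt):                      # classic output check; None = infinity
    return pt is None or (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0

def neg(pt):
    return None if pt is None else (pt[0], -pt[1] % P)

def add(p1, p2):
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def naf(k):
    digits = []                        # signed digits, least significant first
    while k:
        digits.append(2 - k % 4 if k & 1 else 0)   # +1, -1 or 0
        k = (k - digits[-1]) >> 1
    return digits

def scalar_mult(k, pt, fault=None, at=None):   # fault hits Q after digit `at`
    q = None
    for i, d in reversed(list(enumerate(naf(k)))):
        q = add(q, q)
        if d:
            q = add(q, pt if d > 0 else neg(pt))
        if fault is not None and i == at:
            q = fault(q)
    return q

def find_point():
    for x in range(1, 1000):           # P % 4 == 3: square root is one pow()
        y = pow(x**3 + B, (P + 1) // 4, P)
        if on_curve((x, y)):
            return (x, y)

def demo(k=733, at=4):
    g = find_point()
    good = scalar_mult(k, g)
    faults = {"sign_change": neg, "coordinate_flip": lambda q: (q[0] ^ 1, q[1])}
    out = {n: scalar_mult(k, g, f, at) for n, f in faults.items()}
    return {n: (r != good, on_curve(r)) for n, r in out.items()}  # (wrong, passes check)
```

`demo()` returns a `(wrong, passes check)` pair per fault: the sign change gives a wrong result that still satisfies the curve equation, while the coordinate flip is rejected by the same check.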


Keywords: elliptic curve cryptosystem, fault attacks, smartcards





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Johannes Blömer (1)
  • Martin Otto (1)
  • Jean-Pierre Seifert (2)
  1. Institute for Computer Science, Paderborn University, Paderborn, Germany
  2. Virtualization & Trust Lab — CTG, Intel Corporation, Hillsboro, USA
