Secret Key Leakage from Public Key Perturbation of DLP-Based Cryptosystems

  • Alexandre Berzati
  • Cécile Canovas-Dumas
  • Louis Goubin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6805)


Finding efficient countermeasures for cryptosystems against fault attacks is challenged by the constant discovery of flaws in designs. Even elements that do not seem critical, such as public keys, must be protected. Building on the attacks against RSA [5,4], we develop a new attack on DLP-based cryptosystems, which additionally relies on a lattice analysis [26] to recover DSA public keys from partially known nonces. Under a realistic fault model, our attack requires only 16 faulty signatures to recover a 160-bit DSA secret key within a few minutes on a standard PC. These results significantly improve on the previous fault attack on public elements of DLP-based cryptosystems [22].
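The abstract's point that public elements of a DLP-based scheme need integrity protection just as much as the private key can be illustrated with a small signer that fails closed when its public parameters are disturbed. The following is an added example written for this page; it is not code from the paper, and the two checks it uses (a fingerprint over the public elements recorded at key-installation time, and the structural test g^q ≡ 1 (mod p), which a randomly perturbed g almost never satisfies) are a generic defensive pattern, not the authors' countermeasure. The toy parameters p = 23, q = 11, g = 4, the private key x = 7, the reduction of SHA-256 modulo q as the message hash, and the simulated fault (a single bit flip on g) are all constructed for the example and far too small for real use.

```python
import hashlib
import secrets

# Constructed toy DSA domain parameters (far too small for real use):
# p = 23 and q = 11 are prime, q divides p - 1, and g = 4 has order q mod p.
P, Q, G = 23, 11, 4
X = 7                      # constructed private key, 1 <= x < q
Y = pow(G, X, P)           # public key y = g^x mod p  (= 8)


def hash_to_int(msg: bytes, q: int) -> int:
    """Toy message hash: SHA-256 reduced mod q (DSA proper truncates to |q| bits)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def validate_domain_params(p: int, q: int, g: int) -> bool:
    """Structural checks on (p, q, g): q | p - 1, 1 < g < p and g has order q.
    A random perturbation of g almost never preserves g^q = 1 (mod p)."""
    if q < 2 or p < 2 or (p - 1) % q != 0:
        return False
    if not 1 < g < p:
        return False
    return pow(g, q, p) == 1


def params_digest(p: int, q: int, g: int, y: int) -> bytes:
    """Integrity fingerprint over every public element, recorded at key-installation time
    and kept apart from the working copy of the parameters."""
    enc = b"|".join(str(v).encode() for v in (p, q, g, y))
    return hashlib.sha256(enc).digest()


def verify(msg: bytes, sig, p: int, q: int, g: int, y: int) -> bool:
    """Standard DSA verification against the given public elements."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (hash_to_int(msg, q) * w) % q
    u2 = (r * w) % q
    v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q
    return v == r


def protected_sign(msg: bytes, x: int, p: int, q: int, g: int, y: int,
                   trusted_digest: bytes, k=None):
    """DSA signing that returns None (no signature at all) when the public
    elements fail an integrity or structural check before or after signing."""
    # 1. The working copy of the public elements must match the stored fingerprint.
    if params_digest(p, q, g, y) != trusted_digest:
        return None
    # 2. Structural validation still catches a perturbed g if the fingerprint
    #    itself was taken from the same corrupted memory.
    if not validate_domain_params(p, q, g):
        return None
    h = hash_to_int(msg, q)
    while True:
        kk = k if k is not None else secrets.randbelow(q - 1) + 1
        k = None                       # any retry draws a fresh nonce
        r = pow(g, kk, p) % q
        s = (pow(kk, -1, q) * (h + x * r)) % q
        if r != 0 and s != 0:
            break
    # 3. Re-check the fingerprint and verify the fresh signature against the
    #    same elements. In a real device, where the parameters live in memory
    #    that may be disturbed during the exponentiation, this is what stops a
    #    signature computed under perturbed elements from ever being released.
    if params_digest(p, q, g, y) != trusted_digest or not verify(msg, (r, s), p, q, g, y):
        return None
    return (r, s)


if __name__ == "__main__":
    trusted = params_digest(P, Q, G, Y)
    print("genuine parameters :", protected_sign(b"hello", X, P, Q, G, Y, trusted))
    # Constructed fault: one bit of g flipped before signing.
    print("perturbed g, stored digest :", protected_sign(b"hello", X, P, Q, G ^ 1, Y, trusted))
    print("perturbed g, digest from same memory:",
          protected_sign(b"hello", X, P, Q, G ^ 1, Y, params_digest(P, Q, G ^ 1, Y)))
```

Run as a script, the first call prints a valid (r, s) pair and both perturbed calls print None: the first is caught by the fingerprint, the second (where the fingerprint was computed over the already-corrupted g = 5) by the order check, since 5^11 mod 23 = 22. The design choice that matters is failing closed: a signer that emits a signature computed under perturbed public elements hands the faulty signature to the adversary, so detection has to happen before output, not at the verifier.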


Keywords (machine-generated, not chosen by the authors): Signature Scheme, Fault Model, Quadratic Residue, Candidate Pair, Modular Exponentiation




References

  1. Ajtai, M., Kumar, R., Sivakumar, D.: A Sieve Algorithm for the Shortest Lattice Vector Problem. In: ACM Symposium on Theory of Computing (STOC 2001), pp. 601–610 (2001)
  2. Armknecht, F., Meier, W.: Fault Attacks on Combiners with Memory. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 36–50. Springer, Heidelberg (2006)
  3. Babai, L.: On Lovász lattice reduction and the nearest point problem. Combinatorica 6, 1–13 (1986)
  4. Berzati, A., Canovas, C., Dumas, J.-G., Goubin, L.: Fault Attacks on RSA Public Keys: Left-To-Right Implementations Are Also Vulnerable. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 414–428. Springer, Heidelberg (2009)
  5. Berzati, A., Canovas, C., Goubin, L.: Perturbating RSA Public Keys: An Improved Attack. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 380–395. Springer, Heidelberg (2008)
  6. Biehl, I., Meyer, B., Müller, V.: Differential Fault Attacks on Elliptic Curve Cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000)
  7. Biham, E., Shamir, A.: Differential Fault Analysis of Secret Key Cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997)
  8. Blömer, J., Otto, M.: Wagner's Attack on a Secure CRT-RSA Algorithm Reconsidered. In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.-P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 13–23. Springer, Heidelberg (2006)
  9. Blömer, J., Otto, M., Seifert, J.-P.: A New CRT-RSA Algorithm Secure Against Bellcore Attack. In: ACM Conference on Computer and Communications Security (CCS 2003), pp. 311–320. ACM Press, New York (2003)
  10. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the Importance of Checking Cryptographic Protocols for Faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)
  11. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the Importance of Eliminating Errors in Cryptographic Computations. Journal of Cryptology 14(2), 101–119 (2001)
  12. Boneh, D., Venkatesan, R.: Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996)
  13. Brier, E., Chevallier-Mames, B., Ciet, M., Clavier, C.: Why One Should Also Secure RSA Public Key Elements. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 324–338. Springer, Heidelberg (2006)
  14. Brumley, D., Boneh, D.: Remote Timing Attacks are Practical. In: 12th USENIX Security Symposium, pp. 1–14 (2003)
  15. Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Heidelberg (1993)
  16. Coron, J.-S.: Resistance Against Differential Power Analysis for Elliptic Curve Cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)
  17. El Gamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985)
  18. Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: Concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001)
  19. Giraud, C.: DFA on AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2005. LNCS, vol. 3373, pp. 27–41. Springer, Heidelberg (2005)
  20. Hoch, J., Shamir, A.: Fault Analysis of Stream Ciphers. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 240–253. Springer, Heidelberg (2004)
  21. Howgrave-Graham, N.A., Smart, N.P.: Lattice Attacks on Digital Signature Schemes. Designs, Codes and Cryptography 23, 283–290 (2001)
  22. Kim, C.H., Bulens, P., Petit, C., Quisquater, J.-J.: Fault Attacks on Public Key Elements: Application to DLP-Based Schemes. In: Mjølsnes, S.F., Mauw, S., Katsikas, S.K. (eds.) EuroPKI 2008. LNCS, vol. 5057, pp. 182–195. Springer, Heidelberg (2008)
  23. Kocher, P., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
  24. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring Polynomials with Rational Coefficients. Mathematische Annalen 261(4), 515–534 (1986)
  25. Menezes, A.J., Van Oorschot, P.C., Vanstone, S.A., Rivest, R.L.: Handbook of Applied Cryptography (1997)
  26. Nguyen, P.Q., Shparlinski, I.E.: The Insecurity of the Digital Signature Algorithm with Partially Known Nonces. Journal of Cryptology 15(3), 151–176 (2002)
  27. National Institute of Standards and Technology (NIST): FIPS PUB 186-2: Digital Signature Standard (DSS) (January 2000)
  28. Schnorr, C.P., Euchner, M.: Lattice Basis Reduction: Improved practical algorithms and solving subset sum problems. Math. Programming 66, 181–199 (1994)
  29. Shoup, V.: Number Theory C++ Library (NTL)
  30. Wagner, D.: Cryptanalysis of a provably secure CRT-RSA algorithm. In: Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS 2004), pp. 92–97. ACM, New York (2004)

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Alexandre Berzati: INVIA, Meyreuil, France
  • Cécile Canovas-Dumas: CEA-LETI/MINATEC, Grenoble Cedex 9, France
  • Louis Goubin: UVSQ, Versailles Saint-Quentin-en-Yvelines University, Versailles Cedex, France
