Differential Attacks on Deterministic Signatures

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10808)


Deterministic signature schemes are becoming more popular, as illustrated by the deterministic variant of ECDSA and the popular EdDSA scheme, since eliminating the need for high-quality randomness might have some advantages in certain use-cases. In this paper we outline a range of differential fault attacks and a differential power analysis attack against such deterministic schemes. This shows, contrary to some earlier works, that such signature schemes are not naturally protected against such advanced attacks. We discuss different countermeasures and propose to include entropy for low-cost protection against these attacks in scenarios where these attack vectors are a real threat: this does not require to change the key generation or the verification methods and results in a signature scheme which offers high performance and security for a wide range of use-cases.


Public-key algorithms Elliptic curve cryptography Digital signatures Implementation attacks and defenses Hardware security 



We would like to thank Laurie Genelle for her comments on an earlier version of this paper.


  1. 1.
    American National Standards Institute: Public Key Cryptography For The Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), ANSI X9.62-2005 (2005)Google Scholar
  2. 2.
    Barenghi, A., Breveglieri, L., Koren, I., Naccache, D.: Fault injection attacks on cryptographic devices: Theory, practice, and countermeasures. Proc. IEEE 100(11), 3056–3076 (2012)CrossRefGoogle Scholar
  3. 3.
    Barenghi, A., Bertoni, G.M., Breveglieri, L., Pelosi, G., Sanfilippo, S., Susella, R.: A fault-based secret key retrieval method for ECDSA: Analysis and countermeasure. ACM J. Emerg. Technol. Comput. Syst. 13(1), 8:1–8:26 (2016)CrossRefGoogle Scholar
  4. 4.
    Barenghi, A., Pelosi, G.: A note on fault attacks against deterministic signature schemes. In: Ogawa, K., Yoshioka, K. (eds.) IWSEC 2016. LNCS, vol. 9836, pp. 182–192. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-44524-3_11 CrossRefGoogle Scholar
  5. 5.
    Belaïd, S., Bettale, L., Dottax, E., Genelle, L., Rondepierre, F.: Differential power analysis of HMAC SHA-2 in the Hamming weight model. In: Samarati, P. (ed.) SECRYPT, pp. 230–241. IEEE (2013)Google Scholar
  6. 6.
    Bernstein, D.J.: Curve25519: new diffie-hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006).  https://doi.org/10.1007/11745853_14 CrossRefGoogle Scholar
  7. 7.
    Bernstein, D.J., Chang, Y.-A., Cheng, C.-M., Chou, L.-P., Heninger, N., Lange, T., van Someren, N.: Factoring RSA keys from certified smart cards: Coppersmith in the wild. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 341–360. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-42045-0_18 CrossRefGoogle Scholar
  8. 8.
    Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 124–142. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-23951-9_9 CrossRefGoogle Scholar
  9. 9.
    Bernstein, D.J., Josefsson, S., Lange, T., Schwabe, P., Yang, B.Y.: EdDSA for more curves. Cryptology ePrint Archive, Report 2015/677 (2015). http://eprint.iacr.org/2015/677
  10. 10.
    Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 29–50. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-76900-2_3 CrossRefGoogle Scholar
  11. 11.
    Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000).  https://doi.org/10.1007/3-540-44598-6_8 CrossRefGoogle Scholar
  12. 12.
    Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997).  https://doi.org/10.1007/BFb0052259 CrossRefGoogle Scholar
  13. 13.
    Blömer, J., Otto, M., Seifert, J.-P.: Sign change fault attacks on elliptic curve cryptosystems. In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.-P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 36–52. Springer, Heidelberg (2006).  https://doi.org/10.1007/11889700_4 CrossRefGoogle Scholar
  14. 14.
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of eliminating errors in cryptographic computations. J. Cryptol. 14(2), 101–119 (2001)MathSciNetCrossRefMATHGoogle Scholar
  15. 15.
    BSI: Minimum requirements for evaluating side-channel attack resistance of elliptic curve implementations (2016). http://www.bsi.bund.de/
  16. 16.
    “Bushing”, Cantero, H., Boessenkool, S., Peter, S.: PS3 epic fail (2010). http://events.ccc.de/congress/2010/Fahrplan/attachments/1780_27c3_console_hacking_2010.pdf
  17. 17.
    Ciet, M., Joye, M.: Elliptic curve cryptosystems in the presence of permanent and transient faults. Des. Codes Cryptograph. 36(1), 33–43 (2005)MathSciNetCrossRefMATHGoogle Scholar
  18. 18.
    Edwards, H.M.: A normal form for elliptic curves. Bull. Am. Math. Soc. 44, 393–422 (2007)MathSciNetCrossRefMATHGoogle Scholar
  19. 19.
    ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31, 469–472 (1985)MathSciNetCrossRefMATHGoogle Scholar
  20. 20.
    Fan, J., Verbauwhede, I.: An updated survey on secure ECC implementations: attacks, countermeasures and cost. In: Naccache, D. (ed.) Cryptography and Security: From Theory to Applications. LNCS, vol. 6805, pp. 265–282. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-28368-0_18 CrossRefGoogle Scholar
  21. 21.
    Fouque, P.A., Lercier, R., Réal, D., Valette, F.: Fault attack on elliptic curve Montgomery ladder implementation. In: FDTC 2008. pp. 92–98. IEEE Computer Society (2008)Google Scholar
  22. 22.
    Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-44709-1_21 CrossRefGoogle Scholar
  23. 23.
    Gartner: Gartner says 8.4 billion connected “things” will be in use in 2017, up 31 percent from 2016. http://www.gartner.com/newsroom/id/3598917 (Feb 2017)
  24. 24.
    Genkin, D., Valenta, L., Yarom, Y.: May the fourth be with you: A microarchitectural side channel attack on several real-world applications of Curve25519. In: ACM CCS 2017, pp. 845–858. ACM Press (2017). ePrint 2017/806. http://eprint.iacr.org/2017/806
  25. 25.
    Gueron, S., Krasnov, V.: Fast prime field elliptic-curve cryptography with 256-bit primes. J. Cryptograph. Eng. 5(2), 141–151 (2015)CrossRefGoogle Scholar
  26. 26.
    Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: Detection of widespread weak keys in network devices. In: USENIX Security Symposium, pp. 205–220. USENIX, Bellevue, WA (2012)Google Scholar
  27. 27.
    Joye, M., Tunstall, M. (eds.): Fault Analysis in Cryptography. Information Security and Cryptography. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-29656-7 MATHGoogle Scholar
  28. 28.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996).  https://doi.org/10.1007/3-540-68697-5_9 Google Scholar
  29. 29.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48405-1_25 Google Scholar
  30. 30.
    Lenstra, A.K., Hughes, J.P., Augier, M., Bos, J.W., Kleinjung, T., Wachter, C.: Public keys. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 626–642. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-32009-5_37 CrossRefGoogle Scholar
  31. 31.
    M’Raïhi, D., Naccache, D., Pointcheval, D., Vaudenay, S.: Computational alternatives to random number generators. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 72–80. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48892-8_6 CrossRefGoogle Scholar
  32. 32.
    National Institute of Standards and Technology: Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4 (2013). http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
  33. 33.
    National Institute of Standards and Technology: Public Comments Received on FIPS 186–4: Digital Signature Standard (DSS) (2015). http://csrc.nist.gov/groups/ST/toolkit/documents/Comments-received-FIPS-186-4-Dec2015.pdf
  34. 34.
    National Institute of Standards and Technology: SP 800–90A Rev. 1: Recommendation for Random Number Generation Using Deterministic Random Bit Generators (2015). http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
  35. 35.
    Nguyen, P.Q., Shparlinski, I.: The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Cryptograph. 30(2), 201–217 (2003)MathSciNetCrossRefMATHGoogle Scholar
  36. 36.
    Perrin, T.: The XEdDSA and VXEdDSA signature schemes. Unpublished manuscript (Oct 2016). Revision 1. https://signal.org/docs/specifications/xeddsa/
  37. 37.
    Poddebniak, D., Schinzel, S., Somorovsky, J., Lochter, M., Roesler, P.: Attacking deterministic signature schemes using fault attacks. In: EuroS&P 2018. IEEE Computer Society (to appear)Google Scholar
  38. 38.
    Pornin, T.: Deterministic usage of the digital signature algorithm (DSA) and elliptic curve digital signature algorithm (ECDSA). RFC 6979 (2013). https://tools.ietf.org/html/rfc6979
  39. 39.
    Romailler, Y., Pelissier, S.: Practical fault attack against the Ed25519 and EdDSA signature schemes. In: FDTC 2017, pp. 17–24. IEEE Computer Society (2017)Google Scholar
  40. 40.
    Samwel, N., Batina, L., Bertoni, G., Daemen, J., Susella, R.: Breaking Ed25519 in WolfSSL. Cryptology ePrint Archive, Report 2017/985 (2017). http://eprint.iacr.org/2017/985
  41. 41.
    Schmidt, J.M., Medwed, M.: A fault attack on ECDSA. In: Breveglieri, L., et al. (eds.) FDTC 2009, pp. 93–99. IEEE Computer Society (2009)Google Scholar
  42. 42.
    Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)MathSciNetCrossRefMATHGoogle Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.NXP SemiconductorsHamburgGermany
  2. 2.NXP SemiconductorsLeuvenBelgium
  3. 3.NXP SemiconductorsSan JoseUSA
  4. 4.Bundesamt für Sicherheit in der Informationstechnik (BSI)BonnGermany

Personalised recommendations