Differential Attacks on Deterministic Signatures

  • Christopher Ambrose
  • Joppe W. BosEmail author
  • Björn Fay
  • Marc JoyeEmail author
  • Manfred Lochter
  • Bruce Murray
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10808)


Deterministic signature schemes are becoming more popular, as illustrated by the deterministic variant of ECDSA and the popular EdDSA scheme, since eliminating the need for high-quality randomness might have some advantages in certain use-cases. In this paper we outline a range of differential fault attacks and a differential power analysis attack against such deterministic schemes. This shows, contrary to some earlier works, that such signature schemes are not naturally protected against such advanced attacks. We discuss different countermeasures and propose to include entropy for low-cost protection against these attacks in scenarios where these attack vectors are a real threat: this does not require to change the key generation or the verification methods and results in a signature scheme which offers high performance and security for a wide range of use-cases.


Public-key algorithms Elliptic curve cryptography Digital signatures Implementation attacks and defenses Hardware security 



We would like to thank Laurie Genelle for her comments on an earlier version of this paper.


  1. 1.
    American National Standards Institute: Public Key Cryptography For The Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), ANSI X9.62-2005 (2005)Google Scholar
  2. 2.
    Barenghi, A., Breveglieri, L., Koren, I., Naccache, D.: Fault injection attacks on cryptographic devices: Theory, practice, and countermeasures. Proc. IEEE 100(11), 3056–3076 (2012)CrossRefGoogle Scholar
  3. 3.
    Barenghi, A., Bertoni, G.M., Breveglieri, L., Pelosi, G., Sanfilippo, S., Susella, R.: A fault-based secret key retrieval method for ECDSA: Analysis and countermeasure. ACM J. Emerg. Technol. Comput. Syst. 13(1), 8:1–8:26 (2016)CrossRefGoogle Scholar
  4. 4.
    Barenghi, A., Pelosi, G.: A note on fault attacks against deterministic signature schemes. In: Ogawa, K., Yoshioka, K. (eds.) IWSEC 2016. LNCS, vol. 9836, pp. 182–192. Springer, Cham (2016). CrossRefGoogle Scholar
  5. 5.
    Belaïd, S., Bettale, L., Dottax, E., Genelle, L., Rondepierre, F.: Differential power analysis of HMAC SHA-2 in the Hamming weight model. In: Samarati, P. (ed.) SECRYPT, pp. 230–241. IEEE (2013)Google Scholar
  6. 6.
    Bernstein, D.J.: Curve25519: new diffie-hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006). CrossRefGoogle Scholar
  7. 7.
    Bernstein, D.J., Chang, Y.-A., Cheng, C.-M., Chou, L.-P., Heninger, N., Lange, T., van Someren, N.: Factoring RSA keys from certified smart cards: Coppersmith in the wild. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 341–360. Springer, Heidelberg (2013). CrossRefGoogle Scholar
  8. 8.
    Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 124–142. Springer, Heidelberg (2011). CrossRefGoogle Scholar
  9. 9.
    Bernstein, D.J., Josefsson, S., Lange, T., Schwabe, P., Yang, B.Y.: EdDSA for more curves. Cryptology ePrint Archive, Report 2015/677 (2015).
  10. 10.
    Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 29–50. Springer, Heidelberg (2007). CrossRefGoogle Scholar
  11. 11.
    Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000). CrossRefGoogle Scholar
  12. 12.
    Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997). CrossRefGoogle Scholar
  13. 13.
    Blömer, J., Otto, M., Seifert, J.-P.: Sign change fault attacks on elliptic curve cryptosystems. In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.-P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 36–52. Springer, Heidelberg (2006). CrossRefGoogle Scholar
  14. 14.
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of eliminating errors in cryptographic computations. J. Cryptol. 14(2), 101–119 (2001)MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    BSI: Minimum requirements for evaluating side-channel attack resistance of elliptic curve implementations (2016).
  16. 16.
    “Bushing”, Cantero, H., Boessenkool, S., Peter, S.: PS3 epic fail (2010).
  17. 17.
    Ciet, M., Joye, M.: Elliptic curve cryptosystems in the presence of permanent and transient faults. Des. Codes Cryptograph. 36(1), 33–43 (2005)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Edwards, H.M.: A normal form for elliptic curves. Bull. Am. Math. Soc. 44, 393–422 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31, 469–472 (1985)MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Fan, J., Verbauwhede, I.: An updated survey on secure ECC implementations: attacks, countermeasures and cost. In: Naccache, D. (ed.) Cryptography and Security: From Theory to Applications. LNCS, vol. 6805, pp. 265–282. Springer, Heidelberg (2012). CrossRefGoogle Scholar
  21. 21.
    Fouque, P.A., Lercier, R., Réal, D., Valette, F.: Fault attack on elliptic curve Montgomery ladder implementation. In: FDTC 2008. pp. 92–98. IEEE Computer Society (2008)Google Scholar
  22. 22.
    Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001). CrossRefGoogle Scholar
  23. 23.
    Gartner: Gartner says 8.4 billion connected “things” will be in use in 2017, up 31 percent from 2016. (Feb 2017)
  24. 24.
    Genkin, D., Valenta, L., Yarom, Y.: May the fourth be with you: A microarchitectural side channel attack on several real-world applications of Curve25519. In: ACM CCS 2017, pp. 845–858. ACM Press (2017). ePrint 2017/806.
  25. 25.
    Gueron, S., Krasnov, V.: Fast prime field elliptic-curve cryptography with 256-bit primes. J. Cryptograph. Eng. 5(2), 141–151 (2015)CrossRefGoogle Scholar
  26. 26.
    Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: Detection of widespread weak keys in network devices. In: USENIX Security Symposium, pp. 205–220. USENIX, Bellevue, WA (2012)Google Scholar
  27. 27.
    Joye, M., Tunstall, M. (eds.): Fault Analysis in Cryptography. Information Security and Cryptography. Springer, Heidelberg (2012). zbMATHGoogle Scholar
  28. 28.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). Google Scholar
  29. 29.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). Google Scholar
  30. 30.
    Lenstra, A.K., Hughes, J.P., Augier, M., Bos, J.W., Kleinjung, T., Wachter, C.: Public keys. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 626–642. Springer, Heidelberg (2012). CrossRefGoogle Scholar
  31. 31.
    M’Raïhi, D., Naccache, D., Pointcheval, D., Vaudenay, S.: Computational alternatives to random number generators. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 72–80. Springer, Heidelberg (1999). CrossRefGoogle Scholar
  32. 32.
    National Institute of Standards and Technology: Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4 (2013).
  33. 33.
    National Institute of Standards and Technology: Public Comments Received on FIPS 186–4: Digital Signature Standard (DSS) (2015).
  34. 34.
    National Institute of Standards and Technology: SP 800–90A Rev. 1: Recommendation for Random Number Generation Using Deterministic Random Bit Generators (2015).
  35. 35.
    Nguyen, P.Q., Shparlinski, I.: The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Cryptograph. 30(2), 201–217 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  36. 36.
    Perrin, T.: The XEdDSA and VXEdDSA signature schemes. Unpublished manuscript (Oct 2016). Revision 1.
  37. 37.
    Poddebniak, D., Schinzel, S., Somorovsky, J., Lochter, M., Roesler, P.: Attacking deterministic signature schemes using fault attacks. In: EuroS&P 2018. IEEE Computer Society (to appear)Google Scholar
  38. 38.
    Pornin, T.: Deterministic usage of the digital signature algorithm (DSA) and elliptic curve digital signature algorithm (ECDSA). RFC 6979 (2013).
  39. 39.
    Romailler, Y., Pelissier, S.: Practical fault attack against the Ed25519 and EdDSA signature schemes. In: FDTC 2017, pp. 17–24. IEEE Computer Society (2017)Google Scholar
  40. 40.
    Samwel, N., Batina, L., Bertoni, G., Daemen, J., Susella, R.: Breaking Ed25519 in WolfSSL. Cryptology ePrint Archive, Report 2017/985 (2017).
  41. 41.
    Schmidt, J.M., Medwed, M.: A fault attack on ECDSA. In: Breveglieri, L., et al. (eds.) FDTC 2009, pp. 93–99. IEEE Computer Society (2009)Google Scholar
  42. 42.
    Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.NXP SemiconductorsHamburgGermany
  2. 2.NXP SemiconductorsLeuvenBelgium
  3. 3.NXP SemiconductorsSan JoseUSA
  4. 4.Bundesamt für Sicherheit in der Informationstechnik (BSI)BonnGermany

Personalised recommendations