
Experimenting with Faults, Lattices and the DSA

  • David Naccache
  • Phong Q. Nguyên
  • Michael Tunstall
  • Claire Whelan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3386)

Abstract

We present an attack on DSA smart-cards which combines physical fault injection and lattice reduction techniques. This seems to be the first publicly reported physical experiment that concretely extracts DSA keys from smart-cards. We employ a particular type of fault attack known as a glitch attack, which we use to actively modify the DSA nonce k used for generating the signature: k is tampered with so that a number of its least significant bytes flip to zero. We then apply well-known lattice attacks on El Gamal-type signatures, which recover the private key given sufficiently many signatures for which a few bits of each corresponding k are known. In practice, when one byte of each k is zeroed, 27 signatures are sufficient to disclose the private key. The more bytes of k we can reset, the fewer signatures are required. This paper presents the theory, methodology and results of the attack as well as possible countermeasures.
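The pipeline the abstract describes, as an added example that is not the paper's code or experimental setup: a toy DSA over a 31-bit Mersenne-prime q (assumed; real DSA uses a 160-bit q), a fault model in which the low bytes of a freshly drawn nonce read as zero, the reduction of each faulted signature to one sample of the hidden-number problem (k' = x·t + u mod q with k' small), and an exact pure-Python LLL that finds the private key in the resulting lattice. The parameter sizes, the Miller-Rabin parameter search, the lattice shape and the signature counts used (10 for one zeroed byte and 5 for two at this toy size, not the 27 of the real attack) are assumptions of the example. Requires Python 3.8 or later.

```python
"""Added example (not the paper's code): a glitch zeroes the low bytes of the DSA
nonce, each faulted signature yields a hidden-number-problem sample, LLL recovers x."""
from fractions import Fraction
import hashlib
import random

Q = 2**31 - 1  # toy group order (assumed): a Mersenne prime, small enough for pure-Python LLL


def is_prime(n):  # Miller-Rabin for odd n; these bases are deterministic below 3.4e14
    s = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 == d * 2**s with d odd
    d = (n - 1) >> s
    for a in (2, 3, 5, 7, 11, 13, 17):
        x = pow(a, d, n)
        if x not in (1, n - 1) and not any((x := x * x % n) == n - 1 for _ in range(s - 1)):
            return False
    return True


def make_params():  # smallest even c with p = c*Q + 1 prime, and an element g of order Q mod p
    c = next(c for c in range(2, 10**6, 2) if is_prime(c * Q + 1))
    p = c * Q + 1
    g = next(g for g in (pow(h, c, p) for h in range(2, p)) if g != 1)
    return p, g


def sign(x, h, p, g, k):  # textbook DSA on hash h: r = (g^k mod p) mod q, s = k^-1 (h + x r) mod q
    r = pow(g, k, p) % Q
    return r, pow(k, -1, Q) * (h + x * r) % Q


def glitched_nonce(rng, zeroed_bytes):  # fault model assumed here: low bytes of a fresh k read as 0
    k = rng.randrange(1, Q) >> (8 * zeroed_bytes) << (8 * zeroed_bytes)
    return k or glitched_nonce(rng, zeroed_bytes)


def hnp_instance(h, r, s, zeroed_bytes):
    """From s*k == h + x*r and k == K*k' (K = 256**zeroed_bytes) derive (t, u) with
    x*t + u == k' (mod Q) and 0 <= k' < Q/K: one hidden-number-problem sample."""
    inv = pow(s << (8 * zeroed_bytes), -1, Q)  # (K*s)^-1 mod Q
    return r * inv % Q, h * inv % Q


def lll_reduce(basis, delta=Fraction(99, 100)):
    """Exact (rational) LLL on integer row vectors; adequate for small dimensions."""
    b, n = [list(v) for v in basis], len(basis)

    def gram_schmidt():  # mu[i][j] and squared lengths of the Gram-Schmidt vectors
        mu = [[Fraction(0)] * n for _ in range(n)]
        norms = [Fraction(0)] * n
        for i in range(n):
            for j in range(i):
                ip = sum(a * c for a, c in zip(b[i], b[j]))
                mu[i][j] = (ip - sum(mu[i][m] * mu[j][m] * norms[m] for m in range(j))) / norms[j]
            mu[i][i] = Fraction(1)
            norms[i] = Fraction(sum(a * a for a in b[i])) - sum(mu[i][j] ** 2 * norms[j] for j in range(i))
        return mu, norms
    mu, norms = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):  # size-reduce b[k] against b[j], updating mu in place
            q = round(mu[k][j])
            if q:
                b[k] = [a - q * c for a, c in zip(b[k], b[j])]
                for m in range(j + 1):
                    mu[k][m] -= q * mu[j][m]
        if norms[k] >= (delta - mu[k][k - 1] ** 2) * norms[k - 1]:  # Lovasz condition
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            mu, norms = gram_schmidt()
            k = max(k - 1, 1)
    return b


def recover_private_key(sigs, zeroed_bytes, p, g, y):
    """Lattice attack on a list of (h, r, s) produced with faulted nonces."""
    K, n = 1 << (8 * zeroed_bytes), len(sigs)
    half = Q // (2 * K)  # centre k' so that e_i = k'_i - half lies in [-half, half]
    ts, us = zip(*[hnp_instance(h, r, s, zeroed_bytes) for h, r, s in sigs])
    basis = [[K * Q if i == j else 0 for j in range(n + 2)] for i in range(n)]
    basis.append([K * t for t in ts] + [1, 0])
    basis.append([K * (u - half) for u in us] + [0, Q])
    # (K*e_1, ..., K*e_n, x, Q) is an unusually short lattice vector; LLL exposes it, coordinate n is x
    for row in lll_reduce(basis):
        if abs(row[-1]) == Q:
            cand = (row[n] if row[-1] == Q else -row[n]) % Q
            if pow(g, cand, p) == y:  # confirm against the public key
                return cand


def demo(zeroed_bytes=1, n_sigs=10, seed=1):
    """Sign n_sigs constructed messages with faulted nonces; return (x, recovered x or None)."""
    rng = random.Random(seed)
    p, g = make_params()
    x = rng.randrange(1, Q)
    sigs = []
    for i in range(n_sigs):
        h = int.from_bytes(hashlib.sha256(b"constructed message %d" % i).digest(), "big") % Q
        r, s = sign(x, h, p, g, glitched_nonce(rng, zeroed_bytes))
        sigs.append((h, r, s))
    return x, recover_private_key(sigs, zeroed_bytes, p, g, pow(g, x, p))


def attack_succeeds(zeroed_bytes, n_sigs, seed=1):
    x, recovered = demo(zeroed_bytes, n_sigs, seed)
    return recovered == x
```

`attack_succeeds(1, 10)` runs the one-byte case and `attack_succeeds(2, 5)` the two-byte case; fewer signatures suffice with more zeroed bytes, as the abstract states. The 27 signatures quoted above are for a 160-bit q, where one zeroed byte leaks 8 of 160 bits per signature; at 31 bits each byte is a much larger fraction of the nonce, so a handful is enough. For real-size parameters replace `lll_reduce` with a dedicated lattice library; the rational LLL here is written to be readable, not fast.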

Keywords

DSA, fault injection, glitch attacks, lattice reduction

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • David Naccache (1, 2)
  • Phong Q. Nguyên (3)
  • Michael Tunstall (2, 4)
  • Claire Whelan (5)
  1. Gemplus Card International, Applied Research & Security Centre, France
  2. Royal Holloway, University of London, Information Security Group, Egham, Surrey, UK
  3. Département d'Informatique, CNRS/École normale supérieure, Paris Cedex 05, France
  4. Gemplus Card International, Applied Research & Security Centre, La Ciotat, France
  5. School of Computing, Dublin City University, Ballymun, Dublin 9, Ireland
