Lattice-Based Weak Curve Fault Attack on ECDSA

  • Conference paper
ICT Systems Security and Privacy Protection (SEC 2021)

Part of the book series: IFIP Advances in Information and Communication Technology (IFIPAICT, volume 625)

Abstract

The ECDSA algorithm is widely used in ICT systems to ensure the authenticity of communication, but weaknesses in its various implementations can make the security of a deployed ECDSA deviate from the theoretical guarantee. This paper proposes a new lattice-based weak curve fault attack on ECDSA. Because the attack does not require the ECDLP to be computationally practical on the whole group \(\langle G \rangle\) (G being the specified base point of ECDSA), it extends the existing attacks along this line. In detail, the proposed attack assumes that a segment of consecutive bits of the curve parameter a in the Weierstrass equation of ECDSA can be disturbed randomly by fault injection, so that a is changed into \(a'\). An analysis of the density of smooth numbers shows that the faulty parameter \(a'\) can be used for the attack with high probability. We then show that \(a'\) can be recovered by a dedicated quadratic residue distinguisher. Some reduced information about the nonce used in ECDSA signature generation can be obtained by solving instances of the ECDLP on the new curve defined by \(a'\). With the help of this information, we construct a new lattice model that recovers the private key with lattice basis reduction techniques. Further, we show that the same strategy defeats the nonce masking countermeasure if the random mask is not too long, which makes the commonly employed countermeasures ineffective. To our knowledge, this setting remains out of reach of the existing weak curve fault attacks, so the proposed approach finds more applications than the existing ones, as demonstrated by the experimental analysis.
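Added example (mine, not code from the paper or its authors): a toy Python model of the attack pipeline the abstract describes, with every parameter constructed for illustration. It rests on the standard weak-curve observation that affine point doubling is the only step that reads a (nothing reads b), so a scalar multiplication with a faulted \(a'\) runs on the curve through G with coefficient \(a'\) and whatever b' that curve implies. A plain Euler-criterion filter over all fault patterns in a bit window stands in for the paper's dedicated quadratic residue distinguisher, and Pohlig-Hellman with brute-force subgroup logarithms recovers the nonce modulo the order m of G on the faulty curve, which is cheap exactly when m is smooth. The toy curve, the window position, the signature count and all function names are assumptions; the lattice step that turns the nonce residues into the private key is not shown.

```python
"""Added example, not the paper's code: a toy, offline model of a fault on the Weierstrass
coefficient a, a quadratic-residue filter that picks the faulty a' out of every fault pattern
in a bit window, and a Pohlig-Hellman ECDLP on the faulty curve leaking k mod m. No lattice step."""
import random
from math import gcd

P, A, B = 10007, 5, 7   # constructed toy curve y^2 = x^3 + A x + B over F_P, with P = 3 mod 4
def legendre(v, p):      # 0, 1 or -1 (Euler's criterion)
    return 0 if v % p == 0 else (1 if pow(v % p, (p - 1) // 2, p) == 1 else -1)
def ec_add(Q1, Q2, a, p):
    """Affine chord/tangent rule: only the tangent slope reads a and nothing reads b."""
    if Q1 is None: return Q2
    if Q2 is None: return Q1
    (x1, y1), (x2, y2) = Q1, Q2
    if x1 == x2:
        if (y1 + y2) % p == 0: return None
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)
def ec_mul(k, Q, a, p):  # double-and-add; a faulted a moves every doubling onto the faulty curve
    R = None
    while k:
        if k & 1: R = ec_add(R, Q, a, p)
        Q, k = ec_add(Q, Q, a, p), k >> 1
    return R
def factor(n):           # trial division, toy sizes only
    f, q = {}, 2
    while q * q <= n:
        while n % q == 0: f[q], n = f.get(q, 0) + 1, n // q
        q += 1
    if n > 1: f[n] = f.get(n, 0) + 1
    return f
def curve_order(a, b, p):  # naive point count, fine for a toy p
    return p + 1 + sum(legendre(x * x * x + a * x + b, p) for x in range(p))
def point_order(Q, a, p, n):  # n = #E; drop a prime from m while (m/q)Q is still O
    m = n
    for q in factor(n):
        while m % q == 0 and ec_mul(m // q, Q, a, p) is None: m //= q
    return m
def dlog_small(Q0, T, q, a, p):  # brute force in a subgroup of prime order q
    R = None
    for d in range(q):
        if R == T: return d
        R = ec_add(R, Q0, a, p)
    raise ValueError("T not in <Q0>")
def pohlig_hellman(Q, T, m, a, p):
    """k with kQ = T for Q of order m; work ~ sum(e*q) over q^e || m, cheap iff m is smooth."""
    k, M = 0, 1
    for q, e in factor(m).items():
        qe = q ** e
        Qq, Tq = ec_mul(m // qe, Q, a, p), ec_mul(m // qe, T, a, p)    # order-q^e subgroup
        Q0, kq = ec_mul(qe // q, Qq, a, p), 0                            # Q0 has order q
        for j in range(e):                                               # one base-q digit per round
            D = ec_add(Tq, ec_mul((-kq) % qe, Qq, a, p), a, p)          # Tq - kq*Qq
            kq += dlog_small(Q0, ec_mul(qe // q ** (j + 1), D, a, p), q, a, p) * q ** j
        k, M = k + M * (((kq - k) * pow(M, -1, qe)) % qe), M * qe       # CRT
    return k % M
def implied_b(a_c, G, p):  # the b that puts G on y^2 = x^3 + a_c x + b
    return (G[1] ** 2 - G[0] ** 3 - a_c * G[0]) % p
def faulty_sign(d, h, G, n, a_f, p, rng):  # ECDSA whose scalar multiplication uses a_f
    while True:
        k = rng.randrange(1, n)
        R = ec_mul(k, G, a_f, p)
        if R is None or gcd(k, n) != 1 or R[0] % n == 0: continue
        r = R[0] % n
        return r, pow(k, -1, n) * (h + d * r) % n, k          # k is returned only to check the attack
def qr_filter(cands, rs, G, n, p):  # keep a'' iff every r lifts to an x with x^3+a''x+b'' a square
    return [a_c for a_c in cands if all(any(legendre(x ** 3 + a_c * x + implied_b(a_c, G, p), p) >= 0
                                            for x in range(r, p, n)) for r in rs)]
def nonce_mod_m(r, G, n, a_f, p, m):
    """Candidates for k mod m from r alone (x up to its lift r + j*n, y up to sign)."""
    b_f, out = implied_b(a_f, G, p), set()
    for x in range(r, p, n):
        v = (x ** 3 + a_f * x + b_f) % p
        if legendre(v, p) < 0: continue
        y = pow(v, (p + 1) // 4, p)                          # square root, valid since p = 3 mod 4
        for T in ((x, y), (x, (-y) % p)):
            try: out.add(pohlig_hellman(G, T, m, a_f, p))
            except ValueError: pass                          # this lift is not in <G> on the faulty curve
    return out
def run_demo(seed=7, n_sigs=64, lo=3, width=8):
    rng, N, best = random.Random(seed), curve_order(A, B, P), (0, None)
    for x in range(1, P):                                    # base point G of large order n
        v = (x ** 3 + A * x + B) % P
        if legendre(v, P) != 1: continue
        G = (x, pow(v, (P + 1) // 4, P)); n = point_order(G, A, P, N)
        best = max(best, (n, G))
        if 2 * n > P: break
    n, G = best
    d, a_f = rng.randrange(1, n), A ^ (rng.randrange(1, 1 << width) << lo)  # key; random flips in bits [lo, lo+width)
    m = point_order(G, a_f, P, curve_order(a_f, implied_b(a_f, G, P), P))   # order of G on the faulty curve
    sigs = [faulty_sign(d, rng.randrange(n), G, n, a_f, P, rng) for _ in range(n_sigs)]
    survivors = qr_filter([A ^ (t << lo) for t in range(1 << width)], [s[0] for s in sigs], G, n, P)
    r, _, k = sigs[0]
    return dict(a_fault=a_f, survivors=survivors, m=m, largest_prime=max(factor(m)),
                leaked=nonce_mod_m(r, G, n, a_f, P, m), true_k_mod_m=k % m)
```

run_demo() returns the faulted coefficient, the candidates that survive the filter (the true \(a'\) always survives; each wrong candidate passes each observed r with probability about 1/2, so 64 signatures leave essentially only \(a'\)), the order m of G on the faulty curve together with its largest prime factor, and the set of candidates for k mod m obtained from the first signature's r alone (one is the true residue, another its negation mod m, since the sign of y is unknown). Looping the fault pattern over the window and recording how often largest_prime falls below a chosen bound gives a toy version of the smoothness density argument; at real sizes the lift of r has at most two candidates because n is close to p.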

Acknowledgments

This work is supported by the National Key Research and Development Program of China (No. U1936209), the National Cryptography Development Fund of China (No. MMJJ20170214, MMJJ20170211) and the National Natural Science Foundation of China (No. 61802439).

Copyright information

© 2021 IFIP International Federation for Information Processing

About this paper

Cite this paper

Cao, W., Shi, H., Chen, H., Wei, W., Chen, J. (2021). Lattice-Based Weak Curve Fault Attack on ECDSA. In: Jøsang, A., Futcher, L., Hagen, J. (eds) ICT Systems Security and Privacy Protection. SEC 2021. IFIP Advances in Information and Communication Technology, vol 625. Springer, Cham. https://doi.org/10.1007/978-3-030-78120-0_10

  • DOI: https://doi.org/10.1007/978-3-030-78120-0_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-78119-4

  • Online ISBN: 978-3-030-78120-0
