A novel fault attack against ECDSA

2011 IEEE International Symposium on Hardware-Oriented Security and Trust Pub Date : 2011-06-05 DOI:10.1109/HST.2011.5955015

Alessandro Barenghi, G. Bertoni, A. Palomba, Ruggero Susella

{"title":"A novel fault attack against ECDSA","authors":"Alessandro Barenghi, G. Bertoni, A. Palomba, Ruggero Susella","doi":"10.1109/HST.2011.5955015","DOIUrl":null,"url":null,"abstract":"A novel fault attack against ECDSA is proposed in this work. It allows to retrieve the secret signing key, by means of injecting faults during the computation of the signature primitive. The proposed method relies on faults injected during a multiplication employed to perform the signature recombination at the end of the ECDSA signing algorithm. Exploiting the faulty signatures, it is possible to reduce the size of the group of the discrete logarithm problem warranting the security margin up to a point where it is computationally treatable. The amount of faulty signatures requested to perform the attack is relatively small, ranging from 4 to a few tenths. The key retrieval can be applied to any key length, like those standardised by NIST, including the ones mandated for top secret documents by NSA suite B. The required post processing of the obtained faulty values is practical on a common consumer grade desktop. The procedure does not rely on any particular structure of the employed curve and may easily be extended to the regular DSA based on modular arithmetics.","PeriodicalId":300377,"journal":{"name":"2011 IEEE International Symposium on Hardware-Oriented Security and Trust","volume":"550 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-06-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"19","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 IEEE International Symposium on Hardware-Oriented Security and Trust","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/HST.2011.5955015","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 19

Abstract

A novel fault attack against ECDSA is proposed in this work. It allows to retrieve the secret signing key, by means of injecting faults during the computation of the signature primitive. The proposed method relies on faults injected during a multiplication employed to perform the signature recombination at the end of the ECDSA signing algorithm. Exploiting the faulty signatures, it is possible to reduce the size of the group of the discrete logarithm problem warranting the security margin up to a point where it is computationally treatable. The amount of faulty signatures requested to perform the attack is relatively small, ranging from 4 to a few tenths. The key retrieval can be applied to any key length, like those standardised by NIST, including the ones mandated for top secret documents by NSA suite B. The required post processing of the obtained faulty values is practical on a common consumer grade desktop. The procedure does not rely on any particular structure of the employed curve and may easily be extended to the regular DSA based on modular arithmetics.

查看原文本刊更多论文

一种新的ECDSA故障攻击方法

提出了一种新的针对ECDSA的故障攻击方法。它允许通过在签名原语的计算过程中注入错误来检索秘密签名密钥。该方法依赖于在ECDSA签名算法的最后执行签名重组的乘法过程中注入的错误。利用错误签名，可以减少离散对数问题组的大小，保证安全余量达到可计算处理的程度。请求错误签名进行攻击的数量相对较少，在百分之四到十分之一之间。密钥检索可以应用于任何密钥长度，如NIST标准化的密钥长度，包括NSA套件b对绝密文件强制要求的密钥长度。对获得的错误值进行必要的后处理在普通的消费级桌面上是实用的。该过程不依赖于所采用曲线的任何特定结构，并且可以很容易地扩展到基于模块化算法的规则DSA。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2011 IEEE International Symposium on Hardware-Oriented Security and Trust

自引率

0.00%

发文量