A novel fault attack against ECDSA is proposed in this work. It allows to retrieve the secret signing key, by means of injecting faults during the computation of the signature primitive. The proposed method relies on faults injected during a multiplication employed to perform the signature recombination at the end of the ECDSA signing algorithm. Exploiting the faulty signatures, it is possible to reduce the size of the group of the discrete logarithm problem warranting the security margin up to a point where it is computationally treatable. The amount of faulty signatures requested to perform the attack is relatively small, ranging from 4 to a few tenths. The key retrieval can be applied to any key length, like those standardised by NIST, including the ones mandated for top secret documents by NSA suite B. The required post processing of the obtained faulty values is practical on a common consumer grade desktop. The procedure does not rely on any particular structure of the employed curve and may easily be extended to the regular DSA based on modular arithmetics.
A novel fault attack against ECDSA
BARENGHI, ALESSANDRO;
2011-01-01
Abstract
A novel fault attack against ECDSA is proposed in this work. It allows to retrieve the secret signing key, by means of injecting faults during the computation of the signature primitive. The proposed method relies on faults injected during a multiplication employed to perform the signature recombination at the end of the ECDSA signing algorithm. Exploiting the faulty signatures, it is possible to reduce the size of the group of the discrete logarithm problem warranting the security margin up to a point where it is computationally treatable. The amount of faulty signatures requested to perform the attack is relatively small, ranging from 4 to a few tenths. The key retrieval can be applied to any key length, like those standardised by NIST, including the ones mandated for top secret documents by NSA suite B. The required post processing of the obtained faulty values is practical on a common consumer grade desktop. The procedure does not rely on any particular structure of the employed curve and may easily be extended to the regular DSA based on modular arithmetics.| File | Dimensione | Formato | |
|---|---|---|---|
|
05955015.pdf
Accesso riservato
Descrizione: Articolo principale
:
Publisher’s version
Dimensione
283.12 kB
Formato
Adobe PDF
|
283.12 kB | Adobe PDF | Visualizza/Apri |
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
