A Fault Attack on ECDSA

摘要

An advantage of schemes based on elliptic curve cryptography (ECC) is that they require a smaller key size than other public key schemes to guarantee the same level of security. Thus, ECC algorithms are well suited for systems with constrained resources like smart cards or mobile devices. When evaluating those devices, not only the security from a theoretical point of view, but also implementation attacks, like fault attacks, have to be taken into account. In this paper, we present a new fault attack on the elliptic curve digital signature algorithm (ECDSA). We use a modification of the program flow to retrieve parts of the ephemeral key. The retrieved information allows performing a lattice attack to determine the secret signing key. Furthermore, we propose a countermeasure to prevent such an attack.