We present a practical lattice-based fault attack on the SM2 signature algorithm as implemented in a smart card. To our knowledge, this is the first time the lattice attack presented at SAC 2013 has been combined with a fault attack against SM2 in practice. Using laser fault injection, we skip the instructions that write the nonce into RAM, so that the nonces of successive signatures share some of their bits. We then build the lattice-attack model from these faulty signatures and recover the private key. The experimental results show that only 3 faulty signatures are needed to mount the lattice attack successfully, in about 32 μs. Moreover, we propose a new countermeasure for the SM2 signature algorithm that resists the lattice-based fault attack by destroying the precondition of the lattice attack rather than by thwarting the fault injection itself. We prove that the countermeasure guarantees resistance to the lattice attack even if some information about the nonces leaks.
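The attack pipeline of the abstract, as an added worked example that is not the paper's code: SM2 signing on the sm2p256v1 curve, a fault model in which the write of the nonce's high bytes to RAM is skipped so that three nonces share their top 192 bits, and the reduction of k_i - k_1 = (s_i - s_1) + ((s_i + r_i) - (s_1 + r_1))·d (mod n) to a hidden number problem solved with a textbook LLL. The 64-bit split (FRESH_BITS), the seeded random keys and messages, the SHA-256 stand-in for SM3, and this particular lattice embedding are assumptions of the example, not details taken from the paper; the SAC 2013 lattice model may differ in its exact shape.

```python
"""Lattice attack on SM2 signatures whose nonces share their high bits (added
example, not the paper's code). Assumed fault model: the write of the nonce's
high bytes to RAM is skipped, so each later nonce keeps the previous nonce's
high bits and only FRESH_BITS low bits are fresh. SHA-256 stands in for SM3."""
import hashlib
import random
from fractions import Fraction

# sm2p256v1 domain parameters (GB/T 32918.5).
p = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
a = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
b = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
n = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
FRESH_BITS = 64  # assumed: the low 8 nonce bytes are rewritten, the high 24 stay

def ec_add(P, Q):
    """Affine addition on y^2 = x^3 + ax + b; None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P):
    R = None
    while k:  # right-to-left double-and-add
        R, P, k = (ec_add(R, P) if k & 1 else R), ec_add(P, P), k >> 1
    return R

def sm2_sign(d, e, k):
    """GB/T 32918.2: r = (e + x1) mod n, s = (1 + d)^-1 (k - r d) mod n."""
    r = (e + ec_mul(k, G)[0]) % n
    s = pow(1 + d, -1, n) * (k - r * d) % n
    assert r and s and r + k != n, "retry with a new nonce"
    return r, s

def faulty_nonces(rng, count, fresh_bits):
    """First nonce fully written; later writes of the high part are skipped."""
    k1 = rng.randrange(1, n)
    high = k1 >> fresh_bits << fresh_bits
    return [k1] + [high | rng.getrandbits(fresh_bits) for _ in range(count - 1)]

def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL over the rationals; enough for a 4-dimensional lattice."""
    B, m = [list(row) for row in basis], len(basis)
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))
    def gram_schmidt():
        Bs, mu = [], [[Fraction(0)] * m for _ in range(m)]
        for i in range(m):
            v = [Fraction(x) for x in B[i]]
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
                v = [vi - mu[i][j] * bj for vi, bj in zip(v, Bs[j])]
            Bs.append(v)
        return Bs, mu
    k, (Bs, mu) = 1, gram_schmidt()
    while k < m:
        for j in range(k - 1, -1, -1):  # size-reduce b_k; b_k* is unchanged
            q = round(mu[k][j])
            if q:
                B[k] = [x - q * y for x, y in zip(B[k], B[j])]
                mu[k][j] -= q
                for i in range(j):
                    mu[k][i] -= q * mu[j][i]
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1  # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            Bs, mu = gram_schmidt()
            k = max(k - 1, 1)
    return B

def recover_key(P, sigs, fresh_bits):
    """k = s + (s + r) d mod n, so k_i - k_1 = alpha_i + beta_i d mod n is small:
    a hidden number problem whose solution is a short vector of the lattice."""
    r1, s1 = sigs[0]
    alpha = [(s - s1) % n for r, s in sigs[1:]]
    beta = [(s + r - s1 - r1) % n for r, s in sigs[1:]]
    m, W = len(alpha), 1 << fresh_bits
    rows = [[n * n if j == i else 0 for j in range(m + 2)] for i in range(m)]
    rows.append([n * x for x in beta] + [W, 0])  # taken d times
    rows.append([n * x for x in alpha] + [0, n * W])  # taken once
    for v in lll(rows):  # target (n u_2, n u_3, W d, n W) is the shortest vector
        if abs(v[-1]) == n * W:
            cand = (v[-2] if v[-1] > 0 else -v[-2]) // W % n
            if ec_mul(cand, G) == P:
                return cand

def demo(seed=2024):
    """Constructed key, messages and faulted nonces; True if d is recovered."""
    rng = random.Random(seed)
    d = rng.randrange(1, n)
    P = ec_mul(d, G)
    es = [int.from_bytes(hashlib.sha256(b"constructed message %d" % i).digest(),
                         "big") % n for i in range(3)]
    sigs = [sm2_sign(d, e, k) for e, k in zip(es, faulty_nonces(rng, 3, FRESH_BITS))]
    return recover_key(P, sigs, FRESH_BITS) == d

if __name__ == "__main__":
    print("private key recovered from 3 faulty signatures:", demo())
```

With three signatures the lattice has dimension four and two hidden-number equations, each revealing about 256 - FRESH_BITS bits of d, so the shared part of the nonces must exceed roughly half of the nonce length for the target vector to be the shortest one; the smallness of k_i - k_1 is exactly the precondition the abstract's countermeasure aims to destroy. The recovered candidate is checked against the public key before it is accepted, which rules out any spurious short vector.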