Lattice-based weak curve fault attack on ECDSA

Abstract

The ECDSA algorithm is widely used in ICT systems to provide communication authenticity, but weaknesses in its various implementations may cause its security to deviate from the theoretical guarantee. This paper proposes a new lattice-based weak curve fault attack on ECDSA. An elliptic curve is weak if the ECDLP in a \emph{subgroup} of the point group $\langle G \rangle$ is computationally solvable in practice, where $G$ is the specified base point of the ECDSA algorithm. Since the ECDLP is not required to be computationally practical in the whole group $\langle G \rangle$, our approach extends the known existing attacks along this line. In detail, the proposed attack assumes a fault injection process can perturb a segment of consecutive bits of the curve parameter $a$ in the Weierstrass equation of ECDSA. An analysis of the density of smooth numbers indicates that the elliptic curve parameterized by the faulty value $a'$ is weak with high probability. We then show that the faulty value $a'$ can be recovered by a dedicated quadratic residue distinguisher, which makes it possible to collect enough side channel information about the nonce used in the ECDSA signature generation process. With the help of this information, we construct a lattice and recover the private key with lattice basis reduction techniques. Further, we show that the same strategy can defeat the nonce masking countermeasure if the random mask is not too long, and renders the commonly employed countermeasures ineffective. To our knowledge, this problem remains intractable for the existing weak curve fault attacks, so the proposed approach finds more applications than the existing ones. This is demonstrated by the experimental analysis.
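To make the fault model concrete, the following added example (not code from the paper) shows on a constructed toy curve why a perturbed parameter $a$ goes unnoticed by the group arithmetic itself: affine Weierstrass doubling uses $a$ but addition does not, so scalar multiplication with a faulty $a'$ silently yields a point on the curve $E_{a'}: y^2 = x^3 + a'x + b'$ (with $b'$ fixed by the base point), and only an on-curve check against the reference $(a, b)$ detects the corrupted output. The prime, curve, base point and function names are assumptions for illustration.

```python
# Added example: toy curve over a small prime (constructed, not a real ECDSA curve).
# Reference curve: y^2 = x^3 + 2x + 3 mod 97 with base point G = (3, 6).
P = 97  # toy modulus, assumption for illustration only

def inv(x):
    return pow(x, -1, P)

def on_curve(pt, a, b):
    """Check whether pt satisfies y^2 = x^3 + a*x + b (mod P); the point at infinity passes."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % P == 0

def add(p1, p2, a):
    """Affine Weierstrass group law. Note that `a` appears only in the doubling slope."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # P + (-P) = point at infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * inv(2 * y1) % P  # doubling: depends on a
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P  # addition: independent of a
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt, a):
    """Double-and-add; every doubling step is computed with the supplied a."""
    r = None
    while k:
        if k & 1:
            r = add(r, pt, a)
        pt = add(pt, pt, a)
        k >>= 1
    return r

def implied_b(pt, a):
    """The b' that puts pt on the curve with parameter a (the curve a faulty a' moves us onto)."""
    x, y = pt
    return (y * y - x ** 3 - a * x) % P

def faulty_run(k, g, a, a_fault):
    """Compute k*G with a corrupted a. Returns (point, passes reference check, lies on E_{a'})."""
    q = scalar_mult(k, g, a_fault)
    return q, on_curve(q, a, implied_b(g, a)), on_curve(q, a_fault, implied_b(g, a_fault))
```

With the reference $a = 2$ and a single flipped bit giving $a' = 6$, `faulty_run(2, (3, 6), 2, 6)` produces a point that fails the reference on-curve check but lies exactly on $E_{a'}$, which is the situation the quadratic residue distinguisher in the paper exploits and a parameter integrity check would flag.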