Lattice basis reduction: improved practical algorithms and solving subset sum problems
Mathematical Programming: Series A and B
Lattice Attacks on Digital Signature Schemes
Designs, Codes and Cryptography
Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes
CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Differential Fault Analysis of Secret Key Cryptosystems
CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults
Proceedings of the 5th International Workshop on Security Protocols
The Two Faces of Lattices in Cryptology
CaLC '01 Revised Papers from the International Conference on Cryptography and Lattices
The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces
Designs, Codes and Cryptography
Fault Attacks on Public Key Elements: Application to DLP-Based Schemes
EuroPKI '08 Proceedings of the 5th European PKI workshop on Public Key Infrastructure: Theory and Practice
DSA Signature Scheme Immune to the Fault Cryptanalysis
CARDIS '08 Proceedings of the 8th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Applications
On Second-Order Fault Analysis Resistance for CRT-RSA Implementations
WISTP '09 Proceedings of the 3rd IFIP WG 11.2 International Workshop on Information Security Theory and Practice. Smart Devices, Pervasive Systems, and Ubiquitous Networks
Efficient use of random delays in embedded software
WISTP'07 Proceedings of the 1st IFIP TC6 /WG8.8 /WG11.2 international conference on Information security theory and practices: smart cards, mobile and ubiquitous computing systems
Fault attacks for CRT based RSA: new attacks, new results and new countermeasures
WISTP'07 Proceedings of the 1st IFIP TC6 /WG8.8 /WG11.2 international conference on Information security theory and practices: smart cards, mobile and ubiquitous computing systems
Fault attack to the elliptic curve digital signature algorithm with multiple bit faults
Proceedings of the 4th international conference on Security of information and networks
Seifert's RSA fault attack: simplified analysis and generalizations
ICICS'06 Proceedings of the 8th international conference on Information and Communications Security
Impossible fault analysis of RC4 and differential fault analysis of RC4
FSE'05 Proceedings of the 12th international conference on Fast Software Encryption
Fault analysis of DPA-Resistant algorithms
FDTC'06 Proceedings of the Third international conference on Fault Diagnosis and Tolerance in Cryptography
Improved fault analysis of signature schemes
CARDIS'10 Proceedings of the 9th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Application
Practical modifications of leadbitter et al.'s repeated-bits side-channel analysis on (EC)DSA
WISA'05 Proceedings of the 6th international conference on Information Security Applications
Differential fault analysis of AES: Toward reducing number of faults
Information Sciences: an International Journal
Structure-Based RSA fault attacks
ISPEC'12 Proceedings of the 8th international conference on Information Security Practice and Experience
Differential fault analysis of ARIA in multi-byte fault models
Journal of Systems and Software
Using bleichenbacher's solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA
CHES'13 Proceedings of the 15th international conference on Cryptographic Hardware and Embedded Systems
| Hi-index | 0.00 |
We present an attack on DSA smart-cards which combines physical fault injection and lattice reduction techniques. This seems to be the first (publicly reported) physical experiment allowing to concretely pull-out DSA keys out of smart-cards. We employ a particular type of fault attack known as a glitch attack, which will be used to actively modify the DSA nonce k used for generating the signature: k will be tampered with so that a number of its least significant bytes will flip to zero. Then we apply well-known lattice attacks on El Gamal-type signatures which can recover the private key, given sufficiently many signatures such that a few bits of each corresponding k are known. In practice, when one byte of each k is zeroed, 27 signatures are sufficient to disclose the private key. The more bytes of k we can reset, the fewer signatures will be required. This paper presents the theory, methodology and results of the attack as well as possible countermeasures.