Experimenting with Faults, Lattices and the DSA

We present an attack on DSA smart-cards that combines physical fault injection with lattice reduction. This appears to be the first publicly reported physical experiment that concretely extracts DSA private keys from smart-cards. We use a particular kind of fault attack, a glitch attack, to actively modify the DSA nonce k used to generate the signature: k is tampered with so that a number of its least significant bytes are forced to zero. We then apply well-known lattice attacks on ElGamal-type signatures, which recover the private key given sufficiently many signatures for which a few bits of each corresponding k are known. In practice, when one byte of each k is zeroed, 27 signatures suffice to disclose the private key; the more bytes of k we can reset, the fewer signatures are required. The paper presents the theory, methodology and results of the attack as well as possible countermeasures.
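The attack summarised above, reduced to a runnable toy as an added example (this code is not from the paper and not the authors' setup): a DSA signer whose nonce k has its low byte cleared by a simulated glitch, followed by the hidden-number-problem lattice that recovers the private key x from the resulting signatures. Everything concrete here is an assumption of the example: the 32-bit q (chosen so that a pure-Python LLL finishes in well under a second), the seeded RNG, the 14 signatures (a toy lattice this small needs more signatures relative to log2(q)/8 than the 27-for-160-bit figure quoted above), the floating-point Gram-Schmidt inside `lll_reduce`, and all function names (`toy_dsa_params`, `glitched_sign`, `recover_private_key`, `demo`). The lattice construction itself is the standard embedding of the Boneh-Venkatesan hidden number problem that the lattice attacks cited in the abstract rely on.

```python
import hashlib
import random

L_BITS = 8  # the simulated glitch forces this many low bits of the nonce k to zero (one byte)


def is_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Deterministic Miller-Rabin, exact for n < 3.3e24 (far beyond the toy sizes used here)."""
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    s = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = 2^s * d with d odd
    d = (n - 1) >> s
    for b in bases:
        x = pow(b, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(s - 1)):
            return False
    return True


def toy_dsa_params(rng, q_bits=32):
    """(p, q, g): q a q_bits prime, p = t*q + 1 prime, g of order q. Toy-sized on purpose."""
    q = 0
    while not is_prime(q):
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
    t = 2
    while not is_prime(t * q + 1):
        t += 2
    p, g, h = t * q + 1, 1, 2
    while g == 1:
        g, h = pow(h, t, p), h + 1
    return p, q, g


def dsa_verify(params, y, h, r, s):
    p, q, g = params
    w = pow(s, -1, q)
    return 0 < r < q and pow(g, h * w % q, p) * pow(y, r * w % q, p) % p % q == r


def glitched_sign(params, x, h, rng):
    """Card draws a fresh k; the glitch zeroes its low L_BITS before k is used for both r and s."""
    p, q, g = params
    while True:
        k = (rng.randrange(1, q) >> L_BITS) << L_BITS  # signature stays valid, nonce = 2^L_BITS * k'
        r = pow(g, k, p) % q if k else 0
        s = pow(k, -1, q) * (h + x * r) % q if r else 0
        if s:
            return h, r, s


def lll_reduce(basis, delta=0.99):
    """Textbook LLL on integer rows; Gram-Schmidt data kept in floats (adequate at this size)."""
    B, n = [list(v) for v in basis], len(basis)

    def gram_schmidt():
        star, mu, norms = [], [[0.0] * n for _ in range(n)], []
        for i in range(n):
            v = [float(c) for c in B[i]]
            for j in range(i):
                mu[i][j] = sum(float(c) * e for c, e in zip(B[i], star[j])) / norms[j]
                v = [a - mu[i][j] * b for a, b in zip(v, star[j])]
            star.append(v)
            norms.append(sum(c * c for c in v))
        return mu, norms

    mu, norms = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):  # size-reduce b_k against b_j; b*_k is unchanged, mu[k] shifts
            if c := round(mu[k][j]):
                B[k] = [a - c * b for a, b in zip(B[k], B[j])]
                for i in range(j):
                    mu[k][i] -= c * mu[j][i]
                mu[k][j] -= c
        if norms[k] >= (delta - mu[k][k - 1] ** 2) * norms[k - 1]:  # Lovasz condition
            k += 1
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            mu, norms = gram_schmidt()
            k = max(k - 1, 1)
    return B


def recover_private_key(params, y, sigs, l_bits=L_BITS):
    """s = k^-1 (h + x r) with k = 2^l k' gives k'_i = a_i x + b_i (mod q), 0 <= k'_i < q / 2^l:
    a hidden number problem whose solution x sits in a short vector of the lattice spanned below."""
    p, q, g = params
    w, n = 1 << l_bits, len(sigs)
    inv = [pow(w * s, -1, q) for _, _, s in sigs]
    a = [c * r % q for c, (_, r, _) in zip(inv, sigs)]
    b = [c * h % q for c, (h, _, _) in zip(inv, sigs)]
    basis = [[q * w if j == i else 0 for j in range(n + 2)] for i in range(n)]
    basis.append([w * ai for ai in a] + [1, 0])  # x*(this) + (next) - sum_i m_i*(q w e_i)
    basis.append([w * bi for bi in b] + [0, q])  #   = (w k'_1, ..., w k'_n, x, q): every entry < q
    for v in lll_reduce(basis):
        if abs(v[-1]) == q:  # candidate target vector (maybe negated): confirm against the public key
            x = (v[n] if v[-1] > 0 else -v[n]) % q
            if pow(g, x, p) == y:
                return x
    return None


def demo(seed=7, n_sigs=14):
    rng = random.Random(seed)
    p, q, g = params = toy_dsa_params(rng)
    x = rng.randrange(1, q)
    y = pow(g, x, p)
    hashes = [int.from_bytes(hashlib.sha256(b"msg-%d" % i).digest(), "big") % q for i in range(n_sigs)]
    sigs = [glitched_sign(params, x, h, rng) for h in hashes]
    return x, recover_private_key(params, y, sigs), all(dsa_verify(params, y, *sig) for sig in sigs)
```

`demo()` returns the true key, the recovered key and whether every glitched signature passes ordinary DSA verification; the last value is the point of the glitch, since the card emits signatures that look perfectly valid. Setting `L_BITS = 16` (two bytes reset) lets `recover_private_key` succeed with fewer signatures, matching the abstract's remark. For a real 160-bit or 256-bit q the same lattice has around 30 rows of 160-bit entries, and the float Gram-Schmidt here should be replaced by fplll or Sage's LLL/BKZ.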
