International Association for Cryptologic Research

CryptoDB

Experimenting with Faults, Lattices and the DSA

Authors:
David Naccache
Phong Q. Nguyen
Michael Tunstall
Claire Whelan
Download:
URL: http://eprint.iacr.org/2004/277
Abstract: We present an attack on DSA smart-cards which combines physical fault injection and lattice reduction techniques. This seems to be the first (publicly reported) physical experiment allowing to concretely pull-out DSA keys out of smart-cards. We employ a particular type of fault attack known as a glitch attack, which will be used to actively modify the DSA nonce k used for generating the signature: k will be tampered with so that a number of its least significant bytes will flip to zero. Then we apply well-known lattice attacks on El Gamal-type signatures which can recover the private key, given sufficiently many signatures such that a few bits of each corresponding k are known. In practice, when one byte of each k is zeroed, 27 signatures are sufficient to disclose the private key. The more bytes of k we can reset, the fewer signatures will be required. This paper presents the theory, methodology and results of the attack as well as possible countermeasures.
BibTeX
@misc{eprint-2004-12243,
  title={Experimenting with Faults, Lattices and the DSA},
  booktitle={IACR Eprint archive},
  keywords={implementation / DSA, public key, smart cards, faults, attacks},
  url={http://eprint.iacr.org/2004/277},
  note={To be presented at PKC 2005 david.naccache@gemplus.com 12741 received 24 Oct 2004, last revised 19 Nov 2004},
  author={David Naccache and Phong Q. Nguyen and Michael Tunstall and Claire Whelan},
  year=2004
}