Two lattice-based differential fault attacks against ECDSA with ωNAF algorithm

Abstract

Elliptic curve cryptosystem (ECC) is widely used in cryptographic device. Despite its solid mathematical security, ECC is still vulnerable to many kinds of physical attacks. In this paper, we present two new lattice-based differential fault attacks (DFA) against the famous ECC signature algorithm standard-ECDSA with wNAF algorithm of scalar multiplication. Compared with the fault attack proposed in Crypto’2000, our first attack adopts a different way to deduce parts of the nonce k. The former recovered parts of k mainly by guessing technique, while our attack combines the guessing technique and solving equation with one unknown. So our attack is applicable for the weaker attack scenes allowing more random faulty bits. In our second proposed attack, instead of injecting faults during calculating kG, we focus on injecting faults during calculating ωNAF transformation of k before calculating kG. If the targets during ωNAF transformation of k are skipped by fault injection, we can build some DFA models to retrieve parts of k. In both of the two attacks, the attacker can mount lattice attack to recover the private key in ECDSA with the derived parts of k. Finally, we verify the feasibility of our proposed attacks by experiments.