2005
DOI: 10.1007/978-3-540-30580-4_3
|View full text |Cite
|
Sign up to set email alerts
|

Experimenting with Faults, Lattices and the DSA

Abstract: Abstract. We present an attack on DSA smart-cards which combines physical fault injection and lattice reduction techniques. This seems to be the first (publicly reported) physical experiment allowing to concretely pull-out DSA keys out of smart-cards. We employ a particular type of fault attack known as a glitch attack, which will be used to actively modify the DSA nonce k used for generating the signature: k will be tampered with so that a number of its least significant bytes will flip to zero. Then we apply… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
2
2
1

Citation Types

1
44
0

Year Published

2005
2005
2013
2013

Publication Types

Select...
7

Relationship

1
6

Authors

Journals

citations
Cited by 61 publications
(45 citation statements)
references
References 16 publications
1
44
0
Order By: Relevance
“…The lattice-based fault attack was also presented by Naccache et al [17]. Their attack is based on faults inducted into random integer k in order to force a number of the least significant bytes (LSBs) of k to flip to 0.…”
Section: Related Workmentioning
confidence: 99%
See 1 more Smart Citation
“…The lattice-based fault attack was also presented by Naccache et al [17]. Their attack is based on faults inducted into random integer k in order to force a number of the least significant bytes (LSBs) of k to flip to 0.…”
Section: Related Workmentioning
confidence: 99%
“…Afterwards the attacker applies lattice attack on the ElGamal-like signature which can recover private key, given sufficiently many signatures such that a few bits of corresponding k are zeroed. As presented in [17], when one LSB of each k is zeroed, then 27 signatures are sufficient to disclose the private key. In their paper Naccache et al presented theory and methodology of the attack as well as possible countermeasures (e.g.…”
Section: Related Workmentioning
confidence: 99%
“…Random Order: If all the functions are conducted in a random order it will not be possible to determine any relationship between a cache hit/miss and the actual values being manipulated, which can either be implemented in hardware [13] or software [9].…”
Section: Countermeasuresmentioning
confidence: 99%
“…An example of this is given in [9] for copying 256 bytes from buffer A to buffer B and is detailed in Algorithm 4. The same principle can be applied to the loop in the ByteSub and MixColumn function so that an attacker does not know which of the 16!…”
Section: Countermeasuresmentioning
confidence: 99%
“…At PKC 2005, Naccache et al [21] employed glitch attacks to ensure that the least significant bytes of the nonces were flipped to zero, allowing the authors to apply the same lattice techniques to recover keys from real smart cards. Recently, Liu and Nguyen [19] developed a new algorithm which allowed them to recover 160-bit keys with only 2 leaked nonce bits.…”
Section: Introductionmentioning
confidence: 99%