Bit-Flip Faults on Elliptic Curve Base Fields, Revisited

  • Taechan Kim
  • Mehdi Tibouchi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8479)


As part of their investigation of fault attacks on elliptic curve cryptosystems, Ciet and Joye showed, back in 2003, that perturbing the value representing the cardinality of the base field in a physical implementation of ECC could result in a partial key recovery. They had to assume, however, that the perturbed computation would “succeed” in some sense, and that is rather unlikely to happen in practice.

In this paper, we extend their analysis and show that, in a somewhat stronger fault model, full key recovery is possible with a single fault. For example, our fault attack typically reduces 256-bit ECDLP to solving discrete logarithm problems in a few random elliptic curves over fields of less than 60 bits, which typically takes a matter of seconds. More generally, the asymptotic complexity of ECDLP becomes heuristically subexponential under our fault attack.

Our attack also extends to a very efficient full key recovery attack on ECDSA with two faulty signatures.


Keywords: Elliptic Curve Cryptography, Fault Analysis, ECDSA



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Taechan Kim (1)
  • Mehdi Tibouchi (2)
  1. Seoul National University, South Korea
  2. NTT Secure Platform Laboratories, Japan
