Common Points on Elliptic Curves: The Achilles’ Heel of Fault Attack Countermeasures

  • Alberto BattistelloEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8622)


Elliptic curve cryptosystems offer many advantages over RSA-like cryptography, such as speed and memory saving. Nonetheless the advent of side-channel and fault-injection attacks mined the security of such implementations. Several countermeasures have been devised to thwart these threats, so that simple attacks on state-of-the-art secured implementations seem unlikely. We took up the challenge and show that a simple fault attack using a very relaxed fault model can defeat well known countermeasures. After introducing the notion of common points, we exhibit a new fault-injection attack that breaks state-of-the-art secured implementations. Our new attack is particularly dangerous since no control on the injected error is required and only one fault is sufficient to retrieve the secret.


Elliptic curves Fault attack Common points 



I am grateful to Christophe Giraud for the many fruitful discussions and the time he spent to help me writing this paper. I would also like to thank Guillaume Barbu, Laurie Genelle, Emmanuelle Dottax, Franck Rondepierre and the anonymous reviewers of COSADE 2014 for their helpful comments.


  1. 1.
    Antipa, A., Brown, D., Menezes, A., Struik, R., Vanstone, S.: Validation of elliptic curve public keys. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 211–223. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  2. 2.
    Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000) CrossRefGoogle Scholar
  3. 3.
    Blömer, J., Otto, M., Seifert, J.-P.: Sign change fault attacks on elliptic curve cryptosystems. In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.-P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 36–52. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  4. 4.
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997) CrossRefGoogle Scholar
  5. 5.
    Bos, J.W., Kaihara, M.E., Kleinjung, T., Lenstra, A.K., Montgomery, P.L.: Solving a 112-bit prime elliptic curve discrete logarithm problem on game consoles using sloppy reduction. IJACT 2(3), 212–228 (2012)CrossRefzbMATHMathSciNetGoogle Scholar
  6. 6.
    Ciet, M., Joye, M.: Elliptic curve cryptosystems in the presence of permanent and transient faults. Des. Codes Crypt. 36(1), 33–43 (2005)CrossRefzbMATHMathSciNetGoogle Scholar
  7. 7.
    Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  8. 8.
    Fan, J., Gierlichs, B., Vercauteren, F.: To infinity and beyond: combined attack on ECC using points of low order. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 143–159. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  9. 9.
    Faugère, J.-C., Goyet, C., Renault, G.: Attacking (EC)DSA given only an implicit hint. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 252–274. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  10. 10.
    FIPS PUB 186–4. Digital Signature Standard. National Institute of Standards and Technology, July 2013Google Scholar
  11. 11.
    Fouque, P., Lercier, R., Réal, D., Valette, F.: Fault attack on elliptic curve montgomery ladder implementation. In: Breveglieri, L., Gueron, S., Koren, I., Naccache, D., Seifert, J.-P. (eds.) Fault Diagnosis and Tolerance in Cryptography - FDTC 2008, pp. 92–98. IEEE Computer Society (2008)Google Scholar
  12. 12.
    Goubin, L.: A refined power-analysis attack on elliptic curve cryptosystem. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 199–211. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  13. 13.
    Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987)CrossRefzbMATHMathSciNetGoogle Scholar
  14. 14.
    Kocher, P., Jaffe, J., Jun, B.: Introduction to differential power analysis and related attacks. Technical report, Cryptography Research Inc. (1998)Google Scholar
  15. 15.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  16. 16.
    Lim, C.H., Lee, P.J.: A key recovery attack on discrete log-based schemes using a prime order subgroup. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997) CrossRefGoogle Scholar
  17. 17.
    Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986) CrossRefGoogle Scholar
  18. 18.
    Pollard, J.: Monte Carlo methods for index computation (mod p). Math. Comput. 32, 918–924 (1978)zbMATHMathSciNetGoogle Scholar
  19. 19.
    Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)CrossRefzbMATHMathSciNetGoogle Scholar
  20. 20.
    Schoof, R., Schoof, P.R.E.: Counting points on elliptic curves over finite fields. J. Théor. Nombres Bordeaux 7(1), 219–254 (1995)CrossRefzbMATHMathSciNetGoogle Scholar
  21. 21.
    Standards for Efficient Cryptography Group (SECG). SEC 2 Ver 2.0 : Recommended Elliptic Curve Domain Parameters. Certicom Research, January 2010Google Scholar
  22. 22.
    The PARI-Group. Pari/gp, version 2.5.3, Bordeaux (2013).

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. 1.Cryptography and Security GroupOberthur TechnologiesPessacFrance
  2. 2.Versailles Saint-Quentin-en-Yvelines UniversityVersailles CedexFrance

Personalised recommendations