Lattice-Based Fault Attacks Against ECMQV

  • Weiqiong Cao
  • Hua ChenEmail author
  • Jingyi Feng
  • Limin Fan
  • Wenling Wu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10815)


ECMQV is a standardized key agreement protocol based on ECC with an additional implicit signature authentication. In this paper we investigate the vulnerability of ECMQV against fault attacks and propose two efficient lattice-based fault attacks. In our attacks, by inducing a storage fault to the ECC parameter a before the execution of ECMQV, we can construct two kinds of weak curves and successfully pass the public-key validation step in the protocol. Then, by solving ECDLP and using a guess-and-determine method, some information of the victim’s temporary private key and the implicit-signature result can be deduced. Based on the retrieved information, we build two new lattice-attack models and recover the upper half of the static private key. Compared with the previous lattice-attack models, our models relax the attack conditions and do not require the exact partial knowledge of the nonces. The validity of the attacks is proven by experimental simulations, which show our attacks pose real threats to the unprotected ECMQV implementations since only one permanent fault is sufficient to retrieve half bits of the secret key.


ECC Fault attack Lattice attack ECMQV 



We thank the anonymous reviewers for their careful reading and insightful comments. This work is supported by China’s National Cryptography Development Fund (No. MMJJ20170214 and No. MMJJ20170211), National Natural Science Foundation (No. 61672509) and National Science and Technology Major Project (No. 2014ZX01032401-001).


  1. 1.
    Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986). Scholar
  2. 2.
    Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000). Scholar
  3. 3.
    Ciet, M., Joye, M.: Elliptic curve cryptosystems in the presence of permanent and transient faults. Des. Codes Crypt. 36(1), 33–43 (2005)MathSciNetCrossRefGoogle Scholar
  4. 4.
    Kim, T., Tibouchi, M.: Bit-flip faults on elliptic curve base fields, revisited. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 163–180. Springer, Cham (2014). Scholar
  5. 5.
    Blömer, J., Otto, M., Seifert, J.-P.: Sign change fault attacks on elliptic curve cryptosystems. In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.-P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 36–52. Springer, Heidelberg (2006). Scholar
  6. 6.
    Schmidt, J., Medwed, M.: A fault attack on ECDSA. In: 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 93–99. IEEE (2009)Google Scholar
  7. 7.
    Fan, J., Gierlichs, B., Vercauteren, F.: To infinity and beyond: combined attack on ECC using points of low order. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 143–159. Springer, Heidelberg (2011). Scholar
  8. 8.
    Elkamchouchi, H.M., Abu Elkair, E.F.: An efficient protocol for authenticated key agreement. Des. Codes Crypt. 28(2), 119–134 (2003)MathSciNetCrossRefGoogle Scholar
  9. 9.
    IEEE Std: 1363-2000 - IEEE standard specifications for public-key cryptography, pp. 1–228. IEEE Computer Society, August 2000Google Scholar
  10. 10.
    Alberta Teachers’ Association: Public key cryptography for the financial services industry, key agreement and key transport using elliptic curve cryptography. Speculum 81(2), 566–569 (2006)Google Scholar
  11. 11.
    Office of State Commercial Cryptgraphy Administration: Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves (2010, in Chinese).
  12. 12.
    Yeh, H.T., Sun, H.M., Hwang, T.: Improved authenticated multiple-key agreement protocol. Comput. Math. Appl. 46(2), 207–211 (2003)MathSciNetCrossRefGoogle Scholar
  13. 13.
    Kaliski, B.S.: An unknown key-share attack on the MQV key agreement protocol. ACM Trans. Inf. Syst. Secur. 4(3), 275–288 (2001)CrossRefGoogle Scholar
  14. 14.
    Antipa, A., Brown, D., Menezes, A., Struik, R., Vanstone, S.: Validation of elliptic curve public keys. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 211–223. Springer, Heidelberg (2003). Scholar
  15. 15.
    Leadbitter, P.J., Smart, N.P.: Analysis of the insecurity of ECMQV with partially known nonces. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 240–251. Springer, Heidelberg (2003). Scholar
  16. 16.
    Menezes, A., Ustaoglu, B.: On the importance of public-key validation in the MQV and HMQV key agreement protocols. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 133–147. Springer, Heidelberg (2006). Scholar
  17. 17.
    Menezes, A.: Another look at HMQV. JMC 1(1), 47–64 (2007)MathSciNetCrossRefGoogle Scholar
  18. 18.
    Hankerson, D., Menezes, A.J., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer, Heidelberg (2004). Scholar
  19. 19.
    Lenstra, H.W., Lenstra, A.K., Lovfiasz, L.: Factoring polynomials with rational coefficients. Mathematische Ann. 261, 515–534 (1982)MathSciNetCrossRefGoogle Scholar
  20. 20.
    Schnorr, C.P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53(2–3), 201–224 (1987)MathSciNetCrossRefGoogle Scholar
  21. 21.
    Babai, L.: On Lovász’ lattice reduction and the nearest lattice point problem (shortened version). Combinatorica 6(1), 1–13 (1986)MathSciNetCrossRefGoogle Scholar
  22. 22.
    Nguyen, P.Q., Stern, J.: Lattice reduction in cryptology: an update. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 85–112. Springer, Heidelberg (2000). Scholar
  23. 23.
    Ajtai, M.: Generating random lattices according to the invariant distribution. Draft of March (2006)Google Scholar
  24. 24.
    Battistello, A.: Common points on elliptic curves: the Achilles’ heel of fault attack countermeasures. In: Prouff, E. (ed.) COSADE 2014. LNCS, vol. 8622, pp. 69–81. Springer, Cham (2014). Scholar
  25. 25.
    Schoof, R.: Counting points on elliptic curves over finite fields. J. de Theorie des Nombres de Bordeaux 7(1), 219–254 (1995)MathSciNetCrossRefGoogle Scholar
  26. 26.
    Bos, J.W., Kaihara, M.E., Kleinjung, T., Lenstra, A.K., Montgomery, P.L.: Solving a 112-bit prime elliptic curve discrete logarithm problem on game consoles using sloppy reduction. Int. J. Appl. Crypt. 2(3), 212–228 (2012)MathSciNetCrossRefGoogle Scholar
  27. 27.
    Shoup, V.: Number Theory C++ Library (NTL) version 9.6.4. (2016).

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Weiqiong Cao
    • 1
  • Hua Chen
    • 1
    Email author
  • Jingyi Feng
    • 1
  • Limin Fan
    • 1
  • Wenling Wu
    • 1
  1. 1.Trusted Computing and Information Assurance Laboratory, Institute of SoftwareChinese Academy of SciencesBeijingPeople’s Republic of China

Personalised recommendations