
Lattice-Based Fault Attacks on Deterministic Signature Schemes of ECDSA and EdDSA

  • Conference paper
Topics in Cryptology – CT-RSA 2022 (CT-RSA 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13161)

Abstract

The deterministic ECDSA and EdDSA signature schemes have found many applications since their publication, e.g., blockchain and the Internet of Things, and have been specified by the IETF in RFC 6979 and RFC 8032, respectively. Their theoretical security can be guaranteed within certain well-defined models, and since the algorithms no longer require randomness, the practical risks arising from flawed random number generators are mitigated. However, the situation is not entirely reassuring, since it has gradually been found that carefully designed fault attacks can threaten the practical security of the schemes.

In this paper, based on random fault models of intermediate values during signature generation, we propose a lattice-based fault analysis method for the deterministic ECDSA and EdDSA algorithms. By virtue of the algebraic structures of the deterministic algorithms, we show that, when provided with some faulty signatures and an associated correct signature of the same input message, instances of SVP or CVP in a lattice can be constructed to recover the signing key. The number of faulty bits the method tolerates is close to the size of the signing key, and clearly larger than that allowed by the existing differential fault attacks. In addition, the lattice-based approach supports more alternative targets of fault injection, which further improves its applicability compared with the existing approaches.

We perform some experiments to demonstrate the effectiveness of the key recovery method. In particular, for the deterministic ECDSA/EdDSA algorithms with a 256-bit signing key, the key can be recovered efficiently with significant probability even if the targets are affected by 250/247 faulty bits. However, this is impractical for the existing enumerating approaches.



Acknowledgment

We thank the anonymous reviewers for their careful reading and insightful comments. This work is supported by the National Natural Science Foundation of China (No. 62172395) and the National Key Research and Development Program of China (No. U1936209).

A Appendix

This appendix describes the attacks on deterministic ECDSA and EdDSA for the remaining targets listed in Table 1, including the attacks with targets k, \(k^{-1}\), e, rd, \(e+rd\) and d during the calculation of s, and the attacks that take the hash functions generating e and r as fault targets.

A.1 Fault Attacks with Target k During the Calculation of s to Deterministic ECDSA

Suppose the adversary decides to inject a fault into k before it is used in the calculation of s. After obtaining a correct signature for a message m (chosen by the adversary in advance), the adversary tries to obtain \(N-1\) faulty signatures with the same message m as input and k as the target.

Step 1: inject a fault into k during the calculation of s

When a fault is injected into k, we have \(k_i=k+\varepsilon_i 2^{l_i}\) for \(i=1,\ldots,N-1\), where \(\varepsilon_i\) is a random number satisfying \(-2^w< \varepsilon_i< 2^w < n\) and \(l_i = f-w \text{ or } 0\) (see Sect. 3.1). The correct signature \((r, s_0)\) and the \(N-1\) faulty ones \((r, s_i)\) for the same input message m can be represented as

$$\begin{aligned} \left\{ \begin{array}{l} k = s_0^{-1}\left( e + rd \right) \bmod n\\ k + \varepsilon_i 2^{l_i} = s_i^{-1}\left( e + rd \right) \bmod n \quad (i = 1,\ldots,N-1). \end{array} \right. \end{aligned} \tag{18}$$

Step 2: recover the private key d by solving SVP

After reduction, Eq. (18) can be transformed into

$$\begin{aligned} \varepsilon_i = \left( s_i^{-1} - s_0^{-1} \right) 2^{-l_i}\left( e + rd \right) \bmod n. \end{aligned} \tag{19}$$

Let \(A_i=(s_i^{-1} - s_0^{-1})2^{-l_i}\bmod n\) and \(D=(e + rd)\bmod n\). There must exist \(h_i\in \mathbb{Z}\) for \(i = 1,\ldots,N-1\) such that

$$\begin{aligned} \varepsilon_i = A_iD + h_in, \end{aligned} \tag{20}$$

where D is a fixed value due to the same input message m for all the signature queries.

Equation (20) is exactly Eq. (4). Then following the general strategy described in Sect. 3.2, if \({{w<f - \log \sqrt{2\pi e}}}\) and \(N \gg 1 + \frac{{f + \log \sqrt{2\pi e}}}{{f - w - \log \sqrt{2\pi e}}}\), D can be found by solving an instance of SVP and subsequently the private key d can be recovered by virtue of the equation

$$\begin{aligned} d = r^{-1}(D - e)\bmod n. \end{aligned}$$

A.2 Fault Attacks with Target \(k^{-1}\bmod n\) During the Calculation of s to Deterministic ECDSA

Suppose the adversary decides to inject a fault into \(k^{-1}\bmod n\) (after it has been generated by modular inversion of k) before it is used in the calculation of s. After obtaining a correct signature for a message m, the adversary tries to obtain \(N-1\) faulty signatures with the same message m as input and \(k^{-1}\) as the target.

Step 1: inject a fault into \(k^{-1}\bmod n\) during the calculation of s

When a fault is injected into \(k^{-1}\bmod n\) derived from k, we have \(k^{-1}_i=k^{-1}+\varepsilon_i 2^{l_i}\bmod n\) for \(i=1,\ldots,N-1\), where \(\varepsilon_i\) is a random number satisfying \(-2^w< \varepsilon_i < 2^w\), w is a preset value and \(l_i = f-w \text{ or } 0\) (see Sect. 3.1). The correct signature \((r, s_0)\) and the \(N-1\) faulty signatures \((r, s_i)\) for the same input message m can be represented as

$$\begin{aligned} \left\{ \begin{array}{l} s_0 = k^{-1}\left( e + rd \right) \bmod n\\ s_i = \left( k^{-1} + \varepsilon_i 2^{l_i} \right) \left( e + rd \right) \bmod n \quad (i = 1,\ldots,N-1). \end{array} \right. \end{aligned} \tag{21}$$

Step 2: recover the private key d by solving SVP

After reduction, Eq. (21) can be transformed into

$$\begin{aligned} \varepsilon_i = \left( e + rd \right)^{-1}\left( s_i - s_0 \right) 2^{-l_i}\bmod n. \end{aligned} \tag{22}$$

Let \(A_i=(s_i - s_0)2^{-l_i} \bmod n\) and \(D=(e + rd)^{-1}\bmod n\). There must exist \(h_i\in \mathbb{Z}\) for \(i = 1,\ldots,N-1\) such that

$$\begin{aligned} \varepsilon_i = A_iD + h_in, \end{aligned} \tag{23}$$

where D is a fixed value due to the same input message m for all the signature queries.

Equation (23) is exactly Eq. (4). Then following the general strategy described in Sect. 3.2, if \({{w<f - \log \sqrt{2\pi e}}}\) and \(N \gg 1 + \frac{{f + \log \sqrt{2\pi e}}}{{f - w - \log \sqrt{2\pi e}}}\), D can be found by solving an instance of SVP and subsequently the private key d can be recovered by virtue of the equation

$$\begin{aligned} d = r^{-1}(D^{-1} - e) \bmod n. \end{aligned}$$

A.3 Fault Attacks with Target d During the Calculation of s to Deterministic ECDSA

Suppose the adversary decides to inject a fault into d before it is used in the calculation of s. After obtaining a correct signature for a message m, the adversary tries to obtain \(N-1\) faulty signatures with the same message m as input and d as the target.

Step 1: inject a fault into d during the calculation of s

When a fault is injected into d, we have \(d_i=d +\varepsilon_i 2^{l_i}\) for \(i=1,\ldots,N-1\), where \(\varepsilon_i\) is a random number satisfying \(-2^w< \varepsilon_i < 2^w\), w is a preset value and \(l_i = f-w \text{ or } 0\) (see Sect. 3.1). The correct signature \((r, s_0)\) and the \(N-1\) faulty signatures \((r, s_i)\) for the same input message m can be represented as

$$\begin{aligned} \left\{ \begin{array}{l} s_0 = k^{-1}\left( e + rd \right) \bmod n\\ s_i = k^{-1}\left( e + r(d + \varepsilon_i 2^{l_i}) \right) \bmod n \quad (i = 1,\ldots,N-1). \end{array} \right. \end{aligned} \tag{24}$$

Step 2: recover the private key d by solving SVP

After reduction, Eq. (24) can be transformed into

$$\begin{aligned} \varepsilon_i = \left( s_i - s_0 \right) 2^{-l_i} r^{-1} k \bmod n. \end{aligned} \tag{25}$$

Let \(A_i=\left( s_i - s_0 \right) r^{-1} 2^{-l_i}\bmod n\) and \(D=k\bmod n\). There must exist \(h_i\in \mathbb{Z}\) for \(i = 1,\ldots,N-1\) such that

$$\begin{aligned} \varepsilon_i = A_iD + h_in, \end{aligned} \tag{26}$$

where D is a fixed value due to the same input message m for all the signature queries.

Equation (26) is exactly Eq. (4). Then following the general strategy described in Sect. 3.2, if \({{w<f - \log \sqrt{2\pi e}}}\) and \(N \gg 1 + \frac{{f + \log \sqrt{2\pi e}}}{{f - w - \log \sqrt{2\pi e}}}\), D can be found by solving an instance of SVP and subsequently the private key d can be recovered by virtue of the equation

$$\begin{aligned} d = {r^{ - 1}}\left( {D{s_0} - e} \right) \bmod n. \end{aligned}$$

A.4 Fault Attacks with Targets e, rd and \(e+rd\) During the Calculation of s to Deterministic ECDSA

If the targets e, rd and \(e+rd\) are disturbed by fault injection, the same model of key recovery can be constructed. Therefore, for simplicity, we define mv as any one of the three targets, that is, mv could be e, rd or \(e+rd\). Suppose the adversary decides to inject a fault into mv before it is used in the calculation of s. After obtaining a correct signature for a message m, the adversary tries to obtain \(N-1\) faulty signatures with the same message m as input and mv as the target.

Step 1: inject a fault into mv during the calculation of s

When a fault is injected into mv, we have \(mv_i=mv +\varepsilon_i 2^{l_i}\) for \(i=1,\ldots,N-1\), where \(\varepsilon_i\) is a random number satisfying \(-2^w< \varepsilon_i < 2^w\), w is a preset value and \(l_i = f-w \text{ or } 0\) (see Sect. 3.1). The correct signature \((r, s_0)\) and the \(N-1\) faulty ones \((r, s_i)\) for the same input message m can be represented as

$$\begin{aligned} \left\{ \begin{array}{l} s_0 = k^{-1}\left( e + rd \right) \bmod n\\ s_i = k^{-1}\left( e + rd + \varepsilon_i 2^{l_i} \right) \bmod n \quad (i = 1,\ldots,N-1). \end{array} \right. \end{aligned} \tag{27}$$

Step 2: recover the private key d by solving SVP

After reduction, Eq. (27) can be transformed into

$$\begin{aligned} \varepsilon_i = \left( s_i - s_0 \right) 2^{-l_i} k \bmod n. \end{aligned} \tag{28}$$

Let \(A_i=\left( s_i - s_0 \right) 2^{-l_i}\bmod n\) and \(D=k\bmod n\). There must exist \(h_i\in \mathbb{Z}\) for \(i = 1,\ldots,N-1\) such that

$$\begin{aligned} \varepsilon_i = A_iD + h_in, \end{aligned} \tag{29}$$

where D is a fixed value due to the same input message m for all the signature queries.

Equation (29) is exactly Eq. (4). Then following the general strategy described in Sect. 3.2, if \({{w<f - \log \sqrt{2\pi e}}}\) and \(N \gg 1 + \frac{{f + \log \sqrt{2\pi e}}}{{f - w - \log \sqrt{2\pi e}}}\), D can be found by solving an instance of SVP. Naturally, as mentioned above, the private key d can be recovered by virtue of D.
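The reductions in A.1 to A.4 can be checked numerically. The Python sketch below is an added example, not code from the paper: it simulates the faulty computation of s modulo the order n of NIST P-256 and confirms, for each target, that \(\varepsilon_i = A_iD + h_in\) holds and that d follows from D. It assumes f is the bit length of n and w = 250, uses constructed random stand-ins for k, e, r and d, and does not reproduce the SVP step of Sect. 3.2.

```python
import random

# Group order n of NIST P-256 (prime); the relations only need arithmetic mod n.
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
F = N.bit_length()   # assumption: f denotes the bit length of n (256 here)
W = 250              # fault width w, the ECDSA figure quoted in the abstract

def inv(x):
    return pow(x % N, -1, N)

def centered(x):
    """Representative of x mod n in (-n/2, n/2], which removes the h_i * n term."""
    x %= N
    return x - N if x > N // 2 else x

def faulty_s(target, k, e, r, d, delta=0):
    """s = k^-1 (e + r d) mod n with an additive fault delta on one intermediate."""
    kinv = inv(k + delta) if target == "k" else inv(k)
    if target == "kinv":
        kinv += delta
    if target == "d":
        d += delta
    mv = e + r * d + (delta if target == "mv" else 0)
    return kinv * mv % N

def coeff_A(target, s0, si, r, l):
    """A_i as defined before Eq. (20), (23), (26) and (29)."""
    shift = inv(pow(2, l, N))
    if target == "k":
        return (inv(si) - inv(s0)) * shift % N
    if target == "d":
        return (si - s0) * inv(r) * shift % N
    return (si - s0) * shift % N          # targets k^-1 and mv = e, rd, e+rd

def hidden_D(target, k, e, r, d):
    """The fixed unknown D that the SVP instance is built to find."""
    if target == "k":
        return (e + r * d) % N
    if target == "kinv":
        return inv(e + r * d)
    return k % N

def key_from_D(target, D, s0, e, r):
    """Closing equation of A.1 to A.3; A.4 shares D = k with A.3."""
    if target == "k":
        return inv(r) * (D - e) % N
    if target == "kinv":
        return inv(r) * (inv(D) - e) % N
    return inv(r) * (D * s0 - e) % N

def check_target(target, faults=8, seed=2022):
    """Simulate faults on one target; True if every relation of the appendix holds."""
    rng = random.Random(seed)
    k, e, r, d = (rng.randrange(1, N) for _ in range(4))  # constructed values
    s0 = faulty_s(target, k, e, r, d)
    D = hidden_D(target, k, e, r, d)
    for _ in range(faults):
        eps = rng.randrange(-(2**W) + 1, 2**W)
        l = rng.choice((0, F - W))
        si = faulty_s(target, k, e, r, d, eps << l)
        if centered(coeff_A(target, s0, si, r, l) * D) != eps:
            return False
    return key_from_D(target, D, s0, e, r) == d

if __name__ == "__main__":
    for t in ("k", "kinv", "d", "mv"):
        print(t, check_target(t))
```

Because \(|\varepsilon_i| < 2^w < n/2\), reducing \(A_iD\) to the centered residue recovers \(\varepsilon_i\) exactly, which is the smallness the lattice step relies on.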

A.5 Fault Attacks with Targets During the Calculation of e to Deterministic ECDSA

As introduced in Appendix A.4, if a fault injected into e before it is used in the calculation of s yields valid \(e_i\) satisfying \(e_i=e+\varepsilon_i 2^{l_i}\) (\(-2^w< \varepsilon_i < 2^w\) and \(l_i = f-w \text{ or } 0\)), then Eq. (4) can be constructed to recover the private key in deterministic ECDSA.

Similarly, besides directly injecting a fault into the target “e during the calculation of s”, there are two other fault targets during the calculation of e that can generate valid faulty \(e_i\) for key recovery: “registers before outputting the hash value H(m)” and “last modular additions before outputting the hash value H(m)”. The models of fault injection with these two targets are similar to the ones introduced in Sects. 4.3.2 and 4.3.3, and thereby Eq. (4), in a form similar to that for the target “e during the calculation of s”, can be constructed to recover the private key in deterministic ECDSA.

A.6 Fault Attacks with Targets During the Calculation of r to EdDSA

As introduced in Sect. 4.1.2, if a fault injected into r before it is used in the calculation of s yields valid \(r_i\) satisfying \(r_i=r+\varepsilon_i 2^{l_i}\) (\(-2^w< \varepsilon_i < 2^w\), \(w<f - \log \sqrt{2\pi e}\) and \(l_i + w \le f\)), then Eq. (4) can be constructed to recover the private key in EdDSA.

Similarly, besides directly injecting a fault into the target “r during the calculation of s”, there are three other fault targets during the calculation of r that can generate valid faulty \(r_i\) for key recovery: “registers before outputting hash value H(RPm)”, “last modular additions before outputting hash value H(RPm)” and “hash value H(RPm) during the reduction of r”. The models of fault injection with these three targets are similar to the ones in Sects. 4.3.2, 4.3.3 and 4.3.4, and thereby Eq. (4), in a form similar to that for the target “r during the calculation of s”, can be constructed to recover the private key in EdDSA.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Cao, W., Shi, H., Chen, H., Chen, J., Fan, L., Wu, W. (2022). Lattice-Based Fault Attacks on Deterministic Signature Schemes of ECDSA and EdDSA. In: Galbraith, S.D. (eds) Topics in Cryptology – CT-RSA 2022. CT-RSA 2022. Lecture Notes in Computer Science, vol 13161. Springer, Cham. https://doi.org/10.1007/978-3-030-95312-6_8

  • DOI: https://doi.org/10.1007/978-3-030-95312-6_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-95311-9

  • Online ISBN: 978-3-030-95312-6

  • eBook Packages: Computer Science, Computer Science (R0)
