[cryptography] Fault attacks on Bitcoin's secp256k1

Ondrej Mikle ondrej.mikle at nic.cz
Sun Jun 29 16:25:36 EDT 2014

Could anyone give an example what flaws a secp256k1 implementation needs to have
in order to succumb to the fault attack described in this tweet:
https://twitter.com/pbarreto/status/392415079934615552 ?

It mentions that an implementation is susceptible "unless the implementation
checks everything", but doesn't go into details.

I don't understand the fault attacks much, but IIRC it requires a raw point that
is not on the curve to enter an incorrectly written algorithm. I don't see where
the problematic raw point comes into play.


More information about the cryptography mailing list