[cryptography] Fault attacks on Bitcoin's secp256k1

Billy Brumley bbrumley at gmail.com
Mon Jun 30 11:49:58 EDT 2014

I think they are mixing attacks. "Checking input/output points" has to
do with when you have a fault when you're computing scalar
multiplication, or in a protocol where an attacker can send you a
point that isn't actually on the curve you're expecting. So it's a
false curve attack or fault attack depending on the scenario. (OpenSSL
checks the input point BTW.)

Then they start talking about (I believe) the Barenghi et al paper
"Fault Attack to the Elliptic Curve Digital Signature Algorithm with
Multiple Bit Faults" that really has to do with faults in the second half
of an (EC)DSA signature. If you want to know what kind of faults they
need, read all about it in Sec 3. I haven't fully read the paper but
I'm guessing verifying the signature before you release it is the
no-brainer countermeasure. There are surely more clever ways to
prevent it.

What cryptosystems, and furthermore protocols, you can attack and how
you carry out the attack very much depend on the nature of the
fault/defect and the details of the protocol.

Shameless self promotion: https://eprint.iacr.org/2011/633


On Sun, Jun 29, 2014 at 1:25 PM, Ondrej Mikle <ondrej.mikle at nic.cz> wrote:
> Could anyone give an example what flaws a secp256k1 implementation needs to have
> in order to succumb to the fault attack described in this tweet:
> https://twitter.com/pbarreto/status/392415079934615552 ?
> It mentions that an implementation is susceptible "unless the implementation
> checks everything", but doesn't go into details.
> I don't understand the fault attacks much, but IIRC it requires a raw point that
> is not on the curve to enter an incorrectly written algorithm. I don't see where
> the problematic raw point comes into play.
> Regards,
>   Ondrej
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
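An added example, not code from this thread, from OpenSSL or from the Barenghi et al. paper: a toy pure-Python secp256k1/ECDSA that implements the two defences discussed above, rejecting an input point that is not on the curve before any scalar multiplication (the false-curve case) and verifying every signature before it is released so that a fault landing in s is withheld rather than leaked. The `fault_mask` parameter and all function names are this example's own assumptions, and the arithmetic is deliberately simple, not constant-time.

```python
import hashlib
import secrets
# secp256k1 domain parameters (from the public curve standard)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def on_curve(pt):
    # Input-point check: reject infinity and any (x, y) with y^2 != x^3 + 7 (mod p)
    if pt is None: return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - 7) % P == 0
def add(p1, p2):
    # Affine addition/doubling; None stands for the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)
def mul(k, pt):
    # Scalar multiplication that refuses points off the curve (false-curve defence)
    if not on_curve(pt):
        raise ValueError("input point is not on secp256k1")
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc
def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
def verify(Q, msg, sig):
    r, s = sig
    if not on_curve(Q) or not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    R = add(mul(hash_to_int(msg) * w % N, G), mul(r * w % N, Q))
    return R is not None and R[0] % N == r
def sign(d, msg, k=None, fault_mask=0):
    # fault_mask (constructed, for demonstration) simulates bit flips hitting s,
    # the "second half" of the signature that the cited paper targets
    k = k or (secrets.randbelow(N - 1) + 1)
    r = mul(k, G)[0] % N
    s = ((pow(k, -1, N) * (hash_to_int(msg) + r * d)) % N) ^ fault_mask
    # Countermeasure: verify before release, so a faulty signature never leaves
    if not verify(mul(d, G), msg, (r, s)):
        raise RuntimeError("self-check failed: faulty signature withheld")
    return r, s
```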
