Questions tagged [fault-attack]

Attacks that use errors injected at runtime into an implementation of a cryptographic algorithm to cause misbehavior that leaks information about keys or (plaintext) data, instead of (or in addition to) exploiting cryptographic weaknesses. Countermeasures against such attacks also belong here.

Examples include glitching the vcore of a CPU, using electromagnetic glitches, or lasers targeting specific transistors while an implementation performs cryptographic operations.

10 questions
19 votes, 3 answers

Can deterministic ECDSA be protected against fault attacks?

In a paper by Barenghi and Pelosi, it was described that fault attacks could be used to derive the secret key when using deterministic ECDSA as described in RFC6979 by @Thomas_Pornin Deterministic (EC)DSA. The purpose of the attacker in this case…
5 votes, 1 answer

Protecting Ed448 against DPA and fault attacks

There are some papers (1, 2) describing fault attacks in EdDSA. One suggested countermeasure is to add randomness to the input of the first hash call, which outputs a scalar. This paper describes a DPA attack against EdDSA, and suggests a similar…
Conrado

2 votes, 1 answer

Fault attacks inside a loop

I am working on an attack that involves changing a constant inside a loop. Consider the simplified example below: For i=1 to n : j=constant; for i=1 to n': Use J here . . exit for; exit for; In my case, I…
Rick

2 votes, 1 answer

Statistical (ineffective) Fault Attacks on DES

I read this paper: Exploiting Ineffective Fault Inductions on Symmetric Cryptography. I was wondering if the same idea is applicable for DES. I know both algorithms are symmetric but the idea is not the same. I thought if an attacker shot the left…
albert

2 votes, 2 answers

Fault attack on RSA-CRT

I am trying to understand the fault attack on RSA-CRT, and I found an example which I don't know how to solve. I know public modulus $N$, public exponent $e$, a value of faulty signature (where one of the two partial signatures was incorrect) and…
Max

2 votes, 1 answer

The Boneh-DeMillo-Lipton fault attack (RSA CRT)

I am trying to understand the Boneh-DeMillo-Lipton fault attack on RSA CRT signature. Suppose that we sign a message $m$ with RSA-CRT : $d_p = d \bmod (p-1)$ and $d_q = d \bmod (q-1)$ $s_p = h(m)^{d_p} \bmod p$ and $s_q \not= h(m)^{d_q} \bmod q$…
Raoul722

2 votes, 2 answers

How to counter fault injections on smartcards?

Fault injections on smartcards or other hardware seem to be an issue for low risk tolerant environments. What are possible countermeasures to fault injections? From my research, it all depends on what the attacker can do. Assuming they can do everything…
Molo4

2 votes, 0 answers

Information Leakage Due to Fault Propagation in XOR gates

In the concept of Automatic Test Pattern Generation (ATPG), two events are required to perform in sequence: Fault Activation and Fault Propagation. In the case of a linear 2-input XOR gate, without loss of generality, we consider a stuck-at-0 fault…
1 vote, 0 answers

Could a private key recovery via modulus fault attacks be optimised by being able to choose the faulty moduli?

The paper 'Why One Should Also Secure RSA Public Key Elements' describes an attack where an adversary can fully recover a private key by injecting faults into the modulus before exponentiation takes place in a signing operation. Two modes are…
1 vote, 0 answers

AES Fault Attack

Induce random fault (non-zero) error in one byte before MixColumns in Round 9. I get last round key with 32 bit (4 bytes) missing (missing are bytes 1, 8, 11, 14). How can I recover these key bytes without the need of computing 2^32 keys?
nWinter