Secret Key Leakage from PK Perturbation of DLP-based Cryptosystems

Alexandre Berzati¹, Cécile Canovas-Dumas¹, Louis Goubin²
¹ CEA-LETI/MINATEC, 17 rue des Martyrs, 38054 Grenoble Cedex 9, France,
{alexandre.berzati,cecile.dumas}@cea.fr
² Versailles Saint-Quentin-en-Yvelines University,
45 avenue des Etats-Unis, 78035 Versailles Cedex, France
louis.goubin@prism.uvsq.fr

Abstract

Finding efficient countermeasures for cryptosystems against fault attacks is challenged by the constant discovery of flaws in designs. Even elements that do not seem critical, such as public keys, must be protected. From the attacks against RSA [5,4], we develop a new attack on DLP-based cryptosystems, which additionally builds on a lattice analysis [26] to recover DSA public keys from partially known nonces. Based on a realistic fault model, our attack requires only 16 faulty signatures to recover a 160-bit DSA secret key within a few minutes on a standard PC. These results significantly improve on the previous public element fault attack in the context of DLP-based cryptosystems [22].

Keywords: DSA, exponentiation, fault injection, public modulus, lattice reduction.