Alexandre Berzati¹, Cécile Canovas-Dumas¹, Louis Goubin²
¹ CEA-LETI/MINATEC, 17 rue des Martyrs, 38054 Grenoble Cedex 9, France,
² Versailles Saint-Quentin-en-Yvelines University,
45 avenue des Etats-Unis, 78035 Versailles Cedex, France
Finding efficient countermeasures for cryptosystems against
fault attacks is challenged by a constant discovery of flaws in designs.
Even elements, such as public keys, that do not seem critical must be
protected. From the attacks against RSA [5,4], we develop a new attack
against DLP-based cryptosystems, built in addition on a lattice analysis
to recover DSA public keys from partially known nonces. Based on a realistic
fault model, our attack only requires 16 faulty signatures to recover
a 160-bit DSA secret key within a few minutes on a standard PC. These
results significantly improve the previous public element fault attack in
the context of DLP-based cryptosystems.
Keywords: DSA, exponentiation, fault injection, public modulus, lattice