
2009 Workshop on Fault Diagnosis and Tolerance in Cryptography

A Fault Attack on ECDSA

Jörn-Marc Schmidt Marcel Medwed


Graz University of Technology
Institute for Applied Information Processing and Communications
Inffeldgasse 16a/1, A-8010 Graz, Austria
E-mail: {joern-marc.schmidt,marcel.medwed}@iaik.tugraz.at

Abstract

An advantage of schemes based on elliptic curve cryptography (ECC) is that they require a smaller key size than other public key schemes to guarantee the same level of security. Thus, ECC algorithms are well suited for systems with constrained resources like smart cards or mobile devices. When evaluating those devices, not only the security from a theoretical point of view, but also implementation attacks, like fault attacks, have to be taken into account.

In this paper, we present a new fault attack on the elliptic curve digital signature algorithm (ECDSA). We use a modification of the program flow to retrieve parts of the ephemeral key. The retrieved information allows performing a lattice attack to determine the secret signing key. Furthermore, we propose a countermeasure to prevent such an attack.

Keywords: Fault attack, Countermeasure, ECC, ECDSA

1 Introduction

Since smart cards and mobile devices have become part of everyday life, more and more valuable information is stored on them. In order to protect this information, cryptographic algorithms are applied.

One popular group of algorithms is based on elliptic curve cryptography (ECC). These algorithms provide the same level of security with smaller key length than other public key algorithms, like RSA. Thus, they are attractive for devices with constrained resources.

For such devices, not only theoretical considerations and notions of security for algorithms, but also physical effects of their implementations have to be taken into account. If an adversary gains physical access to a device, its correct functionality is no longer guaranteed. An adversary may provoke malfunctions to reveal secrets that are stored on the device. These methods are called fault attacks.

So far, several ways to maliciously modify the behavior of a device have been presented [2, 17, 20]. On the other hand, effects of different faults have been analyzed for various algorithms [4, 7, 10].

Nevertheless, fault attacks on algorithms using ECC are rare. Only two different approaches have been presented up to now. One approach is manipulating the group the computation takes place in [3, 8] and taking advantage of weak security properties of the resulting group. Such an attack can be thwarted by checking whether the result is a point of the used elliptic curve. Another approach, presented by Blömer et al., assumes that the sign of an intermediate value can be changed by an adversary [6]. In this way, the result is still a valid curve point. Hence, the modification is not noticed by the previously mentioned check. Thus, countermeasures that are more sophisticated are necessary.

In this paper, we present a fault attack on the elliptic curve digital signature algorithm (ECDSA). The attack is based on a manipulation of the program flow. An adversary can derive some bits of the ephemeral key from the erroneous result. This information is sufficient to apply a lattice attack, e.g. as discussed in [12, 16, 18], to determine the secret key of the implementation.

In addition, we present a countermeasure to protect systems based on ECC against fault attacks. It uses a check value together with the redundancy provided by the point representation to protect the data path and the program flow.

The remaining paper is structured as follows: In Section 2, we give a brief introduction to ECC and the ECDSA algorithm. After describing the used fault model in Section 3, we present the attack on ECDSA in Section 4. A countermeasure is discussed in Section 5. Conclusions are drawn in Section 6.

2 ECC Basics

In this section, a brief overview of elliptic curves and the ECDSA is given. For a detailed approach see e.g. [5, 11]. An elliptic curve E over a field F is defined by the

978-0-7695-3824-2/09 $25.00 © 2009 IEEE
DOI 10.1109/FDTC.2009.38
10.1109/FDTC.2009.16
Weierstrass equation:

$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6, \qquad a_1, \ldots, a_6 \in F. \quad (1)$$

The set of points $(x, y) \in F^2$ fulfilling (1) together with the point at infinity $O$ form an additive abelian group. It is denoted as $E(F)$. The point $O$ is the neutral element of the group. The group operation is called addition for two distinct points and doubling otherwise. An elliptic curve group operation consists of many field operations. For a field F with a characteristic other than 2 or 3, equation (1) can be simplified to

$$E : y^2 = x^3 + ax + b, \qquad a, b \in F.$$

An equivalent representation of the group can be given in projective Jacobian coordinates. In Jacobian coordinates, the projective point $(X, Y, Z) \in F^3$, $Z \neq 0$ corresponds to the affine point $(x, y) = (X/Z^2, Y/Z^3) \in F^2$. The point at infinity is represented by $(1, 1, 0)$. In Jacobian coordinates the curve equation is

$$Y^2 = X^3 + aXZ^4 + bZ^6.$$

The law for addition over this curve is $(X_3, Y_3, Z_3) = (X_1, Y_1, Z_1) + (X_2, Y_2, Z_2)$ with

$$X_3 = (Y_2 Z_1^3 - Y_1 Z_2^3)^2 - (X_2 Z_1^2 - X_1 Z_2^2)^2 (X_1 Z_2^2 + X_2 Z_1^2)$$
$$Y_3 = \big((Y_2 Z_1^3 - Y_1 Z_2^3)(2 X_1 Z_2^2 + X_2 Z_1^2) - Y_1 Z_2^3 (X_2 Z_1^2 - X_1 Z_2^2)\big)(X_2 Z_1^2 - X_1 Z_2^2)^2 - (Y_2 Z_1^3 - Y_1 Z_2^3)^3$$
$$Z_3 = (X_2 Z_1^2 - X_1 Z_2^2) Z_1 Z_2$$

A point is doubled by $(X_3, Y_3, Z_3) = 2(X_1, Y_1, Z_1)$ with

$$X_3 = (3 X_1^2 + a Z_1^4)^2 - 8 X_1 Y_1^2$$
$$Y_3 = (3 X_1^2 + a Z_1^4)(4 X_1 Y_1^2 - X_3) - 8 Y_1^4$$
$$Z_3 = 2 Y_1 Z_1$$

Multiplying a natural number k and an element $P \in E(F)$ is called scalar multiplication. It is defined by adding the point P k times, denoted as kP. In order to calculate kP in an efficient way, the double-and-add algorithm or the Montgomery ladder can be used. They are depicted in Algorithms 1 and 2. Furthermore, algorithms that make use of precomputed values have been proposed. They can be applied if the base point of the calculation is fixed, e.g. the fixed-base windowing method proposed by Brickell et al. (see [11] for a detailed description).

Algorithm 1 Double and Add
Require: k = (k_t, ..., k_0)_2, P ∈ E(F)
Ensure: kP
1: Q = O
2: for i = t downto 0 do
3:   Q = 2Q
4:   if (k_i == 1) then
5:     Q = Q + P
6:   end if
7: end for
8: return Q

Algorithm 2 Montgomery ladder
Require: k = (k_t, ..., k_0)_2, P ∈ E(F)
Ensure: kP
1: R_0 = O
2: R_1 = P
3: for i = t downto 0 do
4:   R_{¬k_i} = R_0 + R_1
5:   R_{k_i} = 2R_{k_i}
6: end for
7: return R_0

The inverse problem, calculating for two given points $Q, R \in E(F)$ a natural number u with $Q = uR$, is named Elliptic Curve Discrete Logarithm Problem (ECDLP). For a general elliptic curve, the best-known algorithms require exponential time to solve this problem.

The ECDSA is based on the assumption that it is not possible to solve the ECDLP efficiently [13]: Let $F = \mathbb{F}_p$ for a prime number p > 2. The public key consists of $(E(F), P, n, Q)$, the private key is $d \in [1, \ldots, (n-1)]$, whereas $P \in E(F)$ has order n and $Q = dP$. Furthermore, a cryptographic hash function H is used. The method how to sign a message is depicted in Algorithm 3. An ephemeral key k is chosen at random. This key must be different for each signature generation. The point P is multiplied by k; the x-coordinate of the result modulo n is the first part of the signature. The second part includes, besides the ephemeral key and the first signature part, the hashed message and the secret key. In the verification phase, this second part and the public key are used to calculate kP. The x-coordinate of the result is compared to the first part of the signature. If they match, the signature is accepted. Algorithm 4 shows the verification process.
Algorithm 3 Sign a Message
Require: Secret Key d, Message m, Public Key (E(F), P, n, Q)
Ensure: Signature [γ, δ]
1: Select k ∈ [1, ..., n − 1] randomly
2: Γ = k · P
3: γ = x_Γ mod n
4: if γ = 0 then
5:   go to first step
6: end if
7: δ = (H(m) + γd) k^{-1} mod n
8: if δ = 0 then
9:   go to first step
10: end if
11: return [γ, δ]

Algorithm 4 Verify a Message
Require: Message m, Signature [γ, δ], Public Key (E(F), P, n, Q)
Ensure: Accept or Reject
1: if δ or γ ∉ [1, ..., n − 1] then
2:   return Reject
3: end if
4: w = δ^{-1} mod n
5: u_1 = H(m) · w mod n
6: u_2 = γ · w mod n
7: Ω = u_1 · P + u_2 · Q
8: if Ω ≠ O and γ = x_Ω mod n then
9:   return Accept
10: end if
11: return Reject

3 Fault Model

Fault attacks manipulate the computation of an algorithm and try to benefit from the erroneous result. Hence, an adversary requires physical access to the device that generates the signature. Here, we assume that an adversary can skip instructions of an ECDSA calculation. However, this succeeds only with a specific probability. Hence, the adversary must be able to decide by means of the faulty result whether the fault has been injected in the intended way.

The model was presented and put into practice in [19]. Schmidt and Herbst showed that it is possible to manipulate the program flow using a spike attack. They used this fault model to attack RSA implementations that use square and multiply algorithms. In this paper, we skip instructions to attack an ECDSA implementation which involves an ephemeral key. Hence, using an iterative approach as in [19] is not possible.

4 Fault Attack on ECDSA

As already mentioned, the calculation of an ECDSA signature involves an ephemeral key. For each signature, this key is chosen at random. Hence, as long as the attack does not target the random generator, the ephemeral key is never used twice¹. Thus, differential fault attacks, which make use of the difference between correct and faulty signatures, cannot be applied to ECDSA, since two calculations of a signature are always different².

However, if an adversary succeeds in determining parts of the ephemeral key for several signatures, the secret key can be calculated using lattice attacks [12, 16]. Tanja Römer and Jean-Pierre Seifert showed that for a 160 bit prime n and 12 known ephemeral key bits of 50 signatures the success probability is 99% [18].

Thus, an attack that determines a few bits of an ephemeral key from a signature suffices to retrieve the secret signature key. The attack is then repeated until enough pairs of signatures and partial ephemeral keys are known.

We induce a fault according to the model of Section 3 in the scalar multiplication that is performed during the signature calculation, as depicted in Line 2 of Algorithm 3. Hence, the injected fault and analysis have to be adapted to the used scalar multiplication algorithm.

Consider a scalar multiplication with the left-to-right double and add algorithm. Assume that the (t − i)-th doubling was skipped. The result is denoted by $\Gamma_i$ and the corresponding correct output by $\Gamma$. The bits of the scalar after the skipped operation are written as $\tilde{k} = (k_i, \ldots, k_0)_2$. Doubling the erroneous computation gives

$$2\Gamma_i = 2\Big(\sum_{j=i+1}^{t} 2^{j-1} k_j + \sum_{j=0}^{i} 2^{j} k_j\Big)P = kP + \tilde{k}P = \Gamma + \tilde{k}P.$$

Hence, the difference $2\Gamma_i - \Gamma$ depends only on the point P and $\tilde{k}$:

$$2\Gamma_i - \Gamma = \tilde{k}P. \quad (2)$$

Note that the same attack principle works on the variants of the double and add algorithms, like double and always add or right-to-left double and add.

If the Montgomery ladder is used, an adversary must skip two operations at once, to leave out a complete execution of

¹ Note that the secret signature key can be computed from a signature if its corresponding ephemeral key is known or from two signatures that use the same ephemeral key.
² Another strategy would be manipulating the random number generator. If some bits of the ephemeral key are set to a known value, a lattice attack can be applied. Naccache et al. demonstrated that for the Digital Signature Algorithm (DSA) [15].
the inner instructions of the loop, namely $R_{\bar{k}_i} = R_0 + R_1$ and $R_{k_i} = 2R_{k_i}$. Thus, one bit of the scalar is not processed at all. Using the same notation as above ($\tilde{k} = (k_i, \ldots, k_0)_2$), skipping the processing of $k_i$ results in

$$\Gamma_i = \Big(\sum_{j=i+1}^{t} 2^{j-1} k_j + \sum_{j=0}^{i-1} 2^{j} k_j\Big)P$$
$$\Rightarrow\; 2\Gamma_i - \Gamma = (\tilde{k} - 2^{i+1} k_i)P. \quad (3)$$

Unfortunately, a (faulty) ECDSA signature consists neither of $\Gamma_i$ nor of $\Gamma$. Thus, these values have to be computed from the signature. Let $[\gamma_i, \delta_i]$ denote a faulty signature that was calculated according to the ECDSA Algorithm 3, using $\Gamma_i$ instead of $\Gamma$ in line 2.

First, we show how to retrieve $\Gamma_i$ from the first part of the signature, $\gamma_i$. Second, the value $\Gamma$ is computed from $\delta_i$.

$\Gamma_i$ can be restored from the signature part $\gamma_i$, since $\Gamma_i$ is a point on the elliptic curve and $\gamma_i = x_{\Gamma_i} \bmod n$ holds. Since $\gamma_i$ may be reduced by n during the calculation of the signature, there may exist more than one possibility for $\Gamma_i$. For each of these values, the curve equation is evaluated with $x_{\Gamma_i}$ as x-coordinate, resulting in two possible points on the curve for each $x_{\Gamma_i}$.

The point $\Gamma = kP$ that corresponds to the faulty $\Gamma_i$, i.e. uses the same ephemeral key k, cannot be calculated in this way. For determining it, the second part of the faulty signature

$$\delta_i = k^{-1} \cdot (H(m) + \gamma_i d) \bmod n$$

is exploited. Therefore, the computation of the verification step is used:

$$w_i = \delta_i^{-1} \bmod n = \frac{k}{H(m) + \gamma_i d} \bmod n$$
$$u_1 = H(m) \cdot w_i \bmod n = \frac{k \cdot H(m)}{H(m) + \gamma_i d} \bmod n$$
$$u_2 = \gamma_i \cdot w_i \bmod n = \frac{k \cdot \gamma_i}{H(m) + \gamma_i d} \bmod n$$
$$\Gamma = \Omega = u_1 P + u_2 Q = (u_1 + u_2 \cdot d)P = \Big(\frac{k \cdot (H(m) + \gamma_i d)}{H(m) + \gamma_i d} \bmod n\Big)P = kP.$$

Now, $2\Gamma_i - \Gamma$ from (2) can be calculated for all possible values for $x_{\Gamma_i}$³. For the right $\Gamma_i$ this results in $\tilde{k}P$. As $\tilde{k}$ has a size of at most i bits, a lookup table containing $\tilde{k}P$ for all possible values of $\tilde{k}$ can be created⁴. If the fault was injected in the intended way, the right $\tilde{k}$ can be found in the table. For an unsuccessful injection, as well as for a "wrong" $\Gamma_i$ restored from $\gamma_i$, no entry in the lookup table will be found with high probability.

After applying this attack on several signatures to reveal parts of their ephemeral keys, the signature key d can be derived by a lattice attack. As this attack does not make use of the $\Gamma = kP$ relation, the injected fault has no impact on it. Thus, 50 faulty signatures are sufficient for a 160 bit n using the attack for determining 12 bits at once.

In order to counteract such attacks, not only the data path but also the program flow has to be protected. We present a way to secure both in the next section.

³ For an implementation that uses the Montgomery ladder, equation (3) is used.
⁴ For reducing the size of the table, a baby-step giant-step algorithm could be used to determine $\tilde{k}$.

5 Protecting ECC Algorithms

Since every point of a group over an elliptic curve must fulfill the curve equation, the point tuple contains redundancy. This allows checking whether an adversary has tampered with the data during the computation of the device. However, it can only be checked whether the resulting point is still valid, i.e. if it is a point on the elliptic curve. An adversary that manages to skip instructions as in our model or to change the sign of an intermediate value as suggested in [6] remains undetected.

Our approach is presented as an extension of the projective Jacobian coordinates. We chose this coordinate representation, as it is used in modern implementations. This is because it is possible to compute addition and doubling of points without a field inversion in projective coordinate representations. Furthermore, such a point representation allows randomizing the base point to provide side-channel resistance. The countermeasure can protect ECC algorithms that use an arbitrary point representation.

Since the integrity of the points is provided by their natural redundancy, the focus of our countermeasure is protecting the program flow and preventing an adversary from changing the sign of an intermediate value without being detected. This countermeasure does not increase the size of the operands. This is important since already a small increase of the operands results in a significant decrease of the performance. Furthermore, no second calculation in another field is required.

In addition to the coordinates, the discrete logarithm l of the point Q = (X : Y : Z) with respect to the base point is part of the point, i.e. Q = (X : Y : Z; l). In this way, the scalar is an integral part of the point and can be verified before the point (of course without the logarithm l) leaves
the device. In order to keep l correct, the operations have to incorporate l:

$$(X_1 : Y_1 : Z_1; l_1) + (X_2 : Y_2 : Z_2; l_2) = (X_3 : Y_3 : Z_3; l_1 + l_2)$$
$$2(X : Y : Z; l) = (X_3 : Y_3 : Z_3; 2l)$$
$$-(X : Y : Z; l) = (X : -Y : Z; -l).$$

Applying a scalar multiplication algorithm with k to a point $P = (X_1, Y_1, Z_1, 1)$ results in a point $Q = (X_3, Y_3, Z_3, k)$ that includes the scalar whenever the computation was correct. In order to reduce the size of l, it is calculated modulo a prime r. Since the probability that a fault is not noticed is directly related to the size of r, its bit length is the security parameter of our countermeasure.

This method also protects against sign change attacks, presented in [6], as long as a non-signed representation of the coordinates is used. The chance to flip the sign of a value modulo p with a modulus length of m bits is $2^{-m}$. A dedicated functionality that inverts a coordinate can be redefined to invert l at the same time. Hence, a sign change attack is detected. Furthermore, the addition and doubling formulas themselves must be protected against manipulations. It must be guaranteed that if the calculation is modified, either the result is not a valid curve point, or the check value l is not correct. This can be achieved by including the logarithm value l into the formulas in an atomic way.

We propose a small modification of the standard add and double algorithms for Jacobian coordinates in Algorithm 5 and Algorithm 6. Line 5 of Algorithm 6 combines l and the $Y_1$ coordinate using the Chinese remainder theorem (CRT), using the elliptic curve's field ($\mathbb{F}_p$) and the one used for l ($\mathbb{F}_u$). The resulting element is doubled and afterwards the result is transferred back into the previous variables and fields using a modular reduction. Thus, modifying the doubling in any way influences both the point coordinates and the check value l. In Algorithm 5 the same protection is guaranteed by the Lines 18-19. The method can also be used for inversion functionality. Since $\log_P(-Q) = -\log_P(Q)$, negating both variables at the same time is sufficient.

Using these operations, it is ensured that an adversary that manipulates the computation either leaves the curve or produces a check value l that differs from the intended scalar: If an adversary skips a whole operation, the l value differs from the desired one. An adversary that manages to modify values during an operation ends up with a point that does not belong to the curve. Both cases can be detected easily after the computation. However, this check itself may also be a target for an adversary that can manipulate the program flow. To protect the checking procedure, Dottax et al. [9] proposed a multi-stage method.

In addition, storing the discrete logarithm of a point could pose a vulnerability to side channel analysis. In order to prevent such attacks, the check value can be blinded by a random mask.

Algorithm 5 Secure Point Addition
Require: P = (X_1 : Y_1 : Z_1; l_1), Q = (X_2 : Y_2 : Z_2; l_2) in Jacobian coordinates on E(F) : y^2 = x^3 − 3x + b
Ensure: P + Q = (X_3 : Y_3 : Z_3; l_3) in Jacobian coordinates
1: if Q = O then
2:   return (X_1 : Y_1 : Z_1; l_1)
3: end if
4: if P = O then
5:   return (X_2 : Y_2 : Z_2; l_2)
6: end if
7: T_1 ← Z_1^2; T_1' ← Z_2^2; T_2 ← T_1 · Z_1; T_2' ← T_1' · Z_2; T_1 ← T_1 · X_2; T_2 ← T_2 · Y_2
8: T_1' ← T_1' · X_1; T_2' ← T_2' · Y_1; T_1 ← T_1 − T_1'; T_2 ← T_2 − T_2'
9: if T_1 = 0 then
10:   if T_2 = 0 then
11:     return (X_3 : Y_3 : Z_3; l_3) ← 2(X_2 : Y_2 : Z_2; l_2) using Algorithm 6
12:   else
13:     return O
14:   end if
15: end if
16: Z_3 ← Z_1 · T_1; Z_3 ← Z_3 · Z_2; T_3 ← T_1^2; T_4 ← T_3 · T_1; T_3 ← T_3 · X_1
17: T_1 ← 2T_3; X_3 ← T_2^2; X_3 ← T_2^2
18: X_3 = CRT(X_3, l_1); T_1 = CRT(T_1, −l_2); X_3 ← X_3 − T_1
19: l_3 ← X_3 mod r; X_3 ← X_3 mod p
20: X_3 ← X_3 − T_4; T_3 ← T_3 − X_3; T_3 ← T_3 · T_2; T_4 ← T_4 · Y_1; Y_3 ← T_3 − T_4
21: return (X_3 : Y_3 : Z_3; l_3)

Furthermore, the addition and doubling formulas can be modified to compute on the larger field $\mathbb{Z}^*_{pr}$. Thus, the check value l is always part of the coordinates. In this way, the check value does not only secure the program flow but also the data path. This can be used if it is not possible to check whether the result fulfills the curve equation, e.g. for a Montgomery implementation that involves only the X and Z coordinates. For these cases, increasing the underlying field is more efficient than calculating the third coordinate for fault security purposes.

Table 1 summarizes the success probabilities of an adversary for different countermeasures. Note that Baek et al.'s countermeasure does not protect the program flow. However, the security of the program flow is connected to sign change faults: If a functionality that inverts points is used for the manipulation, as suggested in [6], the result is
a valid curve point with an inverted sign. In this case, sign change faults cannot be detected unless the program flow is checked.

Algorithm 6 Secure Point Doubling
Require: P = (X_1 : Y_1 : Z_1; l_1) in Jacobian coordinates on E(F) : y^2 = x^3 − 3x + b
Ensure: 2P = (X_3 : Y_3 : Z_3; 2l_1) in Jacobian coordinates
1: if P = O then
2:   return O
3: end if
4: T_1 ← Z_1^2; T_2 ← X_1 − T_1; T_1 ← X_1 + T_1; T_2 ← T_2 · T_1; T_2 ← 3T_2
5: Y_1 = CRT(Y_1, l); Y_3 ← 2Y_1; l ← Y_3 mod r; Y_3 ← Y_3 mod p
6: Z_3 ← Y_3 · Z_1; Y_3 ← Y_3^2; T_3 ← Y_3 · X_1; Y_3 ← Y_3^2; Y_3 ← Y_3 / 2; X_3 ← T_2^2
7: T_1 ← 2T_3; X_3 ← X_3 − T_1; T_1 ← T_3 − X_3; T_1 ← T_1 · T_2; Y_3 ← T_1 − Y_3
8: return (X_3 : Y_3 : Z_3; l)

Countermeasure   Data Error         Error in Program Flow
Ours             2^{-|p|}           2^{-|r|}
Blömer [6]       2^{-(|p|+|r|)}     2^{-|r|}
Baek [1]⁵        2^{-(|r|-10)}      -

Table 1. Probability that a fault remains undetected for different countermeasures. The bit length of the security parameter is denoted by |r|.

We compared the performance of our approach⁶ to the countermeasures proposed by Blömer et al. [6] and the one of Baek and Vasyltsov [1]. The overhead of the different solutions in relation to an unprotected Montgomery ladder implementation using Jacobian coordinates is depicted in Table 2 for a security factor of 60 bits. Table 3 shows the overhead compared to an unprotected double and add algorithm using mixed Jacobian coordinates with a security parameter of 30 bits. All runtime figures are derived from the number of single precision multiplications performed during the algorithm.

Bits   Ours   Blömer et al.   Baek et al.
192    36%    82%             148%
224    35%    68%             130%
256    35%    58%             116%
384    33%    36%             86%
521    32%    26%             72%

Table 2. Overhead compared to a bare Montgomery ladder algorithm using Jacobian coordinates with a security parameter of 60 bits.

Bits   Ours   Blömer et al.   Baek et al.
192    33%    36%             95%
224    32%    30%             85%
256    32%    26%             78%
384    31%    17%             63%
521    30%    12%             55%

Table 3. Overhead compared to a Double-and-Always-Add algorithm using mixed Jacobian coordinates with a security parameter of 30 bits.

The figures show that our countermeasure has a rather constant overhead percentage (36% for the NIST curve P-192 and 32% for the 521-bit curve). This is because we trade expanding the algebra for additional multiplications and reductions. A lower bound for the overhead is 29%. Blömer et al.'s countermeasure has an overhead that basically converges to 0, since the number of multiplications is not changed. However, for standardized curves it has an overhead between 82% and 26%. The overhead of Baek et al.'s countermeasure increases the number of operations and enlarges the used algebra. This results in a runtime overhead between 148% and 72%.

Our countermeasure is rather independent of the size of the security factor. Therefore, it performs well for curves commonly used in embedded devices and smart cards where the added bits are not negligible.

⁵ The reduction by 10 is due to the findings of Joye [14].
⁶ For performance reasons we do not save l, but CRT(0, l). After any computation which results in CRT(x, l), x is extracted. Afterwards, CRT(x, 0) is subtracted from the result. This saves a reduction for each manipulation of l.

6 Conclusion

In this paper, we presented a new attack on ECDSA, which is based on the possibility to skip instructions. It uses the erroneous result to determine enough bits of the ephemeral key to launch a lattice attack. We considered implementations that make use of the double and add algorithm or the Montgomery ladder; other algorithms, like fixed-base windowing methods, are a topic of further research.

We propose a countermeasure to protect against such attacks. It implicitly encodes the discrete logarithm in the point representation. Hence, a manipulation of the computation is detected. Thus, only a correct result, of course after removing the check value, leaves the device.
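The two relations at the core of the paper, equation (2) from Section 4 and the check-value rules of Section 5, worked through on a toy curve. This is an added example, not the authors' code: the curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with base point (5, 1) of order 19 and the modulus r = 13 are assumed toy values, points are affine rather than Jacobian, and the check value l is carried as a separate field instead of being bound into the coordinates by the CRT step of Algorithms 5 and 6.

```python
"""Toy model of the skipped-doubling fault on double-and-add (Section 4) and of
the check-value countermeasure (Section 5). Constructed example, not the
paper's code. Curve y^2 = x^3 + 2x + 2 over F_17, base point (5, 1) of order
19 (a textbook toy curve); r = 13 is an assumed toy security parameter."""

P_MOD, A = 17, 2       # field prime and curve coefficient a
BASE = (5, 1)          # generator of the cyclic, order-19 curve group
R_MOD = 13             # modulus r of the check value l


def ec_add(p, q):
    """Affine addition on the toy curve; None represents the point at infinity O."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:   # q == -p (covers 2P with y = 0)
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_neg(p):
    return None if p is None else (p[0], (-p[1]) % P_MOD)


def double_and_add(k, skip_doubling_at=None):
    """Left-to-right double and add (Algorithm 1) on checked points (point, l).
    l follows the Section 5 rules: l1 + l2 for an addition, 2l for a doubling,
    both mod r, starting from P = (5, 1; 1). If skip_doubling_at == i, the
    doubling of the iteration that processes bit k_i is left out, which is the
    (t - i)-th doubling in the paper's counting. Returns (point, l)."""
    bits = bin(k)[2:]
    t = len(bits) - 1
    q, l = None, 0                                 # O carries l = 0
    for idx, bit in enumerate(bits):
        i = t - idx                                # index of the bit k_i handled now
        if i != skip_doubling_at:
            q, l = ec_add(q, q), (2 * l) % R_MOD
        if bit == "1":
            q, l = ec_add(q, BASE), (l + 1) % R_MOD
    return q, l


def recover_low_bits(k, i):
    """Equation (2): 2*Gamma_i - Gamma = k~ P with k~ = (k_i ... k_0)_2.
    Builds the lookup table of all 2^(i+1) candidates k~ P and returns the
    matching k~ (None if no entry matches). Because the toy group has order
    19, the table must stay below 19 entries, so i <= 3 here."""
    gamma, _ = double_and_add(k)
    gamma_i, _ = double_and_add(k, skip_doubling_at=i)
    diff = ec_add(ec_add(gamma_i, gamma_i), ec_neg(gamma))
    table = {double_and_add(c)[0]: c for c in range(1 << (i + 1))}
    return table.get(diff)


def check_value_ok(k, skip_doubling_at=None):
    """Section 5 check before the point leaves the device: l must equal k mod r.
    A skipped doubling shifts l by 2^i * (k_t ... k_{i+1})_2 mod r, so it goes
    unnoticed only when r divides that quantity."""
    _, l = double_and_add(k, skip_doubling_at)
    return l == k % R_MOD


if __name__ == "__main__":
    # k = 45 = 101101_2; skipping the doubling at i = 3 leaks k~ = 1101_2 = 13
    print("recovered k~ for k=45, fault at i=3:", recover_low_bits(45, 3))
    print("check value accepts correct run:", check_value_ok(45))
    print("check value accepts faulty run:", check_value_ok(45, 3))
```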
Acknowledgements

The work described in this paper has been supported through the Austrian Government funded project ARTEUS established under the Trust in IT Systems program FIT-IT.

References

[1] Y.-J. Baek and I. Vasyltsov. How to Prevent DPA and Fault Attack in a Unified Way for ECC Scalar Multiplication - Ring Extension Method. In E. Dawson and D. S. Wong, editors, Information Security Practice and Experience, Third International Conference, ISPEC 2007, Hong Kong, China, May 7-9, 2007, Proceedings, volume 4464 of Lecture Notes in Computer Science, pages 225–237. Springer, May 2007.
[2] H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, and C. Whelan. The Sorcerer's Apprentice Guide to Fault Attacks. Cryptology ePrint Archive (http://eprint.iacr.org/), Report 2004/100, 2004.
[3] I. Biehl, B. Meyer, and V. Müller. Differential Fault Attacks on Elliptic Curve Cryptosystems. In M. Bellare, editor, Advances in Cryptology - CRYPTO 2000, 20th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 2000, Proceedings, volume 1880 of Lecture Notes in Computer Science, pages 131–146. Springer, 2000.
[4] E. Biham and A. Shamir. Differential Fault Analysis of Secret Key Cryptosystems. In B. S. K. Jr., editor, Advances in Cryptology - CRYPTO '97, 17th Annual International Cryptology Conference, Santa Barbara, California, USA, August 17-21, 1997, Proceedings, volume 1294 of Lecture Notes in Computer Science, pages 513–525. Springer, 1997.
[5] I. F. Blake, G. Seroussi, and N. P. Smart. Elliptic Curves in Cryptography, volume 265 of London Mathematical Society Lecture Notes Series. Cambridge University Press, Cambridge, UK, 1999.
[6] J. Blömer, M. Otto, and J.-P. Seifert. Sign Change Fault Attacks on Elliptic Curve Cryptosystems. In L. Breveglieri, I. Koren, D. Naccache, and J.-P. Seifert, editors, Fault Diagnosis and Tolerance in Cryptography, Third International Workshop, FDTC 2006, Yokohama, Japan, October 10, 2006, Proceedings, volume 4236 of Lecture Notes in Computer Science, pages 36–52. Springer, October 2006.
[7] D. Boneh, R. A. DeMillo, and R. J. Lipton. On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract). In W. Fumy, editor, Advances in Cryptology - EUROCRYPT '97, International Conference on the Theory and Application of Cryptographic Techniques, Konstanz, Germany, May 11-15, 1997, Proceedings, volume 1233 of Lecture Notes in Computer Science, pages 37–51. Springer, 1997.
[8] M. Ciet and M. Joye. Elliptic Curve Cryptosystems in the Presence of Permanent and Transient Faults. Des. Codes Cryptography, 36(1):33–43, 2005. Available online at http://eprint.iacr.org/2003/028.pdf.
[9] E. Dottax, C. Giraud, M. Rivain, and Y. Sierra. On Second-Order Fault Analysis Resistance for CRT-RSA Implementations. Cryptology ePrint Archive, Report 2009/024, 2009. The final version of this paper will be published in the proceedings of WISTP 2009.
[10] P. Dusart, G. Letourneux, and O. Vivolo. Differential Fault Analysis on A.E.S. In J. Zhou, M. Yung, and Y. Han, editors, Applied Cryptography and Network Security, First International Conference, ACNS 2003, Kunming, China, October 16-19, 2003, Proceedings, volume 2846 of Lecture Notes in Computer Science, pages 293–306. Springer, October 2003.
[11] D. Hankerson, A. J. Menezes, and S. Vanstone. Guide to Elliptic Curve Cryptography. Springer, Berlin, Germany / Heidelberg, Germany / London, UK / etc., 2004.
[12] N. Howgrave-Graham and N. P. Smart. Lattice Attacks on Digital Signature Schemes. Designs, Codes and Cryptography, 23(3):283–290, August 2001. ISSN 0925-1022.
[13] D. B. Johnson, A. J. Menezes, and S. Vanstone. The Elliptic Curve Digital Signature Algorithm (ECDSA). International Journal of Information Security, 1(1):36–63, August 2001.
[14] M. Joye. On the Security of a Unified Countermeasure. In Fault Diagnosis and Tolerance in Cryptography, Workshop on, volume 5, pages 87–91, Los Alamitos, CA, USA, 2008. IEEE Computer Society.
[15] D. Naccache, P. Q. Nguyen, M. Tunstall, and C. Whelan. Experimenting with Faults, Lattices and the DSA. In S. Vaudenay, editor, Public Key Cryptography - PKC 2005, 8th International Workshop on Theory and Practice in Public Key Cryptography, Les Diablerets, Switzerland, January 23-26, 2005, Proceedings, volume 3386 of Lecture Notes in Computer Science, pages 16–28. Springer, January 2005.
[16] P. Q. Nguyen and I. E. Shparlinski. The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces. Designs, Codes and Cryptography, 30(2):201–217, September 2003. ISSN 0925-1022.
[17] J.-J. Quisquater and D. Samyde. Eddy Current for Magnetic Analysis with Active Sensor. In Proceedings of Esmart, pages 185–194, 2002.
[18] T. Römer and J.-P. Seifert. Information Leakage Attacks against Smart Card Implementations of the Elliptic Curve Digital Signature Algorithm. In I. Attali and T. P. Jensen, editors, Smart Card Programming and Security, International Conference on Research in Smart Cards, E-smart 2001, Cannes, France, September 19-21, 2001, Proceedings, volume 2140 of Lecture Notes in Computer Science, pages 211–219. Springer, 2001.
[19] J.-M. Schmidt and C. Herbst. A Practical Fault Attack on Square and Multiply. In Fault Diagnosis and Tolerance in Cryptography, Third International Workshop, FDTC 2008, Washington DC, USA, August 10, 2008, Proceedings. IEEE-CS Press, August 2008.
[20] S. P. Skorobogatov and R. J. Anderson. Optical Fault Induction Attacks. In B. S. K. Jr., Çetin Kaya Koç, and C. Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2002, 4th International Workshop, Redwood Shores, CA, USA, August 13-15, 2002, Revised Papers, volume 2523 of Lecture Notes in Computer Science, pages 2–12. Springer, 2003.