Easily Overlooked Vulnerability in Implementation: Practical Fault Attack on ECDSA Round Counter

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (2022)

Abstract
Elliptic curve cryptography is a widely used public-key cryptosystem. Though it has good theoretical security, it is still vulnerable to some physical attacks due to implementation weaknesses. To resist these attacks, a number of physical countermeasures have been proposed. However, there are still some implementation vulnerabilities that may be overlooked, leading to more practical and effective attacks. In this article, we construct a new fault attack on the round counter, which is a component of scalar multiplications in ECDSA. The attack is divided into two parts. In the first part, partial bits of the nonce in each signature can be recovered by fault injection on the round counter. In the second part, an efficient lattice attack can be constructed to recover the private key by combining the recovered bits. Compared with other lattice-based fault attacks, our attack has the advantage of practicability and effectiveness. In particular, it has less requirement for moment precision and wide applicability to scalar multiplications, which are the critical factors for practicability and effectiveness. To verify the strength of our attack, we carry out laser injection experiments on an AVR MCU (ATmega163L) and a Kintex-7 FPGA (XC7K325T), respectively. The experimental results verify the practicability and effectiveness of the attack on both software and hardware platforms. Finally, we also propose two directions for efficient countermeasures against our attack.
Keywords
practical fault attack, ECDSA round counter, vulnerability, implementation