{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:14:08Z","timestamp":1750306448076,"version":"3.41.0"},"reference-count":55,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2016,4,20]],"date-time":"2016-04-20T00:00:00Z","timestamp":1461110400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["J. Emerg. Technol. Comput. Syst."],"published-print":{"date-parts":[[2017,1,31]]},"abstract":"<jats:p>Elliptic curve cryptosystems proved to be well suited for securing systems with constrained resources like embedded and portable devices. In a fault-based attack, errors are induced during the computation of a cryptographic primitive, and the results are collected to derive information about the secret key safely stored in the device. We introduce a novel attack methodology to recover the secret key employed in implementations of the Elliptic Curve Digital Signature Algorithm. Our attack exploits the information leakage induced when altering the execution of the modular arithmetic operations used in the signature primitive and does not rely on the underlying elliptic curve mathematical structure, thus being applicable to all standardized curves. We provide both a validation of the feasibility of the attack, even employing common off-the-shelf hardware to perform the required computations, and a low-cost countermeasure to counteract it.<\/jats:p>","DOI":"10.1145\/2767132","type":"journal-article","created":{"date-parts":[[2016,4,22]],"date-time":"2016-04-22T13:53:06Z","timestamp":1461333186000},"page":"1-26","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":7,"title":["A Fault-Based Secret Key Retrieval Method for ECDSA"],"prefix":"10.1145","volume":"13","author":[{"given":"Alessandro","family":"Barenghi","sequence":"first","affiliation":[{"name":"Politecnico di Milano, Milano, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Guido M.","family":"Bertoni","sequence":"additional","affiliation":[{"name":"STMicroelectronics, Agrate Brianza, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Luca","family":"Breveglieri","sequence":"additional","affiliation":[{"name":"Politecnico di Milano, Milano, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Gerardo","family":"Pelosi","sequence":"additional","affiliation":[{"name":"Politecnico di Milano, Milano, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Stefano","family":"Sanfilippo","sequence":"additional","affiliation":[{"name":"Politecnico di Milano, Milano, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ruggero","family":"Susella","sequence":"additional","affiliation":[{"name":"STMicroelectronics, Agrate Brianza, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2016,4,20]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1109\/ITNG.2010.43"},{"key":"e_1_2_1_2_1","unstructured":"ANSI. 2005. Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA). American National Standard: ANS X9.62-2005.  ANSI. 2005. Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA). American National Standard: ANS X9.62-2005."},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/HST.2011.5955015"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2013.02.021"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/2070425.2070438"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2007.09.022"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.5555\/646765.704124"},{"key":"e_1_2_1_8_1","volume-title":"Blake and Gadiel Seroussi","author":"Ian","year":"1999","unstructured":"Ian F. Blake and Gadiel Seroussi . 1999 . Elliptic Curves in Cryptography. Cambridge University Press . Ian F. Blake and Gadiel Seroussi. 1999. Elliptic Curves in Cryptography. Cambridge University Press."},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1007\/11889700_4"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.5555\/646761.706148"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.5555\/646139.680803"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10623-003-1160-8"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1147\/sj.294.0526"},{"key":"e_1_2_1_14_1","volume-title":"Cox et al","author":"Mark","year":"2014","unstructured":"Mark J. Cox et al . 2014 . The OpenSSL Project, ver.1.0.1j. Retrieved from http:\/\/www.openssl.org\/. Mark J. Cox et al. 2014. The OpenSSL Project, ver.1.0.1j. Retrieved from http:\/\/www.openssl.org\/."},{"volume-title":"Cryptography and Security: From Theory to Applications (LNCS)","author":"Fan Junfeng","key":"e_1_2_1_15_1","unstructured":"Junfeng Fan and Ingrid Verbauwhede . 2012. An updated survey on secure ECC implementations: Attacks, countermeasures and cost . In Cryptography and Security: From Theory to Applications (LNCS) , David Naccache (Ed.), Vol. 6805 . Springer , 265--282. DOI:http:\/\/dx.doi.org\/10.1007\/978-3-642-28368-0_18 10.1007\/978-3-642-28368-0_18 Junfeng Fan and Ingrid Verbauwhede. 2012. An updated survey on secure ECC implementations: Attacks, countermeasures and cost. In Cryptography and Security: From Theory to Applications (LNCS), David Naccache (Ed.), Vol. 6805. Springer, 265--282. DOI:http:\/\/dx.doi.org\/10.1007\/978-3-642-28368-0_18"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/FDTC.2008.15"},{"volume-title":"Mathematics of Public Key Cryptography","author":"Galbraith Steven D.","key":"e_1_2_1_17_1","unstructured":"Steven D. Galbraith . 2012. Mathematics of Public Key Cryptography . Cambridge University Press . Steven D. Galbraith. 2012. Mathematics of Public Key Cryptography. Cambridge University Press."},{"key":"e_1_2_1_18_1","volume-title":"Keller","author":"Hall Timothy A.","year":"2014","unstructured":"Timothy A. Hall and Sharon S . Keller . 2014 . The FIPS 186-4 Elliptic Curve Digital Signature Algorithm Validation System. NIST. Retrieved from http:\/\/csrc.nist.gov\/groups\/STM\/cavp\/documents\/dss2\/ecdsa2vs.pdf. Timothy A. Hall and Sharon S. Keller. 2014. The FIPS 186-4 Elliptic Curve Digital Signature Algorithm Validation System. NIST. Retrieved from http:\/\/csrc.nist.gov\/groups\/STM\/cavp\/documents\/dss2\/ecdsa2vs.pdf."},{"key":"e_1_2_1_19_1","volume-title":"An Introduction to the Theory of Numbers","author":"Hardy Godfrey H.","unstructured":"Godfrey H. Hardy , Edward M. Wright , and Andrew Wiles . 2008. An Introduction to the Theory of Numbers ( 6 th ed.). Oxford Mathematics Press . Godfrey H. Hardy, Edward M. Wright, and Andrew Wiles. 2008. An Introduction to the Theory of Numbers (6th ed.). Oxford Mathematics Press.","edition":"6"},{"key":"e_1_2_1_20_1","volume-title":"Proceedings of WISA\u201908 (LNCS)","volume":"5379","author":"Herbst Christoph","year":"2008","unstructured":"Christoph Herbst and Marcel Medwed . 2008 . Using templates to attack masked montgomery ladder implementations of modular exponentiation . In Proceedings of WISA\u201908 (LNCS) , Vol. 5379 . Springer, 1--13. DOI:http:\/\/dx.doi.org\/10.1007\/978-3-642-00306-6_1 10.1007\/978-3-642-00306-6_1 Christoph Herbst and Marcel Medwed. 2008. Using templates to attack masked montgomery ladder implementations of modular exponentiation. In Proceedings of WISA\u201908 (LNCS), Vol. 5379. Springer, 1--13. DOI:http:\/\/dx.doi.org\/10.1007\/978-3-642-00306-6_1"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.5555\/2017824.2017839"},{"key":"#cr-split#-e_1_2_1_22_1.1","doi-asserted-by":"crossref","unstructured":"Marc Joye and Michael Tunstall (Eds.). 2012. Fault Analysis in Cryptography. Springer. DOI:http:\/\/dx.doi.org\/10.1007\/978-3-642-29656-7 10.1007\/978-3-642-29656-7","DOI":"10.1007\/978-3-642-29656-7"},{"key":"#cr-split#-e_1_2_1_22_1.2","doi-asserted-by":"crossref","unstructured":"Marc Joye and Michael Tunstall (Eds.). 2012. Fault Analysis in Cryptography. Springer. DOI:http:\/\/dx.doi.org\/10.1007\/978-3-642-29656-7","DOI":"10.1007\/978-3-642-29656-7"},{"key":"e_1_2_1_23_1","volume-title":"Proceedings of the 4th International Workshop on Cryptographic Hardware and Embedded Systems (CHES\u201902)","volume":"2523","author":"Joye Marc","year":"2002","unstructured":"Marc Joye and Sung-Ming Yen . 2002 . The montgomery powering ladder . In Proceedings of the 4th International Workshop on Cryptographic Hardware and Embedded Systems (CHES\u201902) , Revised Papers (LNCS), Burton S. Kaliski Jr., \u00c7etin Kaya Ko\u00e7, and Christof Paar (Eds.) , Vol. 2523 . Springer, 291--302. DOI:http:\/\/dx.doi.org\/10.1007\/3-540-36400-5_22 10.1007\/3-540-36400-5_22 Marc Joye and Sung-Ming Yen. 2002. The montgomery powering ladder. In Proceedings of the 4th International Workshop on Cryptographic Hardware and Embedded Systems (CHES\u201902), Revised Papers (LNCS), Burton S. Kaliski Jr., \u00c7etin Kaya Ko\u00e7, and Christof Paar (Eds.), Vol. 2523. Springer, 291--302. DOI:http:\/\/dx.doi.org\/10.1007\/3-540-36400-5_22"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/FDTC.2008.20"},{"key":"e_1_2_1_25_1","unstructured":"Khronos. 2014. The OpenCL Specification Version: 2.0 Document Revision: 22. Retrieved from https:\/\/www.khronos.org\/registry\/cl\/specs\/opencl-2.0.pdf.  Khronos. 2014. The OpenCL Specification Version: 2.0 Document Revision: 22. Retrieved from https:\/\/www.khronos.org\/registry\/cl\/specs\/opencl-2.0.pdf."},{"volume-title":"The Art of Computer Programming: Seminumerical Algorithms","author":"Knuth Donald E.","key":"e_1_2_1_26_1","unstructured":"Donald E. Knuth . 1981. The Art of Computer Programming: Seminumerical Algorithms . Addison-Wesley . Donald E. Knuth. 1981. The Art of Computer Programming: Seminumerical Algorithms. Addison-Wesley."},{"key":"e_1_2_1_27_1","volume-title":"Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO\u201996)","volume":"1109","author":"Ed Neal Koblitz","year":"1996","unstructured":"Neal Koblitz ( Ed .). 1996 . Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO\u201996) (LNCS), Vol. 1109 . Springer. Neal Koblitz (Ed.). 1996. Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO\u201996) (LNCS), Vol. 1109. Springer."},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.5555\/646761.706156"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1007\/s13389-011-0006-y"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/FDTC.2014.11"},{"key":"e_1_2_1_31_1","unstructured":"Israel Koren. 2002. Computer Arithmetic Algorithms. A. K. Peters.   Israel Koren. 2002. Computer Arithmetic Algorithms. A. K. Peters."},{"volume-title":"Finite Fields","author":"Lidl Rudolf","key":"e_1_2_1_32_1","unstructured":"Rudolf Lidl and Harald Niederreiter . 2008. Finite Fields . Cambridge University Press . Rudolf Lidl and Harald Niederreiter. 2008. Finite Fields. Cambridge University Press."},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-00306-6_2"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/18.259647"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1090\/S0025-5718-1985-0777282-X"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1090\/S0025-5718-1987-0866113-7"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-30580-4_3"},{"key":"e_1_2_1_38_1","unstructured":"NIST. 2010. Mathematical Routines for the NIST Prime Elliptic Curves. Retrieved from https:\/\/www.nsa.gov\/ia\/_files\/nist-routines.pdf.  NIST. 2010. Mathematical Routines for the NIST Prime Elliptic Curves. Retrieved from https:\/\/www.nsa.gov\/ia\/_files\/nist-routines.pdf."},{"key":"#cr-split#-e_1_2_1_39_1.1","doi-asserted-by":"crossref","unstructured":"NIST. 2013. Digital Signature Standard (DSS). Federal Information Processing Standards Publication (FIPS) 186-4 - National Institute of Standards and Technology (NIST) - U.S. Department of Commerce. http:\/\/dx.doi.org\/10.6028\/NIST.FIPS.186-4. (2013). 10.6028\/NIST.FIPS.186-4","DOI":"10.6028\/NIST.FIPS.186-4"},{"key":"#cr-split#-e_1_2_1_39_1.2","doi-asserted-by":"crossref","unstructured":"NIST. 2013. Digital Signature Standard (DSS). Federal Information Processing Standards Publication (FIPS) 186-4 - National Institute of Standards and Technology (NIST) - U.S. Department of Commerce. http:\/\/dx.doi.org\/10.6028\/NIST.FIPS.186-4. (2013).","DOI":"10.6028\/NIST.FIPS.186-4"},{"volume-title":"Guide to FIPS 186-3 (ECDSA)","author":"NSA-CSS.","key":"e_1_2_1_40_1","unstructured":"NSA-CSS. 2010. Suite B Implementers \u2019 Guide to FIPS 186-3 (ECDSA) . National Security Agency\/Central Security Service (NSA\/CSS) . Retrieved from http:\/\/www.nsa.gov\/ia\/_files\/ecdsa.pdf. NSA-CSS. 2010. Suite B Implementers\u2019 Guide to FIPS 186-3 (ECDSA). National Security Agency\/Central Security Service (NSA\/CSS). Retrieved from http:\/\/www.nsa.gov\/ia\/_files\/ecdsa.pdf."},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIT.1978.1055817"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1017\/S0305004100049252"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/FDTC.2008.10"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/FDTC.2009.38"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1090\/pspum\/020\/0316385"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1007\/s001459900052"},{"key":"e_1_2_1_47_1","volume-title":"Encyclopedia of Cryptography and Security","author":"Solinas Jerome A.","unstructured":"Jerome A. Solinas . 2011. Generalized Mersenne prime . In Encyclopedia of Cryptography and Security ( 2 nd Ed.), Henk C. A. van Tilborg and Sushil Jajodia (Eds.). Springer , 509--510. DOI:http:\/\/dx.doi.org\/10.1007\/978-1-4419-5906-5_32 10.1007\/978-1-4419-5906-5_32 Jerome A. Solinas. 2011. Generalized Mersenne prime. In Encyclopedia of Cryptography and Security (2nd Ed.), Henk C. A. van Tilborg and Sushil Jajodia (Eds.). Springer, 509--510. DOI:http:\/\/dx.doi.org\/10.1007\/978-1-4419-5906-5_32","edition":"2"},{"key":"e_1_2_1_48_1","doi-asserted-by":"crossref","unstructured":"Thomas Pornin. 2013. Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA). IETF RFC 6979. Retrieved from http:\/\/tools.ietf.org\/html\/rfc6979.  Thomas Pornin. 2013. Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA). IETF RFC 6979. Retrieved from http:\/\/tools.ietf.org\/html\/rfc6979.","DOI":"10.17487\/rfc6979"},{"key":"e_1_2_1_49_1","volume-title":"Hash Function for Text in C. Usenetmessage &lt","author":"Torek Chris","year":"1990","unstructured":"Chris Torek . 1990. Hash Function for Text in C. Usenetmessage &lt ; 27038mimsy.umd.edu &gt; in comp.lang.c. ( Oct. 1990 ). Chris Torek. 1990. Hash Function for Text in C. Usenetmessage &lt; 27038mimsy.umd.edu &gt; in comp.lang.c. (Oct. 1990)."},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1007\/PL00003816"},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/12.210181"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.5555\/1388394"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/12.869328"}],"container-title":["ACM Journal on Emerging Technologies in Computing Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2767132","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2767132","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T05:43:02Z","timestamp":1750225382000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2767132"}},"subtitle":["Analysis and Countermeasure"],"short-title":[],"issued":{"date-parts":[[2016,4,20]]},"references-count":55,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2017,1,31]]}},"alternative-id":["10.1145\/2767132"],"URL":"https:\/\/doi.org\/10.1145\/2767132","relation":{},"ISSN":["1550-4832","1550-4840"],"issn-type":[{"type":"print","value":"1550-4832"},{"type":"electronic","value":"1550-4840"}],"subject":[],"published":{"date-parts":[[2016,4,20]]},"assertion":[{"value":"2014-12-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2015-04-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2016-04-20","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}