Aarhus University Seal

Degenerate Fault Attacks on Elliptic Curve Parameters in OpenSSL

Research output: Contribution to book/anthology/report/proceedingArticle in proceedingsResearchpeer-review



  • Akira Takahashi
  • ,
  • Mehdi Tibouchi, NTT Secure Platform Laboratories, NTT Corporation

In this paper, we describe several practically exploitable fault attacks against OpenSSL's implementation of elliptic curve cryptography, related to the singular curve point decompression attacks of Blömer and Günther (FDTC2015) and the degenerate curve attacks of Neves and Tibouchi (PKC 2016). In particular, we show that OpenSSL allows to construct EC key files containing explicit curve parameters with a compressed base point. A simple single fault injection upon loading such a file yields a full key recovery attack when the key file is used for signing with ECDSA, and a complete recovery of the plaintext when the file is used for encryption using an algorithm like ECIES. The attack is especially devastating against curves with j-invariant equal to 0 such as the Bitcoin curve secp256k1, for which key recovery reduces to a single division in the base field. Additionally, we apply the present fault attack technique to OpenSSL's implementation of ECDH, by combining it with Neves and Tibouchi's degenerate curve attack. This version of the attack applies to usual named curve parameters with nonzero j-invariant, such as P192 and P256. Although it is typically more computationally expensive than the one against signatures and encryption, and requires multiple faulty outputs from the server, it can recover the entire static secret key of the server even in the presence of point validation. These various attacks can be mounted with only a single instruction skipping fault, and therefore can be easily injected using low-cost voltage glitches on embedded devices. We validated them in practice using concrete fault injection experiments on a Rapsberry Pi single board computer running the up to date OpenSSL command line tools- A setting where the threat of fault attacks is quite significant.

Original languageEnglish
Title of host publication2019 IEEE European Symposium on Security and Privacy (EuroS&P), Proceedings
Number of pages16
Publication yearJun 2019
Article number8806763
ISBN (print)978-1-7281-1149-0
ISBN (Electronic)978-1-7281-1148-3
Publication statusPublished - Jun 2019
EventIEEE European Symposium on Security and Privacy - Stockholm, Sweden
Duration: 17 Jun 201919 Jun 2019
Conference number: 4


ConferenceIEEE European Symposium on Security and Privacy

    Research areas

  • Embedded security, Fault attack, Invalid curve attack, OpenSSL, Singular curve, Supersingular curve

See relations at Aarhus University Citationformats

ID: 163292172