I think they are mixing attacks. "Checking input/output points" has to do with when you have a fault when you're computing scalar multiplication, or in a protocol where an attacker can send you a point that isn't actually on the curve you're expecting. So its a false curve attack or fault attack depending on the scenario. (OpenSSL checks the input point BTW.)
Then they start talking about (I believe) the Barenghi et al paper "Fault Attack to the Elliptic Curve Digital Signature Algorithm with Multiple Bit Faults" that really has to do faults in the second half of an (EC)DSA signature. If you want to know what kind of faults they need, read all about it in Sec 3. I haven't fully read the paper but I'm gussing verifying the signature before you release it is the no-brainer countermeasure. There are surely more clever ways to prevent it. What cryptosystems, and furthermore protocols, you can attack and how you carry out the attack very much depend on the nature of the fault/defect and the details of the protocol. Shameless self promotion: https://eprint.iacr.org/2011/633 BBB On Sun, Jun 29, 2014 at 1:25 PM, Ondrej Mikle <[email protected]> wrote: > Could anyone give an example what flaws a secp256k1 implementation needs to > have > in order to succumb to the fault attack described in this tweet: > https://twitter.com/pbarreto/status/392415079934615552 ? > > It mentions that an implementation is susceptible "unless the implementation > checks everything", but doesn't go into details. > > I don't understand the fault attacks much, but IIRC it requires a raw point > that > is not on the curve to enter an incorrectly written algorithm. I don't see > where > the problematic raw point comes into play. > > Regards, > Ondrej > _______________________________________________ > cryptography mailing list > [email protected] > http://lists.randombit.net/mailman/listinfo/cryptography _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
