
ECDSA Signatures Can Be Cracked With One Good Signature and One Bad One


I have been reading an excellent paper [1] that outlines the use of a fault attack on ECDSA signatures. With this, we just need one good signature and one bad one, where the signer has signed the same message, with the same nonce, and with the same private key. It is another worrying attack on ECDSA [2]:

In ECDSA, we generate a signature with:

and where k is a random nonce value, h is the hash of the message, and d is the private key. Now, let’s say we have two signatures. One has a fault and the other one is valid [2]. We then have (r,s) for the valid one, and (r_f,s_f) for the faulty one. These will be:

and where h is the hash of the message. Now if we subtract the two s values we get:

Then:

This can then be substituted in :

This gives:

We can then rearrange this to derive the private key (d) from:


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
