Don’t Get Knocked Off the Curve: Fault Injection on Elliptic Curve Cryptosystems

White paper

Elliptic Curve Cryptography (ECC) is a core component in securing digital systems, widely used in applications ranging from internet communications to embedded devices. It supports key cryptographic protocols such as the Elliptic Curve Digital Signature Algorithm (ECDSA) and Elliptic Curve Diffie-Hellman (ECDH), both of which rely on the presumed difficulty of underlying mathematical problems. However, while ECC is mathematically strong, its real-world implementations often expose critical vulnerabilities when faced with fault injection attacks. These attacks exploit the behavior of hardware or software under abnormal or manipulated operating conditions to recover secrets or bypass security controls.


This white paper presents a comprehensive overview of how fault injection attacks compromise ECC-based systems, focusing specifically on ECDSA and ECDH implementations. It explores how attackers can use faults to exploit weaknesses in the control flow, data handling, or parameter validation of cryptographic computations. These techniques do not break the underlying mathematics of ECC but instead manipulate its execution to extract or infer sensitive values such as private keys or nonces.


One major target in ECC implementations is scalar multiplication, the process by which a secret value is multiplied by a base point on the curve to produce a public point. This operation is central to both ECDSA signing and ECDH key agreement. Scalar multiplication must be implemented with great care to prevent leakage through timing, power consumption, or faults. In practice, a variety of optimizations and countermeasures are applied, including constant-time algorithms, dummy operations, and coordinate transformations. However, these countermeasures themselves can introduce new vulnerabilities when subjected to carefully crafted fault injection.


Several classes of fault injection attacks are discussed in the paper. These include attacks that analyze differences between faulty and correct outputs, attacks that observe whether errors occur or not, and attacks that manipulate the input parameters used in computations. Some attacks recover parts of secrets gradually, using statistical or algebraic techniques, while others rely on triggering specific computational paths to reveal information in a single step. Each type of attack varies in complexity, but all depend on gaps in implementation, such as insufficient validation, reuse of key material, or unprotected fault-sensitive operations.


The paper also emphasizes that these attacks are not purely theoretical. They have been demonstrated successfully in real-world systems, leading to the compromise of cryptographic keys in widely deployed technologies. Attackers do not necessarily need full physical access to a device. In some cases, software-based fault injection techniques or logical side channels are enough to induce the necessary conditions. This makes the threat highly relevant even for server-side systems and cloud environments, not just for embedded or IoT devices.


In systems using ECDH, the risk is particularly elevated because the attacker often controls some of the input parameters. This opens up possibilities to manipulate those inputs in ways that cause the system to perform cryptographic operations on insecure or unintended parameters. When those manipulations are not caught by proper validation, the resulting operations can produce weak outputs or allow for key recovery through indirect analysis. Even when point and parameter validation is in place, faults can be used to bypass these checks, allowing the system to unknowingly process malicious data.


To effectively mitigate these risks, the paper outlines a set of practical questions that designers and security teams should ask when evaluating the resilience of their ECC implementations. These questions cover key aspects such as the types of curves supported, how and when validation is performed, how ephemeral values are managed, and whether known countermeasures are in place and correctly applied. Particular attention is given to how scalar multiplication is implemented, since it is the most common target of fault injection attacks.


In addition to identifying vulnerabilities, the paper provides guidance on how to address them. This includes best practices for validating inputs and outputs, strategies for managing key reuse, and the importance of architectural decisions that minimize exposure to faults. It also highlights the role of defensive programming, fault-tolerant design patterns, and system-level monitoring to detect and respond to abnormal behavior.
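As an added example (not code from the white paper), the following toy ECDH in Python shows the peer-point validation discussed for ECDH above and the output check recommended among the mitigations. The curve, generator, private scalars and the simulated bit-flip fault are all constructed toy values chosen so the arithmetic stays readable; they are not real parameters.

```python
# Added example, not from the white paper: toy ECDH with the input validation and
# output check the paper recommends. Toy curve y^2 = x^3 + 7 over F_17 (readability only).
P, A, B = 17, 0, 7
G, N, H = (2, 10), 9, 2   # generator, its order, cofactor (the curve has 18 points)
O = None                  # point at infinity

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x ** 3 - A * x - B) % P == 0

def add(p1, p2):
    # affine addition; no curve check, so off-curve inputs propagate silently
    if p1 is O or p2 is O:
        return p2 if p1 is O else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mul(k, pt, fault_at=None):
    # double-and-add (not constant-time); fault_at simulates a transient fault
    # flipping one bit of the accumulator's x coordinate after that iteration
    r = O
    for i, bit in enumerate(bin(k)[2:]):
        r = add(r, r)
        if bit == "1":
            r = add(r, pt)
        if i == fault_at and r is not O:
            r = (r[0] ^ 1, r[1])
    return r

def validate_public_point(q):
    # reject identity, off-curve points and points outside the order-N subgroup
    return q is not O and on_curve(q) and scalar_mul(N, q) is O

def ecdh_shared_x(priv, peer_pub, fault_at=None):
    if not validate_public_point(peer_pub):
        return None
    s = scalar_mul(priv, peer_pub, fault_at)
    # output check: a faulted computation usually leaves the curve; verify before release
    if s is O or not on_curve(s):
        return None
    return s[0]
```

The function fails closed by returning None; on this toy curve the subgroup test rejects the order-2 point (3, 0), which lies on the curve but not in the subgroup generated by G, and the output check rejects the result of the simulated fault.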


The document concludes by emphasizing the value of comprehensive threat modeling and expert review. Preventing fault injection vulnerabilities requires understanding how attackers think and how they can manipulate real-world systems. It is not enough to implement mathematically sound algorithms. Developers must consider how their code and hardware will behave under stress, error, or manipulation, and design accordingly.


Overall, the paper provides a strategic and technically grounded understanding of how fault injection can undermine the security of elliptic curve cryptosystems, and how to effectively protect against it through thoughtful implementation, validation, and testing.