Fraunhofer-Gesellschaft
2025
Journal Article
Title

Fault Attacks on ECC Signature Verification

Abstract
Signature verification operations used in secure boot or firmware updates are the foundation of trusted devices. ECC-based signature schemes are preferred for these applications due to their smaller key and signature sizes. Despite their widespread use, we would like to highlight that there is no research available that analyzes the resilience of ECC-based signature verification operations against fault attacks. Therefore, we thoroughly investigate the feasibility of fault attacks on ECC-based signature verification. We cover both theoretical and implementation-specific attacks. We demonstrate that faults in elliptic curve points and parameters allow an adversary to forge signatures in ECGDSA and ECSDSA, while ECDSA and EdDSA remain resilient. The weakness lies in the Weierstraß curves used in the affected schemes. This allows an adversary to perform cryptographic operations on much weaker curves by corrupting as little as a single bit. To assess the severity in practice, we evaluate two open-source secure boot implementations—MCUboot and wolfBoot—that use fault injection hardening. Interestingly, these examples do not employ any hardening within the underlying cryptographic libraries. We discovered several attacks on the implementation of the ECDSA and EdDSA verification algorithms. Here, a single instruction skip is sufficient to accept trivially forged signatures. To improve these and future implementations, we propose effective and efficient countermeasures. Our work fills a critical gap to motivate further research for more resilient cryptographic implementations.
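The abstract states that a single corrupted bit in an elliptic curve point or in the domain parameters can move the verifier's computation onto a much weaker curve. The following Python snippet is an added illustration, not code from the paper and not its proposed countermeasures (which this page does not reproduce): it shows two cheap defensive checks a verifier can run before any scalar multiplication, an on-curve validation of the base point and public key, and an integrity digest over the domain parameters, and then counts how many single-bit faults each check catches. The curve constants are the standard secp256k1 values; the function names, the digest encoding and the bit-flip survey are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over GF(p), base point (gx, gy) of order n."""
    p: int
    a: int
    b: int
    gx: int
    gy: int
    n: int


# Standard secp256k1 domain parameters (public constants, not constructed).
SECP256K1 = Curve(
    p=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F,
    a=0,
    b=7,
    gx=0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    gy=0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
    n=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141,
)


def is_on_curve(c: Curve, x: int, y: int) -> bool:
    """Range-check the coordinates and test the curve equation.

    A point whose coordinates, or whose curve constants, have been disturbed
    will with overwhelming probability fail the equation of the intended
    curve, so the 'weaker curve' situation is rejected up front."""
    if not (0 <= x < c.p and 0 <= y < c.p):
        return False
    return (y * y - (x * x * x + c.a * x + c.b)) % c.p == 0


def params_digest(c: Curve) -> bytes:
    """SHA-256 over a fixed-width encoding of all domain parameters (assumed scheme).

    The reference digest is computed from trusted parameters once (here: at
    import) and compared again right before verification, so a flipped bit in
    any parameter, including a and n, is noticed independently of the
    on-curve test."""
    h = hashlib.sha256()
    for v in (c.p, c.a, c.b, c.gx, c.gy, c.n):
        h.update(v.to_bytes(32, "big"))
    return h.digest()


REFERENCE_DIGEST = params_digest(SECP256K1)


def check_verification_inputs(c: Curve, reference: bytes, qx: int, qy: int):
    """Pre-verification checks: parameters intact, base point and public key on
    the intended curve. Returns (ok, reason)."""
    if params_digest(c) != reference:
        return False, "domain parameters corrupted"
    if not is_on_curve(c, c.gx, c.gy):
        return False, "base point not on curve"
    if not is_on_curve(c, qx, qy):
        return False, "public key not on curve"
    return True, "ok"


def flip_bit(value: int, bit: int) -> int:
    """Model a single-bit fault in a 256-bit word."""
    return value ^ (1 << bit)


def fault_parameter(c: Curve, name: str, bit: int) -> Curve:
    """Copy of the curve with one bit flipped in the named domain parameter."""
    return replace(c, **{name: flip_bit(getattr(c, name), bit)})


def single_bit_fault_survey(c: Curve = SECP256K1) -> dict:
    """Constructed experiment: flip each of the 256 bits of b, gx and a in turn
    and count how many of those faults the respective check detects."""
    on_curve_b = sum(
        1 for i in range(256) if not is_on_curve(fault_parameter(c, "b", i), c.gx, c.gy)
    )
    on_curve_gx = sum(
        1 for i in range(256) if not is_on_curve(c, flip_bit(c.gx, i), c.gy)
    )
    ref = params_digest(c)
    digest_a = sum(
        1 for i in range(256) if params_digest(fault_parameter(c, "a", i)) != ref
    )
    return {"b_on_curve": on_curve_b, "gx_on_curve": on_curve_gx, "a_digest": digest_a}


if __name__ == "__main__":
    g = (SECP256K1.gx, SECP256K1.gy)
    print(check_verification_inputs(SECP256K1, REFERENCE_DIGEST, *g))
    print(check_verification_inputs(fault_parameter(SECP256K1, "b", 0), REFERENCE_DIGEST, *g))
    print(single_bit_fault_survey())
```

Both checks are cheap compared with a scalar multiplication, and neither depends on the signature scheme, so they apply equally to ECDSA, ECGDSA and ECSDSA verifiers. Running the survey shows every single-bit flip in b, gx and a being caught; in a real implementation the checks would also be repeated after verification, since a fault injected between the check and the use of the values would otherwise go unnoticed.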
Author(s)
Schneider, Kevin
Fraunhofer-Institut für Angewandte und Integrierte Sicherheit AISEC
Auer, Lukas
Fraunhofer-Institut für Angewandte und Integrierte Sicherheit AISEC
Wagner, Alexander
Fraunhofer-Institut für Angewandte und Integrierte Sicherheit AISEC
Journal
IACR transactions on cryptographic hardware and embedded systems
Open Access
File(s)
Download (688.35 KB)
Rights
CC BY 4.0: Creative Commons Attribution
DOI
10.46586/tches.v2025.i4.1010-1052
10.24406/publica-5618
Additional full text version: Landing Page
Language
English
Fraunhofer-Institut für Angewandte und Integrierte Sicherheit AISEC
Keyword(s)
  • ECDSA
  • ECGDSA
  • ECSDSA
  • EdDSA
  • elliptic curve cryptography
  • fault injection
  • secure boot
  • signature verification