{"id":14109963,"url":"https://github.com/kudelskisecurity/EdDSA-fault-attack","last_synced_at":"2025-08-01T09:32:30.568Z","repository":{"id":80292209,"uuid":"104330903","full_name":"kudelskisecurity/EdDSA-fault-attack","owner":"kudelskisecurity","description":"Fault attack against EdDSA demonstrated on an Arduino Nano board, allowing for partial key recovery and fake signatures.","archived":false,"fork":false,"pushed_at":"2017-10-05T07:21:48.000Z","size":12,"stargazers_count":69,"open_issues_count":0,"forks_count":5,"subscribers_count":14,"default_branch":"master","last_synced_at":"2024-08-14T10:15:39.434Z","etag":null,"topics":["arduino-nano","attack","cryptography","eddsa","fault-attack","faulted-signatures","hardware-security","research"],"latest_commit_sha":null,"homepage":"https://research.kudelskisecurity.com/2017/10/04/defeating-eddsa-with-faults/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kudelskisecurity.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-09-21T09:52:51.000Z","updated_at":"2024-07-30T06:31:13.000Z","dependencies_parsed_at":"2024-01-08T08:05:33.203Z","dependency_job_id":null,"html_url":"https://github.com/kudelskisecurity/EdDSA-fault-attack","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kudelskisecurity%2FEdDSA-fault-attack","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kudelskisecurity%2FEdDSA-fault-attack/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/
GitHub/repositories/kudelskisecurity%2FEdDSA-fault-attack/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kudelskisecurity%2FEdDSA-fault-attack/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kudelskisecurity","download_url":"https://codeload.github.com/kudelskisecurity/EdDSA-fault-attack/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":228360505,"owners_count":17907929,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arduino-nano","attack","cryptography","eddsa","fault-attack","faulted-signatures","hardware-security","research"],"created_at":"2024-08-14T10:02:35.562Z","updated_at":"2024-12-05T19:31:20.422Z","avatar_url":"https://github.com/kudelskisecurity.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# Fault attack on EdDSA and Ed25519\nWe demonstrated how a single fault injected at the right time lets an attacker recover enough of the secret key of a device performing EdDSA signatures to produce seemingly valid signatures (even though the real signature computed by the actual secret key holder would have a different value). This is an inherent weakness of these algorithms and cannot be avoided as long as they generate their values through deterministic means. Our paper was presented at [FDTC 2017](www.fdtc-workshop.eu). 
We give here the code to simulate faulted signatures as well as to recover the key from faulted signatures.\n\nIn our example setup, we were able to attack and recover the secret key stored in an Arduino Nano computing Ed25519 signatures with the [ArduinoLibs](https://rweather.github.io/arduinolibs/crypto.html) Crypto library.\n\nCountermeasures against such fault attacks are detailed in our paper \"Practical fault attack against the Ed25519 and EdDSA signature schemes\".\n\n## Requirements\n\n* Python 2.6+\n* gmpy2\n\n## Attack simulation\nThe Python script **test_simulation.py** simulates a fault happening during the signature process and applies the attack to recover the private value `a`:\n\n```bash\n$ ./test_simulation.py -r\nKey generation:\na = 3856099267433939410638934773561861774469861534617912158986655171120805876879\nFirst signature is valid : True\nSecond signature is valid: False\nSame R but not the same S: True\nFound a with error at offset 31\na = 3856099267433939410638934773561861774469861534617912158986655171120805876879\nSigning another message:\nThird signature is valid: True\n```\n\nBy default, keys, fault offsets and fault values are randomly generated. Deterministic tests may be run instead:\n```bash\n$ ./test_simulation.py -d -o 12 -e 56\nKey generation:\na = 482006232232683921242586128535238829962455780187631138037190845242801001519\nFirst signature is valid : True\nSecond signature is valid: False\nSame R but not the same S: True\nFound a with error at offset 12\na = 482006232232683921242586128535238829962455780187631138037190845242801001519\nSigning another message:\nThird signature is valid: True\n```\n\n## Arduino attack\nTo perform the attack on the Arduino Nano, Arduino Studio must be installed and the Crypto library of the ArduinoLibs project has to be imported. The code executed on the Arduino Nano is given in the file **ed25519.ino**. 
The complete set-up and methodology used to obtain faults by voltage glitching are given in the paper.\n\nOnce the proper faults have been found, the script **test_arduino.py** recovers the value `a` from the faulted signatures:\n\n```bash\n$ ./test_arduino.py \nFault from Arduino Nano voltage glitch:\nsignature 1 is valid: True\nsignature 2 is valid: False\nFound value of a thanks to error at offset 6\na = 5261030905596737613781015704137862010759183555703583748072526152929652983426\nsignature 2 is valid: False\nFound value of a thanks to error at offset 4\na = 5261030905596737613781015704137862010759183555703583748072526152929652983426\nsignature 2 is valid: False\nFound value of a thanks to error at offset 2\na = 5261030905596737613781015704137862010759183555703583748072526152929652983426\nsignature 2 is valid: False\nFound value of a thanks to error at offset 1\na = 5261030905596737613781015704137862010759183555703583748072526152929652983426\nsignature 2 is valid: False\nError\nError: the glitch was not at offset 32\n```\n\n## Publication  \nArticle's DOI: [10.1109/FDTC.2017.12](https://doi.org/10.1109/FDTC.2017.12)  \nThe accepted version is [freely available](https://romailler.ch/ddl/10.1109_FDTC.2017.12_eddsa.pdf).\n\n## Copyrights\nOur original source code is copyright © 2017 Nagravision S.A., and was written by Sylvain Pelissier and Yolan Romailler.\n\nThe Ed25519 Python implementation is based on DJB's work; the original Ed25519 software is in the public domain.\n\nThe software published here is released under the Unlicense.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkudelskisecurity%2FEdDSA-fault-attack","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkudelskisecurity%2FEdDSA-fault-attack","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkudelskisecurity%2FEdDSA-fault-attack/lists"}