**Summary / goal**Design a realistic fault-injection that recovers an ECDSA private key d from a signing oracle by inducing faults in the ephemeral nonce generation or in k used during scalar multiplication. I describe the fault model, collection steps, mathematical recovery from faulty signatures, and practical mitigations.**Fault model**- Localized transient fault during nonce generation or scalar multiplication (e.g., EM fault, laser, clock glitch).- Faults flip or zero a small subset of nonce bits, or truncate/replace k with k' = k + Δ where Δ is small or sparse.- Attacker can query the signing oracle on chosen messages before/after inducing faults and obtain both correct and faulty signatures.**Collection steps**1. Obtain baseline correct signature (r, s) on message m with hash z.2. Induce fault during next signing; collect faulty signature (r', s') on same or chosen m'.3. Repeat to get multiple faulty signatures with different Δ patterns if needed.**Mathematical reasoning**ECDSA: signature satisfiestext
s = k^{-1} ( z + d * r ) mod n
Sotext
d = ( s * k - z ) * r^{-1} mod n
If k' = k + Δ and we observe (r', s') and we know k partially (e.g., high bits unchanged) or Δ small, then rearrange:text
s' = (k')^{-1} ( z' + d * r' ) mod n
From correct (r, s) and faulty (r', s') on same z, eliminate d to get linear relation in k and Δ. Practical recovery methods:- If nonce reuse (k = k'), recover d directly: standard two-sig reuse attack.- If Δ small and known sign/size: turn modular equation into integer inequality and solve via lattice (Bleichenbacher-style or Howgrave-Graham lattice) to recover k and thus d.- If low bits zeroed: use Coppersmith/lattice to recover unknown high bits by modeling k = k_high * 2^t and solving for k_high.- With multiple faulty samples having different small Δ, solve for k via multiple linear equations (CRT-style or lattice) to get d.Key formula used when same message and known Δ:text
s' * (k + Δ) - s * k = (z' + d r') - (z + d r) mod n
Which yields linear equations in d and k; eliminate k to solve for d or reduce to short-basis lattice problem.**Practical considerations**- Need enough faulty signatures to make lattice dimension manageable (typically < 6–10).- Ensure r vs r' behavior: faults that alter scalar mult often change r; if r unchanged, recovery simpler.- Noise and modular wrap require treating equations as integer equations with bounded error.**Mitigations**- Deterministic nonces per RFC 6979 or keyed-PRF (HMAC-DRBG) with integrity-protected seed eliminates RNG faults.- Compute nonce and signature twice (redundant computation) with independent hardware/clocks and compare before release.- Verify produced signature locally before output using pubkey; do not leak on verification failure.- Fault sensors / tamper detection: voltage, clock, laser, EM detectors with safe-fail on trigger.- Use constant-time, atomic scalar multiplication with countermeasures (blinding: k' = k + v*n, point blinding, scalar blinding).- Secure boot and hardware security module (HSM) enforcing physical protections.I would choose lattice-based recovery in a lab to validate attack parameters, then recommend implementing deterministic nonces plus signature verification redundancy as highest-impact defenses.