---
_id: '65529'
abstract:
- lang: eng
  text: We present our discovery of a group of side-channel vulnerabilities in implementations
    of the ECDSA signature algorithm in a widely used Atmel AT90SC FIPS 140-2 certified
    smartcard chip and five cryptographic libraries (libgcrypt, wolfSSL, MatrixSSL,
    SunEC/OpenJDK/Oracle JDK, Crypto++). Vulnerable implementations leak the bit-length
    of the scalar used in scalar multiplication via timing. Using leaked bit-length,
    we mount a lattice attack on a 256-bit curve, after observing enough signing operations.
    We propose two new methods to recover the full private key requiring just 500
    signatures for simulated leakage data, 1200 for real cryptographic library data,
    and 2100 for smartcard data. The number of signatures needed for a successful
    attack depends on the chosen method and its parameters as well as on the noise
    profile, influenced by the type of leakage and used computation platform. We use
    the set of vulnerabilities reported in this paper, together with the recently
    published TPM-FAIL vulnerability [MSE+20] as a basis for real-world benchmark
    datasets to systematically compare our newly proposed methods and all previously
    published applicable lattice-based key recovery methods. The resulting exhaustive
    comparison highlights the methods’ sensitivity to its proper parametrization and
    demonstrates that our methods are more efficient in most cases. For the TPM-FAIL
    dataset, we decreased the number of required signatures from approximately 40
    000 to mere 900.
citation:
  ama: 'Minerva: The curse of ECDSA nonces. Published online 2020. doi:<a href="https://doi.org/10.13154/TCHES.V2020.I4.281-308">10.13154/TCHES.V2020.I4.281-308</a>'
  apa: '<i>Minerva: The curse of ECDSA nonces</i>. (2020). <a href="https://doi.org/10.13154/TCHES.V2020.I4.281-308">https://doi.org/10.13154/TCHES.V2020.I4.281-308</a>'
  bibtex: '@article{Minerva: The curse of ECDSA nonces_2020, DOI={<a href="https://doi.org/10.13154/TCHES.V2020.I4.281-308">10.13154/TCHES.V2020.I4.281-308</a>},
    year={2020} }'
  chicago: '“Minerva: The Curse of ECDSA Nonces,” 2020. <a href="https://doi.org/10.13154/TCHES.V2020.I4.281-308">https://doi.org/10.13154/TCHES.V2020.I4.281-308</a>.'
  ieee: '“Minerva: The curse of ECDSA nonces,” 2020, doi: <a href="https://doi.org/10.13154/TCHES.V2020.I4.281-308">10.13154/TCHES.V2020.I4.281-308</a>.'
  mla: '<i>Minerva: The Curse of ECDSA Nonces</i>. 2020, doi:<a href="https://doi.org/10.13154/TCHES.V2020.I4.281-308">10.13154/TCHES.V2020.I4.281-308</a>.'
  short: (2020).
date_created: 2026-04-30T09:26:50Z
date_updated: 2026-04-30T09:32:54Z
doi: 10.13154/TCHES.V2020.I4.281-308
language:
- iso: en
status: public
title: 'Minerva: The curse of ECDSA nonces'
type: journal_article
user_id: '125442'
year: '2020'
...
