In 2000, Biehl et al. proposed a fault-based attack on elliptic curve cryptography. In this paper, we refined the fault attack method. An elliptic curve

In 1996, a fault analysis attack was introduced by Boneh et al. [

In [

In practice, in order to get a better function, the cryptosystem may be based on some special family of elliptic curve. Here, we assume that the fault attack is restricted on the following elliptic curve defined over prime field

In Section

Our analysis depends on the number of

The analysis of our method in this paper shows that the performance of the algorithm is largely determined by the density of numbers built up from small primes in the neighborhood of

Suppose that

The paper is organized as follows. In Section

Let

The fault attack is based on the fact that the curve coefficient

Let

If the order of the base point

(1) For

(1.1)

(1.2)

(1.3) For

(

(

(

(

(2) Use the CRT to solve the system of congruences

This gives us

(3) Return

(1) Randomly choose

(1.1)

(2)

(2.1) Obtain

(2.2) Choose an integer

(3) Apply decryption oracle to compute

(3.1)

(4) If all the prime factors of

(4.1) Utilize Algorithm

(5) Return

Without losing generality, we assume that the order of the base point

In this section, we consider the following EC ElGamal cryptosystem. Let

Encryption: Input message

The fault attack is that the attacker randomly chooses an elliptic curve

In practice, we can compute

Having the points pair

By repeating Algorithm

Let

For giving an elliptic curve

Certainly, of course, we can choose a point

In this section, we count the number of isomorphism classes over

It is easy to see that the discriminant

Given

For any elliptic curve

For the Kronecker class number, the following result is useful.

There exist effectively computable positive constants

Let

In order to apply Algorithm

Let

There exist an effectively computable positive constant

The proof of Theorem

There is a positive effectively computable constant

The number to be estimated equals the number of pairs

There exists a positive effectively computable constant

This can be deduced from Theorem

There exists a positive effectively computable constant

The map

Let

Heuristic Assumption:

By the assumption, one can deduce that

There exists an effectively computable constant

By Theorem

In the case of factoring, the best rigorously analyzed result is Corollary 1.2 of [

Theorem

A theorem of Canfield et al. [

The following identities are useful for our estimation:

With

These arguments lead to the following conjectural running time estimation for solving the discrete logarithm problem on elliptic curve of form (

There is a function

One of the authors gratefully acknowledges the helpful comments and suggestions of the anonymous reviewers, which have improved the presentation. This work was supported by NSFC project under (Grant no. 60873041), Nature Science of Shandong Province (Grant no. Y2008G23), Doctoral Fund of Ministry of Education of China (Grant no. 20090131120012), and IIFSDU (Grant no. 2010ST075).