Fooling primality tests on smartcards [ESORICS 2020]

   Authors: Vladimir Sedlacek, Jan Jancar and Petr Svenda

 Primary contact: Jan Jancar <>

 Conference: ESORICS 2020

Pre-print PDF   Presentation   BiBTeX

  Title         = {Fooling primality tests on smartcards},
  Author        = {Vladimir Sedlacek and Jan Jancar and Petr Svenda},
  BookTitle     = {25th European Symposium on Research in Computer Security (ESORICS) 2020},
  Year          = {2020},
  Publisher     = {Springer},
  crocsweb      = {},
  Keywords      = {ECC, primality, pseudoprimes, smartcards},


We analyse whether the smartcards of the JavaCard platform correctly validate primality of domain parameters. The work is inspired by Albrecht et al.[1], where the authors analysed many open-source libraries and constructed pseudoprimes fooling the primality testing functions. However, in the case of smart-cards, often there is no way to invoke the primality test directly, so we trigger it by replacing (EC)DSA and (EC)DH prime domain parameters by adversarial composites. Such a replacement results in vulnerability to Pohlig-Hellman style attacks, leading to private key recovery.Out of nine smartcards (produced by five major manufacturers) we tested, all butone have no primality test in parameter validation. As the JavaCard platform provides no public primality testing API, the problem cannot be fixed by an extra parameter check, making it difficult to mitigate in already deployed smartcards.