Memory Tampering Attack on Binary GCD Based Inversion Algorithms

In cryptographic engineering, implementation attacks are a major concern because their feasibility has been demonstrated repeatedly. Fault injection is one such attack vector and is now a major research line. In this paper, we show how a memory tampering-based fault attack can severely limit the output space of implementations of binary GCD based modular inversion algorithms. We frame the attack in the context of ECDSA and show that it recovers the private key from a single signature, independently of the key size. We analyze two memory tampering proposals, illustrating how the technique adapts to different implementations. Beyond ECDSA, the attack extends to other cryptographic schemes and countermeasures that employ binary GCD based modular inversion. In addition, we describe how memory tampering-based faults can be used to mount a previously proposed fault attack in scenarios that were initially discarded, which shows the importance of including memory tampering in the frameworks used to analyze fault attacks and their countermeasures.
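
The following is an added worked example, not code from the paper, showing why shrinking the output space of the inversion k^-1 mod n inside ECDSA signing exposes the private key after a single signature. The fault model is a constructed abstraction of the abstract's claim: the tampered inversion (tampered_inverse, OUTPUT_SPACE) returns one of a few values the attacker knows, without the attacker knowing which; the paper's concrete memory tampering mechanism is not reproduced. secp256k1 constants are standard; the binary extended GCD inversion is the textbook Stein-style algorithm; all other names are the example's own.

```python
"""Added example: single-signature ECDSA key recovery when the nonce inversion
is forced into a small, attacker-known output space (constructed fault model)."""
import hashlib
import secrets

# secp256k1 domain parameters (standard constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def binary_ext_gcd_inverse(a, m):
    """Binary extended Euclidean (Stein-style) inversion: a^-1 mod m for odd m,
    gcd(a, m) == 1. Loop invariants: x1*a == u and x2*a == v (mod m)."""
    if a % m == 0:
        raise ValueError("not invertible")
    u, v, x1, x2 = a % m, m, 1, 0
    while u != 1 and v != 1:
        while u % 2 == 0:
            u //= 2
            x1 = x1 // 2 if x1 % 2 == 0 else (x1 + m) // 2
        while v % 2 == 0:
            v //= 2
            x2 = x2 // 2 if x2 % 2 == 0 else (x2 + m) // 2
        if u >= v:
            u, x1 = u - v, x1 - x2
        else:
            v, x2 = v - u, x2 - x1
    return x1 % m if u == 1 else x2 % m


def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (demo only, not side-channel hardened)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def msg_hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def ecdsa_sign(d, msg, k, inverse=binary_ext_gcd_inverse):
    """Textbook ECDSA; `inverse` is the modular inversion routine under attack."""
    r = ec_mul(k, G)[0] % N
    s = inverse(k, N) * (msg_hash(msg) + d * r) % N
    return r, s


def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = binary_ext_gcd_inverse(s, N)
    pt = ec_add(ec_mul(msg_hash(msg) * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


# Constructed fault model: the tampered inversion can only emit these few values.
OUTPUT_SPACE = [2, 3, 5, 7]


def tampered_inverse(k, m):
    """Simulated faulty k^-1: forced into OUTPUT_SPACE; the choice is hidden from the attacker."""
    return OUTPUT_SPACE[k % len(OUTPUT_SPACE)]


def recover_private_key(r, s, h, pub, output_space):
    """Attacker side: s = w*(h + d*r) mod n with unknown w in a small set, so
    d = (s*w^-1 - h)*r^-1 mod n; test each candidate against the public key Q = d*G."""
    r_inv = binary_ext_gcd_inverse(r, N)
    for w in output_space:
        d_cand = ((s * binary_ext_gcd_inverse(w, N) - h) * r_inv) % N
        if d_cand and ec_mul(d_cand, G) == pub:
            return d_cand
    return None


def demo(d=None, k=None, msg=b"constructed message"):
    """Sign once with the faulted inversion, then recover d from (r, s, Q) alone.
    Returns (key recovered?, faulty signature verifies?)."""
    d = d or secrets.randbelow(N - 1) + 1
    k = k or secrets.randbelow(N - 1) + 1
    pub = ec_mul(d, G)
    faulty_sig = ecdsa_sign(d, msg, k, inverse=tampered_inverse)
    recovered = recover_private_key(*faulty_sig, msg_hash(msg), pub, OUTPUT_SPACE)
    # Caveat: the faulted signature does not verify, so a sign-then-verify check
    # before releasing (r, s) would stop this particular leak.
    return recovered == d, ecdsa_verify(pub, msg, faulty_sig)


if __name__ == "__main__":
    print(demo())
```

The attacker needs only the public key, the one faulty signature and knowledge of the reduced output space; the search cost is the size of that space, not the key size. Note that the faulted signature is not a valid signature under the public key, so an implementation that verifies before releasing its output would catch this instance; the example makes that check explicit in the second return value.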
