Lattice-Based Fault Attacks Against ECMQV

ECMQV is a standardized key agreement protocol based on ECC with an additional implicit-signature authentication. In this paper we investigate the vulnerability of ECMQV to fault attacks and propose two efficient lattice-based fault attacks. In our attacks, by inducing a storage fault into the ECC parameter a before the execution of ECMQV, we can construct two kinds of weak curves and successfully pass the public-key validation step of the protocol. Then, by solving the ECDLP and using a guess-and-determine method, some information about the victim's temporary private key and the implicit-signature result can be deduced. Based on the retrieved information, we build two new lattice-attack models and recover the upper half of the static private key. Compared with previous lattice-attack models, our models relax the attack conditions and do not require exact partial knowledge of the nonces. The validity of the attacks is proven by experimental simulations, which show that our attacks pose a real threat to unprotected ECMQV implementations, since a single permanent fault is sufficient to retrieve half of the bits of the secret key.
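The validation step the abstract says the attack passes, as an added illustration that is not part of the paper: on-curve public-key validation is evaluated against the domain parameters as stored, so a point that lies only on the curve with a faulted a is accepted, while an integrity digest over the stored parameters is the check that detects the corruption. The toy curve, the flipped bit and the digest scheme are constructed assumptions, not values from the paper.

```python
import hashlib

# Constructed toy curve y^2 = x^3 + a*x + b over GF(P); values are assumptions,
# not a standardized curve. P % 4 == 3 keeps modular square roots cheap.
P = 10007
A_TRUE, B = 3, 7
A_FAULT = A_TRUE ^ 1  # storage fault model: one bit of the stored `a` flips


def is_on_curve(Q, a, b=B, p=P):
    """On-curve test as public-key validation performs it, with the parameters currently in storage."""
    if Q is None:
        return False
    x, y = Q
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def lift_x(x, a, b=B, p=P):
    """Return (x, y) on the curve with parameter `a`, or None if x has no valid y."""
    rhs = (x ** 3 + a * x + b) % p
    if pow(rhs, (p - 1) // 2, p) != 1:  # Euler's criterion: rhs must be a square
        return None
    return (x, pow(rhs, (p + 1) // 4, p))  # sqrt for p = 3 (mod 4)


def find_point_on_faulted_curve(a_fault=A_FAULT):
    """First affine point on the faulted curve; it is never on the true curve (x != 0)."""
    for x in range(1, P):
        Q = lift_x(x, a_fault)
        if Q is not None:
            return Q
    return None


def params_digest(a, b=B, p=P):
    """Integrity tag over the domain parameters, to be compared with a trusted reference before use."""
    return hashlib.sha256(f"{p}:{a}:{b}".encode()).hexdigest()


REFERENCE_DIGEST = params_digest(A_TRUE)  # trusted value, fixed at provisioning time


def validate_public_key(Q, a_stored):
    """On-curve check with the stored `a`, plus the parameter-integrity check that catches a faulted `a`."""
    return {"on_curve": is_on_curve(Q, a_stored),
            "params_intact": params_digest(a_stored) == REFERENCE_DIGEST}


if __name__ == "__main__":
    Q = find_point_on_faulted_curve()
    print("point", Q, "faulted-curve validation:", validate_public_key(Q, A_FAULT))
    print("same point against true curve:", validate_public_key(Q, A_TRUE))
```

With the faulted `a` in storage the on-curve test accepts Q and only the digest comparison fails; with the true `a` the same point is rejected.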
