On Fault-based Attacks and Countermeasures for Elliptic Curve Cryptosystems

For some applications, elliptic curve cryptography (ECC) is an attractive choice because it achieves the same level of security with a much smaller key size in comparison with other schemes, such as those based on integer factorization or the discrete logarithm. Unfortunately, cryptosystems, including those based on elliptic curves, have been subject to attacks. For example, fault-based attacks have been shown to be a real threat to today’s cryptographic implementations. In this thesis, we consider fault-based attacks and countermeasures for ECC. We propose a new fault-based attack against the Montgomery ladder elliptic curve scalar multiplication (ECSM) algorithm. For security reasons, especially to provide resistance against fault-based attacks, it is very important to verify the correctness of computations in ECC applications. We deal with protections against fault attacks on ECSM at two levels: module and algorithm. For protections at the module level, where the underlying scalar multiplication algorithm is not changed, a number of schemes and hardware structures are presented based on re-computation or parallel computation. It is shown that these structures can be used for detecting errors with a very high probability during the computation of ECSM. For protections at the algorithm level, we use the concepts of point verification (PV) and coherency check (CC). We investigate the error detection coverage of PV and CC for the Montgomery ladder ECSM algorithm. Additionally, we propose two algorithms based on the double-and-add-always method that are resistant to the safe error (SE) attack. We demonstrate that one of these algorithms also resists the sign change fault (SCF) attack.
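As an added illustration (this is not code from the thesis), the following Python implements the Montgomery ladder ECSM over a small constructed curve y^2 = x^3 + 2x + 3 over F_97 together with the two algorithm-level checks named above: point verification (PV), which tests that each ladder register still satisfies the curve equation, and a coherency check (CC), which tests the ladder invariant R1 - R0 = P after every step. The `fault` hook, the base point (3, 6) and the two fault models (an x-coordinate bit flip and a y sign change) are assumptions of this example, used only to model an injected error so the checks can be exercised.

```python
# Added example: Montgomery ladder ECSM with point verification (PV) and
# coherency check (CC). Not code from the thesis; the curve, base point and
# fault hook below are constructed for illustration only.

P_MOD = 97                # toy prime field F_97
A, B = 2, 3               # short Weierstrass curve y^2 = x^3 + 2x + 3 over F_97
INF = None                # point at infinity


def on_curve(pt):
    """Point verification: does pt satisfy the curve equation?"""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Affine point addition/doubling (chord-and-tangent formulas)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:     # p2 == -p1 (or a 2-torsion point)
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def naive_mul(k, pt):
    """Reference k*pt by repeated addition (used to check the ladder)."""
    acc = INF
    for _ in range(k):
        acc = add(acc, pt)
    return acc


def montgomery_ladder(k, pt, fault=None):
    """Compute k*pt with the Montgomery ladder, running PV and CC after
    every step.

    fault: optional (step, register, mutate) tuple -- a modelling hook for
    this example, not part of any real implementation -- that replaces
    R0 (register 0) or R1 (register 1) with mutate(R) right after the given
    step, to simulate an injected error in that register.

    Returns (k*pt, None) if every check passed, or (None, report) where
    report records the step at which PV or CC first failed.
    """
    R0, R1 = INF, pt
    for step, bit in enumerate(bin(k)[2:]):
        if bit == '0':
            R1 = add(R0, R1)      # R1 <- R0 + R1
            R0 = add(R0, R0)      # R0 <- 2*R0
        else:
            R0 = add(R0, R1)      # R0 <- R0 + R1
            R1 = add(R1, R1)      # R1 <- 2*R1
        if fault is not None and fault[0] == step:
            _, reg, mutate = fault
            if reg == 0 and R0 is not INF:
                R0 = mutate(R0)
            elif reg == 1 and R1 is not INF:
                R1 = mutate(R1)
        pv_ok = on_curve(R0) and on_curve(R1)      # PV on both registers
        cc_ok = add(R0, pt) == R1                  # CC: invariant R1 - R0 = P
        if not (pv_ok and cc_ok):
            return None, {'step': step, 'pv': pv_ok, 'cc': cc_ok}
    return R0, None


if __name__ == "__main__":
    base = (3, 6)                                   # constructed base point on the toy curve
    print("6*P     :", montgomery_ladder(6, base))
    flip_x = lambda q: (q[0] ^ 1, q[1])             # x bit flip: register leaves the curve
    print("x-flip  :", montgomery_ladder(6, base, fault=(1, 1, flip_x)))
    negate_y = lambda q: (q[0], (-q[1]) % P_MOD)    # sign change: register stays on the curve
    print("sign chg:", montgomery_ladder(6, base, fault=(1, 1, negate_y)))
```

The two fault models behave differently: the x-coordinate bit flip moves the register off the curve, so PV and CC both fire, whereas the sign change leaves the register on the curve, so PV passes and only the coherency check catches it. That difference in what each check can see is the kind of question a coverage analysis of PV and CC has to settle.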
