Methods of Fault Analysis Attacks on Elliptic Curve Cryptosystems

I would like to thank Prof. Johannes Buchmann for his interesting and also entertaining introduction to cryptography and the opportunity to carry on research on fault attacks. I enjoyed the relaxed and friendly atmosphere in his research group. I would also like to thank Daniel Schepers for helpful discussions on fault attacks and for his hints on how to improve my work. I really enjoyed the years of my studies with my friends from university and would like to thank Matthias Heidrich, Michelle Seipp, Dörte Beigel and Chris Hellberg, especially, for good questions and discussions on how to improve explanations in this thesis.

Introduction

This thesis presents a special class of attacks on elliptic curve cryptosystems (ECC), called Fault Analysis Attacks (FAA). They belong to the class of Side Channel Attacks (SCA) and try to get information about the secret key by exploiting faults. The attacks are based on the assumption that a fault during a cryptographic computation leads to a faulty result. If the system does not detect the fault and therefore does not suppress the output, the result can be exploited by an adversary: using the knowledge of correct results, faulted results and the precise place of induced faults, an adversary is able to compute the secret key.

In Chapter 1 we will give an introduction to arithmetic on elliptic curves. Chapter 2 gives an overview of cryptography based on elliptic curves. We will present the elliptic curve discrete logarithm problem, on which the security of an elliptic curve cryptosystem rests. Then, we will describe some methods to solve the discrete logarithm problem in order to get the secret key. This leads to security attributes and conditions for a secure ECC.

In Chapter 3 we will present different Fault Analysis Attacks, assuming an attack on an ECC implemented on a security device, in which faults are induced during a computation that uses a private key. If an attacker is able to repeatedly mount attacks on the device, he can successively derive the bit-values of the secret key. We present different approaches of Fault Analysis Attacks and discuss countermeasures to prevent these attacks. A complete overview of countermeasures against FAA is given at the end of Chapter 3.

Furthermore, we will analyze other Side Channel Attacks that exploit the power consumption of the device and give effective countermeasures in Chapter 4. We will present a model to compare countermeasures with respect to performance, use of registers …
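The premise of the introduction, that a faulty result only helps an adversary if the device releases it, can be shown with an output check. The following is an added example, not code from the thesis: it assumes a constructed toy curve y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1), a simulated single-bit fault, and hypothetical function names, and it uses the standard on-curve validation of the result before release.

```python
# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17; far too small for real use.
P, A, B = 17, 2, 2
G = (5, 1)  # base point of order 19

class FaultDetected(Exception):
    """Raised instead of releasing a result that fails validation."""

def on_curve(pt):
    if pt is None:  # point at infinity
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p, q):
    # Affine add/double; the formulas never use B, so a faulted point is not noticed here.
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt, fault_step=None):
    # Left-to-right double-and-add. fault_step simulates a transient
    # single-bit flip in the accumulator's x-coordinate after that step.
    acc = None
    for i, bit in enumerate(bin(k)[2:]):
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
        if i == fault_step and acc is not None:
            acc = ((acc[0] ^ 1) % P, acc[1])
    return acc

def checked_scalar_mult(k, pt, fault_step=None):
    # Countermeasure: validate input and result before anything leaves the device.
    if not on_curve(pt):
        raise FaultDetected("input point not on curve")
    result = scalar_mult(k, pt, fault_step)
    if not on_curve(result):
        raise FaultDetected("result not on curve; output suppressed")
    return result
```

An on-curve check only catches faults that push the result off the curve; a fault whose result is still a valid curve point passes it and needs a different check.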
