Physical security of elliptic curve cryptography

Elliptic Curve Cryptography (ECC) has gained much importance in smart cards because of its higher speed and lower memory needs compared with other asymmetric cryptosystems such as RSA. ECC is believed to be unbreakable in the black box model, where the cryptanalyst has access to inputs and outputs only. However, this is not enough if the cryptosystem is embedded on a device that is physically accessible to potential attackers. In addition to inputs and outputs, the attacker can study the physical behaviour of the device. This new kind of cryptanalysis is called Physical Cryptanalysis. This thesis focuses on physical cryptanalysis of ECC. The first part gives the background on ECC. From the lowest to the highest level, ECC involves a hierarchy of tools: Finite Field Arithmetic, Elliptic Curve Arithmetic, Elliptic Curve Scalar Multiplication and Cryptographic Protocol. The second part presents the state of the art of the different physical attacks and countermeasures on ECC. For each attack, the context in which it can be applied is given while, for each countermeasure, we estimate the time and memory cost. We propose new attacks and new countermeasures. We then give a clear synthesis of the attacks depending on the context. This is useful during the task of selecting the countermeasures. Finally, we give a clear synthesis of the efficiency of each countermeasure against the attacks.
