Upload
isolde
View
19
Download
1
Embed Size (px)
DESCRIPTION
In The Name of Allah Fault attacks on ECC. Fereshte Mozafari Arezoo Dabaghi. FLOW. Introduction Fault attacks Differential fault attack & its countermeasure Sign change fault attack & its countermeasure References. Introduction. An EC over Fp (p > 3) satisfy with: - PowerPoint PPT Presentation
Citation preview
In The Name of Allah
Fault attacks on ECC
Fereshte MozafariArezoo Dabaghi
FLOWIntroductionFault attacksDifferential fault attack & its countermeasureSign change fault attack & its
countermeasureReferences
Hardware Security and Trust, CE, SUT 2
Introduction An EC over Fp (p > 3) satisfy with:
Y2 = x3 + ax2 + b (mod p)In cryptosystems based on EC, a crucial
computation is the scalar multiplication of a public base point P with a secret scalar factor k.
Q = kP
Attacks aim to recover the value of k. Hardware Security and Trust, CE, SUT 3
Fault AttacksDifferential Fault Attack(DFA) Sign Change Fault Attack(SCFA)M Safe- Error AnalysisC Safe- Error AnalysisInvalid Curve AnalysisInvalid Point Analysis
Hardware Security and Trust, CE, SUT 4
Differential fault attack(0)
5
Scalar multiplication
P, , p
Q = k.P
Differential fault attack(1)Preliminaries
If enforce a fault randomly in a register
than can recover secret key in expected
polynomial time
binary length of n is k
value stored in variable Q before iteration
I
e Hardware Security and Trust, CE, SUT 6
Differential fault attack(2)Method
1.Run ECSM once and collect the correct result ()
2.Enforce register fault in a register holding the variable Q , in iteration n-m < j < n
Hardware Security and Trust, CE, SUT 7
j
𝑄 ′ 𝑗
0n-1
Differential fault attack(3)3. Find the index of the first iteration j’ with j’ > j and =1
Hardware Security and Trust, CE, SUT 8
j
𝑄 ′ 𝑗 ′
0n-1 j’
Differential fault attack(4)4. find candidate for the disturbed Q-value
1. check each i with ( n-m < i < n) as candidate for j’ 2. x = as candidate for the n-i most significant bit of k
Hardware Security and Trust, CE, SUT 9
j 0n-1 j’=i
𝑥𝑥
Differential fault attack(4)4. find candidate for the disturbed Q-value
Hardware Security and Trust, CE, SUT 10
j
𝑄 ′𝑥𝑖=𝑄 ′ 𝑗 ′
0n-1 j’=i
. .P)’
= - . .P
Differential fault attack(5)5. For each choice of x and i we consider all
disturbed Q- values () with can derive from by flipping
one bit.6. calculate by :
Hardware Security and Trust, CE, SUT 11
Differential fault attack(6)7. if is identical by of device
i as a candidate for j’ as a candidate for binary representation of x as a candidate for upper n-j’ of k
Hardware Security and Trust, CE, SUT 12
Countermeasure for DFAintermediate results (Qi , Hi )should be
regularly checkedrandomize the scalar k
Hardware Security and Trust, CE, SUT 13
SCFA on ECC(1)Over NAF-based left-to-right doubling
algorithm
14Hardware Security and Trust, CE, SUT
SCFA on ECC(2)Basic idea: recover the bits of k in pieces of 1
≤ r ≤ m bitsA SCF changes the sign of y-coordinate of an
attacked point
Q Qf
Hardware Security and Trust, CE, SUT 15
SCFA on ECC(3)
the only unknown part is Li (k)This allows to recover bits of k starting from
the LSB
Hardware Security and Trust, CE, SUT 16
+ -
Injection of SCF on Qi ‘(1)Input: access to algorithm1 n the length of private key, k > 0 in NAF
Q = kP, m a parameter for acceptable amount of offline workOutput: k with probability at least 1/2#Step1: Collect faulty output collect the set S by including SCF on Qi
’
Hardware Security and Trust, CE, SUT 17
Injection of SCF on Qi ‘(2)#step2: Inductive Retrieval of Secret Key Bits
1. Set s := -12. While(s < n-1) do 3. Set
4. For all lengths of r = 1,2,…,m do 5. For all valid NAF-patterns x = (xs+1,xs+2,…,xs+r) do
Hardware Security and Trust, CE, SUT 18
S+1 LSBs of k are known
Compute known LSB part
Try all possible bit pattern with length r
Injection of SCF on Qi ‘(3)6. Set
7. For all do 8. If then 9. conclude ks+1 = xs+1,
ks+2 = xs+2,…, ks+r = xs+r ,
set s := s + r
Hardware Security and Trust, CE, SUT 19
Compute test condidate Tx
Verify Tx
Injection of SCF on Qi ‘(4)10. If no test candidate satisfies the verification step,then assume that ks+1 = 0, set s := s + 1
11. continue at Line 212. Verify Q = kP If this fails then output ”failure”13. Output “k”
Hardware Security and Trust, CE, SUT 20
Countermeasure for SCFA(1)Uses a second elliptic curve whose order
is a small prime number(t) to verify the final results E = Ep := E( Fp )
Et := E( Ft )
Ept is defined with parameters Apt and Bpt
Apt ≡ Ap mod p, Apt ≡ At mod t
Bpt ≡ Bp mod p, Bpt ≡ Bt mod t
Qpt = k Ppt
Hardware Security and Trust, CE, SUT 21
Countermeasure for SCFA(2)Attacks in Line 4 cannot yield a faulty output
Hardware Security and Trust, CE, SUT 22
References1. J. Blomer, M. Otto, J. Seifert“Sign Change Fault Attacks On Elliptic Curve Cryptosystems,” Fault Diagnousis and Tolerance iv Cryptograghy , pp. 36-52, 2006.2. J. Fan, I. Verbouwhede, “An Updated Survey on Secure ECC Implementations: Attacks, Countermeasures and Cost,” Cryptography and Security, pp. 265-282, 2012.3. J. Fan, X. Gue, E. Mulder, “State-of-the-art of secure ECC implementations: a survey on known side-channel attacks and countermeasures,” International Symposium on Hardware-Oriented Security and Trust , pp. 165-171, 2010.4. I. Biehel, B. Meyer, V. Muller, "Diferential Fault Attacks on Elliptic Curve Cryptosystems," Advance in Cryptography, pp. 131-141, 2000.5. B. Johannes, O. Martin, S. Jean-Pierre, ‘Sign Change Fault Attacks on Elliptic Curve Cryptosystems”
Hardware Security and Trust, CE, SUT 23
When that you think every thing is hidden and no one can see within , remember my friend , God
can