1 / 24

In The Name of Allah Fault attacks on ECC

In The Name of Allah Fault attacks on ECC. Fereshte Mozafari Arezoo Dabaghi. FLOW. Introduction Fault attacks Differential fault attack & its countermeasure Sign change fault attack & its countermeasure References. Introduction. An EC over Fp (p > 3) satisfy with:

isolde
Download Presentation

In The Name of Allah Fault attacks on ECC

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. In The Name of AllahFault attacks on ECC FereshteMozafari ArezooDabaghi

  2. FLOW • Introduction • Fault attacks • Differential fault attack & its countermeasure • Sign change fault attack & its countermeasure • References Hardware Security and Trust, CE, SUT

  3. Introduction • An EC over Fp (p > 3) satisfy with: Y2 = x3 + ax2 + b (mod p) • In cryptosystems based on EC, a crucial computation is the scalar multiplication of a public base point P with a secret scalar factor k. Q = kP • Attacks aim to recover the value of k. Hardware Security and Trust, CE, SUT

  4. Fault Attacks • Differential Fault Attack(DFA) • Sign Change Fault Attack(SCFA) • M Safe- Error Analysis • C Safe- Error Analysis • Invalid Curve Analysis • Invalid Point Analysis Hardware Security and Trust, CE, SUT

  5. Differential fault attack(0) Scalar multiplication Q = k.P P, , p

  6. Differential fault attack(1) • Preliminaries • If enforce a fault randomly in a register than can recover secret key in expected polynomial time • binary length of n is k • value stored in variable Qbefore iteration I • e Hardware Security and Trust, CE, SUT

  7. Differential fault attack(2) • Method • Run ECSM once and collect the correct result () • Enforce register fault in a register holding the variable Q , in iteration n-m < j < n n-1 j 0 Hardware Security and Trust, CE, SUT

  8. Differential fault attack(3) 3. Find the index of the first iteration j’ with j’ > j and =1 n-1 j’ j 0 Hardware Security and Trust, CE, SUT

  9. Differential fault attack(4) 4.find candidate for the disturbed Q-value 1. check each i with ( n-m < i < n) as candidate for j’ 2. x = as candidate for the n-i most significant bit of k j n-1 j’=i 0 Hardware Security and Trust, CE, SUT

  10. Differential fault attack(4) 4.find candidate for the disturbed Q-value j n-1 j’=i 0 . .P)’ = - . .P Hardware Security and Trust, CE, SUT

  11. Differential fault attack(5) 5. For each choice of x and i we consider all disturbed Q- values () with can derive from by flipping one bit. 6. calculate by : Hardware Security and Trust, CE, SUT

  12. Differential fault attack(6) 7. if is identical by of device • i as a candidate for j’ • as a candidate for • binary representation of x as a candidate for upper n-j’ of k Hardware Security and Trust, CE, SUT

  13. Countermeasure for DFA • intermediate results (Qi , Hi)should be regularly checked • randomize the scalar k Hardware Security and Trust, CE, SUT

  14. SCFA on ECC(1) • Over NAF-based left-to-right doubling algorithm Hardware Security and Trust, CE, SUT

  15. SCFA on ECC(2) • Basic idea: recover the bits of k in pieces of 1 ≤ r ≤ m bits • A SCF changes the sign of y-coordinate of an attacked point Q  Qf Hardware Security and Trust, CE, SUT

  16. SCFA on ECC(3) • the only unknown part is Li (k) • This allows to recover bits of k starting from the LSB + - Hardware Security and Trust, CE, SUT

  17. Injection of SCF on Qi ‘(1) • Input: access to algorithm1 n the length of private key, k > 0 in NAF Q = kP, m a parameter for acceptable amount of offline work • Output: k with probability at least 1/2 • #Step1: Collect faulty output collect the set S by including SCF on Qi’ Hardware Security and Trust, CE, SUT

  18. Injection of SCF on Qi‘(2) • #step2: Inductive Retrieval of Secret Key Bits 1. Set s := -1 2. While(s < n-1) do 3.Set 4. For all lengths of r = 1,2,…,m do 5. For all valid NAF-patterns x = (xs+1,xs+2,…,xs+r) do S+1 LSBs of k are known Compute known LSB part Try all possible bit pattern with length r Hardware Security and Trust, CE, SUT

  19. Injection of SCF on Qi‘(3) 6. Set 7. For all do 8. If then 9. conclude ks+1 = xs+1, ks+2 = xs+2,…, ks+r= xs+r , set s := s + r Compute test condidateTx Verify Tx Hardware Security and Trust, CE, SUT

  20. Injection of SCF on Qi‘(4) 10. If no test candidate satisfies the verification step,then assume that ks+1 = 0, set s := s + 1 11. continue at Line 2 12. Verify Q = kP If this fails then output ”failure” 13. Output “k” Hardware Security and Trust, CE, SUT

  21. Countermeasure for SCFA(1) • Uses a second elliptic curve whose order is a small prime number(t) to verify the final results E = Ep:= E( Fp ) Et:= E( Ft ) Eptis defined with parameters Aptand Bpt Apt≡ Apmod p, Apt≡ At mod t Bpt≡ Bpmod p, Bpt≡ Btmod t Qpt = k Ppt Hardware Security and Trust, CE, SUT

  22. Countermeasure for SCFA(2) • Attacks in Line 4 cannot yield a faulty output Hardware Security and Trust, CE, SUT

  23. References 1. J. Blomer, M. Otto, J. Seifert“Sign Change Fault Attacks On Elliptic Curve Cryptosystems,” Fault Diagnousis and Tolerance iv Cryptograghy , pp. 36-52, 2006. 2. J. Fan, I. Verbouwhede, “An Updated Survey on Secure ECC Implementations: Attacks, Countermeasures and Cost,” Cryptography and Security, pp. 265-282, 2012. 3. J. Fan, X. Gue, E. Mulder, “State-of-the-art of secure ECC implementations: a survey on known side-channel attacks and countermeasures,” International Symposium on Hardware-Oriented Security and Trust , pp. 165-171, 2010. 4. I. Biehel, B. Meyer, V. Muller, "Diferential Fault Attacks on Elliptic Curve Cryptosystems," Advance in Cryptography, pp. 131-141, 2000. 5. B. Johannes, O. Martin, S. Jean-Pierre, ‘Sign Change Fault Attacks on Elliptic Curve Cryptosystems” Hardware Security and Trust, CE, SUT

  24. When that you think every thing is hidden and no one can see within , remember my friend , God can

More Related