In The Name of Allah
Fault attacks on ECC
Fereshte Mozafari, Arezoo Dabaghi

FLOW
- Introduction
- Fault attacks
- Differential fault attack & its countermeasure
- Sign change fault attack & its countermeasure
- References

Hardware Security and Trust, CE, SUT

Introduction
- An elliptic curve (EC) over $F_p$ ($p > 3$) satisfies: $y^2 = x^3 + ax + b \pmod p$
- In cryptosystems based on EC, a crucial computation is the scalar multiplication of a public base point P with a secret scalar factor k: $Q = kP$
- Attacks aim to recover the value of k.

Fault Attacks
- Differential Fault Attack (DFA)
- Sign Change Fault Attack (SCFA)
- M Safe-Error Analysis
- C Safe-Error Analysis
- Invalid Curve Analysis
- Invalid Point Analysis

Differential fault attack (0)
[Figure: scalar multiplication block with inputs P, , p and output Q = k.P]

Differential fault attack (1)
Preliminaries
- If a fault is enforced randomly in a register, then the secret key can be recovered in expected polynomial time.
- binary length of n is k
- value stored in variable Q before iteration i

Differential fault attack (2)
Method
1. Run ECSM once and collect the correct result ().
2. Enforce a register fault in a register holding the variable Q, in iteration n-m < j < n.
[Figure: iteration axis (0 to n-1) with the faulty value $Q'_j$ marked at iteration j]

Differential fault attack (3)
3. Find the index of the first iteration j' with j' > j and =1
[Figure: iteration axis (0 to n-1) with iterations j and j' marked and the value $Q'_{j'}$ at j']

Differential fault attack (4)
4. Find a candidate for the disturbed Q-value:
   1. Check each i with n-m < i < n as a candidate for j'.
   2. x = as candidate for the n-i most significant bits of k
[Figure: iteration axis (0 to n-1) with j, j' = i and x marked]

Differential fault attack (4)
4. Find a candidate for the disturbed Q-value
[Figure: iteration axis (0 to n-1) with j and j' = i marked; label 𝑄′𝑥𝑖 = 𝑄′𝑗′]
. .P)’
= - . .P

Differential fault attack (5)
5. For each choice of x and i we consider all disturbed Q-values () with can derive from by flipping one bit.
6. calculate by :

Differential fault attack (6)
7. if is identical by of device
i as a candidate for j’ as a candidate for binary representation of x as a candidate for upper n-j’ of k

Countermeasure for DFA
- Intermediate results ($Q_i$, $H_i$) should be regularly checked.
- Randomize the scalar k.

SCFA on ECC (1)
- Over NAF-based left-to-right doubling algorithm

SCFA on ECC (2)
- Basic idea: recover the bits of k in pieces of 1 ≤ r ≤ m bits.
- An SCF changes the sign of the y-coordinate of an attacked point.
[Figure labels: Q, Qf]

SCFA on ECC (3)
- The only unknown part is $L_i(k)$.
- This allows recovering the bits of k starting from the LSB.
+ -

Injection of SCF on $Q_i'$ (1)
Input: access to Algorithm 1; n, the length of the private key; k > 0 in NAF; Q = kP; m, a parameter for the acceptable amount of offline work
Output: k with probability at least 1/2
# Step 1: Collect faulty outputs
Collect the set S by inducing an SCF on $Q_i'$

Injection of SCF on $Q_i'$ (2)
# Step 2: Inductive retrieval of secret key bits
1. Set s := -1
2. While (s < n-1) do
3. Set
4. For all lengths of r = 1, 2, …, m do
5. For all valid NAF-patterns $x = (x_{s+1}, x_{s+2}, \ldots, x_{s+r})$ do
Annotations on the slide:
- s+1 LSBs of k are known
- Compute known LSB part
- Try all possible bit patterns with length r

Injection of SCF on $Q_i'$ (3)
6. Set
7. For all do
8. If then
9. conclude $k_{s+1} = x_{s+1}, k_{s+2} = x_{s+2}, \ldots, k_{s+r} = x_{s+r}$, set s := s + r
Annotations on the slide:
- Compute test candidate $T_x$
- Verify $T_x$

Injection of SCF on $Q_i'$ (4)
10. If no test candidate satisfies the verification step, then assume that $k_{s+1} = 0$, set s := s + 1
11. continue at Line 2
12. Verify Q = kP. If this fails then output "failure"
13. Output "k"

Countermeasure for SCFA (1)
- Uses a second elliptic curve whose order is a small prime number (t) to verify the final results
- $E = E_p := E(F_p)$
- $E_t := E(F_t)$
- $E_{pt}$ is defined with parameters $A_{pt}$ and $B_{pt}$:
  - $A_{pt} \equiv A_p \bmod p$, $A_{pt} \equiv A_t \bmod t$
  - $B_{pt} \equiv B_p \bmod p$, $B_{pt} \equiv B_t \bmod t$
- $Q_{pt} = k P_{pt}$

Countermeasure for SCFA (2)
- Attacks in Line 4 cannot yield a faulty output
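
The check described on the two countermeasure slides, as an added Python example that is not part of the original slides: the scalar multiplication runs on the combined curve E_pt, and the result is released only if its reduction mod t equals k·P_t computed separately on E_t. The curves, base points, the scalar and the `flip_after` fault simulation are constructed toy assumptions; note that a sign-flipped point still lies on the curve, so a point-on-curve check alone does not catch it.

```python
# Constructed toy parameters (far too small for real use):
#   E_p: y^2 = x^3 + 2x + 2 over F_17, base point (5, 1) of prime order 19
#   E_t: y^2 = x^3 +  x + 1 over F_7,  base point (2, 2) of prime order 5
p, Ap, Bp, Pp = 17, 2, 2, (5, 1)
t, At, Bt, Pt = 7, 1, 1, (2, 2)

def crt(rp, rt):
    """Return x in [0, p*t) with x = rp (mod p) and x = rt (mod t)."""
    return (rp + p * ((rt - rp) * pow(p, -1, t) % t)) % (p * t)

# Combined curve E_pt and base point P_pt over Z_pt, built as on the slide.
Apt, Bpt = crt(Ap, At), crt(Bp, Bt)
Ppt = (crt(Pp[0], Pt[0]), crt(Pp[1], Pt[1]))

def add(P, Q, a, n):
    """Affine point addition/doubling modulo n (None = point at infinity)."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % n == 0:
        return None
    num, den = (3 * x1 * x1 + a, 2 * y1) if P == Q else (y2 - y1, x2 - x1)
    s = num * pow(den % n, -1, n) % n  # the toy scalar keeps den invertible mod p*t
    x3 = (s * s - x1 - x2) % n
    return (x3, (s * (x1 - x3) - y1) % n)

def mul(k, P, a, n, flip_after=None):
    """Left-to-right double-and-add; flip_after=i simulates a sign change
    fault (y -> -y) on the accumulator Q after iteration i."""
    Q = P
    for i, bit in enumerate(bin(k)[3:], start=1):
        Q = add(Q, Q, a, n)
        if bit == "1":
            Q = add(Q, P, a, n)
        if i == flip_after and Q is not None:
            Q = (Q[0], -Q[1] % n)
    return Q

def on_curve(P, a, b, n):
    return (P[1] ** 2 - P[0] ** 3 - a * P[0] - b) % n == 0

def protected_mul(k, flip_after=None):
    """Compute k*P on E_pt, then release the result mod p only if its
    reduction mod t equals k*P_t computed independently on E_t."""
    Qpt = mul(k, Ppt, Apt, p * t, flip_after)
    Qt = mul(k, Pt, At, t)
    if Qpt is None or Qt is None or (Qpt[0] % t, Qpt[1] % t) != Qt:
        return None  # mismatch: suppress the (faulty) output
    return (Qpt[0] % p, Qpt[1] % p)
```

With k = 13, the fault-free run returns (16, 4), while the run with the simulated flip is suppressed even though its raw result (13, 7) is a valid point of E_p. With an E_t of order 5, roughly one faulty run in five would still pass the comparison, so t has to be large enough to make that chance negligible.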

References
1. J. Blömer, M. Otto, J. Seifert, "Sign Change Fault Attacks On Elliptic Curve Cryptosystems," Fault Diagnosis and Tolerance in Cryptography, pp. 36-52, 2006.
2. J. Fan, I. Verbauwhede, "An Updated Survey on Secure ECC Implementations: Attacks, Countermeasures and Cost," Cryptography and Security, pp. 265-282, 2012.
3. J. Fan, X. Guo, E. Mulder, "State-of-the-art of secure ECC implementations: a survey on known side-channel attacks and countermeasures," International Symposium on Hardware-Oriented Security and Trust, pp. 165-171, 2010.
4. I. Biehl, B. Meyer, V. Müller, "Differential Fault Attacks on Elliptic Curve Cryptosystems," Advance in Cryptography, pp. 131-141, 2000.
5. B. Johannes, O. Martin, S. Jean-Pierre, "Sign Change Fault Attacks on Elliptic Curve Cryptosystems"

When you think everything is hidden and no one can see within, remember, my friend, God can.