Abstract
Fault injection attacks are a real-world threat to cryptosystems, in particular asymmetric cryptography. In this paper, we focus on countermeasures which guarantee the integrity of the computation result, hence covering most existing and future fault attacks. Namely, we study the modular extension protection scheme in previously existing and newly contributed variants of the countermeasure on elliptic curve scalar multiplication (ECSM) algorithms. We find that an existing countermeasure is incorrect and we propose a new “test-free” variant of the modular extension scheme that fixes it. We then formally prove the correctness and security of modular extension: specifically, the fault non-detection probability is inversely proportional to the security parameter. Finally, we implement an ECSM protected with test-free modular extension during the elliptic curve operation to evaluate the efficiency of this method on Edwards and twisted Edwards curves.
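The abstract describes the modular extension scheme only at a high level. The following Python program, added here as an illustration and not taken from the paper or its implementation, shows the classical checked form of the scheme on an Edwards curve: the scalar multiplication runs in the ring Z/(p·r) with inversion-free projective formulas, a cheap redundant copy runs in Z/r, and the two are compared modulo r before the result is reduced modulo p. The curve (p = 2^61 − 1, a = 1, d chosen as the smallest non-square), the 31-bit prime r, the base point found by trial, and the fault model (an additive error on an intermediate X coordinate) are all constructed for this example. The example goes one step beyond the abstract by showing why the non-detection probability is about 1/r: an error escapes the check exactly when it is a multiple of r.

```python
"""Modular extension for an Edwards-curve scalar multiplication (ECSM).

Arithmetic is done in the ring Z/(p*r) instead of the field Z/p.  By the
Chinese remainder theorem the result reduced mod p is the ordinary ECSM
result, while the result reduced mod r must equal a cheap redundant ECSM
performed directly mod r.  A fault whose error term is not a multiple of r
breaks that equality, so roughly one error in r escapes the check.
"""

# Constructed toy parameters for this example (not the paper's):
# p = 2^61 - 1 is prime and p = 3 (mod 4), so sqrt(v) = v^((p+1)/4) mod p.
P_MOD = (1 << 61) - 1
R_MOD = (1 << 31) - 1   # security parameter r: a 31-bit prime
A_COEF = 1              # curve a*x^2 + y^2 = 1 + d*x^2*y^2 with a = 1


def is_square(v, p):
    return v % p == 0 or pow(v, (p - 1) // 2, p) == 1


def pick_d(p):
    """Smallest d > 1 that is a non-square mod p: with a = 1 (a square) the
    Edwards addition law is complete, so no intermediate Z is 0 mod p."""
    d = 2
    while is_square(d, p):
        d += 1
    return d


def find_point(p, a, d):
    """Find an affine point by trying small x and solving y^2 = (1-a*x^2)/(1-d*x^2)."""
    for x in range(2, 1000):
        v = (1 - a * x * x) * pow(1 - d * x * x, -1, p) % p
        if is_square(v, p):
            y = pow(v, (p + 1) // 4, p)
            assert (a * x * x + y * y - 1 - d * x * x * y * y) % p == 0
            return (x, y)
    raise ValueError("no point found")


def ed_add(P1, P2, a, d, m):
    """Unified projective twisted-Edwards addition (EFD 'add-2008-bbjlp') in Z/m.
    No inversion is needed, so the formulas stay valid in the ring Z/(p*r)."""
    X1, Y1, Z1 = P1
    X2, Y2, Z2 = P2
    A = Z1 * Z2 % m
    B = A * A % m
    C = X1 * X2 % m
    D = Y1 * Y2 % m
    E = d * C * D % m
    F = (B - E) % m
    G = (B + E) % m
    X3 = A * F * ((X1 + Y1) * (X2 + Y2) - C - D) % m
    Y3 = A * G * (D - a * C) % m
    Z3 = F * G % m
    return (X3, Y3, Z3)


def ecsm(k, P, a, d, m, fault=None):
    """Left-to-right double-and-add of k*P in Z/m.
    fault=(step, error) adds `error` to the X coordinate after that step,
    simulating a corrupted intermediate value (constructed fault model)."""
    Q = (0, 1, 1)                       # neutral element (0 : 1 : 1)
    Pp = (P[0], P[1], 1)
    for step, bit in enumerate(bin(k)[2:]):
        Q = ed_add(Q, Q, a, d, m)
        if bit == "1":
            Q = ed_add(Q, Pp, a, d, m)
        if fault is not None and fault[0] == step:
            Q = ((Q[0] + fault[1]) % m, Q[1], Q[2])
    return Q


def to_affine(Q, p):
    inv = pow(Q[2] % p, -1, p)
    return (Q[0] * inv % p, Q[1] * inv % p)


def protected_ecsm(k, P, a, d, p, r, fault=None):
    """Modular extension with an explicit check.  Returns (result mod p, ok);
    the caller must discard the result whenever ok is False."""
    Q_pr = ecsm(k, P, a, d, p * r, fault)     # main computation in Z/(p*r)
    Q_r = ecsm(k, P, a % r, d % r, r)         # redundant computation in Z/r
    ok = all(c % r == cr for c, cr in zip(Q_pr, Q_r))
    return tuple(c % p for c in Q_pr), ok


D_COEF = pick_d(P_MOD)
BASE = find_point(P_MOD, A_COEF, D_COEF)


def demo(k=123456789):
    """Unfaulted run, a detected fault, and an undetected fault (error = r)."""
    last = k.bit_length() - 1
    good = to_affine(ecsm(k, BASE, A_COEF, D_COEF, P_MOD), P_MOD)
    res, ok = protected_ecsm(k, BASE, A_COEF, D_COEF, P_MOD, R_MOD)
    print("no fault     :", ok, to_affine(res, P_MOD) == good)
    _, ok = protected_ecsm(k, BASE, A_COEF, D_COEF, P_MOD, R_MOD, (last, 1))
    print("error 1      : detected =", not ok)
    res, ok = protected_ecsm(k, BASE, A_COEF, D_COEF, P_MOD, R_MOD, (last, R_MOD))
    print("error r      : detected =", not ok, "result wrong =", to_affine(res, P_MOD) != good)


if __name__ == "__main__":
    demo()
```

The redundant computation mod r follows exactly the same sequence of ring operations as the main one, which is what makes the coordinate-wise comparison valid: reducing the Z/(p·r) computation modulo r is a ring homomorphism, so the two traces agree unless a fault disturbed one of them. The abstract's test-free variant removes the explicit comparison and branch kept here; this example is the checked form only.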
Notes
Note that this study does not take correlated faults into account.
Actually, there is in \(\lambda \) only one factor larger than p, of length \(\approx 900\) bits, hence of no practical use—it is indeed more efficient to perform the computation several times or to verify the signature.
Cite this article
Dugardin, M., Guilley, S., Moreau, M. et al. Using modular extension to provably protect Edwards curves against fault attacks. J Cryptogr Eng 7, 321–330 (2017). https://doi.org/10.1007/s13389-017-0167-4