$E : y^2 = x^3 + ax + b$, $a, b \in \mathbb{F}$.
Algorithm 3 Sign a Message
Require: Secret Key d, Message m, Public Key (E(F), P, n, Q)
Ensure: Signature [γ, δ]
1: Select k ∈ [1, ..., n − 1] randomly
2: Γ = k · P
3: γ = x_Γ mod n
4: if γ = 0 then
5:   go to first step
6: end if
7: δ = (H(m) + γd) · k^{−1} mod n
8: if δ = 0 then
9:   go to first step
10: end if
11: return [γ, δ]

Algorithm 4 Verify a Message
Require: Message m, Signature [γ, δ], Public Key (E(F), P, n, Q)
Ensure: Accept or Reject
1: if δ or γ ∉ [1, ..., n − 1] then
2:   return Reject
3: end if
4: w = δ^{−1} mod n
5: u1 = H(m) · w mod n
6: u2 = γ · w mod n
7: Ω = u1 · P + u2 · Q
8: if Ω ≠ O and γ = x_Ω mod n then
9:   return Accept
10: end if
11: return Reject

fault model to attack RSA implementations that use square and multiply algorithms. In this paper, we skip instructions to attack an ECDSA implementation which involves an ephemeral key. Hence, using an iterative approach as in [19] is not possible.

4 Fault Attack on ECDSA

As already mentioned, the calculation of an ECDSA signature involves an ephemeral key. For each signature, this key is chosen at random. Hence, as long as the attack does not target the random generator, the ephemeral key is never used twice¹. Thus, differential fault attacks, which make use of the difference between correct and faulty signatures, cannot be applied to ECDSA, since two calculations of a signature are always different².

However, if an adversary succeeds in determining parts of the ephemeral key for several signatures, the secret key can be calculated using lattice attacks [12, 16]. Tanja Römer and Jean-Pierre Seifert showed that for a 160 bit prime n and 12 known ephemeral key bits of 50 signatures the success probability is 99% [18].

Thus, an attack that determines a few bits of an ephemeral key from a signature suffices to retrieve the secret signature key. The attack is then repeated until enough pairs of signatures and partial ephemeral keys are known.

We induce a fault according to the model of Section 3 in the scalar multiplication that is performed during the signature calculation, as depicted in Line 2 of Algorithm 3. Hence, the injected fault and the analysis have to be adapted to the scalar multiplication algorithm that is used.

Consider a scalar multiplication with the left-to-right double and add algorithm. Assume that the $(t - i)$-th doubling was skipped. The result is denoted by $\Gamma_i$ and the corresponding correct output by $\Gamma$. The bits of the scalar after the skipped operation are written as $\tilde{k} = (k_i, \ldots, k_0)_2$. Doubling the erroneous computation gives

$$2\Gamma_i = 2\Big(\sum_{j=i+1}^{t} 2^{j-1} k_j + \sum_{j=0}^{i} 2^{j} k_j\Big) P$$

¹ its corresponding ephemeral key is known or from two signatures that use the same ephemeral key.
² Another strategy would be manipulating the random number generator. If some bits of the ephemeral key are set to a known value, a lattice attack can be applied. Naccache et al. demonstrated that for the Digital Signature Algorithm (DSA) [15]
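The relation derived above, checked on a constructed toy curve as an added example (this is not code from the paper): a left-to-right double-and-add in which one doubling is omitted, the identity $2\Gamma_i - \Gamma = \tilde{k}P$ for the low bits $\tilde{k}$, and the observation that the faulty result $\Gamma_i$ still satisfies the curve equation, so a data-path check alone cannot notice the skipped instruction. The curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with base point $(5, 1)$ of prime order 19, and all function names, are assumptions of the example rather than values from the paper.

```python
# Added example (not the paper's code): the skipped-doubling relation
# 2*Gamma_i - Gamma = k~ * P checked on a constructed toy curve.
# Assumed toy parameters (constructed, not from the paper):
# y^2 = x^3 + 2x + 2 over F_17, base point P = (5, 1) of prime order 19.
P_MOD, A, B, N = 17, 2, 2, 19
BASE = (5, 1)
INF = None                      # point at infinity


def ec_add(p1, p2):
    """Affine addition on the toy curve, covering O, doubling and inverses."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P_MOD)


def double_and_add(k, skip_bit=None):
    """Left-to-right double-and-add. With skip_bit=i the doubling of the
    iteration that processes bit k_i is omitted, which is the (t-i)-th
    doubling of the paper's fault model; the result is then Gamma_i."""
    acc = INF
    for j in range(k.bit_length() - 1, -1, -1):
        if j != skip_bit:
            acc = ec_add(acc, acc)
        if (k >> j) & 1:
            acc = ec_add(acc, BASE)
    return acc


def on_curve(pt):
    """Data-path check: does the point satisfy the curve equation?"""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def fault_relation_scalar(k, i):
    """Forms 2*Gamma_i - Gamma for a doubling skipped at bit i and looks the
    point up in a table of all c*P with c < 2^(i+1), the lookup table of the
    text. The relation predicts the entry k~ = k mod 2^(i+1)."""
    gamma = double_and_add(k)
    gamma_i = double_and_add(k, skip_bit=i)
    diff = ec_add(ec_add(gamma_i, gamma_i), ec_neg(gamma))
    table, acc = {}, INF
    for cand in range(1 << (i + 1)):
        table[acc] = cand           # acc equals cand * P at this point
        acc = ec_add(acc, BASE)
    return table.get(diff)
```

For $k = 11 = (1011)_2$ and $i = 2$ the faulty computation returns $7P$, and $2 \cdot 7P - 11P = 3P = (11 \bmod 8) P$, so the pair $(\Gamma_i, \Gamma)$ fixes the low three scalar bits. The point $7P$ is a valid curve point, which is why Section 5 moves the check from the data to the program flow.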
the inner instructions of the loop. Namely $R_{\bar{m}_i} = R_0 + R_1$ and $R_{m_i} = 2R_{m_i}$. Thus, one bit of the scalar is not processed at all. Using the same notation as above ($\tilde{k} = (k_i, \ldots, k_0)_2$), skipping the processing of $k_i$ results in

$$\Gamma_i = \Big(\sum_{j=i+1}^{t} 2^{j-1} k_j + \sum_{j=0}^{i-1} 2^{j} k_j\Big) P.$$

$$\Rightarrow\; 2\Gamma_i - \Gamma = (\tilde{k} - 2^{i+1} k_i) P. \qquad (3)$$

Unfortunately, a (faulty) ECDSA signature consists neither of $\Gamma_i$ nor of $\Gamma$. Thus, these values have to be computed from the signature. Let $[\gamma_i, \delta_i]$ denote a faulty signature that was calculated according to the ECDSA Algorithm 3, using $\Gamma_i$ instead of $\Gamma$ in line 2.

First, we show how to retrieve $\Gamma_i$ from the first part of the signature, $\gamma_i$. Second, the value $\Gamma$ is computed from $\delta_i$.

$\Gamma_i$ can be restored from the signature part $\gamma_i$, since $\Gamma_i$ is a point on the elliptic curve and $\gamma_i = x_{\Gamma_i} \bmod n$ holds. Since $\gamma_i$ may be reduced by $n$ during the calculation of the signature, there may exist more than one possibility for $\Gamma_i$. For each of these values, the curve equation is evaluated with $x_{\Gamma_i}$ as $x$-coordinate, resulting in two possible points on the curve for each $x_{\Gamma_i}$.

The point $\Gamma = kP$ that corresponds to the faulty $\Gamma_i$, i.e. uses the same ephemeral key $k$, cannot be calculated in this way. For determining it, the second part of the faulty signature

$$\delta_i = k^{-1} \cdot (H(m) + \gamma_i d) \bmod n$$

is exploited. Therefore, the computation of the verification step is used:

$$w_i = \delta_i^{-1} \bmod n = \frac{k}{H(m) + \gamma_i d} \bmod n$$
$$u_1 = H(m) \cdot w_i \bmod n = \frac{k \cdot H(m)}{H(m) + \gamma_i d} \bmod n$$
$$u_2 = \gamma_i \cdot w_i \bmod n = \frac{k \cdot \gamma_i}{H(m) + \gamma_i d} \bmod n$$
$$\Gamma = \Omega = u_1 P + u_2 Q = (u_1 + u_2 \cdot d) P = \Big(\frac{k \cdot (H(m) + \gamma_i d)}{H(m) + \gamma_i d} \bmod n\Big) P = kP.$$

Now, $2\Gamma_i - \Gamma$ from (2) for all possible values for $x_{\Gamma_i}$ can be calculated³. For the right $\Gamma_i$ this results in $\tilde{k}P$. As $\tilde{k}$ has a size of at most $i$ bits, a lookup table of all possible values can be created⁴. If the fault was injected in the intended way, the right $\tilde{k}$ can be found in the table. For an unsuccessful injection, as well as for a "wrong" $\Gamma_i$ restored from $\gamma_i$, no entry in the lookup table will be found with high probability.

After applying this attack on several signatures to reveal parts of their ephemeral key, the signature key $d$ can be derived by a lattice attack. As this attack does not make use of the $\Gamma = kP$ relation, the injected fault has no impact on it. Thus, 50 faulty signatures are sufficient for a 160 bit $n$ using the attack for determining 12 bits at once.

In order to counteract such attacks, not only the data path but also the program flow has to be protected. We present a way to secure both in the next section.

³ For an implementation that uses the Montgomery ladder, equation (3)
⁴ For reducing the size of the table, a baby-step giant-step algorithm

5 Protecting ECC Algorithms

Since every point of a group over an elliptic curve must fulfill the curve equation, the point tuple contains redundancy. This allows checking whether an adversary has tampered with the data during the computation of the device. However, it can only be checked whether the resulting point is still valid, i.e. if it is a point on the elliptic curve. An adversary that manages to skip instructions as in our model or to change the sign of an intermediate value as suggested in [6] remains undetected.

Our approach is presented as an extension of the projective Jacobian coordinates. We chose this coordinate representation, as it is used in modern implementations. This is because it is possible to compute addition and doubling of points without a field inversion in projective coordinate representations. Furthermore, such a point representation allows randomizing the base point to provide side-channel resistance. The countermeasure can protect ECC algorithms that use an arbitrary point representation.

Since the integrity of the points is provided by their natural redundancy, the focus of our countermeasure is protecting the program flow and preventing an adversary from changing the sign of an intermediate value without being detected. This countermeasure does not increase the size of the operands. This is important since already a small increase of the operands results in a significant decrease of the performance. Furthermore, no second calculation in another field is required.

In addition to the coordinates, the discrete logarithm $l$ of the point $Q = (X : Y : Z)$ with respect to the base point is part of the point, i.e. $Q = (X : Y : Z; l)$. In this way, the scalar is an integral part of the point and can be verified before the point (of course without the logarithm $l$) leaves the device. In order to keep $l$ correct, the operations have to incorporate $l$:

$$(X_1 : Y_1 : Z_1; l_1) + (X_2 : Y_2 : Z_2; l_2) = (X_3 : Y_3 : Z_3; l_1 + l_2)$$
$$2(X : Y : Z; l) = (X_3 : Y_3 : Z_3; 2l)$$
$$-(X : Y : Z; l) = (X : -Y : Z; -l).$$

Applying a scalar multiplication algorithm with $k$ to a point $P = (X_1, Y_1, Z_1, 1)$ results in a point $Q = (X_3, Y_3, Z_3, k)$ that includes the scalar whenever the computation was correct. In order to reduce the size of $l$, it is calculated modulo a prime $r$. Since the probability that a fault is not noticed is directly related to the size of $r$, its bit length is the security parameter of our countermeasure.

This method also protects against sign change attacks, presented in [6], as long as a non-signed representation of the coordinates is used. The chance to flip the sign of a value modulo $p$ with a modulus length of $m$ bits is $2^{-m}$. A dedicated functionality that inverts a coordinate can be redefined to invert $l$ at the same time. Hence, a sign change attack is detected. Furthermore, the addition and doubling formulas themselves must be protected against manipulations. It must be guaranteed that if the calculation is modified, either the result is not a valid curve point, or the check value $l$ is not correct. This can be achieved by including the logarithm value $l$ into the formulas in an atomic way. We propose a small modification of the standard add and double algorithms for Jacobian coordinates in Algorithm 5 and Algorithm 6. Line 5 of Algorithm 6 combines $l$ and the $Y_1$ coordinate using the Chinese remainder theorem (CRT), using the elliptic curve's field ($\mathbb{F}_p$) and the one used for $l$ ($\mathbb{F}_u$). The resulting element is doubled and afterwards the result is transferred into the previous variables and fields using a modular reduction. Thus, modifying the doubling in any way influences both the point coordinates and the check value $l$. In Algorithm 5 the same protection is guaranteed by Lines 18-19. The method can also be used for the inversion functionality. Since $\log_P(-Q) = -\log_P(Q)$, negating both variables at the same time is sufficient.

Algorithm 5 Secure Point Addition
Require: P = (X1 : Y1 : Z1; l1), Q = (X2 : Y2 : Z2; l2) in Jacobian coordinates on E(F) : y² = x³ − 3x + b
Ensure: P + Q = (X3 : Y3 : Z3; l3) in Jacobian coordinates
1: if Q = O then
2:   return (X1 : Y1 : Z1; l1)
3: end if
4: if P = O then
5:   return (X2 : Y2 : Z2; l2)
6: end if
7: T1 ← Z1²; T1′ ← Z2²; T2 ← T1 · Z1; T2′ ← T1′ · Z2; T1 ← T1 · X2; T2 ← T2 · Y2
8: T1′ ← T1′ · X1; T2′ ← T2′ · Y1; T1 ← T1 − T1′; T2 ← T2 − T2′
9: if T1 = 0 then
10:   if T2 = 0 then
11:     return (X3 : Y3 : Z3; l3) ← 2(X2 : Y2 : Z2; l2) using Algorithm 6
12:   else
13:     return O
14:   end if
15: end if
16: Z3 ← Z1 · T1; Z3 ← Z3 · Z2; T3 ← T1²; T4 ← T3 · T1; T3 ← T3 · X1
17: T1 ← 2T3; X3 ← T2²
18: X3 = CRT(X3, l1); T1 = CRT(T1, −l2); X3 ← X3 − T1
19: l3 ← X3 mod r; X3 ← X3 mod p
20: X3 ← X3 − T4; T3 ← T3 − X3; T3 ← T3 · T2; T4 ← T4 · Y1; Y3 ← T3 − T4
21: return (X3 : Y3 : Z3; l3)

Algorithm 6 Secure Point Doubling
Require: P = (X1 : Y1 : Z1; l1) in Jacobian coordinates on E(F) : y² = x³ − 3x + b
Ensure: 2P = (X3 : Y3 : Z3; 2l1) in Jacobian coordinates
1: if P = O then
2:   return O
3: end if
4: T1 ← Z1²; T2 ← X1 − T1; T1 ← X1 + T1; T2 ← T2 · T1; T2 ← 3T2
5: Y1 = CRT(Y1, l); Y3 ← 2Y1; l ← Y3 mod r; Y3 ← Y3 mod p
6: Z3 ← Y3 · Z1; Y3 ← Y3²; T3 ← Y3 · X1; Y3 ← Y3²; Y3 ← Y3/2; X3 ← T2²
7: T1 ← 2T3; X3 ← X3 − T1; T1 ← T3 − X3; T1 ← T1 · T2; Y3 ← T1 − Y3
8: return (X3 : Y3 : Z3; l)

Using these operations, it is ensured that an adversary that manipulates the computation either leaves the curve or produces a check value $l$ that differs from the intended scalar: If an adversary skips a whole operation, the $l$ value differs from the desired one. An adversary that manages to modify values during an operation ends up with a point that does not belong to the curve. Both cases can be detected easily after the computation. However, this check itself may also be a target for an adversary that can manipulate the program flow. To protect the checking procedure, Dottax et al. [9] proposed a multi-stage method.

In addition, storing the discrete logarithm of a point could pose a vulnerability to side channel analysis. In order to prevent such attacks, the check value can be blinded by a random mask.

Furthermore, the addition and doubling formulas can be modified to compute on the larger field $\mathbb{Z}^*_{pr}$. Thus, the check value $l$ is always part of the coordinates. In this way, the check value does not only secure the program flow but also the data path. This can be used if it is not possible to check whether the result fulfills the curve equation, e.g. for a Montgomery implementation that involves only the $X$ and $Z$ coordinates. For these cases, increasing the underlying field is more efficient than calculating the third coordinate for fault security purposes.

Table 1 summarizes the success probabilities of an adversary for different countermeasures. Note that Baek et al.'s countermeasure does not protect the program flow. However, the security of the program flow is connected to sign change faults: If a functionality that inverts points is used for the manipulation, as suggested in [6], the result is a valid curve point with an inverted sign. In this case, sign change faults cannot be detected unless the program flow is checked.

Table 1. Probability that a fault remains undetected for different countermeasures. The bit length of the security parameter is denoted by |r|.

We compared the performance of our approach⁶ to the countermeasures proposed by Blömer et al. [6] and the one of Baek and Vasyltsov [1]. The overhead of the different solutions in relation to an unprotected Montgomery ladder implementation using Jacobian coordinates is depicted in Table 2 for a security factor of 60 bits. Table 3 shows the overhead compared to an unprotected double and add algorithm using mixed Jacobian coordinates with a security parameter of 30 bits. All runtime figures are derived from the number of single precision multiplications performed during the algorithm.

Bits   Ours   Blömer et al.   Baek et al.
192    36%    82%             148%
224    35%    68%             130%
256    35%    58%             116%
384    33%    36%              86%
521    32%    26%              72%

Table 2. Overhead compared to a bare Montgomery ladder algorithm using Jacobian coordinates with a security parameter of 60 bits.

Bits   Ours   Blömer et al.   Baek et al.
192    33%    36%              95%
224    32%    30%              85%
256    32%    26%              78%
384    31%    17%              63%
521    30%    12%              55%

Table 3. Overhead compared to an unprotected double and add algorithm using mixed Jacobian coordinates with a security parameter of 30 bits.

The figures show that our countermeasure has a rather constant overhead percentage (36% for the NIST curve P-192 and 32% for the 521-bit curve). This is because we trade expanding the algebra for additional multiplications and reductions. A lower bound for the overhead is 29%. Blömer et al.'s countermeasure has an overhead that basically converges to 0, since the number of multiplications is not changed. However, for standardized curves it has an overhead between 82% and 26%. The overhead of Baek et al.'s countermeasure increases the number of operations and enlarges the used algebra. This results in a runtime overhead between 148% and 72%.

Our countermeasure is rather independent of the size of the security factor. Therefore, it performs well for curves commonly used in embedded devices and smart cards where the added bits are not negligible.

⁵ The reduction by 10 is due to the findings of Joye [14].
⁶ For performance reasons we do not save l, but CRT(0,l). After any computation which results in CRT(x,l), x is extracted. Afterwards, CRT(x,0) is subtracted from the result. This saves a reduction for each manipulation of l.

6 Conclusion

In this paper, we presented a new attack on ECDSA, which is based on the possibility to skip instructions. It uses the erroneous result to determine enough bits of the ephemeral key to launch a lattice attack. We considered implementations that make use of the double and add algorithm or the Montgomery ladder; other algorithms, like fixed-base windowing methods, are a topic of further research.

We propose a countermeasure to protect against such attacks. It implicitly encodes the discrete logarithm in the point representation. Hence, a manipulation of the computation is detected. Thus, only a correct result, of course after removing the check value, leaves the device.
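The check value of Section 5, implemented on a constructed toy curve as an added example (this is not the paper's code): Jacobian addition and doubling carry $l$ and couple it to a coordinate through the CRT at the same step as line 5 of Algorithm 6 and lines 18-19 of Algorithm 5, and a scalar multiplication compares $l$ with the intended scalar modulo $r$ before the point is released. The toy curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ (so the doubling uses $M = 3X^2 + aZ^4$ rather than the $a = -3$ shortcut of Algorithm 6), the base point $(5, 1)$ of order 19, the check prime $r = 61$ and all function names are assumptions of the example, not values from the paper.

```python
# Added example (not the paper's code): Jacobian point arithmetic carrying the
# paper's check value l, coupled to a coordinate through the Chinese remainder
# theorem as in line 5 of Algorithm 6 and lines 18-19 of Algorithm 5.
# Assumed toy parameters (constructed, not from the paper):
# curve y^2 = x^3 + 2x + 2 over F_17, base point G = (5, 1) of prime order 19,
# check-value prime r = 61 (the security parameter is its bit length).
P_MOD, A, B = 17, 2, 2
R_MOD = 61
G = (5, 1)
INF = (1, 1, 0, 0)          # point at infinity: Z = 0, check value l = 0


def crt(x, l):
    """Element of Z_{p*r} that is x mod p and l mod r (pow(p, -1, r) needs Python 3.8+)."""
    t = ((l - x) * pow(P_MOD, -1, R_MOD)) % R_MOD
    return (x % P_MOD) + P_MOD * t


def is_inf(pt):
    return pt[2] == 0


def secure_double(pt):
    """2(X:Y:Z;l) = (X3:Y3:Z3;2l). Algorithm 6 assumes a = -3; this toy curve
    uses the general M = 3X^2 + aZ^4 instead. Y1 and l are doubled together."""
    if is_inf(pt):
        return INF
    x1, y1, z1, l = pt
    p = P_MOD
    m = (3 * x1 * x1 + A * pow(z1, 4, p)) % p
    v = 2 * crt(y1, l)            # line 5: double in Z_{p*r}, then split again
    l3 = v % R_MOD                # 2l mod r
    y2 = v % p                    # 2*Y1 mod p
    z3 = (y2 * z1) % p            # Z3 = 2 Y1 Z1
    y2sq = (y2 * y2) % p          # 4 Y1^2
    s = (y2sq * x1) % p           # S = 4 X1 Y1^2
    y4h = (y2sq * y2sq * pow(2, -1, p)) % p   # 8 Y1^4
    x3 = (m * m - 2 * s) % p
    y3 = (m * (s - x3) - y4h) % p
    return (x3, y3, z3, l3)


def secure_add(p1, p2):
    """(..;l1) + (..;l2) = (..;l1 + l2): standard Jacobian addition with the
    X3 = R^2 - 2 U1 H^2 step carried out in Z_{p*r}, so l3 = l1 - (-l2)."""
    if is_inf(p2):
        return p1
    if is_inf(p1):
        return p2
    x1, y1, z1, l1 = p1
    x2, y2, z2, l2 = p2
    p = P_MOD
    z1s, z2s = (z1 * z1) % p, (z2 * z2) % p
    u1, u2 = (x1 * z2s) % p, (x2 * z1s) % p
    s1, s2 = (y1 * z2s * z2) % p, (y2 * z1s * z1) % p
    h, rr = (u2 - u1) % p, (s2 - s1) % p
    if h == 0:
        return secure_double(p2) if rr == 0 else INF
    h2 = (h * h) % p
    h3 = (h2 * h) % p
    u1h2 = (u1 * h2) % p
    v = crt((rr * rr) % p, l1) - crt((2 * u1h2) % p, (-l2) % R_MOD)   # lines 18-19
    l3 = v % R_MOD
    x3 = (v % p - h3) % p
    y3 = (rr * (u1h2 - x3) - s1 * h3) % p
    z3 = (z1 * z2 * h) % p
    return (x3, y3, z3, l3)


def scalar_mult(k, skip_doubling_at=None):
    """Left-to-right double-and-add starting from G = (5:1:1;1).
    skip_doubling_at=j (constructed fault) omits the doubling in the iteration
    that processes bit j, the instruction-skip fault of the paper's model."""
    acc = INF
    base = (G[0], G[1], 1, 1)     # the base point has logarithm 1
    for j in range(k.bit_length() - 1, -1, -1):
        if j != skip_doubling_at:
            acc = secure_double(acc)
        if (k >> j) & 1:
            acc = secure_add(acc, base)
    return acc


def to_affine(pt):
    if is_inf(pt):
        return None
    x, y, z, _ = pt
    zi = pow(z, -1, P_MOD)
    return ((x * zi * zi) % P_MOD, (y * zi * zi * zi) % P_MOD)


def on_curve(xy):
    x, y = xy
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def verify_result(pt, k):
    """Checks before the point leaves the device: curve membership (data path)
    and the check value against the intended scalar (program flow)."""
    xy = to_affine(pt)
    return xy is not None and on_curve(xy) and pt[3] == k % R_MOD
```

Skipping the last doubling of $4 \cdot G$ returns the point $2G$, which passes the curve-membership check, but carries $l = 2$ instead of $4$, so the comparison of $l$ with $k \bmod r$ fails. This is the program-flow detection the section describes; a data fault inside an operation would instead leave the curve and fail the first check.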
Acknowledgements

The work described in this paper has been supported through Austrian Government funded project ARTEUS established under the Trust in IT Systems program FIT-IT.

The final version of this paper will be published in the proceedings of WISTP 2009.

References

[1] Y.-J. Baek and I. Vasyltsov. How to Prevent DPA and Fault Attack in a Unified Way for ECC Scalar Multiplication - Ring Extension Method. In E. Dawson and D. S. Wong, editors, Information Security Practice and Experience, Third International Conference, ISPEC 2007, Hong Kong, China, May 7-9, 2007, Proceedings, volume 4464 of Lecture Notes in Computer Science, pages 225–237. Springer, May 2007.
[2] H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, and C.  Whelan. The Sorcerer's Apprentice Guide to Fault Attacks. Cryptology ePrint Archive (http://eprint.iacr.org/), Report 2004/100, 2004.
[3] I. Biehl, B. Meyer, and V. Müller. Differential Fault Attacks on Elliptic Curve Cryptosystems. In M. Bellare, editor, Advances in Cryptology - CRYPTO 2000, 20th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 2000, Proceedings, volume 1880 of Lecture Notes in Computer Science, pages 131–146. Springer, 2000.
[4] E. Biham and A. Shamir. Differential Fault Analysis of Secret Key Cryptosystems. In B. S. K. Jr., editor, Advances in Cryptology - CRYPTO '97, 17th Annual International Cryptology Conference, Santa Barbara, California, USA, August 17-21, 1997, Proceedings, volume 1294 of Lecture Notes in Computer Science, pages 513–525. Springer, 1997.
[5] I. F. Blake, G. Seroussi, and N. P. Smart. Elliptic Curves in Cryptography, volume 265 of London Mathematical Society Lecture Notes Series. Cambridge University Press, Cambridge, UK, 1999.
[6] J. Blömer, M. Otto, and J.-P. Seifert. Sign Change Fault Attacks on Elliptic Curve Cryptosystems. In L. Breveglieri, I. Koren, D. Naccache, and J.-P. Seifert, editors, Fault Diagnosis and Tolerance in Cryptography, Third International Workshop, FDTC 2006, Yokohama, Japan, October 10, 2006, Proceedings, volume 4236 of Lecture Notes in Computer Science, pages 36–52. Springer, October 2006.
[7] D. Boneh, R. A. DeMillo, and R. J. Lipton. On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract). In W. Fumy, editor, Advances in Cryptology - EUROCRYPT '97, International Conference on the Theory and Application of Cryptographic Techniques, Konstanz, Germany, May 11-15, 1997, Proceedings, volume 1233 of Lecture Notes in Computer Science, pages 37–51. Springer, 1997.
[8] M. Ciet and M. Joye. Elliptic Curve Cryptosystems in the Presence of Permanent and Transient Faults. Des. Codes Cryptography, 36(1):33–43, 2005. Available online at http://eprint.iacr.org/2003/028.pdf.
[9] E. Dottax, C. Giraud, M. Rivain, and Y. Sierra. On Second-Order Fault Analysis Resistance for CRT-RSA Implementations. Cryptology ePrint Archive, Report 2009/024, 2009.
[10] P. Dusart, G. Letourneux, and O. Vivolo. Differential Fault Analysis on A.E.S. In J. Zhou, M. Yung, and Y. Han, editors, Applied Cryptography and Network Security, First International Conference, ACNS 2003, Kunming, China, October 16-19, 2003, Proceedings, volume 2846 of Lecture Notes in Computer Science, pages 293–306. Springer, October 2003.
[11] D. Hankerson, A. J. Menezes, and S. Vanstone. Guide to Elliptic Curve Cryptography. Springer, Berlin, Germany / Heidelberg, Germany / London, UK / etc., 2004.
[12] N. Howgrave-Graham and N. P. Smart. Lattice Attacks on Digital Signature Schemes. Designs, Codes and Cryptography, 23(3):283–290, August 2001. ISSN 0925-1022.
[13] D. B. Johnson, A. J. Menezes, and S. Vanstone. The Elliptic Curve Digital Signature Algorithm (ECDSA). International Journal of Information Security, 1(1):36–63, August 2001.
[14] M. Joye. On the Security of a Unified Countermeasure. In Fault Diagnosis and Tolerance in Cryptography, Workshop on, volume 5, pages 87–91, Los Alamitos, CA, USA, 2008. IEEE Computer Society.
[15] D. Naccache, P. Q. Nguyen, M. Tunstall, and C. Whelan. Experimenting with Faults, Lattices and the DSA. In S. Vaudenay, editor, Public Key Cryptography - PKC 2005, 8th International Workshop on Theory and Practice in Public Key Cryptography, Les Diablerets, Switzerland, January 23-26, 2005, Proceedings, volume 3386 of Lecture Notes in Computer Science, pages 16–28. Springer, January 2005.
[16] P. Q. Nguyen and I. E. Shparlinski. The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces. Designs, Codes and Cryptography, 30(2):201–217, September 2003. ISSN 0925-1022.
[17] J.-J. Quisquater and D. Samyde. Eddy Current for Magnetic Analysis with Active Sensor. In Proceedings of Esmart, pages 185–194, 2002.
[18] T. Römer and J.-P. Seifert. Information Leakage Attacks against Smart Card Implementations of the Elliptic Curve Digital Signature Algorithm. In I. Attali and T. P. Jensen, editors, Smart Card Programming and Security, International Conference on Research in Smart Cards, E-smart 2001, Cannes, France, September 19-21, 2001, Proceedings, volume 2140 of Lecture Notes in Computer Science, pages 211–219. Springer, 2001.
[19] J.-M. Schmidt and C. Herbst. A Practical Fault Attack on Square and Multiply. In Fault Diagnosis and Tolerance in Cryptography, Third International Workshop, FDTC 2008, Washington DC, USA, August 10, 2008, Proceedings. IEEE-CS Press, August 2008.
[20] S. P. Skorobogatov and R. J. Anderson. Optical Fault Induction Attacks. In B. S. K. Jr., Çetin Kaya Koç, and C. Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2002, 4th International Workshop, Redwood Shores, CA, USA, August 13-15, 2002, Revised Papers, volume 2523 of Lecture Notes in Computer Science, pages 2–12. Springer, 2003.