Fault Attack on Elliptic Curve Montgomery Ladder Implementation

Fouque, Pierre-Alain; Lercier, Reynald; Réal, Denis; Valette, Frédéric

doi:10.1109/fdtc.2008.15

Cited by 67 publications

(53 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Superficially, E is what we would normally call twist-secure (in the sense of Bernstein [3] and Fouque-Réal-Lercier-Valette [13]), since its twist E has a similar security level. Indeed, E (and the whole class of curves from which it was drawn) was designed with this notion of twist-security in mind.…”

Section: The Curvementioning

confidence: 99%

“…We saw in §2 that DLPs on E and its twist E have essentially the same difficulty, while Proposition 3 shows that the real DLP instances presented to an adversary by 127-bit multiscalar multiplications are not biased into a significantly more attackable range. But there is an additional subtlety when we consider the fault attacks considered in [3] and [13]: If we try to compute [m]P for P on E, but an adversary sneaks in a point P on the twist E instead, then in the classical context the adversary can derive m after solving the discrete logarithm …”

Section: Theorem 1 Given An Integer M Let (A B) Be the Multiscalarmentioning

confidence: 99%

See 1 more Smart Citation

Faster Compact Diffie–Hellman: Endomorphisms on the x-line

Costello

Hışıl

Smith

2014

Advances in Cryptology – EUROCRYPT 2014

View full text Add to dashboard Cite

Abstract.We describe an implementation of fast elliptic curve scalar multiplication, optimized for Diffie-Hellman Key Exchange at the 128-bit security level. The algorithms are compact (using only x-coordinates), run in constant time with uniform execution patterns, and do not distinguish between the curve and its quadratic twist; they thus have a built-in measure of side-channel resistance. (For comparison, we also implement two faster but non-constant-time algorithms.) The core of our construction is a suite of two-dimensional differential addition chains driven by efficient endomorphism decompositions, built on curves selected from a family of Q-curve reductions over F p 2 with p = 2 127 − 1. We include state-of-the-art experimental results for twist-secure, constant-time, x-coordinate-only scalar multiplication.

show abstract

Section: The Curvementioning

confidence: 99%

Section: Theorem 1 Given An Integer M Let (A B) Be the Multiscalarmentioning

confidence: 99%

Faster Compact Diffie–Hellman: Endomorphisms on the x-line

Costello

Hışıl

Smith

2014

Advances in Cryptology – EUROCRYPT 2014

View full text Add to dashboard Cite

show abstract

“…Sign change fault attacks were also described against PBC [180]. In 2008, an attack tailored to the Montgomery ladder was presented [69]. The authors state that they can reveal the secret scalar with only one or two faults, even in the presence of countermeasures which aim at preventing fault attacks.…”

Section: Elliptic Curve Cryptographymentioning

confidence: 99%

Why cryptography should not rely on physical attack complexity

Krämer

2016

It - Information Technology

View full text Add to dashboard Cite

Ich versichere an Eides statt, dass ich diese Dissertation selbständig verfasst und nur die angegebenen Quellen und Hilfsmittel verwendet habe. Datum Für meine Eltern AbstractEver since the first side channel attacks and fault attacks on cryptographic devices were introduced in the mid-nineties, new possibilities of physical attacks have been consistently explored. The risk that these attacks pose is reduced by reacting to known attacks and by developing and implementing countermeasures against them. For physical attacks whose theory is known but which have not been conducted yet, however, the situation is different. Attacks whose physical realization is assumed to be very complex are taken less seriously. The trust that these attacks will not be realized due to their physical complexity means that no countermeasures are developed at all. This leads to unprotected devices once the assessment of the complexity turns out to be wrong.This thesis presents two practical physical attacks whose theory is known for several years. Since neither attack has previously been successfully implemented in practice, however, they were not considered a serious threat. Their physical attack complexity has been overestimated and the implied security threat has been underestimated. First, we introduce the photonic side channel, which offers not only temporal resolution, but also the highest possible spatial resolution. Due to the high cost of its first realization, it has not been taken seriously. We show both simple and differential photonic side channel analyses. Then, we present a fault attack against pairing-based cryptography. Due to the need for at least two independent precise faults in a single pairing computation, it has also not been taken seriously. We show how attackers can reveal the secret key of symmetric as well as asymmetric cryptographic algorithms based on these physical attacks. We present countermeasures on the software and the hardware level, which help to prevent these attacks in the future.Based on these two presented attacks, this thesis shows that the assessment of physical attack complexity is error-prone. Hence, cryptography should not rely on it. Cryptographic technologies have to be protected against all physical attacks, have they already been realized or not. The development of countermeasures does not require the successful execution of an attack but can already be carried out as soon as the principle of a side channel or a fault attack is understood.

show abstract

“…Another attack, directly targeted at the ECC structure, is described in [55], where the authors notice that a fault injected into the point coordinates during the scalar multiplication may move the point into a subgroup of the main group of curve points (called a twist of the curve), which has a smaller number of points. The authors show that their attack technique is able to successfully break curves standardized by both NIST [56] and IEEE [57] up to a security level equivalent to the one provided by the AES with a 128-bit key.…”

Section: Attacks On Eccmentioning

confidence: 99%

Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures

et al. 2012

View full text Add to dashboard Cite

Abstract-Implementations of cryptographic algorithms continue to proliferate in consumer products due to the increasing demand for secure transmission of confidential information. Although the current standard cryptographic algorithms proved to withstand exhaustive attacks, their hardware and software implementations have exhibited vulnerabilities to side channel attacks, e.g., power analysis and fault injection attacks. This paper focuses on fault injection attacks that have been shown to require inexpensive equipment and a short amount of time. The paper provides a comprehensive description of these attacks on cryptographic devices and the countermeasures that have been developed against them.After a brief review of the widely used cryptographic algorithms, we classify the currently known fault injection attacks into low cost ones (which a single attacker with a modest budget can mount) and high cost ones (requiring highly skilled attackers with a large budget). We then list the attacks that have been developed for the important and commonly used ciphers and indicate which ones have been successfully used in practice. The known countermeasures against the previously described fault injection attacks are then presented, including intrusion detection and fault detection. We conclude the survey with a discussion on the interaction between fault injection attacks (and the corresponding countermeasures) and power analysis attacks.

show abstract

Fault Attack on Elliptic Curve Montgomery Ladder Implementation

Cited by 67 publications

References 20 publications

Faster Compact Diffie–Hellman: Endomorphisms on the x-line

Faster Compact Diffie–Hellman: Endomorphisms on the x-line

Why cryptography should not rely on physical attack complexity

Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures

Contact Info

Product

Resources

About