The Carry Leakage on the Randomized Exponent Countermeasure

Implementations of cryptographic primitives are vulnerable to physical attacks. While the adversary only needs to succeed in one out of many attack methods, the designers have to consider all the known attacks, whenever applicable to their system, simultaneously. Thus, keeping an organized, complete and up-to-date table of physical attacks and countermeasures is of paramount importance to system designers.This paper summarizes known physical attacks and countermeasures on Elliptic Curve Cryptosystems. Instead of repeating the details of different attacks, we focus on a systematic way of organizing and understanding known attacks and countermeasures. Three principles of selecting countermeasures to thwart multiple attacks are given. This paper can be used as a road map for countermeasure selection in a first design iteration.

show abstract

“…The carry-based attack [4], reported by Fouque et al, does not attack the scalar multiplication itself but its countermeasures.…”

Section: F Carry-based Attackmentioning

confidence: 97%

“…This paper, however, differs from previous work in at least three aspects. Firstly, it includes recently reported attacks such as carry-based attack [4]. Secondly, we focus on the interaction of known attacks and countermeasures in a systematic way.…”

Section: Introductionmentioning

confidence: 99%

State-of-the-art of secure ECC implementations: a survey on known side-channel attacks and countermeasures

Fan

Guo

Mulder

et al. 2010

2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST)

124

View full text Add to dashboard Cite

show abstract

“…The matching phase comprises the actual attack. Another attack is the Carry-based Attack (CBA) [17]; it does not attack the ECSM itself but its countermeasures. The CBA depends on the carry propagation occurring when long-integer additions are performed as repeated sub-word additions.…”

Section: B Differential Power Analysis Attack (Dpaa)mentioning

confidence: 99%

Power Analysis Attacks on ECC: A Major Security Threat

Houssain¹,

Badra²,

Al-Somani³

2012

IJACSA

View full text Add to dashboard Cite

Abstract-Wireless sensor networks (WSNs) are largely deployed in different sectors and applications, and Elliptic Curve Cryptography (ECC) is proven to be the most feasible PKC for WSN security. ECC is believed to provide same level of security such as RSA with a much shorter key length, and thus they seem to be ideal for applications with small resources such a sensor network, smartcard, RFID, etc. However, like any other cryptographic primitive, ECC implementations are vulnerable to Power Analysis Attacks (PAAs) that may reveal the secret keys by exploiting leaked power consumption from running cryptographic devices (e.g. smart cards, mobile phones etc.). In this paper, we present a comprehensive study of major PAAs and its countermeasures on ECC cryptosystems. In addition, this paper describes critical concerns to be considered in designing PAAs on ECC particular for WSNs, and illustrates the need to conduct, in the near future, intensive researches for the development of these specific PAAs.

show abstract

“…Instead of exploiting the physical leakage due to the execution of a modular exponentiation, like in previous attacks, P.-A. Fouque et al proposed at CHES 2008 [9] to focus on the leakage induced by the computation of the random exponent itself. Since the secret exponent and the blinding part are cut into words, spying on the carries of the adder may reveal information that is used to guess the most significant bits of each word of the secret key.…”

Section: Introductionmentioning

confidence: 99%

Public Key Perturbation of Randomized RSA Implementations

Berzati

Dumas

Goubin

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Among all countermeasures that have been proposed to thwart side-channel attacks against RSA implementations, the exponent randomization method -also known as exponent blinding -has been very early suggested by P. Kocher in 1996, and formalized by J.-S. Coron at CHES 1999. Although it has been used for a long time, some authors pointed out the fact that it does not intrinsically remove all sources of leakage. At CHES 2003, P.-A. Fouque and F. Valette devised the socalled "Doubling Attack" that can recover the blinded secret exponent from an SPA analysis. In this paper, we consider the case of fault injections. Although it was conjectured by A. Berzati et al. at CT-RSA 2009 that exponent randomization avoids fault attacks, we describe here how to recover the RSA private key under a practical fault model. Our attack belongs to the family of public key perturbations and is the first fault attack against RSA implementations with the exponent randomization countermeasure. In practice, for a 1024-bit RSA signature algorithms, the attack succeeds from about 1000 faulty signatures.

show abstract

The Carry Leakage on the Randomized Exponent Countermeasure

Cited by 21 publications

References 20 publications

State-of-the-art of secure ECC implementations: a survey on known side-channel attacks and countermeasures

State-of-the-art of secure ECC implementations: a survey on known side-channel attacks and countermeasures

Power Analysis Attacks on ECC: A Major Security Threat

Public Key Perturbation of Randomized RSA Implementations

Contact Info

Product

Resources

About