Differential Fault Analysis on Elliptic Curve Cryptosystems Spyridon Antakis Eindhoven University of - PowerPoint PPT Presentation

1 / 16
About This Presentation
Title:

Differential Fault Analysis on Elliptic Curve Cryptosystems Spyridon Antakis Eindhoven University of

Description:

Based on: ... point P' that lies on a different curve from the one is used by the tamper-proof ... do not satisfy the proper conditions, not to let them leave ... – PowerPoint PPT presentation

Number of Views:202
Avg rating:3.0/5.0
Slides: 17
Provided by: present420
Category:

less

Transcript and Presenter's Notes

Title: Differential Fault Analysis on Elliptic Curve Cryptosystems Spyridon Antakis Eindhoven University of


1
Differential Fault Analysis on Elliptic Curve
CryptosystemsSpyridon AntakisEindhoven
University of TechnologySeminar Information
Security Technology2008-2009
2
Overview
  • What is Differential Fault Analysis (DFA).
  • Elliptic Curves Basics.
  • 3 Different types of attacks on Elliptic Curves
    Cryptosystems.
  • Suggested Countermeasures.

Based on I.Biehl, B.Meyer and V.Mueller
Differential Fault Attacks on Elliptic Curve
Cryptosystems, Advances in Cryptology, Springer
Berlin/Heidelberg, Vol. 1880, pag.131-146,(2000).
3
Differential Fault Analysis (DFA)
  • DFA is A type of a side channel attack.
  • The basic principle Create faults or take
    advantage of unexpected events into cryptographic
    impleme-ntations and then try to reveal their
    internal states (e.g. secret key).

4
Elliptic Curves (1)
  • I remind you that A group of points on an
    elliptic curve E is given by
  • ,where K is a finite field,
  • O 8,8 and ai K.
  • Important We will see that coefficient a5 does
    not occur in the addition formulas.

5
Elliptic Curves (2)
  • Important Operations
  • PE OE OE PE PE.
  • PE (x,y), PE(x,-y-a1x-a3)E.
  • PE (-PE) OE.
  • P1 P2 P3
  • Pseudo-addition P1 P2.
  • Pseudo-subtraction P1 P2 P1 (-P2).
  • Pseudo-multiplication n P1
  • (n-1) pseudo-additions of P1.

6
Security Concept
  • Elliptic Curve Cryptosystems (ECC) are based on
    the difficulty of the Discrete Logarithm (DL)
    problem.
  • A cryptographically strong elliptic curve (SEC)
    is an elliptic curve that leads to a difficult DL
    problem.
  • ECC implementations should always use
    cryptographically strong curves.

7
Attack Concept
  • Scenario
  • A strong elliptic curve is publicly known as part
    of the public key.
  • The secret key d is stored inside a tamper-proof
    device, usually a smartcard.
  • On the input of a point P the output is the point
    d?P.
  • Is assumed, access to the tamper-proof device and
    that we can compute d?P for given points P.
  • Main Ideas
  • Faults at the begging of the multiplication or
    faults at random moments of the multiplication.
  • Insert a point P that lies on a different curve
    from the one is used by the tamper-proof device.
  • Simplify the DL problem by finding using a curve
    for calculations.

8
1st Type of Attack
9
How does it work?
We choose the input P for the attack carefully,
such that with a5 y2 a1xy a3y x3 a2x2
a4x the tuple a1,a2,a3,a4,a5 defines an
elliptic curve E, whose order has a small
divisor r, such that ord(P) r. Then, it is
proved that,
This is even more efficient, if we first
construct the E and then compute the P.
10
How can we find d?
So, we end up with a DL problem in the subgroup
of ord(P) r generated by P E. Thus, we
find d mod(r). Let this value be d. If we
repeat the procedure for different Ps, we can
create for example, the following system d
d1 mod(r1) d d2 mod(r2) d d3
mod(r3) This system can be solved with Chinese
Theorem.
11
2nd Type of Attack
No Output, Input Check Failed
Apply Register Fault, then P becomes P
12
How does it work?
  • We determine a5 such that the output d?P
    satisfies the curve equation with coefficients
    a1,a2,a3,a4,a5.
  • If with these coefficients, we define an elliptic
    curve E, then, we successfully decreased the
    original DL problem.
  • We check for all possible candidates P(since is
    unknown), whether is a point on E, if so, we try
    to solve the DL problem on E.

13
How can we find d?
  • First we compute ord(E), number of points on E.
  • If ord(E) has a small divisor r, we solve the DL
    problem for points (ord(E)/r)?P and
    d?(ord(E)/r)?P.
  • This gives d c mod(r), for some value c.
  • We repeat for different rs and then we solve the
    created system (Chinese Theorem).

14
Countermeasures
  • All the described DFA techniques for EC depend
    on the ability to disturb a point on E in order
    to become an ordinary pair.
  • Most cryptosystems, based on EC, check the input
    points for correctness.
  • It is also important, for the tamper-proof
    device to check the computed and output points
    and if they do not satisfy the proper conditions,
    not to let them leave the device.

15
Interesting Papers
  • Attacking RSA,
  • 1 D.Boneh, R.A.DeMillo and R.J.Lipton On the
    Importance of Checking Cryptographic Protocols
    for Faults, Proceedings of EUROCRYPT97,
    Springer, pp. 3751,(1997).
  • Attacking Unknown Cryptosystems,
  • 2 P.Paillier Evaluation Differential Fault
    Unknown Cryptosystems, Proceedings of the Second
    International Workshop on Practice and Theory in
    Public Key Cryptography, Springer/Heidelberg,
    Vol. 1560, pag. 235 - 244,(1999).
  • Attacking AES,
  • 3 P.Dusart, G.Letourneux and O.Vivolo
    Differential Fault Analysis on A.E.S,(2003).

16
Questions ??
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Differential Fault Analysis on Elliptic Curve Cryptosystems Spyridon Antakis Eindhoven University of" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!