Title: Differential Fault Analysis on Elliptic Curve Cryptosystems
1. Differential Fault Analysis on Elliptic Curve Cryptosystems
Spyridon Antakis, Eindhoven University of Technology
Seminar Information Security Technology, 2008-2009
2. Overview
- What is Differential Fault Analysis (DFA).
- Elliptic Curves Basics.
- 3 Different types of attacks on Elliptic Curve Cryptosystems.
- Suggested Countermeasures.
Based on: I. Biehl, B. Meyer and V. Mueller, "Differential Fault Attacks on Elliptic Curve Cryptosystems", Advances in Cryptology, Springer Berlin/Heidelberg, Vol. 1880, pp. 131-146 (2000).
3. Differential Fault Analysis (DFA)
- DFA is a type of side-channel attack.
- The basic principle: create faults in, or take advantage of unexpected events in, cryptographic implementations and then try to reveal their internal states (e.g. the secret key).
4. Elliptic Curves (1)
- I remind you that a group of points on an elliptic curve E is given by
- , where K is a finite field,
- $O = (\infty, \infty)$ and $a_i \in K$.
- Important: we will see that the coefficient $a_5$ does not occur in the addition formulas.
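5. Elliptic Curves (2)
- Important operations:
- $P_E + O_E = O_E + P_E = P_E$.
- $P_E = (x, y)$, $-P_E = (x, -y - a_1 x - a_3) \in E$.
- $P_E + (-P_E) = O_E$.
- $P_1 + P_2 = P_3$
- Pseudo-addition of $P_1$ and $P_2$.
- Pseudo-subtraction of $P_1$ and $P_2$: pseudo-addition of $P_1$ and $(-P_2)$.
- Pseudo-multiplication of $P_1$ by n:
- (n-1) pseudo-additions of $P_1$.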
6. Security Concept
- Elliptic Curve Cryptosystems (ECC) are based on the difficulty of the Discrete Logarithm (DL) problem.
- A cryptographically strong elliptic curve (SEC) is an elliptic curve that leads to a difficult DL problem.
- ECC implementations should always use cryptographically strong curves.
7. Attack Concept
- Scenario
- A strong elliptic curve is publicly known as part of the public key.
- The secret key d is stored inside a tamper-proof device, usually a smartcard.
- On the input of a point P the output is the point $d \cdot P$.
- We assume access to the tamper-proof device and that we can compute $d \cdot P$ for given points P.
- Main Ideas
- Faults at the beginning of the multiplication or faults at random moments of the multiplication.
- Insert a point P that lies on a different curve from the one used by the tamper-proof device.
- Simplify the DL problem by finding using a curve for calculations.
8. 1st Type of Attack
9. How does it work?
We choose the input P for the attack carefully, such that with $a_5 = y^2 + a_1 x y + a_3 y - x^3 - a_2 x^2 - a_4 x$ the tuple $(a_1, a_2, a_3, a_4, a_5)$ defines an elliptic curve E whose order has a small divisor r, such that ord(P) = r. Then, it is proved that,
This is even more efficient if we first construct the E and then compute the P.
10. How can we find d?
So, we end up with a DL problem in the subgroup of order ord(P) = r generated by $P \in E$. Thus, we find d mod r. Let this value be d. If we repeat the procedure for different P's, we can create, for example, the following system:
$d \equiv d_1 \pmod{r_1}$
$d \equiv d_2 \pmod{r_2}$
$d \equiv d_3 \pmod{r_3}$
This system can be solved with the Chinese Remainder Theorem.
11. 2nd Type of Attack
No Output, Input Check Failed
Apply Register Fault, then P becomes P
12. How does it work?
- We determine $a_5$ such that the output $d \cdot P$ satisfies the curve equation with coefficients $a_1, a_2, a_3, a_4, a_5$.
- If these coefficients define an elliptic curve E, then we have successfully reduced the original DL problem.
- We check for all possible candidates P (since is unknown), whether is a point on E; if so, we try to solve the DL problem on E.
13. How can we find d?
- First we compute ord(E), the number of points on E.
- If ord(E) has a small divisor r, we solve the DL problem for the points $(\mathrm{ord}(E)/r) \cdot P$ and $d \cdot (\mathrm{ord}(E)/r) \cdot P$.
- This gives $d \equiv c \pmod{r}$, for some value c.
- We repeat for different values of r and then solve the resulting system (Chinese Remainder Theorem).
14. Countermeasures
- All the described DFA techniques for EC depend on the ability to disturb a point on E so that it becomes an ordinary pair.
- Most cryptosystems based on EC check the input points for correctness.
- It is also important for the tamper-proof device to check the computed and output points and, if they do not satisfy the proper conditions, not to let them leave the device.
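The following Python model is an added example, not code from the slides or from the paper they are based on. It shows the two checks from the countermeasure slide working together with the observation that the addition formulas never read $a_5$. Assumptions: a constructed toy curve over F_97 with $a_1 = a_2 = a_3 = 0$, and the hypothetical names `device`, `fault_bit` and `SECRET_D`.

```python
# Toy parameters constructed for this example; assumes a1 = a2 = a3 = 0, so
# E: y^2 = x^3 + A4*x + A5 over F_p. Far too small for real use.
P_MOD, A4, A5 = 97, 2, 3
G = (3, 6)        # a point on E
SECRET_D = 13     # stands in for the key held inside the device

def a5_of(pt):
    """The a5 for which the pair (x, y) satisfies the curve equation."""
    x, y = pt
    return (y * y - x ** 3 - A4 * x) % P_MOD

def on_curve(pt):
    return pt is None or a5_of(pt) == A5   # None is the point at infinity

def add(p1, p2):
    """Affine addition formulas. Note that A5 is never read."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A4) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def mul(d, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while d:
        if d & 1:
            acc = add(acc, pt)
        pt, d = add(pt, pt), d >> 1
    return acc

def device(pt, check=True, fault_bit=None):
    """Returns SECRET_D * pt. fault_bit (hypothetical knob) flips one bit of
    the stored y coordinate after the input check, modelling a register fault."""
    if check and not on_curve(pt):
        raise ValueError("input point rejected")
    if fault_bit is not None:
        pt = (pt[0], pt[1] ^ (1 << fault_bit))
    out = mul(SECRET_D, pt)
    if check and not on_curve(out):
        raise ValueError("faulty result withheld")
    return out
```

With `check=False` the pair (3, 7) is processed without complaint and the result satisfies the equation for $a_5 = 16$ instead of 3; with checks on, the input check stops the first scenario and the output check stops the register-fault scenario that the input check alone would miss.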
15. Interesting Papers
- Attacking RSA:
- [1] D. Boneh, R.A. DeMillo and R.J. Lipton, "On the Importance of Checking Cryptographic Protocols for Faults", Proceedings of EUROCRYPT '97, Springer, pp. 37-51 (1997).
- Attacking Unknown Cryptosystems:
- [2] P. Paillier, "Evaluation Differential Fault Unknown Cryptosystems", Proceedings of the Second International Workshop on Practice and Theory in Public Key Cryptography, Springer/Heidelberg, Vol. 1560, pp. 235-244 (1999).
- Attacking AES:
- [3] P. Dusart, G. Letourneux and O. Vivolo, "Differential Fault Analysis on A.E.S" (2003).