
Fault Attacks on Elliptic Curve Cryptosystems
Marc Joye, Thomson Security Labs (marc.joye@thomson.net)
CryptoPuces 2009, Porquerolles, June 26, 2009
Outline: Elliptic Curve Cryptography; Inducing Faults; Fault Attacks; Countermeasures


  1. Fault Attacks on Elliptic Curve Cryptosystems
     Marc Joye, Thomson Security Labs, marc.joye@thomson.net
     Crypto'Puces 2009 − Porquerolles, June 2–6, 2009
     Outline
     • Elliptic Curve Cryptography
     • Inducing Faults
     • Fault Attacks
     • Countermeasures
     • Concluding Remarks

  2. Elliptic Curve Cryptography
     • Invented [independently] by Neil Koblitz and Victor Miller in 1985
     • Useful for key exchange, encryption, digital signature, etc.
     Basics on Elliptic Curves (1/3)
     Definition: An elliptic curve over a field $K$ is the set of points $(x, y) \in E$,
       $E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$,
     along with the point $O$ at infinity
     • $\operatorname{Char} K \neq 2, 3 \Rightarrow a_1 = a_2 = a_3 = 0$
     • $\operatorname{Char} K = 2$ (non-supersingular case) $\Rightarrow a_1 = 1$, $a_3 = a_4 = 0$
     Fact: The set $E(K)$ forms an additive group where
     • $O$ is the neutral element
     • the group law is given by the "chord-and-tangent" rule

  3. Basics on Elliptic Curves (2/3)
     $E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$
     • Let $P = (x_1, y_1)$ and $Q = (x_2, y_2)$
     • Group law
       $P + O = O + P = P$
       $-P = (x_1,\, -y_1 - a_1 x_1 - a_3)$
       $P + Q = (x_3, y_3)$ where $x_3 = \lambda^2 + a_1 \lambda - a_2 - x_1 - x_2$ and $y_3 = (x_1 - x_3)\lambda - y_1 - a_1 x_3 - a_3$,
       with $\lambda = \dfrac{y_1 - y_2}{x_1 - x_2}$ [addition] or $\lambda = \dfrac{3x_1^2 + 2a_2 x_1 + a_4 - a_1 y_1}{2y_1 + a_1 x_1 + a_3}$ [doubling]
     Basics on Elliptic Curves (3/3)
     • Elliptic curves over $\mathbb{R}$ (plots)
       $y^2 = x^3 - 7x$: $P = (-2.35, -1.86)$, $Q = (-0.1, 0.836)$, $R = (3.89, -5.62)$ [addition]
       $y^2 = x^3 - 3x + 5$: $P = (2, 2.65)$, $R = (1.11, 2.64)$ [doubling]

  4. EC Primitive
     • EC primitive = point multiplication (a.k.a. scalar multiplication)
       $E(K) \times \mathbb{Z} \to E(K)$, $(P, k) \mapsto Q = [k]P$ (one-way function)
     • Cryptographic elliptic curves
       $K = \mathbb{F}_q$ with $q = p$ (a prime) or $q = 2^m$
       $\#E(K) = h\,n$ with $h \in \{1, 2, 3, 4\}$ and $n$ prime
       typical size: $|n|_2 = 160$ ($\approx |K|_2$)
     Definition (ECDL Problem): Let $G = \langle P \rangle \subseteq E(K)$ be a subgroup of prime order $n$. Given points $P, Q \in G$, compute $k$ such that $Q = [k]P$.
     EC Digital Signature Algorithm (1/2)
     • Elliptic curve variant of the Digital Signature Algorithm, a.k.a. Digital Signature Standard (DSS)
       included in IEEE P1363, ANSI X9.62, FIPS 186.2, SECG, and ISO 15946-2
       highest security level
     • Domain parameters $\{\mathbb{F}_q, E, n, h, H, G\}$
       finite field $\mathbb{F}_q$
       elliptic curve $E/\mathbb{F}_q$ with $\#E(\mathbb{F}_q) = h\,n$, cofactor $h \leq 4$ and $n$ prime
       cryptographic hash function $H$
       point $G \in E$ of prime order $n$

  5. EC Digital Signature Algorithm (2/2)
     • Key generation: $Y = [d]G$ with $d \xleftarrow{\$} \{1, \ldots, n-1\}$; $pk = \{\text{domain params}, Y\}$ and $sk = \{d\}$
     • Signing
       Input: message $m$ and private key $sk$; Output: signature $S = (r, s)$
       1. pick a random $k \in \{1, \ldots, n-1\}$
       2. compute $T = [k]G$ and set $r = x(T) \pmod n$
       3. if $r = 0$ then goto Step 1
       4. compute $s = (H(m) + d\,r)/k \pmod n$
       5. return $S = (r, s)$
     • Verification
       1. compute $u_1 = H(m)/s \pmod n$ and $u_2 = r/s \pmod n$
       2. compute $T = [u_1]G + [u_2]Y$
       3. check whether $r \equiv x(T) \pmod n$
     Public Key Validation
     • For each received $pk = \{\text{domain params}, Y\}$, check that
       1. $Y \in E$
       2. $Y \neq O$
       3. (optional) $[n]Y = O$

  6. EC Diffie-Hellman Key Exchange
     • ECDH = Elliptic Curve Diffie-Hellman protocol: elliptic curve variant of the Diffie-Hellman key exchange
       Alice: $R_A = [a]G$ ──→ Bob
       Alice ←── $R_B = [b]G$ : Bob
       $K_A = [a]R_B$ and $K_B = [b]R_A$
       cofactor variant: $K_A = [h]([a]R_B)$ and $K_B = [h]([b]R_A)$
     • suffers from the man-in-the-middle attack
       no data-origin authentication
       exchanged messages should be signed
     EC Menezes-Qu-Vanstone Protocol
     • ECMQV = Elliptic Curve Menezes-Qu-Vanstone protocol: implicit authentication
       Alice holds $\{w_A, W_A = [w_A]G\}$, Bob holds $\{w_B, W_B = [w_B]G\}$
       Alice picks $a$ and sends $R_A = [a]G$ ──→ Bob
       Alice ←── $R_B = [b]G$ : Bob picks $b$
       $s_A = a + \bar{R}_A\, w_A \pmod n$ and $s_B = b + \bar{R}_B\, w_B \pmod n$
       $K_A = [s_A](R_B + [\bar{R}_B] W_B)$ and $K_B = [s_B](R_A + [\bar{R}_A] W_A)$
       Notation: $\bar{P} := (x(P) \bmod 2^{|n|_2/2}) + 2^{|n|_2/2}$ ($\neq 0$)
     • cofactor variant

  7. ECDH Augmented Encryption (1/2)
     • ECIES = Elliptic Curve Integrated Encryption System
       proposed by Michel Abdalla, Mihir Bellare and Phillip Rogaway in 2000
       submitted to IEEE P1363a
       highest security level (IND-CCA2)
     • Domain parameters $\{\mathbb{F}_q, E, n, h, \mathrm{MAC}, \mathrm{KD}, \mathrm{Enc}, G\}$
       finite field $\mathbb{F}_q$
       elliptic curve $E/\mathbb{F}_q$ with $\#E(\mathbb{F}_q) = h\,n$
       "special" hash functions: message authentication code $\mathrm{MAC}_K(c)$, key derivation function $\mathrm{KD}(T, \ell)$
       symmetric encryption algorithm $\mathrm{Enc}_K(m)$
       point $G \in E$ of prime order $n$
     ECDH Augmented Encryption (2/2)
     • Key generation: $Y = [d]G$ with $d \xleftarrow{\$} \{1, \ldots, n-1\}$; $pk = \{\text{domain params}, Y\}$ and $sk = \{d\}$
     • ECIES encryption
       1. pick a random $k \in \{1, \ldots, n-1\}$
       2. compute $U = [k]G$ and $T = [k]Y$ (resp. $T = [h][k]Y$)
       3. set $(K_1 \,\|\, K_2) = \mathrm{KD}(T, \ell)$
       4. compute $c = \mathrm{Enc}_{K_1}(m)$ and $r = \mathrm{MAC}_{K_2}(c)$
       5. return $(U, c, r)$
     • ECIES decryption
       Input: ciphertext $(U, c, r)$ and private key $sk$; Output: plaintext $m$ or $\bot$
       1. compute $T' = [d]U$ (resp. $T' = [h][d]U$)
       2. set $(K'_1 \,\|\, K'_2) = \mathrm{KD}(T', \ell)$
       3. if $\mathrm{MAC}_{K'_2}(c) = r$ then return $m = \mathrm{Enc}^{-1}_{K'_1}(c)$

  8. History (1/2)
     • 1996
       September
       • Attacks on RSA-CRT by Bellcore's researchers (D. Boneh, R. DeMillo & R. Lipton)
       • Attack improvements by A. Lenstra
       October
       • 18: DFA on DES by E. Biham & A. Shamir
       • 29: Attacks on RSA and ElGamal by F. Bao & R. Deng
       • 30: DFA on unknown cryptosystems by E. Biham & A. Shamir
       November
       • Attacks on LUC and Demytko by M. Joye & J.-J. Quisquater
     History (2/2)
     • 2000: Attacks on ECC by I. Biehl, B. Meyer & V. Müller
     • 2003: Attacks on AES (5) by J. Blömer, C.-N. Chen, P. Dusart, C. Giraud, G. Letourneux, G. Piret, J.-J. Quisquater, J.-P. Seifert, O. Vivolo & S.-M. Yen

  9. Methods of Fault Injection (1/2)
     Glitch attacks
     • Variations in supply voltage during execution may cause the processor to misinterpret or skip instructions
     • Variations in the external clock may cause data misread or an instruction miss
     Temperature attacks
     • Variations in temperature may cause random modification of RAM cells, or stop read operations in NVMs from working
     Methods of Fault Injection (2/2)
     Light attacks
     • Photoelectric effect (duration, power and location of the emission)
     • White light (flash camera): cheap equipment
     • Laser: allows precise targeting of a circuit area
     Magnetic attacks
     • Emission of a powerful magnetic pulse near the silicon (duration, power and location of the emission)

  10. Types of Faults
     • Permanent faults (destructive faults): the value of a cell is definitely changed
       • data (EEPROM or RAM)
       • code (EEPROM)
     • Transient faults (provisional faults): the circuit recovers its original behavior after reset or when the fault's stimulus ceases; the code execution or a computation is perturbed:
       instruction byte: a different instruction is executed (call to a routine skipped, test avoided, ...)
       parameter byte: a different value or address is considered (operation with another operand, ...)
     (Transient) Fault Models
     1. Fault model #1: Precise bit errors
        The attacker can cause a fault in a single bit; full control over the timing and location of the fault
     2. Fault model #2: Precise byte errors
        The attacker can cause a fault in a single byte; full control over the timing but only partial control over the location (e.g., which byte is affected)
        • new faulty value cannot be predicted
     3. Fault model #3: Unknown byte errors
        The attacker can cause a fault in a single byte; partial control over the timing and location of the fault
        • new faulty value cannot be predicted
     4. Fault model #4: Random errors
        Partial control over the timing and no control over the location

  11. Fault Attacks on ECC
     • Bit-level vs. byte-level attacks
     • Transient vs. permanent faults
     • Private vs. public routines
     • Unsigned vs. signed representations
     • Fixed vs. variable base point
     • Basic vs. provably secure systems
     Forcing-Bit Attack (1/2)
     • Let $d = \sum_{i=0}^{\ell-1} d_i 2^i$
     • Forcing bit: $d_j \to 0$
     • ECDSA: check whether $S = (r, s)$ is a valid signature
       if so, then $d_j = 0$
       if not, then $d_j = 1$
     • (Similarly applies when $k_j \to 0$ in Step 4)
