
Using Modular Extension to Provably Protect Edwards Curves Against - PowerPoint PPT Presentation



  1. Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux Dugardin, Sylvain Guilley, Martin Moreau, Zakaria Najm, Pablo Rauzy PROOFS 2016 - Santa Barbara, CA

  2. Introduction
     [figure: Alice and Bob communicating over a channel that Eve can observe]
     We need:
       - encryption/decryption
       - key exchange
       - signature
     ⇒ asymmetric cryptography
     2/24 Margaux Dugardin PROOFS 2016

  3. Introduction
     [figure: decryption of a ciphertext into a plaintext with the secret key, observed by Eve]
     Eve is able to:
       - observe Alice's computation
       - change the input
       - obtain the output
       - inject a fault during the computation

  4. Fault attacks
     Fault attacks:
       - Safe-error attacks
       - Cryptosystem parameter alteration
       - Differential Fault Analysis (DFA), e.g. BellCoRe attack, sign-change attacks
     Fault model:
       - Randomizing faults (Boneh et al., EUROCRYPT 1997)
       - Zeroing faults (Clavier, CHES 2007)
       - Instruction skip faults (Moro et al., JCE 2014)

  5. Classical Algorithm: Scalar Multiplication
     Algorithm 1 Double and Add Left-to-Right
     Input: P ∈ E(F_p), k = (k_{n-1} k_{n-2} ... k_0)_2, ∀i, k_i ∈ {0, 1}
     Output: [k]P
     1: Q ← O                  ⊲ the point at infinity
     2: for i = n−1 downto 0 do
     3:   Q ← 2Q               ⊲ EC-DBL
     4:   if k_i = 1 then
     5:     Q ← Q + P          ⊲ EC-ADD
     6:   end if
     7: end for

  6. Fault Attack: Invalid input point (Biehl et al., CRYPTO 2000)
     Algorithm 1 Double and Add Left-to-Right
     Input: P ∈ weak curve, k = (k_{n-1} k_{n-2} ... k_0)_2, ∀i, k_i ∈ {0, 1}
     Output: [k]P
     1: Q ← O                  ⊲ the point at infinity
     2: for i = n−1 downto 0 do
     3:   Q ← 2Q               ⊲ EC-DBL
     4:   if k_i = 1 then
     5:     Q ← Q + P          ⊲ EC-ADD
     6:   end if
     7: end for

  7. Fault Attack: Invalid input point (Biehl et al., CRYPTO 2000)
     Algorithm 1 Double and Add Left-to-Right
     Input: P ∈ weak curve, k = (k_{n-1} k_{n-2} ... k_0)_2, ∀i, k_i ∈ {0, 1}
     Output: [k]P
     1: if P is not on the curve E(F_p) then error
     2: Q ← O                  ⊲ the point at infinity
     3: for i = n−1 downto 0 do
     4:   Q ← 2Q               ⊲ EC-DBL
     5:   if k_i = 1 then
     6:     Q ← Q + P          ⊲ EC-ADD
     7:   end if
     8: end for
     9: if Q is not on the curve E(F_p) then error else return Q
     Countermeasure: verify the input/output point and the curve parameters

  8. Sign-change fault attack (Blömer et al., LNCS 2006)
     Algorithm 1 Double and Add Left-to-Right
     Input: P ∈ E(F_p), k = (k_{n-1} k_{n-2} ... k_0)_2, ∀i, k_i ∈ {0, 1}
     Output: [k]P
     1: if P is not on the curve E(F_p) then error
     2: Q ← O                  ⊲ the point at infinity
     3: for i = n−1 downto 0 do
     4:   Q ← 2Q               ⊲ Sign-change fault at i = 0
     5:   if k_i = 1 then
     6:     Q ← Q + P          ⊲ EC-ADD
     7:   end if
     8: end for
     9: if Q is not on the curve E(F_p) then error else return Q
     Countermeasure: verify the input/output point and the curve parameters ⇒ INEFFECTIVE

  9. Sign-change fault attack (Blömer et al., LNCS 2006)
     Algorithm 1 Double and Add Left-to-Right
     Input: P ∈ E(F_p), k = (k_{n-1} k_{n-2} ... k_0)_2, ∀i, k_i ∈ {0, 1}
     Output: [k]P
     1: if P is not on the curve E(F_p) then error
     2: Q ← O                  ⊲ the point at infinity
     3: for i = n−1 downto 0 do
     4:   Q ← 2Q               ⊲ Sign-change fault at i = 0
     5:   if k_i = 1 then
     6:     Q ← Q + P          ⊲ EC-ADD
     7:   end if
     8: end for
     9: if Q is not on the curve E(F_p) then error else return Q

     $[k_0 + 2\sum_{i=1}^{n-1} k_i 2^{i-1}]P = Q$
     $[k_0 - 2\sum_{i=1}^{n-1} k_i 2^{i-1}]P = Q^*$
     ⇒ $Q + Q^* = [2k_0]P$

  10. Sign-change fault attack (Blömer et al., LNCS 2006)
     Algorithm 1 Double and Add Left-to-Right
     Input: P ∈ E(F_p), k = (k_{n-1} k_{n-2} ... k_0)_2, ∀i, k_i ∈ {0, 1}
     Output: [k]P
     1: if P is not on the curve E(F_p) then error
     2: Q ← O                  ⊲ the point at infinity
     3: for i = n−1 downto 0 do
     4:   Q ← 2Q               ⊲ Sign-change fault at i = 1
     5:   if k_i = 1 then
     6:     Q ← Q + P          ⊲ EC-ADD
     7:   end if
     8: end for
     9: if Q is not on the curve E(F_p) then error else return Q

     $[2k_1 + k_0 + 4\sum_{i=2}^{n-1} k_i 2^{i-2}]P = Q$
     $[2k_1 + k_0 - 4\sum_{i=2}^{n-1} k_i 2^{i-2}]P = Q^*$
     ⇒ $Q + Q^* = [2(2k_1 + k_0)]P$

  11. Shamir countermeasures
     Computational protections against fault injection ⇒ modular extension
     [figure: the computation is carried out in Z_pr; its output is reduced mod r and compared with the same computation carried out in F_r; if the two agree (true) the output reduced mod p is returned, otherwise (false) an error is returned]

  12. BOS countermeasure (Blömer et al., LNCS 2006)
     Algorithm 2 ECSM protected with BOS countermeasure
     Input: P ∈ E(F_p), k ∈ {1, ..., ord(P) − 1}
     Output: Q = [k]P ∈ E(F_p)
     1: Choose a small prime r, a curve E(F_r), and a point P_r on that curve.
     2: Determine the combined curve E(Z_pr) and point P_pr using the CRT.
     3: (X_pr : Y_pr : Z_pr) = ECSM(P_pr, k, pr)
     4: (X_r : Y_r : Z_r) = ECSM(P_r, k, r)
     5: if (X_pr mod r : Y_pr mod r : Z_pr mod r) = (X_r : Y_r : Z_r) then
     6:   return (X_pr mod p : Y_pr mod p : Z_pr mod p)
     7: else
     8:   return error
     9: end if


  14. BOS countermeasure (Blömer et al., LNCS 2006)
     Algorithm 4 ECSM protected with BOS countermeasure
     Input: P ∈ E(F_p), k ∈ {1, ..., ord(P) − 1}
     Output: Q = [k]P ∈ E(F_p)
     1: Choose a small prime r, a curve E(F_r), and a point P_r on that curve.
     2: Determine the combined curve E(Z_pr) and point P_pr using the CRT.
     3: (X_pr : Y_pr : Z_pr) = ECSM(P_pr, k, pr)
     4: (X_r : Y_r : Z_r) = ECSM(P_r, k, r)          ⊲ without test in EC-ADD
     5: if (X_pr mod r : Y_pr mod r : Z_pr mod r) = (X_r : Y_r : Z_r) then
     6:   return (X_pr mod p : Y_pr mod p : Z_pr mod p)
     7: else
     8:   return error
     9: end if

  15. BOS is incorrect for Weierstrass curves
     [figure: elliptic curve on Z_pr beside elliptic curve on F_r]


  26. BOS is incorrect for Weierstrass curves
     [figure: elliptic curve on Z_pr beside elliptic curve on F_r]
     Without fault injection, there is an error because O ≠ [k]P mod r.

  27. Our contributions
       - Security analysis of the modular extension countermeasure
       - Correction of the BOS countermeasure using Edwards and twisted Edwards curves

  28. Security Analysis of Modular Extension
     Definition 1: Fault model. We consider an attacker who can fault data by randomizing or zeroing any intermediate variable, and fault code by skipping any number of consecutive instructions.
     Definition 2: Attack order. We call order of the attack the number of faults (in the sense of Def. 1) injected during the target execution.
     Definition 3: Secure algorithm. An algorithm is said to be secure if it is correct and if, when faults have been injected, it returns either the right result or an error constant with overwhelming probability.

  29. Security Analysis of Modular Extension
     Theorem 1: Security of test-free modular extension. Test-free algorithms protected using the modular extension technique are secure as per Def. 3. In particular, the probability of non-detection is inversely proportional to the security parameter r.
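The following is an added example written for this page, not the authors' code: it runs Algorithm 1 with the unified Edwards addition law (test-free, so the Z_pr computation reduced mod r agrees with the F_r computation exactly, which is what fails for Weierstrass curves on slides 15 and 26), applies the comparison of Algorithm 2, and injects a randomizing fault of Definition 1 to show it being caught as Theorem 1 predicts. The toy primes p and r, the non-square curve constant d, the points found by search and the fault position are all assumptions of the example, not values from the slides.

```python
# Added example, not the authors' code: BOS-style modular extension on an
# Edwards curve x^2 + y^2 = 1 + d x^2 y^2 with constructed toy parameters.
import random

def nonsquare(q):
    # smallest quadratic non-residue mod prime q; a non-square d makes the Edwards law complete
    return next(d for d in range(2, q) if pow(d, (q - 1) // 2, q) == q - 1)

def find_point(d, q):
    """A point with x >= 2 on the curve over F_q, for a prime q = 3 mod 4."""
    for x in range(2, q):
        y2 = (x * x - 1) * pow(d * x * x - 1, -1, q) % q  # d x^2 != 1 since d is a non-square
        y = pow(y2, (q + 1) // 4, q)                       # candidate square root
        if y * y % q == y2:
            return (x, y)

def crt(ap, p, ar, r):
    return (ap * r * pow(r, -1, p) + ar * p * pow(p, -1, r)) % (p * r)  # x = ap (p), x = ar (r)

def ed_add(P, Q, d, m):
    """Unified Edwards addition mod m: no branch on P == Q or P == -Q."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % m
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, m) % m
    y3 = (y1 * y2 - x1 * x2) * pow(1 - t, -1, m) % m
    return (x3, y3)

def ecsm(P, k, d, m, fault_at=None):
    """Algorithm 1 (double-and-add); fault_at=(i, seed) randomizes X after step i."""
    Q = (0, 1)                                   # neutral element of the Edwards curve
    for i in reversed(range(k.bit_length())):
        Q = ed_add(Q, Q, d, m)                   # EC-DBL
        if (k >> i) & 1:
            Q = ed_add(Q, P, d, m)               # EC-ADD
        if fault_at is not None and fault_at[0] == i:
            Q = (random.Random(fault_at[1]).randrange(m), Q[1])   # randomizing fault
    return Q

def protected_ecsm(P, k, p, r, fault_at=None):
    """Algorithm 2 on Edwards curves: run over Z_pr, compare mod r with an F_r run."""
    dp, dr = nonsquare(p), nonsquare(r)
    Pr = find_point(dr, r)
    d_pr = crt(dp, p, dr, r)
    P_pr = (crt(P[0], p, Pr[0], r), crt(P[1], p, Pr[1], r))
    try:
        X, Y = ecsm(P_pr, k, d_pr, p * r, fault_at)
    except ValueError:            # a faulted value made a denominator non-invertible mod pr
        return "error"
    if (X % r, Y % r) != ecsm(Pr, k, dr, r):
        return "error"            # detected with probability about 1 - 1/r (Theorem 1)
    return (X % p, Y % p)
```

Without a fault the Z_pr result reduced mod p equals a plain F_p computation and the mod-r comparison passes; a fault on an intermediate X either breaks an inversion or is caught by the comparison, with roughly 1/r of faulted runs slipping through, which is why r sets the security level.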
