PROTECTING ECC AGAINST FAULT ATTACKS, Marc Joye, NutMiC 2019, Paris

SLIDE 1

Innovation Centre

PROTECTING ECC AGAINST FAULT ATTACKS

Marc Joye

NutMiC 2019 Paris, June 24–27, 2019

SLIDE 2

September 26, 1996

Bellcore’s Researchers Break Smart Cards

SLIDE 3

BELLCORE ATTACK (1/2)

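  • Computation of a signature $S = \mu(m)^d \bmod N$ using CRT

    1. $\dot{m} = \mu(m)$ for some padding function $\mu$
    2. $s_p = \dot{m}^{d_p} \bmod p$
    3. $s_q = \dot{m}^{d_q} \bmod q$
    4. $S = \mathrm{CRT}(s_p, s_q) = s_q + q\,[\,i_q (s_p - s_q) \bmod p\,]$ where $i_q = q^{-1} \bmod p$

[Figure: data flow of the CRT computation, with $\dot{m}$ and $d_p$ giving $s_p$, $\dot{m}$ and $d_q$ giving $s_q$, and both combined into $S$]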

Innovation Centre c 2019 OneSpan Innovation Centre 3

SLIDE 5

BELLCORE ATTACK (2/2)

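[Figure: the same CRT data flow with a fault on the $s_p$ branch, giving $\hat{s}_p$ and a faulty signature $\hat{S}$]

$\gcd(\hat{S} - S, N) = q$

Proof:

  • $\hat{s}_p \neq s_p \iff \hat{S} \not\equiv S \pmod{p} \iff p \nmid (\hat{S} - S)$
  • $\hat{S} \equiv S \pmod{q} \iff q \mid (\hat{S} - S)$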

SLIDE 6

FAULT ATTACKS

  • Adversary induces faults during the computation
      • glitches (supply voltage or external clock)
      • temperature
      • light emission (white light or laser)
      • ...

SLIDE 7

OUTLINE OF THIS TALK

New countermeasures for preventing fault attacks in elliptic curve cryptosystems

    1. Elliptic curve primitive
    2. Basic countermeasures
    3. Shamir’s trick
    4. Ring extension method, revisited

SLIDE 9

ELLIPTIC CURVE PRIMITIVE

  • EC primitive = point multiplication (a.k.a. scalar multiplication)

    $E(K) \times \mathbb{Z} \to E(K),\quad (P, d) \mapsto Q = [d]P$

      • one-way function
  • Cryptographic elliptic curves
      • $K = \mathbb{F}_q$ with $q = p$ (a prime) or $q = 2^m$
      • $\#E(K) = h\,n$ with $h \in \{1, 2, 3, 4\}$ and $n$ prime
      • typical size: $|n|_2 = 256$ ($\approx |K|_2$)

Definition (ECDL Problem)

Let $G = \langle P \rangle \subseteq E(K)$ be a subgroup of prime order $n$. Given points $P, Q \in G$, compute $d$ such that $Q = [d]P$.

SLIDE 10

BASIC COUNTERMEASURES FOR PROTECTING $Q \leftarrow [d]P$

  • Add CRC checks
      • for private and public parameters
  • Randomize the computation
      • e.g., $d \leftarrow d + r\,n$ with $n = \mathrm{ord}_E(P)$
  • Compute the operations twice
      • doubles the running time
  • Verify the signatures
      • ECDSA verification is slower than signing
  • Check that the output point $Q = [d]P$ is in $\langle P \rangle$
      • $Q \in E$
      • $[h]Q \neq O$ (only implies of large order)

SLIDE 12

RING EXTENSION METHOD Shamir’s Trick

    1. $s_p^* = \dot{m}^d \bmod (rp)$
    2. $s_q^* = \dot{m}^d \bmod (rq)$
    3. $S = \mathrm{CRT}(s_p^* \bmod p,\ s_q^* \bmod q)$ iff $s_p^* \equiv s_q^* \pmod{r}$

  • Drawbacks
      • uses the value of $d$
      • does not detect errors on CRT combination
          • e.g., fault on $i_q$
  • Variant
      • adaptation to RSA in standard mode ring extension method
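
The BELLCORE ATTACK slides and the Shamir's trick slide above, worked through on a toy key as an added example (not code from the talk). The key, the message value, `r` and the single-bit fault model are constructed assumptions, and all function names are hypothetical.

```python
from math import gcd

# Constructed toy RSA key, far too small for real use.
P, Q, E = 1009, 1013, 5
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def crt_combine(sp, sq):
    """Recombination from the slide: S = sq + q*[iq*(sp - sq) mod p]."""
    iq = pow(Q, -1, P)
    return sq + Q * (iq * (sp - sq) % P)

def sign_crt(m, fault=False):
    """Unprotected RSA-CRT; fault=True flips one bit of s_p (simulated)."""
    sp = pow(m, D % (P - 1), P) ^ (1 if fault else 0)
    sq = pow(m, D % (Q - 1), Q)
    return crt_combine(sp, sq)

def bellcore_gcd(s_good, s_bad):
    """gcd(S^ - S, N) from the slide: shows what one faulty output leaks."""
    return gcd(s_bad - s_good, N)

def sign_shamir(m, r, fault=False):
    """Shamir's trick: compute mod r*p and r*q, release S only if both agree mod r."""
    sp_star = pow(m, D, r * P) ^ (1 if fault else 0)   # note: needs the full d
    sq_star = pow(m, D, r * Q)
    if sp_star % r != sq_star % r:
        raise ValueError("fault detected, signature withheld")
    # A fault injected from here on (e.g. on iq) is not covered by the check.
    return crt_combine(sp_star % P, sq_star % Q)
```

With the unprotected routine one faulty signature is enough for `bellcore_gcd` to return `Q`; with `sign_shamir` the same fault raises before anything is released.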

SLIDE 13

BOS COUNTERMEASURE (1/2)

Blömer–Otto–Seifert

  • Extension of Shamir’s trick to elliptic curves
  • Protected computation of $Q = [d]P$ proceeds in 5 steps:

    1. For a (small) prime $r$, define an elliptic curve $E'$ over $\mathbb{F}_r$ and a point $P'$ on $E'$
    2. Form the combined curve $\hat{E} = \mathrm{CRT}(E, E')$ over $\mathbb{Z}/pr\mathbb{Z}$ and the combined point $\hat{P} = \mathrm{CRT}(P, P')$
    3. Compute $\hat{Q} = [d]\hat{P}$ on $\hat{E}$
    4. Compute $Q' = [d]P'$ on $E'$
    5. Check whether $\hat{Q} \equiv Q' \pmod{r}$, and
          • if so, output $Q = \hat{Q} \bmod p$
          • if not, return error

SLIDE 14

BOS COUNTERMEASURE (2/2)

[Flowchart: compute $\hat{Q} = [d]\hat{P}$ on $\hat{E}$ and $Q' = [d]P'$ on $E'$; test $\hat{Q} \overset{?}{\equiv} P' \pmod{r}$; if no, error; if yes, $Q = \hat{Q} \bmod p$]

SLIDE 15

RING EXTENSION METHOD REVISITED

Replace the combined curve $\hat{E}$ with

$E(\mathbb{F}_p) \times G' \cong E(\mathbb{F}_p) \times (\mathbb{Z}/r\mathbb{Z})^+$

where group $G'$ is represented with elements having a group law that coincides with the group law used in the representation of $E(\mathbb{F}_p)$

Two realizations:

    1. Generalization of an earlier countermeasure for Edwards curves (J., 2012)
    2. Modification of a recent countermeasure due to Neves and Tibouchi (IET Inf. Sec., 2018)

SLIDE 16

FIRST REALIZATION

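Notation: $E(R)$ = set of rational points on an elliptic curve $E$ defined over $R$

  • For the ring $R = \mathbb{Z}/r^2\mathbb{Z}$, we consider the $r$-order subgroup

    $G' := E_1(\mathbb{Z}/r^2\mathbb{Z}) = \{\, P \in E(\mathbb{Z}/r^2\mathbb{Z}) \mid P \text{ modulo } r \text{ reduces to } O \,\} \cong (\mathbb{Z}/r\mathbb{Z})^+$

    where $O$ is the identity element on $E(\mathbb{Z}/r\mathbb{Z})$
  • Combined curve $\hat{E}$ becomes $E(\mathbb{F}_p) \times E_1(\mathbb{Z}/r^2\mathbb{Z}) \subseteq E(\mathbb{Z}/pr^2\mathbb{Z})$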

SLIDE 17

SECOND REALIZATION

  • Use a degenerate curve
      • drawback: most elliptic curve models (excl. Weierstraß) do not have an additive degeneration
  • For a particular curve equation $E'$ (i.e., with special curve parameters), we consider

    $G' := E'(\mathbb{Z}/r\mathbb{Z})[r] = \{\, P \text{ satisfying the curve equation } E' \text{ modulo } r \mid [r]P = O \,\} \cong (\mathbb{Z}/r\mathbb{Z})^+$

    (holds true for elliptic curve models commonly used in cryptographic applications)

SLIDE 18

ILLUSTRATION

Edwards Curves $E_{a,b}/\mathbb{F}_p : ax^2 + y^2 = 1 + bx^2y^2$ where $ab(a - b) \neq 0$

  • Addition law
      • $O = (0, 1)$ [neutral element]
      • $-(x_1, y_1) = (-x_1, y_1)$
      • $(x_1, y_1) + (x_2, y_2) = (x_3, y_3)$ where

        $x_3 = \dfrac{x_1y_2 + x_2y_1}{1 + bx_1x_2y_1y_2}, \quad y_3 = \dfrac{y_1y_2 - ax_1x_2}{1 - bx_1x_2y_1y_2}$

      • ...also valid for point doubling (and $O$)
  • Addition law is complete if $a$ is a square and $b$ is a non-square

SLIDE 20

SPECIAL CURVE E′: TAKE a = b = 0

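$G' := \{\, \Upsilon_2(\vartheta) = (\vartheta, 1) \mid \vartheta \in \mathbb{Z}/r\mathbb{Z} \,\}$, points $(x, y) \in E'_{0,0}(\mathbb{Z}/r\mathbb{Z})$

  • Properties
      • $G' \simeq (\mathbb{Z}/r\mathbb{Z})^+$, $P_1 = (\vartheta_1, 1) \mapsto \vartheta_1$
      • $\#G' = r$
      • $[d]P_1 = (d \cdot \vartheta_1, 1)$
  • Addition law on $G'$:

    $(x_1, y_1) + (x_2, y_2) = \left( \dfrac{x_1y_2 + x_2y_1}{1 + bx_1x_2y_1y_2},\ \dfrac{y_1y_2 - ax_1x_2}{1 - bx_1x_2y_1y_2} \right)$

    1. $\Upsilon_2(0) = (0, 1) = O$, and
    2. $\Upsilon_2(\vartheta_1) + \Upsilon_2(\vartheta_2) = (\vartheta_1, 1) + (\vartheta_2, 1) = \left( \dfrac{\vartheta_1 \cdot 1 + \vartheta_2 \cdot 1}{1},\ \dfrac{1 \cdot 1}{1} \right) = (\vartheta_1 + \vartheta_2, 1) = \Upsilon_2(\vartheta_1 + \vartheta_2)$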

SLIDE 21

PROTECTED ALGORITHM (1/2)

[Flowchart: compute $\hat{Q} = [d]\hat{P}$ on $\hat{E}$ and $Q' = [d]P'$ on $E'$; test $\hat{Q} \overset{?}{\equiv} P' \pmod{r}$; if no, error; if yes, $Q = \hat{Q} \bmod p$. The computation of $Q'$ is annotated "multiplication modulo r".]

$[d]P' = (d \cdot \vartheta, 1)$ with $P' = (\vartheta, 1)$

SLIDE 22

PROTECTED ALGORITHM (2/2)

Input: $P \in E$, $d$
Output: $Q = [d]P$

    1. Choose a small random $r$ and draw $\vartheta \xleftarrow{\$} (\mathbb{Z}/r\mathbb{Z})^+$
    2. Define $P' \leftarrow (\vartheta, 1) \in E'/(\mathbb{Z}/r\mathbb{Z})^+$
    3. Compute
          • $\hat{P} \leftarrow \mathrm{CRT}(P, P')$ and $\hat{E} \leftarrow \mathrm{CRT}(E, E')$
          • $\hat{Q} \leftarrow [d]\hat{P} \in E/(\mathbb{Z}/pr\mathbb{Z})^+$
          • $Q' \leftarrow (d\vartheta \bmod r, 1)$
    4. If $\hat{Q} \not\equiv Q' \pmod{r}$ then return error
    5. Return $Q = \hat{Q} \bmod p$
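
The five steps above, run end to end on an Edwards curve with $E' = E_{0,0}$, as an added example that is not code from the talk. The toy prime `P_MOD`, the curve parameters `A` and `B`, the values of `r`, `theta` and `d`, the single-bit fault model and all function names are constructed assumptions.

```python
# Constructed toy parameters, far too small for real use.
# E: a*x^2 + y^2 = 1 + b*x^2*y^2 over F_p, a square and b non-square (complete law).
P_MOD, A, B = 1009, 1, 11

def crt(u, v, p, r):
    """x mod p*r with x = u (mod p) and x = v (mod r)."""
    return (u + p * ((v - u) * pow(p, -1, r) % r)) % (p * r)

def ed_add(P1, P2, a, b, m):
    """Edwards addition law from the ILLUSTRATION slide, over Z/mZ."""
    (x1, y1), (x2, y2) = P1, P2
    t = b * x1 * x2 * y1 * y2 % m
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, m) % m
    y3 = (y1 * y2 - a * x1 * x2) * pow((1 - t) % m, -1, m) % m
    return (x3, y3)

def ed_mul(d, P, a, b, m, fault_at=None):
    """Left-to-right double-and-add; fault_at flips bit 0 of x after that step."""
    Q = (0, 1)                                   # neutral element O
    for i, bit in enumerate(bin(d)[2:]):
        Q = ed_add(Q, Q, a, b, m)
        if bit == "1":
            Q = ed_add(Q, P, a, b, m)
        if i == fault_at:
            Q = (Q[0] ^ 1, Q[1])                 # simulated transient fault
    return Q

def protected_mul(d, P, r, theta, fault_at=None):
    """Steps 1-5 of the protected algorithm, with E' = E_{0,0} over Z/rZ."""
    p = P_MOD
    a_hat, b_hat = crt(A, 0, p, r), crt(B, 0, p, r)           # E^ = CRT(E, E')
    P_hat = (crt(P[0], theta, p, r), crt(P[1], 1, p, r))      # P^ = CRT(P, (theta, 1))
    Q_hat = ed_mul(d, P_hat, a_hat, b_hat, p * r, fault_at)   # [d]P^ modulo p*r
    Q_chk = (d * theta % r, 1)                                # [d]P' = (d*theta mod r, 1)
    if (Q_hat[0] % r, Q_hat[1] % r) != Q_chk:
        raise ValueError("fault detected, result withheld")
    return (Q_hat[0] % p, Q_hat[1] % p)

def find_point(p=P_MOD, a=A, b=B):
    """Brute-force a point on E (acceptable at toy size only)."""
    return next((x, y) for x in range(2, p) for y in range(2, p)
                if (a * x * x + y * y - 1 - b * x * x * y * y) % p == 0)
```

The check costs one multiplication modulo `r`, and `r` here can be any small odd integer coprime to `p`. On a faulted run the off-curve intermediate may also hit a non-invertible denominator, in which case `pow` raises the same `ValueError` before the comparison is reached.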

SLIDE 23

SUMMARY

  • Ring extension method revisited
      • Two approaches are suggested
  • Generic algorithms for protecting ECC against fault attacks
      • Proposed techniques apply to many elliptic curve models, incl.
          • Weierstraß model
          • (twisted) Edwards model
          • Jacobi quartic model
          • Jacobi quadrics intersection model
          • Hessian model
          • Huff’s model
  • Efficient algorithms for protecting ECC against fault attacks
      • No need to generate prime numbers
      • Verification step boils down to a mere small modular multiplication
      • Much faster than BOS algorithm

SLIDE 24

COMMENTS/QUESTIONS?
