using modular extension to provably protect edwards
play

Using Modular Extension to Provably Protect Edwards Curves Against - PowerPoint PPT Presentation

Nov 07, 2023 •107 likes •726 views

Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux Dugardin, Sylvain Guilley, Martin Moreau, Zakaria Najm, Pablo Rauzy PROOFS 2016 - Santa Barbara, CA Introduction Eve Communications Alice Bob Channel

  1. Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux Dugardin, Sylvain Guilley, Martin Moreau, Zakaria Najm, Pablo Rauzy PROOFS 2016 - Santa Barbara, CA

  2. Introduction Eve Communications Alice Bob Channel We need : Encryption/Decryption Key exchange Signature ⇒ Asymmetric cryptography 2/24 Margaux Dugardin PROOFS 2016

  3. Introduction Eve Decryption ciphertext plaintext with secret key Eve is able to: observe the Alice’s computation change the input have the output inject a fault during the computation 3/24 Margaux Dugardin PROOFS 2016

  4. Fault attacks Fault attacks: Safe-error attacks Cryptosystems parameters alteration Differential Fault Analysis (DFA) e.g. BellCoRe attack, sign-change attacks. Fault model: Randomizing faults (Boneh et al, EUROCRYPT 1997) Zeroing faults (Clavier, CHES 2007) Instruction skip faults (Moro et al, JCE 2014) 4/24 Margaux Dugardin PROOFS 2016

  5. Classical Algorithm Scalar Multiplication Algorithm 1 Double and Add Left-to-Right Input: P ∈ E ( F p ) , k = ( k n − 1 k n − 2 . . . k 0 ) 2 , ∀ i , k i ∈ { 0 , 1 } Output: [ k ] P 1: Q ← O ⊲ the point at infinity 2: for i = n − 1 downto 0 do Q ← 2 Q ⊲ EC-DBL 3: if k i = 1 then 4: Q ← Q + P ⊲ EC-ADD 5: end if 6: 7: end for 5/24 Margaux Dugardin PROOFS 2016

  6. Fault Attack: Invalid input point Biehl et al, CRYPTO 2000 Algorithm 1 Double and Add Left-to-Right P ∈ weak curve , k = ( k n − 1 k n − 2 . . . k 0 ) 2 , ∀ i , k i ∈ { 0 , 1 } Input: Output: [ k ] P 1: Q ← O ⊲ the point at infinity 2: for i = n − 1 downto 0 do Q ← 2 Q ⊲ EC-DBL 3: if k i = 1 then 4: Q ← Q + P ⊲ EC-ADD 5: end if 6: 7: end for 5/24 Margaux Dugardin PROOFS 2016

  7. Fault Attack: Invalid input point Biehl et al, CRYPTO 2000 Algorithm 1 Double and Add Left-to-Right Input: P ∈ weak curve , k = ( k n − 1 k n − 2 . . . k 0 ) 2 , ∀ i , k i ∈ { 0 , 1 } Output: [ k ] P 1: if P is not on the curve E ( F p ) then error 2: Q ← O ⊲ the point at infinity 3: for i = n − 1 downto 0 do Q ← 2 Q ⊲ EC-DBL 4: if k i = 1 then 5: Q ← Q + P ⊲ EC-ADD 6: 7: end if 8: end for 9: if Q is not on the curve E ( F p ) then error else return Q Countermeasure: Verify the input/output point and the curve parameters 5/24 Margaux Dugardin PROOFS 2016

  8. Sign-change fault attack Blömer et al, LNCS 2006 Algorithm 1 Double and Add Left-to-Right Input: P ∈ E ( F p ) , k = ( k n − 1 k n − 2 . . . k 0 ) 2 , ∀ i , k i ∈ { 0 , 1 } Output: [ k ] P 1: if P is not on the curve E ( F p ) then error 2: Q ← O ⊲ the point at infinity 3: for i = n − 1 downto 0 do 4: Q ← 2 Q ⊲ Sign-change fault at i = 0 if k i = 1 then 5: Q ← Q + P ⊲ EC-ADD 6: end if 7: 8: end for 9: if Q is not on the curve E ( F p ) then error else return Q Countermeasure: Verify the input/output point and the curve parameters ⇒ INEFFECTIVE 5/24 Margaux Dugardin PROOFS 2016

  9. Sign-change fault attack Blömer et al, LNCS 2006 Algorithm 1 Double and Add Left-to-Right Input: P ∈ E ( F p ) , k = ( k n − 1 k n − 2 . . . k 0 ) 2 , ∀ i , k i ∈ { 0 , 1 } Output: [ k ] P 1: if P is not on the curve E ( F p ) then error 2: Q ← O ⊲ the point at infinity 3: for i = n − 1 downto 0 do Q ← 2 Q ⊲ Sign-change fault at i = 0 4: if k i = 1 then 5: Q ← Q + P ⊲ EC-ADD 6: end if 7: 8: end for 9: if Q is not on the curve E ( F p ) then error else return Q � [ k 0 + 2 � n − 1 i = 1 k i 2 i − 1 ] P = Q ⇒ Q + Q ∗ = [ 2 k 0 ] P . [ k 0 − 2 � n − 1 = Q ∗ i = 1 k i 2 i − 1 ] P = 5/24 Margaux Dugardin PROOFS 2016

  10. Sign-change fault attack Blömer et al, LNCS 2006 Algorithm 1 Double and Add Left-to-Right Input: P ∈ E ( F p ) , k = ( k n − 1 k n − 2 . . . k 0 ) 2 , ∀ i , k i ∈ { 0 , 1 } Output: [ k ] P 1: if P is not on the curve E ( F p ) then error 2: Q ← O ⊲ the point at infinity 3: for i = n − 1 downto 0 do Q ← 2 Q ⊲ Sign-change fault at i = 1 4: if k i = 1 then 5: Q ← Q + P ⊲ EC-ADD 6: end if 7: 8: end for 9: if Q is not on the curve E ( F p ) then error else return Q � [ 2 k 1 + k 0 + 4 � n − 1 i = 2 k i 2 i − 2 ] P = Q ⇒ Q + Q ∗ = [ 2 ( 2 k 1 + k 0 )] P . [ 2 k 1 + k 0 − 4 � n − 1 = Q ∗ i = 2 k i 2 i − 2 ] P = 5/24 Margaux Dugardin PROOFS 2016

  11. Shamir countermeasures Computional protections against fault injection: ⇒ Modular extension F p Z pr output F p true F p F r = error F r false 6/24 Margaux Dugardin PROOFS 2016

  12. BOS countermeasure Blömer et al, LNCS 2006 Algorithm 2 ECSM protected with BOS countermeasure Input: P ∈ E ( F p ) , k ∈ { 1 , . . . , ord ( P ) − 1 } Output: Q = [ k ] P ∈ E ( F p ) 1: Choose a small prime r , a curve E ( F r ) , and a point P r on that curve. 2: Determine the combined curve E ( Z pr ) and point P pr using the CRT. 3: ( X pr : Y pr : Z pr ) = ECSM ( P pr , k , pr ) 4: ( X r : Y r : Z r ) = ECSM ( P r , k , r ) 5: if ( X pr mod r : Y pr mod r : Z pr mod r ) = ( X r : Y r : Z r ) then return ( X pr mod p : Y pr mod p : Z pr mod p ) 6: 7: else return error 8: 9: end if 7/24 Margaux Dugardin PROOFS 2016

  13. BOS countermeasure Blömer et al, LNCS 2006 Algorithm 3 ECSM protected with BOS countermeasure Input: P ∈ E ( F p ) , k ∈ { 1 , . . . , ord ( P ) − 1 } Output: Q = [ k ] P ∈ E ( F p ) 1: Choose a small prime r , a curve E ( F r ) , and a point P r on that curve. 2: Determine the combined curve E ( Z pr ) and point P pr using the CRT. 3: ( X pr : Y pr : Z pr ) = ECSM ( P pr , k , pr ) 4: ( X r : Y r : Z r ) = ECSM ( P r , k , r ) 5: if ( X pr mod r : Y pr mod r : Z pr mod r ) = ( X r : Y r : Z r ) then return ( X pr mod p : Y pr mod p : Z pr mod p ) 6: 7: else return error 8: 9: end if 7/24 Margaux Dugardin PROOFS 2016

  14. BOS countermeasure Blömer et al, LNCS 2006 Algorithm 4 ECSM protected with BOS countermeasure Input: P ∈ E ( F p ) , k ∈ { 1 , . . . , ord ( P ) − 1 } Output: Q = [ k ] P ∈ E ( F p ) 1: Choose a small prime r , a curve E ( F r ) , and a point P r on that curve. 2: Determine the combined curve E ( Z pr ) and point P pr using the CRT. 3: ( X pr : Y pr : Z pr ) = ECSM ( P pr , k , pr ) 4: ( X r : Y r : Z r ) = ECSM ( P r , k , r ) ⊲ without test in EC-ADD 5: if ( X pr mod r : Y pr mod r : Z pr mod r ) = ( X r : Y r : Z r ) then return ( X pr mod p : Y pr mod p : Z pr mod p ) 6: 7: else return error 8: 9: end if 7/24 Margaux Dugardin PROOFS 2016

  15. BOS is incorrect in Weierstrass curve Elliptic curve on Z pr Elliptic curve on F r 8/24 Margaux Dugardin PROOFS 2016

  16. BOS is incorrect in Weierstrass curve Elliptic curve on Z pr Elliptic curve on F r 8/24 Margaux Dugardin PROOFS 2016

  17. BOS is incorrect in Weierstrass curve Elliptic curve on Z pr Elliptic curve on F r 8/24 Margaux Dugardin PROOFS 2016

  18. BOS is incorrect in Weierstrass curve Elliptic curve on Z pr Elliptic curve on F r 8/24 Margaux Dugardin PROOFS 2016

  19. BOS is incorrect in Weierstrass curve Elliptic curve on Z pr Elliptic curve on F r 8/24 Margaux Dugardin PROOFS 2016

  20. BOS is incorrect in Weierstrass curve Elliptic curve on Z pr Elliptic curve on F r 8/24 Margaux Dugardin PROOFS 2016

  21. BOS is incorrect in Weierstrass curve Elliptic curve on Z pr Elliptic curve on F r 8/24 Margaux Dugardin PROOFS 2016

  22. BOS is incorrect in Weierstrass curve Elliptic curve on Z pr Elliptic curve on F r 8/24 Margaux Dugardin PROOFS 2016

  23. BOS is incorrect in Weierstrass curve Elliptic curve on Z pr Elliptic curve on F r 8/24 Margaux Dugardin PROOFS 2016

  24. BOS is incorrect in Weierstrass curve Elliptic curve on Z pr Elliptic curve on F r 8/24 Margaux Dugardin PROOFS 2016

  25. BOS is incorrect in Weierstrass curve Elliptic curve on Z pr Elliptic curve on F r 8/24 Margaux Dugardin PROOFS 2016

  26. BOS is incorrect in Weierstrass curve Elliptic curve on Z pr Elliptic curve on F r Without fault injection, there are an error because O � = [ k ] P mod r 8/24 Margaux Dugardin PROOFS 2016

  27. Our contributions Security analysis of modular extension countermeasure Correct the BOS countermeasure using Edwards and Twisted Edward curve 9/24 Margaux Dugardin PROOFS 2016

  28. Security Analysis of Modular Extension Definition 1: Fault model We consider an attacker who can fault data by randomizing or zeroing any intermediate variable, and fault code by skipping any number of consecutive instructions. Definition 2: Attack order We call order of the attack the number of faults (in the sense of Def. 1) injected during the target execution. Definition 3: Secure algorithm An algorithm is said secure if it is correct and if it either returns the right result or an error constant when faults have been injected, with an overwhelming probability. 10/24 Margaux Dugardin PROOFS 2016

  29. Security Analysis of Modular Extension Theorem 1: Security of test-free modular extension Test-free algorithms protected using the modular extension technique, are secure as per Def. 3 . In particular, the probability of non-detection is inversely proportional to the security parameter r . 11/24 Margaux Dugardin PROOFS 2016

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

PROTECT WP6 Extension /Validation of Benefit-Risk Methods, Tools and Processes Evaluated

PROTECT WP6 Extension /Validation of Benefit-Risk Methods, Tools and Processes Evaluated

PROTECT WP6 Extension /Validation of Benefit-Risk Methods, Tools and Processes Evaluated in PROTECT- WP5 Presented by: Andrea Beyer, EMA Outline Challenges in medical decision making About IMI-PROTECT PROTECT Work Package 5

591 views • 29 slides
PROTECT WP5/WP6 Extension /Validation of Benefit-Risk Methods, Tools and Processes

PROTECT WP5/WP6 Extension /Validation of Benefit-Risk Methods, Tools and Processes

PROTECT WP5/WP6 Extension /Validation of Benefit-Risk Methods, Tools and Processes Evaluated in PROTECT- WP5 Presented by: Andrea Beyer, EMA PROTECT- Work Package Overview One WP concerned with all aspects of the organisation

248 views • 10 slides
Modular proof theory for axiomatic extension and expansions of lattice logic Giuseppe Greco

Modular proof theory for axiomatic extension and expansions of lattice logic Giuseppe Greco

Modular proof theory for axiomatic extension and expansions of lattice logic Giuseppe Greco (joint work with P . Jipsen, F. Liang, A. Palmigiano) Prague, 28 June TACL 2017 Multi-type methodology Syntax meets semantics: the wider picture

461 views • 32 slides
Programmable modular safety controller PROTECT PSC1 Introduction Heinz and Philip Schmersal,

Programmable modular safety controller PROTECT PSC1 Introduction Heinz and Philip Schmersal,

Programmable modular safety controller PROTECT PSC1 Introduction Heinz and Philip Schmersal, managing directors of the Schmersal Group and Michael Mandel (l.), managing director of K.A. Schmersal GmbH & Co. KG With its comprehensive range

361 views • 16 slides
What is the B-method? Welcome to Provably Correct Software http://www.it.uu.se/

What is the B-method? Welcome to Provably Correct Software http://www.it.uu.se/

What is the B-method? Welcome to Provably Correct Software http://www.it.uu.se/ edu/course/homepage/bkp/vt09 Instructor Lars-Henrik Eriksson lhe@it.uu.se, http://www.it.uu.se/katalog/lhe?lang=en Provably Correct Software Page 1 Updated

545 views • 18 slides
A Set that is Streamless and Not Provably Noetherian Marc Bezem Department of Informatics

A Set that is Streamless and Not Provably Noetherian Marc Bezem Department of Informatics

A Set that is Streamless and Not Provably Noetherian A Set that is Streamless and Not Provably Noetherian Marc Bezem Department of Informatics University of Bergen (joint work with Keiko Nakata and Tarmo Uustalu) December 2011 A Set that is

135 views • 10 slides
Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Computational Complexity Provably-secure constructions Problems with provably-secure constructions Attempts at practical constructions Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark Quo Vadis

874 views • 20 slides
Provably Correct Development of Reconfigurable Hardware Designs via Equational Reasoning Ian

Provably Correct Development of Reconfigurable Hardware Designs via Equational Reasoning Ian

Provably Correct Development of Reconfigurable Hardware Designs via Equational Reasoning Ian Graves, Adam Procter, Bill Harrison & Gerard Allwein FPT 2015 Introduction Provably Correct Development, Bird-Wadler Style Reference

397 views • 24 slides
Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic constant-time Gilles Barthe Benjamin Grgoire Vincent Laporte CSF18, 2018-07-12 Vincent Laporte et alii Provably secure compilation of

501 views • 25 slides
Provably weak instances of Ring-LWE revisited Wouter Castryck 1 , 2 , Ilia Iliashenko 1 , Frederik

Provably weak instances of Ring-LWE revisited Wouter Castryck 1 , 2 , Ilia Iliashenko 1 , Frederik

Provably weak instances of Ring-LWE revisited Wouter Castryck 1 , 2 , Ilia Iliashenko 1 , Frederik Vercauteren 1 , 3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE

717 views • 54 slides
Competition Law Strategies: - Protect Your Brand - - Protect Your Retail Partners - - Protect

Competition Law Strategies: - Protect Your Brand - - Protect Your Retail Partners - - Protect

Competition Law Strategies: - Protect Your Brand - - Protect Your Retail Partners - - Protect Your Revenue - Brussels, Geneva Luxury Law New York Summit David Hull 14 November 2018

461 views • 19 slides
Edwards Metropolitan District Highway, Sidewalk and Trail/Path Needs And Funding Sources Edwards

Edwards Metropolitan District Highway, Sidewalk and Trail/Path Needs And Funding Sources Edwards

Edwards Metropolitan District Highway, Sidewalk and Trail/Path Needs And Funding Sources Edwards Metropolitan District is seeking feedback on the need for highway improvements to the Edwards Spur Road (Edwards Village Boulevard between I-70 and

602 views • 14 slides
Assist primary care providers, critical access/rural hospitals and

Assist primary care providers, critical access/rural hospitals and

Rob Edwards, MBA Executive Director, Kentucky Regional Extension Center Director of Strategic Initiatives and Regulatory Affairs UK HealthCare Rob.Edwards@uky.edu Assist primary care providers, critical access/rural hospitals

462 views • 21 slides
Emergency Operations Summary Emergency Preparedness Goal is to protect Life Property

Emergency Operations Summary Emergency Preparedness Goal is to protect Life Property

Emergency Operations Summary Emergency Preparedness Goal is to protect Life Property Environment National Incident Management System (NIMS) Common Terminology Modular Organization Integrated Communications Unity of

342 views • 17 slides
1 TEMPORARY MODULAR HOUSING Meeting Purpose Learn how Temporary Modular Housing will allow

1 TEMPORARY MODULAR HOUSING Meeting Purpose Learn how Temporary Modular Housing will allow

TEMPORARY MODULAR HOUSING Temporary Modular Housing Community Information Session 7430 7460 Heather Street ( formerly 650 West 57 th Avenue) ) 1 TEMPORARY MODULAR HOUSING Meeting Purpose Learn how Temporary Modular Housing will allow

701 views • 32 slides
The National Diabetes Prevention Program Zena Edwards Food Safety & Nutrition Faculty WSU

The National Diabetes Prevention Program Zena Edwards Food Safety & Nutrition Faculty WSU

The National Diabetes Prevention Program Zena Edwards Food Safety & Nutrition Faculty WSU Clark County Extension The cost of diabetes per person is 2 to 3 times higher for people 65 years of age or older. Diabetes cannot be cured. But

551 views • 16 slides
Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure North America public Concrete execution r1 = 0xBE; r2 = 0x08 mov r1,r2 add r1,0x10 r1 = 0x18; r2 = 0x08 public 2 Symbolic execution r1 = 0xBE;

470 views • 31 slides
Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M. Eichlseder, T. Korak, V. Lomn e, F. Mendel ASK 2016 The research leading to these results has received funding from the European Unions Horizon

551 views • 26 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
White-Box Cryptography Matthieu Rivain Journ ees Nationales 2017 Pr e-GDR S ecurit e

White-Box Cryptography Matthieu Rivain Journ ees Nationales 2017 Pr e-GDR S ecurit e

White-Box Cryptography Matthieu Rivain Journ ees Nationales 2017 Pr e-GDR S ecurit e Informatique Paris, 31 mai 2017 Outline Context: white-box crypto: big trend in the industry cryptographic obfuscation: big trend in the

1.41k views • 46 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low complexity differential cryptanalysis

844 views • 34 slides
Introdution to Physical Cryptanalysis ASK 2014 Victor LOMNE ANSSI (French Network and Information

Introdution to Physical Cryptanalysis ASK 2014 Victor LOMNE ANSSI (French Network and Information

Introdution to Physical Cryptanalysis ASK 2014 Victor LOMNE ANSSI (French Network and Information Security Agency) Saturday, December 20 th , 2014 Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections|

817 views • 71 slides
Concurrent Fault Detection for Secure QDI Asynchronous Circuits Konrad J. Kulikowski, Mark G.

Concurrent Fault Detection for Secure QDI Asynchronous Circuits Konrad J. Kulikowski, Mark G.

Concurrent Fault Detection for Secure QDI Asynchronous Circuits Konrad J. Kulikowski, Mark G. Karpovsky, Alexander Taubin, Zhen Wang, Adrian Kulikowski Boston University Reliable Computing Laboratory 6/27/2008 Outline Side Channel

293 views • 18 slides

More recommend