Fault Analysis Attacks and Its Countermeasure using Elliptic Curve Cryptography by ijcsiseditor


More Info
									                                                         (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                              Vol. 8, No. 4, July 2010

         Fault Analysis Attacks and Its Countermeasure
               using Elliptic Curve Cryptography
                                   M.Prabu                                            R.Shanmugalakshmi
                           Research Scholar                                            Assistant Professor/CSE
                    Anna University Coimbatore                                     Government College of Technology
                        Tamil Nadu, India                                                Tamil Nadu, India
                        +91 99422 71899                                                   +91 422 2432221
                     prabu_pdas@yahoo.co.in                                        shanmuga_lakshmi@yahoo.co.in

Abstract-In the last decade, many researchers had published the              the transient faults. It accesses the program counter and
overall analysis attacks of cryptographic devices against                    different execution might be executed.
implementation on elliptic curve attacks. Usually such type of
information is not sufficient to learn about the individual attacks.                      III.   MODEL OF FAULT ATTACKS
Now in this article, we indisputably concentrated on fault
analysis attack and its countermeasure.                                      A. Bit versus Byte errors
                                                                                       The frequency to alter a value of one bit or one byte.
Key words-components:                                                        Byte model directly affects the whole memory storage.
     Elliptic Curve, Implementation Attacks, Individual attack,              Compare to the bit model, bit model is not induced. Because it
Fault analysis attack                                                        is tedious to identify the bit level errors. [9]
                                                                             B. Specific versus Random values
                      I. INTRODUCTION                                                 The frequencies of possibility to alter the value of
    In research field, the embedded based devices made an                    data in specify or random but as a binary values. A random
enormous role on security. A lot of attention has been paid to               values execution is easier to induce.
the problem of errors occurring in cryptographic devices, such
                                                                             C. Static versus Computational errors
as crypto processors. The cryptographic security is mainly
activated through the field of study and the study of                            Normally, the attackers can make errors in execution or
implementation. The implementation is a major obsession to                   computation period. After that execution, the errors are static
known about the overall performance clearly. When                            can’t able to change [8]. Computation error is easy to add in
comparing the real world applications, the embedded devices                  the real time process. At the similar time, it is tough to add the
use cryptographic algorithm to achieve a chief safety.                       modified value in memory
    Fault analysis attacks take advantage of errors that occur               D. Data versus Control errors
while cryptographic device is performing a private- key                          A control error occurs when some iteration are stopped
generation. Fault analysis is one kind of side channel analysis              because of faults. Control error is more powerful than data
that collects data such as time and power consumption emitted                error. It can be very prevailing while execution period.
by the device during computation with private key.
                                                                                    IV. FAULT ATTACKS AND FAULT INJECTION
                       II.TYPES OF FAULT
                                                                             In which place or in what type of situation Fault Injection has
    The fault types can be classified as permanent and                       been discovered [5]
transient                                                                             Laser produce similar effects as multi chromatic light
A. Permanent                                                                          but allow targeting a more precise circuit area.
                                                                                      Photoelectric effects due to intense light induce
    In a permanent fault, it directly affects to or change ROM
                                                                                      currents in the electric circuit [5].
and code can be damaged. It is more powerful than temporary
faults [1]. It is very hard to recover the permanent fault and it
very hard to change or modify the damaged part.                              To protect Fault analyses attacks, the following
                                                                             countermeasure could be realized in hardware or software
B.Transient faults
        In a transient faults [1][2], it can disturb the code of                      Light Detectors
execution of a particular event. It is a tedious work to defeat                       Supply Voltage Detectors

                                                                       260                               http://sites.google.com/site/ijcsis/
                                                                                                         ISSN 1947-5500
                                                            (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                 Vol. 8, No. 4, July 2010

          Frequency Detectors                                            C. Invalid Curve Attack
          Hardware redundancy with comparison                                      The collection of small subgroup attacks are called
          Checksum.                                                      Invalid curve attack, which can be developed by Differential
                                                                         Fault Attack of Bihel, Meyer and Muller Standardized elliptic
               V. TYPES OF FAULT ATTACKS                                 curve key establishment and public key encryption protocols
                                                                         such as EC-DH, DC-IES and IC-MQV [4 ], which are
A. Biehl-Major –Muller Attacks                                           effective if the receiver of an elliptic curve point doesn’t verify
         By inserting or disturbing representation of a point on         that the point lies on the appropriate elliptic curve.
a strong elliptic curve E, and insert a random register fault on
the device. Its computation to a value which is not a point on           D. Small subgroup Attack
curve E but on different curve. The result of these
                                                                             Small Subgroup Attack Lim and Lee demonstrated in [16]
computations is a point on the new, but not less
                                                                         the importance of public key validation by presenting small
cryptographically strong curve[3]. This can be exploited to
                                                                         subgroup attacks on discrete-logarithm Key-agreement and
compute the secret key d. The incorrect output values are used           encryption protocols such as Diffie-Hellman-type key
to compute possible intermediate values of the computation               exchange protocols and applications of El-Gamal encryption
and part of the secret key.                                              and signature schemes. The attacks succeed if the receiver of a
B. Random access of the multiplication Algorithm                         group element does not verify that the element belongs to the
                                                                         desired group of high order. Their attacks are effective if the
         The cryptographically strong elliptic curve E is                cofactor has many small factors [15]. The attacker can then
defined over Fq. E(Fq) contains a subgroup of prime order p              determine the victim’s secret key modulo of these small
with p > q/log q[7]. The multiplication operation dP =Q is               factors and combine the results using CRT.The attacks that use
done by the Binary method (Algorithm 1)                                  a faulted public key can be prevented by public key validation
                                                                         or by partial validation as recommended in [14] [15].
Algorithm 1(Binary method)
Input: d = (dn−1. . . d0), P€ E(Fq)                                                        VI. SIGN CHANGE FAULTS
Output: dP                                                                   Sign changes of points can be used to recover the secret
         Initialize:                                                     scalar factor d: Q = dP .The sign change curve scalar factor
         H=P                                                             was identified by biomer, Otto and Seifert showed in [12]. The
         Q=O                                                             faulty output is a valid point on the curve and the secret scalar
         for i = 0 to n − 1 do                                           factor can be recovered in polynomial time. They also
         if di == 1 then                                                 presented a countermeasure that is motivated by a similar
         Q=Q+H                                                           countermeasure by Shamir [13].
         H = 2H
         return Q                                                        Algorithm:
         end                                                              Set n: = l(k)
                                                                          Set Qn: = O 2 for i from n-1 to 0 do
Qi and Hi are the values stored in Q, H before interaction i.             Set Q′i := 2 · Qi+1………………………………………. Q′i
The following steps are using to iterate the process                     = − Q′i
                                                                         If (ki = 1) then set Qi: = Q′i + P
step 1:                                                                  4 If (ki = 1) else set Qi: = Q′i
          Q=Qn=dP where n=log2d                                          Return Q0
step 2:                                                                  Step 1: Describe faulty final result
          The computation with P and enforce a fault and get a                     Qi= −Qi + 2 · Li(k),
fault out put Qn.                                                        Step 2: Collect many faulty final results
          Qn a bit flip in a random iteration i, such that Qj                      Choose block size m € O(2m) operations:
-Qj.[ ]                                                                            Mount (n/m) log (2n) many attacks to hit every
                                                                              possible block with Probability[10]. At least 1/2
step 3:                                                                  Step 3: incremental computation of k
        Guessing and comparing with the know values Qn,-                           Assumption: all s lowest bits of k are known try all
Qn, and Countermeasures for Multiplication Algorithm:                    possibilities with up to s + m bits:
        Consistency of output point                                                Qi !=−Qi + 2 · Ls+m−1(k)
        Any point which serves as basis for the computation.                       Compare to gathered faulty final results

                                                                   261                               http://sites.google.com/site/ijcsis/
                                                                                                     ISSN 1947-5500
                                                                           (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                                Vol. 8, No. 4, July 2010

           VII. COUNTERMEASURES AGAINST FAULT                                           [14] Certicom Research. Standards for Efficient Cryptography Group
                                                                                             (SECG), SEC 1: Elliptic Curve Cryptography, September 2000.
                        ATTACKS                                                              http://www.secg.org/collateral/sec1 final.pdf.
          Run the encryption twice and out put the results only                         [15] ANSI X9.63. Public Key Cryptography For The Financial Services
if these two are identical. The main approach is that increases                              Industry: Key Agreement and Key Transport Using Elliptic Curve
                                                                                             Cryptography,                        January                     1999.
computation time, also the probability that fault will not occur                             http://grouper.ieee.org/groups/1363/private/x9- 63-01-08-99.pdf.
twice is not sufficiently small. The probability of fault                               [16] Chae Hoon Lim and Pil Joong Lee. A key recovery attack on discrete
occurrence makes twice the functions such as encryption and                                  log-based schemes using a prime order subgroup. Volume 1294, pages
decryption [2][11], this level of countermeasure is hard to                                  249–263. Springer-Verlag, 1997
implement but not impossible.
                                                                                                                  AUTHORS PROFILE
         This article provides a brief explanation about the
fault analysis attacks, basic performance and their
countermeasures implementations. It also provides guidance
for further researchers by refereeing each subtopic with more

                              REFERENCES                                                                     M.Prabu is working as a Lecturer in the Department of
                                                                                        Computer Science and Engineering in Adhiyamaan college of Engineering,
[1].    Mathieu Ciet and Marc Joye. Elliptic curve cryptosystems in the                 Hosur, Tamil Nadu, India. He has published more than 5
        presence       of     permanent    and     transient  faults.    2003.          International/National journals.He is presently doing his Ph.D in Anna
        http://eprint.iacr.org/2003/028                                                 University, Coimbatore, India. His area of interest are computer Networks,
[2]     C. Clavier and M. Joye. Universal exponentiation algorithm a first step         Information Security and Cryptography. He is life member of ISTE.
        towards provable spa-resistance. In Cryptographic Hardware and
        Embedded Systems - CHES 2001, volume 2162 of Lecture Notes in
        Computer Science, page 300308. Springer-Verlag, 2001.
[3]     Ingrid Biehl, Bernd Meyer, and Volker M¨uller. Differential fault
        attacks on elliptic curve cryptosystems. In CRYPTO ’00: Proceedings
        of the 20th Annual International Cryptology Conference on Advances in
        Cryptology, pages 131–146, London, UK, 2000. Springer-Verlag
[4].    N.B. Smart. The discrete logarithm problem on elliptic curves of trace
        one. Journal of Cryptology, 12:193–196, 1999.                                                        Dr. R.Shanmugalakshmi is working as an Assistant
[5].    Eli Biham and Adi Shamir. Differential fault analysis of secret key             Professor in the Department of Computer Science and Engineering in
        cryptosystems. In CRYPTO ’97: Proceedings of the 17th Annual                    Government College of Technology, Coimbatore, India. She has published
        International Cryptology Conference on Advances in Cryptology, pages            more than 40 International/National journals. Her research area includes
        513–525, London, UK, 1997. Springer-Verlag                                      Image Processing, Neural Networks, Information Security and Cryptography.
[6].    F. Crowe, A. Daly, and W. Marnane, “A Scalable Dual Mode                        She has received Vijya Ratna Award from India International Friendship
        Arithmetic Unit for Public Key Cryptosystems,” IEEE International               Society in the year of 1996, she has received Mahila Jyothi Award from
        Conference on Information Technology: Coding and Computing                      Integrated Council for Socio-Economic Progress in the year of 2001 and she
        (ITCC), vol. 1, pp. 568 – 573, 2005.                                            has received Eminent Educationalist Award from International Institute of
[7].     C. Giraud. An rsa implementation resistant to fault attacks and to             Management, New Delhi in the year of 2008.She is member of Computer
        simple power analysis. Volume 55, pages 1116–1120, 2006                         Society of India, ISTE and FIE.
[8].    Sung-Ming Yen and Marc Joye. Checking before output may not be
        enough against fault based cryptanalysis. IEEE Trans. Computers,
        49(9):967–970, 2000
[9].    D. Knuth and A. Yao, “Analysis of the subtractive algorithm for
        greatest common divisors,” Proc. Nat. Acad. Sct, vol. 72, no. 12, pp.
        4720–4722, 1987
[10].    H. Bar-El, H. Choukri, M. Tunstall, and C. Whelan. The sorcerer’s
        apprentice guide to fault attacks. Workshop on Fault Detection and
        Tolerance in Cryptography - FDTC 2004, 2004
[11].   Chen Z, Zhou Y. Dual-rail random switching logic: a countermeasure
        to reduce side channel leakage. In: Cryptographic hardware and
        embedded systems – CHES 2006. Lecture notes in computer science,
        vol. 4249. Springer; 2006. p. 242–54
[12]    Johannes Bl¨omer, Martin Otto, and Jean-Pierre Seifert. Sign change
        fault attacks on elliptic curve cryptosystems. Cryptology ePrint
        Archive, Report 2004/227, 2004. .
[13]    A. Shamir. Method and apparatus for protecting public key schemes
        from timing and fault attacks. November 1999. US Patent No.

                                                                                  262                                   http://sites.google.com/site/ijcsis/
                                                                                                                        ISSN 1947-5500

To top