Fault Analysis Attacks and Its Countermeasure using Elliptic Curve Cryptography
The International Journal of Computer Science and Information Security is a monthly periodical on research articles in general computer science and information security which provides a distinctive technical perspective on novel technical research work, whether theoretical, applicable, or related to implementation. Target Audience: IT academics, university IT faculties; and business people concerned with computer science and security; industry IT departments; government departments; the financial industry; the mobile industry and the computing industry. Coverage includes: security infrastructures, network security: Internet security, content protection, cryptography, steganography and formal methods in information security; multimedia systems, software, information systems, intelligent systems, web services, data mining, wireless communication, networking and technologies, innovation technology and management. Thanks for your contributions in July 2010 issue and we are grateful to the reviewers for providing valuable comments. IJCSIS July 2010 Issue (Vol. 8, No. 4) has an acceptance rate of 36 %.

(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 8, No. 4, July 2010
Fault Analysis Attacks and Its Countermeasure
using Elliptic Curve Cryptography
M.Prabu
Research Scholar
Anna University Coimbatore
Tamil Nadu, India
+91 99422 71899
prabu_pdas@yahoo.co.in

R.Shanmugalakshmi
Assistant Professor/CSE
Government College of Technology
Tamil Nadu, India
+91 422 2432221
shanmuga_lakshmi@yahoo.co.in

Abstract-In the last decade, many researchers have published overall analyses of attacks on cryptographic devices, covering different implementation attacks on elliptic curves. Such information is usually not sufficient to learn about the individual attacks. In this article, we concentrate on the fault analysis attack and its countermeasures.

Key words-components: Elliptic Curve, Implementation Attacks, Individual attack, Fault analysis attack

I. INTRODUCTION

In the research field, embedded devices play an enormous role in security. A lot of attention has been paid to the problem of errors occurring in cryptographic devices, such as crypto processors. Cryptographic security is mainly achieved through the field of study and the study of implementation. The implementation is a major concern for understanding the overall performance clearly. In real world applications, embedded devices use cryptographic algorithms to achieve a high level of safety.

Fault analysis attacks take advantage of errors that occur while a cryptographic device is performing a private-key generation. Fault analysis is one kind of side channel analysis that collects data such as time and power consumption emitted by the device during computation with the private key.

II. TYPES OF FAULT

The fault types can be classified as permanent and transient.

A. Permanent

A permanent fault directly affects or changes ROM, and code can be damaged. It is more powerful than a temporary fault [1]. It is very hard to recover from a permanent fault, and it is very hard to change or modify the damaged part.

B. Transient faults

A transient fault [1][2] can disturb the execution of code for a particular event. It is tedious work to defeat transient faults. It accesses the program counter and execution might be executed.

III. MODEL OF FAULT ATTACKS

A. Bit versus Byte errors

This concerns the frequency with which a value of one bit or one byte is altered. The byte model directly affects the whole memory storage. By comparison, the bit model is not induced, because it is tedious to identify bit-level errors [9].

B. Specific versus Random values

This concerns the possibility of altering the value of data to a specific or a random value, in either case as binary values. Random values are easier to induce.

C. Static versus Computational errors

Normally, attackers can cause errors during the execution or computation period. After that execution, the errors are static and cannot be changed [8]. A computational error is easy to add in the real-time process. At the same time, it is tough to add the modified value in memory.

D. Data versus Control errors

A control error occurs when some iterations are stopped because of faults. A control error is more powerful than a data error. It can be very prevailing during the execution period.

IV. FAULT ATTACKS AND FAULT INJECTION

The places and types of situation in which fault injection has been discovered [5]:

Lasers produce effects similar to multi chromatic light but allow targeting a more precise circuit area.
Photoelectric effects due to intense light induce currents in the electric circuit [5].

To protect against fault analysis attacks, the following countermeasures could be realized in hardware or software:

Light Detectors
Supply Voltage Detectors
Frequency Detectors
Hardware redundancy with comparison
Checksum

V. TYPES OF FAULT ATTACKS

A. Biehl-Meyer-Müller Attacks

A random register fault is inserted on the device, disturbing the representation of a point on a strong elliptic curve E. The device then computes with a value which is not a point on curve E but on a different curve. The result of these computations is a point on the new, but not less cryptographically strong curve [3]. This can be exploited to compute the secret key d. The incorrect output values are used to compute possible intermediate values of the computation and part of the secret key.

B. Random access of the multiplication Algorithm

The cryptographically strong elliptic curve E is defined over Fq. E(Fq) contains a subgroup of prime order p with p > q/log q [7]. The multiplication operation dP = Q is done by the binary method (Algorithm 1).

Algorithm 1 (Binary method)
Input: d = (dn−1 . . . d0), P ∈ E(Fq)
Output: dP
Initialize:
    H = P
    Q = O
for i = 0 to n − 1 do
    if di == 1 then
        Q = Q + H
    end
    H = 2H
end
return Q

Qi and Hi are the values stored in Q, H before iteration i. The following steps are used to iterate the process:

step 1:
Q = Qn = dP where n = log2 d

step 2:
Perform the computation with P, enforce a fault and get a faulty output Qn.
Qn a bit flip in a random iteration i, such that Qj -Qj.[ ]

step 3:
Guessing and comparing with the known values Qn, -Qn, and

Countermeasures for Multiplication Algorithm:
Consistency of output point
Any point which serves as basis for the computation.

C. Invalid Curve Attack

The collection of small subgroup attacks is called the invalid curve attack, which can be developed from the differential fault attack of Biehl, Meyer and Müller. It applies to standardized elliptic curve key establishment and public key encryption protocols such as EC-DH, DC-IES and IC-MQV [4], and is effective if the receiver of an elliptic curve point doesn't verify that the point lies on the appropriate elliptic curve.

D. Small subgroup Attack

Lim and Lee demonstrated in [16] the importance of public key validation by presenting small subgroup attacks on discrete-logarithm key-agreement and encryption protocols such as Diffie-Hellman-type key exchange protocols and applications of El-Gamal encryption and signature schemes. The attacks succeed if the receiver of a group element does not verify that the element belongs to the desired group of high order. Their attacks are effective if the cofactor has many small factors [15]. The attacker can then determine the victim's secret key modulo these small factors and combine the results using the CRT. The attacks that use a faulted public key can be prevented by public key validation or by partial validation as recommended in [14][15].

VI. SIGN CHANGE FAULTS

Sign changes of points can be used to recover the secret scalar factor d: Q = dP. The sign change attack on the curve scalar factor was shown by Blömer, Otto and Seifert in [12]. The faulty output is a valid point on the curve and the secret scalar factor can be recovered in polynomial time. They also presented a countermeasure that is motivated by a similar countermeasure by Shamir [13].

Algorithm:
Set n := l(k)
Set Qn := O
for i from n-1 to 0 do
    Set Q′i := 2 · Qi+1        (fault: Q′i = − Q′i)
    If (ki = 1) then set Qi := Q′i + P
    else set Qi := Q′i
Return Q0

Step 1: Describe faulty final result
    Qi = −Qi + 2 · Li(k),

Step 2: Collect many faulty final results
    Choose block size m ∈ O(2m) operations:
    Mount (n/m) log (2n) many attacks to hit every possible block with probability at least 1/2 [10].

Step 3: Incremental computation of k
    Assumption: all s lowest bits of k are known; try all possibilities with up to s + m bits:
    Qi != −Qi + 2 · Ls+m−1(k)
    Compare to gathered faulty final results
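
The checks named in Section V (verifying that a received point lies on the appropriate curve, public key validation, and consistency of the output point of Algorithm 1), together with the compute-twice comparison of Section VII, are shown here as an added example that is not part of the original paper. The toy curve y² = x³ + 2x + 2 over F17 with base point (5, 1) of order 19, the function names and the faulted point are constructed for illustration.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17; all parameters are constructed sample values.
P_MOD, A, B = 17, 2, 2
G, ORDER = (5, 1), 19           # base point and its prime order
O = None                        # point at infinity
FAULTED_G = (G[0] ^ 1, G[1])    # constructed: one flipped bit in x moves G off E

def on_curve(pt):
    """True if pt is O or satisfies the curve equation of E."""
    return pt is O or (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P_MOD == 0

def add(p1, p2):
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def binary_mult(d, pt):
    """Algorithm 1 (binary method, least significant bit first), unchecked."""
    q, h = O, pt
    while d:
        if d & 1:
            q = add(q, h)
        h = add(h, h)
        d >>= 1
    return q

def validate_point(pt):
    """Public key validation: coordinates in range, on E, and of order ORDER."""
    if pt is O or not all(0 <= c < P_MOD for c in pt) or not on_curve(pt):
        return False
    return binary_mult(ORDER, pt) is O

def checked_mult(d, pt):
    """Validate the input, compute twice, release only a consistent result."""
    if not validate_point(pt):
        raise ValueError("input point rejected")
    r1, r2 = binary_mult(d, pt), binary_mult(d, pt)
    if r1 != r2 or not on_curve(r1):
        raise ValueError("fault detected, output suppressed")
    return r1
```
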

VII. COUNTERMEASURES AGAINST FAULT ATTACKS

Run the encryption twice and output the results only if the two are identical. The main issue with this approach is that it increases computation time; also, the probability that a fault will not occur twice is not sufficiently small. Because of the probability of fault occurrence, functions such as encryption and decryption are performed twice [2][11]; this level of countermeasure is hard to implement but not impossible.

VIII. CONCLUSION

This article provides a brief explanation of fault analysis attacks, their basic performance and the implementation of their countermeasures. It also provides guidance for further researchers by referring to each subtopic more clearly.

REFERENCES

[1] Mathieu Ciet and Marc Joye. Elliptic curve cryptosystems in the presence of permanent and transient faults. 2003. http://eprint.iacr.org/2003/028
[2] C. Clavier and M. Joye. Universal exponentiation algorithm a first step towards provable spa-resistance. In Cryptographic Hardware and Embedded Systems - CHES 2001, volume 2162 of Lecture Notes in Computer Science, pages 300–308. Springer-Verlag, 2001.
[3] Ingrid Biehl, Bernd Meyer, and Volker Müller. Differential fault attacks on elliptic curve cryptosystems. In CRYPTO ’00: Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology, pages 131–146, London, UK, 2000. Springer-Verlag.
[4] N.B. Smart. The discrete logarithm problem on elliptic curves of trace one. Journal of Cryptology, 12:193–196, 1999.
[5] Eli Biham and Adi Shamir. Differential fault analysis of secret key cryptosystems. In CRYPTO ’97: Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology, pages 513–525, London, UK, 1997. Springer-Verlag.
[6] F. Crowe, A. Daly, and W. Marnane, “A Scalable Dual Mode Arithmetic Unit for Public Key Cryptosystems,” IEEE International Conference on Information Technology: Coding and Computing (ITCC), vol. 1, pp. 568–573, 2005.
[7] C. Giraud. An rsa implementation resistant to fault attacks and to simple power analysis. Volume 55, pages 1116–1120, 2006.
[8] Sung-Ming Yen and Marc Joye. Checking before output may not be enough against fault based cryptanalysis. IEEE Trans. Computers, 49(9):967–970, 2000.
[9] D. Knuth and A. Yao, “Analysis of the subtractive algorithm for greatest common divisors,” Proc. Nat. Acad. Sci., vol. 72, no. 12, pp. 4720–4722, 1987.
[10] H. Bar-El, H. Choukri, M. Tunstall, and C. Whelan. The sorcerer’s apprentice guide to fault attacks. Workshop on Fault Detection and Tolerance in Cryptography - FDTC 2004, 2004.
[11] Chen Z, Zhou Y. Dual-rail random switching logic: a countermeasure to reduce side channel leakage. In: Cryptographic hardware and embedded systems – CHES 2006. Lecture notes in computer science, vol. 4249. Springer; 2006. p. 242–54.
[12] Johannes Blömer, Martin Otto, and Jean-Pierre Seifert. Sign change fault attacks on elliptic curve cryptosystems. Cryptology ePrint Archive, Report 2004/227, 2004.
[13] A. Shamir. Method and apparatus for protecting public key schemes from timing and fault attacks. November 1999. US Patent No. 5,991,415.
[14] Certicom Research. Standards for Efficient Cryptography Group (SECG), SEC 1: Elliptic Curve Cryptography, September 2000. http://www.secg.org/collateral/sec1 final.pdf.
[15] ANSI X9.63. Public Key Cryptography For The Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography, January 1999. http://grouper.ieee.org/groups/1363/private/x9- 63-01-08-99.pdf.
[16] Chae Hoon Lim and Pil Joong Lee. A key recovery attack on discrete log-based schemes using a prime order subgroup. Volume 1294, pages 249–263. Springer-Verlag, 1997.

AUTHORS PROFILE

M.Prabu is working as a Lecturer in the Department of Computer Science and Engineering in Adhiyamaan College of Engineering, Hosur, Tamil Nadu, India. He has published in more than 5 international/national journals. He is presently doing his Ph.D in Anna University, Coimbatore, India. His areas of interest are Computer Networks, Information Security and Cryptography. He is a life member of ISTE.

Dr. R.Shanmugalakshmi is working as an Assistant Professor in the Department of Computer Science and Engineering in Government College of Technology, Coimbatore, India. She has published in more than 40 international/national journals. Her research area includes Image Processing, Neural Networks, Information Security and Cryptography. She received the Vijya Ratna Award from India International Friendship Society in the year 1996, the Mahila Jyothi Award from Integrated Council for Socio-Economic Progress in the year 2001 and the Eminent Educationalist Award from International Institute of Management, New Delhi in the year 2008. She is a member of Computer Society of India, ISTE and FIE.
http://sites.google.com/site/ijcsis/
ISSN 1947-5500