Fault Analysis Attacks and Its Countermeasure using Elliptic Curve Cryptography
The International Journal of Computer Science and Information Security is a monthly periodical on research articles in general computer science and information security which provides a distinctive technical perspective on novel technical research work, whether theoretical, applicable, or related to implementation. Target Audience: IT academics, university IT faculties; and business people concerned with computer science and security; industry IT departments; government departments; the financial industry; the mobile industry and the computing industry. Coverage includes: security infrastructures, network security: Internet security, content protection, cryptography, steganography and formal methods in information security; multimedia systems, software, information systems, intelligent systems, web services, data mining, wireless communication, networking and technologies, innovation technology and management. Thanks for your contributions in July 2010 issue and we are grateful to the reviewers for providing valuable comments. IJCSIS July 2010 Issue (Vol. 8, No. 4) has an acceptance rate of 36 %.
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 4, July 2010
http://sites.google.com/site/ijcsis/ ISSN 1947-5500

M. Prabu
Research Scholar
Anna University Coimbatore
Tamil Nadu, India
+91 99422 71899
firstname.lastname@example.org

R. Shanmugalakshmi
Assistant Professor/CSE
Government College of Technology
Tamil Nadu, India
+91 422 2432221
email@example.com

Abstract: In the last decade, many researchers have published overall analyses of attacks on cryptographic devices against different elliptic curve implementations. Usually such information is not sufficient to learn about the individual attacks. In this article, we concentrate on the fault analysis attack and its countermeasures.

Keywords: Elliptic Curve, Implementation Attacks, Individual attack, Fault analysis attack

I. INTRODUCTION

In research, embedded devices play an enormous role in security. A lot of attention has been paid to the problem of errors occurring in cryptographic devices, such as crypto processors. Cryptographic security is addressed mainly through the study of the field and the study of implementation. The implementation is a major concern for understanding the overall performance clearly. In real-world applications, embedded devices use cryptographic algorithms to achieve their primary security.

Fault analysis attacks take advantage of errors that occur while a cryptographic device is performing a private-key generation. Fault analysis is one kind of side channel analysis that collects data such as time and power consumption emitted by the device during computation with the private key.

II. TYPES OF FAULT

The fault types can be classified as permanent and transient.

A. Permanent

A permanent fault directly affects or changes ROM, and code can be damaged. It is more powerful than temporary faults. It is very hard to recover from a permanent fault and very hard to change or modify the damaged part.

B. Transient faults

A transient fault can disturb the code execution of a particular event. It is tedious work to defeat transient faults. It accesses the program counter and execution might be executed.

III. MODEL OF FAULT ATTACKS

A. Bit versus Byte errors

This concerns the frequency with which the value of one bit or one byte is altered. The byte model directly affects the whole memory storage. By comparison, the bit model is not induced, because it is tedious to identify bit-level errors.

B. Specific versus Random values

This concerns the possibility of altering the value of data to a specific or a random binary value. A random value is easier to induce.

C. Static versus Computational errors

Normally, attackers can induce errors during the execution or computation period. After that execution, the errors are static and cannot be changed. A computational error is easy to add in the real-time process. At the same time, it is tough to add the modified value in memory.

D. Data versus Control errors

A control error occurs when some iterations are stopped because of faults. A control error is more powerful than a data error. It can be very prevalent during the execution period.

IV. FAULT ATTACKS AND FAULT INJECTION

In what places and in what types of situations fault injection has been discovered:

Lasers produce effects similar to multichromatic light but allow targeting a more precise circuit area.
Photoelectric effects due to intense light induce currents in the electric circuit.

To protect against fault analysis attacks, the following countermeasures could be realized in hardware or software:

Light Detectors
Supply Voltage Detectors
Frequency Detectors
Hardware redundancy with comparison
Checksum

V. TYPES OF FAULT ATTACKS

A. Biehl-Meyer-Müller Attacks

The attacker disturbs the representation of a point on a strong elliptic curve E by inserting a random register fault on the device. The computation then proceeds with a value which is not a point on curve E but on a different curve. The result of these computations is a point on the new, but not less cryptographically strong, curve. This can be exploited to compute the secret key d. The incorrect output values are used to compute possible intermediate values of the computation and part of the secret key.

B. Random access of the multiplication Algorithm

The cryptographically strong elliptic curve E is defined over F_q. E(F_q) contains a subgroup of prime order p with p > q/log q. The multiplication operation dP = Q is done by the binary method (Algorithm 1).

Algorithm 1 (Binary method)
Input: d = (d_{n−1} . . . d_0), P ∈ E(F_q)
Output: dP
Initialize:
    H = P
    Q = O
    for i = 0 to n − 1 do
        if d_i == 1 then
            Q = Q + H
        end
        H = 2H
    end
    return Q

Q_i and H_i are the values stored in Q, H before iteration i. The following steps are used to iterate the process:

Step 1: Q = Q_n = dP, where n = log_2 d.
Step 2: Perform the computation with P, enforce a fault and get a faulty output Qn. Qn a bit flip in a random iteration i, such that Qj -Qj.[ ]
Step 3: Guessing and comparing with the known values Qn,- Qn, and

Countermeasures for Multiplication Algorithm:
Consistency of output point.
Any point which serves as basis for the computation.

C. Invalid Curve Attack

The collection of small subgroup attacks is called the invalid curve attack, which can be developed from the differential fault attack of Biehl, Meyer and Müller against standardized elliptic curve key establishment and public key encryption protocols such as EC-DH, EC-IES and EC-MQV [4]. These attacks are effective if the receiver of an elliptic curve point doesn't verify that the point lies on the appropriate elliptic curve.

D. Small Subgroup Attack

Lim and Lee demonstrated the importance of public key validation by presenting small subgroup attacks on discrete-logarithm key-agreement and encryption protocols such as Diffie-Hellman-type key exchange protocols and applications of ElGamal encryption and signature schemes. The attacks succeed if the receiver of a group element does not verify that the element belongs to the desired group of high order. Their attacks are effective if the cofactor has many small factors. The attacker can then determine the victim's secret key modulo these small factors and combine the results using the CRT. The attacks that use a faulted public key can be prevented by public key validation or by partial validation, as recommended.

VI. SIGN CHANGE FAULTS

Sign changes of points can be used to recover the secret scalar factor d in Q = dP. The sign change fault on the scalar factor was identified by Blömer, Otto and Seifert. The faulty output is a valid point on the curve and the secret scalar factor can be recovered in polynomial time. They also presented a countermeasure that is motivated by a similar countermeasure by Shamir.

Algorithm:
    Set n := l(k)
    Set Q_n := O
    for i from n−1 to 0 do
        Set Q′_i := 2 · Q_{i+1}        [fault: Q′_i = −Q′_i]
        If (k_i = 1) then set Q_i := Q′_i + P
        else set Q_i := Q′_i
    Return Q_0

Step 1: Describe the faulty final result: Q_i = −Q_i + 2 · L_i(k).
Step 2: Collect many faulty final results. Choose block size m: O(2m) operations. Mount (n/m) log (2n) many attacks to hit every possible block with probability at least 1/2.
Step 3: Incremental computation of k. Assumption: all s lowest bits of k are known; try all possibilities with up to s + m bits: Q_i != −Q_i + 2 · L_{s+m−1}(k)
Compare to gathered faulty final results.

VII. COUNTERMEASURES AGAINST FAULT ATTACKS

Run the encryption twice and output the results only if these two are identical. This approach increases computation time; also, the probability that a fault will not occur twice is not sufficiently small. Because of the probability of fault occurrence, functions such as encryption and decryption are performed twice; this level of countermeasure is hard to implement but not impossible.

VIII. CONCLUSION

This article provides a brief explanation of fault analysis attacks, their basic performance and the implementation of their countermeasures. It also provides guidance for further researchers by referring to each subtopic more clearly.

REFERENCES

Mathieu Ciet and Marc Joye. Elliptic curve cryptosystems in the presence of permanent and transient faults. 2003. http://eprint.iacr.org/2003/028

C. Clavier and M. Joye. Universal exponentiation algorithm: a first step towards provable SPA-resistance. In Cryptographic Hardware and Embedded Systems - CHES 2001, volume 2162 of Lecture Notes in Computer Science, pages 300–308. Springer-Verlag, 2001.

Ingrid Biehl, Bernd Meyer, and Volker Müller. Differential fault attacks on elliptic curve cryptosystems. In CRYPTO '00: Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology, pages 131–146, London, UK, 2000. Springer-Verlag.

N.B. Smart. The discrete logarithm problem on elliptic curves of trace one. Journal of Cryptology, 12:193–196, 1999.

Eli Biham and Adi Shamir. Differential fault analysis of secret key cryptosystems. In CRYPTO '97: Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology, pages 513–525, London, UK, 1997. Springer-Verlag.

F. Crowe, A. Daly, and W. Marnane. "A Scalable Dual Mode Arithmetic Unit for Public Key Cryptosystems," IEEE International Conference on Information Technology: Coding and Computing (ITCC), vol. 1, pp. 568–573, 2005.

C. Giraud. An RSA implementation resistant to fault attacks and to simple power analysis. Volume 55, pages 1116–1120, 2006.

Sung-Ming Yen and Marc Joye. Checking before output may not be enough against fault based cryptanalysis. IEEE Trans. Computers, 49(9):967–970, 2000.

D. Knuth and A. Yao. "Analysis of the subtractive algorithm for greatest common divisors," Proc. Nat. Acad. Sci., vol. 72, no. 12, pp. 4720–4722, 1987.

H. Bar-El, H. Choukri, M. Tunstall, and C. Whelan. The sorcerer's apprentice guide to fault attacks. Workshop on Fault Detection and Tolerance in Cryptography - FDTC 2004, 2004.

Chen Z, Zhou Y. Dual-rail random switching logic: a countermeasure to reduce side channel leakage. In: Cryptographic Hardware and Embedded Systems - CHES 2006. Lecture Notes in Computer Science, vol. 4249. Springer; 2006. p. 242–54.

Johannes Blömer, Martin Otto, and Jean-Pierre Seifert. Sign change fault attacks on elliptic curve cryptosystems. Cryptology ePrint Archive, Report 2004/227, 2004.

A. Shamir. Method and apparatus for protecting public key schemes from timing and fault attacks. November 1999. US Patent No. 5,991,415.

Certicom Research. Standards for Efficient Cryptography Group (SECG), SEC 1: Elliptic Curve Cryptography, September 2000. http://www.secg.org/collateral/sec1 final.pdf.

ANSI X9.63. Public Key Cryptography For The Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography, January 1999. http://grouper.ieee.org/groups/1363/private/x9-63-01-08-99.pdf.

Chae Hoon Lim and Pil Joong Lee. A key recovery attack on discrete log-based schemes using a prime order subgroup. Volume 1294, pages 249–263. Springer-Verlag, 1997.

AUTHORS PROFILE

M. Prabu is working as a Lecturer in the Department of Computer Science and Engineering in Adhiyamaan College of Engineering, Hosur, Tamil Nadu, India. He has published more than 5 International/National journals. He is presently doing his Ph.D. in Anna University, Coimbatore, India. His areas of interest are Computer Networks, Information Security and Cryptography. He is a life member of ISTE.

Dr. R. Shanmugalakshmi is working as an Assistant Professor in the Department of Computer Science and Engineering in Government College of Technology, Coimbatore, India. She has published more than 40 International/National journals. Her research area includes Image Processing, Neural Networks, Information Security and Cryptography. She received the Vijya Ratna Award from India International Friendship Society in 1996, the Mahila Jyothi Award from Integrated Council for Socio-Economic Progress in 2001 and the Eminent Educationalist Award from International Institute of Management, New Delhi in 2008. She is a member of Computer Society of India, ISTE and FIE.
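
Added example (not from the paper): the binary method of Algorithm 1 on a small constructed curve, with a simulated transient register fault and the checks named in Sections V to VII (validation of the input point, consistency of the output point, computing twice and comparing). The curve parameters, the fault model and all function names are assumptions chosen for illustration.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17 (constructed; its group has prime order 19).
P_MOD, A, B = 17, 2, 2
G = (5, 1)  # a point on E; None stands for the point at infinity O

def on_curve(pt):
    if pt is None:
        return True
    x, y = pt
    return (y * y - x * x * x - A * x - B) % P_MOD == 0

def implied_b(pt):
    """Constant b' of the curve y^2 = x^3 + A*x + b' that actually contains pt."""
    x, y = pt
    return (y * y - x * x * x - A * x) % P_MOD

def add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(d, pt, fault_at=None):
    """Algorithm 1 (binary method). fault_at=i flips the low bit of Q.x after
    iteration i: a constructed stand-in for a transient register fault."""
    q, h = None, pt
    for i in range(d.bit_length()):
        if (d >> i) & 1:
            q = add(q, h)
        if i == fault_at and q is not None:
            q = ((q[0] ^ 1) % P_MOD, q[1])
        h = add(h, h)
    return q

def protected_mult(d, pt, fault_at=None):
    """Validate the input, compute twice, release only a consistent on-curve result."""
    if pt is None or not on_curve(pt):
        raise ValueError("input point is not on E")   # public key validation
    first = scalar_mult(d, pt, fault_at)               # run that may be faulted
    second = scalar_mult(d, pt)                        # assumed fault-free rerun
    if first != second or not on_curve(first):
        return None                                    # withhold the faulty output
    return first
```

With d = 13, a fault after iteration 2 changes the result from (16, 4) to (4, 4), which does not satisfy the equation of E, so `protected_mult` withholds it; the faulted intermediate (8, 16) lies on the curve with b' = 0 instead of b = 2.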