Various exemplary embodiments disclosed herein relate generally to protecting elliptic curve cryptography (ECC) implementations against fault attacks.
Techniques such as the Blomer-Otto-Seifert (BOS) method have been developed to combat fault attacks on ECC systems. The BOS method, however, adds significant processing overhead to the ECC computation.
A brief summary of various exemplary embodiments is presented below. Some simplifications and omissions may be made in the following summary, which is intended to highlight and introduce some aspects of the various exemplary embodiments, but not to limit the scope of the invention. Detailed descriptions of an exemplary embodiment adequate to allow those of ordinary skill in the art to make and use the inventive concepts will follow in later sections.
Various embodiments relate to a method for protecting against faults in a computation of a point multiplication Q=[k]P on an elliptic curve E defined over a prime field p, including: defining an integer r and a group ′={γ()|∈/r} represented with elements having a group law that coincides with a group law used in the representation for E(p) and isomorphic to an additive group (/r)+ through isomorphism γ; forming a combined group E(p)×G′E(p)×(/r)+ which is isomorphic to a cross product of the groups E(p) and (/r)+; selecting an element in /r and defining an element P′=γ() in group ′; forming a combined element P̂=CRT (P, P′) in the group E(p)×′; calculating Q̂=[k]P̂ in the combined group E(p)×′; calculating k in /r; and checking whether Q̂≡Q′ (mod r) where Q′=γ(k).
Further various embodiments relate to a non-transitory machine-readable storage medium encoded with instructions for protecting against faults in a computation of a point multiplication Q=[k]P on an elliptic curve E defined over a prime field p, including: instructions for defining an integer r and a group ′={γ()|∈/r} represented with elements having a group law that coincides with a group law used in the representation for E(p) and isomorphic to an additive group (/r)+ through isomorphism γ; instructions for forming a combined group E(p)×′E(p)×(/r)+ which is isomorphic to a cross product of the groups E(p) and (/r)+; instructions for selecting an element in /r and defining an element P′=γ() in group ′; instructions for forming a combined element P̂=CRT (P, P′) in the group E(p)×′; instructions for calculating Q̂=[k]P̂ in the combined group E(p)×′; instructions for calculating k in /r; and instructions for checking whether Q̂≡Q′ (mod r) where Q′=γ(k).
Further various embodiments relate to a device for protecting against faults in a computation of a point multiplication Q=[k]P on an elliptic curve E defined over a prime field p, including: a memory; and a processor in communication with the memory, the processor configured to: define an integer r and a group ′={γ()|∈/r} represented with elements having a group law that coincides with a group law used in the representation for E(p) and isomorphic to an additive group (/r)+ through isomorphism γ; form a combined group E(p)×′E(p)×(/r)+ which is isomorphic to a cross product of the groups E(p) and (/r)+; select an element in /r and define an element P′=γ() in group ′; form a combined element P̂=CRT (P, P′) in the group E(p)×′; calculate Q̂=[k]P̂ in the combined group E(p)×′; calculate k in /r; and check whether Q̂≡Q′ (mod r) where Q′=γ(k).
Various embodiments are described, wherein, when Q̂≡Q′ (mod r), Q=Q̂ mod p is output and otherwise an error is returned.
Various embodiments are described, wherein ′ is a set of points (, 1) on a twisted Edwards curve.
Various embodiments are described, wherein ′ is a set of points (, 1) on a Jacobi quartic curve.
Various embodiments are described, wherein ′ is a set of points (, 1, 1) on a Jacobi quadrics intersection curve.
Various embodiments are described, wherein ′ is a set of points (, −1) on a Hessian curve.
Various embodiments are described, wherein ′ is a set of points (,
Various embodiments are described, wherein ′ is a set of points (: 1: 3) on a Weierstrass curve.
In order to better understand various exemplary embodiments, reference is made to the accompanying drawings, wherein:
To facilitate understanding, identical reference numerals have been used to designate elements having substantially the same or similar structure and/or substantially the same or similar function.
The description and drawings illustrate the principles of the invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements that, although not explicitly described or shown herein, embody the principles of the invention and are included within its scope. Furthermore, all examples recited herein are principally intended expressly to be for pedagogical purposes to aid the reader in understanding the principles of the invention and the concepts contributed by the inventor(s) to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Additionally, the term, “or,” as used herein, refers to a non-exclusive or (i.e., and/or), unless otherwise indicated (e.g., “or else” or “or in the alternative”). Also, the various embodiments described herein are not necessarily mutually exclusive, as some embodiments can be combined with one or more other embodiments to form new embodiments.
Elliptic curve cryptography (ECC) is an interesting alternative to Rivest-Shamir-Adleman (RSA) cryptography because the keys are much shorter for the same conjectured security level. Given a point P on an elliptic curve E and an integer k, the basic operation is the scalar multiplication [k]P, that is, P⊕P⊕ . . . ⊕P (k times), where ⊕ denotes the group operation on E. The goal of an attacker is to recover the value of k (or a part thereof) by inducing faults.
For RSA cryptographic systems, Shamir's countermeasure was developed. Shamir's countermeasure generalizes to elliptic curve scalar multiplication and is known as the Blomer-Otto-Seifert (BOS) countermeasure. The BOS countermeasure method is as follows.
Suppose one has to compute Q=[k]P on an elliptic curve E defined over the prime field p and given by the Weierstraß equation y^2 = x^3 + ax + b.
The following observations of the BOS countermeasure method are noted. If y^2 = x^3 + a′x + b′ is the equation defining the elliptic curve E′ over r, CRT (E, E′) denotes the elliptic curve over /rp given by the equation y^2 = x^3 + âx + b̂ where â=CRT (a (mod p), a′ (mod r)) and b̂=CRT (b (mod p), b′ (mod r)); i.e., such that â≡a (mod p) and â≡a′ (mod r), and the same for b̂. Point P̂ is defined similarly from the coordinates of points P and P′.
In a concrete implementation, prime r, curve E′ and point P′ are precomputed so that the order of point P′ on E′, ordE′(P′), is maximal. The value of n:=ordE′(P′) together with r, the curve parameters, and point P′ may be stored in non-volatile memory. This presents the further advantage in that the calculation of Q′ in Step 4 of the BOS countermeasure method may be performed more efficiently as Q′=[k mod n]P′.
In order to avoid a single point of failure, infective computation is preferred to implement the final test of Step 5 of the BOS countermeasure method. For example, for Step 5, one could perform the following steps instead:
and
As discussed above, the BOS fault countermeasure method requires the prior generation and storage of a prime r, an elliptic curve E′ over r, and a point P′ on E′ of large order. For better performance, the order n of P′ should also be pre-stored.
Another countermeasure is presented in Y.-J. Baek and I. Vasyltsov, “How to prevent DPA and fault attacks in a unified way for ECC scalar multiplication: Ring extension method,” in E. Dawson and D. Wong, editors, Information Security Practice and Experience—ISPEC 2007, volume 4464 of LNCS, pages 225-237. Springer, Heidelberg, 2006. Compared to J. Blömer, M. Otto, and J.-P. Seifert, “Sign change fault attacks on elliptic curve cryptosystems,” in L. Breveglieri et al., editors, Fault Diagnosis and Tolerance in Cryptography—FDTC 2006, volume 4236 of LNCS, pages 36-52. Springer, Heidelberg, 2006, Baek-Vasyltsov does not require precomputed values and does not assume that the randomizer r is a prime integer. Numerical experiments conducted in M. Joye, “On the security of a unified countermeasure,” in L. Breveglieri et al., editors, 5th Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2008), pages 87-91. IEEE Computer Society, 2008, however show that a non-negligible proportion of faults is undetected and that larger bit-lengths for r should be used.
More effective countermeasures are given in M. Joye, “Edwards curves and fault attack,” presented at the rump session of CRYPTO 2012, Santa Barbara, USA, Aug. 21, 2012, available at http://crypto.2012rump.cr.yp.to/ and S. Neves and M. Tibouchi, “Degenerate curve attacks—extending invalid curve attacks to Edwards curves and other models,” in C.-M. Cheng, K.-M. Chung, G. Persiano, and B.-Y. Yang, editors, PKC 2016, Part II, volume 9615 of LNCS, pages 19-35, Springer, Heidelberg, March 2016. They essentially follow the same approach. The idea is to rely on a shortcut for the evaluation of Q′=[k]P′ on E′ by an appropriate choice for E′. In Joye, E′ is chosen as the subgroup of points on an elliptic curve over /r2 that reduce to 0 modulo r. In Neves-Tibouchi, E′ is chosen as the group of points on a degenerate curve over r.
The method in Joye presents the disadvantage that, for fault attacks whose detection probability depends on the order of point P′, a twice longer value for r is needed. Indeed, the subgroup of points considered in Joye for E′ has order r whereas the corresponding curve is defined modulo r2. In turn, the combined curve Ê is defined over /r2p, which makes the evaluation of Q̂ on Ê more demanding.
The combined curve in Neves-Tibouchi is defined over /rp where r is prime. However, most elliptic curve models (the Weierstraß model is a notable exception) do not have an additive degeneration: they either degenerate to the (r−1)-order multiplicative group r* or to the (r+1)-order multiplicative subgroup T2(r) of elements of norm 1 in r
Embodiments for more efficiently implementing a countermeasure method against faults for ECC versus the BOS countermeasure method will now be described. As aforementioned, obtaining a generator of the additive group (/r)+ is fairly easy: any non-zero integer co-prime to r generates (/r)+. Two possible strategies are:
The idea of the embodiment is to replace the combined curve Ê in the BOS countermeasure by the group
E(p)×′E(p)×(/r)+
which is isomorphic to the cross product of the groups E(p) and (/r)+ and where the group ′ is represented with elements having a group law that coincides (i.e., is compatible) with the group law used in the representation for E(p). Such a representation for ′={P′=γ()|∈/r} where
can easily be identified from the group law in E. This is illustrated in the next paragraphs with several elliptic curve models commonly used for cryptographic applications.
Because ′ is chosen such that γ(1)⊕γ(2)=γ(1+2), it follows that kγ()=γ(k)=kP′. Hence, instead of computing kP′ as a series of point additions on an elliptic curve as in the BOS method, the check for the presence of faults can be performed from the calculation of k. Because calculating k is a single integer multiplication modulo the integer r, it is a much more efficient calculation than the point multiplication in the BOS method. Accordingly, Step 4 of the BOS method may be replaced by this much more efficient operation.
This method is fully generic and can readily be adapted to any elliptic curve model and corresponding addition formulas. Also, although focusing on protecting elliptic curve computations over prime fields for the sake of concreteness, this method can be generalized to elliptic curve computations over arbitrary rings, including over binary fields.
Application of the above method will now be described for various elliptic curves that are used as the basis for ECC.
One elliptic curve model to consider is the twisted form of the Edwards normal form, referred to as the twisted Edwards form. It is given by the equation:
E_E: ax^2 + y^2 = 1 + dx^2y^2. (1)
The neutral element for this curve is O=(0,1). The addition law is unified. Given two points (x1, y1) and (x2, y2), their sum (x3, y3)=(x1, y1)⊕(x2, y2) is given by:
Applying the general method above to the twisted Edwards form results in:
(/r)+′={γ()=(,1)|∈/r}⊂{(x,y)∈E∈
In more detail, the group (/r)+ is viewed as the set ′ of points (x, 1) on an Edwards curve (1) with parameters a=d=0, over the ring /r, equipped with the above addition law. When a=d=0, it is easily verified that:
as desired.
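As an added worked example (my own code, not part of the patent text), the following implements the method above in its twisted Edwards instantiation: the combined curve over /rp with â≡d̂≡0 (mod r), so that modulo r the addition law collapses to (x,1)⊕(x′,1)=(x+x′,1), and the final check of Q̂ mod r against γ(k·rho). The toy curve x^2 + y^2 = 1 + 2x^2y^2 over F_101, the point (5, 40), r = 999 and the element rho of /r are constructed values of my choosing (rho names the /r element whose symbol did not survive extraction); the fault hook only serves to exercise the detection.

```python
# Added example, not the patent's code: toy parameters are constructed for illustration.
p, a, d = 101, 1, 2   # twisted Edwards x^2 + y^2 = 1 + 2x^2y^2 over F_101 (a square, d non-square: complete law)
P = (5, 40)           # point on it: 25 + 1600 = 1 + 2*25*1600 (mod 101)
r = 999               # randomizer: need not be prime, only coprime to p

class FaultDetected(Exception):
    pass

def crt(a_p, a_r, p, r):
    """x in Z/(pr)Z with x = a_p (mod p) and x = a_r (mod r); requires gcd(p, r) = 1."""
    return (a_p + p * (((a_r - a_p) * pow(p, -1, r)) % r)) % (p * r)

def edwards_add(P1, P2, params, N):
    """Unified twisted Edwards addition (x1,y1)+(x2,y2) modulo N for curve parameters (a, d)."""
    a, d = params
    (x1, y1), (x2, y2) = P1, P2
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, N)
    y3 = (y1 * y2 - a * x1 * x2) * pow(1 - t, -1, N)
    return (x3 % N, y3 % N)

def scalar_mult(k, Q, params, N, fault=None):
    """Left-to-right double-and-add using the unified law for both steps. fault=(i, bit) is a
    test hook: bit `bit` of the accumulator's x-coordinate is flipped after iteration i."""
    R = (0, 1)                                  # neutral element O
    for i, b in enumerate(bin(k)[2:]):
        R = edwards_add(R, R, params, N)
        if b == "1":
            R = edwards_add(R, Q, params, N)
        if fault is not None and fault[0] == i:
            R = (R[0] ^ (1 << fault[1]), R[1])
    return R

def protected_scalar_mult(k, P, rho, fault=None):
    """[k]P over F_p computed in E(F_p) x (Z/rZ)+ and checked on the Z/rZ component."""
    N = p * r
    # a^ = CRT(a, 0), d^ = CRT(d, 0): modulo r the law collapses to (x,1)+(x',1) = (x+x',1)
    params_hat = (crt(a, 0, p, r), crt(d, 0, p, r))
    P_hat = (crt(P[0], rho, p, r), crt(P[1], 1, p, r))   # P^ = CRT(P, gamma(rho)), gamma(rho) = (rho, 1)
    try:
        Q_hat = scalar_mult(k, P_hat, params_hat, N, fault)
    except ValueError:   # denominator not invertible mod pr: impossible fault-free (complete law, 1 mod r)
        raise FaultDetected("non-invertible denominator")
    # Q' = gamma(k*rho): one multiplication mod r replaces the BOS scalar multiplication on E'
    if (Q_hat[0] % r, Q_hat[1] % r) != ((k * rho) % r, 1):
        raise FaultDetected("Q^ mod r differs from gamma(k*rho)")
    return (Q_hat[0] % p, Q_hat[1] % p)

def fault_is_detected(k, P, rho, fault):
    try:
        protected_scalar_mult(k, P, rho, fault)
        return False
    except FaultDetected:
        return True
```

With r odd, a flipped bit in the accumulator shifts its x-coordinate modulo r by a non-zero multiple of a power of two, so every such fault fails the final comparison (or yields a non-invertible denominator, which is likewise reported).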
Another elliptic curve to consider is the Jacobi quartic model. The (extended) Jacobi quartic model assumes an element of order 2. Its equation is given by:
E_J: y^2 = dx^4 + 2ax^2 + 1 (2)
with O=(0,1) as the neutral element. The unified addition of two points (x1, y1) and (x2, y2), (x3, y3)=(x1, y1)⊕(x2, y2), is given by:
The original Jacobi quartics correspond to the case d=k^2 and −2a=1+k^2 for some k.
Applying the general method above using the Jacobi quartic model results in:
(/r)+′={γ()=(∈,r}⊂{(x,y)∈EJ
As it was for the Edwards model, it is readily verified for the Jacobi quartic model that γ(0)=(0,1)=O and, when a=d=0, that
as desired.
Another elliptic curve model to consider is the Jacobi quadrics intersection model, which represents an elliptic curve as the intersection of two quadrics in 3. The most general form is as follows:
The neutral element is O=(0,1,1). The unified sum of two points (x1, y1, z1) and (x2, y2, z2) is given by (x3, y3, z3)=(x1, y1, z1)⊕(x2, y2, z2) where:
Applying the general method above using the Jacobi quadrics intersection model results in:
(/r)+′={γ()=(,1,1)|∈/r}⊂{(x,y,z)∈EQ
A simple calculation shows that γ(0)=(0,1,1)=O and, when a=b=0, that
as desired.
Another elliptic curve model to consider is the Hessian curve. Hessian curves have been generalized, modified, and extended for cryptographic applications. Using the point O=(0, −1) as the neutral element, the curve equation is:
ax^3 + y^3 + 1 = dxy. (4)
The unified sum (x3, y3)=(x1, y1)⊕(x2, y2) of two affine points (x1, y1) and (x2, y2) is given by:
Applying the general method above using the Hessian curve above results in:
Again, it can be verified that γ(0)=(0, −1)=O and that the addition law when a=d=0 yields
as desired.
Another elliptic curve model to consider is the Huff curve. The most general form is given by the equation:
E_H: y(ax^2 + 1) = cx(dy^2 + 1) (5)
with neutral element O=(0,0). The unified addition formula of affine points (x1, y1) and (x2, y2) is given by (x3, y3)=(x1, y1)⊕(x2, y2) where:
Applying the general method above using the Huff curve above and by fixing
(/r)+′={γ()=(,
The correctness is verified by observing that γ(0)=(0,0)=O and, when (a, c, d)=(0,
The Weierstrass model is the most common way to represent an elliptic curve. It is given by the equation:
E_W: y^2 = x^3 + ax + b, (6)
or using projective coordinates it is given as:
E_W: Y^2Z = X^3 + aXZ^2 + bZ^3. (7)
The neutral element is the point at infinity O=(0: 1: 0). Unified addition formulas are given by
Applying the general method above using the Weierstrass model above results in:
(/r)+′={γ()=(:1:3)|∈/r}⊂{(X:Y:Z)∈EW
Here again, it can be verified that γ(0)=(0: 1: 0)=O and, when a=b=0, that the above addition formulas yield γ(1)⊕γ(2)=(1: 1: 13)⊕(2: 1: 23)=(1+2: 1: (1+2)312+13+23)=(1+2: 1: (1+2)3)=γ(1+2) as desired.
The above embodiments list unified addition formulas; that is, the formulas remain valid when the input points are equal (point doubling). Depending on certain conditions (e.g., field characteristic or curve parameters), the formulas are even complete; that is, they can be used without any exception. It is worth noting that in all the previous embodiments the addition formulas are complete in ′: the identity γ(1)⊕γ(2)=γ(1+2) always holds. This implies that the randomizer r can be used freely in the proposed method; in particular, it is not required to be prime.
The methods described above may be implemented in software which includes instructions for execution by a processor stored on a non-transitory machine-readable storage medium. The processor may include a memory that stores the instructions for execution by the processor.
Any combination of specific software running on a processor to implement the embodiments of the invention constitutes a specific dedicated machine.
As used herein, the term “non-transitory machine-readable storage medium” will be understood to exclude a transitory propagation signal but to include all forms of volatile and non-volatile memory. Further, as used herein, the term “processor” will be understood to encompass a variety of devices such as microprocessors, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), and other similar processing devices. When software is implemented on the processor, the combination becomes a single specific machine.
It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative circuitry embodying the principles of the invention.
Although the various exemplary embodiments have been described in detail with particular reference to certain exemplary aspects thereof, it should be understood that the invention is capable of other embodiments and its details are capable of modifications in various obvious respects. As is readily apparent to those skilled in the art, variations and modifications can be effected while remaining within the spirit and scope of the invention. Accordingly, the foregoing disclosure, description, and figures are for illustrative purposes only and do not in any way limit the invention, which is defined only by the claims.