
A Fault-Based Secret Key Retrieval Method for ECDSA: Analysis and Countermeasure

Published: 20 April 2016

Abstract

Elliptic curve cryptosystems have proved to be well suited for securing systems with constrained resources, such as embedded and portable devices. In a fault-based attack, errors are induced during the computation of a cryptographic primitive, and the faulty results are collected to derive information about the secret key stored in the device. We introduce a novel attack methodology to recover the secret key employed in implementations of the Elliptic Curve Digital Signature Algorithm. Our attack exploits the information leakage induced when the execution of the modular arithmetic operations used in the signature primitive is altered; it does not rely on the mathematical structure of the underlying elliptic curve and is therefore applicable to all standardized curves. We provide both a validation of the feasibility of the attack, even when common off-the-shelf hardware is employed to perform the required computations, and a low-cost countermeasure to counteract it.



Published In

ACM Journal on Emerging Technologies in Computing Systems  Volume 13, Issue 1
Special Issue on Secure and Trustworthy Computing
January 2017
208 pages
ISSN:1550-4832
EISSN:1550-4840
DOI:10.1145/2917757
  • Editor:
  • Yuan Xie

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 20 April 2016
Accepted: 01 April 2015
Revised: 01 March 2015
Received: 01 December 2014
Published in JETC Volume 13, Issue 1

Author Tags

  1. Digital signatures
  2. ECDSA
  3. cryptography
  4. elliptic curve digital signature algorithm
  5. embedded systems security
  6. fault attacks

Qualifiers

  • Research-article
  • Research
  • Refereed

Cited By
  • (2023) PicoEMP: A Low-Cost EMFI Platform Compared to BBI and Voltage Fault Injection using TDC & External VCC Measurements. 2023 Workshop on Fault Detection and Tolerance in Cryptography (FDTC), 60-71. DOI: 10.1109/FDTC60478.2023.00015. Online publication date: 10-Sep-2023.
  • (2021) Differential Fault Attack on Montgomery Ladder and in the Presence of Scalar Randomization. Progress in Cryptology – INDOCRYPT 2021, 287-310. DOI: 10.1007/978-3-030-92518-5_14. Online publication date: 12-Dec-2021.
  • (2020) Analysis of the Security of Internet of Multimedia Things. ACM Transactions on Multimedia Computing, Communications, and Applications 16:3s, 1-16. DOI: 10.1145/3398201. Online publication date: 17-Dec-2020.
  • (2019) A Rainbow-Based Authentical Scheme for Securing Smart Connected Health Systems. Journal of Medical Systems 43:8, 1-10. DOI: 10.1007/s10916-019-1320-7. Online publication date: 1-Aug-2019.
  • (2018) Differential Attacks on Deterministic Signatures. Topics in Cryptology – CT-RSA 2018, 339-353. DOI: 10.1007/978-3-319-76953-0_18. Online publication date: 7-Mar-2018.
  • (2017) SH-SecNet: An Enhanced Secure Network Architecture for the Diagnosis of Security Threats in a Smart Home. Sustainability 9:4, 513. DOI: 10.3390/su9040513. Online publication date: 28-Mar-2017.
  • (2016) A Note on Fault Attacks Against Deterministic Signature Schemes (Short Paper). Advances in Information and Computer Security, 182-192. DOI: 10.1007/978-3-319-44524-3_11. Online publication date: 9-Sep-2016.
