A Generic Countermeasure Against Fault Injection Attacks on Asymmetric Cryptography.

IACR Cryptology ePrint Archive (2015)

Abstract
We propose a new modular extension based countermeasure for elliptic curve scalar multiplication (ECSM) that we prove correct and secure. The fault non-detection probability of our proposed countermeasure is inversely proportional to the security parameter. We implement an ECSM protected with our countermeasure on an ARM Cortex-M4 microcontroller: a systematic fault injection campaign for several values of the security parameter confirms our theoretical prediction and the security of the obtained implementation and provides figures for practical performance.

1. Modular extension protection scheme

[Figure: flowchart of the scheme. The computation runs in Zpr and, redundantly, in Fr; the Zpr result reduced mod r is compared with the Fr result: true → output in Fp, false → error.]

Computation integrity.
– Verifying signature is costly.
– Repeating the whole computation too.

Cost-effective redundancy.
– Compute in direct product Zpr and in Fr.
– Invariant: Zpr mod r = Fr.

2. Elliptic curves and the projective plane

Elliptic curve E(Fp).
– A "point at infinity" denoted by O.
– A set of points (x, y) satisfying an equation of the form: y² = x³ + ax + b.

Projective coordinates.
– To avoid divisions, a third coordinate Z is added.
– Projective (X : Y : Z) ⟺ affine (X/Z, Y/Z).
– New equation: Y²Z = X³ + aXZ² + bZ³.
– By convention, O is represented by (X : Y : 0).

3. Test-free elliptic curve scalar multiplication (ECSM)

Algorithm: TF-ECDBL(Q, n).
  Input: Q = (X₁ : Y₁ : Z₁) ∈ E(Zn)
  Output: (X : Y : Z) = 2Q ∈ E(Zn)
  if Q is O then return Q
  A = 3(X₁² + 2aZ₁(X₁ + Z₁))
  X = 2Y₁Z₁(A² − 8X₁Z₁Y₁²)
  Y = A(12X₁Z₁Y₁² − A²) − 8Z₁²Y₁⁴
  Z = 8Z₁³Y₁³
  return (X : Y : Z)

TF-good scalar. Let P ∈ E(Zn) and k > 0. k is TF-good w.r.t. P if and only if, for all i > 1 in N:
– ord(P) ∤ ⌊k/2ⁱ⌋,
– ord(P) ∤ ⌊k/2ⁱ⌋ − 1, when kᵢ = 1,
– ord(P) ∤ ⌊k/2ⁱ⌋ − 2, when kᵢ = 1.

→ TF-ECSML2R is partially correct [3]. Let P ∈ E(Zn) and k > 0. If k is TF-good w.r.t. P and E(Zn), then:
– TF-ECSML2R(P, k, n) = ECSML2R(P, k, n);
else:
– TF-ECSML2R(P, k, n) = O.

Algorithm: TF-ECADD(Q, P, n).
  Input: Q = (X₁ : Y₁ : Z₁), P = (X₂ : Y₂ : Z₂) ∈ E(Zn)
  Output: (X : Y : Z) = Q + P ∈ E(Zn)
  if Q is O then return P
  if P is O then return Q
  if Q = −P then return O
  if Q = P then return 2P
  A = Y₂Z₁ − Y₁Z₂
  B = X₂Z₁ − X₁Z₂
  C = Z₁Z₂A² − (X₁Z₂ + X₂Z₁)B
  X = BC
  Y = A(X₁Z₂B² − C) − Y₁Z₂B
  Z = Z₁Z₂B³
  return (X : Y : Z)

Algorithm: TF-ECSML2R(P, k, n).
  Input: P ∈ E(Zn), k > 0
  Output: Q = [k]P ∈ E(Zn)
  Q = O
  for i = ⌈log₂ k⌉ − 1, …, 0 do
    Q = TF-ECDBL(Q, n)
    if kᵢ then Q = TF-ECADD(Q, P, n)
  return Q

4. State of the art: BOS [1] and BV [2]

Algorithm: ECSM protected with BOS countermeasure, BOS(P, k, p).
  Input: P ∈ E(Fp), k > 0
  Output: Q = [k]P ∈ E(Fp)
  Choose a small prime r, a curve E(Fr), and a point Pr on that curve.
  Determine the combined curve E(Zpr) and point Ppr using the CRT.
  (Xpr : Ypr : Zpr) = ECSM(Ppr, k, pr)
  (Xr : Yr : Zr) = ECSM(Pr, k, r)
  if (Xpr mod r : Ypr mod r : Zpr mod r) = (Xr : Yr : Zr) then
    return (Xpr mod p : Ypr mod p : Zpr mod p)
  else
    return error

Algorithm: ECSM protected with BV countermeasure, BV(P, k, p).
  Input: P ∈ E(Fp), k > 0
  Output: Q = [k]P ∈ E(Fp)
  Choose a small random integer r.
  Compute the combined curve E′(Zpr).
  (Xpr : Ypr : Zpr) = ECSM(P, k, pr)
  if (Xpr mod r : Ypr mod r : Zpr mod r) ∈ E′(Zpr) mod r then
    return (Xpr mod p : Ypr mod p : Zpr mod p)
  else
    return error

→ BOS is incorrect. When k is TF-bad (not TF-good) w.r.t. Pr and E(Fr), BOS returns error even without faults.
→ BV is incorrect. When k is TF-bad w.r.t. P and E′(Fr), BV returns error even without faults, in very specific cases.

6. RMGN [4]

Algorithm: TF-ECSM with modular extension protection, RMGN(P, k, p).
  Input: P ∈ E(Fp), k > 0
  Output: Q = [k]P ∈ E(Fp)
  Choose a small prime r.
  (Xpr : Ypr : Zpr) = TF-ECSM(P, k, pr)
  (Xr : Yr : Zr) = TF-ECSM(P mod r, k, r)
  if (Xpr mod r : Ypr mod r : Zpr mod r) = (Xr : Yr : Zr) then
    return (Xpr mod p : Ypr mod p : Zpr mod p)
  else
    return error

→ RMGN is correct. RMGN always returns the correct result. However, its resistance to fault attacks is weakened in the case of a TF-bad scalar.
→ The TF-bad scalar probability is low in practice. The probability of a scalar k being TF-bad w.r.t. a point P ∈ E(Fr) is
  P_TF-bad^P(k) ≈ 1 − (1 − 1/ord(P))^(⌈log₂ k⌉ − ⌈log₂ ord(P)⌉) = O(1/ord(P)).
In practice, when r is on 32 bits, P_TF-bad^P(k) ≈ 10⁻⁸.

7. Formal security analysis of RMGN

→ Inversion in Zpr is possible in the modular extension context. To invert z in Fp while computing in Zpr, one has:
– z = 0 mod r ⟹ (z^(p−2) mod pr) ≡ z⁻¹ mod p,
– otherwise (z⁻¹ mod pr) ≡ z⁻¹ mod p.

Fault model. Each injected fault can be:
– randomizing or zeroing any intermediate variable;
– skipping any number of consecutive instructions.

Secure algorithm. An algorithm is secure if:
– it returns the good result when there are no faults; and
– it returns either the good result or error otherwise, with overwhelming probability.

→ RMGN is secure. The probability of non-detection is P_n.d. = O(1/r).

Security parameter. Thus, r is the security parameter. It should be prime, private, and dynamically chosen.

8. Practical case study with RMGN

Setup.
– ARM Cortex-M4 STM32.
– NIST curve P-192.
– C and mini-gmp.
– Compiled with gcc -O0.
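As an added example (not the paper's code), a Python model of the RMGN scheme of sections 6 and 7: the same test-free projective double-and-add is run in Zpr and in Zr, and the result is released mod p only if the two agree mod r. It assumes the standard projective doubling and addition formulas, the public NIST P-192 parameters, a fixed 32-bit prime r, a loop that starts from Q = P so the point-at-infinity test is not needed, and a simulated fault that xors one intermediate coordinate (the "randomizing an intermediate variable" case of the fault model).

```python
# Added example (not the paper's code): RMGN-style modular extension check with a simulated fault.
P192 = dict(p=2**192 - 2**64 - 1, a=-3,  # NIST P-192 (standard public values)
            b=0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1,
            gx=0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012,
            gy=0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811)
R32 = 2**32 - 5  # a 32-bit prime r (security parameter); a device would draw it at random

def ecdbl(Q, a, n):
    """Test-free projective doubling modulo n (n is p, r or p*r); standard formulas."""
    X1, Y1, Z1 = Q
    A = (3 * X1 * X1 + a * Z1 * Z1) % n
    B, C = Y1 * Z1 % n, X1 * Y1 * Y1 * Z1 % n
    D = (A * A - 8 * C) % n
    return (2 * B * D % n, (A * (4 * C - D) - 8 * Y1 * Y1 * B * B) % n, 8 * B**3 % n)

def ecadd(Q, P, n):
    """Test-free projective addition modulo n; valid when Q != +-P and neither is O."""
    (X1, Y1, Z1), (X2, Y2, Z2) = Q, P
    A = (Y2 * Z1 - Y1 * Z2) % n
    B = (X2 * Z1 - X1 * Z2) % n
    C = (A * A * Z1 * Z2 - B * B * (X1 * Z2 + X2 * Z1)) % n
    return (B * C % n, (A * (X1 * Z2 * B * B - C) - Y1 * Z2 * B**3) % n, Z1 * Z2 * B**3 % n)

def tf_ecsm(P, k, a, n, fault_at=None):
    """Left-to-right double-and-add from Q = P (leading bit), so no O test is needed for
    0 < k < ord(P). fault_at=(step, mask) xors mask into X after that step's doubling."""
    Q = P
    for step, bit in enumerate(bin(k)[3:]):  # bits of k below the leading one
        Q = ecdbl(Q, a, n)
        if fault_at and fault_at[0] == step:  # simulated fault: randomized intermediate
            Q = (Q[0] ^ fault_at[1], Q[1], Q[2])
        if bit == "1":
            Q = ecadd(Q, P, n)
    return Q

def rmgn(P, k, curve, r, fault_at=None):
    """RMGN: same ECSM in Z_pr and Z_r; output mod p only if they agree mod r."""
    p, a = curve["p"], curve["a"]
    Qpr = tf_ecsm(P, k, a, p * r, fault_at)
    Qr = tf_ecsm(tuple(c % r for c in P), k, a % r, r)
    if tuple(c % r for c in Qpr) != Qr:
        return "error"  # the redundant computations disagree: a fault occurred
    return tuple(c % p for c in Qpr)

def affine_on_curve(Q, curve):
    """Map (X:Y:Z) to (X/Z, Y/Z) over F_p and check y^2 = x^3 + ax + b."""
    p = curve["p"]
    zi = pow(Q[2], p - 2, p)  # Fermat inversion; Z != 0 because the result is not O
    x, y = Q[0] * zi % p, Q[1] * zi % p
    return (y * y - x**3 - curve["a"] * x - curve["b"]) % p == 0
```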