Cryptology ePrint Archive: Report 2015/794
Safe-Errors on SPA Protected implementations with the Atomicity Technique
Pierre-Alain Fouque and Sylvain Guilley and CÚdric Murdica and David Naccache
Abstract: ECDSA is one of the most important public-key signature scheme, however it is vulnerable to lattice attack once a few bits of the nonces are leaked. To protect Elliptic Curve Cryptography (ECC) against Simple Power Analysis, many countermeasures have been proposed.
Doubling and Additions of points on the given elliptic curve require several additions and multiplications in the base field and this number is not the same for the two operations.
The idea of the atomicity protection is to use a fixed pattern, i.e. a small number of instructions and rewrite the two basic operations of ECC using this pattern. Dummy operations are introduced so that the different elliptic curve operations might be written with the same atomic pattern. In an adversary point of view, the attacker only sees a succession of patterns and is no longer able to distinguish which one corresponds to addition and doubling.
Chevallier-Mames, Ciet and Joye were the first to introduce such countermeasure.
In this paper, we are interested in studying this countermeasure and we show a new vulnerability since the ECDSA implementation succumbs now to C Safe-Error attacks. Then, we propose an effective solution to prevent against C Safe-Error attacks when using the Side-Channel Atomicity. The dummy operations are used in such a way that if a fault is introduced on one of them, it can be detected. Finally, our countermeasure method is generic, meaning that it can be adapted to all formulae. We apply our methods to different formulae presented for side-channel Atomicity.
Category / Keywords: implementation / Elliptic Curve Cryptography, Side-Channel Atomicity, Fault Attacks, Infective Countermeasure, Lattice Attack
Date: received 7 Aug 2015
Contact author: david naccache at ens fr
Available format(s): PDF | BibTeX Citation
Version: 20150810:142403 (All versions of this report)
Short URL: ia.cr/2015/794
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]