Cryptology ePrint Archive: Report 2015/794

Safe-Errors on SPA Protected implementations with the Atomicity Technique

Pierre-Alain Fouque and Sylvain Guilley and CÚdric Murdica and David Naccache

Abstract: ECDSA is one of the most important public-key signature scheme, however it is vulnerable to lattice attack once a few bits of the nonces are leaked. To protect Elliptic Curve Cryptography (ECC) against Simple Power Analysis, many countermeasures have been proposed. Doubling and Additions of points on the given elliptic curve require several additions and multiplications in the base field and this number is not the same for the two operations. The idea of the atomicity protection is to use a fixed pattern, i.e. a small number of instructions and rewrite the two basic operations of ECC using this pattern. Dummy operations are introduced so that the different elliptic curve operations might be written with the same atomic pattern. In an adversary point of view, the attacker only sees a succession of patterns and is no longer able to distinguish which one corresponds to addition and doubling. Chevallier-Mames, Ciet and Joye were the first to introduce such countermeasure. In this paper, we are interested in studying this countermeasure and we show a new vulnerability since the ECDSA implementation succumbs now to C Safe-Error attacks. Then, we propose an effective solution to prevent against C Safe-Error attacks when using the Side-Channel Atomicity. The dummy operations are used in such a way that if a fault is introduced on one of them, it can be detected. Finally, our countermeasure method is generic, meaning that it can be adapted to all formulae. We apply our methods to different formulae presented for side-channel Atomicity.

Category / Keywords: implementation / Elliptic Curve Cryptography, Side-Channel Atomicity, Fault Attacks, Infective Countermeasure, Lattice Attack

Date: received 7 Aug 2015

Contact author: david naccache at ens fr

Available format(s): PDF | BibTeX Citation

Version: 20150810:142403 (All versions of this report)

Short URL: ia.cr/2015/794

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]