Cryptography Reference
In-Depth Information
Chapter 9
Fault Attacks on Elliptic Curve Cryptosystems
Abdulaziz Alkhoraidly, AgustÃn DomÃnguez-Oviedo and M. Anwar Hasan
Abstract
While there is no known subexponential algorithm for the elliptic curve
discrete logarithm problem, elliptic curve cryptosystems have been shown to be
vulnerable to a wide range of attacks that target their implementation rather than their
mathematical foundation. Fault analysis attacks exploit faults that can occur in the
implementation of an elliptic curve cryptosystem to discover the secret information
partially or fully. Faults can be injected in a variety of ways and almost all parts of the
system can be targeted, e.g., the base point, system parameters, intermediate results,
dummy operations and validation tests. In this chapter, we review a collection of the
known fault analysis attacks on elliptic curve cryptosystems. We also briefly discuss
the known countermeasures to various attacks and comment on their effectiveness.
9.1 Introduction
Elliptic curves were first employed in cryptography by Miller and Koblitz as an
alternative to many of the dominant public-key cryptosystems [233, 288]. The group
of points on an elliptic curve defined over a finite field has many interesting properties
that make it suitable for cryptographic applications. Most importantly, the discrete
logarithm problem on that group appears to be hard to solve, more so than similar
problems like integer factoring and finding discrete logarithms over finite fields.
As such, a comparable security level can be achieved using significantly smaller
system parameters, which gives elliptic curve cryptography (ECC) an advantage in
terms of efficiency for both software and hardware implementations.
