Cryptography Reference
the known countermeasures against fault attacks in elliptic curve cryptosystems is
the subject Sect. 10.2 of this topic.
9.3 Invalid-Curve Fault Attacks
The choice of the elliptic curve and the underlying field is an important one as it
significantly influences the security of the system. The general aim of invalid-curve
fault attacks is to move the computation from a secure curve to a weaker one, enabling
the attacker to use known mathematical attacks against the faulty outputs. This can
be achieved by targeting either the system parameters or the running computation.
In both cases, there are known countermeasures that can be used to detect the attack
and prevent the faulty output.
9.3.1 Targeting the Base Point
The base point is one of the key parameters in a scalar multiplication operation. It is
also relatively easy to target as it is commonly presented to the system as an input.
Various known fault attacks target the base point. Some of them assume that the
attacker knows the faulty value of the base point, while others relax this assumption.
9.3.1.1 Known or Chosen Faulty Base Point
In the attacks introduced by [44], the representation of a point P on a strong elliptic
curve E is modified as a result of a fault to move the computation to a different, often
weaker, curve $\tilde{E}$. The resulting faulty output values can be used to deduce partial
information about the secret key. Usually, the attack has to be performed repeatedly
since in most cases the guessed values are not unique.
Attack description
Let E be a strong elliptic curve defined over a finite field K as
$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$
and let P and Q = kP be two points on E. To be able to mount this attack, suppose
that the device does not check whether P and Q are actually on E.
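According to the ANSI X9.63 and IEEE 1363 standards, $a_6$ is not used in the
addition operation. It follows that for a point $\tilde{P} = (\tilde{x}, \tilde{y})$ with $\tilde{x}, \tilde{y} \in K$ and
$\tilde{P} \notin E$, the calculation of $\tilde{Q} = k\tilde{P}$ occurs over the curve $\tilde{E}(a_1, a_2, a_3, a_4, \tilde{a}_6)$,
where
$$\tilde{a}_6 = \tilde{y}^2 + a_1 \tilde{x}\tilde{y} + a_3 \tilde{y} - \tilde{x}^3 - a_2 \tilde{x}^2 - a_4 \tilde{x}$$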
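The following Python sketch is an added example, not code from the original text. It uses a constructed toy curve in short Weierstrass form (a1 = a2 = a3 = 0, so a4 = a and a6 = b) over F_1009 to show that the addition formulas never read a6, that an unvalidated off-curve input is therefore processed on the curve fixed by the implied a6, and that a point-validation check on input and output detects this. All parameters, points and function names are assumptions chosen for illustration.

```python
# Toy curve E: y^2 = x^3 + A*x + B over F_p. All values below are constructed.
P_MOD, A, B = 1009, 1, 6
P_GOOD = (3, 6)      # satisfies the equation of E
P_FAULTY = (3, 7)    # same x, y corrupted in one bit: not on E

def on_curve(pt, b=B):
    """Point validation: does pt satisfy y^2 = x^3 + A*x + b (mod p)?"""
    if pt is None:                      # None stands for the point at infinity
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + b)) % P_MOD == 0

def add(p1, p2):
    """Affine addition/doubling. The constant B (a6) is never used here."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(k, pt):
    """Left-to-right double-and-add with no validation of pt."""
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def implied_a6(pt):
    """a6 of the curve the point actually lies on: y^2 - x^3 - a4*x."""
    x, y = pt
    return (y * y - x * x * x - A * x) % P_MOD

def checked_scalar_mult(k, pt):
    """Countermeasure: validate the input point and the computed result."""
    if pt is None or not on_curve(pt):
        raise ValueError("input point is not on E")
    q = scalar_mult(k, pt)
    if not on_curve(q):
        raise ValueError("result is not on E")
    return q
```

Here `scalar_mult(3, P_FAULTY)` returns a point that satisfies the curve equation with `b = implied_a6(P_FAULTY)` but not with `B`, while `checked_scalar_mult` rejects the same input before any computation with the secret scalar takes place.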