Cryptography Reference
equality test becomes implicit and is no longer dependent on the value of a single
bit. This way, the attacker cannot use the faulty result since it is no longer correlated
with the secret information.
9.6 Summary of Countermeasures Against Fault Attacks
As discussed earlier, fault attacks on elliptic curve cryptosystems can be divided
into various classes, and each class has its corresponding countermeasures. Generally,
these countermeasures work by preventing the injection of faults, detecting
the resulting errors, or masking the faulty result randomly. While some of these
techniques are only applicable to ECC or to specific classes of faults, others apply
more generally. In this section, we briefly review the known countermeasures for
fault attacks and comment on their effectiveness and limitations. A more elaborate
discussion of these countermeasures is the subject of the next chapter.
The occurrence of some types of faults can be prevented through physical means
like sensors and metal shields [21]. Moreover, sign change fault attacks can be prevented
using the Montgomery ladder [294] since it does not use the y-coordinate,
and hence does not allow sign change.
As for detection, checksums can be used to detect errors in system parameters.
Moreover, point validation can be used to detect invalid-curve errors as the representation
of an elliptic curve point has some inherent information redundancy [44]. It is
also possible to use time and/or hardware redundancy, accompanied by comparison,
to detect faulty results [123]. Randomization can also be used in a variety of ways
while encoding the scalar, base point or curve parameters. Combined with hardware
or time redundancy, it prevents similar errors from generating similar faulty results,
thus aiding in the detection of errors [123]. Most notably, some algorithms involve
redundant computations that allow for detecting errors by checking the coherency
of the results. For example, in Algorithm 9.4, intermediate variables satisfy a set
of invariants that can be used to check for coherency. These invariants allow for
detection of a wide range of errors, including those resulting from the three classes
of FAAs discussed earlier [124].
It is also possible to use some techniques to mask the faulty results. For example,
randomization is effective in masking some types of errors, particularly those
resulting from sign change faults [54]. Moreover, since a validation test is a logical
test, its outcome can be manipulated by flipping a single bit, effectively becoming
a single point of failure. Infective computation, as presented in [430], circumvents
this problem by masking faulty results randomly.
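The point-validation check described above, as an added example (not from the book). It assumes a toy curve with constructed parameters p = 97, a = 2, b = 3 and base point (3, 6); the function names and the single-bit fault model on the x-coordinate are illustrative assumptions.

```python
# Toy curve y^2 = x^3 + A*x + B over F_P (constructed; far too small for real use).
P, A, B = 97, 2, 3
G = (3, 6)  # constructed base point on the toy curve

def is_valid(pt):
    """Point validation: coordinates in range and curve equation satisfied."""
    if pt is None:  # the point at infinity is not accepted as input or result
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0

def add(p, q):
    """Affine point addition; None represents the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:  # p + (-p) = infinity
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Left-to-right double-and-add (illustration only, not side-channel hardened)."""
    r = None
    for bit in bin(k)[2:]:
        r = add(r, r)
        if bit == "1":
            r = add(r, pt)
    return r

def flip_bit(pt, bit):
    """Constructed fault model: one bit of the stored x-coordinate is flipped."""
    return (pt[0] ^ (1 << bit), pt[1])

def checked_mul(k, pt, fault_bit=None):
    """Validate the input point, compute k*pt, and validate the result before release."""
    if not is_valid(pt):
        raise ValueError("input point failed validation")
    result = mul(k, pt)
    if fault_bit is not None:  # simulate a fault hitting the result
        result = flip_bit(result, fault_bit)
    if not is_valid(result):
        raise ValueError("result failed validation; output suppressed")
    return result
```

The final `if not is_valid(result)` is exactly the kind of logical test the paragraph above calls a single point of failure, which is the problem infective computation is meant to remove.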