Cryptography Reference
In-Depth Information
Inversion: The main input and output are $A \in GF(2^m)$ and $A^{-1} = 1/A$,
respectively. The second input is $A' = A^2$ and the corresponding
output is $1/A'$. Then, one can take the square root of $C'$ and
compare it with $C$.
Division: The main inputs are $A, B \in GF(2^m)$ and the main output is obtained
as $C = A/B$. The second inputs are $A' = A^2$, $B' = B^2$ and the
output is $C' = A'/B'$. Then, one can take the square root of $C'$ and
compare it with $C$.
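The inversion and division checks above, as an added Python example that is not from the original text: it recomputes with squared inputs, takes the square root of the second result, and compares it with the main result. The field GF(2^8) with F(x) = x^8 + x^4 + x^3 + x + 1, all function names, and the `fault` XOR mask that models a transient fault on the main output are assumptions made for illustration.

```python
# Added example. Assumed field: GF(2^8), F(x) = x^8 + x^4 + x^3 + x + 1;
# the page does not fix m or F(x). All names here are hypothetical.
M = 8
POLY = 0x11B

def gf_mul(a, b):
    """Shift-and-add multiplication in GF(2^M), reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> M:
            a ^= POLY
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    while e:  # square-and-multiply
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def gf_inv(a):
    """1/A = A^(2^M - 2) for nonzero A."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^M)")
    return gf_pow(a, (1 << M) - 2)

def gf_sqrt(a):
    """Squaring is a bijection in GF(2^M); its inverse map is A -> A^(2^(M-1))."""
    return gf_pow(a, 1 << (M - 1))

def checked_div(a, b, fault=0):
    """Return (C, ok). `fault` is a constructed XOR mask modelling a transient
    fault on the main output C = A/B; the second run uses A' = A^2, B' = B^2."""
    c = gf_mul(a, gf_inv(b)) ^ fault                  # main run, possibly faulted
    c2 = gf_mul(gf_mul(a, a), gf_inv(gf_mul(b, b)))   # second run: C' = A'/B'
    return c, gf_sqrt(c2) == c                        # compare sqrt(C') with C

def checked_inv(a, fault=0):
    """Inversion check: the A = 1 case, since 1^2 = 1 and C' = 1/A^2."""
    return checked_div(1, a, fault)

if __name__ == "__main__":
    print(checked_inv(0x53), checked_inv(0x53, fault=0x04))
```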
10.4 Fault Detection in Elliptic Curve Scalar Multiplication
The fault detection approaches explained in the previous sections can be used to detect
the faults in the ECC scalar multiplication. However, there are other approaches in
the literature which focus on the scalar multiplication. In this section, we explain
the point validation approach proposed in [16], the time redundancy-based approach
proposed in [387], and the input randomization approach proposed in [123].
In [387], fault detection circuits have been proposed for scalar multiplication in
ECC. This approach is based on time redundancy and resembles the approaches
explained in the previous section. Assuming $P$ is a point on the elliptic curve $E$ and
$k$ is a positive integer, the operation to compute $kP = P + P + \cdots + P$ ($k$ times) is
called the scalar multiplication in elliptic curve cryptography. The scalar operation is
performed using point addition and point doubling operations, and these operations are
based on finite field arithmetic operations such as addition, multiplication, squaring,
and inversion. The following techniques are used in [387] for fault detection.
Addition: The addition is done with inputs $A$ and $B$ in $GF(2^m)$ and the result
is $C = A + B$. Now, there are two scenarios. In the first one, the
output $C$ is added to $B$ again and compared with $A$ to detect errors.
The other scenario divides the inputs into two halves and the XOR
network is also divided into two sub-networks. In the first round,
the left sub-network processes the left halves of the inputs and the
right sub-network processes the right halves. In the second round,
the inputs to the sub-network are interchanged. Finally the results
are compared to detect any possible errors.
Inversion: Let $A^{-1}$ be the inverse of $A$ modulo $F(x)$. It is known that
$(A^{-1})^{-1} = A$. In the first round, $A$ is the input of the inverter
and $A^{-1}$ is the expected output. Now, $A$ is stored in a register and
the inversion result becomes the input of the inverter in the second
round. The output of the inverter in the second round is expected
to be $A$. A comparison is performed to compare the second output
with $A$ to detect possible errors.
Multiplication: In this operation, $A$ and $B$ are the inputs and $C$ $(= A \cdot B \bmod F(x))$
is the output of the multiplier in the first round. In parallel to this