Cryptography Reference
In-Depth Information
operation
B
−
1
is computed. In the second round,
B
−
1
and the com-
puted
C
are the inputs of the multiplier and the result is expected to
be
A
. A comparison between the output of the second round and
A
can detect the possible errors. The technique for the squaring opera-
tion is very similar and the only difference is that both inputs of the
multiplier in the first round are connected to
A
to compute
A
2
.
The overall architecture presented in [387] uses the inversion block, which is free
most of the time during the scalar multiplication, to provide the inputs for the error
detection algorithm. It should be noted that this approach requires a separate inverter
since it is very common to implement inversion in ECC using multiplication and
squaring without having a separate module for inversion.
In [16], a method has been proposed against fault attacks on ECC which is known
as point validation. In this approach, the point is verified to be on the elliptic curve
assuming that the attack might change the results so that the resulting point is no
longer on the curve. This approach fails if the attack is a Sign Change Fault attack
[54], because the points will not leave the elliptic curve.
Different fault detection approaches have been proposed in [123] for the scalar
multiplication using input randomization to also provide countermeasures against
sign change fault attacks. Two properties, introduced in [102] as countermeasures
against differential power analysis, are used in [123] to construct a randomized input.
Property 10.5
Let
(
X
,
Y
,
Z
)
be the projective representation of
P
. It can be verified
c
X
d
Y
2
m
that
(γ
,γ
,γ
Z
)
also represents
P
, where
γ
∈
GF
(
)
,
c
=
1, and
d
=
2for
the López and Dahab representation, and
γ
∈
GF
(
p
)
,
c
=
2, and
d
=
3forthe
Jacobian representation [102].
Property 10.6
Let
k
be a positive integer,
j
be a at least 20-bit random integer, and
#
E
be the order of the elliptic curve
E
. Now, one can define
k
=
k
+
j
(
#
E
)
and
use it to compute
k
P
. This can be written as
k
P
=
(
k
+
j
(
#
E
))
P
, and since
k
P
[102].
(
#
E
)
P
=∞
, it is concluded that
kP
=
One of the approaches proposed in [123] is based on time redundancy and recom-
putation. In this approach, one scalar multiplication module is used; however, the
scalar multiplication is performed using the parameters
γ
0
and
j
0
in the first round,
and
γ
1
and
j
1
in the second round, to obtain different inputs based on Properties 10.5
and 10.6. The output of the first round is stored in a register and compared with the
output of the second round.
The drawback of this recomputation is that the scalar multiplication is done twice,
and therefore this approach has a large time overhead. To reduce this overhead; a
modified approach has been proposed in [123]. In the modified approach (partial
recomputation), the point
P
is encoded twice, similarly to the original approach;
however, the scalar
k
is encoded once and used in the first round. In the second round,
l
least significant bits of the encoded
k
is used and the output of the second round is
compared with the output of the first round after
l
iterations. This results in reducing
the time overhead as the second round is not a complete scalar multiplication.
