fault attacks on rsa and elliptic curve cryptosystems
Post on 25-Dec-2021
5 Views
Preview:
TRANSCRIPT
Fault Attacks on RSA and Elliptic Curve Cryptosystems
by
Mohammed Kahlil Ibrahim Amain
M. Sc. in Computer
B. Sc. In Control and Systems Engineering
Submitted in fulfilment of the requirements for the degree of
Doctor of Philosophy
Deakin University
July, 2018
Acknowledgment
I would like to express my great respect and gratitude to Prof. John Yearwood for
the kindness and support he offered me through his participation in my supervisory
committee.
I am very grateful to Prof. Lynn Margaret Batten for her excellent supervision
throughout my PhD study. I have the honour to be a student of such a brilliant,
highly experienced professor in security research fields. I really appreciate her
patient guidance and valuable advice which improved my knowledge and
developed my skill in this research area.
I am also indebted to Prof. Yong Xiang, Prof. Jemal Abawajy and Associate Prof.
Gang Li for their participation in my supervisory committee.
I would like to thank Ms. Judy Chow and Mr. Nghia Dang for their technical
support throughout my research work in Deakin University. I am also grateful to
Sophie Dougall and my aunt Faiza M. Taki for their efforts in editing and
proofreading my thesis material.
I would like to express special thanks to the Iraqi Government represented by the
Ministry of Higher Education and Scientific Research for granting me a scholarship
to pursue my Ph.D studies in Deakin University.
I will always be grateful to my family members, particularly my wife Noor, my
mother and my brother Anmar, for their unlimited love, support and encouragement
which inspired me to exert all my time and energy to the completion of this thesis.
I am also thankful to my friends Mr. Ahmed Mohammed, Dr. Majeed Alajeely and
Dr. Baker Alrubaiey for their support and suggestions which helped me to complete
my research work.
List of publications
Published
1. Amain, M & Batten, LM 2015, ‘Cryptographic Public Key Length Prediction’,
in W Niu, G Li, J Liu, J Tan, L Guo, Z Han & L Batten (eds), Proceedings of
Applications and Techniques in Information Security, Berlin, Heidelberg, pp. 27-
35.
2. Batten, LM & Amain, MK 2016, ‘A New Sign-Change Attack on the
Montgomery Ladders’, in L Batten & G Li (eds), Proceedings of Applications and
Techniques in Information Security, Singapore, pp. 3-14.
Hirschfeld, STE, Batten, LM & Amain, MK 2018, May.’ Efficiencies in Binary
Elliptic Curves’. In 2018 International Conference on Computational Science and
Its Applications.
Accepted
Amain, MK & Batten, LM 2018, ‘Fault Attack Simulations on Elliptic Curve
Scalar Multiplication Algorithms to Retrieve the Secret Key’, In the Kangacrypt
2018 Australian Workshop on Offensive Cryptography.
i
Abstract
The considerable growth in world population represents a constantly increasing
demand for electronic services. The fast development of internet services and
communication methods provide a promising communication environment to be
used for human interaction. However, data transmitted through this extensive
communication environment are often exposed to the threat of attackers, and
therefore, they should be well protected against unauthorized access of intruders by
utilizing reliable, firmly established security systems. Over many years
cryptography was being used to ensure the security and authentication of data being
exchanged among clients in different communication networks. The two major
public key cryptosystems commonly considered as reliable and trustworthy for
security and authentication purposes are RSA and elliptic curve cryptosystems
ECC. RSA and ECC algorithms are currently used to secure and authenticate
information stored in hardware devices or transferred throughout networks.
In future years, IoT hardware devices are expected to play a vital role in any
communication environment. These hardware devices can be locally used to
organise a specific location like smart home. They can also provide communication
through a wide area network with data servers by using internet technique. In both
ways IoT devices use and transfer information that may be confidential and
personal like medical records and bank accounts details. The small size and limited
resources of these IoT devices will restrict the choices of designers who try to work
out efficient mechanisms to secure and authenticate information stored or
transferred through these devices. One of the solutions suggested by experts is the
use of RSA and ECC as protective techniques.
In this thesis, I focus on examining the suitability and reliability of the current RSA
and elliptic curve authentication techniques implemented on small devices with
limited power. One of the security risks RSA and ECC may encounter are fault
attacks. The aim of fault attacks is to inject faults inside hardware devices like IoT
in order to retrieve the secret information stored inside these devices through the
faults generated in their computations. I consider an IoT device as an example of a
hardware device of small size and limited power. Developers of IoT hardware
devices usually try to protect their devices from all risks which threaten the
hardware components, but they give less attention to risks against the software used
ii
to program and update their devices. In this thesis, I will concentrate on the security
risks against hardware devices which threaten the software used to program these
devices by proposing various forms of fault attacks against them. I propose a
factoring attack and a retrieve secret key attack against RSA cryptosystems, and a
fault point attack against elliptic curve cryptosystems (ECC), which are used to
secure hardware devices. The attacks proposed in this research work are based on
the concept of safe error attack. The three fault attacks proposed here target the
software used to program and update EEPROM devices inside the hardware devices
through injecting faults in the hardware devices by modifying cryptography
algorithms.
I demonstrate the security risks against IoT hardware devices through a number of
steps. Firstly, I carry out a full investigation of previous research projects that
focused on fault attacks against hardware devices that use RSA and ECC to secure
them. Secondly, I build an implementation platform by using Intel (R) Core (TM)
i7-4500 CPU 2.4 GHZ with 8 GB RAM as a hardware platform and Windows 7 as
the operating system and Maple software to implement the proposed attacks.
Thirdly, the full review I have made of EEPROM devices support the concept I
have suggested in this thesis, namely that the hardware device may be attacked by
means of targeting the software used to program EEPROM inside the hardware
device. I utilize this basic concept to get control over EEPROM inside the hardware
device, and then modify the original cryptography algorithm stored in EEPROM
after it is loaded in the RAM of the same device by injecting a fault value and using
it instead of the correct value in the computation in order to deduce the secret
information in view of the fault result. Furthermore, I eliminate the generated fault
result in order to render any countermeasures, used to check free-error procedures,
quite useless. Finally, I verify that my proposed attacks can be applied on hardware
devices with limited resources by implementing all the attacks suggested in this
research work on Arduino Mega2560 with Microcontroller ATmega2560, Flash
Memory 256 KB of which 8 KB are used by the bootloader (firmware),
SRAM 8KB and EEPROM 4KB as a hardware platform and MATLAB 2017b
as a software platform.
In addition, I provide a short comparison between Maple and MATLAB
concerning implementation of RSA and ECC algorithms. In view of the result of
iii
this comparison, I recommend Maple to be used in this operation as it is more
powerful than MATLAB when implementing RSA algorithms with high numbers
3072 bits long digits or implementing ECC algorithms with high numbers 384 bits
long digits.
The main contribution of this research work is that it offers, for the first time, a fault
attack which targets the software used to program an EEPROM by injecting an error
inside the hardware device through modifying the cryptography algorithm stored in
EEPROM inside the hardware device. Furthermore, the concept of safe error is
improved as I eliminate the fault result, I generated so that the attacks proposed here
will be more effective against the currently used countermeasures.
iv
Table of contents
Table of contents ................................................................................................... iv
List of Figures ..................................................................................................... xiii
List of Algorithms ............................................................................................... xiv
List of Tables ........................................................................................................ xv
List of Acronyms ................................................................................................ xvi
Chapter One Introduction .................................................................................... 1
1.1 Background ................................................................................................... 1
1.2 Example Application .................................................................................... 2
1.3 Problem Overview ........................................................................................ 4
1.4 Thesis Aims and Significance ...................................................................... 5
1.5 Thesis Contributions ..................................................................................... 6
1.6 Chapter Summary ......................................................................................... 8
Chapter Two Literature Review ........................................................................ 10
2.1 Introduction ................................................................................................. 10
2.2 Background ................................................................................................. 10
2.2.1 Triangular Fuzzy Number TFN .......................................................... 10
2.2.2 Residue Number System (RNS) ......................................................... 10
2.2.3 Side-Channel attacks ........................................................................... 10
2.2.4 Differential Fault Analysis DFA ......................................................... 11
2.2.5 Differential power analysis DPA ........................................................ 11
2.2.6 Simple power analysis SPA ................................................................ 11
2.3 Public key Cryptosystems........................................................................... 11
2.3.1 RSA Cryptosystems ............................................................................ 11
2.3.2 Elliptic Curve Cryptosystems (ECC) .................................................. 12
2.4 Fault Attacks on Public Key Cryptosystem ................................................ 13
2.4.1 Physical Types of Fault Attacks .......................................................... 14
v
2.4.1.1 Below-Powering ............................................................................. 14
2.4.1.2 Clock Faults .................................................................................... 14
2.4.1.3 Temperature Variation ................................................................... 14
2.4.1.4 Optical Fault ................................................................................... 15
2.4.1.5 Electromagnetic Fault ..................................................................... 15
2.4.2 Fault Attacks Goals ............................................................................. 15
2.4.2.1 Fault Attacks on Input Parameters ................................................. 15
2.4.2.2 Fault Attacks on Data Processing Section ...................................... 16
2.4.2.3 Fault Attacks on Storage Section ................................................... 16
2.4.2.4 Fault Attacks on Instruction Processing Section ............................ 16
2.4.3 Summary ............................................................................................. 16
2.5 Fault Attacks on RSA Cryptosystems ........................................................ 16
2.5.1 Specific Algorithm Fault Attacks ....................................................... 17
2.5.1.1 RSA - CRT Algorithm ................................................................... 17
2.5.1.2 Modular Exponentiation Algorithms .............................................. 22
2.5.2 Tampering with the Program Flow of Fault Attacks .......................... 24
2.5.3 Safe-Error Fault Attacks ..................................................................... 25
2.5.4 Summary ............................................................................................. 25
2.6 RSA Countermeasures against Fault Attack............................................... 26
2.6.1 RSA Countermeasures against Fault Attack ....................................... 26
2.6.2 Summary ............................................................................................. 29
2.7 Fault Attacks on Elliptic Curve Cryptosystems (ECC) .............................. 29
2.7.1 Safe-Error Fault Attacks ..................................................................... 29
2.7.1.1 Computation Safe-Error ................................................................. 30
2.7.1.2 Memory Safe-Error ........................................................................ 35
2.7.2 Weak Curve Based Attacks ................................................................. 35
2.7.2.1 Invalid Point Attacks ...................................................................... 35
vi
2.7.2.2 Invalid Curve Attacks ..................................................................... 36
2.7.3 Sign Change Fault Attacks .................................................................. 38
2.7.4 Summary ............................................................................................. 38
2.8 Fault Attack on ECC Countermeasures ...................................................... 39
2.8.1 Fault Attack on ECC Countermeasures .............................................. 39
2.8.2 Summary ............................................................................................. 41
Chapter Three EEPROM Environment ........................................................... 43
3.1 Introduction ................................................................................................. 43
3.2 EEPROM Architecture ............................................................................... 43
3.2.1 General Configuration ......................................................................... 43
3.2.2 EEPROM Memory Cell Design .......................................................... 44
3.3 EEPROM Programming ............................................................................. 46
3.3.1 Analogous Programming of EEPROM Cell ....................................... 46
3.3.2 Digital Programming of EEPROM Cell ............................................. 46
3.4 Attacks on EEPROM Memory Devices ..................................................... 47
3.4.1 Software Attack ................................................................................... 47
3.4.2 Laser Attack ........................................................................................ 48
3.4.3 Optical Fault Masking Attacks ........................................................... 49
3.4.4 Extraction and Analysis of Non-Volatile Memory of the ZW0301
Module IoT Device ...................................................................................... 49
3.4.5 Microprobing Attacks ......................................................................... 49
3.5 Implications for Attacks Proposed in the Thesis ........................................ 50
3.6 Summary ..................................................................................................... 50
Chapter Four Proposed Fault Attacks against RSA ........................................ 52
4.1 Introduction ................................................................................................. 52
4.2 Background of RSA Cryptosystem ............................................................ 54
4.2.1 Classical RSA ..................................................................................... 54
vii
4.2.2 RSA Encryption .................................................................................. 54
4.2.3 RSA Decryption .................................................................................. 54
4.2.4 RSA Signature ..................................................................................... 54
4.2.5 RSA-CRT Signature ........................................................................... 54
4.2.6 RSA-CRT Signature Gauss’s Algorithm ............................................ 55
4.2.7 RSA-CRT Signature Garner’s Algorithm ........................................... 55
Example 1. ................................................................................................... 55
4.2.8 RSA-CRT Signature Cryptanalysis .................................................... 56
Example 2. ................................................................................................... 56
4.2.9 RSA-CRT Garner’s Signature Algorithm Protected by Modified
Shamir’s Countermeasure ............................................................................ 57
Example 3 .................................................................................................... 58
4.2.10 RSA-CRT Garner’s Signature Algorithm Protected by Simplified
Vigilant’s Countermeasure .......................................................................... 59
Example 4 .................................................................................................... 61
4.3 Fault Factoring Attack ................................................................................ 63
4.3.1 RSA-CRT Signature Using Garner’s Algorithm Protected by Modified
Shamir’s Countermeasure ............................................................................ 64
4.3.2 FF Attack against RSA-CRT with Garner’s Algorithm and Protected
by Modified Shamir’s Countermeasure ....................................................... 65
Example 5 .................................................................................................... 66
4.3.3 RSA-CRT Signature with Garner’s Algorithm Protected by Simplified
Vigilant’s Countermeasure .......................................................................... 66
4.3.4 FF Attack against RSA-CRT Signature with Garner’s Algorithm
Protected by Simplified Vigilant’s Countermeasure ................................... 66
Example 6 .................................................................................................... 67
4.4 Retrieve Secret Key Attack ........................................................................ 68
4.4.1 Protected Montgomery Ladder RSA Left-to-Right Algorithm ........... 68
viii
4.4.2 RSK Attack against the Protected Montgomery Ladder RSA Left-to-
Right Algorithm ........................................................................................... 68
Example 7 .................................................................................................... 70
4.4.3 Protected Montgomery Ladder RSA Right-to-Left Algorithm ........... 70
4.4.4 RSK Attack against the Protected Montgomery Ladder RSA Right-to-
Left Algorithm ............................................................................................. 71
Example 8 .................................................................................................... 72
4.5 Summary ..................................................................................................... 72
Chapter Five Proposed Fault Attack against Elliptic Curve Cryptosystem .. 74
5.1 Introduction ................................................................................................. 74
5.2 Mathematical Background .......................................................................... 76
5.2.1 ECC Key Generation .......................................................................... 76
5.2.2 ECC Encryption .................................................................................. 77
5.2.3 ECC Decryption .................................................................................. 77
5.2.4 ECC Signature ..................................................................................... 77
5.2.5 General Weierstrass Elliptic Curves Background ............................... 78
5.2.6 Montgomery Elliptic Curves Background .......................................... 79
5.3 Montgomery Ladder Algorithms ................................................................ 81
5.3.1 Left-to-Right Montgomery Ladder Algorithms .................................. 81
5.3.2 The Fault Point Attack against Left-to-Right Montgomery Ladder
Algorithm ..................................................................................................... 82
Example 1 .................................................................................................... 84
5.3.3 The Right-to-Left Montgomery Ladder Algorithm ............................ 84
5.3.4 Fault Point Attack against Right-to-Left Montgomery Ladder
Algorithm ..................................................................................................... 84
Example 2 .................................................................................................... 86
5.4 Coron’s Algorithms .................................................................................... 86
5.4.1 Left-to-Right Coron Algorithm ........................................................... 87
ix
5.4.2 Fault Point Attack against Left-to-Right Coron Algorithm ................ 87
Example 3 .................................................................................................... 89
5.4.3 Right-to-Left Coron Algorithm ........................................................... 89
5.4.4 Fault Point Attack against Right-to-Left Coron Algorithm ................ 90
Example 4 .................................................................................................... 92
5.5 Joye’s Algorithms ....................................................................................... 92
5.5.1 The Left-to-Right Joye-Yen Algorithm .............................................. 92
5.5.2 Fault Point Attack against Left-to-Right Joye-Yen Algorithm ........... 92
Example 5 .................................................................................................... 94
5.5.3 The Right-to-Left Joye Algorithm ...................................................... 94
5.5.4 Fault Point Attack against the Right-to-Left Joye Algorithm ............. 95
Example 6 .................................................................................................... 96
5.6 Summary ..................................................................................................... 97
Chapter Six Implementation of Proposed Attacks on RSA and ECC by
Arduino Mega2560 Hardware ........................................................................... 98
6.1 Introduction ................................................................................................. 98
6.2 Hardware Implementation of proposed RSK attack on RSA Algorithm by
using Arduino Mega2560 ................................................................................. 99
6.2.1 Description of a general IoT device .................................................... 99
6.2.2 Preparing the victim device ................................................................. 99
6.2.3 Generic plan to attack an IoT device ................................................ 101
6.2.4 Implementation Time of RSK Attack against RSA Program ........... 109
6.3 Maple and MATLAB: A Comparison ...................................................... 110
Example ..................................................................................................... 111
6.4 Summary ................................................................................................... 111
Chapter Seven Summary, Conclusion & Future work .................................. 113
7.1 Summary ................................................................................................... 113
7.2 Conclusion ................................................................................................ 114
x
7.3 Future work ............................................................................................... 115
References .......................................................................................................... 117
Appendices ......................................................................................................... 138
Appendix A ..................................................................................................... 138
A.1 Example 5 ............................................................................................ 138
A.2 Example 6 ............................................................................................ 139
A.3 Example 7 ............................................................................................ 140
A.4 Example 8 ............................................................................................ 142
Appendix B ..................................................................................................... 144
B.1 example 1 ............................................................................................ 144
B.2 Example 2 ............................................................................................ 145
B.3 Example 3 ............................................................................................ 147
B.4 Example 4 ............................................................................................ 149
B.5 Example 5 ............................................................................................ 151
B.6 Example 6 ............................................................................................ 154
Appendix C ..................................................................................................... 157
C.1 Implementation Examples of Fault Factoring (FF) Attack Algorithms
against RSA-CRT by Using Arduino Hardware ............................................ 157
C.1.1 Implementation of FF Attack against RSA-CRT Signature Algorithm
Protected by Modified Shamir’s Countermeasure ..................................... 157
FF Attack Algorithm against RSA-CRT Signature Algorithm Protected by
Modified Shamir’s Countermeasure ........................................................ 157
Example of the Implementation Process .................................................. 158
C.1.2 Implementation of the FF Attack against RSA-CRT Signature
Algorithm Protected by Simplified Vigilant’s Countermeasure ................ 160
FF Attack Algorithm against RSA-CRT Signature Algorithm Protected by
Simplified Vigilant’s Countermeasure ..................................................... 160
Example of the Implementation Process .................................................. 161
xi
C.2 Implementation Examples of RSK Attack against Protected RSA
Montgomery Ladder Algorithms by using Arduino Hardware ...................... 164
C.2.1 Implementation of RSK Attack Algorithm against Protected RSA
Montgomery Ladder Left-to-Right Algorithm .......................................... 164
RSK Attack Algorithm against Protected RSA Montgomery Ladder Left-
to-Right Algorithm ................................................................................... 164
Example of the Implementation Process .................................................. 165
C.2.2 Implementation of RSK Attack against Protected RSA Montgomery
Ladder Right-to-Left Algorithm ................................................................ 167
RSK Attack Algorithm against Protected RSA Montgomery Ladder Right-
to-Left Algorithm ..................................................................................... 167
Example of the Implementation Process .................................................. 168
C.3 Implementation Examples of Proposed Attacks against ECC by Using
Arduino Hardware .......................................................................................... 170
C.3.1 Implementation of Fault Point Attack against Left-to-Right ECC
Montgomery Ladder Algorithm ................................................................. 171
Fault Point Attack against Left-to-Right ECC Montgomery Ladder
Algorithm ................................................................................................. 171
Example of the Implementation Process .................................................. 172
C.3.2 Implementation of Fault Point Attack against Right–to-Left ECC
Montgomery Ladder Algorithm ................................................................. 174
Fault Point Attack against Right–to-Left ECC Montgomery Ladder
Algorithm ................................................................................................. 174
Example of the Implementation Process .................................................. 176
C.3.3 Implementation of the Fault Point Attack against Left-to-Right Coron
Algorithm ................................................................................................... 178
Fault Point Attack against Left-to-Right Coron Algorithm ..................... 178
Example of the Implementation Process .................................................. 179
C.3.4 Implementation of Fault Point Attack against Right-to-Left Coron
Algorithm ................................................................................................... 181
xii
Fault Point Attack against Right-to-Left Coron Algorithm ..................... 181
Example of the Implementation Process .................................................. 182
C.3.5 Implementation of Fault Point Attack against Left-to-Right Joye-Yen
Algorithm ................................................................................................... 184
Fault Point Attack against Left-to-Right Joye-Yen Algorithm ................ 184
Example of the Implementation Process .................................................. 185
C.3.6 Implementation of the Fault Point Attack against Right-to-Left Joye
Algorithm ................................................................................................... 188
Fault Point Attack against Right-to-Left Joye Algorithm ........................ 188
Example of the Implementation Process .................................................. 189
Appendix D ..................................................................................................... 192
Appendix E ..................................................................................................... 197
Appendix F ..................................................................................................... 209
Appendix G ..................................................................................................... 216
xiii
List of Figures
Figure 1.1 Scenario 1 of fault injection attack ........................................................ 2
Figure 1.2 Scenario 2 of Fault Injection Attack ...................................................... 3
Figure 3.1 General Architecture of EEPROM ...................................................... 44
Figure 3.2 EEPROM Cell Configuration .............................................................. 45
Figure 3.3 Floating Gate Operation. ...................................................................... 45
Figure 6.1 Handshake Program. ............................................................................ 99
Figure 6.2 RSA MATLAB Script. ...................................................................... 100
Figure 6.3 ECC MATLAB Script. ...................................................................... 101
Figure 6.4 the Main Components of Arduino Mega2560 ................................... 102
Figure 6.5 Block Diagram of the Plan of Attack. ................................................ 103
Figure 6.6 Screen Shot of the First 26 Locations of EEPROM Content. ............ 105
Figure 6.7 RSK Attack Algorithm against RSA Algorithm ................................ 108
xiv
List of Algorithms
Algorithm 2.1 RSA-CRT Signature Using Garner’s Algorithm Protected by
Modified Shamir’s Countermeasure ..................................................................... 17
Algorithm 2.2 RSA-CRT Signature with Garner’s Algorithm Protected by
Simplified Vigilant’s Countermeasure .................................................................. 18
Algorithm 2.3 Protected Montgomery Ladder RSA Left-to-Right Algorithm ..... 22
Algorithm 2.4 Protected Montgomery Ladder RSA Right-to-Left Algorithm ..... 23
Algorithm 2.5 The Left-to-Right Montgomery Ladder Algorithm ....................... 30
Algorithm 2.6 The Right-to-Left Montgomery Ladder Algorithm ....................... 31
Algorithm 2.7 The Left-to-Right Coron Algorithm. ............................................. 31
Algorithm 2.8 The Right-to-Left Coron Algorithm .............................................. 32
Algorithm 2.9 The Left-to-Right Joye-Yen Algorithm ......................................... 32
Algorithm 2.10 The Right-to-Left Joye Algorithm ............................................... 33
Algorithm 4.1 FF Attack against Algorithm 2.1 ................................................... 65
Algorithm 4.2 FF Attack against Algorithm 2.2 ................................................... 66
Algorithm 4.3 RSK Attack against Algorithm 2.3 ................................................ 69
Algorithm 4.4 RSK Attack against Algorithm 2.4 ................................................ 71
Algorithm 5.1 Fault Point Attack against Algorithm 2.5 ...................................... 83
Algorithm 5.2 Fault Point Attack against Algorithm 2.6 ...................................... 85
Algorithm 5.3 Fault Point Attack against Algorithm 2.7 ...................................... 88
Algorithm 5.4 Fault Point Attack against Algorithm 2.8 ...................................... 90
Algorithm 5.5 Fault Point Attack against Algorithm 2.9 ...................................... 93
Algorithm 5.6 Fault Point Attack against Algorithm 2.10 .................................... 96
Algorithm C.1.1 The FF Attack Algorithm against RSA-CRT Signature
Algorithm Protected by Modified Shamir’s Countermeasure ............................. 157
Algorithm C.1.2 FF Attack Algorithm against RSA-CRT Signature Algorithm
Protected by Simplified Vigilant’s Countermeasure ........................................... 160
Algorithm C.2.1 RSK Attack against Protected RSA Montgomery ladder Left-to-
Right Algorithm .................................................................................................. 164
Algorithm C.2.2 RSK Attack against Protected RSA Montgomery ladder Right-
to-Left Algorithm ................................................................................................ 167
Algorithm C.3.1 The Fault Point Attack against Left-to-Right ECC Montgomery
Ladder Algorithm ................................................................................................ 171
Algorithm C.3.2 Fault Point Attack against Right–to-Left ECC Montgomery
ladder algorithm .................................................................................................. 175
Algorithm C.3.3 Fault Point Attack against Left-to-Right Coron Algorithm ..... 178
Algorithm C.3.4 Fault Point Attack against Right-to-Left Coron Algorithm ..... 181
Algorithm C.3.5 Fault Point Attack against Left-to-Right Joye-Yen Algorithm 184
Algorithm C.3.6 Fault Point Attack against the Right-to-Left Joye Algorithm .. 188
xv
List of Tables
Table 2.1 Comparison of Six Original ECC Algorithms ...................................... 34
xvi
List of Acronyms
AES ………………. Advanced Encryption Standard
Alg ……………….. Algorithm
AMQP …………….. Advanced Message Queuing Protocol
ANSI ……………… American National Standards Institute
ANSSI …………….. Information Security Agency
ARM Cortex M3 ….. A 32-bits Processor from ARM Company
Chap ……………….. Chapter
CNSA ……………… Commercial National Security Algorithm
CoAP ………………. Constrained Application Protocol
CPU ………………... Central Processing Unit
CRT ………………... Chinese Remainder Theorem
DFA ………………... Differential Fault Analysis
DPA ………………... Differential Power Analysis
EBNS ………………. Elevated Binary Number System
EC ………………….. Elliptic Curve
ECC ………………... Elliptic Curve Cryptosystems
ECDLP ……………. Elliptic Curve Discrete Logarithm Problem
ECDSA ……………. Elliptic Curve Digital Signature Algorithm
ECSM ……………… Elliptic Curve Scalar Multiplication
EdDSA …………….. Edwards-Curve Digital Signature Algorithm
EEPROM …………... Electrically Erasable Programmable Read-
Only Memory
EM …………………. External Electromagnetic
ES ………………….. Exponent Splitting
FA ………………….. Fault Attack
FF …………………... Fault Factoring Attack
FGT ………………... Floating Gate Transistor
FPGA ………………. Field-Programmable Gate Array
GMP ……………….. Good Manufacturing Practice
HAL ………………... Hardware Abstraction Layer
I/O ………………….. Input / Output
IoT …………………. Internet Of Things
xvii
LS-designs …………. Bitslice S-Box S And L-Box L Block Cipher Family-
designs
MCU ……………….. Microcontroller Unit
MOS ……………….. Metal Oxide Semiconductor
MQTT ……………… Queue Telemetry Transport
NIST ……………….. National Institute Of Standards And Technology
NP ………………….. Non Complete
NVM ……………….. Non-Volatile Memory
OSCCA …………….. Chinese Commercial Cryptography Administration
Office
PA ………………….. Power Attacks
PD ………………….. Phase Detector
PR ………………….. Point Randomization
PRIDE ……………... Lightweight Block Cipher
PUF ………………… Physical Unclonable Functions
RAM ……………….. Random Access Memory
RFID ……………….. Radio Frequency Identification
RNS ………………... Residue Number System
RNSMMM …………. Residue Number System Montogmery Modular
Multiplication
RO …………………. Ring-Oscillator
ROM ……………….. Read Only Memory
RPL ………………… Routing Protocol For Low Power And Lossy Networks
RSA ………………... Rivest–Shamir–Adleman
RSA-CRT ………….. Rivest–Shamir–Adleman with Chinese Remainder
Theorem
RSK ………………... Retrieve Secret Key
Scrt .……………….. Signature with Chinese Remainder Theorem
SCAs ………………. Side Channels Attacks
Scrte ……………….. Fault Signature with Chinese Remainder Theorem
SDRAM …………… Synchronous Dynamic Random-Access Memory
SM .……………… Sequence Masking
SOCs ..…………… System On Chip
xviii
SPA ..….………….. Simple Power Attack
SRAM …………….. Static Random Access Memory
SSL/TLS ………….. Secure Sockets Layer/ Transport Layer Security are
cryptographic protocols designed to provide
communications security over a computer network
ST …………………. Select Transistor
TANOS ..…………. Tan/Al2O3/Si3N4/Sio2/Si
TFN ………..……… Triangular Fuzzy Number
U.S. ……………….. United States
VT ………………… Threshold Voltage
WolfSSL …………... is an embedded SSL/TLS library providing secure
communication for IoT
WSN ………………. Wireless Sensor Network
1
Chapter One Introduction
1.1 Background
Public key cryptography systems especially RSA and ECC were being used for the
protection of the data stored in hardware devices for many years and they are still
being used until now. In this thesis, IoT devices have been taken as an example of
hardware devices with small size and limited resources.
IoT represents a future worldwide information network system that will be used to
promote advanced technological activities and services. This information network
will make use of numerous instruments such as sensors, actuators, RFID tags or
mobile devices for the purpose of sensing, tracing, detecting and gathering data
about the user’s environment [YZV 2014].
The widespread deployment of IoT has a positive impact on everyday human life.
It enhances human interaction with the natural and social environment. It increases
our interest in other people and objects. Developing efficient applications for the
IoT is generally considered a difficult and complicated task for several reasons:
(i) The complex nature of distributed computing.
(ii) The absence of any basic principles or commonly acceptable guidelines that
control the process of low-level communication or facilitate high level
implementation.
(iii) The lack of a unified programming language and diversity in communication
protocols.
These complications have led IoT experts to consider developing new techniques
that can provide proper solutions to the above-mentioned difficulties [ARC 2018,
p. 8]. Cisco considers that IoT will grow to nearly 50 billion installed units by 2020
[Eva 2011].
Bashir in [BM 2018] considers that IoT architecture consists of three layers [MJ
2015], namely physical/perception layer, network layer and application layer. The
physical or perception layer has sensors for collecting data from the environment.
It senses physical parameters and transmits this accumulated data to other smart
objects. Low energy communication protocols and technologies such as IEEE
802.15.4 [IEEE 802 2011], ZigBee [ZigBee 2006], ISA 100.1a [ISA 2009] and
Wireless HART [KHPD 2008] are exploited to convey collected data to other IoT
2
objects. The network layer consists of low-power protocols such as RPL (Routing
Protocol for Low Power and Lossy Networks) [Win 2012] for interchange of data
with other IoT nodes.
The application layer consists of IoT middleware and includes various applications
like (smart cities, industries, transportation, etc) in which IoT information network
can be employed. Some protocols used at the application layer include CoAP
(Constrained Application Protocol) [BCS 2012], MQTT (Message Queue
Telemetry Transport) [Loc 2010] and AMQP (Advanced Message Queuing
Protocol) [AMQP 2012]. These protocols are specially designed for resource
constrained networks like IoT.
1.2 Example Application
The Internet of Things (IoT) plays a vital role in modern societies. It covers many
areas of human daily life and activities such as medical services, transportation,
household appliances, entertainments, sports, etc. Figure 1.1 demonstrates scenario
1 of fault injection attack proposed in this thesis.
Figure 1.1 Scenario 1 of fault injection attack
Sender Receiver
Scenario 1
1. Sends
Message 5. Receives
Verified Message
Signature
algorithm Verification
algorithm
3. Signed Message
sent by attacker
4. Message is
verified as the
attacker uses
the secret
components of
the sender in
signing the
message
2. Injects a fault
on the signature
algorithm
computations to
factorize RSA
modulus n Attacker
Verification
Device
Signature
Device
3
In scenario 1 a sender sends a message to the receiver but for authentication purpose
he will sign it. Therefore, he will send his message to the signature device so a
signature will be added to the message. The attacker who has an access to the
signature device will try to retrieve the secret components of this device. To achieve
his goal, the attacker will inject a fault in the computations of the signature
algorithm, and by using this fault result he will factorize modulus n of RSA
cryptography systems. Then he will use the secret components p and q to sign a
new message and send it instead of the sender’s message. The verification device
will verify the message as the attacker will use the same secret components of the
sender. Finally, the receiver will receive a verified message from the attacker
instead of the sender.
Figure 1.2 Scenario 2 of Fault Injection Attack
Figure 1.2 demonstrates scenario 2 of the fault injection attack proposed in this
thesis. In scenario 2 a sender wants to send an encrypted message to the receiver.
Therefore, he will send the message to the encryption device. The message will be
encrypted by using the public key components of the receiver. Then the message
will be sent to the decryption device on the other side. The attacker who has an
Scenario 2
Sender Receiver
1. Sends
Message
5. Receives
decrypted Message
Encryption
algorithm
Decryption
algorithm
Decryption
Device Encryption
Device
3. Encrypt Message
sent by sender
4. Attacker injects a
fault in the
computation of
decryption algorithm
and retrieve secret
key and decrypts the
received message Attacker
2. Encrypts
the message
by using the
public key of
the receiver
4
access to the decryption device will try to retrieve the secret components of this
device. The attacker will inject a fault in the computation of decryption algorithm
and by using this fault result he will retrieve the components of the secret key of
cryptography systems. Then he will use the secret key components to decrypt the
message he gets and any other message he gets in the future. Finally, the decryption
device will decrypt the message and send it to the receiver.
I have used Internet of Things (IoT) devices to implement my proposed attacks on
them. Internet of Things (IoT) includes a big number of smart devices that can swap
sensed data by using online services. Smart devices can collect healthcare
information about human beings and send them to a health center. Since such
healthcare information may be very confidential or crucial, the process of
transferring data must be secured. Signature-based schemes are one of the
techniques which can be used to secure this communication process. Smart devices
need a special type of signature-based schemes with lightweight calculations
because these devices have restricted resources.
Mughal et.al in [MLUUM 2018] demonstrate a light-weight reduced complicated
digital signature algorithm for transferring secure data between smart devices in
human centred IoT. Mughal and his fellow researchers have utilized less wide
operations to accomplish signature and verification processes. They have also
presented multiple options in the choice of the parameter to utilize a signature
verification pair of expressions at specific index to ensure the security of critical
documents. They claim that their approach improves the security level against
traffic analysis attacks. To test the efficiency of their technique, they have subjected
their scheme and a number of existing digital signature schemes to an experimental
operation. The results show the superiority of their scheme to other existing
schemes.
1.3 Problem Overview
The main objective of this research work is to examine the suitability of current
RSA and elliptic curve security techniques implemented on small devices with
limited resources by highlighting the security risks that threaten these hardware
devices through the software used to program and control them rather than their
hardware components. Most designers of hardware devices concentrate on
developing countermeasures that can provide full protection to their hardware
5
against fault and side-channel attacks, yet they do not pay due attention to software
attacks against their devices. This issue is gaining more attention in consequence of
the fast development of IoT devices and the highly important and confidential
information that is stored in them or interchanged between them. Most IoT devices
such as mobile phones, WSN nodes etc. can be reprogrammed and updated through
wired or wireless connections. If an intruder has the opportunity to get control over
the software that is used to program or update these devices, then that may threaten
all the information inside them. Therefore, the research question will be
Research Question: How can a fault attack utilizing software used to program
EEPROM threaten hardware devices like IoT devices?
Answer: To answer this question I propose new fault attacks against two
cryptosystems RSA and ECC by using the technique of safe error fault attack and
the software used to program EEPROM where algorithms of these cryptosystems
are stored. The new proposed fault attacks will warn designers of hardware devices
of the security risks their devices may face on the programming level.
1.4 Thesis Aims and Significance
The aims of this thesis can be summarized into the following:
• Investigating the security of hardware devices as far as the software used
to program them is concerned.
According to chapter 2 (sections 2.5.2 and 2.7.1.1) and chapter 3 (sections
3.4.1, 3.4.4 and 3.4.5) of this thesis there were attempts to apply fault attacks
against hardware devices by targeting the software used to program them.
However, such attacks were very limited and constrained as attackers
focused more on the hardware level than the software level.
• Exploring any attempts to inject faults in cryptography algorithms stored
in EEPROM by utilizing the software used to program the EEPROM
No one has tried this approach yet. The researchers tried to introduce a
hardware fault by changing register values or memory locations. However,
some researchers try to utilize the software level when attacking hardware
devices but they usually target the processing stage of a program by making
it skip some instructions and thus generating the fault value they need.
6
• Examining the possibility of the process of injecting a fault in
cryptography algorithm stored in EEPROM by utilizing the software used
to program the EEPROM.
According to the analyses on EEPROM explicated in chapter 3 of this
research work, this process is possible. This conclusion is based on the first
concept in section 3.5 which states that “a specific portion of EEPROM
memory devices can be reprogrammed without any need to remove the
EEPROM from its original position. The reprogamming process can be
achieved without resort to erasing all memory cells [Lan 2015, chap. 6].
The significance of this research lies in the fact that it proposes, for the first time, a
fault attack against two public key cryptosystems RSA and Elliptic Curve through
attacking the software used to program EEPROM. The proposed fault attacks reveal
the security risks that could threaten hardware devices through the software used to
program and update them. The attacker may try a connection with a victim hardware
device through wired or wireless connection depending on the physical
environment. In either case he can use a suitable software to deal with hardware
devices to get the information he wants. The victim hardware devices may be an
IoT device which has critical information like bank accounts or any kind of
important personal or confidential information.
1.5 Thesis Contributions
The contributions of this thesis may be summarized as follows:
1. I built a programming platform to implement two public key systems (RSA and
Elliptic Curve) by using Maple 2017. I used this software platform to analyse the
procedures of these cryptographic systems.
2. I studied and analysed attacks against RSA and Elliptic Curve by reviewing
previous related work.
3. I reviewed existing literature on EEPROM hardware devices to achieve the
second and third aims of this thesis.
4. I proposed two new fault attacks against RSA cryptosystems to highlight security
issues against hardware devices through the software used to program them. The
first one was the fault factorizing attack (FF) which factorized the RSA modulus by
applying a fault attack on the two RSA-CRT Signature Garner’s algorithms. I also
7
proposed a retrieve secret key (RSK) attack which was able to retrieve the secret
key d by applying a fault attack on both versions of Protected Montgomery Ladder
RSA: “Left-to-Right” and “Right-to-Left” algorithms.
5. I implemented the two attacks FF and RSK by using Intel (R) Core (TM) i7-
4500 CPU 2.4 GHZ with 8 GB RAM as a hardware platform and Windows 7 as the
operating system. Maple 2017 was chosen as the software platform as it contains a
cryptography package designed for cryptographic arithmetic operations.
6. I proposed a fault point attack on six scalar multiplications algorithms of ECC
which include both versions “Left-to-Right” and “Right-to-Left” of Montgomery,
Coron and Joye algorithms. The fault attack proposed is used to demonstrate
security issues against hardware devices through software used to program them.
7. I also made a comparison between General Weierstrass and Montgomery Elliptic
Curves equations. I used the General Weierstrass Elliptic Curves equations because
they compute the two coordinates x and y of the point in the same step.
8. I implemented a fault point attack on six ECC algorithms by using Intel (R) Core
(TM) i7-4500 CPU 2.4 GHZ with 8 GB RAM as a hardware platform and Windows
7 as the operating system. I selected Maple 2017 as a software platform because it
contains a cryptography package designed for cryptographic computation
operations.
9. I complemented the implementation of all attack algorithms against RSA and
ECC by using Arduino Mega2560 hardware. The total number of attack algorithms
which had been implemented were ten: four against RSA algorithms and six against
Elliptic Curve Cryptosystem (ECC) algorithms.
10. All the fault attacks I proposed inject a fault in the computations of a
cryptography algorithm stored in EEPROM after it is loaded in the RAM of the
same hardware device by modifying the original algorithm through utilizing the
software used to program EEPROM. I used the fault result generated to retrieve the
secret key.
11. I improved the efficacy of safe error attack by eliminating the fault result I have
generated. Therefore, any test-free procedures cannot detect my proposed fault
attacks, and therefore, they will fail to protect algorithms against such attacks.
8
1.6 Chapter Summary
The thesis is organized into the following chapters:
Chapter 1 provides a background of IoT devices by highlighting the impact of their
low resources features and EEPROM circuits used inside them on their information
security. It also presents an IoT application example, followed by a thorough
discussion of the thesis problem. Then, the thesis aims and significance are
discussed. Next, the thesis contributions are clarified. Finally, the chapter summary
of the thesis is presented in section 1.6.
Chapter 2 presents a literature review of the RSA and ECC public key
cryptosystems. It also refers to the related research works that deal with fault attacks
against these public key cryptosystems including physical types of fault attacks and
fault attack goals. This chapter also offers a review of fault attacks against RSA,
ECC and their countermeasures.
Chapter 3 provides a review of EEPROM including EEPROM architecture,
EEPROM programming and attacks on EEPROM memory devices.
Chapter 4 presents two fault attacks proposed against RSA cryptosystems. I propose
the fault factoring attack (FF) which factorizes the RSA modulus by applying a fault
attack on two RSA-CRT Signature Garner’s algorithms. The first one is protected
by Modified Shamir’s Countermeasure and the second one is protected by
Simplified Vigilant’s Countermeasure. I also propose a retrieve secret key (RSK)
attack which can retrieve the secret key d by applying a fault attack on both
Protected Montgomery Ladder RSA versions “Left-to-Right” and “Right-to-Left”
algorithms. All attack algorithms proposed in this chapter are implemented using
Maple software.
Chapter 5 demonstrates the proposed fault point attacks on both versions “Left-to-
Right” and “Right-to-Left” of Montgomery, Coron and Joye algorithms. It also
includes a comparison between General Weierstrass Elliptic Curves and
Montgomery Elliptic Curves equations. All attack algorithms proposed in this
chapter are implemented using Maple software.
9
Chapter 6 describes the implementation examples of ten attack algorithms proposed
in chapters four and five against RSA and ECC cryptosystems by using Arduino
Mega2560 hardware and MATLAB 2017b as a software platform.
Chapter 7 provides the summary, conclusions and future work of the thesis.
10
Chapter Two Literature Review
2.1 Introduction
This chapter includes numerous references to related literature for the sake of
comparison and contrast, and in order to enrich this thesis with expert ideas,
techniques and approaches used in previous research projects.
2.2 Background
2.2.1 Triangular Fuzzy Number TFN
A triangular fuzzy number [ABKA 2017] denoted by M=<m, α, β> has the
membership function
𝜇𝑀(𝑥) =
{
0 𝑓𝑜𝑟 𝑥 ≤ 𝑚−∝
1 −𝑚 − 𝑥
𝛼 𝑓𝑜𝑟 𝑚−∝< 𝑥 < 𝑚
1 𝑓𝑜𝑟 𝑥 = 𝑚
1 − 𝑥 − 𝑚
𝛽 𝑓𝑜𝑟 𝑚 < 𝑥 < 𝑚 + 𝛽
0 𝑓𝑜𝑟 𝑥 ≥ 𝑚 + 𝛽
The point m, with membership function grade of 1 is called the mean value while
α and β are the left-hand and the right-hand spreads of M respectively.
2.2.2 Residue Number System (RNS)
An RNS [SS 2017] base B defines a set of L relatively prime base components m1,
m2, …, mL called “moduli.”. Each base is linked with a corresponding range M,
given by the product of all moduli, i.e.,
𝑀 =∏𝑚𝑖
𝐿
𝑖=1
Any integer X ϵ [0,M-1] has a unique RNS representation �⃗� = {𝑥1, 𝑥2, … , 𝑥𝐿} = {⟨𝑋⟩𝑚1
, ⟨𝑋⟩𝑚2, … , ⟨𝑋⟩𝑚𝐿
}, where ⟨𝑋⟩𝑚𝑖 denotes the operation X mod mi.
2.2.3 Side-Channel attacks
This kind of attacks use monitoring of changes which happen to the physical
parameters, such as calculation of timings or power utilisation, which are analysed
utilizing statistical tools to infer links between physical measurements and internal
secret values. [AT 2018].
11
2.2.4 Differential Fault Analysis DFA
DFA is a specific physical attack that compares the outcomes of a correct
calculation to one faulty outcome which has been made by an attacker at a particular
time, in order to deduce information about the secret key bits. [LCFS 2017].
2.2.5 Differential power analysis DPA
DPA which is proposed by Kocher et al. [KJJ 1999] is a kind of extensively used
side-channel attack that effectively recovers the secret key from several (normally
noisy) power utilisation measurements. [WYSLGG 2018].
2.2.6 Simple power analysis SPA
SPA provides information about a cryptography system by inspecting a single
power trace. SPA can retrieve two types of information. SPA high level can
recognize various instructions or block of instructions that are executed on the
device. On the other hand, the lower level of SPA can retrieve the values of the
operands included in each elementary instruction specifically for load and store
operations, when this data is read from or written to the bus. [CMW 2014].
2.3 Public key Cryptosystems
2.3.1 RSA Cryptosystems
I present in this section some research papers which deal with the latest
developments that have been made on RSA algorithms to make them more resistant
to side-channel and fault attacks. These recent papers confirm that RSA algorithms
are still considered as important techniques that can be effectively used to secure
multiple applications like IoT devices. These papers can be summarized as follows:
Abdullah et al. in [ABKA 2017] propose RSA algorithm that depends on fuzzy set
theory and uses Triangular Fuzzy Number TFN to represent encryption and
decryption texts. The benefit of using TFN mathematical functions in encrypting
plaintext and decrypting cipher text is to create difficulty to the attacker when
dealing with these cryptosystems. The authors claim in their paper that the same
concept can be applied on other cryptosystems.
Schinianakis and Stouraitis in [SS 2017, chap. 12], demonstrate how Residue
Number System (RNS) can be used to enhance the security of public-key
cryptography algorithms (RSA and ECC). The most recent developments in the
12
Residue Number System RNS which is used in RSA and ECC cryptography
systems are based on the research efforts of Bigou and Tisserand [BT 2015].
The First, they explain the meaning of RNS and provide all mathematical
background required to deal with this number system. Then they illustrate a
complete RNS Montgomery modular multiplication RNSMMM algorithm which is
based on utilizing RNS in his mathematical computations. Finally, they implement
the RNSMMM in both RSA and ECC cryptography schemas and show how they
will enhance their resistance against fault attacks as the modulus set is changed.
2.3.2 Elliptic Curve Cryptosystems (ECC)
I present in this section some research papers which deal with the latest
improvements that have been made on ECC algorithms to make them more resistant
to side- channel and fault attacks. These recent papers state that ECC cryptosystems
can still be used to secure multiple applications like IoT devices. These papers can
be summarized as follows:
Chen in [Che 2017] proposes an effective hardware architecture for Montgomery
powering ladder (MPL) protected by a countermeasure that utilizes a mix of
sequence masking (SM), exponent splitting (ES) and point randomization (PR) [He
2013]. He also implements his proposed hardware architecture on FPGA. The SM
technique [FV 2006] appends a mask to the base point P to create a masked MPL.
The ES technique [CJ 2001] splits the scalar d into two parts by using a random
number, so that dP will be the result of (rP + (d-r)P). The PR is the first
countermeasure proposed by Coron [Cor 1999]. In this technique, the
representation of the secret exponent d is changed to 𝑑′ = 𝑑 + 𝑘#𝜀, where k is a
random number and #𝜀 is number of all points on the curve E. The author shows
that simple power, computation safe-error and doubling attacks have no effect on
MPL. However, relative doubling, memory safe-error and comparative power
analysis attacks are effective on MPL. Nevertheless, the author states that MPL,
when protected by SM, ES and PR, can resist SCAs, relative doubling, comparative
power analysis, and high-order attacks.
Huang in [Hua 2017] develops some scalar multiplication algorithms based on an
elevated binary number system (EBNS) proposed by him to enhance their resistance
against side-channel attacks. The EBNS is a number system similar to the binary
system, but it deals with the set {1, 2} instead of set {0, 1} in the normal binary
13
system. The author studies two scalar multiplication algorithms which are doubling-
and-add always and Montgomery powering ladder (MPL) algorithms. He shows
that doubling-and-add always algorithm is vulnerable to doubling [FV 2003] and
computation safe-error [SKLM 2001] attacks. He also demonstrates that MPL
algorithm is vulnerable to relative doubling [YKMH 2006] and memory safe-error
[YJ 2000] attacks. The author also investigates some countermeasures like
exponent splitting [CJRR 1999] and [FV 2006], masked MPL [FV 2006] and
sequence masking [Cor 1999]. He discusses the level of protection that each
countermeasure can provide and the kinds of attacks that can affect them. Then, he
proposes one left-to-right and five right-to-left algorithms. Their mathematical
computations depend on EBNS. The proposed algorithms have the same level of
security compared with other existing algorithms and a higher calculation
efficiency. He claims that one of his proposed right-to-left algorithms is not affected
by Park’s fault attack [PBMCKH 2009]. He also extended all above algorithms to
deal with elevated high radix number system. The elevated high radix number
system is an extension of ENBS as its base is integer m and its set is {1,2,…,m}.
He presents a detailed discussion about the security and efficiency of his proposed
algorithms confirming that they provide a significant improvement in security and
performance levels compared with other existing algorithms.
Lalonde in [Lal 2017] builds a platform to analyse and test side-channel attacks
against an extensive range of cryptosystems to highlight vulnerabilities of
cryptographic hardware on various levels. The author implements a successful
differential power analysis against AES-128. He also examines a range of scalar
multiplication algorithms in terms of security and efficiency. He states that m-ary
Joye [Joy 2009a] algorithm is more powerful than Montgomery’s Ladder [JY 2002]
as it is regular and can resist timing, computation and memory safe-error attacks.
Furthermore, m-ary Joe algorithm resists power analysis.
2.4 Fault Attacks on Public Key Cryptosystem
Fault attacks are a kind of attacks that try to inject a fault into the computation of a
cryptographic device to get fault result which may help an attacker to retrieve
private information. A physical type of fault injection, elementary fault properties,
and fault attack goals will be depicted in this section.
14
2.4.1 Physical Types of Fault Attacks
A fault attack is classified as an active attack. In this kind of attacks two categories
of fault injection techniques can be identified. The first one is the global fault
injection techniques which use low cost equipment and create troubles on global
parameters like power supply, voltage, etc. The attacker who uses the global
techniques needs to perform several injections to get the required fault. However,
the second one is the local fault injection techniques which are more expensive as
they use high cost equipment but they are more precise in identifying fault location
[PBR 2017].
Various techniques are used to inject a fault into cryptographic devices. Some of
them are described below.
2.4.1.1 Below-Powering
One of the low-cost fault injection methods is the underpowering of a device power
[KSV 2013, p. 2296]. The fault obtained in such kind of fault injection has no
precise time. Therefore, faults occur uniformly throughout the calculations, and the
attacker must have the ability to eliminate any unwanted result that does not support
his goal.
Power spikes [KK 1999], [BGV 2011] and [ABFHS 2002] is another method of
inducing a fault in the computation by changing power of a device. This kind of
fault, which tampers with the power supply of the device, is more precise. Power
spikes may cause a memory fault or a skip of an instruction when a processor
executes a program. However, it is essential for the attacker who tries this kind of
fault injection to have access to the power supply of a device.
2.4.1.2 Clock Faults
A fault can be generated by supplying the devices with clock signals that contain
one or several pulses that are much shorter than the standard clock signal [KSV
2013, p. 2296]. This kind of fault may cause a processor to overlap by executing
two instructions or storing a wrong data in a memory location or register [KK 1999].
This kind of fault cannot be introduced in a device that uses an internal clock.
2.4.1.3 Temperature Variation
Increasing or reducing temperature out of a specific range of temperatures may
cause some electronic devices to cease operating properly, and therefore produce
15
fault results [Pet 1997] and [Sko 2002]. This kind of fault is used to alter data stored
in a memory location but cannot attack a specific portion of stored data [KSV 2013,
p. 2296].
2.4.1.4 Optical Fault
A hardware chip exposure to an intense light source can cause optical faults [KSV
2013, p. 2296]. The intense light source may be a photo flash or a laser beam [SA
2002]. A focused laser beam can cause a change in transistors state which means a
single bit in memory location can set or reset. The attacker can target the chip on
either the front side or back side. The location of the transistors is on the front side,
but since they are protected by metal layers, it is better to attack the back side of the
device. However, the attack on the backside needs a proper wavelength of the laser
beam that confirms sufficient breakthrough depth to be used. Another optical attack
is introduced by Skorobogatov in [Sko 2009]. His optical attack is based on the use
of a laser beam for the purpose of changing an EEPROM cell value.
2.4.1.5 Electromagnetic Fault
A fault can appear in function of a hardware chip or a change in memory content in
case of the hardware chip exposure to external electromagnetic (EM) field [KSV
2013, p. 2296]. This fault can cause a single bit fault [QS 2002]. The cheap way to
induce this kind of fault is by using a gas lighter [SH 2007].
2.4.2 Fault Attacks Goals
The main component which is targeted by fault attacks in a hardware configuration
is the generic processor. According to the literature [KSV 2013, p. 2297], the four
main parts of the generic processor targeted by fault attacks are inputs, data, storage
and control parts.
2.4.2.1 Fault Attacks on Input Parameters
A fault result can be obtained if a fault input is supplied to computation in a device
[Sei 2005], [BCCC 2006], [KIK 2008], [KBPQ 2008] and [BCG 2010]. This kind
of fault is very precise, but it depends on the device and its uses. One has to consider
that this kind of fault will fail in case the device is programmed to test and discover
if the input is valid or the input is taken from a non-volatile memory instead of I/O
port.
16
2.4.2.2 Fault Attacks on Data Processing Section
A fault can be introduced during computations performed by the device [BDL
1997], [BMM 2000], [BOS 2006], [FLRV 2008], [JY 2002], [JQBD 1997], [KSQL
2007], [PV 2006], [PBA 2010], [SM 2009], [SH 2008], [SM 2010] and [Wan 2004].
This kind of fault depends on the mathematical process performed by a device and
the kind of cryptosystem implemented. The same effect can be obtained if the fault
is introduced during the transfer operation of data, or stored in register or memory.
2.4.2.3 Fault Attacks on Storage Section
The storage part is more distinguishable than other parts of a hardware chip.
Therefore, it is easier for an attacker to target this part. The fault in a volatile storage
can change the intermediate results of calculations. A fault in a nonvolatile storage
can alter system parameter [KSV 2013, p. 2297].
2.4.2.4 Fault Attacks on Instruction Processing Section
A fault attack can target the flow of program execution instead of the calculations
performed by the device. In this kind of attack, the attacker targets the control part
of the process [YJ 2000], [YMH 2002] and [WW 2005]. The attack will try to
change the execution sequence of instructions or faults causing misconstruction of
specific instructions.
2.4.3 Summary
In this section, I presented some of the physical techniques used to inject a fault in
a hardware device such as below-powering, clock faults, temperature variation,
optical fault and electromagnetic fault. These techniques were used to change the
status of one or more of storage locations in memory or processor, and consequently
causing an error in the computation’s operations performed by the hardware device.
I also pointed out four main parts of generic processor which were mostly targeted
by fault attacks, i.e. inputs, data, storage and control parts.
2.5 Fault Attacks on RSA Cryptosystems
RSA is one of the widely used public-key cryptosystems in securing systems as it
can be used in both encryption and signature processes. A fault attack is one of the
methods used to extract secret information of RSA cryptosystem. According to the
literature, fault attacks against RSA can be classified into: specific algorithm fault
17
attacks, tampering with the program flow fault attacks and safe-error fault attacks
[KSV 2013, p. 2298].
2.5.1 Specific Algorithm Fault Attacks
The fault attacks in this category are directed against a specific algorithm. RSA
algorithm represents the most common target of fault attacks.
2.5.1.1 RSA - CRT Algorithm
Algorithm 2.1 represents the RSA-CRT signature using Garner’s algorithm
protected by modified Shamir’s countermeasure [RG 2014, Alg. 10] of which the
outline is presented in section 4.2.9. This algorithm has been targeted by fault
attacks proposed in this thesis. All details concerning this algorithm and the fault
attack proposed against it are given in sections 4.3.1 and 4.3.2.
Algorithm 2.1 RSA-CRT Signature Using Garner’s Algorithm Protected
by Modified Shamir’s Countermeasure
Internal INPUT (loaded from firmware): p, q, d, 𝑖𝑞 ≡q-1 mod p.
INPUT by user: message M.
OUTPUT: The CRT signature scrt of message m or error.
1. Choose a small random integer r.
2. pr p*r.
3. qr q*r.
4. If pr ≢ 0 mod p or qr ≢ 0 (mod q) then return error.
5. 𝑆𝑝𝑟 𝑀𝑑 𝑚𝑜𝑑 𝜑(𝑝𝑟) (𝑚𝑜𝑑 𝑝𝑟).
6. 𝑆𝑞𝑟 𝑀𝑑 𝑚𝑜𝑑 𝜑(𝑞𝑟) (𝑚𝑜𝑑 𝑞𝑟).
7. if 𝑆𝑝𝑟 ≢ 𝑆𝑞𝑟 (𝑚𝑜𝑑 𝑟) then return error.
8. 𝑆𝑝 𝑆𝑝𝑟 (𝑚𝑜𝑑 𝑝).
9. 𝑆𝑞 𝑆𝑞𝑟 (𝑚𝑜𝑑 𝑞).
10. 𝑆𝑐𝑟𝑡 𝑆𝑞 + 𝑞 ∗ [(i𝑞 ∗ (𝑆𝑝 − 𝑆𝑞) )(𝑚𝑜𝑑 𝑝)].
11. if 𝑆𝑐𝑟𝑡 ≢ 𝑆𝑝𝑟 𝑚𝑜𝑑 𝑝 𝑜𝑟 𝑆𝑐𝑟𝑡 ≢ 𝑆𝑞𝑟( 𝑚𝑜𝑑 𝑞) then return error.
12. return S.
Algorithm 2.2 represents the RSA-CRT signature with Garner’s algorithm
protected by simplified Vigilant’s countermeasure, the outline of which is presented
18
in section 4.2.10. This algorithm which is proposed by Rauzy and Guilley [RG
2014] represents a modification of the countermeasure suggested by Vigilant [Vig
2008]. This algorithm has been targeted by fault attacks proposed in this thesis. All
details concerning this algorithm and the fault attack proposed against it are given
in sections 4.3.3 and 4.3.4.
Algorithm 2.2 RSA-CRT Signature with Garner’s Algorithm Protected by
Simplified Vigilant’s Countermeasure
Internal INPUT (loaded from firmware): p, q, dp, dq, 𝑖𝑞 ≡q-1 mod p.
INPUT by user: message M.
OUTPUT: Message M Singing result S ≡𝑀𝑑 𝑚𝑜𝑑 𝑛, or a random value.
1. Choose a small random integer r.
2. n p*q.
3. 𝑝𝑑𝑎𝑠ℎ 𝑝 ∙ 𝑟2.
4. 𝑖𝑝𝑟 𝑝−1(𝑚𝑜𝑑 𝑟2).
5. 𝑀𝑝 𝑀 (𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).
6. 𝐵𝑝 𝑝 ∙ 𝑖𝑝𝑟.
7. 𝐴𝑝 1 − 𝐵𝑝 (𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).
8. 𝑀𝑝𝑑𝑎𝑠ℎ 𝐴𝑝 ∙ 𝑀𝑝 + 𝐵𝑝 ∙ (1 + 𝑟) (𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).
9. 𝑞𝑑𝑎𝑠ℎ 𝑞 ∙ 𝑟2.
10. 𝑖𝑞𝑟 𝑞−1(𝑚𝑜𝑑 𝑟2).
11. 𝑀𝑞 𝑀 (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).
12. 𝐵𝑞 𝑞 ∙ 𝑖𝑞𝑟.
13. 𝐴𝑞 1 − 𝐵𝑞 (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).
14. 𝑀𝑞𝑑𝑎𝑠ℎ 𝐴𝑞 ∙ 𝑀𝑞 + 𝐵𝑞 ∙ (1 + 𝑟) (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).
15. 𝑆𝑝𝑑𝑎𝑠ℎ 𝑀𝑝𝑑𝑎𝑠ℎ
𝑑𝑝 (𝑚𝑜𝑑 𝜑(𝑝𝑑𝑎𝑠ℎ)) (𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).
16. 𝑆𝑝𝑟 1 + 𝑑𝑝 ∙ 𝑟.
17. 𝑐𝑝 𝑀𝑝𝑑𝑎𝑠ℎ + 𝑛 −𝑀 + 1 (𝑚𝑜𝑑 𝑝).
18. 𝑆𝑞𝑑𝑎𝑠ℎ 𝑀𝑞𝑑𝑎𝑠ℎ
𝑑𝑝 (𝑚𝑜𝑑 𝜑(𝑞𝑑𝑎𝑠ℎ)) (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).
19. 𝑆𝑞𝑟 1 + 𝑑𝑞 ∙ 𝑟.
20. 𝑐𝑞 𝑀𝑞𝑑𝑎𝑠ℎ + 𝑛 −𝑀 + 1 (𝑚𝑜𝑑 𝑞).
19
21. 𝑆𝑑𝑎𝑠ℎ 𝑆𝑞𝑑𝑎𝑠ℎ + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑞𝑑𝑎𝑠ℎ − 𝑆𝑞𝑑𝑎𝑠ℎ)(𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ) ).
22. 𝑆𝑟 𝑆𝑞𝑟 + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝𝑟 − 𝑆𝑞𝑟)(𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ) ).
23. 𝑐𝑠 𝑆𝑑𝑎𝑠ℎ − 𝑆𝑟 + 1 (𝑚𝑜𝑑 𝑟2).
24. Return 𝑆 ≡ 𝑆𝑑𝑎𝑠ℎ𝑐𝑝𝑐𝑞𝑐𝑠 (𝑚𝑜𝑑 𝑛).
Other related research works are summarized below.
Boneh et al. in [BDL 1997] present a fault attack which is implemented on several
cryptosystems and makes use of hardware faults. They show that their attack can
be implemented on cryptosystems use Chinese remainder theorem (CRT) like RSA
and Rabin signature and can be extended to other systems with more faults. They
state that the same idea can be applied on authentication schemas like Fiat Shamir
and Schnorr identification protocols. They suggest error detection bits as a
countermeasure to prevent their attack and verify computation and protect internal
storage.
Joye et al. in [JLQ 1999] present some remarks on the security of cryptosystems
which use CRT. Their results show that careless implementation of such
cryptosystems could make them vulnerable. Their method improves Bellcore’s
result published in [BDL 1997] as Bellcore’s method requires two signatures, one
correct and one faulty, to retrieve the secret information. However, their method
needs a one fault signature and known message which means their method is more
efficient.
The presence of faults in cryptosystems could be the result of applying active
attacks on these systems by inducing errors in the behaviour of their computational
hardware devices, for example, changing ROM content, EEPROM content
updating [AK 1996], [AK 1997], [Gut 1996], [Koc 1996], [Pet 1997] and [Qui
1997]. The main goal of Joye and his team is to show the importance of the cautious
implementation of cryptosystems.
Yen et al. in [YKM 2006] try a fault attack with only one fault induced in the
computation phase to make RSA cryptosystem susceptible to factorising RSA
modulus. They show that the two protocols suggested by [YKLM 2003] to protect
RSA-CRT is still vulnerable to factorising fault attacks.
20
Schmidt and Hutter in [SH 2007] present an optical and electromagnetic fault attack
on the implementation of RSA with CRT. They inject a fault by using light beams
which switch values in SRAM of a microcontroller and that leads to fault results in
the calculation of RSA signature. The other scenario is to use spark gaps which
induce high-voltage pulses that will generate a high electromagnetic field. This
electromagnetic field will lead microcontroller to give fault results of RSA
signature computation phase. They also apply their attack to three different
decapsulation techniques. They mention that all attacks are implemented at low
cost.
Berzati et al. in [BCG 2008] present a fault injection attack which can defeat the
secure implementation of RSA-CRT proposed by Ciet and Joye [CJ 2005a]. Their
attack principle is injecting an error in one of the bytes that represent the sub
signature value Sp related to prime p which is one of the factors of modulus n of
RSA cryptosystems. They can retrieve secret exponent of 1024-bit modulus by
using 13 fault signatures and with a probability of success of 50%. They can also
improve the probability of success of their attack to 99% if they use 83 faulty
signatures instead of 13. They finally concluded that the countermeasure proposed
to secure RSA-CRT signature is not secure.
Trichina and Korkikyan in [TK 2010] describe two fault laser attacks on 32 bit
ARM Cortex M3 uses RSA-CRT as a cryptosystem to protect its information. The
laser attack is more accurate to targeting a specific area on a hardware device and
changes a specific variable.
Two conclusions can be drawn from the author’s experimental work. Firstly, their
laser attack can be applied on a chip even if a complex system on chip (SOCs) is
used and the kind of laser is a multi-layer metal technology front side laser.
Secondly, the main effect of their laser attack is to change the flow of program
execution by skipping instructions instead of changing values in hardware registers.
A fault induced in the flow of the program can attack cryptosystems protected by a
countermeasure depending on conditional instructions like modified Ciet-Joye
scheme and modified Giraud scheme which are presented in [KQ 2007a] and
improved in [KQ 2007b]. In view of these experiments, one can conculde that the
fault attacks explained in [DGRS 2009] can be successfully implemented.
21
The authors indicate that the attack equipment may have some limitations that must
be taken into consideration when they design countermeasures to prevent this
attack. The first limitation is the fact that the laser beam can only shoot twice on the
same spot during the program execution. The second limitation is that the attacker
cannot specify the time of attack according for two reasons: the recharge time of
laser beam and the delay time between the trigger signal and the shot is the same
for one run. Their experiment shows that their attack is feasible on undefended 32-
bit ARM Cortex M3. They also believe in protecting cryptosystems from laser
attacks through applying countermeasures that include a combination of
algorithmic-level software with hardware (shields, sensors, alternative logic styles).
Brier et al. in [BNNT 2011] present a key-recovery fault attack against RSA-CRT
signatures by injecting error on the value of RSA modulus n before implementing
CRT instead of targeting one of the subdivisions of RSA-CRT Sp or Sq. This attack
depends on orthogonal lattice techniques proposed by Nguyen and Stern [NS 1997]
which is used to factorize RSA-CRT modulus n. The authors claim that they need
five faulty signatures to make their attack succeed if they know the values of
incorrect moduli for five different messages. However, they will need 45 faulty
signatures to factorize RSA-CRT modulus n when they do not know the faulty
moduli, and the faulty moduli differ from the correct one by only one byte or
multiple bytes restricted to the least bytes only.
Fouque et. al in [FGLTZ 2013] proposed a number of effective fault attacks against
implementations of RSA-CRT signatures that utilize modular exponentiation
depending on Montgomery scalar multiplication. These attacks can be operated on
any padding function like randomized paddings and they were the first efficient
fault attacks against RSA-PSS. The new proposed attacks depend on the
supposition that a value of a small register can be forced to either zero, constant or
with zero high order bits. Fouque and his team consider that these prototypes are
quite naturalistic as these faults can be accomplished against many suggested
hardware designs for RSA signatures.
Kong et al. in [KZJSY 2017] proposed an attack against Lee’s improved RSA-CRT
algorithm [LCC 2014]. Lee et al. in [LCC 2014] used modulus chaining method to
protect RSA-CRT algorithm by ensuring that the three primes p, q and r are not
changed during computations. Kong and his team proposed two attacks against
22
Lee’s improved RSA-CRT algorithm. The first one injects a permanent fault in Spr,
and as a result of this fault, they can factorize modulus n of RSA-CRT algorithm.
The second attack injects a transient error in prime p, and by using the fault result
generated by this error they can get the same result as in the first attack. However,
the modulus chaining method used by Lee cannot prevent the two attacks
mentioned above.
All the fault attacks proposed in the research works discussed above depended on
generating an error on the hardware level while the fault attacks proposed by this
thesis target the software level.
2.5.1.2 Modular Exponentiation Algorithms
Algorithm 2.3 is the algorithm I have chosen to attack (which is known as Protected
Montgomery Ladder RSA algorithm Left-to-Right [JY 2002, Fig. 9]). All details
concerning this algorithm and the fault attack proposed against it are given in
sections 4.4.1 and 4.4.2.
Algorithm 2.3 Protected Montgomery Ladder RSA Left-to-Right Algorithm
Internal INPUT (loaded from firmware): d = (dt, dt-1,… , d1)2, size of secret key
t.
INPUT by user: message g, modulus n.
OUTPUT: gd (mod n).
1. R(0) 1, R(1) g.
2. For i from t to 1 do
2.1 b ¬ di.
2.2 R(b) (R(b) * R(di)) (mod n).
2.3 R(di) R(di)2(mod n) .
End for.
3. Return R(0).
Algorithm 2.4 represents Right-to-Left version of algorithm 2.3 which I have
constructed by myself. All details concerning this algorithm and the fault attack
proposed against it are given in sections 4.4.3 and 4.4.4.
23
Algorithm 2.4 Protected Montgomery Ladder RSA Right-to-Left Algorithm
Internal INPUT (loaded from firmware): d = (dt, dt-1,… , d1)2, key size t.
INPUT by user: message g, modulus n.
OUTPUT: gd (mod n).
1. R(0) 1, R(1) g.
2. For i from 1 to t do
2.1 b ¬ di .
2.2 R(b) R(b)2(mod n).
2.3 R(b) R(b) * R(di) (mod n).
End for.
3. Return R(0).
Other related research works are summarized below.
Berzati et al. in [BCG 2008] introduce a fault attack against modular
exponentiation: "Right-To-Left" algorithm. The target of this attack is to recover
the secret key d by using Differential Fault Analysis and injecting error in RSA
modulus n. The authors present a theoretical analysis that shows their attack is
efficient compared to the attacks published by [Sei 2005], [Mui 2006] and [BCCC
2006]. They also use Good Manufacturing Practice (GMP) implementation to
demonstrate that their attack represents a real threat to RSA cryptosystem.
Berzati et al. in [BCDG 2009] provide an improvement of previous attacking
techniques published by [BCG 2008]. These techniques are based on modular
attack exponentiation “Right-To-Left” algorithm. The authors in their modified
attack overcome the problem of complexity of decomposing modular
exponentiation “Left-To-Right” into fractional multiplications by adjusting the
RSA modulus to a number with recognised factorisation. A full study of faulty
prime numbers with a fixed size vindicated the fault model in this article.
The fault attacks proposed in related research works outlined above depended on
analysing processes (such as DFA), while the fault attacks proposed by this thesis
depend on improving safe error attacks. The fault attacks proposed in the thesis
generate an error in the computations of algorithms by using the software used to
update hardware where these algorithms are stored.
24
2.5.2 Tampering with the Program Flow of Fault Attacks
Amiel et al. in [AVFM 2007] describe a new general attack which is a combination
of side channel attack and fault attack. This new class of attacks allow an attacker
to retrieve the secret key with a single power consumption curve. The attacker will
inject a fault in the flow of program execution which makes the processor skip an
instruction which assigns a value to one of the registers used in the program.
Therefore, this register will set with zero value and the result which is calculated
according to that value can easily be distinguished in power consumption curve. As
a result, the secret key can be recover. The authors show practical results which
prove that this attack is not only a theoretical threat. They state that the classical
countermeasures cannot prevent their attack. Finally, they suggest possible ways to
prevent their attack which are simple to apply and have no significant impact on the
complexity of the original cryptosystem.
Schmidt and Herbst in [SH 2008] present a fault attack on the square and multiply
algorithm based on inducing a fault in the control flow. The attacker tries in this
attack to change program flow computation by skipping a square operation. The
faulty result obtained can indicate the value of an equivalent bit of exponent. The
authors implemented their attack by using non-invasive spike attack and they
showed the effects of different side channel analysis countermeasures on their
attack. They used a low-cost equipment in their attack.
Barenghi et al. in [BBPP 2009] describe a fault attack based on the effects of under
power supplied to ARM general purpose CPU. The fault model is implemented on
an ARM9 microprocessor with RSA cryptosystems. The authors show that
decreasing the power of the ARM 9 CPU power supply will induce double faults.
The first one will be a fault data since it appears with data load instruction from
memory. The second fault will be swap instructions which differ with a single bit
in their opcode in the flow of the program. The main advantages of this attack are
its low cost and easy implementation. To prove the efficiency of the fault model,
the authors suggest two attacks methods, Bellcore [BDL 1997] and the earth root
extraction attacks [Sho 2001], to demonstrate practical implementation of the attack
and verify that they can recover the secret information with a reasonable number of
faults.
25
Bhattacharya and Mukhopadhyay in [BM 2017] improve the official differential
fault analysis on the 2-bit branch predictor performance under the influence of
faults. Their fault model is based on the ability of the attacker to introduce a bit-flip
error into the private keystream. The result of their analysis demonstrates that
differences of branch misses under the impact of fault can leak information about
private key bits. The authors claim that this kind of attack can threaten RSA
modular exponentiation and RSA-CRT algorithms. It can also threaten algorithms
protected by a countermeasure which halts or randomizes the final result if a fault
has been detected. This attack can be adjusted to attack processers with embedded
soft-core by introducing practical errors through a skip instruction technique.
2.5.3 Safe-Error Fault Attacks
Yen and Joye in [YJ 2000] describe a fault attack based on the concept of safe error
attack. In this kind of attack, the secret key bits leak depends on the information
whether the device had a fault result or correct one after the fault is injected. This
kind of attack cannot event prevent a check made before the output is delivered to
another stage. The authors state that their proposed attack is more powerful as it has
small computational complexity than other existing attacks. The primary target of
this article is to show that a hardware error-based cryptanalysis cannot be prevented
even if a check is made on the correctness of the outcomes. The authors advise the
cryptosystems hardware designers to deal cautiously with each detail when
improving the secure system.
2.5.4 Summary
In this section, I presented some fault attacks which targeted RSA cryptosystems.
The fault attacks could be classified into three major types: a specific algorithm,
tampering with the program flow and safe error. The aim of these attacks was to
inject an error into the computation process and use the fault result to deduce the
secret key which might be a key used in information encryption or signing a
message. The two kinds of fault attacks which were related to the proposed fault in
my thesis were fault attacks against specific algorithms and safe error fault attacks.
I discussed some articles that presented fault attacks against specific algorithms like
RSA-CRT and modular exponentiation. These articles suggested multiple ways to
inject faults such as laser, light beams, spark gaps and other methods which differed
from my approach which is based on targeting the software used to program
26
EEPROM and changing the cryptography algorithm stored in it. On the other hand,
I discussed the safe error concept which was suggested by Yen and Joye [YJ 2000]
as they tried to guess the secret key by checking the fault result of an injected error.
I modified their concept in my research work and made an additional operation
which eliminated the fault result after I deduced the secret key. This modification
makes any countermeasure, using verification process to search for fault values in
the computation process, quite useless.
2.6 RSA Countermeasures against Fault Attack
2.6.1 RSA Countermeasures against Fault Attack
Aumüller et al. in [ABFHS 2002] show that the standard Bellcore fault attack is in
principle feasible when using completely unprotected microcontrollers. Moreover,
they also indicate that unskilled implementations of countermeasures are not always
reliable. They again answer the question of Kaliski and Robshaw [KR 1997] and
show that these attacks are indeed practical. Their investigation also reveals that
one should test any conceivable countermeasures in reality against all possible
attack scenarios before trusting them. This approach was specially made with their
newly developed software countermeasures.
Although their software countermeasure seems to be very promising, they are
firmly convinced that cryptographic hardware should never be used without
appropriate hardware countermeasures in combination with software
countermeasures. As a result, they finish with the advice given by Kaliski and
Robshaw [KR 1997] from the RSA Laboratories stating that good engineering
practices in the design of secure hardware are essential.
Kim and Quisquater in [KQ 2007a] claim that exponentiation algorithm suggesed
by Fumaroli and Vigilant [FV 2006] is defeated by fault attack (FA), simple power
analysis (SPA) and differential power analysis (DPA). They also claim that the fault
attack against the exponentiation algorithm injects a fault during the calculation of
exponentiation and uses the fault result to deduce the secret key. Then, they propose
a powerful countermeasure that can resist SPA, DPA and FA based on the concept
of randomising all intermediate variables.
Boscher et al. in [BNP 2007] suggest a modular exponentiation algorithm which
can neither be attacked by fault attack (FA) nor by simple power analysis (SPA).
27
Their algorithm is verified by a practical fault model. The authors’ algorithm differs
from the classical modular exponentiation only by two additional modular
multiplications. The main idea of their proposed algorithm is inserting some
coherence test at the end of an algorithm to make it resistant to FA and SPA.
Vigilant in [Vig 2008] presents a countermeasure against Bellcore attack. His
proposed countermeasure is suitable to be implemented on devices with restricted
resources which include: execution time, memory utilisation, personalisation
management and code size. The countermeasure depends on the concept of
inserting a random integer in the computation of intermediate variables used in
modular exponentiation algorithm.
Joye in [Joy 2009b] proposes a countermeasure which embeds the public key e in
the verification of final signature result and the representation of the key object of
RSA. In RSA-CRT mode, the key object can be obtained from the {p, q, 𝑑𝑝 ≡
𝑑(𝑚𝑜𝑑 𝑝 − 1), 𝑑𝑞 ≡ 𝑑(𝑚𝑜𝑑 𝑞 − 1), iq}. However, in the RSA-standard mode,
the key object can be obtained from {N, d}. His countermeasure returns the final
signature S if a verification process which depends on public key e is successful.
The author claims that his proposed countermeasure is suitable for RSA
cryptosystem applied in Java Cards.
Coron et al. in [CGMPV 2010] investigate the fault resistance of Vigilant's
proposed efficient way of implementing an RSA-CRT resistance against fault
analysis [Vig 2008], and they show that it is not immune to fault injection. Indeed,
they highlight two weaknesses which can help an attacker to recover the whole
private key by using only one faulty signature. They also suggest some
modifications with a negligible cost to improve the fault resistance of Vigilant’s
scheme. Therefore the scheme, including modifications, remains suitable for
embedded device constraints.
Kim et al. in [KKHH 2011] made an investigation on countermeasures against
simple power and fault attacks concerning security and efficiency. They found that
the countermeasures they analysed are vulnerable to improved power and fault
attacks. They claim that utilising checksums operations decreases the security of
RSA-CRT cryptosystems against fault attacks. They proposed a countermeasure
28
which is resistant to the power and fault attacks as it uses logical operations instead
of arithmetic ones to check fault values in the RSA-CRT combination.
Fournaris and Koufopavlou in [FK 2012] proposed a hardware architecture which
is based on Montgomery modular exponentiation and multiplications which utilizes
the basics of parallelism to provide a high level of efficiency in space and time
complexity. They claim that their suggested hardware design is resistant to simple
power and fault attack. They built a testing platform to test their hardware design.
They also implemented their proposed hardware in FPGA technology.
Rauzy and Guilley in [RG 2014] carried out an analytical study on existing
countermeasures against fault injection attacks to understand how they work. The
intermediate results they got can be summarized as follows. Firstly, all
countermeasures they have studied had common features, but they optimize in
different ways. Secondly, there is no conceptual distinction between experiment-
based and infected countermeasures and how either one can be converted to the
other one. Thirdly, faults on data can represent a fault on the code (skipping
instruction error). After considering the above intermediate results, they managed
to improve the countermeasures they have studied through fixing Shamir's
countermeasure (which is known to be insecure), enhancing Vigilant's
countermeasure by reducing its nine tests into three, and thus achieving a higher
security level, and they were able to produce an updated countermeasure which is
resistant to an unspecified number of faults.
Kim in [Kim 2017] proposes a countermeasure to protect RSA algorithms based on
utilizing additive blinding technique. Additive blinding technique uses exponent or
modulus blinding approaches. The blinding approach is based on using random
variables to prevent an attacker from getting information about the parameters
through using exponent or modulus blinding approaches. The author proves the
efficiency of his proposed countermeasure by making security and performance
analyses. He claims that his countermeasure is low cost and faster than other
countermeasures that use multiplicative blinding. He also shows that his
countermeasure is resistant to various power attacks and it can be used to improve
the security of RSA and RSA-CRT algorithms against fault attacks.
29
2.6.2 Summary
According to the above literature, various forms of countermeasures were
introduced by experts to protect RSA cryptosystems against fault attacks. The
techniques used in these countermeasures could be summarized as follows:
randomization of the initial values or intermediate variables used in the computation
process, modification of modular exponentiation algorithm by inserting coherence
tests, verification of final results by using public key e, and using logical checksums
instead of numeric ones. All these techniques cannot prevent attacks proposed in
this thesis. I started by injecting a fault into the computation algorithm used to
encrypt or sign information which was stored in EEPROM and then I checked the
value of the key used in the algorithm according to the injected fault. Finally, I
eliminated the fault result I had generated, and therefore, any free error test
procedures could not detect any error in the calculations. Furthermore, even
randomizing variables could not undermine the proposed attacks in this thesis as
the attacker would generate an intermediate fault result by replacing one of the
components of the adding process by the fault value he injected. He would be able
to deduce the secret value according to this fault result.
2.7 Fault Attacks on Elliptic Curve Cryptosystems (ECC)
The main attack against elliptic curve cryptosystems aims to recover the secret
integer k given points P and Q such that Q = kP is computed on a known curve E
over a known field GF(q). The mathematical recovery of k is believed to be an NP-
complete problem [GG 2016]). However, many so-called ‘fault attacks’ have been
produced, taking various forms and serving different purposes, but I am only
concerned with fault attacks on the ECDH, and in this section, I review the current
state of such attacks.
According to the literature, most fault attacks can be classified into safe error, weak
curve-based and sign change attacks. In all cases, there is an assumption that the
attacker has sufficient access to the device to be able to perform the attack.
2.7.1 Safe-Error Fault Attacks
Safe error attacks induce temporary faults in cryptographic computations with the
aim of leaking key bits. Yen and Joye in [YJ 2000] presented such an attack based
on inducing an error in the temporary calculation of the addition step of the scalar
30
multiplication algorithm by changing the value of one of the registers which take
part in the calculation. The authors assume that the attacker should at least have a
minimum degree of the required controllability of hardware fault position in order
to be able to inject a fault in an exact register.
Timing and power attacks are likely to distinguish between point doubling and
point addition formulas and thus reveal bits of the secret key. However, if these are
adjusted by the use of ‘dummy operations’ this may lead to safe error attacks
[GJMRV 2011] and [FV 2012].
2.7.1.1 Computation Safe-Error
Algorithm 2.5 (taken from [FV 2012, alg. 1] where it is presented in additive form)
represents the Montgomery powering ladder with Left-to-Right scalar
multiplication beginning the point additions from the second bit from the left. All
details concerning this algorithm and the fault attack proposed against it are given
in sections 5.3.1 and 5.3.2.
Algorithm 2.5 The Left-to-Right Montgomery Ladder Algorithm
Internal INPUT (loaded from firmware): k = (1, kt-1,…, k1)2, t key size, where
kt = 1.
INPUT by user: P ϵ E(Fq).
OUTPUT: k*P.
1. R(0) P, R(1) 2P.
2. For i from t-1 down to 1 do
2.1 R(¬ ki) R(0)+R(1).
2.2 R(ki) 2R(ki).
End for.
3. Return R(0).
While there appears to be no algorithm in the literature cited as being the Right-to-
Left equivalent of algorithm 2.5, I have used the Right-to-Left version of the EC
(protected) equivalent [JY 2002, Fig 6(b)] which I have modified to make it suitable
to be implemented for elliptic curves. Algorithm 2.6 represents the Right-to-Left
Montgomery Ladder algorithm. All details concerning this algorithm and the fault
attack proposed against it are given in sections 5.3.3 and 5.3.4.
31
Algorithm 2.6 The Right-to-Left Montgomery Ladder Algorithm
Internal INPUT (loaded from firmware): k = (kt, kt-1,…, k1)2, t key size.
INPUT by user: P ϵ E(Fq).
OUTPUT: Q= k*P.
1. R(0) O.
2. R(1) P.
3. For i from 1 up to t do
3.1 G R(1).
3.2 b 1– ki.
3.3 R(b) R(0) + R(1).
3.4 R(1) G.
3.5 R(1) 2R(1).
End for.
4. Return R(0).
Algorithm 2.7 represents Coron Left-to-Right [DHB 2016, Alg 5]. All details
concerning this algorithm and the fault attack proposed against it are presented in
sections 5.4.1 and 5.4.2.
Algorithm 2.7 The Left-to-Right Coron Algorithm.
Internal INPUT (loaded from firmware): k = (1, kt-1,…, k1)2, t key size, where
kt = 1.
INPUT by user: P ϵ E(Fq).
OUTPUT: kP.
1. W(0) P.
2. For i from t-1 down to 1 do
2.1 W(0) 2W(0).
2.2 W(1) W(0)+P.
2.3 W(0) W(ki).
3. Return W(0)
Algorithm 2.8 represents a corresponding Right-to-Left version of algorithm 2.7,
which I have personally developed and introduced in this thesis. All details
concerning this algorithm and the fault attack proposed against it are given in
sections 5.4.3 and 5.4.4.
32
Algorithm 2.8 The Right-to-Left Coron Algorithm
Internal INPUT (loaded from firmware): k = (kt, kt-1,…, k1)2, t key size,
INPUT by user: P ϵ E(Fq).
OUTPUT: kP.
1. W(0) O, R P
2. For i from 1 down to t do
2.1 W(1) R.
2.2 W(1) W(0)+ W(1).
2.3 W(0) W(ki).
2.4 R 2R.
End For.
3. Return W(0).
Algorithm 2.9 is in fact the Joye-Yen ‘Left-to-Right’ version [JY 2002, Fig. 7],
working from the most to the least significant bits (I have modified this algorithm
to get the output Q=kP instead of gk). All details concerning this algorithm and the
fault attack proposed against it are given in sections 5.5.1 and 5.5.2.
Algorithm 2.9 The Left-to-Right Joye-Yen Algorithm
Internal INPUT (loaded from firmware): k = (1, kt-1,…, k1)2, t key size, where
kt = 1.
INPUT by user: P ϵ E(Fq).
OUTPUT: Q= kP.
1. R(0) O.
2. R(1) P.
3. For i from t to 1 do
3.1 R(¬ ki) R(0) +R(1).
3.2 R(ki) 2R(ki).
End for.
4. Return R(0).
33
Algorithm 2.10 represents the ‘Right-to-Left’ version [Joy 2007, Alg. 3] working
in the opposite direction. All details concerning this algorithm and the fault attack
proposed against it are given in sections 5.5.3 and 5.5.4.
Algorithm 2.10 The Right-to-Left Joye Algorithm
Internal INPUT (loaded from firmware): k = (kt, kt-1,…, k1)2, t key size,
INPUT by user: P ϵ E(Fq).
OUTPUT: kP.
1. R(0) O.
2. R(1) P.
3. For i from 1 to t do
3.1 b 1- ki.
3.2 R(b) 2R(b).
3.3 R(b) R(b) + R(ki).
End for.
4. Return R(0).
A comparison of the six algorithms, which are targeted by the fault point attack
proposed by this thesis, is shown in table 2.1 below.
Algorithm
name
Position of
first bit in
memory word
to be accessed
Number of
temporary
variables used
in Algorithm
Initial values used in
Algorithm
Left-to-Right
Montgomery
Ladder
Second bit
from the left
2 R(0) = P and R(1)= 2P
Right-to-Left
Montgomery
Ladder
First bit from
the right
4 R(0) = O and R(1)= P.
Left-to-Right
Coron
Second bit
from the left
2 W(0) = P.
34
Right-to-Left
Coron
First bit from
the right
3 W(0) = O and R =P
Left-to-Right
Joye-Yen
Second bit
from the left
2 R(0)= O and R(1)= P.
Right-to-Left
Joye
First bit from
the right
3 R(0) = O and R(1) = P.
Table 2.1 Comparison of Six Original ECC Algorithms
Where:
O= identity point =[ infinity, infinity]
P=Base point
2P= Double of base point=P+P
Other related research works are summarized below.
Schmidt and Medwed in [SM 2009] present a fault attack on elliptic curve digital
signature algorithm (ECDSA). Their attack depends on the concept of computation
safe error.Their attack is achieved by inducing a fault relying on the possibility of
skipping instructions in the execution of double and add or Montgomery ladder
algorithms. The attacker repeats his attack number of times and uses the faulty result
he gets to obtain a sufficient number of bits of the secret key which enable him to
use lattice attacks [HS 2001], [NS 2003] to find the rest of the secret key.
The authors also propose a countermeasure which uses check value and redundancy
to modify the system, based on ECC, to be resistant to their attack.
Poddebniak e,t al in [PSSLR 2018] investigate the security of deterministic ECDSA
and EdDSA signature schemes and show that removing of random number
generators in these schemes make them vulnerable to new types of fault attacks.
They present a practical attack against EdDSA utilizing the Rowhammer fault
attack. They claim that there are a number of protocols, (such as TLS, SSH, and
IPSec) which utilize EdDSA, that cannot be victimized by their practical attack.
They also specify the features of protocols utilizing these deterministic signature
schemes which make them vulnerable to their attack. Finally, they discuss
alleviation strategies and their consequence on fault attacks against deterministic
signature schemes.
35
2.7.1.2 Memory Safe-Error
Yen and Joye in [YJ 2000] proposed a memory safe error attack for the first time.
Their attack is based on the assumption that if a fault in register or memory location
can be cleared depending on specific binary value component of the secret key, then
the attacker can deduce the value of this secret key by considering the result of the
above process. The attack is repeated number of times depending on some binary
bits of the secret key value. The authors show how their attack can be implemented
on RSA cryptosystems. They also claim that this attack can be implemented on
Elliptic Curve Scalar Multiplication (ECSM).
2.7.2 Weak Curve Based Attacks
In such attacks, the assumption is that a strong elliptic curve is chosen for the
cryptosystem but that the attack moves the computations onto a weak elliptic curve,
where it is hoped that it will be easier for the attacker to retrieve the secret key
values by solving the ECDLP. In this type of attack, fault injection can make use of
invalid points, invalid curves, and twisted curves.
2.7.2.1 Invalid Point Attacks
Biehl et al. in [BMM 2000] demonstrated such an attack by showing how an invalid
point which does not belong to the original elliptic curve can be used in the scalar
multiplication algorithm to solve the ECDLP on a weaker curve, and this process
will help the attacker to find the key. As a countermeasure, they suggest that the
processor should check the validity of each point produced during the execution of
the algorithm. However, their countermeasure can be circumvented by the attacker
if the invalid point is introduced precisely after the checkpoint.
Jager et al. in [JSS 2015] claim that some popular cryptographic libraries they have
investigated did not check whether the points used in their calculation belong to the
curves or not. ECC implementations of Oracle and Bouncy Castle miss the check
above. The authors investigate the impact of missing the checking process on
Oracle’s default Java TLS execution (JSSE with a SunEC provider) and TLS
servers using the Bouncy Castle library. They define an attack which retrieves the
long-term secret key from a TLS server which uses vulnerable Bouncy Castle
library.
36
2.7.2.2 Invalid Curve Attacks
Ciet and Joye in [CJ 2005b] identify two models of fault attacks: permanent and
transient. The permanent model assumes that there is a fault in the system
parameters which is stored in non-volatile memory (EPROM) before its transfer to
the working memory, RAM, to be used in the computations. On the other hand, the
transient model assumes that a fault in the system parameters is induced during the
transfer from EPROM to RAM. The authors show that both fault models can be
used to retrieve information about the secret key k.
Barenghi et al. in [BBPS 2011] demonstrate a fault attack against elliptic curve
digital signature algorithm (ECDSA). The target of this attack is the signature
recombination part of the algorithm, which is not analysed yet by any known fault
attack on ECDSA at that time. The attack utilises a low-cost device to inject the
fault and does not cause any damage to the device under attack [NS 2003], [SH
2007]. The attack succeeds to retrieve the secret key as it reduces the size of ECDLP
version, and consequently transfer the process to a weaker curve configuration, and
thus the problem is solved in shorter time.
Belgarric et.al in [BFMMT 2016] analyse the side-channel resistance of the
execution of the ECDSA signature system in Android’s typical cryptographic
library. They show that the secret key of elliptic curves over prime fields can be
recovered very effectively on smartphones utilizing electromagnetic side channel
and famous lattice reduction techniques. They practically demonstrate that elliptic
curve operations (doublings and additions) can be differentiated in multiple cores
CPU clocking over the Giga-hertz. They then expand the typical lattice attack on
ECDSA over prime fields to binary Koblitz curves. They claim that they were the
first experts who tried to implement an attack against Koblitz curves. These curves,
which can be found in Bouncy Castle that uses a sliding windows algorithm, allow
very effective execution utilizing the Frobenius operation. This leads to signal
processing challenges since the number of obtainable points are decreased. These
experts also examine practical side channel, clarifying the concrete risk of such
implementations. The attacks proposed in their research benefit from visible
architectural characteristics, like specific instructions calculations or memory
accesses of previous works targeting smartphones.
Serraj et al. in [SIA 2017] demonstrate that elliptic curve criterions suggested by
international security institutes such as National Institute of Standards and
37
Technology (NIST) [NIST 2013], the American National Standards Institute
(ANSI) [ANSI 2010] and the Chinese Commercial Cryptography Administration
Office (OSCCA) [OSCCA 2010] cannot resist random fault attacks. The main aim
of random fault attack is to transfer the calculations of ECDLP problem from a
strong curve to a weaker curve with less points by inducing faults [BMM 2000] &
[FLRV 2008]. The fault model of this attack is based on its effects, position and the
number of faults needed to make the attack succeed. The attacker in such kind of
attack faces great difficulty if he tries to induce a fault in a specific bit or when
choosing a proper faulty value. The authors offer a full mathematical description of
random fault attack against ECDLP implemented on PARI/GP system.
Samwel and Batina in [SB 2018] enhance and generalize preceding attacks against
Ed25519 by utlizing realstic targert platform. They state that their attack is
achievable with a high degree of success by utilizing voltage Fault Injection (FI)
and Electromagnetic Fault Injection (EMFI). They claim that an attacker can
recover the key by using their proposed attack with only one successful fault. They
affirm that their attack can achieve a high degree of success (close to 100%). The
attack remains effective even with adding redundancy to the implemenation.
Adding some randomness in the creation of the ephemeral scalar can be considered
a countermeasure against this attack. They also proposed an attack against the
implementation of WolfSSL and extended their attack to other implementations of
Ed25519.2.7.2.3 Twist Curve Based Fault Attack.
Fouque et al. in [FLRV 2008] present a fault attack targeting Montgomery-like
methods when the y-coordinate is not used. Using the twist of the given curve,
which is often weaker than the initial one, they can recover the secret key. The fault
model used in this attack is typical and reasonable, and by injecting a few faults,
the attacker can retrieve the secret key. The authors claim that to develop a
countermeasure to this attack, the designer needs to repeat the verifications enough
number of times to reduce the possibility of the attack success, since the probability
to find a random point on the curve is very high.
Romailler and Pelissier in [RP 2017] present a fault attack against Edwards-curve
digital signature algorithm (EdDSA). EdDSA is based on edwards25519 (the
Edward twist of Curve25519 [BDLSY 2011]). EdDSA is a signature system used
38
instead of elliptic curve digital signature (ECDSA) to sign messages in embedded
devices as it provides better performance and security. EdDSA branch and lookup
operations are not based on private key values during the signature process.
Therefore, EdDSA is considered resistant to various side-channel attacks. The
authors propose a fault attack against EdDSA by inducing a fault on hash function
involved in its signature algorithm. This fault will generate a fault signature that
can be used by the attacker to retrieve sufficient information about the secret key.
This will enable the attacker to form useful signatures for any message. They also
offer a practical execution of their attack against an implementation on Arduino
Nano. Samwel et al. in [SBBDS 2018] claim that EdDSA is not resistant to side-
channel attacks.
2.7.3 Sign Change Fault Attacks
Sign change attacks work directly on the original curve and introduce sign changes
to points used in the computation. Blömer et al. in [BOS 2006] demonstrate how
sign changes of intermediate points can be used to recover the unknown scalar
factor. Their attack leads to a faulty output that is a valid point on the original
elliptic curve. They base their approach on what is known as the ‘left to right
repeated doubling’ method of computing point multiples where the scalar target
multiple is represented in non-adjacent form. The authors state that they believe this
approach can also be employed against other scalar multiplication algorithms,
including the right to left version, binary expansion based repeated doubling, and
the Montgomery ladder [Mont 1987].
2.7.4 Summary
In consequence of investigating related literature, I enumerated and briefly
discussed, in this section, various forms of fault attacks against ECC, such as safe
error, weak curve based and sign change fault attacks. The attacker, in most of the
attacks reviewed, tried to make a hardware fault by changing register value and
memory location through using special equipment like a laser beam. Changing
values, which aim at producing faulty results, could be done by means of converting
positive base point into a negative one, or changing a single bit or multiple bits of
the register value which takes part in the calculation. The attacker analysed the fault
results he got to guess the secret key value. Other approaches were based on using
a weaker elliptic curve, points which do not belong to the original curve or twist
39
curve. Such approaches enabled an attacker to solve ECDLP in an easier
environment. The attacker might also try to make a fault software attack by skipping
single or multiple instructions which led to a fault in the algorithm being executed
and thus produced fault results. All the attacks against ECC, referred to in my
summarized review of related literature, differ from the attacks proposed in the
thesis as I targeted the software used to program the EEPROM. The attacker would
change the algorithm stored in the EEPROM by injecting a fault value and using it
instead of the correct value, and thus produced a fault value. Then the attacker
would use the fault result to retrieve the secret value.
2.8 Fault Attack on ECC Countermeasures
2.8.1 Fault Attack on ECC Countermeasures
In the previous section, I have presented fault-based attacks against ECC. In this
section, I will discuss relevant countermeasures.
Algorithms in which the computations made take the same amount of time,
without the use of dummy operations, are referred to as ‘regular’. Such algorithms
are resistant to power, timing, and safe error attacks, and therefore, all algorithms
should be designed to be regular.
Biehl et al. in [BMM 2000] and Ciet and Joye [CJ 2005b] suggest verifying that
points produced during an elliptic curve computation are the same points on the
curve. Ciet and Joye [CJ 2005b] suggest the use of cyclic redundancy checks to
look for faults in curve parameters. Giraud [Gir 2006] suggests a coherence
verification which compares the intermediate or final result with some acceptable
pattern.
Blömer et al. in [BOS 2006] propose the use of an elliptic curve over a ring
constructed by ‘combining’ two elliptic curves, one the ‘target’ curve and the other
a ‘dummy’ curve, over different fields; if the point to be signed has sufficient order
on both curves, then an algorithm computing elliptic curve additions on both the
combined curve and the dummy curve will produce the required result for the target
curve. This method is used as a countermeasure against sign change attacks.
Fournaris and Sklavos [FS 2015] explore effective algorithmic methods that can
resist fault attacks (FA) and power attacks (PA). They claim that there are trade-
40
offs between hardware efficiency concerning (space and calculation speed) and
level of resistance against FA and PA. They suggest a countermeasure combining
countermeasures against power attacks group and fault attacks group. Their
proposed countermeasure protects cryptography system (RSA/ECC) from (simple
power attack, comparative simple power attack, refined power attack and
differential power attack) by using Montgomery power ladder base point blinding
and randomization extension (which means using of two random variables B and
B-1 to mask the message). The proposed countermeasure also protects RSA and
ECC from FA and differential fault attack by using infective calculation and error
detection.
Rauzy et al. in [RMGN 2015] have studied the modular extension protection
technique, and they found that this technique is wrong, and therefore, they propose
another version of the same technique after they fix it. They prove the efficiency of
their improved technique especially the inverse relation between security
parameters and fault non-detection parameters. They implemented their techniques
on scalar multiplication of ARM Cortex-M4 microcontroller.
Fournaris et al. in [FPBS 2016] investigate Residue Number system RNS capability
to design a countermeasure against fault attacks and power attacks. They also
propose a scalar multiplication algorithm that resists fault attacks and power attacks
by using RNS. According to their analyses, they are able to verify their
countermeasure. They claim that the merging of classical PA and FA
countermeasures with lightweight RNS countermeasure can produce a powerful
cryptography system which resists FA and PA.
Seysen in [Sey 2017] presents a modification on modular extension of a curve
countermeasure which is used to protect point multiplication in elliptic curve.
Seysen claims that this modification will make the countermeasure more secure
against faults attacks. This modified countermeasure operates by utilizing a small
curve to make the point multiplication on modular extension of the main curve.
After that, the result is compared to the same point multiplication recomputed on
the small curve. If they are equal, then the system is secure. The above comparison
can be defective or worthless if a point in the infinity on the small curve can be
accessed with acceptable probability. The author suggests an alternative modular
extension countermeasure which does not suffer from the above problem.
41
Dugardin et al. in [DGMNR 2017] study the modular extension technique used to
protect elliptic curve scalar multiplication (ECSM) algorithms. They discover that
the existing countermeasure based on modular extension is faulty. Therefore, they
develop a test-free countermeasure to replace the previous one. Their
countermeasure makes use of Edwards’s curves and twisted Edwards’s curves in
its computation as the addition law of these curves is complete. The addition of a
curve is said to be complete when it deals with all pairs of input points but it does
not deal with any point at infinity. A point at infinity can be accessed as intermediate
point and therefore it may leak information about the secret key. Edwards’s curves
share with Weierstrass curve the advantage that the addition law for these curves is
unified and the same formula can be used for adding and doubling. This ensures
that their countermeasures will be more resistant to side-channel attacks.
Ambrose et.al in [ABFJLM 2018] demonstrate a number of differential fault attacks
and one differential power analysis attack against deterministic signature schemes.
These attacks show that eliminating randomness from the equation does
unavoidably remove all attacks vectors. The researches examine varied
countermeasures and propose a new one which involve entropy for low-cost
defence against these attacks. Their proposed countermeasure does not require
altering the key generation or the verification procedures and consequences in a
signature scheme. This countermeasure provides high performance and security for
an extensive range of use-cases.
Audrey and Tisserand in [AT 2018] study the protections of scalar multiplication
against both observation and perturbation attacks. The observation attack (side
channel attack) is the attack that targets scalar multiplication through observing
changes in physical parameters. The perturbation attack (fault attack) is the attack
that generates a fault by using perturbations of the system such as variation of power
supply. They propose two countermeasures to protect scalar multiplication against
these two attacks and they implemented them on a Cortex-M0 microcontroller. The
finite field operation over point coordinates is protected by the first proposed
countermeasure. The second countermeasure protects key bits.
2.8.2 Summary
Investigation of literature related to the countermeasure techniques, which were
recommended by experts to protect ECC against fault attacks, revealed some basic
42
concepts. One important concept confirmed by many experts was that all algorithms
must be regular and do not use dummy operations in their computations. Another
important concept was checking and ensuring that all the points used in the
computation should belong to the original curves before beginning with the
computations process. The countermeasures suggested by many experts were cyclic
redundancy checks, comparing the intermediate or final results with some
acceptable patterns, using two curves instead of one and comparing the final results
between them, using RNS, and using randomization techniques. However, after
considering all the above countermeasures techniques, I came to the conclusion that
they cannot prevent attacks proposed in this thesis.
43
Chapter Three EEPROM Environment
3.1 Introduction
EEPROM hardware devices store what is essentially 'metadata' needed to run,
change or secure another hardware device. Such metadata may include secret key
and algorithms used to encrypt and decrypt information or add a signature to this
information. Many research projects deal with different aspects of EEPROM. This
chapter is a review of EEPROM in three directions: EEPROM Architecture,
EEPROM Programming and Attacks on EEPROM Memory Devices. The thesis
work deals with attacks against algorithms stored in EEPROM and used to secure
information. The proposed attacks on EEPROM in this research work target the
software used to program EEPROM instead of attacking its physical layer.
Therefore, the importance of this chapter is to show how EEPROM is constructed
and programmed from the view related to the thesis work. Furthermore, I present
some attacks on EEPROM proposed in related research projects and compare them
to attacks proposed in this thesis.
The rest of the chapter is organised as follows: Section 3.2 shows the EEPROM
architecture. Section 3.3 presents EEPROM programming. Section 3.4 shows
attacks on EEPROM memory devices. Section 3.5 gives the implications of
proposed attacks in the thesis. Finally, a summary is given in section 3.6.
3.2 EEPROM Architecture
EEPROM architecture has a general configuration consisting of EEPROM array
with its periphery devices which connect EEPROM with the outer world and
control its operations. In this section, I present the general configuration of
EEPROM. Furthermore, I present main components of EEPROM cell.
3.2.1 General Configuration
The EEPROM can be organised as an array of cells with m rows, n columns and z
bits (cells) in each column. The size of EEPROM can be measured by bits or bytes.
As an example, 16 rows by 16 columns with 8 bits in each column construct an
EEPROM with size 2Kb where K represents 1024 bits. Periphery circuits connect
the EEPROM with its environment. These periphery circuits are: X decoder is used
for selecting the effective row. Y decoder is used for selecting the effective column.
Page latches (asynchronous sequential circuits with two stable states 0 and 1 with
44
capability to switch between them) are used as data and address bit storage units. A
high voltage power supplies Vcc and Vss. Sense amplifier is used for reading and
writing control operation [DXFM 2006]. The location of cryptography algorithms
which I implement my propose attack against them is stored on EEPROM array.
The general EEPROM architecture is shown in Figure 3.1 [Ros 1998].
Figure 3.1 General Architecture of EEPROM
3.2.2 EEPROM Memory Cell Design
Each memory cell consists of two transistors: the first one is a memory transistor
which is MOS transistor with an extra floating gate called floating gate transistor
(FGT). The floating gate acts as the main component of the erasing and
programming section of EEPROM cell. When the floating gate is charged with a
negative charge, it is said to be erased. While, when the floating gate is charged
with a positive charge then the EEPROM cell is programmed [AD 2008]. The
second transistor is the select transistor (ST) which is connected with the first
transistor serially and also connected with periphery circuits in order to control the
operations (Read, Erase and Write) of EEPROM cell and ensure that no mistakes
will happen during the writing operations [DXFM 2006] and [YYK 1971]. The
MOS and ST transistor can be shown in Figure 3.2.
Figure 3.2 shows the EEPROM cell configuration derived from [Was 2012]. Figure
3.3 driven from [Lee 2016] demonstrates the functioning of the floating gate.
45
Figure 3.2 EEPROM Cell Configuration
Figure 3.3 Floating Gate Operation.
According to the literature, many articles show different models for EEPROM cell
design which differ in the material size used and values of capacitance connected
to FGT and ST transistors. This difference affects the time of programming and life
of EEPROM cell. As I will consider the programming level of EEPROM in thesis
work, then I will not go deeper on this subject. For more information the reader can
refer to these articles [DXFM 2006], [LS 2007], [AD 2008], [RLBBRM 2008],
[WSCH 2008], [DRSFLN 2009], [LCK 2010], [DLDJLTZ 2012], [TMRCPK
2013], [SASOMKOKN 2014], [BKS 2015], [CC 2015], [MJ 2015],
[PNKKLCCKKKP 2015], [XHXYK 2016] and [YZWSL 2017].
WL
VDD
BL
Normal MOS transistor
E2PROM transistor
Word line
Control Gate / programming Gate
Floating Gate
Vdd
Weak
pullup of
some kind
Bitline
Data out
1-Not programmed
- No electronic trapped on
floating gate.
- WL=1 turns on the
transistor, Pulling Bitline low
-Data Out=1
-As floating gate has no effect
2- Programmed
- Electronic is trapped on
floating gate.
-Increase threshold voltage
- Transistor remain off when
WL=1
-Bitline=1 and Data Out=0
46
3.3 EEPROM Programming
The EEPROM is a modified generation of EPROM devices. EPROM devices must
be removed from their hardware circuit and connected to a special device, so that
they can be erased or reprogrammed. On the other hand, the EEPROM, or even a
particular part of it, can be erased and reprogrammed without any need to remove
it from its original circuit [Lan 2015, chap. 6].
Programming an EEPROM cell is a process of charging the floating gate of FGT in
EEPROM cell by threshold voltage VT, and this can be done analogously or
digitally.
3.3.1 Analogous Programming of EEPROM Cell
According to the literature, EEPROM cell can be analogously programmed by
connecting it to a controller which can provide a stable threshold voltage 14
volts.This method is presented by Barnett and Liu in [BL 2008] as they propose a
controller with a gated clock which generates a constant programming voltage
during a wide range of received RF input power, whereas Compagnoni et al. in
[CMAMS 2009] present a model that can explain how TaN/Al2O3/Si3N4/SiO2/Si
(TANOS) memory cell can be programmed and this physical model can reproduce
a threshold voltage VT that remains constant over a wide range of programming
prejudices and times.
3.3.2 Digital Programming of EEPROM Cell
Langbridge in [Lan 2015, Chap. 6] presents a programming system that enables one
to access EEPROM memory and digitally read, i.e. get data, and also write, i.e.
change data in the memory, by using a special EEPROM library included in
Arduino Uno hardware device. EEPROM library is a group of routines that can
access EEPROM memory. These routines can read and write bytes, bits, strings and
other values. For more information, the reader can refer to Wiley eBook [Lan 2015,
Chap. 6].
Beningo in [Ben 2017, chap. 9] presents a hardware abstraction layer (HAL) that
manages internal and external EEPROM devices. HAL is an interface that gives the
applications designers a set of functions that can be used to deal with hardware
functions. The author uses five different brands and sizes of EEPROMs to develop
his HAL. The sizes of EEPROMs used during his work is range from 16Kb to 1Mb.
47
The author generates a basic spreadsheet to list all the functions he needs to deal
with all kinds of EEPROMs he chooses for his work. The author suggests four main
categories of functions of HAL for EEPROM which initialization are, writing data,
reading data and writing and reading the status registers. Then, he provides codes
which show how the above four categories can be represented as functions that can
deal with EEPROM. He also presents the codes of implementation of his HAL
design on an external EEPROM.
Microchip Company provides a manual for programming EEPROM devices.
Section 5.5 in this manual explains how one can erase and program EEPROM
blocks. According to the manual EEPROM can be accessed by utilizing table read
and write. The manual lists some operations that can be applied on the data
EEPROM, for instance, erase one word, erase one row (16 words), erase entire data
EEPROM, program one word and program one row (16 words). During data
EEPROM normal operation any read and write operations can be performed on it.
NVMCON and NVMKEY registers are being utilized during erase and program
operations on data EEPROM. The programming software waits for each operation,
erase or program, to be complete, and then begins another one. The three
approaches are: used to inform the software that the pervious operation is complete
when WR bit in NVMCOM register is cleared, NVMIF bit is set or enable NVM
interrupts. The screen shots of all five operations will be shown in Appendix A. For
further information you can check a pdf in [Mic 2005].
3.4 Attacks on EEPROM Memory Devices
3.4.1 Software Attack
Hogenboom and Mostowski in [HM 2009] present a software attack on open Java
Card smart card which aims to give the attacker a random access to the whole
memory locations of the cards. An open Java Card means the card can install new
applets. Their attack depends on the use of exploitable bug in the limited Java
Virtual Machine running on the card to give the attacker the possibility of reading
or modifying other applet’s data and code on the card. They cannot confirm that the
card used in their work is exactly the card still utilised in the market. The attack
proposed by this article is similar to the attack proposed by the thesis in the point
that it has the same nature which targets the software level instead of hardware
48
level. However, the proposed attack in the thesis differs from their own, since our
proposed attack is more directed to get specific data. It is also more universal as it
can work with any device and has no restriction on the kind of software, whereas
the attack proposed by Hogenboom and Mostowski works only with a smart card
with specific software type (Java Card) and it works only with the open card and
gets all the information stored in EEPROM without a classification of data types
which they extract from EEPROM.
3.4.2 Laser Attack
Skorobogatov in [Sko 2009] shows how a laser beam can be used to change an
EEPROM cell value. In his attack, he used low-cost laser-diode module mounted
by a microscope. He claims that if a memory cell is being heated by using a laser
beam that will change its value, even if this operation cannot change all memory
cells because of their small size. However, he claims that cryptographic key can be
recovered by using a brute force attack. The attack proposed by Skorobogatov is a
permanent fault injection, and even this process may damage the device because of
the heating. The proposed attack by the thesis deals with software level of
EEPROM instead of physical layer. Furthermore, the injection fault result is
eliminated and causes no damage to the device.
Sakamoto et al. in [SFM 2016] introduce an attack technique which combines the
laser irradiation and power analysis techniques. This attack aims to extract data
while reading data from the EEPROM. The proposed attack method uses the laser
irradiation to extract multiple bits from sense amplifier when it is operating in real
time. The power analysis techniques are used to specify the time of executing the
decryption operation. The secret key must be read at the beginning of decryption
operation so the attacker can know the time of extracting critical information
according to the information provided by power attack. The attack proposed by the
article is working on hardware level, and needs to combine two types of hardware
attacks for extracting secret data. Furthermore, this attack requires special hardware
devices to be implemented. The proposed attack by the thesis deals with
programming level and it is simpler in implementation and directed to get the secret
data.
49
3.4.3 Optical Fault Masking Attacks
Skorobogatov in [Sko 2010] introduces an optical attack against EEPROM memory
called fault masking attacks. The aim of these attacks is to cripple regular memory
process through stopping changes of the memory contents. The objective of this
attack is to write-protect specific memory areas when required. The attack is applied
on two kinds of PIC microcontrollers: old (larger size like PIC16F84 which is
constructed with 1.2 µm technology), and new (smaller size like PIC16F628A built
with 0.5 μm technology with two metal layers). The attack has been improved by
attacking the backside and applied on PIC and MSP430 microcontrollers. The
benefit of this attack is to help data analysis and other types of fault injection attack.
However, the author does not give a clear view of how this attack assists in
retrieving secret information stored in EEPROM.
The attack proposed in this article is working on the hardware level, whereas the
attack proposed in the thesis is working on the software level. Also, it gives a clear
and accurate method to retrieve the secret key in cryptography systems.
3.4.4 Extraction and Analysis of Non-Volatile Memory of the ZW0301
Module IoT Device
Badenhop et al. in [BRMM 2016] analysed EEPROM and flash memory of Z-wave
devices which are used as IoT devices. In their work, they identified the hardware
and software of Z-wave devices. Furthermore, they proposed methods for
extracting information from memory. They also examined this information to find
the source code and compiler. Also, they discovered information related to the data
structure of EEPROM memory used in the Z-wave devices. Finally, they made their
tools (which they updated during their research) available under Github
AFITWiSec group. The attack proposed by Badenhop et al. is similar to thesis
attack as both of them are working with software level but they differ as article
attack works against EEPROM found on specific IoT devices while thesis attack is
a universal attack which works against EEPROM on any device.
3.4.5 Microprobing Attacks
Skorobogatov in [Sko 2017] indicates that encryption of embedded memory
devices inside secure microcontrollers is not enough to protect information from
attackers. He claims that if the memory has been accessed by a CPU, then the data
under process will be insecure. His claim is based on the fact that many CPU
50
instructions disclose data on the address bus. The author offers a practical
implementation of his claim through an encrypted on-Chip Mask ROM in a secure
microcontroller. He claims that the CPU instructions, in addition to its leaking
information during the program execution, may pass decrypted data in the address
bus or disclose information through conditional instructions. He advises the
designers of semiconductor devices, particularly those which are used in sensitive
applications like banking, not only to use a powerful encryption scheme, but also
to check the integrity of the codes to be used in these devices.
3.5 Implications for Attacks Proposed in the Thesis
There are important concepts that can be extracted from this chapter and related to
the thesis work. The first one is: a specific portion of EEPROM memory devices
can be reprogramed without any need to remove the EEPROM from its original
position; and also we do not need to erase all memory cells to do that. This concept
supports the application of the proposed attacks in the thesis which target
algorithms stored in EEPROM since they will change algorithms content in a way
that helps to retrieve secret information.
The second concept is: the previous attempts to attack EEPROM by targeting the
software system used to program EEPROM were limited to specific types of
hardware devices such as Java smart cards and Z-wave. Under specific conditions,
this concept supports the ability of attacking the software system used to program
EEPROM for purpose of retrieving the data stored in it.
The proposed attacks in the thesis target cryptography algorithms stored in
EEPROM by inserting fault value and generating a fault result in the computations
of algorithm, and consequently deducing the secret key according to this error.
These attacks are universal as they can be implemented on any hardware device
which contains EEPROM memory regardless of device type or EEPROM. These
attacks differ from those found in the literature, which can only be applied in
specific conditions.
3.6 Summary
In this chapter, I presented an overview of EEPROM memory devices. I gave a
short description of EEPROM general architecture and cell configuration. Then I
showed that EEPROM memory cells could be programmed analogously and
51
digitally. Furthermore, I presented some attacks on EEPROM memory. One of
them was a software attack against Java Smart Card by [HM 2009]. In the next
chapter, I will present the proposed attacks and their implementation on RSA
algorithms.
52
Chapter Four Proposed Fault Attacks against RSA
The proposed fault factoring attack and retrieve secret key attack against RSA
cryptosystems show security issues that threaten these cryptosystems. These attacks
inject a programming fault in algorithms stored in EEPROM. This fault will be used
to factorize RSA modulus or recover the secret key of RSA cryptosystem. The
importance of this chapter is to make developers of RSA cryptography systems
aware of the security risks which threaten the software used to program hardware
devices when they choose RSA cryptosystems to secure these devices. This chapter
is related to the thesis goals as it suggests new fault attacks on RSA, which is
considered one of the widely used public-key cryptosystems.
4.1 Introduction
I assume a scenario that Alice has an RSA system and she chooses parameters p, q
as two prime numbers. She also chooses a small integer e and computes 𝑛 = 𝑝 ∗ 𝑞,
d as 𝑒 ∗ 𝑑 ≡ 1 (𝑚𝑜𝑑 𝜑(𝑛)). The public key part of her RSA system will be (e, n)
and her private key part will be (p, q and d). She wants to use her RSA system to
encrypt and sign messages implemented on hardware. In order to carry out the two
operations mentioned above, Alice has to choose appropriate algorithms from the
algorithms which are currently used for this purpose. She chooses two RSA-CRT
signature Garner’s algorithms. The first one is protected by modified Shamir’s
countermeasure and the second one is protected by simplified Vigilant’s
countermeasure. She chooses these algorithms because they have higher speed of
process than other algorithms, and they are more resistant to multi fault attacks [RG
2014] and [BD 2017]. She will use these algorithms alternatively in her work
concerning sign messages. On the other hand, she chooses two Montgomery Ladder
RSA Left-to-Right and Right-to-Left algorithms to encrypt her messages. She
chooses these algorithms in the encryption process as they are regular algorithms
(they do not use dummy operations) and they are resistant to fault attacks [BD
2017]. She will use these algorithms alternatively in her work concerning
encrypting messages. More details about the importance of RSA can be found in
section 2.3.1 of chapter 2.
Depending on the mathematical background of RSA which is outlined in section
4.2 and the RSA algorithms which Alice chooses in the above scenario, two types
53
of attack are proposed in this chapter. The aim of the fault factoring attack (FF) is
to factorize the RSA modulus by applying a fault attack on the RSA-CRT signature
cryptosystem. In this attack, I chose according to Alice chose in above scenario,
two RSA-CRT Signature Garner’s algorithms. The first one is protected by
modified Shamir’s countermeasure and the second one is protected by simplified
Vigilant’s countermeasure, taking into consideration that these algorithms are
already resistant to fault attacks [RG 2014]. The mathematical background of the
FF attack is outlined in section 4.2.8. The details of this attack, which include
algorithms to be attacked, proposed attacks algorithms and a practical example, are
shown in section 4.3. The aim of the retrieve secret key (RSK) attack is to retrieve
the secret key d by applying a fault attack on both protected Montgomery Ladder
RSA versions “Left-to-Right and Right-to-Left” algorithms according to above
scenario. The details of the RSK attack which include algorithms to be attacked,
proposed attacks algorithms and a practical example, are shown in section 4.4.
In all proposed attack algorithms, I assume that the algorithm to be attacked is
stored in EEPROM inside the victim device to which the attacker has access, and
therefore, he can induce faults during the computation process of the algorithm.
EEPROM sits on a victim hardware device and can be erased, read and written to
[Lan 2015, chap. 6], [YouTube 2014] and [YouTube 2015]. The FF and RSK
attacks try to deal with a fault in software used to program EEPROM instead of a
fault in register level. The proposed fault attacks will enter a fault value, by
changing the algorithm written in the EEPROM and using this value in the
computation instead of correct values, and consequently deduce the secret key
according to the fault in the computation. Finally, the attacker will eliminate the
error result in the computation. Therefore, any checking procedure will confirm that
all the elements used in the computations are a free of error. The retrieve of secret
exponent d or factorize modulus n of RSA cryptosystem will have the same effect
as any of success of implementation of either of two operations will break RSA
cryptosystem.
All examples showing the implementation of the FF and RSK attacks in software
are done by using Intel (R) Core (TM) i7-4500 CPU 2.4 GHZ with 8 GB RAM as
a hardware platform and Windows 7 as the operating system. Maple 2017b [Maple
54
2017] was chosen as the software platform as it contains a cryptography package
designed for elliptic curve arithmetic operations.
4.2 Background of RSA Cryptosystem
4.2.1 Classical RSA
The standard RSA cryptosystem [BNP 2007, p. 230] is constructed by choosing
two prime numbers p and q, computing a modulus n = p*q and selecting a public
exponent e which is relatively prime to 𝜑(𝑛). The private exponent d can be
calculated as
𝑒 ∗ 𝑑 ≡ 1 (𝑚𝑜𝑑 𝜑(𝑛)). (1)
4.2.2 RSA Encryption
The equation used to encrypt a plain text M with e and n components of classical
RSA described above is shown below [BNP 2007, p. 230]
𝑐 ≡ 𝑀𝑒 (𝑚𝑜𝑑 𝑛). (2)
4.2.3 RSA Decryption
The equation used to decrypt a cipher c with d and n components of classical RSA
described above is shown below [BNP 2007, p. 230]
𝑀 ≡ 𝑐𝑑 (𝑚𝑜𝑑 𝑛). (3)
4.2.4 RSA Signature
The equation used to sign a message M with d and n components of classical RSA
described above is shown below [BNP 2007, p. 230]
𝑆 ≡ 𝑀𝑑 (𝑚𝑜𝑑 𝑛). (4)
4.2.5 RSA-CRT Signature
In general, because very large values for n are used to ensure security from a brute-
force attack, this exponentiation computation is inefficient. However, the system
owner who knows p and q can speed up the calculation of S by using the Chinese
Remainder Theorem (CRT) [YKM 2006, p. 55].
The values p and q are required to do this along with the solution to the equations
shown below:
Firstly, a value of dp and dq is computed by using (5) and (6)
55
𝑑𝑝 ≡ 𝑑(𝑚𝑜𝑑 𝑝 − 1). (5)
𝑑𝑞 ≡ 𝑑(𝑚𝑜𝑑 𝑞 − 1). (6)
Then Sp and Sq is computed by using (7) and (8)
𝑆𝑝 ≡ 𝑚𝑑𝑝(𝑚𝑜𝑑 𝑝). (7)
𝑆𝑞 ≡ 𝑚𝑑𝑞(𝑚𝑜𝑑 𝑞). (8)
Either Gauss’s algorithm or Garner’s algorithm can be used to find CRT signature
Scrt which is shown in 4.2.6 and 4.2.7.
4.2.6 RSA-CRT Signature Gauss’s Algorithm
The equation used to find the RSA-CRT signature Scrt by implementing Gauss’s
equation and using (7) and (8) [MVV 1996, pp. 612–613] is
𝑆𝑐𝑟𝑡 ≡ [(𝑆𝑝 ∗ 𝑞 ∗ (𝑞−1(𝑚𝑜𝑑 𝑝)) + (𝑆𝑞 ∗ 𝑝 ∗ (𝑝
−1(𝑚𝑜𝑑 𝑞))](𝑚𝑜𝑑 𝑛) (9)
4.2.7 RSA-CRT Signature Garner’s Algorithm
Another equation which is used to find the RSA-CRT signature Scrt by
implementing Garner’s equation and using (7) and (8) [MVV 1996, p. 68] is
𝑆𝑐𝑟𝑡 ≡ 𝑆𝑞 + 𝑞 ∗ [((𝑆𝑝 − 𝑆𝑞) ∗ (𝑞−1(𝑚𝑜𝑑 𝑝))) ∗ (𝑚𝑜𝑑 𝑝)]. (10)
Example 1.
James wants to sign a message M =24 and send it to Alice by using RSA-CRT
scheme. He chooses two prime numbers p=13 and q=23. He computes
n=p*q=13*23=299 then finds 𝜑(𝑛) where 𝜑(𝑛)= (p-1)*(q-1) =12*22=264.
After that James chooses e=7 where gcd (e,𝜑(𝑛)) =1.
James needs to compute secret key d, which is used in the signature of the message
where
𝑑 ≡ 𝑒−1𝑚𝑜𝑑 𝜑(𝑛) ≡ 7−1𝑚𝑜𝑑 264 ≡ 151.
Then he tries two methods to sign his message M. Firstly, he uses the direct equation
(4)
𝑆 ≡ 𝑀𝑑 𝑚𝑜𝑑 𝑛 ≡ 24151 𝑚𝑜𝑑 299 ≡ 93.
Secondly, James tries another method to speed up the computation. He uses an
RSA-CRT scheme. Therefore, he computes dp and dq by using (5) and (6)
56
𝑑𝑝 ≡ 𝑑(𝑚𝑜𝑑 𝑝 − 1) ≡ 151 𝑚𝑜𝑑 12 ≡ 7.
𝑑𝑞 ≡ 𝑑(𝑚𝑜𝑑 𝑞 − 1) ≡ 151 𝑚𝑜𝑑 22 ≡ 19.
Next, he computes Sp and Sq by using (7) and (8)
𝑆𝑝 ≡ 𝑀𝑑𝑝(𝑚𝑜𝑑 𝑝) ≡ 247(𝑚𝑜𝑑 13) ≡ 2.
𝑆𝑞 ≡ 𝑀𝑑𝑝(𝑚𝑜𝑑 𝑝) ≡ 2419(𝑚𝑜𝑑 23) ≡ 1.
Now James can use either (9) or (10) to find the final result of signature message
M. He chooses to use (9) where
𝑆𝑐𝑟𝑡 ≡ [(𝑆𝑝 ∗ 𝑞 ∗ (𝑞−1(𝑚𝑜𝑑 𝑝)) + (𝑆𝑞 ∗ 𝑝 ∗ (𝑝
−1(𝑚𝑜𝑑 𝑞))](𝑚𝑜𝑑 𝑛)
≡ [2 ∗ 23 ∗ (23−1(𝑚𝑜𝑑 13)) + 1 ∗ 13 ∗ (13−1(𝑚𝑜𝑑 23))](𝑚𝑜𝑑 299)
≡ 93.
4.2.8 RSA-CRT Signature Cryptanalysis
In an RSA cryptosystem, with two prime numbers p and q and secret key d, a
message can be signed by using (4). This process can be sped up by using a CRT
approach. Instead of computing signature S, a two-value Sp, and Sq are calculated
by using (7) and (8). After that, Sp and Sq are combined to find Scrt by using either
(9) or (10).
Now if a fault occurs in the Sp computation process, then Spe is calculated instead
of Sp while Sq is still error-free. Then a fault signature Scrte is computed by
combining Spe and Sq. According to [BDL 1997], [Len 1996] and [JLQ 1999], a
cryptanalysis can find the factor q by implementing one of two following equations:
𝑞 ≡ 𝑔𝑐𝑑((𝑆𝑐𝑟𝑡𝑒 − 𝑆𝑐𝑟𝑡), 𝑛). (11)
Or
𝑞 ≡ 𝑔𝑐𝑑((𝑆𝑐𝑟𝑡𝑒𝑒 −𝑀), 𝑛). (12)
Example 2.
By using information from numeric example 1, Bob wants to factorize n used by
James and find factors p and q by injecting a fault in the computation
of the message signature calculation done by James.
57
Firstly Bob will use the same result that James gets in example 1. He will use (9) to
compute a fault result of the CRT signature by using fault Spe=17 instead of the
correct one Sp=2 where
𝑆𝑐𝑟𝑡 ≡ [(𝑆𝑝𝑒 ∗ 𝑞 ∗ (𝑞−1(𝑚𝑜𝑑 𝑝)) + (𝑆𝑞 ∗ 𝑝 ∗ (𝑝
−1(𝑚𝑜𝑑 𝑞))](𝑚𝑜𝑑 𝑛)
≡ [(17 ∗ 23 ∗ (23−1(𝑚𝑜𝑑 13)) + (1 ∗ 13 ∗ (13−1(𝑚𝑜𝑑 23))](𝑚𝑜𝑑 299)
≡ 277.
Now, after Bob gets faulted signature Scrte, he can use either (11) or (12) to find
factor q, since e, M, and Scrt are already known from example 1. Bob chooses (11)
to find factor q where
𝑞 = 𝑔𝑐𝑑((𝑆𝑐𝑟𝑡𝑒 − 𝑆𝑐𝑟𝑡), 𝑛) = 𝑔𝑐𝑑((277 − 93), 299) = 23.
4.2.9 RSA-CRT Garner’s Signature Algorithm Protected by Modified
Shamir’s Countermeasure
Rauzy and Guilley [RG 2014] modify Shamir’s countermeasure [Sha 1997] which
is applied for a patent in [Sha 1999] to protect RSA-CRT signature by verifying the
integrity of the partial components and final result of computing the final signature
by using RSA-CRT. They take new verifications from Aumüller et al.’s
countermeasure [ABFHS 2002]. The modified Shamir’s countermeasure can be
summarised as follows:
Rauzy and Guilley assume that Garner’s algorithm is used in the computations of
the RSA-CRT signature, and I assume that the firmware in victim device stores the
four values, prime numbers p and q, secret key d and the parameter 𝑖𝑞 ≡
𝑞−1 𝑚𝑜𝑑 𝑝 which are to be used in the the computations of the RSA-CRT
signature [BFM 2017].
The next step is to choose a random small integer r, which the algorithm will use
in computations as follows:
𝑝𝑟 = 𝑝 ∗ 𝑟. (13)
𝑞𝑟 = 𝑞 ∗ 𝑟. (14)
Now the algorithm will return the error value to the user instead of the final result
if one of two conditions is verified; otherwise the computation process will continue
until the final result is obtained and returned to the user
𝑝𝑟 ≢ 0 𝑚𝑜𝑑 𝑝 𝑜𝑟 𝑞𝑟 ≢ 0 𝑚𝑜𝑑 𝑞. (15)
58
Next step algorithm will compute
𝑆𝑝𝑟 ≡ 𝑀𝑑 𝑚𝑜𝑑 𝜑(𝑝𝑟) (𝑚𝑜𝑑 𝑝𝑟). (16)
𝑆𝑞𝑟 ≡ 𝑀𝑑 𝑚𝑜𝑑 𝜑(𝑞𝑟) (𝑚𝑜𝑑 𝑞𝑟). (17)
Now the algorithm will verify the components
𝑆𝑝𝑟 ≢ 𝑆𝑞𝑟 (𝑚𝑜𝑑 𝑟). (18)
If the result is true then the algorithm will return error; otherwise the algorithm will
continue.
In the next step, a partial signature will be calculated
𝑆𝑝 ≡ 𝑆𝑝𝑟 (𝑚𝑜𝑑 𝑝). (19)
𝑆𝑞 ≡ 𝑆𝑞𝑟 (𝑚𝑜𝑑 𝑞). (20)
In case of using Garner’s equation, the algorithm computes proper signature Scrt by
using
𝑆𝑐𝑟𝑡 ≡ 𝑆𝑞 + 𝑞 ∗ [(i𝑞 ∗ (𝑆𝑝 − 𝑆𝑞) (𝑚𝑜𝑑 𝑝))]. (21)
Finally, the algorithm will return the error if one of the two conditions is verified;
otherwise it will return 𝑆𝑐𝑟𝑡
𝑆𝑐𝑟𝑡 ≢ 𝑆𝑝𝑟 (𝑚𝑜𝑑 𝑝) 𝑜𝑟 𝑆𝑐𝑟𝑡 ≢ 𝑆𝑞𝑟( 𝑚𝑜𝑑 𝑞 ). (22)
Example 3
Tony wants to implement modified Shamir’s countermeasure, which is suggested
by Rauzy and Guilley, to protect a message signed by using RSA-CRT scheme.
Therefore, he chooses two random prime numbers p=17, q=37, and small integer r
=7. Next, he chooses message M=36 Then he computes n=p*q=629. After that, he
chooses e=5 where gcd (e, 𝜑(𝑛))=1.
Tony needs to compute secret key d where d≡e-1 mod 𝜑(𝑛)≡ 5-1 mod 576≡461.
He also needs to compute 𝑖𝑞 ≡ 𝑞−1 𝑚𝑜𝑑 𝑝 ≡ 37−1 𝑚𝑜𝑑 17 ≡ 6.
After that, he needs to compute pr by using (13) and qr, by using (14) where
𝑝𝑟 = p ∗ 𝑟 = 17 ∗ 7 = 119.
𝑞𝑟 = 𝑞 ∗ 𝑟 = 37 ∗ 7 = 259.
59
Then Tony will check
𝑝𝑟 𝑚𝑜𝑑 𝑝 ≡ 119 𝑚𝑜𝑑 17 ≡ 0.
𝑞𝑟 𝑚𝑜𝑑 𝑞 ≡ 259 𝑚𝑜𝑑 37 ≡ 0.
As the two conditions have a 0 result, then Tony will proceed with computing 𝑆𝑝𝑟
and 𝑆𝑞𝑟 by using (16) and (17)
𝑆𝑝𝑟 ≡ 𝑀𝑑 𝑚𝑜𝑑 𝜑(𝑝𝑟)( 𝑚𝑜𝑑 𝑝𝑟) ≡ 36
461 𝑚𝑜𝑑 ((17−1)∗(7−1)) 𝑚𝑜𝑑 119 ≡ 15.
𝑆𝑞𝑟 ≡ 𝑀𝑑 𝑚𝑜𝑑 𝜑(𝑞𝑟) (𝑚𝑜𝑑 𝑝𝑟) ≡ 36461 𝑚𝑜𝑑 ((37−1)∗(7−1)) 𝑚𝑜𝑑 259 ≡ 36.
Tony now checks the condition below
𝑆𝑝𝑟𝑚𝑜𝑑 𝑟 ≡ 𝑆𝑞𝑟 𝑚𝑜𝑑 𝑟 ≡ 15 mod 7 ≡ 36 mod 7≡1.
When the condition is verified, then Tony proceeds with computing 𝑆𝑝, 𝑆𝑞 and 𝑆𝑐𝑟𝑡
by using (19), (20) and (21) as shown below
𝑆𝑝 ≡ 𝑆𝑝𝑟 (𝑚𝑜𝑑 𝑝) ≡ 15 𝑚𝑜𝑑 17 ≡15.
𝑆𝑞 ≡ 𝑆𝑞𝑟 (𝑚𝑜𝑑 𝑞) ≡ 36 𝑚𝑜𝑑 37 ≡ 36.
𝑆𝑐𝑟𝑡 ≡ 𝑆𝑞 + 𝑞 ∗ [(i𝑞 ∗ (𝑠𝑝 − 𝑠𝑞) )(𝑚𝑜𝑑 𝑝)] ≡ 36 + 37 ∗ [(6*(15-36)) mod 17]
≡ 406.
Finally, Tony will verify 𝑆𝑐𝑟𝑡 by verifying the conditions
𝑆𝑐𝑟𝑡 𝑚𝑜𝑑 𝑝 ≡ 𝑆𝑝𝑟 (𝑚𝑜𝑑 𝑝) ≡ 15.
𝑆𝑐𝑟𝑡 𝑚𝑜𝑑 𝑝 ≡ 𝑆𝑞𝑟 (𝑚𝑜𝑑 𝑞) ≡ 37.
The conditions are verified, then Tony will be able to use the final signature 𝑆𝑐𝑟𝑡 .
4.2.10 RSA-CRT Garner’s Signature Algorithm Protected by
Simplified Vigilant’s Countermeasure
Rauzy and Guilley [RG 2014] simplify Vigilant’s countermeasure [Vig 2008] to
protect RSA-CRT signature by reducing the number of verifications from 9 to 3
and enhancing the countermeasure in speed and decreasing its need for randomness.
The simplified Vigilant’s countermeasure can be summarised as follows:
60
Rauzy and Guilley assume that Garner’s algorithm is used in the computations of
the RSA-CRT signature, and I assume that the firmware of the victim device stores
the five values: prime numbers p and q, secret key dp, secret key dq and the
parameter 𝑖𝑞 ≡ 𝑞−1 𝑚𝑜𝑑 𝑝,which are to be used in the computations of the RSA-
CRT signature [BFM 2017].
In the beginning, the algorithm chooses a small random integer r and compute n =
p * q. In the next step, the algorithm will compute verification 𝑐𝑝 for the partial
prime p by applying the equations below:
𝑝′ = 𝑝 ∙ 𝑟2. (23)
𝑖𝑝𝑟 ≡ 𝑝−1(𝑚𝑜𝑑 𝑟2). (24)
𝑀𝑝 ≡ 𝑀 (𝑚𝑜𝑑 𝑝′). (25)
𝐵𝑝 = 𝑝 ∙ 𝑖𝑝𝑟 . (26)
𝐴𝑝 ≡ 1 − 𝐵𝑝 (𝑚𝑜𝑑 𝑝′). (27)
𝑀𝑝′ ≡ 𝐴𝑝 ∙ 𝑀𝑝 + 𝐵𝑝 ∙ (1 + 𝑟) (𝑚𝑜𝑑 𝑝
′). (28)
𝑆𝑝′ ≡ 𝑀𝑝
′ 𝑑𝑝 𝑚𝑜𝑑 𝜑(𝑝′) (𝑚𝑜𝑑 𝑝′). (29)
𝑆𝑝𝑟 = 1 + 𝑑𝑝 ∙ 𝑟. (30)
𝑐𝑝 ≡ 𝑀𝑝′ + 𝑛 −𝑀 + 1 (𝑚𝑜𝑑 𝑝). (31)
After that, the algorithm will calculate verification term 𝑐𝑞for the partial prime q by
applying the equations below:
𝑞′ = 𝑞 ∙ 𝑟2. (32)
𝑖𝑞𝑟 ≡ 𝑞−1(𝑚𝑜𝑑 𝑟2). (33)
𝑀𝑞 ≡ 𝑀 (𝑚𝑜𝑑 𝑞′). (34)
𝐵𝑞 = 𝑞 ∙ 𝑖𝑞𝑟. (35)
𝐴𝑞 ≡ 1 − 𝐵𝑞 (𝑚𝑜𝑑 𝑞′). (36)
𝑀𝑞′ ≡ 𝐴𝑞 ∙ 𝑀𝑞 + 𝐵𝑞 ∙ (1 + 𝑟) (𝑚𝑜𝑑 𝑞
′). (37)
𝑆𝑞′ ≡ 𝑀𝑞
′ 𝑑𝑞 𝑚𝑜𝑑 𝜑(𝑞′) (𝑚𝑜𝑑 𝑞′). (38)
61
𝑆𝑞𝑟 = 1 + 𝑑𝑞 ∙ 𝑟. (39)
𝑐𝑞 ≡ 𝑀𝑞′ + 𝑛 −𝑀 + 1 (𝑚𝑜𝑑 𝑞). (40)
The next step will be the algorithm computing the final signature as follows:
𝑆′ ≡ 𝑆𝑞′ + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝
′ − 𝑆𝑞′ )(𝑚𝑜𝑑 𝑝′)). (41)
𝑆𝑟 ≡ 𝑆𝑞𝑟 + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝𝑟 − 𝑆𝑞𝑟)(𝑚𝑜𝑑 𝑝′)). (42)
Then them algorithm calculates verification term 𝑐𝑠 for final signature
𝑐𝑠 ≡ 𝑆′ − 𝑆𝑟 + 1 (𝑚𝑜𝑑 𝑟
2). (43)
Finally, the algorithm will return signature S if the equation below is verified
𝑆 ≡ 𝑆′𝑐𝑝𝑐𝑞𝑐𝑠 (𝑚𝑜𝑑 𝑛). (44)
Example 4
Jim wants to apply simplified Vigilant’s countermeasure to protect a signature for
a message by using RSA-CRT which is suggested by Rauzy and Guilley. Therefore,
he chooses two random prime numbers p=59, q=53, and small integer r=4. Next,
Jim chooses message M=56. Then he computes n=p*q=3127. After that, he chooses
e=5 where gcd (e, 𝜑(𝑛)) =1 and calculates d=e-1 mod 𝜑(𝑛) ≡ 5-1 mod 𝜑(3127) ≡
5-1 mod 3016 ≡2413.
He also needs to compute secret keys dp and dq and the parameter 𝑖𝑞 by using the
following equations:
𝑑𝑝 ≡ 𝑑 𝑚𝑜𝑑 (𝑝 − 1) ≡ 2413 𝑚𝑜𝑑 58 ≡ 35.
𝑑𝑞 ≡ 𝑑 𝑚𝑜𝑑 (𝑞 − 1) ≡ 2413 𝑚𝑜𝑑 52 ≡ 21.
𝑖𝑞 ≡ 𝑞−1 (𝑚𝑜𝑑 𝑝) ≡ 53−1 𝑚𝑜𝑑 59 ≡ 49.
After that, Jim chooses a small random integer r = 4. In the next step, Jim will
compute verification 𝑐𝑝 for the partial prime p by applying the equations below:
𝑝′ = 𝑝 ∙ 𝑟2 = 59 ∙ 42 = 944.
𝑖𝑝𝑟 ≡ 𝑝−1(𝑚𝑜𝑑 𝑟2) ≡ 59−1𝑚𝑜𝑑 42 ≡ 3.
𝑀𝑝 ≡ 𝑀 (𝑚𝑜𝑑 𝑝′) ≡ 56 𝑚𝑜𝑑 944 ≡ 56.
𝐵𝑝 = 𝑝 ∙ 𝑖𝑝𝑟 = 59 ∙ 3 ≡ 177.
62
𝐴𝑝 ≡ 1 − 𝐵𝑝 (𝑚𝑜𝑑 𝑝′) ≡ 1 − 177 𝑚𝑜𝑑 944 ≡ 768.
𝑀𝑝′ ≡ 𝐴𝑝 ∙ 𝑀𝑝 + 𝐵𝑝 ∙ (1 + 𝑟) (𝑚𝑜𝑑 𝑝
′) ≡ 768 ∙ 56 + 177 ∙ (1 + 4) 𝑚𝑜𝑑 944.
≡ 469.
𝑆𝑝′ ≡ 𝑀𝑝
′ 𝑑𝑝 𝑚𝑜𝑑 𝜑(𝑝′) (𝑚𝑜𝑑 𝑝′) ≡ 46935 𝑚𝑜𝑑 𝜑(944) 𝑚𝑜𝑑 944
≡ 46935 𝑚𝑜𝑑 464 𝑚𝑜𝑑 944 ≡ 333.
𝑆𝑝𝑟 = 1 + 𝑑𝑝 ∙ 𝑟 = 1 + 35 ∙ 4 = 141.
𝑐𝑝 ≡ 𝑀𝑝′ + 𝑛 −𝑀 + 1 (𝑚𝑜𝑑 𝑝) ≡ 469 + 3127 − 56 + 1 𝑚𝑜𝑑 59 ≡ 1.
Then Jim will calculate verification term 𝑐𝑞for the partial prime q by applying the
equations below:
𝑞′ = 𝑞 ∙ 𝑟2 = 53 ∙ 42 = 848.
𝑖𝑞𝑟 ≡ 𝑞−1(𝑚𝑜𝑑 𝑟2) ≡ 53−1𝑚𝑜𝑑 42 ≡ 13.
𝑀𝑞 ≡ 𝑀 (𝑚𝑜𝑑 𝑞′) ≡ 56 𝑚𝑜𝑑 848 ≡ 56.
𝐵𝑞 = 𝑞 ∙ 𝑖𝑞𝑟 = 53 ∙ 13 = 689.
𝐴𝑞 ≡ 1 − 𝐵𝑞 (𝑚𝑜𝑑 𝑞′) ≡ 1 − 689 𝑚𝑜𝑑 848 ≡ 160.
𝑀𝑞′ ≡ 𝐴𝑞 ∙ 𝑀𝑞 + 𝐵𝑞 ∙ (1 + 𝑟) (𝑚𝑜𝑑 𝑞
′) ≡ 160 ∙ 56 + 689 ∙ (1 + 4) 𝑚𝑜𝑑 848.
≡ 533.
𝑆𝑞′ ≡ 𝑀𝑞
′ 𝑑𝑞 𝑚𝑜𝑑 𝜑(𝑞′) (𝑚𝑜𝑑 𝑞′) ≡ 53321 𝑚𝑜𝑑 𝜑(848) 𝑚𝑜𝑑 848
≡ 53321 𝑚𝑜𝑑 416 𝑚𝑜𝑑 848 ≡ 677.
𝑆𝑞𝑟 = 1 + 𝑑𝑞 ∙ 𝑟 = 1 + 21 ∙ 4 = 85.
𝑐𝑞 ≡ 𝑀𝑞′ + 𝑛 −𝑀 + 1 (𝑚𝑜𝑑 𝑞) ≡ 533 + 3127 − 56 + 1 𝑚𝑜𝑑 53 ≡ 1.
The next step Jim takes will be computing the final signature as follows:
𝑆′ ≡ 𝑆𝑞′ + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝
′ − 𝑆𝑞′ )(𝑚𝑜𝑑 𝑝′) )
≡ 677 + 53 ∙ (49 ∙ (333 − 677)𝑚𝑜𝑑 944 ) ≡ 7885.
𝑆𝑟 ≡ 𝑆𝑞𝑟 + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝𝑟 − 𝑆𝑞𝑟)(𝑚𝑜𝑑 𝑝′) )
≡ 85 + 53 ∙ (49 ∙ (141 − 85)𝑚𝑜𝑑 944 ) ≡ 45453.
63
Then Jim calculates verification term 𝑐𝑠 for final signature
𝑐𝑠 ≡ 𝑆′ − 𝑆𝑟 + 1 𝑚𝑜𝑑 𝑟
2 ≡ 7885 − 45453 + 1 𝑚𝑜𝑑 16 ≡ 1.
Finally, the algorithm will return signature S if the equation below is verified
𝑆 𝑚𝑜𝑑 𝑛 ≡ 𝑆′𝑐𝑝𝑐𝑞𝑐𝑠 (𝑚𝑜𝑑 𝑛)
562413 𝑚𝑜𝑑 3127 ≡ 78851∙1∙1 𝑚𝑜𝑑 3127
1631 ≡ 1631.
4.3 Fault Factoring Attack
In the related literature, there are some attacks against RSA-CRT cryptosystems.
Kong et al. in [KZJSY 2017] proposed an attack against Lee’s improved RSA-CRT
algorithm [LCC 2014]. Lee et al. in [LCC 2014] used modulus chaining method to
protect RSA-CRT algorithm by ensuring that the three primes p, q and r are not
changed during computations. Kong and his team proposed two attacks against
Lee’s improved RSA-CRT algorithm. The first one injects a permanent fault in Spr,
and as a result of this fault, they can factorize modulus n of RSA-CRT algorithm.
The second attack injects a transient error in prime p, and by using the fault result
generated by this error they can get the same result as in the first attack. However,
the modulus chaining method used by Lee cannot prevent the two attacks
mentioned above.
Bhattacharya and Mukhopadhyay [BM 2017] improve the official differential fault
analysis on the 2-bit branch predictor performance under the influence of faults.
Their fault model is based on the ability of the attacker to introduce a bit-flip error
into the private keystream. The result of their analysis demonstrates that differences
of branch misses under the impact of fault can leak information about private key
bits. The authors claim that this kind of attack can threaten RSA modular
exponentiation and RSA-CRT algorithms. It can also threaten algorithms protected
by a countermeasure which halts or randomizes the final result if a fault has been
detected. This attack can be adjusted to attack processers with embedded soft-core
by introducing practical errors through a skip instruction technique.
In this section, I show how the fault factoring (FF) attacks are used to factorize the
RSA modulus n=p*q. The FF attacks try to deal with a fault in the programming
level of EEPROM instead of a fault in register level. The new fault attack will enter
64
a fault value by changing the algorithm written in the EEPROM [Lan 2015, chap.
6], [YouTube 2014] and [YouTube 2015], and then use this value in the
computation instead of the correct values, and thus deduce the secret key according
to the fault in the computation. Moreover, the attacker will eliminate the fault result
in the computation. Therefore, any checking procedure will confirm that all
elements used in the computations are free of error. This section will also include
algorithms that I choose to attack and the proposed attack algorithms to be used
against them, as well as practical examples that will show the implementation of
these attacks.
In this section, the FF attack will be implemented on a signature system using RSA-
CRT and protected by countermeasures. Section 4.3.2 will show the
implementation of an FF attack against the signature system using RSA-CRT
cryptosystem and protected by modified Shamir’s countermeasure [RG 2014, Alg.
10]. Section 4.3.4 will show the implementation of an FF attack against a signature
system also using RSA-CRT cryptosystem but protected by simplified Vigilant’s
countermeasure [RG 2014, alg. 11].
4.3.1 RSA-CRT Signature Using Garner’s Algorithm Protected by
Modified Shamir’s Countermeasure
Algorithm 2.1 in section 2.5.1.1 of chapter 2 represents the RSA-CRT signature
using Garner’s algorithm protected by modified Shamir’s countermeasure of which
the outline is shown in section 4.2.9. This algorithm is used to speed up the
computation time of the message signature by using RSA-CRT scheme. Shamir
modified this algorithm to be resistant to a fault attack by increasing the randomness
of this algorithm through adding more items to the computation process to make it
more difficult for an attacker to guess the secret key when using a fault attack.
Shamir achieved that by inserting a small integer r in the computation; however, he
did not specify how to choose random prime numbers. In the related literature,
several methods are proposed by researchers for generating random numbers such
as the software method presented by [AA 2016] which is based on the use of
congruence equations, and the hardware method, suggested by [KCLP 2016] which
generates a prime number by merging Fermat test and trial division in parallel. In
my implementation of these algorithms, I use the direct command from Maple to
generate a prime random number which is
65
Random_prime_number ≡ nextprime (rand (21 .. 2n)).
where n is the number of bits.
Also, Rauzy and Guilley suggest a modification to Shamir’s countermeasure which
protects the signature system using RSA-CRT by fixing the checksum operations.
4.3.2 FF Attack against RSA-CRT with Garner’s Algorithm and
Protected by Modified Shamir’s Countermeasure
Algorithm 4.1 is the proposed attack against algorithm 2.1. The aim of algorithm
4.1 is to factorize RSA-CRT modulus n. In algorithm 4.1, a fault value X is injected
to be used instead of the stored value 𝑖𝑞 ≡q-1 mod p to compute a CRT-RSA
signature S, so that a fault signature 𝑆𝑐𝑟𝑡𝑒 will be computed instead of the correct
one. This fault CRT-RSA signature 𝑆𝑐𝑟𝑡𝑒 can be used to factorize RSA-CRT
modulus n=p*q by computing the factor q= gcd ((𝑆𝑐𝑟𝑡𝑒-𝑆𝑐𝑟𝑡), n) [BDL 1997], [Len
1996] and [JLQ 1999]. Algorithm 4.1 is shown below.
Algorithm 4.1 FF Attack against Algorithm 2.1
Internal INPUT (loaded from firmware): p, q, d, 𝑖𝑞 ≡q-1 mod p.
INPUT by user: message M, fault value X.
OUTPUT: The factor q.
1. Choose a small random integer r.
2. pr p*r.
3. qr q*r.
4. If pr ≢ 0 (mod p) or qr ≢ 0 (mod q ) then return error.
5. 𝑆𝑝𝑟 𝑀𝑑 𝑚𝑜𝑑 𝜑(𝑝𝑟) (𝑚𝑜𝑑 𝑝𝑟).
6. 𝑆𝑞𝑟 𝑀𝑑 𝑚𝑜𝑑 𝜑(𝑞𝑟) (𝑚𝑜𝑑 𝑞𝑟).
7. if 𝑆𝑝𝑟 ≢ 𝑆𝑞𝑟 𝑚𝑜𝑑 𝑟 then return error.
8. 𝑆𝑝 𝑆𝑝𝑟 (𝑚𝑜𝑑 𝑝).
9. 𝑆𝑞 𝑆𝑞𝑟 (𝑚𝑜𝑑 𝑞).
10. 𝑆𝑐𝑟𝑡 𝑆𝑞 + 𝑞 ∗ [(𝑖𝑞 ∗ (𝑆𝑝 − 𝑆𝑞) (𝑚𝑜𝑑 𝑝))].
11. Comment: use X instead of 𝑖𝑞 in the computation of Scrt so we get Scrte.
12. 𝑆𝑐𝑟𝑡𝑒 𝑆𝑞 + 𝑞 ∗ [(𝑋 ∗ (𝑆𝑝 − 𝑆𝑞) (𝑚𝑜𝑑 𝑝))].
13. n p*q
14. To get q, we compute 𝑞𝑡 gcd((𝑆𝑐𝑟𝑡𝑒-𝑆𝑐𝑟𝑡) ,n).
66
15. Eliminate 𝑆𝑐𝑟𝑡𝑒.
16. if 𝑆𝑐𝑟𝑡 ≢ 𝑆𝑝𝑟 𝑚𝑜𝑑 𝑝 𝑜𝑟 𝑆𝑐𝑟𝑡 ≢ 𝑆𝑞𝑟( 𝑚𝑜𝑑 𝑞) then return error.
17. return q≡ 𝑞𝑡.
Example 5
See appendix A.1
4.3.3 RSA-CRT Signature with Garner’s Algorithm Protected by
Simplified Vigilant’s Countermeasure
Algorithm 2.2 in section 2.5.1.1 of chapter 2 represents the RSA-CRT signature
with Garner’s algorithm protected by simplified Vigilant’s countermeasure the
outline of which is shown in section 4.2.10. This algorithm which is proposed by
Rauzy and Guilley [RG 2014] represents a modification of the countermeasure
suggested by Vigilant [Vig 2008].
4.3.4 FF Attack against RSA-CRT Signature with Garner’s Algorithm
Protected by Simplified Vigilant’s Countermeasure
Algorithm 4.2 is the proposed attack against algorithm 2.2. The aim of algorithm
4.2 is to factorize RSA modulus n. In algorithm 4.2, a fault value X is injected to
be used instead of stored value 𝑖𝑞 ≡ 𝑞−1 𝑚𝑜𝑑 𝑝 to compute a CRT-RSA signature
S, so that a fault signature 𝑆𝑐𝑟𝑡𝑒 is computed instead of the correct one. This fault
CRT-RSA signature 𝑆𝑐𝑟𝑡𝑒 can be used to factorize RSA modulus n=p*q by
computing the factor 𝑞 = 𝑔𝑐𝑑((𝑆𝑐𝑟𝑡𝑒𝑒 −𝑀), 𝑛) [BDL 1997], [Len 1996] and [JLQ
1999]. Algorithm 4.2 shows that even if a more complicated check sum is used, the
FF attack can factorize RSA-CRT modulus n. In addition, it does not need to
compute a correct CRT signature as attackers do not need it in computing factor q.
The only two items attackers need to find are factor q are a fault CRT signature Scrte
and message M. Algorithm 4.2 is shown below.
Algorithm 4.2 FF Attack against Algorithm 2.2
Internal INPUT (loaded from firmware): p, q, dp, dq, 𝑖𝑞 ≡q-1 mod p.
INPUT by user: message M, fault value X.
OUTPUT: The factor q.
1. Choose a small random integer r.
2. n p*q.
67
3. 𝑝𝑑𝑎𝑠ℎ 𝑝 ∙ 𝑟2.
4. 𝑖𝑝𝑟 𝑝−1(𝑚𝑜𝑑 𝑟2).
5. 𝑀𝑝 𝑀 (𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).
6. 𝐵𝑝 𝑝 ∙ 𝑖𝑝𝑟.
7. 𝐴𝑝 1 − 𝐵𝑝( 𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).
8. 𝑀𝑝𝑑𝑎𝑠ℎ 𝐴𝑝 ∙ 𝑀𝑝 + 𝐵𝑝 ∙ (1 + 𝑟) (𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).
9. 𝑞𝑑𝑎𝑠ℎ 𝑞 ∙ 𝑟2.
10. 𝑖𝑞𝑟 𝑞−1(𝑚𝑜𝑑 𝑟2).
11. 𝑀𝑞 𝑀 (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).
12. 𝐵𝑞 𝑞 ∙ 𝑖𝑞𝑟.
13. 𝐴𝑞 1 − 𝐵𝑞 (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).
14. 𝑀𝑞𝑑𝑎𝑠ℎ 𝐴𝑞 ∙ 𝑀𝑞 + 𝐵𝑞 ∙ (1 + 𝑟) (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).
15. 𝑆𝑝𝑑𝑎𝑠ℎ 𝑀𝑝𝑑𝑎𝑠ℎ
𝑑𝑝 (𝑚𝑜𝑑 𝜑(𝑝𝑑𝑎𝑠ℎ)) (𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).
16. 𝑆𝑝𝑟 1 + 𝑑𝑝 ∙ 𝑟.
17. 𝑐𝑝 𝑀𝑝𝑑𝑎𝑠ℎ + 𝑛 −𝑀 + 1 (𝑚𝑜𝑑 𝑝).
18. 𝑆𝑞𝑑𝑎𝑠ℎ 𝑀𝑞𝑑𝑎𝑠ℎ
𝑑𝑝( 𝑚𝑜𝑑 𝜑(𝑞𝑑𝑎𝑠ℎ)) (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).
19. 𝑆𝑞𝑟 1 + 𝑑𝑞 ∙ 𝑟.
20. 𝑐𝑞 𝑀𝑞𝑑𝑎𝑠ℎ + 𝑛 −𝑀 + 1 (𝑚𝑜𝑑 𝑞).
21. 𝑆𝑑𝑎𝑠ℎ 𝑆𝑞𝑑𝑎𝑠ℎ + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝𝑑𝑎𝑠ℎ − 𝑆𝑞𝑑𝑎𝑠ℎ)(𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ)).
22. Comment: use X instead of 𝑖𝑞 in the computation of Sdash so we get Sdashe..
23. 𝑆𝑑𝑎𝑠ℎ𝑒 𝑆𝑞𝑑𝑎𝑠ℎ + 𝑞 ∙ (𝑋 ∙ (𝑆𝑝𝑑𝑎𝑠ℎ − 𝑆𝑞𝑑𝑎𝑠ℎ)(𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ) ).
24. To get q, we compute 𝑞𝑡 gcd((𝑆𝑑𝑎𝑠ℎ𝑒𝑒 −𝑀),n).
25. Eliminate 𝑆𝑐𝑟𝑡𝑒 .
26. 𝑆𝑟 𝑆𝑞𝑟 + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝𝑟 − 𝑆𝑞𝑟)(𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ)).
27. 𝑐𝑠 𝑆𝑑𝑎𝑠ℎ − 𝑆𝑟 + 1 (𝑚𝑜𝑑 𝑟2).
28. 𝑆 ≡ 𝑀𝑑 (𝑚𝑜𝑑 𝑛).
29. 𝑆 ≢ 𝑆𝑑𝑎𝑠ℎ𝑐𝑝𝑐𝑞𝑐𝑠 (𝑚𝑜𝑑 𝑛) then return error.
30 return q=𝑞𝑡.
Example 6
See appendix A.2
68
4.4 Retrieve Secret Key Attack
In this section, I present the retrieve secret key (RSK) attack, which uses a fault
attack to retrieve RSA secret key d, which may be a key utilised in the signature or
decryption process. This section will include algorithms I choose to attack (which
are known as Protected Montgomery Ladder RSA algorithms Left-to-Right [JY
2002, Fig. 9] and Right-to-Left which I constructed by myself), the proposed
attacks of algorithms against them as well as practical examples to show the
implementation of these attacks.
The retrieved secret key attack is based on ideas concerning the ‘safe error attack’
on RSA cryptosystems described in [YJ 2000], in which the attacker injects a fault
into the intermediate calculation values of the multiplication process, and from this,
deduces a bit value of d. As mentioned previously, we assume that the attacker can
access the chip on which the algorithm was run. The simple and differential power
attacks as well as the computational and memory safe-error fault attacks are not
applicable on protected Montgomery Ladder RSA. In the same time, the new RSK
attack I proposed is applicable on protected Montgomery Ladder RSA. My new
RSK attack can be classified as computational safe-error fault attack.
4.4.1 Protected Montgomery Ladder RSA Left-to-Right Algorithm
The internal inputs (loaded from the firmware) to algorithm 2.3 in section 2.5.1.2
of chapter 2 are the secret key d = (dt, dt-1, …,d1)2 in binary form and size of secret
key t. The inputs by the user to algorithm 2.3 are the message g and modulus n.
The output is gd (mod n). Algorithm 2.3 uses R(0) and R(1) to compute gd,
initialising R(0) to 1 and R(1) to g. Then the algorithm enters a loop running from
t to 1. In each iteration, a reverse binary value of di is stored in b, R(b) multiplied
by R(di), the result is stored in R(b) and the value of R(di) is doubled. When the
loop ends, the value in R(0) will be the desired result gd.
4.4.2 RSK Attack against the Protected Montgomery Ladder RSA Left-
to-Right Algorithm
Algorithm 4.3 is a modification of algorithm 2.3. Therefore, algorithm 4.3 has the
same internal inputs loaded from the firmware of the victim device (the secret key
d = (dt, dt-1, …,d1)2 in binary form and the size of secret key t). The inputs by the
attacker are the message g, fault value X and modulus n. I assume that the attacker
does not know d, but does know that it is stored in the firmware of the victim device
69
in binary form and was used in processing the output gd. Algorithm 4.3 access the
bits of d in order, from most to least. In algorithm 4.3, the variable k is used to store
the captured binary values of d.
Algorithm 4.3 is initialised by setting R(0) to 1 and R(1) to message g and key size
counter z to 1. The idea behind the attack is based on the introduction of the error
using X at some points in the multiplication process. In each iteration of for loop of
algorithm 4.3, the reversed binary value of di is stored in b. The result of multiplied
R(b) by the introduced fault point X is stored in H, and the value of R(b) is stored
in T. In the next step, the value of di is checked: if it is 1 then R(b) is multiplied by
fault point X and stored in the R(b). At this point, the algorithm compares R(b) with
H and if they are equal, algorithm 4.3 will deduce that the value of the secret key
bit in this iteration is 1. In this case, the error in R(b) is eliminated by replacing its
value with T. However, if R(b) is not equal to G, then the algorithm deduces that
the value of the secret key bit is 0 in this iteration.
In the subsequent step, R(b) is multiplied by R(di) and stored in R(b), while R(di)
is doubled and stored in R(di). Then, the counter z is incremented by one. The
iterations are continued until the for-loop is ended. Then, k contains the estimated
bits of d, and v is the size of the final value of z-1 which represents the bit-size t of
d.
Algorithm 4.3 RSK Attack against Algorithm 2.3
Internal INPUT (loaded from firmware): d = (dt, dt-1,… , d1)2, size of secret key
t.
INPUT by attacker: message g, fault value X, modulus n.
OUTPUT: d in binary form and v size of secret key.
1. R(0) 1, R(1) g.
COMMENT: Assign key size counter label z 1.
2. z 1.
COMMENT: Inject error by using X instead of R(di) in multiplication operations.
3. For i= t to 1 do
3.1 b ¬ dz.
3.2 H R(b) *X (mod n).
3.3 T R(b) (mod n).
70
3.4 If di = 1 then
R(b) R(b) * X (mod n).
End IF.
COMMENT: The loops store the bits of d in order in the (t)-tuple d.
3.5 If R(b) = H then
{ki 1.
COMMENT: Eliminate the error in R(b) by replacing the fault value by a value
stored in T
R(b) T.
Else
ki 0.
End If.
3.6 R(b) R(b)*R(di) (mod n).
3.7 R(di) R(di)2(mod n).
3.8 z z+1.
End For loop.
4. Set v z-1.
5. d= (kv, kv-1, . . . , k2, k1).
Example 7
See appendix A.3
4.4.3 Protected Montgomery Ladder RSA Right-to-Left Algorithm
The internal inputs (loaded from the firmware) to algorithm 2.4 in section 2.5.1.2
of chapter 2 are the secret key d = (dt, dt-1, …, d1)2 in binary form and size of secret
key t. The inputs by the user to algorithm 2.4 are the message g and modulus n. The
output is gd. Algorithm 2.4 uses R(0) and R(1) to compute gd, initialising R(0) to 1
and R(1) to g . Then the algorithm enters a loop running from 1 to t. In each iteration,
a reverse binary value of di is stored in b, R(b) is doubled, R(di) is multiplied by
R(b) and the result is stored in R(b). When the loop ends, the value in R(0) will be
the desired result gd.
71
4.4.4 RSK Attack against the Protected Montgomery Ladder RSA
Right-to-Left Algorithm
Algorithm 4.4 is a modification of algorithm 2.4. Therefore, algorithm 4.4 has the
same internal inputs loaded from the firmware of the victim device (the secret key
d = (dt, dt-1, …, d1)2 in binary form and size of the secret key t). The inputs by the
attacker are the message g and fault value X and modulus n. I assume that the
attacker does not know d but does know that it is stored in the firmware of the victim
device in binary form and was used in processing the output gd. Algorithm 4.4
access the bits of d in order, from least to most. In algorithm 4.4, the variable k is
used to store the captured binary values of d.
Algorithm 4.4 is initialised by setting R(0) to 1, R(1) to message g and the key size
counter z to 1. The idea behind the attack is based on the introduction of the error
using X at some points in the multiplication process. In each iteration of algorithm
4.4, a reversed value of di is stored in b. The result of multiplying R(b) by the
introduced fault point X is stored in H and the value of R(b) is stored in T. In the
next step, the value of di is checked: if it is 1 then the result of R(b) multiplied by
the introduced fault point X is stored in the R(b). At this point, the algorithm
compares R(b) with H, and if they are equal, deduces that the value of the secret
key bit in this iteration is 1. In this case, the error in R(b) is eliminated by replacing
it with T. However, if R(b) is not equal to H, then the algorithm deduces that the
value of the secret key bit is 0 in this iteration.
In the subsequent step, R(b) is doubled and stored in R(b) and then the new value
of R(b) is multiplied by R(di) and the result is stored in R(b). Then the counter z is
incremented by one. The iterations are continued until the for-loop is ended. Then,
k contains the estimated bits of d, and v is the size of the final value of z-1 which
represents the bit-size t of d.
Algorithm 4.4 RSK Attack against Algorithm 2.4
Internal INPUT (loaded from firmware): d = (dt, dt-1,… , d1)2, size of secret key
t.
INPUT by attacker: message g, fault value X, modulus n.
OUTPUT: d in binary form and v size of secret key.
1. R(0) 1, R(1) g.
72
COMMENT: assign key size counter label z 1.
2. z 1.
COMMENT: Inject error by using X instead of R(di) in multiplication operations.
3. For i= 1 to t do
3.1 b ¬ di.
3.2 H R(b) *X(mod n).
3.3 T R(b) (mod n).
3.4 If di = 1 then
R(b) R(b) * X (mod n).
End IF.
COMMENT: The loops store the bits of d in order in the (t)-tuple d.
3.5 If R(b) = H then.
{ki 1.
COMMENT: Eliminate the error in R(b) by replacing fault value by a value
stored in T.
R(b) T.
Else
ki 0.
End If.
3.6 R(b) R(b)2 (mod n).
3.7 R(b) R(b)*R(di) (mod n).
3.8 z z+1.
End While loop.
4. Set v z-1.
5. d= (kv, kv-1, k3, . . . , k2, k1).
Example 8
See appendix A.4
4.5 Summary
In this chapter, two fault attacks were proposed to recover RSA cryptosystem secret
information. The FF attack was applied to RSA-CRT signature algorithms, and it
aimed to factorize RSA-CRT modulus n. The RSK attack was implemented on the
protected Montgomery Ladder RSA “Left-to-Right and Right-to-Left” algorithms,
and its goal was to recover the d secret key which might represent a decryption key
73
or a signature key. The two attacks depended on the concept of safe error attack.
All the attacks proposed in this chapter posed challenges to the designer of RSA
cryptosystems to take into consideration all the security issues highlighted here.
74
Chapter Five Proposed Fault Attack against Elliptic
Curve Cryptosystem
ECC is used to secure data in devices with restricted resources like smart card. The
fault attack technique proposed here inject a programming fault in algorithms stored
in EEPROM. This fault will be used to retrieve the secret key of ECC. This chapter
is closely related to the thesis goals as it suggests fault attack on ECC.
5.1 Introduction
In this chapter we focus on six algorithms for scalar multiplication suggested by
Montgomery ([JY 2002] and [FV 2012]), Coron [DHB 2016] and Joye ([JY 2002]
and [Joy 2007]). All six algorithms are regular and thus resistant to power, timing,
and safe error attacks (e.g., [FRV 2014], [Che 2017] & [Lal 2017]).
ECC is one of the most widespread cryptography systems currently used to deal
with devices with low or constrained resources like IoT devices. The main
advantage of this kind of cryptography systems is that they provide high level
security with smaller key size. ECC needs only a key size of 384 bits long digits to
give the same level of security of RSA with key size of 3072 bits long digits for the
year 2018 according to BlueKrypt website for both. Bluekrypt website [Gir 2017]
is a site which gives recommendations for key size according to the requirements
of different security institutes over the world such as Commercial National Security
Algorithm (CNSA) Suite, French Network and Information Security Agency
(ANSSI) and non-regulatory federal agency within the U.S. Commerce
Department's Technology Administration (NIST), etc. More details about important
ECC systems can be found in section 2.3.2 of chapter 2.
In this chapter, I propose a fault point attack against six algorithms to recover the
secret key used to secure data in ECC. Such attacks on ECC can help designers to
enhance the security level of ECC implemented on hardware devices by taking into
consideration the security issues involved in these attacks. The mathematical
background of the proposed attacks is outlined in section 5.2.
Any algorithm for point scalar multiplication enters a secret multiplier in bit format;
the algorithm may then begin with either the most significant bit or the least
significant one. Left-to-Right versions have some advantages; one being that the
first bit can be assumed to be 1, and so the algorithm can begin with the second bit.
75
Typically, in Right-to-Left algorithms, only one variable needs storage while in
Left-to-Right algorithms, storage is needed for two variables. This fact may have
some impact on the available resources but appears to have been mainly ignored in
real-world implementations for other factors such as security.
While the curve, field, and points P and Q are public knowledge and available on
the chip, I do not know k nor its number of bits t, but I do know that the bits of k
are stored inside the firmware of the victim device and were used in processing the
output Q. The aim of this chapter is to attack elliptic curve cryptosystem and try
solve the ECDLP which can be defined: for any positive integer k and point P on
the elliptic curve E, by kP we mean, P added to itself k times. The underlying
security of the use of elliptic curves in cryptography is based on the difficulty,
believed to be mathematically NP-hard [GG 2015], of finding the scalar multiple k
when P and Q = kP are known. The elliptic curve E modulo large prime number p
and a base point P on elliptic curve E represent the public key part of ECC. While,
the secret part of ECC is represent by a k in a range [2, p-2] and calculates Q=k*P
mod p. However, the public key in RSA is (e, N). While, the secret part in RSA is
d. Therefore, to decrypt a message c in RSA we use M =cd mod n.
The approach used to attack six algorithms is based on ideas concerning the ‘safe
error attack’ on elliptic curve cryptosystems described in [YJ 2000], in which the
attacker injects a fault into the intermediate calculation values of multiples of a
point, and from this, deduces a bit value of secret key. As mentioned previously,
the attack scenario assumed that the attacker could access the chip on which the
algorithm was run.
I assume that each algorithm is stored in EEPROM on a victim device to which I
have access and on which I can induce faults during the processing of the algorithm.
EEPROM sits on a hardware device and can be erased, read or written to [YouTube
2014], [Lan 2015, chap. 6], [YouTube 2015], and [Ard 2018]. All proposed attacks
in this chapter try to deal with a fault in the programming level of EEPROM instead
of a fault in the register level. The proposed fault attack will inject a fault value by
changing the algorithm written in the EEPROM after it is loaded into the RAM and
then this value is used in the computation instead of the correct values. This will
enable the attacker to deduce the secret key according to the fault result in the
76
computation. In addition, the attacker will eliminate the fault result in the
computation, therefore, any checking procedure will confirm that all elements used
in the computations are free of error.
All examples showing the implementation of the fault point attack in software are
done by using Intel (R) Core (TM) i7-4500 CPU 2.4 GHZ with 8 GB RAM as a
hardware platform and Windows 7 as the operating system. Maple 2017b [Maple
2017] was chosen as the software platform as it contains a cryptography package
designed for elliptic curve arithmetic operations.
In section 5.3 the Montgomery ladder algorithms are presented together with the
proposed fault point attack against them. Section 5.4 deals with the Coron
algorithms and the proposed fault point attack against them. Then in section 5.5 the
Joye algorithms are presented and also the proposed fault point attack against them.
Finally, section 5.6 will be the summary of this chapter.
5.2 Mathematical Background
Elliptic curves form the basis of an efficient cryptosystem which is often chosen for
implementation on small devices, such as those which would be used to authenticate
messages in an IoT scenario. Some mathematical models represent elliptic curve
according to the types of curve used and mathematical equations used to add and
double points. In this section, I will show how the elliptic curve can be used in
cryptography and signatures systems by offering a detailed presention of the
processes of key generation, encryption, decryption and signing a message by using
ECC.
I also focus on general Weierstrass and Montgomery elliptic curves because the
proposed fault attack against elliptic curve cryptosystem use general Weierstrass
and Montgomery elliptic curves in their operations.
5.2.1 ECC Key Generation
I assume that two users, Sam and Lauren, want to set up an ECC to sign messages
and to secure the interchange of messages between them.
The First step, for a setup of ECC, is the key generation. Each one of them must
choose an elliptic curve E modulo prime p, and a base point P on the same curve E.
Each one of them must also choose a private random a in [2, 𝑝 − 2] and
computes 𝑄 ≡ 𝑎𝑃 (𝑚𝑜𝑑 𝑝). Sam’s and Lauren’s public key is (p, P, Q) and their
77
private key is a. The message chosen by Sam or Lauren must be a point on the
elliptic curve of the two parties. [Bat 2013].
5.2.2 ECC Encryption
I assume that Sam wants to send a message to Lauren and he uses the keys
generated in 5.2.1 to encrypt it.
Sam creates a message as a point K on Lauren’s elliptic curve E.
He gets Lauren’s public key (p, P, Q) where 𝑄 ≡ 𝑐𝑃 (𝑚𝑜𝑑 𝑝), c is Lauren’s
secret.
He chooses 𝑑 ∈ [2, 𝑝 − 2] arbitrarily.
He calculates dP and K + dQ (mod p).
He sends the cipher ≡ (dP, K + dQ) (mod p). [Bat 2013]
5.2.3 ECC Decryption
Lauren receives the cipher message (dP, K + dQ) (mod p) from Sam. She retrieves
K by calculating (K+dQ)-cdP≡K+dcP-cdP≡K(mod p), where c is her arbitrary
secret [Bat 2013].
5.2.4 ECC Signature
Lauren wants to sign a message G and send it to Sam. She chooses a private key h.
She calculates N which represents number of points on her curve E and V=hP=(x,
y). Her public key will be (p, E, N, P, V). She signs the message G by taking the
following steps:
1. She arbitrarily chooses an integer t with 1 ≤ t < N and gcd (t, N)=1, and calculates
F=tP=(x, y).
2. She calculates u ≡ t -1 (G−hx) (mod N).
3. She sends the signed message (G, F, u) to Sam.
Sam verifies the signature of Lauren by taking the following steps:
1. Sam obtains Lauren’s public key p, E, N, P and V.
2. He calculates Z1=xV + uF and Z2=GP.
3. If Z1=Z2 then the signature is valid [Tra 2006].
78
5.2.5 General Weierstrass Elliptic Curves Background
The general affine version of the elliptic curve equation, as taken from the
monograph [BSS 1999, p. 30] by Blake, Seroussi and Smart, is known as the
Weierstrass elliptic curve equation and is given by:
𝑦2 + 𝑎1𝑥𝑦 + 𝑎2𝑦 = 𝑥3 + 𝑎3𝑥
2 + 𝑎4𝑥 + 𝑎5. (1)
Where the constants ai are from a fixed finite field GF(q) of any characteristic ≥ 2,
and q is a prime power (I have taken the liberty of labelling the coefficients in a
slightly different way than that of equation (3) in [BSS 1999, Chap. III]. Using E to
refer to such a curve, I then use the notation E(Fq) to indicate that the coefficients
are from GF(q).
The points of such a curve, along with an additional ‘point at infinity’, which acts
as the identity and for which I use the symbol O, form an abelian group under an
operation ‘+’ on the points defined algebraically by the equations (3) and (4) given
below [BSS 1999, Chap. III]. This ‘+’ operation can be defined regardless of the
characteristic of the field. Points on the curve are represented as affine pairs (x, y)
where each of x and y come from GF(q) and satisfy the equation (1).
For any point P = (x, y) on E, the negative of P is defined to be the point
−𝑃 = (𝑥, −𝑦 − 𝑎1𝑥 − 𝑎2). (2)
As mentioned on [BSS 1999, p. 33], this definition applies to all finite field
characteristics. I define P + (– P) to be O.
To define the addition of two points (other than the pair P and –P) on E, I introduce
some further notation to simplify the formulas. Let P1 = (x1, y1) and P2 = (x2, y2)
be distinct points on E.
In case x1 ≠ x2, let 𝛼 = (𝑦2 − 𝑦1)/(𝑥2 − 𝑥1) and 𝛽 = (𝑦1𝑥2 − 𝑦2𝑥1)/(𝑥2 − 𝑥1).
In case x1 = x2 but P2 ≠ –P1 (the case P1 = P2),
let 𝛼 = (3(𝑥1)2 + 2𝑎3𝑥1 + 𝑎4 − 𝑎1𝑦1)/(2𝑦1 + 𝑎1𝑥1 + 𝑎2) and 𝛽 = (−(𝑥1)
3 +
𝑎4𝑥1 + 2𝑎5 − 𝑎2𝑦1)/(2𝑦1 + 𝑎1𝑥1 + 𝑎2).
79
Letting P1 + P2 = (x3, y3), then the coordinates of this sum in both cases above are
given by:
𝑥3 = 𝛼2 + 𝑎1𝛼 − 𝑎3 − 𝑥1 − 𝑥2, (3)
And
𝑦3 = −(𝛼 + 𝑎1)𝑥3 − 𝛽 − 𝑎2. (4)
5.2.6 Montgomery Elliptic Curves Background
In the late 1980s, Montgomery developed a revised form of (1) to speed up elliptic
curve factorisation methods [Mont 1987], [CS 2017] and [OLR 2017]. The generic
version of these Montgomery curves for prime order fields of characteristic >3 in
affine form is given by:
𝐵𝑦2 = 𝑥3 + 𝐴𝑥2 + 𝑥. (5)
where A and B are elements of the underlying field.
As pointed out by Hamburg in [Ham 2015], over fields of prime characteristic
congruent to 3 modulo 4, the curve in (5) is equivalent to one with B = 1, whereas
this is not the case for fields of prime characteristic congruent to 1 modulo 4.
Hamburg also points out that where the order of the Montgomery curve is h*q for
a large prime q, the factor h is always divisible by 4, which leads to some possible
attacks. His paper describes how to eliminate factors by using ‘point compression’.
The Montgomery curve equation (5) over a field of prime order congruent to 3
modulo 4, can be transformed into a Montgomery curve with B = 1, in which case,
the curve is referred to as ‘untwisted’.
Computations on an elliptic curve can be performed in affine or projective
coordinates. Using projective coordinates has the advantage that field inversions in
point operations are simplified by the introduction of the additional coordinate.
However, the authors of [KFSV 2011] claim that points should be converted from
projective back to affine before outputting the result as this saves the cost of
transferring a coordinate. Not transferring back to affine coordinates before output
also provides an adversary with the opportunity of capturing some side-channel
information from the projection as has been shown in [NSS 2004]. In this section,
I will keep using affine point representation.
Based on the equation (5), the x-coordinate only values are computed as follows
[Mont 1987]:
80
For 2(x, y): 𝑥2𝑝 = [(𝑥2 − 𝑎)2 − 8𝑏𝑥]/[4(𝑥3 + 𝑎𝑥 + 𝑏)] . (6)
for P1 = (x1, y1) and P2 = (x2, y2) with x1 ≠ x2, letting xR be the x-coordinate of
the sum and 𝑥𝑅′ be the x-coordinate of the difference P1 – P2:
𝑥𝑅 = [2(𝑥1 + 𝑥2)(𝑥1𝑥2 + 𝑎) + 4𝑏]/(𝑥1 − 𝑥2)2 − 𝑥𝑅
′ . (7)
Although Montgomery curves have proved to be efficient for use in elliptic curve
factorisation methods, especially in conjunction with the Montgomery ladders
[Ham 2015], the curves have been found to be too specialised for general use in
most international standards used today, including ANSI, IEEE and SEC (e.g.,. [IT
2002]). The efficiency benefit of equations (6) and (7) is that only the x-coordinate
of points is used at each stage; however, the major drawback to using (7) for the
addition of two general points on a Montgomery curve, is that it requires that I
should be able to produce a difference of two points. Izu, Möller and Takagi
comment on this issue in [IMT 2002] and in [IT 2002], where the doubling and
addition operations are separated. Their aim is to gain as much efficiency as
possible, and this is achieved by writing the multiplier k as a sum of powers of 2
and producing repeated doublings of the point using (6) until the required sufficient
amount has been obtained. At this stage, however, to generate the value for Q = kP,
point additions of random points must be made, rather than point doublings, and
thus the need for point differences becomes problematic. The authors of [IMT
2002] deal with this situation by the use of a ‘YRecovering’ algorithm given in
Appendix A.5 of their paper. A simpler method usable in case the underlying field
has characteristically a prime congruent to 3 modulo 4, is a basic result found in
many elementary number theory and cryptography texts (for example [BJ 2002, p.
86]) which states: ‘If p ≡ 3 (mod 4) is prime and x ≡ y(p+1)/4 (mod p), then either y
or –y has square roots x and –x.’ Alternatively, equations (3) and (4) can be used
throughout instead of (6) and (7).
Nonetheless, the ‘Right-to-Left’ and ‘Left-to-Right’ algorithms produced by
Montgomery for point additions (first proposed in the context of RSA), and made
explicit on [JY 2002, p. 7], are still much in demand for point doubling which is the
major phase of the fast exponentiation procedure in point scalar multiplication. In
81
particular, their use in computing scalar multiples over curves with form (5) is
particularly efficient.
In our case, I focus on an attack in which many additions, which are not doublings
are required. In this case, the assumption that I have the x-coordinate x(P1 – P2) of
P1 – P2 is unreasonable; in fact to find this using (7) requires x(P1 – (–P2)) = x(P1 +
P2) leading us into an infinite loop computationally. In the proposed attack against
the Montgomery power ladder algorithm, I, therefore, use the addition formulas of
(3) and (4); an additional benefit for me is that these provide both coordinates of
the sum which I can then compare with my target point.
5.3 Montgomery Ladder Algorithms
The Montgomery powering ladder was introduced in [Mont 1987], [CS 2017] and
[OLR 2017] to assist in speeding up elliptic curve factorisation methods; it has been
analysed in many papers in the last twenty years, and is still used as one of the
benchmarks of elliptic curve computations of point multiples (e.g., [FV 2012]).
While it was initially introduced for use with the Montgomery curve equations, the
authors of [Cor 1999] and [JY 2002] explain how it can be adapted to work with
any abelian group, and also to any elliptic curve group represented by the form (1)
in section 5.2.5.
The aim of this section is to attack the ECDLP on both Right-to-Left and Left-to-
Right versions of the Montgomery powering ladder. I deal with the Left-to-Right
version in sections (5.3.1 and 5.3.2) and the Right-to-Left version in sections (5.3.3
and 5.3.4). When using bits of k from Left-to-Right (most to least significant), I can
always assume that the first bit is 1. In this case, there are two ways to establish the
algorithm computing multiples of P: either begin from the left-most bit or begin
from the second bit from the left. For small values of k, the latter method saves one
round in the loop and so is more efficient than the former method; however, for
very large values of k, there is little saving in efficiency between the two methods.
5.3.1 Left-to-Right Montgomery Ladder Algorithms
Algorithm 2.5 in section 2.7.1.1 of chapter 2 (taken from [FV 2012, alg. 1] where
it is presented in additive form) represent the Montgomery powering ladder with
Left-to-Right scalar multiplication beginning the point additions from the second
bit from the left.
82
The internal inputs (loaded from the firmware) to algorithm 2.5 are the secret key
k = (kt, kt-1,…, k1)2 in binary form and size of the secret key t. The input by the user
to algorithm 2.5 is the known base point P, which belongs to the known curve E(Fq)
over the field GF(q). The output is the known point Q = k*P. Algorithm 5.1 assumes
that kt = 1 and does not use this bit. Algorithm 2.5 initiates R(0) which is an
intermediate variable used to store the scalar additions of P with P value, and
initiates R(1) with 2P value. Then, algorithm 2.5 enters in loop starting from t-1
down to 1. In each iteration, R(0) is added to R(1) and the result is stored in R(¬ ki)
and R(ki) is doubled. When the loop ends, the value in R(0) is the final result of kP.
The addition operation used here is that of scalar addition and with equations (3)
and (4) since we do not require the efficiency provided by (6) and (7).
5.3.2 The Fault Point Attack against Left-to-Right Montgomery
Ladder Algorithm
On accessing the RAM of the victim device where algorithm 2.5 is loaded from the
EEPROM of the same device, I assume that the bits of k (kt-1,…, k1) are accessible
in order, from Left-to-Right (most to least). The proposed attack makes changes to
produce algorithms that capture the binary values of k and the attack approach is
based on ideas concerning the ‘safe error attack’ on elliptic curve cryptosystems
described above.
Algorithm 5.1 is a modification of algorithm 2.5. Therefore, I assume that the bits
(kt-1, … k2, k1) of the secret key k are stored in the firmware of the victim device
and loaded into the RAM of the victim device by algorithm 5.1 while it is being
executed in the RAM of the same device. The attacker has no direct access to the
secret key, nor to its size. Only algorithm 5.1 can access it and deal with it as an
internal input. Along the way, the captured bits of k are stored in values check (dt,
dt-1, …, d2, d1). The attack is based on the introduction of a significant error, using
any fault point X chosen by the attacker instead of P at some points in the point
addition process. To avoid legal discovery of this error, I correct it at line 3.4.
Algorithm 5.1 is initialised by setting R(0) to the point P, R(1) to the point 2P and
the key size counter e to 2. In each iteration of algorithm 5.1, R(0) is stored in Z
and the result of adding R(0) to the introduced fault point X is stored in N. In the
next step, the value of ki is checked: if it is 1 then the result of adding R(0) to the
83
introduced fault point X is stored in R(¬ki). At this stage, algorithm 5.1 compares
R(¬ ki) with N, and if they are equal, it deduces that the value of the secret key bit
in this iteration is 1; in which case, the error in R(¬ki) is eliminated by replacing it
with Z. However, if R(¬ki) is not equal to N, then the algorithm deduces that the
value of the secret key bit is 0 in this iteration.
In the next step, R(0) is added to R(1) and stored in R(¬ki) while R(ki) is doubled.
The key size counter e is incremented by one. The iterations are continued until the
loop ends. As a result of this process, the estimated bits of k are stored in d, and
the final value of e-1 represents the bit-size v of k.
Algorithm 5.1 Fault Point Attack against Algorithm 2.5
Internal INPUT (loaded from firmware): k = (1, kt-1,…, k1)2, t key size, where
kt = 1.
INPUT by user: The elliptic curve E, its field Fq, point P on E (Fq) and Fault
point X.
OUTPUT: k in binary form and v size of secret key.
1. R(0) P, R(1) 2P, e 2.
COMMENT: Assign key size counter label e 2 and through the loop
store the bits of k in order in the (t-1)-tuple d.
2. Use X as a fault point.
COMMENT: Inject error by using X instead of P in addition operations.
3. For i from t-1 down to 1 do
3.1 Z R(0).
3.2 N R(0) + X.
3.3 If ki=1 then
R(¬ki) R(0) +X.
End if.
3.4 If R(¬ ki) = N then
di 1.
COMMENT: Eliminate the error in R(¬ ki) by replacing fault value by a
correct value stored in Z.
R(¬ ki) Z.
Else
84
di 0.
End If.
3.5 R(¬ki) R(0) + R(1).
3.6 R(ki) 2R(ki).
3.7 e e+1.
End While loop.
4. set v e–1.
5. k= (1, dt-1, dt-2 … d2, d1).
Example 1
See appendix B.1
5.3.3 The Right-to-Left Montgomery Ladder Algorithm
Algorithm 2.6 in section 2.7.1.1 of chapter 2 represent the Right-to-Left
Montgomery Ladder algorithm. Because the algorithm begins from the right, it
must start with the least significant bit.
The internal inputs (loaded from the firmware) to algorithm 2.6 are the secret key
k = (kt, kt-1,…, k1)2 in binary form and size of the secret key t. The input by the user
to algorithm 2.6 is the known base point P, which belongs to the known curve E(Fq)
over the field GF(q). The output is the known point Q = k*P. Algorithm 2.6 initiates
R(0) which is an intermediate variable used to store the scalar additions of P with
identity value O and, initiates R(1) with P value. Then, algorithm 2.6 enter in loop
starting from 1 up to t. In each iteration, R(1) is stored in G, the result of (1 - ¬ ki)
is stored in b, R(0) is added to R(1) and the result is stored in R(b), G is stored in
R(1) and R(1) is doubles. When the loop ends, the value in R(0) is the final result
of kP. As in the previous section, addition is based on equations (3) and (4).
5.3.4 Fault Point Attack against Right-to-Left Montgomery Ladder
Algorithm
On accessing the RAM of the victim device where the algorithm 2.6 is loaded from
the EEPROM of the same device, I assume that the bits of k (kt, kt-1,…, k1) are
accessible in order from Right-to-Left (least to most). The proposed attack makes
changes to produce algorithms that capture the binary values of k and the attack
approach is based on ideas concerning the ‘safe error attack’ on elliptic curve
cryptosystems described above.
85
Algorithm 5.2 is a modification of algorithm 2.6. Therefore, I assume that the bits
(kt, kt-1, … k2, k1) of the secret key k are stored in the firmware of the victim device
and loaded into the RAM of the victim device by algorithm 5.2 while it is being
executed in the RAM of the same device. The attacker has no direct access to the
secret key nor to its size. Only algorithm 5.2 can access it and deal with it as an
internal input. Along the way, the captured bits of k are stored in values (dt, dt-1 …
d2, d1). The attack is based on the introduction of a significant error, using any fault
point X chosen by the attacker instead of P at some points in the point addition
process. To avoid legal discovery of this error, I correct it at line 3.6.
Algorithm 5.2 is initialised by setting R(0) to the point O, R(1) to the point P and
the key size counter e to 1. In each iteration of algorithm 5.2, R(0) is stored in E,
R(1) is stored in G, the result of (1 - ¬ ki) is stored in b, and the result of adding
R(0) to the introduced fault point X is stored in N. In the next step, the value of b is
checked: if it is 0 then the result of adding R(0) to the introduced fault point X is
stored in R(b). At this stage, the algorithm compares R(b) with N, and if they are
equal, it deduces that the value of the secret key bit in this iteration is 1; in which
case, the error in R(b) is eliminated by replacing it with E. However, if R(b) is not
equal to N, then the algorithm deduces that the value of the secret key bit is 0 in this
iteration.
In the next step, R(0) is added to R(1) and stored in R(b), G is stored in R(1), R(1)
is doubled. The key size counter e is incremented by one. The iterations are
continued until the loop ends. As a result of this process the estimated bits of k are
stored in d, and the final value of e-1 represents the bit-size v of k.
Algorithm 5.2 Fault Point Attack against Algorithm 2.6
Internal INPUT (loaded from firmware): k = (kt, kt-1,…, k1)2, t key size,
INPUT by user: The elliptic curve E, its field Fq, point P on E (Fq) and Fault
point X.
OUTPUT: k in binary form and v size of secret key.
1. R(0) O, R(1) P, e 1.
COMMENT: Assign key size counter label e 1 and through the loop store
the bits of k in order in the (t-1)-tuple d.
2. Use X as a fault point.
86
COMMENT: Inject error by using X instead of P in addition operations.
3. For i from 1 up to t do
3.1 E R(0).
3.2 G R(1).
3.3 b 1– ki.
3.4 N R(0) + X.
3.5 If b=0 then
R(b) R(0) + X.
End If.
3.6 If R(b) = N then
{di 1.
COMMENT: Eliminate the error in R(¬ ke) by replacing the fault value by a
correct value stored in E.
R(b) E}.
Else
di 0.
End If
3.7 R(b) R(0) +R(1).
3.8 R(1) G.
3.9 R(1) 2R(1).
3.10 e e+1.
End While loop.
4. set v e-1.
5. k= (dt, dt-1, . . . , d2, d1).
Example 2
See appendix B.2
5.4 Coron’s Algorithms
The Coron Left-to-Right and Right-to-Left algorithms are resistant to simple power
and timing attacks and do not require a large amount of storage and computing
power. Algorithm 2.7 in section 2.7.1.1 of chapter 2 represents Coron Left-to-Right
[DHB 2016, Alg 5]. Algorithm 2.8 in section 2.7.1.1 of chapter 2 represents a
87
corresponding Right-to-Left version, which I personally developed and introduced
in this research.
5.4.1 Left-to-Right Coron Algorithm
The internal inputs (loaded from the firmware) to algorithm 2.7 are the secret key
k = (1, kt-1,…, k1)2 in binary form and size of the secret key t. The input by the user
to algorithm 2.7 is the known base point P, which belongs to the known curve E(Fq)
over the field GF(q). The output is kP. This algorithm initiates the place-holder
W(0) to P and updates it with new multiples of P as the algorithm progresses
through the loop from t-1 down to 1. In each iteration, W(0) is doubled and added
to P, and the result is stored in the place-holder W(1), and W(ki) is stored in W(0).
The final result of kP is stored in W(0) after the loop is complete.
The addition operation used her is that of scalar addition and with equations (3) and
(4) since we do not require the efficiency provided by (6) and (7).
5.4.2 Fault Point Attack against Left-to-Right Coron Algorithm
On accessing the RAM of the victim device where algorithm 2.7 is loaded from the
EEPROM of the same device, I assume that the bits of k (kt-1,… k2, k1) are
accessible in order, from Left-to-Right (most to least). The proposed attack makes
changes to produce algorithms that capture the binary values of k and the attack
approach is based on ideas concerning the ‘safe error attack’ on elliptic curve
cryptosystems described above.
Algorithm 5.3 is a modification of algorithm 2.7. Therefore, I assume that the bits
(kt-1, … k2, k1 ) of the secret key k are stored in the firmware of the victim device
and then loaded into the RAM of the victim device by algorithm 5.3 while it is being
executed in the RAM of the same device. The attacker has no direct access to the
secret key nor to its size. Only algorithm 5.3 can access it and deal with it as an
internal input. Along the way, the captured bits of k are stored in values (dt, dt-1 …
d2, d1). The attack is based on the introduction of a significant error, using any fault
point X chosen by the attacker instead of P at some points in the point addition
process. To avoid legal discovery of this error, I correct it at line 3.5.
In algorithm 5.3, I use P and the fact that kt = 1. Then I use new variables to store
data which are collected from the registers or computed in addition steps. I use W(0)
88
to store accumulated multiples of P and the variable d to store the captured binary
values of k.
Algorithm 5.3 Fault Point Attack against Algorithm 2.7
Internal INPUT (loaded from firmware): k = (1, kt-1,…, k1)2, t key size,
INPUT by user: The elliptic curve E, its field Fq, point P on E (Fq) and Fault
point X.
OUTPUT: k in binary form and v size of secret key.
1. W(0) P.
COMMENT: Assign key size counter label e 2 the loop store the bits of k
in order in the (t-1)-tuple d.
2. Use X as a fault point, e 2.
COMMENT: Inject error by using X instead of P in addition operations
3. For i from t-1 down to 1 do
3.1 W(0) 2W(0).
3.2 R W(0) + X.
3.3 W(1) W(0)+X.
COMMENT: The loop stores the bits of k in order in the (t-1)-tuple d.
3.4 If W(ki) = R then
di 1.
Else
di 0.
End If.
COMMENT: Eliminate the error in W(1) by replacing fault value by a result of
addition W(0)+P.
3.5 W(1) W(0)+P.
3.6 W(0) W(ki).
3.7 e e+1.
End While loop.
4. Set v e-1.
5. k= (1, dt-1, dt-2, . . . , d2, d1.).
Algorithm 5.3 is initialised by setting W(0) to the point P and the counter key size
e to 2. In each iteration of algorithm 5.3, the value of W(0) is doubled and the result
89
of adding W(0) to the introduced fault point X is stored in R. In the next step, the
result of adding W(0) to the introduced fault point X is stored in W(1). At this
point, algorithm 5.3 compares W(ki) with R; if they are equal, it deduces that the
value of the secret key bit in this iteration is 1; otherwise, the algorithm deduces
that the value of the secret key bit is 0. In the next step, the result of adding P to
W(0) is stored in W(1). This operation eliminates the fault value in W(1). Then
W(ki) is stored in W(0). Next, the counter size e is incremented by one. The
iterations are continued until the loop ends. As a result of this process the estimated
bits of k are stored in d, and the final value of e-1 represents the bit-size v of k.
Example 3
See appendix B.3
5.4.3 Right-to-Left Coron Algorithm I rebuild the Right-to-Left Coron algorithm 2.8 in section 2.7.1.1 of chapter 2 which
is the reverse way of dealing with bits of the secret key in Left-to-Right Coron. I
use the same equation used by Coron Left-to-Right (W(0)= W(ki)) and build the
rest of the algorithm depending on this equation. I use a new variable R so that I
can get the final output kP. I refer to this algorithm as Right-to-Left Coron because
I need a Left-to-Right and Right-to-Left algorithm for Montgomery, Coron and
Joye as my attack is applied on two versions: Left-to Right and Right-to-Left
algorithms. Coron Right-to-Left algorithm is similar to the Right-to-Left Joye in
that it begins by setting O to W(0) and P to R. I could not find the Right-to-Left
version of Coron algorithm in any of the references I have searched, so I rebuild the
Right-to-Left Coron algorithm by myself.
The internal inputs (loaded from the firmware) to algorithm 2.8 are the secret key
k = (1, kt-1,…, k1)2 in binary form and size of the secret key t. The input by the user
to algorithm 2.8 is the known base point P, which belongs to the known curve E(Fq)
over the field GF(q). The output is kP. Algorithm 2.8 initiates the place-holder W(0)
to O and a second place-holder R to P. Then the algorithm enters a loop running
from 1 up to t. In each iteration, it stores R in W(1), adds W(0) to W(1) and stores
the result in W(1); it also stores W(ki) in W(0), and stores 2R in R. When the loop
ends, the value in W(0) is the final result of kP.
90
5.4.4 Fault Point Attack against Right-to-Left Coron Algorithm
On accessing the RAM of the victim device where algorithm 2.8 is loaded from the
EEPROM of the same device, I assume that the bits of k (kt, kt-1,…, k1) are
accessible in order, from Right-to-Left ( least to most). The proposed attack makes
changes to produce algorithms that capture the binary values of k, and the attack
approach is based on ideas concerning the ‘safe error attack’ on elliptic curve
cryptosystems described above.
Algorithm 5.4 is a modification of algorithm 2.8. Therefore, I assume that the bits
(kt, kt-1, … k2, k1 ) of the secret key k are stored in the firmware of the victim device
and loaded into the RAM of the victim device by algorithm 5.4 while it is being
executed in the RAM of the same device. The attacker has no direct access to the
secret key nor to its size. Only algorithm 5.4 can access it and deal with it as an
internal input. Along the way, the captured bits of k are stored in values (dt, dt-1, …
, d2, d1). The attack is based on the introduction of a significant error, using any
fault point X chosen by the attacker instead of P at some points in the point addition
process. To avoid legal discovery of this error, I correct it at line 3.4.
Algorithm 5.4 Fault Point Attack against Algorithm 2.8
Internal INPUT (loaded from firmware): k = (kt, kt-1,…, k1)2, t key size,
INPUT by user: The elliptic curve E, its field Fq, point P on E (Fq) and Fault
point X.
OUTPUT: k in binary form and v size of secret key.
1. W(0) O, R P.
COMMENT: Assign key size counter label e 1.
2. Use X as a fault point, e 1.
COMMENT: Inject error by using X instead of W(1) in addition operations.
3. For i from 1 up to t do
3.1 G W(0) +X.
3.2 If ki = 1 then
W(1) W(0) + X.
End If.
COMMENT: The loop stores the bits of k in order in the de.
91
3.3 If W(1) = G then
di 1.
Else
di 0.
End If.
COMMENT: Eliminate the error in W(1) by replacing fault value by a value
stored in R
3.4 W(1) R.
3.5 W(1) W(0) + W(1).
3.6 W(0) W(ki).
3.7 R 2R.
3.8 e e+1.
End While loop.
4. set v e-1.
5. k= (dt, dt-1, . . . , d2, d1).
Algorithm 5.4 is initialised by setting W(0) to the identity point O, R to the point P
and the key size counter e to 1. As in the previous attack, the idea is based on the
introduction of a significant error, using fault point X instead of P at some stages in
the point addition process. In each iteration of algorithm 5.4, the result of adding
W(0) to the introduced fault point X is stored in G. In the next step, the value of ki
is checked: if it is 1 then the result of adding W(0) to the introduced fault point X
is stored in W(1). At this stage, algorithm 5.4 compares W(1) with G; and if they
are equal, it deduces that the value of the secret key bit in this iteration is 1;
otherwise, it deduces that the value of the secret key bit is 0. In the next step, R is
stored in W(1). This operation erases the fault in W(1). After that, W(0) is added to
W(1) and stored in W(1) while W(ki) is stored in W(0). The value of R is now
doubled, and the counter size e is incremented by one. The iterations are continued
until the loop ends. As a result of this process, the estimated bits of k are stored in
d, and the final value of e-1 represents the bit-size v of k.
The attacks proposed in algorithms 5.3 and 5.4 can retrieve secret key information
even though the original algorithms 2.7 and 2.8 incorporate a countermeasure
against simple power and timing attacks [Cor 1999]. They can also retrieve the
secret if the countermeasure of a combined curve check, suggested in [BOS 2006],
92
is implemented; this is because I eliminate the errors as I run the algorithm (Step
3.5 in algorithm 5.3 and Step 3.4 in algorithm 5.4).
Example 4
See appendix B.4
5.5 Joye’s Algorithms
I now show how to attack Joye’s Add-always algorithm in both directions: Left-to-
Right and Right-to-Left.
Algorithm 2.9 in section 2.7.1.1 of chapter 2 shows the Joye-Yen ‘Left-to-Right’
version [JY 2002, Fig. 7], working from the most to least significant bits( I modify
this algorithm to provide the output Q=kP instead of gk ); while algorithm 2.10 in
section 2.7.1.1 of chapter 2 shows the ‘Right-to-Left’ version [Joy 2007, Alg. 3]
working in the opposite direction.
5.5.1 The Left-to-Right Joye-Yen Algorithm
The fault point attack against algorithm 2.9 involves a modification to the same
algorithm by adding some steps to change the internal operation and the output of
the algorithm. My objective in so doing is to recover each of the bits of secret key
k.
The internal inputs (loaded from the firmware) to algorithm 2.9 are the secret key
k = (kt, kt-1,…, k1)2 in binary form and size of the secret key t. The input by the user
to algorithm 2.9 is the known base point P, which belongs to the known curve E(Fq)
over the field GF(q). The output is the known point Q = k*P. Algorithm 2.9 uses
R(0) and R(1) to accumulate multiples of P, initialising R(0) to O and R(1) to P.
Then the algorithm enters a loop running from t to 1. In each iteration, R(0) is added
to R(1) and the result stored in R(¬ ki) while 2R(ki) is stored in R(ki). When the
loop ends the value in R(0) will be the desired result kP.
5.5.2 Fault Point Attack against Left-to-Right Joye-Yen Algorithm
On accessing the RAM of the victim device where algorithm 2.9 is loaded from the
EEPROM of the same device, I assume that the bits of k (kt-1,…, k1) are accessible
in order, from Left-to-Right. The proposed attack makes changes to produce
algorithms that capture the binary values of k and the attack approach is based on
93
ideas concerning the ‘safe error attack’ on elliptic curve cryptosystems described
above.
Algorithm 5.5 is a modification of algorithm 2.9. Therefore, I assume that the bits
(kt, kt-1, … k2, k1 ) of the secret key k are stored in the firmware of the victim device
and loaded into the RAM of the victim device by algorithm 5.5 while it is being
executed in the RAM of the same device. The attacker has no direct access to the
secret key nor to its size. Only algorithm 5.5 can access it and deal with it as an
internal input. Along the way, the captured bits of k are stored in values (dt, dt-1, …,
d2, d1). The attack is based on the introduction of a significant error, using any fault
point X chosen by the attacker instead of P at some points in the point addition
process. To avoid legal discovery of this error, I correct it at line 3.4.
Algorithm 5.5 is initialised by setting R(0) to the identity point O, R(1) to the point
P and the key size counter e to 1. In each iteration of algorithm 5.5, the result of
adding R(0) to the introduced fault point X is stored in G. In the next step, the value
of R(¬ ki) is stored in T. At this point, algorithm 5.5 compares R(¬ ki) with G; if
they are equal, it deduces that the value of the secret key bit in this iteration is 1, in
which case, the error in R(¬ki) is eliminated by replacing it with T. However, if
R(¬ki) is not equal to G, then the algorithm deduces that the value of the secret key
bit is 0 in this iteration.
In the subsequent step, R(0) is added to R(1) and stored in R(¬ ki), while R(ki) is
doubled. The key size counter e is incremented by one. The iterations are continued
until the loop ends. As a result of this process, the estimated bits of k are stored in
d, and the final value of e-1 represents the bit-size v of k.
Algorithm 5.5 Fault Point Attack against Algorithm 2.9
Internal INPUT (loaded from firmware): k = (1, kt-1,…, k1)2, t key size,
INPUT by user: The elliptic curve E, its field Fq, point P on E (Fq) and Fault
point X.
OUTPUT: k in binary form and v size of secret key.
1. R(0) O, R(1) P.
COMMENT: Assign key size counter label e 1.
2. Use X as a fault point. e 1.
COMMENT: Inject error by using X instead of P in addition operations.
94
3. For i from t down to 1 do
3.1 G R(0) +X.
3.2 T R(¬ ke).
3.3 If ki = 1 then
R(¬ ki) R(0) + X.
End If.
COMMENT: The loop stores the bits of k in order in the (t)-tuple d.
3.4 If R(¬ ki) = G then
{di 1.
COMMENT: Eliminate the error in R(¬ ke) by replacing fault value by a value
stored in T.
R(¬ ki) T.
Else
di 0.
End If.
3.5 R(¬ ki) R(0) + R(1).
3.6 R(ki) 2 R(ki).
3.7 e e+1.
End While loop.
4. Set v e-1.
5. k= (dt, dt-1, . . . , d2, d1).
Example 5
See appendix B.5
5.5.3 The Right-to-Left Joye Algorithm
The fault point attack against the Right-to-Left Joye algorithm 2.10 for scalar
multiplication involves a modification to same algorithm by adding some steps to
change the internal operation and the output of the algorithm. My objective, as
always, is to recover each of the bits of the secret key k.
The internal inputs (loaded from the firmware) to algorithm 2.10 are the secret key
k = (1, kt-1,…, k1)2 in binary form and size of the secret key t. The input by the user
to algorithm 2.10 is the known base point P, which belongs to the known curve
E(Fq) over the field GF(q). The output is kP. Algorithm 2.10 uses R(0) and R(1) to
95
accumulate multiples of P, initialising R(0) to O and R(1) to P. Then the algorithm
enters a loop running from 1 to t. Joye uses a dummy variable b to store ¬ ke. In
each iteration, R(b) is doubled and stored in R(b), and this is then added to R(kj)
with the result again stored in R(b). When the loop ends, the value in R(0) is kP.
5.5.4 Fault Point Attack against the Right-to-Left Joye Algorithm
On accessing the RAM of the victim device where algorithm 2.10 is loaded from
the EEPROM of the same device, I assume that the bits of k (kt, kt-1,…, k1) are
accessible in order, from Right-to-Left (least to most). The proposed attack makes
changes to produce algorithms that capture the binary values of k and the attack
approach is based on ideas concerning the ‘safe error attack’ on elliptic curve
cryptosystems described above.
Algorithm 5.6 is a modification of algorithm 2.10. Therefore, I assume that the bits
(kt, kt-1, … k2, k1 ) of the secret key k are stored in the firmware of the victim device
and loaded into the RAM of the victim device by algorithm 5.6 while it is being
been executed in the RAM of the same device. The attacker has no direct access to
the secret key nor to its size. Only algorithm 5.6 can access it and deal with it as an
internal input. Along the way, the captured bits of k are stored in values (dt, dt-1, …
d3, d2, d1). The attack is based on the introduction of a significant error, using any
fault point X chosen by the attacker instead of P at some points in the point addition
process. To avoid legal discovery of this error, I correct it at line 3.7
Algorithm 5.6 is initialised by setting R(0) to the identity point O, R(1) to the point
P and the key size counter e to 1. In each iteration of algorithm 5.6, the variable b
is set to 1- ki, the value of R(b) is doubled, the result of adding R(0) to the introduced
fault point X is stored in G, and the value of R(b) is stored in T.
In Step 3.5, the result of adding R(b) to the fault point X is stored in R(b). At this
point, algorithm 5.6 compares R(b) with G. If they are equal, it deduces that the
value of the secret key bit in this iteration is 1; otherwise algorithm 5.6 deduces that
the value of the secret key bit is 0. Step 3.7 eliminates the error in R(b) by replacing
it with T. Step 3.8 again replaces the value of R(b) with R(b) + R(ki). The key size
counter e is incremented by one. The iterations are continued until the loops ends.
As a result of this process, the estimated bits of k are stored in d, and the final value
of e-1 represents the bit-size v of k.
96
Algorithm 5.6 Fault Point Attack against Algorithm 2.10
Internal INPUT (loaded from firmware): k = (kt, kt-1,…, k1)2, t key size,
INPUT by user: The elliptic curve E, its field Fq, point P on E (Fq) and Fault
point X.
OUTPUT: k in binary form and v size of secret key.
1. R(0) O, R(1) P.
COMMENT: Assign pointer label e 1.
2. Use X as a fault point, e 1.
COMMENT: Inject error by using X instead of P in addition operations.
3. For i from 1 up to t do
3.1 b 1- ki.
3.2 R(b) 2 R(b).
3.3 G R(0) + X.
3.4 T R(b).
3.5 R(b) R(b)+ X .
COMMENT: The loop stores the bits of k in order in the de.
3.6 If R(b) = G then
di 1.
Else
di 0.
End If.
COMMENT: Eliminate the error in R(b) by replacing fault value by a value
stored in T.
3.7 R(b) T.
3.8 R(b) R(b) + R(ke).
3.9 e e+1.
End While loop.
4. set v e-1.
5. k= (dt, dt-1, . . . , d2, d1).
Example 6
See appendix B.6
97
5.6 Summary
This chapter showed a new fault point attack implemented on six different scalar
multiplications algorithms. The aim of this attack was to retrieve the secret key k
bits used in these algorithms to find the result of Q=kP. Fault point attack was based
on ideas concerning the ‘safe error attack’ on elliptic curve cryptosystems described
in [YJ 2000], in which the attacker injected a fault into the intermediate calculation
values of multiples of P, and from this, deduced a bit value of k. The attack was
simulated successfully by Maple 2017b on all six algorithms with low numbers and
big numbers (384 bits long digits).
98
Chapter Six Implementation of Proposed Attacks on RSA
and ECC by Arduino Mega2560 Hardware
Arduino Mega2560 hardware is an open hardware and software product used as an
experimental tool to support developers in different applications like IoT devices.
The Arduino Mega2560 acts as a mini laptop computer with restricted resources.
The implementation of attacks proposed in this thesis against RSA and ECC by
using Arduino Mega2560 demonstrates the possibility of applying my attacks to
recover secret keys from hardware devices with restricted resources. This chapter
is related to the thesis goals as it focuses on the implementation of attacks proposed
against RSA and ECC.
6.1 Introduction
In this chapter I implement ten attack algorithms proposed in chapters four and five
against RSA and ECC cryptosystems by using Arduino Mega2560 hardware. I
present in section 6.2 a full description of the implementation process of RSK attack
against protected Montgomery Ladder RSA Left-to-Right algorithm [Chap. 4,
section 4.4.1] which is one of the fault attacks proposed against RSA algorithms in
this thesis. Section 6.2 offers a detailed description of implementation procedures
which represent a model that is applied in all the other implementation examples of
fault attacks proposed in this thesis against RSA and ECC cryptography algorithms.
The aim of this chapter is to demonstrate the possibility of implementation of
attacks proposed in this thesis against RSA and ECC in devices with low and
restricted hardware resources. This chapter also includes a short comparison
between Maple and MATLAB concerning the implementation of attack algorithms
and the difficulty I face when implementing high numbers (3072 bits long digits)
for RSA and high numbers (384 bits long digits) for ECC with MATLAB software.
The rest of chapter six is organized as follows: Section 6.2 deals with hardware
implementation procedures of proposed RSK attack on RSA algorithm by using
Arduino Mega2560. Section 6.3 presents a comparison between Maple and
MATLAB. Finally, a summary of the chapter is given in section 6.4
99
6.2 Hardware Implementation of proposed RSK attack on RSA
Algorithm by using Arduino Mega2560
Implementation of my proposed RSK attack on RSA algorithm can be summarised
as follows:
6.2.1 Description of a general IoT device
An average device component of the IoT has an internal EEPROM and RAM and
uses a suitable cipher suite to authenticate data being exchanged with other devices
in the same information network through a handshake protocol.
6.2.2 Preparing the victim device
I assume that the victim device is an average device component of the IoT with
internal (readable and writable) EEPROM and RAM memories. In particular, it
should be equivalent to the Arduino Mega2560 model of the Arduino series devices,
which has an internal EEPROM of size 4 KB, making it suitable for implementing
my proposed attacks.
In preparing the victim device for the attack, I chose an Arduino Mega2560 and
provided its EEPROM with three algorithms: a handshake program, and RSA and
ECC algorithms as follows: handshake [CT 2014], Protected Montgomery Ladder
RSA Left-to-Right algorithm [Chap. 4, section 4.4.1] and The Right-to-Left Coron
ECC algorithm [chap. 5, section 5.4.3].
The handshake program is used to establish connection with other devices. It also
checks for cipher suite used for authenticating data and the compatibility of
cryptography algorithm used to secure data exchange between the two devices. The
RSA and ECC algorithms are used to secure data being exchanged. The handshake
program and the MATLAB script of the two algorithms of RSA and ECC inside
the internal EEPROM are shown in Figures 6.1, 6.2 and 6.3.
Program 1 Handshake Program
The device sends a TCP Synchronize packet to Destination,
The device sends the cryptography suite used
The device receives Destination's SYN-ACK, cryptography suite ACK
The device sends Acknowledge,
TCP socket connection is ESTABLISHED.
Figure 6.1 Handshake Program.
100
MATLAB Script of Protected Montgomery Ladder RSA Left-to-Right
Algorithm
Internal INPUT (loaded from firmware): Secret key d, Secret key size t.
INPUT by user: Modulus n, Message g.
a = arduino('COM5','Mega2560')
r=[1 g];
for i=1:t
if d(i)==1
b=1;
else
b=2;
end
if d(i)==1
u=2;
else
u=1;
end
r(b)=mod(r(b)*r(u),n)
r(u)=powermod(r(u),2,n)
end
r(1)
clear arduino
clearvars a;
Figure 6.2 RSA MATLAB Script.
MATLAB Script of Right-to- Left-to- Coron ECC Algorithm
Internal INPUT (loaded from Firmware): Secret key d, Secret key d size
t.
INPUT by user: Coefficients of ECC equation a4 and a5, prime p, Base
point P1.
a = arduino(‘COM5’,’Mega2560’)
W=[0 0;0 0]
W(1, :)=[inf,inf]
R=P1
101
for i=t:1
if d(i)==1
u=2;
else
u=1;
end
W(2,:)=R
W(2,:)=addell([W(1,1),W(1,2)],[W(2,1),W(2,2)],a4,a5,p);
W(1, :)=W(u,:)
R=multell([R(1),R(2)],2,a4,a5,p)
end
W(1, :)
clear arduino
clearvars a;
Figure 6.3 ECC MATLAB Script.
6.2.3 Generic plan to attack an IoT device
The generic plan to attack an IoT device is based on establishing a wired connection
between the computer of the attacker and the IoT device in the absence of the owner
of the device for a period of time. The attacker must have full access to the IoT
device, reads the internal EEPROM of the device and finds the cryptographic
algorithm he wants to target and loads it into the RAM of the same device. Finally,
the attacker modifies the target cryptographic algorithm according to his attack,
executes the modified algorithm inside the RAM of the same device and retrieves
the secret key.
I assume that I am an attacker. I enter a room in which an information network is
operating through various IoT devices. I also assume that the administrator of the
information network is out of room for a period of time. I choose one of the IoT
devices in the network, which is Arduino Mega2560 model of the Arduino series
devices, to be a victim device because it has an internal EEPROM of the size of 4
KB which is suitable for implementing my proposed attacks in the thesis. The
Manufacturing Company of Arduino provides an Arduino Desktop IDE which can
be used to program this hardware device. The Arduino Desktop IDE software is
based on C++ software environment. The Arduino hardware device is also
102
supported by MATLAB 2017b which offers a particular software package dealing
with this device. The MATLAB 2017b also provides built-in functions that
facilitate executing cryptography algorithms. The Arduino Mega2560 is
characterized by the following specifications: Microcontroller ATmega2560,
Flash Memory 256 KB of which 8 KB are used by the bootloader
(firmware), SRAM 8KB and EEPROM 4KB. Figure 6.4 shows the main
components of Arduino Mega2560 [Chu 2018].
Figure 6.4 the Main Components of Arduino Mega2560
I assume that the EEPROM in the victim device is both readable and writable such
as the EEPROM 24LC256 chip, and that a suite of cryptographic algorithms as well
as a hand-shake protocol are stored there. For example, as described in [Neto2018],
a suite of protocols such as those recommended by NIST [PMC 2014, Section 3.3]
could be loaded during its manufacturing process.
I assume that when a key is needed, it is generated on some secondary computing
device of the victim owner and securely (via hardware) stored in firmware on the
Arduino device to be called when the associated algorithm is run.
When running one of the cryptographic algorithms, it loads into RAM along with
the appropriate pre-set key; I suppose that the key is not refreshed each time the
103
algorithm is used but used for a time period covering several deployments of the
authentication.
Figure 6.5 shows the diagram of hardware implementation of a fault attack
proposed in this thesis against RSA cryptography algorithm stored in the internal
EEPROM of the victim device.
Figure 6.5 Block Diagram of the Plan of Attack.
The implementation procedures of proposed fault attacks can be summarized in the
following steps:
1. I establish a connection between my computer laptop with the victim device
through a USB wire. I use the standard EEPROM library included in the Arduino
Desktop IDE software to deal with internal EEPROM of the victim device. I use
the command EEPROM.read (address) to read a byte from EEPROM. I read 4096
bytes since the size of internal EEPROM inside the victim device is 4 kB. The
results of reading are printed in serial output console of the victim device as a stream
Victim Device
3. Execute
modified
RSA to
retrieve
key d with
two inputs
from
firmware
and
attacker
Input
modulus
n, fault X
and
message
g
Flash
memory
Attack
er
Input key d and its
size t t
SRAM EEPROM
Modifying
RSA
1. Reading
contents
of
EEPROM
2. Checking contents of EEPROM to
specify original RSA algorithm.
104
of characters. Figure 6.6 shows the screen shot of the first 26 locations of EEPROM
content. I use the sketch below to get all values stored in the internal EEPROM.
#include <EEPROM.h>
int addr = 0;
byte value;
void setup() {
// put your setup code here, to run once:
Serial.begin(9600);
// initialise serial and wait for the port to open:
while (!Serial) {
; // wait for serial port to connect. Needed for native USB port only
}
}
void loop() {
// put your main code here, to run repeatedly:
value = EEPROM.read(addr);
Serial.print(addr);
Serial.print("\t");
Serial.write(value);
Serial.println();
addr = addr + 1;
if (addr == EEPROM.length()) {
for(;;){}
}
delay(10);
105
}
Figure 6.6 Screen Shot of the First 26 Locations of EEPROM Content.
The result of the above operation is presented as symbols from the characters set of
ASCII codes instead of hexadecimal values because I used the command
Serial.write (value) to show the output in serial output console of the victim device.
The command Serial.write (value) prints the character equivalent to the
hexadecimal code of ASCII codes. Figure 6.6 shows only the first 26 locations of
4096 locations where the handshake program is stored.
106
2. I copy the results I get from step one and paste them it on a word document. I
read the stream of characters inside the word document and search for the keyword
powermod which indicates the location of RSA program.
3. Depending on my knowledge and experience I rebuild the MATLAB script of
RSA algorithm from the equivalent characters I get from step two for the whole
RSA algorithm and load it into the RAM of the victim device. The MATLAB script
will be as follows:
Internal INPUT: Secret key d, Secret key size t.
INPUT by user: Modulus n, Message g.
OUTPUT: y=gd mod n
a = arduino('COM5','Mega2560')
r=[1 g];
for i=1:t
if d(i)==1
b=1;
else
b=2;
end
if d(i)==1
u=2;
else
u=1;
end
r(b)=mod(r(b)*r(u),n)
r(u)=powermod(r(u),2,n)
end
107
y=r(1)
clear arduino
clearvars a;
The first step of the MATLAB script is internal input which loads the values of the
secret key d and its size t from firmware inside the flash memory of the victim
device into the RAM of the same device. This operation is executed by RSA
algorithm and I have no control over it. I can only input the modulus n and message
g inside the algorithm.
The MATLAB script considers the first value from left when dealing with For-
Loop. Therefore, the MATLAB script defines Left-to-Right in the For-Loop as “For
i=1:t ” where t represents the size of the secret key d. However, the For-Loop in
RSA algorithm from Left-to-Right is defined as “For i from t to 1 do”.
4. I modify the original MATLAB script I got from step three according to Figure
6.7 which represents the RSK attack algorithm against RSA algorithm.
RSK Attack Algorithm against RSA Algorithm
Internal INPUT: Secret key d, Secret key size t.
INPUT by attacker: Fault value X, Modulus n, Message g.
OUTPUT: k in binary form.
1. R(0) 1, R(1) g.
COMMENT: Inject error by using X instead of R(di) in multiplication
operations.
2. For i from t to 1 do
2.1 b ¬ di.
2.2 H R(b) *X (mod n).
2.3 S R(b) (mod n).
2.4 If di = 1 then
R(b) R(b) * X (mod n).
End IF.
COMMENT: The loops store the bits of d in order in the (t)-tuple d.
2.5 If R(b) = H then
ki 1.
108
COMMENT: Eliminate the error in R(b) by replacing the fault value by a
value stored in T
R(b) S.
Else
ki 0.
End If.
2.6 R(b) R(b)*R(di) (mod n).
2.7 R(di) R(di)2(mod n).
End for
3. d= (kt, kt-1, . . . , k3 , k2, k1).
Figure 6.7 RSK Attack Algorithm against RSA Algorithm
5. The final result of modifying the original RSA MATLAB script carried out in
step 4 will be:
Internal INPUT: Secret key d, Secret key size t.
INPUT by attacker: fault value X, modulus n, message g.
a = arduino('COM5','Mega2560')
r=[1 g];
Comment: The function sym() used to deal with high integers more than 64 bit.
k =sym ('k', [1 t])
for i=1:t
if d(i)==1
b=1;
else
b=2;
end
if d(i)==1
u=2;
else
u=1;
end
h=mod(r(b)*X,n);
s=r(b);
109
if d(i)== 1
r(b)=mod(r(b)*X,n)
end
if r(b)==h
k(i)=1
r(b)=s
else
k(i)=0
end
r(b)=mod(r(b)*r(u),n)
r(u)=powermod(r(u),2,n)
end
clear arduino
clearvars a;
I execute the modified algorithm in the RAM of the victim device, and the result I
get is the secret key value which is shown below.
The retrieved value of the secret key k will be [kt, kt-1 , . . , k2, k1]
6.2.4 Implementation Time of RSK Attack against RSA Program
The time required for the attack to be completed is 20.08 minutes. This time is
calculated for implementing the following steps:
1. Getting control of the victim device by connecting it to my computer and
preparing Arduino Desktop IDE software to be operated.
2. Reading all the contents of EEPROM of the victim device.
3. Checking the output of step 2 and specifying the location of RSA original
algorithm to be attacked. The time needed to carry out this step depends on the
experience of the attacker.
4. Running MATLAB 2017b and rebuilding the RSA original MATLAB script.
5. Modifying the result of step 4 according to the attack algorithm.
6. Getting the key by running the final modified MATLAB script according to the
attack algorithm.
110
More experienced attackers usually spend less implementation time.
The implementation is done with
Message g=124.
Modulus n=143.
Secret key d = 1 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1
Columns 17 through 32
1 0 0 0 1 0 1 1 1 0 0 0 0 0 1 1
Columns 33 through 35
1 1 1.
Size of key t=35.
Fault value X=66.
Appendix C provides ten implementation examples which demonstrate how the
attacks proposed by this thesis can be implemented on RSA and ECC cryptography
algorithms by using Arduino Mega2560.
6.3 Maple and MATLAB: A Comparison
In chapters four and five, I have used Maple 2017 as a software platform in
implementation of attack algorithms which I proposed against RSA and ECC
cryptosystems. In this chapter, I have chosen MATLAB 2017b [MATLAB 2017]
as a software platform to implement all attacks proposed against RSA and ECC by
using Arduino mega2560. Now, I want to point out some significant similarities
and differences, which I have noticed, between Maple and MATLAB in the
implementation of cryptography algorithms.
Firstly, Maple is similar to MATLAB as each of the two software platforms has a
special cryptography package containing built-in functions to simplify applying
cryptography algorithms.
Secondly, Maple can deal with high numbers like (3072 bits long digits) in RSA
and (384 bits long digits) in case of ECC directly. However, MATLAB converts
the same high numbers mentioned above in floating point’s representation which is
not defined for cryptography package. I have solved this problem by using sym
111
function which converts high numbers from floating point’s representation into
special high numbers. The sym function represents one of the functions define in
the symbolic toolbar of MATLAB.
Finally, Maple uses fast modular exponentiation to deal with high numbers
mentioned above for RSA and ECC when dealing with modular inverse functions.
However, MATLAB lacks fast modular exponentiation to deal with high numbers.
Therefore, MATLAB gives an error when using high numbers with modular
inverse.
In spite of all the restriction of MATLAB, I have succeeded to factorize RSA
modulus and retrieve the secret key in RSA with high numbers (3072 bits long
digits). I have also succeeded to retrieve the secret keys d in all six attack
algorithms proposed against ECC with high numbers (384 bits long digits).
Example
In this example I demonstrate how MATLAB and MAPLE deal with high numbers.
I will use the result of x=2100 as an example to show the difference between
MATLAB and Maple when dealing with result x.
In Maple
x := 2100;
x := 1267650600228229401496703205376
In MATLAB
x=2100
x =1.2677e+30
By using sym() function
>> x=sym(x)
x =
1267650600228229401496703205376
6.4 Summary
In this chapter, I described the implementation of all the attacks proposed in this
thesis against RSA and ECC by using Arduino Mega2560 as a hardware platform
and MATLAB 2017b as a software platform. The aim of demonstrating the
112
implementation process was to prove the possibility of applying my proposed
attacks on a restricted hardware device like Arduino Mega2560 which represents
an example of IoT devices. The implementation is conducted successfully with
small numbers (two to three digits), high numbers (3072 bits long digits) in RSA
and (384 bits long digits) in case of ECC. Furthermore, I made a short comparison
between MAPLE and MATLAB software concerning implementing cryptography
algorithms. I also explained the difficulty I had faced when using MATLAB in my
implementation and then I offered some solutions to the problems I had faced in
my work.
113
Chapter Seven Summary, Conclusion & Future work
In this chapter, I present an overall summary of my research work. The chapter also
includes the main findings and conclusions that may be derived from this research
work. Finally, I offer my suggestions for future work.
7.1 Summary
This research work may be summarized as follows:
1. I built a programming platform to implement two public key systems (RSA and
Elliptic Curve) by using Maple 2017. I used this software platform to analyse the
procedures of these cryptographic systems.
2. I have studied and analysed attacks against RSA and Elliptic Curve by reviewing
previous related work. I have developed different scenarios of attacks for different
protocols i.e. ECDH, encryption or signature. The attacks proposed in this thesis
only target the modular exponential and scalar multiplication.
3. I reviewed existing literature on EEPROM hardware devices. However, my
proposed attacks are based on idea of attacking software used to program EEPROM
and trying to change EEPROM content in a way that simplifies the detection of the
secret key value. My review of EEPROM devices supported the idea of my
proposed attacks and helped me to achieve my goal. Therefore, I included a whole
chapter to my thesis under the name of ‘EEPROM Environment’.
4. I proposed two new fault attacks on RSA cryptosystems. The first one was the
fault factorizing attack (FF) which factorized the RSA modulus by applying a fault
attack on the two RSA-CRT Signature Garner’s algorithms. The first algorithm was
protected by modified Shamir’s countermeasure and the second one was protected
by simplified Vigilant’s countermeasure. It can be clearly noted that the proposed
FF attacks induce a fault into the computation of i_q. I also proposed a retrieve
secret key (RSK) attack which was able to retrieve the secret key d by applying a
fault attack on both protected Montgomery Ladder RSA versions: “Left-to-Right
and Right-to-Left” algorithms. I implemented the two attacks FF and RSK by using
Intel (R) Core (TM) i7-4500 CPU 2.4 GHZ with 8 GB RAM as a hardware platform
and Windows 7 as the operating system. Maple 2017 was chosen as the software
platform as it contains a cryptography package designed for cryptographic
arithmetic operations.
114
5. I proposed a fault point attack on six scalar multiplications algorithms of ECC
which are both versions “Left-to-Right and Right-to-Left” of Montgomery, Coron
and Joye algorithms. I also made a comparison between General Weierstrass and
Montgomery Elliptic Curves equations. I used the General Weierstrass Elliptic
Curves equations because they compute the two coordinates x and y of the point in
the same step. I implemented the fault point attack on six ECC algorithms by using
Intel (R) Core (TM) i7-4500 CPU 2.4 GHZ with 8 GB RAM as a hardware platform
and Windows 7 as the operating system. I selected Maple 2017 as a software
platform because it contains a cryptography package designed for cryptographic
computation operations.
6. I complemented the implementation of all attack algorithms against RSA and
ECC by using Arduino Mega2560 hardware. The number of attack algorithms
which had been implemented were ten: four against RSA algorithms and six against
Elliptic Curve Cryptosystem (ECC) algorithms.
The Arduino Mega2560 is characterized by the following specifications:
Microcontroller ATmega2560, Flash Memory 256 KB of which 8 KB are
used by the bootloader (firmware), SRAM 8KB and EEPROM 4KB. The
software platform used in the implementation was MATLAB 2017b. I faced some
problems in programming these attack algorithms by using MATLAB 2017b,
especially when I used high numbers: (3072 bits long digits) for RSA and (384 bits
long digits) for ECC. However, I was able to solve these problems and I managed
to complete implementation of attack algorithms with high numbers for all ten
attack algorithms.
7.2 Conclusion
My research work has revealed certain facts and conclusions that can be specified
as follows:
1. A fault attack can be implemented on hardware devices not only by targeting
their hardware components but, also by attacking the software used to program and
update these hardware devices.
115
2. Use of devices with readable/writable/ EEPROM should be avoided in the IoT
in order to circumvent attacks such as mine.
3. The PUF security techniques which are used to generate secret key in real time
cannot prevent the proposed attacks in this thesis. The proposed attacks in this thesis
change algorithms stored in EEPROM and retrieve secret keys during algorithms
operations in real time instead of retrieving keys generated previously and stored in
EEPROM memory.
4. The attacks proposed in this research work can be implemented on a device with
limited resources such as a Arduino Mega2560 hardware device. These attacks can
retrieve the secret key for ECC with key size 384 bits long digits and factorize
modulus n and also retrieve the secret key for RSA with key size 3072 bits long
digits. The key sizes recommended for the year 2018 are 384 bits long digits for
ECC and 3072 bits long digits for RSA according to BlueKrypt web site. Bluekrypt
website [Gir 2017] is a site which gives recommendations for key size according to
the requirements of different security institutes all over the world.
5. Maple software provides more powerful functions to deal with high numbers like
3072 bits long digits than MATLAB. Therefore, it is more suitable to use Maple
instead of MATLAB when implementing cryptography algorithms.
7.3 Future work
In this section I will offer few suggestions for future work which can be summarized
as follows:
1. Extending the Implementation of the attacks proposed in this research work to
other cryptosystems which are used to secure IoT devices including lightweight
cryptography algorithms.
2. This thesis deals with hardware implementation of proposed FF, RSK and fault
point attacks against RSA and ECC cryptography algorithms in case of direct access
(wired connection between attacker computer and victim device) and leaves
indirect access (wireless connection) as future work. The attacker can target a
victim device even if he has no direct access to it. He can establish a connection
with the victim device remotely. The Bluetooth and NFC techniques can provide
116
the attacker with the opportunity to get control over a hardware device without
being observed by the device owner.
3. The attacks proposed in this thesis target (modular exponentiation in the case for
RSA) or (scalar multiplication in the case of ECC). An approach which combines
the two techniques in dealing with both algorithms, i.e. RSA and ECC, can be
considered for a future work. The two algorithms typically perform both kinds of
computations, i.e. modular exponentiation and scalar multiplication.
4. This thesis offers some ideas for empowering and upgrading the countermeasures
resistance to fault attacks proposed in this thesis. These ideas deal with two aspects
of protection. The first one concerns the physical access of an attacker to the victim
hardware device which can be prevented by protecting these hardware devices from
unauthorized, direct access (wired connection). Furthermore, owners of hardware
device are advised to disable any facility of remote connection via Bluetooth or near
field communication (NFC) technology and enable these facilities only when they
need them for an authorized information transfer (wireless connection). The second
aspect is related to the software used to program and update hardware devices. This
software must be obtained from a known source and which has the authority to
perform program or update processes. This may prevent any malware software or
unknown source software to make any modifications on the hardware content.
5. Modifying the attack algorithms proposed in this thesis to overcome any
countermeasures proposed against them in future.
6. I plan to include the implementation of fault point attack against Edwards’s
curves in a future work.
7. In the near future, I plan to submit a selection of results of this thesis to a
respected journal in the field.
117
References
[AA 2016] Agarwal, R, & Agarwal, G 2016,’ An Efficient Method of Generating
Random Numbers from Congruence Equations for Cryptographic Applications’,
International Journal of Science, Engineering and Computer Technology, vol. 6,
no.7, pp. 290.
[ABFHS 2002] Aumüller C, Bier P, Fischer W, Hofreiter P, Seifert J, P 2002,’
Fault Attacks on RSA with CRT: Concrete Results and Practical
Countermeasures’, in B S Kaliski, K Koç, & C Paar (eds), Proceedings of
Cryptographic Hardware and Embedded Systems - CHES 2002, CHES 2002,
Springer, Berlin, Heidelberg, pp. 260-275.
[ABFJLM 2018] Ambrose, C, Bos, JW, Fay, B, Joye, M, Lochter, M & Murray, B
2018, 'Differential attacks on deterministic signatures', in Cryptographers’ Track
at the RSA Conference, pp. 339-53.
[ABKA 2017] Abdullah, K, Bakar, SA, Kamis, NH & Aliamis, H 2017, 'RSA
cryptosystem with fuzzy set theory for encryption and decryption', AIP Conference
Proceedings, vol. 1905, no. 1, p. 030001.
[AD 2008] Aziza, H & Delsuc, B 2008, ‘Device and memory array models for flash
EEPROM technology’, Journal of WSEAS transactions on circuits and systems,
vol. 7, no.4, pp. 249-258.
[AK 1996] Anderson, R & Kuhn, M 1996, ‘Tamper resistance-a cautionary note’,
Proceedings of the second Usenix workshop on electronic commerce, pp. 1-11.
[AK 1997] Anderson, R & Kuhn, M 1997, ‘Low cost attacks on tamper resistant
devices’, in B Christianson, B Crispo, M Lomas & M Roe (eds), Proceedings of
International Workshop on Security Protocols 1997, Springer, BerGlin,
Heidelberg, pp.125-136.
[AMQP 2012] Standard, O.A.S.I.S., 2012. Oasis advanced message queuing
protocol (amqp) version 1.0, retrieved 17 November 2017, < http://docs.oasis-
open.org/amqp/core/v1.0/os/amqp-core-complete-v1.0-os.pdf.
118
[ANSI 2010] ANSI X9.63, “Public key cryptography for the financial services
industry: Key agreement and key transport using elliptic curve cryptography,”
Tech. Rep., 2011.
[ARC 2018] Ammar, M, Russello, G & Crispo, B 2018, ‘Internet of Things: A
survey on the security of IoT frameworks’, Journal of Information Security and
Applications, vol. 38, pp.8-27.
[Ard 2018] Arduino Company 2018, EEPROM Read, Arduino Company, retrieved
25 March 2018, < https://www.arduino.cc/en/Tutorial/EEPROMRead>.
[AT 2018] Audrey, L & Tisserand, A 2018, 'Microcontroller Implementation of
Simultaneous Protections Against Observation and Perturbation Attacks for ECC',
in SECRYPT: 15th International Joint Conference on e-Business and
Telecommunications.
[AVFM 2007] Amiel, F, Villegas, K, Feix, B & Marcel, L 2007, ‘passive and active
combined attacks: Combining fault attacks and side channel analysis’, Proceedings
of Fault Diagnosis and Tolerance in Cryptography, FDTC 2007, pp. 92-102.
[Bat 2013] Batten, L M 2013, Public key cryptography: applications and attacks,
John Wiley & Sons, New Jersey, U.S.A.
[BBPP 2009] Barenghi, A, Bertoni, G, Parrinello, E & Pelosi, G 2009, ‘Low
Voltage Fault Attacks on the RSA Cryptosystem’, Proceedings of 2009 Workshop
on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 23-31, IEEE.
[BBPS 2011] Barenghi, A, Bertoni, G, Palomba, A & Susella, R 2011, ‘A novel
fault attack against ECDSA’, Proceedings of 2011 IEEE International Symposium
on Hardware-Oriented Security and Trust, pp. 161-6, IEEE.
[BCCC 2006] Brier, E, Chevallier-Mames, B, Ciet, M & Clavier, C 2006, ‘Why
one should also secure RSA public key elements’, in L Goubin & M Matsui (eds),
Proceedings of Cryptographic Hardware and Embedded Systems - CHES 2006.
CHES 2006. Springer, Berlin, Heidelberg, pp. 324-338.
[BCDG 2009] Berzati, A, Canovas, C, Dumas, J-G & Goubin, L 2009, ‘Fault
attacks on RSA public keys: Left-to-right implementations are also vulnerable’,
119
in M Fischlin (eds), Proceedings of Topics in Cryptology – CT-RSA 2009, CT-
RSA 2009, Springer, Berlin, Heidelberg, pp. 414-28.
[BCG 2008] Berzati, A, Canovas, C & Goubin, L 2008, ‘In(security) Against Fault
Injection Attacks for CRT-RSA Implementations’, Proceedings of 2008 5th
Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 101-7, IEEE.
[BCG 2010] Berzati, A, Canovas-Dumas, C & Goubin, L 2010, ‘Public key
perturbation of randomized RSA implementations’, in S Mangard & FX Standaert
(eds), Proceedings of Cryptographic Hardware and Embedded Systems, CHES
2010. CHES 2010, Springer, Berlin, Heidelberg, pp. 306-319.
[BCS 2012] Bormann, C, Castellani, AP & Shelby, Z 2012, ‘CoAP: An Application
Protocol for Billions of Tiny Internet Nodes’, IEEE Internet Computing, vol. 16,
no. 2, pp. 62-7, IEEE.
[BD 2017] Berlin, K & Dhenakaran, S 2017, ‘An Overview of Cryptanalysis of
RSA Public key System’, International Journal of Engineering and Technology
(IJET), vol. 9, no.5, pp. 3575-3579.
[BDL 1997] Boneh, D, DeMillo, RA & Lipton, RJ 1997, ‘On the importance of
checking cryptographic protocols for faults’, in W Fumy (eds), Proceedings of
Advances in Cryptology — EUROCRYPT ’97, EUROCRYPT 1997, Springer,
Berlin, Heidelberg, pp. 37-51.
[BDLSY 2011] Bernstein, DJ, Duif, N, Lange, T, Schwabe, P & Yang, B-Y 2011,
‘High-speed high-security signatures’, in B Preneel & T Takagi (eds),
Proceedings of Cryptographic Hardware and Embedded Systems – CHES 2011,
CHES 2011, Springer, Berlin, Heidelberg, pp. 124-42.
[Ben 2017] Beningo, J 2017, ‘HAL Design for EEPROM and Memory Devices’,
in Reusable Firmware Development, Springer, Apress, Berkeley, CA, pp. 219-41.
[BFM 2017] Buttigieg, R, Farrugia, M & Meli, C 2017, ‘Security Issues in
Controller Area Networks in Automobiles’, arXiv preprint arXiv:1711.05824.
[BFMMT 2016] Belgarric, P, Fouque, P-A, Macario-Rat, G & Tibouchi, M 2016,
'Side-channel analysis of Weierstrass and Koblitz curve ECDSA on Android
smartphones', in Cryptographers’ Track at the RSA Conference, pp. 236-52.
120
[BGV 2011] Balasch, J, Gierlichs, B & Verbauwhede, I 2011, ‘An In-depth and
Black-box Characterization of the Effects of Clock Glitches on 8-bit MCUs’,
Proceedings of 2011 Workshop on Fault Diagnosis and Tolerance in
Cryptography, pp. 105-14, IEEE.
[BJ 2002] Brier, E & Joye, M 2002, ‘Weierstraß elliptic curves and side-channel
attacks’, in D Naccache & P Paillier (eds), Proceedings of Public Key
Cryptography. PKC 2002, Springer, Berlin, Heidelberg, pp. 335-345.
[BKS 2015] Bindal, A, Kumar, A & Sharma, KK 2015,’Modeling a Floating Gate
EEPROM Device using Finite Element Analysis’, Proceedings of IJCA
Proceedings on National Conference on Advancements in Alternate Energy
Resources for Rural Applications AERA 2015, no. 2, pp. 1-3.
[BL 2008] Barnett, RE & Liu, J 2008, ‘An EEPROM Programming Controller for
Passive UHF RFID Transponders With Gated Clock Regulation Loop and Current
Surge Control’, IEEE Journal of Solid-State Circuits, vol. 43, no. 8, pp. 1808-15,
IEEE.
[BM 2017] Bhattacharya, S & Mukhopadhyay, D 2017, ‘Formal fault analysis of
branch predictors: attacking countermeasures of asymmetric key ciphers’, Journal
of Cryptographic Engineering, vol. 7, no.4, pp. 299-310.
[BM 2018] Bashir, A & Mir, A H 2018,’ Internet of Things Security Issues, Threats,
Attacks and Counter Measures’, International Journal of Computing and Digital
Systems, vol. 7, no. 2, pp. 1-10.
[BMM 2000] Biehl, I, Meyer, B & Müller, V 2000, ‘Differential fault attacks on
elliptic curve cryptosystems’, in M Bellare (eds), Proceedings of Advances in
Cryptology — CRYPTO 2000, CRYPTO 2000, Springer, Berlin, Heidelberg, pp.
131-146.
[BNNT 2011] Brier, É, Naccache, D, Nguyen, PQ & Tibouchi, M 2011, ‘Modulus
fault attacks against RSA–CRT signatures’, Journal of Cryptographic Engineering,
vol. 1, no. 3, p. 243.
121
[BNP 2007] Boscher, A, Naciri, R & Prouff, E 2007, ‘CRT RSA algorithm
protected against fault attacks’, in D Sauveron, K Markantonakis A Bilas & JJ
Quisquater (eds), Proceedings of Information Security Theory and Practices.
S,mart Cards, Mobile and Ubiquitous Computing Systems , WISTP 2007,
Springer, Berlin, Heidelberg, pp. 229-243.
[BOS 2006] Blömer, J, Otto, M & Seifert, J-P 2006, ‘Sign change fault attacks on
elliptic curve cryptosystems’, in L Breveglieri, I Koren, D Naccache & JP Seifert
(eds), Proceedings of Fault Diagnosis and Tolerance in Cryptography,
Springer, Berlin, Heidelberg, pp. 36-52.
[BRMM 2016] Badenhop, CW, Ramsey, BW, Mullins, BE & Mailloux, LO 2016,
‘Extraction and analysis of non-volatile memory of the ZW0301 module, a Z-Wave
transceiver’, Digital Investigation, vol. 17, pp. 14-27.
[BSS 1999] Blake, I, Seroussi, G & Smart, N 1999, Elliptic curves in cryptography,
vol. 265, Cambridge university press.
[BT 2015] Bigou, K & Tisserand, A 2015, 'Single base modular multiplication for
efficient hardware RNS implementations of ECC', in International Workshop on
Cryptographic Hardware and Embedded Systems, pp. 123-40.
[CC 2015] Chung, CP & Chang-Liao, KS 2015, ‘A Highly Scalable Single Poly-
Silicon Embedded Electrically Erasable Programmable Read Only Memory With
Tungsten Control Gate by Full CMOS Process’, IEEE Electron Device Letters, vol.
36, no. 4, pp. 336-338, IEEE.
[CGMPV 2010] Coron, JS, Giraud, C, Morin, N, Piret, G & Vigilant, D 2010, ‘Fault
Attacks and Countermeasures on Vigilant's RSA-CRT Algorithm’, Proceedings of
2010 Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 89-96,
IEEE.
[Che 2017] Chen, C 2017, ‘FPGA IMPLEMENTATION FOR ELLIPTIC CURVE
CRYPTOGRAPHY OVER BINARY EXTENSION FIELD’, M A Sc, University
of Windsor, retrieved 10 December 2017, Electronic Theses and Dissertations.
[Chu 2018] Chuan, C H 2018, ‘Getting Started with Arduino’, Nanyang
Technological University (NTU Singapore), retrieved 3 May 2018,
<https://www.ntu.edu.sg/home/ehchua/programming/arduino/Arduino.html>.
122
[CJ 2001] Clavier, C & Joye, M 2001, ‘Universal Exponentiation Algorithm A First
Step towards Provable SPA-Resistance’, in ÇK Koç, D Naccache & C Paar (eds),
Proceedings of Cryptographic Hardware and Embedded Systems — CHES 2001,
Springer, Berlin, Heidelberg, pp. 300-308.
[CJ 2005a] Ciet, M & Joye, M 2005, ‘Practical fault countermeasures for chinese
remaindering based RSA’, Proceedings of Workshop on Fault Diagnosis and
Tolerance in Cryptography–FDTC, pp. 124-32.
[CJ 2005b] Ciet, M & Joye, M 2005, ‘Elliptic Curve Cryptosystems in the Presence
of Permanent and Transient Faults’, Designs, Codes and Cryptography, vol. 36, no.
1, pp. 33-43.
[CJRR 1999] Chari, S, Jutla, CS, Rao, JR & Rohatgi, P 1999, ‘Towards Sound
Approaches to Counteract Power-Analysis Attacks’, in M Wiener (ed.),
Proceedings of Advances in Cryptology — CRYPTO’ 99, Springer, Berlin,
Heidelberg, pp. 398-412.
[CMAMS 2009] Compagnoni, CM, Mauri, A, Amoroso, SM, Maconi, A &
Spinelli, AS 2009, ‘Physical Modeling for Programming of TANOS Memories in
the Fowler-Nordheim Regime’, IEEE Transactions on Electron Devices, vol. 56,
no. 9, pp. 2008-2015, IEEE.
[CMW 2014] Clavier, C, Marion, D & Wurcker, A 2014, 'Simple power analysis
on AES key expansion revisited', in International Workshop on Cryptographic
Hardware and Embedded Systems, pp. 279-97.
[Cor 1999] Coron, J-S 1999, ‘Resistance Against Differential Power Analysis For
Elliptic Curve Cryptosystems’, in ÇK Koç & C Paar (eds), Proceedings of
Cryptographic Hardware and Embedded Systems, Springer, Berlin, Heidelberg, pp.
292-302.
[CS 2017] Costello, C & Smith, B 2017, ‘Montgomery curves and their arithmetic:
The case of large characteristic fields’, IACR Cryptology ePrint Archive, vol. 2017,
p. 212.
[CT 2014] Chen, Y-C & Towsley, D 2014, “On bufferbloat and delay analysis of
multipath TCP in wireless networks”, proceeding in Networking Conference, 2014
IFIP, pp. 1-9.
123
[DGMNR 2017] Dugardin, M, Guilley, S, Moreau, M, Najm, Z & Rauzy, P 2017,
‘Using modular extension to provably protect Edwards curves against fault attacks’,
Journal of Cryptographic Engineering, vol. 7, no. 4, pp. 321-330.
[DGRS 2009] Dottax, E, Giraud, C, Rivain, M & Sierra, Y 2009, ‘On Second-Order
Fault Analysis Resistance for CRT-RSA Implementations’, in O Markowitch, A
Bilas, J-H Hoepman, CJ Mitchell & J-J Quisquater (eds), Proceedings of
Information Security Theory and Practice. Smart Devices, Pervasive Systems, and
Ubiquitous Networks, Springer, Berlin, Heidelberg, pp. 68-83.
[DHB 2016] Dubeuf, J, Hely, D & Beroulle, V 2016, ‘ECDSA Passive Attacks,
Leakage Sources, and Common Design Mistakes’, ACM Trans,Des. Autom,
Electron, Syst, vol. 21, no. 2, pp. 1-24.
[DLDJLTZ 2012] Du, Y, Li, X, Dai, L, Jing, X, Li, Z, Tang, H & Zhuang, Y 2012,
‘A new type of low power read circuit in EEPROM for UHF RFID’,
Microelectronics Journal, vol. 43, no. 6, pp. 364-369.
[DRSFLN 2009] Di Bartolomeo, A, Rücker, H, Schley, P, Fox, A, Lischke, S &
Na, K-Y 2009, ‘A single-poly EEPROM cell for embedded memory applications’,
Solid-State Electronics, vol. 53, no. 6, pp. 644-8.
[DXFM 2006] Dong-Sheng, L, Xue-Cheng, Z, Fan, Z & Min, D 2006,’ Embeded
EEPROM Memory Achieving Lower Power - New design of EEPROM memory
for RFID tag IC’, IEEE Circuits and Devices Magazine, vol. 22, no. 6, pp. 53-59,
IEEE.
[Eva 2011] Evans, D 2011, ‘The internet of things: How the next evolution of the
internet is changing everything’, CISCO white paper, vol. 1, no. 2011, pp. 1-11.
[FGLTZ 2013] Fouque, P-A, Guillermin, N, Leresteux, D, Tibouchi, M &
Zapalowicz, J-C 2013, 'Attacking RSA–CRT signatures with faults on Montgomery
multiplication', Journal of Cryptographic Engineering, vol. 3, no. 1, pp. 59-72
[FK 2012] Fournaris, AP & Koufopavlou, O 2012, ‘CRT RSA Hardware
Architecture with Fault and Simple Power Attack Countermeasures’, Proceedings
of 2012 15th Euromicro Conference on Digital System Design, pp. 661-667, IEEE.
124
[FLRV 2008] Fouque, PA, Lercier, R, Réal, D & Valette, F 2008, ‘Fault Attack on
Elliptic Curve Montgomery Ladder Implementation’, Proceedings of 2008 5th
Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 92-98, IEEE.
[FPBS 2016] Fournaris, AP, Papachristodoulou, L, Batina, L & Sklavos, N 2016,
‘Residue Number System as a side channel and fault injection attack
countermeasure in elliptic curve cryptography’, Proceedings of 2016 International
Conference on Design and Technology of Integrated Systems in Nanoscale Era
(DTIS), pp. 1-4, IEEE.
[FRV 2014] Feix, B, Roussellet, M & Venelli, A 2014, ‘Side-Channel
Analysis on Blinded Regular Scalar Multiplications', in W Meier & D
Mukhopadhyay (eds), Proceedings of Progress in Cryptology -- INDOCRYPT
2014, Cham, pp. 3-20.
[FS 2015] Fournaris, A & Sklavos, N 2015,‘Public key cryptographic
primitive design and protection against fault and power analysis attacks',
Proceedings of DATE 2015 conference Workshop on trustworthy
manufacturing and utilization of secure devices, pp. 1-4.
[FV 2003] Fouque, P-A & Valette, F 2003, 'The Doubling Attack – Why Upwards
Is Better than Downwards’, in CD Walter, ÇK Koç & C Paar (eds), Proceedings of
Cryptographic Hardware and Embedded Systems - CHES 2003, Springer, Berlin,
Heidelberg, pp. 269-80.
[FV 2006] Fumaroli, G & Vigilant, D 2006, ‘Blinded Fault Resistant
Exponentiation’, in L Breveglieri, I Koren, D Naccache & J-P Seifert (eds),
Proceedings of Fault Diagnosis and Tolerance in Cryptography, Springer, Berlin,
Heidelberg, pp. 62-70.
[FV 2012] Fan, J & Verbauwhede, I 2012, ‘An Updated Survey on Secure ECC
Implementations: Attacks, Countermeasures and Cost’, in D Naccache (ed.),
Proceedings of Cryptography and Security: From Theory to Applications: Essays
Dedicated to Jean-Jacques Quisquater on the Occasion of His 65th Birthday,
Springer, Berlin, Heidelberg, pp. 265-282.
125
[GG 2015] Galbraith, SD & Gaudry, P 2016, ‘Recent progress on the elliptic curve
discrete logarithm problem’, Designs, Codes and Cryptography, vol. 78, no. 1, pp.
51-72.
[GG 2016] Galbraith, S D & Gaudry, P 2016, ‘Recent progress on the elliptic curve
discrete logarithm problem’, Designs, Codes and Cryptography, vol. 78 no. 1,
pp.51-72.
[Gir 2006] Giraud, C 2006, ‘An RSA Implementation Resistant to Fault Attacks
and to Simple Power Analysis’, IEEE Transactions on Computers, vol. 55, no. 9,
pp. 1116-1120, IEEE.
[Gir 2017] Giry, D 2017, cryptographic key Length Recommendation, BlueKrypt,
retrieved 10 September 2017, < https://www.keylength.com/>.
[GJMRV 2011] Goundar, RR, Joye, M, Miyaji, A, Rivain, M & Venelli, A 2011,
‘Scalar multiplication on Weierstraß elliptic curves from Co-Z arithmetic’, Journal
of Cryptographic Engineering, vol. 1, no. 2, p. 161.
[Gut 1996] Gutmann, P 1996, ‘Secure deletion of data from magnetic and solid-
state memory’, Proceedings of the Sixth USENIX Security Symposium, San Jose,
CA, vol. 14, pp. 77-89.
[Ham 2015] Hamburg, M 2015, ‘Decaf: Eliminating Cofactors Through Point
Compression’, in R Gennaro & M Robshaw (eds), Proceedings of Advances in
Cryptology -- CRYPTO 2015, Springer, Berlin, Heidelberg, pp. 705-723.
[He 2013] He, Y 2013, ‘Highly secure cryptographic computations against side-
channel attacks’, M A Sc, University of Windsor, retrieved 12 December
2017, Electronic Theses and Dissertations.
[HM 2009] Hogenboom, J & Mostowski, W 2009, ‘Full memory read attack on a
java card’, Proceedings of 4th Benelux Workshop on Information and System
Security Proceedings (WISSEC’09).
[HS 2001] Howgrave-Graham, NA & Smart, NP 2001, ‘Lattice attacks on digital
signature schemes’, Designs, Codes and Cryptography, vol. 23, no. 3, pp. 283-290.
126
[Hua 2017] Huang, Y 2017, ‘Efficient scalar multiplication against side channel
attacks using new number representation’, M A Sc, University of Windsor,
retrieved 12 December 2017, Electronic Theses and Dissertations.
[IEEE 802 2011] IEEE 802 Working Group 2011, ‘IEEE Standard for Local and
Metropolitan Area Networks—Part 15.4: Low-Rate Wireless Personal Area
Networks (LR-WPANs)', IEEE Std, vol. 802, pp. 4-2011, IEEE.
[IMT 2002] Izu, T, Möller, B & Takagi, T 2002, ‘Improved Elliptic Curve
Multiplication Methods Resistant against Side Channel Attacks’, in A Menezes &
P Sarkar (eds), Proceedings of Progress in Cryptology — INDOCRYPT 2002,
Springer, Berlin, Heidelberg, pp. 296-313.
[ISA 2009] ISA, I 2009, ‘100.11 a-2009: Wireless systems for industrial
automation: Process control and related applications’, International Society of
Automation: Research Triangle Park, NC, USA.
[IT 2002] Izu, T & Takagi, T 2002, ‘A Fast Parallel Elliptic Curve Multiplication
Resistant against Side Channel Attacks’, in D Naccache & P Paillier (eds),
Proceedings of Public Key Cryptography, Springer, Berlin, Heidelberg, pp. 280-
296.
[JLQ 1999] Joye, M, Lenstra, AK & Quisquater, J-J 1999, ‘Chinese remaindering
based cryptosystems in the presence of faults’, Journal of cryptology, vol. 12, no.
4, pp. 241-245.
[Joy 2007] Joye, M 2007, ‘Highly Regular Right-to-Left Algorithms for Scalar
Multiplication’, in P Paillier & I Verbauwhede (eds), Proceedings of
Cryptographic Hardware and Embedded Systems - CHES 2007, Springer, Berlin,
Heidelberg, pp. 135-147.
[Joy 2009a] Joye, M 2009, ‘Highly Regular m-Ary Powering Ladders’, Selected
Areas in Cryptography: 16th Annual International Workshop, Proceedings of SAC
2009, Revised Selected Papers, Springer-Verlag, Berlin, Heidelberg, pp. 135-147.
[Joy 2009b] Joye, M 2009, ‘Protecting RSA against Fault Attacks: The Embedding
Method’, Proceedings of 2009 Workshop on Fault Diagnosis and Tolerance in
Cryptography (FDTC), pp. 41-45, IEEE.
127
[JQBD 1997] Joye, M, Quisquater, J-J, Bao, F & Deng, RH 1997, ‘RSA-type
signatures in the presence of transient faults’, in M Darnell (ed.), Proceedings of
Crytography and Coding, Springer, Berlin, Heidelberg, pp. 155-160.
[JSS 2015] Jager, T, Schwenk, J & Somorovsky, J 2015, ‘Practical Invalid Curve
Attacks on TLS-ECDH’, in G Pernul, P Y A Ryan & E Weippl (eds), Proceedings
of Computer Security -- ESORICS 2015, Springer, Cham, pp. 407-425.
[JY 2002] Joye, M & Yen, S-M 2003, ‘The Montgomery Powering Ladder’, in BS
Kaliski, çK Koç & C Paar (eds), Proceedings of Cryptographic Hardware and
Embedded Systems - CHES 2002, Springer, Berlin, Heidelberg, pp. 291-302.
[KBPQ 2008] Kim, CH, Bulens, P, Petit, C & Quisquater, J-J 2008, ‘Fault Attacks
on Public Key Elements: Application to DLP-Based Schemes’, in SF Mjølsnes, S
Mauw & SK Katsikas (eds), Proceedings of Public Key Infrastructure, Springer,
Berlin, Heidelberg, pp. 182-195.
[KCLP 2016] Kim, DK, Choi, P, Lee, M-K & Park, H 2016, ‘Design and Analysis
of Efficient Parallel Hardware Prime Generators’, JOURNAL OF
SEMICONDUCTOR TECHNOLOGY AND SCIENCE, vol. 16, no. 5, pp. 564-581.
[KFSV 2011] Karaklajić, D, Fan, J, Schmidt, JM & Verbauwhede, I 2011, ‘Low-
cost fault detection method for ECC using Montgomery powering ladder’,
Proceedings of 2011 Design, Automation & Test in Europe, pp. 1-6, IEEE.
[KHPD 2008] Kim, AN, Hekland, F, Petersen, S & Doyle, P 2008, ‘When HART
goes wireless: Understanding and implementing the WirelessHART standard’,
Proceedings of 2008 IEEE International Conference on Emerging Technologies
and Factory Automation, pp. 899-907, IEEE.
[KIK 2008] Kara-Ivaniov, M, Iceland, E & Kipnis, A 2008, ‘Attacks on
Authentication and Signature Schemes Involving Corruption of Public Key
(Modulus)’, Proceedings of 2008 5th Workshop on Fault Diagnosis and Tolerance
in Cryptography, pp. 108-115, IEEE.
[Kim 2017] Kim, H 2017,‘Thwarting side-channel analysis against RSA
cryptosystems with additive blinding’, Information Sciences, vol. 412-413, pp. 36-
49.
128
[KK 1999] Kömmerling, O & Kuhn, MG 1999, ‘Design Principles for Tamper-
Resistant Smartcard Processors’, Smartcard, vol. 99, pp. 9-20.
[KKHH 2011] Kim, S-K, Kim, TH, Han, D-G & Hong, S 2011, ‘An efficient CRT-
RSA algorithm secure against power and fault attacks’, Journal of Systems and
Software, vol. 84, no. 10, pp. 1660-1669.
[Koc 1996] Kocar, O 1996, ‘Hardwaresicherheit von mikrochips in chipkarten’,
Datenschutz und Datensicherheit, vol. 20, no. 7, pp. 421-424.
[KJJ 1999] Kocher, P, Jaffe, J & Jun, B 1999, 'Differential power analysis', in
Annual International Cryptology Conference, pp. 388-97.
[KQ 2007a] Kim, CH & Quisquater, J-J 2007, ‘Fault Attacks for CRT Based RSA:
New Attacks, New Results, and New Countermeasures’, in D Sauveron, K
Markantonakis, A Bilas & J-J Quisquater (eds), Proceedings of Information
Security Theory and Practices, Smart Cards, Mobile and Ubiquitous Computing
Systems, Springer, Berlin, Heidelberg, pp. 215-28.
[KQ 2007b] Kim, CH & Quisquater, JJ 2007, ‘How can we overcome both side
channel analysis and fault attacks on RSA-CRT?’, Proceedings of Workshop on
Fault Diagnosis and Tolerance in Cryptography (FDTC 2007), pp. 21-29, IEEE.
[KR 1997] Kaliski Jr, BS & Robshaw, MJ 1997, ‘Comments on some new attacks
on cryptographic devices’, RSA Laboratories Bulletin, vol. 5, pp. 1-5.
[KSQL 2007] Kim, CH, Shin, JH, Quisquater, J-J & Lee, PJ 2007, ‘Safe-Error
Attack on SPA-FA Resistant Exponentiations Using a HW Modular Multiplier’, in
K-H Nam & G Rhee (eds), Proceedings of Information Security and Cryptology -
ICISC 2007, Springer, Berlin, Heidelberg, pp. 273-281.
[KSV 2013] Karaklajić, D, Schmidt, J-M & Verbauwhede, I 2013, ‘Hardware
designer's guide to fault attacks’, IEEE Transactions on Very Large Scale
Integration (VLSI) Systems, vol. 21, no. 12, pp. 2295-2306, IEEE.
[KZJSY 2017] Kong, F, Zhou, D, Jiang, Y, Shang, J & Yu, J 2017, ‘Fault Attack
on an Improved CRT-RSA Algorithm with the Modulus Chaining Method’,
Proceedings of 2017 IEEE International Conference on Computational Science
129
and Engineering (CSE) and IEEE International Conference on Embedded and
Ubiquitous Computing (EUC), vol. 1, pp. 866-869, IEEE.
[Lal 2017] Lalonde, DR 2017, ‘Private and Public-Key Side-Channel Threats
Against Hardware Accelerated Cryptosystems’, M A Sc, University of Windsor,
retrieved 13 December 2017, Electronic Theses and Dissertations.
[Lan 2015] Langbridge, JA 2015, Arduino Sketches: Tools and Techniques for
Programming Wizardry, John Wiley & Sons.
[LCC 2014] Lee, S, Choi, D & Choi, Y 2014, ‘Improved Shamir's CRT-RSA
algorithm: Revisit with the modulus chaining method’, ETRI Journal, vol. 36 no.
3, pp. 469-478.
[LCFS 2017] Lac, B, Canteaut, A, Fournier, J & Sirdey, R 2017, ‘DFA on LS-
Designs with a Practical Implementation on SCREAM’, in S Guilley (eds),
proceedings of Constructive Side-Channel Analysis and Secure Design. COSADE
2017, Springer, Cham, pp. 223-247.
[LCK 2010] Lee, K S, Chun, J H & Kwon, K W, 2010 ‘A low power CMOS
compatible embedded EEPROM for passive RFID tag’, Microelectronics Journal,
vol. 41 no.10, pp.662-668.
[Lee 2016] Lee, Y 2016, Floating Gate operation, Block Diagram, SlidePlayer,
retrieved 20 October 2017, < http://slideplayer.com/slide/6103857/>.
[Len 1996] Lenstra, AK 1996, Memo on RSA signature generation in the presence
of faults.
[Loc 2010] Locke, D 2010, ‘Mq telemetry transport (mqtt) v3. 1 protocol
specification’, IBM developerWorks Technical Library, p. 15.
[LS 2007] Lin, C F & Sun, C Y 2007, ‘A single-poly EEPROM cell structure
compatible to standard CMOS process’, Solid-state electronics, vol. 51 no. 6,
pp.888-893.
[Maple 2017] Maplesoft 2017, Maple User Manual Copyright, Waterloo Maple
Inc, retrieved 10 May 2017,
<https://www.maplesoft.com/documentation_center/maple2017/UserManual.pdf>
130
[MATLAB 2017] MathWorks 2017, MATLAB reference manual, MathWorks,
retrieved 8 August 2017, <
https://au.mathworks.com/help/matlab/index.html?s_tid=gn_loc_drop >.
[Mic 2005] Microchip Company 2005, Section 5. Flash and EEPROM
Programming, Microchip Company, retrieved 28 December 2017, <
http://ww1.microchip.com/downloads/en/DeviceDoc/70052D.pdf >.
[MJ 2015] Milić, L & Jelenković, L 2015, ‘A novel versatile architecture for
Internet of Things’, proceedings of 2015 38th International Convention on
Information and Communication Technology, Electronics and Microelectronics
(MIPRO), pp. 1026-1031, IEEE.
[MLUUM 2018] Mughal, MA, Luo, X, Ullah, A, Ullah, S & Mahmood, Z 2018,
'A Lightweight Digital Signature Based Security Scheme for Human-Centered
Internet of Things', IEEE Access.
[Mont 1987] Montgomery, P L, 1987, ‘Speeding the Pollard and elliptic curve
methods of factorization’, Mathematics of computation, vol. 48 no.177, pp.243-
264.
[Mui 2006] Muir, JA 2006, ‘Seifert’s RSA fault attack: Simplified analysis and
generalizations’, in P Ning, S Qing & N Li (eds), proceedings of Information and
Communications Security. ICICS 2006. Lecture Notes in Computer Science,
Springer, Berlin, Heidelberg, pp. 420-34.
[MVV 1996] Menezes, AJ, Van Oorschot, PC & Vanstone, SA 1996, Handbook of
applied cryptography, CRC press.
[NIST 2013] Gallagher, P & Kerry, C 1993, ‘Fips pub 186-4: Digital signature
standard, dss (2013)’, Halton, JH, & Ribenboim, P.
[NS 1997] Nguyen, P & Stern, J 1997, ‘Merkle-Hellman revisited: a cryptanalysis
of the Qu-Vanstone cryptosystem based on group factorizations’, in B S Kaliski
(eds), proceedings of Advances in Cryptology — CRYPTO '97, CRYPTO 1997,
Springer, Berlin, Heidelberg, pp. 198-212.
131
[NS 2003] Nguyen, P Q, & Shparlinski, I E 2003, ‘The insecurity of the elliptic
curve digital signature algorithm with partially known nonces’, Designs, codes and
cryptography, vol. 30 no. 2, pp.201-217.
[NSS 2004] Naccache, D, Smart, NP & Stern, J 2004, ‘Projective coordinates leak’,
in C Cachin, J L Camenisch (eds), proceedings of Advances in Cryptology -
EUROCRYPT 2004. EUROCRYPT 2004, Springer, Berlin, Heidelberg pp. 257-267.
[OLR 2017] Oliveira, T, López, J & Rodríguez-Henríquez, F 2017, ‘The
Montgomery ladder on binary elliptic curves’, Journal of Cryptographic
Engineering, pp. 1-18.
[OSCCA 2010] OSCCA, “SM 2: A group of ECC public key algorithms,” Tech.
Rep.,
[PBA 2010] Pellegrini, A, Bertacco, V & Austin, T 2010, ‘Fault-based attack of
RSA authentication’, Proceedings of the conference on Design, automation and test
in Europe, European Design and Automation Association, pp. 855-860.
[PBMCKH 2009] Park, J, Bae, K, Moon, S, Choi, D, Kang, Y & Ha, J 2009, ‘A
new fault cryptanalysis on Montgomery ladder exponentiation algorithm’,
Proceedings of the 2nd International Conference on Interaction Sciences:
Information Technology, Culture and Human, pp. 896-9. ACM.
[PBR 2017] Piscitelli, R, Bhasin, S & Regazzoni, F 2017, ‘Fault attacks, injection
techniques and tools for simulation’, Proceedings of Hardware Security and
Trust, Springer, pp. 27-47.
[Pet 1997] Peterson, I 1997, ‘Chinks in digital armor: Exploiting faults to break
smart‐card cryptosystems’, Science News, vol. 151 no. 5, pp.78-79.
[PMC 2014] Polk, T, McKay, K, Chokhani, S 2014, Guidelines for the Selection,
Configuration, and Use of Transport Layer Security (TLS) Implementations, NIST
Special Publication 800-52 Revision 1, retrieved 7 May 2018, <
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf>.
[PNKKLCCKKKP 2015] Park, K T, Nam, S, Kim, D, Kwak, P, Lee, D, Choi, Y
H, Choi, M H, Kwak, D H, Kim, D H, Kim, M S, & Park, H W, 2015, ‘Three-
dimensional 128 Gb MLC vertical NAND flash memory with 24-WL stacked layers
132
and 50 MB/s high-speed programming’, IEEE Journal of Solid-State Circuits, vol.
50 no. 1, pp.204-213, IEEE.
[PSSLR 2018] Poddebniak, D, Somorovsky, J, Schinzel, S, Lochter, M & Rösler,
P 2018, 'Attacking deterministic signature schemes using fault attacks', in 2018
IEEE European Symposium on Security and Privacy (EuroS&P), pp. 338-52.
[PV 2006] Page, D, & Vercauteren, F 2006, ‘A fault attack on pairing-based
cryptography’, IEEE Transactions on Computers, vol. 55 no. 9, pp.1075-1080,
IEEE.
[QS 2002] Quisquater, J-J & Samyde, D 2002, ‘Eddy current for magnetic analysis
with active sensor’, Proceedings of eSMART, vol. 2002.
[Qui 1997] Quisquater, J J 1997, ‘The adolescence of smart cards’, Future
Generation Computer Systems, vol. 13no. 1, pp.3-7.
[RG 2014] Rauzy, P & Guilley, S 2014, ‘Countermeasures against High-Order
Fault-Injection Attacks on CRT-RSA’, Proceedings of 2014 Workshop on Fault
Diagnosis and Tolerance in Cryptography, pp. 68-82, IEEE.
[RLBBRM 2008] Raguet, J R, Laffont, R, Bouchakour, R, Bidal, V, Regnier, A, &
Mirabel, J M 2008, ‘New EEPROM concept for single bit operation’. Solid-State
Electronics, vol. 52 no. 10, pp.1525-1529.
[RMGN 2015] Rauzy, P, Moreau, M, Guilley, S & Najm, Z 2015, Using modular
extension to provably protect ECC against fault attacks, Cryptology ePrint Archive,
Report 2015/882.
[Ros 1998] Ross K 1998, the General Architecture of EEPROM, Block Diagram,
The Newsletter of the seattle Robotics Society: Encoder, retrieved 12 October
2017,< http://www.seattlerobotics.org/encoder/aug99/serialeeprom.html>.
[RP 2017] Romailler, Y & Pelissier, S 2017, ‘Practical Fault Attack against the
Ed25519 and EdDSA Signature Schemes’, Proceedings of 2017 Workshop on Fault
Diagnosis and Tolerance in Cryptography (FDTC), pp. 17-24, IEEE.
[SA 2002] Skorobogatov, SP & Anderson, RJ 2003, ‘Optical Fault Induction
Attacks’, in BS Kaliski, çK Koç & C Paar (eds), Proceedings of Cryptographic
133
Hardware and Embedded Systems - CHES 2002, Springer, Berlin, Heidelberg, pp.
2-12.
[SASOMKOKN 2014] Shukuri, S, Ajika, N, Shimizu, S, Otoi, H, Mihara, M,
Kawajiri, Y, Ogura, T, Kobayashi, K & Nakashima, M 2014, ‘Byte alterable
embedded EEPROM with B4-HE architecture achieving 10usec programming and
57F2 cell size’, Proceedings of 2014 IEEE 6th International Memory Workshop
(IMW), pp. 1-3, IEEE.
[SB 2018] Samwel, N & Batina, L 2018, 'Practical Fault Injection on Deterministic
Signatures: The Case of EdDSA', in International Conference on Cryptology in
Africa, pp. 306-21.
[SBBDS 2018] Samwel, N, Batina, L, Bertoni, G, Daemen, J & Susella, R 2018,
'Breaking Ed25519 in WolfSSL', in Cham, pp. 1-20.
[Sei 2005] Seifert, J-P 2005, ‘On authenticated computing and RSA-based
authentication’, paper presented to Proceedings of the 12th ACM conference on
Computer and communications security, Alexandria, VA, USA, pp. 122-127.
[Sey 2017] Seysen, M 2017, ‘Error-free protection of EC point multiplication by
modular extension’, IACR Cryptology ePrint Archive, vol. 2017, p. 170.
[SFM 2016] Sakamoto, J, Fujimoto, D & Matsumoto, T 2016, ‘Laser irradiation on
EEPROM sense amplifiers enhances side-channel leakage of read bits’,
Proceedings of 2016 IEEE Asian Hardware-Oriented Security and Trust
(AsianHOST), pp. 1-6, IEEE.
[SH 2007] Schmidt, J-M & Hutter, M 2007, Optical and em fault-attacks on crt-
based rsa: Concrete results. Vienna, Austria.
[SH 2008] Schmidt, JM & Herbst, C 2008, ‘A Practical Fault Attack on Square and
Multiply’, Proceedings of 2008 5th Workshop on Fault Diagnosis and Tolerance
in Cryptography, pp. 53-8, IEEE.
[Sha 1997] Shamir, A 1997, ‘How to check modular exponentiation’, rump session
of EUROCRYPT, vol. 97.
[Sha 1999] Shamir, A 1999, ‘Method and apparatus for protecting public key
schemes from timing and fault attacks’, Yeda Research and Development Co. Ltd,
134
At The Weizmann Institute Of Science, U.S. Patent 5,991,415.Embedded Systems,
Springer, Berlin Heidelberg, pp. 2-12.
[Sho 2001] Shoup, V 2001, ‘A proposal for an ISO standard for public key
encryption (version 2.1)’, IACR E-Print Archive, vol. 112.
[SIA 2017] Serraj, T, Ismaili, MC & Azizi, A 2017, ‘On the security of some elliptic
curve standards in the presence of random fault analysis attacks’, Proceedings of
2017 International Conference on Wireless Technologies, Embedded and
Intelligent Systems (WITS), pp. 1-5, IEEE.
[SKLM 2001] Sung-Ming, Y, Kim, S, Lim, S & Moon, S 2002, ‘A Countermeasure
against One Physical Cryptanalysis May Benefit Another Attack’, in K Kim (ed.),
Proceedings of Information Security and Cryptology — ICISC 2001, Springer,
Berlin, Heidelberg, pp. 414-427.
[Sko 2002] Skorobogatov, S 2002, Low temperature data remanence in static RAM,
University of Cambridge, Computer Laboratory, p.11.
[Sko 2009] Skorobogatov, S 2009, ‘Local heating attacks on Flash memory
devices’, Proceedings of 2009 IEEE International Workshop on Hardware-
Oriented Security and Trust, pp. 1-6, IEEE.
[Sko 2010] Skorobogatov, S 2010, ‘Optical Fault Masking Attacks’, Proceedings
of 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 23-9,
IEEE.
[Sko 2017] Skorobogatov, S 2017, ‘How Microprobing Can Attack Encrypted
Memory’, Proceedings of 2017 Euromicro Conference on Digital System Design
(DSD), pp. 244-51, IEEE.
[SM 2009] Schmidt, J M & Medwed, M 2009, ‘A Fault Attack on ECDSA’,
Proceedings of 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography
(FDTC), pp. 93-9, IEEE.
[SM 2010] Schmidt, J-M & Medwed, M 2011, ‘Fault Attacks on the Montgomery
Powering Ladder’, in K-H Rhee & D Nyang (eds), Proceedings of Information
Security and Cryptology - ICISC 2010, Springer, Berlin, Heidelberg, pp. 396-406.
135
[SS 2017] Schinianakis, D & Stouraitis, T 2017, ‘RNS-Based Public-Key
Cryptography (RSA and ECC)’, in AS Molahosseini, LS de Sousa & C-H Chang
(eds), Proceedings of Embedded Systems Design with Special Arithmetic and
Number Systems, Springer International Publishing, Cham, pp. 311-344.
[TK 2010] Trichina, E & Korkikyan, R 2010, ‘Multi Fault Laser Attacks on
Protected CRT-RSA’, Proceedings of 2010 Workshop on Fault Diagnosis and
Tolerance in Cryptography, pp. 75-86, IEEE.
[TMRCPK 2013] Torricelli, F, Milani, L, Richelli, A, Colalongo, L, Pasotti, M, &
Kovacs-Vajna, Z M 2013, ‘Half-MOS single-poly EEPROM cell in standard
CMOS process’, IEEE Transactions on Electron Devices, vol. 60 no. 6, pp.1892-
1897, IEEE.
[Tra 2006] Trappe, W 2006, Introduction to cryptography with coding theory,
Pearson Education India.
[Vig 2008] Vigilant, D 2008, ‘RSA with CRT: A New Cost-Effective Solution to
Thwart Fault Attacks’, in E Oswald & P Rohatgi (eds), Proceedings of
Cryptographic Hardware and Embedded Systems – CHES 2008, Springer, Berlin,
Heidelberg, pp. 130-45.
[Wan 2004] Wagner, D 2004, ‘Cryptanalysis of a provably secure CRT-RSA
algorithm’, paper presented to Proceedings of the 11th ACM conference on
Computer and communications security, Washington DC, USA, pp. 92-97, ACM.
[WYSLGG 2018] Wang, W, Yu, Y, Standaert, F-X, Liu, J, Guo, Z & Gu, D 2018,
“Ridge-Based DPA: Improvement of Differential Power Analysis For Nanoscale
Chips”, IEEE Transactions on Information Forensics and Security, vol. 13, no. 5,
pp. 1301-16.
[Was 2012] Washington, J 2012, EEPROM Cell Configuration, Block Diagram,
SlidePlayer, retrieved 18 October 2017, < http://slideplayer.com/slide/6465527/>.
[Win 2012] Winter, T 2012, ‘RPL: IPv6 routing protocol for low-power and lossy
networks’.
136
[WSCH 2008] Wu, YC, Su, PW, Chang, CW & Hung, MF 2008, ‘Novel Twin
Poly-Si Thin-Film Transistors EEPROM With Trigate Nanowire Structure’, IEEE
Electron Device Letters, vol. 29, no. 11, pp. 1226-1228, IEEE.
[WW 2005] Waddle, J & Wagner, D 2005, ‘Fault attacks on dual-rail encoded
systems’, Proceedings of 21st Annual Computer Security Applications Conference
(ACSAC'05), pp. 10 494, IEEE.
[XHXYK 2016] Xu, Y, Hu, J, Xiao, J, Yang, G & Kong, W 2016, ‘Design
Techniques for a 30-ns Access Time 1.5-V 200-KB Embedded EEPROM
Memory’, IEEE Transactions on Circuits and Systems II: Express Briefs, vol. 63,
no. 11, pp. 1064-1068, IEEE.
[YJ 2000] Yen, S-M & Joye, M 2000, ‘Checking before output may not be
enough against fault-based cryptanalysis’, IEEE Transactions on computers, vol.
49, no. 9, pp. 967-70.IEEE.
[YKLM 2003] Yen, S-M, Kim, S, Lim, S & Moon, S-J 2003, “RSA speedup with
Chinese remainder theorem immune against hardware fault cryptanalysis”, IEEE
Transactions on computers, vol. 52, no. 4, pp. 461-72.IEEE.
[YKM 2006] Yen, S-M, Kim, D & Moon, S 2006, ‘Cryptanalysis of Two Protocols
for RSA with CRT Based on Fault Infection’, in L Breveglieri, I Koren, D Naccache
& J-P Seifert (eds), Proceedings of Fault Diagnosis and Tolerance in
Cryptography, Springer, Berlin, Heidelberg, pp. 53-61.
[YKMH 2006] Yen, S-M, Ko, L-C, Moon, S & Ha, J 2006, ‘Relative Doubling
Attack Against Montgomery Ladder’, in DH Won & S Kim (eds), Proceedings of
Information Security and Cryptology - ICISC 2005, Springer, Berlin, Heidelberg,
pp. 117-28.
[YMH 2002] Yen, S-M, Moon, S & Ha, J-C 2003, ‘Hardware Fault Attack on RSA
with CRT Revisited’, in PJ Lee & CH Lim (eds), Proceedings of Information
Security and Cryptology — ICISC 2002, Berlin, Heidelberg, pp. 374-388.
[YouTube 2014] How to Read, Erase, & Write EProm EEProm Chips Electronic
Fuel injection DIY Tuning GQ-4X Programmer 2014. YouTube, Guns & Gears, 2
May, retrieved 2 August 2016,
<https://www.youtube.com/watch?v=vUDP1XTmF9A>.
137
[YouTube 2015] In system programming 93c56 scenic instrument panel 2015,
YouTube, REVELTRONICS, 12 July, retrieved 2 August 2016, <
https://www.youtube.com/watch?v=bl2FaM1SxK4>.
[YZV 2014] Yan, Z, Zhang, P & Vasilakos, AV 2014, ‘A survey on trust
management for Internet of Things’, Journal of network and computer applications,
vol. 42, pp. 120-34.
[YZWSL 2017] Yang, F, Zheng, Y, Wang, C, Shen, L, & Liao, H 2017, ‘A single-
poly EEPROM with low leakage charge pump and peripheral circuits for passive
RFID tag in a standard CMOS technology’, IEICE Electronics Express, vol. 14
no.10, pp. 20170315-20170315.
[YYK 1971] Yasuo, T, Yutaka H & Kiyoko N 1971, ‘Proposal of electrically
reprogrammable non-volatile semiconductor memory’, Proceedings of the 3rd
Conference on Solid State Devices, Tokyo. The Japan Society of Applied Physics:
155-162
[ZigBee 2006] ZigBee Alliance, ZigBee specification, 344-346, 2006.
138
Appendices
Appendix A
A.1 Example 5
The internal inputs (loaded from the firmware) to algorithm 4.2 are p=31, q=29
d=593 and 𝑖𝑞 ≡ q-1 mod p=15. The input enter by user to algorithm 4.2 are the
message M=23 and the random fault value X=66. I assume that p, q, d and 𝑖𝑞 are
stored in firmware of the victim device, and the attacker does not have any access
to them. The goal of this example is to compute q which has a partial factor of
n=p*q.
Algorithm 4.2 was implemented in Maple code and the steps are shown below.
1. r := (rand(2 .. 2^4))(); r := 11.
2. pr := p*r; pr := 341.
3. qr := q*r; qr := 319.
4. er := "error"; er := "error".
if `mod`(pr, p) <> 0 or `mod`(qr, q) <> 0 then er end if.
5. v := (p-1)*(r-1); v := 300.
Spr: = `mod`(M^(`mod`(d, v)), pr); Spr := 232.
6. u := (q-1)*(r-1); u := 280.
Sqr := `mod`(M^(`mod`(d, u)), qr); Sqr := 199.
7. if `mod`(Spr, r) <> `mod`(Sqr, r) then er end if.
8. Sp := `mod`(Spr, p); Sp := 15.
9. Sq := `mod`(Sqr, q); Sq := 25.
10. Scrt := Sq+q*(`mod`(iq*(Sp-Sq), p)); Scrt := 170.
11 and 12. Scrte := Sq+q*(`mod`(X*(Sp-Sq), p)); Scrte := 663.
13. n=p*q=899.
14. qt := gcd(Scrte-Scrt, n); qt := 29.
139
15. unassign ('Scrte').
16. if `mod`(Scrt, p) <> `mod`(Spr, p) or `mod`(Scrt, q) <> `mod`(Sqr, q) then er
end if.
17. q = qt; q = 29.
A.2 Example 6
The internal inputs (loaded from the firmware) to algorithm 4.4 are p=47, q=37,
dp≡ d mod (p-1) ≡21,dq≡d mod(q-1) ≡23 and 𝑖𝑞 ≡ q-1 mod p=14. The inputs by
the user to algorithm 4.4 are the message M=56 and the random fault value X=34.
I assume that p, q, dp, dq and 𝑖𝑞 are stored in the firmware of the victim device, and
the attacker does not have any access to them. The goal of this example is to
compute q which has a partial factor of n=p*q.
Algorithm 4.4 was implemented in Maple code and the steps are shown below.
1.r := (rand(2 .. 2^4))(); r := 3.
2. n:= p*q; n := 1739.
3. pdash := p*r^2; pdash := 423.
4. ipr := `mod`(1/p, r^2); ipr := 5.
5. Mp := `mod`(M, pdash); Mp := 56.
6. Bp := p*ipr; Bp := 235.
7. Ap := `mod`(1-Bp, pdash); Ap := 189.
8. Mpdash := `mod`(Ap*Mp+Bp*(1+r), pdash); Mpdash := 103.
9. qdash := q*r^2; qdash := 333.
10. iqr := `mod`(1/q, r^2); iqr := 1.
11. Mq := `mod`(M, qdash); Mq := 56.
12. Bq := q*iqr; Bq := 37.
13. Aq := `mod`(1-Bq, qdash); Aq := 297.
14. Mqdash := `mod`(Aq*Mq+Bq*(1+r), qdash); Mqdash := 130.
140
15. eupdash := (p-1)*(r^2-1); eupdash := 368.
Spdash := `mod`(Mpdash^(`mod`(dp, eupdash)), pdash);Spdash := 253.
16. Spr := dp*r+1; Spr := 64.
17. cp := `mod`(Mpdash+n-M+1, p); cp := 1.
18. euqdash := (q-1)*(r^2-1); euqdash := 288.
Sqdash := `mod`(Mqdash^(`mod`(dq, euqdash)), qdash); Sqdash := 52.
19. Sqr := dq*r+1; Sqr := 70.
20. cq := `mod`(Mqdash+n-M+1, q); cq := 1.
21. Sdash := Sqdash+q*(`mod`(iq*(Spdash-Sqdash), pdash)); Sdash := 10264.
22. Comment: use X instead of 𝑖𝑞 in the computation of Sdash so we get Sdashe..
23. Sdashe := Sqdash+q*(`mod`(X*(Spdash-Sqdash), pdash)); Sdashe := 2494.
24. qt := gcd(Sdashe^e-M, n); qt := 37.
25. unassign('Sdashe').
26. Sr := Sqr+q*(`mod`(iq*(Spr-Sqr), pdash)); Sr := 12613.
27. cs := `mod`(Sdash-Sr+1, r^2); cs := 1.
28. Sf := `mod`(M^d, n); Sf := 1569.
29. Sfchk := `mod`(Sdash^(cp*cq*cs), n); Sfchk := 1569 As Sf=Sfchk no error.
30. q = qt; q = 37.
A.3 Example 7
I choose three random prime numbers p=3967, q=1327 and e=37 and compute
n=p*q=5264209, and d=e-1 mod (p-1)*(q-1)= 2131993 in decimal form or
"1000001000100000011001" in binary form. The internal inputs (loaded from the
firmware) to algorithm 4.6 are d= "1000001000100000011001" in binary form and
the size of the secret key t= 22. The inputs by the attacker to algorithm 4.6 are the
message g=12, the random fault value X=8 and modulus n= 5264209. I assume that
the secret key d and size of the secret key t are stored in the firmware of the victim
141
device, and the attacker does not have any access to them. The goal of this example
is to retrieve d which is the secret key of RSA.
Since Maple does not accept indices beginning with 0, as in the binary left to right
attack, we use 1, 2 instead of 0, 1 in the Maple code.
The Maple program considers the first value from left when dealing with For-Loop.
Therefore, the Maple program defines Left-to-Right in the For-Loop as “for i from
1 to t do” where t represents the size of the secret key d. However, the For-Loop in
RSA algorithm from Left-to-Right is defined as “For i from t to 1 do”.
The attack algorithm 4.6 was implemented in Maple code, and the steps are shown
below.
Step1.
> R[1] := 1; R[1] := 1
> R[2] := g; R[2] := 12
Step2.
> z=1; z=1
Step3
for i from 1 to t do
Step 3.1
if d[i] = "1" then b := 1 else b := 2 end if
Step 3.2
H: = R[b]*X mod n
Step 3.3
T := R[b]
Step 3.4
if d[i] = "1" then R[b] := R[b]*X mod n end if
Step 3.5
if R[b] = H then k[i] := 1; R[b] := T else k[i] := 0 end if
Step 3.6
if d[i] = "1" then u := 2 else u := 1end if
R[b]:= R[b]*R[u] mod n
142
Step 3.7
R[u] := R[u]^2 mod n
Step 3.8
z := z+1
End While loop
Step 4
Set v z-1
Step 5
d= [k1, k2, k3, . . . , kv-1, kv]= "1000001000100000011001"
A.4 Example 8
I choose three random prime numbers p=9769, q=10453 and e=29 and compute
n=p*q=102115357, and d=e-1 mod (p-1)*(q-1)= 52807829 in decimal form or
"11001001011100100010010101" in binary form. The internal inputs (loaded from
the firmware) to algorithm 4.8 are d= "11001001011100100010010101" in binary
form and size of the secret key t= 26. The inputs by the attacker to algorithm 4.8
are the message g=16, the random fault value X=12 and modulus n= 5264209. I
assume that the secret key d and size of the secret key t are stored in the firmware
of the victim device, and the attacker does not have any access to them. The goal of
this example is to retrieve d which is the secret key of RSA.
Since Maple does not accept indices beginning from 0, as in the binary left to right
attack, we use 1 and 2 instead of 0 and 1 in the Maple code.
The Maple program considers the first value from left when dealing with For-Loop.
Therefore, the Maple program defines Right-to-Left in the For-Loop as “for i from
t to 1 do” where t represents the size of the secret key d. However, the For-Loop in
RSA algorithm from Right-to-Left is defined as “For i from 1 to t do”.
The attack algorithm 4.8 was implemented in Maple code, and the steps are shown
below.
Step1
> R[1] := 1; R[1] := 1
> R[2] := g; R[2] := 16
Step2
143
> z=1; z=1
Step3
for i from t by -1 to 1 do
Step 3.1
if d[i] = "1" then b := 1 else b := 2 end if
Step 3.2
H: = R[b]*X mod n
Step 3.3
T := R[b]
Step 3.4
if d[i] = "1" then R[b] := R[b]*X mod n end if
Step 3.5
if R[b] = H then k[i] := 1; R[b] := T else k[i] := 0 end if
Step 3.6
if d[i] = "1" then u := 2 else u := 1end if
R[b]:= R[b]^2 mod n
Step 3.7
R[b] := R[b]*R[u] mod n
Step 3.8
z := z+1
End While loop
Step 4
Set v z-1
Step 5
d= [kv, kv-1, . . . , k2, k1]= "11001001011100100010010101"
144
Appendix B
B.1 example 1
Here, I demonstrate the attack on a Weierstrass curve, using point addition formulas
(3) and (4) in the computations, so that both coordinates are evaluated in each step.
I use the curve y2=x3+x+ (3w+3) over GF(52) where w is a solution of the
irreducible polynomial x2+4x+2 over GF(5), and so w2=w+3. Based on points in
affine form, I choose the point P = (0, 2w+1), value k = 6. Based on the general
Weierstrass equation (1), the coefficients are: a1=0, a2=0, a3=0, a4=1, a5=3w+3. I
also need a fault value X which I have chosen arbitrarily with value (0, 3w + 4)
modulo 5.
The internal inputs (loaded from the firmware) to algorithm 5.2 are k="110" in
binary form and the size of the secret key t= 3. The inputs by the attacker to
algorithm 5.2 are the P = (0, 2w+1), the random fault value X=(0, 3w + 4) and the
curve GF(p) values where p=5, a4=1 and a5=3w+3. I assume that the secret key k
and size of the secret key t are stored in the firmware of the victim device, and the
attacker does not have any access to them. The goal of this example is to retrieve k
which is the secret key of ECC.
Maple will not directly compute elliptic curve points using the inbuilt commands.
My options were therefore either to write subroutines in Maple enabling
computation of values such as (w+4)-1 or (w+4)2 in the extension field, or to use as
much of Maple as we could and do the remaining work by hand. I opted for the
latter solution. The four Maple commands ‘solve’, ‘expand’, ‘addell’ and ‘multell’
were used extensively, along with manual manipulation.
Because k is 110 in binary form, algorithm 5.2 will run through two complete
iterations, in each of which it will produce a bit of k. The steps are given below.
Step 1
>R(0)=P=[0, 2w+1];
>R(1)=2P=[3w+4,3w+2];
> e=2;
Step 2
X= [0, 3w+4];
Step 3
145
Iteration 1
i=2
Z= R(0)=[0, 2w+1];
N=R(0)+X=P+(-P)= O;
Since k2=1 then R(¬k2)=R(0) +X= P+(-P)= O;
Since R(¬k2)=R(0)=N we set d2 =1 and ‘eliminate error’: R(¬k2) by R(¬k2)=Z=
P=[0, 2w+1];
R(¬k2)=R(0)=R(0)+R(1)=P+2P=3P=[4w+3,4w+3];
R(k2)=R(1)=2R(k2)=2R(1)=4P=[2w,w+3];
Set e=e+1=3 updating the key size counter;
Iteration 2
i=1
Z= R(0)= 3P=[4w+3,4w+3];
N=R(0)+X=3P+(-P)=2P=[3w+4,3w+2];
Since k3=0 then no value added to X and stored in R(¬k3);
Since R(¬k1)=R(1)≠ N we set d1 =0 and no error occurs in R(¬k3);
R(¬k1)=R(1)=R(0)+R(1)=3P+4P=7P=[2w,4w+2];
R(k1)=R(0)=2R(k1)=2R(0)=6P=[2w+2,3];
Set e=e+1=4 updating the key size counter;
End of loop
Set v = e – 1 = 3.
I obtain the final value of k as the components of the triple (1, d2, d1) which is 110.
B.2 Example 2
I use the same experimental environment and addition operations which I have used
for the attack in the previous section.
The chosen curve is of Montgomery type:
y2 = x3 + 356055934632865372341974084664 x2 + x with P = (737747, 724721),
where k = 8957 in base 10 and is “10001011111101” in base 2, and the field is
GF(p) where p = 1083948976932424618521046268491.
I also need a fault value X which I have chosen arbitrarily with value (737747,
1083948976932424618521045543770).
The internal inputs (loaded from the firmware) to algorithm 5.4 are
k="10001011111101" in binary form and the size of the secret key t= 14. The inputs
146
by the attacker to algorithm 5.4 are the P = (737747, 724721), the random fault
value X=(737747, 1083948976932424618521045543770) and the curve GF(p)
values where p=1083948976932424618521046268491, a4=1 and a5=0. I assume
that the secret key k and size of the secret key t are stored in the firmware of the
victim device, and the attacker does not have any access to them. The goal of this
example is to retrieve k which is the secret key of ECC.
I use point addition formulas (3) and (4) in the computations so that both
coordinates are evaluated in each step.
In the Maple code below, I use R(1) instead of R(0) and R(2) instead of R(1) as
Maple does not use the index 0. Note also that O in Maple is represented as
[“infinity”,”infinity”].
The Maple program considers the first value from left when dealing with For-Loop.
Therefore, the Maple program defines Right-to-Left in the For-Loop as “for i from
t by -1 to t do” where t represents the size of the secret key d. However, the For-
Loop in ECC algorithm from Right-to-Left is defined as “For i from 1 to t do”.
Step 1
> R [1]:= [“infinity”, “infinity”]; R [1]:= [“infinity”, “infinity”];
> R [2]:= [737747, 724721]; R [2]:= [737747, 724721];
> e:=1; e:=1
Step 2
>X:= (737747, 1083948976932424618521045543770); X:= (737747,
1083948976932424618521045543770).
Step 3
for i from t by -1 to 1 do :
Step 3.1
E := R[1]
Step 3.2
G := R[2]
COMMENT: Since b is an index in the next steps, we use b = 1, 2 instead of b =
0, 1
Step 3.3
if k[i] = "1" then b := 1 else b := 2 end if
Step 3.4
147
N := addell([R[1][1], R[1][2]], [X[1], X[2]], a4, a5, p)
Step 3.5
if b = 1 then R[b] := addell([R[1][1], R[1][2]], [X[1], X[2]], a4, a5, p) end if
Step 3.6
c := R[b];
if c = N then d[i] := "1"; R[b] := E else d[i] := "0" end if
Step 3.7
R[b] := addell([R[1][1], R[1][2]], [R[2][1], R[2][2]], a4, a5, p)
Step 3.8
R[2] := G
Step 3.9
R[2] := multell([R[2][1], R[2][2]], 2, a4, a5, p)
Step 3.10
e := e+1
End of Step 3
Step 4
v=e-1; v=14
Step 5 (the bits of k are output)
[d14=1, d13=0, d12=0, d11=0, d10=1, d9=0, d8=1, d7=1, d6=1, d5=1, d4=1, d3=1, d2=0, d1=1]
Concerning the point X on the curve, the Maple notation for the x- (respectively y-
) coordinate of X is given by X[1] (respectively X[2]). So in Step 3 above, where
R[i] is itself a point, the notation R[i][1] refers to its x-coordinate.
B.3 Example 3
I choose the field GF(16708911996216745859) for the elliptic curve y2 = x3 +
9763215x + 16479282469090387564 with point P = (612359, 1000013) given in
affine form. My target is to find k, which I know in advance is 933 in base 10 and
is “1110100101” in base 2. I set p = 16708911996216745859. I also choose
arbitrarily a fault point X:= ( 612359, 16708911996215745846).
Referring to the general Weierstrass equation (1), the corresponding coefficients
are: a1=0, a2=0, a3=0, a4=9763215, a5=16479282469090387564.
The internal inputs (loaded from the firmware) to algorithm 5.6 are
k="1110100101" in binary form and the size of the secret key t= 10. The inputs by
148
the attacker to algorithm 5.6 are the P = (612359, 1000013), the random fault value
X:= (612359, 16708911996215745846)and the curve GF(p) values where
p=16708911996216745859, a4=9763215 and a5=16479282469090387564. I
assume that the secret key k and size of the secret key t are stored in the firmware
of the victim device, and the attacker does not have any access to them. The goal of
this example is to retrieve k which is the secret key of ECC.
Implementation of algorithm 5.6 in Maple code access register bits from Left-to-
Right and the steps for this example are shown below. I begin with counter key size
e=2 as I begin to count from second bit as the first bit is always 1. The notations
P[1] and P[2] refer respectively to the abscissa and ordinate values of the point P.
Since Maple does not accept indices beginning from 0, I use 1 and 2 instead of 0
and 1.
The Maple program considers the first value from left when dealing with For-Loop.
Therefore, the Maple program defines Left-to-Right in the For-Loop as “for i from
1 to t do” where t represents the size of the secret key d. However, the For-Loop in
ECC algorithm from Left-to-Right is defined as “For i from t to 1 do”.
Step 1
> W[1]:= P; W[1]:=[ 612359, 1000013]
> e:=2; e:=2
Step 2
> X:= [ 612359, 16708911996215745846]
COMMENT: Inject error into Step 3 by using X instead of P in addition operations:
Step 3
for i from 1 to t -1 do
Step 3.1
W[1] := multell([W[1][1], W[1][2]], 2, a4, a5, p)
Step 3.2
R := addell([W[1][1], W[1][2]], [X[1], X[2]], a4, a5, p)
Step 3.3
149
W[2]:= addell([W[1][1],W[1][2]],[X[1],X[2]].a4,a5,p);
Step 3.4
if k[i] = "1" then u := 2 else u := 1 end if;
n := W[u];
if n = R then d[i] := "1" else d[i] := "0" end if
Step 3.5
W[2] := addell([W[1][1], W[1][2]], [P[1], P[2]], a4, a5, p)
Step 3.6
W[1] := W[u]
Step 3.7
e := e+1
End of Step 3
Step 4
> v := e-1; v := 10
Step 5 (the bits of k are output)
[d10=1, d9=1, d8=1, d7=0, d6=1, d5=0, d4=0, d3=1, d2=0, d1=1]
B.4 Example 4
I choose the curve y2=x3+x+(3w+3) over GF(52) where w is a solution of the
irreducible polynomial x2+4x+2 over GF(5), and so w2=w+3. Based on points in
affine form, I choose P = (0, 2w+1), the value k = 6.
Based on the general Weierstrass equation (1), the coefficients are: a1=0, a2=0, a3=0,
a4=1, a5=3w+3. I also choose arbitrarily a fault point X= (0, 3w + 4) modulo 5.
The internal inputs (loaded from the firmware) to algorithm 5.8 are k="110" in
binary form and the size of the secret key t= 3. The inputs by the attacker to
algorithm 5.8 are the P = (0, 2w+1), the random fault value X= (0, 3w + 4) and the
curve GF(p) values where p=5, a4=1 and a5=3w+3. I assume that the secret key k
and size of the secret key t are stored in the firmware of the victim device, and the
150
attacker does not have any access to them. The goal of this example is to retrieve k
which is the secret key of ECC.
Maple will not directly compute elliptic curve points for an extension field using
the commands of the previous example. My options were therefore either to write
subroutines for Maple enabling computation of values such as (w+4)-1or (w+4)2 in
the extension field or to use as much of Maple as I could and do the remaining work
by hand. I opted for the latter solution. The four Maple commands ‘solve’, ‘expand’,
‘addell’ and ‘multell’ were used extensively, while their outputs often needed
manual manipulation; in particular, I used equations (3) and (4) from section 5.2.5.
Because k is 110 in binary form, algorithm 5.8 will run through three complete
iterations, in each of which it will produce a bit of k. The description of execution
of algorithm 5.8 is presented below.
Note that Maple represents O as [“infinity”, “infinity”].
Step 1
>W(0)=O=[“infinity”, “infinity”];
>R=P=[0, 2w+1];
> e=1;
Step 2
Choose X= [0, 3w+4];
Step 3
Iteration 1
i=1;
V = W(0) + X = O +(-P) = [0, 3w+4];
Since k=0 then W(1) is not changed;
Since W(1) ≠ V I set d[i] =0;
W(1)=R= P=[0, 2w+1];
W(1)=W(0)+W(1)= O+P = P=[0, 2w+1];
W(0)=W(ki)=W(0)= O =[“infinity”, “infinity”];
151
R=2R=2P=[3w+4, 3w+2];
Set e=e+1;
Iteration 2
i=2;
V = W(0) + X = O +(– P) = [0, 3w+4] ;
Since k=1 then W(1) = W(0) + X = O +(-P) = [0, 3w+4];
Since W(1) = V I set d[i] =1;
W(1)=R= 2P=[3w+4, 3w+2];
W(1)=W(0)+W(1)= O+2P= 2P=[3w+4, 3w+2];
W(0)=W(ki)=W(1)=2P;
R=2R=4P=[2w, w+3];
Set e=e+1=3;
Iteration 3
i=3;
V = W(0) + X = 2P +(-P) = P=[0, 2w+1];
Since k=1 then W(1) = W(0) + X = 2P +(-P) = P=[0, 2w+1];
Since W(1) = V, I set d[i] =1;
W(1)=R= 4P=[3w+4, 3w+2];
W(1)=W(0)+W(1)= 2P+4P= 6P=[2w+2, 3];
W(0)=W(ki)=W(1)=6P=[2w+2, 3];
R=2R=8P;
Set e=e+1=4;
The iterations end.
The final output value of k is equal to (kt, kt-1, …, k1)2 which is represented by the
components of the triple (d[3], d[2], d[1]) which is 110.
B.5 Example 5
I choose the field GF(36028797018963971) for the elliptic curve y2 = x3 +
23049492390237540x + 26353962252453337 with points P =
152
(36028797018963969, 18083753824772429) given in affine form. My target is to
find k, which I know in advance is 1435 in base 10 and is “10110011011” in binary
base. I set p = 36028797018963971. I also choose arbitrarily a fault point X:=
(36028797018963969, 17945043194191542).
Referring to the general Weierstrass equation (1), the corresponding coefficients
are: a1=0, a2=0, a3=0, a4=23049492390237540, a5=26353962252453337.
The internal inputs (loaded from the firmware) to algorithm 5.10 are
k="10110011011" in binary form and the size of the secret key t= 11. The inputs
by the attacker to algorithm 5.10 are the P = (36028797018963969,
18083753824772429), the random fault value X:= ([36028797018963969,
17945043194191542) and the curve GF(p) values where p=36028797018963971,
a4=23049492390237540 and a5=26353962252453337. I assume that the secret key
k and size of the secret key t are stored in the firmware of the victim device, and the
attacker does not have any access to them. The goal of this example is to retrieve k
which is the secret key of ECC.
The attack algorithm 5.10 is implemented in Maple code, and the steps are shown
below. The notations P[1] and P[2] refer respectively to the abscissa and ordinate
values of the point P. Since Maple does not accept indices beginning from 0, as in
the Coron attack, I use 1 and 2 instead of 0 and 1 in the Maple code.
The Maple program considers the first value from the left when dealing with For-
Loop. Therefore, the Maple program defines Left-to-Right in the For-Loop as “for
i from 1 to t do” where t represents the size of the secret key d. However, the For-
Loop in ECC algorithm from Left-to-Right is defined as “For i from t to 1 do”.
Step1
> R[1] := ["infinity", "infinity"]; R[1] := ["infinity", "infinity"]
> R[2] := P ; R[2] := [36028797018963969, 18083753824772429]
> e := 1; e := 1
Step 2
153
> X := [36028797018963969, 17945043194191542]; X := [36028797018963969,
17945043194191542]
Step 3
for i from 1 to t do
Step 3.1
G := addell([R[1][1], R[1][2]],[X[1],X[2]],a4,a5,p);
Step 3.2
if k[i] = "1" then z := 1 else z := 2 end if
T := R[z]
Step 3.3
if k[i] = "1" then u := 2 else u := 1 end if
if u=2 then R[z] := addell([R[1][1], R[1][2]],[X[1],X[2]],a4,a5,p); end if;
Step 3.4
n := R[z];
if n = G then d[i] := "1"; R[z] := T else d[i] := "0" end if
Step 3.5
R[z] := addell([R[1][1], R[1][2]], [R[2][1], R[2][2]], a4, a5, p)
Step 3.6
R[u] := multell([R[u][1], R[u][2]], 2, a4, a5, p)
Step 3.7
e := e+1
End For Loop
Step 4
v:=e-1; v:=11
Step 5 (the bits of k are output)
[d11=1, d10=0, d9=1, d8=1, d7=0, d6=0, d5=1, d4=1, d3=0, d2=1, d1=1]
154
B.6 Example 6
In this example, I choose an elliptic curve over the extension field GF(28) of GF(2)
using a solution w of the irreducible polynomial x8+ x4 + x3 +x+1 over GF(2). I use
the elliptic curve y2+xy=x3 + (w4+w+1) where the coefficients are polynomials in
GF(28). Based on points in affine form, I choose the point P = (w, w2 +1), value k
= 6. Based on the general Weierstrass equation (1), the coefficients are: a1=1, a2=0,
a3=0, a4=0, and a5= w4+w+1. I also choose arbitrarily a fault point X = (w, w2 +w+1)
modulo 2.
The internal inputs (loaded from the firmware) to algorithm 5.12 are k="110" in
binary form and the size of the secret key t= 3. The inputs by the attacker to
algorithm 5.12 are the P = (w, w2 +1), the random fault value X = (w, w2 +w+1)
and the curve GF(p) values where p=2, a4=0 and a5= w4+w+1. I assume that the
secret key k and size of the secret key t are stored in the firmware of the victim
device, and the attacker does not have any access to them. The goal of this example
is to retrieve k which is the secret key of ECC.
I face here the same Maple problem as in the previous field extension example:
Maple will not directly compute elliptic curve points using the commands. So I use
as many Maple commands as possible in combination with manual manipulation;
in particular, I use equations (3) and (4) from Section 5.2.5.
Because k is 110 in binary form, the attack algorithm will run through three
complete iterations, in each of which it will produce a bit of k.
Step 1
>R(0)= O;
>R(1)=P=[ w, w2 +1];
> e=1;
Step 2
X= - P = [w, w2 +w+1];
Step 3
Iteration 1
155
i=1
Since k =0 then b=1-0=1;
R(b)=R(1)=2R(1)=2P=[w6+w2+w, w6+w5+1];
G = R(0) + X = O +(-P) = -P= [w, w2 +w+1];
T= R(b)= 2P=[w6+w2+w, w6+w5+1];
R(b)= R(b) + X = R(1)+X=2P+(-P) =P= [w, w2+1];
Since R(b)= R(1)≠G I set d[i] =0;
R(b)=T=2P=[w6+w2+w, w6+w5+1] which eliminates the error in R(b)=R(1);
R(b)=R(b)+R(ki)=R(1)=R(1)+R(0)=2P+O = 2P = [w6+w2+w, w6+w5+1];
Set e=e+1=2;
Iteration 2
i=2
R(b)=R(0)=2R(0)= O;
G = R(0) + X = O + (-P) = [w, w2 +w+1];
T= R(b)= O;
R(b)= R(b) + X = R(0)=R(0)+X= O +(-P) = [w, w2 +w+1];
Since R(b) = R(0) = G I set d[i] =1;
R(b)=T= O which eliminates the error in R(b)=R(0);
R(b)=R(b)+R(ki)=R(0)=R(0)+R(1)= O + 2P = 2P = [w6+w2+w, w6+w5+1];
Set e=e+1=3;
Iteration 3
i=3
Since k =1 then b=1-1=0;
R(b)=R(0)=2R(0)=4P=[w6+1, w7+w5+w4+w3+1];
G = R(0) + X = 4P+(-P) = 3P=[w7+w5+w3+w2, w5+w2+w];
T= R(b)=4P=[w6+1, w7+w5+w4+w3+1];
R(b)= R(b) + X = R(0)=R(0)+X4P+(-P) = 3P=[w7+w5+w3+w2, w5+w2+w];
Since R(b) = R(0) = G I set d[i] =1;
156
R(b)= T=4P=[w6+1, w7+w5+w4+w3+1]which eliminates the error in R(b)=R(0);
R(b)=R(b)+R(ki)=R(0)=R(0)+R(1)=4P+ 2P=6P=[w+1, w2];
Set e=e+1=3;
Ends of iterations
Iteration 4
v=e-1=3
The final output value of k is equal to (kt, kt-1,…, k1)2 as the components of the
triple (d[3], d[2], d[1]) = (1,1,0).
157
Appendix C
C.1 Implementation Examples of Fault Factoring (FF) Attack
Algorithms against RSA-CRT by Using Arduino Hardware
In this appendix I present the implementation examples of FF attack against RSA-
CRT algorithms by using Arduino Mega2560 hardware. This appendix is arranged
as follows: appendix C.1.1 focuses on the implementation example of FF attack
against RSA-CRT signature protected by modified Shamir’s countermeasure.
Appendix C.1.2 presents the implementation example of FF attack against RSA-
CRT signature protected by Simplified Vigilant’s Countermeasure.
C.1.1 Implementation of FF Attack against RSA-CRT Signature
Algorithm Protected by Modified Shamir’s Countermeasure
FF Attack Algorithm against RSA-CRT Signature Algorithm Protected by
Modified Shamir’s Countermeasure
The details of the FF attack algorithm against RSA-CRT signature algorithm
protected by modified Shamir’s countermeasure can be found in section 4.3.2.
Algorithm C.1.1 shows the FF attack algorithm against RSA-CRT Signature
algorithm protected by modified Shamir’s countermeasure.
Algorithm C.1.1 The FF Attack Algorithm against RSA-CRT Signature
Algorithm Protected by Modified Shamir’s Countermeasure
Internal INPUT (loaded from firmware): p, q, d, 𝑖𝑞 ≡q-1 mod p.
INPUT by user: message M, fault value X.
OUTPUT: The factor q.
1. Choose a small random integer r.
2. pr p*r.
3. qr q*r.
4. If pr ≢ 0 (mod p) or qr ≢ 0 (mod q ) then return error.
5. 𝑆𝑝𝑟 𝑀𝑑 𝑚𝑜𝑑 𝜑(𝑝𝑟) (𝑚𝑜𝑑 𝑝𝑟).
6. 𝑆𝑞𝑟 𝑀𝑑 𝑚𝑜𝑑 𝜑(𝑞𝑟) (𝑚𝑜𝑑 𝑞𝑟).
7. if 𝑆𝑝𝑟 ≢ 𝑆𝑞𝑟 𝑚𝑜𝑑 𝑟 then return error.
8. 𝑆𝑝 𝑆𝑝𝑟 (𝑚𝑜𝑑 𝑝).
9. 𝑆𝑞 𝑆𝑞𝑟 (𝑚𝑜𝑑 𝑞).
10. 𝑆𝑐𝑟𝑡 𝑆𝑞 + 𝑞 ∗ [(𝑖𝑞 ∗ (𝑆𝑝 − 𝑆𝑞) (𝑚𝑜𝑑 𝑝))].
158
11. Comment: use X instead of 𝑖𝑞 in the computation of Scrt so we get Scrte.
12. 𝑆𝑐𝑟𝑡𝑒 𝑆𝑞 + 𝑞 ∗ [(𝑋 ∗ (𝑆𝑝 − 𝑆𝑞) (𝑚𝑜𝑑 𝑝))].
13. n p*q
14. To get q, we compute 𝑞𝑡 gcd((𝑆𝑐𝑟𝑡𝑒-𝑆𝑐𝑟𝑡) ,n).
15. Eliminate 𝑆𝑐𝑟𝑡𝑒.
16. if 𝑆𝑐𝑟𝑡 ≢ 𝑆𝑝𝑟 𝑚𝑜𝑑 𝑝 𝑜𝑟 𝑆𝑐𝑟𝑡 ≢ 𝑆𝑞𝑟( 𝑚𝑜𝑑 𝑞) then return error.
17. return q= 𝑞𝑡.
Example of the Implementation Process
The internal inputs (loaded from the firmware) to algorithm C.1.1 are p=67, q=71
d=1777 and 𝑖𝑞 ≡ q-1 mod p=17. The inputs by the attacker to algorithm C.1.1 are
the message M=23 and the random fault value X=66. I assume that p, q, d and 𝑖𝑞
are stored in the firmware of the victim device, and the attacker does not have any
access to them. The goal of this example is to compute q which has a factor of
n=p*q. The attacker also chooses a small integer r=5.
The implementation program in MATLAB 2017b is:
a = arduino('COM5','Mega2560')
pr=p*r;
qr=q*r;
if mod(pr,p)~= 0 || mod(qr,q)~= 0 disp('error'); end
v=(p-1)*(r-1);
u=(q-1)*(r-1);
spr=powermod(M,mod(d,v),p)
sqr=powermod(M,mod(d,u),q)
if mod(spr,r)~= mod(sqr,r) disp('error'); end
sp=mod(spr,p)
sq=mod(sqr,q)
scrt=sq+(q*mod(iq*(sp-sq),p))
n=p*q
scrte=sq+(q*mod(X*(sp-sq),p));
qt=gcd((scrte-scrt),n)
clear scrte;
159
sfinal=powermod(M,d,n)
if mod(scrt,p)~= mod(spr,p) || mod(scrt,q)~= mod(sqr,q) disp('error'); end
q=qt
clear arduino
clearvars a;
The results of the implementation program are:
RSAshmair_Arduino
a =
arduino with properties:
Port: 'COM5'
Board: 'Mega2560'
AvailablePins: {'D2-D53', 'A0-A15'}
Libraries: {'I2C', 'Servo', 'SPI'}
pr = 335
qr = 355
spr = 39
sqr = 34
sp = 39
sq = 34
n = 4757
scrt = 1312
qt = 71
q = 71
160
C.1.2 Implementation of the FF Attack against RSA-CRT Signature
Algorithm Protected by Simplified Vigilant’s Countermeasure
FF Attack Algorithm against RSA-CRT Signature Algorithm Protected by
Simplified Vigilant’s Countermeasure
The details of the FF attack algorithm against RSA-CRT signature algorithm
protected by Simplified Vigilant’s Countermeasure can be found in section 4.3.4
Algorithm C.1.2 shows the FF attack algorithm against RSA-CRT Signature
algorithm protected by Simplified Vigilant’s Countermeasure.
Algorithm C.1.2 FF Attack Algorithm against RSA-CRT Signature
Algorithm Protected by Simplified Vigilant’s Countermeasure
Internal INPUT (loaded from firmware): p, q, dp, dq, 𝑖𝑞 ≡q-1 mod p.
INPUT by user: message M, fault value X.
OUTPUT: The factor q.
1. Choose a small random integer r.
2. n p*q.
3. 𝑝𝑑𝑎𝑠ℎ 𝑝 ∙ 𝑟2.
4. 𝑖𝑝𝑟 𝑝−1(𝑚𝑜𝑑 𝑟2).
5. 𝑀𝑝 𝑀 (𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).
6. 𝐵𝑝 𝑝 ∙ 𝑖𝑝𝑟.
7. 𝐴𝑝 1 − 𝐵𝑝( 𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).
8. 𝑀𝑝𝑑𝑎𝑠ℎ 𝐴𝑝 ∙ 𝑀𝑝 + 𝐵𝑝 ∙ (1 + 𝑟) (𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).
9. 𝑞𝑑𝑎𝑠ℎ 𝑞 ∙ 𝑟2.
10. 𝑖𝑞𝑟 𝑞−1(𝑚𝑜𝑑 𝑟2).
11. 𝑀𝑞 𝑀 (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).
12. 𝐵𝑞 𝑞 ∙ 𝑖𝑞𝑟.
13. 𝐴𝑞 1 − 𝐵𝑞 (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).
14. 𝑀𝑞𝑑𝑎𝑠ℎ 𝐴𝑞 ∙ 𝑀𝑞 + 𝐵𝑞 ∙ (1 + 𝑟) (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).
15. 𝑆𝑝𝑑𝑎𝑠ℎ 𝑀𝑝𝑑𝑎𝑠ℎ
𝑑𝑝 (𝑚𝑜𝑑 𝜑(𝑝𝑑𝑎𝑠ℎ)) (𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).
16. 𝑆𝑝𝑟 1 + 𝑑𝑝 ∙ 𝑟.
17. 𝑐𝑝 𝑀𝑝𝑑𝑎𝑠ℎ + 𝑛 −𝑀 + 1 (𝑚𝑜𝑑 𝑝).
18. 𝑆𝑞𝑑𝑎𝑠ℎ 𝑀𝑞𝑑𝑎𝑠ℎ
𝑑𝑝( 𝑚𝑜𝑑 𝜑(𝑞𝑑𝑎𝑠ℎ)) (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).
161
19. 𝑆𝑞𝑟 1 + 𝑑𝑞 ∙ 𝑟.
20. 𝑐𝑞 𝑀𝑞𝑑𝑎𝑠ℎ + 𝑛 −𝑀 + 1 (𝑚𝑜𝑑 𝑞).
21. 𝑆𝑑𝑎𝑠ℎ 𝑆𝑞𝑑𝑎𝑠ℎ + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝𝑑𝑎𝑠ℎ − 𝑆𝑞𝑑𝑎𝑠ℎ)(𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ)).
22. Comment: use X instead of 𝑖𝑞 in the computation of Sdash so we get Sdashe..
23. 𝑆𝑑𝑎𝑠ℎ𝑒 𝑆𝑞𝑑𝑎𝑠ℎ + 𝑞 ∙ (𝑋 ∙ (𝑆𝑝𝑑𝑎𝑠ℎ − 𝑆𝑞𝑑𝑎𝑠ℎ)(𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ) ).
24. To get q, we compute 𝑞𝑡 gcd((𝑆𝑑𝑎𝑠ℎ𝑒𝑒 −𝑀),n).
25. Eliminate 𝑆𝑐𝑟𝑡𝑒 .
26. 𝑆𝑟 𝑆𝑞𝑟 + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝𝑟 − 𝑆𝑞𝑟)(𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ)).
27. 𝑐𝑠 𝑆𝑑𝑎𝑠ℎ − 𝑆𝑟 + 1 (𝑚𝑜𝑑 𝑟2).
28. 𝑆 ≡ 𝑀𝑑 (𝑚𝑜𝑑 𝑛).
29. 𝑆 ≢ 𝑆𝑑𝑎𝑠ℎ𝑐𝑝𝑐𝑞𝑐𝑠 (𝑚𝑜𝑑 𝑛) then return error.
30 return q=𝑞𝑡.
Example of the Implementation Process
The internal inputs (loaded from the firmware) to algorithm C.1.2 are p=131,
q=137, dp≡ d mod (p-1) ≡87, dq≡d mod(q-1) ≡91 and 𝑖𝑞 ≡ q-1 mod p=22. The
inputs by the attacker to algorithm C.1.2 are the message M=31 and the random
fault value X=77. I assume that p, q, dp, dq and 𝑖𝑞 are stored in the firmware in
victim device, and the attacker does not have any access to them. The goal of this
example is to compute q which has a factor of n=p*q. The attacker also chooses a
small integer r=6.
The implementation in program MATLAB 2017b is:
a = arduino('COM5','Mega2560')
n=p*q
pdash=p*(r^2)
ipr=powermod(p,-1,r^2)
Mp=mod(M,pdash)
Bp=p*ipr
Ap=1-mod(Bp,pdash)
Mpdash=Ap*Mp+mod(Bp*(1+r),pdash)
qdash=q*(r^2)
162
iqr=powermod(q,-1,r^2)
Mq=mod(M,qdash)
Bq=q*iqr
Aq=1-mod(Bq,qdash)
Mqdash=Aq*Mq+mod(Bq*(1+r),qdash)
eupdash=(p-1)*(r^2-1)
Spdash=powermod(Mpdash,mod(dp,eupdash),pdash)
Spr=1+dp*r
cp=mod(Mpdash+n-M+1,p)
euqdash=(q-1)*(r^2-1)
Sqdash=powermod(Mqdash,mod(dq,euqdash),qdash)
Sqr=1+dq*r
cq=mod(Mqdash+n-M+1,q)
Sdash=Sqdash+q*mod(iq*(Spdash-Sqdash),pdash)
Sr=Sqr+q*mod(iq*(Spr-Sqr),pdash)
Sdashe=Sqdash+q*mod(X*(Spdash-Sqdash),pdash)
qt=gcd((Sdashe-Sdash),n)
clear Sdashe;
cs=mod(Sdash-Sr+1,r^2)
sfinal=powermod(M,d,n)
if mod(sfinal, n)~= powermod(Sdash,(cp*cq*cs),n) disp('error'); end
q=qt
clear arduino
clearvars a;
The results of the implementation program are:
RSAvirlag_Arduino
a =
arduino with properties:
Port: 'COM5'
Board: 'Mega2560'
AvailablePins: {'D2-D53', 'A0-A15'}
163
Libraries: {'I2C', 'Servo', 'SPI'}
n = 17947
pdash = 3275
ipr = 21
Mp = 31
Bp = 2751
Ap = -2750
Mpdash = -85119
qdash = 3425
iqr = 23
Mq = 31
Bq = 3151
Aq = -3150
Mqdash = -95869
eupdash = 3120
Spdash = 2736
Spr = 436
cp = 1
euqdash = 3264
Sqdash = 3231
Sqr = 456
cq = 1
Sdash = 306001
Sr = 388851
164
Sdashe = 165576
qt = 137
cs = 1
q = 137
C.2 Implementation Examples of RSK Attack against Protected
RSA Montgomery Ladder Algorithms by using Arduino
Hardware
In this appendix I present the implementation of the RSK attack against RSA
algorithms by using Arduino Mega2560. This appendix is arranged as follows:
appendix C.2.1 deals with the implementation example of retrieve secret key attack
against protected RSA Montgomery ladder Left-to-Right algorithm. Appendix
C.2.2 presents the implementation example of retrieve secret key attack against
protected RSA Montgomery ladder Right –to-Left algorithm.
C.2.1 Implementation of RSK Attack Algorithm against Protected RSA
Montgomery Ladder Left-to-Right Algorithm
RSK Attack Algorithm against Protected RSA Montgomery Ladder Left-to-
Right Algorithm
The details of RSK attack algorithm against protected RSA Montgomery ladder
Left-to-Right algorithm can be found in section 4.4.2. Algorithm C.2.1 presents the
retrieve secret attack algorithm against protected RSA Montgomery ladder Left-to-
Right algorithm.
Algorithm C.2.1 RSK Attack against Protected RSA Montgomery ladder
Left-to-Right Algorithm
Internal INPUT (loaded from firmware): d = (dt, dt-1,… , d1)2, size of secret key
t.
INPUT by attacker: message g, fault value X, modulus n.
OUTPUT: d in binary form and v size of secret key.
1. R(0) 1, R(1) g.
COMMENT: Assign key size counter label z 1.
2. z 1.
COMMENT: Inject error by using X instead of R(di) in multiplication operations.
165
3. For i= t to 1 do
3.1 b ¬ dz.
3.2 H R(b) *X (mod n).
3.3 T R(b) (mod n).
3.4 If di = 1 then
R(b) R(b) * X (mod n).
End IF.
COMMENT: The loops store the bits of d in order in the (t)-tuple d.
3.5 If R(b) = H then
{ki 1.
COMMENT: Eliminate the error in R(b) by replacing the fault value by a value
stored in T
R(b) T.
Else
ki 0.
End If.
3.6 R(b) R(b)*R(di) (mod n).
3.7 R(di) R(di)2(mod n).
3.8 z z+1.
End For loop.
4. Set v z-1.
5. d= (kv, kv-1, . . . , k2, k1).
Example of the Implementation Process
I choose three random prime numbers p=257, q=263 and e=17 and compute
n=p*q=67591, and d=e-1 mod (p-1)*(q-1)= 47345 in decimal form or
"1011100011110001" in binary form. The internal inputs (loaded from the
firmware) to algorithm C.2.1 are d= "1011100011110001" in binary form and the
size of the secret key t= 16. The inputs by the attacker to algorithm C.2.1 are the
message g=124, the random fault value X=66 and modulus n= 67591. I assume that
the secret key d and size of the secret key t are stored in the firmware of the victim
device, and the attacker does not have any access to them. The goal of this example
is to retrieve d which is the secret key of RSA.
166
The implementation program in MATLAB 2017b is:
a = arduino('COM5','Mega2560')
r=[1 g];
z=1;
k= [1 t]
for i=1:t
if d(i)==1
b=1;
else
b=2;
end
if d(i)==1
u=2;
else
u=1;
end
h=mod(r(b)*X,n);
T=mod(r(b),n);
if d(i)==1
r(b)=mod(r(b)*X,n)
end
if r(b)==h
k(i)=1
r(b)=T
else
k(i)=0
end
r(b)=mod(r(b)*r(u),n)
r(u)=powermod(r(u),2,n)
z=z+1
end
v=z-1
clear arduino;
167
clearvars a;
The results of the implementation program are:
RSAmontLR
a =
arduino with properties:
Port: 'COM5'
Board: 'Mega2560'
AvailablePins: {'D2-D53', 'A0-A15'}
Libraries: {'I2C', 'Servo', 'SPI'}p =257
r(1) = 1 % initial value for r(1) and r(2)
r(2)=124
r = 20578 50805 % Final value of r(1) and r(2)
d =[ k16, k15, …., k3, k2, k1]
=[ 1, 0, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 1] % retrieve secret key
C.2.2 Implementation of RSK Attack against Protected RSA
Montgomery Ladder Right-to-Left Algorithm
RSK Attack Algorithm against Protected RSA Montgomery Ladder Right-
to-Left Algorithm
The details of RSK attack algorithm against protected RSA Montgomery ladder
Right-to-Left algorithm can be found in section 4.4.4. Algorithm C.2.2 shows the
Retrieve secret attack algorithm against protected RSA Montgomery ladder Right-
to-Left algorithm.
Algorithm C.2.2 RSK Attack against Protected RSA Montgomery ladder
Right-to-Left Algorithm
Internal INPUT (loaded from firmware): d = (dt, dt-1,… , d1)2, size of secret key
t.
INPUT by attacker: message g, fault value X, modulus n.
168
OUTPUT: d in binary form and v size of secret key.
1. R(0) 1, R(1) g.
COMMENT: assign key size counter label z 1.
2. z 1.
COMMENT: Inject error by using X instead of R(di) in multiplication operations.
3. For i= t to 1 do
3.1 b ¬ di.
3.2 H R(b) *X(mod n).
3.3 T R(b) (mod n).
3.4 If di = 1 then
R(b) R(b) * X (mod n).
End IF.
COMMENT: The loops store the bits of d in order in the (t)-tuple d.
3.5 If R(b) = H then.
{ki 1.
COMMENT: Eliminate the error in R(b) by replacing fault value by a value
stored in T.
R(b) T.
Else
ki 0.
End If.
3.6 R(b) R(b)2 (mod n).
3.7 R(b) R(b)*R(di) (mod n).
3.8 z z+1.
End While loop.
4. Set v z-1.
5. d= (kv, kv-1, k3, . . . , k2, k1).
Example of the Implementation Process
I choose three random prime numbers p=521, q=523 and e=37 and compute
n=p*q=272483, and d=e-1 mod (p-1)*(q-1)= 168733 in decimal form or
"101001001100011101" in binary form. The internal inputs (loaded from the
firmware) to algorithm C.2.2 are d= "101001001100011101" in binary form and
169
the size of the secret key t= 18. The inputs by the attacker to algorithm C.2.2 are
the message g=143, the random fault value X=78 and modulus n= 272483. I assume
that the secret key d and size of the secret key t are stored in the firmware of the
victim device, and the attacker does not have any access to them. The goal of this
example is to retrieve d which is the secret key of RSA.
The implementation program in MATLAB 2017b is:
a = arduino('COM5','Mega2560')
r=[1 g];
z=1;
k = [1 t]
for i=1:t
if d(i)==1
b=1;
else
b=2;
end
if d(i)==1
u=2;
else
u=1;
end
h=mod(r(b)*X,n);
T=mod(r(b),n);
if d(i)==1
r(b)=mod(r(b)*X,n)
end
if r(b)==h
k(i)=1
r(b)=T
else
k(i)=0
end
r(b)=mod(r(b)*r(u),n)
170
r(u)=powermod(r(u),2,n)
z=z+1
end
v=z-1
clear arduino;
clearvars a;
The results of the implementation program are
RSAmontRL
a =
arduino with properties:
Port: 'COM5'
Board: 'Mega2560'
AvailablePins: {'D2-D53', 'A0-A15'}
Libraries: {'I2C', 'Servo', 'SPI'}p =257
r(1) = 1 % initial value for r(1) and r(2)
r(2)=143
y = 197597 % final value gd
r = 197597 190622 % Final value of r(1) and r(2)
d = [k18, k17, …., k3, k2, k1]
= [ 1, 0, 1, 1, 1, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1] % retrieve secret key
C.3 Implementation Examples of Proposed Attacks against ECC
by Using Arduino Hardware
In this appendix I will present the implementation of fault point attacks against ECC
algorithms by using Arduino Mega2560. This appendix is arranged as follows:
appendix C.3.1 focuses on the implementation of fault point attack against Left-to-
Right ECC Montgomery ladder algorithm. Appendix C.3.2 presents the
implementation of fault point attack against Right–to-Left ECC Montgomery
ladder algorithm. Appendix C.3.3 shows the implementation of fault point attack
171
against Left-to-Right Coron algorithm. Appendix C.3.4 deals with the
implementation of fault point attack against Right–to-Left Coron algorithm.
Appendix C.3.5 presents the implementation of fault point attack against Left-to-
Right Joye-Yen algorithm. Appendix C.3.6 focuses on the implementation of fault
point attack against Right–to-Left Joye algorithm.
C.3.1 Implementation of Fault Point Attack against Left-to-Right ECC
Montgomery Ladder Algorithm
Fault Point Attack against Left-to-Right ECC Montgomery Ladder
Algorithm
The details of the fault point attack against Left-to-Right ECC Montgomery ladder
algorithm can be found in section 5.3.2. Algorithm C.3.1 shows the fault point
attack against Left-to-Right ECC Montgomery ladder Left-to-Right algorithm.
Algorithm C.3.1 The Fault Point Attack against Left-to-Right ECC
Montgomery Ladder Algorithm
Internal INPUT (loaded from firmware): k = (1, kt-1,…, k1)2, t key size, where
kt = 1.
INPUT by user: The elliptic curve E, its field Fq, point P on E (Fq) and Fault
point X.
OUTPUT: k in binary form and v size of secret key.
1. R(0) P, R(1) 2P, e 2.
COMMENT: Assign key size counter label e 2 and through the loop store
the bits of k in order in the (t-1)-tuple d.
2. Use X as a fault point.
COMMENT: Inject error by using X instead of P in addition operations.
3. For i from t-1 down to 1 do
3.1 Z R(0).
3.2 N R(0) + X.
3.3 If ki=1 then
R(¬ki) R(0) +X.
End if.
3.4 If R(¬ ki) = N then
172
di 1.
COMMENT: Eliminate the error in R(¬ ki) by replacing fault value by a correct
value stored in Z.
R(¬ ki) Z.
Else
di 0.
End If.
3.5 R(¬ki) R(0) + R(1).
3.6 R(ki) 2R(ki).
3.7 e e+1.
End While loop.
4. set v e–1.
5. k= (1, dt-1, dt-2 … d2, d1).
Example of the Implementation Process
I choose a curve of Montgomery type:
y2 = x3 + 1024 x2 + x with P = (1029, 208), where k = 522 and the field is
GF(p) where p = 1031. I arbitrarily choose a fault point X=(1029,823).
Referring to the general Weierstrass equation (1), the corresponding coefficients
are: a1=0, a2=0, a3=0, a4=1, & a5=0.
The internal inputs (loaded from the firmware) to algorithm C.3.1 are
k="1000001010" in binary form and the size of the secret key t= 10. The inputs by
the attacker to algorithm C.3.1 are the P = (1029, 208), the random fault value
X=(1029,823) and the curve GF(p) values where p=1013, a4=1 & a5=0. I assume
that the secret key k and size of the secret key t are stored in the firmware of the
victim device, and the attacker does not have any access to them. The goal of this
example is to retrieve k which is the secret key of ECC.
Implementation of algorithm C.3.1 in MATLAB code access register bits from
Left-to-Right and the steps for this example are shown below. I begin with e=2 as
the first bit is always 1. The notations P[1] and P[2] refer respectively to the abscissa
and ordinate values of the point P. Since MATLAB does not accept indices
beginning from 0, I use 1 and 2 instead of 0 and 1.
173
The MATLAB script considers the first value from the left when dealing with For-
Loop. Therefore, the MATLAB script defines Left-to-Right in the For-Loop as “for
i from 1 to t do” where t represents the size of the secret key d. However, the For-
Loop in ECC algorithm from Left-to-Right is defined as “For i from t to 1 do”.
The implementation program in MATLAB 2017b is:
a = arduino('COM5','Mega2560')
R=[0 0;0 0]
d(1)=1
e=2
R(1,:)=P
dp=multell([P(1),P(2)],2,a4,a5,p)
R(2,:)=dp
for i=2:t
Z=R(1,:)
if k(i)==1
u=1;
else
u=2;
end
if k(i)==1
z=2;
else
z=1;
end
N=addell([R(1,1),R(1,2)],[X(1),X(2)],a4,a5,p)
if u==1
r11(u,:)=addell([R(1,1),R(1,2)],[X(1),X(2)],a4,a5,p);
end
if r11(u,:)==N
d(i)=1;
r11(u,:)=Z;
else
d(i)=0;
174
end
R(u,:)=addell([R(1,1),R(1,2)],[R(2,1),R(2,2)],a4,a5,p)
r11(z,:)=multell([R(z,1),R(z,2)],2,a4,a5,p)
e=e+1
end
v=e-1
clear arduino;
clearvars a;
The results of the implementation program are:
ECCMontLRArduino
a =
arduino with properties:
Port: 'COM5'
Board: 'Mega2560'
AvailablePins: {'D2-D53', 'A0-A15'}
Libraries: {'I2C', 'Servo', 'SPI'}p =257
R(1 , :) = [1029 208] % initial value for r(1,1) and r(1, 2)
R(2, :)= [593 450] % initial value for r(2,1) and r(2, 2)
R(1 , :) = [398 641] % Final value of r(1)
k = [1, d9, d8, … d2, d1]
= [1, 0, 0, 0, 0, 0, 1, 0, 1, 0] % retrieve secret key
C.3.2 Implementation of Fault Point Attack against Right–to-Left ECC
Montgomery Ladder Algorithm
Fault Point Attack against Right–to-Left ECC Montgomery Ladder
Algorithm
The details of the fault point attack against Right–to-Left ECC Montgomery ladder
algorithm can be found in section 5.3.4. Algorithm C.3.2 shows the fault point
attack against Right–to-Left ECC Montgomery ladder algorithm.
175
Algorithm C.3.2 Fault Point Attack against Right–to-Left ECC
Montgomery ladder Algorithm
Internal INPUT (loaded from firmware): k = (kt, kt-1,…, k1)2, t key size,
INPUT by user: The elliptic curve E, its field Fq, point P on E (Fq) and Fault
point X.
OUTPUT: k in binary form and v size of secret key.
1. R(0) O, R(1) P, e 1.
COMMENT: Assign key size counter label e 1 and through the loop store
the bits of k in order in the (t-1)-tuple d.
2. Use X as a fault point.
COMMENT: Inject error by using X instead of P in addition operations.
3. For i from 1 up to t do
3.1 E R(0).
3.2 G R(1).
3.3 b 1– ki.
3.4 N R(0) + X.
3.5 If b=0 then
R(b) R(0) + X.
End If.
3.6 If R(b) = N then
{di 1.
COMMENT: Eliminate the error in R(¬ ke) by replacing the fault value by a
correct value stored in E.
R(b) E}.
Else
di 0.
End If
3.7 R(b) R(0) +R(1).
3.8 R(1) G.
3.9 R(1) 2R(1).
3.10 e e+1.
End While loop.
4. set v e-1.
176
5. k= (dt, dt-1, . . . , d2, d1).
Example of the Implementation Process
I choose a curve of Montgomery type:
y2 = x3 + 2048 x2 + x with P = (2061, 972), where k = 1129 and the field is
GF(p) where p = 2063. I arbitrarily choose a fault point X=(2061,1091).
Referring to the general Weierstrass equation (1), the corresponding coefficients
are: a1=0, a2=0, a3=2048, a4=1, & a5=8192.
The internal inputs (loaded from the firmware) to algorithm C.3.2 are
k="10001101001" in binary form and the size of the secret key t= 11. The inputs
by the attacker to algorithm C.3.2 are the P = (2061, 972), the random fault value
X=(2061,1091) and the curve GF(p) values where p=2063, a4=1 & a5=0. I assume
that the secret key k and size of the secret key t are stored in the firmware of the
victim device, and the attacker does not have any access to them. The goal of this
example is to retrieve k which is the secret key of ECC.
Implementation of algorithm C.3.2 in MATLAB code access register bits from
Right-to-Left and the steps for this example are shown below. The notations P[1]
and P[2] refer respectively to the abscissa and ordinate values of the point P. Since
MATLAB does not accept indices beginning from 0, I use 1 and 2 instead of 0 and
1.
The MATLAB script considers the first value from left when dealing with For-
Loop. Therefore, the MATLAB script defines Right-to-Left in the For-Loop as “for
i from t by -1 to t do” where t represents the size of the secret key d. However, the
For-Loop in ECC algorithm from Right-to-Left is defined as “For i from 1 to t do”.
The Implementation Program in MATLAB 2017b is:
a = arduino('COM5','Mega2560')
R=[0 0;0 0]
e=1
R(1,:)=[inf,inf]
R(2,:)=P
for i=t:-1:1
177
E=R(1,:)
G=R(2,:)
if k(i)==1
b=1;
else
b=2;
end
if k(i)==1
z=2;
else
z=1;
end
N=addell([R(1,1),R(1,2)],[X(1),X(2)],a4,a5,p)
if b==1
R(b,:)=addell([R(1,1),R(1,2)],[X(1),X(2)],a4,a5,p);
end
if R(b,:)==N
d(i)=1;
R(b,:)=E;
else
d(i)=0;
end
R(b,:)=addell([R(1,1),R(1,2)],[R(2,1),R(2,2)],a4,a5,p)
R(2,:)=G
R(2,:)=multell([R(2,1),R(2,2)],2,a4,a5,p)
e=e+1
end
v=e-1
clear arduino;
clearvars a;
The results of the implementation program are:
ECCMontRLArduino
178
R(1 , :) = [Inf Inf] % initial value for R(1,1) and R(1, 2)
R(2, :)= [2061 972] % initial value for R(2,1) and R(2, 2)
R(1,:) = [799 284] % Final value of R(1,1) and R(1,2)
k = [d11, d10, d9, … d2, d1]
= [ 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 1] % retrieve secret key.
C.3.3 Implementation of the Fault Point Attack against Left-to-Right
Coron Algorithm
Fault Point Attack against Left-to-Right Coron Algorithm
The details of fault point attack against Coron algorithm can be found in section
5.4.2. Algorithm C.3.3 shows the fault point attack against Left-to-Right Coron
algorithm.
Algorithm C.3.3 Fault Point Attack against Left-to-Right Coron Algorithm
Internal INPUT (loaded from firmware): k = (1, kt-1,…, k1)2, t key size,
INPUT by user: The elliptic curve E, its field Fq, point P on E (Fq) and Fault
point X.
OUTPUT: k in binary form and v size of secret key.
1. W(0) P.
COMMENT: Assign key size counter label e 2 the loop store the bits of k
in order in the (t-1)-tuple d.
2. Use X as a fault point, e 2.
COMMENT: Inject error by using X instead of P in addition operations
3. For i from t-1 down to 1 do
3.1 W(0) 2W(0).
3.2 R W(0) + X.
3.3 W(1) W(0)+X.
COMMENT: The loop stores the bits of k in order in the (t-1)-tuple d.
3.4 If W(ki) = R then
di 1.
Else
di 0.
End If.
179
COMMENT: Eliminate the error in W(1) by replacing fault value by a result of
addition W(0)+P.
3.5 W(1) W(0)+P.
3.6 W(0) W(ki).
3.7 e e+1.
End While loop.
4. Set v e-1.
5. k= (1, dt-1, dt-2, . . . , d2, d1.).
Example of the Implementation Process
I choose a curve:
y2 = x3 + 4096x + 8192 with P = (8217, 8062), where k=1679 and the field is
GF(8219) where p=8219. I arbitrarily choose a fault point X=(8217,157).
Referring to the general Weierstrass equation (1), the corresponding coefficients
are: a1=0, a2=0, a3=0, a4=4096, & a5=8192.
The internal inputs (loaded from the firmware) to algorithm C.3.3 are
k="11010001111" in binary form and the size of the secret key t= 11. The inputs
by the attacker to algorithm C.3.3 are the P = (8217, 8062), the random fault value
X=(8217,157) and the curve GF(p) values where p=8219, a4=4096 & a5=8192. I
assume that the secret key k and size of the secret key t are stored in the firmware
of the victim device, and the attacker does not have any access to them. The goal of
this example is to retrieve k which is the secret key of ECC.
Implementation of algorithm C.3.3 in MATLAB code access register bits from
Left-to-Right and the steps for this example are shown below. I begin with e=2 as
the first bit is always 1. The notations P[1] and P[2] refer respectively to the abscissa
and ordinate values of the point P. Since MATLAB does not accept indices
beginning from 0, I use 1 and 2 instead of 0 and 1.
The MATLAB script considers the first value from the left when dealing with For-
Loop. Therefore, the MATLAB script defines Left-to-Right in the For-Loop as “for
i from 1 to t do” where t represents the size of the secret key d. However, the For-
Loop in ECC algorithm from Left-to-Right is defined as “For i from t to 1 do”.
The implementation program in MATLAB 2017b is:
180
a = arduino('COM5','Mega2560')
W=[0 0;0 0]
e=2
W(1,:)=P
d(1)=1
for i=2:t
W(1,:)=multell([W(1,1),W(1,2)],2,a4,a5,p)
R=addell([W(1,1),W(1,2)],[X(1),X(2)],a4,a5,p)
W(2,:)=addell([W(1,1),W(1,2)],[X(1),X(2)],a4,a5,p)
if k(i)==1
u=2;
else
u=1;
end
n=W(u,:)
if n==R
d(i)=1;
else
d(i)=0;
end
W(2,:)=addell([W(1,1),W(1,2)],[P(1),P(2)],a4,a5,p)
W(1,:)=W(u,:)
e=e+1
end
v=e-1
clear arduino;
clearvars a;
The results of the implementation program are:
CoronLRArduino
a =
arduino with properties:
Port: 'COM5'
181
Board: 'Mega2560'
AvailablePins: {'D2-D53', 'A0-A15'}
Libraries: {'I2C', 'Servo', 'SPI'}p =257
W(1 , :) = [8217, 8062] % initial value for W(1,1) and W(1, 2)
W(1 , :)= [7919 4758] % Final value of W(1,1) and W(1,2)
k = [1, d10, d9, … d2, d1]
= [ 1, 1, 0, 1, 0, 0, 0, 1, 1, 1, 1] % retrieve secret key
C.3.4 Implementation of Fault Point Attack against Right-to-Left
Coron Algorithm
Fault Point Attack against Right-to-Left Coron Algorithm
The details of fault point attack against Right-to-Left Coron algorithm can be found
in section 5.4.4. Algorithm C.3.4 shows the fault point attack against Right-to-Left
Coron algorithm.
Algorithm C.3.4 Fault Point Attack against Right-to-Left Coron Algorithm
Internal INPUT (loaded from firmware): k = (kt, kt-1,…, k1)2, t key size,
INPUT by user: The elliptic curve E, its field Fq, point P on E (Fq) and Fault
point X.
OUTPUT: k in binary form and v size of secret key.
1. W(0) O, R P.
COMMENT: Assign key size counter label e 1.
2. Use X as a fault point, e 1.
COMMENT: Inject error by using X instead of W(1) in addition operations.
3. For i from 1 up to t do
3.1 G W(0) +X.
3.2 If ki = 1 then
W(1) W(0) + X.
End If.
COMMENT: The loop stores the bits of k in order in the de.
3.3 If W(1) = G then
di 1.
182
Else
di 0.
End If.
COMMENT: Eliminate the error in W(1) by replacing fault value by a value
stored in R
3.4 W(1) R.
3.5 W(1) W(0) + W(1).
3.6 W(0) W(ki).
3.7 R 2R.
3.8 e e+1.
End While loop.
4. set v e-1.
5. k= (dt, dt-1, . . . , d2, d1).
Example of the Implementation Process
I choose a curve :
y2 = x3 + 2048 x2 + x with P = (131109, 34349), where k = 4790 and the field
is GF(131111) where p = 131111. I arbitrarily choose a fault point
X=(7919,126353).
Referring to the general Weierstrass equation (1), the corresponding coefficients
a1=0, a2=0, a3=0, a4=13621, & a5=13162.
The internal inputs (loaded from the firmware) to algorithm C.3.4 are
k="1001010110110" in binary form and the size of the secret key t= 13. The inputs
by the attacker to algorithm C.3.4 are the P = (131109, 34349), the random fault
value X=(7919,126353) and the curve GF(p) values where p=131111, a4=13621 &
a5=13621. I assume that the secret key k and size of the secret key t are stored in
the firmware of the victim device, and the attacker does not have any access to
them. The goal of this example is to retrieve k which is the secret key of ECC.
Implementation of algorithm C.3.4 in MATLAB code access register bits from
Right-to-Left and the steps for this example are shown below. The notations P[1]
and P[2] refer respectively to the abscissa and ordinate values of the point P. Since
183
MATLAB does not accept indices beginning from 0, I use 1 and 2 instead of 0 and
1.
The MATLAB script considers the first value from left when dealing with For-
Loop. Therefore, the MATLAB script defines Right-to-Left in the For-Loop as “for
i from t by -1 to t do” where t represents the size of the secret key d. However, the
For-Loop in ECC algorithm from Right-to-Left is defined as “For i from 1 to t do”.
The implementation program in MATLAB 2017b is:
a = arduino ('COM5','Mega2560')
W=[0 0;0 0]
e=1
W(1,:)=[inf,inf]
R=P
for i=t:-1:1
G=addell([W(1,1),W(1,2)],[X(1),X(2)],a4,a5,p)
if k(i)==1
u=2;
else
u=1;
end
if u==2
W(2,:)=addell([W(1,1),W(1,2)],[X(1),X(2)],a4,a5,p);
end
if W(2,:)==G
d(i)=1;
else
d(i)=0;
end
W(2,:)=R
W(2,:)=addell([W(1,1),W(1,2)],[W(2,1),W(2,2)],a4,a5,p);
W(1,:)=W(u,:)
R=multell([R(1),R(2)],2,a4,a5,p)
e=e+1
184
end
v=e-1
clear arduino;
clearvars a;
The results of the implantation program are:
CoronRLsecond_Arduino
a =
arduino with properties:
Port: 'COM5'
Board: 'Mega2560'
AvailablePins: {'D2-D53', 'A0-A15'}
Libraries: {'I2C', 'Servo', 'SPI'}p =257
W(1 , :) = [Inf, Inf] % initial value for W(1,1) and W(1, 2)
W(1 , :)= [16866, 26161] % Final value of W(1,1) and W(1,2)
k = [d13, d12, d11, … d2, d1]
= [ 1, 0, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0] % retrieve secret key
C.3.5 Implementation of Fault Point Attack against Left-to-Right Joye-
Yen Algorithm
Fault Point Attack against Left-to-Right Joye-Yen Algorithm
The details of fault point attack against Left-to-Right Joye-Yen algorithm can be
found in section 5.5.2. Algorithm C.3.5 shows the fault point attack against Left-
to-Right Joye algorithm.
Algorithm C.3.5 Fault Point Attack against Left-to-Right Joye-Yen
Algorithm
Internal INPUT (loaded from firmware): k = (1, kt-1,…, k1)2, t key size,
INPUT by user: The elliptic curve E, its field Fq, point P on E (Fq) and Fault
point X.
OUTPUT: k in binary form and v size of secret key.
185
1. R(0) O, R(1) P.
COMMENT: Assign key size counter label e 1.
2. Use X as a fault point. e 1.
COMMENT: Inject error by using X instead of P in addition operations.
3. For i from t down to 1 do
3.1 G R(0) +X.
3.2 T R(¬ ke).
3.3 If ki = 1 then
R(¬ ki) R(0) + X.
End If.
COMMENT: The loop stores the bits of k in order in the (t)-tuple d.
3.4 If R(¬ ki) = G then
{di 1.
COMMENT: Eliminate the error in R(¬ ke) by replacing fault value by a value
stored in T.
R(¬ ki) T.
Else
di 0.
End If.
3.5 R(¬ ki) R(0) + R(1).
3.6 R(ki) 2 R(ki).
3.7 e e+1.
End While loop.
4. Set v e-1.
5. k= (dt, dt-1, . . . , d2, d1).
Example of the Implementation Process
I choose a curve:
y2 = x3 + 173541x + 109093 with P = (524345, 19732), where k=8892 and the field
is GF(524347) where p=524347. I arbitrarily choose a fault point
X=(524345,504615).
Referring to the general Weierstrass equation (1), the corresponding coefficients
are: a1=0, a2=0, a3=0, a4=173541, & a5=109093.
186
The internal inputs (loaded from the firmware) to algorithm C.3.5 are
k="10001010111100" in binary form and the size of the secret key t= 14. The inputs
by the attacker to algorithm C.3.5 are the P = (524345, 19732), the random fault
value X=(524345,504615) and the curve GF(p) values where p=524347, a4=173541
& a5=109093. I assume that the secret key k and size of the secret key t are stored
in the firmware of the victim device, and the attacker does not have any access to
them. The goal of this example is to retrieve k which is the secret key of ECC.
Implementation of algorithm C.3.5 in MATLAB code access register bits from
Left-to-Right and the steps for this example are shown below. The notations P[1]
and P[2] refer respectively to the abscissa and ordinate values of the point P. Since
MATLAB does not accept indices beginning from 0, I use 1 and 2 instead of 0 and
1.
The MATLAB script considers the first value from the left when dealing with For-
Loop. Therefore, the MATLAB script defines Left-to-Right in the For-Loop as “for
i from 1 to t do” where t represents the size of the secret key d. However, the For-
Loop in ECC algorithm from Left-to-Right is defined as “For i from t to 1 do”.
The implementation program in MATLAB 2017b is:
a = arduino('COM5','Mega2560')
R=[0 0;0 0]
R(1,:)=[inf,inf]
R(2,:)=P
e=1
for i=1:t
G=addell([R(1,1),R(1,2)],[X(1),X(2)],a4,a5,p)
if k(i)==1
u=2;
else
u=1;
end
if k(i)==1
z=1;
else
187
z=2;
end
T=R(z,:)
if u==2
R(z,:)=addell([R(1,1),R(1,2)],[X(1),X(2)],a4,a5,p);
end
n=R(z,:)
if n==G
d(i)=1;
R(z,:)=T;
else
d(i)=0;
end
R(z,:)=addell([R(1,1),R(1,2)],[R(2,1),R(2,2)],a4,a5,p)
R(u,:)=multell([R(u,1),R(u,2)],2,a4,a5,p)
e=e+1
end
v=e-1
clear arduino;
clearvars a;
The results of the implementation program are:
JoyeLRArduino
R(1 , :) = [Inf, Inf] % initial value for R(1,1) and R(1, 2)
R(2 , :) = [524345, 19732] % initial value for R(2,1) and R(2, 2)
R(1 , :)= [383934 479120] % Final value of R(1,1) and R(1,2)
k = [d14, d13, d12, … d2, d1]
= [ 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0] % retrieve secret key
188
C.3.6 Implementation of the Fault Point Attack against Right-to-Left
Joye Algorithm
Fault Point Attack against Right-to-Left Joye Algorithm
The details of the fault point attack against Right-to-Left Joye algorithm can be
found in section 5.5.4. Algorithm C.3.6 shows the fault point attack against Right-
to-Left Joye algorithm.
Algorithm C.3.6 Fault Point Attack against the Right-to-Left Joye
Algorithm
Internal INPUT (loaded from firmware): k = (kt, kt-1,…, k1)2, t key size,
INPUT by user: The elliptic curve E, its field Fq, point P on E (Fq) and Fault
point X.
OUTPUT: k in binary form and v size of secret key.
1. R(0) O, R(1) P.
COMMENT: Assign pointer label e 1.
2. Use X as a fault point, e 1.
COMMENT: Inject error by using X instead of P in addition operations.
3. For i from 1 up to t do
3.1 b 1- ki.
3.2 R(b) 2 R(b).
3.3 G R(0) + X.
3.4 T R(b).
3.5 R(b) R(b)+ X .
COMMENT: The loop stores the bits of k in order in the de.
3.6 If R(b) = G then
di 1.
Else
di 0.
End If.
COMMENT: Eliminate the error in R(b) by replacing fault value by a value
stored in T.
3.7 R(b) T.
3.8 R(b) R(b) + R(ke).
3.9 e e+1.
189
End While loop.
4. set v e-1.
5. k= (dt, dt-1, . . . , d2, d1).
Example of the Implementation Process
I choose a curve :
y2 = x3 + 427149x + 474895 with P = (2097209, 1489440), where k = 11469
and the field is GF(2097211) where p = 2097211. I arbitrarily choose a fault
point X =(2097209,607771).
Referring to the general Weierstrass equation (1), the corresponding coefficients
a1=0, a2=0, a3=0, a4=427149, & a5=474895.
The internal inputs (loaded from the firmware) to algorithm C.3.6 are
k="10110011001101" in binary form and the size of the secret key t= 14. The inputs
by the attacker to algorithm C.3.6 are the P = (2097209, 1489440), the random fault
value X =(2097209,607771) and the curve GF(p) values where p = 2097211,
a4=427149 & a5=474895. I assume that the secret key k and size of the secret key t
are stored in the firmware of the victim device, and the attacker does not have any
access to them. The goal of this example is to retrieve k which is the secret key of
ECC.
Implementation of algorithm C.3.6 in MATLAB code access register bits from
Right-to-Left and the steps for this example are shown below. The notations P[1]
and P[2] refer respectively to the abscissa and ordinate values of the point P. Since
MATLAB does not accept indices beginning from 0, I use 1 and 2 instead of 0 and
1.
The MATLAB script considers the first value from left when dealing with For-
Loop. Therefore, the MATLAB script defines Right-to-Left in the For-Loop as “for
i from t by -1 to t do” where t represents the size of the secret key d. However, the
For-Loop in ECC algorithm from Right-to-Left is defined as “For i from 1 to t do”.
The implementation program in MATLAB 2017b is:
a = arduino('COM5','Mega2560')
R=[0 0;0 0]
190
R(1,:)=[inf,inf]
R(2,:)=P1
e=1
for i=t:-1:1
b=1-k(i)
if b==1
u=2;
else
u=1;
end
if k(i)==1
z=2;
else
z=1;
end
R(u,:)=multell([R(u,1),R(u,2)],2,a4,a5,p)
G=addell([R(1,1),R(1,2)],[X(1),X(2)],a4,a5,p)
T=R(u,:)
R(u,:)=addell([R(u,1),R(u,2)],[X(1),X(2)],a4,a5,p)
n=R(u,:)
if n==G
d(i)=1;
else
d(i)=0;
end
R(u,:)=T;
R(u,:)=addell([R(u,1),R(u,2)],[R(z,1),R(z,2)],a4,a5,p)
e=e+1
end
v=e-1
clear arduino;
clearvars a;
The results of the implementation program are:
191
JoyeRLArduino
R(1 , :) = [Inf, Inf] % initial value for R(1,1) and R(1, 2)
R(2 , :) = [2097209, 1489440] % initial value for R(2,1) and R(2, 2)
R(1 , :)= [971536 81621] % Final value of R(1,1) and R(1,2)
k = [d14, d13, d12, … d2, d1]
= [ 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1] % retrieve secret key
192
Appendix D
In this appendix I present screen shots for some operations on data EEPROM
provided by Microchip Company.
193
194
195
196
197
Appendix E
I present here two implementation examples which show how I apply RSK
proposed in chapter four against “Left-to-Right” and “Right-to-Left” RSA
Montgomery algorithms with a private key size 3072 bits long digits.
Example 1
In the implementation of RSK against protected Montgomery Ladder RSA “Left-
to-Right” algorithm I choose a three random prime numbers
p=1163603031671925599536121850942724354878673317495800969327483540
023830390261362267571099520255825457644727094348532522232753490897
056409220262210459339557609926199043267219425156016607293534152960
992279407428669020825425632042006704380965619767418163055163946368
057604059053416792183528470457560825370422913494318276423494444546
795767104938152854187821670562979117801566249209877284117036522220
804894975178989290012463424982702090973772475299331142830354513877
60297,
q=5114017202906162834225114490694101835101718744158939158227478374
505364051549333807004015722326092910851385550332803615396003342024
541702972434868437520753306647602690654135134224638535551947371947
335244445483621237441772963633194593768776031726542888922757777888
107321971138590135738663656295893205944696858160238748614766839774
303423711503307559480255021437406091614785052108644059897658937071
239997051287235412532645874009217001460067465348080538407747937868
3913 and
e=103 and compute
n=p*q=59506859213239921575846581294469119076843978644651413757443
740054366261430373329415204843081389427660058444832810324168007403
002535396755303643027938927664809633602701420410547978330933054166
467687851545926103087218956406827938438065920119694223001126760735
399875157639137462934900852698489091684531390521655094282864547193
591274556583238073006146638977539477171171953187059696508965952283
665368734436694692817395256067382905013775912036950705881316516292
198
956276566441741303865724496262251405901631375546630509512313877125
989897853121490381316987979349738588499360667594982798506567294778
599863739458716083671468393874301356567542286667743426999797593323
890028407774647320024510920735838920774971598022264498274435613682
709709110175884556921906446749759234815130153715715168232854060177
484249129041683326939369184665925085729107227059940472869112554547
766694808400652776596183536380303761437320073039490122131655772896
12574002161, and
d≡e-1 mod (p-1)*(q-1) ≡
236871963858527843165991245929440182733068264507835724665552751672
720069771388981167320249158928789714795751276235270960029468262519
540482276637295679226626912133758326042410919137045461671924774291
447901259245298638564337858784073854633486161470198659921373921833
151767440386439896598120199296996678350620180472388101595624974976
390282792329441942931852341608157092240841693937559961557634007778
457466454602477010242598320301511146834321842615644075453204971586
325770504721168008460723140033152366050822252235109260065146223236
459120630443288827963281018456567872761835210687809808196059783042
076121081718149590038048135086401692050041456193135223934795630561
161242971753662914601597022440136031208479679988959352457860427926
399555802327717488180927363985850907936092014579953282891598115021
458273834638513215631220276460134426293652682343419836927918386547
772790764196525965349198441406830552144045728136669011958489275834
8311 in decimal form.
The internal inputs (loaded from the firmware) to the attack algorithm are d in
binary form:
"11001011110111001100000110110110001110101111101100001010000101100
010110011101100010011000011010111110100001001100011011101110110111
111010100111111011110111101010010110101110110000000111010101101011
011010100001101100111110110101001101110110100101010001011000100111
010101010100001011100011011100100110110001011011011110001110110001
100101110111010001001101001010000101001111100101111111110000010110
199
011001110100111111010001100100111011111001000111001111010011000010
010001010010011001100100001111101000110111001101011111111011100100
101011110101100100010011001010101011111010100000000101001000111010
101101011110001010111101011011001001100111111000010111100111100111
011001111100101011100011011101010111101011000011100000000110000100
100100111110001100011000101110101010111000000001101100100011111010
100100100110010101010001110101111110110110000011111110001100101000
111101000101101010110110110111110010100010111000111100101001011110
011111011000000100110111110101001011100100010100111011011100101100
101110101011110011001100111010010011101001000010010000011110010101
000101001100111101101011110011001000011011111011111010100000000001
100000011110010010100100111010110111111100111000001010110101001011
101101101010000011111001100100011110000101101110110110001010010100
100110010100011111100100111011010000110010111100010100011001111000
101000101100100101100101101110000010000101011100110000101101110101
100100101001110100101011010101010111001110001010100100101001110110
100000011001100100001000111000001011101000100011010110111100100110
001011111011101000100000100010001111011111100010100100011001001111
011001001011110110011110110001101000101000101100000011111110110101
110111110010011001010000110011101010110101111111011010001100111010
010010110110101101100100110110110011101011001111011011101100010010
111111001111011010101010000010001111001110011111001011111011111110
111001111111110000101100000000101001110111000011110101000111101110
100100111101110010000001110101011001010111000100110011100000100001
000110001110010000000000001101001011011011010100110011100101100101
101010101010011000000101111001011111011111111111000011001100100101
011000111100101010001010100001011000101011011111011110111001000011
010111110101011000100100110011101000010110110101010100111011100001
001010010011111111111110111101011001100100100010111110101111011011
010100010010111101011001100101101101000111001111001000000111001011
011000110001111110001100011110011000110010111111000010011011101001
001011101110010000011111011000001100101100000101011011100001111000
000011111110110110010010011001100101011110101011100001010011111100
001110001001011100000100011111010110110001110011100111010010001111
200
000011010110110110001100011011110100000010101101101010010000100001
010011000111011011101000101000101011111000001110011101011111010110
001001011111011001000100110000001010000101100011001001100110001010
001011000001111000011110100001000111010010111110101110010011101001
011010000111101101000111011100010111010100110101100111110111110000
110110101100101101101111110110110011010001000110111000100000011011
1111101000100011100010101001010101001000010111" and size of the secret
key t= 3081. The inputs by the attacker to attack algorithm are the message g=222,
the random fault value X=352 and modulus n which its value is given above. I
assume that the secret key d and size of the secret key t are stored in the firmware
of the victim device, and the attacker does not have any access to them. The goal of
this example is to retrieve d which is the secret key of RSA..
Since Maple does not accept indices beginning with 0, as in the binary left to right
attack, we use 1, 2 instead of 0, 1 in the Maple code.
The attack algorithm was implemented in Maple code, and the steps are shown
below.
Step1.
> R[1] := 1; R[1] := 1
> R[2] := g; R[2] := 222
Step2.
> z=1; z=1
Step3
for i from 1 to t do
Step 3.1
if d[i] = "1" then b := 1 else b := 2 end if
Step 3.2
H: = R[b]*X mod n
Step 3.3
T := R[b]
Step 3.4
201
if d[i] = "1" then R[b] := R[b]*X mod n end if
Step 3.5
if R[b] = H then k[i] := 1; R[b] := T else k[i] := 0 end if
Step 3.6
if d[i] = "1" then u := 2 else u := 1end if
R[b]:= R[b]*R[u] mod n
Step 3.7
R[u] := R[u]^2 mod n
Step 3.8
z := z+1
End While loop
Step 4
Set v z-1
Step 5
d= [kv, kv-1, . . . , k2, k1]=
"11001011110111001100000110110110001110101111101100001010000101100
010110011101100010011000011010111110100001001100011011101110110111
111010100111111011110111101010010110101110110000000111010101101011
011010100001101100111110110101001101110110100101010001011000100111
010101010100001011100011011100100110110001011011011110001110110001
100101110111010001001101001010000101001111100101111111110000010110
011001110100111111010001100100111011111001000111001111010011000010
010001010010011001100100001111101000110111001101011111111011100100
101011110101100100010011001010101011111010100000000101001000111010
101101011110001010111101011011001001100111111000010111100111100111
011001111100101011100011011101010111101011000011100000000110000100
100100111110001100011000101110101010111000000001101100100011111010
100100100110010101010001110101111110110110000011111110001100101000
111101000101101010110110110111110010100010111000111100101001011110
011111011000000100110111110101001011100100010100111011011100101100
101110101011110011001100111010010011101001000010010000011110010101
000101001100111101101011110011001000011011111011111010100000000001
100000011110010010100100111010110111111100111000001010110101001011
101101101010000011111001100100011110000101101110110110001010010100
202
100110010100011111100100111011010000110010111100010100011001111000
101000101100100101100101101110000010000101011100110000101101110101
100100101001110100101011010101010111001110001010100100101001110110
100000011001100100001000111000001011101000100011010110111100100110
001011111011101000100000100010001111011111100010100100011001001111
011001001011110110011110110001101000101000101100000011111110110101
110111110010011001010000110011101010110101111111011010001100111010
010010110110101101100100110110110011101011001111011011101100010010
111111001111011010101010000010001111001110011111001011111011111110
111001111111110000101100000000101001110111000011110101000111101110
100100111101110010000001110101011001010111000100110011100000100001
000110001110010000000000001101001011011011010100110011100101100101
101010101010011000000101111001011111011111111111000011001100100101
011000111100101010001010100001011000101011011111011110111001000011
010111110101011000100100110011101000010110110101010100111011100001
001010010011111111111110111101011001100100100010111110101111011011
010100010010111101011001100101101101000111001111001000000111001011
011000110001111110001100011110011000110010111111000010011011101001
001011101110010000011111011000001100101100000101011011100001111000
000011111110110110010010011001100101011110101011100001010011111100
001110001001011100000100011111010110110001110011100111010010001111
000011010110110110001100011011110100000010101101101010010000100001
010011000111011011101000101000101011111000001110011101011111010110
001001011111011001000100110000001010000101100011001001100110001010
001011000001111000011110100001000111010010111110101110010011101001
011010000111101101000111011100010111010100110101100111110111110000
110110101100101101101111110110110011010001000110111000100000011011
1111101000100011100010101001010101001000010111".
Example 2
In the implementation of RSK against protected Montgomery Ladder RSA “Right-
to-Left” algorithm I choose a three random prime numbers
203
p=2925029103012206221626292552601223949661602997874593350342750082
447217051181303453670406961218222062493928278243690351543617470402
684057616773788184726531684024550090682743518517551145669362151962
105898161350757374675290163709399324202147786226262152877389966061
255405961191243141515193385138854884803431102164660869203754171140
840553724275241402544367008171654210123031586936268988373990976602
477546123535775804867537950020333156188536342764542769128420674434
6911,
q=1628826500287324368994561500492174487412170434849390548276053784
075406405966191657612062746930557343602294153042785604625796477267
741505999075777905437117158546504689464627489334163162757601266851
769894145053398815811937372213967628482840015328789262584052155816
845920039620790188696761359542321850199629498511799703019955649846
565291277163931734479298121566305135282458505569765190147653966893
590648458531923724791373289441510004516999501659021211252449753631
6823,
and e=43 and compute
n=p*q=
476436491709794345856348878901905897903342965253726007618923541068
890253291899306090616801075806374511337075010335376948201592945989
975357301955813511125974083401380731028647904024151337590252433452
172510839081012654311956793349899515632612725759110114652213976335
132808392789369433535701649039637378654803306859966162026420921855
016689061741791996664386353963316833482957427596042062205686618940
426999033724523326116316353607231309624337515159318684722811514880
992638710513252891351723914838495040382151382501695420853862192065
096364941711229225216475202513693516068494032881849469488996226218
180660956461870435974634045230020820620187181222272059076791213013
132312962414274023935121201268932534780907963552798144922045526081
787878852172027551417276401164884814468974435018513660238514110979
280380531456348210388838728689460422024040332117453672974230302110
204
682709579450898815491175833850275439302802852852546304982075517383
753
and d≡e-1 mod (p-1)*(q-1) ≡
886393472948454596942044425864010972843428772565071642081718215942
121401473301034587194048513128138625743395368065817578049475248353
442525212941048392792509922607219964704461216789118767609771969213
344206212243744473138524266697487470944395768854158352841328328065
363364451701152434485026323794674192846145687181332394467759854613
984537789287054877515137402722449922758990562969380580847789058493
817672620882834095100123448571593134184813981691755692507556306755
250418892056293182224214649874532197230537019859452245335207727255
572335572532610441659122085629580381593059944217841688920663720025
907022879937134017373294175850182361202748098056053906617966557905
812818415577138826163434124716768386848427810236807423828138246140
976035058700826510321356194145334817559755215356107791630541211358
552428868957426679352906848948589707849561687548115140014476031906
978165132602611197957327328803430385576640760217500467299295324130
27 in decimal form.
The internal inputs (loaded from the firmware) to the attack algorithm are d in
binary form:
"11110100000111100011011100001110100001100001011101011010011011100
101011010001110001001111110110000001010010100111111010000101111100
001001100000100010011001011111010010100000000111100010100011111101
100100011010101110101010011100100101111011000010101101101110110101
100110000010101101110010110001101010000011001001100110110000101000
100001111100110100011110010011101000110011011001111110001100011110
001101110101011000011011101100010111110110110000111101011001100111
110001001000000111111011000100101101001101000011110101101011000101
111111000111100100110111110011000101100100100111101110110111101001
000000010000011001110110101010111011010010110101100011100000010001
001101011010000000011000000111110110100011010111101001111001011001
100001011100111010111011110101000010011100000000001000100101011101
205
001011100011001000100101010010010001001100100010011110001111001001
010000011011010111110000011101111101001100111100001111010000001011
111010011110010011010101011000101011101110101111110101100101010110
100010000010011001011000000111111100000001010011100010100010000101
100101001011100010100001010010101101010000000111001011001000001111
011000100001100111011000111000011110011011000101000010000001110110
001000111111000100011011011100001000000000011110110100001101110011
001110001000100111101011001010011100000000000100111111000000001000
001100000101100110011001101011000111100101011110000001101001101001
000010011110010100100001011010011100111111100101110101011101000100
011111000000001100101101011101011111100110100111010010011001001111
001010001010101000110000011100111001001000000111000110011111001100
111011010011010110100000101111111000101110011000001100110111000100
000100111101001010001111111000111011000010100101101001100001111101
110010001111000101101000010110101100101101001110100101001010000110
001111100000110110011100000011100000100010100110110000000111010100
111010011100001001010110111101101110011100110101000011111010110100
000010110001100111011001101110111011011001011100110011101000010110
101000000010000011100110000010000101111001011100010111010010001001
101000100011011001000010100111100010000111100010100011001000000010
010100110001101000001101101110010111101001110000111101111010010001
110001010110110101111011001110011001010011111010000100010011101111
000000011000110111110101111110010001110000101101100011100110110100
011000111111100101000101110101111010011111001111101100100001100011
111111110010011001111000111110110101001010111011001101100011100101
000100000010011001001010010000101100111101101011010110010111001011
111111101111001111100011011110101011110011011001100101110000000001
001111110000101100100010000111111001101110001100000111001101110001
111110010001001000100110101101101111101110000001000010011111000100
011101100001011001000111100001010010100110110011111100001010000010
101010101010110001111111110010111101100010110001001111010101110010
100101110101010111000101000011001101010010011100000101011110011001
000011001011001110111101100000100000101110110010001110011111110010
011111011100010101100110010111010101011110011000011011111110000110
206
10100111000001000010000001001010001100011" and size of the secret key t=
3076. The inputs by the attacker to attack algorithm are the message g=260, the
random fault value X=787 and modulus n which its value is given above. I assume
that the secret key d and size of the secret key t are stored in the firmware of the
victim device, and the attacker does not have any access to them. The goal of this
example is to retrieve d which is the secret key of RSA..
Since Maple does not accept indices beginning from 0, as in the binary left to right
attack, we use 1 and 2 instead of 0 and 1 in the Maple code.
The attack algorithm was implemented in Maple code, and the steps are shown
below.
Step1
> R[1] := 1; R[1] := 1
> R[2] := g; R[2] := 260
Step2
> z=1; z=1
Step3
for i from t by -1 to 1 do
Step 3.1
if d[i] = "1" then b := 1 else b := 2 end if
Step 3.2
H: = R[b]*X mod n
Step 3.3
T := R[b]
Step 3.4
if d[i] = "1" then R[b] := R[b]*X mod n end if
Step 3.5
if R[b] = H then k[i] := 1; R[b] := T else k[i] := 0 end if
Step 3.6
if d[i] = "1" then u := 2 else u := 1end if
R[b]:= R[b]^2 mod n
207
Step 3.7
R[b] := R[b]*R[u] mod n
Step 3.8
z := z+1
End While loop
Step 4
Set v z-1
Step 5
d= [kt, kt-1,. . . , k2, k1]=
"11110100000111100011011100001110100001100001011101011010011011100
101011010001110001001111110110000001010010100111111010000101111100
001001100000100010011001011111010010100000000111100010100011111101
100100011010101110101010011100100101111011000010101101101110110101
100110000010101101110010110001101010000011001001100110110000101000
100001111100110100011110010011101000110011011001111110001100011110
001101110101011000011011101100010111110110110000111101011001100111
110001001000000111111011000100101101001101000011110101101011000101
111111000111100100110111110011000101100100100111101110110111101001
000000010000011001110110101010111011010010110101100011100000010001
001101011010000000011000000111110110100011010111101001111001011001
100001011100111010111011110101000010011100000000001000100101011101
001011100011001000100101010010010001001100100010011110001111001001
010000011011010111110000011101111101001100111100001111010000001011
111010011110010011010101011000101011101110101111110101100101010110
100010000010011001011000000111111100000001010011100010100010000101
100101001011100010100001010010101101010000000111001011001000001111
011000100001100111011000111000011110011011000101000010000001110110
001000111111000100011011011100001000000000011110110100001101110011
001110001000100111101011001010011100000000000100111111000000001000
001100000101100110011001101011000111100101011110000001101001101001
000010011110010100100001011010011100111111100101110101011101000100
011111000000001100101101011101011111100110100111010010011001001111
001010001010101000110000011100111001001000000111000110011111001100
208
111011010011010110100000101111111000101110011000001100110111000100
000100111101001010001111111000111011000010100101101001100001111101
110010001111000101101000010110101100101101001110100101001010000110
001111100000110110011100000011100000100010100110110000000111010100
111010011100001001010110111101101110011100110101000011111010110100
000010110001100111011001101110111011011001011100110011101000010110
101000000010000011100110000010000101111001011100010111010010001001
101000100011011001000010100111100010000111100010100011001000000010
010100110001101000001101101110010111101001110000111101111010010001
110001010110110101111011001110011001010011111010000100010011101111
000000011000110111110101111110010001110000101101100011100110110100
011000111111100101000101110101111010011111001111101100100001100011
111111110010011001111000111110110101001010111011001101100011100101
000100000010011001001010010000101100111101101011010110010111001011
111111101111001111100011011110101011110011011001100101110000000001
001111110000101100100010000111111001101110001100000111001101110001
111110010001001000100110101101101111101110000001000010011111000100
011101100001011001000111100001010010100110110011111100001010000010
101010101010110001111111110010111101100010110001001111010101110010
100101110101010111000101000011001101010010011100000101011110011001
000011001011001110111101100000100000101110110010001110011111110010
011111011100010101100110010111010101011110011000011011111110000110
10100111000001000010000001001010001100011".
209
Appendix F
I present here two implementation examples to show how I apply a fault point attack
proposed in chapter five against “Left-to- Right” and “Right-to-Left” Coron
algorithms with a private key size 384 bits long digits.
Example 1
In this example I implement fault point attack against “Left-to- Right” Coron
algorithm.
I choose the field
GF(39402006196394479212279040100143613805079739270465446667948293
404245721771497210611414266254884915640806627990307047)
for the elliptic curve y2 = x3 +
279503974009108680717862289403158754920875853053263116892722308031
51023644068552761279886225476177281403352866529296 x +
468874730229678858229705420347854345750284847257991630749736540585
7008329225735853833551903436306437780786411000956.
With point P =
(39402006196394479212279040100143613805079739270465446667948293404
245721771497210611414266254884915640806627990307045,
363771486838893820567360406595479978658686802834037313031960150946
68485388524198850095479870062155363105961434073471) given in affine
form. My target is to find k, which I know in advance is
312145579408803855624250154864117785886180357951470178931020154986
51020161929235784873730223985639746019018329134118 in base 10. I also
choose arbitrarily a fault point X :=
(39402006196394479212279040100143613805079739270465446667948293404
245721771497210611414266254884915640806627990307045,
302485751250509715554299944059561593921105898706171536475227830957
7236382973011761318786384822760277700666556233576).
I set p =
394020061963944792122790401001436138050797392704654466679482934042
45721771497210611414266254884915640806627990307047.
210
Referring to the general Weierstrass equation (1), the corresponding coefficients
are:
a1=0, a2=0, a3=0, a4=
279503974009108680717862289403158754920875853053263116892722308031
51023644068552761279886225476177281403352866529296,
a5=
468874730229678858229705420347854345750284847257991630749736540585
7008329225735853833551903436306437780786411000956.
The internal inputs (loaded from the firmware) to attack algorithm are
k="110010101100111000011001011010011110000011100000110101001010110
111110101101000010100101110101011100000001111000000001001100010001
010011111011110100111110100110011001100010001010000110010111010000
010010010010001100110100011110101110001111101110000111000000011011
001011000001000100111000101001101100100000010101100010011001110111
100011010001011100110110110101110011011011001010000100110" in binary
form and the size of the secret key t= 384. The inputs by the attacker to attack
algorithm are the point P, the random fault value X and the curve GF(p) with p, a4
and a5 values which are given above. I assume that the secret key k and size of the
secret key t are stored in the firmware of the victim device, and the attacker does
not have any access to them. The goal of this example is to retrieve k which is the
secret key of ECC.
Implementation of attack algorithm in Maple code access register bits from left-to-
right and the steps for this example are shown below. I begin with e≡2 as the first
bit is always 1. The notations P[1] and P[2] refer respectively to the abscissa and
ordinate values of the point P. Since Maple does not accept indices beginning from
0, I use 1 and 2 instead of 0 and 1.
Step 1
W[1] := P;
W[1] :=
[3940200619639447921227904010014361380507973927046544666794829\
3404245721771497210611414266254884915640806627990307045,
211
36377\148683889382056736040659547997865868680283403731303196015094
66\ 8485388524198850095479870062155363105961434073471]
> e:=2; e:=2
Step 2
> X:=
(39402006196394479212279040100143613805079739270465446667948293404
245721771497210611414266254884915640806627990307045,
302485751250509715554299944059561593921105898706171536475227830957
7236382973011761318786384822760277700666556233576). COMMENT:
Inject error into Step 3 by using X instead of P in addition operations:
Step 3
for i from 1 to t -1 do
Step 3.1
W[1] := multell([W[1][1], W[1][2]], 2, a4, a5, p)
Step 3.2
R := addell([W[1][1], W[1][2]], [X[1], X[2]], a4, a5, p)
Step 3.3
W[2]:= addell([W[1][1],W[1][2]],[X[1],X[2]].a4,a5,p);
Step 3.4
if k[i] = "1" then u := 2 else u := 1 end if;
n := W[u];
if n = R then d[i] := "1" else d[i] := "0" end if
Step 3.5
W[2] := addell([W[1][1], W[1][2]], [P[1], P[2]], a4, a5, p)
Step 3.6
W[1] := W[u]
212
Step 3.7
e := e+1
End of Step 3
Step 4
> v := e-1; v := 384
Step 5
d="110010101100111000011001011010011110000011100000110101001010110
111110101101000010100101110101011100000001111000000001001100010001
010011111011110100111110100110011001100010001010000110010111010000
010010010010001100110100011110101110001111101110000111000000011011
001011000001000100111000101001101100100000010101100010011001110111
100011010001011100110110110101110011011011001010000100110".
Example 2
In this example I implement fault point attack against “Right-to-Left” Coron
algorithm.
I choose the field
GF(32084455814733133929866525925776603080359232331786713678343824
090925198070759290328067047552719758075416655999797491) for the
elliptic curve y2 = x3 +
296014293675709371137141008288369891812888028854582502243128659064
50280284253852165313477896069518623196309402260394x +
215613898409263492591999663353449584532916113593045307505915268240
47792017039748312539842693274838003686591478584484 with points
P =
(32084455814733133929866525925776603080359232331786713678343824090
925198070759290328067047552719758075416655999797489,
150867710108893037920764455710588886357925659569076627910312164579
20884355336392184814449583312490007665225852854054) and
X=
[32084455814733133929866525925776603080359232331786713678343824090
925198070759290328067047552719758075416655999797489,
213
169976848038438301377900803547177144445666663748790508873126076330
04313715422898143252597969407268067751430146943437] given in affine
form. My target is to find k, which is stored in the firmware of the victim device
with value
377142980861484771443397232925800706395029897715451815076746512408
10586220276942828529839697747780788088213766375431 in base 10.
I set p ≡
320844558147331339298665259257766030803592323317867136783438240909
25198070759290328067047552719758075416655999797491.
Referring to the general Weierstrass equation (1), the corresponding coefficients
are:
a1=0, a2=0, a3=0, a4=
296014293675709371137141008288369891812888028854582502243128659064
50280284253852165313477896069518623196309402260394, a5=
296014293675709371137141008288369891812888028854582502243128659064
50280284253852165313477896069518623196309402260394.
The internal inputs (loaded from the firmware) to algorithm 5.8 are
k="111101010000100011100100101010100001110000011111111001100101001
001111100010000011001010000011000110011000101000010101010010110011
100110011011111001011100101110001001100000010100001111100111011001
001000101001010101001110111000000000100111001011111011000110101101
011111110001000110000110001000111001100101001111001011110101110101
001101101101001001010111010100011110001111000100000000111" in binary
form and the size of the secret key t= 384. The inputs by the attacker to attack
algorithm are the point P, the random fault value X and the curve GF(p) with p, a4
and a5 values which are given above. I assume that the secret key k and size of the
secret key t are stored in the firmware of the victim device, and the attacker does
not have any access to them. The goal of this example is to retrieve k which is the
secret key of ECC.
The notations P[1] and P[2] refer respectively to the abscissa and ordinate values
of the point P. Since Maple does not accept indices beginning from 0, I use 1 and
2 instead of 0 and 1.
214
Step 1
W[1] := ["infinity", "infinity"]; W[1] := ["infinity", "infinity"]
R := P;
R :=
[3208445581473313392986652592577660308035923233178671367834382\
4090925198070759290328067047552719758075416655999797489, 15086\
77101088930379207644557105888863579256595690766279103121645792\
0884355336392184814449583312490007665225852854054]
Step 2
X :=
X=
[32084455814733133929866525925776603080359232331786713678343824090
925198070759290328067047552719758075416655999797489,
169976848038438301377900803547177144445666663748790508873126076330
04313715422898143252597969407268067751430146943437]
COMMENT: Inject error into Step 3 by using X instead of P in addition operations.
e := 1; e := 1
Step 3
for i from t by -1 to 1 do :
Step 3.1
G := addell([W[1][1], W[1][2]], [X[1], X[2]], a4, a5, p)
Step 3.2
if k[i] = "1" then u := 2 else u := 1 end if
if u = 2 then W[2] := addell([W[1][1], W[1][2]], [X[1], X[2]], a4, a5, p) end if
Step 3.3
if W[2] = G then d[i] := "1" else d[i] := "0" end if
Step 3.4
215
W[2] := R
Step 3.5
W[2] := addell([W[1][1], W[1][2]], [P[1], P[2]], a4, a5, p)
Step 3.6
W[1] := W[u]
Step 3.7
R := multell([R[1], R[2]], 2, a4, a5, p)
Step 3.8
e := e+1
End of Step 3
Step 4
> v := e-1; v := 384
Step 5
d="111101010000100011100100101010100001110000011111111001100101001
001111100010000011001010000011000110011000101000010101010010110011
100110011011111001011100101110001001100000010100001111100111011001
001000101001010101001110111000000000100111001011111011000110101101
011111110001000110000110001000111001100101001111001011110101110101
001101101101001001010111010100011110001111000100000000111"
216
Appendix G
I demonstrate here two implementation examples which to how I apply FF attack
proposed in chapter 4 against RSA-CRT signature protected by modified Shamir’s
countermeasure and Simplified Vigilant’s Countermeasure algorithms by using
Arduino Mega2560. This appendix shows how attacks can factorize the modulus n
with size 3072 bits long digits on Arduino Mega2560 hardware device.
Example 1
In this example I implement FF attack against RSA-CRT signature protected by
modified Shamir’s countermeasure.
I choose three random prime numbers
p=5809605995369958062859502533304574370686975176362895236661486152
287203730997110225737336044533118407251326157754980517443990529594
540047121662885672187032401032111639706440498844049850989051627200
244765807041812394729680540024104827976584369381522292361208779044
769892743225751738076979568811309579125511333093243519553784816306
381580161860200247492568448150242515304449577187604136428738580990
172551573934146255830366405915000869643732053218566832545291107903
722831634138599586406690325959725187447169059540805012310209639011
750748760017095360734234945757416272994856013308616958529958304677
637019181594088528345061285863898271763457294883546638879554311615
446446330199254382340016292057090751175533888161918987295591531536
698701292267685465517437915790823154844634780260102891718032495396
075041899485513811126977307478969074857043710716150121315922024556
759241239013152919710956468406379442914941614357107914462567329694
509,
q=5809605995369958062859502533304574370686975176362895236661486152
287203730997110225737336044533118407251326157754980517443990529594
540047121662885672187032401032111639706440498844049850989051627200
244765807041812394729680540024104827976584369381522292361208779044
769892743225751738076979568811309579125511333093243519553784816306
381580161860200247492568448150242515304449577187604136428738580990
217
172551573934146255830366405915000869643732053218566832545291107903
722831634138599586406690325959725187447169059540805012310209639011
750748760017095360734234945757416272994856013308616958529958304677
637019181594088528345061285863898271763457294883546638879554311615
446446330199254382340016292057090751175533888161918987295591531536
698701292267685465517437915790823154844634780260102891718032495396
075041899485513811126977307478969074857043710716150121315922024556
759241239013152919710956468406379442914941614357107914462567329694
573 and e=3
and compute n=p*q=
337515218214385611849111744886826404774824526906135437899871151084
665003784674132416503098237599152146135462950863521351172060726207
028052137864298272611904952952097250362148614445522452710018844423
313364638411836590291565871784390447510515700543762037763420971108
976401193279180123374243133559193596396525678717812867692707110267
091573529243487775155745125792074301249607450177138114756335603617
462402313721869876332818900039751245174104362327517860532580309042
489897843433735800204290643997239816292100396861998120170599620408
941456496131418993734579901361101240330822684452997592142705570206
978374447296284704455535973834352324658581243318792909226969802227
356673323935612163123006229898288296485668393765657478972738362500
087728995623901601898523186831764997784754495348973021510834485352
883671335921984444102440129030706195384760231210870118216027271303
420623602926941969150307534755710471876215776777340159710612862760
590101323749905857040042217480237801141901467826506088250466013974
849048604238998325271030832094431183778754662545905563690188222970
085147724189358012388859237720764945954374202277501197089806912740
140516507532823657759605485842833495687835894949361459772142847155
001069128577748216700197598571813825899279561538283138904752627787
058295214338608978736235674716718816095220744300616960521325579242
351123476048878446641682125214142387185165674673688652259102777485
823350481420862478973733905214758923215221560777097459336365178428
977713867825174226168535500680825347801422177983602371590304449830
218
031095385678973725024437810440752674458910837190961024737495468228
529278822604626497800471743542974694380456685728536020348379794835
995928585157043405307016098619710464912134861843885356291383489908
871458287843917804744417954127424628639705301708437699006750433251
113611007226025572385284078570528352436558521218956861919843651996
57, d≡e-1 mod (p-1)*(q-1) ≡
270012174571508489479289395909461123819859621524908350319896920867
732003027739305933202478590079321716908370360690817080937648580965
622441710291438618089523962361677800289718891556417962168015075538
650691710729469272233252697427512358008412560435009630210736776887
181120954623344098699394506847354877117220542974250294154165688213
673258823394790220124596100633659440999685960141710491805068482893
969921850977495901066255120031800996139283489862014288426064247233
991918274746988640163432515197791853033680317489598496136479696327
153165196905135194987663921088880992264658147562398073714164456165
582699557837027763564428779067481859726864994655034327381575841781
885338659148489730498404983918630637188534715012525983178190690000
070183196499121281518818549465411998227803596279178417208667588282
306937068737587555281952103224564956307808184968696094572821817042
736498882341553575320246027804568377500972621421872127768490290208
379127363074005356626281733451317050982529571439398546813789032743
283979187437435048419447953145650431001785205957036171848302104863
427364232745315654918568973662825721460451380317203341847019494988
196160293357260610532795748288589548924918805855132490038373813007
682571411250170764128484977876497794711242319738730198263245041327
541353581707683223107893369369494808004983360438827385557243167551
120073597892762664027483205531299995448419688241881601082624495529
093374238919096600671941908816204139417472295968797770505737918555
170190933986613609187069268425999910323441529449010560792910685021
832569403037762526498569674530229791351811951616022597717127388735
680281774895631080800116721920927736695823137992125019549239331281
617522191842667275966606226242597894415551405313462017544586865589
896496238506913265763897443638434505199064869908348218150647953692
743028981570373742532923768354351595310180987261438858134797646484
219
61, 𝑖𝑞= q-1 mod p where
p=2450927529296701057768852631237867312633567652528096427966564470
496164074014405876482938643787409328059153222802882405796683504672
696582379451529892953904294185422098001154585449833530886006155225
103260574845764604026583977822669224302621530832829717089884953659
512298501048364014501225755592271228693575093648712109811752969379
254729130784771979410927314063383561144064665376020495055874088855
229045195253467951678435827495390991880949459951582882480044686146
883069595652221700515322481264259063454274446993777114568369691458
082347133132212105309755367741409990169704880614572779379826159785
878117467235006097895572729973832083400208546278996238277311975212
766469545552810442549694373211585160652178359068309572765327677367
044764607675429805765169120724253518450080297922230907443544958995
219158301345451139069193551592690078455315315458375832430154604109
882804897708673888003059760108941327479740993556904901413895592214
871. I also choose arbitrarily a small integer r=13
The internal inputs (loaded from the firmware) to the attack algorithm are p, q d
and 𝑖𝑞 values which are given above. The input enter by attacker to the attack
algorithm 4.2 are the message M=23 and the random fault value X=66. I assume
that p, q, d and 𝑖𝑞 are stored in firmware of the victim device, and the attacker does
not have any access to them. The goal of this example is to compute q which has a
partial factor of n=p*q.
The implementation in program MATLAB 2017b is:
a = arduino('COM5','Mega2560')
pr=p*r;
qr=q*r;
if mod(pr,p)~= 0 || mod(qr,q)~= 0 disp('error'); end
v=(p-1)*(r-1);
u=(q-1)*(r-1);
spr=powermod(M,mod(d,v),p)
sqr=powermod(M,mod(d,u),q)
if mod(spr,r)~= mod(sqr,r) disp('error'); end
220
sp=mod(spr,p)
sq=mod(sqr,q)
scrt=sq+(q*mod(iq*(sp-sq),p))
n=p*q
scrte=sq+(q*mod(X*(sp-sq),p));
qt=gcd((scrte-scrt),n)
clear scrte;
sfinal=powermod(M,d,n)
if mod(scrt,p)~= mod(spr,p) || mod(scrt,q)~= mod(sqr,q) disp('error'); end
q=qt
clear arduino
clearvars a;
The results of the implementation program are:
a =
arduino with properties:
Port: 'COM5'
Board: 'Mega2560'
AvailablePins: {'D2-D53', 'A0-A15'}
Libraries: {'I2C', 'Servo', 'SPI'}
n =
337515218214385611849111744886826404774824526906135437899871151084
665003784674132416503098237599152146135462950863521351172060726207
028052137864298272611904952952097250362148614445522452710018844423
313364638411836590291565871784390447510515700543762037763420971108
976401193279180123374243133559193596396525678717812867692707110267
091573529243487775155745125792074301249607450177138114756335603617
462402313721869876332818900039751245174104362327517860532580309042
489897843433735800204290643997239816292100396861998120170599620408
941456496131418993734579901361101240330822684452997592142705570206
221
978374447296284704455535973834352324658581243318792909226969802227
356673323935612163123006229898288296485668393765657478972738362500
087728995623901601898523186831764997784754495348973021510834485352
883671335921984444102440129030706195384760231210870118216027271303
420623602926941969150307534755710471876215776777340159710612862760
590101323749905857040042217480237801141901467826506088250466013974
849048604238998325271030832094431183778754662545905563690188222970
085147724189358012388859237720764945954374202277501197089806912740
140516507532823657759605485842833495687835894949361459772142847155
001069128577748216700197598571813825899279561538283138904752627787
058295214338608978736235674716718816095220744300616960521325579242
351123476048878446641682125214142387185165674673688652259102777485
823350481420862478973733905214758923215221560777097459336365178428
977713867825174226168535500680825347801422177983602371590304449830
031095385678973725024437810440752674458910837190961024737495468228
529278822604626497800471743542974694380456685728536020348379794835
995928585157043405307016098619710464912134861843885356291383489908
871458287843917804744417954127424628639705301708437699006750433251
113611007226025572385284078570528352436558521218956861919843651996
57
spr =
350923587821522061492508324524331947827255643115003504699070037661
210872174512287986416310423881268699565786584462559619275749434255
261112997775744484080885990323430668466384201563843825618388610868
085032184811244187737816688043042715296479133124875549947807817048
251876930717929165068685356923511237769172408505407249900626918604
987831097690680600052699744016721079602206815741987842408485637867
953313516656098625529265395569567144371617827505372363171395626868
928068785890610418135387952125002676328134312510743681453799373942
603639667366943599220466313918246715373822050305278317884150592108
064832529941972160041778207181536232920883464229675481704127784421
138812665916597844896318207869711240340093320709372917097557513539
972902235863292229573508428819901273380698060333712131116106884579
310147301557482420958281783641489559206245197307631385684367530035
222
281783976155947350741775616487329945073835434629148574953532921622
8
sqr =
476075575399175848137562888974467897883540967646377608693020993783
261413213832119896791484541461556862871452460256060529390833411664
137206035403522676174723262337886122292508313770402448866465898824
820859391239337479595187130225256984449577471621013560365640129721
486870588999427972620316784961405768178338632389406997904508630746
635982998229048889325267581672347369522114186031602028071509569270
732026692017727577011326006197065328718666651810454133238972948683
447232776843341691362072448435329936992481512015792783597815156719
769676431367534449049216941251045087280252065158880107411660274326
778014180841297043771922266803035911881975345024815357601711659136
496844027646036487905628225086138646193138364207898125498732836321
627175786310066350060960366721054025293316846285770953082487974620
909446393186696410377563887883430972575208913312580797638404215685
706398966708809408247061354437746429851275445179549353413978230514
sp =
350923587821522061492508324524331947827255643115003504699070037661
210872174512287986416310423881268699565786584462559619275749434255
261112997775744484080885990323430668466384201563843825618388610868
085032184811244187737816688043042715296479133124875549947807817048
251876930717929165068685356923511237769172408505407249900626918604
987831097690680600052699744016721079602206815741987842408485637867
953313516656098625529265395569567144371617827505372363171395626868
928068785890610418135387952125002676328134312510743681453799373942
603639667366943599220466313918246715373822050305278317884150592108
064832529941972160041778207181536232920883464229675481704127784421
138812665916597844896318207869711240340093320709372917097557513539
972902235863292229573508428819901273380698060333712131116106884579
310147301557482420958281783641489559206245197307631385684367530035
223
281783976155947350741775616487329945073835434629148574953532921622
8
sq =
476075575399175848137562888974467897883540967646377608693020993783
261413213832119896791484541461556862871452460256060529390833411664
137206035403522676174723262337886122292508313770402448866465898824
820859391239337479595187130225256984449577471621013560365640129721
486870588999427972620316784961405768178338632389406997904508630746
635982998229048889325267581672347369522114186031602028071509569270
732026692017727577011326006197065328718666651810454133238972948683
447232776843341691362072448435329936992481512015792783597815156719
769676431367534449049216941251045087280252065158880107411660274326
778014180841297043771922266803035911881975345024815357601711659136
496844027646036487905628225086138646193138364207898125498732836321
627175786310066350060960366721054025293316846285770953082487974620
909446393186696410377563887883430972575208913312580797638404215685
706398966708809408247061354437746429851275445179549353413978230514
scrt =
343954058138733778560556825177617362867807685324919380373090060125
302020955118666240627018828645271226090883288455059419112159826688
537447836385788864289577598233110202227858737904659082881991711118
374504514863088713614741186032363760363286329675502793863993554184
809521868180718065889695272041853809049199985765429730207703646225
770978040908420331822615554629180943776702091375557799810674396169
682882068130959961321263272549066013781521564839760970120751529680
639537565222931996729289036922343784119904425684449000281057955046
512604102143613618294594146229636800642249579717458781469782065360
811490551849010285338441263482471236858195226884575840335449287552
140714051383813140937294706150540994475567895188451649376024050934
285906534247787810714303066946242497737107847625632211838502054443
086673299183104314367496766518920649053811248507547576234741374603
473523799833592056319975785102073215070249987162092801886924087303
936573934477029687426730109671610765947174384490120720468033567341
893035609985755026393287169437585562015688022719636856951039833877
224
734580725490423637069978162926922123561522871223502453246067672365
546009281463262070193565563287388295076760299020375819878431468643
789539160011690541462016122104183997695753704964399151935135343472
990564200969488826925465826862532945841530575126630687844631754522
461907131146858040472157346177975487626855617599338344512135008099
164194885469690155975837964296907353949156108506145139076679936438
180535209513346746196698216076360399637128379668795586667710267559
927986322338086218818218479458538500795487570095583096637530176254
547986365059286516771870741782277409552356882891268995792074860155
566822084940940837527226123006842396745490989049373621579081577481
115639747580508122261710004356168230764252760621386757351701841304
367831516332887254836264573141231713138223220552327606574463912939
0
qt =
580960599536995806285950253330457437068697517636289523666148615228
720373099711022573733604453311840725132615775498051744399052959454
004712166288567218703240103211163970644049884404985098905162720024
476580704181239472968054002410482797658436938152229236120877904476
989274322575173807697956881130957912551133309324351955378481630638
158016186020024749256844815024251530444957718760413642873858099017
255157393414625583036640591500086964373205321856683254529110790372
283163413859958640669032595972518744716905954080501231020963901175
074876001709536073423494575741627299485601330861695852995830467763
701918159408852834506128586389827176345729488354663887955431161544
644633019925438234001629205709075117553388816191898729559153153669
870129226768546551743791579082315484463478026010289171803249539607
504189948551381112697730747896907485704371071615012131592202455675
924123901315291971095646840637944291494161435710791446256732969457
3
q =
580960599536995806285950253330457437068697517636289523666148615228
720373099711022573733604453311840725132615775498051744399052959454
225
004712166288567218703240103211163970644049884404985098905162720024
476580704181239472968054002410482797658436938152229236120877904476
989274322575173807697956881130957912551133309324351955378481630638
158016186020024749256844815024251530444957718760413642873858099017
255157393414625583036640591500086964373205321856683254529110790372
283163413859958640669032595972518744716905954080501231020963901175
074876001709536073423494575741627299485601330861695852995830467763
701918159408852834506128586389827176345729488354663887955431161544
644633019925438234001629205709075117553388816191898729559153153669
870129226768546551743791579082315484463478026010289171803249539607
504189948551381112697730747896907485704371071615012131592202455675
924123901315291971095646840637944291494161435710791446256732969457
3.
Example 2
In this example I implement FF attack against RSA-CRT signature protected by
Simplified Vigilant’s Countermeasure algorithms.
I choose three random prime numbers
p=
464768479629596645028760202664365949654958014109031618932918892182
976298479768818058986883562649472580106092620398441395519242367563
203769733030853774962592082568931176515239907523988079124130176019
581264563344991578374443201928386238126749550521783388896702323581
591419458060139046158365504904766330040906647459481564302785304510
526412948816019799405475852019401224355966175008330914299086479213
804125914731700466429312473200069571498564257485346603623288632297
826530731087966912535226076778014995773524763264400984816771120940
059900801367628858738795660593301839588481064689356682396664374210
961534527527082267604902869111861741076583590683731110364344929235
715706415940350587201303364567260094042711052953518983647322522935
896103381414837241395033263265852387570782420808231337442599631686
003351958841104890158184598317525988563496857292009705273761964540
226
739299121052233576876517472510355433195329148568633157005386375507
59,
q=
464768479629596645028760202664365949654958014109031618932918892182
976298479768818058986883562649472580106092620398441395519242367563
203769733030853774962592082568931176515239907523988079124130176019
581264563344991578374443201928386238126749550521783388896702323581
591419458060139046158365504904766330040906647459481564302785304510
526412948816019799405475852019401224355966175008330914299086479213
804125914731700466429312473200069571498564257485346603623288632297
826530731087966912535226076778014995773524763264400984816771120940
059900801367628858738795660593301839588481064689356682396664374210
961534527527082267604902869111861741076583590683731110364344929235
715706415940350587201303364567260094042711052953518983647322522935
896103381414837241395033263265852387570782420808231337442599631686
003351958841104890158184598317525988563496857292009705273761964540
739299121052233576876517472510355433195329148568633157005386375527
53 and e=3 and compute
n=p*q=
216009739657206791583431516727568899055887697219926680255917536694
185602422191444746561982872063457373526696288552653664750118864772
497953368233150894471619169889342240231775113245134369734412060430
920553368583575417786602157942009886406730048348007704168589421509
744896763698675278959515605477883901693776434379400235323332550570
938607058715832176099676880506927552799748768113368393444054786315
175937480781996720853004096025440796911426791889611430740851397787
193534619797590912130746012158233482426944253991678796909183757061
722532157524108155990131136871104793811726518049918458971331564932
466159646269622210851543023253985487781491995724027461905260673425
508270927318791784398723987134904509750827772010020786542552552000
056146557199297025215054839572329598582242877023342733766934070625
845549654990070044225561682579651965046246547974956875658257453634
189199105873242860256196822243654702000778097137497702214792232124
227
279235069869622527075794087557729756281456129279112661254194747732
550658116652235614412826763872663232717293774795898354482198372721
501790155139919945349449882038222784857262345464130811027013128923
179098892554977214407061126607775822930236073055718253539710953878
481288997270644477967184694594127629635035075689506969052353437341
182108897439859288754478923164652087191394233590616051225180711404
855445381604591555554344010722689509969790327331067302132313240277
668974257425657504322117238755754497326637446000516322329722415435
468407598352128661672387515784208010622201638714730479466804470040
897183849758140634223321847093444107610899403681842324116296770352
414543772881303264905122259837240805137993596796487188311791571436
697701097927790426234648710087072378071421752875413132275175112173
531230187789476238972027820486975368083258762312032677131526239675
511199415608418096737824123938237334178500108464316515056169757768
9527,
d≡e-1 mod (p-1)*(q-1) ≡
172807791725765433266745213382055119244710157775941344204734029355
348481937753155797249586297650765898821357030842122931800095091817
998362694586520715577295335911473792185420090596107495787529648344
736442694866860334229281726353607909125384038678406163334871537207
795917410958940223167612484382307121355021147503520188258666040456
750885646972665740879741504405542042239799014490694714755243829052
140749984625597376682403276820352637529141433511689144592681118229
754827695838072729704596809726586785941555403193343037527347005649
378025726019286524792104909496883835049381214439934767177065251945
972927717015697768681234418603188390225193596579221969524208538740
406616741855033427518979189707923607800662217608016629234042041600
044917245759437620172043871657863678865794301618674187013547256500
676439723992056035380449346063721572036997238379965500526605962907
351359284698594288204957457794923761600622477709998161771833785699
415951760221624475340175106803553949830685575197545623100429095911
112905717645487402586471274095739024892137537910343621257450820296
190171808383442295880158432309475329061566037850920839555624420322
228
229978881030461906271657810055366478534160865636226068609421525925
479568486487553357635213907596825842427373554192253870213038185000
777264510770831114213095524899411250163419928072359546351359185456
463490290647966036980606209006950494831855233745088296047877974105
369954914243118532857130173776155357928933560588182642106709594413
333767665859820867598089282057873579064345613936754676655096946045
342362527366079191096979031768965498231494185494534161527207897414
160183715649997002528876954036716482605711500589933446911076096782
383823224239594945125398435857404264256004883567398804421058495631
848930518890123312935091302816499878649591060132953986420840800307
757130746549898740160235019590424180411674820394355081532849624206
8813,
𝑑𝑝 ≡ 𝑑 𝑚𝑜𝑑 (𝑝 − 1) ≡
278861087777757987017256121598619569792974808465418971359751335309
785779087861290835392130137589683548063655572239064837311545420537
922261839818512264977555249541358705909143944514392847474478105611
748758738006994947024665921157031742876049730313070033338021394148
954851674836083427695019302942859798024543988475688938581671182706
315847769289611879643285511211640734613579705004998548579451887528
282475548839020279857587483920041742899138554491207962173973179378
695918438652780147521135646066808997464114857958640590890062672564
035940480820577315243277396355981103753088638813614009437998624526
576920716516249360562941721467117044645950154410238666218606957541
429423849564210352320782018740356056425626631772111390188393513761
537662028848902344837019957959511432542469452484938802465559779011
602011175304662934094910758990515593138098114375205823164257178724
443579472631340146125910483506213259917197489141179894203231825304
55
𝑑𝑞 ≡ 𝑑 𝑚𝑜𝑑 (𝑞 − 1) ≡
185907391851838658011504081065746379861983205643612647573167556873
190519391907527223594753425059789032042437048159376558207696947025
281507893212341509985036833027572470606095963009595231649652070407
229
832505825337996631349777280771354495250699820208713355558680929432
636567783224055618463346201961906532016362658983792625721114121804
210565179526407919762190340807760489742386470003332365719634591685
521650365892680186571724989280027828599425702994138641449315452919
130612292435186765014090430711205998309409905305760393926708448376
023960320547051543495518264237320735835392425875742672958665749684
384613811010832907041961147644744696430633436273492444145737971694
286282566376140234880521345826904037617084421181407593458929009174
358441352565934896558013305306340955028312968323292534977039852674
401340783536441956063273839327010395425398742916803882109504785816
295719648420893430750606989004142173278131659427453262802154550211
01
𝑖𝑞 ≡ q-1 mod p≡
473159485279880235410422874327313379036893063511200695302821138982
668949806384503841395874439407436979746924784056587779791405218732
850377411260096872203641889475892822630861089405063089579731322627
758258306715312389217712988924084284552307716930401343761437169945
150742978867644064042869596267139242719679285026453147208953945915
932105459426539715543187552457063433020366767937267681056743005418
265985760734880615271566860880712753331035828834129190248383111115
640851245791661400424528052085943049859706754978301905304937500254
925576041512681335626757869109529957053468686719856602439934142250
878593325416237213258752670159016717344766644477419335024884757446
591215659156926625886983866635676023523923489215468172920794745014
979483382282908525592736973134242902090616005135762093785595412398
488868844757995449860137780634191452750199909881032949701974316959
729577339887680120892342261382157236402466485252921418616316119498
7. I also choose arbitrarily a small integer r=28
The internal inputs (loaded from the firmware) to the attack are p, q, dp, dq and 𝑖𝑞
values which are given above. The inputs by the attacker to the attack algorithm are
the message M=55 and the random fault value X=756. I assume that p, q, dp, dq and
230
𝑖𝑞 are stored in the firmware in victim device, and attacker does not have any access
to them. The goal of this example is to compute q which has a factor of n=p*q.
The implementation in program MATLAB 2017b is:
a = arduino('COM5','Mega2560')
n=p*q
pdash=p*(r^2)
ipr=powermod(p,-1,r^2)
Mp=mod(M,pdash)
Bp=p*ipr
Ap=1-mod(Bp,pdash)
Mpdash=Ap*Mp+mod(Bp*(1+r),pdash)
qdash=q*(r^2)
iqr=powermod(q,-1,r^2)
Mq=mod(M,qdash)
Bq=q*iqr
Aq=1-mod(Bq,qdash)
Mqdash=Aq*Mq+mod(Bq*(1+r),qdash)
eupdash=(p-1)*(r^2-1)
Spdash=powermod(Mpdash,mod(dp,eupdash),pdash)
Spr=1+dp*r
cp=mod(Mpdash+n-M+1,p)
euqdash=(q-1)*(r^2-1)
Sqdash=powermod(Mqdash,mod(dq,euqdash),qdash)
Sqr=1+dq*r
cq=mod(Mqdash+n-M+1,q)
Sdash=Sqdash+q*mod(iq*(Spdash-Sqdash),pdash)
Sr=Sqr+q*mod(iq*(Spr-Sqr),pdash)
Sdashe=Sqdash+q*mod(X*(Spdash-Sqdash),pdash)
qt=gcd((Sdashe-Sdash),n)
clear Sdashe;
cs=mod(Sdash-Sr+1,r^2)
sfinal=powermod(M,d,n)
if mod(sfinal, n)~= powermod(Sdash,(cp*cq*cs),n) disp('error'); end
231
q=qt
clear arduino
clearvars a;
The results of the implementation program are:
a =
arduino with properties:
Port: 'COM5'
Board: 'Mega2560'
AvailablePins: {'D2-D53', 'A0-A15'}
Libraries: {'I2C', 'Servo', 'SPI'}
n=
216009739657206791583431516727568899055887697219926680255917536694
185602422191444746561982872063457373526696288552653664750118864772
497953368233150894471619169889342240231775113245134369734412060430
920553368583575417786602157942009886406730048348007704168589421509
744896763698675278959515605477883901693776434379400235323332550570
938607058715832176099676880506927552799748768113368393444054786315
175937480781996720853004096025440796911426791889611430740851397787
193534619797590912130746012158233482426944253991678796909183757061
722532157524108155990131136871104793811726518049918458971331564932
466159646269622210851543023253985487781491995724027461905260673425
508270927318791784398723987134904509750827772010020786542552552000
056146557199297025215054839572329598582242877023342733766934070625
845549654990070044225561682579651965046246547974956875658257453634
189199105873242860256196822243654702000778097137497702214792232124
279235069869622527075794087557729756281456129279112661254194747732
550658116652235614412826763872663232717293774795898354482198372721
501790155139919945349449882038222784857262345464130811027013128923
179098892554977214407061126607775822930236073055718253539710953878
481288997270644477967184694594127629635035075689506969052353437341
232
182108897439859288754478923164652087191394233590616051225180711404
855445381604591555554344010722689509969790327331067302132313240277
668974257425657504322117238755754497326637446000516322329722415435
468407598352128661672387515784208010622201638714730479466804470040
897183849758140634223321847093444107610899403681842324116296770352
414543772881303264905122259837240805137993596796487188311791571436
697701097927790426234648710087072378071421752875413132275175112173
531230187789476238972027820486975368083258762312032677131526239675
511199415608418096737824123938237334178500108464316515056169757768
9527
pdash =
364378488029603769702547998888862904529487083061480789243408411471
453418008138753358245716713117186502803176614392378054087086016169
551755470696189359570672192734042042387948087498806654033318057999
351711417662473397445563470311854810691371647609078176895014621687
967672855119149012188158555845336802752070811608233546413383678736
252707751871759522733893067983210559895077481206531436810483799703
622434717149653165680580978988854544054874377868511737240658287721
496000093172966059427617244193963756686443414399290372096348558817
006962228272221025251215797905148642237369154716455638998984869381
393843069581232497802243849383699605004041535096045190525646424520
801113830097234860365821837820731913729485465515558883179500857981
742545051029232397253706078400428271855493417913653368554998111241
826627935731426233884016725080940375033781536116935608934629380199
939610510904951124271189698448118659625138052477808395092222918397
95056
ipr =
151
Mp =
55
233
Bp =
701800404240690933993427906023192583978986601304637744588707527196
294210704450915269070194179600703595960199856801646507234055975020
437692296876589200193514044679086076538012260361221999477436565789
567709490650937283345409234911863219571391821287892917234020508608
203043381670809959699131912406197158361769037663817162097205809810
894883552712189897102268536549295848777508924262579680591620583612
844230131244867704308261834532105052962832028802873371471165834769
718061403942830037928191375934802643618022392529245487073324392619
490450210065119576695581447495885777778606407680928590418963205058
551917136565894224083403332358911229025641221932433976650160843145
930716688069929386673968080496562742004493689959813665307457009633
203116105936404234506500227531437105231881455420429319538325443845
865061457850068384138858743459464242730880254510934654963380566456
516341672788872701083541383490636704124947014338636067078133427016
4609
Ap =
701800404240690933993427906023192583978986601304637744588707527196
294210704450915269070194179600703595960199856801646507234055975020
437692296876589200193514044679086076538012260361221999477436565789
567709490650937283345409234911863219571391821287892917234020508608
203043381670809959699131912406197158361769037663817162097205809810
894883552712189897102268536549295848777508924262579680591620583612
844230131244867704308261834532105052962832028802873371471165834769
718061403942830037928191375934802643618022392529245487073324392619
490450210065119576695581447495885777778606407680928590418963205058
551917136565894224083403332358911229025641221932433976650160843145
930716688069929386673968080496562742004493689959813665307457009633
203116105936404234506500227531437105231881455420429319538325443845
865061457850068384138858743459464242730880254510934654963380566456
516341672788872701083541383490636704124947014338636067078133427016
4608
234
Mpdash =
364657349117381527689565255010461524099280057869946208214768162806
763203787226614649081108843254776186351240269964617118924397561590
089677732536007871835649747983583401093857231443321046880792536104
963460176400480392392588136233011842434247697339391246928352643082
116627706793985095615853575148279662550095355596709235351965349918
959023599641049134613536353494422200629691060911536435359063251591
150717192698492185960438566472774585797773516423002945202832260900
874696011611618839575138379840030565683907529257249012687238621489
570998168753041602566459075301504623341122243355269253008422868005
920419990297748747162806791105166722048687485250455429191865031478
342543253946799070718142619839472269785911092147330994569689251495
504082713058081299598543098358387783288035887366138307357463671020
838229946906730896818111635839930890626919634231310814757793637378
664054090377582464417315608931624872885055249966949574986426150223
255059
qdash =
364378488029603769702547998888862904529487083061480789243408411471
453418008138753358245716713117186502803176614392378054087086016169
551755470696189359570672192734042042387948087498806654033318057999
351711417662473397445563470311854810691371647609078176895014621687
967672855119149012188158555845336802752070811608233546413383678736
252707751871759522733893067983210559895077481206531436810483799703
622434717149653165680580978988854544054874377868511737240658287721
496000093172966059427617244193963756686443414399290372096348558817
006962228272221025251215797905148642237369154716455638998984869381
393843069581232497802243849383699605004041535096045190525646424520
801113830097234860365821837820731913729485465515558883179500857981
742545051029232397253706078400428271855493417913653368554998111241
826627935731426233884016725080940375033781536116935608934629380199
235
939610510904951124271189698448118659625138052477808395092222918413
58352
iqr =
225
Mq =
55
Bq =
104572907916659245131471045599482338672365553174532114259906750741
169667157947984063272048801596131330523870839589649313991829532701
720848189931942099366583218578009514715928979192897317802929289604
405784526752623105134249720433886903578518648867401262501758022805
858069378063531285385632238603572424259203995678383351968126693514
868442913483604454866232066704365275480092389376874455717294457823
105928330814632604946595306470015653587176957934202985815239942267
010969414494792555320425867275053374049043071734490221583773502211
513477680307716493216229023633492913907408239555105253539249484197
466345268693593510211103145550168891742231307903839499831977609078
036033943586578882120293257027633521159609986914541771320647567660
576623260818338379313882484234816787203426044681852050924584917129
350754190739248600285591534621443347426786792890702183686596442021
666342302236752554797216431314829972468949058427942460326211934493
69425
Aq =
104572907916659245131471045599482338672365553174532114259906750741
169667157947984063272048801596131330523870839589649313991829532701
720848189931942099366583218578009514715928979192897317802929289604
405784526752623105134249720433886903578518648867401262501758022805
858069378063531285385632238603572424259203995678383351968126693514
868442913483604454866232066704365275480092389376874455717294457823
105928330814632604946595306470015653587176957934202985815239942267
236
010969414494792555320425867275053374049043071734490221583773502211
513477680307716493216229023633492913907408239555105253539249484197
466345268693593510211103145550168891742231307903839499831977609078
036033943586578882120293257027633521159609986914541771320647567660
576623260818338379313882484234816787203426044681852050924584917129
350754190739248600285591534621443347426786792890702183686596442021
666342302236752554797216431314829972468949058427942460326211934493
69424
Mqdash =
563392351006997053103863117669744404171740104702968128470484281104
203869017175761251103900254643690661604605474446990659648425597960
115609670380000946009654122490058372171773815900578349514270599370
936408903686798791305500049377589797857245805142505824020582556645
605118667060500551753170665045557745275587038050383552247836346127
660117776554779200839317827817918164164302197345098734313352630102
973361433837767305405612580013124334570559592923737152912150480071
425320552224833491375201050270309777876666718029106873794889952803
540611751417839702563168099771200489949156746616438170401236554418
527572154268329124790663257937398802533034628626818851983658923219
534579317402892981805419938528432685998574338390255711977284362302
893256518951065704019059321730866264213302450503738027247919273529
773263244507187347849751370080505003336670890409374164732854253416
284178394539517541889714480177052856119377993894897112921929364414
471811
eupdash =
363913719549974173057519238686198538579832125047371757624475492579
270441709658984540186729829554537030223070521771979612691566773801
988551700963158505795709600651473111211432847591282665954193927823
332130153099128405867189027109926424453244898058556393506117919364
386081435661088873142000190340432036422029904960774064849080893431
742181338922943502934487592131191158670721515031523105896184713224
408630591234921465214151666515654474483375813611026390637034999089
237
198173562441878092515082018117185741690669889636025971111531787696
066902327470853396392477002244555340397780673651766282316588205007
182881535053705415534638946514587743262964951505361459415282079591
565398123681294509778620534456164653635442754462605364195853535458
806648947647817560012311045137162419467922635492845137217555511610
140624583772585128993858540482622849045218039259643599229355618235
398871211783898890694313180975608304191942723329239761935217532022
43514
Spdash =
234890193780752685593582341053798245342216691894067213673121370754
215601683923491389165035607372761127217131517172261147738614438333
621061890661290253953329994283452502172601118403104068252618998666
084164253701032422815210913798118371579450257243817606015493651389
695457963634825616163029785500214795074466323149924710836446748148
499070029569438486929950626878591707073637214418069470144550552423
402891191328422980928704544871567408908215180410906993050760143854
313050976431805334282693774112638271290070774238372344823068374465
423574162053589188194758738687797405308931050938655346279393136166
290876141134347666637972794466810698452849277233217293628666720112
978586079043882790156013676806500886688544360242603277234473545631
531677671870738495426957554453338548976900167519020344917116254924
483484587509785333553070087708206235823168523439063340572578957605
402148818996253359711804524174756566239727930210538698368860797511
69493
Spr =
780811045777722363648317140476134795420329463703173119807303738867
400181446011614339097964385251113934578235602269381544472327177506
182333151491834341937154698715804376545603044640299972928538695712
896524466419585851669064579239688880052939244876596093346459903617
073584689541033597546054048240007434468723167731929028028679311577
684373754010913263001199431392594056918023174013995936022465285079
190931536749256783601244954976116880117587952575382294087124902260
238
348571628227784413059179808987065192899521602284193654492175483179
300633346297616482681176709796747090508648188678119226426396148674
415378006245498209576236820107927725008660432348668265412099481116
002386778779788986498189652472996957991754568961911892527501838532
305453680776926565543655882286632011118914466957828646903567381232
485631290853056215465750125173443660786674720250576304859920100428
442022523367752409152549353817397127768152969595303703769049110852
741
cp =
1
euqdash =
363913719549974173057519238686198538579832125047371757624475492579
270441709658984540186729829554537030223070521771979612691566773801
988551700963158505795709600651473111211432847591282665954193927823
332130153099128405867189027109926424453244898058556393506117919364
386081435661088873142000190340432036422029904960774064849080893431
742181338922943502934487592131191158670721515031523105896184713224
408630591234921465214151666515654474483375813611026390637034999089
198173562441878092515082018117185741690669889636025971111531787696
066902327470853396392477002244555340397780673651766282316588205007
182881535053705415534638946514587743262964951505361459415282079591
565398123681294509778620534456164653635442754462605364195853535458
806648947647817560012311045137162419467922635492845137217555511610
140624583772585128993858540482622849045218039259643599229355618235
398871211783898890694313180975608304191942723329239761935217532038
04816
Sqdash =
299086069792410282204582350451858994288880046696178348719891511234
731789595365182440017144611180452137547239569661003011174203273066
789792373872326758649253862533541337419628165941493178503739275014
239
380645106650355471642208215095801135700467753321911084888470600768
396641371776161921495446894473320916295110506794920218462504337207
330826262124861523295424094613621312827498846168922011014642682504
909510371732341230863473019667069093457282488387749994902410031712
212574764011282077865442308365232276000307218641398083045734578241
430849676196389484639814159304521522642228969707100261194033328968
015068277981137142754715145186776450044207529104429433747445385995
302932193995521690361603553896352316425194156935097093455709053771
961925175699322596388679244719289125303216240823366088508864803186
618616336261866920521840839941602395334173012358070098973530744506
705555403363240355538476076012353909141698621562776538258325200191
27005
Sqr =
520540697185148242432211426984089863613552975802115413204869159244
933454297341076226065309590167409289718823734846254362981551451670
788222100994556227958103132477202917697068696426866648619025797141
931016310946390567779376386159792586701959496584397395564306602411
382389793027355731697369365493338289645815445154619352019119541051
789582502673942175334132954261729371278682116009330624014976856719
460621024499504522400829969984077920078391968383588196058083268173
565714418818522942039453205991376795266347734856129102994783655452
867088897531744321787451139864498060339098792452079484284264099116
276918670830332139717491213405285150005773621565778843608066320744
001591185853192657665459768315331305327836379307941261685001225688
203635787184617710362437254857754674079276311305219097935711587488
323754193902037476977166750115629107191116480167050869906613400285
628015015578501606101699569211598085178768646396869135846032740590
829
cq =
1
240
Sdash =
232984893843810085293278926443081065552688900367764085872204342752
662580713623980903461421942959010076615483313219928273086125252251
246131357335284860526891635317417742208854512147009072019475970357
579782786878564562108383134158851266563083684981002038315126232527
809994909722681915782024143089262501926730502257009951901531017978
785510546702114473692988140231747503637113709797616212343204620545
554072252265073936503445156362407552270846039836753248944222224566
912645674446583878099630025464456738356544514136767796598907484482
776696207169877129394816249209745799126893473802355439826321590077
769263050055236043298251631125510897024862528167846773628966907750
554887555117065863885938256478332645840357404962348062140524616046
503730899747324326894776592086040421220699292379990045487565419219
916481962550063073513676214196489952946886703082742504109259661518
827732779136552059667984406586134251316307875353032245521604230520
453225842965495646982486911595516394917588566065097540133240008131
239484865191205901041601447008102600105488796829642917899845609078
731805889491178810941095480978467484007056916633016460090733279494
100410710643651053251396589307805188211966712774093781113115305278
901153362981215732547926110250062798232956434404942077713017919077
889880490979439386058655191310101571737477996709672934676014213708
557142095070567514371483835307115077939674102951367524710521809796
854503044671509332799098759284671668231437790483651818593629698796
211517629021015304260498365480696494522164225213348142375516988469
619485123579746538091465757562210670998158799484498882107481293733
236843641235480066598283789158966259244076602229414593027447745226
809498953055469674783679086899762924015138660738577209260517862497
006380189985758139215135098298553354430018522704160068039996649635
847532486558608319293190854579952507481941591906047800110095250447
384325
Sr =
494726868411210019751024936186759474456757806105820200244141694060
712980709829254056923305341614961227198913794159687916141458795536
241
344490134120248024735747660844614817380102089555778017666909791700
758332334321019507608450744538824223568652739056363626794657778915
901474550991914438198564493465550132273637448347126500044018655250
849750891544007255974857552559852124407647673094857135311104445943
921324543497565906021999435285035334011901160031004664065918581290
286618224488639339322853666048596553973111799401916882516292525596
725133560071172756686292037716462464517475486116037318888655659629
499837501265948751936125559180342602200518259590897271096695655966
561183617879332082914753777828967637804727339804711880213929477139
803617473232172926472178778550617282478890359273477885536572448366
131646697687728847488350914472908251997613503058535434975510030929
798770848471341221573808422690254733079471142217133503683970508540
700787409214722298363656703822382142330779240701405933132888769516
702981874250157200881038791824303027387023329878349925992965416688
917223664308236582076576384871606677914061603521860765140550030285
203327927056117125517998825841167293735001424609426754407548859494
666168432158741145633620550115685347791069670368784584427722467343
245253368172193929304431760311711755986888798745059404497849486196
140501576400554826118569744743226646290690439276762539294217395285
797459537869959437460890684447616331471785630350183822299335653898
763181352776108387892854597321281407376647501216049625123425603160
000998650407085099839775756561770852991427584861601266828000400918
448396045962900790649557768476117370473231806205330311381245920894
934138587492589610071919602976318747919961795893401235205681115458
661181348350250425169558974711379801288207212968425386273188788120
785472068385300925950305655216799495094305768283145167627277468540
279813
Sdashe =
136937121951800817461170539181411708350853578926972432911471981903
704623629629875159637746823019153239973653936128657395313242055226
262390596614700029774592685029656637962116343257864620217681212027
617852923382530175734203442260253283996296451574215008853507848884
491035545656047004202730934849722544063761745281106792487306357432
242
467974095770680936192889287679887374908885783100998786363935532253
856713549020681420899161315126901586153518787395414234088440969894
127837617609198940682958609348507400655827555047623830535227373503
157842179127771089376318547074245945684484935586408823740645339431
572739924136403216992953126242692686736000977244776808867838878708
817136064218526715267715141400411836392245830580265142659275509557
027897382967723015712294965671773537062157219201142648504049354178
184669677601380951023653915925448935954089910935102708578352460624
911268459700610129121636965852213215376981943663298231636130064564
302280363950296018390895899037906300072185821701394705120161028213
749665001070827173723246900334704997401176381771272106647838533333
302278426393761026691745272382105528663570306455246334056212221135
951481621205229876500731752712055181130466668201290164476445720875
354343377352592949516404455947293010269191092402753417954543650022
630132117750271485882076783401548953842176113328865856228580991808
005053951277377167446718803111055427270774067659368147403844641789
436952051890667430812691393571408924980197511009742450903904230156
253491645015677999037017033567329944704761465628253674493489427734
994758724358560826705466277192531486916370022943130431810644421947
920826848207514595287357470076043527303131252671460901642360779016
593992642671273505885179574075408500880610262992197044672606917298
901601303287594896453983184333124809079046166680074252071563243473
071048665277181617214609515561284192183791085990042807721809719202
1390301
qt =
464768479629596645028760202664365949654958014109031618932918892182
976298479768818058986883562649472580106092620398441395519242367563
203769733030853774962592082568931176515239907523988079124130176019
581264563344991578374443201928386238126749550521783388896702323581
591419458060139046158365504904766330040906647459481564302785304510
526412948816019799405475852019401224355966175008330914299086479213
804125914731700466429312473200069571498564257485346603623288632297
826530731087966912535226076778014995773524763264400984816771120940
243
059900801367628858738795660593301839588481064689356682396664374210
961534527527082267604902869111861741076583590683731110364344929235
715706415940350587201303364567260094042711052953518983647322522935
896103381414837241395033263265852387570782420808231337442599631686
003351958841104890158184598317525988563496857292009705273761964540
739299121052233576876517472510355433195329148568633157005386375527
53
cs =
1
q =
464768479629596645028760202664365949654958014109031618932918892182
976298479768818058986883562649472580106092620398441395519242367563
203769733030853774962592082568931176515239907523988079124130176019
581264563344991578374443201928386238126749550521783388896702323581
591419458060139046158365504904766330040906647459481564302785304510
526412948816019799405475852019401224355966175008330914299086479213
804125914731700466429312473200069571498564257485346603623288632297
826530731087966912535226076778014995773524763264400984816771120940
059900801367628858738795660593301839588481064689356682396664374210
961534527527082267604902869111861741076583590683731110364344929235
715706415940350587201303364567260094042711052953518983647322522935
896103381414837241395033263265852387570782420808231337442599631686
003351958841104890158184598317525988563496857292009705273761964540
739299121052233576876517472510355433195329148568633157005386375527
53
top related