fault attacks on rsa and elliptic curve cryptosystems

Fault Attacks on RSA and Elliptic Curve Cryptosystems

by

Mohammed Kahlil Ibrahim Amain

M. Sc. in Computer

B. Sc. In Control and Systems Engineering

Submitted in fulfilment of the requirements for the degree of

Doctor of Philosophy

Deakin University

July, 2018

lswan

Redacted stamp

Acknowledgment

I would like to express my great respect and gratitude to Prof. John Yearwood for

the kindness and support he offered me through his participation in my supervisory

committee.

I am very grateful to Prof. Lynn Margaret Batten for her excellent supervision

throughout my PhD study. I have the honour to be a student of such a brilliant,

highly experienced professor in security research fields. I really appreciate her

patient guidance and valuable advice which improved my knowledge and

developed my skill in this research area.

I am also indebted to Prof. Yong Xiang, Prof. Jemal Abawajy and Associate Prof.

Gang Li for their participation in my supervisory committee.

I would like to thank Ms. Judy Chow and Mr. Nghia Dang for their technical

support throughout my research work in Deakin University. I am also grateful to

Sophie Dougall and my aunt Faiza M. Taki for their efforts in editing and

proofreading my thesis material.

I would like to express special thanks to the Iraqi Government represented by the

Ministry of Higher Education and Scientific Research for granting me a scholarship

to pursue my Ph.D studies in Deakin University.

I will always be grateful to my family members, particularly my wife Noor, my

mother and my brother Anmar, for their unlimited love, support and encouragement

which inspired me to exert all my time and energy to the completion of this thesis.

I am also thankful to my friends Mr. Ahmed Mohammed, Dr. Majeed Alajeely and

Dr. Baker Alrubaiey for their support and suggestions which helped me to complete

my research work.

https://www.facebook.com/majeed.alajeely?fref=%2Freqs.php

https://www.facebook.com/majeed.alajeely?fref=%2Freqs.php

List of publications

Published

1. Amain, M & Batten, LM 2015, ‘Cryptographic Public Key Length Prediction’,

in W Niu, G Li, J Liu, J Tan, L Guo, Z Han & L Batten (eds), Proceedings of

Applications and Techniques in Information Security, Berlin, Heidelberg, pp. 27-

35.

2. Batten, LM & Amain, MK 2016, ‘A New Sign-Change Attack on the

Montgomery Ladders’, in L Batten & G Li (eds), Proceedings of Applications and

Techniques in Information Security, Singapore, pp. 3-14.

Hirschfeld, STE, Batten, LM & Amain, MK 2018, May.’ Efficiencies in Binary

Elliptic Curves’. In 2018 International Conference on Computational Science and

Its Applications.

Accepted

Amain, MK & Batten, LM 2018, ‘Fault Attack Simulations on Elliptic Curve

Scalar Multiplication Algorithms to Retrieve the Secret Key’, In the Kangacrypt

2018 Australian Workshop on Offensive Cryptography.

i

Abstract

The considerable growth in world population represents a constantly increasing

demand for electronic services. The fast development of internet services and

communication methods provide a promising communication environment to be

used for human interaction. However, data transmitted through this extensive

communication environment are often exposed to the threat of attackers, and

therefore, they should be well protected against unauthorized access of intruders by

utilizing reliable, firmly established security systems. Over many years

cryptography was being used to ensure the security and authentication of data being

exchanged among clients in different communication networks. The two major

public key cryptosystems commonly considered as reliable and trustworthy for

security and authentication purposes are RSA and elliptic curve cryptosystems

ECC. RSA and ECC algorithms are currently used to secure and authenticate

information stored in hardware devices or transferred throughout networks.

In future years, IoT hardware devices are expected to play a vital role in any

communication environment. These hardware devices can be locally used to

organise a specific location like smart home. They can also provide communication

through a wide area network with data servers by using internet technique. In both

ways IoT devices use and transfer information that may be confidential and

personal like medical records and bank accounts details. The small size and limited

resources of these IoT devices will restrict the choices of designers who try to work

out efficient mechanisms to secure and authenticate information stored or

transferred through these devices. One of the solutions suggested by experts is the

use of RSA and ECC as protective techniques.

In this thesis, I focus on examining the suitability and reliability of the current RSA

and elliptic curve authentication techniques implemented on small devices with

limited power. One of the security risks RSA and ECC may encounter are fault

attacks. The aim of fault attacks is to inject faults inside hardware devices like IoT

in order to retrieve the secret information stored inside these devices through the

faults generated in their computations. I consider an IoT device as an example of a

hardware device of small size and limited power. Developers of IoT hardware

devices usually try to protect their devices from all risks which threaten the

hardware components, but they give less attention to risks against the software used

ii

to program and update their devices. In this thesis, I will concentrate on the security

risks against hardware devices which threaten the software used to program these

devices by proposing various forms of fault attacks against them. I propose a

factoring attack and a retrieve secret key attack against RSA cryptosystems, and a

fault point attack against elliptic curve cryptosystems (ECC), which are used to

secure hardware devices. The attacks proposed in this research work are based on

the concept of safe error attack. The three fault attacks proposed here target the

software used to program and update EEPROM devices inside the hardware devices

through injecting faults in the hardware devices by modifying cryptography

algorithms.

I demonstrate the security risks against IoT hardware devices through a number of

steps. Firstly, I carry out a full investigation of previous research projects that

focused on fault attacks against hardware devices that use RSA and ECC to secure

them. Secondly, I build an implementation platform by using Intel (R) Core (TM)

i7-4500 CPU 2.4 GHZ with 8 GB RAM as a hardware platform and Windows 7 as

the operating system and Maple software to implement the proposed attacks.

Thirdly, the full review I have made of EEPROM devices support the concept I

have suggested in this thesis, namely that the hardware device may be attacked by

means of targeting the software used to program EEPROM inside the hardware

device. I utilize this basic concept to get control over EEPROM inside the hardware

device, and then modify the original cryptography algorithm stored in EEPROM

after it is loaded in the RAM of the same device by injecting a fault value and using

it instead of the correct value in the computation in order to deduce the secret

information in view of the fault result. Furthermore, I eliminate the generated fault

result in order to render any countermeasures, used to check free-error procedures,

quite useless. Finally, I verify that my proposed attacks can be applied on hardware

devices with limited resources by implementing all the attacks suggested in this

research work on Arduino Mega2560 with Microcontroller ATmega2560, Flash

Memory 256 KB of which 8 KB are used by the bootloader (firmware),

SRAM 8KB and EEPROM 4KB as a hardware platform and MATLAB 2017b

as a software platform.

In addition, I provide a short comparison between Maple and MATLAB

concerning implementation of RSA and ECC algorithms. In view of the result of

http://www.atmel.com/Images/Atmel-2549-8-bit-AVR-Microcontroller-ATmega640-1280-1281-2560-2561_datasheet.pdf

iii

this comparison, I recommend Maple to be used in this operation as it is more

powerful than MATLAB when implementing RSA algorithms with high numbers

3072 bits long digits or implementing ECC algorithms with high numbers 384 bits

long digits.

The main contribution of this research work is that it offers, for the first time, a fault

attack which targets the software used to program an EEPROM by injecting an error

inside the hardware device through modifying the cryptography algorithm stored in

EEPROM inside the hardware device. Furthermore, the concept of safe error is

improved as I eliminate the fault result, I generated so that the attacks proposed here

will be more effective against the currently used countermeasures.

iv

Table of contents

Table of contents ................................................................................................... iv

List of Figures ..................................................................................................... xiii

List of Algorithms ............................................................................................... xiv

List of Tables ........................................................................................................ xv

List of Acronyms ................................................................................................ xvi

Chapter One Introduction .................................................................................... 1

1.1 Background ................................................................................................... 1

1.2 Example Application .................................................................................... 2

1.3 Problem Overview ........................................................................................ 4

1.4 Thesis Aims and Significance ...................................................................... 5

1.5 Thesis Contributions ..................................................................................... 6

1.6 Chapter Summary ......................................................................................... 8

Chapter Two Literature Review ........................................................................ 10

2.1 Introduction ................................................................................................. 10

2.2 Background ................................................................................................. 10

2.2.1 Triangular Fuzzy Number TFN .......................................................... 10

2.2.2 Residue Number System (RNS) ......................................................... 10

2.2.3 Side-Channel attacks ........................................................................... 10

2.2.4 Differential Fault Analysis DFA ......................................................... 11

2.2.5 Differential power analysis DPA ........................................................ 11

2.2.6 Simple power analysis SPA ................................................................ 11

2.3 Public key Cryptosystems........................................................................... 11

2.3.1 RSA Cryptosystems ............................................................................ 11

2.3.2 Elliptic Curve Cryptosystems (ECC) .................................................. 12

2.4 Fault Attacks on Public Key Cryptosystem ................................................ 13

2.4.1 Physical Types of Fault Attacks .......................................................... 14

v

2.4.1.1 Below-Powering ............................................................................. 14

2.4.1.2 Clock Faults .................................................................................... 14

2.4.1.3 Temperature Variation ................................................................... 14

2.4.1.4 Optical Fault ................................................................................... 15

2.4.1.5 Electromagnetic Fault ..................................................................... 15

2.4.2 Fault Attacks Goals ............................................................................. 15

2.4.2.1 Fault Attacks on Input Parameters ................................................. 15

2.4.2.2 Fault Attacks on Data Processing Section ...................................... 16

2.4.2.3 Fault Attacks on Storage Section ................................................... 16

2.4.2.4 Fault Attacks on Instruction Processing Section ............................ 16

2.4.3 Summary ............................................................................................. 16

2.5 Fault Attacks on RSA Cryptosystems ........................................................ 16

2.5.1 Specific Algorithm Fault Attacks ....................................................... 17

2.5.1.1 RSA - CRT Algorithm ................................................................... 17

2.5.1.2 Modular Exponentiation Algorithms .............................................. 22

2.5.2 Tampering with the Program Flow of Fault Attacks .......................... 24

2.5.3 Safe-Error Fault Attacks ..................................................................... 25

2.5.4 Summary ............................................................................................. 25

2.6 RSA Countermeasures against Fault Attack............................................... 26

2.6.1 RSA Countermeasures against Fault Attack ....................................... 26

2.6.2 Summary ............................................................................................. 29

2.7 Fault Attacks on Elliptic Curve Cryptosystems (ECC) .............................. 29

2.7.1 Safe-Error Fault Attacks ..................................................................... 29

2.7.1.1 Computation Safe-Error ................................................................. 30

2.7.1.2 Memory Safe-Error ........................................................................ 35

2.7.2 Weak Curve Based Attacks ................................................................. 35

2.7.2.1 Invalid Point Attacks ...................................................................... 35

vi

2.7.2.2 Invalid Curve Attacks ..................................................................... 36

2.7.3 Sign Change Fault Attacks .................................................................. 38

2.7.4 Summary ............................................................................................. 38

2.8 Fault Attack on ECC Countermeasures ...................................................... 39

2.8.1 Fault Attack on ECC Countermeasures .............................................. 39

2.8.2 Summary ............................................................................................. 41

Chapter Three EEPROM Environment ........................................................... 43

3.1 Introduction ................................................................................................. 43

3.2 EEPROM Architecture ............................................................................... 43

3.2.1 General Configuration ......................................................................... 43

3.2.2 EEPROM Memory Cell Design .......................................................... 44

3.3 EEPROM Programming ............................................................................. 46

3.3.1 Analogous Programming of EEPROM Cell ....................................... 46

3.3.2 Digital Programming of EEPROM Cell ............................................. 46

3.4 Attacks on EEPROM Memory Devices ..................................................... 47

3.4.1 Software Attack ................................................................................... 47

3.4.2 Laser Attack ........................................................................................ 48

3.4.3 Optical Fault Masking Attacks ........................................................... 49

3.4.4 Extraction and Analysis of Non-Volatile Memory of the ZW0301

Module IoT Device ...................................................................................... 49

3.4.5 Microprobing Attacks ......................................................................... 49

3.5 Implications for Attacks Proposed in the Thesis ........................................ 50

3.6 Summary ..................................................................................................... 50

Chapter Four Proposed Fault Attacks against RSA ........................................ 52

4.1 Introduction ................................................................................................. 52

4.2 Background of RSA Cryptosystem ............................................................ 54

4.2.1 Classical RSA ..................................................................................... 54

vii

4.2.2 RSA Encryption .................................................................................. 54

4.2.3 RSA Decryption .................................................................................. 54

4.2.4 RSA Signature ..................................................................................... 54

4.2.5 RSA-CRT Signature ........................................................................... 54

4.2.6 RSA-CRT Signature Gauss’s Algorithm ............................................ 55

4.2.7 RSA-CRT Signature Garner’s Algorithm ........................................... 55

Example 1. ................................................................................................... 55

4.2.8 RSA-CRT Signature Cryptanalysis .................................................... 56

Example 2. ................................................................................................... 56

4.2.9 RSA-CRT Garner’s Signature Algorithm Protected by Modified

Shamir’s Countermeasure ............................................................................ 57

Example 3 .................................................................................................... 58

4.2.10 RSA-CRT Garner’s Signature Algorithm Protected by Simplified

Vigilant’s Countermeasure .......................................................................... 59

Example 4 .................................................................................................... 61

4.3 Fault Factoring Attack ................................................................................ 63

4.3.1 RSA-CRT Signature Using Garner’s Algorithm Protected by Modified

Shamir’s Countermeasure ............................................................................ 64

4.3.2 FF Attack against RSA-CRT with Garner’s Algorithm and Protected

by Modified Shamir’s Countermeasure ....................................................... 65

Example 5 .................................................................................................... 66

4.3.3 RSA-CRT Signature with Garner’s Algorithm Protected by Simplified

Vigilant’s Countermeasure .......................................................................... 66

4.3.4 FF Attack against RSA-CRT Signature with Garner’s Algorithm

Protected by Simplified Vigilant’s Countermeasure ................................... 66

Example 6 .................................................................................................... 67

4.4 Retrieve Secret Key Attack ........................................................................ 68

4.4.1 Protected Montgomery Ladder RSA Left-to-Right Algorithm ........... 68

viii

4.4.2 RSK Attack against the Protected Montgomery Ladder RSA Left-to-

Right Algorithm ........................................................................................... 68

Example 7 .................................................................................................... 70

4.4.3 Protected Montgomery Ladder RSA Right-to-Left Algorithm ........... 70

4.4.4 RSK Attack against the Protected Montgomery Ladder RSA Right-to-

Left Algorithm ............................................................................................. 71

Example 8 .................................................................................................... 72

4.5 Summary ..................................................................................................... 72

Chapter Five Proposed Fault Attack against Elliptic Curve Cryptosystem .. 74

5.1 Introduction ................................................................................................. 74

5.2 Mathematical Background .......................................................................... 76

5.2.1 ECC Key Generation .......................................................................... 76

5.2.2 ECC Encryption .................................................................................. 77

5.2.3 ECC Decryption .................................................................................. 77

5.2.4 ECC Signature ..................................................................................... 77

5.2.5 General Weierstrass Elliptic Curves Background ............................... 78

5.2.6 Montgomery Elliptic Curves Background .......................................... 79

5.3 Montgomery Ladder Algorithms ................................................................ 81

5.3.1 Left-to-Right Montgomery Ladder Algorithms .................................. 81

5.3.2 The Fault Point Attack against Left-to-Right Montgomery Ladder

Algorithm ..................................................................................................... 82

Example 1 .................................................................................................... 84

5.3.3 The Right-to-Left Montgomery Ladder Algorithm ............................ 84

5.3.4 Fault Point Attack against Right-to-Left Montgomery Ladder

Algorithm ..................................................................................................... 84

Example 2 .................................................................................................... 86

5.4 Coron’s Algorithms .................................................................................... 86

5.4.1 Left-to-Right Coron Algorithm ........................................................... 87

ix

5.4.2 Fault Point Attack against Left-to-Right Coron Algorithm ................ 87

Example 3 .................................................................................................... 89

5.4.3 Right-to-Left Coron Algorithm ........................................................... 89

5.4.4 Fault Point Attack against Right-to-Left Coron Algorithm ................ 90

Example 4 .................................................................................................... 92

5.5 Joye’s Algorithms ....................................................................................... 92

5.5.1 The Left-to-Right Joye-Yen Algorithm .............................................. 92

5.5.2 Fault Point Attack against Left-to-Right Joye-Yen Algorithm ........... 92

Example 5 .................................................................................................... 94

5.5.3 The Right-to-Left Joye Algorithm ...................................................... 94

5.5.4 Fault Point Attack against the Right-to-Left Joye Algorithm ............. 95

Example 6 .................................................................................................... 96

5.6 Summary ..................................................................................................... 97

Chapter Six Implementation of Proposed Attacks on RSA and ECC by

Arduino Mega2560 Hardware ........................................................................... 98

6.1 Introduction ................................................................................................. 98

6.2 Hardware Implementation of proposed RSK attack on RSA Algorithm by

using Arduino Mega2560 ................................................................................. 99

6.2.1 Description of a general IoT device .................................................... 99

6.2.2 Preparing the victim device ................................................................. 99

6.2.3 Generic plan to attack an IoT device ................................................ 101

6.2.4 Implementation Time of RSK Attack against RSA Program ........... 109

6.3 Maple and MATLAB: A Comparison ...................................................... 110

Example ..................................................................................................... 111

6.4 Summary ................................................................................................... 111

Chapter Seven Summary, Conclusion & Future work .................................. 113

7.1 Summary ................................................................................................... 113

7.2 Conclusion ................................................................................................ 114

x

7.3 Future work ............................................................................................... 115

References .......................................................................................................... 117

Appendices ......................................................................................................... 138

Appendix A ..................................................................................................... 138

A.1 Example 5 ............................................................................................ 138

A.2 Example 6 ............................................................................................ 139

A.3 Example 7 ............................................................................................ 140

A.4 Example 8 ............................................................................................ 142

Appendix B ..................................................................................................... 144

B.1 example 1 ............................................................................................ 144

B.2 Example 2 ............................................................................................ 145

B.3 Example 3 ............................................................................................ 147

B.4 Example 4 ............................................................................................ 149

B.5 Example 5 ............................................................................................ 151

B.6 Example 6 ............................................................................................ 154

Appendix C ..................................................................................................... 157

C.1 Implementation Examples of Fault Factoring (FF) Attack Algorithms

against RSA-CRT by Using Arduino Hardware ............................................ 157

C.1.1 Implementation of FF Attack against RSA-CRT Signature Algorithm

Protected by Modified Shamir’s Countermeasure ..................................... 157

FF Attack Algorithm against RSA-CRT Signature Algorithm Protected by

Modified Shamir’s Countermeasure ........................................................ 157

Example of the Implementation Process .................................................. 158

C.1.2 Implementation of the FF Attack against RSA-CRT Signature

Algorithm Protected by Simplified Vigilant’s Countermeasure ................ 160


Simplified Vigilant’s Countermeasure ..................................................... 160


xi

C.2 Implementation Examples of RSK Attack against Protected RSA

Montgomery Ladder Algorithms by using Arduino Hardware ...................... 164

C.2.1 Implementation of RSK Attack Algorithm against Protected RSA

Montgomery Ladder Left-to-Right Algorithm .......................................... 164

RSK Attack Algorithm against Protected RSA Montgomery Ladder Left-

to-Right Algorithm ................................................................................... 164


C.2.2 Implementation of RSK Attack against Protected RSA Montgomery

Ladder Right-to-Left Algorithm ................................................................ 167

RSK Attack Algorithm against Protected RSA Montgomery Ladder Right-

to-Left Algorithm ..................................................................................... 167


C.3 Implementation Examples of Proposed Attacks against ECC by Using

Arduino Hardware .......................................................................................... 170

C.3.1 Implementation of Fault Point Attack against Left-to-Right ECC

Montgomery Ladder Algorithm ................................................................. 171

Fault Point Attack against Left-to-Right ECC Montgomery Ladder

Algorithm ................................................................................................. 171


C.3.2 Implementation of Fault Point Attack against Right–to-Left ECC

Montgomery Ladder Algorithm ................................................................. 174

Fault Point Attack against Right–to-Left ECC Montgomery Ladder

Algorithm ................................................................................................. 174


C.3.3 Implementation of the Fault Point Attack against Left-to-Right Coron

Algorithm ................................................................................................... 178

Fault Point Attack against Left-to-Right Coron Algorithm ..................... 178


C.3.4 Implementation of Fault Point Attack against Right-to-Left Coron

Algorithm ................................................................................................... 181

xii

Fault Point Attack against Right-to-Left Coron Algorithm ..................... 181


C.3.5 Implementation of Fault Point Attack against Left-to-Right Joye-Yen

Algorithm ................................................................................................... 184

Fault Point Attack against Left-to-Right Joye-Yen Algorithm ................ 184


C.3.6 Implementation of the Fault Point Attack against Right-to-Left Joye

Algorithm ................................................................................................... 188

Fault Point Attack against Right-to-Left Joye Algorithm ........................ 188


Appendix D ..................................................................................................... 192

Appendix E ..................................................................................................... 197

Appendix F ..................................................................................................... 209

Appendix G ..................................................................................................... 216

xiii

List of Figures

Figure 1.1 Scenario 1 of fault injection attack ........................................................ 2

Figure 1.2 Scenario 2 of Fault Injection Attack ...................................................... 3

Figure 3.1 General Architecture of EEPROM ...................................................... 44

Figure 3.2 EEPROM Cell Configuration .............................................................. 45

Figure 3.3 Floating Gate Operation. ...................................................................... 45

Figure 6.1 Handshake Program. ............................................................................ 99

Figure 6.2 RSA MATLAB Script. ...................................................................... 100

Figure 6.3 ECC MATLAB Script. ...................................................................... 101

Figure 6.4 the Main Components of Arduino Mega2560 ................................... 102

Figure 6.5 Block Diagram of the Plan of Attack. ................................................ 103

Figure 6.6 Screen Shot of the First 26 Locations of EEPROM Content. ............ 105

Figure 6.7 RSK Attack Algorithm against RSA Algorithm ................................ 108

xiv

List of Algorithms

Algorithm 2.1 RSA-CRT Signature Using Garner’s Algorithm Protected by

Modified Shamir’s Countermeasure ..................................................................... 17

Algorithm 2.2 RSA-CRT Signature with Garner’s Algorithm Protected by

Simplified Vigilant’s Countermeasure .................................................................. 18

Algorithm 2.3 Protected Montgomery Ladder RSA Left-to-Right Algorithm ..... 22

Algorithm 2.4 Protected Montgomery Ladder RSA Right-to-Left Algorithm ..... 23

Algorithm 2.5 The Left-to-Right Montgomery Ladder Algorithm ....................... 30

Algorithm 2.6 The Right-to-Left Montgomery Ladder Algorithm ....................... 31

Algorithm 2.7 The Left-to-Right Coron Algorithm. ............................................. 31

Algorithm 2.8 The Right-to-Left Coron Algorithm .............................................. 32

Algorithm 2.9 The Left-to-Right Joye-Yen Algorithm ......................................... 32

Algorithm 2.10 The Right-to-Left Joye Algorithm ............................................... 33

Algorithm 4.1 FF Attack against Algorithm 2.1 ................................................... 65

Algorithm 4.2 FF Attack against Algorithm 2.2 ................................................... 66

Algorithm 4.3 RSK Attack against Algorithm 2.3 ................................................ 69

Algorithm 4.4 RSK Attack against Algorithm 2.4 ................................................ 71

Algorithm 5.1 Fault Point Attack against Algorithm 2.5 ...................................... 83





Algorithm 5.6 Fault Point Attack against Algorithm 2.10 .................................... 96

Algorithm C.1.1 The FF Attack Algorithm against RSA-CRT Signature

Algorithm Protected by Modified Shamir’s Countermeasure ............................. 157

Algorithm C.1.2 FF Attack Algorithm against RSA-CRT Signature Algorithm

Protected by Simplified Vigilant’s Countermeasure ........................................... 160

Algorithm C.2.1 RSK Attack against Protected RSA Montgomery ladder Left-to-

Right Algorithm .................................................................................................. 164

Algorithm C.2.2 RSK Attack against Protected RSA Montgomery ladder Right-

to-Left Algorithm ................................................................................................ 167

Algorithm C.3.1 The Fault Point Attack against Left-to-Right ECC Montgomery

Ladder Algorithm ................................................................................................ 171

Algorithm C.3.2 Fault Point Attack against Right–to-Left ECC Montgomery

ladder algorithm .................................................................................................. 175

Algorithm C.3.3 Fault Point Attack against Left-to-Right Coron Algorithm ..... 178

Algorithm C.3.4 Fault Point Attack against Right-to-Left Coron Algorithm ..... 181

Algorithm C.3.5 Fault Point Attack against Left-to-Right Joye-Yen Algorithm 184

Algorithm C.3.6 Fault Point Attack against the Right-to-Left Joye Algorithm .. 188

xv

List of Tables

Table 2.1 Comparison of Six Original ECC Algorithms ...................................... 34

xvi

List of Acronyms

AES ………………. Advanced Encryption Standard

Alg ……………….. Algorithm

AMQP …………….. Advanced Message Queuing Protocol

ANSI ……………… American National Standards Institute

ANSSI …………….. Information Security Agency

ARM Cortex M3 ….. A 32-bits Processor from ARM Company

Chap ……………….. Chapter

CNSA ……………… Commercial National Security Algorithm

CoAP ………………. Constrained Application Protocol

CPU ………………... Central Processing Unit

CRT ………………... Chinese Remainder Theorem

DFA ………………... Differential Fault Analysis

DPA ………………... Differential Power Analysis

EBNS ………………. Elevated Binary Number System

EC ………………….. Elliptic Curve

ECC ………………... Elliptic Curve Cryptosystems

ECDLP ……………. Elliptic Curve Discrete Logarithm Problem

ECDSA ……………. Elliptic Curve Digital Signature Algorithm

ECSM ……………… Elliptic Curve Scalar Multiplication

EdDSA …………….. Edwards-Curve Digital Signature Algorithm

EEPROM …………... Electrically Erasable Programmable Read-

Only Memory

EM …………………. External Electromagnetic

ES ………………….. Exponent Splitting

FA ………………….. Fault Attack

FF …………………... Fault Factoring Attack

FGT ………………... Floating Gate Transistor

FPGA ………………. Field-Programmable Gate Array

GMP ……………….. Good Manufacturing Practice

HAL ………………... Hardware Abstraction Layer

I/O ………………….. Input / Output

IoT …………………. Internet Of Things

xvii

LS-designs …………. Bitslice S-Box S And L-Box L Block Cipher Family-

designs

MCU ……………….. Microcontroller Unit

MOS ……………….. Metal Oxide Semiconductor

MQTT ……………… Queue Telemetry Transport

NIST ……………….. National Institute Of Standards And Technology

NP ………………….. Non Complete

NVM ……………….. Non-Volatile Memory

OSCCA …………….. Chinese Commercial Cryptography Administration

Office

PA ………………….. Power Attacks

PD ………………….. Phase Detector

PR ………………….. Point Randomization

PRIDE ……………... Lightweight Block Cipher

PUF ………………… Physical Unclonable Functions

RAM ……………….. Random Access Memory

RFID ……………….. Radio Frequency Identification

RNS ………………... Residue Number System

RNSMMM …………. Residue Number System Montogmery Modular

Multiplication

RO …………………. Ring-Oscillator

ROM ……………….. Read Only Memory

RPL ………………… Routing Protocol For Low Power And Lossy Networks

RSA ………………... Rivest–Shamir–Adleman

RSA-CRT ………….. Rivest–Shamir–Adleman with Chinese Remainder

Theorem

RSK ………………... Retrieve Secret Key

Scrt .……………….. Signature with Chinese Remainder Theorem

SCAs ………………. Side Channels Attacks

Scrte ……………….. Fault Signature with Chinese Remainder Theorem

SDRAM …………… Synchronous Dynamic Random-Access Memory

SM .……………… Sequence Masking

SOCs ..…………… System On Chip

https://en.wikipedia.org/wiki/Metal_Oxide_Semiconductor

xviii

SPA ..….………….. Simple Power Attack

SRAM …………….. Static Random Access Memory

SSL/TLS ………….. Secure Sockets Layer/ Transport Layer Security are

cryptographic protocols designed to provide

communications security over a computer network

ST …………………. Select Transistor

TANOS ..…………. Tan/Al2O3/Si3N4/Sio2/Si

TFN ………..……… Triangular Fuzzy Number

U.S. ……………….. United States

VT ………………… Threshold Voltage

WolfSSL …………... is an embedded SSL/TLS library providing secure

communication for IoT

WSN ………………. Wireless Sensor Network

https://en.wikipedia.org/wiki/Cryptographic_protocol

https://en.wikipedia.org/wiki/Communications_security

https://en.wikipedia.org/wiki/Computer_network

1

Chapter One Introduction

1.1 Background

Public key cryptography systems especially RSA and ECC were being used for the

protection of the data stored in hardware devices for many years and they are still

being used until now. In this thesis, IoT devices have been taken as an example of

hardware devices with small size and limited resources.

IoT represents a future worldwide information network system that will be used to

promote advanced technological activities and services. This information network

will make use of numerous instruments such as sensors, actuators, RFID tags or

mobile devices for the purpose of sensing, tracing, detecting and gathering data

about the user’s environment [YZV 2014].

The widespread deployment of IoT has a positive impact on everyday human life.

It enhances human interaction with the natural and social environment. It increases

our interest in other people and objects. Developing efficient applications for the

IoT is generally considered a difficult and complicated task for several reasons:

(i) The complex nature of distributed computing.

(ii) The absence of any basic principles or commonly acceptable guidelines that

control the process of low-level communication or facilitate high level

implementation.

(iii) The lack of a unified programming language and diversity in communication

protocols.

These complications have led IoT experts to consider developing new techniques

that can provide proper solutions to the above-mentioned difficulties [ARC 2018,

p. 8]. Cisco considers that IoT will grow to nearly 50 billion installed units by 2020

[Eva 2011].

Bashir in [BM 2018] considers that IoT architecture consists of three layers [MJ

2015], namely physical/perception layer, network layer and application layer. The

physical or perception layer has sensors for collecting data from the environment.

It senses physical parameters and transmits this accumulated data to other smart

objects. Low energy communication protocols and technologies such as IEEE

802.15.4 [IEEE 802 2011], ZigBee [ZigBee 2006], ISA 100.1a [ISA 2009] and

Wireless HART [KHPD 2008] are exploited to convey collected data to other IoT

2

objects. The network layer consists of low-power protocols such as RPL (Routing

Protocol for Low Power and Lossy Networks) [Win 2012] for interchange of data

with other IoT nodes.

The application layer consists of IoT middleware and includes various applications

like (smart cities, industries, transportation, etc) in which IoT information network

can be employed. Some protocols used at the application layer include CoAP

(Constrained Application Protocol) [BCS 2012], MQTT (Message Queue

Telemetry Transport) [Loc 2010] and AMQP (Advanced Message Queuing

Protocol) [AMQP 2012]. These protocols are specially designed for resource

constrained networks like IoT.

1.2 Example Application

The Internet of Things (IoT) plays a vital role in modern societies. It covers many

areas of human daily life and activities such as medical services, transportation,

household appliances, entertainments, sports, etc. Figure 1.1 demonstrates scenario

1 of fault injection attack proposed in this thesis.

Figure 1.1 Scenario 1 of fault injection attack

Sender Receiver

Scenario 1

1. Sends

Message 5. Receives

Verified Message

Signature

algorithm Verification

algorithm

3. Signed Message

sent by attacker

4. Message is

verified as the

attacker uses

the secret

components of

the sender in

signing the

message

2. Injects a fault

on the signature

algorithm

computations to

factorize RSA

modulus n Attacker

Verification

Device

Signature

Device

3

In scenario 1 a sender sends a message to the receiver but for authentication purpose

he will sign it. Therefore, he will send his message to the signature device so a

signature will be added to the message. The attacker who has an access to the

signature device will try to retrieve the secret components of this device. To achieve

his goal, the attacker will inject a fault in the computations of the signature

algorithm, and by using this fault result he will factorize modulus n of RSA

cryptography systems. Then he will use the secret components p and q to sign a

new message and send it instead of the sender’s message. The verification device

will verify the message as the attacker will use the same secret components of the

sender. Finally, the receiver will receive a verified message from the attacker

instead of the sender.

Figure 1.2 Scenario 2 of Fault Injection Attack

Figure 1.2 demonstrates scenario 2 of the fault injection attack proposed in this

thesis. In scenario 2 a sender wants to send an encrypted message to the receiver.

Therefore, he will send the message to the encryption device. The message will be

encrypted by using the public key components of the receiver. Then the message

will be sent to the decryption device on the other side. The attacker who has an

Scenario 2

Sender Receiver

1. Sends

Message

5. Receives

decrypted Message

Encryption

algorithm

Decryption

algorithm

Decryption

Device Encryption

Device

3. Encrypt Message

sent by sender

4. Attacker injects a

fault in the

computation of

decryption algorithm

and retrieve secret

key and decrypts the

received message Attacker

2. Encrypts

the message

by using the

public key of

the receiver

4

access to the decryption device will try to retrieve the secret components of this

device. The attacker will inject a fault in the computation of decryption algorithm

and by using this fault result he will retrieve the components of the secret key of

cryptography systems. Then he will use the secret key components to decrypt the

message he gets and any other message he gets in the future. Finally, the decryption

device will decrypt the message and send it to the receiver.

I have used Internet of Things (IoT) devices to implement my proposed attacks on

them. Internet of Things (IoT) includes a big number of smart devices that can swap

sensed data by using online services. Smart devices can collect healthcare

information about human beings and send them to a health center. Since such

healthcare information may be very confidential or crucial, the process of

transferring data must be secured. Signature-based schemes are one of the

techniques which can be used to secure this communication process. Smart devices

need a special type of signature-based schemes with lightweight calculations

because these devices have restricted resources.

Mughal et.al in [MLUUM 2018] demonstrate a light-weight reduced complicated

digital signature algorithm for transferring secure data between smart devices in

human centred IoT. Mughal and his fellow researchers have utilized less wide

operations to accomplish signature and verification processes. They have also

presented multiple options in the choice of the parameter to utilize a signature

verification pair of expressions at specific index to ensure the security of critical

documents. They claim that their approach improves the security level against

traffic analysis attacks. To test the efficiency of their technique, they have subjected

their scheme and a number of existing digital signature schemes to an experimental

operation. The results show the superiority of their scheme to other existing

schemes.

1.3 Problem Overview

The main objective of this research work is to examine the suitability of current

RSA and elliptic curve security techniques implemented on small devices with

limited resources by highlighting the security risks that threaten these hardware

devices through the software used to program and control them rather than their

hardware components. Most designers of hardware devices concentrate on

developing countermeasures that can provide full protection to their hardware

5

against fault and side-channel attacks, yet they do not pay due attention to software

attacks against their devices. This issue is gaining more attention in consequence of

the fast development of IoT devices and the highly important and confidential

information that is stored in them or interchanged between them. Most IoT devices

such as mobile phones, WSN nodes etc. can be reprogrammed and updated through

wired or wireless connections. If an intruder has the opportunity to get control over

the software that is used to program or update these devices, then that may threaten

all the information inside them. Therefore, the research question will be

Research Question: How can a fault attack utilizing software used to program

EEPROM threaten hardware devices like IoT devices?

Answer: To answer this question I propose new fault attacks against two

cryptosystems RSA and ECC by using the technique of safe error fault attack and

the software used to program EEPROM where algorithms of these cryptosystems

are stored. The new proposed fault attacks will warn designers of hardware devices

of the security risks their devices may face on the programming level.

1.4 Thesis Aims and Significance

The aims of this thesis can be summarized into the following:

• Investigating the security of hardware devices as far as the software used

to program them is concerned.

According to chapter 2 (sections 2.5.2 and 2.7.1.1) and chapter 3 (sections

3.4.1, 3.4.4 and 3.4.5) of this thesis there were attempts to apply fault attacks

against hardware devices by targeting the software used to program them.

However, such attacks were very limited and constrained as attackers

focused more on the hardware level than the software level.

• Exploring any attempts to inject faults in cryptography algorithms stored

in EEPROM by utilizing the software used to program the EEPROM

No one has tried this approach yet. The researchers tried to introduce a

hardware fault by changing register values or memory locations. However,

some researchers try to utilize the software level when attacking hardware

devices but they usually target the processing stage of a program by making

it skip some instructions and thus generating the fault value they need.

6

• Examining the possibility of the process of injecting a fault in

cryptography algorithm stored in EEPROM by utilizing the software used

to program the EEPROM.

According to the analyses on EEPROM explicated in chapter 3 of this

research work, this process is possible. This conclusion is based on the first

concept in section 3.5 which states that “a specific portion of EEPROM

memory devices can be reprogrammed without any need to remove the

EEPROM from its original position. The reprogamming process can be

achieved without resort to erasing all memory cells [Lan 2015, chap. 6].

The significance of this research lies in the fact that it proposes, for the first time, a

fault attack against two public key cryptosystems RSA and Elliptic Curve through

attacking the software used to program EEPROM. The proposed fault attacks reveal

the security risks that could threaten hardware devices through the software used to

program and update them. The attacker may try a connection with a victim hardware

device through wired or wireless connection depending on the physical

environment. In either case he can use a suitable software to deal with hardware

devices to get the information he wants. The victim hardware devices may be an

IoT device which has critical information like bank accounts or any kind of

important personal or confidential information.

1.5 Thesis Contributions

The contributions of this thesis may be summarized as follows:

1. I built a programming platform to implement two public key systems (RSA and

Elliptic Curve) by using Maple 2017. I used this software platform to analyse the

procedures of these cryptographic systems.

2. I studied and analysed attacks against RSA and Elliptic Curve by reviewing

previous related work.

3. I reviewed existing literature on EEPROM hardware devices to achieve the

second and third aims of this thesis.

4. I proposed two new fault attacks against RSA cryptosystems to highlight security

issues against hardware devices through the software used to program them. The

first one was the fault factorizing attack (FF) which factorized the RSA modulus by

applying a fault attack on the two RSA-CRT Signature Garner’s algorithms. I also

7

proposed a retrieve secret key (RSK) attack which was able to retrieve the secret

key d by applying a fault attack on both versions of Protected Montgomery Ladder

RSA: “Left-to-Right” and “Right-to-Left” algorithms.

5. I implemented the two attacks FF and RSK by using Intel (R) Core (TM) i7-

4500 CPU 2.4 GHZ with 8 GB RAM as a hardware platform and Windows 7 as the

operating system. Maple 2017 was chosen as the software platform as it contains a

cryptography package designed for cryptographic arithmetic operations.

6. I proposed a fault point attack on six scalar multiplications algorithms of ECC

which include both versions “Left-to-Right” and “Right-to-Left” of Montgomery,

Coron and Joye algorithms. The fault attack proposed is used to demonstrate

security issues against hardware devices through software used to program them.

7. I also made a comparison between General Weierstrass and Montgomery Elliptic

Curves equations. I used the General Weierstrass Elliptic Curves equations because

they compute the two coordinates x and y of the point in the same step.

8. I implemented a fault point attack on six ECC algorithms by using Intel (R) Core

(TM) i7-4500 CPU 2.4 GHZ with 8 GB RAM as a hardware platform and Windows

7 as the operating system. I selected Maple 2017 as a software platform because it

contains a cryptography package designed for cryptographic computation

operations.

9. I complemented the implementation of all attack algorithms against RSA and

ECC by using Arduino Mega2560 hardware. The total number of attack algorithms

which had been implemented were ten: four against RSA algorithms and six against

Elliptic Curve Cryptosystem (ECC) algorithms.

10. All the fault attacks I proposed inject a fault in the computations of a

cryptography algorithm stored in EEPROM after it is loaded in the RAM of the

same hardware device by modifying the original algorithm through utilizing the

software used to program EEPROM. I used the fault result generated to retrieve the

secret key.

11. I improved the efficacy of safe error attack by eliminating the fault result I have

generated. Therefore, any test-free procedures cannot detect my proposed fault

attacks, and therefore, they will fail to protect algorithms against such attacks.

8

1.6 Chapter Summary

The thesis is organized into the following chapters:

Chapter 1 provides a background of IoT devices by highlighting the impact of their

low resources features and EEPROM circuits used inside them on their information

security. It also presents an IoT application example, followed by a thorough

discussion of the thesis problem. Then, the thesis aims and significance are

discussed. Next, the thesis contributions are clarified. Finally, the chapter summary

of the thesis is presented in section 1.6.

Chapter 2 presents a literature review of the RSA and ECC public key

cryptosystems. It also refers to the related research works that deal with fault attacks

against these public key cryptosystems including physical types of fault attacks and

fault attack goals. This chapter also offers a review of fault attacks against RSA,

ECC and their countermeasures.

Chapter 3 provides a review of EEPROM including EEPROM architecture,

EEPROM programming and attacks on EEPROM memory devices.

Chapter 4 presents two fault attacks proposed against RSA cryptosystems. I propose

the fault factoring attack (FF) which factorizes the RSA modulus by applying a fault

attack on two RSA-CRT Signature Garner’s algorithms. The first one is protected

by Modified Shamir’s Countermeasure and the second one is protected by

Simplified Vigilant’s Countermeasure. I also propose a retrieve secret key (RSK)

attack which can retrieve the secret key d by applying a fault attack on both

Protected Montgomery Ladder RSA versions “Left-to-Right” and “Right-to-Left”

algorithms. All attack algorithms proposed in this chapter are implemented using

Maple software.

Chapter 5 demonstrates the proposed fault point attacks on both versions “Left-to-

Right” and “Right-to-Left” of Montgomery, Coron and Joye algorithms. It also

includes a comparison between General Weierstrass Elliptic Curves and

Montgomery Elliptic Curves equations. All attack algorithms proposed in this

chapter are implemented using Maple software.

9

Chapter 6 describes the implementation examples of ten attack algorithms proposed

in chapters four and five against RSA and ECC cryptosystems by using Arduino

Mega2560 hardware and MATLAB 2017b as a software platform.

Chapter 7 provides the summary, conclusions and future work of the thesis.

10

Chapter Two Literature Review

2.1 Introduction

This chapter includes numerous references to related literature for the sake of

comparison and contrast, and in order to enrich this thesis with expert ideas,

techniques and approaches used in previous research projects.

2.2 Background

2.2.1 Triangular Fuzzy Number TFN

A triangular fuzzy number [ABKA 2017] denoted by M=<m, α, β> has the

membership function

𝜇𝑀(𝑥) =

{

0 𝑓𝑜𝑟 𝑥 ≤ 𝑚−∝

1 −𝑚 − 𝑥

𝛼 𝑓𝑜𝑟 𝑚−∝< 𝑥 < 𝑚

1 𝑓𝑜𝑟 𝑥 = 𝑚

1 − 𝑥 − 𝑚

𝛽 𝑓𝑜𝑟 𝑚 < 𝑥 < 𝑚 + 𝛽

0 𝑓𝑜𝑟 𝑥 ≥ 𝑚 + 𝛽

The point m, with membership function grade of 1 is called the mean value while

α and β are the left-hand and the right-hand spreads of M respectively.

2.2.2 Residue Number System (RNS)

An RNS [SS 2017] base B defines a set of L relatively prime base components m1,

m2, …, mL called “moduli.”. Each base is linked with a corresponding range M,

given by the product of all moduli, i.e.,

𝑀 =∏𝑚𝑖

𝐿

𝑖=1

Any integer X ϵ [0,M-1] has a unique RNS representation �⃗� = {𝑥1, 𝑥2, … , 𝑥𝐿} = {⟨𝑋⟩𝑚1

, ⟨𝑋⟩𝑚2, … , ⟨𝑋⟩𝑚𝐿

}, where ⟨𝑋⟩𝑚𝑖 denotes the operation X mod mi.

2.2.3 Side-Channel attacks

This kind of attacks use monitoring of changes which happen to the physical

parameters, such as calculation of timings or power utilisation, which are analysed

utilizing statistical tools to infer links between physical measurements and internal

secret values. [AT 2018].

11

2.2.4 Differential Fault Analysis DFA

DFA is a specific physical attack that compares the outcomes of a correct

calculation to one faulty outcome which has been made by an attacker at a particular

time, in order to deduce information about the secret key bits. [LCFS 2017].

2.2.5 Differential power analysis DPA

DPA which is proposed by Kocher et al. [KJJ 1999] is a kind of extensively used

side-channel attack that effectively recovers the secret key from several (normally

noisy) power utilisation measurements. [WYSLGG 2018].

2.2.6 Simple power analysis SPA

SPA provides information about a cryptography system by inspecting a single

power trace. SPA can retrieve two types of information. SPA high level can

recognize various instructions or block of instructions that are executed on the

device. On the other hand, the lower level of SPA can retrieve the values of the

operands included in each elementary instruction specifically for load and store

operations, when this data is read from or written to the bus. [CMW 2014].

2.3 Public key Cryptosystems

2.3.1 RSA Cryptosystems

I present in this section some research papers which deal with the latest

developments that have been made on RSA algorithms to make them more resistant

to side-channel and fault attacks. These recent papers confirm that RSA algorithms

are still considered as important techniques that can be effectively used to secure

multiple applications like IoT devices. These papers can be summarized as follows:

Abdullah et al. in [ABKA 2017] propose RSA algorithm that depends on fuzzy set

theory and uses Triangular Fuzzy Number TFN to represent encryption and

decryption texts. The benefit of using TFN mathematical functions in encrypting

plaintext and decrypting cipher text is to create difficulty to the attacker when

dealing with these cryptosystems. The authors claim in their paper that the same

concept can be applied on other cryptosystems.

Schinianakis and Stouraitis in [SS 2017, chap. 12], demonstrate how Residue

Number System (RNS) can be used to enhance the security of public-key

cryptography algorithms (RSA and ECC). The most recent developments in the

12

Residue Number System RNS which is used in RSA and ECC cryptography

systems are based on the research efforts of Bigou and Tisserand [BT 2015].

The First, they explain the meaning of RNS and provide all mathematical

background required to deal with this number system. Then they illustrate a

complete RNS Montgomery modular multiplication RNSMMM algorithm which is

based on utilizing RNS in his mathematical computations. Finally, they implement

the RNSMMM in both RSA and ECC cryptography schemas and show how they

will enhance their resistance against fault attacks as the modulus set is changed.

2.3.2 Elliptic Curve Cryptosystems (ECC)

I present in this section some research papers which deal with the latest

improvements that have been made on ECC algorithms to make them more resistant

to side- channel and fault attacks. These recent papers state that ECC cryptosystems

can still be used to secure multiple applications like IoT devices. These papers can

be summarized as follows:

Chen in [Che 2017] proposes an effective hardware architecture for Montgomery

powering ladder (MPL) protected by a countermeasure that utilizes a mix of

sequence masking (SM), exponent splitting (ES) and point randomization (PR) [He

2013]. He also implements his proposed hardware architecture on FPGA. The SM

technique [FV 2006] appends a mask to the base point P to create a masked MPL.

The ES technique [CJ 2001] splits the scalar d into two parts by using a random

number, so that dP will be the result of (rP + (d-r)P). The PR is the first

countermeasure proposed by Coron [Cor 1999]. In this technique, the

representation of the secret exponent d is changed to 𝑑′ = 𝑑 + 𝑘#𝜀, where k is a

random number and #𝜀 is number of all points on the curve E. The author shows

that simple power, computation safe-error and doubling attacks have no effect on

MPL. However, relative doubling, memory safe-error and comparative power

analysis attacks are effective on MPL. Nevertheless, the author states that MPL,

when protected by SM, ES and PR, can resist SCAs, relative doubling, comparative

power analysis, and high-order attacks.

Huang in [Hua 2017] develops some scalar multiplication algorithms based on an

elevated binary number system (EBNS) proposed by him to enhance their resistance

against side-channel attacks. The EBNS is a number system similar to the binary

system, but it deals with the set {1, 2} instead of set {0, 1} in the normal binary

13

system. The author studies two scalar multiplication algorithms which are doubling-

and-add always and Montgomery powering ladder (MPL) algorithms. He shows

that doubling-and-add always algorithm is vulnerable to doubling [FV 2003] and

computation safe-error [SKLM 2001] attacks. He also demonstrates that MPL

algorithm is vulnerable to relative doubling [YKMH 2006] and memory safe-error

[YJ 2000] attacks. The author also investigates some countermeasures like

exponent splitting [CJRR 1999] and [FV 2006], masked MPL [FV 2006] and

sequence masking [Cor 1999]. He discusses the level of protection that each

countermeasure can provide and the kinds of attacks that can affect them. Then, he

proposes one left-to-right and five right-to-left algorithms. Their mathematical

computations depend on EBNS. The proposed algorithms have the same level of

security compared with other existing algorithms and a higher calculation

efficiency. He claims that one of his proposed right-to-left algorithms is not affected

by Park’s fault attack [PBMCKH 2009]. He also extended all above algorithms to

deal with elevated high radix number system. The elevated high radix number

system is an extension of ENBS as its base is integer m and its set is {1,2,…,m}.

He presents a detailed discussion about the security and efficiency of his proposed

algorithms confirming that they provide a significant improvement in security and

performance levels compared with other existing algorithms.

Lalonde in [Lal 2017] builds a platform to analyse and test side-channel attacks

against an extensive range of cryptosystems to highlight vulnerabilities of

cryptographic hardware on various levels. The author implements a successful

differential power analysis against AES-128. He also examines a range of scalar

multiplication algorithms in terms of security and efficiency. He states that m-ary

Joye [Joy 2009a] algorithm is more powerful than Montgomery’s Ladder [JY 2002]

as it is regular and can resist timing, computation and memory safe-error attacks.

Furthermore, m-ary Joe algorithm resists power analysis.

2.4 Fault Attacks on Public Key Cryptosystem

Fault attacks are a kind of attacks that try to inject a fault into the computation of a

cryptographic device to get fault result which may help an attacker to retrieve

private information. A physical type of fault injection, elementary fault properties,

and fault attack goals will be depicted in this section.

14

2.4.1 Physical Types of Fault Attacks

A fault attack is classified as an active attack. In this kind of attacks two categories

of fault injection techniques can be identified. The first one is the global fault

injection techniques which use low cost equipment and create troubles on global

parameters like power supply, voltage, etc. The attacker who uses the global

techniques needs to perform several injections to get the required fault. However,

the second one is the local fault injection techniques which are more expensive as

they use high cost equipment but they are more precise in identifying fault location

[PBR 2017].

Various techniques are used to inject a fault into cryptographic devices. Some of

them are described below.

2.4.1.1 Below-Powering

One of the low-cost fault injection methods is the underpowering of a device power

[KSV 2013, p. 2296]. The fault obtained in such kind of fault injection has no

precise time. Therefore, faults occur uniformly throughout the calculations, and the

attacker must have the ability to eliminate any unwanted result that does not support

his goal.

Power spikes [KK 1999], [BGV 2011] and [ABFHS 2002] is another method of

inducing a fault in the computation by changing power of a device. This kind of

fault, which tampers with the power supply of the device, is more precise. Power

spikes may cause a memory fault or a skip of an instruction when a processor

executes a program. However, it is essential for the attacker who tries this kind of

fault injection to have access to the power supply of a device.

2.4.1.2 Clock Faults

A fault can be generated by supplying the devices with clock signals that contain

one or several pulses that are much shorter than the standard clock signal [KSV

2013, p. 2296]. This kind of fault may cause a processor to overlap by executing

two instructions or storing a wrong data in a memory location or register [KK 1999].

This kind of fault cannot be introduced in a device that uses an internal clock.

2.4.1.3 Temperature Variation

Increasing or reducing temperature out of a specific range of temperatures may

cause some electronic devices to cease operating properly, and therefore produce

15

fault results [Pet 1997] and [Sko 2002]. This kind of fault is used to alter data stored

in a memory location but cannot attack a specific portion of stored data [KSV 2013,

p. 2296].

2.4.1.4 Optical Fault

A hardware chip exposure to an intense light source can cause optical faults [KSV

2013, p. 2296]. The intense light source may be a photo flash or a laser beam [SA

2002]. A focused laser beam can cause a change in transistors state which means a

single bit in memory location can set or reset. The attacker can target the chip on

either the front side or back side. The location of the transistors is on the front side,

but since they are protected by metal layers, it is better to attack the back side of the

device. However, the attack on the backside needs a proper wavelength of the laser

beam that confirms sufficient breakthrough depth to be used. Another optical attack

is introduced by Skorobogatov in [Sko 2009]. His optical attack is based on the use

of a laser beam for the purpose of changing an EEPROM cell value.

2.4.1.5 Electromagnetic Fault

A fault can appear in function of a hardware chip or a change in memory content in

case of the hardware chip exposure to external electromagnetic (EM) field [KSV

2013, p. 2296]. This fault can cause a single bit fault [QS 2002]. The cheap way to

induce this kind of fault is by using a gas lighter [SH 2007].

2.4.2 Fault Attacks Goals

The main component which is targeted by fault attacks in a hardware configuration

is the generic processor. According to the literature [KSV 2013, p. 2297], the four

main parts of the generic processor targeted by fault attacks are inputs, data, storage

and control parts.

2.4.2.1 Fault Attacks on Input Parameters

A fault result can be obtained if a fault input is supplied to computation in a device

[Sei 2005], [BCCC 2006], [KIK 2008], [KBPQ 2008] and [BCG 2010]. This kind

of fault is very precise, but it depends on the device and its uses. One has to consider

that this kind of fault will fail in case the device is programmed to test and discover

if the input is valid or the input is taken from a non-volatile memory instead of I/O

port.

16

2.4.2.2 Fault Attacks on Data Processing Section

A fault can be introduced during computations performed by the device [BDL

1997], [BMM 2000], [BOS 2006], [FLRV 2008], [JY 2002], [JQBD 1997], [KSQL

2007], [PV 2006], [PBA 2010], [SM 2009], [SH 2008], [SM 2010] and [Wan 2004].

This kind of fault depends on the mathematical process performed by a device and

the kind of cryptosystem implemented. The same effect can be obtained if the fault

is introduced during the transfer operation of data, or stored in register or memory.

2.4.2.3 Fault Attacks on Storage Section

The storage part is more distinguishable than other parts of a hardware chip.

Therefore, it is easier for an attacker to target this part. The fault in a volatile storage

can change the intermediate results of calculations. A fault in a nonvolatile storage

can alter system parameter [KSV 2013, p. 2297].

2.4.2.4 Fault Attacks on Instruction Processing Section

A fault attack can target the flow of program execution instead of the calculations

performed by the device. In this kind of attack, the attacker targets the control part

of the process [YJ 2000], [YMH 2002] and [WW 2005]. The attack will try to

change the execution sequence of instructions or faults causing misconstruction of

specific instructions.

2.4.3 Summary

In this section, I presented some of the physical techniques used to inject a fault in

a hardware device such as below-powering, clock faults, temperature variation,

optical fault and electromagnetic fault. These techniques were used to change the

status of one or more of storage locations in memory or processor, and consequently

causing an error in the computation’s operations performed by the hardware device.

I also pointed out four main parts of generic processor which were mostly targeted

by fault attacks, i.e. inputs, data, storage and control parts.

2.5 Fault Attacks on RSA Cryptosystems

RSA is one of the widely used public-key cryptosystems in securing systems as it

can be used in both encryption and signature processes. A fault attack is one of the

methods used to extract secret information of RSA cryptosystem. According to the

literature, fault attacks against RSA can be classified into: specific algorithm fault

17

attacks, tampering with the program flow fault attacks and safe-error fault attacks

[KSV 2013, p. 2298].

2.5.1 Specific Algorithm Fault Attacks

The fault attacks in this category are directed against a specific algorithm. RSA

algorithm represents the most common target of fault attacks.

2.5.1.1 RSA - CRT Algorithm

Algorithm 2.1 represents the RSA-CRT signature using Garner’s algorithm

protected by modified Shamir’s countermeasure [RG 2014, Alg. 10] of which the

outline is presented in section 4.2.9. This algorithm has been targeted by fault

attacks proposed in this thesis. All details concerning this algorithm and the fault

attack proposed against it are given in sections 4.3.1 and 4.3.2.

Algorithm 2.1 RSA-CRT Signature Using Garner’s Algorithm Protected

by Modified Shamir’s Countermeasure

Internal INPUT (loaded from firmware): p, q, d, 𝑖𝑞 ≡q-1 mod p.

INPUT by user: message M.

OUTPUT: The CRT signature scrt of message m or error.

1. Choose a small random integer r.

2. pr p*r.

3. qr q*r.

4. If pr ≢ 0 mod p or qr ≢ 0 (mod q) then return error.

5. 𝑆𝑝𝑟 𝑀𝑑 𝑚𝑜𝑑 𝜑(𝑝𝑟) (𝑚𝑜𝑑 𝑝𝑟).

6. 𝑆𝑞𝑟 𝑀𝑑 𝑚𝑜𝑑 𝜑(𝑞𝑟) (𝑚𝑜𝑑 𝑞𝑟).

7. if 𝑆𝑝𝑟 ≢ 𝑆𝑞𝑟 (𝑚𝑜𝑑 𝑟) then return error.

8. 𝑆𝑝 𝑆𝑝𝑟 (𝑚𝑜𝑑 𝑝).

9. 𝑆𝑞 𝑆𝑞𝑟 (𝑚𝑜𝑑 𝑞).

10. 𝑆𝑐𝑟𝑡 𝑆𝑞 + 𝑞 ∗ [(i𝑞 ∗ (𝑆𝑝 − 𝑆𝑞) )(𝑚𝑜𝑑 𝑝)].

11. if 𝑆𝑐𝑟𝑡 ≢ 𝑆𝑝𝑟 𝑚𝑜𝑑 𝑝 𝑜𝑟 𝑆𝑐𝑟𝑡 ≢ 𝑆𝑞𝑟( 𝑚𝑜𝑑 𝑞) then return error.

12. return S.

Algorithm 2.2 represents the RSA-CRT signature with Garner’s algorithm

protected by simplified Vigilant’s countermeasure, the outline of which is presented

18

in section 4.2.10. This algorithm which is proposed by Rauzy and Guilley [RG

2014] represents a modification of the countermeasure suggested by Vigilant [Vig

2008]. This algorithm has been targeted by fault attacks proposed in this thesis. All

details concerning this algorithm and the fault attack proposed against it are given

in sections 4.3.3 and 4.3.4.

Algorithm 2.2 RSA-CRT Signature with Garner’s Algorithm Protected by

Simplified Vigilant’s Countermeasure

Internal INPUT (loaded from firmware): p, q, dp, dq, 𝑖𝑞 ≡q-1 mod p.

INPUT by user: message M.

OUTPUT: Message M Singing result S ≡𝑀𝑑 𝑚𝑜𝑑 𝑛, or a random value.


2. n p*q.

3. 𝑝𝑑𝑎𝑠ℎ 𝑝 ∙ 𝑟2.

4. 𝑖𝑝𝑟 𝑝−1(𝑚𝑜𝑑 𝑟2).

5. 𝑀𝑝 𝑀 (𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).

6. 𝐵𝑝 𝑝 ∙ 𝑖𝑝𝑟.

7. 𝐴𝑝 1 − 𝐵𝑝 (𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).

8. 𝑀𝑝𝑑𝑎𝑠ℎ 𝐴𝑝 ∙ 𝑀𝑝 + 𝐵𝑝 ∙ (1 + 𝑟) (𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).

9. 𝑞𝑑𝑎𝑠ℎ 𝑞 ∙ 𝑟2.

10. 𝑖𝑞𝑟 𝑞−1(𝑚𝑜𝑑 𝑟2).

11. 𝑀𝑞 𝑀 (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).

12. 𝐵𝑞 𝑞 ∙ 𝑖𝑞𝑟.

13. 𝐴𝑞 1 − 𝐵𝑞 (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).

14. 𝑀𝑞𝑑𝑎𝑠ℎ 𝐴𝑞 ∙ 𝑀𝑞 + 𝐵𝑞 ∙ (1 + 𝑟) (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).

15. 𝑆𝑝𝑑𝑎𝑠ℎ 𝑀𝑝𝑑𝑎𝑠ℎ

𝑑𝑝 (𝑚𝑜𝑑 𝜑(𝑝𝑑𝑎𝑠ℎ)) (𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).

16. 𝑆𝑝𝑟 1 + 𝑑𝑝 ∙ 𝑟.

17. 𝑐𝑝 𝑀𝑝𝑑𝑎𝑠ℎ + 𝑛 −𝑀 + 1 (𝑚𝑜𝑑 𝑝).

18. 𝑆𝑞𝑑𝑎𝑠ℎ 𝑀𝑞𝑑𝑎𝑠ℎ

𝑑𝑝 (𝑚𝑜𝑑 𝜑(𝑞𝑑𝑎𝑠ℎ)) (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).

19. 𝑆𝑞𝑟 1 + 𝑑𝑞 ∙ 𝑟.

20. 𝑐𝑞 𝑀𝑞𝑑𝑎𝑠ℎ + 𝑛 −𝑀 + 1 (𝑚𝑜𝑑 𝑞).

19

21. 𝑆𝑑𝑎𝑠ℎ 𝑆𝑞𝑑𝑎𝑠ℎ + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑞𝑑𝑎𝑠ℎ − 𝑆𝑞𝑑𝑎𝑠ℎ)(𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ) ).

22. 𝑆𝑟 𝑆𝑞𝑟 + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝𝑟 − 𝑆𝑞𝑟)(𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ) ).

23. 𝑐𝑠 𝑆𝑑𝑎𝑠ℎ − 𝑆𝑟 + 1 (𝑚𝑜𝑑 𝑟2).

24. Return 𝑆 ≡ 𝑆𝑑𝑎𝑠ℎ𝑐𝑝𝑐𝑞𝑐𝑠 (𝑚𝑜𝑑 𝑛).

Other related research works are summarized below.

Boneh et al. in [BDL 1997] present a fault attack which is implemented on several

cryptosystems and makes use of hardware faults. They show that their attack can

be implemented on cryptosystems use Chinese remainder theorem (CRT) like RSA

and Rabin signature and can be extended to other systems with more faults. They

state that the same idea can be applied on authentication schemas like Fiat Shamir

and Schnorr identification protocols. They suggest error detection bits as a

countermeasure to prevent their attack and verify computation and protect internal

storage.

Joye et al. in [JLQ 1999] present some remarks on the security of cryptosystems

which use CRT. Their results show that careless implementation of such

cryptosystems could make them vulnerable. Their method improves Bellcore’s

result published in [BDL 1997] as Bellcore’s method requires two signatures, one

correct and one faulty, to retrieve the secret information. However, their method

needs a one fault signature and known message which means their method is more

efficient.

The presence of faults in cryptosystems could be the result of applying active

attacks on these systems by inducing errors in the behaviour of their computational

hardware devices, for example, changing ROM content, EEPROM content

updating [AK 1996], [AK 1997], [Gut 1996], [Koc 1996], [Pet 1997] and [Qui

1997]. The main goal of Joye and his team is to show the importance of the cautious

implementation of cryptosystems.

Yen et al. in [YKM 2006] try a fault attack with only one fault induced in the

computation phase to make RSA cryptosystem susceptible to factorising RSA

modulus. They show that the two protocols suggested by [YKLM 2003] to protect

RSA-CRT is still vulnerable to factorising fault attacks.

20

Schmidt and Hutter in [SH 2007] present an optical and electromagnetic fault attack

on the implementation of RSA with CRT. They inject a fault by using light beams

which switch values in SRAM of a microcontroller and that leads to fault results in

the calculation of RSA signature. The other scenario is to use spark gaps which

induce high-voltage pulses that will generate a high electromagnetic field. This

electromagnetic field will lead microcontroller to give fault results of RSA

signature computation phase. They also apply their attack to three different

decapsulation techniques. They mention that all attacks are implemented at low

cost.

Berzati et al. in [BCG 2008] present a fault injection attack which can defeat the

secure implementation of RSA-CRT proposed by Ciet and Joye [CJ 2005a]. Their

attack principle is injecting an error in one of the bytes that represent the sub

signature value Sp related to prime p which is one of the factors of modulus n of

RSA cryptosystems. They can retrieve secret exponent of 1024-bit modulus by

using 13 fault signatures and with a probability of success of 50%. They can also

improve the probability of success of their attack to 99% if they use 83 faulty

signatures instead of 13. They finally concluded that the countermeasure proposed

to secure RSA-CRT signature is not secure.

Trichina and Korkikyan in [TK 2010] describe two fault laser attacks on 32 bit

ARM Cortex M3 uses RSA-CRT as a cryptosystem to protect its information. The

laser attack is more accurate to targeting a specific area on a hardware device and

changes a specific variable.

Two conclusions can be drawn from the author’s experimental work. Firstly, their

laser attack can be applied on a chip even if a complex system on chip (SOCs) is

used and the kind of laser is a multi-layer metal technology front side laser.

Secondly, the main effect of their laser attack is to change the flow of program

execution by skipping instructions instead of changing values in hardware registers.

A fault induced in the flow of the program can attack cryptosystems protected by a

countermeasure depending on conditional instructions like modified Ciet-Joye

scheme and modified Giraud scheme which are presented in [KQ 2007a] and

improved in [KQ 2007b]. In view of these experiments, one can conculde that the

fault attacks explained in [DGRS 2009] can be successfully implemented.

21

The authors indicate that the attack equipment may have some limitations that must

be taken into consideration when they design countermeasures to prevent this

attack. The first limitation is the fact that the laser beam can only shoot twice on the

same spot during the program execution. The second limitation is that the attacker

cannot specify the time of attack according for two reasons: the recharge time of

laser beam and the delay time between the trigger signal and the shot is the same

for one run. Their experiment shows that their attack is feasible on undefended 32-

bit ARM Cortex M3. They also believe in protecting cryptosystems from laser

attacks through applying countermeasures that include a combination of

algorithmic-level software with hardware (shields, sensors, alternative logic styles).

Brier et al. in [BNNT 2011] present a key-recovery fault attack against RSA-CRT

signatures by injecting error on the value of RSA modulus n before implementing

CRT instead of targeting one of the subdivisions of RSA-CRT Sp or Sq. This attack

depends on orthogonal lattice techniques proposed by Nguyen and Stern [NS 1997]

which is used to factorize RSA-CRT modulus n. The authors claim that they need

five faulty signatures to make their attack succeed if they know the values of

incorrect moduli for five different messages. However, they will need 45 faulty

signatures to factorize RSA-CRT modulus n when they do not know the faulty

moduli, and the faulty moduli differ from the correct one by only one byte or

multiple bytes restricted to the least bytes only.

Fouque et. al in [FGLTZ 2013] proposed a number of effective fault attacks against

implementations of RSA-CRT signatures that utilize modular exponentiation

depending on Montgomery scalar multiplication. These attacks can be operated on

any padding function like randomized paddings and they were the first efficient

fault attacks against RSA-PSS. The new proposed attacks depend on the

supposition that a value of a small register can be forced to either zero, constant or

with zero high order bits. Fouque and his team consider that these prototypes are

quite naturalistic as these faults can be accomplished against many suggested

hardware designs for RSA signatures.

Kong et al. in [KZJSY 2017] proposed an attack against Lee’s improved RSA-CRT

algorithm [LCC 2014]. Lee et al. in [LCC 2014] used modulus chaining method to

protect RSA-CRT algorithm by ensuring that the three primes p, q and r are not

changed during computations. Kong and his team proposed two attacks against

22

Lee’s improved RSA-CRT algorithm. The first one injects a permanent fault in Spr,

and as a result of this fault, they can factorize modulus n of RSA-CRT algorithm.

The second attack injects a transient error in prime p, and by using the fault result

generated by this error they can get the same result as in the first attack. However,

the modulus chaining method used by Lee cannot prevent the two attacks

mentioned above.

All the fault attacks proposed in the research works discussed above depended on

generating an error on the hardware level while the fault attacks proposed by this

thesis target the software level.

2.5.1.2 Modular Exponentiation Algorithms

Algorithm 2.3 is the algorithm I have chosen to attack (which is known as Protected

Montgomery Ladder RSA algorithm Left-to-Right [JY 2002, Fig. 9]). All details

concerning this algorithm and the fault attack proposed against it are given in

sections 4.4.1 and 4.4.2.

Algorithm 2.3 Protected Montgomery Ladder RSA Left-to-Right Algorithm

Internal INPUT (loaded from firmware): d = (dt, dt-1,… , d1)2, size of secret key

t.

INPUT by user: message g, modulus n.

OUTPUT: gd (mod n).

1. R(0) 1, R(1) g.

2. For i from t to 1 do

2.1 b ¬ di.

2.2 R(b) (R(b) * R(di)) (mod n).

2.3 R(di) R(di)2(mod n) .

End for.

3. Return R(0).

Algorithm 2.4 represents Right-to-Left version of algorithm 2.3 which I have

constructed by myself. All details concerning this algorithm and the fault attack

proposed against it are given in sections 4.4.3 and 4.4.4.

23

Algorithm 2.4 Protected Montgomery Ladder RSA Right-to-Left Algorithm

Internal INPUT (loaded from firmware): d = (dt, dt-1,… , d1)2, key size t.

INPUT by user: message g, modulus n.

OUTPUT: gd (mod n).

1. R(0) 1, R(1) g.

2. For i from 1 to t do

2.1 b ¬ di .

2.2 R(b) R(b)2(mod n).

2.3 R(b) R(b) * R(di) (mod n).

End for.

3. Return R(0).


Berzati et al. in [BCG 2008] introduce a fault attack against modular

exponentiation: "Right-To-Left" algorithm. The target of this attack is to recover

the secret key d by using Differential Fault Analysis and injecting error in RSA

modulus n. The authors present a theoretical analysis that shows their attack is

efficient compared to the attacks published by [Sei 2005], [Mui 2006] and [BCCC

2006]. They also use Good Manufacturing Practice (GMP) implementation to

demonstrate that their attack represents a real threat to RSA cryptosystem.

Berzati et al. in [BCDG 2009] provide an improvement of previous attacking

techniques published by [BCG 2008]. These techniques are based on modular

attack exponentiation “Right-To-Left” algorithm. The authors in their modified

attack overcome the problem of complexity of decomposing modular

exponentiation “Left-To-Right” into fractional multiplications by adjusting the

RSA modulus to a number with recognised factorisation. A full study of faulty

prime numbers with a fixed size vindicated the fault model in this article.

The fault attacks proposed in related research works outlined above depended on

analysing processes (such as DFA), while the fault attacks proposed by this thesis

depend on improving safe error attacks. The fault attacks proposed in the thesis

generate an error in the computations of algorithms by using the software used to

update hardware where these algorithms are stored.

24

2.5.2 Tampering with the Program Flow of Fault Attacks

Amiel et al. in [AVFM 2007] describe a new general attack which is a combination

of side channel attack and fault attack. This new class of attacks allow an attacker

to retrieve the secret key with a single power consumption curve. The attacker will

inject a fault in the flow of program execution which makes the processor skip an

instruction which assigns a value to one of the registers used in the program.

Therefore, this register will set with zero value and the result which is calculated

according to that value can easily be distinguished in power consumption curve. As

a result, the secret key can be recover. The authors show practical results which

prove that this attack is not only a theoretical threat. They state that the classical

countermeasures cannot prevent their attack. Finally, they suggest possible ways to

prevent their attack which are simple to apply and have no significant impact on the

complexity of the original cryptosystem.

Schmidt and Herbst in [SH 2008] present a fault attack on the square and multiply

algorithm based on inducing a fault in the control flow. The attacker tries in this

attack to change program flow computation by skipping a square operation. The

faulty result obtained can indicate the value of an equivalent bit of exponent. The

authors implemented their attack by using non-invasive spike attack and they

showed the effects of different side channel analysis countermeasures on their

attack. They used a low-cost equipment in their attack.

Barenghi et al. in [BBPP 2009] describe a fault attack based on the effects of under

power supplied to ARM general purpose CPU. The fault model is implemented on

an ARM9 microprocessor with RSA cryptosystems. The authors show that

decreasing the power of the ARM 9 CPU power supply will induce double faults.

The first one will be a fault data since it appears with data load instruction from

memory. The second fault will be swap instructions which differ with a single bit

in their opcode in the flow of the program. The main advantages of this attack are

its low cost and easy implementation. To prove the efficiency of the fault model,

the authors suggest two attacks methods, Bellcore [BDL 1997] and the earth root

extraction attacks [Sho 2001], to demonstrate practical implementation of the attack

and verify that they can recover the secret information with a reasonable number of

faults.

25

Bhattacharya and Mukhopadhyay in [BM 2017] improve the official differential

fault analysis on the 2-bit branch predictor performance under the influence of

faults. Their fault model is based on the ability of the attacker to introduce a bit-flip

error into the private keystream. The result of their analysis demonstrates that

differences of branch misses under the impact of fault can leak information about

private key bits. The authors claim that this kind of attack can threaten RSA

modular exponentiation and RSA-CRT algorithms. It can also threaten algorithms

protected by a countermeasure which halts or randomizes the final result if a fault

has been detected. This attack can be adjusted to attack processers with embedded

soft-core by introducing practical errors through a skip instruction technique.

2.5.3 Safe-Error Fault Attacks

Yen and Joye in [YJ 2000] describe a fault attack based on the concept of safe error

attack. In this kind of attack, the secret key bits leak depends on the information

whether the device had a fault result or correct one after the fault is injected. This

kind of attack cannot event prevent a check made before the output is delivered to

another stage. The authors state that their proposed attack is more powerful as it has

small computational complexity than other existing attacks. The primary target of

this article is to show that a hardware error-based cryptanalysis cannot be prevented

even if a check is made on the correctness of the outcomes. The authors advise the

cryptosystems hardware designers to deal cautiously with each detail when

improving the secure system.

2.5.4 Summary

In this section, I presented some fault attacks which targeted RSA cryptosystems.

The fault attacks could be classified into three major types: a specific algorithm,

tampering with the program flow and safe error. The aim of these attacks was to

inject an error into the computation process and use the fault result to deduce the

secret key which might be a key used in information encryption or signing a

message. The two kinds of fault attacks which were related to the proposed fault in

my thesis were fault attacks against specific algorithms and safe error fault attacks.

I discussed some articles that presented fault attacks against specific algorithms like

RSA-CRT and modular exponentiation. These articles suggested multiple ways to

inject faults such as laser, light beams, spark gaps and other methods which differed

from my approach which is based on targeting the software used to program

26

EEPROM and changing the cryptography algorithm stored in it. On the other hand,

I discussed the safe error concept which was suggested by Yen and Joye [YJ 2000]

as they tried to guess the secret key by checking the fault result of an injected error.

I modified their concept in my research work and made an additional operation

which eliminated the fault result after I deduced the secret key. This modification

makes any countermeasure, using verification process to search for fault values in

the computation process, quite useless.

2.6 RSA Countermeasures against Fault Attack

2.6.1 RSA Countermeasures against Fault Attack

Aumüller et al. in [ABFHS 2002] show that the standard Bellcore fault attack is in

principle feasible when using completely unprotected microcontrollers. Moreover,

they also indicate that unskilled implementations of countermeasures are not always

reliable. They again answer the question of Kaliski and Robshaw [KR 1997] and

show that these attacks are indeed practical. Their investigation also reveals that

one should test any conceivable countermeasures in reality against all possible

attack scenarios before trusting them. This approach was specially made with their

newly developed software countermeasures.

Although their software countermeasure seems to be very promising, they are

firmly convinced that cryptographic hardware should never be used without

appropriate hardware countermeasures in combination with software

countermeasures. As a result, they finish with the advice given by Kaliski and

Robshaw [KR 1997] from the RSA Laboratories stating that good engineering

practices in the design of secure hardware are essential.

Kim and Quisquater in [KQ 2007a] claim that exponentiation algorithm suggesed

by Fumaroli and Vigilant [FV 2006] is defeated by fault attack (FA), simple power

analysis (SPA) and differential power analysis (DPA). They also claim that the fault

attack against the exponentiation algorithm injects a fault during the calculation of

exponentiation and uses the fault result to deduce the secret key. Then, they propose

a powerful countermeasure that can resist SPA, DPA and FA based on the concept

of randomising all intermediate variables.

Boscher et al. in [BNP 2007] suggest a modular exponentiation algorithm which

can neither be attacked by fault attack (FA) nor by simple power analysis (SPA).

27

Their algorithm is verified by a practical fault model. The authors’ algorithm differs

from the classical modular exponentiation only by two additional modular

multiplications. The main idea of their proposed algorithm is inserting some

coherence test at the end of an algorithm to make it resistant to FA and SPA.

Vigilant in [Vig 2008] presents a countermeasure against Bellcore attack. His

proposed countermeasure is suitable to be implemented on devices with restricted

resources which include: execution time, memory utilisation, personalisation

management and code size. The countermeasure depends on the concept of

inserting a random integer in the computation of intermediate variables used in

modular exponentiation algorithm.

Joye in [Joy 2009b] proposes a countermeasure which embeds the public key e in

the verification of final signature result and the representation of the key object of

RSA. In RSA-CRT mode, the key object can be obtained from the {p, q, 𝑑𝑝 ≡

𝑑(𝑚𝑜𝑑 𝑝 − 1), 𝑑𝑞 ≡ 𝑑(𝑚𝑜𝑑 𝑞 − 1), iq}. However, in the RSA-standard mode,

the key object can be obtained from {N, d}. His countermeasure returns the final

signature S if a verification process which depends on public key e is successful.

The author claims that his proposed countermeasure is suitable for RSA

cryptosystem applied in Java Cards.

Coron et al. in [CGMPV 2010] investigate the fault resistance of Vigilant's

proposed efficient way of implementing an RSA-CRT resistance against fault

analysis [Vig 2008], and they show that it is not immune to fault injection. Indeed,

they highlight two weaknesses which can help an attacker to recover the whole

private key by using only one faulty signature. They also suggest some

modifications with a negligible cost to improve the fault resistance of Vigilant’s

scheme. Therefore the scheme, including modifications, remains suitable for

embedded device constraints.

Kim et al. in [KKHH 2011] made an investigation on countermeasures against

simple power and fault attacks concerning security and efficiency. They found that

the countermeasures they analysed are vulnerable to improved power and fault

attacks. They claim that utilising checksums operations decreases the security of

RSA-CRT cryptosystems against fault attacks. They proposed a countermeasure

28

which is resistant to the power and fault attacks as it uses logical operations instead

of arithmetic ones to check fault values in the RSA-CRT combination.

Fournaris and Koufopavlou in [FK 2012] proposed a hardware architecture which

is based on Montgomery modular exponentiation and multiplications which utilizes

the basics of parallelism to provide a high level of efficiency in space and time

complexity. They claim that their suggested hardware design is resistant to simple

power and fault attack. They built a testing platform to test their hardware design.

They also implemented their proposed hardware in FPGA technology.

Rauzy and Guilley in [RG 2014] carried out an analytical study on existing

countermeasures against fault injection attacks to understand how they work. The

intermediate results they got can be summarized as follows. Firstly, all

countermeasures they have studied had common features, but they optimize in

different ways. Secondly, there is no conceptual distinction between experiment-

based and infected countermeasures and how either one can be converted to the

other one. Thirdly, faults on data can represent a fault on the code (skipping

instruction error). After considering the above intermediate results, they managed

to improve the countermeasures they have studied through fixing Shamir's

countermeasure (which is known to be insecure), enhancing Vigilant's

countermeasure by reducing its nine tests into three, and thus achieving a higher

security level, and they were able to produce an updated countermeasure which is

resistant to an unspecified number of faults.

Kim in [Kim 2017] proposes a countermeasure to protect RSA algorithms based on

utilizing additive blinding technique. Additive blinding technique uses exponent or

modulus blinding approaches. The blinding approach is based on using random

variables to prevent an attacker from getting information about the parameters

through using exponent or modulus blinding approaches. The author proves the

efficiency of his proposed countermeasure by making security and performance

analyses. He claims that his countermeasure is low cost and faster than other

countermeasures that use multiplicative blinding. He also shows that his

countermeasure is resistant to various power attacks and it can be used to improve

the security of RSA and RSA-CRT algorithms against fault attacks.

29

2.6.2 Summary

According to the above literature, various forms of countermeasures were

introduced by experts to protect RSA cryptosystems against fault attacks. The

techniques used in these countermeasures could be summarized as follows:

randomization of the initial values or intermediate variables used in the computation

process, modification of modular exponentiation algorithm by inserting coherence

tests, verification of final results by using public key e, and using logical checksums

instead of numeric ones. All these techniques cannot prevent attacks proposed in

this thesis. I started by injecting a fault into the computation algorithm used to

encrypt or sign information which was stored in EEPROM and then I checked the

value of the key used in the algorithm according to the injected fault. Finally, I

eliminated the fault result I had generated, and therefore, any free error test

procedures could not detect any error in the calculations. Furthermore, even

randomizing variables could not undermine the proposed attacks in this thesis as

the attacker would generate an intermediate fault result by replacing one of the

components of the adding process by the fault value he injected. He would be able

to deduce the secret value according to this fault result.

2.7 Fault Attacks on Elliptic Curve Cryptosystems (ECC)

The main attack against elliptic curve cryptosystems aims to recover the secret

integer k given points P and Q such that Q = kP is computed on a known curve E

over a known field GF(q). The mathematical recovery of k is believed to be an NP-

complete problem [GG 2016]). However, many so-called ‘fault attacks’ have been

produced, taking various forms and serving different purposes, but I am only

concerned with fault attacks on the ECDH, and in this section, I review the current

state of such attacks.

According to the literature, most fault attacks can be classified into safe error, weak

curve-based and sign change attacks. In all cases, there is an assumption that the

attacker has sufficient access to the device to be able to perform the attack.

2.7.1 Safe-Error Fault Attacks

Safe error attacks induce temporary faults in cryptographic computations with the

aim of leaking key bits. Yen and Joye in [YJ 2000] presented such an attack based

on inducing an error in the temporary calculation of the addition step of the scalar

30

multiplication algorithm by changing the value of one of the registers which take

part in the calculation. The authors assume that the attacker should at least have a

minimum degree of the required controllability of hardware fault position in order

to be able to inject a fault in an exact register.

Timing and power attacks are likely to distinguish between point doubling and

point addition formulas and thus reveal bits of the secret key. However, if these are

adjusted by the use of ‘dummy operations’ this may lead to safe error attacks

[GJMRV 2011] and [FV 2012].

2.7.1.1 Computation Safe-Error

Algorithm 2.5 (taken from [FV 2012, alg. 1] where it is presented in additive form)

represents the Montgomery powering ladder with Left-to-Right scalar

multiplication beginning the point additions from the second bit from the left. All

details concerning this algorithm and the fault attack proposed against it are given

in sections 5.3.1 and 5.3.2.

Algorithm 2.5 The Left-to-Right Montgomery Ladder Algorithm

Internal INPUT (loaded from firmware): k = (1, kt-1,…, k1)2, t key size, where

kt = 1.

INPUT by user: P ϵ E(Fq).

OUTPUT: k*P.

1. R(0) P, R(1) 2P.

2. For i from t-1 down to 1 do

2.1 R(¬ ki) R(0)+R(1).

2.2 R(ki) 2R(ki).

End for.

3. Return R(0).

While there appears to be no algorithm in the literature cited as being the Right-to-

Left equivalent of algorithm 2.5, I have used the Right-to-Left version of the EC

(protected) equivalent [JY 2002, Fig 6(b)] which I have modified to make it suitable

to be implemented for elliptic curves. Algorithm 2.6 represents the Right-to-Left

Montgomery Ladder algorithm. All details concerning this algorithm and the fault

attack proposed against it are given in sections 5.3.3 and 5.3.4.

31

Algorithm 2.6 The Right-to-Left Montgomery Ladder Algorithm

Internal INPUT (loaded from firmware): k = (kt, kt-1,…, k1)2, t key size.


OUTPUT: Q= k*P.

1. R(0) O.

2. R(1) P.

3. For i from 1 up to t do

3.1 G R(1).

3.2 b 1– ki.

3.3 R(b) R(0) + R(1).

3.4 R(1) G.

3.5 R(1) 2R(1).

End for.

4. Return R(0).

Algorithm 2.7 represents Coron Left-to-Right [DHB 2016, Alg 5]. All details

concerning this algorithm and the fault attack proposed against it are presented in


Algorithm 2.7 The Left-to-Right Coron Algorithm.


kt = 1.


OUTPUT: kP.

1. W(0) P.


2.1 W(0) 2W(0).

2.2 W(1) W(0)+P.

2.3 W(0) W(ki).

3. Return W(0)

Algorithm 2.8 represents a corresponding Right-to-Left version of algorithm 2.7,

which I have personally developed and introduced in this thesis. All details

concerning this algorithm and the fault attack proposed against it are given in


32

Algorithm 2.8 The Right-to-Left Coron Algorithm

Internal INPUT (loaded from firmware): k = (kt, kt-1,…, k1)2, t key size,


OUTPUT: kP.

1. W(0) O, R P

2. For i from 1 down to t do

2.1 W(1) R.

2.2 W(1) W(0)+ W(1).

2.3 W(0) W(ki).

2.4 R 2R.

End For.

3. Return W(0).

Algorithm 2.9 is in fact the Joye-Yen ‘Left-to-Right’ version [JY 2002, Fig. 7],

working from the most to the least significant bits (I have modified this algorithm

to get the output Q=kP instead of gk). All details concerning this algorithm and the

fault attack proposed against it are given in sections 5.5.1 and 5.5.2.

Algorithm 2.9 The Left-to-Right Joye-Yen Algorithm


kt = 1.


OUTPUT: Q= kP.

1. R(0) O.

2. R(1) P.


3.1 R(¬ ki) R(0) +R(1).

3.2 R(ki) 2R(ki).

End for.

4. Return R(0).

33

Algorithm 2.10 represents the ‘Right-to-Left’ version [Joy 2007, Alg. 3] working

in the opposite direction. All details concerning this algorithm and the fault attack

proposed against it are given in sections 5.5.3 and 5.5.4.

Algorithm 2.10 The Right-to-Left Joye Algorithm



OUTPUT: kP.

1. R(0) O.

2. R(1) P.

3. For i from 1 to t do

3.1 b 1- ki.

3.2 R(b) 2R(b).

3.3 R(b) R(b) + R(ki).

End for.

4. Return R(0).

A comparison of the six algorithms, which are targeted by the fault point attack

proposed by this thesis, is shown in table 2.1 below.

Algorithm

name

Position of

first bit in

memory word

to be accessed

Number of

temporary

variables used

in Algorithm

Initial values used in

Algorithm

Left-to-Right

Montgomery

Ladder

Second bit

from the left

2 R(0) = P and R(1)= 2P

Right-to-Left

Montgomery

Ladder

First bit from

the right

4 R(0) = O and R(1)= P.

Left-to-Right

Coron

Second bit

from the left

2 W(0) = P.

34

Right-to-Left

Coron

First bit from

the right

3 W(0) = O and R =P

Left-to-Right

Joye-Yen

Second bit

from the left

2 R(0)= O and R(1)= P.

Right-to-Left

Joye

First bit from

the right

3 R(0) = O and R(1) = P.

Table 2.1 Comparison of Six Original ECC Algorithms

Where:

O= identity point =[ infinity, infinity]

P=Base point

2P= Double of base point=P+P


Schmidt and Medwed in [SM 2009] present a fault attack on elliptic curve digital

signature algorithm (ECDSA). Their attack depends on the concept of computation

safe error.Their attack is achieved by inducing a fault relying on the possibility of

skipping instructions in the execution of double and add or Montgomery ladder

algorithms. The attacker repeats his attack number of times and uses the faulty result

he gets to obtain a sufficient number of bits of the secret key which enable him to

use lattice attacks [HS 2001], [NS 2003] to find the rest of the secret key.

The authors also propose a countermeasure which uses check value and redundancy

to modify the system, based on ECC, to be resistant to their attack.

Poddebniak e,t al in [PSSLR 2018] investigate the security of deterministic ECDSA

and EdDSA signature schemes and show that removing of random number

generators in these schemes make them vulnerable to new types of fault attacks.

They present a practical attack against EdDSA utilizing the Rowhammer fault

attack. They claim that there are a number of protocols, (such as TLS, SSH, and

IPSec) which utilize EdDSA, that cannot be victimized by their practical attack.

They also specify the features of protocols utilizing these deterministic signature

schemes which make them vulnerable to their attack. Finally, they discuss

alleviation strategies and their consequence on fault attacks against deterministic

signature schemes.

35

2.7.1.2 Memory Safe-Error

Yen and Joye in [YJ 2000] proposed a memory safe error attack for the first time.

Their attack is based on the assumption that if a fault in register or memory location

can be cleared depending on specific binary value component of the secret key, then

the attacker can deduce the value of this secret key by considering the result of the

above process. The attack is repeated number of times depending on some binary

bits of the secret key value. The authors show how their attack can be implemented

on RSA cryptosystems. They also claim that this attack can be implemented on

Elliptic Curve Scalar Multiplication (ECSM).

2.7.2 Weak Curve Based Attacks

In such attacks, the assumption is that a strong elliptic curve is chosen for the

cryptosystem but that the attack moves the computations onto a weak elliptic curve,

where it is hoped that it will be easier for the attacker to retrieve the secret key

values by solving the ECDLP. In this type of attack, fault injection can make use of

invalid points, invalid curves, and twisted curves.

2.7.2.1 Invalid Point Attacks

Biehl et al. in [BMM 2000] demonstrated such an attack by showing how an invalid

point which does not belong to the original elliptic curve can be used in the scalar

multiplication algorithm to solve the ECDLP on a weaker curve, and this process

will help the attacker to find the key. As a countermeasure, they suggest that the

processor should check the validity of each point produced during the execution of

the algorithm. However, their countermeasure can be circumvented by the attacker

if the invalid point is introduced precisely after the checkpoint.

Jager et al. in [JSS 2015] claim that some popular cryptographic libraries they have

investigated did not check whether the points used in their calculation belong to the

curves or not. ECC implementations of Oracle and Bouncy Castle miss the check

above. The authors investigate the impact of missing the checking process on

Oracle’s default Java TLS execution (JSSE with a SunEC provider) and TLS

servers using the Bouncy Castle library. They define an attack which retrieves the

long-term secret key from a TLS server which uses vulnerable Bouncy Castle

library.

36

2.7.2.2 Invalid Curve Attacks

Ciet and Joye in [CJ 2005b] identify two models of fault attacks: permanent and

transient. The permanent model assumes that there is a fault in the system

parameters which is stored in non-volatile memory (EPROM) before its transfer to

the working memory, RAM, to be used in the computations. On the other hand, the

transient model assumes that a fault in the system parameters is induced during the

transfer from EPROM to RAM. The authors show that both fault models can be

used to retrieve information about the secret key k.

Barenghi et al. in [BBPS 2011] demonstrate a fault attack against elliptic curve

digital signature algorithm (ECDSA). The target of this attack is the signature

recombination part of the algorithm, which is not analysed yet by any known fault

attack on ECDSA at that time. The attack utilises a low-cost device to inject the

fault and does not cause any damage to the device under attack [NS 2003], [SH

2007]. The attack succeeds to retrieve the secret key as it reduces the size of ECDLP

version, and consequently transfer the process to a weaker curve configuration, and

thus the problem is solved in shorter time.

Belgarric et.al in [BFMMT 2016] analyse the side-channel resistance of the

execution of the ECDSA signature system in Android’s typical cryptographic

library. They show that the secret key of elliptic curves over prime fields can be

recovered very effectively on smartphones utilizing electromagnetic side channel

and famous lattice reduction techniques. They practically demonstrate that elliptic

curve operations (doublings and additions) can be differentiated in multiple cores

CPU clocking over the Giga-hertz. They then expand the typical lattice attack on

ECDSA over prime fields to binary Koblitz curves. They claim that they were the

first experts who tried to implement an attack against Koblitz curves. These curves,

which can be found in Bouncy Castle that uses a sliding windows algorithm, allow

very effective execution utilizing the Frobenius operation. This leads to signal

processing challenges since the number of obtainable points are decreased. These

experts also examine practical side channel, clarifying the concrete risk of such

implementations. The attacks proposed in their research benefit from visible

architectural characteristics, like specific instructions calculations or memory

accesses of previous works targeting smartphones.

Serraj et al. in [SIA 2017] demonstrate that elliptic curve criterions suggested by

international security institutes such as National Institute of Standards and

37

Technology (NIST) [NIST 2013], the American National Standards Institute

(ANSI) [ANSI 2010] and the Chinese Commercial Cryptography Administration

Office (OSCCA) [OSCCA 2010] cannot resist random fault attacks. The main aim

of random fault attack is to transfer the calculations of ECDLP problem from a

strong curve to a weaker curve with less points by inducing faults [BMM 2000] &

[FLRV 2008]. The fault model of this attack is based on its effects, position and the

number of faults needed to make the attack succeed. The attacker in such kind of

attack faces great difficulty if he tries to induce a fault in a specific bit or when

choosing a proper faulty value. The authors offer a full mathematical description of

random fault attack against ECDLP implemented on PARI/GP system.

Samwel and Batina in [SB 2018] enhance and generalize preceding attacks against

Ed25519 by utlizing realstic targert platform. They state that their attack is

achievable with a high degree of success by utilizing voltage Fault Injection (FI)

and Electromagnetic Fault Injection (EMFI). They claim that an attacker can

recover the key by using their proposed attack with only one successful fault. They

affirm that their attack can achieve a high degree of success (close to 100%). The

attack remains effective even with adding redundancy to the implemenation.

Adding some randomness in the creation of the ephemeral scalar can be considered

a countermeasure against this attack. They also proposed an attack against the

implementation of WolfSSL and extended their attack to other implementations of

Ed25519.2.7.2.3 Twist Curve Based Fault Attack.

Fouque et al. in [FLRV 2008] present a fault attack targeting Montgomery-like

methods when the y-coordinate is not used. Using the twist of the given curve,

which is often weaker than the initial one, they can recover the secret key. The fault

model used in this attack is typical and reasonable, and by injecting a few faults,

the attacker can retrieve the secret key. The authors claim that to develop a

countermeasure to this attack, the designer needs to repeat the verifications enough

number of times to reduce the possibility of the attack success, since the probability

to find a random point on the curve is very high.

Romailler and Pelissier in [RP 2017] present a fault attack against Edwards-curve

digital signature algorithm (EdDSA). EdDSA is based on edwards25519 (the

Edward twist of Curve25519 [BDLSY 2011]). EdDSA is a signature system used

38

instead of elliptic curve digital signature (ECDSA) to sign messages in embedded

devices as it provides better performance and security. EdDSA branch and lookup

operations are not based on private key values during the signature process.

Therefore, EdDSA is considered resistant to various side-channel attacks. The

authors propose a fault attack against EdDSA by inducing a fault on hash function

involved in its signature algorithm. This fault will generate a fault signature that

can be used by the attacker to retrieve sufficient information about the secret key.

This will enable the attacker to form useful signatures for any message. They also

offer a practical execution of their attack against an implementation on Arduino

Nano. Samwel et al. in [SBBDS 2018] claim that EdDSA is not resistant to side-

channel attacks.

2.7.3 Sign Change Fault Attacks

Sign change attacks work directly on the original curve and introduce sign changes

to points used in the computation. Blömer et al. in [BOS 2006] demonstrate how

sign changes of intermediate points can be used to recover the unknown scalar

factor. Their attack leads to a faulty output that is a valid point on the original

elliptic curve. They base their approach on what is known as the ‘left to right

repeated doubling’ method of computing point multiples where the scalar target

multiple is represented in non-adjacent form. The authors state that they believe this

approach can also be employed against other scalar multiplication algorithms,

including the right to left version, binary expansion based repeated doubling, and

the Montgomery ladder [Mont 1987].

2.7.4 Summary

In consequence of investigating related literature, I enumerated and briefly

discussed, in this section, various forms of fault attacks against ECC, such as safe

error, weak curve based and sign change fault attacks. The attacker, in most of the

attacks reviewed, tried to make a hardware fault by changing register value and

memory location through using special equipment like a laser beam. Changing

values, which aim at producing faulty results, could be done by means of converting

positive base point into a negative one, or changing a single bit or multiple bits of

the register value which takes part in the calculation. The attacker analysed the fault

results he got to guess the secret key value. Other approaches were based on using

a weaker elliptic curve, points which do not belong to the original curve or twist

39

curve. Such approaches enabled an attacker to solve ECDLP in an easier

environment. The attacker might also try to make a fault software attack by skipping

single or multiple instructions which led to a fault in the algorithm being executed

and thus produced fault results. All the attacks against ECC, referred to in my

summarized review of related literature, differ from the attacks proposed in the

thesis as I targeted the software used to program the EEPROM. The attacker would

change the algorithm stored in the EEPROM by injecting a fault value and using it

instead of the correct value, and thus produced a fault value. Then the attacker

would use the fault result to retrieve the secret value.

2.8 Fault Attack on ECC Countermeasures

2.8.1 Fault Attack on ECC Countermeasures

In the previous section, I have presented fault-based attacks against ECC. In this

section, I will discuss relevant countermeasures.

Algorithms in which the computations made take the same amount of time,

without the use of dummy operations, are referred to as ‘regular’. Such algorithms

are resistant to power, timing, and safe error attacks, and therefore, all algorithms

should be designed to be regular.

Biehl et al. in [BMM 2000] and Ciet and Joye [CJ 2005b] suggest verifying that

points produced during an elliptic curve computation are the same points on the

curve. Ciet and Joye [CJ 2005b] suggest the use of cyclic redundancy checks to

look for faults in curve parameters. Giraud [Gir 2006] suggests a coherence

verification which compares the intermediate or final result with some acceptable

pattern.

Blömer et al. in [BOS 2006] propose the use of an elliptic curve over a ring

constructed by ‘combining’ two elliptic curves, one the ‘target’ curve and the other

a ‘dummy’ curve, over different fields; if the point to be signed has sufficient order

on both curves, then an algorithm computing elliptic curve additions on both the

combined curve and the dummy curve will produce the required result for the target

curve. This method is used as a countermeasure against sign change attacks.

Fournaris and Sklavos [FS 2015] explore effective algorithmic methods that can

resist fault attacks (FA) and power attacks (PA). They claim that there are trade-

40

offs between hardware efficiency concerning (space and calculation speed) and

level of resistance against FA and PA. They suggest a countermeasure combining

countermeasures against power attacks group and fault attacks group. Their

proposed countermeasure protects cryptography system (RSA/ECC) from (simple

power attack, comparative simple power attack, refined power attack and

differential power attack) by using Montgomery power ladder base point blinding

and randomization extension (which means using of two random variables B and

B-1 to mask the message). The proposed countermeasure also protects RSA and

ECC from FA and differential fault attack by using infective calculation and error

detection.

Rauzy et al. in [RMGN 2015] have studied the modular extension protection

technique, and they found that this technique is wrong, and therefore, they propose

another version of the same technique after they fix it. They prove the efficiency of

their improved technique especially the inverse relation between security

parameters and fault non-detection parameters. They implemented their techniques

on scalar multiplication of ARM Cortex-M4 microcontroller.

Fournaris et al. in [FPBS 2016] investigate Residue Number system RNS capability

to design a countermeasure against fault attacks and power attacks. They also

propose a scalar multiplication algorithm that resists fault attacks and power attacks

by using RNS. According to their analyses, they are able to verify their

countermeasure. They claim that the merging of classical PA and FA

countermeasures with lightweight RNS countermeasure can produce a powerful

cryptography system which resists FA and PA.

Seysen in [Sey 2017] presents a modification on modular extension of a curve

countermeasure which is used to protect point multiplication in elliptic curve.

Seysen claims that this modification will make the countermeasure more secure

against faults attacks. This modified countermeasure operates by utilizing a small

curve to make the point multiplication on modular extension of the main curve.

After that, the result is compared to the same point multiplication recomputed on

the small curve. If they are equal, then the system is secure. The above comparison

can be defective or worthless if a point in the infinity on the small curve can be

accessed with acceptable probability. The author suggests an alternative modular

extension countermeasure which does not suffer from the above problem.

41

Dugardin et al. in [DGMNR 2017] study the modular extension technique used to

protect elliptic curve scalar multiplication (ECSM) algorithms. They discover that

the existing countermeasure based on modular extension is faulty. Therefore, they

develop a test-free countermeasure to replace the previous one. Their

countermeasure makes use of Edwards’s curves and twisted Edwards’s curves in

its computation as the addition law of these curves is complete. The addition of a

curve is said to be complete when it deals with all pairs of input points but it does

not deal with any point at infinity. A point at infinity can be accessed as intermediate

point and therefore it may leak information about the secret key. Edwards’s curves

share with Weierstrass curve the advantage that the addition law for these curves is

unified and the same formula can be used for adding and doubling. This ensures

that their countermeasures will be more resistant to side-channel attacks.

Ambrose et.al in [ABFJLM 2018] demonstrate a number of differential fault attacks

and one differential power analysis attack against deterministic signature schemes.

These attacks show that eliminating randomness from the equation does

unavoidably remove all attacks vectors. The researches examine varied

countermeasures and propose a new one which involve entropy for low-cost

defence against these attacks. Their proposed countermeasure does not require

altering the key generation or the verification procedures and consequences in a

signature scheme. This countermeasure provides high performance and security for

an extensive range of use-cases.

Audrey and Tisserand in [AT 2018] study the protections of scalar multiplication

against both observation and perturbation attacks. The observation attack (side

channel attack) is the attack that targets scalar multiplication through observing

changes in physical parameters. The perturbation attack (fault attack) is the attack

that generates a fault by using perturbations of the system such as variation of power

supply. They propose two countermeasures to protect scalar multiplication against

these two attacks and they implemented them on a Cortex-M0 microcontroller. The

finite field operation over point coordinates is protected by the first proposed

countermeasure. The second countermeasure protects key bits.

2.8.2 Summary

Investigation of literature related to the countermeasure techniques, which were

recommended by experts to protect ECC against fault attacks, revealed some basic

42

concepts. One important concept confirmed by many experts was that all algorithms

must be regular and do not use dummy operations in their computations. Another

important concept was checking and ensuring that all the points used in the

computation should belong to the original curves before beginning with the

computations process. The countermeasures suggested by many experts were cyclic

redundancy checks, comparing the intermediate or final results with some

acceptable patterns, using two curves instead of one and comparing the final results

between them, using RNS, and using randomization techniques. However, after

considering all the above countermeasures techniques, I came to the conclusion that

they cannot prevent attacks proposed in this thesis.

43

Chapter Three EEPROM Environment

3.1 Introduction

EEPROM hardware devices store what is essentially 'metadata' needed to run,

change or secure another hardware device. Such metadata may include secret key

and algorithms used to encrypt and decrypt information or add a signature to this

information. Many research projects deal with different aspects of EEPROM. This

chapter is a review of EEPROM in three directions: EEPROM Architecture,

EEPROM Programming and Attacks on EEPROM Memory Devices. The thesis

work deals with attacks against algorithms stored in EEPROM and used to secure

information. The proposed attacks on EEPROM in this research work target the

software used to program EEPROM instead of attacking its physical layer.

Therefore, the importance of this chapter is to show how EEPROM is constructed

and programmed from the view related to the thesis work. Furthermore, I present

some attacks on EEPROM proposed in related research projects and compare them

to attacks proposed in this thesis.

The rest of the chapter is organised as follows: Section 3.2 shows the EEPROM

architecture. Section 3.3 presents EEPROM programming. Section 3.4 shows

attacks on EEPROM memory devices. Section 3.5 gives the implications of

proposed attacks in the thesis. Finally, a summary is given in section 3.6.

3.2 EEPROM Architecture

EEPROM architecture has a general configuration consisting of EEPROM array

with its periphery devices which connect EEPROM with the outer world and

control its operations. In this section, I present the general configuration of

EEPROM. Furthermore, I present main components of EEPROM cell.

3.2.1 General Configuration

The EEPROM can be organised as an array of cells with m rows, n columns and z

bits (cells) in each column. The size of EEPROM can be measured by bits or bytes.

As an example, 16 rows by 16 columns with 8 bits in each column construct an

EEPROM with size 2Kb where K represents 1024 bits. Periphery circuits connect

the EEPROM with its environment. These periphery circuits are: X decoder is used

for selecting the effective row. Y decoder is used for selecting the effective column.

Page latches (asynchronous sequential circuits with two stable states 0 and 1 with

44

capability to switch between them) are used as data and address bit storage units. A

high voltage power supplies Vcc and Vss. Sense amplifier is used for reading and

writing control operation [DXFM 2006]. The location of cryptography algorithms

which I implement my propose attack against them is stored on EEPROM array.

The general EEPROM architecture is shown in Figure 3.1 [Ros 1998].

Figure 3.1 General Architecture of EEPROM

3.2.2 EEPROM Memory Cell Design

Each memory cell consists of two transistors: the first one is a memory transistor

which is MOS transistor with an extra floating gate called floating gate transistor

(FGT). The floating gate acts as the main component of the erasing and

programming section of EEPROM cell. When the floating gate is charged with a

negative charge, it is said to be erased. While, when the floating gate is charged

with a positive charge then the EEPROM cell is programmed [AD 2008]. The

second transistor is the select transistor (ST) which is connected with the first

transistor serially and also connected with periphery circuits in order to control the

operations (Read, Erase and Write) of EEPROM cell and ensure that no mistakes

will happen during the writing operations [DXFM 2006] and [YYK 1971]. The

MOS and ST transistor can be shown in Figure 3.2.

Figure 3.2 shows the EEPROM cell configuration derived from [Was 2012]. Figure

3.3 driven from [Lee 2016] demonstrates the functioning of the floating gate.

45

Figure 3.2 EEPROM Cell Configuration

Figure 3.3 Floating Gate Operation.

According to the literature, many articles show different models for EEPROM cell

design which differ in the material size used and values of capacitance connected

to FGT and ST transistors. This difference affects the time of programming and life

of EEPROM cell. As I will consider the programming level of EEPROM in thesis

work, then I will not go deeper on this subject. For more information the reader can

refer to these articles [DXFM 2006], [LS 2007], [AD 2008], [RLBBRM 2008],

[WSCH 2008], [DRSFLN 2009], [LCK 2010], [DLDJLTZ 2012], [TMRCPK

2013], [SASOMKOKN 2014], [BKS 2015], [CC 2015], [MJ 2015],

[PNKKLCCKKKP 2015], [XHXYK 2016] and [YZWSL 2017].

WL

VDD

BL

Normal MOS transistor

E2PROM transistor

Word line

Control Gate / programming Gate

Floating Gate

Vdd

Weak

pullup of

some kind

Bitline

Data out

1-Not programmed

- No electronic trapped on

floating gate.

- WL=1 turns on the

transistor, Pulling Bitline low

-Data Out=1

-As floating gate has no effect

2- Programmed

- Electronic is trapped on

floating gate.

-Increase threshold voltage

- Transistor remain off when

WL=1

-Bitline=1 and Data Out=0

46

3.3 EEPROM Programming

The EEPROM is a modified generation of EPROM devices. EPROM devices must

be removed from their hardware circuit and connected to a special device, so that

they can be erased or reprogrammed. On the other hand, the EEPROM, or even a

particular part of it, can be erased and reprogrammed without any need to remove

it from its original circuit [Lan 2015, chap. 6].

Programming an EEPROM cell is a process of charging the floating gate of FGT in

EEPROM cell by threshold voltage VT, and this can be done analogously or

digitally.

3.3.1 Analogous Programming of EEPROM Cell

According to the literature, EEPROM cell can be analogously programmed by

connecting it to a controller which can provide a stable threshold voltage 14

volts.This method is presented by Barnett and Liu in [BL 2008] as they propose a

controller with a gated clock which generates a constant programming voltage

during a wide range of received RF input power, whereas Compagnoni et al. in

[CMAMS 2009] present a model that can explain how TaN/Al2O3/Si3N4/SiO2/Si

(TANOS) memory cell can be programmed and this physical model can reproduce

a threshold voltage VT that remains constant over a wide range of programming

prejudices and times.

3.3.2 Digital Programming of EEPROM Cell

Langbridge in [Lan 2015, Chap. 6] presents a programming system that enables one

to access EEPROM memory and digitally read, i.e. get data, and also write, i.e.

change data in the memory, by using a special EEPROM library included in

Arduino Uno hardware device. EEPROM library is a group of routines that can

access EEPROM memory. These routines can read and write bytes, bits, strings and

other values. For more information, the reader can refer to Wiley eBook [Lan 2015,

Chap. 6].

Beningo in [Ben 2017, chap. 9] presents a hardware abstraction layer (HAL) that

manages internal and external EEPROM devices. HAL is an interface that gives the

applications designers a set of functions that can be used to deal with hardware

functions. The author uses five different brands and sizes of EEPROMs to develop

his HAL. The sizes of EEPROMs used during his work is range from 16Kb to 1Mb.

47

The author generates a basic spreadsheet to list all the functions he needs to deal

with all kinds of EEPROMs he chooses for his work. The author suggests four main

categories of functions of HAL for EEPROM which initialization are, writing data,

reading data and writing and reading the status registers. Then, he provides codes

which show how the above four categories can be represented as functions that can

deal with EEPROM. He also presents the codes of implementation of his HAL

design on an external EEPROM.

Microchip Company provides a manual for programming EEPROM devices.

Section 5.5 in this manual explains how one can erase and program EEPROM

blocks. According to the manual EEPROM can be accessed by utilizing table read

and write. The manual lists some operations that can be applied on the data

EEPROM, for instance, erase one word, erase one row (16 words), erase entire data

EEPROM, program one word and program one row (16 words). During data

EEPROM normal operation any read and write operations can be performed on it.

NVMCON and NVMKEY registers are being utilized during erase and program

operations on data EEPROM. The programming software waits for each operation,

erase or program, to be complete, and then begins another one. The three

approaches are: used to inform the software that the pervious operation is complete

when WR bit in NVMCOM register is cleared, NVMIF bit is set or enable NVM

interrupts. The screen shots of all five operations will be shown in Appendix A. For

further information you can check a pdf in [Mic 2005].

3.4 Attacks on EEPROM Memory Devices

3.4.1 Software Attack

Hogenboom and Mostowski in [HM 2009] present a software attack on open Java

Card smart card which aims to give the attacker a random access to the whole

memory locations of the cards. An open Java Card means the card can install new

applets. Their attack depends on the use of exploitable bug in the limited Java

Virtual Machine running on the card to give the attacker the possibility of reading

or modifying other applet’s data and code on the card. They cannot confirm that the

card used in their work is exactly the card still utilised in the market. The attack

proposed by this article is similar to the attack proposed by the thesis in the point

that it has the same nature which targets the software level instead of hardware

48

level. However, the proposed attack in the thesis differs from their own, since our

proposed attack is more directed to get specific data. It is also more universal as it

can work with any device and has no restriction on the kind of software, whereas

the attack proposed by Hogenboom and Mostowski works only with a smart card

with specific software type (Java Card) and it works only with the open card and

gets all the information stored in EEPROM without a classification of data types

which they extract from EEPROM.

3.4.2 Laser Attack

Skorobogatov in [Sko 2009] shows how a laser beam can be used to change an

EEPROM cell value. In his attack, he used low-cost laser-diode module mounted

by a microscope. He claims that if a memory cell is being heated by using a laser

beam that will change its value, even if this operation cannot change all memory

cells because of their small size. However, he claims that cryptographic key can be

recovered by using a brute force attack. The attack proposed by Skorobogatov is a

permanent fault injection, and even this process may damage the device because of

the heating. The proposed attack by the thesis deals with software level of

EEPROM instead of physical layer. Furthermore, the injection fault result is

eliminated and causes no damage to the device.

Sakamoto et al. in [SFM 2016] introduce an attack technique which combines the

laser irradiation and power analysis techniques. This attack aims to extract data

while reading data from the EEPROM. The proposed attack method uses the laser

irradiation to extract multiple bits from sense amplifier when it is operating in real

time. The power analysis techniques are used to specify the time of executing the

decryption operation. The secret key must be read at the beginning of decryption

operation so the attacker can know the time of extracting critical information

according to the information provided by power attack. The attack proposed by the

article is working on hardware level, and needs to combine two types of hardware

attacks for extracting secret data. Furthermore, this attack requires special hardware

devices to be implemented. The proposed attack by the thesis deals with

programming level and it is simpler in implementation and directed to get the secret

data.

49

3.4.3 Optical Fault Masking Attacks

Skorobogatov in [Sko 2010] introduces an optical attack against EEPROM memory

called fault masking attacks. The aim of these attacks is to cripple regular memory

process through stopping changes of the memory contents. The objective of this

attack is to write-protect specific memory areas when required. The attack is applied

on two kinds of PIC microcontrollers: old (larger size like PIC16F84 which is

constructed with 1.2 µm technology), and new (smaller size like PIC16F628A built

with 0.5 μm technology with two metal layers). The attack has been improved by

attacking the backside and applied on PIC and MSP430 microcontrollers. The

benefit of this attack is to help data analysis and other types of fault injection attack.

However, the author does not give a clear view of how this attack assists in

retrieving secret information stored in EEPROM.

The attack proposed in this article is working on the hardware level, whereas the

attack proposed in the thesis is working on the software level. Also, it gives a clear

and accurate method to retrieve the secret key in cryptography systems.

3.4.4 Extraction and Analysis of Non-Volatile Memory of the ZW0301

Module IoT Device

Badenhop et al. in [BRMM 2016] analysed EEPROM and flash memory of Z-wave

devices which are used as IoT devices. In their work, they identified the hardware

and software of Z-wave devices. Furthermore, they proposed methods for

extracting information from memory. They also examined this information to find

the source code and compiler. Also, they discovered information related to the data

structure of EEPROM memory used in the Z-wave devices. Finally, they made their

tools (which they updated during their research) available under Github

AFITWiSec group. The attack proposed by Badenhop et al. is similar to thesis

attack as both of them are working with software level but they differ as article

attack works against EEPROM found on specific IoT devices while thesis attack is

a universal attack which works against EEPROM on any device.

3.4.5 Microprobing Attacks

Skorobogatov in [Sko 2017] indicates that encryption of embedded memory

devices inside secure microcontrollers is not enough to protect information from

attackers. He claims that if the memory has been accessed by a CPU, then the data

under process will be insecure. His claim is based on the fact that many CPU

50

instructions disclose data on the address bus. The author offers a practical

implementation of his claim through an encrypted on-Chip Mask ROM in a secure

microcontroller. He claims that the CPU instructions, in addition to its leaking

information during the program execution, may pass decrypted data in the address

bus or disclose information through conditional instructions. He advises the

designers of semiconductor devices, particularly those which are used in sensitive

applications like banking, not only to use a powerful encryption scheme, but also

to check the integrity of the codes to be used in these devices.

3.5 Implications for Attacks Proposed in the Thesis

There are important concepts that can be extracted from this chapter and related to

the thesis work. The first one is: a specific portion of EEPROM memory devices

can be reprogramed without any need to remove the EEPROM from its original

position; and also we do not need to erase all memory cells to do that. This concept

supports the application of the proposed attacks in the thesis which target

algorithms stored in EEPROM since they will change algorithms content in a way

that helps to retrieve secret information.

The second concept is: the previous attempts to attack EEPROM by targeting the

software system used to program EEPROM were limited to specific types of

hardware devices such as Java smart cards and Z-wave. Under specific conditions,

this concept supports the ability of attacking the software system used to program

EEPROM for purpose of retrieving the data stored in it.

The proposed attacks in the thesis target cryptography algorithms stored in

EEPROM by inserting fault value and generating a fault result in the computations

of algorithm, and consequently deducing the secret key according to this error.

These attacks are universal as they can be implemented on any hardware device

which contains EEPROM memory regardless of device type or EEPROM. These

attacks differ from those found in the literature, which can only be applied in

specific conditions.

3.6 Summary

In this chapter, I presented an overview of EEPROM memory devices. I gave a

short description of EEPROM general architecture and cell configuration. Then I

showed that EEPROM memory cells could be programmed analogously and

51

digitally. Furthermore, I presented some attacks on EEPROM memory. One of

them was a software attack against Java Smart Card by [HM 2009]. In the next

chapter, I will present the proposed attacks and their implementation on RSA

algorithms.

52

Chapter Four Proposed Fault Attacks against RSA

The proposed fault factoring attack and retrieve secret key attack against RSA

cryptosystems show security issues that threaten these cryptosystems. These attacks

inject a programming fault in algorithms stored in EEPROM. This fault will be used

to factorize RSA modulus or recover the secret key of RSA cryptosystem. The

importance of this chapter is to make developers of RSA cryptography systems

aware of the security risks which threaten the software used to program hardware

devices when they choose RSA cryptosystems to secure these devices. This chapter

is related to the thesis goals as it suggests new fault attacks on RSA, which is

considered one of the widely used public-key cryptosystems.

4.1 Introduction

I assume a scenario that Alice has an RSA system and she chooses parameters p, q

as two prime numbers. She also chooses a small integer e and computes 𝑛 = 𝑝 ∗ 𝑞,

d as 𝑒 ∗ 𝑑 ≡ 1 (𝑚𝑜𝑑 𝜑(𝑛)). The public key part of her RSA system will be (e, n)

and her private key part will be (p, q and d). She wants to use her RSA system to

encrypt and sign messages implemented on hardware. In order to carry out the two

operations mentioned above, Alice has to choose appropriate algorithms from the

algorithms which are currently used for this purpose. She chooses two RSA-CRT

signature Garner’s algorithms. The first one is protected by modified Shamir’s

countermeasure and the second one is protected by simplified Vigilant’s

countermeasure. She chooses these algorithms because they have higher speed of

process than other algorithms, and they are more resistant to multi fault attacks [RG

2014] and [BD 2017]. She will use these algorithms alternatively in her work

concerning sign messages. On the other hand, she chooses two Montgomery Ladder

RSA Left-to-Right and Right-to-Left algorithms to encrypt her messages. She

chooses these algorithms in the encryption process as they are regular algorithms

(they do not use dummy operations) and they are resistant to fault attacks [BD

2017]. She will use these algorithms alternatively in her work concerning

encrypting messages. More details about the importance of RSA can be found in

section 2.3.1 of chapter 2.

Depending on the mathematical background of RSA which is outlined in section

4.2 and the RSA algorithms which Alice chooses in the above scenario, two types

53

of attack are proposed in this chapter. The aim of the fault factoring attack (FF) is

to factorize the RSA modulus by applying a fault attack on the RSA-CRT signature

cryptosystem. In this attack, I chose according to Alice chose in above scenario,

two RSA-CRT Signature Garner’s algorithms. The first one is protected by

modified Shamir’s countermeasure and the second one is protected by simplified

Vigilant’s countermeasure, taking into consideration that these algorithms are

already resistant to fault attacks [RG 2014]. The mathematical background of the

FF attack is outlined in section 4.2.8. The details of this attack, which include

algorithms to be attacked, proposed attacks algorithms and a practical example, are

shown in section 4.3. The aim of the retrieve secret key (RSK) attack is to retrieve

the secret key d by applying a fault attack on both protected Montgomery Ladder

RSA versions “Left-to-Right and Right-to-Left” algorithms according to above

scenario. The details of the RSK attack which include algorithms to be attacked,

proposed attacks algorithms and a practical example, are shown in section 4.4.

In all proposed attack algorithms, I assume that the algorithm to be attacked is

stored in EEPROM inside the victim device to which the attacker has access, and

therefore, he can induce faults during the computation process of the algorithm.

EEPROM sits on a victim hardware device and can be erased, read and written to

[Lan 2015, chap. 6], [YouTube 2014] and [YouTube 2015]. The FF and RSK

attacks try to deal with a fault in software used to program EEPROM instead of a

fault in register level. The proposed fault attacks will enter a fault value, by

changing the algorithm written in the EEPROM and using this value in the

computation instead of correct values, and consequently deduce the secret key

according to the fault in the computation. Finally, the attacker will eliminate the

error result in the computation. Therefore, any checking procedure will confirm that

all the elements used in the computations are a free of error. The retrieve of secret

exponent d or factorize modulus n of RSA cryptosystem will have the same effect

as any of success of implementation of either of two operations will break RSA

cryptosystem.

All examples showing the implementation of the FF and RSK attacks in software

are done by using Intel (R) Core (TM) i7-4500 CPU 2.4 GHZ with 8 GB RAM as

a hardware platform and Windows 7 as the operating system. Maple 2017b [Maple

54

2017] was chosen as the software platform as it contains a cryptography package

designed for elliptic curve arithmetic operations.

4.2 Background of RSA Cryptosystem

4.2.1 Classical RSA

The standard RSA cryptosystem [BNP 2007, p. 230] is constructed by choosing

two prime numbers p and q, computing a modulus n = p*q and selecting a public

exponent e which is relatively prime to 𝜑(𝑛). The private exponent d can be

calculated as

𝑒 ∗ 𝑑 ≡ 1 (𝑚𝑜𝑑 𝜑(𝑛)). (1)

4.2.2 RSA Encryption

The equation used to encrypt a plain text M with e and n components of classical

RSA described above is shown below [BNP 2007, p. 230]

𝑐 ≡ 𝑀𝑒 (𝑚𝑜𝑑 𝑛). (2)

4.2.3 RSA Decryption

The equation used to decrypt a cipher c with d and n components of classical RSA

described above is shown below [BNP 2007, p. 230]

𝑀 ≡ 𝑐𝑑 (𝑚𝑜𝑑 𝑛). (3)

4.2.4 RSA Signature

The equation used to sign a message M with d and n components of classical RSA

described above is shown below [BNP 2007, p. 230]

𝑆 ≡ 𝑀𝑑 (𝑚𝑜𝑑 𝑛). (4)

4.2.5 RSA-CRT Signature

In general, because very large values for n are used to ensure security from a brute-

force attack, this exponentiation computation is inefficient. However, the system

owner who knows p and q can speed up the calculation of S by using the Chinese

Remainder Theorem (CRT) [YKM 2006, p. 55].

The values p and q are required to do this along with the solution to the equations

shown below:

Firstly, a value of dp and dq is computed by using (5) and (6)

55

𝑑𝑝 ≡ 𝑑(𝑚𝑜𝑑 𝑝 − 1). (5)

𝑑𝑞 ≡ 𝑑(𝑚𝑜𝑑 𝑞 − 1). (6)

Then Sp and Sq is computed by using (7) and (8)

𝑆𝑝 ≡ 𝑚𝑑𝑝(𝑚𝑜𝑑 𝑝). (7)

𝑆𝑞 ≡ 𝑚𝑑𝑞(𝑚𝑜𝑑 𝑞). (8)

Either Gauss’s algorithm or Garner’s algorithm can be used to find CRT signature

Scrt which is shown in 4.2.6 and 4.2.7.

4.2.6 RSA-CRT Signature Gauss’s Algorithm

The equation used to find the RSA-CRT signature Scrt by implementing Gauss’s

equation and using (7) and (8) [MVV 1996, pp. 612–613] is

𝑆𝑐𝑟𝑡 ≡ [(𝑆𝑝 ∗ 𝑞 ∗ (𝑞−1(𝑚𝑜𝑑 𝑝)) + (𝑆𝑞 ∗ 𝑝 ∗ (𝑝

−1(𝑚𝑜𝑑 𝑞))](𝑚𝑜𝑑 𝑛) (9)

4.2.7 RSA-CRT Signature Garner’s Algorithm

Another equation which is used to find the RSA-CRT signature Scrt by

implementing Garner’s equation and using (7) and (8) [MVV 1996, p. 68] is

𝑆𝑐𝑟𝑡 ≡ 𝑆𝑞 + 𝑞 ∗ [((𝑆𝑝 − 𝑆𝑞) ∗ (𝑞−1(𝑚𝑜𝑑 𝑝))) ∗ (𝑚𝑜𝑑 𝑝)]. (10)

Example 1.

James wants to sign a message M =24 and send it to Alice by using RSA-CRT

scheme. He chooses two prime numbers p=13 and q=23. He computes

n=p*q=13*23=299 then finds 𝜑(𝑛) where 𝜑(𝑛)= (p-1)*(q-1) =12*22=264.

After that James chooses e=7 where gcd (e,𝜑(𝑛)) =1.

James needs to compute secret key d, which is used in the signature of the message

where

𝑑 ≡ 𝑒−1𝑚𝑜𝑑 𝜑(𝑛) ≡ 7−1𝑚𝑜𝑑 264 ≡ 151.

Then he tries two methods to sign his message M. Firstly, he uses the direct equation

(4)

𝑆 ≡ 𝑀𝑑 𝑚𝑜𝑑 𝑛 ≡ 24151 𝑚𝑜𝑑 299 ≡ 93.

Secondly, James tries another method to speed up the computation. He uses an

RSA-CRT scheme. Therefore, he computes dp and dq by using (5) and (6)

56

𝑑𝑝 ≡ 𝑑(𝑚𝑜𝑑 𝑝 − 1) ≡ 151 𝑚𝑜𝑑 12 ≡ 7.

𝑑𝑞 ≡ 𝑑(𝑚𝑜𝑑 𝑞 − 1) ≡ 151 𝑚𝑜𝑑 22 ≡ 19.

Next, he computes Sp and Sq by using (7) and (8)

𝑆𝑝 ≡ 𝑀𝑑𝑝(𝑚𝑜𝑑 𝑝) ≡ 247(𝑚𝑜𝑑 13) ≡ 2.

𝑆𝑞 ≡ 𝑀𝑑𝑝(𝑚𝑜𝑑 𝑝) ≡ 2419(𝑚𝑜𝑑 23) ≡ 1.

Now James can use either (9) or (10) to find the final result of signature message

M. He chooses to use (9) where

𝑆𝑐𝑟𝑡 ≡ [(𝑆𝑝 ∗ 𝑞 ∗ (𝑞−1(𝑚𝑜𝑑 𝑝)) + (𝑆𝑞 ∗ 𝑝 ∗ (𝑝

−1(𝑚𝑜𝑑 𝑞))](𝑚𝑜𝑑 𝑛)

≡ [2 ∗ 23 ∗ (23−1(𝑚𝑜𝑑 13)) + 1 ∗ 13 ∗ (13−1(𝑚𝑜𝑑 23))](𝑚𝑜𝑑 299)

≡ 93.

4.2.8 RSA-CRT Signature Cryptanalysis

In an RSA cryptosystem, with two prime numbers p and q and secret key d, a

message can be signed by using (4). This process can be sped up by using a CRT

approach. Instead of computing signature S, a two-value Sp, and Sq are calculated

by using (7) and (8). After that, Sp and Sq are combined to find Scrt by using either

(9) or (10).

Now if a fault occurs in the Sp computation process, then Spe is calculated instead

of Sp while Sq is still error-free. Then a fault signature Scrte is computed by

combining Spe and Sq. According to [BDL 1997], [Len 1996] and [JLQ 1999], a

cryptanalysis can find the factor q by implementing one of two following equations:

𝑞 ≡ 𝑔𝑐𝑑((𝑆𝑐𝑟𝑡𝑒 − 𝑆𝑐𝑟𝑡), 𝑛). (11)

Or

𝑞 ≡ 𝑔𝑐𝑑((𝑆𝑐𝑟𝑡𝑒𝑒 −𝑀), 𝑛). (12)

Example 2.

By using information from numeric example 1, Bob wants to factorize n used by

James and find factors p and q by injecting a fault in the computation

of the message signature calculation done by James.

57

Firstly Bob will use the same result that James gets in example 1. He will use (9) to

compute a fault result of the CRT signature by using fault Spe=17 instead of the

correct one Sp=2 where

𝑆𝑐𝑟𝑡 ≡ [(𝑆𝑝𝑒 ∗ 𝑞 ∗ (𝑞−1(𝑚𝑜𝑑 𝑝)) + (𝑆𝑞 ∗ 𝑝 ∗ (𝑝

−1(𝑚𝑜𝑑 𝑞))](𝑚𝑜𝑑 𝑛)

≡ [(17 ∗ 23 ∗ (23−1(𝑚𝑜𝑑 13)) + (1 ∗ 13 ∗ (13−1(𝑚𝑜𝑑 23))](𝑚𝑜𝑑 299)

≡ 277.

Now, after Bob gets faulted signature Scrte, he can use either (11) or (12) to find

factor q, since e, M, and Scrt are already known from example 1. Bob chooses (11)

to find factor q where

𝑞 = 𝑔𝑐𝑑((𝑆𝑐𝑟𝑡𝑒 − 𝑆𝑐𝑟𝑡), 𝑛) = 𝑔𝑐𝑑((277 − 93), 299) = 23.

4.2.9 RSA-CRT Garner’s Signature Algorithm Protected by Modified

Shamir’s Countermeasure

Rauzy and Guilley [RG 2014] modify Shamir’s countermeasure [Sha 1997] which

is applied for a patent in [Sha 1999] to protect RSA-CRT signature by verifying the

integrity of the partial components and final result of computing the final signature

by using RSA-CRT. They take new verifications from Aumüller et al.’s

countermeasure [ABFHS 2002]. The modified Shamir’s countermeasure can be

summarised as follows:

Rauzy and Guilley assume that Garner’s algorithm is used in the computations of

the RSA-CRT signature, and I assume that the firmware in victim device stores the

four values, prime numbers p and q, secret key d and the parameter 𝑖𝑞 ≡

𝑞−1 𝑚𝑜𝑑 𝑝 which are to be used in the the computations of the RSA-CRT

signature [BFM 2017].

The next step is to choose a random small integer r, which the algorithm will use

in computations as follows:

𝑝𝑟 = 𝑝 ∗ 𝑟. (13)

𝑞𝑟 = 𝑞 ∗ 𝑟. (14)

Now the algorithm will return the error value to the user instead of the final result

if one of two conditions is verified; otherwise the computation process will continue

until the final result is obtained and returned to the user

𝑝𝑟 ≢ 0 𝑚𝑜𝑑 𝑝 𝑜𝑟 𝑞𝑟 ≢ 0 𝑚𝑜𝑑 𝑞. (15)

58

Next step algorithm will compute

𝑆𝑝𝑟 ≡ 𝑀𝑑 𝑚𝑜𝑑 𝜑(𝑝𝑟) (𝑚𝑜𝑑 𝑝𝑟). (16)

𝑆𝑞𝑟 ≡ 𝑀𝑑 𝑚𝑜𝑑 𝜑(𝑞𝑟) (𝑚𝑜𝑑 𝑞𝑟). (17)

Now the algorithm will verify the components

𝑆𝑝𝑟 ≢ 𝑆𝑞𝑟 (𝑚𝑜𝑑 𝑟). (18)

If the result is true then the algorithm will return error; otherwise the algorithm will

continue.

In the next step, a partial signature will be calculated

𝑆𝑝 ≡ 𝑆𝑝𝑟 (𝑚𝑜𝑑 𝑝). (19)

𝑆𝑞 ≡ 𝑆𝑞𝑟 (𝑚𝑜𝑑 𝑞). (20)

In case of using Garner’s equation, the algorithm computes proper signature Scrt by

using

𝑆𝑐𝑟𝑡 ≡ 𝑆𝑞 + 𝑞 ∗ [(i𝑞 ∗ (𝑆𝑝 − 𝑆𝑞) (𝑚𝑜𝑑 𝑝))]. (21)

Finally, the algorithm will return the error if one of the two conditions is verified;

otherwise it will return 𝑆𝑐𝑟𝑡

𝑆𝑐𝑟𝑡 ≢ 𝑆𝑝𝑟 (𝑚𝑜𝑑 𝑝) 𝑜𝑟 𝑆𝑐𝑟𝑡 ≢ 𝑆𝑞𝑟( 𝑚𝑜𝑑 𝑞 ). (22)

Example 3

Tony wants to implement modified Shamir’s countermeasure, which is suggested

by Rauzy and Guilley, to protect a message signed by using RSA-CRT scheme.

Therefore, he chooses two random prime numbers p=17, q=37, and small integer r

=7. Next, he chooses message M=36 Then he computes n=p*q=629. After that, he

chooses e=5 where gcd (e, 𝜑(𝑛))=1.

Tony needs to compute secret key d where d≡e-1 mod 𝜑(𝑛)≡ 5-1 mod 576≡461.

He also needs to compute 𝑖𝑞 ≡ 𝑞−1 𝑚𝑜𝑑 𝑝 ≡ 37−1 𝑚𝑜𝑑 17 ≡ 6.

After that, he needs to compute pr by using (13) and qr, by using (14) where

𝑝𝑟 = p ∗ 𝑟 = 17 ∗ 7 = 119.

𝑞𝑟 = 𝑞 ∗ 𝑟 = 37 ∗ 7 = 259.

59

Then Tony will check

𝑝𝑟 𝑚𝑜𝑑 𝑝 ≡ 119 𝑚𝑜𝑑 17 ≡ 0.

𝑞𝑟 𝑚𝑜𝑑 𝑞 ≡ 259 𝑚𝑜𝑑 37 ≡ 0.

As the two conditions have a 0 result, then Tony will proceed with computing 𝑆𝑝𝑟

and 𝑆𝑞𝑟 by using (16) and (17)

𝑆𝑝𝑟 ≡ 𝑀𝑑 𝑚𝑜𝑑 𝜑(𝑝𝑟)( 𝑚𝑜𝑑 𝑝𝑟) ≡ 36

461 𝑚𝑜𝑑 ((17−1)∗(7−1)) 𝑚𝑜𝑑 119 ≡ 15.

𝑆𝑞𝑟 ≡ 𝑀𝑑 𝑚𝑜𝑑 𝜑(𝑞𝑟) (𝑚𝑜𝑑 𝑝𝑟) ≡ 36461 𝑚𝑜𝑑 ((37−1)∗(7−1)) 𝑚𝑜𝑑 259 ≡ 36.

Tony now checks the condition below

𝑆𝑝𝑟𝑚𝑜𝑑 𝑟 ≡ 𝑆𝑞𝑟 𝑚𝑜𝑑 𝑟 ≡ 15 mod 7 ≡ 36 mod 7≡1.

When the condition is verified, then Tony proceeds with computing 𝑆𝑝, 𝑆𝑞 and 𝑆𝑐𝑟𝑡

by using (19), (20) and (21) as shown below

𝑆𝑝 ≡ 𝑆𝑝𝑟 (𝑚𝑜𝑑 𝑝) ≡ 15 𝑚𝑜𝑑 17 ≡15.

𝑆𝑞 ≡ 𝑆𝑞𝑟 (𝑚𝑜𝑑 𝑞) ≡ 36 𝑚𝑜𝑑 37 ≡ 36.

𝑆𝑐𝑟𝑡 ≡ 𝑆𝑞 + 𝑞 ∗ [(i𝑞 ∗ (𝑠𝑝 − 𝑠𝑞) )(𝑚𝑜𝑑 𝑝)] ≡ 36 + 37 ∗ [(6*(15-36)) mod 17]

≡ 406.

Finally, Tony will verify 𝑆𝑐𝑟𝑡 by verifying the conditions

𝑆𝑐𝑟𝑡 𝑚𝑜𝑑 𝑝 ≡ 𝑆𝑝𝑟 (𝑚𝑜𝑑 𝑝) ≡ 15.

𝑆𝑐𝑟𝑡 𝑚𝑜𝑑 𝑝 ≡ 𝑆𝑞𝑟 (𝑚𝑜𝑑 𝑞) ≡ 37.

The conditions are verified, then Tony will be able to use the final signature 𝑆𝑐𝑟𝑡 .

4.2.10 RSA-CRT Garner’s Signature Algorithm Protected by


Rauzy and Guilley [RG 2014] simplify Vigilant’s countermeasure [Vig 2008] to

protect RSA-CRT signature by reducing the number of verifications from 9 to 3

and enhancing the countermeasure in speed and decreasing its need for randomness.

The simplified Vigilant’s countermeasure can be summarised as follows:

60

Rauzy and Guilley assume that Garner’s algorithm is used in the computations of

the RSA-CRT signature, and I assume that the firmware of the victim device stores

the five values: prime numbers p and q, secret key dp, secret key dq and the

parameter 𝑖𝑞 ≡ 𝑞−1 𝑚𝑜𝑑 𝑝,which are to be used in the computations of the RSA-

CRT signature [BFM 2017].

In the beginning, the algorithm chooses a small random integer r and compute n =

p * q. In the next step, the algorithm will compute verification 𝑐𝑝 for the partial

prime p by applying the equations below:

𝑝′ = 𝑝 ∙ 𝑟2. (23)

𝑖𝑝𝑟 ≡ 𝑝−1(𝑚𝑜𝑑 𝑟2). (24)

𝑀𝑝 ≡ 𝑀 (𝑚𝑜𝑑 𝑝′). (25)

𝐵𝑝 = 𝑝 ∙ 𝑖𝑝𝑟 . (26)

𝐴𝑝 ≡ 1 − 𝐵𝑝 (𝑚𝑜𝑑 𝑝′). (27)

𝑀𝑝′ ≡ 𝐴𝑝 ∙ 𝑀𝑝 + 𝐵𝑝 ∙ (1 + 𝑟) (𝑚𝑜𝑑 𝑝

′). (28)

𝑆𝑝′ ≡ 𝑀𝑝

′ 𝑑𝑝 𝑚𝑜𝑑 𝜑(𝑝′) (𝑚𝑜𝑑 𝑝′). (29)

𝑆𝑝𝑟 = 1 + 𝑑𝑝 ∙ 𝑟. (30)

𝑐𝑝 ≡ 𝑀𝑝′ + 𝑛 −𝑀 + 1 (𝑚𝑜𝑑 𝑝). (31)

After that, the algorithm will calculate verification term 𝑐𝑞for the partial prime q by

applying the equations below:

𝑞′ = 𝑞 ∙ 𝑟2. (32)

𝑖𝑞𝑟 ≡ 𝑞−1(𝑚𝑜𝑑 𝑟2). (33)

𝑀𝑞 ≡ 𝑀 (𝑚𝑜𝑑 𝑞′). (34)

𝐵𝑞 = 𝑞 ∙ 𝑖𝑞𝑟. (35)

𝐴𝑞 ≡ 1 − 𝐵𝑞 (𝑚𝑜𝑑 𝑞′). (36)

𝑀𝑞′ ≡ 𝐴𝑞 ∙ 𝑀𝑞 + 𝐵𝑞 ∙ (1 + 𝑟) (𝑚𝑜𝑑 𝑞

′). (37)

𝑆𝑞′ ≡ 𝑀𝑞

′ 𝑑𝑞 𝑚𝑜𝑑 𝜑(𝑞′) (𝑚𝑜𝑑 𝑞′). (38)

61

𝑆𝑞𝑟 = 1 + 𝑑𝑞 ∙ 𝑟. (39)

𝑐𝑞 ≡ 𝑀𝑞′ + 𝑛 −𝑀 + 1 (𝑚𝑜𝑑 𝑞). (40)

The next step will be the algorithm computing the final signature as follows:

𝑆′ ≡ 𝑆𝑞′ + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝

′ − 𝑆𝑞′ )(𝑚𝑜𝑑 𝑝′)). (41)

𝑆𝑟 ≡ 𝑆𝑞𝑟 + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝𝑟 − 𝑆𝑞𝑟)(𝑚𝑜𝑑 𝑝′)). (42)

Then them algorithm calculates verification term 𝑐𝑠 for final signature

𝑐𝑠 ≡ 𝑆′ − 𝑆𝑟 + 1 (𝑚𝑜𝑑 𝑟

2). (43)

Finally, the algorithm will return signature S if the equation below is verified

𝑆 ≡ 𝑆′𝑐𝑝𝑐𝑞𝑐𝑠 (𝑚𝑜𝑑 𝑛). (44)

Example 4

Jim wants to apply simplified Vigilant’s countermeasure to protect a signature for

a message by using RSA-CRT which is suggested by Rauzy and Guilley. Therefore,

he chooses two random prime numbers p=59, q=53, and small integer r=4. Next,

Jim chooses message M=56. Then he computes n=p*q=3127. After that, he chooses

e=5 where gcd (e, 𝜑(𝑛)) =1 and calculates d=e-1 mod 𝜑(𝑛) ≡ 5-1 mod 𝜑(3127) ≡

5-1 mod 3016 ≡2413.

He also needs to compute secret keys dp and dq and the parameter 𝑖𝑞 by using the

following equations:

𝑑𝑝 ≡ 𝑑 𝑚𝑜𝑑 (𝑝 − 1) ≡ 2413 𝑚𝑜𝑑 58 ≡ 35.

𝑑𝑞 ≡ 𝑑 𝑚𝑜𝑑 (𝑞 − 1) ≡ 2413 𝑚𝑜𝑑 52 ≡ 21.

𝑖𝑞 ≡ 𝑞−1 (𝑚𝑜𝑑 𝑝) ≡ 53−1 𝑚𝑜𝑑 59 ≡ 49.

After that, Jim chooses a small random integer r = 4. In the next step, Jim will

compute verification 𝑐𝑝 for the partial prime p by applying the equations below:

𝑝′ = 𝑝 ∙ 𝑟2 = 59 ∙ 42 = 944.

𝑖𝑝𝑟 ≡ 𝑝−1(𝑚𝑜𝑑 𝑟2) ≡ 59−1𝑚𝑜𝑑 42 ≡ 3.

𝑀𝑝 ≡ 𝑀 (𝑚𝑜𝑑 𝑝′) ≡ 56 𝑚𝑜𝑑 944 ≡ 56.

𝐵𝑝 = 𝑝 ∙ 𝑖𝑝𝑟 = 59 ∙ 3 ≡ 177.

62

𝐴𝑝 ≡ 1 − 𝐵𝑝 (𝑚𝑜𝑑 𝑝′) ≡ 1 − 177 𝑚𝑜𝑑 944 ≡ 768.

𝑀𝑝′ ≡ 𝐴𝑝 ∙ 𝑀𝑝 + 𝐵𝑝 ∙ (1 + 𝑟) (𝑚𝑜𝑑 𝑝

′) ≡ 768 ∙ 56 + 177 ∙ (1 + 4) 𝑚𝑜𝑑 944.

≡ 469.

𝑆𝑝′ ≡ 𝑀𝑝

′ 𝑑𝑝 𝑚𝑜𝑑 𝜑(𝑝′) (𝑚𝑜𝑑 𝑝′) ≡ 46935 𝑚𝑜𝑑 𝜑(944) 𝑚𝑜𝑑 944

≡ 46935 𝑚𝑜𝑑 464 𝑚𝑜𝑑 944 ≡ 333.

𝑆𝑝𝑟 = 1 + 𝑑𝑝 ∙ 𝑟 = 1 + 35 ∙ 4 = 141.

𝑐𝑝 ≡ 𝑀𝑝′ + 𝑛 −𝑀 + 1 (𝑚𝑜𝑑 𝑝) ≡ 469 + 3127 − 56 + 1 𝑚𝑜𝑑 59 ≡ 1.

Then Jim will calculate verification term 𝑐𝑞for the partial prime q by applying the

equations below:

𝑞′ = 𝑞 ∙ 𝑟2 = 53 ∙ 42 = 848.

𝑖𝑞𝑟 ≡ 𝑞−1(𝑚𝑜𝑑 𝑟2) ≡ 53−1𝑚𝑜𝑑 42 ≡ 13.

𝑀𝑞 ≡ 𝑀 (𝑚𝑜𝑑 𝑞′) ≡ 56 𝑚𝑜𝑑 848 ≡ 56.

𝐵𝑞 = 𝑞 ∙ 𝑖𝑞𝑟 = 53 ∙ 13 = 689.

𝐴𝑞 ≡ 1 − 𝐵𝑞 (𝑚𝑜𝑑 𝑞′) ≡ 1 − 689 𝑚𝑜𝑑 848 ≡ 160.

𝑀𝑞′ ≡ 𝐴𝑞 ∙ 𝑀𝑞 + 𝐵𝑞 ∙ (1 + 𝑟) (𝑚𝑜𝑑 𝑞

′) ≡ 160 ∙ 56 + 689 ∙ (1 + 4) 𝑚𝑜𝑑 848.

≡ 533.

𝑆𝑞′ ≡ 𝑀𝑞

′ 𝑑𝑞 𝑚𝑜𝑑 𝜑(𝑞′) (𝑚𝑜𝑑 𝑞′) ≡ 53321 𝑚𝑜𝑑 𝜑(848) 𝑚𝑜𝑑 848

≡ 53321 𝑚𝑜𝑑 416 𝑚𝑜𝑑 848 ≡ 677.

𝑆𝑞𝑟 = 1 + 𝑑𝑞 ∙ 𝑟 = 1 + 21 ∙ 4 = 85.

𝑐𝑞 ≡ 𝑀𝑞′ + 𝑛 −𝑀 + 1 (𝑚𝑜𝑑 𝑞) ≡ 533 + 3127 − 56 + 1 𝑚𝑜𝑑 53 ≡ 1.

The next step Jim takes will be computing the final signature as follows:

𝑆′ ≡ 𝑆𝑞′ + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝

′ − 𝑆𝑞′ )(𝑚𝑜𝑑 𝑝′) )

≡ 677 + 53 ∙ (49 ∙ (333 − 677)𝑚𝑜𝑑 944 ) ≡ 7885.

𝑆𝑟 ≡ 𝑆𝑞𝑟 + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝𝑟 − 𝑆𝑞𝑟)(𝑚𝑜𝑑 𝑝′) )

≡ 85 + 53 ∙ (49 ∙ (141 − 85)𝑚𝑜𝑑 944 ) ≡ 45453.

63

Then Jim calculates verification term 𝑐𝑠 for final signature

𝑐𝑠 ≡ 𝑆′ − 𝑆𝑟 + 1 𝑚𝑜𝑑 𝑟

2 ≡ 7885 − 45453 + 1 𝑚𝑜𝑑 16 ≡ 1.

Finally, the algorithm will return signature S if the equation below is verified

𝑆 𝑚𝑜𝑑 𝑛 ≡ 𝑆′𝑐𝑝𝑐𝑞𝑐𝑠 (𝑚𝑜𝑑 𝑛)

562413 𝑚𝑜𝑑 3127 ≡ 78851∙1∙1 𝑚𝑜𝑑 3127

1631 ≡ 1631.

4.3 Fault Factoring Attack

In the related literature, there are some attacks against RSA-CRT cryptosystems.

Kong et al. in [KZJSY 2017] proposed an attack against Lee’s improved RSA-CRT

algorithm [LCC 2014]. Lee et al. in [LCC 2014] used modulus chaining method to

protect RSA-CRT algorithm by ensuring that the three primes p, q and r are not

changed during computations. Kong and his team proposed two attacks against

Lee’s improved RSA-CRT algorithm. The first one injects a permanent fault in Spr,

and as a result of this fault, they can factorize modulus n of RSA-CRT algorithm.

The second attack injects a transient error in prime p, and by using the fault result

generated by this error they can get the same result as in the first attack. However,

the modulus chaining method used by Lee cannot prevent the two attacks

mentioned above.

Bhattacharya and Mukhopadhyay [BM 2017] improve the official differential fault

analysis on the 2-bit branch predictor performance under the influence of faults.

Their fault model is based on the ability of the attacker to introduce a bit-flip error

into the private keystream. The result of their analysis demonstrates that differences

of branch misses under the impact of fault can leak information about private key

bits. The authors claim that this kind of attack can threaten RSA modular

exponentiation and RSA-CRT algorithms. It can also threaten algorithms protected

by a countermeasure which halts or randomizes the final result if a fault has been

detected. This attack can be adjusted to attack processers with embedded soft-core

by introducing practical errors through a skip instruction technique.

In this section, I show how the fault factoring (FF) attacks are used to factorize the

RSA modulus n=p*q. The FF attacks try to deal with a fault in the programming

level of EEPROM instead of a fault in register level. The new fault attack will enter

64

a fault value by changing the algorithm written in the EEPROM [Lan 2015, chap.

6], [YouTube 2014] and [YouTube 2015], and then use this value in the

computation instead of the correct values, and thus deduce the secret key according

to the fault in the computation. Moreover, the attacker will eliminate the fault result

in the computation. Therefore, any checking procedure will confirm that all

elements used in the computations are free of error. This section will also include

algorithms that I choose to attack and the proposed attack algorithms to be used

against them, as well as practical examples that will show the implementation of

these attacks.

In this section, the FF attack will be implemented on a signature system using RSA-

CRT and protected by countermeasures. Section 4.3.2 will show the

implementation of an FF attack against the signature system using RSA-CRT

cryptosystem and protected by modified Shamir’s countermeasure [RG 2014, Alg.

10]. Section 4.3.4 will show the implementation of an FF attack against a signature

system also using RSA-CRT cryptosystem but protected by simplified Vigilant’s

countermeasure [RG 2014, alg. 11].

4.3.1 RSA-CRT Signature Using Garner’s Algorithm Protected by

Modified Shamir’s Countermeasure

Algorithm 2.1 in section 2.5.1.1 of chapter 2 represents the RSA-CRT signature

using Garner’s algorithm protected by modified Shamir’s countermeasure of which

the outline is shown in section 4.2.9. This algorithm is used to speed up the

computation time of the message signature by using RSA-CRT scheme. Shamir

modified this algorithm to be resistant to a fault attack by increasing the randomness

of this algorithm through adding more items to the computation process to make it

more difficult for an attacker to guess the secret key when using a fault attack.

Shamir achieved that by inserting a small integer r in the computation; however, he

did not specify how to choose random prime numbers. In the related literature,

several methods are proposed by researchers for generating random numbers such

as the software method presented by [AA 2016] which is based on the use of

congruence equations, and the hardware method, suggested by [KCLP 2016] which

generates a prime number by merging Fermat test and trial division in parallel. In

my implementation of these algorithms, I use the direct command from Maple to

generate a prime random number which is

65

Random_prime_number ≡ nextprime (rand (21 .. 2n)).

where n is the number of bits.

Also, Rauzy and Guilley suggest a modification to Shamir’s countermeasure which

protects the signature system using RSA-CRT by fixing the checksum operations.

4.3.2 FF Attack against RSA-CRT with Garner’s Algorithm and

Protected by Modified Shamir’s Countermeasure

Algorithm 4.1 is the proposed attack against algorithm 2.1. The aim of algorithm

4.1 is to factorize RSA-CRT modulus n. In algorithm 4.1, a fault value X is injected

to be used instead of the stored value 𝑖𝑞 ≡q-1 mod p to compute a CRT-RSA

signature S, so that a fault signature 𝑆𝑐𝑟𝑡𝑒 will be computed instead of the correct

one. This fault CRT-RSA signature 𝑆𝑐𝑟𝑡𝑒 can be used to factorize RSA-CRT

modulus n=p*q by computing the factor q= gcd ((𝑆𝑐𝑟𝑡𝑒-𝑆𝑐𝑟𝑡), n) [BDL 1997], [Len

1996] and [JLQ 1999]. Algorithm 4.1 is shown below.

Algorithm 4.1 FF Attack against Algorithm 2.1


INPUT by user: message M, fault value X.

OUTPUT: The factor q.


2. pr p*r.

3. qr q*r.

4. If pr ≢ 0 (mod p) or qr ≢ 0 (mod q ) then return error.



7. if 𝑆𝑝𝑟 ≢ 𝑆𝑞𝑟 𝑚𝑜𝑑 𝑟 then return error.



10. 𝑆𝑐𝑟𝑡 𝑆𝑞 + 𝑞 ∗ [(𝑖𝑞 ∗ (𝑆𝑝 − 𝑆𝑞) (𝑚𝑜𝑑 𝑝))].

11. Comment: use X instead of 𝑖𝑞 in the computation of Scrt so we get Scrte.

12. 𝑆𝑐𝑟𝑡𝑒 𝑆𝑞 + 𝑞 ∗ [(𝑋 ∗ (𝑆𝑝 − 𝑆𝑞) (𝑚𝑜𝑑 𝑝))].

13. n p*q

14. To get q, we compute 𝑞𝑡 gcd((𝑆𝑐𝑟𝑡𝑒-𝑆𝑐𝑟𝑡) ,n).

66

15. Eliminate 𝑆𝑐𝑟𝑡𝑒.


17. return q≡ 𝑞𝑡.

Example 5

See appendix A.1

4.3.3 RSA-CRT Signature with Garner’s Algorithm Protected by


Algorithm 2.2 in section 2.5.1.1 of chapter 2 represents the RSA-CRT signature

with Garner’s algorithm protected by simplified Vigilant’s countermeasure the

outline of which is shown in section 4.2.10. This algorithm which is proposed by

Rauzy and Guilley [RG 2014] represents a modification of the countermeasure

suggested by Vigilant [Vig 2008].

4.3.4 FF Attack against RSA-CRT Signature with Garner’s Algorithm

Protected by Simplified Vigilant’s Countermeasure

Algorithm 4.2 is the proposed attack against algorithm 2.2. The aim of algorithm

4.2 is to factorize RSA modulus n. In algorithm 4.2, a fault value X is injected to

be used instead of stored value 𝑖𝑞 ≡ 𝑞−1 𝑚𝑜𝑑 𝑝 to compute a CRT-RSA signature

S, so that a fault signature 𝑆𝑐𝑟𝑡𝑒 is computed instead of the correct one. This fault

CRT-RSA signature 𝑆𝑐𝑟𝑡𝑒 can be used to factorize RSA modulus n=p*q by

computing the factor 𝑞 = 𝑔𝑐𝑑((𝑆𝑐𝑟𝑡𝑒𝑒 −𝑀), 𝑛) [BDL 1997], [Len 1996] and [JLQ

1999]. Algorithm 4.2 shows that even if a more complicated check sum is used, the

FF attack can factorize RSA-CRT modulus n. In addition, it does not need to

compute a correct CRT signature as attackers do not need it in computing factor q.

The only two items attackers need to find are factor q are a fault CRT signature Scrte

and message M. Algorithm 4.2 is shown below.

Algorithm 4.2 FF Attack against Algorithm 2.2





2. n p*q.

67





7. 𝐴𝑝 1 − 𝐵𝑝( 𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).










16. 𝑆𝑝𝑟 1 + 𝑑𝑝 ∙ 𝑟.



𝑑𝑝( 𝑚𝑜𝑑 𝜑(𝑞𝑑𝑎𝑠ℎ)) (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).

19. 𝑆𝑞𝑟 1 + 𝑑𝑞 ∙ 𝑟.


21. 𝑆𝑑𝑎𝑠ℎ 𝑆𝑞𝑑𝑎𝑠ℎ + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝𝑑𝑎𝑠ℎ − 𝑆𝑞𝑑𝑎𝑠ℎ)(𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ)).

22. Comment: use X instead of 𝑖𝑞 in the computation of Sdash so we get Sdashe..

23. 𝑆𝑑𝑎𝑠ℎ𝑒 𝑆𝑞𝑑𝑎𝑠ℎ + 𝑞 ∙ (𝑋 ∙ (𝑆𝑝𝑑𝑎𝑠ℎ − 𝑆𝑞𝑑𝑎𝑠ℎ)(𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ) ).

24. To get q, we compute 𝑞𝑡 gcd((𝑆𝑑𝑎𝑠ℎ𝑒𝑒 −𝑀),n).

25. Eliminate 𝑆𝑐𝑟𝑡𝑒 .

26. 𝑆𝑟 𝑆𝑞𝑟 + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝𝑟 − 𝑆𝑞𝑟)(𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ)).


28. 𝑆 ≡ 𝑀𝑑 (𝑚𝑜𝑑 𝑛).

29. 𝑆 ≢ 𝑆𝑑𝑎𝑠ℎ𝑐𝑝𝑐𝑞𝑐𝑠 (𝑚𝑜𝑑 𝑛) then return error.

30 return q=𝑞𝑡.

Example 6

See appendix A.2

68

4.4 Retrieve Secret Key Attack

In this section, I present the retrieve secret key (RSK) attack, which uses a fault

attack to retrieve RSA secret key d, which may be a key utilised in the signature or

decryption process. This section will include algorithms I choose to attack (which

are known as Protected Montgomery Ladder RSA algorithms Left-to-Right [JY

2002, Fig. 9] and Right-to-Left which I constructed by myself), the proposed

attacks of algorithms against them as well as practical examples to show the

implementation of these attacks.

The retrieved secret key attack is based on ideas concerning the ‘safe error attack’

on RSA cryptosystems described in [YJ 2000], in which the attacker injects a fault

into the intermediate calculation values of the multiplication process, and from this,

deduces a bit value of d. As mentioned previously, we assume that the attacker can

access the chip on which the algorithm was run. The simple and differential power

attacks as well as the computational and memory safe-error fault attacks are not

applicable on protected Montgomery Ladder RSA. In the same time, the new RSK

attack I proposed is applicable on protected Montgomery Ladder RSA. My new

RSK attack can be classified as computational safe-error fault attack.

4.4.1 Protected Montgomery Ladder RSA Left-to-Right Algorithm

The internal inputs (loaded from the firmware) to algorithm 2.3 in section 2.5.1.2

of chapter 2 are the secret key d = (dt, dt-1, …,d1)2 in binary form and size of secret

key t. The inputs by the user to algorithm 2.3 are the message g and modulus n.

The output is gd (mod n). Algorithm 2.3 uses R(0) and R(1) to compute gd,

initialising R(0) to 1 and R(1) to g. Then the algorithm enters a loop running from

t to 1. In each iteration, a reverse binary value of di is stored in b, R(b) multiplied

by R(di), the result is stored in R(b) and the value of R(di) is doubled. When the

loop ends, the value in R(0) will be the desired result gd.

4.4.2 RSK Attack against the Protected Montgomery Ladder RSA Left-

to-Right Algorithm

Algorithm 4.3 is a modification of algorithm 2.3. Therefore, algorithm 4.3 has the

same internal inputs loaded from the firmware of the victim device (the secret key

d = (dt, dt-1, …,d1)2 in binary form and the size of secret key t). The inputs by the

attacker are the message g, fault value X and modulus n. I assume that the attacker

does not know d, but does know that it is stored in the firmware of the victim device

69

in binary form and was used in processing the output gd. Algorithm 4.3 access the

bits of d in order, from most to least. In algorithm 4.3, the variable k is used to store

the captured binary values of d.

Algorithm 4.3 is initialised by setting R(0) to 1 and R(1) to message g and key size

counter z to 1. The idea behind the attack is based on the introduction of the error

using X at some points in the multiplication process. In each iteration of for loop of

algorithm 4.3, the reversed binary value of di is stored in b. The result of multiplied

R(b) by the introduced fault point X is stored in H, and the value of R(b) is stored

in T. In the next step, the value of di is checked: if it is 1 then R(b) is multiplied by

fault point X and stored in the R(b). At this point, the algorithm compares R(b) with

H and if they are equal, algorithm 4.3 will deduce that the value of the secret key

bit in this iteration is 1. In this case, the error in R(b) is eliminated by replacing its

value with T. However, if R(b) is not equal to G, then the algorithm deduces that

the value of the secret key bit is 0 in this iteration.

In the subsequent step, R(b) is multiplied by R(di) and stored in R(b), while R(di)

is doubled and stored in R(di). Then, the counter z is incremented by one. The

iterations are continued until the for-loop is ended. Then, k contains the estimated

bits of d, and v is the size of the final value of z-1 which represents the bit-size t of

d.

Algorithm 4.3 RSK Attack against Algorithm 2.3


t.

INPUT by attacker: message g, fault value X, modulus n.

OUTPUT: d in binary form and v size of secret key.

1. R(0) 1, R(1) g.

COMMENT: Assign key size counter label z 1.

2. z 1.

COMMENT: Inject error by using X instead of R(di) in multiplication operations.

3. For i= t to 1 do

3.1 b ¬ dz.

3.2 H R(b) *X (mod n).

3.3 T R(b) (mod n).

70

3.4 If di = 1 then

R(b) R(b) * X (mod n).

End IF.

COMMENT: The loops store the bits of d in order in the (t)-tuple d.

3.5 If R(b) = H then

{ki 1.

COMMENT: Eliminate the error in R(b) by replacing the fault value by a value

stored in T

R(b) T.

Else

ki 0.

End If.

3.6 R(b) R(b)*R(di) (mod n).

3.7 R(di) R(di)2(mod n).

3.8 z z+1.

End For loop.

4. Set v z-1.

5. d= (kv, kv-1, . . . , k2, k1).

Example 7

See appendix A.3

4.4.3 Protected Montgomery Ladder RSA Right-to-Left Algorithm

The internal inputs (loaded from the firmware) to algorithm 2.4 in section 2.5.1.2

of chapter 2 are the secret key d = (dt, dt-1, …, d1)2 in binary form and size of secret

key t. The inputs by the user to algorithm 2.4 are the message g and modulus n. The

output is gd. Algorithm 2.4 uses R(0) and R(1) to compute gd, initialising R(0) to 1

and R(1) to g . Then the algorithm enters a loop running from 1 to t. In each iteration,

a reverse binary value of di is stored in b, R(b) is doubled, R(di) is multiplied by

R(b) and the result is stored in R(b). When the loop ends, the value in R(0) will be

the desired result gd.

71

4.4.4 RSK Attack against the Protected Montgomery Ladder RSA

Right-to-Left Algorithm

Algorithm 4.4 is a modification of algorithm 2.4. Therefore, algorithm 4.4 has the

same internal inputs loaded from the firmware of the victim device (the secret key

d = (dt, dt-1, …, d1)2 in binary form and size of the secret key t). The inputs by the

attacker are the message g and fault value X and modulus n. I assume that the

attacker does not know d but does know that it is stored in the firmware of the victim

device in binary form and was used in processing the output gd. Algorithm 4.4

access the bits of d in order, from least to most. In algorithm 4.4, the variable k is

used to store the captured binary values of d.

Algorithm 4.4 is initialised by setting R(0) to 1, R(1) to message g and the key size

counter z to 1. The idea behind the attack is based on the introduction of the error

using X at some points in the multiplication process. In each iteration of algorithm

4.4, a reversed value of di is stored in b. The result of multiplying R(b) by the

introduced fault point X is stored in H and the value of R(b) is stored in T. In the

next step, the value of di is checked: if it is 1 then the result of R(b) multiplied by

the introduced fault point X is stored in the R(b). At this point, the algorithm

compares R(b) with H, and if they are equal, deduces that the value of the secret

key bit in this iteration is 1. In this case, the error in R(b) is eliminated by replacing

it with T. However, if R(b) is not equal to H, then the algorithm deduces that the

value of the secret key bit is 0 in this iteration.

In the subsequent step, R(b) is doubled and stored in R(b) and then the new value

of R(b) is multiplied by R(di) and the result is stored in R(b). Then the counter z is

incremented by one. The iterations are continued until the for-loop is ended. Then,

k contains the estimated bits of d, and v is the size of the final value of z-1 which

represents the bit-size t of d.

Algorithm 4.4 RSK Attack against Algorithm 2.4


t.



1. R(0) 1, R(1) g.

72

COMMENT: assign key size counter label z 1.

2. z 1.


3. For i= 1 to t do

3.1 b ¬ di.

3.2 H R(b) *X(mod n).

3.3 T R(b) (mod n).

3.4 If di = 1 then


End IF.


3.5 If R(b) = H then.

{ki 1.

COMMENT: Eliminate the error in R(b) by replacing fault value by a value

stored in T.

R(b) T.

Else

ki 0.

End If.

3.6 R(b) R(b)2 (mod n).

3.7 R(b) R(b)*R(di) (mod n).

3.8 z z+1.

End While loop.

4. Set v z-1.

5. d= (kv, kv-1, k3, . . . , k2, k1).

Example 8

See appendix A.4

4.5 Summary

In this chapter, two fault attacks were proposed to recover RSA cryptosystem secret

information. The FF attack was applied to RSA-CRT signature algorithms, and it

aimed to factorize RSA-CRT modulus n. The RSK attack was implemented on the

protected Montgomery Ladder RSA “Left-to-Right and Right-to-Left” algorithms,

and its goal was to recover the d secret key which might represent a decryption key

73

or a signature key. The two attacks depended on the concept of safe error attack.

All the attacks proposed in this chapter posed challenges to the designer of RSA

cryptosystems to take into consideration all the security issues highlighted here.

74

Chapter Five Proposed Fault Attack against Elliptic

Curve Cryptosystem

ECC is used to secure data in devices with restricted resources like smart card. The

fault attack technique proposed here inject a programming fault in algorithms stored

in EEPROM. This fault will be used to retrieve the secret key of ECC. This chapter

is closely related to the thesis goals as it suggests fault attack on ECC.

5.1 Introduction

In this chapter we focus on six algorithms for scalar multiplication suggested by

Montgomery ([JY 2002] and [FV 2012]), Coron [DHB 2016] and Joye ([JY 2002]

and [Joy 2007]). All six algorithms are regular and thus resistant to power, timing,

and safe error attacks (e.g., [FRV 2014], [Che 2017] & [Lal 2017]).

ECC is one of the most widespread cryptography systems currently used to deal

with devices with low or constrained resources like IoT devices. The main

advantage of this kind of cryptography systems is that they provide high level

security with smaller key size. ECC needs only a key size of 384 bits long digits to

give the same level of security of RSA with key size of 3072 bits long digits for the

year 2018 according to BlueKrypt website for both. Bluekrypt website [Gir 2017]

is a site which gives recommendations for key size according to the requirements

of different security institutes over the world such as Commercial National Security

Algorithm (CNSA) Suite, French Network and Information Security Agency

(ANSSI) and non-regulatory federal agency within the U.S. Commerce

Department's Technology Administration (NIST), etc. More details about important

ECC systems can be found in section 2.3.2 of chapter 2.

In this chapter, I propose a fault point attack against six algorithms to recover the

secret key used to secure data in ECC. Such attacks on ECC can help designers to

enhance the security level of ECC implemented on hardware devices by taking into

consideration the security issues involved in these attacks. The mathematical

background of the proposed attacks is outlined in section 5.2.

Any algorithm for point scalar multiplication enters a secret multiplier in bit format;

the algorithm may then begin with either the most significant bit or the least

significant one. Left-to-Right versions have some advantages; one being that the

first bit can be assumed to be 1, and so the algorithm can begin with the second bit.

75

Typically, in Right-to-Left algorithms, only one variable needs storage while in

Left-to-Right algorithms, storage is needed for two variables. This fact may have

some impact on the available resources but appears to have been mainly ignored in

real-world implementations for other factors such as security.

While the curve, field, and points P and Q are public knowledge and available on

the chip, I do not know k nor its number of bits t, but I do know that the bits of k

are stored inside the firmware of the victim device and were used in processing the

output Q. The aim of this chapter is to attack elliptic curve cryptosystem and try

solve the ECDLP which can be defined: for any positive integer k and point P on

the elliptic curve E, by kP we mean, P added to itself k times. The underlying

security of the use of elliptic curves in cryptography is based on the difficulty,

believed to be mathematically NP-hard [GG 2015], of finding the scalar multiple k

when P and Q = kP are known. The elliptic curve E modulo large prime number p

and a base point P on elliptic curve E represent the public key part of ECC. While,

the secret part of ECC is represent by a k in a range [2, p-2] and calculates Q=k*P

mod p. However, the public key in RSA is (e, N). While, the secret part in RSA is

d. Therefore, to decrypt a message c in RSA we use M =cd mod n.

The approach used to attack six algorithms is based on ideas concerning the ‘safe

error attack’ on elliptic curve cryptosystems described in [YJ 2000], in which the

attacker injects a fault into the intermediate calculation values of multiples of a

point, and from this, deduces a bit value of secret key. As mentioned previously,

the attack scenario assumed that the attacker could access the chip on which the

algorithm was run.

I assume that each algorithm is stored in EEPROM on a victim device to which I

have access and on which I can induce faults during the processing of the algorithm.

EEPROM sits on a hardware device and can be erased, read or written to [YouTube

2014], [Lan 2015, chap. 6], [YouTube 2015], and [Ard 2018]. All proposed attacks

in this chapter try to deal with a fault in the programming level of EEPROM instead

of a fault in the register level. The proposed fault attack will inject a fault value by

changing the algorithm written in the EEPROM after it is loaded into the RAM and

then this value is used in the computation instead of the correct values. This will

enable the attacker to deduce the secret key according to the fault result in the

76

computation. In addition, the attacker will eliminate the fault result in the

computation, therefore, any checking procedure will confirm that all elements used

in the computations are free of error.

All examples showing the implementation of the fault point attack in software are

done by using Intel (R) Core (TM) i7-4500 CPU 2.4 GHZ with 8 GB RAM as a

hardware platform and Windows 7 as the operating system. Maple 2017b [Maple

2017] was chosen as the software platform as it contains a cryptography package

designed for elliptic curve arithmetic operations.

In section 5.3 the Montgomery ladder algorithms are presented together with the

proposed fault point attack against them. Section 5.4 deals with the Coron

algorithms and the proposed fault point attack against them. Then in section 5.5 the

Joye algorithms are presented and also the proposed fault point attack against them.

Finally, section 5.6 will be the summary of this chapter.

5.2 Mathematical Background

Elliptic curves form the basis of an efficient cryptosystem which is often chosen for

implementation on small devices, such as those which would be used to authenticate

messages in an IoT scenario. Some mathematical models represent elliptic curve

according to the types of curve used and mathematical equations used to add and

double points. In this section, I will show how the elliptic curve can be used in

cryptography and signatures systems by offering a detailed presention of the

processes of key generation, encryption, decryption and signing a message by using

ECC.

I also focus on general Weierstrass and Montgomery elliptic curves because the

proposed fault attack against elliptic curve cryptosystem use general Weierstrass

and Montgomery elliptic curves in their operations.

5.2.1 ECC Key Generation

I assume that two users, Sam and Lauren, want to set up an ECC to sign messages

and to secure the interchange of messages between them.

The First step, for a setup of ECC, is the key generation. Each one of them must

choose an elliptic curve E modulo prime p, and a base point P on the same curve E.

Each one of them must also choose a private random a in [2, 𝑝 − 2] and

computes 𝑄 ≡ 𝑎𝑃 (𝑚𝑜𝑑 𝑝). Sam’s and Lauren’s public key is (p, P, Q) and their

77

private key is a. The message chosen by Sam or Lauren must be a point on the

elliptic curve of the two parties. [Bat 2013].

5.2.2 ECC Encryption

I assume that Sam wants to send a message to Lauren and he uses the keys

generated in 5.2.1 to encrypt it.

Sam creates a message as a point K on Lauren’s elliptic curve E.

He gets Lauren’s public key (p, P, Q) where 𝑄 ≡ 𝑐𝑃 (𝑚𝑜𝑑 𝑝), c is Lauren’s

secret.

He chooses 𝑑 ∈ [2, 𝑝 − 2] arbitrarily.

He calculates dP and K + dQ (mod p).

He sends the cipher ≡ (dP, K + dQ) (mod p). [Bat 2013]

5.2.3 ECC Decryption

Lauren receives the cipher message (dP, K + dQ) (mod p) from Sam. She retrieves

K by calculating (K+dQ)-cdP≡K+dcP-cdP≡K(mod p), where c is her arbitrary

secret [Bat 2013].

5.2.4 ECC Signature

Lauren wants to sign a message G and send it to Sam. She chooses a private key h.

She calculates N which represents number of points on her curve E and V=hP=(x,

y). Her public key will be (p, E, N, P, V). She signs the message G by taking the

following steps:

1. She arbitrarily chooses an integer t with 1 ≤ t < N and gcd (t, N)=1, and calculates

F=tP=(x, y).

2. She calculates u ≡ t -1 (G−hx) (mod N).

3. She sends the signed message (G, F, u) to Sam.

Sam verifies the signature of Lauren by taking the following steps:

1. Sam obtains Lauren’s public key p, E, N, P and V.

2. He calculates Z1=xV + uF and Z2=GP.

3. If Z1=Z2 then the signature is valid [Tra 2006].

78

5.2.5 General Weierstrass Elliptic Curves Background

The general affine version of the elliptic curve equation, as taken from the

monograph [BSS 1999, p. 30] by Blake, Seroussi and Smart, is known as the

Weierstrass elliptic curve equation and is given by:

𝑦2 + 𝑎1𝑥𝑦 + 𝑎2𝑦 = 𝑥3 + 𝑎3𝑥

2 + 𝑎4𝑥 + 𝑎5. (1)

Where the constants ai are from a fixed finite field GF(q) of any characteristic ≥ 2,

and q is a prime power (I have taken the liberty of labelling the coefficients in a

slightly different way than that of equation (3) in [BSS 1999, Chap. III]. Using E to

refer to such a curve, I then use the notation E(Fq) to indicate that the coefficients

are from GF(q).

The points of such a curve, along with an additional ‘point at infinity’, which acts

as the identity and for which I use the symbol O, form an abelian group under an

operation ‘+’ on the points defined algebraically by the equations (3) and (4) given

below [BSS 1999, Chap. III]. This ‘+’ operation can be defined regardless of the

characteristic of the field. Points on the curve are represented as affine pairs (x, y)

where each of x and y come from GF(q) and satisfy the equation (1).

For any point P = (x, y) on E, the negative of P is defined to be the point

−𝑃 = (𝑥, −𝑦 − 𝑎1𝑥 − 𝑎2). (2)

As mentioned on [BSS 1999, p. 33], this definition applies to all finite field

characteristics. I define P + (– P) to be O.

To define the addition of two points (other than the pair P and –P) on E, I introduce

some further notation to simplify the formulas. Let P1 = (x1, y1) and P2 = (x2, y2)

be distinct points on E.

In case x1 ≠ x2, let 𝛼 = (𝑦2 − 𝑦1)/(𝑥2 − 𝑥1) and 𝛽 = (𝑦1𝑥2 − 𝑦2𝑥1)/(𝑥2 − 𝑥1).

In case x1 = x2 but P2 ≠ –P1 (the case P1 = P2),

let 𝛼 = (3(𝑥1)2 + 2𝑎3𝑥1 + 𝑎4 − 𝑎1𝑦1)/(2𝑦1 + 𝑎1𝑥1 + 𝑎2) and 𝛽 = (−(𝑥1)

3 +

𝑎4𝑥1 + 2𝑎5 − 𝑎2𝑦1)/(2𝑦1 + 𝑎1𝑥1 + 𝑎2).

79

Letting P1 + P2 = (x3, y3), then the coordinates of this sum in both cases above are

given by:

𝑥3 = 𝛼2 + 𝑎1𝛼 − 𝑎3 − 𝑥1 − 𝑥2, (3)

And

𝑦3 = −(𝛼 + 𝑎1)𝑥3 − 𝛽 − 𝑎2. (4)

5.2.6 Montgomery Elliptic Curves Background

In the late 1980s, Montgomery developed a revised form of (1) to speed up elliptic

curve factorisation methods [Mont 1987], [CS 2017] and [OLR 2017]. The generic

version of these Montgomery curves for prime order fields of characteristic >3 in

affine form is given by:

𝐵𝑦2 = 𝑥3 + 𝐴𝑥2 + 𝑥. (5)

where A and B are elements of the underlying field.

As pointed out by Hamburg in [Ham 2015], over fields of prime characteristic

congruent to 3 modulo 4, the curve in (5) is equivalent to one with B = 1, whereas

this is not the case for fields of prime characteristic congruent to 1 modulo 4.

Hamburg also points out that where the order of the Montgomery curve is h*q for

a large prime q, the factor h is always divisible by 4, which leads to some possible

attacks. His paper describes how to eliminate factors by using ‘point compression’.

The Montgomery curve equation (5) over a field of prime order congruent to 3

modulo 4, can be transformed into a Montgomery curve with B = 1, in which case,

the curve is referred to as ‘untwisted’.

Computations on an elliptic curve can be performed in affine or projective

coordinates. Using projective coordinates has the advantage that field inversions in

point operations are simplified by the introduction of the additional coordinate.

However, the authors of [KFSV 2011] claim that points should be converted from

projective back to affine before outputting the result as this saves the cost of

transferring a coordinate. Not transferring back to affine coordinates before output

also provides an adversary with the opportunity of capturing some side-channel

information from the projection as has been shown in [NSS 2004]. In this section,

I will keep using affine point representation.

Based on the equation (5), the x-coordinate only values are computed as follows

[Mont 1987]:

80

For 2(x, y): 𝑥2𝑝 = [(𝑥2 − 𝑎)2 − 8𝑏𝑥]/[4(𝑥3 + 𝑎𝑥 + 𝑏)] . (6)

for P1 = (x1, y1) and P2 = (x2, y2) with x1 ≠ x2, letting xR be the x-coordinate of

the sum and 𝑥𝑅′ be the x-coordinate of the difference P1 – P2:

𝑥𝑅 = [2(𝑥1 + 𝑥2)(𝑥1𝑥2 + 𝑎) + 4𝑏]/(𝑥1 − 𝑥2)2 − 𝑥𝑅

′ . (7)

Although Montgomery curves have proved to be efficient for use in elliptic curve

factorisation methods, especially in conjunction with the Montgomery ladders

[Ham 2015], the curves have been found to be too specialised for general use in

most international standards used today, including ANSI, IEEE and SEC (e.g.,. [IT

2002]). The efficiency benefit of equations (6) and (7) is that only the x-coordinate

of points is used at each stage; however, the major drawback to using (7) for the

addition of two general points on a Montgomery curve, is that it requires that I

should be able to produce a difference of two points. Izu, Möller and Takagi

comment on this issue in [IMT 2002] and in [IT 2002], where the doubling and

addition operations are separated. Their aim is to gain as much efficiency as

possible, and this is achieved by writing the multiplier k as a sum of powers of 2

and producing repeated doublings of the point using (6) until the required sufficient

amount has been obtained. At this stage, however, to generate the value for Q = kP,

point additions of random points must be made, rather than point doublings, and

thus the need for point differences becomes problematic. The authors of [IMT

2002] deal with this situation by the use of a ‘YRecovering’ algorithm given in

Appendix A.5 of their paper. A simpler method usable in case the underlying field

has characteristically a prime congruent to 3 modulo 4, is a basic result found in

many elementary number theory and cryptography texts (for example [BJ 2002, p.

86]) which states: ‘If p ≡ 3 (mod 4) is prime and x ≡ y(p+1)/4 (mod p), then either y

or –y has square roots x and –x.’ Alternatively, equations (3) and (4) can be used

throughout instead of (6) and (7).

Nonetheless, the ‘Right-to-Left’ and ‘Left-to-Right’ algorithms produced by

Montgomery for point additions (first proposed in the context of RSA), and made

explicit on [JY 2002, p. 7], are still much in demand for point doubling which is the

major phase of the fast exponentiation procedure in point scalar multiplication. In

81

particular, their use in computing scalar multiples over curves with form (5) is

particularly efficient.

In our case, I focus on an attack in which many additions, which are not doublings

are required. In this case, the assumption that I have the x-coordinate x(P1 – P2) of

P1 – P2 is unreasonable; in fact to find this using (7) requires x(P1 – (–P2)) = x(P1 +

P2) leading us into an infinite loop computationally. In the proposed attack against

the Montgomery power ladder algorithm, I, therefore, use the addition formulas of

(3) and (4); an additional benefit for me is that these provide both coordinates of

the sum which I can then compare with my target point.

5.3 Montgomery Ladder Algorithms

The Montgomery powering ladder was introduced in [Mont 1987], [CS 2017] and

[OLR 2017] to assist in speeding up elliptic curve factorisation methods; it has been

analysed in many papers in the last twenty years, and is still used as one of the

benchmarks of elliptic curve computations of point multiples (e.g., [FV 2012]).

While it was initially introduced for use with the Montgomery curve equations, the

authors of [Cor 1999] and [JY 2002] explain how it can be adapted to work with

any abelian group, and also to any elliptic curve group represented by the form (1)

in section 5.2.5.

The aim of this section is to attack the ECDLP on both Right-to-Left and Left-to-

Right versions of the Montgomery powering ladder. I deal with the Left-to-Right

version in sections (5.3.1 and 5.3.2) and the Right-to-Left version in sections (5.3.3

and 5.3.4). When using bits of k from Left-to-Right (most to least significant), I can

always assume that the first bit is 1. In this case, there are two ways to establish the

algorithm computing multiples of P: either begin from the left-most bit or begin

from the second bit from the left. For small values of k, the latter method saves one

round in the loop and so is more efficient than the former method; however, for

very large values of k, there is little saving in efficiency between the two methods.

5.3.1 Left-to-Right Montgomery Ladder Algorithms

Algorithm 2.5 in section 2.7.1.1 of chapter 2 (taken from [FV 2012, alg. 1] where

it is presented in additive form) represent the Montgomery powering ladder with

Left-to-Right scalar multiplication beginning the point additions from the second

bit from the left.

82

The internal inputs (loaded from the firmware) to algorithm 2.5 are the secret key

k = (kt, kt-1,…, k1)2 in binary form and size of the secret key t. The input by the user

to algorithm 2.5 is the known base point P, which belongs to the known curve E(Fq)

over the field GF(q). The output is the known point Q = k*P. Algorithm 5.1 assumes

that kt = 1 and does not use this bit. Algorithm 2.5 initiates R(0) which is an

intermediate variable used to store the scalar additions of P with P value, and

initiates R(1) with 2P value. Then, algorithm 2.5 enters in loop starting from t-1

down to 1. In each iteration, R(0) is added to R(1) and the result is stored in R(¬ ki)

and R(ki) is doubled. When the loop ends, the value in R(0) is the final result of kP.

The addition operation used here is that of scalar addition and with equations (3)

and (4) since we do not require the efficiency provided by (6) and (7).

5.3.2 The Fault Point Attack against Left-to-Right Montgomery

Ladder Algorithm

On accessing the RAM of the victim device where algorithm 2.5 is loaded from the

EEPROM of the same device, I assume that the bits of k (kt-1,…, k1) are accessible

in order, from Left-to-Right (most to least). The proposed attack makes changes to

produce algorithms that capture the binary values of k and the attack approach is

based on ideas concerning the ‘safe error attack’ on elliptic curve cryptosystems

described above.

Algorithm 5.1 is a modification of algorithm 2.5. Therefore, I assume that the bits

(kt-1, … k2, k1) of the secret key k are stored in the firmware of the victim device

and loaded into the RAM of the victim device by algorithm 5.1 while it is being

executed in the RAM of the same device. The attacker has no direct access to the

secret key, nor to its size. Only algorithm 5.1 can access it and deal with it as an

internal input. Along the way, the captured bits of k are stored in values check (dt,

dt-1, …, d2, d1). The attack is based on the introduction of a significant error, using

any fault point X chosen by the attacker instead of P at some points in the point

addition process. To avoid legal discovery of this error, I correct it at line 3.4.

Algorithm 5.1 is initialised by setting R(0) to the point P, R(1) to the point 2P and

the key size counter e to 2. In each iteration of algorithm 5.1, R(0) is stored in Z

and the result of adding R(0) to the introduced fault point X is stored in N. In the

next step, the value of ki is checked: if it is 1 then the result of adding R(0) to the

83

introduced fault point X is stored in R(¬ki). At this stage, algorithm 5.1 compares

R(¬ ki) with N, and if they are equal, it deduces that the value of the secret key bit

in this iteration is 1; in which case, the error in R(¬ki) is eliminated by replacing it

with Z. However, if R(¬ki) is not equal to N, then the algorithm deduces that the

value of the secret key bit is 0 in this iteration.

In the next step, R(0) is added to R(1) and stored in R(¬ki) while R(ki) is doubled.

The key size counter e is incremented by one. The iterations are continued until the

loop ends. As a result of this process, the estimated bits of k are stored in d, and

the final value of e-1 represents the bit-size v of k.

Algorithm 5.1 Fault Point Attack against Algorithm 2.5


kt = 1.

INPUT by user: The elliptic curve E, its field Fq, point P on E (Fq) and Fault

point X.

OUTPUT: k in binary form and v size of secret key.

1. R(0) P, R(1) 2P, e 2.

COMMENT: Assign key size counter label e 2 and through the loop

store the bits of k in order in the (t-1)-tuple d.

2. Use X as a fault point.

COMMENT: Inject error by using X instead of P in addition operations.


3.1 Z R(0).

3.2 N R(0) + X.

3.3 If ki=1 then

R(¬ki) R(0) +X.

End if.

3.4 If R(¬ ki) = N then

di 1.

COMMENT: Eliminate the error in R(¬ ki) by replacing fault value by a

correct value stored in Z.

R(¬ ki) Z.

Else

84

di 0.

End If.

3.5 R(¬ki) R(0) + R(1).

3.6 R(ki) 2R(ki).

3.7 e e+1.

End While loop.

4. set v e–1.

5. k= (1, dt-1, dt-2 … d2, d1).

Example 1

See appendix B.1

5.3.3 The Right-to-Left Montgomery Ladder Algorithm

Algorithm 2.6 in section 2.7.1.1 of chapter 2 represent the Right-to-Left

Montgomery Ladder algorithm. Because the algorithm begins from the right, it

must start with the least significant bit.




over the field GF(q). The output is the known point Q = k*P. Algorithm 2.6 initiates

R(0) which is an intermediate variable used to store the scalar additions of P with

identity value O and, initiates R(1) with P value. Then, algorithm 2.6 enter in loop

starting from 1 up to t. In each iteration, R(1) is stored in G, the result of (1 - ¬ ki)

is stored in b, R(0) is added to R(1) and the result is stored in R(b), G is stored in

R(1) and R(1) is doubles. When the loop ends, the value in R(0) is the final result

of kP. As in the previous section, addition is based on equations (3) and (4).

5.3.4 Fault Point Attack against Right-to-Left Montgomery Ladder

Algorithm

On accessing the RAM of the victim device where the algorithm 2.6 is loaded from

the EEPROM of the same device, I assume that the bits of k (kt, kt-1,…, k1) are

accessible in order from Right-to-Left (least to most). The proposed attack makes

changes to produce algorithms that capture the binary values of k and the attack

approach is based on ideas concerning the ‘safe error attack’ on elliptic curve

cryptosystems described above.

85


(kt, kt-1, … k2, k1) of the secret key k are stored in the firmware of the victim device



secret key nor to its size. Only algorithm 5.2 can access it and deal with it as an

internal input. Along the way, the captured bits of k are stored in values (dt, dt-1 …

d2, d1). The attack is based on the introduction of a significant error, using any fault

point X chosen by the attacker instead of P at some points in the point addition

process. To avoid legal discovery of this error, I correct it at line 3.6.

Algorithm 5.2 is initialised by setting R(0) to the point O, R(1) to the point P and

the key size counter e to 1. In each iteration of algorithm 5.2, R(0) is stored in E,

R(1) is stored in G, the result of (1 - ¬ ki) is stored in b, and the result of adding

R(0) to the introduced fault point X is stored in N. In the next step, the value of b is

checked: if it is 0 then the result of adding R(0) to the introduced fault point X is

stored in R(b). At this stage, the algorithm compares R(b) with N, and if they are

equal, it deduces that the value of the secret key bit in this iteration is 1; in which

case, the error in R(b) is eliminated by replacing it with E. However, if R(b) is not

equal to N, then the algorithm deduces that the value of the secret key bit is 0 in this

iteration.

In the next step, R(0) is added to R(1) and stored in R(b), G is stored in R(1), R(1)

is doubled. The key size counter e is incremented by one. The iterations are

continued until the loop ends. As a result of this process the estimated bits of k are

stored in d, and the final value of e-1 represents the bit-size v of k.




point X.


1. R(0) O, R(1) P, e 1.

COMMENT: Assign key size counter label e 1 and through the loop store

the bits of k in order in the (t-1)-tuple d.


86



3.1 E R(0).

3.2 G R(1).

3.3 b 1– ki.

3.4 N R(0) + X.

3.5 If b=0 then

R(b) R(0) + X.

End If.

3.6 If R(b) = N then

{di 1.

COMMENT: Eliminate the error in R(¬ ke) by replacing the fault value by a

correct value stored in E.

R(b) E}.

Else

di 0.

End If

3.7 R(b) R(0) +R(1).

3.8 R(1) G.

3.9 R(1) 2R(1).

3.10 e e+1.

End While loop.

4. set v e-1.

5. k= (dt, dt-1, . . . , d2, d1).

Example 2

See appendix B.2

5.4 Coron’s Algorithms

The Coron Left-to-Right and Right-to-Left algorithms are resistant to simple power

and timing attacks and do not require a large amount of storage and computing

power. Algorithm 2.7 in section 2.7.1.1 of chapter 2 represents Coron Left-to-Right

[DHB 2016, Alg 5]. Algorithm 2.8 in section 2.7.1.1 of chapter 2 represents a

87

corresponding Right-to-Left version, which I personally developed and introduced

in this research.

5.4.1 Left-to-Right Coron Algorithm


k = (1, kt-1,…, k1)2 in binary form and size of the secret key t. The input by the user


over the field GF(q). The output is kP. This algorithm initiates the place-holder

W(0) to P and updates it with new multiples of P as the algorithm progresses

through the loop from t-1 down to 1. In each iteration, W(0) is doubled and added

to P, and the result is stored in the place-holder W(1), and W(ki) is stored in W(0).

The final result of kP is stored in W(0) after the loop is complete.

The addition operation used her is that of scalar addition and with equations (3) and

(4) since we do not require the efficiency provided by (6) and (7).

5.4.2 Fault Point Attack against Left-to-Right Coron Algorithm


EEPROM of the same device, I assume that the bits of k (kt-1,… k2, k1) are

accessible in order, from Left-to-Right (most to least). The proposed attack makes





(kt-1, … k2, k1 ) of the secret key k are stored in the firmware of the victim device

and then loaded into the RAM of the victim device by algorithm 5.3 while it is being



internal input. Along the way, the captured bits of k are stored in values (dt, dt-1 …




In algorithm 5.3, I use P and the fact that kt = 1. Then I use new variables to store

data which are collected from the registers or computed in addition steps. I use W(0)

88

to store accumulated multiples of P and the variable d to store the captured binary

values of k.


Internal INPUT (loaded from firmware): k = (1, kt-1,…, k1)2, t key size,


point X.


1. W(0) P.

COMMENT: Assign key size counter label e 2 the loop store the bits of k

in order in the (t-1)-tuple d.

2. Use X as a fault point, e 2.

COMMENT: Inject error by using X instead of P in addition operations


3.1 W(0) 2W(0).

3.2 R W(0) + X.

3.3 W(1) W(0)+X.

COMMENT: The loop stores the bits of k in order in the (t-1)-tuple d.

3.4 If W(ki) = R then

di 1.

Else

di 0.

End If.

COMMENT: Eliminate the error in W(1) by replacing fault value by a result of

addition W(0)+P.

3.5 W(1) W(0)+P.

3.6 W(0) W(ki).

3.7 e e+1.

End While loop.

4. Set v e-1.

5. k= (1, dt-1, dt-2, . . . , d2, d1.).

Algorithm 5.3 is initialised by setting W(0) to the point P and the counter key size

e to 2. In each iteration of algorithm 5.3, the value of W(0) is doubled and the result

89

of adding W(0) to the introduced fault point X is stored in R. In the next step, the

result of adding W(0) to the introduced fault point X is stored in W(1). At this

point, algorithm 5.3 compares W(ki) with R; if they are equal, it deduces that the

value of the secret key bit in this iteration is 1; otherwise, the algorithm deduces

that the value of the secret key bit is 0. In the next step, the result of adding P to

W(0) is stored in W(1). This operation eliminates the fault value in W(1). Then

W(ki) is stored in W(0). Next, the counter size e is incremented by one. The

iterations are continued until the loop ends. As a result of this process the estimated

bits of k are stored in d, and the final value of e-1 represents the bit-size v of k.

Example 3

See appendix B.3

5.4.3 Right-to-Left Coron Algorithm I rebuild the Right-to-Left Coron algorithm 2.8 in section 2.7.1.1 of chapter 2 which

is the reverse way of dealing with bits of the secret key in Left-to-Right Coron. I

use the same equation used by Coron Left-to-Right (W(0)= W(ki)) and build the

rest of the algorithm depending on this equation. I use a new variable R so that I

can get the final output kP. I refer to this algorithm as Right-to-Left Coron because

I need a Left-to-Right and Right-to-Left algorithm for Montgomery, Coron and

Joye as my attack is applied on two versions: Left-to Right and Right-to-Left

algorithms. Coron Right-to-Left algorithm is similar to the Right-to-Left Joye in

that it begins by setting O to W(0) and P to R. I could not find the Right-to-Left

version of Coron algorithm in any of the references I have searched, so I rebuild the

Right-to-Left Coron algorithm by myself.




over the field GF(q). The output is kP. Algorithm 2.8 initiates the place-holder W(0)

to O and a second place-holder R to P. Then the algorithm enters a loop running

from 1 up to t. In each iteration, it stores R in W(1), adds W(0) to W(1) and stores

the result in W(1); it also stores W(ki) in W(0), and stores 2R in R. When the loop

ends, the value in W(0) is the final result of kP.

90

5.4.4 Fault Point Attack against Right-to-Left Coron Algorithm


EEPROM of the same device, I assume that the bits of k (kt, kt-1,…, k1) are

accessible in order, from Right-to-Left ( least to most). The proposed attack makes

changes to produce algorithms that capture the binary values of k, and the attack




(kt, kt-1, … k2, k1 ) of the secret key k are stored in the firmware of the victim device




internal input. Along the way, the captured bits of k are stored in values (dt, dt-1, …

, d2, d1). The attack is based on the introduction of a significant error, using any

fault point X chosen by the attacker instead of P at some points in the point addition





point X.


1. W(0) O, R P.

COMMENT: Assign key size counter label e 1.


COMMENT: Inject error by using X instead of W(1) in addition operations.


3.1 G W(0) +X.

3.2 If ki = 1 then

W(1) W(0) + X.

End If.

COMMENT: The loop stores the bits of k in order in the de.

91

3.3 If W(1) = G then

di 1.

Else

di 0.

End If.

COMMENT: Eliminate the error in W(1) by replacing fault value by a value

stored in R

3.4 W(1) R.

3.5 W(1) W(0) + W(1).

3.6 W(0) W(ki).

3.7 R 2R.

3.8 e e+1.

End While loop.

4. set v e-1.

5. k= (dt, dt-1, . . . , d2, d1).

Algorithm 5.4 is initialised by setting W(0) to the identity point O, R to the point P

and the key size counter e to 1. As in the previous attack, the idea is based on the

introduction of a significant error, using fault point X instead of P at some stages in

the point addition process. In each iteration of algorithm 5.4, the result of adding

W(0) to the introduced fault point X is stored in G. In the next step, the value of ki

is checked: if it is 1 then the result of adding W(0) to the introduced fault point X

is stored in W(1). At this stage, algorithm 5.4 compares W(1) with G; and if they

are equal, it deduces that the value of the secret key bit in this iteration is 1;

otherwise, it deduces that the value of the secret key bit is 0. In the next step, R is

stored in W(1). This operation erases the fault in W(1). After that, W(0) is added to

W(1) and stored in W(1) while W(ki) is stored in W(0). The value of R is now

doubled, and the counter size e is incremented by one. The iterations are continued

until the loop ends. As a result of this process, the estimated bits of k are stored in

d, and the final value of e-1 represents the bit-size v of k.

The attacks proposed in algorithms 5.3 and 5.4 can retrieve secret key information

even though the original algorithms 2.7 and 2.8 incorporate a countermeasure

against simple power and timing attacks [Cor 1999]. They can also retrieve the

secret if the countermeasure of a combined curve check, suggested in [BOS 2006],

92

is implemented; this is because I eliminate the errors as I run the algorithm (Step

3.5 in algorithm 5.3 and Step 3.4 in algorithm 5.4).

Example 4

See appendix B.4

5.5 Joye’s Algorithms

I now show how to attack Joye’s Add-always algorithm in both directions: Left-to-

Right and Right-to-Left.

Algorithm 2.9 in section 2.7.1.1 of chapter 2 shows the Joye-Yen ‘Left-to-Right’

version [JY 2002, Fig. 7], working from the most to least significant bits( I modify

this algorithm to provide the output Q=kP instead of gk ); while algorithm 2.10 in

section 2.7.1.1 of chapter 2 shows the ‘Right-to-Left’ version [Joy 2007, Alg. 3]

working in the opposite direction.

5.5.1 The Left-to-Right Joye-Yen Algorithm

The fault point attack against algorithm 2.9 involves a modification to the same

algorithm by adding some steps to change the internal operation and the output of

the algorithm. My objective in so doing is to recover each of the bits of secret key

k.




over the field GF(q). The output is the known point Q = k*P. Algorithm 2.9 uses

R(0) and R(1) to accumulate multiples of P, initialising R(0) to O and R(1) to P.

Then the algorithm enters a loop running from t to 1. In each iteration, R(0) is added

to R(1) and the result stored in R(¬ ki) while 2R(ki) is stored in R(ki). When the

loop ends the value in R(0) will be the desired result kP.

5.5.2 Fault Point Attack against Left-to-Right Joye-Yen Algorithm


EEPROM of the same device, I assume that the bits of k (kt-1,…, k1) are accessible

in order, from Left-to-Right. The proposed attack makes changes to produce

algorithms that capture the binary values of k and the attack approach is based on

93

ideas concerning the ‘safe error attack’ on elliptic curve cryptosystems described

above.






internal input. Along the way, the captured bits of k are stored in values (dt, dt-1, …,




Algorithm 5.5 is initialised by setting R(0) to the identity point O, R(1) to the point

P and the key size counter e to 1. In each iteration of algorithm 5.5, the result of

adding R(0) to the introduced fault point X is stored in G. In the next step, the value

of R(¬ ki) is stored in T. At this point, algorithm 5.5 compares R(¬ ki) with G; if

they are equal, it deduces that the value of the secret key bit in this iteration is 1, in

which case, the error in R(¬ki) is eliminated by replacing it with T. However, if

R(¬ki) is not equal to G, then the algorithm deduces that the value of the secret key

bit is 0 in this iteration.

In the subsequent step, R(0) is added to R(1) and stored in R(¬ ki), while R(ki) is

doubled. The key size counter e is incremented by one. The iterations are continued

until the loop ends. As a result of this process, the estimated bits of k are stored in

d, and the final value of e-1 represents the bit-size v of k.




point X.


1. R(0) O, R(1) P.


2. Use X as a fault point. e 1.


94

3. For i from t down to 1 do

3.1 G R(0) +X.

3.2 T R(¬ ke).

3.3 If ki = 1 then

R(¬ ki) R(0) + X.

End If.

COMMENT: The loop stores the bits of k in order in the (t)-tuple d.

3.4 If R(¬ ki) = G then

{di 1.

COMMENT: Eliminate the error in R(¬ ke) by replacing fault value by a value

stored in T.

R(¬ ki) T.

Else

di 0.

End If.

3.5 R(¬ ki) R(0) + R(1).

3.6 R(ki) 2 R(ki).

3.7 e e+1.

End While loop.

4. Set v e-1.

5. k= (dt, dt-1, . . . , d2, d1).

Example 5

See appendix B.5

5.5.3 The Right-to-Left Joye Algorithm

The fault point attack against the Right-to-Left Joye algorithm 2.10 for scalar

multiplication involves a modification to same algorithm by adding some steps to

change the internal operation and the output of the algorithm. My objective, as

always, is to recover each of the bits of the secret key k.



to algorithm 2.10 is the known base point P, which belongs to the known curve

E(Fq) over the field GF(q). The output is kP. Algorithm 2.10 uses R(0) and R(1) to

95

accumulate multiples of P, initialising R(0) to O and R(1) to P. Then the algorithm

enters a loop running from 1 to t. Joye uses a dummy variable b to store ¬ ke. In

each iteration, R(b) is doubled and stored in R(b), and this is then added to R(kj)

with the result again stored in R(b). When the loop ends, the value in R(0) is kP.

5.5.4 Fault Point Attack against the Right-to-Left Joye Algorithm

On accessing the RAM of the victim device where algorithm 2.10 is loaded from

the EEPROM of the same device, I assume that the bits of k (kt, kt-1,…, k1) are

accessible in order, from Right-to-Left (least to most). The proposed attack makes







been executed in the RAM of the same device. The attacker has no direct access to

the secret key nor to its size. Only algorithm 5.6 can access it and deal with it as an

internal input. Along the way, the captured bits of k are stored in values (dt, dt-1, …

d3, d2, d1). The attack is based on the introduction of a significant error, using any

fault point X chosen by the attacker instead of P at some points in the point addition

process. To avoid legal discovery of this error, I correct it at line 3.7

Algorithm 5.6 is initialised by setting R(0) to the identity point O, R(1) to the point

P and the key size counter e to 1. In each iteration of algorithm 5.6, the variable b

is set to 1- ki, the value of R(b) is doubled, the result of adding R(0) to the introduced

fault point X is stored in G, and the value of R(b) is stored in T.

In Step 3.5, the result of adding R(b) to the fault point X is stored in R(b). At this

point, algorithm 5.6 compares R(b) with G. If they are equal, it deduces that the

value of the secret key bit in this iteration is 1; otherwise algorithm 5.6 deduces that

the value of the secret key bit is 0. Step 3.7 eliminates the error in R(b) by replacing

it with T. Step 3.8 again replaces the value of R(b) with R(b) + R(ki). The key size

counter e is incremented by one. The iterations are continued until the loops ends.

As a result of this process, the estimated bits of k are stored in d, and the final value

of e-1 represents the bit-size v of k.

96




point X.


1. R(0) O, R(1) P.

COMMENT: Assign pointer label e 1.




3.1 b 1- ki.

3.2 R(b) 2 R(b).

3.3 G R(0) + X.

3.4 T R(b).

3.5 R(b) R(b)+ X .


3.6 If R(b) = G then

di 1.

Else

di 0.

End If.


stored in T.

3.7 R(b) T.

3.8 R(b) R(b) + R(ke).

3.9 e e+1.

End While loop.

4. set v e-1.

5. k= (dt, dt-1, . . . , d2, d1).

Example 6

See appendix B.6

97

5.6 Summary

This chapter showed a new fault point attack implemented on six different scalar

multiplications algorithms. The aim of this attack was to retrieve the secret key k

bits used in these algorithms to find the result of Q=kP. Fault point attack was based

on ideas concerning the ‘safe error attack’ on elliptic curve cryptosystems described

in [YJ 2000], in which the attacker injected a fault into the intermediate calculation

values of multiples of P, and from this, deduced a bit value of k. The attack was

simulated successfully by Maple 2017b on all six algorithms with low numbers and

big numbers (384 bits long digits).

98

Chapter Six Implementation of Proposed Attacks on RSA

and ECC by Arduino Mega2560 Hardware

Arduino Mega2560 hardware is an open hardware and software product used as an

experimental tool to support developers in different applications like IoT devices.

The Arduino Mega2560 acts as a mini laptop computer with restricted resources.

The implementation of attacks proposed in this thesis against RSA and ECC by

using Arduino Mega2560 demonstrates the possibility of applying my attacks to

recover secret keys from hardware devices with restricted resources. This chapter

is related to the thesis goals as it focuses on the implementation of attacks proposed

against RSA and ECC.

6.1 Introduction

In this chapter I implement ten attack algorithms proposed in chapters four and five

against RSA and ECC cryptosystems by using Arduino Mega2560 hardware. I

present in section 6.2 a full description of the implementation process of RSK attack

against protected Montgomery Ladder RSA Left-to-Right algorithm [Chap. 4,

section 4.4.1] which is one of the fault attacks proposed against RSA algorithms in

this thesis. Section 6.2 offers a detailed description of implementation procedures

which represent a model that is applied in all the other implementation examples of

fault attacks proposed in this thesis against RSA and ECC cryptography algorithms.

The aim of this chapter is to demonstrate the possibility of implementation of

attacks proposed in this thesis against RSA and ECC in devices with low and

restricted hardware resources. This chapter also includes a short comparison

between Maple and MATLAB concerning the implementation of attack algorithms

and the difficulty I face when implementing high numbers (3072 bits long digits)

for RSA and high numbers (384 bits long digits) for ECC with MATLAB software.

The rest of chapter six is organized as follows: Section 6.2 deals with hardware

implementation procedures of proposed RSK attack on RSA algorithm by using

Arduino Mega2560. Section 6.3 presents a comparison between Maple and

MATLAB. Finally, a summary of the chapter is given in section 6.4

99

6.2 Hardware Implementation of proposed RSK attack on RSA

Algorithm by using Arduino Mega2560

Implementation of my proposed RSK attack on RSA algorithm can be summarised

as follows:

6.2.1 Description of a general IoT device

An average device component of the IoT has an internal EEPROM and RAM and

uses a suitable cipher suite to authenticate data being exchanged with other devices

in the same information network through a handshake protocol.

6.2.2 Preparing the victim device

I assume that the victim device is an average device component of the IoT with

internal (readable and writable) EEPROM and RAM memories. In particular, it

should be equivalent to the Arduino Mega2560 model of the Arduino series devices,

which has an internal EEPROM of size 4 KB, making it suitable for implementing

my proposed attacks.

In preparing the victim device for the attack, I chose an Arduino Mega2560 and

provided its EEPROM with three algorithms: a handshake program, and RSA and

ECC algorithms as follows: handshake [CT 2014], Protected Montgomery Ladder

RSA Left-to-Right algorithm [Chap. 4, section 4.4.1] and The Right-to-Left Coron

ECC algorithm [chap. 5, section 5.4.3].

The handshake program is used to establish connection with other devices. It also

checks for cipher suite used for authenticating data and the compatibility of

cryptography algorithm used to secure data exchange between the two devices. The

RSA and ECC algorithms are used to secure data being exchanged. The handshake

program and the MATLAB script of the two algorithms of RSA and ECC inside

the internal EEPROM are shown in Figures 6.1, 6.2 and 6.3.

Program 1 Handshake Program

The device sends a TCP Synchronize packet to Destination,

The device sends the cryptography suite used

The device receives Destination's SYN-ACK, cryptography suite ACK

The device sends Acknowledge,

TCP socket connection is ESTABLISHED.

Figure 6.1 Handshake Program.

100

MATLAB Script of Protected Montgomery Ladder RSA Left-to-Right

Algorithm

Internal INPUT (loaded from firmware): Secret key d, Secret key size t.

INPUT by user: Modulus n, Message g.

a = arduino('COM5','Mega2560')

r=[1 g];

for i=1:t

if d(i)==1

b=1;

else

b=2;

end

if d(i)==1

u=2;

else

u=1;

end

r(b)=mod(r(b)*r(u),n)

r(u)=powermod(r(u),2,n)

end

r(1)

clear arduino

clearvars a;

Figure 6.2 RSA MATLAB Script.

MATLAB Script of Right-to- Left-to- Coron ECC Algorithm

Internal INPUT (loaded from Firmware): Secret key d, Secret key d size

t.

INPUT by user: Coefficients of ECC equation a4 and a5, prime p, Base

point P1.

a = arduino(‘COM5’,’Mega2560’)

W=[0 0;0 0]

W(1, :)=[inf,inf]

R=P1

101

for i=t:1

if d(i)==1

u=2;

else

u=1;

end

W(2,:)=R

W(2,:)=addell([W(1,1),W(1,2)],[W(2,1),W(2,2)],a4,a5,p);

W(1, :)=W(u,:)

R=multell([R(1),R(2)],2,a4,a5,p)

end

W(1, :)

clear arduino

clearvars a;

Figure 6.3 ECC MATLAB Script.

6.2.3 Generic plan to attack an IoT device

The generic plan to attack an IoT device is based on establishing a wired connection

between the computer of the attacker and the IoT device in the absence of the owner

of the device for a period of time. The attacker must have full access to the IoT

device, reads the internal EEPROM of the device and finds the cryptographic

algorithm he wants to target and loads it into the RAM of the same device. Finally,

the attacker modifies the target cryptographic algorithm according to his attack,

executes the modified algorithm inside the RAM of the same device and retrieves

the secret key.

I assume that I am an attacker. I enter a room in which an information network is

operating through various IoT devices. I also assume that the administrator of the

information network is out of room for a period of time. I choose one of the IoT

devices in the network, which is Arduino Mega2560 model of the Arduino series

devices, to be a victim device because it has an internal EEPROM of the size of 4

KB which is suitable for implementing my proposed attacks in the thesis. The

Manufacturing Company of Arduino provides an Arduino Desktop IDE which can

be used to program this hardware device. The Arduino Desktop IDE software is

based on C++ software environment. The Arduino hardware device is also

102

supported by MATLAB 2017b which offers a particular software package dealing

with this device. The MATLAB 2017b also provides built-in functions that

facilitate executing cryptography algorithms. The Arduino Mega2560 is

characterized by the following specifications: Microcontroller ATmega2560,

Flash Memory 256 KB of which 8 KB are used by the bootloader

(firmware), SRAM 8KB and EEPROM 4KB. Figure 6.4 shows the main

components of Arduino Mega2560 [Chu 2018].

Figure 6.4 the Main Components of Arduino Mega2560

I assume that the EEPROM in the victim device is both readable and writable such

as the EEPROM 24LC256 chip, and that a suite of cryptographic algorithms as well

as a hand-shake protocol are stored there. For example, as described in [Neto2018],

a suite of protocols such as those recommended by NIST [PMC 2014, Section 3.3]

could be loaded during its manufacturing process.

I assume that when a key is needed, it is generated on some secondary computing

device of the victim owner and securely (via hardware) stored in firmware on the

Arduino device to be called when the associated algorithm is run.

When running one of the cryptographic algorithms, it loads into RAM along with

the appropriate pre-set key; I suppose that the key is not refreshed each time the


103

algorithm is used but used for a time period covering several deployments of the

authentication.

Figure 6.5 shows the diagram of hardware implementation of a fault attack

proposed in this thesis against RSA cryptography algorithm stored in the internal

EEPROM of the victim device.

Figure 6.5 Block Diagram of the Plan of Attack.

The implementation procedures of proposed fault attacks can be summarized in the

following steps:

1. I establish a connection between my computer laptop with the victim device

through a USB wire. I use the standard EEPROM library included in the Arduino

Desktop IDE software to deal with internal EEPROM of the victim device. I use

the command EEPROM.read (address) to read a byte from EEPROM. I read 4096

bytes since the size of internal EEPROM inside the victim device is 4 kB. The

results of reading are printed in serial output console of the victim device as a stream

Victim Device

3. Execute

modified

RSA to

retrieve

key d with

two inputs

from

firmware

and

attacker

Input

modulus

n, fault X

and

message

g

Flash

memory

Attack

er

Input key d and its

size t t

SRAM EEPROM

Modifying

RSA

1. Reading

contents

of

EEPROM

2. Checking contents of EEPROM to

specify original RSA algorithm.

104

of characters. Figure 6.6 shows the screen shot of the first 26 locations of EEPROM

content. I use the sketch below to get all values stored in the internal EEPROM.

#include <EEPROM.h>

int addr = 0;

byte value;

void setup() {

// put your setup code here, to run once:

Serial.begin(9600);

// initialise serial and wait for the port to open:

while (!Serial) {

; // wait for serial port to connect. Needed for native USB port only

}

}

void loop() {

// put your main code here, to run repeatedly:

value = EEPROM.read(addr);

Serial.print(addr);

Serial.print("\t");

Serial.write(value);

Serial.println();

addr = addr + 1;

if (addr == EEPROM.length()) {

for(;;){}

}

delay(10);

105

}

Figure 6.6 Screen Shot of the First 26 Locations of EEPROM Content.

The result of the above operation is presented as symbols from the characters set of

ASCII codes instead of hexadecimal values because I used the command

Serial.write (value) to show the output in serial output console of the victim device.

The command Serial.write (value) prints the character equivalent to the

hexadecimal code of ASCII codes. Figure 6.6 shows only the first 26 locations of

4096 locations where the handshake program is stored.

106

2. I copy the results I get from step one and paste them it on a word document. I

read the stream of characters inside the word document and search for the keyword

powermod which indicates the location of RSA program.

3. Depending on my knowledge and experience I rebuild the MATLAB script of

RSA algorithm from the equivalent characters I get from step two for the whole

RSA algorithm and load it into the RAM of the victim device. The MATLAB script

will be as follows:

Internal INPUT: Secret key d, Secret key size t.

INPUT by user: Modulus n, Message g.

OUTPUT: y=gd mod n


r=[1 g];

for i=1:t

if d(i)==1

b=1;

else

b=2;

end

if d(i)==1

u=2;

else

u=1;

end



end

107

y=r(1)

clear arduino

clearvars a;

The first step of the MATLAB script is internal input which loads the values of the

secret key d and its size t from firmware inside the flash memory of the victim

device into the RAM of the same device. This operation is executed by RSA

algorithm and I have no control over it. I can only input the modulus n and message

g inside the algorithm.

The MATLAB script considers the first value from left when dealing with For-

Loop. Therefore, the MATLAB script defines Left-to-Right in the For-Loop as “For

i=1:t ” where t represents the size of the secret key d. However, the For-Loop in

RSA algorithm from Left-to-Right is defined as “For i from t to 1 do”.

4. I modify the original MATLAB script I got from step three according to Figure

6.7 which represents the RSK attack algorithm against RSA algorithm.

RSK Attack Algorithm against RSA Algorithm


INPUT by attacker: Fault value X, Modulus n, Message g.

OUTPUT: k in binary form.

1. R(0) 1, R(1) g.

COMMENT: Inject error by using X instead of R(di) in multiplication

operations.


2.1 b ¬ di.

2.2 H R(b) *X (mod n).

2.3 S R(b) (mod n).

2.4 If di = 1 then


End IF.



ki 1.

108

COMMENT: Eliminate the error in R(b) by replacing the fault value by a

value stored in T

R(b) S.

Else

ki 0.

End If.

2.6 R(b) R(b)*R(di) (mod n).


End for

3. d= (kt, kt-1, . . . , k3 , k2, k1).

Figure 6.7 RSK Attack Algorithm against RSA Algorithm

5. The final result of modifying the original RSA MATLAB script carried out in

step 4 will be:


INPUT by attacker: fault value X, modulus n, message g.


r=[1 g];

Comment: The function sym() used to deal with high integers more than 64 bit.

k =sym ('k', [1 t])

for i=1:t

if d(i)==1

b=1;

else

b=2;

end

if d(i)==1

u=2;

else

u=1;

end

h=mod(r(b)*X,n);

s=r(b);

109

if d(i)== 1

r(b)=mod(r(b)*X,n)

end

if r(b)==h

k(i)=1

r(b)=s

else

k(i)=0

end



end

clear arduino

clearvars a;

I execute the modified algorithm in the RAM of the victim device, and the result I

get is the secret key value which is shown below.

The retrieved value of the secret key k will be [kt, kt-1 , . . , k2, k1]

6.2.4 Implementation Time of RSK Attack against RSA Program

The time required for the attack to be completed is 20.08 minutes. This time is

calculated for implementing the following steps:

1. Getting control of the victim device by connecting it to my computer and

preparing Arduino Desktop IDE software to be operated.

2. Reading all the contents of EEPROM of the victim device.

3. Checking the output of step 2 and specifying the location of RSA original

algorithm to be attacked. The time needed to carry out this step depends on the

experience of the attacker.

4. Running MATLAB 2017b and rebuilding the RSA original MATLAB script.

5. Modifying the result of step 4 according to the attack algorithm.

6. Getting the key by running the final modified MATLAB script according to the

attack algorithm.

110

More experienced attackers usually spend less implementation time.

The implementation is done with

Message g=124.

Modulus n=143.

Secret key d = 1 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1

Columns 17 through 32

1 0 0 0 1 0 1 1 1 0 0 0 0 0 1 1

Columns 33 through 35

1 1 1.

Size of key t=35.

Fault value X=66.

Appendix C provides ten implementation examples which demonstrate how the

attacks proposed by this thesis can be implemented on RSA and ECC cryptography

algorithms by using Arduino Mega2560.

6.3 Maple and MATLAB: A Comparison

In chapters four and five, I have used Maple 2017 as a software platform in

implementation of attack algorithms which I proposed against RSA and ECC

cryptosystems. In this chapter, I have chosen MATLAB 2017b [MATLAB 2017]

as a software platform to implement all attacks proposed against RSA and ECC by

using Arduino mega2560. Now, I want to point out some significant similarities

and differences, which I have noticed, between Maple and MATLAB in the

implementation of cryptography algorithms.

Firstly, Maple is similar to MATLAB as each of the two software platforms has a

special cryptography package containing built-in functions to simplify applying

cryptography algorithms.

Secondly, Maple can deal with high numbers like (3072 bits long digits) in RSA

and (384 bits long digits) in case of ECC directly. However, MATLAB converts

the same high numbers mentioned above in floating point’s representation which is

not defined for cryptography package. I have solved this problem by using sym

111

function which converts high numbers from floating point’s representation into

special high numbers. The sym function represents one of the functions define in

the symbolic toolbar of MATLAB.

Finally, Maple uses fast modular exponentiation to deal with high numbers

mentioned above for RSA and ECC when dealing with modular inverse functions.

However, MATLAB lacks fast modular exponentiation to deal with high numbers.

Therefore, MATLAB gives an error when using high numbers with modular

inverse.

In spite of all the restriction of MATLAB, I have succeeded to factorize RSA

modulus and retrieve the secret key in RSA with high numbers (3072 bits long

digits). I have also succeeded to retrieve the secret keys d in all six attack

algorithms proposed against ECC with high numbers (384 bits long digits).

Example

In this example I demonstrate how MATLAB and MAPLE deal with high numbers.

I will use the result of x=2100 as an example to show the difference between

MATLAB and Maple when dealing with result x.

In Maple

x := 2100;

x := 1267650600228229401496703205376

In MATLAB

x=2100

x =1.2677e+30

By using sym() function

>> x=sym(x)

x =

1267650600228229401496703205376

6.4 Summary

In this chapter, I described the implementation of all the attacks proposed in this

thesis against RSA and ECC by using Arduino Mega2560 as a hardware platform

and MATLAB 2017b as a software platform. The aim of demonstrating the

112

implementation process was to prove the possibility of applying my proposed

attacks on a restricted hardware device like Arduino Mega2560 which represents

an example of IoT devices. The implementation is conducted successfully with

small numbers (two to three digits), high numbers (3072 bits long digits) in RSA

and (384 bits long digits) in case of ECC. Furthermore, I made a short comparison

between MAPLE and MATLAB software concerning implementing cryptography

algorithms. I also explained the difficulty I had faced when using MATLAB in my

implementation and then I offered some solutions to the problems I had faced in

my work.

113

Chapter Seven Summary, Conclusion & Future work

In this chapter, I present an overall summary of my research work. The chapter also

includes the main findings and conclusions that may be derived from this research

work. Finally, I offer my suggestions for future work.

7.1 Summary

This research work may be summarized as follows:

1. I built a programming platform to implement two public key systems (RSA and

Elliptic Curve) by using Maple 2017. I used this software platform to analyse the

procedures of these cryptographic systems.

2. I have studied and analysed attacks against RSA and Elliptic Curve by reviewing

previous related work. I have developed different scenarios of attacks for different

protocols i.e. ECDH, encryption or signature. The attacks proposed in this thesis

only target the modular exponential and scalar multiplication.

3. I reviewed existing literature on EEPROM hardware devices. However, my

proposed attacks are based on idea of attacking software used to program EEPROM

and trying to change EEPROM content in a way that simplifies the detection of the

secret key value. My review of EEPROM devices supported the idea of my

proposed attacks and helped me to achieve my goal. Therefore, I included a whole

chapter to my thesis under the name of ‘EEPROM Environment’.

4. I proposed two new fault attacks on RSA cryptosystems. The first one was the

fault factorizing attack (FF) which factorized the RSA modulus by applying a fault

attack on the two RSA-CRT Signature Garner’s algorithms. The first algorithm was

protected by modified Shamir’s countermeasure and the second one was protected

by simplified Vigilant’s countermeasure. It can be clearly noted that the proposed

FF attacks induce a fault into the computation of i_q. I also proposed a retrieve

secret key (RSK) attack which was able to retrieve the secret key d by applying a

fault attack on both protected Montgomery Ladder RSA versions: “Left-to-Right

and Right-to-Left” algorithms. I implemented the two attacks FF and RSK by using

Intel (R) Core (TM) i7-4500 CPU 2.4 GHZ with 8 GB RAM as a hardware platform

and Windows 7 as the operating system. Maple 2017 was chosen as the software

platform as it contains a cryptography package designed for cryptographic

arithmetic operations.

114

5. I proposed a fault point attack on six scalar multiplications algorithms of ECC

which are both versions “Left-to-Right and Right-to-Left” of Montgomery, Coron

and Joye algorithms. I also made a comparison between General Weierstrass and

Montgomery Elliptic Curves equations. I used the General Weierstrass Elliptic

Curves equations because they compute the two coordinates x and y of the point in

the same step. I implemented the fault point attack on six ECC algorithms by using

Intel (R) Core (TM) i7-4500 CPU 2.4 GHZ with 8 GB RAM as a hardware platform

and Windows 7 as the operating system. I selected Maple 2017 as a software

platform because it contains a cryptography package designed for cryptographic

computation operations.

6. I complemented the implementation of all attack algorithms against RSA and

ECC by using Arduino Mega2560 hardware. The number of attack algorithms

which had been implemented were ten: four against RSA algorithms and six against

Elliptic Curve Cryptosystem (ECC) algorithms.

The Arduino Mega2560 is characterized by the following specifications:

Microcontroller ATmega2560, Flash Memory 256 KB of which 8 KB are

used by the bootloader (firmware), SRAM 8KB and EEPROM 4KB. The

software platform used in the implementation was MATLAB 2017b. I faced some

problems in programming these attack algorithms by using MATLAB 2017b,

especially when I used high numbers: (3072 bits long digits) for RSA and (384 bits

long digits) for ECC. However, I was able to solve these problems and I managed

to complete implementation of attack algorithms with high numbers for all ten

attack algorithms.

7.2 Conclusion

My research work has revealed certain facts and conclusions that can be specified

as follows:

1. A fault attack can be implemented on hardware devices not only by targeting

their hardware components but, also by attacking the software used to program and

update these hardware devices.


115

2. Use of devices with readable/writable/ EEPROM should be avoided in the IoT

in order to circumvent attacks such as mine.

3. The PUF security techniques which are used to generate secret key in real time

cannot prevent the proposed attacks in this thesis. The proposed attacks in this thesis

change algorithms stored in EEPROM and retrieve secret keys during algorithms

operations in real time instead of retrieving keys generated previously and stored in

EEPROM memory.

4. The attacks proposed in this research work can be implemented on a device with

limited resources such as a Arduino Mega2560 hardware device. These attacks can

retrieve the secret key for ECC with key size 384 bits long digits and factorize

modulus n and also retrieve the secret key for RSA with key size 3072 bits long

digits. The key sizes recommended for the year 2018 are 384 bits long digits for

ECC and 3072 bits long digits for RSA according to BlueKrypt web site. Bluekrypt

website [Gir 2017] is a site which gives recommendations for key size according to

the requirements of different security institutes all over the world.

5. Maple software provides more powerful functions to deal with high numbers like

3072 bits long digits than MATLAB. Therefore, it is more suitable to use Maple

instead of MATLAB when implementing cryptography algorithms.

7.3 Future work

In this section I will offer few suggestions for future work which can be summarized

as follows:

1. Extending the Implementation of the attacks proposed in this research work to

other cryptosystems which are used to secure IoT devices including lightweight

cryptography algorithms.

2. This thesis deals with hardware implementation of proposed FF, RSK and fault

point attacks against RSA and ECC cryptography algorithms in case of direct access

(wired connection between attacker computer and victim device) and leaves

indirect access (wireless connection) as future work. The attacker can target a

victim device even if he has no direct access to it. He can establish a connection

with the victim device remotely. The Bluetooth and NFC techniques can provide

116

the attacker with the opportunity to get control over a hardware device without

being observed by the device owner.

3. The attacks proposed in this thesis target (modular exponentiation in the case for

RSA) or (scalar multiplication in the case of ECC). An approach which combines

the two techniques in dealing with both algorithms, i.e. RSA and ECC, can be

considered for a future work. The two algorithms typically perform both kinds of

computations, i.e. modular exponentiation and scalar multiplication.

4. This thesis offers some ideas for empowering and upgrading the countermeasures

resistance to fault attacks proposed in this thesis. These ideas deal with two aspects

of protection. The first one concerns the physical access of an attacker to the victim

hardware device which can be prevented by protecting these hardware devices from

unauthorized, direct access (wired connection). Furthermore, owners of hardware

device are advised to disable any facility of remote connection via Bluetooth or near

field communication (NFC) technology and enable these facilities only when they

need them for an authorized information transfer (wireless connection). The second

aspect is related to the software used to program and update hardware devices. This

software must be obtained from a known source and which has the authority to

perform program or update processes. This may prevent any malware software or

unknown source software to make any modifications on the hardware content.

5. Modifying the attack algorithms proposed in this thesis to overcome any

countermeasures proposed against them in future.

6. I plan to include the implementation of fault point attack against Edwards’s

curves in a future work.

7. In the near future, I plan to submit a selection of results of this thesis to a

respected journal in the field.

117

References

[AA 2016] Agarwal, R, & Agarwal, G 2016,’ An Efficient Method of Generating

Random Numbers from Congruence Equations for Cryptographic Applications’,

International Journal of Science, Engineering and Computer Technology, vol. 6,

no.7, pp. 290.

[ABFHS 2002] Aumüller C, Bier P, Fischer W, Hofreiter P, Seifert J, P 2002,’

Fault Attacks on RSA with CRT: Concrete Results and Practical

Countermeasures’, in B S Kaliski, K Koç, & C Paar (eds), Proceedings of

Cryptographic Hardware and Embedded Systems - CHES 2002, CHES 2002,

Springer, Berlin, Heidelberg, pp. 260-275.

[ABFJLM 2018] Ambrose, C, Bos, JW, Fay, B, Joye, M, Lochter, M & Murray, B

2018, 'Differential attacks on deterministic signatures', in Cryptographers’ Track

at the RSA Conference, pp. 339-53.

[ABKA 2017] Abdullah, K, Bakar, SA, Kamis, NH & Aliamis, H 2017, 'RSA

cryptosystem with fuzzy set theory for encryption and decryption', AIP Conference

Proceedings, vol. 1905, no. 1, p. 030001.

[AD 2008] Aziza, H & Delsuc, B 2008, ‘Device and memory array models for flash

EEPROM technology’, Journal of WSEAS transactions on circuits and systems,

vol. 7, no.4, pp. 249-258.

[AK 1996] Anderson, R & Kuhn, M 1996, ‘Tamper resistance-a cautionary note’,

Proceedings of the second Usenix workshop on electronic commerce, pp. 1-11.

[AK 1997] Anderson, R & Kuhn, M 1997, ‘Low cost attacks on tamper resistant

devices’, in B Christianson, B Crispo, M Lomas & M Roe (eds), Proceedings of

International Workshop on Security Protocols 1997, Springer, BerGlin,

Heidelberg, pp.125-136.

[AMQP 2012] Standard, O.A.S.I.S., 2012. Oasis advanced message queuing

protocol (amqp) version 1.0, retrieved 17 November 2017, < http://docs.oasis-

open.org/amqp/core/v1.0/os/amqp-core-complete-v1.0-os.pdf.

http://docs.oasis-open.org/amqp/core/v1.0/os/amqp-core-complete-v1.0-os.pdf

http://docs.oasis-open.org/amqp/core/v1.0/os/amqp-core-complete-v1.0-os.pdf

118

[ANSI 2010] ANSI X9.63, “Public key cryptography for the financial services

industry: Key agreement and key transport using elliptic curve cryptography,”

Tech. Rep., 2011.

[ARC 2018] Ammar, M, Russello, G & Crispo, B 2018, ‘Internet of Things: A

survey on the security of IoT frameworks’, Journal of Information Security and

Applications, vol. 38, pp.8-27.

[Ard 2018] Arduino Company 2018, EEPROM Read, Arduino Company, retrieved

25 March 2018, < https://www.arduino.cc/en/Tutorial/EEPROMRead>.

[AT 2018] Audrey, L & Tisserand, A 2018, 'Microcontroller Implementation of

Simultaneous Protections Against Observation and Perturbation Attacks for ECC',

in SECRYPT: 15th International Joint Conference on e-Business and

Telecommunications.

[AVFM 2007] Amiel, F, Villegas, K, Feix, B & Marcel, L 2007, ‘passive and active

combined attacks: Combining fault attacks and side channel analysis’, Proceedings

of Fault Diagnosis and Tolerance in Cryptography, FDTC 2007, pp. 92-102.

[Bat 2013] Batten, L M 2013, Public key cryptography: applications and attacks,

John Wiley & Sons, New Jersey, U.S.A.

[BBPP 2009] Barenghi, A, Bertoni, G, Parrinello, E & Pelosi, G 2009, ‘Low

Voltage Fault Attacks on the RSA Cryptosystem’, Proceedings of 2009 Workshop

on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 23-31, IEEE.

[BBPS 2011] Barenghi, A, Bertoni, G, Palomba, A & Susella, R 2011, ‘A novel

fault attack against ECDSA’, Proceedings of 2011 IEEE International Symposium

on Hardware-Oriented Security and Trust, pp. 161-6, IEEE.

[BCCC 2006] Brier, E, Chevallier-Mames, B, Ciet, M & Clavier, C 2006, ‘Why

one should also secure RSA public key elements’, in L Goubin & M Matsui (eds),

Proceedings of Cryptographic Hardware and Embedded Systems - CHES 2006.

CHES 2006. Springer, Berlin, Heidelberg, pp. 324-338.

[BCDG 2009] Berzati, A, Canovas, C, Dumas, J-G & Goubin, L 2009, ‘Fault

attacks on RSA public keys: Left-to-right implementations are also vulnerable’,

https://www.arduino.cc/en/Tutorial/EEPROMRead

119

in M Fischlin (eds), Proceedings of Topics in Cryptology – CT-RSA 2009, CT-

RSA 2009, Springer, Berlin, Heidelberg, pp. 414-28.

[BCG 2008] Berzati, A, Canovas, C & Goubin, L 2008, ‘In(security) Against Fault

Injection Attacks for CRT-RSA Implementations’, Proceedings of 2008 5th

Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 101-7, IEEE.

[BCG 2010] Berzati, A, Canovas-Dumas, C & Goubin, L 2010, ‘Public key

perturbation of randomized RSA implementations’, in S Mangard & FX Standaert

(eds), Proceedings of Cryptographic Hardware and Embedded Systems, CHES

2010. CHES 2010, Springer, Berlin, Heidelberg, pp. 306-319.

[BCS 2012] Bormann, C, Castellani, AP & Shelby, Z 2012, ‘CoAP: An Application

Protocol for Billions of Tiny Internet Nodes’, IEEE Internet Computing, vol. 16,

no. 2, pp. 62-7, IEEE.

[BD 2017] Berlin, K & Dhenakaran, S 2017, ‘An Overview of Cryptanalysis of

RSA Public key System’, International Journal of Engineering and Technology

(IJET), vol. 9, no.5, pp. 3575-3579.

[BDL 1997] Boneh, D, DeMillo, RA & Lipton, RJ 1997, ‘On the importance of

checking cryptographic protocols for faults’, in W Fumy (eds), Proceedings of

Advances in Cryptology — EUROCRYPT ’97, EUROCRYPT 1997, Springer,

Berlin, Heidelberg, pp. 37-51.

[BDLSY 2011] Bernstein, DJ, Duif, N, Lange, T, Schwabe, P & Yang, B-Y 2011,

‘High-speed high-security signatures’, in B Preneel & T Takagi (eds),

Proceedings of Cryptographic Hardware and Embedded Systems – CHES 2011,

CHES 2011, Springer, Berlin, Heidelberg, pp. 124-42.

[Ben 2017] Beningo, J 2017, ‘HAL Design for EEPROM and Memory Devices’,

in Reusable Firmware Development, Springer, Apress, Berkeley, CA, pp. 219-41.

[BFM 2017] Buttigieg, R, Farrugia, M & Meli, C 2017, ‘Security Issues in

Controller Area Networks in Automobiles’, arXiv preprint arXiv:1711.05824.

[BFMMT 2016] Belgarric, P, Fouque, P-A, Macario-Rat, G & Tibouchi, M 2016,

'Side-channel analysis of Weierstrass and Koblitz curve ECDSA on Android

smartphones', in Cryptographers’ Track at the RSA Conference, pp. 236-52.

120

[BGV 2011] Balasch, J, Gierlichs, B & Verbauwhede, I 2011, ‘An In-depth and

Black-box Characterization of the Effects of Clock Glitches on 8-bit MCUs’,

Proceedings of 2011 Workshop on Fault Diagnosis and Tolerance in

Cryptography, pp. 105-14, IEEE.

[BJ 2002] Brier, E & Joye, M 2002, ‘Weierstraß elliptic curves and side-channel

attacks’, in D Naccache & P Paillier (eds), Proceedings of Public Key

Cryptography. PKC 2002, Springer, Berlin, Heidelberg, pp. 335-345.

[BKS 2015] Bindal, A, Kumar, A & Sharma, KK 2015,’Modeling a Floating Gate

EEPROM Device using Finite Element Analysis’, Proceedings of IJCA

Proceedings on National Conference on Advancements in Alternate Energy

Resources for Rural Applications AERA 2015, no. 2, pp. 1-3.

[BL 2008] Barnett, RE & Liu, J 2008, ‘An EEPROM Programming Controller for

Passive UHF RFID Transponders With Gated Clock Regulation Loop and Current

Surge Control’, IEEE Journal of Solid-State Circuits, vol. 43, no. 8, pp. 1808-15,

IEEE.

[BM 2017] Bhattacharya, S & Mukhopadhyay, D 2017, ‘Formal fault analysis of

branch predictors: attacking countermeasures of asymmetric key ciphers’, Journal

of Cryptographic Engineering, vol. 7, no.4, pp. 299-310.

[BM 2018] Bashir, A & Mir, A H 2018,’ Internet of Things Security Issues, Threats,

Attacks and Counter Measures’, International Journal of Computing and Digital

Systems, vol. 7, no. 2, pp. 1-10.

[BMM 2000] Biehl, I, Meyer, B & Müller, V 2000, ‘Differential fault attacks on

elliptic curve cryptosystems’, in M Bellare (eds), Proceedings of Advances in

Cryptology — CRYPTO 2000, CRYPTO 2000, Springer, Berlin, Heidelberg, pp.

131-146.

[BNNT 2011] Brier, É, Naccache, D, Nguyen, PQ & Tibouchi, M 2011, ‘Modulus

fault attacks against RSA–CRT signatures’, Journal of Cryptographic Engineering,

vol. 1, no. 3, p. 243.

121

[BNP 2007] Boscher, A, Naciri, R & Prouff, E 2007, ‘CRT RSA algorithm

protected against fault attacks’, in D Sauveron, K Markantonakis A Bilas & JJ

Quisquater (eds), Proceedings of Information Security Theory and Practices.

S,mart Cards, Mobile and Ubiquitous Computing Systems , WISTP 2007,


[BOS 2006] Blömer, J, Otto, M & Seifert, J-P 2006, ‘Sign change fault attacks on

elliptic curve cryptosystems’, in L Breveglieri, I Koren, D Naccache & JP Seifert

(eds), Proceedings of Fault Diagnosis and Tolerance in Cryptography,


[BRMM 2016] Badenhop, CW, Ramsey, BW, Mullins, BE & Mailloux, LO 2016,

‘Extraction and analysis of non-volatile memory of the ZW0301 module, a Z-Wave

transceiver’, Digital Investigation, vol. 17, pp. 14-27.

[BSS 1999] Blake, I, Seroussi, G & Smart, N 1999, Elliptic curves in cryptography,

vol. 265, Cambridge university press.

[BT 2015] Bigou, K & Tisserand, A 2015, 'Single base modular multiplication for

efficient hardware RNS implementations of ECC', in International Workshop on

Cryptographic Hardware and Embedded Systems, pp. 123-40.

[CC 2015] Chung, CP & Chang-Liao, KS 2015, ‘A Highly Scalable Single Poly-

Silicon Embedded Electrically Erasable Programmable Read Only Memory With

Tungsten Control Gate by Full CMOS Process’, IEEE Electron Device Letters, vol.

36, no. 4, pp. 336-338, IEEE.

[CGMPV 2010] Coron, JS, Giraud, C, Morin, N, Piret, G & Vigilant, D 2010, ‘Fault

Attacks and Countermeasures on Vigilant's RSA-CRT Algorithm’, Proceedings of

2010 Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 89-96,

IEEE.

[Che 2017] Chen, C 2017, ‘FPGA IMPLEMENTATION FOR ELLIPTIC CURVE

CRYPTOGRAPHY OVER BINARY EXTENSION FIELD’, M A Sc, University

of Windsor, retrieved 10 December 2017, Electronic Theses and Dissertations.

[Chu 2018] Chuan, C H 2018, ‘Getting Started with Arduino’, Nanyang

Technological University (NTU Singapore), retrieved 3 May 2018,

<https://www.ntu.edu.sg/home/ehchua/programming/arduino/Arduino.html>.

https://scholar.uwindsor.ca/do/search/?q=author_lname%3A%22Chen%22%20author_fname%3A%22Che%22&start=0&context=3143471


http://www.ntu.edu.sg/home/ehchua/programming

122

[CJ 2001] Clavier, C & Joye, M 2001, ‘Universal Exponentiation Algorithm A First

Step towards Provable SPA-Resistance’, in ÇK Koç, D Naccache & C Paar (eds),

Proceedings of Cryptographic Hardware and Embedded Systems — CHES 2001,


[CJ 2005a] Ciet, M & Joye, M 2005, ‘Practical fault countermeasures for chinese

remaindering based RSA’, Proceedings of Workshop on Fault Diagnosis and

Tolerance in Cryptography–FDTC, pp. 124-32.

[CJ 2005b] Ciet, M & Joye, M 2005, ‘Elliptic Curve Cryptosystems in the Presence

of Permanent and Transient Faults’, Designs, Codes and Cryptography, vol. 36, no.

1, pp. 33-43.

[CJRR 1999] Chari, S, Jutla, CS, Rao, JR & Rohatgi, P 1999, ‘Towards Sound

Approaches to Counteract Power-Analysis Attacks’, in M Wiener (ed.),

Proceedings of Advances in Cryptology — CRYPTO’ 99, Springer, Berlin,

Heidelberg, pp. 398-412.

[CMAMS 2009] Compagnoni, CM, Mauri, A, Amoroso, SM, Maconi, A &

Spinelli, AS 2009, ‘Physical Modeling for Programming of TANOS Memories in

the Fowler-Nordheim Regime’, IEEE Transactions on Electron Devices, vol. 56,

no. 9, pp. 2008-2015, IEEE.

[CMW 2014] Clavier, C, Marion, D & Wurcker, A 2014, 'Simple power analysis

on AES key expansion revisited', in International Workshop on Cryptographic

Hardware and Embedded Systems, pp. 279-97.

[Cor 1999] Coron, J-S 1999, ‘Resistance Against Differential Power Analysis For

Elliptic Curve Cryptosystems’, in ÇK Koç & C Paar (eds), Proceedings of

Cryptographic Hardware and Embedded Systems, Springer, Berlin, Heidelberg, pp.

292-302.

[CS 2017] Costello, C & Smith, B 2017, ‘Montgomery curves and their arithmetic:

The case of large characteristic fields’, IACR Cryptology ePrint Archive, vol. 2017,

p. 212.

[CT 2014] Chen, Y-C & Towsley, D 2014, “On bufferbloat and delay analysis of

multipath TCP in wireless networks”, proceeding in Networking Conference, 2014

IFIP, pp. 1-9.

123

[DGMNR 2017] Dugardin, M, Guilley, S, Moreau, M, Najm, Z & Rauzy, P 2017,

‘Using modular extension to provably protect Edwards curves against fault attacks’,

Journal of Cryptographic Engineering, vol. 7, no. 4, pp. 321-330.

[DGRS 2009] Dottax, E, Giraud, C, Rivain, M & Sierra, Y 2009, ‘On Second-Order

Fault Analysis Resistance for CRT-RSA Implementations’, in O Markowitch, A

Bilas, J-H Hoepman, CJ Mitchell & J-J Quisquater (eds), Proceedings of

Information Security Theory and Practice. Smart Devices, Pervasive Systems, and

Ubiquitous Networks, Springer, Berlin, Heidelberg, pp. 68-83.

[DHB 2016] Dubeuf, J, Hely, D & Beroulle, V 2016, ‘ECDSA Passive Attacks,

Leakage Sources, and Common Design Mistakes’, ACM Trans,Des. Autom,

Electron, Syst, vol. 21, no. 2, pp. 1-24.

[DLDJLTZ 2012] Du, Y, Li, X, Dai, L, Jing, X, Li, Z, Tang, H & Zhuang, Y 2012,

‘A new type of low power read circuit in EEPROM for UHF RFID’,

Microelectronics Journal, vol. 43, no. 6, pp. 364-369.

[DRSFLN 2009] Di Bartolomeo, A, Rücker, H, Schley, P, Fox, A, Lischke, S &

Na, K-Y 2009, ‘A single-poly EEPROM cell for embedded memory applications’,

Solid-State Electronics, vol. 53, no. 6, pp. 644-8.

[DXFM 2006] Dong-Sheng, L, Xue-Cheng, Z, Fan, Z & Min, D 2006,’ Embeded

EEPROM Memory Achieving Lower Power - New design of EEPROM memory

for RFID tag IC’, IEEE Circuits and Devices Magazine, vol. 22, no. 6, pp. 53-59,

IEEE.

[Eva 2011] Evans, D 2011, ‘The internet of things: How the next evolution of the

internet is changing everything’, CISCO white paper, vol. 1, no. 2011, pp. 1-11.

[FGLTZ 2013] Fouque, P-A, Guillermin, N, Leresteux, D, Tibouchi, M &

Zapalowicz, J-C 2013, 'Attacking RSA–CRT signatures with faults on Montgomery

multiplication', Journal of Cryptographic Engineering, vol. 3, no. 1, pp. 59-72

[FK 2012] Fournaris, AP & Koufopavlou, O 2012, ‘CRT RSA Hardware

Architecture with Fault and Simple Power Attack Countermeasures’, Proceedings

of 2012 15th Euromicro Conference on Digital System Design, pp. 661-667, IEEE.

124

[FLRV 2008] Fouque, PA, Lercier, R, Réal, D & Valette, F 2008, ‘Fault Attack on

Elliptic Curve Montgomery Ladder Implementation’, Proceedings of 2008 5th

Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 92-98, IEEE.

[FPBS 2016] Fournaris, AP, Papachristodoulou, L, Batina, L & Sklavos, N 2016,

‘Residue Number System as a side channel and fault injection attack

countermeasure in elliptic curve cryptography’, Proceedings of 2016 International

Conference on Design and Technology of Integrated Systems in Nanoscale Era

(DTIS), pp. 1-4, IEEE.

[FRV 2014] Feix, B, Roussellet, M & Venelli, A 2014, ‘Side-Channel

Analysis on Blinded Regular Scalar Multiplications', in W Meier & D

Mukhopadhyay (eds), Proceedings of Progress in Cryptology -- INDOCRYPT

2014, Cham, pp. 3-20.

[FS 2015] Fournaris, A & Sklavos, N 2015,‘Public key cryptographic

primitive design and protection against fault and power analysis attacks',

Proceedings of DATE 2015 conference Workshop on trustworthy

manufacturing and utilization of secure devices, pp. 1-4.

[FV 2003] Fouque, P-A & Valette, F 2003, 'The Doubling Attack – Why Upwards

Is Better than Downwards’, in CD Walter, ÇK Koç & C Paar (eds), Proceedings of

Cryptographic Hardware and Embedded Systems - CHES 2003, Springer, Berlin,


[FV 2006] Fumaroli, G & Vigilant, D 2006, ‘Blinded Fault Resistant

Exponentiation’, in L Breveglieri, I Koren, D Naccache & J-P Seifert (eds),

Proceedings of Fault Diagnosis and Tolerance in Cryptography, Springer, Berlin,


[FV 2012] Fan, J & Verbauwhede, I 2012, ‘An Updated Survey on Secure ECC

Implementations: Attacks, Countermeasures and Cost’, in D Naccache (ed.),

Proceedings of Cryptography and Security: From Theory to Applications: Essays

Dedicated to Jean-Jacques Quisquater on the Occasion of His 65th Birthday,


125

[GG 2015] Galbraith, SD & Gaudry, P 2016, ‘Recent progress on the elliptic curve

discrete logarithm problem’, Designs, Codes and Cryptography, vol. 78, no. 1, pp.

51-72.

[GG 2016] Galbraith, S D & Gaudry, P 2016, ‘Recent progress on the elliptic curve

discrete logarithm problem’, Designs, Codes and Cryptography, vol. 78 no. 1,

pp.51-72.

[Gir 2006] Giraud, C 2006, ‘An RSA Implementation Resistant to Fault Attacks

and to Simple Power Analysis’, IEEE Transactions on Computers, vol. 55, no. 9,

pp. 1116-1120, IEEE.

[Gir 2017] Giry, D 2017, cryptographic key Length Recommendation, BlueKrypt,

retrieved 10 September 2017, < https://www.keylength.com/>.

[GJMRV 2011] Goundar, RR, Joye, M, Miyaji, A, Rivain, M & Venelli, A 2011,

‘Scalar multiplication on Weierstraß elliptic curves from Co-Z arithmetic’, Journal

of Cryptographic Engineering, vol. 1, no. 2, p. 161.

[Gut 1996] Gutmann, P 1996, ‘Secure deletion of data from magnetic and solid-

state memory’, Proceedings of the Sixth USENIX Security Symposium, San Jose,

CA, vol. 14, pp. 77-89.

[Ham 2015] Hamburg, M 2015, ‘Decaf: Eliminating Cofactors Through Point

Compression’, in R Gennaro & M Robshaw (eds), Proceedings of Advances in

Cryptology -- CRYPTO 2015, Springer, Berlin, Heidelberg, pp. 705-723.

[He 2013] He, Y 2013, ‘Highly secure cryptographic computations against side-

channel attacks’, M A Sc, University of Windsor, retrieved 12 December

2017, Electronic Theses and Dissertations.

[HM 2009] Hogenboom, J & Mostowski, W 2009, ‘Full memory read attack on a

java card’, Proceedings of 4th Benelux Workshop on Information and System

Security Proceedings (WISSEC’09).

[HS 2001] Howgrave-Graham, NA & Smart, NP 2001, ‘Lattice attacks on digital

signature schemes’, Designs, Codes and Cryptography, vol. 23, no. 3, pp. 283-290.

https://www.bluekrypt.com/


126

[Hua 2017] Huang, Y 2017, ‘Efficient scalar multiplication against side channel

attacks using new number representation’, M A Sc, University of Windsor,

retrieved 12 December 2017, Electronic Theses and Dissertations.

[IEEE 802 2011] IEEE 802 Working Group 2011, ‘IEEE Standard for Local and

Metropolitan Area Networks—Part 15.4: Low-Rate Wireless Personal Area

Networks (LR-WPANs)', IEEE Std, vol. 802, pp. 4-2011, IEEE.

[IMT 2002] Izu, T, Möller, B & Takagi, T 2002, ‘Improved Elliptic Curve

Multiplication Methods Resistant against Side Channel Attacks’, in A Menezes &

P Sarkar (eds), Proceedings of Progress in Cryptology — INDOCRYPT 2002,


[ISA 2009] ISA, I 2009, ‘100.11 a-2009: Wireless systems for industrial

automation: Process control and related applications’, International Society of

Automation: Research Triangle Park, NC, USA.

[IT 2002] Izu, T & Takagi, T 2002, ‘A Fast Parallel Elliptic Curve Multiplication

Resistant against Side Channel Attacks’, in D Naccache & P Paillier (eds),

Proceedings of Public Key Cryptography, Springer, Berlin, Heidelberg, pp. 280-

296.

[JLQ 1999] Joye, M, Lenstra, AK & Quisquater, J-J 1999, ‘Chinese remaindering

based cryptosystems in the presence of faults’, Journal of cryptology, vol. 12, no.

4, pp. 241-245.

[Joy 2007] Joye, M 2007, ‘Highly Regular Right-to-Left Algorithms for Scalar

Multiplication’, in P Paillier & I Verbauwhede (eds), Proceedings of

Cryptographic Hardware and Embedded Systems - CHES 2007, Springer, Berlin,


[Joy 2009a] Joye, M 2009, ‘Highly Regular m-Ary Powering Ladders’, Selected

Areas in Cryptography: 16th Annual International Workshop, Proceedings of SAC

2009, Revised Selected Papers, Springer-Verlag, Berlin, Heidelberg, pp. 135-147.

[Joy 2009b] Joye, M 2009, ‘Protecting RSA against Fault Attacks: The Embedding

Method’, Proceedings of 2009 Workshop on Fault Diagnosis and Tolerance in

Cryptography (FDTC), pp. 41-45, IEEE.


127

[JQBD 1997] Joye, M, Quisquater, J-J, Bao, F & Deng, RH 1997, ‘RSA-type

signatures in the presence of transient faults’, in M Darnell (ed.), Proceedings of

Crytography and Coding, Springer, Berlin, Heidelberg, pp. 155-160.

[JSS 2015] Jager, T, Schwenk, J & Somorovsky, J 2015, ‘Practical Invalid Curve

Attacks on TLS-ECDH’, in G Pernul, P Y A Ryan & E Weippl (eds), Proceedings

of Computer Security -- ESORICS 2015, Springer, Cham, pp. 407-425.

[JY 2002] Joye, M & Yen, S-M 2003, ‘The Montgomery Powering Ladder’, in BS

Kaliski, çK Koç & C Paar (eds), Proceedings of Cryptographic Hardware and

Embedded Systems - CHES 2002, Springer, Berlin, Heidelberg, pp. 291-302.

[KBPQ 2008] Kim, CH, Bulens, P, Petit, C & Quisquater, J-J 2008, ‘Fault Attacks

on Public Key Elements: Application to DLP-Based Schemes’, in SF Mjølsnes, S

Mauw & SK Katsikas (eds), Proceedings of Public Key Infrastructure, Springer,


[KCLP 2016] Kim, DK, Choi, P, Lee, M-K & Park, H 2016, ‘Design and Analysis

of Efficient Parallel Hardware Prime Generators’, JOURNAL OF

SEMICONDUCTOR TECHNOLOGY AND SCIENCE, vol. 16, no. 5, pp. 564-581.

[KFSV 2011] Karaklajić, D, Fan, J, Schmidt, JM & Verbauwhede, I 2011, ‘Low-

cost fault detection method for ECC using Montgomery powering ladder’,

Proceedings of 2011 Design, Automation & Test in Europe, pp. 1-6, IEEE.

[KHPD 2008] Kim, AN, Hekland, F, Petersen, S & Doyle, P 2008, ‘When HART

goes wireless: Understanding and implementing the WirelessHART standard’,

Proceedings of 2008 IEEE International Conference on Emerging Technologies

and Factory Automation, pp. 899-907, IEEE.

[KIK 2008] Kara-Ivaniov, M, Iceland, E & Kipnis, A 2008, ‘Attacks on

Authentication and Signature Schemes Involving Corruption of Public Key

(Modulus)’, Proceedings of 2008 5th Workshop on Fault Diagnosis and Tolerance

in Cryptography, pp. 108-115, IEEE.

[Kim 2017] Kim, H 2017,‘Thwarting side-channel analysis against RSA

cryptosystems with additive blinding’, Information Sciences, vol. 412-413, pp. 36-

49.

128

[KK 1999] Kömmerling, O & Kuhn, MG 1999, ‘Design Principles for Tamper-

Resistant Smartcard Processors’, Smartcard, vol. 99, pp. 9-20.

[KKHH 2011] Kim, S-K, Kim, TH, Han, D-G & Hong, S 2011, ‘An efficient CRT-

RSA algorithm secure against power and fault attacks’, Journal of Systems and

Software, vol. 84, no. 10, pp. 1660-1669.

[Koc 1996] Kocar, O 1996, ‘Hardwaresicherheit von mikrochips in chipkarten’,

Datenschutz und Datensicherheit, vol. 20, no. 7, pp. 421-424.

[KJJ 1999] Kocher, P, Jaffe, J & Jun, B 1999, 'Differential power analysis', in

Annual International Cryptology Conference, pp. 388-97.

[KQ 2007a] Kim, CH & Quisquater, J-J 2007, ‘Fault Attacks for CRT Based RSA:

New Attacks, New Results, and New Countermeasures’, in D Sauveron, K

Markantonakis, A Bilas & J-J Quisquater (eds), Proceedings of Information

Security Theory and Practices, Smart Cards, Mobile and Ubiquitous Computing

Systems, Springer, Berlin, Heidelberg, pp. 215-28.

[KQ 2007b] Kim, CH & Quisquater, JJ 2007, ‘How can we overcome both side

channel analysis and fault attacks on RSA-CRT?’, Proceedings of Workshop on

Fault Diagnosis and Tolerance in Cryptography (FDTC 2007), pp. 21-29, IEEE.

[KR 1997] Kaliski Jr, BS & Robshaw, MJ 1997, ‘Comments on some new attacks

on cryptographic devices’, RSA Laboratories Bulletin, vol. 5, pp. 1-5.

[KSQL 2007] Kim, CH, Shin, JH, Quisquater, J-J & Lee, PJ 2007, ‘Safe-Error

Attack on SPA-FA Resistant Exponentiations Using a HW Modular Multiplier’, in

K-H Nam & G Rhee (eds), Proceedings of Information Security and Cryptology -

ICISC 2007, Springer, Berlin, Heidelberg, pp. 273-281.

[KSV 2013] Karaklajić, D, Schmidt, J-M & Verbauwhede, I 2013, ‘Hardware

designer's guide to fault attacks’, IEEE Transactions on Very Large Scale

Integration (VLSI) Systems, vol. 21, no. 12, pp. 2295-2306, IEEE.

[KZJSY 2017] Kong, F, Zhou, D, Jiang, Y, Shang, J & Yu, J 2017, ‘Fault Attack

on an Improved CRT-RSA Algorithm with the Modulus Chaining Method’,

Proceedings of 2017 IEEE International Conference on Computational Science

129

and Engineering (CSE) and IEEE International Conference on Embedded and

Ubiquitous Computing (EUC), vol. 1, pp. 866-869, IEEE.

[Lal 2017] Lalonde, DR 2017, ‘Private and Public-Key Side-Channel Threats

Against Hardware Accelerated Cryptosystems’, M A Sc, University of Windsor,

retrieved 13 December 2017, Electronic Theses and Dissertations.

[Lan 2015] Langbridge, JA 2015, Arduino Sketches: Tools and Techniques for

Programming Wizardry, John Wiley & Sons.

[LCC 2014] Lee, S, Choi, D & Choi, Y 2014, ‘Improved Shamir's CRT-RSA

algorithm: Revisit with the modulus chaining method’, ETRI Journal, vol. 36 no.

3, pp. 469-478.

[LCFS 2017] Lac, B, Canteaut, A, Fournier, J & Sirdey, R 2017, ‘DFA on LS-

Designs with a Practical Implementation on SCREAM’, in S Guilley (eds),

proceedings of Constructive Side-Channel Analysis and Secure Design. COSADE

2017, Springer, Cham, pp. 223-247.

[LCK 2010] Lee, K S, Chun, J H & Kwon, K W, 2010 ‘A low power CMOS

compatible embedded EEPROM for passive RFID tag’, Microelectronics Journal,

vol. 41 no.10, pp.662-668.

[Lee 2016] Lee, Y 2016, Floating Gate operation, Block Diagram, SlidePlayer,

retrieved 20 October 2017, < http://slideplayer.com/slide/6103857/>.

[Len 1996] Lenstra, AK 1996, Memo on RSA signature generation in the presence

of faults.

[Loc 2010] Locke, D 2010, ‘Mq telemetry transport (mqtt) v3. 1 protocol

specification’, IBM developerWorks Technical Library, p. 15.

[LS 2007] Lin, C F & Sun, C Y 2007, ‘A single-poly EEPROM cell structure

compatible to standard CMOS process’, Solid-state electronics, vol. 51 no. 6,

pp.888-893.

[Maple 2017] Maplesoft 2017, Maple User Manual Copyright, Waterloo Maple

Inc, retrieved 10 May 2017,

<https://www.maplesoft.com/documentation_center/maple2017/UserManual.pdf>


http://slideplayer.com/slide/6103857/

130

[MATLAB 2017] MathWorks 2017, MATLAB reference manual, MathWorks,

retrieved 8 August 2017, <

https://au.mathworks.com/help/matlab/index.html?s_tid=gn_loc_drop >.

[Mic 2005] Microchip Company 2005, Section 5. Flash and EEPROM

Programming, Microchip Company, retrieved 28 December 2017, <

http://ww1.microchip.com/downloads/en/DeviceDoc/70052D.pdf >.

[MJ 2015] Milić, L & Jelenković, L 2015, ‘A novel versatile architecture for

Internet of Things’, proceedings of 2015 38th International Convention on

Information and Communication Technology, Electronics and Microelectronics

(MIPRO), pp. 1026-1031, IEEE.

[MLUUM 2018] Mughal, MA, Luo, X, Ullah, A, Ullah, S & Mahmood, Z 2018,

'A Lightweight Digital Signature Based Security Scheme for Human-Centered

Internet of Things', IEEE Access.

[Mont 1987] Montgomery, P L, 1987, ‘Speeding the Pollard and elliptic curve

methods of factorization’, Mathematics of computation, vol. 48 no.177, pp.243-

264.

[Mui 2006] Muir, JA 2006, ‘Seifert’s RSA fault attack: Simplified analysis and

generalizations’, in P Ning, S Qing & N Li (eds), proceedings of Information and

Communications Security. ICICS 2006. Lecture Notes in Computer Science,


[MVV 1996] Menezes, AJ, Van Oorschot, PC & Vanstone, SA 1996, Handbook of

applied cryptography, CRC press.

[NIST 2013] Gallagher, P & Kerry, C 1993, ‘Fips pub 186-4: Digital signature

standard, dss (2013)’, Halton, JH, & Ribenboim, P.

[NS 1997] Nguyen, P & Stern, J 1997, ‘Merkle-Hellman revisited: a cryptanalysis

of the Qu-Vanstone cryptosystem based on group factorizations’, in B S Kaliski

(eds), proceedings of Advances in Cryptology — CRYPTO '97, CRYPTO 1997,


https://mail.deakin.edu.au/owa/redir.aspx?REF=26MCYxeU0zipkrhqXRvGajFNZxDz7cJOV1W4ORywAcrXus2eI17VCAFodHRwOi8vd3cxLm1pY3JvY2hpcC5jb20vZG93bmxvYWRzL2VuL0RldmljZURvYy83MDA1MkQucGRm

131

[NS 2003] Nguyen, P Q, & Shparlinski, I E 2003, ‘The insecurity of the elliptic

curve digital signature algorithm with partially known nonces’, Designs, codes and

cryptography, vol. 30 no. 2, pp.201-217.

[NSS 2004] Naccache, D, Smart, NP & Stern, J 2004, ‘Projective coordinates leak’,

in C Cachin, J L Camenisch (eds), proceedings of Advances in Cryptology -

EUROCRYPT 2004. EUROCRYPT 2004, Springer, Berlin, Heidelberg pp. 257-267.

[OLR 2017] Oliveira, T, López, J & Rodríguez-Henríquez, F 2017, ‘The

Montgomery ladder on binary elliptic curves’, Journal of Cryptographic

Engineering, pp. 1-18.

[OSCCA 2010] OSCCA, “SM 2: A group of ECC public key algorithms,” Tech.

Rep.,

[PBA 2010] Pellegrini, A, Bertacco, V & Austin, T 2010, ‘Fault-based attack of

RSA authentication’, Proceedings of the conference on Design, automation and test

in Europe, European Design and Automation Association, pp. 855-860.

[PBMCKH 2009] Park, J, Bae, K, Moon, S, Choi, D, Kang, Y & Ha, J 2009, ‘A

new fault cryptanalysis on Montgomery ladder exponentiation algorithm’,

Proceedings of the 2nd International Conference on Interaction Sciences:

Information Technology, Culture and Human, pp. 896-9. ACM.

[PBR 2017] Piscitelli, R, Bhasin, S & Regazzoni, F 2017, ‘Fault attacks, injection

techniques and tools for simulation’, Proceedings of Hardware Security and

Trust, Springer, pp. 27-47.

[Pet 1997] Peterson, I 1997, ‘Chinks in digital armor: Exploiting faults to break

smart‐card cryptosystems’, Science News, vol. 151 no. 5, pp.78-79.

[PMC 2014] Polk, T, McKay, K, Chokhani, S 2014, Guidelines for the Selection,

Configuration, and Use of Transport Layer Security (TLS) Implementations, NIST

Special Publication 800-52 Revision 1, retrieved 7 May 2018, <

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf>.

[PNKKLCCKKKP 2015] Park, K T, Nam, S, Kim, D, Kwak, P, Lee, D, Choi, Y

H, Choi, M H, Kwak, D H, Kim, D H, Kim, M S, & Park, H W, 2015, ‘Three-

dimensional 128 Gb MLC vertical NAND flash memory with 24-WL stacked layers

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf

132

and 50 MB/s high-speed programming’, IEEE Journal of Solid-State Circuits, vol.

50 no. 1, pp.204-213, IEEE.

[PSSLR 2018] Poddebniak, D, Somorovsky, J, Schinzel, S, Lochter, M & Rösler,

P 2018, 'Attacking deterministic signature schemes using fault attacks', in 2018

IEEE European Symposium on Security and Privacy (EuroS&P), pp. 338-52.

[PV 2006] Page, D, & Vercauteren, F 2006, ‘A fault attack on pairing-based

cryptography’, IEEE Transactions on Computers, vol. 55 no. 9, pp.1075-1080,

IEEE.

[QS 2002] Quisquater, J-J & Samyde, D 2002, ‘Eddy current for magnetic analysis

with active sensor’, Proceedings of eSMART, vol. 2002.

[Qui 1997] Quisquater, J J 1997, ‘The adolescence of smart cards’, Future

Generation Computer Systems, vol. 13no. 1, pp.3-7.

[RG 2014] Rauzy, P & Guilley, S 2014, ‘Countermeasures against High-Order

Fault-Injection Attacks on CRT-RSA’, Proceedings of 2014 Workshop on Fault

Diagnosis and Tolerance in Cryptography, pp. 68-82, IEEE.

[RLBBRM 2008] Raguet, J R, Laffont, R, Bouchakour, R, Bidal, V, Regnier, A, &

Mirabel, J M 2008, ‘New EEPROM concept for single bit operation’. Solid-State

Electronics, vol. 52 no. 10, pp.1525-1529.

[RMGN 2015] Rauzy, P, Moreau, M, Guilley, S & Najm, Z 2015, Using modular

extension to provably protect ECC against fault attacks, Cryptology ePrint Archive,

Report 2015/882.

[Ros 1998] Ross K 1998, the General Architecture of EEPROM, Block Diagram,

The Newsletter of the seattle Robotics Society: Encoder, retrieved 12 October

2017,< http://www.seattlerobotics.org/encoder/aug99/serialeeprom.html>.

[RP 2017] Romailler, Y & Pelissier, S 2017, ‘Practical Fault Attack against the

Ed25519 and EdDSA Signature Schemes’, Proceedings of 2017 Workshop on Fault

Diagnosis and Tolerance in Cryptography (FDTC), pp. 17-24, IEEE.

[SA 2002] Skorobogatov, SP & Anderson, RJ 2003, ‘Optical Fault Induction

Attacks’, in BS Kaliski, çK Koç & C Paar (eds), Proceedings of Cryptographic

133

Hardware and Embedded Systems - CHES 2002, Springer, Berlin, Heidelberg, pp.

2-12.

[SASOMKOKN 2014] Shukuri, S, Ajika, N, Shimizu, S, Otoi, H, Mihara, M,

Kawajiri, Y, Ogura, T, Kobayashi, K & Nakashima, M 2014, ‘Byte alterable

embedded EEPROM with B4-HE architecture achieving 10usec programming and

57F2 cell size’, Proceedings of 2014 IEEE 6th International Memory Workshop

(IMW), pp. 1-3, IEEE.

[SB 2018] Samwel, N & Batina, L 2018, 'Practical Fault Injection on Deterministic

Signatures: The Case of EdDSA', in International Conference on Cryptology in

Africa, pp. 306-21.

[SBBDS 2018] Samwel, N, Batina, L, Bertoni, G, Daemen, J & Susella, R 2018,

'Breaking Ed25519 in WolfSSL', in Cham, pp. 1-20.

[Sei 2005] Seifert, J-P 2005, ‘On authenticated computing and RSA-based

authentication’, paper presented to Proceedings of the 12th ACM conference on

Computer and communications security, Alexandria, VA, USA, pp. 122-127.

[Sey 2017] Seysen, M 2017, ‘Error-free protection of EC point multiplication by

modular extension’, IACR Cryptology ePrint Archive, vol. 2017, p. 170.

[SFM 2016] Sakamoto, J, Fujimoto, D & Matsumoto, T 2016, ‘Laser irradiation on

EEPROM sense amplifiers enhances side-channel leakage of read bits’,

Proceedings of 2016 IEEE Asian Hardware-Oriented Security and Trust

(AsianHOST), pp. 1-6, IEEE.

[SH 2007] Schmidt, J-M & Hutter, M 2007, Optical and em fault-attacks on crt-

based rsa: Concrete results. Vienna, Austria.

[SH 2008] Schmidt, JM & Herbst, C 2008, ‘A Practical Fault Attack on Square and

Multiply’, Proceedings of 2008 5th Workshop on Fault Diagnosis and Tolerance

in Cryptography, pp. 53-8, IEEE.

[Sha 1997] Shamir, A 1997, ‘How to check modular exponentiation’, rump session

of EUROCRYPT, vol. 97.

[Sha 1999] Shamir, A 1999, ‘Method and apparatus for protecting public key

schemes from timing and fault attacks’, Yeda Research and Development Co. Ltd,

134

At The Weizmann Institute Of Science, U.S. Patent 5,991,415.Embedded Systems,

Springer, Berlin Heidelberg, pp. 2-12.

[Sho 2001] Shoup, V 2001, ‘A proposal for an ISO standard for public key

encryption (version 2.1)’, IACR E-Print Archive, vol. 112.

[SIA 2017] Serraj, T, Ismaili, MC & Azizi, A 2017, ‘On the security of some elliptic

curve standards in the presence of random fault analysis attacks’, Proceedings of

2017 International Conference on Wireless Technologies, Embedded and

Intelligent Systems (WITS), pp. 1-5, IEEE.

[SKLM 2001] Sung-Ming, Y, Kim, S, Lim, S & Moon, S 2002, ‘A Countermeasure

against One Physical Cryptanalysis May Benefit Another Attack’, in K Kim (ed.),

Proceedings of Information Security and Cryptology — ICISC 2001, Springer,


[Sko 2002] Skorobogatov, S 2002, Low temperature data remanence in static RAM,

University of Cambridge, Computer Laboratory, p.11.

[Sko 2009] Skorobogatov, S 2009, ‘Local heating attacks on Flash memory

devices’, Proceedings of 2009 IEEE International Workshop on Hardware-

Oriented Security and Trust, pp. 1-6, IEEE.

[Sko 2010] Skorobogatov, S 2010, ‘Optical Fault Masking Attacks’, Proceedings

of 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 23-9,

IEEE.

[Sko 2017] Skorobogatov, S 2017, ‘How Microprobing Can Attack Encrypted

Memory’, Proceedings of 2017 Euromicro Conference on Digital System Design

(DSD), pp. 244-51, IEEE.

[SM 2009] Schmidt, J M & Medwed, M 2009, ‘A Fault Attack on ECDSA’,

Proceedings of 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography

(FDTC), pp. 93-9, IEEE.

[SM 2010] Schmidt, J-M & Medwed, M 2011, ‘Fault Attacks on the Montgomery

Powering Ladder’, in K-H Rhee & D Nyang (eds), Proceedings of Information

Security and Cryptology - ICISC 2010, Springer, Berlin, Heidelberg, pp. 396-406.

135

[SS 2017] Schinianakis, D & Stouraitis, T 2017, ‘RNS-Based Public-Key

Cryptography (RSA and ECC)’, in AS Molahosseini, LS de Sousa & C-H Chang

(eds), Proceedings of Embedded Systems Design with Special Arithmetic and

Number Systems, Springer International Publishing, Cham, pp. 311-344.

[TK 2010] Trichina, E & Korkikyan, R 2010, ‘Multi Fault Laser Attacks on

Protected CRT-RSA’, Proceedings of 2010 Workshop on Fault Diagnosis and

Tolerance in Cryptography, pp. 75-86, IEEE.

[TMRCPK 2013] Torricelli, F, Milani, L, Richelli, A, Colalongo, L, Pasotti, M, &

Kovacs-Vajna, Z M 2013, ‘Half-MOS single-poly EEPROM cell in standard

CMOS process’, IEEE Transactions on Electron Devices, vol. 60 no. 6, pp.1892-

1897, IEEE.

[Tra 2006] Trappe, W 2006, Introduction to cryptography with coding theory,

Pearson Education India.

[Vig 2008] Vigilant, D 2008, ‘RSA with CRT: A New Cost-Effective Solution to

Thwart Fault Attacks’, in E Oswald & P Rohatgi (eds), Proceedings of

Cryptographic Hardware and Embedded Systems – CHES 2008, Springer, Berlin,


[Wan 2004] Wagner, D 2004, ‘Cryptanalysis of a provably secure CRT-RSA

algorithm’, paper presented to Proceedings of the 11th ACM conference on

Computer and communications security, Washington DC, USA, pp. 92-97, ACM.

[WYSLGG 2018] Wang, W, Yu, Y, Standaert, F-X, Liu, J, Guo, Z & Gu, D 2018,

“Ridge-Based DPA: Improvement of Differential Power Analysis For Nanoscale

Chips”, IEEE Transactions on Information Forensics and Security, vol. 13, no. 5,

pp. 1301-16.

[Was 2012] Washington, J 2012, EEPROM Cell Configuration, Block Diagram,

SlidePlayer, retrieved 18 October 2017, < http://slideplayer.com/slide/6465527/>.

[Win 2012] Winter, T 2012, ‘RPL: IPv6 routing protocol for low-power and lossy

networks’.

http://slideplayer.com/slide/6465527/

136

[WSCH 2008] Wu, YC, Su, PW, Chang, CW & Hung, MF 2008, ‘Novel Twin

Poly-Si Thin-Film Transistors EEPROM With Trigate Nanowire Structure’, IEEE

Electron Device Letters, vol. 29, no. 11, pp. 1226-1228, IEEE.

[WW 2005] Waddle, J & Wagner, D 2005, ‘Fault attacks on dual-rail encoded

systems’, Proceedings of 21st Annual Computer Security Applications Conference

(ACSAC'05), pp. 10 494, IEEE.

[XHXYK 2016] Xu, Y, Hu, J, Xiao, J, Yang, G & Kong, W 2016, ‘Design

Techniques for a 30-ns Access Time 1.5-V 200-KB Embedded EEPROM

Memory’, IEEE Transactions on Circuits and Systems II: Express Briefs, vol. 63,

no. 11, pp. 1064-1068, IEEE.

[YJ 2000] Yen, S-M & Joye, M 2000, ‘Checking before output may not be

enough against fault-based cryptanalysis’, IEEE Transactions on computers, vol.

49, no. 9, pp. 967-70.IEEE.

[YKLM 2003] Yen, S-M, Kim, S, Lim, S & Moon, S-J 2003, “RSA speedup with

Chinese remainder theorem immune against hardware fault cryptanalysis”, IEEE

Transactions on computers, vol. 52, no. 4, pp. 461-72.IEEE.

[YKM 2006] Yen, S-M, Kim, D & Moon, S 2006, ‘Cryptanalysis of Two Protocols

for RSA with CRT Based on Fault Infection’, in L Breveglieri, I Koren, D Naccache

& J-P Seifert (eds), Proceedings of Fault Diagnosis and Tolerance in

Cryptography, Springer, Berlin, Heidelberg, pp. 53-61.

[YKMH 2006] Yen, S-M, Ko, L-C, Moon, S & Ha, J 2006, ‘Relative Doubling

Attack Against Montgomery Ladder’, in DH Won & S Kim (eds), Proceedings of

Information Security and Cryptology - ICISC 2005, Springer, Berlin, Heidelberg,

pp. 117-28.

[YMH 2002] Yen, S-M, Moon, S & Ha, J-C 2003, ‘Hardware Fault Attack on RSA

with CRT Revisited’, in PJ Lee & CH Lim (eds), Proceedings of Information

Security and Cryptology — ICISC 2002, Berlin, Heidelberg, pp. 374-388.

[YouTube 2014] How to Read, Erase, & Write EProm EEProm Chips Electronic

Fuel injection DIY Tuning GQ-4X Programmer 2014. YouTube, Guns & Gears, 2

May, retrieved 2 August 2016,

<https://www.youtube.com/watch?v=vUDP1XTmF9A>.

https://www.youtube.com/watch?v=vUDP1XTmF9A

137

[YouTube 2015] In system programming 93c56 scenic instrument panel 2015,

YouTube, REVELTRONICS, 12 July, retrieved 2 August 2016, <

https://www.youtube.com/watch?v=bl2FaM1SxK4>.

[YZV 2014] Yan, Z, Zhang, P & Vasilakos, AV 2014, ‘A survey on trust

management for Internet of Things’, Journal of network and computer applications,

vol. 42, pp. 120-34.

[YZWSL 2017] Yang, F, Zheng, Y, Wang, C, Shen, L, & Liao, H 2017, ‘A single-

poly EEPROM with low leakage charge pump and peripheral circuits for passive

RFID tag in a standard CMOS technology’, IEICE Electronics Express, vol. 14

no.10, pp. 20170315-20170315.

[YYK 1971] Yasuo, T, Yutaka H & Kiyoko N 1971, ‘Proposal of electrically

reprogrammable non-volatile semiconductor memory’, Proceedings of the 3rd

Conference on Solid State Devices, Tokyo. The Japan Society of Applied Physics:

155-162

[ZigBee 2006] ZigBee Alliance, ZigBee specification, 344-346, 2006.

https://www.youtube.com/channel/UCvcKnhov3vU98ro2cMNbRqQ

138

Appendices

Appendix A

A.1 Example 5

The internal inputs (loaded from the firmware) to algorithm 4.2 are p=31, q=29

d=593 and 𝑖𝑞 ≡ q-1 mod p=15. The input enter by user to algorithm 4.2 are the

message M=23 and the random fault value X=66. I assume that p, q, d and 𝑖𝑞 are

stored in firmware of the victim device, and the attacker does not have any access

to them. The goal of this example is to compute q which has a partial factor of

n=p*q.

Algorithm 4.2 was implemented in Maple code and the steps are shown below.

1. r := (rand(2 .. 2^4))(); r := 11.

2. pr := p*r; pr := 341.

3. qr := q*r; qr := 319.

4. er := "error"; er := "error".

if `mod`(pr, p) <> 0 or `mod`(qr, q) <> 0 then er end if.

5. v := (p-1)*(r-1); v := 300.

Spr: = `mod`(M^(`mod`(d, v)), pr); Spr := 232.

6. u := (q-1)*(r-1); u := 280.

Sqr := `mod`(M^(`mod`(d, u)), qr); Sqr := 199.

7. if `mod`(Spr, r) <> `mod`(Sqr, r) then er end if.

8. Sp := `mod`(Spr, p); Sp := 15.

9. Sq := `mod`(Sqr, q); Sq := 25.

10. Scrt := Sq+q*(`mod`(iq*(Sp-Sq), p)); Scrt := 170.

11 and 12. Scrte := Sq+q*(`mod`(X*(Sp-Sq), p)); Scrte := 663.

13. n=p*q=899.

14. qt := gcd(Scrte-Scrt, n); qt := 29.

139

15. unassign ('Scrte').

16. if `mod`(Scrt, p) <> `mod`(Spr, p) or `mod`(Scrt, q) <> `mod`(Sqr, q) then er

end if.

17. q = qt; q = 29.

A.2 Example 6

The internal inputs (loaded from the firmware) to algorithm 4.4 are p=47, q=37,

dp≡ d mod (p-1) ≡21,dq≡d mod(q-1) ≡23 and 𝑖𝑞 ≡ q-1 mod p=14. The inputs by

the user to algorithm 4.4 are the message M=56 and the random fault value X=34.

I assume that p, q, dp, dq and 𝑖𝑞 are stored in the firmware of the victim device, and

the attacker does not have any access to them. The goal of this example is to

compute q which has a partial factor of n=p*q.

Algorithm 4.4 was implemented in Maple code and the steps are shown below.

1.r := (rand(2 .. 2^4))(); r := 3.

2. n:= p*q; n := 1739.

3. pdash := p*r^2; pdash := 423.

4. ipr := `mod`(1/p, r^2); ipr := 5.

5. Mp := `mod`(M, pdash); Mp := 56.

6. Bp := p*ipr; Bp := 235.

7. Ap := `mod`(1-Bp, pdash); Ap := 189.

8. Mpdash := `mod`(Ap*Mp+Bp*(1+r), pdash); Mpdash := 103.

9. qdash := q*r^2; qdash := 333.

10. iqr := `mod`(1/q, r^2); iqr := 1.

11. Mq := `mod`(M, qdash); Mq := 56.

12. Bq := q*iqr; Bq := 37.

13. Aq := `mod`(1-Bq, qdash); Aq := 297.

14. Mqdash := `mod`(Aq*Mq+Bq*(1+r), qdash); Mqdash := 130.

140

15. eupdash := (p-1)*(r^2-1); eupdash := 368.

Spdash := `mod`(Mpdash^(`mod`(dp, eupdash)), pdash);Spdash := 253.

16. Spr := dp*r+1; Spr := 64.

17. cp := `mod`(Mpdash+n-M+1, p); cp := 1.

18. euqdash := (q-1)*(r^2-1); euqdash := 288.

Sqdash := `mod`(Mqdash^(`mod`(dq, euqdash)), qdash); Sqdash := 52.

19. Sqr := dq*r+1; Sqr := 70.

20. cq := `mod`(Mqdash+n-M+1, q); cq := 1.

21. Sdash := Sqdash+q*(`mod`(iq*(Spdash-Sqdash), pdash)); Sdash := 10264.


23. Sdashe := Sqdash+q*(`mod`(X*(Spdash-Sqdash), pdash)); Sdashe := 2494.

24. qt := gcd(Sdashe^e-M, n); qt := 37.

25. unassign('Sdashe').

26. Sr := Sqr+q*(`mod`(iq*(Spr-Sqr), pdash)); Sr := 12613.

27. cs := `mod`(Sdash-Sr+1, r^2); cs := 1.

28. Sf := `mod`(M^d, n); Sf := 1569.

29. Sfchk := `mod`(Sdash^(cp*cq*cs), n); Sfchk := 1569 As Sf=Sfchk no error.

30. q = qt; q = 37.

A.3 Example 7

I choose three random prime numbers p=3967, q=1327 and e=37 and compute

n=p*q=5264209, and d=e-1 mod (p-1)*(q-1)= 2131993 in decimal form or

"1000001000100000011001" in binary form. The internal inputs (loaded from the

firmware) to algorithm 4.6 are d= "1000001000100000011001" in binary form and

the size of the secret key t= 22. The inputs by the attacker to algorithm 4.6 are the

message g=12, the random fault value X=8 and modulus n= 5264209. I assume that

the secret key d and size of the secret key t are stored in the firmware of the victim

141

device, and the attacker does not have any access to them. The goal of this example

is to retrieve d which is the secret key of RSA.

Since Maple does not accept indices beginning with 0, as in the binary left to right

attack, we use 1, 2 instead of 0, 1 in the Maple code.

The Maple program considers the first value from left when dealing with For-Loop.

Therefore, the Maple program defines Left-to-Right in the For-Loop as “for i from

1 to t do” where t represents the size of the secret key d. However, the For-Loop in

RSA algorithm from Left-to-Right is defined as “For i from t to 1 do”.

The attack algorithm 4.6 was implemented in Maple code, and the steps are shown

below.

Step1.

> R[1] := 1; R[1] := 1

> R[2] := g; R[2] := 12

Step2.

> z=1; z=1

Step3

for i from 1 to t do

Step 3.1

if d[i] = "1" then b := 1 else b := 2 end if

Step 3.2

H: = R[b]*X mod n

Step 3.3

T := R[b]

Step 3.4

if d[i] = "1" then R[b] := R[b]*X mod n end if

Step 3.5

if R[b] = H then k[i] := 1; R[b] := T else k[i] := 0 end if

Step 3.6

if d[i] = "1" then u := 2 else u := 1end if

R[b]:= R[b]*R[u] mod n

142

Step 3.7

R[u] := R[u]^2 mod n

Step 3.8

z := z+1

End While loop

Step 4

Set v z-1

Step 5

d= [k1, k2, k3, . . . , kv-1, kv]= "1000001000100000011001"

A.4 Example 8



"11001001011100100010010101" in binary form. The internal inputs (loaded from

the firmware) to algorithm 4.8 are d= "11001001011100100010010101" in binary

form and size of the secret key t= 26. The inputs by the attacker to algorithm 4.8

are the message g=16, the random fault value X=12 and modulus n= 5264209. I

assume that the secret key d and size of the secret key t are stored in the firmware

of the victim device, and the attacker does not have any access to them. The goal of

this example is to retrieve d which is the secret key of RSA.

Since Maple does not accept indices beginning from 0, as in the binary left to right

attack, we use 1 and 2 instead of 0 and 1 in the Maple code.


Therefore, the Maple program defines Right-to-Left in the For-Loop as “for i from

t to 1 do” where t represents the size of the secret key d. However, the For-Loop in

RSA algorithm from Right-to-Left is defined as “For i from 1 to t do”.

The attack algorithm 4.8 was implemented in Maple code, and the steps are shown

below.

Step1

> R[1] := 1; R[1] := 1

> R[2] := g; R[2] := 16

Step2

143

> z=1; z=1

Step3

for i from t by -1 to 1 do

Step 3.1


Step 3.2

H: = R[b]*X mod n

Step 3.3

T := R[b]

Step 3.4


Step 3.5


Step 3.6


R[b]:= R[b]^2 mod n

Step 3.7

R[b] := R[b]*R[u] mod n

Step 3.8

z := z+1

End While loop

Step 4

Set v z-1

Step 5

d= [kv, kv-1, . . . , k2, k1]= "11001001011100100010010101"

144

Appendix B

B.1 example 1

Here, I demonstrate the attack on a Weierstrass curve, using point addition formulas

(3) and (4) in the computations, so that both coordinates are evaluated in each step.

I use the curve y2=x3+x+ (3w+3) over GF(52) where w is a solution of the

irreducible polynomial x2+4x+2 over GF(5), and so w2=w+3. Based on points in

affine form, I choose the point P = (0, 2w+1), value k = 6. Based on the general

Weierstrass equation (1), the coefficients are: a1=0, a2=0, a3=0, a4=1, a5=3w+3. I

also need a fault value X which I have chosen arbitrarily with value (0, 3w + 4)

modulo 5.

The internal inputs (loaded from the firmware) to algorithm 5.2 are k="110" in

binary form and the size of the secret key t= 3. The inputs by the attacker to

algorithm 5.2 are the P = (0, 2w+1), the random fault value X=(0, 3w + 4) and the

curve GF(p) values where p=5, a4=1 and a5=3w+3. I assume that the secret key k

and size of the secret key t are stored in the firmware of the victim device, and the

attacker does not have any access to them. The goal of this example is to retrieve k

which is the secret key of ECC.

Maple will not directly compute elliptic curve points using the inbuilt commands.

My options were therefore either to write subroutines in Maple enabling

computation of values such as (w+4)-1 or (w+4)2 in the extension field, or to use as

much of Maple as we could and do the remaining work by hand. I opted for the

latter solution. The four Maple commands ‘solve’, ‘expand’, ‘addell’ and ‘multell’

were used extensively, along with manual manipulation.

Because k is 110 in binary form, algorithm 5.2 will run through two complete

iterations, in each of which it will produce a bit of k. The steps are given below.

Step 1

>R(0)=P=[0, 2w+1];

>R(1)=2P=[3w+4,3w+2];

> e=2;

Step 2

X= [0, 3w+4];

Step 3

145

Iteration 1

i=2

Z= R(0)=[0, 2w+1];

N=R(0)+X=P+(-P)= O;

Since k2=1 then R(¬k2)=R(0) +X= P+(-P)= O;

Since R(¬k2)=R(0)=N we set d2 =1 and ‘eliminate error’: R(¬k2) by R(¬k2)=Z=

P=[0, 2w+1];

R(¬k2)=R(0)=R(0)+R(1)=P+2P=3P=[4w+3,4w+3];

R(k2)=R(1)=2R(k2)=2R(1)=4P=[2w,w+3];

Set e=e+1=3 updating the key size counter;

Iteration 2

i=1

Z= R(0)= 3P=[4w+3,4w+3];

N=R(0)+X=3P+(-P)=2P=[3w+4,3w+2];

Since k3=0 then no value added to X and stored in R(¬k3);

Since R(¬k1)=R(1)≠ N we set d1 =0 and no error occurs in R(¬k3);

R(¬k1)=R(1)=R(0)+R(1)=3P+4P=7P=[2w,4w+2];

R(k1)=R(0)=2R(k1)=2R(0)=6P=[2w+2,3];

Set e=e+1=4 updating the key size counter;

End of loop

Set v = e – 1 = 3.

I obtain the final value of k as the components of the triple (1, d2, d1) which is 110.

B.2 Example 2

I use the same experimental environment and addition operations which I have used

for the attack in the previous section.

The chosen curve is of Montgomery type:

y2 = x3 + 356055934632865372341974084664 x2 + x with P = (737747, 724721),

where k = 8957 in base 10 and is “10001011111101” in base 2, and the field is

GF(p) where p = 1083948976932424618521046268491.

I also need a fault value X which I have chosen arbitrarily with value (737747,

1083948976932424618521045543770).

The internal inputs (loaded from the firmware) to algorithm 5.4 are

k="10001011111101" in binary form and the size of the secret key t= 14. The inputs

146

by the attacker to algorithm 5.4 are the P = (737747, 724721), the random fault

value X=(737747, 1083948976932424618521045543770) and the curve GF(p)

values where p=1083948976932424618521046268491, a4=1 and a5=0. I assume

that the secret key k and size of the secret key t are stored in the firmware of the

victim device, and the attacker does not have any access to them. The goal of this

example is to retrieve k which is the secret key of ECC.

I use point addition formulas (3) and (4) in the computations so that both

coordinates are evaluated in each step.

In the Maple code below, I use R(1) instead of R(0) and R(2) instead of R(1) as

Maple does not use the index 0. Note also that O in Maple is represented as

[“infinity”,”infinity”].


Therefore, the Maple program defines Right-to-Left in the For-Loop as “for i from

t by -1 to t do” where t represents the size of the secret key d. However, the For-

Loop in ECC algorithm from Right-to-Left is defined as “For i from 1 to t do”.

Step 1

> R [1]:= [“infinity”, “infinity”]; R [1]:= [“infinity”, “infinity”];

> R [2]:= [737747, 724721]; R [2]:= [737747, 724721];

> e:=1; e:=1

Step 2

>X:= (737747, 1083948976932424618521045543770); X:= (737747,

1083948976932424618521045543770).

Step 3

for i from t by -1 to 1 do :

Step 3.1

E := R[1]

Step 3.2

G := R[2]

COMMENT: Since b is an index in the next steps, we use b = 1, 2 instead of b =

0, 1

Step 3.3

if k[i] = "1" then b := 1 else b := 2 end if

Step 3.4

147

N := addell([R[1][1], R[1][2]], [X[1], X[2]], a4, a5, p)

Step 3.5

if b = 1 then R[b] := addell([R[1][1], R[1][2]], [X[1], X[2]], a4, a5, p) end if

Step 3.6

c := R[b];

if c = N then d[i] := "1"; R[b] := E else d[i] := "0" end if

Step 3.7

R[b] := addell([R[1][1], R[1][2]], [R[2][1], R[2][2]], a4, a5, p)

Step 3.8

R[2] := G

Step 3.9

R[2] := multell([R[2][1], R[2][2]], 2, a4, a5, p)

Step 3.10

e := e+1

End of Step 3

Step 4

v=e-1; v=14

Step 5 (the bits of k are output)

[d14=1, d13=0, d12=0, d11=0, d10=1, d9=0, d8=1, d7=1, d6=1, d5=1, d4=1, d3=1, d2=0, d1=1]

Concerning the point X on the curve, the Maple notation for the x- (respectively y-

) coordinate of X is given by X[1] (respectively X[2]). So in Step 3 above, where

R[i] is itself a point, the notation R[i][1] refers to its x-coordinate.

B.3 Example 3

I choose the field GF(16708911996216745859) for the elliptic curve y2 = x3 +

9763215x + 16479282469090387564 with point P = (612359, 1000013) given in

affine form. My target is to find k, which I know in advance is 933 in base 10 and

is “1110100101” in base 2. I set p = 16708911996216745859. I also choose

arbitrarily a fault point X:= ( 612359, 16708911996215745846).

Referring to the general Weierstrass equation (1), the corresponding coefficients

are: a1=0, a2=0, a3=0, a4=9763215, a5=16479282469090387564.


k="1110100101" in binary form and the size of the secret key t= 10. The inputs by

148

the attacker to algorithm 5.6 are the P = (612359, 1000013), the random fault value

X:= (612359, 16708911996215745846)and the curve GF(p) values where

p=16708911996216745859, a4=9763215 and a5=16479282469090387564. I

assume that the secret key k and size of the secret key t are stored in the firmware


this example is to retrieve k which is the secret key of ECC.

Implementation of algorithm 5.6 in Maple code access register bits from Left-to-

Right and the steps for this example are shown below. I begin with counter key size

e=2 as I begin to count from second bit as the first bit is always 1. The notations

P[1] and P[2] refer respectively to the abscissa and ordinate values of the point P.

Since Maple does not accept indices beginning from 0, I use 1 and 2 instead of 0

and 1.


Therefore, the Maple program defines Left-to-Right in the For-Loop as “for i from

1 to t do” where t represents the size of the secret key d. However, the For-Loop in

ECC algorithm from Left-to-Right is defined as “For i from t to 1 do”.

Step 1

> W[1]:= P; W[1]:=[ 612359, 1000013]

> e:=2; e:=2

Step 2

> X:= [ 612359, 16708911996215745846]

COMMENT: Inject error into Step 3 by using X instead of P in addition operations:

Step 3

for i from 1 to t -1 do

Step 3.1

W[1] := multell([W[1][1], W[1][2]], 2, a4, a5, p)

Step 3.2

R := addell([W[1][1], W[1][2]], [X[1], X[2]], a4, a5, p)

Step 3.3

149

W[2]:= addell([W[1][1],W[1][2]],[X[1],X[2]].a4,a5,p);

Step 3.4

if k[i] = "1" then u := 2 else u := 1 end if;

n := W[u];

if n = R then d[i] := "1" else d[i] := "0" end if

Step 3.5

W[2] := addell([W[1][1], W[1][2]], [P[1], P[2]], a4, a5, p)

Step 3.6

W[1] := W[u]

Step 3.7

e := e+1

End of Step 3

Step 4

> v := e-1; v := 10


[d10=1, d9=1, d8=1, d7=0, d6=1, d5=0, d4=0, d3=1, d2=0, d1=1]

B.4 Example 4

I choose the curve y2=x3+x+(3w+3) over GF(52) where w is a solution of the

irreducible polynomial x2+4x+2 over GF(5), and so w2=w+3. Based on points in

affine form, I choose P = (0, 2w+1), the value k = 6.

Based on the general Weierstrass equation (1), the coefficients are: a1=0, a2=0, a3=0,

a4=1, a5=3w+3. I also choose arbitrarily a fault point X= (0, 3w + 4) modulo 5.



algorithm 5.8 are the P = (0, 2w+1), the random fault value X= (0, 3w + 4) and the

curve GF(p) values where p=5, a4=1 and a5=3w+3. I assume that the secret key k

and size of the secret key t are stored in the firmware of the victim device, and the

150



Maple will not directly compute elliptic curve points for an extension field using

the commands of the previous example. My options were therefore either to write

subroutines for Maple enabling computation of values such as (w+4)-1or (w+4)2 in

the extension field or to use as much of Maple as I could and do the remaining work

by hand. I opted for the latter solution. The four Maple commands ‘solve’, ‘expand’,

‘addell’ and ‘multell’ were used extensively, while their outputs often needed

manual manipulation; in particular, I used equations (3) and (4) from section 5.2.5.

Because k is 110 in binary form, algorithm 5.8 will run through three complete

iterations, in each of which it will produce a bit of k. The description of execution

of algorithm 5.8 is presented below.

Note that Maple represents O as [“infinity”, “infinity”].

Step 1

>W(0)=O=[“infinity”, “infinity”];

>R=P=[0, 2w+1];

> e=1;

Step 2

Choose X= [0, 3w+4];

Step 3

Iteration 1

i=1;

V = W(0) + X = O +(-P) = [0, 3w+4];

Since k=0 then W(1) is not changed;

Since W(1) ≠ V I set d[i] =0;

W(1)=R= P=[0, 2w+1];

W(1)=W(0)+W(1)= O+P = P=[0, 2w+1];

W(0)=W(ki)=W(0)= O =[“infinity”, “infinity”];

151

R=2R=2P=[3w+4, 3w+2];

Set e=e+1;

Iteration 2

i=2;

V = W(0) + X = O +(– P) = [0, 3w+4] ;

Since k=1 then W(1) = W(0) + X = O +(-P) = [0, 3w+4];

Since W(1) = V I set d[i] =1;

W(1)=R= 2P=[3w+4, 3w+2];

W(1)=W(0)+W(1)= O+2P= 2P=[3w+4, 3w+2];

W(0)=W(ki)=W(1)=2P;

R=2R=4P=[2w, w+3];

Set e=e+1=3;

Iteration 3

i=3;

V = W(0) + X = 2P +(-P) = P=[0, 2w+1];

Since k=1 then W(1) = W(0) + X = 2P +(-P) = P=[0, 2w+1];

Since W(1) = V, I set d[i] =1;

W(1)=R= 4P=[3w+4, 3w+2];

W(1)=W(0)+W(1)= 2P+4P= 6P=[2w+2, 3];

W(0)=W(ki)=W(1)=6P=[2w+2, 3];

R=2R=8P;

Set e=e+1=4;

The iterations end.

The final output value of k is equal to (kt, kt-1, …, k1)2 which is represented by the

components of the triple (d[3], d[2], d[1]) which is 110.

B.5 Example 5

I choose the field GF(36028797018963971) for the elliptic curve y2 = x3 +

23049492390237540x + 26353962252453337 with points P =

152

(36028797018963969, 18083753824772429) given in affine form. My target is to

find k, which I know in advance is 1435 in base 10 and is “10110011011” in binary

base. I set p = 36028797018963971. I also choose arbitrarily a fault point X:=

(36028797018963969, 17945043194191542).


are: a1=0, a2=0, a3=0, a4=23049492390237540, a5=26353962252453337.



by the attacker to algorithm 5.10 are the P = (36028797018963969,

18083753824772429), the random fault value X:= ([36028797018963969,

17945043194191542) and the curve GF(p) values where p=36028797018963971,

a4=23049492390237540 and a5=26353962252453337. I assume that the secret key

k and size of the secret key t are stored in the firmware of the victim device, and the



The attack algorithm 5.10 is implemented in Maple code, and the steps are shown

below. The notations P[1] and P[2] refer respectively to the abscissa and ordinate

values of the point P. Since Maple does not accept indices beginning from 0, as in

the Coron attack, I use 1 and 2 instead of 0 and 1 in the Maple code.

The Maple program considers the first value from the left when dealing with For-

Loop. Therefore, the Maple program defines Left-to-Right in the For-Loop as “for

i from 1 to t do” where t represents the size of the secret key d. However, the For-

Loop in ECC algorithm from Left-to-Right is defined as “For i from t to 1 do”.

Step1

> R[1] := ["infinity", "infinity"]; R[1] := ["infinity", "infinity"]

> R[2] := P ; R[2] := [36028797018963969, 18083753824772429]

> e := 1; e := 1

Step 2

153

> X := [36028797018963969, 17945043194191542]; X := [36028797018963969,

17945043194191542]

Step 3


Step 3.1

G := addell([R[1][1], R[1][2]],[X[1],X[2]],a4,a5,p);

Step 3.2

if k[i] = "1" then z := 1 else z := 2 end if

T := R[z]

Step 3.3

if k[i] = "1" then u := 2 else u := 1 end if

if u=2 then R[z] := addell([R[1][1], R[1][2]],[X[1],X[2]],a4,a5,p); end if;

Step 3.4

n := R[z];

if n = G then d[i] := "1"; R[z] := T else d[i] := "0" end if

Step 3.5

R[z] := addell([R[1][1], R[1][2]], [R[2][1], R[2][2]], a4, a5, p)

Step 3.6

R[u] := multell([R[u][1], R[u][2]], 2, a4, a5, p)

Step 3.7

e := e+1

End For Loop

Step 4

v:=e-1; v:=11


[d11=1, d10=0, d9=1, d8=1, d7=0, d6=0, d5=1, d4=1, d3=0, d2=1, d1=1]

154

B.6 Example 6

In this example, I choose an elliptic curve over the extension field GF(28) of GF(2)

using a solution w of the irreducible polynomial x8+ x4 + x3 +x+1 over GF(2). I use

the elliptic curve y2+xy=x3 + (w4+w+1) where the coefficients are polynomials in

GF(28). Based on points in affine form, I choose the point P = (w, w2 +1), value k

= 6. Based on the general Weierstrass equation (1), the coefficients are: a1=1, a2=0,

a3=0, a4=0, and a5= w4+w+1. I also choose arbitrarily a fault point X = (w, w2 +w+1)

modulo 2.



algorithm 5.12 are the P = (w, w2 +1), the random fault value X = (w, w2 +w+1)

and the curve GF(p) values where p=2, a4=0 and a5= w4+w+1. I assume that the

secret key k and size of the secret key t are stored in the firmware of the victim


is to retrieve k which is the secret key of ECC.

I face here the same Maple problem as in the previous field extension example:

Maple will not directly compute elliptic curve points using the commands. So I use

as many Maple commands as possible in combination with manual manipulation;

in particular, I use equations (3) and (4) from Section 5.2.5.

Because k is 110 in binary form, the attack algorithm will run through three

complete iterations, in each of which it will produce a bit of k.

Step 1

>R(0)= O;

>R(1)=P=[ w, w2 +1];

> e=1;

Step 2

X= - P = [w, w2 +w+1];

Step 3

Iteration 1

155

i=1

Since k =0 then b=1-0=1;

R(b)=R(1)=2R(1)=2P=[w6+w2+w, w6+w5+1];

G = R(0) + X = O +(-P) = -P= [w, w2 +w+1];

T= R(b)= 2P=[w6+w2+w, w6+w5+1];

R(b)= R(b) + X = R(1)+X=2P+(-P) =P= [w, w2+1];

Since R(b)= R(1)≠G I set d[i] =0;

R(b)=T=2P=[w6+w2+w, w6+w5+1] which eliminates the error in R(b)=R(1);

R(b)=R(b)+R(ki)=R(1)=R(1)+R(0)=2P+O = 2P = [w6+w2+w, w6+w5+1];

Set e=e+1=2;

Iteration 2

i=2

R(b)=R(0)=2R(0)= O;

G = R(0) + X = O + (-P) = [w, w2 +w+1];

T= R(b)= O;

R(b)= R(b) + X = R(0)=R(0)+X= O +(-P) = [w, w2 +w+1];

Since R(b) = R(0) = G I set d[i] =1;

R(b)=T= O which eliminates the error in R(b)=R(0);

R(b)=R(b)+R(ki)=R(0)=R(0)+R(1)= O + 2P = 2P = [w6+w2+w, w6+w5+1];

Set e=e+1=3;

Iteration 3

i=3

Since k =1 then b=1-1=0;

R(b)=R(0)=2R(0)=4P=[w6+1, w7+w5+w4+w3+1];

G = R(0) + X = 4P+(-P) = 3P=[w7+w5+w3+w2, w5+w2+w];

T= R(b)=4P=[w6+1, w7+w5+w4+w3+1];

R(b)= R(b) + X = R(0)=R(0)+X4P+(-P) = 3P=[w7+w5+w3+w2, w5+w2+w];

Since R(b) = R(0) = G I set d[i] =1;

156

R(b)= T=4P=[w6+1, w7+w5+w4+w3+1]which eliminates the error in R(b)=R(0);

R(b)=R(b)+R(ki)=R(0)=R(0)+R(1)=4P+ 2P=6P=[w+1, w2];

Set e=e+1=3;

Ends of iterations

Iteration 4

v=e-1=3

The final output value of k is equal to (kt, kt-1,…, k1)2 as the components of the

triple (d[3], d[2], d[1]) = (1,1,0).

157

Appendix C

C.1 Implementation Examples of Fault Factoring (FF) Attack

Algorithms against RSA-CRT by Using Arduino Hardware

In this appendix I present the implementation examples of FF attack against RSA-

CRT algorithms by using Arduino Mega2560 hardware. This appendix is arranged

as follows: appendix C.1.1 focuses on the implementation example of FF attack

against RSA-CRT signature protected by modified Shamir’s countermeasure.

Appendix C.1.2 presents the implementation example of FF attack against RSA-

CRT signature protected by Simplified Vigilant’s Countermeasure.

C.1.1 Implementation of FF Attack against RSA-CRT Signature

Algorithm Protected by Modified Shamir’s Countermeasure


Modified Shamir’s Countermeasure

The details of the FF attack algorithm against RSA-CRT signature algorithm

protected by modified Shamir’s countermeasure can be found in section 4.3.2.

Algorithm C.1.1 shows the FF attack algorithm against RSA-CRT Signature

algorithm protected by modified Shamir’s countermeasure.

Algorithm C.1.1 The FF Attack Algorithm against RSA-CRT Signature

Algorithm Protected by Modified Shamir’s Countermeasure





2. pr p*r.

3. qr q*r.

4. If pr ≢ 0 (mod p) or qr ≢ 0 (mod q ) then return error.



7. if 𝑆𝑝𝑟 ≢ 𝑆𝑞𝑟 𝑚𝑜𝑑 𝑟 then return error.



10. 𝑆𝑐𝑟𝑡 𝑆𝑞 + 𝑞 ∗ [(𝑖𝑞 ∗ (𝑆𝑝 − 𝑆𝑞) (𝑚𝑜𝑑 𝑝))].

158

11. Comment: use X instead of 𝑖𝑞 in the computation of Scrt so we get Scrte.

12. 𝑆𝑐𝑟𝑡𝑒 𝑆𝑞 + 𝑞 ∗ [(𝑋 ∗ (𝑆𝑝 − 𝑆𝑞) (𝑚𝑜𝑑 𝑝))].

13. n p*q

14. To get q, we compute 𝑞𝑡 gcd((𝑆𝑐𝑟𝑡𝑒-𝑆𝑐𝑟𝑡) ,n).

15. Eliminate 𝑆𝑐𝑟𝑡𝑒.


17. return q= 𝑞𝑡.

Example of the Implementation Process

The internal inputs (loaded from the firmware) to algorithm C.1.1 are p=67, q=71

d=1777 and 𝑖𝑞 ≡ q-1 mod p=17. The inputs by the attacker to algorithm C.1.1 are

the message M=23 and the random fault value X=66. I assume that p, q, d and 𝑖𝑞

are stored in the firmware of the victim device, and the attacker does not have any

access to them. The goal of this example is to compute q which has a factor of

n=p*q. The attacker also chooses a small integer r=5.

The implementation program in MATLAB 2017b is:


pr=p*r;

qr=q*r;

if mod(pr,p)~= 0 || mod(qr,q)~= 0 disp('error'); end

v=(p-1)*(r-1);

u=(q-1)*(r-1);

spr=powermod(M,mod(d,v),p)

sqr=powermod(M,mod(d,u),q)

if mod(spr,r)~= mod(sqr,r) disp('error'); end

sp=mod(spr,p)

sq=mod(sqr,q)

scrt=sq+(q*mod(iq*(sp-sq),p))

n=p*q

scrte=sq+(q*mod(X*(sp-sq),p));

qt=gcd((scrte-scrt),n)

clear scrte;

159

sfinal=powermod(M,d,n)

if mod(scrt,p)~= mod(spr,p) || mod(scrt,q)~= mod(sqr,q) disp('error'); end

q=qt

clear arduino

clearvars a;

The results of the implementation program are:

RSAshmair_Arduino

a =

arduino with properties:

Port: 'COM5'

Board: 'Mega2560'

AvailablePins: {'D2-D53', 'A0-A15'}

Libraries: {'I2C', 'Servo', 'SPI'}

pr = 335

qr = 355

spr = 39

sqr = 34

sp = 39

sq = 34

n = 4757

scrt = 1312

qt = 71

q = 71

160

C.1.2 Implementation of the FF Attack against RSA-CRT Signature

Algorithm Protected by Simplified Vigilant’s Countermeasure



The details of the FF attack algorithm against RSA-CRT signature algorithm

protected by Simplified Vigilant’s Countermeasure can be found in section 4.3.4

Algorithm C.1.2 shows the FF attack algorithm against RSA-CRT Signature

algorithm protected by Simplified Vigilant’s Countermeasure.

Algorithm C.1.2 FF Attack Algorithm against RSA-CRT Signature

Algorithm Protected by Simplified Vigilant’s Countermeasure





2. n p*q.





7. 𝐴𝑝 1 − 𝐵𝑝( 𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ).










16. 𝑆𝑝𝑟 1 + 𝑑𝑝 ∙ 𝑟.



𝑑𝑝( 𝑚𝑜𝑑 𝜑(𝑞𝑑𝑎𝑠ℎ)) (𝑚𝑜𝑑 𝑞𝑑𝑎𝑠ℎ).

161

19. 𝑆𝑞𝑟 1 + 𝑑𝑞 ∙ 𝑟.


21. 𝑆𝑑𝑎𝑠ℎ 𝑆𝑞𝑑𝑎𝑠ℎ + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝𝑑𝑎𝑠ℎ − 𝑆𝑞𝑑𝑎𝑠ℎ)(𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ)).


23. 𝑆𝑑𝑎𝑠ℎ𝑒 𝑆𝑞𝑑𝑎𝑠ℎ + 𝑞 ∙ (𝑋 ∙ (𝑆𝑝𝑑𝑎𝑠ℎ − 𝑆𝑞𝑑𝑎𝑠ℎ)(𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ) ).

24. To get q, we compute 𝑞𝑡 gcd((𝑆𝑑𝑎𝑠ℎ𝑒𝑒 −𝑀),n).

25. Eliminate 𝑆𝑐𝑟𝑡𝑒 .

26. 𝑆𝑟 𝑆𝑞𝑟 + 𝑞 ∙ (𝑖𝑞 ∙ (𝑆𝑝𝑟 − 𝑆𝑞𝑟)(𝑚𝑜𝑑 𝑝𝑑𝑎𝑠ℎ)).


28. 𝑆 ≡ 𝑀𝑑 (𝑚𝑜𝑑 𝑛).

29. 𝑆 ≢ 𝑆𝑑𝑎𝑠ℎ𝑐𝑝𝑐𝑞𝑐𝑠 (𝑚𝑜𝑑 𝑛) then return error.

30 return q=𝑞𝑡.


The internal inputs (loaded from the firmware) to algorithm C.1.2 are p=131,

q=137, dp≡ d mod (p-1) ≡87, dq≡d mod(q-1) ≡91 and 𝑖𝑞 ≡ q-1 mod p=22. The

inputs by the attacker to algorithm C.1.2 are the message M=31 and the random

fault value X=77. I assume that p, q, dp, dq and 𝑖𝑞 are stored in the firmware in


example is to compute q which has a factor of n=p*q. The attacker also chooses a

small integer r=6.

The implementation in program MATLAB 2017b is:


n=p*q

pdash=p*(r^2)

ipr=powermod(p,-1,r^2)

Mp=mod(M,pdash)

Bp=p*ipr

Ap=1-mod(Bp,pdash)

Mpdash=Ap*Mp+mod(Bp*(1+r),pdash)

qdash=q*(r^2)

162

iqr=powermod(q,-1,r^2)

Mq=mod(M,qdash)

Bq=q*iqr

Aq=1-mod(Bq,qdash)

Mqdash=Aq*Mq+mod(Bq*(1+r),qdash)

eupdash=(p-1)*(r^2-1)

Spdash=powermod(Mpdash,mod(dp,eupdash),pdash)

Spr=1+dp*r

cp=mod(Mpdash+n-M+1,p)

euqdash=(q-1)*(r^2-1)

Sqdash=powermod(Mqdash,mod(dq,euqdash),qdash)

Sqr=1+dq*r

cq=mod(Mqdash+n-M+1,q)

Sdash=Sqdash+q*mod(iq*(Spdash-Sqdash),pdash)

Sr=Sqr+q*mod(iq*(Spr-Sqr),pdash)

Sdashe=Sqdash+q*mod(X*(Spdash-Sqdash),pdash)

qt=gcd((Sdashe-Sdash),n)

clear Sdashe;

cs=mod(Sdash-Sr+1,r^2)


if mod(sfinal, n)~= powermod(Sdash,(cp*cq*cs),n) disp('error'); end

q=qt

clear arduino

clearvars a;


RSAvirlag_Arduino

a =


Port: 'COM5'

Board: 'Mega2560'


163


n = 17947

pdash = 3275

ipr = 21

Mp = 31

Bp = 2751

Ap = -2750

Mpdash = -85119

qdash = 3425

iqr = 23

Mq = 31

Bq = 3151

Aq = -3150

Mqdash = -95869

eupdash = 3120

Spdash = 2736

Spr = 436

cp = 1

euqdash = 3264

Sqdash = 3231

Sqr = 456

cq = 1

Sdash = 306001

Sr = 388851

164

Sdashe = 165576

qt = 137

cs = 1

q = 137

C.2 Implementation Examples of RSK Attack against Protected

RSA Montgomery Ladder Algorithms by using Arduino

Hardware

In this appendix I present the implementation of the RSK attack against RSA

algorithms by using Arduino Mega2560. This appendix is arranged as follows:

appendix C.2.1 deals with the implementation example of retrieve secret key attack

against protected RSA Montgomery ladder Left-to-Right algorithm. Appendix

C.2.2 presents the implementation example of retrieve secret key attack against

protected RSA Montgomery ladder Right –to-Left algorithm.

C.2.1 Implementation of RSK Attack Algorithm against Protected RSA

Montgomery Ladder Left-to-Right Algorithm

RSK Attack Algorithm against Protected RSA Montgomery Ladder Left-to-

Right Algorithm

The details of RSK attack algorithm against protected RSA Montgomery ladder

Left-to-Right algorithm can be found in section 4.4.2. Algorithm C.2.1 presents the

retrieve secret attack algorithm against protected RSA Montgomery ladder Left-to-

Right algorithm.

Algorithm C.2.1 RSK Attack against Protected RSA Montgomery ladder

Left-to-Right Algorithm


t.



1. R(0) 1, R(1) g.

COMMENT: Assign key size counter label z 1.

2. z 1.


165

3. For i= t to 1 do

3.1 b ¬ dz.

3.2 H R(b) *X (mod n).

3.3 T R(b) (mod n).

3.4 If di = 1 then


End IF.



{ki 1.

COMMENT: Eliminate the error in R(b) by replacing the fault value by a value

stored in T

R(b) T.

Else

ki 0.

End If.

3.6 R(b) R(b)*R(di) (mod n).


3.8 z z+1.

End For loop.

4. Set v z-1.

5. d= (kv, kv-1, . . . , k2, k1).





firmware) to algorithm C.2.1 are d= "1011100011110001" in binary form and the

size of the secret key t= 16. The inputs by the attacker to algorithm C.2.1 are the

message g=124, the random fault value X=66 and modulus n= 67591. I assume that

the secret key d and size of the secret key t are stored in the firmware of the victim


is to retrieve d which is the secret key of RSA.

166



r=[1 g];

z=1;

k= [1 t]

for i=1:t

if d(i)==1

b=1;

else

b=2;

end

if d(i)==1

u=2;

else

u=1;

end

h=mod(r(b)*X,n);

T=mod(r(b),n);

if d(i)==1

r(b)=mod(r(b)*X,n)

end

if r(b)==h

k(i)=1

r(b)=T

else

k(i)=0

end



z=z+1

end

v=z-1

clear arduino;

167

clearvars a;


RSAmontLR

a =


Port: 'COM5'

Board: 'Mega2560'


Libraries: {'I2C', 'Servo', 'SPI'}p =257

r(1) = 1 % initial value for r(1) and r(2)

r(2)=124

r = 20578 50805 % Final value of r(1) and r(2)

d =[ k16, k15, …., k3, k2, k1]

=[ 1, 0, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 1] % retrieve secret key

C.2.2 Implementation of RSK Attack against Protected RSA

Montgomery Ladder Right-to-Left Algorithm

RSK Attack Algorithm against Protected RSA Montgomery Ladder Right-

to-Left Algorithm

The details of RSK attack algorithm against protected RSA Montgomery ladder

Right-to-Left algorithm can be found in section 4.4.4. Algorithm C.2.2 shows the

Retrieve secret attack algorithm against protected RSA Montgomery ladder Right-

to-Left algorithm.

Algorithm C.2.2 RSK Attack against Protected RSA Montgomery ladder

Right-to-Left Algorithm


t.


168


1. R(0) 1, R(1) g.

COMMENT: assign key size counter label z 1.

2. z 1.


3. For i= t to 1 do

3.1 b ¬ di.

3.2 H R(b) *X(mod n).

3.3 T R(b) (mod n).

3.4 If di = 1 then


End IF.


3.5 If R(b) = H then.

{ki 1.


stored in T.

R(b) T.

Else

ki 0.

End If.

3.6 R(b) R(b)2 (mod n).

3.7 R(b) R(b)*R(di) (mod n).

3.8 z z+1.

End While loop.

4. Set v z-1.

5. d= (kv, kv-1, k3, . . . , k2, k1).





firmware) to algorithm C.2.2 are d= "101001001100011101" in binary form and

169

the size of the secret key t= 18. The inputs by the attacker to algorithm C.2.2 are

the message g=143, the random fault value X=78 and modulus n= 272483. I assume

that the secret key d and size of the secret key t are stored in the firmware of the


example is to retrieve d which is the secret key of RSA.



r=[1 g];

z=1;

k = [1 t]

for i=1:t

if d(i)==1

b=1;

else

b=2;

end

if d(i)==1

u=2;

else

u=1;

end

h=mod(r(b)*X,n);

T=mod(r(b),n);

if d(i)==1

r(b)=mod(r(b)*X,n)

end

if r(b)==h

k(i)=1

r(b)=T

else

k(i)=0

end


170


z=z+1

end

v=z-1

clear arduino;

clearvars a;

The results of the implementation program are

RSAmontRL

a =


Port: 'COM5'

Board: 'Mega2560'



r(1) = 1 % initial value for r(1) and r(2)

r(2)=143

y = 197597 % final value gd

r = 197597 190622 % Final value of r(1) and r(2)

d = [k18, k17, …., k3, k2, k1]

= [ 1, 0, 1, 1, 1, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1] % retrieve secret key

C.3 Implementation Examples of Proposed Attacks against ECC

by Using Arduino Hardware

In this appendix I will present the implementation of fault point attacks against ECC

algorithms by using Arduino Mega2560. This appendix is arranged as follows:

appendix C.3.1 focuses on the implementation of fault point attack against Left-to-

Right ECC Montgomery ladder algorithm. Appendix C.3.2 presents the

implementation of fault point attack against Right–to-Left ECC Montgomery

ladder algorithm. Appendix C.3.3 shows the implementation of fault point attack

171

against Left-to-Right Coron algorithm. Appendix C.3.4 deals with the

implementation of fault point attack against Right–to-Left Coron algorithm.

Appendix C.3.5 presents the implementation of fault point attack against Left-to-

Right Joye-Yen algorithm. Appendix C.3.6 focuses on the implementation of fault

point attack against Right–to-Left Joye algorithm.

C.3.1 Implementation of Fault Point Attack against Left-to-Right ECC

Montgomery Ladder Algorithm

Fault Point Attack against Left-to-Right ECC Montgomery Ladder

Algorithm

The details of the fault point attack against Left-to-Right ECC Montgomery ladder

algorithm can be found in section 5.3.2. Algorithm C.3.1 shows the fault point

attack against Left-to-Right ECC Montgomery ladder Left-to-Right algorithm.

Algorithm C.3.1 The Fault Point Attack against Left-to-Right ECC



kt = 1.


point X.


1. R(0) P, R(1) 2P, e 2.






3.1 Z R(0).

3.2 N R(0) + X.

3.3 If ki=1 then

R(¬ki) R(0) +X.

End if.

3.4 If R(¬ ki) = N then

172

di 1.

COMMENT: Eliminate the error in R(¬ ki) by replacing fault value by a correct

value stored in Z.

R(¬ ki) Z.

Else

di 0.

End If.

3.5 R(¬ki) R(0) + R(1).

3.6 R(ki) 2R(ki).

3.7 e e+1.

End While loop.

4. set v e–1.

5. k= (1, dt-1, dt-2 … d2, d1).


I choose a curve of Montgomery type:

y2 = x3 + 1024 x2 + x with P = (1029, 208), where k = 522 and the field is

GF(p) where p = 1031. I arbitrarily choose a fault point X=(1029,823).


are: a1=0, a2=0, a3=0, a4=1, & a5=0.

The internal inputs (loaded from the firmware) to algorithm C.3.1 are

k="1000001010" in binary form and the size of the secret key t= 10. The inputs by

the attacker to algorithm C.3.1 are the P = (1029, 208), the random fault value

X=(1029,823) and the curve GF(p) values where p=1013, a4=1 & a5=0. I assume




Implementation of algorithm C.3.1 in MATLAB code access register bits from

Left-to-Right and the steps for this example are shown below. I begin with e=2 as

the first bit is always 1. The notations P[1] and P[2] refer respectively to the abscissa

and ordinate values of the point P. Since MATLAB does not accept indices

beginning from 0, I use 1 and 2 instead of 0 and 1.

173

The MATLAB script considers the first value from the left when dealing with For-

Loop. Therefore, the MATLAB script defines Left-to-Right in the For-Loop as “for





R=[0 0;0 0]

d(1)=1

e=2

R(1,:)=P

dp=multell([P(1),P(2)],2,a4,a5,p)

R(2,:)=dp

for i=2:t

Z=R(1,:)

if k(i)==1

u=1;

else

u=2;

end

if k(i)==1

z=2;

else

z=1;

end

N=addell([R(1,1),R(1,2)],[X(1),X(2)],a4,a5,p)

if u==1

r11(u,:)=addell([R(1,1),R(1,2)],[X(1),X(2)],a4,a5,p);

end

if r11(u,:)==N

d(i)=1;

r11(u,:)=Z;

else

d(i)=0;

174

end

R(u,:)=addell([R(1,1),R(1,2)],[R(2,1),R(2,2)],a4,a5,p)

r11(z,:)=multell([R(z,1),R(z,2)],2,a4,a5,p)

e=e+1

end

v=e-1

clear arduino;

clearvars a;


ECCMontLRArduino

a =


Port: 'COM5'

Board: 'Mega2560'



R(1 , :) = [1029 208] % initial value for r(1,1) and r(1, 2)

R(2, :)= [593 450] % initial value for r(2,1) and r(2, 2)

R(1 , :) = [398 641] % Final value of r(1)

k = [1, d9, d8, … d2, d1]

= [1, 0, 0, 0, 0, 0, 1, 0, 1, 0] % retrieve secret key

C.3.2 Implementation of Fault Point Attack against Right–to-Left ECC


Fault Point Attack against Right–to-Left ECC Montgomery Ladder

Algorithm

The details of the fault point attack against Right–to-Left ECC Montgomery ladder

algorithm can be found in section 5.3.4. Algorithm C.3.2 shows the fault point

attack against Right–to-Left ECC Montgomery ladder algorithm.

175

Algorithm C.3.2 Fault Point Attack against Right–to-Left ECC

Montgomery ladder Algorithm



point X.


1. R(0) O, R(1) P, e 1.






3.1 E R(0).

3.2 G R(1).

3.3 b 1– ki.

3.4 N R(0) + X.

3.5 If b=0 then

R(b) R(0) + X.

End If.

3.6 If R(b) = N then

{di 1.

COMMENT: Eliminate the error in R(¬ ke) by replacing the fault value by a

correct value stored in E.

R(b) E}.

Else

di 0.

End If

3.7 R(b) R(0) +R(1).

3.8 R(1) G.

3.9 R(1) 2R(1).

3.10 e e+1.

End While loop.

4. set v e-1.

176

5. k= (dt, dt-1, . . . , d2, d1).


I choose a curve of Montgomery type:

y2 = x3 + 2048 x2 + x with P = (2061, 972), where k = 1129 and the field is

GF(p) where p = 2063. I arbitrarily choose a fault point X=(2061,1091).


are: a1=0, a2=0, a3=2048, a4=1, & a5=8192.



by the attacker to algorithm C.3.2 are the P = (2061, 972), the random fault value

X=(2061,1091) and the curve GF(p) values where p=2063, a4=1 & a5=0. I assume





Right-to-Left and the steps for this example are shown below. The notations P[1]

and P[2] refer respectively to the abscissa and ordinate values of the point P. Since

MATLAB does not accept indices beginning from 0, I use 1 and 2 instead of 0 and

1.


Loop. Therefore, the MATLAB script defines Right-to-Left in the For-Loop as “for

i from t by -1 to t do” where t represents the size of the secret key d. However, the

For-Loop in ECC algorithm from Right-to-Left is defined as “For i from 1 to t do”.

The Implementation Program in MATLAB 2017b is:


R=[0 0;0 0]

e=1

R(1,:)=[inf,inf]

R(2,:)=P

for i=t:-1:1

177

E=R(1,:)

G=R(2,:)

if k(i)==1

b=1;

else

b=2;

end

if k(i)==1

z=2;

else

z=1;

end

N=addell([R(1,1),R(1,2)],[X(1),X(2)],a4,a5,p)

if b==1

R(b,:)=addell([R(1,1),R(1,2)],[X(1),X(2)],a4,a5,p);

end

if R(b,:)==N

d(i)=1;

R(b,:)=E;

else

d(i)=0;

end

R(b,:)=addell([R(1,1),R(1,2)],[R(2,1),R(2,2)],a4,a5,p)

R(2,:)=G

R(2,:)=multell([R(2,1),R(2,2)],2,a4,a5,p)

e=e+1

end

v=e-1

clear arduino;

clearvars a;


ECCMontRLArduino

178

R(1 , :) = [Inf Inf] % initial value for R(1,1) and R(1, 2)

R(2, :)= [2061 972] % initial value for R(2,1) and R(2, 2)

R(1,:) = [799 284] % Final value of R(1,1) and R(1,2)

k = [d11, d10, d9, … d2, d1]

= [ 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 1] % retrieve secret key.

C.3.3 Implementation of the Fault Point Attack against Left-to-Right

Coron Algorithm

Fault Point Attack against Left-to-Right Coron Algorithm

The details of fault point attack against Coron algorithm can be found in section

5.4.2. Algorithm C.3.3 shows the fault point attack against Left-to-Right Coron

algorithm.

Algorithm C.3.3 Fault Point Attack against Left-to-Right Coron Algorithm



point X.


1. W(0) P.

COMMENT: Assign key size counter label e 2 the loop store the bits of k

in order in the (t-1)-tuple d.


COMMENT: Inject error by using X instead of P in addition operations


3.1 W(0) 2W(0).

3.2 R W(0) + X.

3.3 W(1) W(0)+X.

COMMENT: The loop stores the bits of k in order in the (t-1)-tuple d.

3.4 If W(ki) = R then

di 1.

Else

di 0.

End If.

179

COMMENT: Eliminate the error in W(1) by replacing fault value by a result of

addition W(0)+P.

3.5 W(1) W(0)+P.

3.6 W(0) W(ki).

3.7 e e+1.

End While loop.

4. Set v e-1.

5. k= (1, dt-1, dt-2, . . . , d2, d1.).


I choose a curve:

y2 = x3 + 4096x + 8192 with P = (8217, 8062), where k=1679 and the field is

GF(8219) where p=8219. I arbitrarily choose a fault point X=(8217,157).


are: a1=0, a2=0, a3=0, a4=4096, & a5=8192.



by the attacker to algorithm C.3.3 are the P = (8217, 8062), the random fault value

X=(8217,157) and the curve GF(p) values where p=8219, a4=4096 & a5=8192. I

assume that the secret key k and size of the secret key t are stored in the firmware


this example is to retrieve k which is the secret key of ECC.


Left-to-Right and the steps for this example are shown below. I begin with e=2 as

the first bit is always 1. The notations P[1] and P[2] refer respectively to the abscissa

and ordinate values of the point P. Since MATLAB does not accept indices

beginning from 0, I use 1 and 2 instead of 0 and 1.






180


W=[0 0;0 0]

e=2

W(1,:)=P

d(1)=1

for i=2:t

W(1,:)=multell([W(1,1),W(1,2)],2,a4,a5,p)

R=addell([W(1,1),W(1,2)],[X(1),X(2)],a4,a5,p)

W(2,:)=addell([W(1,1),W(1,2)],[X(1),X(2)],a4,a5,p)

if k(i)==1

u=2;

else

u=1;

end

n=W(u,:)

if n==R

d(i)=1;

else

d(i)=0;

end

W(2,:)=addell([W(1,1),W(1,2)],[P(1),P(2)],a4,a5,p)

W(1,:)=W(u,:)

e=e+1

end

v=e-1

clear arduino;

clearvars a;


CoronLRArduino

a =


Port: 'COM5'

181

Board: 'Mega2560'



W(1 , :) = [8217, 8062] % initial value for W(1,1) and W(1, 2)

W(1 , :)= [7919 4758] % Final value of W(1,1) and W(1,2)

k = [1, d10, d9, … d2, d1]

= [ 1, 1, 0, 1, 0, 0, 0, 1, 1, 1, 1] % retrieve secret key

C.3.4 Implementation of Fault Point Attack against Right-to-Left

Coron Algorithm

Fault Point Attack against Right-to-Left Coron Algorithm

The details of fault point attack against Right-to-Left Coron algorithm can be found

in section 5.4.4. Algorithm C.3.4 shows the fault point attack against Right-to-Left

Coron algorithm.

Algorithm C.3.4 Fault Point Attack against Right-to-Left Coron Algorithm



point X.


1. W(0) O, R P.



COMMENT: Inject error by using X instead of W(1) in addition operations.


3.1 G W(0) +X.

3.2 If ki = 1 then

W(1) W(0) + X.

End If.


3.3 If W(1) = G then

di 1.

182

Else

di 0.

End If.

COMMENT: Eliminate the error in W(1) by replacing fault value by a value

stored in R

3.4 W(1) R.

3.5 W(1) W(0) + W(1).

3.6 W(0) W(ki).

3.7 R 2R.

3.8 e e+1.

End While loop.

4. set v e-1.

5. k= (dt, dt-1, . . . , d2, d1).


I choose a curve :

y2 = x3 + 2048 x2 + x with P = (131109, 34349), where k = 4790 and the field

is GF(131111) where p = 131111. I arbitrarily choose a fault point

X=(7919,126353).


a1=0, a2=0, a3=0, a4=13621, & a5=13162.



by the attacker to algorithm C.3.4 are the P = (131109, 34349), the random fault

value X=(7919,126353) and the curve GF(p) values where p=131111, a4=13621 &

a5=13621. I assume that the secret key k and size of the secret key t are stored in

the firmware of the victim device, and the attacker does not have any access to

them. The goal of this example is to retrieve k which is the secret key of ECC.




183


1.






a = arduino ('COM5','Mega2560')

W=[0 0;0 0]

e=1

W(1,:)=[inf,inf]

R=P

for i=t:-1:1

G=addell([W(1,1),W(1,2)],[X(1),X(2)],a4,a5,p)

if k(i)==1

u=2;

else

u=1;

end

if u==2

W(2,:)=addell([W(1,1),W(1,2)],[X(1),X(2)],a4,a5,p);

end

if W(2,:)==G

d(i)=1;

else

d(i)=0;

end

W(2,:)=R

W(2,:)=addell([W(1,1),W(1,2)],[W(2,1),W(2,2)],a4,a5,p);

W(1,:)=W(u,:)

R=multell([R(1),R(2)],2,a4,a5,p)

e=e+1

184

end

v=e-1

clear arduino;

clearvars a;

The results of the implantation program are:

CoronRLsecond_Arduino

a =


Port: 'COM5'

Board: 'Mega2560'



W(1 , :) = [Inf, Inf] % initial value for W(1,1) and W(1, 2)

W(1 , :)= [16866, 26161] % Final value of W(1,1) and W(1,2)

k = [d13, d12, d11, … d2, d1]

= [ 1, 0, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0] % retrieve secret key

C.3.5 Implementation of Fault Point Attack against Left-to-Right Joye-

Yen Algorithm

Fault Point Attack against Left-to-Right Joye-Yen Algorithm

The details of fault point attack against Left-to-Right Joye-Yen algorithm can be

found in section 5.5.2. Algorithm C.3.5 shows the fault point attack against Left-

to-Right Joye algorithm.

Algorithm C.3.5 Fault Point Attack against Left-to-Right Joye-Yen

Algorithm



point X.


185

1. R(0) O, R(1) P.


2. Use X as a fault point. e 1.


3. For i from t down to 1 do

3.1 G R(0) +X.

3.2 T R(¬ ke).

3.3 If ki = 1 then

R(¬ ki) R(0) + X.

End If.

COMMENT: The loop stores the bits of k in order in the (t)-tuple d.

3.4 If R(¬ ki) = G then

{di 1.

COMMENT: Eliminate the error in R(¬ ke) by replacing fault value by a value

stored in T.

R(¬ ki) T.

Else

di 0.

End If.

3.5 R(¬ ki) R(0) + R(1).

3.6 R(ki) 2 R(ki).

3.7 e e+1.

End While loop.

4. Set v e-1.

5. k= (dt, dt-1, . . . , d2, d1).


I choose a curve:

y2 = x3 + 173541x + 109093 with P = (524345, 19732), where k=8892 and the field

is GF(524347) where p=524347. I arbitrarily choose a fault point

X=(524345,504615).


are: a1=0, a2=0, a3=0, a4=173541, & a5=109093.

186




value X=(524345,504615) and the curve GF(p) values where p=524347, a4=173541

& a5=109093. I assume that the secret key k and size of the secret key t are stored

in the firmware of the victim device, and the attacker does not have any access to

them. The goal of this example is to retrieve k which is the secret key of ECC.


Left-to-Right and the steps for this example are shown below. The notations P[1]



1.







R=[0 0;0 0]

R(1,:)=[inf,inf]

R(2,:)=P

e=1

for i=1:t

G=addell([R(1,1),R(1,2)],[X(1),X(2)],a4,a5,p)

if k(i)==1

u=2;

else

u=1;

end

if k(i)==1

z=1;

else

187

z=2;

end

T=R(z,:)

if u==2

R(z,:)=addell([R(1,1),R(1,2)],[X(1),X(2)],a4,a5,p);

end

n=R(z,:)

if n==G

d(i)=1;

R(z,:)=T;

else

d(i)=0;

end

R(z,:)=addell([R(1,1),R(1,2)],[R(2,1),R(2,2)],a4,a5,p)

R(u,:)=multell([R(u,1),R(u,2)],2,a4,a5,p)

e=e+1

end

v=e-1

clear arduino;

clearvars a;


JoyeLRArduino

R(1 , :) = [Inf, Inf] % initial value for R(1,1) and R(1, 2)

R(2 , :) = [524345, 19732] % initial value for R(2,1) and R(2, 2)

R(1 , :)= [383934 479120] % Final value of R(1,1) and R(1,2)

k = [d14, d13, d12, … d2, d1]

= [ 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0] % retrieve secret key

188

C.3.6 Implementation of the Fault Point Attack against Right-to-Left

Joye Algorithm

Fault Point Attack against Right-to-Left Joye Algorithm

The details of the fault point attack against Right-to-Left Joye algorithm can be

found in section 5.5.4. Algorithm C.3.6 shows the fault point attack against Right-

to-Left Joye algorithm.

Algorithm C.3.6 Fault Point Attack against the Right-to-Left Joye

Algorithm



point X.


1. R(0) O, R(1) P.

COMMENT: Assign pointer label e 1.




3.1 b 1- ki.

3.2 R(b) 2 R(b).

3.3 G R(0) + X.

3.4 T R(b).

3.5 R(b) R(b)+ X .


3.6 If R(b) = G then

di 1.

Else

di 0.

End If.


stored in T.

3.7 R(b) T.

3.8 R(b) R(b) + R(ke).

3.9 e e+1.

189

End While loop.

4. set v e-1.

5. k= (dt, dt-1, . . . , d2, d1).


I choose a curve :

y2 = x3 + 427149x + 474895 with P = (2097209, 1489440), where k = 11469

and the field is GF(2097211) where p = 2097211. I arbitrarily choose a fault

point X =(2097209,607771).


a1=0, a2=0, a3=0, a4=427149, & a5=474895.




value X =(2097209,607771) and the curve GF(p) values where p = 2097211,

a4=427149 & a5=474895. I assume that the secret key k and size of the secret key t

are stored in the firmware of the victim device, and the attacker does not have any

access to them. The goal of this example is to retrieve k which is the secret key of

ECC.





1.







R=[0 0;0 0]

190

R(1,:)=[inf,inf]

R(2,:)=P1

e=1

for i=t:-1:1

b=1-k(i)

if b==1

u=2;

else

u=1;

end

if k(i)==1

z=2;

else

z=1;

end

R(u,:)=multell([R(u,1),R(u,2)],2,a4,a5,p)

G=addell([R(1,1),R(1,2)],[X(1),X(2)],a4,a5,p)

T=R(u,:)

R(u,:)=addell([R(u,1),R(u,2)],[X(1),X(2)],a4,a5,p)

n=R(u,:)

if n==G

d(i)=1;

else

d(i)=0;

end

R(u,:)=T;

R(u,:)=addell([R(u,1),R(u,2)],[R(z,1),R(z,2)],a4,a5,p)

e=e+1

end

v=e-1

clear arduino;

clearvars a;


191

JoyeRLArduino

R(1 , :) = [Inf, Inf] % initial value for R(1,1) and R(1, 2)

R(2 , :) = [2097209, 1489440] % initial value for R(2,1) and R(2, 2)

R(1 , :)= [971536 81621] % Final value of R(1,1) and R(1,2)

k = [d14, d13, d12, … d2, d1]

= [ 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1] % retrieve secret key

192

Appendix D

In this appendix I present screen shots for some operations on data EEPROM

provided by Microchip Company.

197

Appendix E

I present here two implementation examples which show how I apply RSK

proposed in chapter four against “Left-to-Right” and “Right-to-Left” RSA

Montgomery algorithms with a private key size 3072 bits long digits.

Example 1

In the implementation of RSK against protected Montgomery Ladder RSA “Left-

to-Right” algorithm I choose a three random prime numbers

p=1163603031671925599536121850942724354878673317495800969327483540

023830390261362267571099520255825457644727094348532522232753490897

056409220262210459339557609926199043267219425156016607293534152960

992279407428669020825425632042006704380965619767418163055163946368

057604059053416792183528470457560825370422913494318276423494444546

795767104938152854187821670562979117801566249209877284117036522220

804894975178989290012463424982702090973772475299331142830354513877

60297,

q=5114017202906162834225114490694101835101718744158939158227478374

505364051549333807004015722326092910851385550332803615396003342024

541702972434868437520753306647602690654135134224638535551947371947

335244445483621237441772963633194593768776031726542888922757777888

107321971138590135738663656295893205944696858160238748614766839774

303423711503307559480255021437406091614785052108644059897658937071

239997051287235412532645874009217001460067465348080538407747937868

3913 and

e=103 and compute

n=p*q=59506859213239921575846581294469119076843978644651413757443

740054366261430373329415204843081389427660058444832810324168007403

002535396755303643027938927664809633602701420410547978330933054166

467687851545926103087218956406827938438065920119694223001126760735

399875157639137462934900852698489091684531390521655094282864547193

591274556583238073006146638977539477171171953187059696508965952283

665368734436694692817395256067382905013775912036950705881316516292

198

956276566441741303865724496262251405901631375546630509512313877125

989897853121490381316987979349738588499360667594982798506567294778

599863739458716083671468393874301356567542286667743426999797593323

890028407774647320024510920735838920774971598022264498274435613682

709709110175884556921906446749759234815130153715715168232854060177

484249129041683326939369184665925085729107227059940472869112554547

766694808400652776596183536380303761437320073039490122131655772896

12574002161, and

d≡e-1 mod (p-1)*(q-1) ≡

236871963858527843165991245929440182733068264507835724665552751672

720069771388981167320249158928789714795751276235270960029468262519

540482276637295679226626912133758326042410919137045461671924774291

447901259245298638564337858784073854633486161470198659921373921833

151767440386439896598120199296996678350620180472388101595624974976

390282792329441942931852341608157092240841693937559961557634007778

457466454602477010242598320301511146834321842615644075453204971586

325770504721168008460723140033152366050822252235109260065146223236

459120630443288827963281018456567872761835210687809808196059783042

076121081718149590038048135086401692050041456193135223934795630561

161242971753662914601597022440136031208479679988959352457860427926

399555802327717488180927363985850907936092014579953282891598115021

458273834638513215631220276460134426293652682343419836927918386547

772790764196525965349198441406830552144045728136669011958489275834

8311 in decimal form.

The internal inputs (loaded from the firmware) to the attack algorithm are d in

binary form:

"11001011110111001100000110110110001110101111101100001010000101100

010110011101100010011000011010111110100001001100011011101110110111

111010100111111011110111101010010110101110110000000111010101101011

011010100001101100111110110101001101110110100101010001011000100111

010101010100001011100011011100100110110001011011011110001110110001

100101110111010001001101001010000101001111100101111111110000010110

199

011001110100111111010001100100111011111001000111001111010011000010

010001010010011001100100001111101000110111001101011111111011100100

101011110101100100010011001010101011111010100000000101001000111010

101101011110001010111101011011001001100111111000010111100111100111

011001111100101011100011011101010111101011000011100000000110000100

100100111110001100011000101110101010111000000001101100100011111010

100100100110010101010001110101111110110110000011111110001100101000

111101000101101010110110110111110010100010111000111100101001011110

011111011000000100110111110101001011100100010100111011011100101100

101110101011110011001100111010010011101001000010010000011110010101

000101001100111101101011110011001000011011111011111010100000000001

100000011110010010100100111010110111111100111000001010110101001011

101101101010000011111001100100011110000101101110110110001010010100

100110010100011111100100111011010000110010111100010100011001111000

101000101100100101100101101110000010000101011100110000101101110101

100100101001110100101011010101010111001110001010100100101001110110

100000011001100100001000111000001011101000100011010110111100100110

001011111011101000100000100010001111011111100010100100011001001111

011001001011110110011110110001101000101000101100000011111110110101

110111110010011001010000110011101010110101111111011010001100111010

010010110110101101100100110110110011101011001111011011101100010010

111111001111011010101010000010001111001110011111001011111011111110

111001111111110000101100000000101001110111000011110101000111101110

100100111101110010000001110101011001010111000100110011100000100001

000110001110010000000000001101001011011011010100110011100101100101

101010101010011000000101111001011111011111111111000011001100100101

011000111100101010001010100001011000101011011111011110111001000011

010111110101011000100100110011101000010110110101010100111011100001

001010010011111111111110111101011001100100100010111110101111011011

010100010010111101011001100101101101000111001111001000000111001011

011000110001111110001100011110011000110010111111000010011011101001

001011101110010000011111011000001100101100000101011011100001111000

000011111110110110010010011001100101011110101011100001010011111100

001110001001011100000100011111010110110001110011100111010010001111

200

000011010110110110001100011011110100000010101101101010010000100001

010011000111011011101000101000101011111000001110011101011111010110

001001011111011001000100110000001010000101100011001001100110001010

001011000001111000011110100001000111010010111110101110010011101001

011010000111101101000111011100010111010100110101100111110111110000

110110101100101101101111110110110011010001000110111000100000011011

1111101000100011100010101001010101001000010111" and size of the secret

key t= 3081. The inputs by the attacker to attack algorithm are the message g=222,

the random fault value X=352 and modulus n which its value is given above. I

assume that the secret key d and size of the secret key t are stored in the firmware


this example is to retrieve d which is the secret key of RSA..

Since Maple does not accept indices beginning with 0, as in the binary left to right

attack, we use 1, 2 instead of 0, 1 in the Maple code.

The attack algorithm was implemented in Maple code, and the steps are shown

below.

Step1.

> R[1] := 1; R[1] := 1

> R[2] := g; R[2] := 222

Step2.

> z=1; z=1

Step3


Step 3.1


Step 3.2

H: = R[b]*X mod n

Step 3.3

T := R[b]

Step 3.4

201


Step 3.5


Step 3.6


R[b]:= R[b]*R[u] mod n

Step 3.7

R[u] := R[u]^2 mod n

Step 3.8

z := z+1

End While loop

Step 4

Set v z-1

Step 5

d= [kv, kv-1, . . . , k2, k1]=

"11001011110111001100000110110110001110101111101100001010000101100

010110011101100010011000011010111110100001001100011011101110110111

111010100111111011110111101010010110101110110000000111010101101011

011010100001101100111110110101001101110110100101010001011000100111

010101010100001011100011011100100110110001011011011110001110110001

100101110111010001001101001010000101001111100101111111110000010110

011001110100111111010001100100111011111001000111001111010011000010

010001010010011001100100001111101000110111001101011111111011100100

101011110101100100010011001010101011111010100000000101001000111010

101101011110001010111101011011001001100111111000010111100111100111

011001111100101011100011011101010111101011000011100000000110000100

100100111110001100011000101110101010111000000001101100100011111010

100100100110010101010001110101111110110110000011111110001100101000

111101000101101010110110110111110010100010111000111100101001011110

011111011000000100110111110101001011100100010100111011011100101100

101110101011110011001100111010010011101001000010010000011110010101

000101001100111101101011110011001000011011111011111010100000000001

100000011110010010100100111010110111111100111000001010110101001011

101101101010000011111001100100011110000101101110110110001010010100

202

100110010100011111100100111011010000110010111100010100011001111000

101000101100100101100101101110000010000101011100110000101101110101

100100101001110100101011010101010111001110001010100100101001110110

100000011001100100001000111000001011101000100011010110111100100110

001011111011101000100000100010001111011111100010100100011001001111

011001001011110110011110110001101000101000101100000011111110110101

110111110010011001010000110011101010110101111111011010001100111010

010010110110101101100100110110110011101011001111011011101100010010

111111001111011010101010000010001111001110011111001011111011111110

111001111111110000101100000000101001110111000011110101000111101110

100100111101110010000001110101011001010111000100110011100000100001

000110001110010000000000001101001011011011010100110011100101100101

101010101010011000000101111001011111011111111111000011001100100101

011000111100101010001010100001011000101011011111011110111001000011

010111110101011000100100110011101000010110110101010100111011100001

001010010011111111111110111101011001100100100010111110101111011011

010100010010111101011001100101101101000111001111001000000111001011

011000110001111110001100011110011000110010111111000010011011101001

001011101110010000011111011000001100101100000101011011100001111000

000011111110110110010010011001100101011110101011100001010011111100

001110001001011100000100011111010110110001110011100111010010001111

000011010110110110001100011011110100000010101101101010010000100001

010011000111011011101000101000101011111000001110011101011111010110

001001011111011001000100110000001010000101100011001001100110001010

001011000001111000011110100001000111010010111110101110010011101001

011010000111101101000111011100010111010100110101100111110111110000

110110101100101101101111110110110011010001000110111000100000011011

1111101000100011100010101001010101001000010111".

Example 2

In the implementation of RSK against protected Montgomery Ladder RSA “Right-

to-Left” algorithm I choose a three random prime numbers

203

p=2925029103012206221626292552601223949661602997874593350342750082

447217051181303453670406961218222062493928278243690351543617470402

684057616773788184726531684024550090682743518517551145669362151962

105898161350757374675290163709399324202147786226262152877389966061

255405961191243141515193385138854884803431102164660869203754171140

840553724275241402544367008171654210123031586936268988373990976602

477546123535775804867537950020333156188536342764542769128420674434

6911,

q=1628826500287324368994561500492174487412170434849390548276053784

075406405966191657612062746930557343602294153042785604625796477267

741505999075777905437117158546504689464627489334163162757601266851

769894145053398815811937372213967628482840015328789262584052155816

845920039620790188696761359542321850199629498511799703019955649846

565291277163931734479298121566305135282458505569765190147653966893

590648458531923724791373289441510004516999501659021211252449753631

6823,

and e=43 and compute

n=p*q=

476436491709794345856348878901905897903342965253726007618923541068

890253291899306090616801075806374511337075010335376948201592945989

975357301955813511125974083401380731028647904024151337590252433452

172510839081012654311956793349899515632612725759110114652213976335

132808392789369433535701649039637378654803306859966162026420921855

016689061741791996664386353963316833482957427596042062205686618940

426999033724523326116316353607231309624337515159318684722811514880

992638710513252891351723914838495040382151382501695420853862192065

096364941711229225216475202513693516068494032881849469488996226218

180660956461870435974634045230020820620187181222272059076791213013

132312962414274023935121201268932534780907963552798144922045526081

787878852172027551417276401164884814468974435018513660238514110979

280380531456348210388838728689460422024040332117453672974230302110

204

682709579450898815491175833850275439302802852852546304982075517383

753

and d≡e-1 mod (p-1)*(q-1) ≡

886393472948454596942044425864010972843428772565071642081718215942

121401473301034587194048513128138625743395368065817578049475248353

442525212941048392792509922607219964704461216789118767609771969213

344206212243744473138524266697487470944395768854158352841328328065

363364451701152434485026323794674192846145687181332394467759854613

984537789287054877515137402722449922758990562969380580847789058493

817672620882834095100123448571593134184813981691755692507556306755

250418892056293182224214649874532197230537019859452245335207727255

572335572532610441659122085629580381593059944217841688920663720025

907022879937134017373294175850182361202748098056053906617966557905

812818415577138826163434124716768386848427810236807423828138246140

976035058700826510321356194145334817559755215356107791630541211358

552428868957426679352906848948589707849561687548115140014476031906

978165132602611197957327328803430385576640760217500467299295324130

27 in decimal form.

The internal inputs (loaded from the firmware) to the attack algorithm are d in

binary form:

"11110100000111100011011100001110100001100001011101011010011011100

101011010001110001001111110110000001010010100111111010000101111100

001001100000100010011001011111010010100000000111100010100011111101

100100011010101110101010011100100101111011000010101101101110110101

100110000010101101110010110001101010000011001001100110110000101000

100001111100110100011110010011101000110011011001111110001100011110

001101110101011000011011101100010111110110110000111101011001100111

110001001000000111111011000100101101001101000011110101101011000101

111111000111100100110111110011000101100100100111101110110111101001

000000010000011001110110101010111011010010110101100011100000010001

001101011010000000011000000111110110100011010111101001111001011001

100001011100111010111011110101000010011100000000001000100101011101

205

001011100011001000100101010010010001001100100010011110001111001001

010000011011010111110000011101111101001100111100001111010000001011

111010011110010011010101011000101011101110101111110101100101010110

100010000010011001011000000111111100000001010011100010100010000101

100101001011100010100001010010101101010000000111001011001000001111

011000100001100111011000111000011110011011000101000010000001110110

001000111111000100011011011100001000000000011110110100001101110011

001110001000100111101011001010011100000000000100111111000000001000

001100000101100110011001101011000111100101011110000001101001101001

000010011110010100100001011010011100111111100101110101011101000100

011111000000001100101101011101011111100110100111010010011001001111

001010001010101000110000011100111001001000000111000110011111001100

111011010011010110100000101111111000101110011000001100110111000100

000100111101001010001111111000111011000010100101101001100001111101

110010001111000101101000010110101100101101001110100101001010000110

001111100000110110011100000011100000100010100110110000000111010100

111010011100001001010110111101101110011100110101000011111010110100

000010110001100111011001101110111011011001011100110011101000010110

101000000010000011100110000010000101111001011100010111010010001001

101000100011011001000010100111100010000111100010100011001000000010

010100110001101000001101101110010111101001110000111101111010010001

110001010110110101111011001110011001010011111010000100010011101111

000000011000110111110101111110010001110000101101100011100110110100

011000111111100101000101110101111010011111001111101100100001100011

111111110010011001111000111110110101001010111011001101100011100101

000100000010011001001010010000101100111101101011010110010111001011

111111101111001111100011011110101011110011011001100101110000000001

001111110000101100100010000111111001101110001100000111001101110001

111110010001001000100110101101101111101110000001000010011111000100

011101100001011001000111100001010010100110110011111100001010000010

101010101010110001111111110010111101100010110001001111010101110010

100101110101010111000101000011001101010010011100000101011110011001

000011001011001110111101100000100000101110110010001110011111110010

011111011100010101100110010111010101011110011000011011111110000110

206

10100111000001000010000001001010001100011" and size of the secret key t=

3076. The inputs by the attacker to attack algorithm are the message g=260, the

random fault value X=787 and modulus n which its value is given above. I assume

that the secret key d and size of the secret key t are stored in the firmware of the


example is to retrieve d which is the secret key of RSA..

Since Maple does not accept indices beginning from 0, as in the binary left to right

attack, we use 1 and 2 instead of 0 and 1 in the Maple code.

The attack algorithm was implemented in Maple code, and the steps are shown

below.

Step1

> R[1] := 1; R[1] := 1

> R[2] := g; R[2] := 260

Step2

> z=1; z=1

Step3

for i from t by -1 to 1 do

Step 3.1


Step 3.2

H: = R[b]*X mod n

Step 3.3

T := R[b]

Step 3.4


Step 3.5


Step 3.6


R[b]:= R[b]^2 mod n

207

Step 3.7

R[b] := R[b]*R[u] mod n

Step 3.8

z := z+1

End While loop

Step 4

Set v z-1

Step 5

d= [kt, kt-1,. . . , k2, k1]=

"11110100000111100011011100001110100001100001011101011010011011100

101011010001110001001111110110000001010010100111111010000101111100

001001100000100010011001011111010010100000000111100010100011111101

100100011010101110101010011100100101111011000010101101101110110101

100110000010101101110010110001101010000011001001100110110000101000

100001111100110100011110010011101000110011011001111110001100011110

001101110101011000011011101100010111110110110000111101011001100111

110001001000000111111011000100101101001101000011110101101011000101

111111000111100100110111110011000101100100100111101110110111101001

000000010000011001110110101010111011010010110101100011100000010001

001101011010000000011000000111110110100011010111101001111001011001

100001011100111010111011110101000010011100000000001000100101011101

001011100011001000100101010010010001001100100010011110001111001001

010000011011010111110000011101111101001100111100001111010000001011

111010011110010011010101011000101011101110101111110101100101010110

100010000010011001011000000111111100000001010011100010100010000101

100101001011100010100001010010101101010000000111001011001000001111

011000100001100111011000111000011110011011000101000010000001110110

001000111111000100011011011100001000000000011110110100001101110011

001110001000100111101011001010011100000000000100111111000000001000

001100000101100110011001101011000111100101011110000001101001101001

000010011110010100100001011010011100111111100101110101011101000100

011111000000001100101101011101011111100110100111010010011001001111

001010001010101000110000011100111001001000000111000110011111001100

208

111011010011010110100000101111111000101110011000001100110111000100

000100111101001010001111111000111011000010100101101001100001111101

110010001111000101101000010110101100101101001110100101001010000110

001111100000110110011100000011100000100010100110110000000111010100

111010011100001001010110111101101110011100110101000011111010110100

000010110001100111011001101110111011011001011100110011101000010110

101000000010000011100110000010000101111001011100010111010010001001

101000100011011001000010100111100010000111100010100011001000000010

010100110001101000001101101110010111101001110000111101111010010001

110001010110110101111011001110011001010011111010000100010011101111

000000011000110111110101111110010001110000101101100011100110110100

011000111111100101000101110101111010011111001111101100100001100011

111111110010011001111000111110110101001010111011001101100011100101

000100000010011001001010010000101100111101101011010110010111001011

111111101111001111100011011110101011110011011001100101110000000001

001111110000101100100010000111111001101110001100000111001101110001

111110010001001000100110101101101111101110000001000010011111000100

011101100001011001000111100001010010100110110011111100001010000010

101010101010110001111111110010111101100010110001001111010101110010

100101110101010111000101000011001101010010011100000101011110011001

000011001011001110111101100000100000101110110010001110011111110010

011111011100010101100110010111010101011110011000011011111110000110

10100111000001000010000001001010001100011".

209

Appendix F

I present here two implementation examples to show how I apply a fault point attack

proposed in chapter five against “Left-to- Right” and “Right-to-Left” Coron

algorithms with a private key size 384 bits long digits.

Example 1

In this example I implement fault point attack against “Left-to- Right” Coron

algorithm.

I choose the field

GF(39402006196394479212279040100143613805079739270465446667948293

404245721771497210611414266254884915640806627990307047)

for the elliptic curve y2 = x3 +

279503974009108680717862289403158754920875853053263116892722308031

51023644068552761279886225476177281403352866529296 x +

468874730229678858229705420347854345750284847257991630749736540585

7008329225735853833551903436306437780786411000956.

With point P =

(39402006196394479212279040100143613805079739270465446667948293404

245721771497210611414266254884915640806627990307045,

363771486838893820567360406595479978658686802834037313031960150946

68485388524198850095479870062155363105961434073471) given in affine

form. My target is to find k, which I know in advance is

312145579408803855624250154864117785886180357951470178931020154986

51020161929235784873730223985639746019018329134118 in base 10. I also

choose arbitrarily a fault point X :=

(39402006196394479212279040100143613805079739270465446667948293404

245721771497210611414266254884915640806627990307045,

302485751250509715554299944059561593921105898706171536475227830957

7236382973011761318786384822760277700666556233576).

I set p =

394020061963944792122790401001436138050797392704654466679482934042

45721771497210611414266254884915640806627990307047.

210


are:

a1=0, a2=0, a3=0, a4=

279503974009108680717862289403158754920875853053263116892722308031

51023644068552761279886225476177281403352866529296,

a5=

468874730229678858229705420347854345750284847257991630749736540585

7008329225735853833551903436306437780786411000956.

The internal inputs (loaded from the firmware) to attack algorithm are

k="110010101100111000011001011010011110000011100000110101001010110

111110101101000010100101110101011100000001111000000001001100010001

010011111011110100111110100110011001100010001010000110010111010000

010010010010001100110100011110101110001111101110000111000000011011

001011000001000100111000101001101100100000010101100010011001110111

100011010001011100110110110101110011011011001010000100110" in binary

form and the size of the secret key t= 384. The inputs by the attacker to attack

algorithm are the point P, the random fault value X and the curve GF(p) with p, a4

and a5 values which are given above. I assume that the secret key k and size of the

secret key t are stored in the firmware of the victim device, and the attacker does

not have any access to them. The goal of this example is to retrieve k which is the

secret key of ECC.

Implementation of attack algorithm in Maple code access register bits from left-to-

right and the steps for this example are shown below. I begin with e≡2 as the first

bit is always 1. The notations P[1] and P[2] refer respectively to the abscissa and

ordinate values of the point P. Since Maple does not accept indices beginning from

0, I use 1 and 2 instead of 0 and 1.

Step 1

W[1] := P;

W[1] :=

[3940200619639447921227904010014361380507973927046544666794829\

3404245721771497210611414266254884915640806627990307045,

211

36377\148683889382056736040659547997865868680283403731303196015094

66\ 8485388524198850095479870062155363105961434073471]

> e:=2; e:=2

Step 2

> X:=

(39402006196394479212279040100143613805079739270465446667948293404

245721771497210611414266254884915640806627990307045,

302485751250509715554299944059561593921105898706171536475227830957

7236382973011761318786384822760277700666556233576). COMMENT:

Inject error into Step 3 by using X instead of P in addition operations:

Step 3

for i from 1 to t -1 do

Step 3.1

W[1] := multell([W[1][1], W[1][2]], 2, a4, a5, p)

Step 3.2

R := addell([W[1][1], W[1][2]], [X[1], X[2]], a4, a5, p)

Step 3.3

W[2]:= addell([W[1][1],W[1][2]],[X[1],X[2]].a4,a5,p);

Step 3.4

if k[i] = "1" then u := 2 else u := 1 end if;

n := W[u];

if n = R then d[i] := "1" else d[i] := "0" end if

Step 3.5

W[2] := addell([W[1][1], W[1][2]], [P[1], P[2]], a4, a5, p)

Step 3.6

W[1] := W[u]

212

Step 3.7

e := e+1

End of Step 3

Step 4

> v := e-1; v := 384

Step 5

d="110010101100111000011001011010011110000011100000110101001010110

111110101101000010100101110101011100000001111000000001001100010001

010011111011110100111110100110011001100010001010000110010111010000

010010010010001100110100011110101110001111101110000111000000011011

001011000001000100111000101001101100100000010101100010011001110111

100011010001011100110110110101110011011011001010000100110".

Example 2

In this example I implement fault point attack against “Right-to-Left” Coron

algorithm.

I choose the field

GF(32084455814733133929866525925776603080359232331786713678343824

090925198070759290328067047552719758075416655999797491) for the

elliptic curve y2 = x3 +

296014293675709371137141008288369891812888028854582502243128659064

50280284253852165313477896069518623196309402260394x +

215613898409263492591999663353449584532916113593045307505915268240

47792017039748312539842693274838003686591478584484 with points

P =

(32084455814733133929866525925776603080359232331786713678343824090

925198070759290328067047552719758075416655999797489,

150867710108893037920764455710588886357925659569076627910312164579

20884355336392184814449583312490007665225852854054) and

X=

[32084455814733133929866525925776603080359232331786713678343824090

925198070759290328067047552719758075416655999797489,

213

169976848038438301377900803547177144445666663748790508873126076330

04313715422898143252597969407268067751430146943437] given in affine

form. My target is to find k, which is stored in the firmware of the victim device

with value

377142980861484771443397232925800706395029897715451815076746512408

10586220276942828529839697747780788088213766375431 in base 10.

I set p ≡

320844558147331339298665259257766030803592323317867136783438240909

25198070759290328067047552719758075416655999797491.


are:

a1=0, a2=0, a3=0, a4=

296014293675709371137141008288369891812888028854582502243128659064

50280284253852165313477896069518623196309402260394, a5=

296014293675709371137141008288369891812888028854582502243128659064

50280284253852165313477896069518623196309402260394.


k="111101010000100011100100101010100001110000011111111001100101001

001111100010000011001010000011000110011000101000010101010010110011

100110011011111001011100101110001001100000010100001111100111011001

001000101001010101001110111000000000100111001011111011000110101101

011111110001000110000110001000111001100101001111001011110101110101

001101101101001001010111010100011110001111000100000000111" in binary

form and the size of the secret key t= 384. The inputs by the attacker to attack

algorithm are the point P, the random fault value X and the curve GF(p) with p, a4

and a5 values which are given above. I assume that the secret key k and size of the

secret key t are stored in the firmware of the victim device, and the attacker does

not have any access to them. The goal of this example is to retrieve k which is the

secret key of ECC.

The notations P[1] and P[2] refer respectively to the abscissa and ordinate values

of the point P. Since Maple does not accept indices beginning from 0, I use 1 and

2 instead of 0 and 1.

214

Step 1

W[1] := ["infinity", "infinity"]; W[1] := ["infinity", "infinity"]

R := P;

R :=

[3208445581473313392986652592577660308035923233178671367834382\

4090925198070759290328067047552719758075416655999797489, 15086\

77101088930379207644557105888863579256595690766279103121645792\

0884355336392184814449583312490007665225852854054]

Step 2

X :=

X=

[32084455814733133929866525925776603080359232331786713678343824090

925198070759290328067047552719758075416655999797489,

169976848038438301377900803547177144445666663748790508873126076330

04313715422898143252597969407268067751430146943437]

COMMENT: Inject error into Step 3 by using X instead of P in addition operations.

e := 1; e := 1

Step 3

for i from t by -1 to 1 do :

Step 3.1

G := addell([W[1][1], W[1][2]], [X[1], X[2]], a4, a5, p)

Step 3.2

if k[i] = "1" then u := 2 else u := 1 end if

if u = 2 then W[2] := addell([W[1][1], W[1][2]], [X[1], X[2]], a4, a5, p) end if

Step 3.3

if W[2] = G then d[i] := "1" else d[i] := "0" end if

Step 3.4

215

W[2] := R

Step 3.5

W[2] := addell([W[1][1], W[1][2]], [P[1], P[2]], a4, a5, p)

Step 3.6

W[1] := W[u]

Step 3.7

R := multell([R[1], R[2]], 2, a4, a5, p)

Step 3.8

e := e+1

End of Step 3

Step 4

> v := e-1; v := 384

Step 5

d="111101010000100011100100101010100001110000011111111001100101001

001111100010000011001010000011000110011000101000010101010010110011

100110011011111001011100101110001001100000010100001111100111011001

001000101001010101001110111000000000100111001011111011000110101101

011111110001000110000110001000111001100101001111001011110101110101

001101101101001001010111010100011110001111000100000000111"

216

Appendix G

I demonstrate here two implementation examples which to how I apply FF attack

proposed in chapter 4 against RSA-CRT signature protected by modified Shamir’s

countermeasure and Simplified Vigilant’s Countermeasure algorithms by using

Arduino Mega2560. This appendix shows how attacks can factorize the modulus n

with size 3072 bits long digits on Arduino Mega2560 hardware device.

Example 1

In this example I implement FF attack against RSA-CRT signature protected by

modified Shamir’s countermeasure.

I choose three random prime numbers

p=5809605995369958062859502533304574370686975176362895236661486152

287203730997110225737336044533118407251326157754980517443990529594

540047121662885672187032401032111639706440498844049850989051627200

244765807041812394729680540024104827976584369381522292361208779044

769892743225751738076979568811309579125511333093243519553784816306

381580161860200247492568448150242515304449577187604136428738580990

172551573934146255830366405915000869643732053218566832545291107903

722831634138599586406690325959725187447169059540805012310209639011

750748760017095360734234945757416272994856013308616958529958304677

637019181594088528345061285863898271763457294883546638879554311615

446446330199254382340016292057090751175533888161918987295591531536

698701292267685465517437915790823154844634780260102891718032495396

075041899485513811126977307478969074857043710716150121315922024556

759241239013152919710956468406379442914941614357107914462567329694

509,

q=5809605995369958062859502533304574370686975176362895236661486152

287203730997110225737336044533118407251326157754980517443990529594

540047121662885672187032401032111639706440498844049850989051627200

244765807041812394729680540024104827976584369381522292361208779044

769892743225751738076979568811309579125511333093243519553784816306

381580161860200247492568448150242515304449577187604136428738580990

217

172551573934146255830366405915000869643732053218566832545291107903

722831634138599586406690325959725187447169059540805012310209639011

750748760017095360734234945757416272994856013308616958529958304677

637019181594088528345061285863898271763457294883546638879554311615

446446330199254382340016292057090751175533888161918987295591531536

698701292267685465517437915790823154844634780260102891718032495396

075041899485513811126977307478969074857043710716150121315922024556

759241239013152919710956468406379442914941614357107914462567329694

573 and e=3

and compute n=p*q=

337515218214385611849111744886826404774824526906135437899871151084

665003784674132416503098237599152146135462950863521351172060726207

028052137864298272611904952952097250362148614445522452710018844423

313364638411836590291565871784390447510515700543762037763420971108

976401193279180123374243133559193596396525678717812867692707110267

091573529243487775155745125792074301249607450177138114756335603617

462402313721869876332818900039751245174104362327517860532580309042

489897843433735800204290643997239816292100396861998120170599620408

941456496131418993734579901361101240330822684452997592142705570206

978374447296284704455535973834352324658581243318792909226969802227

356673323935612163123006229898288296485668393765657478972738362500

087728995623901601898523186831764997784754495348973021510834485352

883671335921984444102440129030706195384760231210870118216027271303

420623602926941969150307534755710471876215776777340159710612862760

590101323749905857040042217480237801141901467826506088250466013974

849048604238998325271030832094431183778754662545905563690188222970

085147724189358012388859237720764945954374202277501197089806912740

140516507532823657759605485842833495687835894949361459772142847155

001069128577748216700197598571813825899279561538283138904752627787

058295214338608978736235674716718816095220744300616960521325579242

351123476048878446641682125214142387185165674673688652259102777485

823350481420862478973733905214758923215221560777097459336365178428

977713867825174226168535500680825347801422177983602371590304449830

218

031095385678973725024437810440752674458910837190961024737495468228

529278822604626497800471743542974694380456685728536020348379794835

995928585157043405307016098619710464912134861843885356291383489908

871458287843917804744417954127424628639705301708437699006750433251

113611007226025572385284078570528352436558521218956861919843651996

57, d≡e-1 mod (p-1)*(q-1) ≡

270012174571508489479289395909461123819859621524908350319896920867

732003027739305933202478590079321716908370360690817080937648580965

622441710291438618089523962361677800289718891556417962168015075538

650691710729469272233252697427512358008412560435009630210736776887

181120954623344098699394506847354877117220542974250294154165688213

673258823394790220124596100633659440999685960141710491805068482893

969921850977495901066255120031800996139283489862014288426064247233

991918274746988640163432515197791853033680317489598496136479696327

153165196905135194987663921088880992264658147562398073714164456165

582699557837027763564428779067481859726864994655034327381575841781

885338659148489730498404983918630637188534715012525983178190690000

070183196499121281518818549465411998227803596279178417208667588282

306937068737587555281952103224564956307808184968696094572821817042

736498882341553575320246027804568377500972621421872127768490290208

379127363074005356626281733451317050982529571439398546813789032743

283979187437435048419447953145650431001785205957036171848302104863

427364232745315654918568973662825721460451380317203341847019494988

196160293357260610532795748288589548924918805855132490038373813007

682571411250170764128484977876497794711242319738730198263245041327

541353581707683223107893369369494808004983360438827385557243167551

120073597892762664027483205531299995448419688241881601082624495529

093374238919096600671941908816204139417472295968797770505737918555

170190933986613609187069268425999910323441529449010560792910685021

832569403037762526498569674530229791351811951616022597717127388735

680281774895631080800116721920927736695823137992125019549239331281

617522191842667275966606226242597894415551405313462017544586865589

896496238506913265763897443638434505199064869908348218150647953692

743028981570373742532923768354351595310180987261438858134797646484

219

61, 𝑖𝑞= q-1 mod p where

p=2450927529296701057768852631237867312633567652528096427966564470

496164074014405876482938643787409328059153222802882405796683504672

696582379451529892953904294185422098001154585449833530886006155225

103260574845764604026583977822669224302621530832829717089884953659

512298501048364014501225755592271228693575093648712109811752969379

254729130784771979410927314063383561144064665376020495055874088855

229045195253467951678435827495390991880949459951582882480044686146

883069595652221700515322481264259063454274446993777114568369691458

082347133132212105309755367741409990169704880614572779379826159785

878117467235006097895572729973832083400208546278996238277311975212

766469545552810442549694373211585160652178359068309572765327677367

044764607675429805765169120724253518450080297922230907443544958995

219158301345451139069193551592690078455315315458375832430154604109

882804897708673888003059760108941327479740993556904901413895592214

871. I also choose arbitrarily a small integer r=13

The internal inputs (loaded from the firmware) to the attack algorithm are p, q d

and 𝑖𝑞 values which are given above. The input enter by attacker to the attack

algorithm 4.2 are the message M=23 and the random fault value X=66. I assume

that p, q, d and 𝑖𝑞 are stored in firmware of the victim device, and the attacker does

not have any access to them. The goal of this example is to compute q which has a

partial factor of n=p*q.



pr=p*r;

qr=q*r;

if mod(pr,p)~= 0 || mod(qr,q)~= 0 disp('error'); end

v=(p-1)*(r-1);

u=(q-1)*(r-1);

spr=powermod(M,mod(d,v),p)

sqr=powermod(M,mod(d,u),q)

if mod(spr,r)~= mod(sqr,r) disp('error'); end

220

sp=mod(spr,p)

sq=mod(sqr,q)

scrt=sq+(q*mod(iq*(sp-sq),p))

n=p*q

scrte=sq+(q*mod(X*(sp-sq),p));

qt=gcd((scrte-scrt),n)

clear scrte;


if mod(scrt,p)~= mod(spr,p) || mod(scrt,q)~= mod(sqr,q) disp('error'); end

q=qt

clear arduino

clearvars a;


a =


Port: 'COM5'

Board: 'Mega2560'



n =

337515218214385611849111744886826404774824526906135437899871151084

665003784674132416503098237599152146135462950863521351172060726207

028052137864298272611904952952097250362148614445522452710018844423

313364638411836590291565871784390447510515700543762037763420971108

976401193279180123374243133559193596396525678717812867692707110267

091573529243487775155745125792074301249607450177138114756335603617

462402313721869876332818900039751245174104362327517860532580309042

489897843433735800204290643997239816292100396861998120170599620408

941456496131418993734579901361101240330822684452997592142705570206

221

978374447296284704455535973834352324658581243318792909226969802227

356673323935612163123006229898288296485668393765657478972738362500

087728995623901601898523186831764997784754495348973021510834485352

883671335921984444102440129030706195384760231210870118216027271303

420623602926941969150307534755710471876215776777340159710612862760

590101323749905857040042217480237801141901467826506088250466013974

849048604238998325271030832094431183778754662545905563690188222970

085147724189358012388859237720764945954374202277501197089806912740

140516507532823657759605485842833495687835894949361459772142847155

001069128577748216700197598571813825899279561538283138904752627787

058295214338608978736235674716718816095220744300616960521325579242

351123476048878446641682125214142387185165674673688652259102777485

823350481420862478973733905214758923215221560777097459336365178428

977713867825174226168535500680825347801422177983602371590304449830

031095385678973725024437810440752674458910837190961024737495468228

529278822604626497800471743542974694380456685728536020348379794835

995928585157043405307016098619710464912134861843885356291383489908

871458287843917804744417954127424628639705301708437699006750433251

113611007226025572385284078570528352436558521218956861919843651996

57

spr =

350923587821522061492508324524331947827255643115003504699070037661

210872174512287986416310423881268699565786584462559619275749434255

261112997775744484080885990323430668466384201563843825618388610868

085032184811244187737816688043042715296479133124875549947807817048

251876930717929165068685356923511237769172408505407249900626918604

987831097690680600052699744016721079602206815741987842408485637867

953313516656098625529265395569567144371617827505372363171395626868

928068785890610418135387952125002676328134312510743681453799373942

603639667366943599220466313918246715373822050305278317884150592108

064832529941972160041778207181536232920883464229675481704127784421

138812665916597844896318207869711240340093320709372917097557513539

972902235863292229573508428819901273380698060333712131116106884579

310147301557482420958281783641489559206245197307631385684367530035

222

281783976155947350741775616487329945073835434629148574953532921622

8

sqr =

476075575399175848137562888974467897883540967646377608693020993783

261413213832119896791484541461556862871452460256060529390833411664

137206035403522676174723262337886122292508313770402448866465898824

820859391239337479595187130225256984449577471621013560365640129721

486870588999427972620316784961405768178338632389406997904508630746

635982998229048889325267581672347369522114186031602028071509569270

732026692017727577011326006197065328718666651810454133238972948683

447232776843341691362072448435329936992481512015792783597815156719

769676431367534449049216941251045087280252065158880107411660274326

778014180841297043771922266803035911881975345024815357601711659136

496844027646036487905628225086138646193138364207898125498732836321

627175786310066350060960366721054025293316846285770953082487974620

909446393186696410377563887883430972575208913312580797638404215685

706398966708809408247061354437746429851275445179549353413978230514

sp =

350923587821522061492508324524331947827255643115003504699070037661

210872174512287986416310423881268699565786584462559619275749434255

261112997775744484080885990323430668466384201563843825618388610868

085032184811244187737816688043042715296479133124875549947807817048

251876930717929165068685356923511237769172408505407249900626918604

987831097690680600052699744016721079602206815741987842408485637867

953313516656098625529265395569567144371617827505372363171395626868

928068785890610418135387952125002676328134312510743681453799373942

603639667366943599220466313918246715373822050305278317884150592108

064832529941972160041778207181536232920883464229675481704127784421

138812665916597844896318207869711240340093320709372917097557513539

972902235863292229573508428819901273380698060333712131116106884579

310147301557482420958281783641489559206245197307631385684367530035

223

281783976155947350741775616487329945073835434629148574953532921622

8

sq =

476075575399175848137562888974467897883540967646377608693020993783

261413213832119896791484541461556862871452460256060529390833411664

137206035403522676174723262337886122292508313770402448866465898824

820859391239337479595187130225256984449577471621013560365640129721

486870588999427972620316784961405768178338632389406997904508630746

635982998229048889325267581672347369522114186031602028071509569270

732026692017727577011326006197065328718666651810454133238972948683

447232776843341691362072448435329936992481512015792783597815156719

769676431367534449049216941251045087280252065158880107411660274326

778014180841297043771922266803035911881975345024815357601711659136

496844027646036487905628225086138646193138364207898125498732836321

627175786310066350060960366721054025293316846285770953082487974620

909446393186696410377563887883430972575208913312580797638404215685

706398966708809408247061354437746429851275445179549353413978230514

scrt =

343954058138733778560556825177617362867807685324919380373090060125

302020955118666240627018828645271226090883288455059419112159826688

537447836385788864289577598233110202227858737904659082881991711118

374504514863088713614741186032363760363286329675502793863993554184

809521868180718065889695272041853809049199985765429730207703646225

770978040908420331822615554629180943776702091375557799810674396169

682882068130959961321263272549066013781521564839760970120751529680

639537565222931996729289036922343784119904425684449000281057955046

512604102143613618294594146229636800642249579717458781469782065360

811490551849010285338441263482471236858195226884575840335449287552

140714051383813140937294706150540994475567895188451649376024050934

285906534247787810714303066946242497737107847625632211838502054443

086673299183104314367496766518920649053811248507547576234741374603

473523799833592056319975785102073215070249987162092801886924087303

936573934477029687426730109671610765947174384490120720468033567341

893035609985755026393287169437585562015688022719636856951039833877

224

734580725490423637069978162926922123561522871223502453246067672365

546009281463262070193565563287388295076760299020375819878431468643

789539160011690541462016122104183997695753704964399151935135343472

990564200969488826925465826862532945841530575126630687844631754522

461907131146858040472157346177975487626855617599338344512135008099

164194885469690155975837964296907353949156108506145139076679936438

180535209513346746196698216076360399637128379668795586667710267559

927986322338086218818218479458538500795487570095583096637530176254

547986365059286516771870741782277409552356882891268995792074860155

566822084940940837527226123006842396745490989049373621579081577481

115639747580508122261710004356168230764252760621386757351701841304

367831516332887254836264573141231713138223220552327606574463912939

0

qt =

580960599536995806285950253330457437068697517636289523666148615228

720373099711022573733604453311840725132615775498051744399052959454

004712166288567218703240103211163970644049884404985098905162720024

476580704181239472968054002410482797658436938152229236120877904476

989274322575173807697956881130957912551133309324351955378481630638

158016186020024749256844815024251530444957718760413642873858099017

255157393414625583036640591500086964373205321856683254529110790372

283163413859958640669032595972518744716905954080501231020963901175

074876001709536073423494575741627299485601330861695852995830467763

701918159408852834506128586389827176345729488354663887955431161544

644633019925438234001629205709075117553388816191898729559153153669

870129226768546551743791579082315484463478026010289171803249539607

504189948551381112697730747896907485704371071615012131592202455675

924123901315291971095646840637944291494161435710791446256732969457

3

q =

580960599536995806285950253330457437068697517636289523666148615228

720373099711022573733604453311840725132615775498051744399052959454

225

004712166288567218703240103211163970644049884404985098905162720024

476580704181239472968054002410482797658436938152229236120877904476

989274322575173807697956881130957912551133309324351955378481630638

158016186020024749256844815024251530444957718760413642873858099017

255157393414625583036640591500086964373205321856683254529110790372

283163413859958640669032595972518744716905954080501231020963901175

074876001709536073423494575741627299485601330861695852995830467763

701918159408852834506128586389827176345729488354663887955431161544

644633019925438234001629205709075117553388816191898729559153153669

870129226768546551743791579082315484463478026010289171803249539607

504189948551381112697730747896907485704371071615012131592202455675

924123901315291971095646840637944291494161435710791446256732969457

3.

Example 2

In this example I implement FF attack against RSA-CRT signature protected by

Simplified Vigilant’s Countermeasure algorithms.

I choose three random prime numbers

p=

464768479629596645028760202664365949654958014109031618932918892182

976298479768818058986883562649472580106092620398441395519242367563

203769733030853774962592082568931176515239907523988079124130176019

581264563344991578374443201928386238126749550521783388896702323581

591419458060139046158365504904766330040906647459481564302785304510

526412948816019799405475852019401224355966175008330914299086479213

804125914731700466429312473200069571498564257485346603623288632297

826530731087966912535226076778014995773524763264400984816771120940

059900801367628858738795660593301839588481064689356682396664374210

961534527527082267604902869111861741076583590683731110364344929235

715706415940350587201303364567260094042711052953518983647322522935

896103381414837241395033263265852387570782420808231337442599631686

003351958841104890158184598317525988563496857292009705273761964540

226

739299121052233576876517472510355433195329148568633157005386375507

59,

q=

464768479629596645028760202664365949654958014109031618932918892182

976298479768818058986883562649472580106092620398441395519242367563

203769733030853774962592082568931176515239907523988079124130176019

581264563344991578374443201928386238126749550521783388896702323581

591419458060139046158365504904766330040906647459481564302785304510

526412948816019799405475852019401224355966175008330914299086479213

804125914731700466429312473200069571498564257485346603623288632297

826530731087966912535226076778014995773524763264400984816771120940

059900801367628858738795660593301839588481064689356682396664374210

961534527527082267604902869111861741076583590683731110364344929235

715706415940350587201303364567260094042711052953518983647322522935

896103381414837241395033263265852387570782420808231337442599631686

003351958841104890158184598317525988563496857292009705273761964540

739299121052233576876517472510355433195329148568633157005386375527

53 and e=3 and compute

n=p*q=

216009739657206791583431516727568899055887697219926680255917536694

185602422191444746561982872063457373526696288552653664750118864772

497953368233150894471619169889342240231775113245134369734412060430

920553368583575417786602157942009886406730048348007704168589421509

744896763698675278959515605477883901693776434379400235323332550570

938607058715832176099676880506927552799748768113368393444054786315

175937480781996720853004096025440796911426791889611430740851397787

193534619797590912130746012158233482426944253991678796909183757061

722532157524108155990131136871104793811726518049918458971331564932

466159646269622210851543023253985487781491995724027461905260673425

508270927318791784398723987134904509750827772010020786542552552000

056146557199297025215054839572329598582242877023342733766934070625

845549654990070044225561682579651965046246547974956875658257453634

189199105873242860256196822243654702000778097137497702214792232124

227

279235069869622527075794087557729756281456129279112661254194747732

550658116652235614412826763872663232717293774795898354482198372721

501790155139919945349449882038222784857262345464130811027013128923

179098892554977214407061126607775822930236073055718253539710953878

481288997270644477967184694594127629635035075689506969052353437341

182108897439859288754478923164652087191394233590616051225180711404

855445381604591555554344010722689509969790327331067302132313240277

668974257425657504322117238755754497326637446000516322329722415435

468407598352128661672387515784208010622201638714730479466804470040

897183849758140634223321847093444107610899403681842324116296770352

414543772881303264905122259837240805137993596796487188311791571436

697701097927790426234648710087072378071421752875413132275175112173

531230187789476238972027820486975368083258762312032677131526239675

511199415608418096737824123938237334178500108464316515056169757768

9527,

d≡e-1 mod (p-1)*(q-1) ≡

172807791725765433266745213382055119244710157775941344204734029355

348481937753155797249586297650765898821357030842122931800095091817

998362694586520715577295335911473792185420090596107495787529648344

736442694866860334229281726353607909125384038678406163334871537207

795917410958940223167612484382307121355021147503520188258666040456

750885646972665740879741504405542042239799014490694714755243829052

140749984625597376682403276820352637529141433511689144592681118229

754827695838072729704596809726586785941555403193343037527347005649

378025726019286524792104909496883835049381214439934767177065251945

972927717015697768681234418603188390225193596579221969524208538740

406616741855033427518979189707923607800662217608016629234042041600

044917245759437620172043871657863678865794301618674187013547256500

676439723992056035380449346063721572036997238379965500526605962907

351359284698594288204957457794923761600622477709998161771833785699

415951760221624475340175106803553949830685575197545623100429095911

112905717645487402586471274095739024892137537910343621257450820296

190171808383442295880158432309475329061566037850920839555624420322

228

229978881030461906271657810055366478534160865636226068609421525925

479568486487553357635213907596825842427373554192253870213038185000

777264510770831114213095524899411250163419928072359546351359185456

463490290647966036980606209006950494831855233745088296047877974105

369954914243118532857130173776155357928933560588182642106709594413

333767665859820867598089282057873579064345613936754676655096946045

342362527366079191096979031768965498231494185494534161527207897414

160183715649997002528876954036716482605711500589933446911076096782

383823224239594945125398435857404264256004883567398804421058495631

848930518890123312935091302816499878649591060132953986420840800307

757130746549898740160235019590424180411674820394355081532849624206

8813,

𝑑𝑝 ≡ 𝑑 𝑚𝑜𝑑 (𝑝 − 1) ≡

278861087777757987017256121598619569792974808465418971359751335309

785779087861290835392130137589683548063655572239064837311545420537

922261839818512264977555249541358705909143944514392847474478105611

748758738006994947024665921157031742876049730313070033338021394148

954851674836083427695019302942859798024543988475688938581671182706

315847769289611879643285511211640734613579705004998548579451887528

282475548839020279857587483920041742899138554491207962173973179378

695918438652780147521135646066808997464114857958640590890062672564

035940480820577315243277396355981103753088638813614009437998624526

576920716516249360562941721467117044645950154410238666218606957541

429423849564210352320782018740356056425626631772111390188393513761

537662028848902344837019957959511432542469452484938802465559779011

602011175304662934094910758990515593138098114375205823164257178724

443579472631340146125910483506213259917197489141179894203231825304

55

𝑑𝑞 ≡ 𝑑 𝑚𝑜𝑑 (𝑞 − 1) ≡

185907391851838658011504081065746379861983205643612647573167556873

190519391907527223594753425059789032042437048159376558207696947025

281507893212341509985036833027572470606095963009595231649652070407

229

832505825337996631349777280771354495250699820208713355558680929432

636567783224055618463346201961906532016362658983792625721114121804

210565179526407919762190340807760489742386470003332365719634591685

521650365892680186571724989280027828599425702994138641449315452919

130612292435186765014090430711205998309409905305760393926708448376

023960320547051543495518264237320735835392425875742672958665749684

384613811010832907041961147644744696430633436273492444145737971694

286282566376140234880521345826904037617084421181407593458929009174

358441352565934896558013305306340955028312968323292534977039852674

401340783536441956063273839327010395425398742916803882109504785816

295719648420893430750606989004142173278131659427453262802154550211

01

𝑖𝑞 ≡ q-1 mod p≡

473159485279880235410422874327313379036893063511200695302821138982

668949806384503841395874439407436979746924784056587779791405218732

850377411260096872203641889475892822630861089405063089579731322627

758258306715312389217712988924084284552307716930401343761437169945

150742978867644064042869596267139242719679285026453147208953945915

932105459426539715543187552457063433020366767937267681056743005418

265985760734880615271566860880712753331035828834129190248383111115

640851245791661400424528052085943049859706754978301905304937500254

925576041512681335626757869109529957053468686719856602439934142250

878593325416237213258752670159016717344766644477419335024884757446

591215659156926625886983866635676023523923489215468172920794745014

979483382282908525592736973134242902090616005135762093785595412398

488868844757995449860137780634191452750199909881032949701974316959

729577339887680120892342261382157236402466485252921418616316119498

7. I also choose arbitrarily a small integer r=28

The internal inputs (loaded from the firmware) to the attack are p, q, dp, dq and 𝑖𝑞

values which are given above. The inputs by the attacker to the attack algorithm are

the message M=55 and the random fault value X=756. I assume that p, q, dp, dq and

230

𝑖𝑞 are stored in the firmware in victim device, and attacker does not have any access

to them. The goal of this example is to compute q which has a factor of n=p*q.



n=p*q

pdash=p*(r^2)

ipr=powermod(p,-1,r^2)

Mp=mod(M,pdash)

Bp=p*ipr

Ap=1-mod(Bp,pdash)

Mpdash=Ap*Mp+mod(Bp*(1+r),pdash)

qdash=q*(r^2)

iqr=powermod(q,-1,r^2)

Mq=mod(M,qdash)

Bq=q*iqr

Aq=1-mod(Bq,qdash)

Mqdash=Aq*Mq+mod(Bq*(1+r),qdash)

eupdash=(p-1)*(r^2-1)

Spdash=powermod(Mpdash,mod(dp,eupdash),pdash)

Spr=1+dp*r

cp=mod(Mpdash+n-M+1,p)

euqdash=(q-1)*(r^2-1)

Sqdash=powermod(Mqdash,mod(dq,euqdash),qdash)

Sqr=1+dq*r

cq=mod(Mqdash+n-M+1,q)

Sdash=Sqdash+q*mod(iq*(Spdash-Sqdash),pdash)

Sr=Sqr+q*mod(iq*(Spr-Sqr),pdash)

Sdashe=Sqdash+q*mod(X*(Spdash-Sqdash),pdash)

qt=gcd((Sdashe-Sdash),n)

clear Sdashe;

cs=mod(Sdash-Sr+1,r^2)


if mod(sfinal, n)~= powermod(Sdash,(cp*cq*cs),n) disp('error'); end

231

q=qt

clear arduino

clearvars a;


a =


Port: 'COM5'

Board: 'Mega2560'



n=

216009739657206791583431516727568899055887697219926680255917536694

185602422191444746561982872063457373526696288552653664750118864772

497953368233150894471619169889342240231775113245134369734412060430

920553368583575417786602157942009886406730048348007704168589421509

744896763698675278959515605477883901693776434379400235323332550570

938607058715832176099676880506927552799748768113368393444054786315

175937480781996720853004096025440796911426791889611430740851397787

193534619797590912130746012158233482426944253991678796909183757061

722532157524108155990131136871104793811726518049918458971331564932

466159646269622210851543023253985487781491995724027461905260673425

508270927318791784398723987134904509750827772010020786542552552000

056146557199297025215054839572329598582242877023342733766934070625

845549654990070044225561682579651965046246547974956875658257453634

189199105873242860256196822243654702000778097137497702214792232124

279235069869622527075794087557729756281456129279112661254194747732

550658116652235614412826763872663232717293774795898354482198372721

501790155139919945349449882038222784857262345464130811027013128923

179098892554977214407061126607775822930236073055718253539710953878

481288997270644477967184694594127629635035075689506969052353437341

232

182108897439859288754478923164652087191394233590616051225180711404

855445381604591555554344010722689509969790327331067302132313240277

668974257425657504322117238755754497326637446000516322329722415435

468407598352128661672387515784208010622201638714730479466804470040

897183849758140634223321847093444107610899403681842324116296770352

414543772881303264905122259837240805137993596796487188311791571436

697701097927790426234648710087072378071421752875413132275175112173

531230187789476238972027820486975368083258762312032677131526239675

511199415608418096737824123938237334178500108464316515056169757768

9527

pdash =

364378488029603769702547998888862904529487083061480789243408411471

453418008138753358245716713117186502803176614392378054087086016169

551755470696189359570672192734042042387948087498806654033318057999

351711417662473397445563470311854810691371647609078176895014621687

967672855119149012188158555845336802752070811608233546413383678736

252707751871759522733893067983210559895077481206531436810483799703

622434717149653165680580978988854544054874377868511737240658287721

496000093172966059427617244193963756686443414399290372096348558817

006962228272221025251215797905148642237369154716455638998984869381

393843069581232497802243849383699605004041535096045190525646424520

801113830097234860365821837820731913729485465515558883179500857981

742545051029232397253706078400428271855493417913653368554998111241

826627935731426233884016725080940375033781536116935608934629380199

939610510904951124271189698448118659625138052477808395092222918397

95056

ipr =

151

Mp =

55

233

Bp =

701800404240690933993427906023192583978986601304637744588707527196

294210704450915269070194179600703595960199856801646507234055975020

437692296876589200193514044679086076538012260361221999477436565789

567709490650937283345409234911863219571391821287892917234020508608

203043381670809959699131912406197158361769037663817162097205809810

894883552712189897102268536549295848777508924262579680591620583612

844230131244867704308261834532105052962832028802873371471165834769

718061403942830037928191375934802643618022392529245487073324392619

490450210065119576695581447495885777778606407680928590418963205058

551917136565894224083403332358911229025641221932433976650160843145

930716688069929386673968080496562742004493689959813665307457009633

203116105936404234506500227531437105231881455420429319538325443845

865061457850068384138858743459464242730880254510934654963380566456

516341672788872701083541383490636704124947014338636067078133427016

4609

Ap =

701800404240690933993427906023192583978986601304637744588707527196

294210704450915269070194179600703595960199856801646507234055975020

437692296876589200193514044679086076538012260361221999477436565789

567709490650937283345409234911863219571391821287892917234020508608

203043381670809959699131912406197158361769037663817162097205809810

894883552712189897102268536549295848777508924262579680591620583612

844230131244867704308261834532105052962832028802873371471165834769

718061403942830037928191375934802643618022392529245487073324392619

490450210065119576695581447495885777778606407680928590418963205058

551917136565894224083403332358911229025641221932433976650160843145

930716688069929386673968080496562742004493689959813665307457009633

203116105936404234506500227531437105231881455420429319538325443845

865061457850068384138858743459464242730880254510934654963380566456

516341672788872701083541383490636704124947014338636067078133427016

4608

234

Mpdash =

364657349117381527689565255010461524099280057869946208214768162806

763203787226614649081108843254776186351240269964617118924397561590

089677732536007871835649747983583401093857231443321046880792536104

963460176400480392392588136233011842434247697339391246928352643082

116627706793985095615853575148279662550095355596709235351965349918

959023599641049134613536353494422200629691060911536435359063251591

150717192698492185960438566472774585797773516423002945202832260900

874696011611618839575138379840030565683907529257249012687238621489

570998168753041602566459075301504623341122243355269253008422868005

920419990297748747162806791105166722048687485250455429191865031478

342543253946799070718142619839472269785911092147330994569689251495

504082713058081299598543098358387783288035887366138307357463671020

838229946906730896818111635839930890626919634231310814757793637378

664054090377582464417315608931624872885055249966949574986426150223

255059

qdash =

364378488029603769702547998888862904529487083061480789243408411471

453418008138753358245716713117186502803176614392378054087086016169

551755470696189359570672192734042042387948087498806654033318057999

351711417662473397445563470311854810691371647609078176895014621687

967672855119149012188158555845336802752070811608233546413383678736

252707751871759522733893067983210559895077481206531436810483799703

622434717149653165680580978988854544054874377868511737240658287721

496000093172966059427617244193963756686443414399290372096348558817

006962228272221025251215797905148642237369154716455638998984869381

393843069581232497802243849383699605004041535096045190525646424520

801113830097234860365821837820731913729485465515558883179500857981

742545051029232397253706078400428271855493417913653368554998111241

826627935731426233884016725080940375033781536116935608934629380199

235

939610510904951124271189698448118659625138052477808395092222918413

58352

iqr =

225

Mq =

55

Bq =

104572907916659245131471045599482338672365553174532114259906750741

169667157947984063272048801596131330523870839589649313991829532701

720848189931942099366583218578009514715928979192897317802929289604

405784526752623105134249720433886903578518648867401262501758022805

858069378063531285385632238603572424259203995678383351968126693514

868442913483604454866232066704365275480092389376874455717294457823

105928330814632604946595306470015653587176957934202985815239942267

010969414494792555320425867275053374049043071734490221583773502211

513477680307716493216229023633492913907408239555105253539249484197

466345268693593510211103145550168891742231307903839499831977609078

036033943586578882120293257027633521159609986914541771320647567660

576623260818338379313882484234816787203426044681852050924584917129

350754190739248600285591534621443347426786792890702183686596442021

666342302236752554797216431314829972468949058427942460326211934493

69425

Aq =

104572907916659245131471045599482338672365553174532114259906750741

169667157947984063272048801596131330523870839589649313991829532701

720848189931942099366583218578009514715928979192897317802929289604

405784526752623105134249720433886903578518648867401262501758022805

858069378063531285385632238603572424259203995678383351968126693514

868442913483604454866232066704365275480092389376874455717294457823

105928330814632604946595306470015653587176957934202985815239942267

236

010969414494792555320425867275053374049043071734490221583773502211

513477680307716493216229023633492913907408239555105253539249484197

466345268693593510211103145550168891742231307903839499831977609078

036033943586578882120293257027633521159609986914541771320647567660

576623260818338379313882484234816787203426044681852050924584917129

350754190739248600285591534621443347426786792890702183686596442021

666342302236752554797216431314829972468949058427942460326211934493

69424

Mqdash =

563392351006997053103863117669744404171740104702968128470484281104

203869017175761251103900254643690661604605474446990659648425597960

115609670380000946009654122490058372171773815900578349514270599370

936408903686798791305500049377589797857245805142505824020582556645

605118667060500551753170665045557745275587038050383552247836346127

660117776554779200839317827817918164164302197345098734313352630102

973361433837767305405612580013124334570559592923737152912150480071

425320552224833491375201050270309777876666718029106873794889952803

540611751417839702563168099771200489949156746616438170401236554418

527572154268329124790663257937398802533034628626818851983658923219

534579317402892981805419938528432685998574338390255711977284362302

893256518951065704019059321730866264213302450503738027247919273529

773263244507187347849751370080505003336670890409374164732854253416

284178394539517541889714480177052856119377993894897112921929364414

471811

eupdash =

363913719549974173057519238686198538579832125047371757624475492579

270441709658984540186729829554537030223070521771979612691566773801

988551700963158505795709600651473111211432847591282665954193927823

332130153099128405867189027109926424453244898058556393506117919364

386081435661088873142000190340432036422029904960774064849080893431

742181338922943502934487592131191158670721515031523105896184713224

408630591234921465214151666515654474483375813611026390637034999089

237

198173562441878092515082018117185741690669889636025971111531787696

066902327470853396392477002244555340397780673651766282316588205007

182881535053705415534638946514587743262964951505361459415282079591

565398123681294509778620534456164653635442754462605364195853535458

806648947647817560012311045137162419467922635492845137217555511610

140624583772585128993858540482622849045218039259643599229355618235

398871211783898890694313180975608304191942723329239761935217532022

43514

Spdash =

234890193780752685593582341053798245342216691894067213673121370754

215601683923491389165035607372761127217131517172261147738614438333

621061890661290253953329994283452502172601118403104068252618998666

084164253701032422815210913798118371579450257243817606015493651389

695457963634825616163029785500214795074466323149924710836446748148

499070029569438486929950626878591707073637214418069470144550552423

402891191328422980928704544871567408908215180410906993050760143854

313050976431805334282693774112638271290070774238372344823068374465

423574162053589188194758738687797405308931050938655346279393136166

290876141134347666637972794466810698452849277233217293628666720112

978586079043882790156013676806500886688544360242603277234473545631

531677671870738495426957554453338548976900167519020344917116254924

483484587509785333553070087708206235823168523439063340572578957605

402148818996253359711804524174756566239727930210538698368860797511

69493

Spr =

780811045777722363648317140476134795420329463703173119807303738867

400181446011614339097964385251113934578235602269381544472327177506

182333151491834341937154698715804376545603044640299972928538695712

896524466419585851669064579239688880052939244876596093346459903617

073584689541033597546054048240007434468723167731929028028679311577

684373754010913263001199431392594056918023174013995936022465285079

190931536749256783601244954976116880117587952575382294087124902260

238

348571628227784413059179808987065192899521602284193654492175483179

300633346297616482681176709796747090508648188678119226426396148674

415378006245498209576236820107927725008660432348668265412099481116

002386778779788986498189652472996957991754568961911892527501838532

305453680776926565543655882286632011118914466957828646903567381232

485631290853056215465750125173443660786674720250576304859920100428

442022523367752409152549353817397127768152969595303703769049110852

741

cp =

1

euqdash =

363913719549974173057519238686198538579832125047371757624475492579

270441709658984540186729829554537030223070521771979612691566773801

988551700963158505795709600651473111211432847591282665954193927823

332130153099128405867189027109926424453244898058556393506117919364

386081435661088873142000190340432036422029904960774064849080893431

742181338922943502934487592131191158670721515031523105896184713224

408630591234921465214151666515654474483375813611026390637034999089

198173562441878092515082018117185741690669889636025971111531787696

066902327470853396392477002244555340397780673651766282316588205007

182881535053705415534638946514587743262964951505361459415282079591

565398123681294509778620534456164653635442754462605364195853535458

806648947647817560012311045137162419467922635492845137217555511610

140624583772585128993858540482622849045218039259643599229355618235

398871211783898890694313180975608304191942723329239761935217532038

04816

Sqdash =

299086069792410282204582350451858994288880046696178348719891511234

731789595365182440017144611180452137547239569661003011174203273066

789792373872326758649253862533541337419628165941493178503739275014

239

380645106650355471642208215095801135700467753321911084888470600768

396641371776161921495446894473320916295110506794920218462504337207

330826262124861523295424094613621312827498846168922011014642682504

909510371732341230863473019667069093457282488387749994902410031712

212574764011282077865442308365232276000307218641398083045734578241

430849676196389484639814159304521522642228969707100261194033328968

015068277981137142754715145186776450044207529104429433747445385995

302932193995521690361603553896352316425194156935097093455709053771

961925175699322596388679244719289125303216240823366088508864803186

618616336261866920521840839941602395334173012358070098973530744506

705555403363240355538476076012353909141698621562776538258325200191

27005

Sqr =

520540697185148242432211426984089863613552975802115413204869159244

933454297341076226065309590167409289718823734846254362981551451670

788222100994556227958103132477202917697068696426866648619025797141

931016310946390567779376386159792586701959496584397395564306602411

382389793027355731697369365493338289645815445154619352019119541051

789582502673942175334132954261729371278682116009330624014976856719

460621024499504522400829969984077920078391968383588196058083268173

565714418818522942039453205991376795266347734856129102994783655452

867088897531744321787451139864498060339098792452079484284264099116

276918670830332139717491213405285150005773621565778843608066320744

001591185853192657665459768315331305327836379307941261685001225688

203635787184617710362437254857754674079276311305219097935711587488

323754193902037476977166750115629107191116480167050869906613400285

628015015578501606101699569211598085178768646396869135846032740590

829

cq =

1

240

Sdash =

232984893843810085293278926443081065552688900367764085872204342752

662580713623980903461421942959010076615483313219928273086125252251

246131357335284860526891635317417742208854512147009072019475970357

579782786878564562108383134158851266563083684981002038315126232527

809994909722681915782024143089262501926730502257009951901531017978

785510546702114473692988140231747503637113709797616212343204620545

554072252265073936503445156362407552270846039836753248944222224566

912645674446583878099630025464456738356544514136767796598907484482

776696207169877129394816249209745799126893473802355439826321590077

769263050055236043298251631125510897024862528167846773628966907750

554887555117065863885938256478332645840357404962348062140524616046

503730899747324326894776592086040421220699292379990045487565419219

916481962550063073513676214196489952946886703082742504109259661518

827732779136552059667984406586134251316307875353032245521604230520

453225842965495646982486911595516394917588566065097540133240008131

239484865191205901041601447008102600105488796829642917899845609078

731805889491178810941095480978467484007056916633016460090733279494

100410710643651053251396589307805188211966712774093781113115305278

901153362981215732547926110250062798232956434404942077713017919077

889880490979439386058655191310101571737477996709672934676014213708

557142095070567514371483835307115077939674102951367524710521809796

854503044671509332799098759284671668231437790483651818593629698796

211517629021015304260498365480696494522164225213348142375516988469

619485123579746538091465757562210670998158799484498882107481293733

236843641235480066598283789158966259244076602229414593027447745226

809498953055469674783679086899762924015138660738577209260517862497

006380189985758139215135098298553354430018522704160068039996649635

847532486558608319293190854579952507481941591906047800110095250447

384325

Sr =

494726868411210019751024936186759474456757806105820200244141694060

712980709829254056923305341614961227198913794159687916141458795536

241

344490134120248024735747660844614817380102089555778017666909791700

758332334321019507608450744538824223568652739056363626794657778915

901474550991914438198564493465550132273637448347126500044018655250

849750891544007255974857552559852124407647673094857135311104445943

921324543497565906021999435285035334011901160031004664065918581290

286618224488639339322853666048596553973111799401916882516292525596

725133560071172756686292037716462464517475486116037318888655659629

499837501265948751936125559180342602200518259590897271096695655966

561183617879332082914753777828967637804727339804711880213929477139

803617473232172926472178778550617282478890359273477885536572448366

131646697687728847488350914472908251997613503058535434975510030929

798770848471341221573808422690254733079471142217133503683970508540

700787409214722298363656703822382142330779240701405933132888769516

702981874250157200881038791824303027387023329878349925992965416688

917223664308236582076576384871606677914061603521860765140550030285

203327927056117125517998825841167293735001424609426754407548859494

666168432158741145633620550115685347791069670368784584427722467343

245253368172193929304431760311711755986888798745059404497849486196

140501576400554826118569744743226646290690439276762539294217395285

797459537869959437460890684447616331471785630350183822299335653898

763181352776108387892854597321281407376647501216049625123425603160

000998650407085099839775756561770852991427584861601266828000400918

448396045962900790649557768476117370473231806205330311381245920894

934138587492589610071919602976318747919961795893401235205681115458

661181348350250425169558974711379801288207212968425386273188788120

785472068385300925950305655216799495094305768283145167627277468540

279813

Sdashe =

136937121951800817461170539181411708350853578926972432911471981903

704623629629875159637746823019153239973653936128657395313242055226

262390596614700029774592685029656637962116343257864620217681212027

617852923382530175734203442260253283996296451574215008853507848884

491035545656047004202730934849722544063761745281106792487306357432

242

467974095770680936192889287679887374908885783100998786363935532253

856713549020681420899161315126901586153518787395414234088440969894

127837617609198940682958609348507400655827555047623830535227373503

157842179127771089376318547074245945684484935586408823740645339431

572739924136403216992953126242692686736000977244776808867838878708

817136064218526715267715141400411836392245830580265142659275509557

027897382967723015712294965671773537062157219201142648504049354178

184669677601380951023653915925448935954089910935102708578352460624

911268459700610129121636965852213215376981943663298231636130064564

302280363950296018390895899037906300072185821701394705120161028213

749665001070827173723246900334704997401176381771272106647838533333

302278426393761026691745272382105528663570306455246334056212221135

951481621205229876500731752712055181130466668201290164476445720875

354343377352592949516404455947293010269191092402753417954543650022

630132117750271485882076783401548953842176113328865856228580991808

005053951277377167446718803111055427270774067659368147403844641789

436952051890667430812691393571408924980197511009742450903904230156

253491645015677999037017033567329944704761465628253674493489427734

994758724358560826705466277192531486916370022943130431810644421947

920826848207514595287357470076043527303131252671460901642360779016

593992642671273505885179574075408500880610262992197044672606917298

901601303287594896453983184333124809079046166680074252071563243473

071048665277181617214609515561284192183791085990042807721809719202

1390301

qt =

464768479629596645028760202664365949654958014109031618932918892182

976298479768818058986883562649472580106092620398441395519242367563

203769733030853774962592082568931176515239907523988079124130176019

581264563344991578374443201928386238126749550521783388896702323581

591419458060139046158365504904766330040906647459481564302785304510

526412948816019799405475852019401224355966175008330914299086479213

804125914731700466429312473200069571498564257485346603623288632297

826530731087966912535226076778014995773524763264400984816771120940

243

059900801367628858738795660593301839588481064689356682396664374210

961534527527082267604902869111861741076583590683731110364344929235

715706415940350587201303364567260094042711052953518983647322522935

896103381414837241395033263265852387570782420808231337442599631686

003351958841104890158184598317525988563496857292009705273761964540

739299121052233576876517472510355433195329148568633157005386375527

53

cs =

1

q =

464768479629596645028760202664365949654958014109031618932918892182

976298479768818058986883562649472580106092620398441395519242367563

203769733030853774962592082568931176515239907523988079124130176019

581264563344991578374443201928386238126749550521783388896702323581

591419458060139046158365504904766330040906647459481564302785304510

526412948816019799405475852019401224355966175008330914299086479213

804125914731700466429312473200069571498564257485346603623288632297

826530731087966912535226076778014995773524763264400984816771120940

059900801367628858738795660593301839588481064689356682396664374210

961534527527082267604902869111861741076583590683731110364344929235

715706415940350587201303364567260094042711052953518983647322522935

896103381414837241395033263265852387570782420808231337442599631686

003351958841104890158184598317525988563496857292009705273761964540

739299121052233576876517472510355433195329148568633157005386375527

53

fault attacks on rsa and elliptic curve cryptosystems

Documents