Fault Attacks on Projective-to-Affine Coordinates Conversion

Fault Attacks onProjective-to-Affine Coordinates Conversion

Diana Maimut (ENS, France)Cedric Murdica (Secure-IC/Telecom ParisTech, France)

David Naccache (ENS, France)Mehdi Tibouchi (ntt Secure Platform, Japan)

Cedric Murdica (Secure-IC/Telecom ParisTech) Fault on Projective-to-Affine Coordinates Conversion Thursday, March 7th , 2013 1 / 31

Our contribution

Attack by Naccache, Smart and Stern at EUROCRYPT’04

Attack on Elliptic Curve Cryptosystems when the returned point of some signatureschemes is given in projective coordinates (X ,Y ,Z ).

Feasibility of the attack

In many systems, results are given in affine coordinates (x , y).

Our fault attack modelInjecting an error during the conversion process to recover the missing Zcoordinate.We propose 3 different ways to recover the missing Z coordinate depending on thefault’s precision.

Our contribution

Attack by Naccache, Smart and Stern at EUROCRYPT’04

Attack on Elliptic Curve Cryptosystems when the returned point of some signatureschemes is given in projective coordinates (X ,Y ,Z ).

In many systems, results are given in affine coordinates (x , y).

Our fault attack modelInjecting an error during the conversion process to recover the missing Zcoordinate.We propose 3 different ways to recover the missing Z coordinate depending on thefault’s precision.

Table of Contents

1 Preliminaries

2 Fault on conversion procedure

3 Large Unknown Faults

4 Two Faults

5 Known Fault

6 Conclusion

Preliminaries

Table of Contents

1 Preliminaries

4 Two Faults

5 Known Fault

6 Conclusion

Preliminaries Elliptic Curve Cryptosystems

Table of Contents

1 PreliminariesElliptic Curve CryptosystemsNaccache et al.’ attack

4 Two Faults

5 Known Fault

6 Conclusion

Elliptic Curve

Elliptic Curve on affine coordinates

On a field Fp, p > 3, an elliptic curve E is the set of points (x , y) ∈ Fp, satisfying

y2 = x3 + ax + b, with 4a3 + 27b2 6= 0

plus the point at infinity O.Costly formulæ because of inversions.

Elliptic Curve on Jacobian coordinates

To prevent costly division, represent the point (x , y) by (xZ 2, yZ 3,Z ) for anynon-zero Z . The curve equation is

Y 2 = X 3 + aXZ 4 + bZ 6

with O = (1, 1, 0) and the equivalence relation (X ,Y ,Z ) ∼ (λ2X , λ3Y , λZ ).To retrieve the affine coordinates from (X ,Y ,Z ), compute(x , y) := (x , y , 1) = (X/Z 2,Y /Z 3, 1).

Returning the result in Jacobian coordinates

Computation of Q = [k]P

Operation called Elliptic Curve Scalar Multiplication (ecsm)

with k private

with P public

Is it secure to return the value Q = (X ,Y ,Z ) in Jacobian coordinates?

No”Projective coordinates leak” at Eurocrypt 2004 by Naccache, Smart, Stern.Some bits of k can be retrieved.

Returning the result in Jacobian coordinates

Computation of Q = [k]P

Operation called Elliptic Curve Scalar Multiplication (ecsm)

with k private

with P public

Is it secure to return the value Q = (X ,Y ,Z ) in Jacobian coordinates?

No”Projective coordinates leak” at Eurocrypt 2004 by Naccache, Smart, Stern.Some bits of k can be retrieved.

Preliminaries Naccache et al.’ attack

Table of Contents

1 PreliminariesElliptic Curve CryptosystemsNaccache et al.’ attack

4 Two Faults

5 Known Fault

6 Conclusion

Group law in Jacobian coordinates

P1 = (X1,Y1,Z1) = (x1Z21 , y1Z

31 ,Z1),P2 = (X2,Y2, 1) = (x2, y2, 1)

Algorithm ecdbl =

S = 4X1Y21

M = 3X 21 + aZ 4

X3 = −2S + M2

Y3 = −8Y 41 + M(S − X3)

Z3 = 2Y1Z1 = 2y1Z41

P3 = (X3,Y3,Z3) return(P3 = 2P1)

Algorithm ecadd =

H = x2Z21 − X1

R = y2Z31 − Y1

X3 = −H3 − 2UH2 + R2

Y3 = −SH3 + R(UH2 − X3)Z3 = Z1H = Z 3

1 (x2 − x1)P3 = (X3,Y3,Z3) return(P3 = P1 + P2)

Description of the attack

Output result in Jacobian coordinates

[k]P = (X0,Y0,Z0) is computed using the Double-and-Add method.

A← Pfor i = N − 2 downto 0 do

A← ecdbl(A)if ki = 1 then A← ecadd(A,P)

end forreturn A = [k]P = (X0,Y0,Z0)

If k0 = 0

The last operation to obtain (X0,Y0,Z0) was a doubling. Is this possible?

If k0 = 1

The last operations to obtain (X0,Y0,Z0) was a doubling followed by an addition.Is this possible?

Notation: (X1,Y1,Z1) are the coordinates of the point A at the end of iteration 1

If k0 = 0

The last operation to obtain Q = (X0,Y0,Z0) was a doubling.

Z0 = 2Y1Z1 = 2y1Z41 ⇒ Z 4

Z0 is given in the output

Halve the point Q ⇒ (x1, y1) = [2−1 mod #E ]Q

Only Z1 is unknown

Result

2y1is not a fourth root, then k0 = 1

2y1is a fourth root, then compute the ”possible” (X1,Y1,Z1) points

In an analogous manner, if k0 = 1, the last operation was an addition.Addition involves a cube for the Z coordinates ⇒ try a cubic root.

Backtracking Algorithm

(X0,Y0,Z0)

∅ k0 = 1

(X0,Y0,Z0)

∅ k0 = 1

halve(Xt ,Yt ,Zt)0 (Xt ,Yt ,Zt)1 (Xt ,Yt ,Zt)2

(X0,Y0,Z0)

∅ k0 = 1

halve(Xt ,Yt ,Zt)0 (Xt ,Yt ,Zt)1 (Xt ,Yt ,Zt)2

∅ (X1,Y1,Z1) ∅halve halve halve

(X0,Y0,Z0)

∅ k0 = 1

halve(Xt ,Yt ,Zt)1

(X1,Y1,Z1)

(X2,Y2,Z2)0 (X2,Y2,Z2)1

(X0,Y0,Z0)

∅ k0 = 1

halve(Xt ,Yt ,Zt)1

(X1,Y1,Z1)

(X2,Y2,Z2)0 (X2,Y2,Z2)1

halve(Xt ,Yt ,Zt)

(X0,Y0,Z0)

∅ k0 = 1

halve(Xt ,Yt ,Zt)1

(X1,Y1,Z1)

(X2,Y2,Z2)0 (X2,Y2,Z2)1

halve(Xt ,Yt ,Zt)

∅halve

k1 = 0

(X0,Y0,Z0)

∅ k0 = 1

halve(Xt ,Yt ,Zt)1

(X1,Y1,Z1)

(X2,Y2,Z2)0 (X2,Y2,Z2)1

halve(Xt ,Yt ,Zt)

∅halve

k1 = 0

−P halve −P halve

Synthesis of Naccache et al.’ attack

The attack cannot permit to recover all bits of the scalar, only a few. This isenough for some protocols.

The result must be in Jacobian coordinates (X ,Y ,Z ). In schemes, the resultsare in affine coordinates (x , y). [k]P is computed in Jacobian coordinates andthe point is converted in affine coordinates before returning it.

Our contributionInject a fault during the conversion procedure, so that the faulty result in affinecoordinates contains some information on the missing coordinate Z .

Synthesis of Naccache et al.’ attack

The attack cannot permit to recover all bits of the scalar, only a few. This isenough for some protocols.

The result must be in Jacobian coordinates (X ,Y ,Z ). In schemes, the resultsare in affine coordinates (x , y). [k]P is computed in Jacobian coordinates andthe point is converted in affine coordinates before returning it.

Our contributionInject a fault during the conversion procedure, so that the faulty result in affinecoordinates contains some information on the missing coordinate Z .

Fault on conversion procedure

Table of Contents

1 Preliminaries

4 Two Faults

5 Known Fault

6 Conclusion

Conversion Procedure

The following procedure converts P = (X ,Y ,Z ) = (xZ 2, yZ 3,Z ) from Jacobianto affine coordinates (x , y).

convert(X ,Y ,Z ) =

r ← Z−1

s ← r2

x ← X · st ← Y · sy ← t · r return(x , y)

Conversion Procedure

The following procedure converts P = (X ,Y ,Z ) = (xZ 2, yZ 3,Z ) from Jacobianto affine coordinates (x , y).

convert(X ,Y ,Z ) =

r ← Z−1

s ← r2

s = s + ε ←↩ corruption of sx ← X · st ← Y · sy ← t · r return(x , y)

Equations system

x = x + xZ 2ε mod p

y = y + yZ 2ε mod p

Large Unknown Faults

Table of Contents

1 Preliminaries

4 Two Faults

5 Known Fault

6 Conclusion

Large Unknown Faults and a correct result

= Z−2

Equations system

Unknown values in red

xi = x + xZ 2εi ⇒xix− 1 = Z 2εi mod p with εi < pa for some a < 1

s1 = Z−2 + ε1

s2 = Z−2 + ε2

sn = Z−2 + εn

Equations system

Equations system with a known result (x , y)

⇒ ui = Z 2εi mod p with ui =xix− 1

⇒ ε = s · u mod p with s = Z−2,u = (u1, ..., un), ε = (ε1, ..., εn)

Recover ε using LLL

Let L be the lattice generated by the vector u and pZn in Zn

Since ε satisfies ε = s · u mod p, ε is a vector in L, with εi < pa

Then, we can recover ε directly by reducing L using LLL since ε is a smallvector of the lattice.

Simulation (SAGE): with p ≈ 2256 and εi ≈ 2224, only 9 faults are necessaryto recover ε, in 3ms.

Equations system with a known result (x , y)

⇒ ui = Z 2εi mod p with ui =xix− 1

⇒ ε = s · u mod p with s = Z−2,u = (u1, ..., un), ε = (ε1, ..., εn)

Recover ε using LLL

Let L be the lattice generated by the vector u and pZn in Zn

Since ε satisfies ε = s · u mod p, ε is a vector in L, with εi < pa

Then, we can recover ε directly by reducing L using LLL since ε is a smallvector of the lattice.

Simulation (SAGE): with p ≈ 2256 and εi ≈ 2224, only 9 faults are necessaryto recover ε, in 3ms.

Two Faults

Table of Contents

1 Preliminaries

4 Two Faults

5 Known Fault

6 Conclusion

Two Faults

Two Faults and a correct result

= Z−2

Equations system

x− 1 = u1 = Z 2ε1 mod p with ε1 < p1/2

x− 1 = u2 = Z 2ε2 mod p with ε2 < p1/2

Two Faults

s1 = Z−2 + ε1

s2 = Z−2 + ε2

Equations system

x− 1 = u1 = Z 2ε1 mod p with ε1 < p1/2

x− 1 = u2 = Z 2ε2 mod p with ε2 < p1/2

Two Faults

Equations system

x− 1 = u1 = Z 2ε1 mod p with ε1 < p1/2

x− 1 = u2 = Z 2ε2 mod p with ε2 < p1/2

Let α = u1/u2 = ε1ε−12

⇒ problem known as the Rational NumberReconstruction and is solved using Gauß’ algorithm for finding the shortest vectorin a bidimensional lattice.

TheoremLet ε1, ε2 ∈ Z such that −A ≤ ε1 ≤ A and 0 < ε2 ≤ B. Let p > 2AB be a primeand α = ε1ε

−12 mod p. Then ε1, ε2 can be recovered from A,B, α, p in polynomial

Recover ε1, ε2 with A = B = b√pc, 2AB < p, 0 ≤ ε1 ≤ A and 0 < ε2 ≤ B.

Two Faults

Equations system

x− 1 = u1 = Z 2ε1 mod p with ε1 < p1/2

x− 1 = u2 = Z 2ε2 mod p with ε2 < p1/2

Let α = u1/u2 = ε1ε−12 ⇒ problem known as the Rational Number

Reconstruction and is solved using Gauß’ algorithm for finding the shortest vectorin a bidimensional lattice.

TheoremLet ε1, ε2 ∈ Z such that −A ≤ ε1 ≤ A and 0 < ε2 ≤ B. Let p > 2AB be a primeand α = ε1ε

−12 mod p. Then ε1, ε2 can be recovered from A,B, α, p in polynomial

Recover ε1, ε2 with A = B = b√pc, 2AB < p, 0 ≤ ε1 ≤ A and 0 < ε2 ≤ B.Cedric Murdica (Secure-IC/Telecom ParisTech) Fault on Projective-to-Affine Coordinates Conversion Thursday, March 7th , 2013 23 / 31

Known Fault

Table of Contents

1 Preliminaries

4 Two Faults

5 Known Fault

6 Conclusion

Known Fault

= Z−2

Equation

x = x + xZ 2ε with ε known

The knowledge of x suffices to recover Z .

Known Fault

s = Z−2 + ε

Equation

x = x + xZ 2ε with ε known

The knowledge of x suffices to recover Z .

Known Fault

Known Fault on ecdsa

G a public generator of order n.Key pair of an entity (d ,P) with P = [d ]G .

Algorithm 1 ecdsa Signature

Input: Private key d , message mOutput: Signature (r , s)

kR←− {1, . . . , n − 1}

Q ← [k]Gr ← xQ mod ni ← k−1 mod ns ← i(dr + m) mod nreturn (r , s)

Algorithm 2 ecdsa Verification

Input: Public key P, m, signature (r , s)Output: true or falsew ← s−1 mod nu1 ← w ·m mod nu2 ← w · r mod nQ ← [u1]G + [u2]Pv ← xQ mod n

return (v?= r)

Known Fault

Algorithm 3 Wrong ecdsa Signature

kR←− {1, . . . , n − 1}

(xQ , yQ) ← [k]G ← fault duringconversion of Qr ← xQ mod ni ← k−1 mod ns ← i(dr + m) mod nreturn (r , s)

Algorithm 4 Recover the x coordinate of Q

Input: P, m, wrong signature (r , s)Output: Qw ← s−1 mod nu1 ← w ·m mod nu2 ← w · r mod nQ ← [u1]G + [u2]P

kmdr+m

Q = [k]G = Qreturn Q

Recover the true x coordinate of Q

From (r , s), we can recover the correct value of xQ⇒ recover the Z coordinate of Q ⇒ grab a few bits of k

Known Fault

Algorithm 5 Wrong ecdsa Signature

kR←− {1, . . . , n − 1}

(xQ , yQ) ← [k]G ← fault duringconversion of Qr ← xQ mod ni ← k−1 mod ns ← i(dr + m) mod nreturn (r , s)

Algorithm 6 Recover the x coordinate of Q

Input: P, m, wrong signature (r , s)Output: Qw ← s−1 mod nu1 ← w ·m mod nu2 ← w · r mod nQ ← [u1]G + [u2]P

kmdr+m

Q = [k]G = Qreturn Q

Recover the true x coordinate of Q

From (r , s), we can recover the correct value of xQ⇒ recover the Z coordinate of Q ⇒ grab a few bits of k

Conclusion

Table of Contents

1 Preliminaries

4 Two Faults

5 Known Fault

6 Conclusion

Conclusion

ContributionA new kind of fault attack at the end of the ecsm

The attack permits to perform the Naccache et al.’s attack even when theresult is returned in affine coordinates

Practical attacks on particular elliptic curve schemes (large and two faults)

Theoretical attack on ecdsa. Theoretical because the fault model is toostrong.

PreventionCheck the validity of the result after conversion to affine coordinates.

Conclusion

Thanks for your attention.

Questions?

Conclusion

Thanks for your attention.

Questions?

Conclusion

Fault Attacks onProjective-to-Affine Coordinates Conversion

Diana Maimut (ENS, France)Cedric Murdica (Secure-IC/Telecom ParisTech, France)

David Naccache (ENS, France)Mehdi Tibouchi (ntt Secure Platform, Japan)

Fault Attacks on Projective-to-Affine Coordinates Conversion

Documents

Transcript of Fault Attacks on Projective-to-Affine Coordinates Conversion

A key to the projective model of homogeneous metric spaces · homogeneous coordinates [6]. Projective geometry is di erent from a ne geometry in that it also allows one to model points,

Homogeneous coordinates Projective geometry- 2D ax+by+ …3 04/01/2004 Projective Geometry 2D 13 Projective transformations A projectivity is an invertible mapping h from P2 to itself

lecture 5 - McGill CIMlanger/557/5-slides.pdf · lecture 5 - projective transformation - normalized view volume - GL_PROJECTION matrix - clip coordinates - normalized device coordinates

1 Basic geometric concepts to understand Affine, Euclidean geometries (inhomogeneous coordinates) projective geometry (homogeneous coordinates) plane at.

Distinctive Image Features from Scale-Invariant Keypointsvgg/research/affine/det_eval_files/lowe_ijcv20… · image data into scale-invariant coordinates relative to local features.

Affine and projective universal geometry (pdf)

Vision for Graphics: Single View Modeling · 3D projective geometry These concepts generalize naturally to 3D • Homogeneous coordinates – Projective 3D points have four coords:

Differential Geometry of a Particular Group of Projective ... · Our geometry has the properties of the affine and therefore also of the projective geometry. We remark that W. BLASCHKE

PICTURES OF THE PROJECTIVE PLANE - math-art.eu · sorry that I do not know of any nice pictures of Hjelmslev planes or their uniserial rings of coordinates. Pictures of the projective

Geometric transformation - aiismath.com...Projective transformation •Also known as homography or homographic transformation. •A generalization of affine transformation. •Properties

PDF - arxiv.org · arxiv:1512.00835v4 [math.ag] 24 aug 2017 hodge theory and deformations of affine cones of subcanonical projective varieties carmelo di natale, enrico fatighenti,

Negligibility of Projective Linear AutomorphismsFrom Theorem 1.4, we can deduce Theorem 1.2 and the ‘‘negligibility’’ of an affine linear automorphism. Therefore we conclude

2D Projective Geometry - Department of Computer Sciencehager/teaching/cs461/Notes/Lect5... · · 2012-10-07• Fit affine transformation T to these s correspondences • Find inliers

Ames Room Projective Geometry - University of Washington3D projective geometry These concepts generalize naturally to 3D Homogeneous coordinates Projective 3D points have four coords:

Lecture 7 --- 6.837 Fall '01 - Research | MIT CSAILgroups.csail.mit.edu/graphics/classes/6.837/F01/Lecture...Geometric Image Transformations Algebraic Groups Euclidean Affine Projective

Structure from motion Multi-view geometry Affine structure from motion Projective structure from motion Planches : ponce/geomvis/lect4.ppt ponce/geomvis/lect4.ppt.

Homogeneous Coordinates (Projective Space) Let be a point in Euclidean space Change to homogeneous coordinates: Defined up to scale: Can go back to non-homogeneous.

Navigation using affine structure from motiondwm/Publications/beardsley_etal_eccv1994/fulltext.pdfUnlike recent schemes which compute projective or affine structure using a batch process,

EECS 442 Computer vision Multiple view geometry Affine ...x o D D Projective case Affine case Parallel projection matrix Magnification (scaling term) (points at infinity are mapped

CMSC427 Transformations Ireastman/slides/L05P1Transformations.pdf · •Classes: rigid, affine, projective •Representing transformations •Unifying representation with homogeneous