Attacks on Authentication and Signature Schemes ...

Attacks on Authentication and Signature Schemes Involving Corruption of Public Key (Modulus) Michael Kara-Ivanov ∗ [email protected]

Eran Iceland [email protected]

Aviad Kipnis [email protected]

NDS Technologies Israel Ltd. 5 Shlomo Halevi Street, Jerusalem, Israel

Abstract Brier et al (2006) [1] showed how to attack RSA by induction of faults in public modulus n. We propose to use the same kind of technique to attack other asymmetric cryptographic schemes. The most interesting case in which we use a somewhat different approach is the attack on Elliptic Curves based signature protocol (namely ECDSA). Here we also take advantage of the short keys to offer a nontrivial practical attack that enables us to fully recover the private key. Different idea is used to attack Guillou-Quisquater authentication scheme (GQ). This demonstrates how the difference between schemes influences the details of the modulus corruption attacks. Special efforts were devoted to calculate the amount of corrupted data to perform the attack on each scheme. Various ways of protection against fault injection attacks on public key elements are discussed. Keywords: Fault Injection Attacks, Corruption of Public Key (Modulus), Attacks on Signature and Authentication schemes, Smart Cards, Elliptic curve cryptography.

1. Introduction Smart Card technology in general with its various security aspects is reviewed in [2]. Various cryptographic algorithms, used in smart card are reviewed in [3, 4]. Traditionally, the security of public key authentication and signature protocols is related to the difficulties of the factorization and discrete logarithm problems. Concrete implementation of these algorithms may open the doors to a variety of sidechannel attacks [5,6]. Another type of attacks is ”fault attacks”. These attacks started from attacks on private parameters [7,8], other attacks were mounted against symmetric ciphers in both block [9] and stream modes [10], and recently the list of these attacks was extended also by attacks ∗ The authors would like to thank Ohad Shamir, Yaron Sella, and Yaacov Belenky for their help

on public parameters of public key cryptosystems [1,11]. Sometimes, a combination of various types of attacks can lead to a disclosure of smart card secrets [12]. Brier et al (2006) [1] showed, how to attack RSA by induction of faults in public modulus n, without making any assumption about concrete model of modulus corruption. This approach enabled an attacker to achieve full recovery of a secret key stored in a secure device (for example, smart card). Most impressing in this attack is that no knowledge of the fault behavior is needed to achieve the attacker’s goal. In fact, most simple fault to induce is to change a word (the size of the word depends on architecture) in an undetermined way. This can be achieved when public key components (for example, modulus) stored in EEPROM or in Flash are transferred to RAM. We propose to use the same kind of technique to attack other asymmetric cryptographic schemes. We would like to emphasize that we attack here only public elements of the scheme which are usually less defended then the secret components. The most interesting case in which we use a somewhat different approach is the attack on Elliptic Curves based signature protocol (namely ECDSA). Though there are two different moduli involved in the scheme, we show that it is enough to induce fault only in one of them - and using a nontrivial calculations to recover the private key. Here we also take advantage of the short keys to offer a nontrivial practical attack that enables us to fully recover the private key. The amount of data, which shall be collected to perform the attack, depends on the key length. The same idea can be used to attack Guillou-Quisquater authentication scheme. This demonstrates how the difference between schemes influences the techniques of the attack and the amount of needed data to perform the attack. We also offer various ways of protection against these kinds of attacks. Some of them depend on the algorithm itself (for example exposing hash of values instead of the values themselves) and some involves a change in the implementation (such as repeat some processes and compar-

ing the values). In each case we indicate to what attack this protection is applicable. The rest of the article is ordered as follows: In the next section we show how to attack the ECDSA scheme by modulus corruption method. We also shortly survey a previous work that was done in that field and emphasizes the advantages of our work. In the third section we demonstrate how to extend the idea to Guillou-Quisquater authentication scheme. From these attacks one can also continue to attack other asymmetric schemes. In the forth section we discuss ways of protection against these attacks. In the fifth section we conclude and summarize the results of this article. In Appendix A, we present a theoretic calculations that helped us to estimate the number of necessary faults needed to have a successful attack.

2. An Attack on ECDSA We start here with our most interesting result: a modulus corruption attack on cryptographic scheme based on elliptic curves - namely ECDSA (a variant of the Digital Signature Algorithm (DSA), which operates on elliptic curve groups). As we show in the sequel, in this case we benefit from the short key size which makes the attack more feasible.

2.1. Background Elliptic curves cryptography was introduced independently by Koblitz [19] and Miller [20] as an alternative for cryptographic protocols based on the discrete logarithm problem on a multiplicative group of a finite field. The security of these protocole relies on the hardness of the following question: Given 2 points G and Q on an elliptic curve E such that Q = dG - find d. The arithmetic of elliptic curves in general, its properties and the way it is used in Cryptography may be widely found in the literature. For example see [21, 22]. Key Generation Let us describe the ECDSA scheme [13,14]. Suppose that the curve parameters are (p, a, b, G, n, h). Here p is a prime number, G = (xG , yG ) is a base point on E(Fp ). The number n (the order of G) is a prime (in fact, both the elliptic curve itself and the base point G were chosen to ensure, that n is prime), and h is an integer, which is the cofactor h = #E(Fp )/n. Here #E(Fp ) is the number of points on the curve E(Fp ) (including the point at infinity); a and b are parameters in the curve’s equation y 2 = x3 + ax + b, so a, b ∈ Fp . Also, Alice must have a key pair suitable for elliptic curve cryptography, consisting of a private key dA (a randomly selected integer in the interval [1, n−1]) and a public

key QA (one more point on the subgroup, generated by G), computed by the formula QA = dA G. Remark: We assume here the elliptic curve is defined over the field E(Fp ) for a ”big” prime number p. The same attack is valid if the curve is defined over the field of 2m elements. The protocol of ECDSA Suppose that Alice wants to send a signed message m to Bob. First Alice calculates the digest e of this message e = Hash(m). Then she does the following: I. Selects a random integer k ∈ [1, n−1] (k is equivalent to a session secret key in other systems). II. Calculates r = x1 (mod n), where (x1 , y1 ) = kG. If r = 0, go back to step I. III. Calculates s = k −1 (e + rdA ) back to step I.

(mod n). If s = 0, go

IV. The signature of the message m with the digest e is the pair (r, s). Previous work The security of point multiplication on elliptic curves in the presence of faults was considered by Biehl, Meyer and Muller [23]. They noted that the parameter a6 (in out notation it is the parameter b in the curve’s parameters) is not used in the classical addition formula. Hence by choosˆ and knowing the result of ing a different base point G ˆ the multiplication dG they derived some knowledge on the secret d. Ciet and Joye [24] extended the attack model of Biehl, Meyer and Muller to a more practical scenario: They showed that if the first coordinate of the base point ˆ = (ˆ G = (x, y) was changed to G x, y), where x ˆ is unknown they can guess x ˆ with good probability and derive some knowledge on the secret d. Ciet and Joye showed also how inducing fault on the field representation can reveal some information on the secret d. A different approach was taken by Blomer, Otto and Seifert [25]. In their model the attacker can change an intermediate value - a point on the curve Qi appeared during one of the iteration in the calculation of the multiplication, to its inverse −Qi . The attacker does not know on which iteration the fault was induced.

2.2. Our Attack on ECDSA The Fault Model The common idea in these works is that they attack directly the computation Q = dG. This computation is usually done

on serialization and hence it is not likely to attack it. As opposed to that, we assume that the keys (public and private) were generated correctly and we have a cryptographic device (smart card for example) that has these keys and uses the ECDSA protocol to sign messages. A pirate put his hands on this cryptographic device and would like to reveal its secret (i.e. the private key). We assume that the curve parameters are stored in a non volatile memory of a cryptographic device (for example EEPORM of a smart card) that sign messages using the ECDSA protocol. When a message should be signed, the parameters are loaded into the RAM. At the point when the modulus n is loaded, a glitch is injected - changing the value of the modulus registers into an unknown number denoted by ni . For simplicity of discussion, assume that ni is uniformly distributed among the integers with bit-size less or equal to the bit-size of n. This random number is used by the device (instead of the real modulus) during the protocol to produce a corrupted signature (ri , si ). This fault is induced many times - each with a different random number. We collect the corrupted signatures and using them we fully recover the secret key. Note that here we induce fault only on the public key parameters (which are usually less defended) and we do not assume to know the value of the register after the fault was induced. Note that the integer k selected in stage I of the protocol might not be invertible (mod ni ). In this case we do not know what the cryptographic device’s calculation of k −1 (mod ni ) in stage III will yield, so we can think of it as an arbitrary number.

The difficulties Before we show how to attack the scheme let us discuss the objective difficulties in the attacks on this type of schemes. First, there are two moduli involved in the scheme: the characteristic of the field p (computation of kG in stage II involves addition and multiplication in the field Fp ), and the modulus n which appears in stages II and III of the scheme. At first glance, attacking only the modulus n to a uniformly distributed number ni without affecting p does not seem to help. The reason for this is that since k is randomly distributed the attacker will expect s to be also randomly distributed and it does not seem to yield a constructive information. The alternative is to attack both moduli n and p simultaneously. In this case which is technically much harder to conduct, the point G is not any more on the curve (mod pi ) (pi is a corrupted value, used instead of modulus p), so the calculation of (x1 , y1 ) gives a random value which also does not seem to be helpful. Even though, we found a way to attack the scheme.

The attack’s description Each fault yields a triple (ni , ri , si ) (ni is unknown). The motivation of the attack is as follows: Let l be a small prime and suppose that l | ni , l - dA (we cannot know it since both ni and dA are unknown) and suppose also that si ≡ 0 (mod l) and ri 6≡ 0 (mod l). From step III we know that k −1 (e + rdA ) ≡ 0 (mod l). With high probability this means that (e+rdA ) ≡ 0 (mod l) and hence dA ≡ −e/ri (mod l) In order to recover the secret dA (mod l), the attacker can do the following: 1. Collect sufficiently many corrupted signatures (ri , si ), where the input ei is not divided by l. 2. For each signature: if si ≡ 0 (mod l) and ri 6≡ 0 (mod l), compute the value −ei /ri (mod l) as a candidate for dA (mod l). Note that this candidate cannot be 0. 3. As explained in the sequel, if dA ≡ x (mod l), for x 6= 0 (mod l), one expects x to appear almost twice than any other values. If dA ≡ 0 (mod l), one expects all the values (except 0) to appear with the same probability. Hence, the attacker analyzes the distribution of the candidates to get the value of dA (mod l). We will now analyze the distribution of the candidates mentioned in step 3. We assume that si ≡ 0 (mod l) and ri 6≡ 0 (mod l). Suppose first that dA 6≡ 0 (mod l). The case when l | ni and k −1 6≡ 0 (mod l) (so we have the correct value of dA (mod l)) happens with probability l−1 l2 . Otherwise, all the integer values in [1, l − 1] will appear as candidates for dA (mod l) with the same probability. So, the ratio between the probability in which the correct value should appear and the probability of the other l . If dA (mod l) ≡ 0, then since ei values, is 2 − l2 −l+1 (mod l) 6≡ 0, the value −ei /ri (mod l) is nonzero, and all the values between 1 and l − 1 should appear as candidates for dA (mod l) with the same probability. Now, we would like to estimate the amount of data that should be collected in order to recover the secret key. Suppose that the secret key dA is 160-bits long (equivalent to 1024-bits of RSA). Using CRT we must find dA (mod l)j for j = 1, 2, . . . where the lj ’s are prime numbers such that l1 · l2 · . . . > 2160 . An easy computation shows that it is enough to use all the primes less than 131. Let l be one of these prime numbers. Among the collected data we restrict out attention only to the pairs (ri , si ) where si ≡ 0 (mod l) and ri 6≡ 0 (mod l) and compute −ei /ri (mod l). Here we need to distinguish between two options: A. All the numbers between 1 to l − 1 appears with the same probability. (Hence dA (mod l) ≡ 0.)

B. There is x ∈ [1, l − 1] that its probability to appear is almost as twice as the other numbers. (Hence dA (mod l) ≡ x.)

The question is: how many (fault) signatures one needs in order to distinguish between the options? It is clear that this number is growing as l grows, so let’s concentrate on the case where l = 131. According to our numerical experiments (software simulation) if we take 130 · 13 (i.e the average number of appearance is 13) signatures, with a high probability one can distinguish between the two options and find dA (mod l). Taking into account that we restricted our attention to only l−1 l2 ≈ 1/132 of the signatures we came to conclusion that one needs a total number of 250, 000 signatures to fully recover the secret key dA with a high probability. Our theoretic computation in the appendix also supports this estimate. Moreover, since we have the equality QA = dA G where QA and G are known it is easy to check if we indeed recovered the correct number. If we didn’t, we probably have a problem with dA (mod l) for a large l - so we can try for example to take the 10 biggest primes we used (in our case 83, 89, . . . 131) and for each of them try the 3 most probable options for dA (mod l). It demands 310 attempts (which can be easily handled by a PC) and significantly increases the probability to recover the correct secret key. From now on, we will not elaborate on how the estimates were done since we used the same methods for all cases, of course, with the required changes. If the secret key dA is 256-bits long (equivalent to 3072-bits of RSA), it is enough to use all primes less than 199 to recover dA (mod l). In this case, the attacker needs 600, 000 corrupted signatures. Remark: The same attack is applicable also to the Digital Signature Algorithm (DSA) [26 ]. Remark: If the fault model is different and we can choose the corrupted moduli, (for simplicity assume we can also choose the input) then we can perform the attack with only 5000 corrupted modulus: Let us demonstrate it in the case of 160 bits key size. Choose 5000 different numbers ni (i = 1, 2 . . . 20) where each prime less than 131 divides half of them. Let e = ei be a prime number bigger then 131 (so for each prime l < 131, ei 6≡ 0 (mod l)). Now compute the corrupted signatures (ri , si ). For a given prime l denote by Al all the signatures (ri , si ) where l | ni , si ≡ 0 (mod l) and ri 6≡ 0 (mod l). An easy computation shows that one should expect at least 10 couples (ri , si ) that hold all the conditions. Now Compute all the values −ei /ri (mod l) for (ri , si ) ∈ Al . If one receives the same value (maybe except of one) then this is the value of dA (mod l). Otherwise dA (mod l) ≡ 0.

3. Extending the attack into other schemes Brier et al [1] showed how to attack RSA by induction of faults in public modulus n. We showed here how to attack ECDSA by inducing fault on the modulus. The same idea can able us to attack many other scheme. In each scheme one should analyze it carefully to see how randomizing the modulus will enable us to reveal secret. We will demonstrate it on Guillou-Quisquater Identification scheme [15,16]. Remark: Among the other schemes that can be attacked by the described method is Schnorr’s Authentication protocol [17,18]. However, in this case the amount of faults that should be collected is 235 (for 1024 bits key size) which makes the attack harder to perform.

3.1. An Attack on Guillou-Quisquater Identification Scheme A brief description of Guillou-Quisquater Identification scheme is given below: Key Generation Assume that Peggy wants to prove her identity to Victor. Peggy’s public key consists of J (a set of credentials), n (a product of two large secret primes p, q) and an exponent v (v should be sufficiently large and gcd(v, (p − 1)(q − 1)) = 1 ). Peggy’s private key is B, calculated such that JB v ≡ 1 (mod n). GQ Identification Scheme I. Peggy picks a random integer r, r ∈ [1, n − 1]. Peggy computes T ≡ rv (mod n) and sends it to Victor. II. Victor picks a random integer d, d ∈ [0, v − 1]. Victor sends d to Peggy. III. Peggy computes D ≡ rB d Victor.

(mod n) and sends it to

IV. Victor computes T 0 ≡ Dv · J d (mod n). If T ≡ T 0 (mod n), then authentication succeeds. An Attack on GQ Scheme The fault model is very similar to the one described before. A cryptographic device (for example smart card) that holds the private key B proves its identity to another cryptographic device using the GQ protocol. The attacker eavesdrops to the communication during the protocol. He also corrupts the modulus using a glitch to a random number ni which remains unknown to the attacker. The attack on

the identification scheme of Guillou-Quisquater can be performed in the following manner:

4. Protection of Cryptography Schemes Against Modulus Corruption Attacks

1. At the first stage, the attacker collects triples of (Ti ,Di , di ), which were sent between Peggy and Victor during an authentication protocol, with simultaneous attempts to produce a fault injection in the modulus n, thus producing faulty moduli ni .

This section summarizes some of our suggestions on how to defend against modulus corruption attacks discussed earlier. Protection of cryptography schemes against its elements corruption attacks can be roughly divided into two different groups: generic protections and algorithm specific protections. In the following list we described several generic protections of cryptographic schemes components.

2. Let l be a small prime and assume gcd(l − 1, v) = 1. 3. For each triple, if gcd(di , l − 1) = 1 an attacker calculates Bi

1 di

− d1v i

(mod l) ≡ Di · Ti

(mod l).

4. Most of results Bi (mod l) will be randomly distributed, while a small number of them will give the same result. The repetition of the result corresponds to a case when l | ni , and thus the attacker knows true value of B (mod l). 5. An attacker uses Chinese Reminder Theorem (CRT) to reconstruct unreduced value of B from partial residues B (mod l). Let us now estimate the effort necessary to get smart card secret B by this method. We can work here only with primes l such that gcd(l−1, v) = 1. This condition depends on the scheme parameters, but in many cases v is a prime so we will discard this condition in our analysis. In any case it is not likely that this condition will disqualify too many primes. Given l, the probability that l | ni is 1l . For a given l, the condition gcd(di , l − 1) 6= 1 will disqualify approximately 2/3 of the triples (it is known that the probability of a random integer and an even random integer to be coprime is 0.4). In order to recover a 512-bits secret key, it is enough to calculate B (mod l) for all primes less than 385. Given one of these primes, we calculated, that collecting 10, 000 triples where di and l − 1 are coprime will be enough to recover B (mod l). Hence we estimate that in this case 30, 000 results, produced by corrupting the modulus, will be enough. If the secret key is 1024 bit long, it is enough to calculate B (mod l) for all primes less than 745. In this case, one needs to get 60, 000 results with a corrupted modulus. Remark: This attack may be easily protected with a slight change in the protocol. Suppose that in stage I Peggy sends HASH(T ) instead of T . (It means that in stage IV Victor should compare HASH(T 0 ) with HASH(T ) instead of T 0 with T - which does not affect the security of the protocol). In this case the attacker does not have the value of Ti and the attack is prevented.

1. Do not expose faulty values, such as signatures. Calculate everything twice and check the consistency of the calculations before exposing data, or alternatively check the correctness of signature before releasing it. With these protections an attacker will not be able to accumulate faulty results to attack signature schemes. ”Calculate twice” protection makes sense only for ”deterministic” schemes, in which one gets the same signature for various instances of signing of the same message. Check of the signature correction by verification may be used also for none-deterministic schemes. Both protections represent a generic protection of signature schemes against modulus corruption attacks. This protection is also valid against corruption of other components of the scheme. An obvious drawback of these protective measures is reduced efficiency, as both second calculation and verification are time consuming. It is important to note, that verification mentioned above is not necessarily full verification. Sometimes simple checksum or additional redundancy is enough. For example, if the device (for example, smart card) performs (say, RSA) decryption we suggest the following. Clear message is concatenated with checksum (or any other redundancy) of this very message and this concatenation is encrypted outside of the smart card. At the end of decryption process inside a smart card this checksum (or redundancy) is verified and removed. Only if verification was performed correctly the clear message is released outside the smart card. It is important to note, that removal of the part of decrypted message itself (even without checksum verification) already represents a protection against modulus corruption attacks. 2. Encrypt communication between Peggy and Victor, thus making difficult or impossible for an attacker to collect intermediate values to perform described above modulus corruption attack. This is a generic protection of authentication protocols, such as GQ etc. Unfortunately, communication encryption between Peggy and Victor is not always possible and demands significant efforts (shared key or additional public cryptography infrastructure).

3. Hash intermediate values when performing authentication (for example, GQ) and signing (for example, Schnorr signature) protocols. See the remark after the description of the attack on GQ authentication scheme. 4. As was discussed earlier, most simple fault to induce is to change a word (the size of the word depends on architecture) in an undetermined way. This can be achieved when public key components (for example, modulus) stored in EEPROM or in Flash are transferred to RAM. We suggest to perform this transfer of the modulus into RAM on various authentication and signature stages (if several stages exist), thus making it difficult to get identical modulus faults during the various stages of the authentication protocol. The same value of a corrupted modulus during the various stages of authentication protocol would be critical for the described above attacks. This may be viewed as a generic protection measure, however, each particular protocol shall be reviewed separately to build better protection. For example, in GQ protocol one can see three natural different points (in stages I, III and IV) for modulus reloading from EEPROM or Flash to RAM.

5. Conclusion We described modulus corruption attacks on a number of authentication and signature schemes with an aim to recover the secret keys from a secure device (for example, smart card), which produces the signature of given message or authenticates itself in dialog with another device. Our first contribution can be viewed as an extension of Brier et al (2006) attack on RSA [1] to other authentication and signature schemes. In addition, as straightforward modulus corruption attack is not feasible for Elliptic Curves signature protocol (ECDSA) and DSA, we proposed a novel way to attack these protocols with modulus corruption attack. Our article does not discuss full list of the schemes, which can be attacked by modulus corruption method. Instead, we had chosen the most interesting cases (in our opinion) and stressed different details of attacks, number of necessary data to provide these attacks and protection of these schemes. We would like to note, that not only modulus, but other components of authentication and signature schemes can be corrupted with fault injection attack and subsequent recover of the secrets of secure device. Because of this we stressed several generic protections which defend these schemes against full variety of fault injection attacks.

References [1] E. Breier, B. Chevallier-Mames, M.Ciet and C. Clavier, Why One Should Also Secure Public Key Elements, Workshop

on Cryptographic Hardware and Embedded Systems (CHES 2006) LNCS 4249, pp 324-338, 2006. [2] W. Rankl and W. Effing Smart card Handbook, Second Edition, John Wiley and Sons, 1999. [3] J. Borst, B Preneel, V. Rijimen, Cryptography on smart cards, Computer Networks 36 (4), 2001, pp 423-435. [4] B. Prenel, A survey of recent developments in cryptographic algorithms for smart cards, Computer Networks 51 22232233, 2007. [5] P.C. Kocher, J. Jaffe and B. Jun., Differential Power Analysis, Proceedings of Advances in Cryptology (Crypto 99’), pp 388397, Springer-Verlag, 1999. [6] S. Mangard, E. Oswald , T. Popp, Power Analysis Attacks: Revealing the Secrets of Smart Cards, Advances in Information Security, Springer-Verlag, 2007. [7] D. Boneh, R.A. DeMillo, and R. J. Lipton. On the Importance of Checking Cryptographic Protocols for Faults, In W. Fumy, editor, Advances in Cryptology-EUROCRYPT ’97, International Conference on the Theory and Application of Cryptographic Techniques, Konstanz, Germany, May 11-15, 1997 Proceedings, vol 1223 of Lecture Notes in Computer Science, p 37-51. Springer-Verlag, 1997. [8] D. Boneh, R.A. DeMillo, and R. J. Lipton. On the Importance of Checking Cryptographic Protocols for Faults, Journal of Cryptology, Springer-Verlag, 1997. 14, 2, pp 101-119, 2001. [9] E. Biham and A. Shamir, Differential Fault Analysis of Secret Key Cryptosystems, Proceedings of Advances in Cryptology (Crypto 97’), pp 513-525, Springer-Verlag, 1997. [10] J. Hoch and A. Shamir, Fault Analysis of Stream Ciphers, Cryptographic Hardware and Embedded Systems CHES ’2004, Springer-Verlag, LNCS 3156, 2004, pp 240-253. [11] J.-P. Seifert, On authenticated computing and RSA-based authentication, ACM Conference on Computer and Communications Security: 122-127, 2005. [12] D. Naccache, P.Q. Nguyen, M. Tunstall, and C. Whelan, Experimenting with faults, lattices and the DSA, PKC’ 05, LNCS 3386, pp.16-28, Springer Verlag, 2005. [13] Accredited Standards Committee X9, American National Standard X9.62-2005, Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA), November 16, 2005. [14] Certicom Research, Standards for efficient cryptography, SEC 1: Elliptic Curve Cryptography, Version 1.0, September 20, 2000. [15] L.C. Guillou and J.-J. Quisquater, A Practical ZeroKnowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory, Proceedings of Eurocrypt 88, Springer-Verlag Eds, pp. 123-128, 1988.

[16] J.-J. Quisquater and L.C. Guillou, Des Procedes d’Authentication Bases sur une Publication de Problemes Complexes et Personnalises don’t les Solutions Maintenues Secrets Costituent autant d’Accreditations, Proceedings of SECURICOM ’89: 7th Worldwide Congress on Computer and Communication Security and Protection, Societe d’Edition et d’Organisation d’Expositions Professionnelles, 1989, pp 149-158. (in French.)

encountered the following question. Let n be an integer. Suppose we have a probabilistic process that yields results in [0, n − 1]. Suppose also, that for all y ∈ [0, n − 1] the probability is the same except one value x ∈ [0, n − 1] such that P r(x) = P r(y) + . Our question is: how many times should we go through the process in order to determine x? Let us denote this number by m. It is easy to conclude, that for all y 6= x,

[17] C.P. Schnorr, Efficient Signature Generation for Smart Cards, Proceedings of Advances in Cryptology (Crypto 89’), pp 239-252, Springer-Verlag, 1990. [18] C.P. Schnorr, Efficient Signature Generation for Smart Cards, Journal of Cryptology, v.4, n.3, 1991, pp. 161-174. [19] N. Koblitz, Elliptic Curve Cryptosystems, Mathematics of Computation, 48(177): 203-209, 1987. [20] V.S. Miller, Use of elliptic curves in cryptography, Crypto 85’, volume 218, of Lectures Notes in Computer Science, pages 308 - 318. [21] Joseph H. Silverman, The Arithmetic of Elliptic Curves, Springer-Verlag, New York, 1986. [22] Neal Koblitz, A course in number theory and Cryptography, 2nd edition, Springer-Verlag, New York, 1994, pages 167 199. [23] I. Biehli, B. Meyer, V. Muller, Differential fault attacks on elliptic curve cryptosystems, In M. Bellare, editor, Advances in Cryptology, CRYPTO 2000, volume 1880 of Lectures Notes in Computer Science, pages 131-146. Springer-Verlag, 2000. [24] M. Ciet and M. Joye, Elliptic Curve Cryptosystems in the Presence of Permanent and Transient Faults, In Designs, Codes and Cryptography 36(1): 33-43, 2005. [25] J. Blomer, M. Otto and J.P. Seifert, Sign change fault attacks on elliptic curve cryptosystems, 2nd Workshop on Fault Diagnosis and Tolerance in Cryptography - FDTC 2005, (L. Breveglieri and I. Koren, editors), Edinburgh (Scotland), 2005 [26] National Instistue of Standards and Technology, NIST FIPS PUB 186-2 Digital Signature Standard, U.S Department of Commerce, January 2000 [27] S. Kullback and R. A. Leibler (1951) On information and sufficiency, Annals of Mathematical Statistics 22:79-86.

P r(y) = py =

1− n

and

1− + . n For all z ∈ [0, n − 1], denote by pˆz the proportion of receiving z in m experiments. Using the inequality P r(x) = px =

DKL (p||q) ≥

(p − q)2 , 2 max{p, q}

(Here DKL (p||q) is the Kullback - Leibler divergence. For example see [27]). We obtain that P r(px − pˆx ≥

  ) ≤ e−m·DKL (px − 2 ||px ) ≤ 2

2 /4

mn2

e−m 2(1+(n−1))/n = e− 8(1+(n−1)) P r(ˆ py − py ≥

  ) ≤ e−m·DKL (py + 2 ||py ) ≤ 2

2 /4

mn2

e−m 2((1−)/n+/2) = e− 8((1−)+n/2) In case of a failure (the most common value is different from x) we must have or pˆx ≤ px − /2 either there exists y 6= x such that pˆy ≥ py + /2. Hence, the probability of a failure is bounded by the sum of the probabilities of these events. We have: P r(f ailure) ≤ (n − 1)P r(ˆ py ≥ py + /2) + P r(ˆ px ≤ px − /2) ≤ mn2

mn2

mn2

(n − 1)e− 8((1−)+n/2) + e− 8(1+(n−1)) ≤ ne− 8(1+(n−1)) . If we want P r(f ailure) ≤ δ then we can demand mn2

A. Theoretical Calculation of Number of Corrupted Moduli Needed to Provide an Attack

ne− 8(1+(n−1)) ≤ δ. An easy computation shows that this is equivalent to m ≥ 8(

This Appendix is devoted to theoretical development of an expression for number of faults in modulus necessary for successful modulus corruption attack. Making numerical experiments for the attacks described in this paper, we

If we take  =

1 nd

n−1 n 1 + ) log( ). n2 n δ

for an integer d then we have

n m ≥ 8(n2d−1 + nd − nd−1 ) log( ) δ

This bound is not tight. Moreover, in a case when we are trying to recover a secret, and it is possible to find out if we have the correct answer, we can assume that for ”big” values of n the correct value will be among the highest values (and not exactly the highest). This explains why our simulations shows that we can omit the log( nδ ) factor, and the number of actual needed experiments is m = 8(n2d−1 + nd − nd−1 ). This expression together with numerical experiments were used in our estimates of the necessary number of faults for successful modulus corruption attack.