## Sign Change Fault Attacks on Elliptic Curve Cryptosystems (2004)


Venue: Fault Diagnosis and Tolerance in Cryptography 2006 (FDTC ’06), volume 4236 of Lecture Notes in Computer Science

Citations: 14 - 0 self

### BibTeX

@INPROCEEDINGS{Blömer04signchange,
    author = {Johannes Blömer and Martin Otto and Jean-Pierre Seifert},
    title = {Sign Change Fault Attacks on Elliptic Curve Cryptosystems},
    booktitle = {Fault Diagnosis and Tolerance in Cryptography 2006 (FDTC ’06), volume 4236 of Lecture Notes in Computer Science},
    year = {2004},
    pages = {36--52},
    publisher = {Prentice Hall}
}


### Abstract

We present a new type of fault attacks on elliptic curve scalar multiplications: Sign Change Attacks. These attacks exploit different number representations as they are often employed in modern cryptographic applications. Previously, fault attacks on elliptic curves aimed to force a device to output points which are on a cryptographically weak curve. Such attacks can easily be defended against. Our attack produces points which do not leave the curve and are not easily detected. The paper also presents a revised scalar multiplication algorithm that provably protects against Sign Change Attacks.

### Citations

819 | The Arithmetic of Elliptic Curves - Silverman - 1986 |

429 | zur Gathen and - von - 1999 |

413 | Modular Multiplication Without Trial Division - Montgomery - 1985 |

354 | Tamper Resistance — a Cautionary Note - J, Kuhn - 1996 |

233 | Factoring Integers with Elliptic Curves - Lenstra - 1987 |

230 | Computer Arithmetic Algorithms - Koren - 1993 |

226 | Low cost attacks on tamper resistant devices - Anderson, Kuhn - 1997 |

186 | Speeding the Pollard and elliptic curve methods of factorization - Montgomery - 1987 |

162 | Resistance against differential power analysis for elliptic curve cryptosystems - Coron - 1999 |

159 | Elliptic Curves in Cryptography - Blake, Seroussi, et al. - 1999 |

149 | Design principles for tamper-resistant smartcard processors - Kommerling, Kuhn - 1999 |

143 | Efficient elliptic curve exponentiation using mixed coordinates - Cohen, Miyaji, et al. - 1998 |

110 | Die Typen der Multiplikatorenringe elliptischer Funktionenkörper - Deuring - 1941 |

97 | Speeding up the computations on an elliptic curve using addition-subtraction chains - Morain, Olivos - 1990 |

91 | Implementing the Rivest Shamir and Adleman public key encryption algorithm on a standard digital signal processor - Barrett - 1987 |

Citation Context: ...lly add +1. Note that providing this functionality is a must for the modulus register in order to implement the underlying modular multiplication algorithm efficiently, cf. [BOPV03], [Sed87], [WQ90], [Bar96] or [Mon85]. Given this functionality, it can be used for an attack. We consider such a crypto co-processor, cf. [Sed87], adding simultaneously at least three different operands with a possible sign c...

82 | Counting points on elliptic curves over finite fields - Schoof - 1995 |

81 | Optical fault induction attacks - Skorobogatov, Anderson - 2002 |

80 | Binary arithmetic - Reitwiesner - 1960 |

76 | A signed binary multiplication technique. Quarterly journal of mechanics and applied mathematics - Booth - 1951 |

Citation Context: ...gits are non-zero. It achieves a higher ratio of zeros to non-zeros, which reduces the number of additions/subtractions in the resulting double-and-add-or-subtract method. For details on the NAF, see [Boo51], [Rei60], [JY00], or [OT04]. Using the NAF, subtractions are introduced. Since negating a point on an elliptic curve simply means to change the sign of the y-coordinate, subtractions are cheap operat...

71 | The sorcerer’s apprentice guide to fault attacks - Bar-El, Choukri, et al. |

69 | Almost all primes can be quickly certified - Goldwasser, Kilian - 1986 |

59 | On the importance of eliminating errors in cryptographic computations - Boneh, DeMillo, et al. |

47 | Differential Fault Attacks on Elliptic Curve Cryptosystems - Biehl, Meyer, et al. - 2000 |

46 | Protections against differential analysis for elliptic curve cryptography-an algebraic approach - Joye, Tymen - 2001 |

38 | High-speed arithmetic in binary computers - MacSorley - 1961 |

34 | Optimal left-to-right binary signed-digit recoding - Joye, Yen - 2000 |

31 | Fault attacks on RSA with CRT: Concrete results and practical countermeasures - Aumüller, Bier, et al. - 2002 |

31 | Elliptic Curve Cryptosystems in the Presence of Permanent and Transient Faults - Ciet, Joye |

30 | The montgomery powering ladder - Joye, Yen - 2002 |

27 | Smart card crypto-coprocessors for public-key cryptography - Handschuh, P |

24 | Hardware architectures for public key cryptography - Batina, Örs, et al. - 2003 |

20 | A new CRT-RSA algorithm secure against Bellcore attacks - Blömer, Otto, et al. - 2003 |

19 | Resistance against differential power analysis for elliptic curve cryptosystems - Coron - 1999 |

18 | Method and Apparatus for Protecting Public Key Schemes from Timing and Fault Attack - Shamir - 1999 |

17 | Constructing elliptic curve cryptosystems in characteristic 2 - Koblitz - 1990 |

15 | Eddy current for Magnetic Analysis with Active Sensor - Quisquater, Samyde - 2002 |

15 | RSA Speedup with Chinese Remainder Theorem Immune against Hardware Fault Cryptanalysis - Yen, Kim, et al. - 2003 |

Citation Context: ...r weighted projective representations such as Jacobian or Hessian representations will do just as well. It has been noted in the literature that it is desirable to eliminate single points of failure ([YKLM03], [BOS03]). The explicit check proposed in Line 5 uses the zero flag as a single point of failure. However, one could easily modify the algorithm to use "infective computations" as defined in [YKLM03]...

12 | Compact encoding of non-adjacent forms with applications to elliptic curve cryptography - Joye, Tymen - 1992 |

11 | The RSA Cryptography Processor - Sedlak - 1987 |

Citation Context: ... to compute the 2th complement of any register used as a multiplicand without time delay. Actually, considering the prototypical architecture of such an embedded crypto-co-processor, cf. [BOPV03] and [Sed87], this task is trivial to solve. Namely, simply invert every bit send to the long integer arithmetic unit (ALU) and additionally add +1. Note that providing this functionality is a must for the modulu...

8 | CORSAIR: A smart card for public key cryptosystems - Waleffe - 1990 |

6 | Protections against Differential Analysis for Elliptic Curve Cryptography-An Algebraic Approach - Joye, Tymen - 2001 |

4 | Exceptional procedure attack on elliptic curve cryptosystems - Izu, Takagi |

1 | P1363/D3 (Draft Version 3), Standard specifications for public key cryptography - IEEE - 1998 |

1 | SCA-resistant and fast elliptic scalar multiplication based on wNAF - Okeya, Takagi |