Project : cascade
Section: New Results
Cryptanalysis (Side-Channel)
Participant : Pierre-Alain Fouque.
The Carry Leakage on the Randomized Exponent Countermeasure, CHES '08
Fault Attack on Elliptic Curve with Montgomery Ladder, FDTC '08
At CHES 2008, we showed that an important countermeasure against DPA
attacks, the randomization of the secret exponent by adding to it a random
multiple of the group order (for instance the order of the elliptic curve),
can be defeated by a side-channel attack that recovers the carries of the
addition of the secret key with the random value. The carries leak because
such an addition is performed on large numbers, say 1024 bits, packed into
words of 8, 16 or 32 bits, and the carry propagated from one word to the next
depends on the secret. Using statistical methods, we show that the carry of
the addition of a fixed secret value with a random value reveals information
on the secret.
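The leakage described above, as an added example that is not part of the report or of the CHES paper: a simulated word-by-word addition of a fixed secret with a random value, the exact carry probabilities under a simplified model, and their inversion to recover the secret limb by limb. The model assumes that the words of the random addend are uniformly distributed (the real countermeasure adds a random multiple of the group order, whose words are not exactly uniform, which is why the paper needs a more careful statistical treatment); the 8-bit word size, the secret value, the seed and the sample count are arbitrary choices.

```python
"""Carry leakage of a multi-precision addition d + r (added example, not the
paper's code). Assumption: the attacker observes, for each execution with a
fresh random r, the carry out of every w-bit word; r's words are modelled as
uniform, which is a simplification of the r * (group order) addend."""
import random

WORD_BITS = 8  # arbitrary; real implementations use 8, 16 or 32-bit words


def to_words(value, n_words, w=WORD_BITS):
    """Little-endian split of value into n_words limbs of w bits."""
    return [(value >> (i * w)) & ((1 << w) - 1) for i in range(n_words)]


def from_words(words, w=WORD_BITS):
    return sum(x << (i * w) for i, x in enumerate(words))


def add_with_carries(a, b, w=WORD_BITS):
    """Schoolbook multi-precision addition of limb lists a and b.
    Returns (sum_limbs, carry_out_per_limb); the carry list is what the
    side channel is assumed to leak."""
    out, carries, c = [], [], 0
    for x, y in zip(a, b):
        s = x + y + c
        c = s >> w
        out.append(s & ((1 << w) - 1))
        carries.append(c)
    return out, carries


def carry_probabilities(d_words, w=WORD_BITS):
    """Exact Pr[carry_i = 1] for fixed limbs d_i and uniform random limbs r_i.
    carry_i = 1 iff d_i + r_i + carry_{i-1} >= 2^w, which for uniform r_i
    happens with probability (d_i + Pr[carry_{i-1}]) / 2^w."""
    probs, prev = [], 0.0
    for d in d_words:
        prev = (d + prev) / (1 << w)
        probs.append(prev)
    return probs


def observe_carry_rates(d_words, n_samples, rng, w=WORD_BITS):
    """Simulate n_samples randomized additions and count the leaked carries."""
    counts = [0] * len(d_words)
    for _ in range(n_samples):
        r = [rng.getrandbits(w) for _ in d_words]  # constructed random addend
        _, carries = add_with_carries(d_words, r, w)
        for i, c in enumerate(carries):
            counts[i] += c
    return [c / n_samples for c in counts]


def recover_words(rates, w=WORD_BITS):
    """Invert the recurrence limb by limb: d_i ~ 2^w * Pr[carry_i] - Pr[carry_{i-1}].
    The previous limb's observed rate is enough because it contributes at most 1."""
    words, prev = [], 0.0
    for p in rates:
        est = (1 << w) * p - prev
        words.append(min(max(round(est), 0), (1 << w) - 1))
        prev = p
    return words


def simulate_attack(secret, n_words, n_samples, seed):
    """End to end: leak carries from n_samples additions, then recover the limbs.
    Returns (true_limbs, observed_rates, recovered_limbs)."""
    d = to_words(secret, n_words)
    rates = observe_carry_rates(d, n_samples, random.Random(seed))
    return d, rates, recover_words(rates)


if __name__ == "__main__":
    d, rates, rec = simulate_attack(0xF002A937, 4, 300_000, 2024)  # constructed secret
    print("true limbs     ", d)
    print("carry rates    ", [round(x, 4) for x in rates])
    print("exact model    ", [round(x, 4) for x in carry_probabilities(d)])
    print("recovered limbs", rec, "->", hex(from_words(rec)))
```

The statistical precision needed grows with the word size: the estimate of each limb is 2^w times the error on the observed carry rate, so recovering 32-bit words exactly from carries alone needs far more traces than the 8-bit toy above, which is the trade-off the paper quantifies.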
At FDTC 2008, we show that a fault injected on the abscissa (the x-coordinate) of a compressed point on an elliptic curve cannot be detected: the Montgomery ladder, which uses only x-coordinates, runs exactly as if the point were on the curve. However, with probability one half the faulted point lies on the quadratic twist of the original elliptic curve, and if the group order of the twist is not prime, a classical Pohlig-Hellman algorithm can be used to recover the secret scalar. This is the first attack on the Montgomery ladder with compressed point representation, an algorithm that has been promoted by various people as one of the most secure ways of computing the scalar multiplication on an elliptic curve.
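The attack described above, as an added example that is not the paper's code nor its curve: a toy Montgomery-form curve (the form is chosen here because its x-only ladder formulas are the simplest; p = 1009, A = 9, B = 1 are arbitrary), an x-only Montgomery ladder that never checks whether its input lies on the curve, a faulted x-coordinate that lands on the quadratic twist, and a Pohlig-Hellman recovery of the scalar that uses only x-coordinates. The group orders of the curve and of its twist are brute-forced, which is only possible because p is tiny. Since x-only arithmetic cannot distinguish [k]P from [-k]P, the recovery returns every residue consistent with the observed output.

```python
"""Twist fault attack on an x-only Montgomery ladder (added example, not the
paper's code). Curve: y^2 = x^3 + A*x^2 + x over F_p; its quadratic twist uses
the same x-only formulas, so a ladder fed an x off the curve silently computes
on the twist. p, A and the secret scalar are arbitrary toy values."""

P, A = 1009, 9  # toy parameters; p prime, A^2 != 4 so the curve is nonsingular


def xdbl(R, a24, p):
    """x-only doubling of (X:Z); a24 = (A+2)/4."""
    X, Z = R
    t1, t2 = (X + Z) ** 2 % p, (X - Z) ** 2 % p
    t3 = (t1 - t2) % p  # 4XZ
    return t1 * t2 % p, t3 * (t2 + a24 * t3) % p


def xadd(R0, R1, xdiff, p):
    """Differential addition R0 + R1 given x(R1 - R0) = xdiff (affine)."""
    u = (R0[0] - R0[1]) * (R1[0] + R1[1]) % p
    v = (R0[0] + R0[1]) * (R1[0] - R1[1]) % p
    X3, Z3 = (u + v) ** 2 % p, xdiff * (u - v) ** 2 % p
    # (0:0) arises only when R0 = -R1 with x(R1) = +-1; the true sum is then infinity
    return (X3, Z3) if (X3, Z3) != (0, 0) else (1, 0)


def ladder(k, x, p=P, A=A):
    """x([k]Q) for the point Q with x-coordinate x; None is the point at infinity.
    Nothing here depends on whether x lies on the curve or on its twist."""
    if x is None:
        return None
    a24 = (A + 2) * pow(4, -1, p) % p
    R0, R1 = (1, 0), (x % p, 1)  # invariant: R1 - R0 = Q
    for bit in bin(k)[2:]:
        if bit == "1":
            R0, R1 = xadd(R0, R1, x, p), xdbl(R1, a24, p)
        else:
            R1, R0 = xadd(R0, R1, x, p), xdbl(R0, a24, p)
    X, Z = R0
    return None if Z % p == 0 else X * pow(Z, -1, p) % p


def is_on_curve(x, p=P, A=A):
    """True iff x^3 + A x^2 + x is zero or a square, i.e. some point of E has this x."""
    f = (x ** 3 + A * x * x + x) % p
    return f == 0 or pow(f, (p - 1) // 2, p) == 1


def group_orders(p=P, A=A):
    """Brute force (#E, #E') for the curve and its twist; #E + #E' = 2p + 2."""
    n = 1
    for x in range(p):
        f = (x ** 3 + A * x * x + x) % p
        if f == 0:
            n += 1
        elif pow(f, (p - 1) // 2, p) == 1:
            n += 2
    return n, 2 * p + 2 - n


def factor(n):
    fs, q = [], 2
    while q * q <= n:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        if e:
            fs.append((q, e))
        q += 1
    return fs + ([(n, 1)] if n > 1 else [])


def crt(r1, m1, r2, m2):
    return (r1 + m1 * ((r2 - r1) * pow(m1, -1, m2) % m2)) % (m1 * m2)


def pohlig_hellman_x(x_base, x_target, n, p=P, A=A):
    """All c in [0, n) with x([c]Q) == x_target, Q having x-coordinate x_base and
    order dividing n. Each prime-power residue of k is found by brute force up to
    sign (x-only), and all sign choices are combined by CRT, then re-checked."""
    residues = []
    for q, e in factor(n):
        qe = q ** e
        xb, xt = ladder(n // qe, x_base, p, A), ladder(n // qe, x_target, p, A)
        if xb is None:  # q does not divide ord(Q): no information from this factor
            rs = {0}
        elif xb == 0:   # [n/qe]Q is the 2-torsion point (0,0): only the parity of k
            rs = {0} if xt is None else {1}
        else:
            j = next(j for j in range(qe) if ladder(j, xb, p, A) == xt)
            rs = {j, (-j) % qe}
        residues.append((qe, rs))
    cands, mod = [0], 1
    for qe, rs in residues:
        cands = [crt(c, mod, r, qe) for c in cands for r in rs]
        mod *= qe
    return sorted(c for c in set(cands) if ladder(c, x_base, p, A) == x_target)


def twist_fault_attack(k, x_faulted, p=P, A=A):
    """The victim runs the ladder on a faulted x that is not on E; the attacker,
    knowing p, A, x_faulted and the output, solves the DLP on the twist."""
    _, n_twist = group_orders(p, A)
    return pohlig_hellman_x(x_faulted, ladder(k, x_faulted, p, A), n_twist, p, A)


def point_order(x, n, p=P, A=A):
    return min(d for d in range(1, n + 1) if n % d == 0 and ladder(d, x, p, A) is None)


if __name__ == "__main__":
    n_curve, n_twist = group_orders()
    x_off = next(x for x in range(1, P) if not is_on_curve(x))  # the faulted abscissa
    print("#E  =", n_curve, factor(n_curve), "  #E' =", n_twist, factor(n_twist))
    print("candidates for k = 1337 modulo", point_order(x_off, n_twist), ":",
          twist_fault_attack(1337, x_off))
```

The countermeasure the attack implies is the one the ladder omits here: check that the decompressed x actually satisfies the curve equation (or that the output does) before using the result, since the x-only formulas give no error on a twist point.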