Analysis of the Fault Attack ECDLP over Prime Field

In 2000, Biehl et al. proposed a fault-based attack on elliptic curve cryptography. In this paper, we refine the fault attack method. An elliptic curve E is defined over the prime field F_p with base point P ∈ E(F_p). Applying the fault attack to these curves, the discrete logarithm on the curve can be computed in subexponential time L_p[1/2, 1 + o(1)]. The runtime bound relies on a heuristic conjecture about smooth numbers similar to the one used by Lenstra (1987).


Introduction
In 1996, a fault analysis attack was introduced by Boneh et al. [1]. Biehl et al. [2] proposed the first fault-based attack on elliptic curve cryptography [3, 4]. Their basic idea is to change the input points, the elliptic curve parameters, or the base field in order to perform the operations in a weaker group where solving the elliptic curve discrete logarithm problem (ECDLP) is feasible. A basic assumption for this attack is that one of the two parameters of the governing elliptic curve equation is not involved in the point operation formulas. In this way, the computation can be performed on a cryptographically less secure elliptic curve.
In [2], it is claimed that the attacker can obtain the secret multiplier k in subexponential time, but the authors did not give a proof or even an outline of one. We find that this is not a trivial result, since the distribution of the cardinality of elliptic curves over the finite field F_q is not uniform in the interval [q + 1 − 2√q, q + 1 + 2√q].
In practice, in order to obtain better performance, a cryptosystem may be based on some special family of elliptic curves. Here, we assume that the fault attack is restricted to the following elliptic curve defined over the prime field F_p: (1.1) which is denoted by E_{A,B}. In this paper, we prove that the attacker can obtain the secret multiplier k in subexponential time when the fault attack is restricted to the elliptic curve family E_{A,B}. Note that a simpler proof is obtained when the fault attack is based on general elliptic curves. In Section 2, the fault attack method is described in detail and some improvements to it are introduced. First, we can control the order of the fault point in E_{A,B'} by a suitable choice of the random key d. Second, some points in E_{A,B} can be chosen as fault points to increase the probability of success of the fault attack.
Our analysis depends on the number of E_{A,B'}(F_p) with B' ∈ F_p. In Section 3, we study the isomorphism classes of the elliptic curves of form (1.1). By Deuring [5], we find that the density of √p is large enough to ensure the success of our method. The analysis in this paper shows that the performance of the algorithm is largely determined by the density of numbers built up from small primes in the neighborhood of p + 1 and by the number of isomorphism classes of elliptic curves that can be expressed in form (1.1). If a reasonable conjecture concerning the density of smooth integers is assumed, then the following can be proved.
Suppose that 0 ≤ α ≤ 1 and c is a positive constant; let There is a function Then, with a suitable choice of parameters, the ECDLP in the family of elliptic curves (1.1) can be determined by the attacker with probability at least 1 − e^{−h} within time K(p)M(p), where M(p) = O((log p)^{11}) and h is the number of times Algorithm 2 is applied.
The paper is organized as follows. In Section 2, we describe the scalar multiplication algorithm and the elliptic curve discrete logarithm problem, and refine the fault attack method. In Section 3, we discuss the isomorphism classes of elliptic curves of form (1.1). In Section 4, the efficiency of the attack algorithm is considered.

Scalar Multiplication Algorithm
Let E_{A,B} be an elliptic curve of form (1.1) defined over the finite field F_p with p ≠ 2, 3, and let P_i := (x_i, y_i) ∈ E_{A,B}(F_p), i = 1, 2, 3, be such that P_1 + P_2 = P_3. The algorithm below is a description of the elliptic curve scalar multiplication (ECSM) on curves defined in this most common form:

2.2
The fault attack is based on the fact that the curve coefficient B is not used in any of the addition formulas given above.

Elliptic Curve Discrete Logarithm Problem
Let E be an elliptic curve and P = (x_P, y_P) ∈ E. Given Q = (x_Q, y_Q) ∈ ⟨P⟩, the discrete logarithm problem asks for the integer k such that Q = kP.
If the order of the base point P does not contain at least one large prime factor, then it is possible to use an extension to ECC of the Silver-Pohlig-Hellman algorithm [6] to solve the ECDLP, as presented in Algorithm 1. Let n be the order of the base point P with prime factorization n = ∏_{i=0}^{j−1} p_i^{e_i}, where p_i < p_{i+1}, i = 0, ..., j − 2. Without loss of generality, we assume that the order of the base point P is a prime number which is large enough for practical cryptosystems.

Fault Attack
In this section, we consider the following EC ElGamal cryptosystem. Let E_{A,B} be an elliptic curve of form (1.1) defined over a prime field F_p. Given a point P = (x_P, y_P) ∈ E_A(F_p), we assume that Q = (x_Q, y_Q) = kP is the public key and 1 ≤ k < ord(P) the secret key of some user, where ord(P) denotes the order of the base point P.
Encryption: Input a message m, choose 1 < d < ord(P) randomly, and return (dP, x_{dQ} + m). Decryption: Input (H, m'), compute kH, and return m' − x_{kH}.
The fault attack proceeds as follows: the attacker randomly chooses an elliptic curve E_{A,B'} defined over the prime field F_p, finds a point P' = (x_P', y_P') ∈ E_{A,B'}(F_p), and inputs (dP', m) to the decryption oracle; the attacker then obtains the x-coordinate of kdP'. Having x_{kdP'}, we compute y_{kdP'} by In practice, we can compute E_{A,B'} and P' ∈ E_{A,B'}(F_p) as follows. Fix an element x_P' ∈ F_p, take any y_P' ∈ F_p, and define B' :=

2.4
Having the pair of points (dP', kdP') ∈ E_{A,B'}(F_p), one can obtain k mod n, where n = ord(dP'). This is possible if all the prime factors of #E_{A,B'}(F_p) are smaller than the order of P. The complete attack procedure is presented as Algorithm 2.
By repeating Algorithm 2 and then applying the CRT, we can recover k from the congruences k mod n. The following lemma is useful for increasing the efficiency of Algorithm 2. Lemma 2.1. Let E be an elliptic curve defined over the finite field F_q. Then, with For a given elliptic curve E_{A,B'} defined over the finite field F_p, we assume that = 1; then the order of dP' is a w-smooth integer. Of course, we can also choose a point P' in E_{A,B}(F_p). The procedure for choosing such a point is similar to the above.
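As an added illustration (not the paper's own code) of the two facts Section 2 rests on, namely that the addition formulas never read B and that any (x_P', y_P') lies on some E_{A,B'} once B' is solved for, the following Python model runs double-and-add on a toy curve y² = x³ + Ax² + B over F_p and shows the point-validation check a decryption oracle should apply to its input. The prime, the coefficients and all points are constructed small values, not real parameters.

```python
# Toy model of the paper's curve family y^2 = x^3 + A*x^2 + B over F_p, written
# for this article, not the authors' code; p, A, B and all points are constructed.
P_MOD, A, B = 101, 3, 5   # (2, 5) lies on E_{A,B}: 8 + 12 + 5 = 25 = 5^2
INF = None                # point at infinity

def inv(x, p):
    return pow(x, p - 2, p)

def add(P1, P2, p, a):
    """Chord-and-tangent addition on y^2 = x^3 + a*x^2 + b; b is never read."""
    if P1 is INF: return P2
    if P2 is INF: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                         # P + (-P)
    if P1 == P2:
        lam = (3 * x1 * x1 + 2 * a * x1) * inv(2 * y1, p) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p
    x3 = (lam * lam - a - x1 - x2) % p     # the three x-roots sum to lam^2 - a
    return (x3, (lam * (x1 - x3) - y1) % p)

def ecsm(k, P, p, a):
    """Double-and-add scalar multiplication; only p and A enter, as in Section 2."""
    R = INF
    for bit in bin(k)[2:]:
        R = add(R, R, p, a)
        if bit == "1":
            R = add(R, P, p, a)
    return R

def on_curve(P, p, a, b):
    """Point validation: does P satisfy the equation of E_{a,b}?"""
    if P is INF: return True
    x, y = P
    return (y * y - x ** 3 - a * x * x - b) % p == 0

def order(P, p, a):
    """Order of P by repeated addition: the modulus n of the residue k mod n leaked."""
    n, R = 1, P
    while R is not INF:
        R, n = add(R, P, p, a), n + 1
    return n

def decrypt_validated(k, H):
    """Hardened oracle: reject inputs off E_{A,B} so kH never runs on a weaker E_{A,B'}."""
    if not on_curve(H, P_MOD, A, B):
        raise ValueError("input point is not on E_{A,B}")
    return ecsm(k, H, P_MOD, A)
```

Calling ecsm directly with the off-curve point (2, 6) computes on E_{A,16} instead, which is exactly the oracle behaviour the attack exploits; decrypt_validated refuses that input.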

The Isomorphism Classes
In this section, we count the number of isomorphism classes over F_p of elliptic curves of form (1.1) defined over the prime field F_p.
It is easy to see that the discriminant Δ and the j-invariant of formula (1.1) are equal to −16 4/27 A 4 Given A, B, B', let T denote the number of solutions (u, r) of (i) and (ii); it is easy to see that T ≤ 6. For any p ≠ 2, 3, the number of automorphisms of the elliptic curve E_{A,B} is at most 3. Hence, we have where H(t² − 4p) denotes the Kronecker class number of t² − 4p.
For the Kronecker class number, the following result is useful.

Lemma 3.1 (see [10]).
There exist effectively computable positive constants c_1, c_2 such that for each z ∈ Z_{>1} there is Δ* = Δ*(z) < −4 such that for all Δ ∈ Z with −z ≤ Δ < 0, Δ ≡ 0 or 1 (mod 4), except that the left inequality may be invalid if Δ_0 = Δ*, where Δ_0 is the fundamental discriminant associated with Δ. Let (3.9) In order to apply Algorithm belong to the ring of integers O_L of L. Also, α·ᾱ = p, and by the unique prime ideal factorization in O_L and the fact that A* = {1, −1} because Δ* < −4, this determines α up to conjugation and sign. Hence, t = α + ᾱ is determined up to sign, as required. This completes the proof.

Theorem 3.3.
There is a positive effectively computable constant c_4 such that, for each prime number p > 3, the following assertion is valid. Let S be a set of integers s ∈ T_p ∪ QR1 with |s − (p + 1)| ≤ √p, (3.17) and let y_P be defined as above. Then, the number N of pairs (B, x_P) ∈ F_p² for which where Proof. The number to be estimated equals the number of pairs (B, y_P) ∈ F_p² for which E_{A,B} is an elliptic curve over F_p with (x_P, y_P) ∈ E_{A,B}(F_p) and #E_{A,B}(F_p) ∈ S. Each elliptic curve E_A over F_p is isomorphic to E_{A,B} for exactly T/#Aut(E) values of A ∈ F_p. Each E_{A,B} gives rise to exactly two points (x_P, y_P). Thus, the number to be estimated equals where the sum ranges over the elliptic curves E_{A,B} over F_p, up to isomorphism, for which #E_{A,B}(F_p) ∈ S. Applying Theorem 3.2, we obtain the result.

Theorem 3.4.
There exists a positive effectively computable constant c_5 such that, for each prime number p > 3, the following assertion is valid. Let , where h is the number of times that Algorithm 2 is applied.
Proof. By Theorem 3.5, the failure probability of repeating Algorithm 2 h times equals (1 − N/p²)^h ≤ e^{−c_5 c_6 h f(w)/((log p)² log log p)}.

3.28
Consequently, the desired result follows.

Efficiency
In the case of factoring, the best rigorously analyzed result is Corollary 1.2 of [11], which states that all prime factors of n that are less than w can be found in time L_w[2/3, c] log² n. , for p → ∞.

4.4
These arguments lead to the following conjectural running time estimate for solving the discrete logarithm problem on elliptic curves of form (1.1) over a prime field. such that the following assertion is true. Let p be a prime number that is not 2 or 3. Then, we can find the discrete logarithm on the Montgomery elliptic curve over the prime field F_p within time O(K(p)M(p)).

Algorithm 1: Silver-Pohlig-Hellman algorithm for solving the ECDLP.
2. Use the CRT to solve the system of congruences k ≡ k_i (mod p_i).

Algorithm 2: Basic fault attack on the ECSM algorithm.
Input: Let E_{A,B} be an elliptic curve of form (1.1); w is a parameter to be chosen later and q is the order of the point P.
Output: Scalar k, partially and with some probability.
1. Randomly choose x_P', y_P' ∈ F_p.
1.1 B' ← y_P'² − x_P'³ − A x_P'².
2. P' ← (x_P', y_P').
2.1 Obtain n = ord(P') in E_{A,B'}(F_p).
2.2 Choose an integer 1 < d < ord(P') and compute dP'.
3. Apply the decryption oracle to compute x_{kdP'}.
3.1 Compute y_{kdP'} from x_{kdP'}.
4. If all the prime factors of n are smaller than w, then
4.1 utilize Algorithm 2 with (dP', kdP', n) to obtain k mod n.
5. Return k mod n.

Then there exists a point P such that ord(P) = n_2. The number of such points is n_1 φ(n_2), where φ(·) is the Euler function. Let n_2 = n_{2w} n_2', where n_{2w} is the product of all the prime factors of n_2 which are smaller than w. If, in Step 2.2, we choose d satisfying n_2' | d and (d, n_{2w}) = 1, − A 2 4A 2 B 27B2 and −4³A⁶/Δ, respectively. Hence, the number of elliptic curves over the prime field F_p with A fixed is the number of B ∈ F_p with p. Therefore, E_{A,B} ∼ E_{A,B'} if and only if there exist u ∈ F_p^*, r ∈ F_p such that the following conditions hold: (i) u⁶ = 1 and A = Au⁴ + 3u⁴r; (ii) 3u²r² + 2u²rA = 0 and Ar² + r³ + B = B'.
It is easy to see that T ≤ 2. Hence, we conclude that the number of elliptic curves over F_p with B fixed is equal to p − T. E_{A,B} is isomorphic to E_{A',B'} if and only if there exists an admissible transform x = u²x' + r, y = u³y' + u²sx' + t, (3.3) where r, s, t ∈ F_p and u ∈ F_p^*. 2, we divide F_p into two parts, S_B := {B ∈ F_p : } and the B for which x_P³ + Ax_P² + B is a quadratic nonresidue in F_p. Theorem 3.2. There exists an effectively computable positive constant c_3 such that, for each prime number p > 3, the following assertion is valid. If S is a set of integers s ∈ T_p ∪ QR1 with |s − (p + 1)| ≤ √p, (3.13) then #{E_{A,B'} : B' ∈ S_{p,QR1}, #E_{A,B'}(F_p) ∈ S}/∼_{F_p} ≥ c_3 |S| − 2 Applying Lemma 3.1 with z = 4p, we note that |t² − 4p| ≥ 3p if p + 1 − t ∈ S. Since S ⊆ T There exists an effectively computable constant c_7 > 1 with the following property. Let w ∈ Z_{>1} and and each prime dividing s is ≤ w, (3.20) and let y_P be defined as above. Then, the number N of triples (B, x_P) ∈ F_p² QR1 : |s − (p + 1)| < √p, and each prime dividing s is ≤ w.
Schoof [12] presents a deterministic algorithm to compute the number of F_p-points of an elliptic curve defined over a finite field F_p in O(log⁹ p) elementary operations. Theorem 3.6 shows that, in order to have a reasonable chance of success, one should choose the number h of the same order of magnitude as O((log p)² log log p / f(w)). In Algorithm 2, for any y_P', we can obtain B' ∈ S Hence, to minimize the estimated running time, the number w should be chosen such that L_w[2/3, c]/f(w) · √w is minimal. A theorem of Canfield et al. [13] implies the following result. Let α be a positive real number. Then, the probability that a random positive integer s < x has all its prime factors less than L_x[1/2, α] is L_x[1/2, −1/(2α) + o(1)] for x → ∞. The conjecture we need is that the same result is valid if s is a random integer in the interval [x + 1 − √x, x + 1 + √x]. Putting x = p, we see that the conjecture implies that