Journal of Applied Mathematics
Volume 2011, Issue 1 580749
Research Article
Open Access

Analysis of the Fault Attack ECDLP over Prime Field

Mingqiang Wang

Corresponding Author

Mingqiang Wang

School of Mathematics, Shandong University, Jinan 250100, China sdu.edu.cn

Search for more papers by this author
Tao Zhan

Tao Zhan

School of Mathematics, Shandong University, Jinan 250100, China sdu.edu.cn

Search for more papers by this author
First published: 03 November 2011
https://doi.org/10.1155/2011/580749
Citations: 2
Academic Editor: Tak-Wah Lam

Abstract

In 2000, Biehl et al. proposed a fault-based attack on elliptic curve cryptography. In this paper, we refined the fault attack method. An elliptic curve E is defined over prime field 𝔽p with base point PE(𝔽p). Applying the fault attack on these curves, the discrete logarithm on the curve can be computed in subexponential time of Lp(1/2, 1 + o(1)). The runtime bound relies on heuristics conjecture about smooth numbers similar to the ones used by Lenstra, 1987.

1. Introduction

In 1996, a fault analysis attack was introduced by Boneh et al. [1]. Biehl et al. [2] proposed the first fault-based attack on elliptic curve cryptography [3, 4]. Their basic idea is to change the input points, elliptic curve parameters, or the base field in order to perform the operations in a weaker group where solving the elliptic curve discrete logarithm problem (ECDLP) is feasible. A basic assumption for this attack is that one of the two parameters of the governing elliptic curve equation is not involved for point operations formulas. In this way, the computation could be performed in a cryptographically less secure elliptic curve.

In [2], it is claimed that the attacker can get the secret multiplier k with subexponential time, but the authors did not give the proof or even an outline of the proof. I find that this is not a trivial result. Since the distribution of the cardinality of elliptic curves over finite field 𝔽q is not uniform in the interval .

In practice, in order to get a better function, the cryptosystem may be based on some special family of elliptic curve. Here, we assume that the fault attack is restricted on the following elliptic curve defined over prime field 𝔽p:
()
which is denoted by EA,B. In this paper, we prove that the attacker can get the secret multiplier k with subexponential time when the fault attack is restricted to the elliptic curve family of EA,B. It is noted that we can get a simpler proof when the fault attack is based on the general elliptic curves.

In Section 2, the fault attack method is described in detail and some improvements of the fault attack are introduced. Firstly, we can control the order of the fault point in by a suitable choice of the random key d. On the other hand, some points in EA,B can be chosen as fault point to increase the probability of success of the fault attack.

Our analysis depends on the number of with . In Section 3, we research the isomorphism classes of the elliptic curves expressed by form (1.1). By Deuring [5], we find that the density of with in is large enough to ensure our method success.

The analysis of our method in this paper shows that the performance of the algorithm is largely determined by the density of numbers built up from small primes in the neighborhood of p + 1 and the number of isomorphism classes of the elliptic curves which can be expressed by form (1.1). If a reasonable conjecture concerning the density of smooth integers is assumed, then the following can be proved.

Suppose that 0 ≤ α ≤ 1 and c is a positive constant; let Lx(α, c) denote
()
There is a function K : >0>0 with K(x) = Lx(1/2,1 + o(1)) for x. Then, with a suitable choice of parameters, ECDLP in the family of elliptic curves (1.1) can be determined by the attacker with probability at least 1 − eh within time K(p)M(p), where M(p) = O((log p) 11) and h is the number of times Algorithm 2 is applied.

The paper is organized as follows. In Section 2, we describe the scalar multiplication algorithm and elliptic curve discrete logarithm problem and refine the fault attack method. In Section 3, we discuss the isomorphism class of elliptic curves expressed by form (1.1). In Section 4, the efficiency of the attack algorithm is considered.

2. Preliminaries

2.1. Scalar Multiplication Algorithm

Let EA,B be an elliptic curve of form (1.1) defined over finite field 𝔽p with p ≠ 2,3 and Pi = :(xi, yi) ∈ EA,B(𝔽p), i = 1,2, 3, such that P1 + P2 = P3. The algorithm below is a description of the elliptic curve scalar multiplication (ECSM) on curves defined in its most common form:
()
with
()

The fault attack is based on the fact that the curve coefficient B is not used in any of the addition formulas given above.

2.2. Elliptic Curve Discrete Logarithm Problem

Let E be an elliptic curve and P = (xP, yP) ∈ E. Given Q = (xQ, yQ)∈〈P〉, the discrete logarithm problem asks for the integer k such that Q = kP.

If the order of the base point P does not contain at least a large prime factor, then it is possible to use an extension for ECC of the Silver-Pohlig-Hellman algorithm [6] to solve the ECDLP as presented in Algorithm 1. Let n be the order of the base point P with a prime factor , where pi < pi+1, i = 0, …, j − 2.

    Algorithm 1: Silver-Pohlig-Hellman algorithm for solving the ECDLP.

  • Input:  PE(𝔽p), Q ∈ 〈P〉, , where pi < pi+1, i = 0, …, j − 2.

  • Output:  k mod  n.

  •  (1) For i = 0 to j − 1 do

  •      (1.1) Q𝒪, ki ← 0.

  •      (1.2) Pi ← (n/pi)P.

  •      (1.3) For t = 0 to (ei − 1) do

  •          (1.3.1) .

  •          (1.3.2) .{ECDLP in a subgroup of order ord(Pi).}

  •          (1.3.3) .

  •          (1.3.4) .

  •  (2) Use the CRT to solve the system of congruences .

  •      This gives us k mod  n

  •  (3) Return (k)

    Algorithm 2: Basic fault attack on ECSM algorithm.

  • Input:  EA and P = (xP, yP) ∈ EA(𝔽p), Q = (xQ, yQ) = kP,

  • w is a parameter to be chosen later and q is the order of point P.

  • Output: Scalar k partially with a probability.

  • (1) Randomly choose .

  •     (1.1) .

  • (2) .

  •     (2.1) Obtain in elliptic curve .

  •     (2.2) Choose an integer , compute .

  • (3) Apply decryption oracle to compute .

  •     (3.1) .

  • (4) If all the prime factors of n are smaller than w, then

  •     (4.1) Utilize Algorithm 2 with to obtain k mod  n.

  • (5) Return (k mod  n)

Without losing generality, we assume that the order of the base point P is a prime number which is large enough for practical cryptosystems.

2.3. Fault Attack

In this section, we consider the following EC ElGamal cryptosystem. Let EA,B be an elliptic curve of form (1.1) defined over a prime field 𝔽p. Given a point P = (xP, yP) ∈ EA(𝔽p), we assume that Q = (xQ, yQ) = kP is the public key and 1 ≤ k < ord(P) the secret key of some user, where ord(P) denotes the order of the base point P.

  • Encryption: Input message m, choose 1 < d < ord(P) randomly, and return (dP, xdQm).

  • Decryption: Input (H, m), compute kH, and return (mxkH).

The fault attack is that the attacker randomly chooses an elliptic curve defined over prime field 𝔽p, finds a point , and inputs to the decryption oracle, then the attacker can get the x-coordinate of . Having , we compute by
()
In practice, we can compute and as follows. Fix an element , for any , and define
()
Let be an elliptic curve of form (1.1) as follows:
()
clearly .

Having the points pair , one can obtain kmod n, where . This would be possible if all the prime factors of are smaller than order of P. The complete attack procedure is presented as Algorithm 2.

By repeating Algorithm 2, then applying CRT, we can get k from the congruences k mod  n. The following lemma is useful for us to increase the efficiency of Algorithm 2.

Lemma 2.1. Let E be an elliptic curve defined over finite filed 𝔽q. Then,

()
with n1n2 and n1q − 1.

For giving an elliptic curve defined over finite field 𝔽p, we assume that . Then there exists a point such that . The number of such points is n1ϕ(n2), where ϕ(·) is the Euler function. Let , where n2w is the product of all the prime factors of n2 which are smaller than w. If, in Step (2.2), we choose d satisfying and (d, n2w) = 1, then the order of is a w smooth integer.

Certainly, of course, we can choose a point in EA,B(𝔽p). The procedure of choosing such a point is similar as above.

3. The Isomorphism Classes

In this section, we count the number of isomorphism classes over 𝔽p of elliptic curves (1.1) defined over a prime field 𝔽p.

It is easy to see that the discriminant Δ and the j invariant of the formula (1.1) are equal to −16((4/27)A4(1 − A2) + 4A2B + 27B2) and −(43A6)/Δ, respectively. Hence, the number of elliptic curves over the prime field 𝔽p with A fixed is the number of B𝔽p with
()
Let T be the number of the solutions of the following equation in 𝔽p:
()
It is easy to see that T ≤ 2. Hence, we conclude that the number of elliptic curves over 𝔽p with B fixed is equal to pT.
EA,B is isomorphic to if and only if there exists an admissible transform:
()
where r, s, t𝔽p and . Therefore, if and only if there exist such that the following conditions hold:
  • (i)

    u6 = 1 and A = Au4 + 3u4r;

  • (ii)

    3u2r2 + 2u2rA = 0 and .

Given , let T denote the number of the solutions (u, r) of (i) and (ii); it is easy to see that T ≤ 6. For any p ≠ 2,3, the number of the automorphism of elliptic curve EA,B is at most 3. Hence, we have
()
where over a set of representatives of the isomorphism classes. We express this by writing
()
and in similar expression below, denotes the weighted cardinality, the isomorphism class of being counted with the weight .
For any elliptic curve E over 𝔽p, we have
()
which is obtained by a theorem of Hasse. Let, conversely, p be a prime >3 and let t be an integer satisfying . Then, the weighted number of elliptic curves E over 𝔽p with E(𝔽p) = p + 1 − t, up to isomorphism is given by a formula that is basically due to Deuring [5]; see also [79]:
()
where H(t2 − 4p) denotes the Kronecker class number of t2 − 4p.

For the Kronecker class number, the following result is useful.

Lemma 3.1 (see [10].)There exist effectively computable positive constants c1, c2 such that for each z>1 there is Δ* = Δ*(z)<−4 such that

()
for all Δ ∈ with −z ≤ Δ < 0,  Δ ≡ 0,  or  1 mod  4, except that the left inequality may be invalid if Δ0 = Δ*, where Δ0 is the fundamental discriminant associated with Δ.

Let
()
In order to apply Algorithm 2, we divide 𝔽p into two parts and as follows:
()
Since HtH(t2 − 4p), Lemma 2.1 cannot be applied directly in the following estimation. In order to apply Lemma 2.1, should be partitioned into two parts and as follows:
()
Let
()

Theorem 3.2. There exist an effectively computable positive constant c3 such that, for each prime number p > 3, the following assertion is valid. If S is a set of integers with

()
then
()

Proof. The proof of Theorem 3.3 is similar to the proof of (1.9) in [10]; for self-containdeness, we give it here. The left-hand side of the inequality equals

()
Applying Lemma 3.1 with z = 4p, we note that |t2 − 4p | ≥ 3p if p + 1 − tS. Since , it suffices to prove that there are at most two integers t, , for which the fundamental discriminant associated with t2 − 4p equals Δ*. Let , and let t be such an integer. Then, the zeros of
()
belong to the ring of integers 𝒪L of L. Also, , and by the unique prime ideal factorization in 𝒪L and the fact that A* = {1, −1} (because Δ* < −4) this determines α up to conjugation and sign. Hence, is determined up to sign, as required. This completes the proof.

Theorem 3.3. There is a positive effectively computable constant c4 such that, for each prime number p > 3, the following assertion is valid. Let S be a set of integers with

()
and let be defined as above. Then, the number N of pair for which
()
where , is at least .

Proof. The number to be estimated equals the number of pairs for which is an elliptic curve over 𝔽p with and . Each elliptic curve over 𝔽p is isomorphic to for exactly T/AutE, value of . Each exactly gives rise to two points . Thus, the number to be estimated equals

()
where the sum ranges over the elliptic curves over 𝔽p, up to isomorphism, for which . Applying Theorem 3.2, we obtain the result.

Theorem 3.4. There exists a positive effectively computable constant c5 such that, for each prime number p > 3, the following assertion is valid. Let

()
and let be defined as above. Then, the number N of triple for which
()
where , is at least .

Proof. This can be deduced from Theorem 3.3 immediately.

Theorem 3.5. There exists a positive effectively computable constant c6 such that the cardinality of is at least .

Proof. The map

()
is a bijective map. By the definition of and , we have . By (3.6), the trace t of any elliptic curve E over 𝔽p satisfies ; hence, the cardinality of is at most
()
Therefore, the cardinality of is
()
From the discussion about the isomorphism classes of elliptic curves and the fact that HtH(t2 − 4p), we have
()
Applying Lemma 2.1, we get the proof of the result.

Let . Our attack method depends on the following reasonable heuristic assumption.

  • Heuristic Assumption: The set is uniformly distributed in the interval .

By the assumption, one can deduce that .

Theorem 3.6. There exists an effectively computable constant c7 > 1 with the following property. Let w>1 and

()
Let f(w) = Sw/T1 denotes the probability that a random integer in the interval has all its prime factors <w. The probability of success of Algorithm 2 on input P, QEA,B, w is at least , where h is the number of times that Algorithm 2 is applied.

Proof. By Theorem 3.5, the failure probability of repeating Algorithm 2  h times equals (1 − N/p2) h, where

()
It follows that
()
Consequently, the desired result follows.

4. Efficiency

In the case of factoring, the best rigorously analyzed result is Corollary 1.2 of [11], which states that all prime factors of n that are less than w can be found in time Lw(2/3, c)log 2n. Schoof [12] presents a deterministic algorithm to compute the number of 𝔽p-points of an elliptic curve that is defined over a finite field 𝔽p and takes O(log 9p) elementary operations.

Theorem 3.6 shows that, in order to have a reasonable chance of success, one should choose the number h of the same order of magnitude as O((log p) 2(log  log p)/f(w)). In Algorithm 2, for any , we can obtain . From the discussion in Theorem 3.6, the probability of is approximately 1/log p. Hence, the cases of are neglected, which does not affect the analysis result. Therefore, the time spent on Algorithm 2 is O(hLw(2/3, c)M(p)), where M(p) = O(log 11p). The time required by Algorithm 2 is . Hence, to minimize the estimated running time, the number w should be chosen such that is minimal.

A theorem of Canfield et al. [13] implies the following result. Let α be a positive real number. Then, the probability that a random positive integer s < x has all its prime factors less than Lx(1/2,1) α is Lx(1/2,1) −1/2α+o(1) for x. The conjecture we need is that the same result is valid if s is a random integer in the interval . Putting x = p, we see that the conjecture implies that
()
for any fixed positive α, with f(w) = Sw/T1.
The following identities are useful for our estimation:
()
where lower-order terms in the exponent are neglected.
With w = Lp(1/2,1) α, the conjecture would imply that
()
which suggests that for the optimal choice of w we have
()

These arguments lead to the following conjectural running time estimation for solving the discrete logarithm problem on elliptic curve of form (1.1) over prime field.

Theorem 4.1. There is a function K : >0>0 with

()
such that the following assertion is true. Let p be a prime number that is not 2 or 3. Then, we can find the discrete logarithm of Montgomery elliptic curve over prime filed 𝔽p within time O(K(p)M(p)).

Acknowledgments

One of the authors gratefully acknowledges the helpful comments and suggestions of the anonymous reviewers, which have improved the presentation. This work was supported by NSFC project under (Grant no. 60873041), Nature Science of Shandong Province (Grant no. Y2008G23), Doctoral Fund of Ministry of Education of China (Grant no. 20090131120012), and IIFSDU (Grant no. 2010ST075).

      The full text of this article hosted at iucr.org is unavailable due to technical difficulties.