Elliptic curve cryptosystems in the presence of permanent and transient faults (Q2486874)

The paper studies the security of elliptic curve cryptosystems in the presence of ``faults''. The security of elliptic cryptosystems based on the computational difficulty of solving the Discrete Logarithm Problem relies in the difficulty of finding \(d\) (the secret key) starting from \(dP\) (public key) where \(P\) is a fixed public point on a given elliptic curve \(E\). Intents of recovery of \(d\) can be based on attacks to the underlying discrete logarithm problem or in physical attacks (side-channel analysis, fault analysis). In [Crypto 2000, Lect. Notes Comput. Sci. 1880, 131--146 (2000; Zbl 0989.94505)] \textit{I. Biehl} et al. show that some information about \(d\) can be obtained if the attacker change the point \(P\) for another one \(\tilde{P}\) (not on the original curve but on a new one \(\tilde{E}\) ) chosen by him. These authors also consider a second attack in which a bit of error is inserted into \(P\). The present paper enlarges the scope of those attacks. The authors consider two possible scenarios: a \`\` permanent fault'' (a fault in the system parameters stored in a non-volatile memory) and a ``transient fault'' (faults during the transfer of the parameters into working memory). The first two sections are introductory. Section 3 describes the possibility of attacks, both in the permanent case and in the transient one, when faults are introduced in the point \(P\), in the definition field or in the parameters of the curve. This would allow to recover the value of \(d\) modulo \(r\), where \(r=\text{ord}_{\tilde{P}}(\tilde{E})\). Section 4, of conclusions, also points out the security measures that can be adopted to prevent those attacks.