`Journal of Applied MathematicsVolume 2011, Article ID 580749, 11 pageshttp://dx.doi.org/10.1155/2011/580749`
Research Article

## Analysis of the Fault Attack ECDLP over Prime Field

School of Mathematics, Shandong University, Jinan 250100, China

Received 17 May 2011; Revised 27 August 2011; Accepted 12 September 2011

Academic Editor: Tak-Wah Lam

Copyright © 2011 Mingqiang Wang and Tao Zhan. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

In 2000, Biehl et al. proposed a fault-based attack on elliptic curve cryptography. In this paper, we refined the fault attack method. An elliptic curve is defined over prime field with base point . Applying the fault attack on these curves, the discrete logarithm on the curve can be computed in subexponential time of . The runtime bound relies on heuristics conjecture about smooth numbers similar to the ones used by Lenstra, 1987.

#### 1. Introduction

In 1996, a fault analysis attack was introduced by Boneh et al. . Biehl et al.  proposed the first fault-based attack on elliptic curve cryptography [3, 4]. Their basic idea is to change the input points, elliptic curve parameters, or the base field in order to perform the operations in a weaker group where solving the elliptic curve discrete logarithm problem (ECDLP) is feasible. A basic assumption for this attack is that one of the two parameters of the governing elliptic curve equation is not involved for point operations formulas. In this way, the computation could be performed in a cryptographically less secure elliptic curve.

In , it is claimed that the attacker can get the secret multiplier with subexponential time, but the authors did not give the proof or even an outline of the proof. I find that this is not a trivial result. Since the distribution of the cardinality of elliptic curves over finite field is not uniform in the interval .

In practice, in order to get a better function, the cryptosystem may be based on some special family of elliptic curve. Here, we assume that the fault attack is restricted on the following elliptic curve defined over prime field : which is denoted by . In this paper, we prove that the attacker can get the secret multiplier with subexponential time when the fault attack is restricted to the elliptic curve family of . It is noted that we can get a simpler proof when the fault attack is based on the general elliptic curves.

In Section 2, the fault attack method is described in detail and some improvements of the fault attack are introduced. Firstly, we can control the order of the fault point in by a suitable choice of the random key . On the other hand, some points in can be chosen as fault point to increase the probability of success of the fault attack.

Our analysis depends on the number of with . In Section 3, we research the isomorphism classes of the elliptic curves expressed by form (1.1). By Deuring , we find that the density of with in is large enough to ensure our method success.

The analysis of our method in this paper shows that the performance of the algorithm is largely determined by the density of numbers built up from small primes in the neighborhood of and the number of isomorphism classes of the elliptic curves which can be expressed by form (1.1). If a reasonable conjecture concerning the density of smooth integers is assumed, then the following can be proved.

Suppose that and is a positive constant; let denote There is a function with for . Then, with a suitable choice of parameters, ECDLP in the family of elliptic curves (1.1) can be determined by the attacker with probability at least within time , where and is the number of times Algorithm 2 is applied.

The paper is organized as follows. In Section 2, we describe the scalar multiplication algorithm and elliptic curve discrete logarithm problem and refine the fault attack method. In Section 3, we discuss the isomorphism class of elliptic curves expressed by form (1.1). In Section 4, the efficiency of the attack algorithm is considered.

#### 2. Preliminaries

##### 2.1. Scalar Multiplication Algorithm

Let be an elliptic curve of form (1.1) defined over finite field with and , , such that . The algorithm below is a description of the elliptic curve scalar multiplication (ECSM) on curves defined in its most common form: with

The fault attack is based on the fact that the curve coefficient is not used in any of the addition formulas given above.

##### 2.2. Elliptic Curve Discrete Logarithm Problem

Let be an elliptic curve and . Given , the discrete logarithm problem asks for the integer such that .

If the order of the base point does not contain at least a large prime factor, then it is possible to use an extension for ECC of the Silver-Pohlig-Hellman algorithm  to solve the ECDLP as presented in Algorithm 1. Let be the order of the base point with a prime factor , where , .

Algorithm 1: Silver-Pohlig-Hellman algorithm for solving the ECDLP.

Without losing generality, we assume that the order of the base point is a prime number which is large enough for practical cryptosystems.

##### 2.3. Fault Attack

In this section, we consider the following EC ElGamal cryptosystem. Let be an elliptic curve of form (1.1) defined over a prime field . Given a point , we assume that is the public key and the secret key of some user, where denotes the order of the base point .Encryption: Input message , choose randomly, and return .Decryption: Input , compute , and return .

The fault attack is that the attacker randomly chooses an elliptic curve defined over prime field , finds a point , and inputs to the decryption oracle, then the attacker can get the -coordinate of . Having , we compute by

In practice, we can compute and as follows. Fix an element , for any , and define Let be an elliptic curve of form (1.1) as follows: clearly .

Having the points pair , one can obtain , where . This would be possible if all the prime factors of are smaller than order of . The complete attack procedure is presented as Algorithm 2.

By repeating Algorithm 2, then applying CRT, we can get from the congruences . The following lemma is useful for us to increase the efficiency of Algorithm 2.

Lemma 2.1. Let be an elliptic curve defined over finite filed . Then, with and .

For giving an elliptic curve defined over finite field , we assume that . Then there exists a point such that . The number of such points is , where is the Euler function. Let , where is the product of all the prime factors of which are smaller than . If, in Step (2.2), we choose satisfying and , then the order of is a smooth integer.

Certainly, of course, we can choose a point in . The procedure of choosing such a point is similar as above.

#### 3. The Isomorphism Classes

In this section, we count the number of isomorphism classes over of elliptic curves (1.1) defined over a prime field .

It is easy to see that the discriminant and the invariant of the formula (1.1) are equal to and , respectively. Hence, the number of elliptic curves over the prime field with fixed is the number of with Let be the number of the solutions of the following equation in : It is easy to see that . Hence, we conclude that the number of elliptic curves over with fixed is equal to .

is isomorphic to if and only if there exists an admissible transform: where and . Therefore, if and only if there exist such that the following conditions hold:(i) and ;(ii) and .

Given , let denote the number of the solutions of (i) and (ii); it is easy to see that . For any , the number of the automorphism of elliptic curve is at most 3. Hence, we have where over a set of representatives of the isomorphism classes. We express this by writing and in similar expression below, denotes the weighted cardinality, the isomorphism class of being counted with the weight .

For any elliptic curve over , we have which is obtained by a theorem of Hasse. Let, conversely, be a prime and let be an integer satisfying . Then, the weighted number of elliptic curves over with , up to isomorphism is given by a formula that is basically due to Deuring ; see also : where denotes the Kronecker class number of .

For the Kronecker class number, the following result is useful.

Lemma 3.1 (see ). There exist effectively computable positive constants such that for each there is such that for all with , except that the left inequality may be invalid if , where is the fundamental discriminant associated with .

Let

In order to apply Algorithm 2, we divide into two parts and as follows: Since , Lemma 2.1 cannot be applied directly in the following estimation. In order to apply Lemma 2.1, should be partitioned into two parts and as follows:

Let

Theorem 3.2. There exist an effectively computable positive constant such that, for each prime number , the following assertion is valid. If is a set of integers with then

Proof. The proof of Theorem 3.3 is similar to the proof of (1.9) in ; for self-containdeness, we give it here. The left-hand side of the inequality equals Applying Lemma 3.1 with , we note that if . Since , it suffices to prove that there are at most two integers , , for which the fundamental discriminant associated with equals . Let , and let be such an integer. Then, the zeros of belong to the ring of integers of . Also, , and by the unique prime ideal factorization in and the fact that (because ) this determines up to conjugation and sign. Hence, is determined up to sign, as required. This completes the proof.

Theorem 3.3. There is a positive effectively computable constant such that, for each prime number , the following assertion is valid. Let be a set of integers with and let be defined as above. Then, the number of pair for which where , is at least .

Proof. The number to be estimated equals the number of pairs for which is an elliptic curve over with and . Each elliptic curve over is isomorphic to for exactly , value of . Each exactly gives rise to two points . Thus, the number to be estimated equals where the sum ranges over the elliptic curves over , up to isomorphism, for which . Applying Theorem 3.2, we obtain the result.

Theorem 3.4. There exists a positive effectively computable constant such that, for each prime number , the following assertion is valid. Let and let be defined as above. Then, the number of triple for which where , is at least .

Proof. This can be deduced from Theorem 3.3 immediately.

Theorem 3.5. There exists a positive effectively computable constant such that the cardinality of is at least .

Proof. The map is a bijective map. By the definition of and , we have . By (3.6), the trace of any elliptic curve over satisfies ; hence, the cardinality of is at most Therefore, the cardinality of is From the discussion about the isomorphism classes of elliptic curves and the fact that , we have Applying Lemma 2.1, we get the proof of the result.
Let . Our attack method depends on the following reasonable heuristic assumption.Heuristic Assumption: The set is uniformly distributed in the interval .
By the assumption, one can deduce that .

Theorem 3.6. There exists an effectively computable constant with the following property. Let and Let denotes the probability that a random integer in the interval has all its prime factors . The probability of success of Algorithm 2 on input is at least , where is the number of times that Algorithm 2 is applied.

Proof. By Theorem 3.5, the failure probability of repeating Algorithm 2   times equals , where It follows that Consequently, the desired result follows.

#### 4. Efficiency

In the case of factoring, the best rigorously analyzed result is Corollary 1.2 of , which states that all prime factors of that are less than can be found in time . Schoof  presents a deterministic algorithm to compute the number of -points of an elliptic curve that is defined over a finite field and takes elementary operations.

Theorem 3.6 shows that, in order to have a reasonable chance of success, one should choose the number of the same order of magnitude as . In Algorithm 2, for any , we can obtain . From the discussion in Theorem 3.6, the probability of is approximately . Hence, the cases of are neglected, which does not affect the analysis result. Therefore, the time spent on Algorithm 2 is , where . The time required by Algorithm 2 is . Hence, to minimize the estimated running time, the number should be chosen such that is minimal.

A theorem of Canfield et al.  implies the following result. Let be a positive real number. Then, the probability that a random positive integer has all its prime factors less than is for . The conjecture we need is that the same result is valid if is a random integer in the interval . Putting , we see that the conjecture implies that for any fixed positive , with .

The following identities are useful for our estimation: where lower-order terms in the exponent are neglected.

With , the conjecture would imply that which suggests that for the optimal choice of we have

These arguments lead to the following conjectural running time estimation for solving the discrete logarithm problem on elliptic curve of form (1.1) over prime field.

Theorem 4.1. There is a function with such that the following assertion is true. Let be a prime number that is not 2 or 3. Then, we can find the discrete logarithm of Montgomery elliptic curve over prime filed within time .

#### Acknowledgments

One of the authors gratefully acknowledges the helpful comments and suggestions of the anonymous reviewers, which have improved the presentation. This work was supported by NSFC project under (Grant no. 60873041), Nature Science of Shandong Province (Grant no. Y2008G23), Doctoral Fund of Ministry of Education of China (Grant no. 20090131120012), and IIFSDU (Grant no. 2010ST075).

#### References

1. D. Boneh, R. A. DeMillo, and R. J. Lipton, “On the importance of eliminating errors in cryptographic computations,” Journal of Cryptology, vol. 14, no. 2, pp. 101–119, 2001.
2. I. Biehl, B. Meyer, and V. Müller, “Differential fault attacks on elliptic curve cryptosystems,” in Advances in Cryptology—CRYPTO 2000, vol. 1880 of Lecture Notes in Computer Science, pp. 131–146, Springer, Berlin, Germany, 2000.
3. N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of Computation, vol. 48, no. 177, pp. 203–209, 1987.
4. V. S. Miller, “Use of elliptic curves in cryptography,” in Advances in Cryptology—CRYPTO '86, vol. 263 of Lecture Notes in Computer Science, pp. 417–426, Springer, Berlin, Germany, 1987.
5. M. Deuring, “Die Typen der Multiplikatorenringe elliptischer Funktionenkörper,” Abhandlungen aus dem Mathematischen Seminar der Universität Hamburg, vol. 14, no. 1, pp. 197–272, 1941.
6. S. C. Pohlig and M. E. Hellman, “An improved algorithm for computing logarithms over $GF\left(p\right)$ and its cryptographic significance,” IEEE Transactions on Information Theory, vol. 24, no. 1, pp. 106–110, 1978.
7. B. J. Birch, “How the number of points of an elliptic curve over a fixed prime field varies,” Journal of the London Mathematical Society, Second Series, vol. 43, pp. 57–60, 1968.
8. R. Schoof, “Nonsingular plane cubic curves over finite fields,” Journal of Combinatorial Theory, Series A, vol. 46, no. 2, pp. 183–211, 1987.
9. W. C. Waterhouse, “Abelian varieties over finite fields,” Annales Scientifiques de l'École Normale Supérieure, Quatrième Série, vol. 2, pp. 521–560, 1969.
10. H. W. Lenstra, Jr., “Factoring integers with elliptic curves,” Annals of Mathematics, Second Series, vol. 126, no. 3, pp. 649–673, 1987.
11. H. W. Lenstra, Jr., J. Pila, and C. Pomerance, “A hyperelliptic smoothness test. I,” Philosophical Transactions of the Royal Society of London A, vol. 345, no. 1676, pp. 397–408, 1993.
12. R. Schoof, “Elliptic curves over finite fields and the computation of square roots mod $p$,” Mathematics of Computation, vol. 44, no. 170, pp. 483–494, 1985.
13. E. R. Canfield, P. Erdős, and C. Pomerance, “On a problem of Oppenheim concerning “factorisatio numerorum”,” Journal of Number Theory, vol. 17, no. 1, pp. 1–28, 1983.