Protecting ECC against fault attacks: the ring extension method revisited (Q2023307)
From MaRDI portal
scientific article; zbMATH DE number 7342051
Statements
3 May 2021
Fault attacks exploit calculation mistakes, either captured or induced, in order to break cryptographic protocols, and they have been well known since the 90s. In RSA, for instance, given a public key \((n,e)\) where \(n=pq\) is the product of two hidden primes, the owner of the corresponding private key \((p,q,d)\) may either decrypt messages or sign messages more efficiently by calculating \(d_p=d\bmod(p-1)\), \(d_q=d\bmod(q-1)\) to obtain \(s=m^d\bmod n\) by the Chinese Remainder Theorem (CRT) using \(s_p=m^{d_p}\bmod p\) and \(s_q=m^{d_q}\bmod q\). However, if there is an error \(s'_p\) for \(s_p\), then the resulting difference \(s-s'\) will be a multiple of \(q\), which can be recovered as \(\gcd(s-s',n)\). Similarly, in elliptic curve cryptography, a small variation of the points involved may disturb the curve and allow the recovery of private keys, again using the CRT together with alternate curves on which the discrete logarithm problem is easy. In the reviewed paper, Joye, author of [M. Joye (ed.) and M. Tunstall (ed.), Fault analysis in cryptography. Berlin: Springer (2012; Zbl 1250.94006)], first recalls some countermeasures to fault attacks, namely those due to A. Shamir ["How to check modular exponentiation", Presentation at Rump Session Program of EUROCRYPT'97, https://www.iacr.org/conferences/ec97/rump.html] and D. Vigilant ["RSA with CRT: a new cost-effective solution to thwart fault attacks", Lect. Notes Comput. Sci. 5154, 130--145 (2008; doi:10.1007/978-3-540-85053-3_9)] in the case of RSA, and those due to J. Blömer et al. ["Sign change fault attacks on elliptic curve cryptosystems", ibid. 4236, 36--52 (2006; doi:10.1007/11889700_4)] and Y.-J. Baek and I. Vasyltsov ["How to prevent DPA and fault attack in a unified way for ECC scalar multiplication -- ring extension method", ibid. 4464, 225--237 (2006; doi:10.1007/978-3-540-72163-5_18)] for elliptic curves.
Thereafter, in the context of ring extension, he introduces two novel, rather general countermeasures which are more efficient, hence more effective.
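The RSA-CRT case described in the review, as an added Python example (not code from the reviewed paper): a single faulty \(s_p\) makes \(\gcd(s-s',n)\) equal \(q\), and a check in the extended rings \(\mathbb{Z}/pr\mathbb{Z}\) and \(\mathbb{Z}/qr\mathbb{Z}\) withholds the faulty result. The toy primes, the value of `R`, the function names and the XOR fault model are assumptions, and the check is written from the commonly described form of Shamir's countermeasure, which the page cites but does not spell out.

```python
from math import gcd

# Constructed toy parameters, far too small for real use.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
R = 65521          # small prime extending Z/pZ and Z/qZ (assumed value)
M = 123456789      # constructed sample message representative


def crt(sp, sq):
    """Garner recombination of residues mod P and mod Q into a value mod N."""
    h = ((sp - sq) * pow(Q, -1, P)) % P
    return sq + Q * h


def sign_crt(m, fault=0):
    """Unprotected RSA-CRT; `fault` is XORed into s_p to model a glitch."""
    sp = pow(m, D % (P - 1), P) ^ fault
    sq = pow(m, D % (Q - 1), Q)
    return crt(sp % P, sq)


def leaked_factor(m):
    """What a correct/faulty signature pair reveals: gcd(s - s', n)."""
    return gcd(sign_crt(m) - sign_crt(m, fault=1), N)


def sign_checked(m, fault=0):
    """RSA-CRT computed modulo pR and qR; returns None if the halves disagree."""
    sp = pow(m, D % ((P - 1) * (R - 1)), P * R) ^ fault
    sq = pow(m, D % ((Q - 1) * (R - 1)), Q * R)
    # Both halves must reduce to m^D mod R; a random error passes with
    # probability of roughly 1/R.
    if sp % R != sq % R:
        return None  # fault detected: release nothing
    return crt(sp % P, sq % Q)


if __name__ == "__main__":
    print("unprotected pair leaks q:", leaked_factor(M) == Q)
    print("checked signer, no fault:", sign_checked(M) == pow(M, D, N))
    print("checked signer, faulted :", sign_checked(M, fault=1))
```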
elliptic curves
formal groups
degenerate curves
elliptic curve cryptosystems
fault attacks
countermeasures