Paper 2019/400

Degenerate Fault Attacks on Elliptic Curve Parameters in OpenSSL

Akira Takahashi and Mehdi Tibouchi

Abstract

In this paper, we describe several practically exploitable fault attacks against OpenSSL's implementation of elliptic curve cryptography, related to the singular curve point decompression attacks of Blömer and Günther (FDTC2015) and the degenerate curve attacks of Neves and Tibouchi (PKC 2016). In particular, we show that OpenSSL allows to construct EC key files containing explicit curve parameters with a compressed base point. A simple single fault injection upon loading such a file yields a full key recovery attack when the key file is used for signing with ECDSA, and a complete recovery of the plaintext when the file is used for encryption using an algorithm like ECIES. The attack is especially devastating against curves with $j$-invariant equal to 0 such as the Bitcoin curve secp256k1, for which key recovery reduces to a single division in the base field. Additionally, we apply the present fault attack technique to OpenSSL's implementation of ECDH, by combining it with Neves and Tibouchi's degenerate curve attack. This version of the attack applies to usual named curve parameters with nonzero $j$-invariant, such as P192 and P256. Although it is typically more computationally expensive than the one against signatures and encryption, and requires multiple faulty outputs from the server, it can recover the entire static secret key of the server even in the presence of point validation. These various attacks can be mounted with only a single instruction skipping fault, and therefore can be easily injected using low-cost voltage glitches on embedded devices. We validated them in practice using concrete fault injection experiments on a Rapsberry Pi single board computer running the up to date OpenSSL command line tools---a setting where the threat of fault attacks is quite significant.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. EuroS&P 2019
Keywords
OpenSSLElliptic curve cryptographyInvalid curve attackFault attackEmbedded securitySingular curveSupersingular curve
Contact author(s)
takahashi @ cs au dk
takahashi akira 58s @ gmail com
mehdi tibouchi br @ hco ntt co jp
mehdi tibouchi @ normalesup org
History
2019-04-18: received
Short URL
https://ia.cr/2019/400
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2019/400,
      author = {Akira Takahashi and Mehdi Tibouchi},
      title = {Degenerate Fault Attacks on Elliptic Curve Parameters in OpenSSL},
      howpublished = {Cryptology ePrint Archive, Paper 2019/400},
      year = {2019},
      note = {\url{https://eprint.iacr.org/2019/400}},
      url = {https://eprint.iacr.org/2019/400}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.