Security Analysis

Because every MPL round performs the same number of O_i operations regardless of the key bit, MPL resists SSCAs (and PAs in particular). Simple PAs, the simplest form of horizontal SCAs, are therefore not successful against MPL. The atomic block approach, which has been shown to be vulnerable to advanced horizontal attacks such as Big Mac, HCA and HCCA [2, 3, 5, 6], is not used in MPL: the algorithm uses no dummy data and is highly regular by design. Some ASCA horizontal attacks can nevertheless succeed even against MPL. They can be thwarted by message/base point blinding with a random element of high bit length and by avoiding digit-serial Z* or F operations (mainly multiplications), since the digit-level leakage of such operations is what these attacks exploit.

The blinding technique adopted in the proposed algorithm prevents vertical SSCAs (vertical SPAs such as DA and RDA), since the relation between two consecutive message/base point inputs is destroyed: each is blinded with a different random number/point. However, as shown in [8], message/base point blinding alone does not protect against 2-TorA. It is therefore essential that the intermediate results are blinded with a different random element of G in every ME/SM round. This is achieved by exponentiating/scalar multiplying the random element B together with the message/base point, without normalizing the blinding back to B at the end of each ME/SM round as similar blinding techniques do (e.g., the BRIP approach [19]); unblinding is performed only once, at the end of the whole operation.

Carrying the random element through every round of the proposed algorithm without normalization (except at the very end) strengthens the message/base point blinding and makes the approach highly resistant to ASCAs (advanced PAs in particular): the intermediate values of each round are masked by a different, unknown element, so the hypothesis-dependent correlations that DPA and CPA rely on are not present. DPA and CPA are therefore not successful against the proposed message/base point blinding approach.

Regarding fault injection attacks, the proposed algorithms rely, as already mentioned, on the MPL round coherence check performed at the end of a single ME or SM operation. This extends the principle of fault infective computation introduced in [43]. A clever attacker could try to bypass the fault detection mechanism by injecting a second fault after the check, complementing a fault already injected during the main computation [31] (similarly to the KQ attack). This two-fault approach does not apply to the proposed algorithm, because the faulty result is still blinded when the detection step is reached. Unblinding it correctly would require a correct (non-faulty) value to be used after fault detection. An attacker who bypasses the detection mechanism therefore cannot tell whether the ME/SM output is a blinded correct result or a blinded faulty one, so the output is useless for fault analysis.
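The two mechanisms discussed above, per-round blinding that is never normalized until the end of the operation (the paragraph on the blinding technique) and the end-of-operation coherence check that a bypassed fault cannot exploit (this paragraph), in a small added Python example. This is illustrative code written for this page, not the proposed algorithm nor any implementation from the paper: it uses a plain Montgomery ladder for modular exponentiation, and the initialisation r0 = B, r1 = g*B, the unblinding factor B^(2^nbits), the ladder invariant r1 = r0*g used as the coherence check, and the single-bit fault model are all assumptions made for the example. The modulus, base, exponent and blinding values in the usage are constructed.

```python
import secrets

# Added example, not the paper's algorithm. Assumptions made here: a Montgomery
# ladder for modular exponentiation is initialised with r0 = b, r1 = g*b so that
# the random element b is exponentiated alongside the base; the ladder invariant
# r1 == r0 * g (mod n) serves as the end-of-operation coherence check; a fault is
# modelled as a single-bit flip of r0 at the start of one round.


def blinded_ladder(g, e, n, nbits, b, fault_round=None):
    """Return (r0, r1, trace).

    On a fault-free run r0 == g^e * b^(2^nbits) mod n.  trace[k] is r0 after the
    k-th round; it carries b^(2^(k+1)), i.e. a different blinding element in
    every round, and nothing is normalised back to b until unblind() is called.
    """
    r0, r1 = b % n, (g * b) % n
    trace = []
    for i in range(nbits - 1, -1, -1):
        if i == fault_round:
            r0 = (r0 ^ 1) % n               # simulated fault (constructed)
        bit = (e >> i) & 1
        if bit == 0:                        # one mul + one square on both
            r1 = (r0 * r1) % n              # branches: regular op count
            r0 = (r0 * r0) % n
        else:
            r0 = (r0 * r1) % n
            r1 = (r1 * r1) % n
        trace.append(r0)
    return r0, r1, trace


def coherence_ok(r0, r1, g, n):
    """Ladder invariant r1 = r0 * g (mod n).

    The ladder preserves the ratio r1/r0 whatever its value, so a fault that
    alters one register in any round is still visible at the end."""
    return (r0 * g) % n == r1


def unblind(r0, b, nbits, n):
    """Remove b^(2^nbits); the only step that needs knowledge of b."""
    b_final = pow(b, 1 << nbits, n)
    return (r0 * pow(b_final, -1, n)) % n


def blinded_modexp(g, e, n, nbits, b=None, fault_round=None):
    """Full operation: blinded ladder, coherence check, then unblinding.

    Returns g^e mod n, or None when the coherence check detects a fault."""
    if b is None:
        b = secrets.randbelow(n - 2) + 2    # fresh random element per call
    r0, r1, _ = blinded_ladder(g, e, n, nbits, b, fault_round)
    if not coherence_ok(r0, r1, g, n):
        return None
    return unblind(r0, b, nbits, n)


def bypassed_output(g, e, n, nbits, b, fault_round):
    """What an attacker who suppresses the check obtains: the still-blinded r0.

    Without the correct b this value cannot be told apart from a blinded
    correct result, and it cannot be unblinded into anything usable."""
    r0, _, _ = blinded_ladder(g, e, n, nbits, b, fault_round)
    return r0


if __name__ == "__main__":
    P = 2**61 - 1                           # constructed prime modulus
    G, E, NB = 5, 0xB7, 8                   # constructed base and exponent
    print("correct:", blinded_modexp(G, E, P, NB) == pow(G, E, P))
    print("fault detected:", blinded_modexp(G, E, P, NB, fault_round=3) is None)
    t1 = blinded_ladder(G, E, P, NB, 12345)[2]
    t2 = blinded_ladder(G, E, P, NB, 67890)[2]
    print("every round blinded differently:", all(x != y for x, y in zip(t1, t2)))
```

Running it shows three things the paragraphs state: the per-round intermediate values for two different blinding elements differ in every round, so no round exposes a value masked by a fixed or known element; a single-register fault in any round breaks the ratio invariant and is caught by the check; and an attacker who skips the check is left with a blinded faulty r0 that even the correct unblinding factor does not turn into g^e.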
