Description
Elliptic curve signature schemes, favored for their efficiency and smaller key sizes, face significant challenges in embedded systems and IoT devices due to fault attacks. Older schemes such as RSA, as well as post-quantum schemes, have already been analyzed for their resilience against fault attacks on the verification procedure. These attacks have, however, not yet been studied for elliptic curve-based signatures, even though such signatures are commonly used in embedded systems, which at the same time experience the highest exposure to fault attacks. We reveal that faults in elliptic curve points and parameters enable an adversary to forge signatures in ECGDSA and ECSDSA, while ECDSA and EdDSA remain resilient. The weakness lies in the Weierstraß curves used in the affected schemes, which allow an adversary to perform cryptographic operations on much weaker curves by faulting just a single bit. Further, we discovered several attacks on the implementation of the verification algorithms of ECDSA and EdDSA. Here, a single instruction skip is often enough to accept trivially forged signatures. Secure bootloaders for embedded systems often implement hardening against fault attacks for their critical core operations but completely fail to do so in the cryptographic libraries they utilize. We propose effective countermeasures to enhance security in these constrained environments, addressing a critical gap and motivating further research into more robust cryptographic implementations.
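The abstract states that a single-bit fault in a curve point or parameter moves the computation onto a different, weaker Weierstraß curve. The following is an added illustration (not code from the paper) of the input validation a verifier can run before using a public key or the domain parameters: it checks that the parameters still match a reference digest, that the generator and the public key satisfy the curve equation, and, for a point that fails, reports the coefficient b' of the neighbouring curve it actually lies on. The curve is secp256k1 (real parameters; the paper does not name a curve), and the reference digest is assumed to be computed at build time and kept in immutable storage.

```python
"""Added example: pre-verification validation of curve points and parameters
as a countermeasure against single-bit faults. Not from the paper."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Curve:
    p: int
    a: int
    b: int
    gx: int
    gy: int


# secp256k1 domain parameters, short Weierstrass form y^2 = x^3 + a*x + b.
SECP256K1 = Curve(
    p=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F,
    a=0,
    b=7,
    gx=0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    gy=0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
)


def is_on_curve(curve: Curve, x: int, y: int) -> bool:
    """True iff (x, y) is in range and satisfies the curve equation mod p."""
    if not (0 <= x < curve.p and 0 <= y < curve.p):
        return False
    return (y * y - (x * x * x + curve.a * x + curve.b)) % curve.p == 0


def implied_b(curve: Curve, x: int, y: int) -> int:
    """Coefficient b' such that (x, y) lies on y^2 = x^3 + a*x + b' over the
    same field. A faulted point is still on *some* curve of this family;
    unchecked arithmetic would silently proceed on that neighbour curve."""
    return (y * y - x * x * x - curve.a * x) % curve.p


def flip_bit(value: int, bit: int) -> int:
    """Model a single-bit fault in a coordinate or parameter."""
    return value ^ (1 << bit)


def params_digest(curve: Curve) -> str:
    """SHA-256 over the domain parameters. The reference value is assumed to be
    computed at build time and stored in immutable memory."""
    h = hashlib.sha256()
    for v in (curve.p, curve.a, curve.b, curve.gx, curve.gy):
        h.update(v.to_bytes(32, "big"))
    return h.hexdigest()


def validate_inputs(curve: Curve, pub_x: int, pub_y: int, expected_digest: str) -> list:
    """Checks to run before signature verification touches the public key.
    Returns the names of the failed checks (empty list means all passed)."""
    failures = []
    if params_digest(curve) != expected_digest:
        failures.append("params")
    if not is_on_curve(curve, curve.gx, curve.gy):
        failures.append("generator")
    if not is_on_curve(curve, pub_x, pub_y):
        failures.append("pubkey")
    return failures


if __name__ == "__main__":
    ref = params_digest(SECP256K1)
    print(validate_inputs(SECP256K1, SECP256K1.gx, SECP256K1.gy, ref))
    # Constructed fault: one bit of the public key's x-coordinate flipped.
    fx = flip_bit(SECP256K1.gx, 17)
    print(validate_inputs(SECP256K1, fx, SECP256K1.gy, ref))
    print("neighbour curve b' =", hex(implied_b(SECP256K1, fx, SECP256K1.gy)))
```

The three checks are cheap compared with a scalar multiplication, and each one corresponds to a fault the abstract names: the digest catches a modified parameter, the generator check catches a faulted base point, and the public-key check catches a faulted point before any arithmetic is performed on it.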