Memory Tampering Attack on Binary GCD Based Inversion Algorithms

  • Alejandro Cabrera Aldaya
  • Billy Bob Brumley
  • Alejandro J. Cabrera Sarmiento
  • Santiago Sánchez-Solano


In the field of cryptography engineering, implementation-based attacks are a major concern because their feasibility has been proven in practice. Fault injection is one such attack vector and is nowadays a major line of research. In this paper, we present how a memory tampering-based fault attack can be used to severely limit the output space of implementations of binary GCD based modular inversion algorithms. We frame the proposed attack in the context of ECDSA, showing how this approach allows recovering the private key from only one signature, independent of the key size. We analyze two memory tampering proposals, illustrating how the technique can be adapted to different implementations. Besides its application to ECDSA, it can be extended to other cryptographic schemes and countermeasures in which binary GCD based modular inversion algorithms are employed. In addition, we describe how memory tampering-based fault attacks can be used to mount a previously proposed fault attack in scenarios that were initially ruled out, showing the importance of including memory tampering attacks in the frameworks used to analyze fault attacks and their countermeasures.
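The abstract's point is that a faulted binary GCD inversion no longer returns a true inverse, so the natural countermeasure on the signer side is to verify the inversion output before it is used (for example, before k^-1 enters the ECDSA equation for s). The block below is an added illustration, not code from the paper: a binary extended Euclidean inversion over an odd modulus, a checked wrapper that rejects any x with a·x ≢ 1 (mod m), and a constructed stand-in for a tampered inverter used only to show the check firing. Function names, the nonce value and the stand-in are assumptions.

```python
# Added illustration, not the paper's code; function names are assumptions.
class FaultDetected(Exception):
    """Raised when an inversion result fails the a * x == 1 (mod m) check."""

def binary_modinv(a, m):
    """Return a^-1 mod m for odd m and gcd(a, m) == 1 (binary extended GCD)."""
    if m % 2 == 0 or not 0 < a < m:
        raise ValueError("need odd modulus and 0 < a < m")
    u, v = a, m       # binary GCD working pair
    x1, x2 = 1, 0     # invariants: x1 * a == u and x2 * a == v (mod m)
    while u != 1 and v != 1:
        if u == 0 or v == 0:
            raise ValueError("a is not invertible modulo m")
        while u % 2 == 0:  # halve u; halve x1 modulo m to keep the invariant
            u //= 2
            x1 = x1 // 2 if x1 % 2 == 0 else (x1 + m) // 2
        while v % 2 == 0:  # same for v and x2
            v //= 2
            x2 = x2 // 2 if x2 % 2 == 0 else (x2 + m) // 2
        if u >= v:
            u, x1 = u - v, x1 - x2
        else:
            v, x2 = v - u, x2 - x1
    return x1 % m if u == 1 else x2 % m

def checked_modinv(a, m, inverter=binary_modinv):
    """Countermeasure: run the inverter, then verify a * x == 1 (mod m)."""
    x = inverter(a, m)
    if (a * x) % m != 1:
        raise FaultDetected("inversion output failed verification")
    return x

def collapsed_inverter(a, m):
    """Constructed stand-in for a tampered inverter whose output space has
    collapsed to one value; present only to show that the check fires."""
    return 1

def demo_check():
    """Return (ok, caught): a correct inverse passes, the faulted one is caught."""
    n = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # P-256 order
    k = 0x123456789ABCDEF013579BDF2468ACE0  # constructed nonce value
    ok = (k * checked_modinv(k, n)) % n == 1
    try:
        checked_modinv(k, n, inverter=collapsed_inverter)
        caught = False
    except FaultDetected:
        caught = True
    return ok, caught
```

The product check costs one modular multiplication per inversion and catches any incorrect inverse regardless of how the fault was induced; it does not, by itself, stop an attacker who can also tamper with the check, so it complements rather than replaces bitstream and memory integrity protection.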


Keywords: Fault attacks, Binary GCD, Bitstream manipulation, FPGA memory tampering, ECDSA



This work was partially funded by Academy of Finland (Grant No. 303814) and Spanish Government (with support from FEDER) (Project No. TEC2017-83557-R).



Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  1. Universidad Tecnológica de la Habana José Antonio Echeverría (CUJAE), La Habana, Cuba
  2. Tampere University of Technology, Tampere, Finland
  3. Instituto de Microelectrónica de Sevilla, IMSE-CNM, CSIC/Universidad de Sevilla, Seville, Spain
