author J08nY 2025-04-21 12:26:00 +0200
committer J08nY 2025-04-21 12:26:00 +0200
commit efa1b87eead8fb2374568ec7252ac87230ca1a1c (patch)
tree 8245d1380108b0abed0b0fe42b6976168dab7ab7 /analysis
parent 386fe4bc62b06ec68414f5ba9ed4959ce0823472 (diff)
Diffstat (limited to 'analysis')
-rw-r--r-- analysis/countermeasures/simulation.ipynb | 66
1 files changed, 61 insertions, 5 deletions
diff --git a/analysis/countermeasures/simulation.ipynb b/analysis/countermeasures/simulation.ipynb
index 4f4c601..db66832 100644
--- a/analysis/countermeasures/simulation.ipynb
+++ b/analysis/countermeasures/simulation.ipynb
@@ -2315,7 +2315,11 @@
"id": "867fedf2-0d95-4012-b57c-f2e3dcf0826c",
"metadata": {},
"source": [
- "## Composite test"
+ "## Composite test\n",
+ "\n",
+ "The composite test works by observing the implementation operating on a composite order curve. The order of the curve is correctly presented to the implementation, so this test is not applicable to targets that check primality of the curve order.\n",
+ "\n",
+ "This test is able to detect the presence of multiplicative splitting, due to errors arising from trying to invert the random mask modulo a composite order. Based on the inversion algorithm used, different behaviors may be present. Importantly, the other countermeasures do not error on composite order curves."
]
},
{
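Review bot: the last paragraph of the new "## Composite test" cell describes the detection signal only as errors from inverting the mask, yet the later cells of this same change show that Fermat-based inversion returns wrong results without raising anything, so the sentence should say that multiplicative splitting is detected either by an inversion error or by an invalid result. Suggest: "This test is able to detect the presence of multiplicative splitting, because inverting the random mask modulo a composite order either fails (raising an error) or silently yields a wrong inverse, depending on the inversion algorithm used." Minor: "the order of the curve is correctly presented to the implementation" reads more clearly as "the true (composite) order is passed to the implementation".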
@@ -2329,6 +2333,14 @@
]
},
{
+ "cell_type": "markdown",
+ "id": "9f8c9bb9-64f4-4154-b148-8050de4468fc",
+ "metadata": {},
+ "source": [
+ "The order is 11-times a big prime."
+ ]
+ },
+ {
"cell_type": "code",
"execution_count": 104,
"id": "9db677c5-34e3-4b5e-93dc-11b9b7e2cf3a",
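Review bot: "11-times a big prime" should read "11 times a big prime", and the cell should say why the small factor matters: with a mask drawn uniformly modulo the order, roughly one mask in eleven shares the factor 11 with the order and therefore has no inverse, which is what makes the repeated trials in the following cells hit the failure case at all. Without that sentence the reader cannot tell whether the 11 is essential to the test or incidental.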
@@ -2356,6 +2368,14 @@
]
},
{
+ "cell_type": "markdown",
+ "id": "f0338115-84f8-44ee-bbb6-67a678537c0e",
+ "metadata": {},
+ "source": [
+ "The test consists of repeatedly performing the operation (ECDH, keygen, ECDSA) and observing whether the implementation returns an error and checking the validity of the result if it returns a result."
+ ]
+ },
+ {
"cell_type": "code",
"execution_count": 120,
"id": "db1e4115-d0cf-4558-93e5-d60781407548",
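Review bot: the new markdown cell does not say what "validity of the result" is checked against, nor what the pass/fail criterion of the test is; suggest stating the reference (for example the same operation computed by a scalar multiplier without countermeasures) and that a single error or mismatch across the repetitions flags the implementation. The sentence is also a run-on; split it: "The test repeatedly performs the operation (ECDH, keygen, ECDSA). For each run it records whether the implementation returned an error and, if a result was returned, whether that result is valid."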
@@ -2385,6 +2405,14 @@
]
},
{
+ "cell_type": "markdown",
+ "id": "0ebd90c6-2022-4d50-aca0-416c444418bb",
+ "metadata": {},
+ "source": [
+ "Scalar multipliers without countermeasures have no issues computing over composite order curves."
+ ]
+ },
+ {
"cell_type": "code",
"execution_count": 74,
"id": "9946acdf-41db-4aa2-864a-1e1e771bc6cc",
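Review bot: "have no issues" in the new cell should state what was actually observed, since this cell is the control for the countermeasure cells that follow: for example "every repetition returned a valid result and none raised an error". It is also worth saying why this is expected, namely that a plain scalar multiplier performs no inversion modulo the group order, so a composite order cannot affect it.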
@@ -2425,7 +2453,8 @@
"id": "54c9ef0f-bc9e-47b9-a7e4-3821c2a2f93a",
"metadata": {},
"source": [
- "### Group scalar randomization"
+ "### Group scalar randomization\n",
+ "GSR has no issues computing over composite order curves."
]
},
{
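Review bot: the new "### Group scalar randomization" cell states the observation but not the reason, and the reason is the point of the whole section; suggest adding that GSR only adds a random multiple of the group order to the scalar and performs no inversion modulo the order, so a composite order cannot trip it. Minor style point: the "## Composite test" cell separates its heading from the text with a blank "\n" line, while this cell does not; pick one convention for all the countermeasure cells.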
@@ -2451,7 +2480,8 @@
"id": "fea32f4e-dca2-4a5c-bd93-6580183e2d02",
"metadata": {},
"source": [
- "### Multiplicative splitting"
+ "### Multiplicative splitting\n",
+ "When multiplicative splitting is used, the implementation may detect the element as not invertible and raise an error, as can be seen below when the extended euclid algorithm is used."
]
},
{
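Review bot: "extended euclid algorithm" should be "extended Euclidean algorithm" (the same spelling recurs in the two cells after this one), and "the element" should name what is being inverted, i.e. the random mask. Suggest also saying when the error occurs: the mask has an inverse modulo the order only if it is coprime to the order, so with a composite order some masks are rejected by the gcd check inside the extended Euclidean algorithm.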
@@ -2479,6 +2509,14 @@
]
},
{
+ "cell_type": "markdown",
+ "id": "15a742dd-d615-4103-8782-f7f26559ec8f",
+ "metadata": {},
+ "source": [
+ "If we keep using the extended euclid algorithm but instead make the implementation ignore the errors and return the results, we get wrong results for masks that were not invertible."
+ ]
+ },
+ {
"cell_type": "code",
"execution_count": 115,
"id": "00433eb9-9ef1-47b6-b2c6-775e08b67223",
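Review bot: the new cell says the implementation is made to "ignore the errors and return the results" but not how that is done in the code below, and it stops short of the conclusion that matters: an implementation that swallows the inversion failure produces an invalid result with no error at all, which is exactly why the composite test has to check result validity rather than only catch exceptions. Suggest one sentence making that explicit, plus "extended euclid" to "extended Euclidean".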
@@ -2499,6 +2537,14 @@
]
},
{
+ "cell_type": "markdown",
+ "id": "2082a2a6-7ab3-469b-a7e5-71c9e2e465d4",
+ "metadata": {},
+ "source": [
+ "This also shows that all of the `Mod` implementations in pyecsca use extended euclid algorithm for the inversion."
+ ]
+ },
+ {
"cell_type": "code",
"execution_count": 116,
"id": "c4e4e3be-f5f9-4de2-b2cd-48ecc31a97d1",
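Review bot: "all of the `Mod` implementations in pyecsca use extended euclid algorithm" is a claim about every backend, but the cell does not say which `Mod` implementations the code above exercised; suggest naming them in this sentence (or writing "all `Mod` implementations tried here") so the statement can be checked against the cell output, and fix the grammar: "use the extended Euclidean algorithm for inversion".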
@@ -2562,6 +2608,14 @@
]
},
{
+ "cell_type": "markdown",
+ "id": "141687e0-d688-4431-91ea-010a66b4bcfe",
+ "metadata": {},
+ "source": [
+ "If we switch to inversion via Fermat's little theorem, we see that we always get wrong results."
+ ]
+ },
+ {
"cell_type": "code",
"execution_count": 119,
"id": "f4cd4c05-33ac-48f7-9996-751b2c7ffe4d",
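Review bot: the new cell should say why Fermat inversion gives wrong results rather than errors, since that is what distinguishes it from the extended Euclidean case: inversion via Fermat's little theorem computes a^(n-2) mod n, which is an inverse of a only when a^(n-1) ≡ 1 (mod n), i.e. in general only for prime n, so for a composite order it returns a wrong value silently, even for masks that do have an inverse. "Always" is better stated as "in every run", because a mask satisfying a^(n-1) ≡ 1 (mod n) would still be inverted correctly.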
@@ -2596,7 +2650,8 @@
"id": "189d4f2a-1f0c-473f-b9fe-988bf4fbe9f7",
"metadata": {},
"source": [
- "### Additive splitting"
+ "### Additive splitting\n",
+ "Additive splitting has no issues computing over composite order curves."
]
},
{
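Review bot: the new "### Additive splitting" cell, like the GSR cell, gives the result without the reason; suggest adding that additive splitting only writes the scalar as a sum k = k1 + k2 with k1 random and never inverts anything modulo the order, so it is expected to be unaffected. The same heading/blank-line consistency remark as for the GSR cell applies here.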
@@ -2622,7 +2677,8 @@
"id": "287b7945-c538-4b40-a65b-1081f68107ab",
"metadata": {},
"source": [
- "### Euclidean splitting"
+ "### Euclidean splitting\n",
+ "Euclidean splitting has no issues computing over composite order curves."
]
},
{
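Review bot: the "### Euclidean splitting" cell should state why it is unaffected: Euclidean splitting writes k = k1 + k2·r with a random r, k1 = k mod r and k2 = k div r, which needs an integer division by r but no inversion modulo the group order. Since this is the last countermeasure cell, it is also the place for one sentence summarising the section, namely that of the countermeasures tried only multiplicative splitting is distinguishable on a composite order curve, which is what the composite test relies on.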