Diffstat (limited to 'analysis')
| -rw-r--r-- | analysis/countermeasures/simulation.ipynb | 66 |
1 files changed, 61 insertions, 5 deletions
diff --git a/analysis/countermeasures/simulation.ipynb b/analysis/countermeasures/simulation.ipynb index 4f4c601..db66832 100644 --- a/analysis/countermeasures/simulation.ipynb +++ b/analysis/countermeasures/simulation.ipynb @@ -2315,7 +2315,11 @@ "id": "867fedf2-0d95-4012-b57c-f2e3dcf0826c", "metadata": {}, "source": [ - "## Composite test" + "## Composite test\n", + "\n", + "The composite test works by observing the implementation operating on a composite order curve. The order of the curve is correctly presented to the implementation, so this test is not applicable to targets that check primality of the curve order.\n", + "\n", + "This test is able to detect the presence of multiplicative splitting, due to errors arising from trying to invert the random mask modulo a composite order. Based on the inversion algorithm used, different behaviors may be present. Importantly, the other countermeasures do not error on composite order curves." ] }, { @@ -2329,6 +2333,14 @@ ] }, { + "cell_type": "markdown", + "id": "9f8c9bb9-64f4-4154-b148-8050de4468fc", + "metadata": {}, + "source": [ + "The order is 11-times a big prime." + ] + }, + { "cell_type": "code", "execution_count": 104, "id": "9db677c5-34e3-4b5e-93dc-11b9b7e2cf3a", @@ -2356,6 +2368,14 @@ ] }, { + "cell_type": "markdown", + "id": "f0338115-84f8-44ee-bbb6-67a678537c0e", + "metadata": {}, + "source": [ + "The test consists of repeatedly performing the operation (ECDH, keygen, ECDSA) and observing whether the implementation returns an error and checking the validity of the result if it returns a result." + ] + }, + { "cell_type": "code", "execution_count": 120, "id": "db1e4115-d0cf-4558-93e5-d60781407548", 
@@ -2385,6 +2405,14 @@ ] }, { + "cell_type": "markdown", + "id": "0ebd90c6-2022-4d50-aca0-416c444418bb", + "metadata": {}, + "source": [ + "Scalar multipliers without countermeasures have no issues computing over composite order curves." + ] + }, + { "cell_type": "code", "execution_count": 74, "id": "9946acdf-41db-4aa2-864a-1e1e771bc6cc", @@ -2425,7 +2453,8 @@ "id": "54c9ef0f-bc9e-47b9-a7e4-3821c2a2f93a", "metadata": {}, "source": [ - "### Group scalar randomization" + "### Group scalar randomization\n", + "GSR has no issues computing over composite order curves." ] }, { @@ -2451,7 +2480,8 @@ "id": "fea32f4e-dca2-4a5c-bd93-6580183e2d02", "metadata": {}, "source": [ - "### Multiplicative splitting" + "### Multiplicative splitting\n", + "When multiplicative splitting is used, the implementation may detect the element as not invertible and raise an error, as can be seen below when the extended euclid algorithm is used." ] }, { @@ -2479,6 +2509,14 @@ ] }, { + "cell_type": "markdown", + "id": "15a742dd-d615-4103-8782-f7f26559ec8f", + "metadata": {}, + "source": [ + "If we keep using the extended euclid algorithm but instead make the implementation ignore the errors and return the results, we get wrong results for masks that were not invertible." + ] + }, + { "cell_type": "code", "execution_count": 115, "id": "00433eb9-9ef1-47b6-b2c6-775e08b67223", @@ -2499,6 +2537,14 @@ ] }, { + "cell_type": "markdown", + "id": "2082a2a6-7ab3-469b-a7e5-71c9e2e465d4", + "metadata": {}, + "source": [ + "This also shows that all of the `Mod` implementations in pyecsca use extended euclid algorithm for the inversion." + ] + }, + { "cell_type": "code", "execution_count": 116, "id": "c4e4e3be-f5f9-4de2-b2cd-48ecc31a97d1", 
@@ -2562,6 +2608,14 @@ ] }, { + "cell_type": "markdown", + "id": "141687e0-d688-4431-91ea-010a66b4bcfe", + "metadata": {}, + "source": [ + "If we switch to inversion via Fermat's little theorem, we see that we always get wrong results." + ] + }, + { "cell_type": "code", "execution_count": 119, "id": "f4cd4c05-33ac-48f7-9996-751b2c7ffe4d", @@ -2596,7 +2650,8 @@ "id": "189d4f2a-1f0c-473f-b9fe-988bf4fbe9f7", "metadata": {}, "source": [ - "### Additive splitting" + "### Additive splitting\n", + "Additive splitting has no issues computing over composite order curves." ] }, { @@ -2622,7 +2677,8 @@ "id": "287b7945-c538-4b40-a65b-1081f68107ab", "metadata": {}, "source": [ - "### Euclidean splitting" + "### Euclidean splitting\n", + "Euclidean splitting has no issues computing over composite order curves." ] }, { |
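Review bot: in the `## Composite test` hunk (@@ -2315), the sentence "Based on the inversion algorithm used, different behaviors may be present." is too vague for a section that later demonstrates exactly two outcomes; say which ones, e.g. "Depending on the inversion algorithm, the implementation either raises an error or silently returns a wrong result." Also hyphenate "composite-order curve" consistently across the new cells.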
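Review bot: in the @@ -2329 hunk, "The order is 11-times a big prime." should read "The order is 11 times a large prime." (no hyphen). Since the cell below is the only place the reader sees the curve, consider naming the factor explicitly in the text, e.g. "the order is 11 * p for a large prime p", so the later remark about non-invertible masks is easy to connect to this cofactor.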
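Review bot: in the @@ -2356 hunk, the added sentence is a run-on and leaves "the validity of the result" undefined: the text does not say what a returned result is compared against. Suggest splitting it and stating the reference, e.g. "The test repeatedly performs the operation (ECDH, keygen, ECDSA) and observes whether the implementation returns an error. When it returns a result, the result is checked against an unprotected reference computation." (adjust the last clause to whatever the cell actually compares with).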
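Review bot: in the `### Group scalar randomization` hunk (@@ -2425), the heading line `"### Group scalar randomization\n",` is followed directly by `"GSR has no issues computing over composite order curves."` with no blank line, while the `## Composite test` cell separates heading and body with an empty `"\n",` line. Markdown renders both, but keep one convention; the same applies to the additive splitting (@@ -2596) and Euclidean splitting (@@ -2622) cells.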
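Review bot: in the `### Multiplicative splitting` hunk (@@ -2451), "extended euclid algorithm" should be "extended Euclidean algorithm" (proper-noun capitalisation; the same spelling recurs in the @@ -2479 and @@ -2499 cells). Also "detect the element as not invertible" is imprecise: the thing being inverted is the random mask, so "detect that the mask is not invertible modulo the order" says what actually happens.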
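Review bot: in the @@ -2499 hunk, "use extended euclid algorithm for the inversion" is missing the article ("use the extended Euclidean algorithm"). More importantly, the sentence generalises to "all of the `Mod` implementations in pyecsca", but the hunk only shows prose; make sure the code cell that follows actually exercises every `Mod` backend, and otherwise qualify the statement to the implementations that were run.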
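Review bot: in the @@ -2562 hunk, the sentence about Fermat inversion should explain the contrast with the Euclidean case rather than just state the outcome: computing a^(n-2) mod n by exponentiation never fails, so no error is possible, but the result equals the inverse only when n is prime. "We always get wrong results" is also slightly too strong for a composite n: any mask a with a^(n-1) = 1 (mod n), such as a = n-1, still yields the correct inverse, so "for practically all masks" is the accurate wording.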
