Transient Fault Induction Attacks on XTR

  • Mathieu Ciet
  • Christophe Giraud
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3269)


At Crypto 2000, the public-key system XTR was introduced by Lenstra and Verheul. This system uses an efficient and compact method to represent subgroup elements. Applying XTR in cryptographic protocols such as Diffie-Hellman key agreement, El Gamal encryption or DSA signatures greatly reduces the computational cost without compromising security. XTR in the presence of a fault, i.e. when processing under unexpected conditions, has never been studied. This paper presents four different fault analyses and shows how an error during the XTR exponentiation can be exploited by a malicious adversary to recover part or all of the secret parameter. Countermeasures against these fault attacks are also presented. They are very simple to implement and induce a negligible performance penalty in terms of both memory and time.


Keywords: Differential fault analysis, public-key system, XTR, countermeasures, smart cards





Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Mathieu Ciet (1)
  • Christophe Giraud (2)

  1. Innova Card, La Ciotat, France
  2. Oberthur Card Systems, Puteaux, France
