Full Key Recovery Side-Channel Attack Against Ephemeral SIKE on the Cortex-M4

  • Conference paper
Constructive Side-Channel Analysis and Secure Design (COSADE 2021)

Abstract

This paper describes the first practical single-trace side-channel power analysis of SIKE. While SIKE is a post-quantum key exchange, the scheme still relies on a secret elliptic curve scalar multiplication which involves a loop of a double-and-add procedure, of which each iteration depends on a single bit of the private key. The attack therefore exploits the nature of elliptic curve point addition formulas which require the same function to be executed multiple times. We show how a single trace of a loop iteration can be segmented into several power traces on which 32-bit words can be hypothesised based on the value of a single private key bit. This segmentation enables a classical correlation power analysis in an extend-and-prune approach. Further error-correction techniques based on depth-search are suggested. The attack is explicitly geared towards and experimentally verified on an STM32F3 featuring a Cortex-M4 microcontroller which runs the SIKEp434 implementation adapted to 32-bit ARM that is part of the official implementations of SIKE. We obtained a resounding 100% success rate recovering the full private key in each experiment. We argue that our attack defeats many countermeasures which were suggested in a previous power analysis of SIKE, and finally show that the well-known countermeasure of projective coordinate randomisation stops the attack with a negligible overhead.
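The abstract hinges on two properties of the scalar-multiplication ladder: without countermeasures, the intermediate (X:Z) words after each iteration are a deterministic function of the key bits processed so far (which is what lets the attack hypothesise 32-bit words from a single key-bit guess), and projective coordinate randomisation destroys that predictability while leaving the result unchanged. The following Python is an added illustration of both points, not code from the paper or from the SIKE implementation it targets. It is an assumption of this example that the Montgomery ladder of Curve25519 stands in for SIKE's three-point ladder: the parameters are public and well known, while SIKE's own (supersingular) curves and its xDBLADD step differ in detail. The function names, the `trace` list and the `reproducible` check are constructs of this example.

```python
import secrets

# Curve25519 in Montgomery form, y^2 = x^3 + A*x^2 + x over GF(P). Chosen for
# this example only because its parameters are public (assumption: stand-in for
# the SIKE curve); the x-only xDBL/xADD arithmetic is of the same family.
P = 2**255 - 19
A24 = 121666                    # (A + 2) / 4 for A = 486662
BASE_X = 9                      # x-coordinate of the standard base point
ORDER = 2**252 + 27742317777372353535851937790883648493  # order of the base point


def cswap(swap, a, b):
    """Branch-free conditional swap of two field elements (swap in {0, 1})."""
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy


def xdbl(x, z):
    """Projective x-only doubling: (X:Z) -> [2](X:Z)."""
    t0 = (x + z) * (x + z) % P          # (X+Z)^2
    t1 = (x - z) * (x - z) % P          # (X-Z)^2
    t2 = (t0 - t1) % P                  # 4XZ
    return t0 * t1 % P, t2 * (t1 + A24 * t2) % P


def xadd(xp, zp, xq, zq, xdiff):
    """Projective x-only differential addition; xdiff = affine x of P - Q."""
    t0 = (xp + zp) * (xq - zq) % P
    t1 = (xp - zp) * (xq + zq) % P
    return (t0 + t1) * (t0 + t1) % P, xdiff * (t0 - t1) * (t0 - t1) % P


def normalise(x, z):
    """Affine x = X / Z, or None for the point at infinity (Z == 0)."""
    if z == 0:
        return None
    return x * pow(z, P - 2, P) % P


def ladder(k, x_affine, randomise, trace=None):
    """Montgomery ladder computing [k]P in (X:Z) form from the affine x of P.

    randomise=False: every intermediate (X:Z) pair is a deterministic function
    of the key bits processed so far, so each of its 32-bit limbs can be
    hypothesised from a single key-bit guess, the leverage the attack uses.
    randomise=True: both ladder registers are scaled by fresh secret factors
    before the loop (projective coordinate randomisation), so the intermediate
    limbs are unpredictable while X/Z, and hence the result, is unchanged.
    If trace is a list, the register contents after each iteration are
    appended to it, standing in for the values a power trace would expose.
    """
    x2, z2 = 1, 0                 # R0 = point at infinity
    x3, z3 = x_affine, 1          # R1 = P
    if randomise:
        lam2 = secrets.randbelow(P - 1) + 1    # uniform in [1, P-1]
        lam3 = secrets.randbelow(P - 1) + 1
        x2, z2 = lam2 * x2 % P, lam2 * z2 % P
        x3, z3 = lam3 * x3 % P, lam3 * z3 % P
    swap = 0
    for t in range(k.bit_length() - 1, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = bit
        x3, z3 = xadd(x2, z2, x3, z3, x_affine)   # R1 = R0 + R1
        x2, z2 = xdbl(x2, z2)                     # R0 = [2]R0
        if trace is not None:
            trace.append((x2, z2, x3, z3))
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2, z2


def intermediates(k, randomise):
    """Register contents after every ladder iteration for secret scalar k."""
    trace = []
    ladder(k, BASE_X, randomise, trace)
    return trace


def reproducible(k, randomise):
    """True if two independent executions expose identical intermediate values.

    This is the property the attack needs: a guess of a key bit must predict
    the words that actually appear on the device during that iteration.
    """
    return intermediates(k, randomise) == intermediates(k, randomise)


if __name__ == "__main__":
    k = secrets.randbelow(ORDER)      # constructed secret scalar
    same = normalise(*ladder(k, BASE_X, False)) == normalise(*ladder(k, BASE_X, True))
    print("result unchanged by randomisation:", same)
    print("intermediates predictable without randomisation:", reproducible(k, False))
    print("intermediates predictable with randomisation:", reproducible(k, True))
```

The ladder is the textbook constant-time form (conditional swap rather than a key-dependent branch), so the only thing separating the two runs is the scaling of the projective coordinates before the loop; that scaling costs two field multiplications per register, which is why the abstract can describe the overhead as negligible. The check against `ORDER` in the accompanying assertions (the ladder must reach the point at infinity, i.e. Z = 0, exactly at the group order) is what validates the doubling and addition formulas themselves.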

Notes

  1. We refer to the official NAE-CW308 UFO datasheet to find the mentioned pins: http://media.newae.com/datasheets/NAE-CW308-datasheet.pdf.

  2. We refer to the official CW308T-STM32F3 datasheet to find the mentioned pins: https://media.newae.com/datasheets/NAE-CW308T-STM32F_datasheet.pdf.

References

  1. Apon, D.: Passing the final checkpoint! NIST PQC 3rd round begins (2020). https://meetings.ams.org/math/fall2020se/meetingapp.cgi/Paper/1656. https://www.scribd.com/document/474476570/PQC-Overview-Aug-2020-NIST

  2. Aysu, A., Tobah, Y., Tiwari, M., Gerstlauer, A., Orshansky, M.: Horizontal side-channel vulnerabilities of post-quantum key exchange protocols. In: 2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 81–88 (2018). https://doi.org/10.1109/HST.2018.8383894

  3. Azarderakhsh, R., Jao, D., Kalach, K., Koziel, B., Leonardi, C.: Key compression for isogeny-based cryptosystems. Cryptology ePrint Archive, Report 2016/229 (2016). https://eprint.iacr.org/2016/229

  4. Azouaoui, M., Poussier, R., Standaert, F.-X.: Fast side-channel security evaluation of ECC implementations. In: Polian, I., Stöttinger, M. (eds.) COSADE 2019. LNCS, vol. 11421, pp. 25–42. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-16350-1_3

  5. Batina, L., Chmielewski, L., Papachristodoulou, L., Schwabe, P., Tunstall, M.: Online template attacks. J. Cryptogr. Eng. 9(1), 21–36 (2017). https://doi.org/10.1007/s13389-017-0171-8

  6. Bos, J.W., Friedberger, S.J.: Arithmetic considerations for isogeny based cryptography. Cryptology ePrint Archive, Report 2018/376 (2018). https://eprint.iacr.org/2018/376

  7. Bos, J.W., Friedberger, S.J.: Faster modular arithmetic for isogeny based crypto on embedded devices. Cryptology ePrint Archive, Report 2018/792 (2018). https://eprint.iacr.org/2018/792

  8. Bos, J.W., Friedberger, S.J., Martinoli, M., Oswald, E., Stam, M.: Assessing the feasibility of single trace power analysis of Frodo. In: Cid, C., Jacobson, M., Jr. (eds.) SAC 2018. LNCS, vol. 11349, pp. 216–234. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-10970-7_10

  9. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28632-5_2

  10. Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity. IEEE Trans. Comput. 53(6), 760–768 (2004). https://doi.org/10.1109/TC.2004.13

  11. Childs, A., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014). https://doi.org/10.1515/jmc-2012-0016

  12. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 46–61. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17650-0_5

  13. Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48059-5_25

  14. Corre, Y.L., Großschädl, J., Dinu, D.: Micro-architectural power simulator for leakage assessment of cryptographic software on ARM Cortex-M3 processors. Cryptology ePrint Archive, Report 2017/1253 (2017). https://eprint.iacr.org/2017/1253

  15. Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. Cryptology ePrint Archive, Report 2016/413 (2016). https://eprint.iacr.org/2016/413

  16. Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006). https://eprint.iacr.org/2006/291

  17. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014). https://doi.org/10.1515/jmc-2012-0015. https://www.degruyter.com/view/journals/jmc/8/3/article-p209.xml

  18. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. Cryptology ePrint Archive, Report 2011/506 (2011). https://eprint.iacr.org/2011/506

  19. Dugardin, M., Papachristodoulou, L., Najm, Z., Batina, L., Danger, J.-L., Guilley, S.: Dismantling real-world ECC with horizontal and vertical template attacks. In: Standaert, F.-X., Oswald, E. (eds.) COSADE 2016. LNCS, vol. 9689, pp. 88–108. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-43283-0_6

  20. Fan, J., Guo, X., De Mulder, E., Schaumont, P., Preneel, B., Verbauwhede, I.: State-of-the-art of secure ECC implementations: a survey on known side-channel attacks and countermeasures. In: 2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp. 76–87 (2010). https://doi.org/10.1109/HST.2010.5513110

  21. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34

  22. Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_3

  23. Arm Holdings: Cortex-M4 specifications. https://developer.arm.com/ip-products/processors/cortex-m/cortex-m4

  24. NewAE Technology Inc.: SimpleSerial - ChipWhisperer Wiki (2017). https://wiki.newae.com/SimpleSerial

  25. NewAE Technology Inc.: CHIPWHISPERER | NewAE Technology (2021). https://www.newae.com/chipwhisperer

  26. NewAE Technology Inc.: GitHub - newaetech/chipwhisperer: ChipWhisperer - the complete open-source toolchain for side-channel power analysis and glitching attacks (2021). https://github.com/newaetech/chipwhisperer

  27. Jao, D., et al.: Supersingular isogeny key encapsulation (2017). https://sike.org/

  28. Joye, M., Tymen, C.: Protections against differential analysis for elliptic curve cryptography — an algebraic approach —. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 377–390. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44709-1_31

  29. Kalai, G.: The argument against quantum computers (2019). https://arxiv.org/abs/1908.02499

  30. Kannwischer, M.J., Pessl, P., Primas, R.: Single-trace attacks on Keccak. IACR Cryptol. ePrint Arch. 2020, 371 (2020). https://eprint.iacr.org/2020/371

  31. Kannwischer, M.J., Rijneveld, J., Schwabe, P., Stoffelen, K.: pqm4: testing and benchmarking NIST PQC on ARM Cortex-M4. In: Workshop Record of the Second PQC Standardization Conference (2019). https://cryptojedi.org/papers/#pqm4

  32. Koziel, B., Azarderakhsh, R., Jao, D.: Side-channel attacks on quantum-resistant supersingular isogeny Diffie-Hellman. In: SAC (2017)

  33. Kwiatkowski, K.: Towards post-quantum cryptography in TLS (2019). https://blog.cloudflare.com/towards-post-quantum-cryptography-in-tls/

  34. Langley, A.: Post-quantum confidentiality for TLS (2018). https://www.imperialviolet.org/2018/04/11/pqconftls.html

  35. Leonardi, C.: A note on the ending elliptic curve in SIDH. Cryptology ePrint Archive, Report 2020/262 (2020). https://eprint.iacr.org/2020/262

  36. Medwed, M., Oswald, E.: Template attacks on ECDSA. In: Chung, K.-I., Sohn, K., Yung, M. (eds.) WISA 2008. LNCS, vol. 5379, pp. 14–27. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00306-6_2

  37. Montgomery, P.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48, 243–264 (1987)

  38. Moody, D.: Let’s get ready to rumble - The NIST PQC “competition” (2018). https://csrc.nist.gov/presentations/2018/let-s-get-ready-to-rumble-the-nist-pqc-competiti

  39. Moody, D.: Round 2 of the NIST PQC “competition” - What was NIST thinking? (2019). https://csrc.nist.gov/presentations/2019/round-2-of-the-nist-pqc-competition-what-was-nist

  40. Paquin, C., Stebila, D., Tamvada, G.: Benchmarking post-quantum cryptography in TLS. Cryptology ePrint Archive, Report 2019/1447 (2019). https://eprint.iacr.org/2019/1447

  41. Poussier, R., Zhou, Y., Standaert, F.-X.: A systematic approach to the side-channel analysis of ECC implementations with worst-case horizontal attacks. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 534–554. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_26

  42. Primas, R., Pessl, P., Mangard, S.: Single-trace side-channel attacks on masked lattice-based encryption. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 513–533. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_25

  43. Rostovtsev, A., Stolbunov, A.: A public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006). https://eprint.iacr.org/2006/145

  44. Seo, H., Anastasova, M., Jalali, A., Azarderakhsh, R.: Supersingular isogeny key encapsulation (SIKE) round 2 on ARM Cortex-M4. Cryptology ePrint Archive, Report 2020/410 (2020). https://eprint.iacr.org/2020/410

  45. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997). https://doi.org/10.1137/s0097539795293172

  46. Sim, B., et al.: Single-trace attacks on message encoding in lattice-based KEMs. IEEE Access 8, 183175–183191 (2020). https://doi.org/10.1109/ACCESS.2020.3029521

  47. Weibel, A.: Round 2 hybrid post-quantum TLS benchmarks (2020). https://aws.amazon.com/blogs/security/round-2-hybrid-post-quantum-tls-benchmarks/

  48. Xavier, C., Hervé, P.: Improving the DPA attack using wavelet transform (2005). https://www.researchgate.net/publication/228717434_Improving_the_DPA_attack_using_Wavelet_transform

  49. Zanon, G.H.M., Simplicio, M.A., Pereira, G.C.C.F., Doliskani, J., Barreto, P.S.L.M.: Faster isogeny-based compressed key agreement. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 248–268. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_12

  50. Zhang, F., et al.: Side-channel analysis and countermeasure design on ARM-based quantum-resistant SIKE. IEEE Trans. Comput. 69(11), 1681–1693 (2020). https://doi.org/10.1109/TC.2020.3020407

  51. Zhang, Z., Wu, L., Mu, Z., Zhang, X.: A novel template attack on WNAF algorithm of ECC. In: Tenth International Conference on Computational Intelligence and Security, CIS 2014, Kunming, Yunnan, China, 15–16 November 2014, pp. 671–675. IEEE Computer Society (2014). https://doi.org/10.1109/CIS.2014.66

Corresponding author

Correspondence to Novak Kaluđerović.

A Appendix

We include the code of the xDBLADD, fp2mul_mont, fp2sqr_mont and mp_addfast functions from [44]. Minor changes, such as variable naming, have been made to the code in order to adapt it to the names used in this paper. Lines 3, 6, 7, 8, 9, 10, 11, 15, 16, 17, 18 and 19, together with mp_addfast (highlighted in red), correspond to the targeted instructions.

Fig. 5. xDBLADD, fp2mul_mont and fp2sqr_mont from [44].

Fig. 6. mp_addfast from [44].

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Genêt, A., de Guertechin, N.L., Kaluđerović, N. (2021). Full Key Recovery Side-Channel Attack Against Ephemeral SIKE on the Cortex-M4. In: Bhasin, S., De Santis, F. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2021. Lecture Notes in Computer Science, vol 12910. Springer, Cham. https://doi.org/10.1007/978-3-030-89915-8_11

  • DOI: https://doi.org/10.1007/978-3-030-89915-8_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-89914-1

  • Online ISBN: 978-3-030-89915-8

  • eBook Packages: Computer Science (R0)
