Abstract
This paper describes the first practical single-trace side-channel power analysis of SIKE. While SIKE is a post-quantum key exchange, the scheme still relies on a secret elliptic curve scalar multiplication which involves a loop of a double-and-add procedure, of which each iteration depends on a single bit of the private key. The attack therefore exploits the nature of elliptic curve point addition formulas which require the same function to be executed multiple times. We show how a single trace of a loop iteration can be segmented into several power traces on which 32-bit words can be hypothesised based on the value of a single private key bit. This segmentation enables a classical correlation power analysis in an extend-and-prune approach. Further error-correction techniques based on depth-search are suggested. The attack is explicitly geared towards and experimentally verified on an STM32F3 featuring a Cortex-M4 microcontroller which runs the SIKEp434 implementation adapted to 32-bit ARM that is part of the official implementations of SIKE. We obtained a resounding 100% success rate recovering the full private key in each experiment. We argue that our attack defeats many countermeasures which were suggested in a previous power analysis of SIKE, and finally show that the well-known countermeasure of projective coordinate randomisation stops the attack with a negligible overhead.
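To make the mechanism summarised above concrete, the following added toy simulation (not the paper's code, traces or data) runs a classical correlation power analysis over the segments of one loop iteration: the Hamming weight of the 32-bit word hypothesised under each key-bit value is correlated with simulated samples, and the same correlation is then shown to collapse once the processed word is randomised, modelling the projective coordinate randomisation countermeasure. The operand-selection model, the noise level and the multiplicative randomisation are constructed assumptions, not SIKE's real arithmetic.

```python
import random
from statistics import mean

MASK = 0xFFFFFFFF  # the implementation works on 32-bit words on the Cortex-M4

def hamming_weight(x):
    """Hamming weight of a 32-bit word, the usual CPA leakage model."""
    return bin(x & MASK).count("1")

def pearson(xs, ys):
    """Pearson correlation coefficient between two equal-length samples."""
    mx, my = mean(xs), mean(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = (sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)) ** 0.5
    return num / den if den else 0.0

def processed_word(a, b, key_bit):
    """Constructed toy model of one segment: the key bit decides which of two
    known operand words the shared routine consumes (like a ladder swap)."""
    return b if key_bit else a

def measure(a, b, key_bit, rng, randomise=False):
    """One simulated sample: HW of the processed word plus Gaussian noise.
    randomise=True first multiplies the word by a secret random value, a toy
    stand-in for projective coordinate randomisation (assumption)."""
    w = processed_word(a, b, key_bit)
    if randomise:
        w = (w * rng.getrandbits(32)) & MASK
    return hamming_weight(w) + rng.gauss(0.0, 1.0)

def recover_bit(segments, samples):
    """CPA over the segments of one loop iteration: correlate the measured
    samples with the HW predicted under each key-bit hypothesis and return
    the best hypothesis together with both correlation scores."""
    scores = {}
    for hyp in (0, 1):
        preds = [hamming_weight(processed_word(a, b, hyp)) for a, b in segments]
        scores[hyp] = pearson(preds, samples)
    return max(scores, key=scores.get), scores

def simulate(key_bit, n_segments=200, randomise=False, seed=1):
    """Build constructed segments with random known operands, simulate their
    samples for the true key_bit and run the CPA on them."""
    rng = random.Random(seed)
    segments = [(rng.getrandbits(32), rng.getrandbits(32)) for _ in range(n_segments)]
    samples = [measure(a, b, key_bit, rng, randomise) for a, b in segments]
    return recover_bit(segments, samples)
```

Without randomisation the correct hypothesis scores a correlation near 0.94 and the wrong one near 0; with randomisation both scores sit near 0, so the bit is no longer distinguishable from a single iteration.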
Notes
1. We refer to the official NAE-CW308 UFO datasheet to find the mentioned pins: http://media.newae.com/datasheets/NAE-CW308-datasheet.pdf.
2. We refer to the official CW308T-STM32F3 datasheet to find the mentioned pins: https://media.newae.com/datasheets/NAE-CW308T-STM32F_datasheet.pdf.
References
Apon, D.: Passing the final checkpoint! NIST PQC 3rd round begins (2020). https://meetings.ams.org/math/fall2020se/meetingapp.cgi/Paper/1656. https://www.scribd.com/document/474476570/PQC-Overview-Aug-2020-NIST
Aysu, A., Tobah, Y., Tiwari, M., Gerstlauer, A., Orshansky, M.: Horizontal side-channel vulnerabilities of post-quantum key exchange protocols. In: 2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 81–88 (2018). https://doi.org/10.1109/HST.2018.8383894
Azarderakhsh, R., Jao, D., Kalach, K., Koziel, B., Leonardi, C.: Key compression for isogeny-based cryptosystems. Cryptology ePrint Archive, Report 2016/229 (2016). https://eprint.iacr.org/2016/229
Azouaoui, M., Poussier, R., Standaert, F.-X.: Fast side-channel security evaluation of ECC implementations. In: Polian, I., Stöttinger, M. (eds.) COSADE 2019. LNCS, vol. 11421, pp. 25–42. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-16350-1_3
Batina, L., Chmielewski, L., Papachristodoulou, L., Schwabe, P., Tunstall, M.: Online template attacks. J. Cryptogr. Eng. 9(1), 21–36 (2017). https://doi.org/10.1007/s13389-017-0171-8
Bos, J.W., Friedberger, S.J.: Arithmetic considerations for isogeny based cryptography. Cryptology ePrint Archive, Report 2018/376 (2018). https://eprint.iacr.org/2018/376
Bos, J.W., Friedberger, S.J.: Faster modular arithmetic for isogeny based crypto on embedded devices. Cryptology ePrint Archive, Report 2018/792 (2018). https://eprint.iacr.org/2018/792
Bos, J.W., Friedberger, S.J., Martinoli, M., Oswald, E., Stam, M.: Assessing the feasibility of single trace power analysis of Frodo. In: Cid, C., Jacobson, M., Jr. (eds.) SAC 2018. LNCS, vol. 11349, pp. 216–234. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-10970-7_10
Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28632-5_2
Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity. IEEE Trans. Comput. 53(6), 760–768 (2004). https://doi.org/10.1109/TC.2004.13
Childs, A., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014). https://doi.org/10.1515/jmc-2012-0016
Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 46–61. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17650-0_5
Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48059-5_25
Corre, Y.L., Großschädl, J., Dinu, D.: Micro-architectural power simulator for leakage assessment of cryptographic software on ARM Cortex-M3 processors. Cryptology ePrint Archive, Report 2017/1253 (2017). https://eprint.iacr.org/2017/1253
Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. Cryptology ePrint Archive, Report 2016/413 (2016). https://eprint.iacr.org/2016/413
Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006). https://eprint.iacr.org/2006/291
De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014). https://doi.org/10.1515/jmc-2012-0015. https://www.degruyter.com/view/journals/jmc/8/3/article-p209.xml
De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. Cryptology ePrint Archive, Report 2011/506 (2011). https://eprint.iacr.org/2011/506
Dugardin, M., Papachristodoulou, L., Najm, Z., Batina, L., Danger, J.-L., Guilley, S.: Dismantling real-world ECC with horizontal and vertical template attacks. In: Standaert, F.-X., Oswald, E. (eds.) COSADE 2016. LNCS, vol. 9689, pp. 88–108. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-43283-0_6
Fan, J., Guo, X., De Mulder, E., Schaumont, P., Preneel, B., Verbauwhede, I.: State-of-the-art of secure ECC implementations: a survey on known side-channel attacks and countermeasures. In: 2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp. 76–87 (2010). https://doi.org/10.1109/HST.2010.5513110
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_3
Arm Holdings: Cortex-M4 specifications. https://developer.arm.com/ip-products/processors/cortex-m/cortex-m4
NewAE Technology Inc.: SimpleSerial - ChipWhisperer Wiki (2017). https://wiki.newae.com/SimpleSerial
NewAE Technology Inc.: CHIPWHISPERER | NewAE Technology (2021). https://www.newae.com/chipwhisperer
NewAE Technology Inc.: GitHub - newaetech/chipwhisperer: ChipWhisperer - the complete open-source toolchain for side-channel power analysis and glitching attacks (2021). https://github.com/newaetech/chipwhisperer
Jao, D., et al.: Supersingular isogeny key encapsulation (2017). https://sike.org/
Joye, M., Tymen, C.: Protections against differential analysis for elliptic curve cryptography — an algebraic approach —. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 377–390. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44709-1_31
Kalai, G.: The argument against quantum computers (2019). https://arxiv.org/abs/1908.02499
Kannwischer, M.J., Pessl, P., Primas, R.: Single-trace attacks on Keccak. Cryptology ePrint Archive, Report 2020/371 (2020). https://eprint.iacr.org/2020/371
Kannwischer, M.J., Rijneveld, J., Schwabe, P., Stoffelen, K.: pqm4: testing and benchmarking NIST PQC on ARM Cortex-M4. In: Workshop Record of the Second PQC Standardization Conference (2019). https://cryptojedi.org/papers/#pqm4
Koziel, B., Azarderakhsh, R., Jao, D.: Side-channel attacks on quantum-resistant supersingular isogeny Diffie-Hellman. In: SAC (2017)
Kwiatkowski, K.: Towards post-quantum cryptography in TLS (2019). https://blog.cloudflare.com/towards-post-quantum-cryptography-in-tls/
Langley, A.: Post-quantum confidentiality for TLS (2018). https://www.imperialviolet.org/2018/04/11/pqconftls.html
Leonardi, C.: A note on the ending elliptic curve in SIDH. Cryptology ePrint Archive, Report 2020/262 (2020). https://eprint.iacr.org/2020/262
Medwed, M., Oswald, E.: Template attacks on ECDSA. In: Chung, K.-I., Sohn, K., Yung, M. (eds.) WISA 2008. LNCS, vol. 5379, pp. 14–27. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00306-6_2
Montgomery, P.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48, 243–264 (1987)
Moody, D.: Let’s get ready to rumble - The NIST PQC “competition” (2018). https://csrc.nist.gov/presentations/2018/let-s-get-ready-to-rumble-the-nist-pqc-competiti
Moody, D.: Round 2 of the NIST PQC “competition” - What was NIST thinking? (2019). https://csrc.nist.gov/presentations/2019/round-2-of-the-nist-pqc-competition-what-was-nist
Paquin, C., Stebila, D., Tamvada, G.: Benchmarking post-quantum cryptography in TLS. Cryptology ePrint Archive, Report 2019/1447 (2019). https://eprint.iacr.org/2019/1447
Poussier, R., Zhou, Y., Standaert, F.-X.: A systematic approach to the side-channel analysis of ECC implementations with worst-case horizontal attacks. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 534–554. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_26
Primas, R., Pessl, P., Mangard, S.: Single-trace side-channel attacks on masked lattice-based encryption. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 513–533. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_25
Rostovtsev, A., Stolbunov, A.: A public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006). https://eprint.iacr.org/2006/145
Seo, H., Anastasova, M., Jalali, A., Azarderakhsh, R.: Supersingular isogeny key encapsulation (SIKE) round 2 on ARM Cortex-M4. Cryptology ePrint Archive, Report 2020/410 (2020). https://eprint.iacr.org/2020/410
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997). https://doi.org/10.1137/s0097539795293172
Sim, B., et al.: Single-trace attacks on message encoding in lattice-based KEMs. IEEE Access 8, 183175–183191 (2020). https://doi.org/10.1109/ACCESS.2020.3029521
Weibel, A.: Round 2 hybrid post-quantum TLS benchmarks (2020). https://aws.amazon.com/blogs/security/round-2-hybrid-post-quantum-tls-benchmarks/
Xavier, C., Hervé, P.: Improving the DPA attack using wavelet transform (2005). https://www.researchgate.net/publication/228717434_Improving_the_DPA_attack_using_Wavelet_transform
Zanon, G.H.M., Simplicio, M.A., Pereira, G.C.C.F., Doliskani, J., Barreto, P.S.L.M.: Faster isogeny-based compressed key agreement. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 248–268. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_12
Zhang, F., et al.: Side-channel analysis and countermeasure design on ARM-based quantum-resistant SIKE. IEEE Trans. Comput. 69(11), 1681–1693 (2020). https://doi.org/10.1109/TC.2020.3020407
Zhang, Z., Wu, L., Mu, Z., Zhang, X.: A novel template attack on WNAF algorithm of ECC. In: Tenth International Conference on Computational Intelligence and Security, CIS 2014, Kunming, Yunnan, China, 15–16 November 2014, pp. 671–675. IEEE Computer Society (2014). https://doi.org/10.1109/CIS.2014.66
A Appendix
We include the code of the xDBLADD, fp2mul_mont, fp2sqr_mont and mp_addfast functions from [44]. Minor changes, such as variable naming, have been made to the code in order to adapt it to the names used in this paper. Lines 3, 6, 7, 8, 9, 10, 11, 15, 16, 17, 18, 19 and the mp_addfast function (highlighted in red) correspond to the targeted instructions.
© 2021 Springer Nature Switzerland AG
Genêt, A., de Guertechin, N.L., Kaluđerović, N. (2021). Full Key Recovery Side-Channel Attack Against Ephemeral SIKE on the Cortex-M4. In: Bhasin, S., De Santis, F. (eds.) Constructive Side-Channel Analysis and Secure Design. COSADE 2021. Lecture Notes in Computer Science, vol. 12910. Springer, Cham. https://doi.org/10.1007/978-3-030-89915-8_11
DOI: https://doi.org/10.1007/978-3-030-89915-8_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-89914-1
Online ISBN: 978-3-030-89915-8