Skip to main content

Full Key Recovery Side-Channel Attack Against Ephemeral SIKE on the Cortex-M4

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12910)

Abstract

This paper describes the first practical single-trace side-channel power analysis of SIKE. While SIKE is a post-quantum key exchange, the scheme still relies on a secret elliptic curve scalar multiplication which involves a loop of a double-and-add procedure, of which each iteration depends on a single bit of the private key. The attack therefore exploits the nature of elliptic curve point addition formulas which require the same function to be executed multiple times. We show how a single trace of a loop iteration can be segmented into several power traces on which 32-bit words can be hypothesised based on the value of a single private key bit. This segmentation enables a classical correlation power analysis in an extend-and-prune approach. Further error-correction techniques based on depth-search are suggested. The attack is explicitly geared towards and experimentally verified on an STM32F3 featuring a Cortex-M4 microcontroller which runs the SIKEp434 implementation adapted to 32-bit ARM that is part of the official implementations of SIKE. We obtained a resounding 100% success rate recovering the full private key in each experiment. We argue that our attack defeats many countermeasures which were suggested in a previous power analysis of SIKE, and finally show that the well-known countermeasure of projective coordinate randomisation stops the attack with a negligible overhead.

Keywords

  • Sike
  • Side-channel analysis
  • Correlation power analysis
  • Single-trace attack
  • Post-quantum key exchange
  • Isogeny-based cryptography

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-89915-8_11
  • Chapter length: 27 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   59.99
Price excludes VAT (USA)
  • ISBN: 978-3-030-89915-8
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   79.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.

Notes

  1. 1.

    We refer to the official NAE-CW308 UFO datasheet to find the mentioned pins: http://media.newae.com/datasheets/NAE-CW308-datasheet.pdf.

  2. 2.

    We refer to the official CW308T-STM32F3 datasheet to find the mentioned pins: https://media.newae.com/datasheets/NAE-CW308T-STM32F_datasheet.pdf.

References

  1. Apon, D.: Passing the final checkpoint! NIST PQC 3rd round begins (2020). https://meetings.ams.org/math/fall2020se/meetingapp.cgi/Paper/1656. https://www.scribd.com/document/474476570/PQC-Overview-Aug-2020-NIST

  2. Aysu, A., Tobah, Y., Tiwari, M., Gerstlauer, A., Orshansky, M.: Horizontal side-channel vulnerabilities of post-quantum key exchange protocols. In: 2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 81–88 (2018). https://doi.org/10.1109/HST.2018.8383894

  3. Azarderakhsh, R., Jao, D., Kalach, K., Koziel, B., Leonardi, C.: Key compression for isogeny-based cryptosystems. Cryptology ePrint Archive, Report 2016/229 (2016). https://eprint.iacr.org/2016/229

  4. Azouaoui, M., Poussier, R., Standaert, F.-X.: Fast side-channel security evaluation of ECC implementations. In: Polian, I., Stöttinger, M. (eds.) COSADE 2019. LNCS, vol. 11421, pp. 25–42. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-16350-1_3

    CrossRef  Google Scholar 

  5. Batina, L., Chmielewski, L., Papachristodoulou, L., Schwabe, P., Tunstall, M.: Online template attacks. J. Cryptogr. Eng. 9(1), 21–36 (2017). https://doi.org/10.1007/s13389-017-0171-8

    CrossRef  MATH  Google Scholar 

  6. Bos, J.W., Friedberger, S.J.: Arithmetic considerations for isogeny based cryptography. Cryptology ePrint Archive, Report 2018/376 (2018). https://eprint.iacr.org/2018/376

  7. Bos, J.W., Friedberger, S.J.: Faster modular arithmetic for isogeny based crypto on embedded devices. Cryptology ePrint Archive, Report 2018/792 (2018). https://eprint.iacr.org/2018/792

  8. Bos, J.W., Friedberger, S.J., Martinoli, M., Oswald, E., Stam, M.: Assessing the feasibility of single trace power analysis of Frodo. In: Cid, C., Jacobson, M., Jr. (eds.) SAC 2018. LNCS, vol. 11349, pp. 216–234. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-10970-7_10

    CrossRef  Google Scholar 

  9. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28632-5_2

    CrossRef  Google Scholar 

  10. Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity. IEEE Trans. Comput. 53(6), 760–768 (2004). https://doi.org/10.1109/TC.2004.13

    CrossRef  MATH  Google Scholar 

  11. Childs, A., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014). https://doi.org/10.1515/jmc-2012-0016

    MathSciNet  CrossRef  MATH  Google Scholar 

  12. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 46–61. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17650-0_5

    CrossRef  Google Scholar 

  13. Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48059-5_25

    CrossRef  Google Scholar 

  14. Corre, Y.L., Großschädl, J., Dinu, D.: Micro-architectural power simulator for leakage assessment of cryptographic software on ARM Cortex-M3 processors. Cryptology ePrint Archive, Report 2017/1253 (2017). https://eprint.iacr.org/2017/1253

  15. Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. Cryptology ePrint Archive, Report 2016/413 (2016). https://eprint.iacr.org/2016/413

  16. Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006). https://eprint.iacr.org/2006/291

  17. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014). https://doi.org/10.1515/jmc-2012-0015. https://www.degruyter.com/view/journals/jmc/8/3/article-p209.xml

  18. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. Cryptology ePrint Archive, Report 2011/506 (2011). https://eprint.iacr.org/2011/506

  19. Dugardin, M., Papachristodoulou, L., Najm, Z., Batina, L., Danger, J.-L., Guilley, S.: Dismantling real-world ECC with horizontal and vertical template attacks. In: Standaert, F.-X., Oswald, E. (eds.) COSADE 2016. LNCS, vol. 9689, pp. 88–108. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-43283-0_6

    CrossRef  Google Scholar 

  20. Fan, J., Guo, X., De Mulder, E., Schaumont, P., Preneel, B., Verbauwhede, I.: State-of-the-art of secure ECC implementations: a survey on known side-channel attacks and countermeasures. In: 2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp. 76–87 (2010). https://doi.org/10.1109/HST.2010.5513110

  21. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34

    CrossRef  Google Scholar 

  22. Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_3

    CrossRef  Google Scholar 

  23. Holdings, A.: Cortex-M4 specifications. https://developer.arm.com/ip-products/processors/cortex-m/cortex-m4

  24. NewAE Technology Inc.: SimpleSerial - ChipWhisperer Wiki (2017). https://wiki.newae.com/SimpleSerial

  25. NewAE Technology Inc.: CHIPWHISPERER | NewAE Technology (2021). https://www.newae.com/chipwhisperer

  26. NewAE Technology Inc.: GitHub - newaetech/chipwhisperer: ChipWhisperer - the complete open-source toolchain for side-channel power analysis and glitching attacks (2021). https://github.com/newaetech/chipwhisperer

  27. Jao, D., et al.: Supersingular isogeny key encapsulation (2017). https://sike.org/

  28. Joye, M., Tymen, C.: Protections against differential analysis for elliptic curve cryptography — an algebraic approach —. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 377–390. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44709-1_31

    CrossRef  Google Scholar 

  29. Kalai, G.: The argument against quantum computers (2019). https://arxiv.org/abs/1908.02499

  30. Kannwischer, M.J., Pessl, P., Primas, R.: Single-trace attacks on Keccak. IACR Cryptol. ePrint Arch. 2020, 371 (2020). https://eprint.iacr.org/2020/371

  31. Kannwischer, M.J., Rijneveld, J., Schwabe, P., Stoffelen, K.: pqm4: testing and benchmarking NIST PQC on ARM Cortex-M4. In: Workshop Record of the Second PQC Standardization Conference (2019). https://cryptojedi.org/papers/#pqm4

  32. Koziel, B., Azarderakhsh, R., Jao, D.: Side-channel attacks on quantum-resistant supersingular isogeny Diffie-Hellman. In: SAC (2017)

    Google Scholar 

  33. Kwiatkowski, K.: Towards post-quantum cryptography in TLS (2019). https://blog.cloudflare.com/towards-post-quantum-cryptography-in-tls/

  34. Langley, A.: Post-quantum confidentiality for TLS (2018). https://www.imperialviolet.org/2018/04/11/pqconftls.html

  35. Leonardi, C.: A note on the ending elliptic curve in SIDH. Cryptology ePrint Archive, Report 2020/262 (2020). https://eprint.iacr.org/2020/262

  36. Medwed, M., Oswald, E.: Template attacks on ECDSA. In: Chung, K.-I., Sohn, K., Yung, M. (eds.) WISA 2008. LNCS, vol. 5379, pp. 14–27. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00306-6_2

    CrossRef  Google Scholar 

  37. Montgomery, P.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48, 243–264 (1987)

    MathSciNet  CrossRef  Google Scholar 

  38. Moody, D.: Let’s get ready to rumble - The NIST PQC “competition” (2018). https://csrc.nist.gov/presentations/2018/let-s-get-ready-to-rumble-the-nist-pqc-competiti

  39. Moody, D.: Round 2 of the NIST PQC “competition” - What was NIST thinking? (2019). https://csrc.nist.gov/presentations/2019/round-2-of-the-nist-pqc-competition-what-was-nist

  40. Paquin, C., Stebila, D., Tamvada, G.: Benchmarking post-quantum cryptography in TLS. Cryptology ePrint Archive, Report 2019/1447 (2019). https://eprint.iacr.org/2019/1447

  41. Poussier, R., Zhou, Y., Standaert, F.-X.: A systematic approach to the side-channel analysis of ECC implementations with worst-case horizontal attacks. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 534–554. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_26

    CrossRef  Google Scholar 

  42. Primas, R., Pessl, P., Mangard, S.: Single-trace side-channel attacks on masked lattice-based encryption. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 513–533. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_25

    CrossRef  Google Scholar 

  43. Rostovtsev, A., Stolbunov, A.: A public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006). https://eprint.iacr.org/2006/145

  44. Seo, H., Anastasova, M., Jalali, A., Azarderakhsh, R.: Supersingular isogeny key encapsulation (SIKE) round 2 on ARM Cortex-M4. Cryptology ePrint Archive, Report 2020/410 (2020). https://eprint.iacr.org/2020/410

  45. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997). https://doi.org/10.1137/s0097539795293172

    MathSciNet  CrossRef  MATH  Google Scholar 

  46. Sim, B., et al.: Single-trace attacks on message encoding in lattice-based KEMs. IEEE Access 8, 183175–183191 (2020). https://doi.org/10.1109/ACCESS.2020.3029521

    CrossRef  Google Scholar 

  47. Weibel, A.: Round 2 hybrid post-quantum TLS benchmarks (2020). https://aws.amazon.com/blogs/security/round-2-hybrid-post-quantum-tls-benchmarks/

  48. Xavier, C., Hervé, P.: Improving the DPA attack using wavelet transform (2005). https://www.researchgate.net/publication/228717434_Improving_the_DPA_attack_using_Wavelet_transform

  49. Zanon, G.H.M., Simplicio, M.A., Pereira, G.C.C.F., Doliskani, J., Barreto, P.S.L.M.: Faster isogeny-based compressed key agreement. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 248–268. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_12

    CrossRef  Google Scholar 

  50. Zhang, F., et al.: Side-channel analysis and countermeasure design on ARM-based quantum-resistant SIKE. IEEE Trans. Comput. 69(11), 1681–1693 (2020). https://doi.org/10.1109/TC.2020.3020407

    MathSciNet  CrossRef  MATH  Google Scholar 

  51. Zhang, Z., Wu, L., Mu, Z., Zhang, X.: A novel template attack on WNAF algorithm of ECC. In: Tenth International Conference on Computational Intelligence and Security, CIS 2014, Kunming, Yunnan, China, 15–16 November 2014, pp. 671–675. IEEE Computer Society (2014). https://doi.org/10.1109/CIS.2014.66

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Novak Kaluđerović .

Editor information

Editors and Affiliations

A Appendix

A Appendix

We include the code of the xDBLADD, fp2mul_mont, fp2sqr_mont and mp_addfast functions from [44]. Minor changes, such as variable naming, have been made to the code in order to adapt it to the names used in this paper. The lines of code 3,6,7,8,9,10,11,15,16,17,18,19 and the mp_addfast (highlighted in red) correspond to the targeted instructions.

Fig. 5.
figure 5

xDBLADD, fp2mul_mont and fp2sqr_mont from [44].

Fig. 6.
figure 6

mp_addfast from [44].

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Genêt, A., de Guertechin, N.L., Kaluđerović, N. (2021). Full Key Recovery Side-Channel Attack Against Ephemeral SIKE on the Cortex-M4. In: Bhasin, S., De Santis, F. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2021. Lecture Notes in Computer Science(), vol 12910. Springer, Cham. https://doi.org/10.1007/978-3-030-89915-8_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-89915-8_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-89914-1

  • Online ISBN: 978-3-030-89915-8

  • eBook Packages: Computer ScienceComputer Science (R0)