Abstract
Recent side-channel attacks on elliptic curve algorithms have shown that the security of these cryptosystems is a matter of serious concern. The development of techniques in the area of Template Attacks makes it feasible to extract a 256-bit secret key with only 257 traces. This paper enhances the applicability of this attack by exploiting both the horizontal leakage of the carry propagation during the finite field multiplication, and the vertical leakage of the input data. As a further contribution, our method provides detection and auto-correction of possible errors that may occur during the key recovery. These enhancements come at the cost of extra traces, while still providing a practical attack. Finally, we show that the elliptic curve algorithms developed for PolarSSL, and consequently mbedTLS, running on an ARM STM32F4 platform are completely vulnerable when used without any modifications or countermeasures.
This work was supported in part by the Technology Foundation (STW) through projects 12624-SIDES and 13499-TyPhoon (VIDI project), the ICT COST action IC1204 TRUDEVICE and the COST action IC1306 Cryptography for Secure Digital Interaction. Date: 2016-03-04.
Notes
1. The beginning of the doubling operation is as implemented in PolarSSL v1.3.7. In mbedTLS v2.2.0 the sequence of finite field operations in the doubling operation changes to \(D_1\leftarrow X\times X, D_2\leftarrow 3\times X\), but this does not affect the efficiency of our attack.
2. This is a simple identification phase, in which we scan the device to find the location of the crypto processor. We then move the probe around this position in order to obtain a signal that is as clear as possible.
3. Because in the beginning \(Z=1\), and we computed \(aZ^4\) with 3 multiplications.
4. The fact that doubling is performed faster for P-256 allows us to recover 7 bits of the scalar at once.
References
ANSI-X9.62. Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA) (1998)
ANSI-X9.63. Public Key Cryptography for The Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography (1998)
Batina, L., Chmielewski, L., Papachristodoulou, L., Schwabe, P., Tunstall, M.: Online template attacks. In: Proceedings of Progress in Cryptology - INDOCRYPT 2014, 15th International Conference on Cryptology in India, New Delhi, India, 14–17 December, pp. 21–36 (2014)
Bauer, A., Jaulmes, E., Prouff, E., Wild, J.: Horizontal collision correlation attack on elliptic curves. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 553–570. Springer, Heidelberg (2014)
Bernstein, D.J., Lange, T.: Explicit formulas database. http://www.hyperelliptic.org/EFD/
Cryptographic Key Implementation BlueKrypt
Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)
BSI: RFC(5639)-Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation. Technical report, Bundesamt für Sicherheit in der Informationstechnik (BSI) (2010)
Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003)
Clavier, C., Feix, B., Gagnerot, G., Giraud, C., Roussellet, M., Verneuil, V.: ROSETTA for single trace analysis. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 140–155. Springer, Heidelberg (2012)
Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 46–61. Springer, Heidelberg (2010)
Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation using mixed coordinates. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 51–65. Springer, Heidelberg (1998)
Coron, J.S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)
Fouque, P.A., Valette, F.: The Doubling Attack – Why Upwards Is Better than Downwards. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 269–280. Springer, Heidelberg (2003)
Homma, N., Miyamoto, A., Aoki, T., Satoh, A., Shamir, A.: Collision-based power analysis of modular exponentiation using chosen-message pairs. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 15–29. Springer, Heidelberg (2008)
Hutter, M., Schwabe, P.: NaCl on 8-Bit AVR microcontrollers. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 156–172. Springer, Heidelberg (2013)
Blake, I.F., Seroussi, G., Smart, N.P.: Advances in Elliptic Curve Cryptography, vol. 317. Cambridge University Press, Cambridge (1999)
Riscure Inspector
Joye, M.: Elliptic curve cryptosystems and side channel analysis. ST J. Syst. Res. 4, 17–21 (2003)
Joye, M., Tymen, C.: Protections against differential analysis for elliptic curve cryptography. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 377–390. Springer, Heidelberg (2001)
Joye, M., Yen, S.-M.: The Montgomery powering ladder. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003)
Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987)
Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
ARM mbed. Polarssl version 1.3.7. https://tls.mbed.org/
ST Microelectronics: RM0090 Reference Manual. DocID018909 Rev 8 (2014)
Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)
De Mulder, E., Buysschaert, P., Berna Örs, S., Delmotte, P., Preneel, B., Vandenbosch, G., Verbauwhede, I.: Electromagnetic analysis attack on an FPGA Implementation of an elliptic curve cryptosystem. In: IEEE International Conference on Computer as a Tool, Belgrade, Serbia & Montenegro, November 2005, pp. 1879–1882 (2005). doi:10.1109/EURCON.2005.1630348, http://www.sps.ele.tue.nl/members/m.j.bastiaans/spc/demulder.pdf
NIST: FIPS Publication 186-4: Digital Signature Standard (DSS). Technical report, National Institute of Standards and Technology (NIST), July 2013
Rechberger, C., Oswald, E.: Practical template attacks. In: Lim, C.H., Yung, M. (eds.) WISA 2004. LNCS, vol. 3325, pp. 440–456. Springer, Heidelberg (2005)
Rivain, M.: Fast and regular algorithms for scalar multiplication over elliptic curves. IACR Cryptology ePrint Archive, 2011:338 (2011)
Acknowledgements
The authors would like to thank the anonymous reviewers for their useful comments that improved the quality of the paper. Moreover, the first author would like to thank Jean-Christophe Courrège and Carine Therond for useful comments on an earlier version of this work.
Appendices
A Description for Online Template Attack
A.1 Attack Model for OTA
Online Template Attacks (OTA), introduced in [3], are an adaptive template attack technique that can be used to recover the secret scalar in a scalar multiplication algorithm. The main assumption in the OTA attacker model is the attacker's ability to choose an input point to the scalar multiplication algorithm, in order to generate template traces. As demonstrated in the original paper, OTA works with one target trace from the device under attack and one template trace per key-bit, obtained from the attacker's own device that runs the same implementation. Performing OTA in practice requires the following assumptions regarding the attacker:
- The attacker knows the input \(\mathcal {P}\) of the target device.
- He knows the implementation of the scalar multiplication algorithm and is able to compute the intermediate values.
- He can choose the input points on a device similar to the target device.
Furthermore, we work with the following assumptions related to the device:
- The scalar can be randomized.
- The intermediate values are deterministic.
The OTA is then performed as follows:
1. The attacker first obtains a target trace with input point \(\mathcal {P}\) from the target device.
2. He obtains template traces with input points \([m]\mathcal {P}, m\in \mathbb {Z}\), i.e. for multiples of the point \(\mathcal {P}\), e.g. \(2\mathcal {P}\) or \(3\mathcal {P}\).
3. He compares the correlations between the target trace and each pair of template traces. The hypothesis whose template yields the highest correlation is taken as the correct guess.
The OTA technique is originally described for binary algorithms, but it can easily be adapted to the window method by creating one template for each hypothesis made for a window.
The attacker model for OTA is more suitable for the Diffie-Hellman key-exchange protocol, because there the input point can be selected. Nevertheless, the attack can also be applied against the ECDSA algorithm if the input point of the target device is known.
A.2 Constructing Template Traces for OTA
At this point, it is important to explain precisely how the interesting points used to generate the template traces are chosen. By interesting points we mean the multiples of the point \(\mathcal {P}\) that are expected to be the outputs of every iteration of the scalar multiplication algorithm, i.e. \(2\mathcal {P}\) and \(3\mathcal {P}\) for the first bit of the scalar. This is demonstrated with a graphical example depicted in Fig. 12.
Let us assume that the initial input point to the double-and-add-always algorithm is \(\mathcal {P}\) and the most significant bit (\(K_{MSB}\)) of our secret scalar is 1. Then, the output of the second iteration (operations for \(K_{MSB-1}\)) is either \(2\mathcal {P}\) or \(3\mathcal {P}\). For example, if \(K_{MSB-1}=0\), then the output of the second iteration is \(2\mathcal {P}\) and consequently the template trace for \(2\mathcal {P}\) gives higher correlation to the target trace than the template for \(3\mathcal {P}\). We compute the correlations between the template traces \(2\mathcal {P}, 3\mathcal {P}\), and the target trace, in order to find the most likely key-bit. The highest correlation value is considered to be the right key guess.
We continue the same procedure of calculating the two possible outcomes for bit \(K_{MSB-2}\), which are the template traces for \(4\mathcal {P}\) or \(5\mathcal {P}\), and then finding the highest correlation between the templates and the target trace. Figure 13 shows how the templates for the third bit \(K_{MSB-2}\) can be generated. In general, for each iteration of the scalar multiplication algorithm, we compare the second iteration of the scalar multiplication execution (corresponding to the first doubling operation whose consumption is detected with EM) in the template trace with the \((i+1)^{\text {th}}\) execution of the target trace.
A.3 Template Matching Phase
Template matching is performed at suitable parts of the traces, where key-bit related assignments take place. Our pattern matching technique for distinguishing the right hypothesis on the attacked bit of the scalar is based on the Pearson correlation coefficient \(\rho (X,Y)\) between the target trace and the template traces. We chose this metric since it is invariant to both scaling and offset shifts of the traces.
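The decision rule of this matching phase on constructed toy traces, as an added illustration that is not code from the paper: a target trace that is a rescaled, offset and noisy copy of one template still correlates best with that template, which is the scale and offset invariance the metric was chosen for. The hypothesis labels, trace length, gain, offset and noise level are all constructed for the example.

```python
import math
import random


def pearson(xs, ys):
    """Pearson correlation coefficient rho(X, Y) of two equal-length traces."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0.0 or sy == 0.0:
        return 0.0  # a constant trace carries no information to correlate
    return cov / (sx * sy)


def match_templates(target, templates):
    """Correlate the target trace against every template trace and return the
    label of the best-correlating hypothesis together with all scores."""
    scores = {label: pearson(target, tmpl) for label, tmpl in templates.items()}
    best = max(scores, key=scores.get)
    return best, scores


def constructed_traces(seed=3, length=200):
    """Constructed toy traces (not measurements): independent template traces for
    the two hypotheses '2P' and '3P', and a target trace that is the '3P' template
    seen through a different probe gain (x2.5), a DC offset (+7.0) and added noise."""
    rng = random.Random(seed)
    t2p = [rng.gauss(0.0, 1.0) for _ in range(length)]
    t3p = [rng.gauss(0.0, 1.0) for _ in range(length)]
    target = [2.5 * v + 7.0 + rng.gauss(0.0, 0.3) for v in t3p]
    return target, {"2P": t2p, "3P": t3p}


if __name__ == "__main__":
    target, templates = constructed_traces()
    best, scores = match_templates(target, templates)
    print(best, {k: round(v, 3) for k, v in scores.items()})
```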
B Probability of the Propagation of Carry
Computing the probability of having an inner carry is the same as computing the probability of \((X\times Y + R\times 2^{32}) \ge 2^{64}\), with X a random value in \([0, \max \{A_7| A\in \mathbb {F}_p\}]\), Y a random value in \([0,\max \{B_i| B\in \mathbb {F}_p, i\in \{0,\cdots ,7\}\}]\) and R a random value in \([0,\max \{X_i| X\in \mathbb {F}_{(p-1)^2}, i\in \{7,\cdots ,15\}\}]\). For all curves, \(\max \{B_i| B\in \mathbb {F}_p, i\in \{0,\cdots ,7\}\}\) and \(\max \{X_i| X\in \mathbb {F}_{(p-1)^2}, i\in \{7,\cdots ,14\}\}\) equal \(2^{32}-1\). The value \(\max \{A_7| A\in \mathbb {F}_p\}\) depends on the most significant word (MSW) of the characteristic of the finite field. The probability can be computed as follows:
We hereby give the complete computation of the probability of an inner-carry propagation (Eq. 5)
which can be approximated by:
with \(x\leftarrow x/2^{32}\), \(y\leftarrow y/2^{32}\), \(r\leftarrow r/2^{32}\) and \(a_7 = A_7/2^{32}\).
It holds that \(\delta _{xy+r \ge 1} = \delta _{r \ge 1-xy}\). Besides, \(1-xy \in [1-a_7, 1] \subset [0,1]\). Indeed,
Therefore,
For \(A_7=2^{32}-1\), this yields \(\approx 0.25\). For \(A_7=\texttt {0xA9FB57DA}\), this yields \(\approx 0.166\).
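As an added numerical check, not part of the paper, the inner-carry probability is evaluated two ways: through the continuous approximation of this appendix, which reduces to \(a_7/4\) because \(P(r \ge 1-xy) = xy\) whenever \(1-xy\in[0,1]\), and through a seeded Monte Carlo estimate of the exact word-level event \(X\times Y + R\times 2^{32}\ge 2^{64}\). Uniform sampling of X, Y and R over the stated ranges and the sample size are assumptions of the example; the two values of \(A_7\) are the ones given above.

```python
import random

WORD = 1 << 32  # one 32-bit limb of the multi-precision multiplication


def inner_carry(x: int, y: int, r: int) -> bool:
    """Exact word-level event from Appendix B: the 64-bit partial product X*Y
    plus the incoming word R shifted by 32 bits overflows 2^64."""
    return x * y + (r << 32) >= (1 << 64)


def carry_probability_analytic(a7_max: int) -> float:
    """Continuous approximation with x uniform in [0, a7] and y, r uniform in [0, 1]:
    P(xy + r >= 1) = P(r >= 1 - xy) = E[xy] = a7/4, since 1 - xy stays inside [0, 1]."""
    a7 = a7_max / WORD
    return a7 / 4.0


def carry_probability_monte_carlo(a7_max: int, samples: int = 100_000, seed: int = 1) -> float:
    """Estimate the exact event by sampling X in [0, a7_max] and Y, R in [0, 2^32 - 1];
    uniform sampling is an assumption of this example, the seed makes it reproducible."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        x = rng.randint(0, a7_max)
        y = rng.randint(0, WORD - 1)
        r = rng.randint(0, WORD - 1)
        hits += inner_carry(x, y, r)
    return hits / samples


if __name__ == "__main__":
    # The two cases discussed above: a full 32-bit top word and the MSW 0xA9FB57DA.
    for label, a7_max in (("A7 = 2^32 - 1", WORD - 1), ("A7 = 0xA9FB57DA", 0xA9FB57DA)):
        print(label,
              "analytic", round(carry_probability_analytic(a7_max), 4),
              "monte carlo", round(carry_probability_monte_carlo(a7_max), 4))
```

The two estimates agree to within sampling error, which confirms that the carry event a leakage model would key on occurs in roughly a quarter of the limb multiplications for a full top word and less often for a smaller MSW.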
Copyright information
© 2016 Springer International Publishing Switzerland
Dugardin, M., Papachristodoulou, L., Najm, Z., Batina, L., Danger, JL., Guilley, S. (2016). Dismantling Real-World ECC with Horizontal and Vertical Template Attacks. In: Standaert, FX., Oswald, E. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2016. Lecture Notes in Computer Science(), vol 9689. Springer, Cham. https://doi.org/10.1007/978-3-319-43283-0_6
DOI: https://doi.org/10.1007/978-3-319-43283-0_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-43282-3
Online ISBN: 978-3-319-43283-0