Dismantling Real-World ECC with Horizontal and Vertical Template Attacks

Conference paper
Published in: Constructive Side-Channel Analysis and Secure Design (COSADE 2016)

Abstract

Recent side-channel attacks on elliptic curve algorithms have shown that the security of these cryptosystems is a matter of serious concern. The development of techniques in the area of Template Attacks makes it feasible to extract a 256-bit secret key with only 257 traces. This paper enhances the applicability of this attack by exploiting both the horizontal leakage of the carry propagation during the finite field multiplication, and the vertical leakage of the input data. As a further contribution, our method provides detection and auto-correction of possible errors that may occur during the key recovery. These enhancements come at the cost of extra traces, while still providing a practical attack. Finally, we show that the elliptic curve algorithms developed for PolarSSL, and consequently mbedTLS, running on an ARM STM32F4 platform are completely vulnerable when used without any modifications or countermeasures.

This work was supported in part by the Technology Foundation (STW) through projects 12624-SIDES and 13499-TyPhoon (VIDI project), the ICT COST action IC1204 TRUDEVICE and the COST action IC1306 Cryptography for Secure Digital Interaction. Date: 2016-03-04.

Notes

  1. The doubling operation as shown follows the implementation in PolarSSL v1.3.7. In mbedTLS v2.2.0 the sequence of finite field operations at the beginning of the doubling changes to \(D_1\leftarrow X\times X , D_2\leftarrow 3\times X\), but this does not affect the efficiency of our attack.

  2. This is a simple identification phase: we scan the device to locate the crypto processor, then move the probe around this position in order to get as clear a signal as possible.

  3. Because in the beginning \(Z=1\), and we computed \(aZ^4\) with 3 multiplications.

  4. The fact that doubling is performed faster for P-256 allows us to recover 7 bits of the scalar at once.

References

  1. ANSI X9.62: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA) (1998)

  2. ANSI X9.63: Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography (1998)

  3. Batina, L., Chmielewski, L., Papachristodoulou, L., Schwabe, P., Tunstall, M.: Online template attacks. In: Progress in Cryptology - INDOCRYPT 2014, 15th International Conference on Cryptology in India, New Delhi, India, 14–17 December 2014, pp. 21–36 (2014)

  4. Bauer, A., Jaulmes, E., Prouff, E., Wild, J.: Horizontal collision correlation attack on elliptic curves. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 553–570. Springer, Heidelberg (2014)

  5. Bernstein, D.J., Lange, T.: Explicit-Formulas Database. http://www.hyperelliptic.org/EFD/

  6. BlueKrypt: Cryptographic Key Implementation

  7. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)

  8. BSI: RFC 5639 - Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation. Technical report, Bundesamt für Sicherheit in der Informationstechnik (BSI) (2010)

  9. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Cryptographic Hardware and Embedded Systems - CHES 2002, 4th International Workshop, Redwood Shores, CA, USA, August 13–15, 2002, Revised Papers, pp. 13–28 (2002)

  10. Clavier, C., Feix, B., Gagnerot, G., Giraud, C., Roussellet, M., Verneuil, V.: ROSETTA for single trace analysis. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 140–155. Springer, Heidelberg (2012)

  11. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 46–61. Springer, Heidelberg (2010)

  12. Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation using mixed coordinates. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 51–65. Springer, Heidelberg (1998)

  13. Coron, J.S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)

  14. Fouque, P.A., Valette, F.: The doubling attack – why upwards is better than downwards. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 269–280. Springer, Heidelberg (2003)

  15. Homma, N., Miyamoto, A., Aoki, T., Satoh, A., Shamir, A.: Collision-based power analysis of modular exponentiation using chosen-message pairs. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 15–29. Springer, Heidelberg (2008)

  16. Hutter, M., Schwabe, P.: NaCl on 8-bit AVR microcontrollers. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 156–172. Springer, Heidelberg (2013)

  17. Blake, I.F., Seroussi, G., Smart, N.P.: Advances in Elliptic Curve Cryptography, vol. 317. Cambridge University Press, Cambridge (1999)

  18. Riscure: Inspector

  19. Joye, M.: Elliptic curve cryptosystems and side channel analysis. ST J. Syst. Res. 4, 17–21 (2003)

  20. Joye, M., Tymen, C.: Protections against differential analysis for elliptic curve cryptography. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 377–390. Springer, Heidelberg (2001)

  21. Joye, M., Yen, S.-M.: The Montgomery powering ladder. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003)

  22. Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987)

  23. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)

  24. ARM mbed: PolarSSL version 1.3.7. https://tls.mbed.org/

  25. STMicroelectronics: RM0090 Reference Manual. DocID018909 Rev 8 (2014)

  26. Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)

  27. De Mulder, E., Buysschaert, P., Berna Örs, S., Delmotte, P., Preneel, B., Vandenbosch, G., Verbauwhede, I.: Electromagnetic analysis attack on an FPGA implementation of an elliptic curve cryptosystem. In: IEEE International Conference on Computer as a Tool, Belgrade, Serbia & Montenegro, November 2005, pp. 1879–1882 (2005). doi:10.1109/EURCON.2005.1630348, http://www.sps.ele.tue.nl/members/m.j.bastiaans/spc/demulder.pdf

  28. NIST: FIPS Publication 186-4 - Digital Signature Standard (DSS). Technical report, National Institute of Standards and Technology (NIST), July 2013

  29. Rechberger, C., Oswald, E.: Practical template attacks. In: Lim, C.H., Yung, M. (eds.) WISA 2004. LNCS, vol. 3325, pp. 440–456. Springer, Heidelberg (2005)

  30. Rivain, M.: Fast and regular algorithms for scalar multiplication over elliptic curves. IACR Cryptology ePrint Archive, Report 2011/338 (2011)

Acknowledgements

The authors would like to thank the anonymous reviewers for their useful comments that improved the quality of the paper. Moreover, the first author would like to thank Jean-Christophe Courrège and Carine Therond for useful comments on an earlier version of this work.

Author information

Correspondence to Margaux Dugardin.

Appendices

A Description of the Online Template Attack

A.1 Attack Model for OTA

The Online Template Attack (OTA), introduced in [3], is an adaptive template attack technique that can be used to recover the secret scalar in a scalar multiplication algorithm. The main assumption of the OTA attacker model is the attacker's ability to choose the input point of the scalar multiplication algorithm, in order to generate template traces. As demonstrated in the original paper, OTA works with one target trace from the device under attack and one template trace per key bit, obtained from the attacker's device running the same implementation. Performing OTA in practice requires the following assumptions regarding the attacker:

  • The attacker knows the input \(\mathcal {P}\) of the target device.

  • He knows the implementation of the scalar multiplication algorithm and he is able to compute the intermediate values.

  • He can choose the input points on a device similar to the target device.

Furthermore, we work with the following assumptions related to the device:

  • The scalar can be randomized.

  • The intermediate values are deterministic.

The OTA is then performed as follows:

  1. The attacker first obtains a target trace with input point \(\mathcal {P}\) from the target device.

  2. He obtains template traces with input points \([m]\mathcal {P}, m\in \mathbb {Z}\), i.e. multiples of the point \(\mathcal {P}\), e.g. \(2\mathcal {P}\) or \(3\mathcal {P}\).

  3. He computes the correlation between the target trace and each template trace of the pair. The hypothesis whose template gives the highest correlation is taken as the correct key guess.

The OTA technique is originally described for binary algorithms, but it is easily adapted to the window method by creating one template per hypothesis for each window.

The OTA attacker model is best suited to the Diffie-Hellman key-exchange protocol, because there the attacker can select the input point. Nevertheless, the attack can also be applied against ECDSA if the input point of the target device is known (in ECDSA signing the scalar multiplication acts on the public base point).

A.2 Constructing Template Traces for OTA

At this point, it is important to explain precisely how the interesting points to generate the template traces are chosen. With the term interesting points we mean the multiples of the point \(\mathcal {P}\) that are expected to be the outputs of every iteration of the scalar multiplication algorithm, i.e. \(2\mathcal {P}\) and \(3\mathcal {P}\) for the first bit of the scalar. This is demonstrated with a graphical example depicted in Fig. 12.

Let us assume that the initial input point to the double-and-add-always algorithm is \(\mathcal {P}\) and the most significant bit (\(K_{MSB}\)) of our secret scalar is 1. Then, the output of the second iteration (operations for \(K_{MSB-1}\)) is either \(2\mathcal {P}\) or \(3\mathcal {P}\). For example, if \(K_{MSB-1}=0\), then the output of the second iteration is \(2\mathcal {P}\) and consequently the template trace for \(2\mathcal {P}\) gives higher correlation to the target trace than the template for \(3\mathcal {P}\). We compute the correlations between the template traces \(2\mathcal {P}, 3\mathcal {P}\), and the target trace, in order to find the most likely key-bit. The highest correlation value is considered to be the right key guess.

We continue the same procedure of calculating the two possible outcomes for bit \(K_{MSB-2}\), which are the template traces for \(4\mathcal {P}\) or \(5\mathcal {P}\), and then finding the highest correlation between the templates and the target trace. Figure 13 shows how the templates for the third bit \(K_{MSB-2}\) can be generated. In general, to recover the \(i^{\text {th}}\) bit of the scalar, we compare the second iteration of the template trace (the first doubling operation, whose consumption we detect with EM) with the \((i+1)^{\text {th}}\) iteration of the target trace.

Fig. 12. How to find the second MSB \(K_{MSB-1}\) in the target trace with the template trace of \(2\mathcal {P}\)

Fig. 13. How to find the third MSB \(K_{MSB-2}\) in the target trace with the template trace of \(4\mathcal {P}\)

A.3 Template Matching Phase

Template matching is performed on the parts of the traces where the key-bit dependent assignments take place. Our pattern-matching technique for distinguishing the right hypothesis on the attacked scalar bit is based on the Pearson correlation coefficient \(\rho (X,Y)\) between the target trace and the template traces:

$$\begin{aligned} \rho (X,Y)=\frac{ \sum _i (X_i-\bar{X }) (Y_i-\bar{Y}) }{\sqrt{\sum _i (X_i-\bar{X})^2} \sqrt{ \sum _i (Y_i-\bar{Y})^2 } } = \frac{\langle X-\bar{X},\ Y-\bar{Y} \rangle }{||X-\bar{X}||\ ||Y-\bar{Y}||} \end{aligned}$$
(4)

We chose this metric, since it is both scale and offset-shift invariant.
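The procedure of A.1 to A.3 end to end, as an added, self-contained simulation (example code, not code from the paper or from PolarSSL/mbedTLS). Everything below the attacker model is an assumption of the example: a toy 61-bit curve constructed here (not P-256), a left-to-right double-and-add-always scalar multiplication whose doubling leaks the Hamming weight of each intermediate value plus Gaussian noise (standing in for the EM samples), and the attack loop that, for each bit, runs the same implementation on the attacker's device with input points \([2k]\mathcal{P}\) and \([2k+1]\mathcal{P}\), takes the first doubling of each run as the template, and keeps the hypothesis whose Pearson correlation (Eq. 4) with the \((i+1)^{\text{th}}\) doubling of the single target trace is higher. No doubling follows the last bit, so the example resolves it by checking both candidates against the output point, which it assumes is known.

```python
import random

# Toy short-Weierstrass curve y^2 = x^3 + A*x + B over F_p, p = 2^61 - 1 (Mersenne prime).
# Constructed for this example only; it is not P-256 or any curve attacked in the paper.
P_MOD = (1 << 61) - 1
A = 7
GX, GY = 123456789, 987654321
B = (GY * GY - GX * GX * GX - A * GX) % P_MOD   # chosen so that G lies on the curve
G = (GX, GY)                                    # input point known to the attacker


def hw(v):
    """Hamming weight: the assumed leakage of one intermediate value."""
    return bin(v).count("1")


def ec_double(Q, leak=None, sigma=0.0, rng=None):
    """Affine doubling. When `leak` is a list, every intermediate value appends one
    sample HW(value) + N(0, sigma^2) to it: the sample vector of one doubling."""
    if Q is None:
        return None
    x, y = Q
    if y == 0:
        return None
    two_y = 2 * y % P_MOD
    num = (3 * x * x + A) % P_MOD
    inv = pow(two_y, -1, P_MOD)
    lam = num * inv % P_MOD
    lam2 = lam * lam % P_MOD
    x3 = (lam2 - 2 * x) % P_MOD
    dx = (x - x3) % P_MOD
    y3 = (lam * dx - y) % P_MOD
    if leak is not None:
        for v in (two_y, num, inv, lam, lam2, x3, dx, y3):
            leak.append(hw(v) + ((rng or random).gauss(0.0, sigma) if sigma > 0 else 0.0))
    return (x3, y3)


def ec_add(Q1, Q2):
    """Affine addition; the point at infinity is represented as None."""
    if Q1 is None:
        return Q2
    if Q2 is None:
        return Q1
    x1, y1 = Q1
    x2, y2 = Q2
    if x1 == x2:
        return ec_double(Q1) if y1 == y2 else None
    lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def scalar_mult_trace(k, P, n_bits, sigma=0.0, rng=None):
    """Left-to-right double-and-add-always; k must have exactly n_bits bits (MSB = 1).
    Returns ([k]P, trace): trace[i] is the sample vector of the doubling applied to
    the accumulator after the top i+1 bits of k have been processed."""
    assert k >> (n_bits - 1) == 1
    R, trace = P, []
    for i in range(n_bits - 2, -1, -1):
        leak = []
        D = ec_double(R, leak, sigma, rng)
        S = ec_add(D, P)                     # computed whether or not the bit is set
        R = S if (k >> i) & 1 else D
        trace.append(leak)
    return R, trace


def pearson(X, Y):
    """Pearson correlation coefficient of Eq. (4)."""
    n = len(X)
    mx, my = sum(X) / n, sum(Y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(X, Y))
    norm = (sum((a - mx) ** 2 for a in X) * sum((b - my) ** 2 for b in Y)) ** 0.5
    return cov / norm if norm else 0.0


def online_template_attack(target_trace, P, n_bits, sigma=0.0, rng=None):
    """Recover the top n_bits-1 bits of the scalar from one target trace. With k the
    bits known so far, the accumulator is [2k]P or [2k+1]P; each candidate point is fed
    to the same implementation on the attacker's device (with any scalar of his own)
    and its first doubling is the template for the next doubling of the target."""
    k = 1                                    # MSB assumed to be 1
    for i in range(1, n_bits - 1):
        scores = {}
        for bit in (0, 1):
            m = 2 * k + bit
            mP, _ = scalar_mult_trace(m, P, m.bit_length())          # candidate computed offline
            _, tmpl = scalar_mult_trace(0b10, mP, 2, sigma, rng)     # template run on input [m]P
            scores[bit] = pearson(tmpl[0], target_trace[i])
        k = 2 * k + max(scores, key=scores.get)
    return k


if __name__ == "__main__":
    rng = random.Random(2016)
    n_bits, k = 16, 0b1011001110101101                    # constructed secret scalar, MSB set
    kP, target = scalar_mult_trace(k, G, n_bits, sigma=0.5, rng=rng)   # one noisy target trace
    top = online_template_attack(target, G, n_bits, sigma=0.5, rng=rng)
    # Last bit: no later doubling leaks it, so test both candidates against the output point
    # (assumed known here, e.g. a public result the attacker can check a full guess against).
    hits = [c for c in (2 * top, 2 * top + 1) if scalar_mult_trace(c, G, n_bits)[0] == kP]
    print(f"secret {k:#x}  recovered {hits[0]:#x}" if hits else f"secret {k:#x}  recovery failed")
```

The scalar used in the template run is irrelevant: only the input point determines the first doubling, which is what makes the templates "online", i.e. generated adaptively after each recovered bit. With sigma set to 0 the correct template correlates exactly (rho = 1) and a wrong one does not, which is the noise-free sanity check to run before adding measurement noise; the number of samples per doubling (8 here) is what sets the margin against noise in a real trace.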

B Probability of the Propagation of Carry

Computing the probability of an inner carry amounts to computing the probability of \((X\times Y + R\times 2^{32}) \ge 2^{64}\), with X uniformly distributed in \([0, \max \{A_7| A\in \mathbb {F}_p\}]\), Y uniformly distributed in \([0,\max \{B_i| B\in \mathbb {F}_p, i\in \{0,\cdots ,7\}\}]\) and R uniformly distributed in \([0,\max \{X_i| X\in \mathbb {F}_{(p-1)^2}, i\in \{7,\cdots ,15\}\}]\). For all curves, \(\max \{B_i| B\in \mathbb {F}_p, i\in \{0,\cdots ,7\}\}\) and \(\max \{X_i| X\in \mathbb {F}_{(p-1)^2}, i\in \{7,\cdots ,14\}\}\) equal \(2^{32}-1\). The value \(\max \{A_7| A\in \mathbb {F}_p\}\) depends on the most significant word (MSW) of the characteristic of the finite field. The probability can be computed as follows:

$$\begin{aligned} \mathbb {P}(X\times Y + R\times 2^{32} \ge 2^{64})= \frac{1}{4}\frac{\max \{A_7| A\in \mathbb {F}_p\}}{2^{32}} \end{aligned}$$
(5)

We hereby give the complete computation of the probability of an inner-carry propagation (Eq. 5):

$$\begin{aligned}&\mathbb {P}(XY+2^{32}R \ge 2^{64})\\&=\sum _{x=0}^{A_7-1} \sum _{y=0}^{2^{32}-1} \sum _{r=0}^{2^{32}-1} \mathbb {P}(XY+2^{32}R \ge 2^{64} \mid X=x, Y=y, R=r) \mathbb {P}(X=x) \mathbb {P}(Y=y) \mathbb {P}(R=r) \\&=\sum _{x=0}^{A_7-1} \sum _{y=0}^{2^{32}-1} \sum _{r=0}^{2^{32}-1} \mathbb {P}(xy+2^{32}r \ge 2^{64}) \frac{1}{A_7} \frac{1}{2^{32}} \frac{1}{2^{32}} \\&=\frac{1}{A_7} \frac{1}{\left( 2^{32}\right) ^2} \sum _{x=0}^{A_7-1} \sum _{y=0}^{2^{32}-1} \sum _{r=0}^{2^{32}-1} {1}_{xy+2^{32}r \ge 2^{64}} , \text {where 1 is the indicator, i.e.,} {1}_z = {\left\{ \begin{array}{ll} 0 &{} \text {if}\ z\ \text {is false},\\ 1 &{} \text {otherwise}\\ \end{array}\right. } \end{aligned}$$

which can be approximated by:

$$\begin{aligned} \frac{1}{A_7}&\frac{1}{\left( 2^{32}\right) ^2} \int _{x=0}^{A_7-1} \int _{y=0}^{2^{32}-1} \int _{r=0}^{2^{32}-1} \delta _{xy+2^{32}r \ge 2^{64}} \text {dr}\text {dy}\text {dx} \\&\simeq \frac{1}{A_7} \frac{1}{\left( 2^{32}\right) ^2} \int _{x=0}^{A_7} \int _{y=0}^{2^{32}} \int _{r=0}^{2^{32}} \delta _{xy+2^{32}r \ge 2^{64}} \text {dr}\text {dy}\text {dx} \\&= \frac{2^{32}}{A_7} \int _{x=0}^{a_7} \int _{y=0}^{1} \int _{r=0}^{1} \delta _{xy+r \ge 1} \text {dr}\text {dy}\text {dx} \end{aligned}$$

with \(x\leftarrow x/2^{32}\), \(y\leftarrow y/2^{32}\), \(r\leftarrow r/2^{32}\) and \(a_7 = A_7/2^{32}\).

It holds, \(\delta _{xy+r \ge 1} = \delta _{r \ge 1-xy}\). Besides, \(1-xy \in [1-a_7, 1] \subset [0,1]\). Indeed,

$$\begin{aligned} 0 \le x \le a_7, 0 \le y \le 1 \implies 0 \le xy \le a_7, \text { hence } 1-a_7 \le 1-xy \le 1. \end{aligned}$$

Therefore,
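Carrying the remaining integral through with the symbols above (this evaluation is added here as a worked step; it is not part of the original page), using \(\delta _{xy+r \ge 1} = \delta _{r \ge 1-xy}\) with \(1-xy\in [0,1]\) and the prefactor \(2^{32}/A_7 = 1/a_7\):

$$\begin{aligned} \frac{1}{a_7}\int _{x=0}^{a_7} \int _{y=0}^{1} \int _{r=0}^{1} \delta _{xy+r \ge 1} \text {dr}\text {dy}\text {dx} &= \frac{1}{a_7}\int _{x=0}^{a_7} \int _{y=0}^{1} \big (1-(1-xy)\big ) \text {dy}\text {dx} = \frac{1}{a_7}\int _{x=0}^{a_7} \int _{y=0}^{1} xy \ \text {dy}\text {dx} \\ &= \frac{1}{a_7}\int _{x=0}^{a_7} \frac{x}{2} \text {dx} = \frac{1}{a_7}\cdot \frac{a_7^2}{4} = \frac{a_7}{4} = \frac{1}{4}\frac{A_7}{2^{32}} \end{aligned}$$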

For \(A_7=2^{32}-1\) (NIST P-256, whose prime has most significant word 0xFFFFFFFF), this yields \(a_7\approx 1\) and a probability of \({\approx }0.25\). For \(A_7=\texttt {0xA9FB57DA}\) (Brainpool P-256), this yields \({\approx }0.166\).
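To check the continuous approximation against the discrete sum of Appendix B, an added Python example (not code from the paper): `exact_carry_probability` evaluates the triple sum exactly for a reduced word size w, using the fact that for fixed x and y exactly \(\lfloor xy/2^w\rfloor\) values of r satisfy \(xy+2^w r\ge 2^{2w}\) (the high word of the partial product), so the sum over r collapses; `monte_carlo_carry_probability` samples the 32-bit case for the two values of \(A_7\) quoted above; `closed_form_carry_probability` is \(a_7/4\). The reduced word size, sample counts and seeds are assumptions of the example.

```python
import random


def closed_form_carry_probability(w, A):
    """Continuous approximation of Appendix B: P ~= a/4 with a = A / 2^w."""
    return A / (4 * (1 << w))


def exact_carry_probability(w, A):
    """Exact P(X*Y + R*2^w >= 2^(2w)) for X uniform on [0, A), Y and R uniform on [0, 2^w).

    For fixed (x, y) the admissible r satisfy r >= 2^w - x*y/2^w, and there are exactly
    floor(x*y / 2^w) of them, i.e. the high word of the partial product x*y. The triple
    sum of the appendix therefore collapses to a double sum over (x, y)."""
    total = 0
    for x in range(A):
        for y in range(1 << w):
            total += (x * y) >> w
    return total / (A * (1 << (2 * w)))       # A choices of x, 2^w of y, 2^w of r


def monte_carlo_carry_probability(w, A, samples, seed):
    """Direct sampling of the inner-carry event for full-size words (w = 32 on the STM32F4)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        x, y, r = rng.randrange(A), rng.randrange(1 << w), rng.randrange(1 << w)
        if x * y + (r << w) >= (1 << (2 * w)):
            hits += 1
    return hits / samples


if __name__ == "__main__":
    # 8-bit words: the exact double sum is cheap and already tracks a/4 closely.
    for A in (255, 128):
        print(f"w=8 A={A}: exact={exact_carry_probability(8, A):.4f} "
              f"closed form={closed_form_carry_probability(8, A):.4f}")
    # 32-bit words with the two values of A_7 discussed in the appendix.
    for name, A7 in (("A_7 = 0xFFFFFFFF (NIST P-256)", (1 << 32) - 1),
                     ("A_7 = 0xA9FB57DA (Brainpool P-256)", 0xA9FB57DA)):
        est = monte_carlo_carry_probability(32, A7, 200_000, seed=1)
        print(f"{name}: sampled={est:.3f} closed form={closed_form_carry_probability(32, A7):.3f}")
```

The exact sum is slightly below \(a_7/4\) because x is drawn from \([0, A_7)\) and the integrals in the appendix extend the ranges to their upper end; at w = 32 the difference is negligible, and the sampled values reproduce the 0.25 and 0.166 quoted above. The collapse of the sum over r also gives the practical reading of Eq. 5: the carry probability is the expected high word of the partial product \(X\times Y\) divided by \(2^{32}\).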

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Dugardin, M., Papachristodoulou, L., Najm, Z., Batina, L., Danger, JL., Guilley, S. (2016). Dismantling Real-World ECC with Horizontal and Vertical Template Attacks. In: Standaert, FX., Oswald, E. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2016. Lecture Notes in Computer Science, vol 9689. Springer, Cham. https://doi.org/10.1007/978-3-319-43283-0_6

  • DOI: https://doi.org/10.1007/978-3-319-43283-0_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-43282-3

  • Online ISBN: 978-3-319-43283-0
