Analysis of ECC Implementations with Worst-Case Horizontal Attacks


  1. A Systematic Approach to the Side-Channel Analysis of ECC Implementations with Worst-Case Horizontal Attacks
     Romain Poussier, François-Xavier Standaert: Université catholique de Louvain
     Yuanyuan Zhou: Université catholique de Louvain & Brightsight BV
     CHES 2017, 28/09/2017

  2. Outline
     – Context and motivation
     – Horizontal differential power attack: systematic framework
     – Practical experiments
       • Setup
       • Points of interest
       • Result on Cortex-M4
       • Result on Cortex-A8
     – Conclusion and future works

  3. SCA on ECC: many options
     Elliptic curve cryptography (ECC)
     Side-channel attacks (SCA)
     Scalar multiplication $kP$
     Many attack classes:
       • DPA
       • Horizontal DPA
       • Template
       • Bit manipulation
       • Horizontal Collision
       • …
     Different tools:
       • Difference of mean
       • Correlation
       • Likelihood
       • Machine learning
       • …

  5. Which attack to use for evaluation
     Many attack classes:
       • DPA
       • Horizontal DPA
       • Template
       • Bit manipulation
       • Horizontal Collision
       • …
     Different tools:
       • Difference of mean
       • Correlation
       • Likelihood
       • Machine learning
       • …
     Which attack to use for a fixed time security evaluation?
     Our general goal: approaching worst-case security
     How: use most of the available side-channel information

  6. State of the art

     | Attack           | # needed traces | Input point        | Attacker's assumptions | # Information used             |
     | DPA              | N               | A posteriori known | Strong                 | Small                          |
     | Template         | 1               | A priori known     | Strong                 | Customizable (first bits only) |
     | Online template  | 1               | A priori known     | Very strong            | Customizable                   |
     | H-DPA            | 1               | A posteriori known | Strong                 | Customizable                   |
     | H-Collision      | 1               | Not needed         | Weak                   | Small                          |
     | Bit manipulation | 1               | Not needed         | Weak                   | Small                          |

  7. This study: contribution on H-DPA
     Complex framework:
       • Systematic approach
       • Close to worst-case with leakage characterization
     Few practical experiments for H-DPA:
       • A to Z application
       • Cortex-M4 (easy)
       • Cortex-A8 (more challenging)
     Teaser: promising future work shown at the end of the talk!

  9. Elliptic curve scalar multiplication (ECSM)
     Note: only collision attack against this ECSM: Hanley et al. (CTRSA 2015)

  10. Identify the information: abstract view of regular ECSM
      Fixed and predictable sequence of register operations: N registers per scalar bit

  16. Horizontal DPA: modus operandi
      HDPA attack on $k_0$:
      1. Select several internal register operations $Rs$ that depend on $P$ and $k_0$.
      2. Model the function $L$ that characterizes how $Rs$ leaks: information extraction.
      3. Acquire 1 attack measurement.
      4. Prepare two sets $S_0$ (resp. $S_1$) that contain the guesses for the values $Rs_0$ (resp. $Rs_1$) as a function of $P$ and $k_0 = 0$ (resp. $k_0 = 1$).
      5. Compare $L(Rs_i)$ with the actual SCA leakages using a distinguisher $D$: information combination.
      6. Select $k_0 = i$ such that $D(S_i, L(Rs_i))$ is maximised.

  17. Extracting the information: linear regression
      Registers of size $s$ bits:
        • Classical templates: $O(2^s)$
        • Linear regression: $O(s)$ (or more: tradeoff)

  18. Linear regression: deterministic part
      Acquire $n$ traces with random known $P$ and $k$: leakages $l(1), l(2), \dots, l(n)$ and processed values $r(1), r(2), \dots, r(n)$.
      $L(x) = \alpha + \sum_{i=1}^{s} \alpha_i \cdot x_i$, where $x_i$ is the $i$-th bit of $x$
      Function $L$: $(\alpha, \alpha_1, \dots, \alpha_s)$

  19. Linear regression: noise
      Acquire $m$ traces with random known $P$ and $k$: leakages $l(1), l(2), \dots, l(m)$ and processed values $r(1), r(2), \dots, r(m)$.
      Noise approximation: $\sigma^2 = \frac{1}{m} \sum_{i=1}^{m} \left( l(i) - L(r(i)) \right)^2$
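The leakage characterization of slides 18 and 19 (a constant plus one weight per register bit, fitted by least squares on known values, then the residual variance on a second set as the noise estimate) can be tried on simulated data. This is an added example, not code from the talk or its authors; the 8-bit register size, the bit weights, the noise level and all function names are assumptions chosen for illustration.

```python
import random

def bits(x, s):
    """The s bits of x, least significant first."""
    return [(x >> i) & 1 for i in range(s)]

def solve(A, b):
    """Solve A*w = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [a - f * q for a, q in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]

def fit_leakage_model(values, leakages, s):
    """Least-squares fit of the s + 1 parameters (constant, one weight per bit)."""
    X = [[1.0] + bits(v, s) for v in values]
    k = s + 1
    XtX = [[sum(row[a] * row[b] for row in X) for b in range(k)] for a in range(k)]
    Xty = [sum(row[a] * l for row, l in zip(X, leakages)) for a in range(k)]
    return solve(XtX, Xty)

def model(coeffs, x, s):
    """Deterministic part of the leakage predicted for register value x."""
    return coeffs[0] + sum(c * b for c, b in zip(coeffs[1:], bits(x, s)))

def noise_variance(coeffs, values, leakages, s):
    """Mean squared residual between measured and modelled leakage."""
    return sum((l - model(coeffs, v, s)) ** 2
               for v, l in zip(values, leakages)) / len(values)

def simulate(n, s, true_coeffs, sigma, rng):
    """Constructed data: random known register values with noisy simulated leakage."""
    vals = [rng.getrandbits(s) for _ in range(n)]
    leaks = [model(true_coeffs, v, s) + rng.gauss(0, sigma) for v in vals]
    return vals, leaks

def demo():
    rng = random.Random(2017)
    s, sigma = 8, 0.5                                       # assumed register size and noise
    true = [3.0, 1.0, 0.8, 1.2, 0.9, 1.1, 0.7, 1.3, 1.0]    # constructed bit weights
    rv, lv = simulate(5000, s, true, sigma, rng)            # set used to fit the model
    coeffs = fit_leakage_model(rv, lv, s)
    rv2, lv2 = simulate(5000, s, true, sigma, rng)          # second set for the noise
    return true, coeffs, noise_variance(coeffs, rv2, lv2, s)
```

The fit recovers nine parameters where a classical template for the same register would need one per value (256 here), which is the tradeoff slide 17 points at.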

  20. Combining the information (attack)
      Parameter: $d$ scalar bits attacked per iteration
      [Diagram: Target and Simulator, example with $k = 101$, $d = 3$]

  22. Setup: target implementation/devices
      Cortex-M4:
        • 100 MHz
        • Constant time instructions (mostly)
        • 32-bit registers
      Cortex-A8:
        • 1 GHz
        • Constant time instructions (mostly)
        • 32-bit registers
        • Ubuntu running in background
      Custom constant time assembly implementation of NIST p256
      256x256-bit multiplication achieved through 64 32x32-bit register multiplications (framework independent of the curve/implementation)
      N=1600 target registers per scalar bit (only)

  23. Setup: trace acquisition & scenario
      Cortex-M4:
        • Power measurement
        • Lecroy WaveRunner HRO 66
        • 200 Ms/sec
        • 123 scalar bits
        • 40,000,000 samples per trace
        Scenario: 1st order success rate on 123 bits
      Cortex-A8:
        • EM measurement
        • Lecroy WaveRunner 620Zi
        • 10 GS/s
        • 4 scalar bits
        • 2,000,000 samples per trace
        • Trace alignment
        Scenario: Lattice attack (ECDSA) with several partial nonces

  25. Points of interest: CPA and partial SNR
      Acquire $n$ traces with random known $P$ and $k$: leakages $l_i$, $l_j$, … per time sample and processed values $r(1), r(2), \dots, r(n)$.
      CPA: $t = \operatorname{argmax}_i \, \rho(\mathrm{HW}(r), l_i)$
      Partial SNR: $t = \operatorname{argmax}_i \, \mathrm{SNR}(\mathrm{trunc}_b(r), l_i)$
      ($t$: time sample)

  26. Points of interest: windowed mode
      Cortex-M4: 1600 ⋅ 123 POIs; 40,000,000 samples

  27. Points of interest: windowed mode

  28. Points of interest: windowed mode
      CPA: p-value
      Partial SNR: heuristic threshold

  31. Outline
      – Context and motivations
      – Horizontal differential power attack: systematic framework
      – Practical experiments
        • Setup
        • Points of interest
        • Result on Cortex-M4: first order success rate on 123 scalar bits
        • Result on Cortex-A8
      – Conclusion and future works

  32. Cortex-M4 results: 1-O SR on 123 bits
      Reminder on the parameters:
        • d: number of scalar bits targeted at the same time
        • N: number of target registers per scalar bit
      [Plot: 1-O SR against the number N of POI per bit]
