Analysis of ECC Implementations with Worst-Case Horizontal Attacks - - PowerPoint PPT Presentation




SLIDE 1

CHES 2017, 28/09/2017

A Systematic Approach to the Side-Channel Analysis of ECC Implementations with Worst-Case Horizontal Attacks

Romain Poussier and François-Xavier Standaert (Université catholique de Louvain); Yuanyuan Zhou (Université catholique de Louvain & Brightsight BV)

SLIDE 2

Outline

– Context and motivation
– Horizontal differential power attack: systematic framework
– Practical experiments

  • Setup
  • Points of interest
  • Result on Cortex-M4
  • Result on Cortex-A8

– Conclusion and future works


SLIDE 3

SCA on ECC: many options


Elliptic curve cryptography (ECC) + side-channel attacks (SCA)

Many attack classes

  • DPA
  • Horizontal DPA
  • Template
  • Bit manipulation
  • Horizontal Collision

Different tools

  • Difference of mean
  • Correlation
  • Likelihood
  • Machine learning

Scalar multiplication [k]P


SLIDE 4

Which attack to use for evaluation


Many attack classes

  • DPA
  • Horizontal DPA
  • Template
  • Bit manipulation
  • Horizontal Collision

Different tools

  • Difference of mean
  • Correlation
  • Likelihood
  • Machine learning

Which attack to use for a fixed time security evaluation?


SLIDE 5

Which attack to use for evaluation


Many attack classes

  • DPA
  • Horizontal DPA
  • Template
  • Bit manipulation
  • Horizontal Collision

Different tools

  • Difference of mean
  • Correlation
  • Likelihood
  • Machine learning

Which attack to use for a fixed time security evaluation?

Our general goal: approaching worst-case security
How: use most of the available side-channel information


SLIDE 6

State of the art


Attack             # needed traces   Input point          Attacker's assumptions   Information used
DPA                N                 A posteriori known   Strong                   Small
Template           1                 A priori known       Strong                   Customizable (first bits only)
Online template    1                 A priori known       Very strong              Customizable
H-DPA              1                 A posteriori known   Strong                   Customizable
H-Collision        1                 Not needed           Weak                     Small
Bit manipulation   1                 Not needed           Weak                     Small

SLIDE 7

This study: contribution on H-DPA


Complex framework

  • Systematic approach
  • Close to worst-case with leakage characterization

Few practical experiments for H-DPA

  • A to Z application
  • Cortex-M4 (easy)
  • Cortex-A8 (more challenging)


Teaser: promising future work shown at the end of the talk!

SLIDE 8

Outline

– Context and motivations
– Horizontal differential power attack: systematic framework
– Practical experiments

  • Setup
  • Points of interest
  • Result on Cortex-M4
  • Result on Cortex-A8

– Conclusion and future works


SLIDE 9

Elliptic curve scalar multiplication (ECSM)


Note: the only collision attack against this ECSM: Hanley et al. (CT-RSA 2015)

SLIDE 10

Identify the information: abstract view of regular ECSM


Fixed and predictable sequence of register operations: N registers per scalar bit

SLIDE 11-16

Horizontal DPA: modus operandi

HDPA attack on k_0 (the original deck reveals one step per slide):

  • 1. Select several internal register operations R_s that depend on P and k_0
  • 2. Model the function L that characterizes how the R_s leak: information extraction
  • 3. Acquire 1 attack measurement
  • 4. Prepare two sets S_0 (resp. S_1) that contain the guesses for the values R_s^0 (resp. R_s^1) as a function of P and k_0 = 0 (resp. k_0 = 1)
  • 5. Compare L(R_s^j) with the actual SCA leakages using a distinguisher D: information combination
  • 6. Select k_0 = j such that D(S_j, L(R_s^j)) is maximised.

SLIDE 17

Extracting the information: linear regression


Registers of size s bits:

  • Classical templates: O(2^s)
  • Linear regression: O(s) (or more: tradeoff)

SLIDE 18

Linear regression: deterministic part


Acquire n traces with random known P and k.

Processed values r^(1), r^(2), …, r^(n) and their leakages l^(1), l^(2), …, l^(n).

Function L: (α, α_1, …, α_s)

$L(x) = \alpha + \sum_{i=1}^{s} \alpha_i \cdot x_i$, where $x_i$ is the $i$-th bit of $x$.

SLIDE 19

Linear regression: noise


Acquire m traces with random known P and k.

Processed values r^(1), r^(2), …, r^(m) and their leakages l^(1), l^(2), …, l^(m).

Noise approximation:

$\sigma^2 = \frac{1}{m} \sum_{i=1}^{m} \left( l^{(i)} - L(r^{(i)}) \right)^2$

SLIDE 20

Combining the information (attack)


Parameter: d scalar bits attacked per iteration

[Figure: target vs. simulator; example with k = 101 and d = 3]
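To make steps 2 to 6 of the modus operandi and the linear-regression profiling of slides 18 and 19 concrete, here is an added Python simulator (it is not code from the paper or its authors): it fits L(x) and sigma^2 from profiling traces with known processed values, then runs the single-trace Gaussian distinguisher D over N simulated register leakages to recover one scalar bit, and measures the first-order success rate as a function of N. The simulated device, its leakage coefficients, the 8-bit register width, and register_values (a constructed stand-in for the real register operations R_s) are all assumptions, not anything from the target implementation.

```python
import math
import random

W, NOISE_SD = 8, 2.0                    # toy register width (target: 32 bits) and noise level
TRUE_ALPHA = [0.5] + [0.6 + 0.1 * i for i in range(W)]   # constructed hidden device coefficients

def bits(x):                            # regressors (1, x_1, ..., x_W) of the linear model
    return [1.0] + [float((x >> i) & 1) for i in range(W)]
def model(alpha, x):                    # L(x) = alpha_0 + sum_i alpha_i * x_i
    return sum(a * b for a, b in zip(alpha, bits(x)))
def leak(x, rng):                       # simulated measurement of one register operation on x
    return model(TRUE_ALPHA, x) + rng.gauss(0, NOISE_SD)
def fit_model(values, leakages):        # least squares: normal equations + Gauss-Jordan
    n = W + 1
    A, b = [[0.0] * n for _ in range(n)], [0.0] * n
    for x, l in zip(values, leakages):
        bx = bits(x)
        for i in range(n):
            b[i] += bx[i] * l
            A[i] = [aij + bx[i] * bx[j] for j, aij in enumerate(A[i])]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(A[r][c]))      # partial pivoting
        A[c], A[p], b[c], b[p] = A[p], A[c], b[p], b[c]
        for r in set(range(n)) - {c}:
            f = A[r][c] / A[c][c]
            A[r] = [ar - f * ac for ar, ac in zip(A[r], A[c])]
            b[r] -= f * b[c]
    return [b[i] / A[i][i] for i in range(n)]
def profile(n_traces, seed):            # information extraction from n profiling traces with
    rng = random.Random(seed)           # random known processed values: returns (alpha, sigma^2)
    vals = [rng.randrange(1 << W) for _ in range(n_traces)]
    leaks = [leak(x, rng) for x in vals]
    alpha = fit_model(vals, leaks)
    return alpha, sum((l - model(alpha, x)) ** 2 for x, l in zip(vals, leaks)) / n_traces
def register_values(P, k0, N):          # constructed stand-in for the N register values R_s of
    # one ECSM iteration: fixed, predictable functions of the input point P and scalar bit k0
    return [random.Random((P << 20) | (s << 1) | k0).randrange(1 << W) for s in range(N)]
def hdpa_bit(alpha, var, trace, P, N):  # information combination: distinguisher D = Gaussian
    # log-likelihood of the single trace under k0=0 / k0=1, summed over the N registers
    ll = [-sum((trace[s] - model(alpha, r)) ** 2 for s, r in enumerate(register_values(P, j, N)))
          / (2.0 * var) for j in (0, 1)]
    p1 = 1.0 / (1.0 + math.exp(max(-500.0, min(500.0, ll[0] - ll[1]))))
    return (1, p1) if p1 > 0.5 else (0, 1.0 - p1)   # (guessed k0, its posterior probability)
def success_rate(alpha, var, N, trials, seed):  # first-order SR on k0 using N registers
    rng, ok = random.Random(seed), 0
    for _ in range(trials):
        P, k0 = rng.randrange(1 << 16), rng.randrange(2)
        trace = [leak(r, rng) for r in register_values(P, k0, N)]   # the single attack trace
        ok += hdpa_bit(alpha, var, trace, P, N)[0] == k0
    return ok / trials
```

Comparing success_rate for N = 1 and N = 50 at the same noise level reproduces the point of slide 32: combining more register leakages per bit pushes the single-trace success rate towards 1, so resisting HDPA needs far more noise than resisting a single-register attack.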

SLIDE 21

Outline

– Context and motivations
– Horizontal differential power attack: systematic framework
– Practical experiments

  • Setup
  • Points of interest
  • Result on Cortex-M4
  • Result on Cortex-A8

– Conclusion and future works


SLIDE 22

Setup: target implementation/devices


Custom constant-time assembly implementation of NIST P-256

  • 256×256-bit multiplication achieved through 64 32×32-bit register multiplications (framework independent of the curve/implementation)
  • N = 1600 target registers per scalar bit (only)

Cortex-M4

  • 100 MHz
  • Constant time instructions (mostly)
  • 32-bit registers

Cortex-A8

  • 1 GHz
  • Constant time instructions (mostly)
  • 32-bit registers
  • Ubuntu running in background

SLIDE 23

Setup: trace acquisition & scenario


Cortex-M4

  • Power measurement
  • Lecroy WaveRunner HRO 66
  • 200 Ms/sec
  • 123 scalar bits
  • 40,000,000 samples per trace

Cortex-A8

  • EM measurement
  • Lecroy WaveRunner 620Zi
  • 10 GS/s
  • 4 scalar bits
  • 2,000,000 samples per trace
  • Trace alignment

Scenario: 1st order success rate

  • on 123 scalar bits

Scenario: Lattice attack (ECDSA) with several partial nonces

SLIDE 24

Outline

– Context and motivations
– Horizontal differential power attack: systematic framework
– Practical experiments

  • Setup
  • Points of interest
  • Result on Cortex-M4
  • Result on Cortex-A8

– Conclusion and future works


SLIDE 25

Points of interest: CPA and partial SNR


Acquire n traces with random known P and k.

Processed values r^(1), r^(2), …, r^(n); leakages l_i at time sample i.

CPA: $t = \arg\max_i \rho\big(\mathrm{HW}(\mathbf{r}), \mathbf{l}_i\big)$

Partial SNR: $t = \arg\max_i \mathrm{SNR}\big(\mathrm{trunc}_b(\mathbf{r}), \mathbf{l}_i\big)$

SLIDE 26

Points of interest: windowed mode


Cortex-M4: 1600 ⋅ 123 POIs ; 40,000,000 samples

SLIDE 27-30

Points of interest: windowed mode

[Figures: windowed selection of points of interest]

CPA: p-value; partial SNR: heuristic threshold

SLIDE 31

Outline

– Context and motivations
– Horizontal differential power attack: systematic framework
– Practical experiments

  • Setup
  • Points of interest
  • Result on Cortex-M4: first order success rate on 123 scalar bits
  • Result on Cortex-A8

– Conclusion and future works


SLIDE 32

Cortex-M4 results: 1-O SR on 123 bits


[Plot: 1-O SR as a function of the number N of POIs per bit]

Reminder on the parameters:

  • d: number of scalar bits targeted at the same time
  • N: number of target registers per scalar bit

SLIDE 33

Outline

– Context and motivations
– Horizontal differential power attack: systematic framework
– Practical experiments

  • Setup
  • Points of interest
  • Result on Cortex-M4
  • Result on Cortex-A8: lattice attack on 4-bit partial nonces (ECDSA)

– Conclusion and future works


SLIDE 34

Lattice attack on ECDSA: tradeoff


[Plot: tradeoff between the number s of signatures and the number b of known bits per nonce]

Run s signatures:

  • s nonces n_i
  • Recover b bits of each n_i from the ECSM [n]P
  • Recover k from the s partial nonces trunc_b(n_i)

SLIDE 35

Lattice attack on ECDSA: our tradeoff


Run 2200 signatures:

  • 2200 nonces n_i
  • Recover 4 bits of each n_i from the ECSM [n]P
  • Recover k from the s partial nonces trunc_4(n_i)
  • 140 correct partial nonces required

Problem: incorrect partial nonces

Answer:

  • Bayes for real probabilities
  • probability threshold t

SLIDE 36

Cortex-A8 results: threshold for lattice attack on ECDSA


Probability threshold t   Nonce 1-O SR = x   Key 1-O SR = x^140   # discarded traces   # remaining traces
None                      0.815              3.9 · 10^-13         -                    2200
0.9                       0.868              2.5 · 10^-9          306                  1894
0.9999999                 0.992              0.312                1597                 613
0.99999999999             1                  1                    1958                 242 (> 140)

SLIDE 37

Conclusion and future work


Conclusion:

  • 1. Detailed systematic framework to apply HDPA in a close-to-optimal way:
       a) Information identification
       b) Information extraction
       c) Information combination
  • 2. Application in practice:
       a) Cortex-M4 & Cortex-A8
       b) A-Z application of the framework

A lot of noise is required to resist HDPA

  • Cannot be done with TA or OTA
  • Cannot be used with correlation H-DPA

Next step: breaking point randomization!

  • 1. Replace the information combination by a belief propagation algorithm (soft analytical side-channel attack)
  • 2. Recover the random point
  • 3. Apply the same framework as in this study to recover the key

SASCA on asymmetric crypto: see next talk!