exploiting dummy codes in elliptic curve cryptography
play

Exploiting dummy codes in Elliptic Curve Cryptography Andy Russon - PowerPoint PPT Presentation

Jan 31, 2024 •587 likes •1.15k views

Exploiting dummy codes in Elliptic Curve Cryptography Andy Russon 4 June 2020 2/20 About me PhD thesis on elliptic curves Orange, and Universit de Rennes 1 Risk assessment and audit Interest: challenges (root-me, CryptoHack), korean

  1. Exploiting dummy codes in Elliptic Curve Cryptography Andy Russon 4 June 2020

  2. 2/20 About me PhD thesis on elliptic curves Orange, and Université de Rennes 1 Risk assessment and audit Interest: challenges (root-me, CryptoHack), korean movies, science-fjction

  3. 3/20 Introduction About Elliptic Curve Cryptography: Public-key cryptography with small parameters, keys, signatures, etc Protocols: TLS 1.3, SSH, Bitcoin, Signal, etc Servers, smart cards, IoT devices, etc Parameter size 128-bit security 256-bit security ECC RSA ECC RSA

  4. 4/20 Introduction Hard to implement secure and effjcient cryptography. Depends on threat model (physical access to the device, etc) One protection can lead to a vulnerability Passive attacks: timing, power analysis, etc Active attacks: difgerential fault analysis, C safe-errors C safe-error attacks against protected implementations to attack ECDSA 1 . 1 Fouque et al., “Safe-Errors on SPA Protected Implementations with the Atomicity Technique”; Dubeuf, Hely, and Beroulle, “Enhanced Elliptic Curve Scalar Multiplication Secure Against Side Channel Attacks and Safe Errors.”

  5. 5/20 In this presentation We extend the previous results, and show that a C safe-error attack is also possible on these implementations: Assembly optimized implementation of P-256: OpenSSL since version 1.0.2 BoringSSL LibreSSL/OpenBSD P-224, P-384 and P-521 in BoringSSL

  6. 6/20 Plan 1 Why dummy codes in ECC? 2 Presentation of the attack 3 Why it works 4 Mitigations and conclusion

  7. 7/20 Operations on elliptic curves Basic operations: Addition: P + Q Doubling: P + P = 2 P P + O = O + P = P

  8. 7/20 Operations on elliptic curves P Q P Q P Basic operations: O Addition: P + Q Doubling: P + P = 2 P P + O = O + P = P E : y 2 = x 3 − 3 x + 137 mod 251

  9. 7/20 Operations on elliptic curves P Q P Q P Basic operations: O Addition: P + Q Doubling: P + P = 2 P P + O = O + P = P E : y 2 = x 3 − 3 x + 137 mod 251

  10. 7/20 Operations on elliptic curves P Q P Basic operations: O Addition: P + Q Doubling: P + P = 2 P P + O = O + P = P λ = y P − y Q x P − x Q { x P + Q = λ 2 − x P − x Q y P + Q = λ ( x P − x P + Q ) − x P P + Q E : y 2 = x 3 − 3 x + 137 mod 251

  11. 7/20 Operations on elliptic curves P Q P Q Basic operations: O Addition: P + Q Doubling: P + P = 2 P P + O = O + P = P λ = 3 x P + a 2 y P 2 P { x 2 P = λ 2 − 2 x P y 2 P = λ ( x P − x 2 P ) − x P E : y 2 = x 3 − 3 x + 137 mod 251

  12. 7/20 Operations on elliptic curves fjnd k from P and kP Discrete logarithm problem: hard to Scalar multiplication: Basic operations: P Q P Q P k is often secret (private key or nonce) O Addition: P + Q Doubling: P + P = 2 P P + O = O + P = P kP = P + · · · + P E : y 2 = x 3 − 3 x + 137 mod 251

  13. D D D A D D D A 8/20 P Consequence: same sequence of addition: Solution: perform a dummy point k learns that: remarks the missing addition and From power consumption, attacker P P D D D P A Windowing scalar multiplication P P P D D D P P P For effjciency: split k in groups of consecutive bits (windows) Available operations: point addition (A), point doubling (D) operations for all possible secret k Example: k = 232 = (11 101 000) 2 = O

  14. D D D A D D D A 8/20 P Consequence: same sequence of addition: Solution: perform a dummy point k learns that: remarks the missing addition and From power consumption, attacker Historic of operations: P P D D D P A Windowing scalar multiplication P P P D D D P P For effjciency: split k in groups of consecutive bits (windows) Available operations: point addition (A), point doubling (D) operations for all possible secret k Example: k = 232 = (11 101 000) 2 11 3 P = 3 P

  15. D D D A D D D A 8/20 A Consequence: same sequence of addition: Solution: perform a dummy point k learns that: remarks the missing addition and From power consumption, attacker P P D D D P P P Windowing scalar multiplication P Available operations: point addition (A), point doubling (D) For effjciency: split k in groups of consecutive bits (windows) operations for all possible secret k P D D D Example: k = 232 = (11 101 000) 2 11 3 P = 3 P 2 3 · 3 P 11 000 = 24 P Historic of operations: D D D

  16. D D D A D D D A 8/20 Windowing scalar multiplication Consequence: same sequence of addition: Solution: perform a dummy point k learns that: remarks the missing addition and From power consumption, attacker P P D D D P P A operations for all possible secret k For effjciency: split k in groups of consecutive bits (windows) D D D Available operations: point addition (A), point doubling (D) Example: k = 232 = (11 101 000) 2 11 3 P = 3 P 2 3 · 3 P 11 000 = 24 P 11 101 24 P + 5 P = 29 P Historic of operations: D D D A

  17. D D D A D D D A 8/20 Windowing scalar multiplication Consequence: same sequence of addition: Solution: perform a dummy point k learns that: remarks the missing addition and From power consumption, attacker P P D D D A operations for all possible secret k Available operations: point addition (A), point doubling (D) For effjciency: split k in groups of consecutive bits (windows) D D D Example: k = 232 = (11 101 000) 2 11 3 P = 3 P 2 3 · 3 P 11 000 = 24 P 11 101 24 P + 5 P = 29 P 2 3 · 29 P 11 101 000 = 232 P Historic of operations: D D D A D D D

  18. D D D A D D D A 8/20 A Consequence: same sequence of addition: Solution: perform a dummy point k learns that: remarks the missing addition and From power consumption, attacker Historic of operations: D D D A D D D D D D Windowing scalar multiplication operations for all possible secret k For effjciency: split k in groups of consecutive bits (windows) Available operations: point addition (A), point doubling (D) D D D Example: k = 232 = (11 101 000) 2 11 3 P = 3 P 2 3 · 3 P 11 000 = 24 P 11 101 24 P + 5 P = 29 P 2 3 · 29 P 11 101 000 = 232 P 11 101 000 232 P = 232 P

  19. D D D A D D D A 8/20 A Consequence: same sequence of addition: Solution: perform a dummy point learns that: remarks the missing addition and From power consumption, attacker Historic of operations: D D D A D D D D D D Windowing scalar multiplication operations for all possible secret k D D D Available operations: point addition (A), point doubling (D) For effjciency: split k in groups of consecutive bits (windows) Example: k = 232 = (11 101 000) 2 11 3 P = 3 P k = ∗ ∗ ∗ ∗ ∗ 000 2 3 · 3 P 11 000 = 24 P 11 101 24 P + 5 P = 29 P 2 3 · 29 P 11 101 000 = 232 P 11 101 000 232 P = 232 P

  20. 8/20 D D D Consequence: same sequence of addition: Solution: perform a dummy point learns that: remarks the missing addition and From power consumption, attacker Historic of operations: D D D A D D D D D D Windowing scalar multiplication A operations for all possible secret k Available operations: point addition (A), point doubling (D) For effjciency: split k in groups of consecutive bits (windows) Example: k = 232 = (11 101 000) 2 11 3 P = 3 P k = ∗ ∗ ∗ ∗ ∗ 000 2 3 · 3 P 11 000 = 24 P 11 101 24 P + 5 P = 29 P 2 3 · 29 P 11 101 000 = 232 P 11 101 000 232 P = 232 P D D D A D D D A

  21. 8/20 D D D Consequence: same sequence of addition: Solution: perform a dummy point learns that: remarks the missing addition and From power consumption, attacker Historic of operations: D D D A D D D D D D Windowing scalar multiplication A operations for all possible secret k Available operations: point addition (A), point doubling (D) For effjciency: split k in groups of consecutive bits (windows) Example: k = 232 = (11 101 000) 2 11 3 P = 3 P k = ∗ ∗ ∗ ∗ ∗ 000 2 3 · 3 P 11 000 = 24 P 11 101 24 P + 5 P = 29 P 2 3 · 29 P 11 101 000 = 232 P 11 101 000 232 P = 232 P D D D A D D D A

  22. 9/20 Principle of C safe-error Dummy or not dummy?

  23. 9/20 Principle of C safe-error Make a fault in the last point addition (exact details in the article): D D D A D D D A Point addition is not dummy: Incorrect output for kP Point addition is dummy: Correct output for kP Last window is null: k Number of bits of the last window in the targeted implementations: Assembly optimized implementation of P-256: most signifjcant bits BoringSSL (P-224, P-384, P-521): least signifjcant bits �

  24. 9/20 Principle of C safe-error Make a fault in the last point addition (exact details in the article): D D D A D D D A Point addition is not dummy: Incorrect output for kP Point addition is dummy: Correct output for kP Last window is null: k Number of bits of the last window in the targeted implementations: Assembly optimized implementation of P-256: most signifjcant bits BoringSSL (P-224, P-384, P-521): least signifjcant bits �

  25. 9/20 Principle of C safe-error Make a fault in the last point addition (exact details in the article): D D D A D D D A Point addition is not dummy: Incorrect output for kP Point addition is dummy: Correct output for kP Number of bits of the last window in the targeted implementations: Assembly optimized implementation of P-256: most signifjcant bits BoringSSL (P-224, P-384, P-521): least signifjcant bits � Last window is null: k = ∗ ∗ ∗ ∗ ∗ 000

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago & energy (gas

1.07k views • 76 slides
Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1)

337 views • 5 slides
Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Twenty-Three Years of Elliptic Curve Cryptography Alfred Menezes University of Waterloo September 3 2008 1 Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The serpentine course of a paradigm

300 views • 18 slides
Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven 22 April 2008 Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

491 views • 32 slides
Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July 23, 2014 1 / 12 Elliptic-curve cryptography: signatures and key exchange Given: some elliptic curve E , point P on E of known order . Key

885 views • 16 slides
Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018 Introduction y 2 = x 3 + ax + b en.wikipedia.org/wiki/Elliptic curve Elliptic Curve Addition P = ( x p .y p ), Q = ( x q , y q ), R = ( x r .y r ) =

187 views • 16 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March

A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March

A Brief Introduction to Elliptic Curve Cryptography A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March 21 st , 2016 1/13 A Brief Introduction to Elliptic Curve Cryptography Elliptic Curve 2/13 A

385 views • 13 slides
Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic Implementations group: eindhoven.cr.yp.to working closely with the Coding Theory and Cryptology group: www.win.tue.nl/cc/ Next-generation elliptic-curve

456 views • 18 slides
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Math ematiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 1

1.72k views • 143 slides
Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S.

Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S.

Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S. Miller IDA Center for Communications Research Princeton, NJ 08540 USA 24 May, 2007 Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May,

1.08k views • 69 slides
Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview

Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview

Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview Bitcoin Transactions Elliptic Curve Cryptography Introduction Arithmetics Signature Bitcoin, the protocol A blockchain Each

992 views • 52 slides
Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May

Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May

Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May 19, 2017 university-logo-isi Rana Barua Introduction to Elliptic Curve Cryptography ElGamal Public Key Cryptosystem, 1984 Key Generation: Choose

417 views • 16 slides
elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June

elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June

A gentle introduction to elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 11, 2018 ibenik , Croatia Part 1: Motivation Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4:

1.38k views • 48 slides
Sta$c Single Assignment (SSA) Form SSA form Sta$c single

Sta$c Single Assignment (SSA) Form SSA form Sta$c single

Sta$c Single Assignment (SSA) Form SSA form Sta$c single assignment form Intermediate representa$on of program in which every use of a variable

539 views • 34 slides
A Local Optimal Method on DSA Guiding Template Assignment with Redundant/Dummy Via Insertion

A Local Optimal Method on DSA Guiding Template Assignment with Redundant/Dummy Via Insertion

A Local Optimal Method on DSA Guiding Template Assignment with Redundant/Dummy Via Insertion Xingquan Li 1 , Bei Yu 2 , Jianli Chen 1 , Wenxing Zhu 1 , 24th Asia and South Pacific Design T h e p i c Automation Conference t u r e c a

839 views • 44 slides
Diversity to foster innovation: Using the lens of Brazilian Microdata Filipe Lage de Sousa,

Diversity to foster innovation: Using the lens of Brazilian Microdata Filipe Lage de Sousa,

Diversity to foster innovation: Using the lens of Brazilian Microdata Filipe Lage de Sousa, Glaucia Ferreira, Leandro Veloso and Synthia Santana WIDER Development Conference, Transforming economies for better jobs September 11th, 2019

567 views • 17 slides
Density Gradient Minimization with Coupling-Constrained Dummy Fill for CMP Control Huang-Yu Chen

Density Gradient Minimization with Coupling-Constrained Dummy Fill for CMP Control Huang-Yu Chen

Density Gradient Minimization with Coupling-Constrained Dummy Fill for CMP Control Huang-Yu Chen 1 , Szu-Jui Chou 2 , and Yao-Wen Chang 1 1 National Taiwan University, Taiwan 2 Synopsys, Inc, Taiwan NTUEE 1 Outline Introduction

735 views • 24 slides
Status Report: Adjoint Code with the History Updates NAGWare Fortran Compiler v5.1 Merge

Status Report: Adjoint Code with the History Updates NAGWare Fortran Compiler v5.1 Merge

CompAD-II Report Michael Maier Status Report: Adjoint Code with the History Updates NAGWare Fortran Compiler v5.1 Merge Outlook Michael Maier Department of Computer Science RWTH Aachen University Germany maier@stce.rwth-aachen.de 5 th

174 views • 13 slides
Test-Case Reduc-on for C Compiler Bugs John Regehr,

Test-Case Reduc-on for C Compiler Bugs John Regehr,

Test-Case Reduc-on for C Compiler Bugs John Regehr, Yang Chen, Pascal Cuoq, Eric Eide, Chucky Ellison, Xuejun Yang Background: Csmith [PLDI

797 views • 48 slides
The Ascend Secure Processor Christopher Fletcher MIT 1 Joint work with Srini Devadas,

The Ascend Secure Processor Christopher Fletcher MIT 1 Joint work with Srini Devadas,

The Ascend Secure Processor Christopher Fletcher MIT 1 Joint work with Srini Devadas, Marten van Dijk Ling Ren, Albert Kwon, Xiangyao Yu Elaine Shi & Emil Stefanov David Wentzlaff & Princeton Team (Mike, Tri, Jonathan,

923 views • 37 slides
Xylem: Enhancing Vertical Thermal Conduction in 3D Processor-Memory Stacks Aditya Agrawal, Josep

Xylem: Enhancing Vertical Thermal Conduction in 3D Processor-Memory Stacks Aditya Agrawal, Josep

Xylem: Enhancing Vertical Thermal Conduction in 3D Processor-Memory Stacks Aditya Agrawal, Josep Torrellas and Sachin Idgunji University of Illinois at Urbana Champaign and Nvidia Corporation http://iacoma.cs.uiuc.edu MICRO, October 2017 Xylem

388 views • 18 slides

More recommend