horizontal collision correlation attack on elliptic curves
play

Horizontal Collision Correlation Attack on Elliptic Curves A. Bauer - PowerPoint PPT Presentation

Dec 28, 2023 •18 likes •308 views

Horizontal Collision Correlation Attack on Elliptic Curves A. Bauer E. Jaulmes E. Prouff J. Wild Talk by J.-R. Reinhard ANSSI (French Network and Information Security Agency) Selected Areas in Cryptography 2013 Burnaby, Canada August 16,

  1. Horizontal Collision Correlation Attack on Elliptic Curves A. Bauer E. Jaulmes E. Prouff J. Wild Talk by J.-R. Reinhard ANSSI (French Network and Information Security Agency) Selected Areas in Cryptography 2013 Burnaby, Canada – August 16, 2013 Bauer et al. | ANSSI | SAC 2013 1 / 20

  2. | Introduction Elliptic Curve Cryptography Introduced by Koblitz and Miller in mid 80s Use the group of F p -rational points of an Elliptic Curve to build cryptosystems Security based on the hardness of DL in this group Many advantages DL believed to be more difficult on E ( F p ) than on ( F ∗ p , × ) Thus, smaller parameter sizes can be chosen Faster computations, more compact implementations Use of ECC (mainly ECDSA, ECDH) is spreading Introduction in SSL/TLS, openssl, https://www.google.com Smart cards, E-passport, ... Bauer et al. | ANSSI | SAC 2013 2 / 20

  3. | Introduction Side Channel Attacks Introduced by Kocher et al. in mid 90s Cryptographic computations are performed stepwise by processors Sequence of performed operations and/or intermediate values may leak partially through observable physical side channels Power consumption Electromagnetic emanation Simple SC Analysis Sensitive targeted operations need to be observed only for fixed inputs e.g., SPA Advanced SC Analysis Sensitive targeted operations need to be observed for several different inputs A statistical post-processing is applied to aggregate observations relative to a same secret data (e.g., key bit) e.g., CPA Bauer et al. | ANSSI | SAC 2013 3 / 20

  4. | Introduction Variations on Advanced SCA Vertical vs Horizontal Attacks [CFGRV10] Differ by the origin of aggregated observations: Vertical: N executions Horizontal: N sub-parts of a single execution . . . Correlation [BCO04] vs Collision Attacks [SWP03] Differ by what the statistical post-processing correlates: Observations and hypotheses Several observations stemming from a model Bauer et al. | ANSSI | SAC 2013 4 / 20

  5. | Introduction ECC Implementation Point Representation P ∼ a triplet of F p values: ( X : Y : Z ) e.g., Projective coordinates Point addition and doubling formulas express coordinates of P + Q , 2 P explicitely from the coordinates of P and Q Computations scalar multiplication: Q = sP ↔ sequence of elliptic curve operations ( E -operations) each of these E -operations: ↔ sequence of field operations ( F p -operations) each of these F p -operations: ↔ sequence of word multi-precision operations ( W -operations), manageable by the processor Bauer et al. | ANSSI | SAC 2013 5 / 20

  6. | Introduction ECC Implementation: Logical Layers scalar multiplication: . E 2 · E + E 2 · E 2 · E + E 2 · E + E 2 · E 2 · E 2 · E + E 2 · E + E 2 · E + E ... EC layer ... · F p + F p · F p · F p ... ... + F p + F p · F p + F p ... · F p ... Field layer + F p ... · W + W · W + W · W ... + W ... · W + W · W + W · W ... + W ... Word layer ... ... ...Physical layer Bauer et al. | ANSSI | SAC 2013 6 / 20

  7. | Introduction ECC & SCA Specificities of EC regarding SCA Usually, s is ephemeral: ECDH, ECDSA For each s , only one trace is available The sequence of operations in the EC layer is correlated to s SCA Protection Use regular algorithms: the sequence of operation types is independent of s Double & Add always, unified formulas: regular EC layer Atomicity: regular Field layer Correlation to s is moved to operations I/O routing Bauer et al. | ANSSI | SAC 2013 7 / 20

  8. | Introduction ECC & SCA Specificities of EC regarding SCA Double & Add: SPA Usually, s is ephemeral: ECDH, ECDSA 1: π ← 0 For each s , only one trace is available 2: for i := 0 to ⌈ log 2 ( q ) ⌉ − 1 do The sequence of operations in the EC layer is correlated to s π ← 2 · π 3: if s i = 1 then 4: SCA Protection π ← π + P 5: end if Use regular algorithms: the sequence of operation types is 6: independent of s 7: end for Double & Add always, unified formulas: regular EC layer 2 · E + E 2 · E 2 · E + E 2 · E + E 2 · E 2 · E 2 · E + E 2 · E + E 2 · E + E ... Atomicity: regular Field layer Correlation to s is moved to operations I/O routing 1 0 1 1 0 0 1 1 1 Bauer et al. | ANSSI | SAC 2013 7 / 20

  9. | Introduction ECC & SCA Specificities of EC regarding SCA Usually, s is ephemeral: ECDH, ECDSA For each s , only one trace is available The sequence of operations in the EC layer is correlated to s SCA Protection Use regular algorithms: the sequence of operation types is independent of s Double & Add always, unified formulas: regular EC layer Atomicity: regular Field layer Correlation to s is moved to operations I/O routing Bauer et al. | ANSSI | SAC 2013 7 / 20

  10. | Introduction ECC & SCA Specificities of EC regarding SCA Double & Add Always Usually, s is ephemeral: ECDH, ECDSA 1: π ← 0 For each s , only one trace is available 2: for i := 0 to ⌈ log 2 ( q ) ⌉ − 1 do The sequence of operations in the EC layer is correlated to s π 0 ← 2 · π 3: π 1 ← π 0 + P 4: SCA Protection π ← π s i 5: Use regular algorithms: the sequence of operation types is 6: end for independent of s 2 · E Double & Add always, unified formulas: regular EC layer + E 2 · E + E 2 · E + E 2 · E + E 2 · E ... Atomicity: regular Field layer Correlation to s is moved to operations I/O routing 1 0 1 1 Bauer et al. | ANSSI | SAC 2013 7 / 20

  11. | Introduction ECC & SCA Specificities of EC regarding SCA Usually, s is ephemeral: ECDH, ECDSA Unified Formulas For each s , only one trace is available The sequence of operations in the EC layer is correlated to s Basic double & add algorithm, but using the same operator for both + E and 2 · E SCA Protection P P P Use regular algorithms: the sequence of operation types is + E + E + E + E + E + E + E + E + E ... independent of s Double & Add always, unified formulas: regular EC layer 1 0 1 1 0 Atomicity: regular Field layer Correlation to s is moved to operations I/O routing Bauer et al. | ANSSI | SAC 2013 7 / 20

  12. | Introduction ECC & SCA Specificities of EC regarding SCA Usually, s is ephemeral: ECDH, ECDSA For each s , only one trace is available The sequence of operations in the EC layer is correlated to s SCA Protection Use regular algorithms: the sequence of operation types is independent of s Double & Add always, unified formulas: regular EC layer Atomicity: regular Field layer Correlation to s is moved to operations I/O routing Bauer et al. | ANSSI | SAC 2013 7 / 20

  13. | Introduction Contribution Establish a shared factor distinguisher by analyzing the word layer Use this distinguisher to build secret scalar recovery attacks Explore the wide applicability of these Horizontal Collision Correlation attacks Core Ideas Field multiplications are not atomic but built on word multiplications By combining information leaked by word multiplications corresponding to two field multiplications, one can identify factor reuse Identifying factor reuse enables to distinguish point addition from point doubling in classical regular algorithms, even in presence of classical blindings, using a single trace Bauer et al. | ANSSI | SAC 2013 8 / 20

  14. | Shared Factor Distinguisher Multiplication over F p : Implementation and Modeling Implementation Each element X ∈ F p is represented by an array of t words, X [ i ] ∈ W · F p interleaves word additions, multiplications and reductions X · F p Y involves computations of N word multiplications x · W y Multiplication example LIM: X [ i ] · W Y [ j ] , N = t 2 Modeling Heuristically: words x are independent and follow U ( W ) Distribution of word multiplication results can be deduced Per field multiplication, we get N noisy samples of a random variable following this distribution Bauer et al. | ANSSI | SAC 2013 9 / 20

  15. | Shared Factor Distinguisher Shared Factor Bias Let us consider jointly two F p multiplications ( X . Z , Y . W ) X · Z Y · W ... ... · W + W · W + W · W + W · W + W · W + W · W + W , , , ... · W · W · W · W · W · W No Factor Repetition Z = W No correlation between the Correlation due to the reuse of word multiplication results Z ( Collision ) N word multiplication pairs available ( Horizontal ) Bauer et al. | ANSSI | SAC 2013 10 / 20

  16. | Shared Factor Distinguisher A Distinguisher Algorithm � � � � l X · Z l Y · W 1: Get observations , of the word multiplications i i ρ ( l X · Z , l Y · W ) 2: Compute the Pearson coefficient ρ = ˆ 3: if ρ > ρ limit then return "shared factor" 4: else return "no shared factor" Simulation LIM multiplication (optimized distinguisher) , B ∼ N ( 0 , σ 2 ) Leakage model: l U · V = HW ( U [ i ] · V [ j ]) + B U · V i , j i , j Correlation as a function of SNR (8-bit proc., 384-bit curves) Correlation as a function of SNR (32-bit proc., 384-bit curves) Bauer et al. | ANSSI | SAC 2013 11 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Well-known forms of elliptic curves Toric forms of elliptic curves Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known forms of elliptic curves Projective coordinates Toric forms of elliptic curves

478 views • 46 slides
Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking

Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking

Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking ECC2K-130, joint work by many authors: ECDL attack in progress against Koblitz curve over F 2 131 using many CPUs, GPUs, FPGAs. Vertically

288 views • 17 slides
Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo Questions? October 19 at ECC 2010 Lowest (known) conductor elliptic curves of ranks 0,1,2,3,4 Abstract Elliptic Curves in Sage

628 views • 14 slides
Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex tori E a , b : y 2 x 3 ` ax ` b , 4 a 3 ` 27 b 2 0 4 a 3 j p E a , b q 1728 4 a 3 ` 27 b 2 Theorem. The map z r p z q : 1 2 1 p

646 views • 9 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration with Adrian Barquero-Sanchez, Lindsay Cadwallader, Olivia Cannon, Riad Masri Tyler Genao Faltings Heights of CM Elliptic Curves Elliptic Curves

571 views • 41 slides
Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School before ECC September 2006 Elliptic curves An elliptic curve E over a field K is given by a Weierstra equation Y 2 + h ( X ) Y = f ( X ) with h, f

416 views • 13 slides
Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de

662 views • 41 slides
The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick joint work with Nuno Freitas (Warwick) AGC 2 T Luminy, 10 June 2019 Overview 1. Elliptic curves, mod p Galois representations, Weil pairing. 2.

954 views • 70 slides
Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Elliptic curves over F q F. Pappalardi Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j -invariant Research School: Algebraic curves over finite fields Points of finite order

581 views • 29 slides
Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves C. Negre and J.M. Robert april 8, 2015 1 / 39 Outline Overview of elliptic curve cryptography 1 Implementation of F 2 m arithmetic 2 Elliptic

781 views • 75 slides
Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a nonsingular plane cu- Theorem (Mordell). The group E ( Q ) of rational points on an bic curve with a rational point (possibly at elliptic curve is a

402 views • 7 slides
PT2PC: Learning to Generate 3D Point Cloud Shapes from Part Tree Conditions Kaichun Mo, He Wang,

PT2PC: Learning to Generate 3D Point Cloud Shapes from Part Tree Conditions Kaichun Mo, He Wang,

PT2PC: Learning to Generate 3D Point Cloud Shapes from Part Tree Conditions Kaichun Mo, He Wang, Xinchen Yan, Leonidas Guibas (Data and Code has been released) 1 PT2PC: Learning to Generate 3D Point Cloud Shapes from Part Tree Conditions

554 views • 33 slides
H-type foliations Fabrice Baudoin Based on a joint work with E. Grong, G. Molino & L. Rizzi

H-type foliations Fabrice Baudoin Based on a joint work with E. Grong, G. Molino & L. Rizzi

H-type foliations Fabrice Baudoin Based on a joint work with E. Grong, G. Molino & L. Rizzi Sub-Riemannian manifolds Let M be a smooth, connected manifold with dimension n + m . Sub-Riemannian manifolds Let M be a smooth, connected manifold

842 views • 49 slides
Elliptic curves Bjorn Poonen MIT Arnold Ross Lecture May 31, 2019 Plane curves Degree 1

Elliptic curves Bjorn Poonen MIT Arnold Ross Lecture May 31, 2019 Plane curves Degree 1

Elliptic curves Bjorn Poonen MIT Arnold Ross Lecture May 31, 2019 Plane curves Degree 1 (lines) 3 x + 7 y + 6 = 0 Degree 2 (conics) 2 x 2 + 9 xy + 3 y 2 3 x + 7 y + 6 = 0 Degree 3 (cubic curves) 4 x 3 + 5 x 2 y + xy 2 + 8 y 3 2 x 2 + 9 xy

1.3k views • 99 slides
Target Field Direction Measurement Murchhana Roy, Suman Kandu, Wolfgang Korsch University of

Target Field Direction Measurement Murchhana Roy, Suman Kandu, Wolfgang Korsch University of

Background Description of Horizontal Compass Compass Testing Application in Hall C Summary Backup Slides Target Field Direction Measurement Murchhana Roy, Suman Kandu, Wolfgang Korsch University of Kentucky 07.24.2019 Murchhana Roy, Suman

271 views • 23 slides
Horizontal Test Stand 2 (HTS-2) Joe Ozelis PIP-II Collaboration Meeting 9-10 November, 2015

Horizontal Test Stand 2 (HTS-2) Joe Ozelis PIP-II Collaboration Meeting 9-10 November, 2015

Horizontal Test Stand 2 (HTS-2) Joe Ozelis PIP-II Collaboration Meeting 9-10 November, 2015 Outline Introduction, Requirements HTS-2 Facility Timeframe J. Ozelis HTS-2 2 11/9/2015 Introduction Purpose PIP-II

216 views • 21 slides
Long-term security for cars Daniel J. Bernstein 1 , 2 Tanja Lange 1 1 Technische Universiteit

Long-term security for cars Daniel J. Bernstein 1 , 2 Tanja Lange 1 1 Technische Universiteit

Long-term security for cars Daniel J. Bernstein 1 , 2 Tanja Lange 1 1 Technische Universiteit Eindhoven 2 University of Illinois at Chicago 16 November 2016 2 / 31 3 / 31 4 / 31 D-Wave quantum computer isnt universal . . . Cant store

989 views • 53 slides
On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive

On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive

On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive Systems Mika Katara, Reino Kurki-Suonio and Tommi Mikkonen Institute of Software Systems Tampere University of Technology Finland Outline 1.

1.03k views • 21 slides
Optimization Coaching Vincent St-Amour Sam Tobin-Hochstadt Matthias Felleisen PLT OOPSLA 2012

Optimization Coaching Vincent St-Amour Sam Tobin-Hochstadt Matthias Felleisen PLT OOPSLA 2012

Optimization Coaching Vincent St-Amour Sam Tobin-Hochstadt Matthias Felleisen PLT OOPSLA 2012 - October 23th, 2012 #lang typed/racket/base #lang typed/racket/base #lang typed/racket/base (require racket/match racket/math racket/flonum

667 views • 38 slides

More recommend