online template attack on ecdsa
play

Online Template Attack on ECDSA: Extracting Keys Via The Other Side - PowerPoint PPT Presentation

Mar 01, 2024 •15 likes •375 views

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels Samwel, Lejla Batina and Joan Daemen Africacrypt Conference 2020 July 2020 Side Channel Attack Introduction A side-channel is any unintentional

  1. Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels Samwel, Lejla Batina and Joan Daemen Africacrypt Conference 2020 July 2020

  2. Side Channel Attack Introduction • “A side-channel is any unintentional signal that can offer us a blurry view of the algorithms internal computations” * • Attack implementation of some algorithm, not algorithm itself Message Device Signed message Leakage *Quote source: Introduction to Side-Channel Analysis: Basic Concepts and Techniques, L. Batina, March 2018, Hardware Security Lecture Notes 2

  3. Content • Part 1: Background – Cryptographic ‣ ECDSA ✴ Sign ✴ Verify ‣ Scalar Multiplication Algorithms ✴ Double And Add ✴ Montgomery Ladder ✴ Scalar Multiplication Optimization Tricks - Power Consumption Analysis ‣ Online Template Attack • Part 2: The Attack 3

  4. Part 1 Background 4

  5. ECDSA-Sign 5

  6. ECDSA-Verify 6

  7. Elliptic Curve Scalar Multiplication: Double And Add 7

  8. Elliptic Curve Scalar Multiplication: Montgomery Ladder 8

  9. Scalar Multiplication Optimization Tricks • Projective coordinates: – Homogeneous coordinates ‣ – Jacobian coordinates ‣ Image Source: 18.783 Elliptic Curves Lecture, A Sutherland, February 2017 9

  10. Scalar Multiplication Optimization Tricks • Projective coordinates: – Homogeneous coordinates ‣ – Jacobian coordinates ‣ • During signature verification: – Non-Adjacent Form (NAF) ‣ 7 = (1,0,0,-1) – Shamir’s trick ‣ 1 pre-computation 10

  11. Scalar Multiplication Optimization Tricks • Projective coordinates: – Homogeneous coordinates ‣ – Jacobian coordinates ‣ • During signature verification: – Non-Adjacent Form (NAF) ‣ 7 = (1,0,0,-1) – Shamir’s trick ‣ 1 pre-computation 10

  12. Scalar Multiplication Optimization Tricks • Projective coordinates: – Homogeneous coordinates ‣ – Jacobian coordinates ‣ • During signature verification: – Non-Adjacent Form (NAF) ‣ 7 = (1,0,0,-1) – Shamir’s trick ‣ 1 pre-computation 10

  13. Power Consumption Analysis • Template attack - Two identical devices - Build profiles - Match with target trace - Cumbersome 11

  14. Online Template Attack • Based on template attack • Templates on the fly • Max two templates per bit 12

  15. Online Template Attack • Based on template attack • Templates on the fly • Max two templates per bit 13

  16. Online Template Attack • Based on template attack • Templates on the fly • Max two templates per bit • Differentiate - (2n)P - (2n+1)P 14

  17. Part 2 The Attack 15

  18. Scenario • One device • One ECDSA signature generation - Standard projective coordinates - Montgomery ladder • Unlimited amount of signature verifications - On same device as the signature generated - Jacobian coordinates - Variant of double and add 16

  19. Scenario • One device • One ECDSA signature generation - Standard projective coordinates - Montgomery ladder • Unlimited amount of signature verifications - On same device as the signature generated - Jacobian coordinates - Variant of double and add • Goal: extract secret scalar via ECDSA signature verification 17

  20. Platform ChipWhisperer-Lite Classic 18

  21. Spotting The Attack Vector (1) 19

  22. Spotting The Attack Vector (1) 19

  23. Spotting The Attack Vector (1) 19

  24. Spotting The Attack Vector (2) Sign Verify 20

  25. Spotting The Attack Vector (2) 21

  26. Spotting The Attack Vector (2) 22

  27. Spotting The Attack Vector (2) 23

  28. Spotting The Attack Vector (2) Identical key dependent operation in the Montgommery ladder can be mimicked in the publicly accessible Jacobian doubling operation! 23

  29. Sign Verify Preparing The Input Montgomery Double and add Standard projective Jacobian • Compute possible values 24

  30. Sign Verify Preparing The Input Montgomery Double and add Standard projective Jacobian • Compute possible values • Feed legitimate point on curve 25

  31. Sign Verify Preparing The Input Montgomery Double and add Standard projective Jacobian • Compute possible values • Feed legitimate point on curve – Bit flipping ‣ …1010 -> …1011 ‣ …1010 -> …1000 26

  32. Measuring 27

  33. Extracting Bits (1) • Window resampling (to increase correlation computations) • Calculate Pearson correlation between: – Relevant square operation in target trace – Square operation in both templates 28

  34. Extracting Bits (2) After the correlation calculation, the template trace with the higher value is considered to represent the correct bit value. 29

  35. Countermeasure • Randomized projective coordinates – While signing – No longer build meaningful templates 30

  36. Implications • Attack successful on realistic implementation • Key extraction via ECDSA verification algorithm on the same device • Different scalar multiplications methods for signing and verification • Puts portability discussion in perspective • Simple countermeasure effective – Standard implemented in big crypto libraries – However, not always supported by hardware 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA

Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA

Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA Keegan Ryan NCC Group What is ROHNP? Key extraction attack on DSA and ECDSA Uses an old technique to target a new part of the algorithm

243 views • 23 slides
A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work

A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work

A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work with R emi Piau and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France Africacrypt 2020 Cairo, Egypt 1/32 How to attack ECDSA

646 views • 32 slides
Template Attack vs. Bayes Classifier Stjepan Picek 1 Annelie Heuser 2 Sylvain Guilley 2 1 KU

Template Attack vs. Bayes Classifier Stjepan Picek 1 Annelie Heuser 2 Sylvain Guilley 2 1 KU

Template Attack vs. Bayes Classifier Template Attack vs. Bayes Classifier Stjepan Picek 1 Annelie Heuser 2 Sylvain Guilley 2 1 KU Leuven, Belgium 2 TELECOM-ParisTech, Paris, France PROOFS, Santa Barbara August 20, 2016 1 / 32 Template Attack

701 views • 36 slides
A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien

A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien

A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien Courouss, Jean-Louis Lanet and Ronan Lashermes July 27th 2016 A template attack against Verify PIN algorithms Le Bouder et al. July 27th 2016 1/23

590 views • 30 slides
Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa

Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa

Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa Lee , and abhi shelat j@ckdoerner.net ykondi@ccs.neu.edu eysa@ccs.neu.edu abhi@neu.edu Northeastern University Traditional Signature

868 views • 57 slides
Implementing Strategies for Online Courses: Support of Master Course Template, Peer Team, and LMS

Implementing Strategies for Online Courses: Support of Master Course Template, Peer Team, and LMS

Implementing Strategies for Online Courses: Support of Master Course Template, Peer Team, and LMS September 26, 2017 Rich Schultz Associate Dean Center for Online Education North Park University Questions 1. Is faculty buy-in an issue for

358 views • 19 slides
C++ Template Meta A basic introduction to basic C++ techniques used in template metaprogramming.

C++ Template Meta A basic introduction to basic C++ techniques used in template metaprogramming.

C++ Template Meta A basic introduction to basic C++ techniques used in template metaprogramming. Github Repo The presentation and all of the code are online on github, with an OSI license. github.com/zwimer/Template-Meta-Tutorial Note: Much

1.12k views • 84 slides
ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016 ECDSA Elliptic Curve Cryptography allows for the construction of strong public/private key pairs with key lengths that are far shorter than

416 views • 27 slides
Evaluating Attack Amplification in Online Social Networks in Online Social Networks Blase E. Ur

Evaluating Attack Amplification in Online Social Networks in Online Social Networks Blase E. Ur

Evaluating Attack Amplification in Online Social Networks in Online Social Networks Blase E. Ur and Vinod Ganapathy blaseur@rci.rutgers.edu , vinodg@cs.rutgers.edu Rutgers University W2SP09 Online Social Networks 200 million

513 views • 37 slides
Modern Modern Template Techniques Template The Simplest Function Template

Modern Modern Template Techniques Template The Simplest Function Template

Modern Modern Template Techniques Template The Simplest Function Template CRTPStatic Polymorphism Techniques Type TraitsBasic Metaprogramming Compile-time Conditionals Policy Classes Perfect Forwarding

1.29k views • 42 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
PDF Mirage: Content Masking Attack Against Information-Based Online Services Ian Markwood*, Dakun

PDF Mirage: Content Masking Attack Against Information-Based Online Services Ian Markwood*, Dakun

PDF Mirage: Content Masking Attack Against Information-Based Online Services Ian Markwood*, Dakun Shen*, Yao Liu, and Zhuo Lu University of South Florida *Co-first authors Presented by Ian Markwood Outline Motivation Background

681 views • 52 slides
From weak online reputation metrics to standardized attack-resistant trust metrics Dr. Jean-Marc

From weak online reputation metrics to standardized attack-resistant trust metrics Dr. Jean-Marc

ITU Workshop on Future Trust and Knowledge Infrastructure, Phase 2 Geneva, Switzerland 1 July 2016 From weak online reputation metrics to standardized attack-resistant trust metrics Dr. Jean-Marc Seigneur President at Rputaction SAS,

599 views • 26 slides
Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys

Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys

Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys Systematic analysis of lattice attacks on noisy leakage of

549 views • 53 slides
Hacking Online Games Matt Ward & Paul Jennas II April 22, 2012 Agenda Importance Attack

Hacking Online Games Matt Ward & Paul Jennas II April 22, 2012 Agenda Importance Attack

Hacking Online Games Matt Ward & Paul Jennas II April 22, 2012 Agenda Importance Attack Tree for Cheating On-line Poker Bots Denial of Service Collusion Software Exploits Conclusion Importance Out-of-band market for virtual equipment

1.07k views • 63 slides
EVENT REPORT TEMPLATE (Annex H to Quality Control and Monitoring Manual) This template has to be

EVENT REPORT TEMPLATE (Annex H to Quality Control and Monitoring Manual) This template has to be

EVENT REPORT TEMPLATE (Annex H to Quality Control and Monitoring Manual) This template has to be filled by project partners (organisers) for all IF4TM events (except SC meetings). Furthermore, this template can be used to inform colleagues and

434 views • 4 slides
Marina Valeeva Outline 2 1. Introduction What is Dependency Parsing? What is a

Marina Valeeva Outline 2 1. Introduction What is Dependency Parsing? What is a

GRAPH-BASED DEPENDENCY PARSING Marina Valeeva Outline 2 1. Introduction What is Dependency Parsing? What is a Dependency Tree? Projectivity vs. Non-Projectivity 2. Graph-Based Dependency Parsing 3. Models Edge Based Factorization

572 views • 40 slides
Advanced Dependency Parsing Joakim Nivre Uppsala University Linguistics and Philology Based on

Advanced Dependency Parsing Joakim Nivre Uppsala University Linguistics and Philology Based on

Advanced Dependency Parsing Joakim Nivre Uppsala University Linguistics and Philology Based on tutorials with Ryan McDonald Advanced Dependency Parsing 1(36) Introduction Plan for the Lecture 1. Graph-based vs. transition-based dependency

1.61k views • 109 slides
On Clifford-Fischer Theory Ayoub Basheer School of Mathematics, Statistics & Computer

On Clifford-Fischer Theory Ayoub Basheer School of Mathematics, Statistics & Computer

Introduction Conjugacy Classes of Group Extensions Clifford-Fischer Theory Some Survey On Clifford-Fischer Theory The Bibliography On Clifford-Fischer Theory Ayoub Basheer School of Mathematics, Statistics & Computer Science, University

380 views • 21 slides
Boolean Subalgebras of Orthomodular Posets Harding, Heunen, Lindenhovius and Navara New Mexico

Boolean Subalgebras of Orthomodular Posets Harding, Heunen, Lindenhovius and Navara New Mexico

Boolean Subalgebras of Orthomodular Posets Harding, Heunen, Lindenhovius and Navara New Mexico State University www.math.nmsu.edu/ JohnHarding.html jharding@nmsu.edu Chapman, September 2018 Overview For an orthomodular poset A we consider

669 views • 29 slides
MORE ON THE PROPERTIES OF ALMOST CONNECTED PRO-LIE GROUPS Mikhail Tkachenko Universidad Aut

MORE ON THE PROPERTIES OF ALMOST CONNECTED PRO-LIE GROUPS Mikhail Tkachenko Universidad Aut

MORE ON THE PROPERTIES OF ALMOST CONNECTED PRO-LIE GROUPS Mikhail Tkachenko Universidad Aut onoma Metropolitana, Mexico City mich@xanum.uam.mx (Joint work with Arkady Leiderman) XII Symposium on Topology and Its Applications Prague, Czech

1.51k views • 119 slides
FIXED POINT SETS AND LEFSCHETZ MODULES John Maginnis and Silvia Onofrei Department of

FIXED POINT SETS AND LEFSCHETZ MODULES John Maginnis and Silvia Onofrei Department of

AMS Sectional Meeting Middle Tennessee State University, Murfreesboro, TN 3 - 4 November 2007 FIXED POINT SETS AND LEFSCHETZ MODULES John Maginnis and Silvia Onofrei Department of Mathematics, Kansas State University Abstract. The reduced

229 views • 6 slides
Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e Montpellier 2 Summer School ECC 2011 Nancy, September 12-16, 2011 Part 2 Elliptic curve arithmetic 1/41 The two facets of an elliptic curve

606 views • 42 slides
Lagrangian submanifolds in complex projective space with parallel second fundamental form

Lagrangian submanifolds in complex projective space with parallel second fundamental form

Lagrangian submanifolds in complex projective space with parallel second fundamental form Lagrangian submanifolds in complex projective space with parallel second fundamental form Xianfeng Wang (Joint work with F. Dillen, H. Li & L.

526 views • 20 slides

More recommend