Online Template Attack on ECDSA: Extracting Keys Via The Other Side - - PowerPoint PPT Presentation

▶

Mar 01, 2024 15 likes •381 views

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels Samwel, Lejla Batina and Joan Daemen Africacrypt Conference 2020 July 2020 Side Channel Attack Introduction A side-channel is any unintentional

SLIDE 1

Online Template Attack on ECDSA:

By: Niels Roelofs, Niels Samwel, Lejla Batina and Joan Daemen Africacrypt Conference 2020 July 2020

Extracting Keys Via The Other Side

SLIDE 2

Side Channel Attack Introduction

“A side-channel is any unintentional signal that can offer us a blurry view of the

algorithms internal computations”*

Attack implementation of some algorithm, not algorithm itself

Message Device Signed message Leakage

*Quote source: Introduction to Side-Channel Analysis: Basic Concepts and Techniques, L. Batina, March 2018, Hardware Security Lecture Notes

SLIDE 3

Content

Part 1: Background

– Cryptographic

ECDSA

✴ Sign ✴ Verify

Scalar Multiplication Algorithms

✴ Double And Add ✴ Montgomery Ladder ✴ Scalar Multiplication Optimization Tricks

Power Consumption Analysis
Online Template Attack
Part 2: The Attack

SLIDE 4

Part 1

Background

SLIDE 5

ECDSA-Sign

SLIDE 6

ECDSA-Verify

SLIDE 7

Elliptic Curve Scalar Multiplication: Double And Add

SLIDE 8

Elliptic Curve Scalar Multiplication: Montgomery Ladder

SLIDE 9

Scalar Multiplication Optimization Tricks

Projective coordinates:

– Homogeneous coordinates

– Jacobian coordinates
9

Image Source: 18.783 Elliptic Curves Lecture, A Sutherland, February 2017

SLIDE 10

Scalar Multiplication Optimization Tricks

Projective coordinates:

– Homogeneous coordinates

– Jacobian coordinates
10
During signature verification:

– Non-Adjacent Form (NAF)

7 = (1,0,0,-1)

– Shamir’s trick

1 pre-computation

SLIDE 11

Scalar Multiplication Optimization Tricks

Projective coordinates:

– Homogeneous coordinates

– Jacobian coordinates
10
During signature verification:

– Non-Adjacent Form (NAF)

7 = (1,0,0,-1)

– Shamir’s trick

1 pre-computation

SLIDE 12

Scalar Multiplication Optimization Tricks

Projective coordinates:

– Homogeneous coordinates

– Jacobian coordinates
10
During signature verification:

– Non-Adjacent Form (NAF)

7 = (1,0,0,-1)

– Shamir’s trick

1 pre-computation

SLIDE 13

Power Consumption Analysis

Template attack
Two identical devices
Build profiles
Match with target trace
Cumbersome

SLIDE 14

Online Template Attack

Based on template attack
Templates on the fly
Max two templates per bit

SLIDE 15

Online Template Attack

Based on template attack
Templates on the fly
Max two templates per bit

SLIDE 16

Online Template Attack

Based on template attack
Templates on the fly
Max two templates per bit

Differentiate
(2n)P
(2n+1)P

SLIDE 17

Part 2

The Attack

SLIDE 18

Scenario

One device
One ECDSA signature generation
Standard projective coordinates
Montgomery ladder
Unlimited amount of signature verifications
On same device as the signature generated
Jacobian coordinates
Variant of double and add

SLIDE 19

Scenario

One device
One ECDSA signature generation
Standard projective coordinates
Montgomery ladder
Unlimited amount of signature verifications
On same device as the signature generated
Jacobian coordinates
Variant of double and add

Goal: extract secret scalar via

ECDSA signature verification

SLIDE 20

Platform

ChipWhisperer-Lite Classic

SLIDE 21

Spotting The Attack Vector (1)

SLIDE 22

Spotting The Attack Vector (1)

SLIDE 23

Spotting The Attack Vector (1)

SLIDE 24

Spotting The Attack Vector (2)

Sign Verify

SLIDE 25

Spotting The Attack Vector (2)

SLIDE 26

Spotting The Attack Vector (2)

SLIDE 27

Spotting The Attack Vector (2)

SLIDE 28

Spotting The Attack Vector (2)

Identical key dependent operation in the Montgommery ladder can be mimicked in the publicly accessible Jacobian doubling operation!

SLIDE 29

Preparing The Input

Compute possible values

Montgomery Double and add Sign Verify Standard projective Jacobian

SLIDE 30

Preparing The Input

Compute possible values
Feed legitimate point on curve

Montgomery Double and add Sign Verify Standard projective Jacobian

SLIDE 31

Preparing The Input

Compute possible values
Feed legitimate point on curve

– Bit flipping

…1010 -> …1011
…1010 -> …1000

Montgomery Double and add Sign Verify Standard projective Jacobian

SLIDE 32

Measuring

SLIDE 33

Extracting Bits (1)

Window resampling (to increase correlation computations)
Calculate Pearson correlation between:

– Relevant square operation in target trace – Square operation in both templates

SLIDE 34

Extracting Bits (2)

After the correlation calculation, the template trace with the higher value is considered to represent the correct bit value.

SLIDE 35

Countermeasure

Randomized projective coordinates

– While signing – No longer build meaningful templates

SLIDE 36

Implications

Attack successful on realistic implementation
Key extraction via ECDSA verification algorithm on the same device
Different scalar multiplications methods for signing and verification
Puts portability discussion in perspective
Simple countermeasure effective

– Standard implemented in big crypto libraries – However, not always supported by hardware