Practical Evaluation of Protected RNS Scalar Multiplication CHES - - PowerPoint PPT Presentation



SLIDE 1

Practical Evaluation of Protected RNS Scalar Multiplication

By Louiza Papachristodoulou Joint work with

  • A. Fournaris, K. Papagiannopoulos, L. Batina

CHES 2019

SLIDE 2

Outline

  • Residue Number System in Elliptic Curve Cryptography
  • Proposed TVLA threshold calculation
  • TVLA analysis
  • Location and Data Dependent Template Attacks
  • Conclusions

SLIDE 3

Residue Number System

X = 50
(m1, m2, m3) = (3, 7, 11)
(x1, x2, x3) = (2, 1, 6)

SLIDE 4

RNS in Elliptic Curve Cryptography

  • Elliptic curves defined over prime fields GF(p)
  • Modular operations turn easily to RNS modular operations over GF(p)
  • RNS mod multiplication usually realized through RNS Montgomery multiplication to avoid modular inversion, but includes base extension
  • EC scalar multiplication is the critical operation Q = kP

SLIDE 5

LRA Montgomery Power Ladder

Choose base B_n, B'_n. Transform V, R to RNS format using permutation p_t

  • R0 = R, R1 = R + V, R2 = −R (in permutation p_t)
  • Convert R0, R1, R2 to Montgomery format (in permutation p_t)
  • For i = t-1 to 0
      • R2 = 2R2 (in permutation γ_t)
      • If k_i = 1: R0 = R0 + R1 and R1 = 2R1, else: R1 = R0 + R1 and R0 = 2R0 (in permutation γ_t)
  • Integrity check: if i, k not modified and R0 + V = R1 then ret. R0 + R2, else ret. random value

Transform R0 + R2 to binary format
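
The ladder on this slide, as an added example that is not the authors' code: integers modulo a constructed modulus N under addition stand in for curve points, the RNS conversion and base permutations are left out, and `fault_at` is a hypothetical parameter that simulates a one-bit fault in R1. Only the R0 + V = R1 part of the integrity check is modeled.

```python
import secrets

# Constructed stand-in group: integers mod N under addition play the role of curve points.
N = 2**61 - 1

def add(a, b):
    return (a + b) % N

def dbl(a):
    return (2 * a) % N

def neg(a):
    return (-a) % N

def lra_ladder(k, V, t, fault_at=None):
    """Blinded Montgomery ladder over t scalar bits; returns (result, check_passed)."""
    R = secrets.randbelow(N - 1) + 1      # fresh random blinding element for every call
    R0, R1, R2 = R, add(R, V), neg(R)
    for i in range(t - 1, -1, -1):
        R2 = dbl(R2)                      # R2 tracks -(2^steps) * R
        if (k >> i) & 1:                  # key-dependent assignment
            R0, R1 = add(R0, R1), dbl(R1)
        else:
            R1, R0 = add(R0, R1), dbl(R0)
        if i == fault_at:                 # hypothetical fault model: flip the low bit of R1
            R1 ^= 1
    # Every ladder step preserves R1 - R0 = V, so a corrupted register breaks the equality.
    if add(R0, V) == R1:
        return add(R0, R2), True          # (2^t * R + k*V) - 2^t * R = k*V
    return secrets.randbelow(N), False    # faulted run: release a random value only

if __name__ == "__main__":
    k, V, t = 0b1011011101, 123456789, 10  # constructed scalar and base element
    print(lra_ladder(k, V, t), (k * V) % N)
    print(lra_ladder(k, V, t, fault_at=4))
```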

SLIDE 6

Test Vector Leakage Assessment (TVLA)

  • Statistical tests between two trace-sets of acquisition
  • Welch's t-test to evaluate if two sets have significant statistical differences

$$t_i = \frac{\bar{X}_{i,A} - \bar{X}_{i,B}}{\sqrt{\frac{\sigma_{i,A}^2}{n_A} + \frac{\sigma_{i,B}^2}{n_B}}}$$

  • Values above ±4.5 indicate leakage, but TVLA does not exploit it

SLIDE 7

t-test Threshold Calibration for TVLA

Input

  • $n_{tA}, n_{tB}$: number of traces for groups A, B
  • $n_s$: number of samples
  • $\sigma_A, \sigma_B$: sampled standard deviation

Output

  • Threshold value for Welch's t-distribution $th$

1. Choose level of significance $\alpha$. Here $\alpha = 0.00001$
2. Family-wise error rate $fwer = (1 - \alpha)^{n_s}$
3. Šidák correction $sidak_\alpha = 1 - (1 - \alpha)^{1/n_s}$
4. $df = \dfrac{\left(\frac{\sigma_A^2}{n_{tA}} + \frac{\sigma_B^2}{n_{tB}}\right)^2}{\frac{\left(\sigma_A^2 / n_{tA}\right)^2}{n_{tA} - 1} + \frac{\left(\sigma_B^2 / n_{tB}\right)^2}{n_{tB} - 1}}$
5. Threshold $th = |tinv(1 - sidak_\alpha / 2, df)|$

$n_{tA} = n_{tB} = 4 \cdot 10^3$ – $10 \cdot 10^3$

$n_s = 4 \cdot 10^5$ – $8 \cdot 10^5$

$\sigma_A = 9.7$, $\sigma_B = 6.1$

$th = \pm 6.3$
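
Steps 3 to 5 of the calibration above, as an added example that is not the authors' code. `t_upper_quantile` is a stand-in for `tinv` (normal quantile plus two Cornish-Fisher terms, adequate for the large df that thousands of traces give), and the inputs in the demo are constructed, not the slide's measurements.

```python
import math
from statistics import NormalDist

def sidak_alpha(alpha, n_s):
    """Step 3: per-sample level 1 - (1 - alpha)^(1/n_s), computed without cancellation."""
    return -math.expm1(math.log1p(-alpha) / n_s)

def welch_df(sd_a, n_a, sd_b, n_b):
    """Step 4: Welch-Satterthwaite degrees of freedom."""
    va, vb = sd_a**2 / n_a, sd_b**2 / n_b
    return (va + vb) ** 2 / (va**2 / (n_a - 1) + vb**2 / (n_b - 1))

def t_upper_quantile(q, df):
    """Stand-in for tinv(1 - q, df): normal quantile plus Cornish-Fisher terms in 1/df."""
    z = -NormalDist().inv_cdf(q)          # upper-tail point, avoids forming 1 - q
    g1 = (z**3 + z) / 4
    g2 = (5 * z**5 + 16 * z**3 + 3 * z) / 96
    return z + g1 / df + g2 / df**2

def tvla_threshold(alpha, n_s, sd_a, n_a, sd_b, n_b):
    """Step 5: two-sided threshold when n_s sample points are tested together."""
    q = sidak_alpha(alpha, n_s) / 2
    return t_upper_quantile(q, welch_df(sd_a, n_a, sd_b, n_b))

if __name__ == "__main__":
    # Constructed inputs: 1000 sample points, 5000 traces per group.
    th = tvla_threshold(1e-5, 1000, sd_a=2.0, n_a=5000, sd_b=3.0, n_b=5000)
    print(f"calibrated threshold: +/-{th:.2f} (fixed TVLA threshold: +/-4.5)")
```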

SLIDE 8

RNS implementation on BeagleBone

  • C Software implementation on ARM Cortex A8
  • RNS Montgomery multiplication
  • Dedicated and Unified Group Law
  • 5 different variations: unprotected, randomized scalar, random input point, random base permutations (LRA), random order of operations

SLIDE 9

Processing of Traces – Low Pass Filter

SLIDE 10

t-test random vs fixed scalar on twisted Edwards curve (a=1, d=2, p = 2^192 − 2^64 − 1)

[Figure panels: Unprotected scalar mul; LRA_rdm_point(); Randomized scalar; LRA]

SLIDE 11

t-test random vs fixed point on secure Edwards curve (a=107, d=47, h=4, p = 2^192 − 2^64 − 1)

[Figure panels: Unprotected scalar mul; LRA_rdm_point(); Randomized scalar; LRA]

SLIDE 12

Data Dependent Template Attacks

  • The value of a secret variable can be monitored
  • Trigger around the key-dependent assignment (if-statement)

If k_i = 1: R0 = R0 + R1 and R1 = 2R1
Else: R1 = R0 + R1 and R0 = 2R0

  • After alignment, 20k traces. Used half for templates, half for classification
  • Success rate 90-91% for the unprotected case, 82-97% for LRA countermeasure activated
  • Scalar randomization (65-72%) and LRA randomized RNS operations (55-58%) are good countermeasures

SLIDE 13

Location Dependent Template Attacks

  • Templates created for storage structure that handles the key-dependent instruction (doubling)

If k_i = 1: R0 = R0 + R1 and R1 = 2R1
Else: R1 = R0 + R1 and R0 = 2R0

  • Template classification: 95-99.9%
  • LRA with randomized operations: 70-83%

SLIDE 14

Location Dependent Leakage

  • Registers are not really single registers, RNS values are stored in 50-bit chunks - result of doubling is stored in different memory locations
  • Location dependent leakage was not an expected result
  • The normal distributions for k_i = 0 and k_i = 1 for every variation of the implementation are very different (N(−24.3, 9.7), N(19.6, 6.1))
  • Leaky platform - capacitors next to each other
  • Scalar randomization not an efficient countermeasure
  • LRA with randomized operations makes template attacks harder

SLIDE 15

Evaluation Table

  • Pass t-test/secure against templates
  • Fail t-test/not secure against templates

SLIDE 16

Conclusions

  • TVLA bounds not rigid; compute according to distribution of traces, number of samples, number of traces
  • Randomization of scalar, input point, regularity of MPL are good countermeasures but not enough to avoid leakage
  • Different RNS representations do not lower the template success rates
  • Randomization of RNS operations protects against templates and is less expensive compared to randomization of input point
  • Classification using ML algorithms
  • Evaluation on an FPGA would give further insights in the security of RNS

SLIDE 17

THANK YOU FOR YOUR ATTENTION !

louiza@cryptologio.org