A Systematic Approach to the Side-Channel Analysis of ECC Implementations with Worst-Case Horizontal Attacks

Similar documents
Power Analysis Attacks

Practical Electromagnetic Template Attack on HMAC

Dissecting Leakage Resilient PRFs with Multivariate Localized EM Attacks

Lowering the Bar: Deep Learning for Side Channel Analysis. Guilherme Perin, Baris Ege, Jasper van December 4, 2018

Side-Channel Attack against RSA Key Generation Algorithms

EM Analysis in the IoT Context: Lessons Learned from an Attack on Thread

Masking vs. Multiparty Computation: How Large is the Gap for AES?

Very High-Order Masking: Efficient Implementation and Security Evaluation

Behind the Scene of Side Channel Attacks Extended Version

A Template Attack on Elliptic Curves using Classification methods

Masking as a Side-Channel Countermeasure in Hardware

Efficient Selection of Time Samples for Higher-Order DPA with Projection Pursuits

Non-Profiled Deep Learning-Based Side-Channel Attacks

On the Practical Security of a Leakage Resilient Masking Scheme

Constant-Time Callees with Variable-Time Callers. Cesar Pereida Garcı a Billy Bob Brumley Tampere University of Technology Finland

Adaptive Chosen-Message Side-Channel Attacks

Once upon a time... A first-order chosen-plaintext DPA attack on the third round of DES

The Davies-Murphy Power Attack. Sébastien Kunz-Jacques Frédéric Muller Frédéric Valette DCSSI Crypto Lab

How to Certify the Leakage of a Chip?

Masking Proofs are Tight

Power Analysis Attacks against FPGA Implementations of the DES

Side channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut

DPA CONTEST 08/09 A SIMPLE IMPROVEMENT OF CLASSICAL CORRELATION POWER ANALYSIS ATTACK ON DES

Template Attacks on ECDSA

Power Analysis of MAC-Keccak: A Side Channel Attack. Advanced Cryptography Kyle McGlynn 4/12/18

Trace Augmentation: What Can Be Done Even Before Preprocessing in a Profiled SCA?

Leakage-Resilient Symmetric Cryptography (Overview of the ERC Project CRASH, part II)

Unboxing the whitebox. Jasper van CTO Riscure North America ICMC 16

Introduction to Public-Key Cryptography

Side-Channel Countermeasures for Hardware: is There a Light at the End of the Tunnel?

SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017

HOST Differential Power Attacks ECE 525

Scalar Blinding on Elliptic Curves with Special Structure

CS 161 Computer Security

Right-to-Left or Left-to-Right Exponentiation?

Software Engineering Aspects of Elliptic Curve Cryptography. Joppe W. Bos Real World Crypto 2017

Breaking Korea Transit Card with Side-Channel Attack

Cryptography for Embedded Systems. Elisabeth Oswald Reader, University of Bristol

Memory Address Side-Channel Analysis on Exponentiation

A physical level perspective

Improved Brute Force Search Strategies for Single Trace and Few Traces Template Attacks on the DES Round Keys

Collision Search for Elliptic Curve Discrete Logarithm over GF(2 m ) with FPGA

Introduction to Software Countermeasures For Embedded Cryptography

On the Design of Iterative Codes for Magnetic Recording Channel. Greg Burd, Panu Chaichanavong, Nitin Nangare, Nedeljko Varnica 12/07/2006

Deep Learning for Embedded Security Evaluation

Computer Security: Principles and Practice

Attack on DES. Jing Li

Countermeasures against EM Analysis

Introduction to Image Super-resolution. Presenter: Kevin Su

Post-Quantum Cryptography A Collective Challenge

An Optimal Key Enumeration Algorithm and its Application to Side-Channel Attacks

Block Ciphers that are Easier to Mask How Far Can we Go?

A Power Attack Method Based on Clustering Ruo-nan ZHANG, Qi-ming ZHANG and Ji-hua CHEN

Stochastic Road Shape Estimation, B. Southall & C. Taylor. Review by: Christopher Rasmussen

Studying Leakages on an Embedded Biometric System Using Side Channel Analysis

Very High Order Masking: Efficient Implementation and Security Evaluation

Breaking the Bitstream Decryption of FPGAs

Edge and corner detection

Expectation Maximization (EM) and Gaussian Mixture Models

Implementation Tradeoffs for Symmetric Cryptography

ON PRACTICAL RESULTS OF THE DIFFERENTIAL POWER ANALYSIS

FDTC 2010 Fault Diagnosis and Tolerance in Cryptography. PACA on AES Passive and Active Combined Attacks

Topics in Parsing: Context and Markovization; Dependency Parsing. COMP-599 Oct 17, 2016

Test Vector Leakage Assessment (TVLA) Derived Test Requirements (DTR) with AES

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Revealing Skype Traffic: When Randomness Plays with You

UNCLASSIFIED//FOR OFFICIAL USE ONLY INDUSTRIAL CONTROL SYSTEMS CYBER EMERGENCY RESPONSE TEAM

Abstract. Microsoft Research

Cryptographic Engineering

A New Attack with Side Channel Leakage during Exponent Recoding Computations

Adaptive Multiple-Frame Image Super- Resolution Based on U-Curve

Clustering Lecture 5: Mixture Model

ECRYPT II Workshop on Physical Attacks November 27 th, Graz, Austria. Stefan Mangard.

ASCA, SASCA and DPA with Enumeration: Which One Beats the Other and When?

Robust Regression. Robust Data Mining Techniques By Boonyakorn Jantaranuson

The transition to post-quantum cryptography. Peter Schwabe February 19, 2018

A systematic approach to eliminating the vulnerabilities in smart cards evaluation

Applying TVLA to Public Key Cryptographic Algorithms. Michael Tunstall Gilbert Goodwill

Estimating Human Pose in Images. Navraj Singh December 11, 2009

Design and Validation Strategies for Obtaining Assurance in Countermeasures to Power Analysis and Related Attacks

Effortless Burst Separation

Fault Sensitivity Analysis

White-Box Cryptography

Part VI. Public-key cryptography

CSE 127: Computer Security Cryptography. Kirill Levchenko

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

The Montgomery Powering Ladder

The Sources of Randomness in Smartphones with Symbian OS

Elliptic Curve Cryptography in JavaScript. Haustenne Laurie - De Neyer Quentin - Pereira Olivier Université catholique de Louvain

Introduction to Cryptography. Lecture 3

VTBPEKE: Verifier-based Tw o-basis Password Exponenti al Key Exchange

First practical results on reduced-round Keccak Unaligned rebound attack. María Naya-Plasencia INRIA Paris-Rocquencourt, France

A machine learning approach against a masked AES

Cryptographic Hash Functions

Feedback Week 4 - Problem Set

CPSC 467: Cryptography and Computer Security

Bayes Net Learning. EECS 474 Fall 2016

On the Need of Physical Security for Small Embedded Devices: a Case Study with COMP128-1 Implementations in SIM Cards

A First Step Towards Automatic Application of Power Analysis Countermeasures

Graphical Models, Bayesian Method, Sampling, and Variational Inference

Transcription:

A Systematic Approach to the Side-Channel Analysis of ECC Implementations with Worst-Case Horizontal Attacks Romain Poussier, François-Xavier Standaert: Université catholique de Louvain Yuanyuan Zhou: Université catholique de Louvain & Brightsight BV 1

Outline Context and motivation Horizontal differential power attack: systematic framework Practical experiments Setup Points of interest Result on Cortex-M4 Result on Cortex-A8 Conclusion and future works 2

SCA on ECC: many options Elliptic curve cryptography (ECC) Side-channel attacks (SCA) Scalar multiplication k P Many attack classes DPA Horizontal DPA Template Bit manipulation Horizontal Collision Different tools Difference of mean Correlation Likelihood Machine learning 3

Which attack to use for evaluation Many attack classes DPA Horizontal DPA Template Bit manipulation Horizontal Collision Different tools Difference of mean Correlation Likelihood Machine learning Which attack to use for a fixed time security evaluation? 4

Which attack to use for evaluation Many attack classes DPA Horizontal DPA Template Bit manipulation Horizontal Collision Different tools Difference of mean Correlation Likelihood Machine learning Which attack to use for a fixed time security evaluation? Our general goal: approaching worst-case security How: use most of the available side-channel information 5

State of the art # needed traces Input point Attacker s assumptions # Information used DPA N A posteriori known Strong Small Template 1 A priori known Strong Online template Customizable (first bits only) 1 A priori known Very strong Customizable H-DPA 1 A posteriori known Strong Customizable H-Collision 1 Not needed Weak Small Bit manipulation 1 Not needed Weak Small 6

This study: contribution on H-DPA Complex framework Systematic approach Close to worst-case with leakage characterization Few practical experiments for H- DPA A to Z application Cortex-M4 (easy) Cortex-A8 (more challenging) Teaser: promising future work shown at the end of the talk! 7

Outline Context and motivations Horizontal differential power attack: systematic framework Practical experiments Setup Points of interest Result on Cortex-M4 Result on Cortex-A8 Conclusion and future works 8

Elliptic curve scalar multiplication (ECSM) Note: only collision attack against this ECSM: Hanley et al. (CTRSA 2015) 9

Identify the information: abstract view of regular ECSM Fixed and predictable sequence of register operations: N registers per scalar bit 10

Horizontal DPA: modus operandi HDPA attack on k 0 : 1. Select several internal registers operations Rs that depends on P and k 0 11

Horizontal DPA: modus operandi HDPA attack on k 0 : 1. Select several internal registers operations Rs that depends on P and k 0 2. Modelize the function L that characterizes how Rs leak: information extraction 12

Horizontal DPA: modus operandi HDPA attack on k 0 : 1. Select several internal registers operations Rs that depends on P and k 0 2. Modelize the function L that characterizes how Rs leak: information extraction 3. Acquire 1 attack measurement 13

Horizontal DPA: modus operandi HDPA attack on k 0 : 1. Select several internal registers operations Rs that depends on P and k 0 2. Modelize the function L that characterizes how Rs leak: information extraction 3. Acquire 1 attack measurement 4. Prepare two sets S 0 (resp. S 1 ) that contain the guesses for the values Rs 0 (resp. Rs 1 ) in function of P and k 0 = 0 (resp. k 0 = 1) 14

Horizontal DPA: modus operandi HDPA attack on k 0 : 1. Select several internal registers operations Rs that depends on P and k 0 2. Modelize the function L that characterizes how Rs leak: information extraction 3. Acquire 1 attack measurement 4. Prepare two sets S 0 (resp. S 1 ) that contain the guesses for the values Rs 0 (resp. Rs 1 ) in function of P and k 0 = 0 (resp. k 0 = 1) 5. Compare L(Rs i ) with the actual SCA leakages using a distinguisher D: information combination 15

Horizontal DPA: modus operandi HDPA attack on k 0 : 1. Select several internal registers operations Rs that depends on P and k 0 2. Modelize the function L that characterizes how Rs leak: information extraction 3. Acquire 1 attack measurement 4. Prepare two sets S 0 (resp. S 1 ) that contain the guesses for the values Rs 0 (resp. Rs 1 ) in function of P and k 0 = 0 (resp. k 0 = 1) 5. Compare L(Rs i ) with the actual SCA leakages using a distinguisher D: information combination 6. Select k 0 = i such that D(S i, L(Rs i )) is maximised. 16

Extracting the information: linear regression Registers of size s bits: Classical templates: O(2 s ) Linear regression: O(s) (or more: tradeoff) 17

Linear regression: deterministic part Acquire n traces with random known P and k. l r l(1) r(1) l(2) l(n) r(2) r(n) L(x) = α + α i x i x i s i=1 : i-th bit of x Leakages Processed value Function L: (α, α 1,, α s ) 18

Linear regression: noise Acquire m traces with random known P and k l r l(1) r(1) l(2) r(2) σ 2 = 1 m m l(i) L r(i) 2 i=1 l(m) r(m) Leakages Processed value Noise approximation 19

Combining the information (attack) Parameter: d scalar bits attacked per iteration Target Simulator k = 101 d = 3 20

Outline Context and motivations Horizontal differential power attack: systematic framework Practical experiments Setup Points of interest Result on Cortex-M4 Result on Cortex-A8 Conclusion and future works 21

Setup: target implementation/devices Cortex-M4 100 MHz Constant time instructions (mostly) 32-bit registers Cortex-A8 1 GHz Constant time instructions (mostly) 32-bit registers Ubuntu running in background Custom constant time assembly implementation of NIST p256 256x256-bit multiplication achieved through 64 32x32-bit register multiplications (framework independent of the curve/implementation) N=1600 target registers per scalar bit (only) 22

Setup: trace acquisition & scenario Cortex-M4 Cortex-A8 Power measurement Lecroy WaveRunner HRO 66 200 Ms/sec 123 scalar bits 40,000,000 samples per trace EM measurement Lecroy WaveRunner 620Zi 10 GS/s 4 scalar bits 2,000,000 samples per trace Trace alignment Scenario: 1st order success rate on 123 bits Scenario: Lattice attack (ECDSA) with several partial nonces 23

Outline Context and motivations Horizontal differential power attack: systematic framework Practical experiments Setup Points of interest Result on Cortex-M4 Result on Cortex-A8 Conclusion and future works 24

Points of interest: CPA and partial SNR Acquire n traces with random known P and k l i l j r r(1) r(2) t = argmax i ( (HW r, l i )) t = argmax i (SNR (trunc b (r), l i )) r(n) Leakages Processed value Time sample 25

Points of interest: windowed mode Cortex-M4: 1600 123 POIs ; 40,000,000 samples 26

Points of interest: windowed mode 27

Points of interest: windowed mode CPA: p-value partial SNR: heuristic threshold 28

Points of interest: windowed mode CPA: p-value partial SNR: heuristic threshold 29

Points of interest: windowed mode CPA: p-value partial SNR: heuristic threshold 30

Outline Context and motivations Horizontal differential power attack: systematic framework Practical experiments Setup Points of interest Result on Cortex-M4: first order success rate on 123 scalar bits Result on Cortex-A8 Conclusion and future works 31

1-O SR Cortex-M4 results: 1-O SR on 123 bits Reminder on the parameters: d: number of scalar bit targeted at the same time N: number of target register per scalar bit Number N of POI per bit 32

Outline Context and motivations Horizontal differential power attack: systematic framework Practical experiments Setup Points of interest Result on Cortex-M4 Result on Cortex-A8: lattice attack on 4-bit partial nonces (ECDSA) Conclusion and future works 33

Number s of signatures Lattice attack on ECDSA: tradeoff Run s signatures: - s nonces n i - Recover b bits of each n i on the ECSM [n]p - Recover k from the s partial nonces trunc b (n i ) Number b of known bits per nonce 34

Lattice attack on ECDSA: our tradeoff Run 2200 signatures: - 2200 nonces n i Problem: incorrect partial nonces Answer: - Bayes for real probas - probability threshold t - Recover 4 bits of each n i on the ECSM [n]p - Recover k from the s partial nonces trunc 4 (n i ) - 140 correct partial nonces required 35

Cortex-A8 results: threshold for lattice attack on ECDSA Probability threshold t Nonce 1-O SR = x Key 1-O SR = x 140 # discarded traces #remaining traces None 0.815 3,9 10 13 0 2200 0.9 0.868 2,5 10 9 306 1894 0.9999999 0.992 0.312 1597 613 0.99999999999 1 1 1958 242 > 140 36

Conclusion and future work Conclusion: 1. Detailed systematic framework to apply HDPA in a close-to optimal way: a) Information identification b) Information extraction c) Information combination 1. Application in practice: a) Cortex-M4 & Cortex-A8 b) A-Z application of the framework A lot of noise is required to resist HDPA Next step: breaking point randomization!! 1. Replace the information combination by a belief probagation algorithm (soft analytical side-channel attack) 2. Recover the random point 3. Apply the same framework as in this study to recover the key - Cannot be done with TA or OTA - Cannot be used with correlation H-DPA SASCA on asym: See next talk!!! 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback