Exploiting Collisions in Addition Chain-Based Exponentiation Algorithms Using a Single Trace

Public key cryptographic algorithms are typically based on group exponentiation algorithms where the exponent is unknown to an adversary. A collision attack applied to an instance of an exponentiation is typically where an adversary seeks to determine whether two operations in the exponentiation have the same input. In this paper, we extend this to an adversary who seeks to determine whether the output of one operation is used as the input to another. We describe implementations of these attacks applied to a 192-bit scalar multiplication over an elliptic curve that only require a single power consumption trace to succeed with a high probability. Moreover, our attacks do not require any knowledge of the input to the exponentiation algorithm. These attacks would, therefore, be applicable to algorithms, such as EC-DSA, where an exponent is ephemeral, or to implementations where an exponent is blinded. We then demonstrate that a side-channel resistant implementation of a group exponentiation algorithm will require countermeasures that introduce enough noise such that an attack is not practical, as algorithmic countermeasures are not possible. (The work described in this paper was conducted when the last two authors were part of the Cryptography Group at the University of Bristol, United Kingdom.)
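As an added illustration (not code from the paper), the following Python models the collision the abstract describes, "the output of one operation is used as the input to another", on a regular square-and-multiply-always exponentiation; the multiplicative group modulo a constructed prime stands in for the elliptic-curve group, and the noise-free oracle that answers the dependency question is an assumption standing in for the single-trace decision the paper makes.

```python
# Added example, not code from the paper.  A regular left-to-right
# square-and-multiply-always exponentiation (the multiplicative analogue of
# double-and-add-always scalar multiplication) logs every group operation as
# (name, inputs, output).  An ideal collision oracle then asks, per iteration,
# whether the multiply's output became the next square's input.  The answer
# is the exponent bit: the data flow leaks even though every iteration performs
# the same operations, the base is unknown, and the exponent may be blinded.
P_MOD = 1_000_003  # constructed small prime; stand-in for the curve field


def square_and_multiply_always(base, exponent, nbits, log):
    """Regular exponentiation base**exponent mod P_MOD; every op is logged."""
    r0 = 1
    for i in range(nbits - 1, -1, -1):
        sq = r0 * r0 % P_MOD
        log.append(("square", (r0,), sq))
        mul = sq * base % P_MOD
        log.append(("multiply", (sq, base), mul))   # dummy when the bit is 0
        r0 = mul if (exponent >> i) & 1 else sq
    return r0


def output_feeds_input(log, i, j):
    """Ideal (noise-free) collision oracle: did op i's output become an operand
    of op j?  The paper derives this decision from one power trace; here it is
    read from the recorded values so the data-flow leak itself is visible."""
    return log[i][2] in log[j][1]


def recover_exponent_bits(log, nbits):
    """Iteration k emits ops 2k (square) and 2k+1 (multiply).  Bit = 1 iff the
    multiply's output is squared in iteration k+1.  The lowest bit has no
    following square, so this view leaves it undetermined (None); bits are
    returned most significant first."""
    bits = []
    for k in range(nbits - 1):
        bits.append(1 if output_feeds_input(log, 2 * k + 1, 2 * k + 2) else 0)
    bits.append(None)
    return bits


if __name__ == "__main__":
    trace = []                       # constructed stand-in for a power trace
    square_and_multiply_always(base=7, exponent=0b101101, nbits=6, log=trace)
    print(recover_exponent_bits(trace, 6))   # [1, 0, 1, 1, 0, None]
```

A blinded exponent d + r*n is recovered the same way, and it is congruent to d modulo the group order, which is why the abstract concludes that only noise, not an algorithmic change, can defeat the attack.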
