On the Worst-Case Side-Channel Security of ECC Point Randomization in Embedded Devices

Point randomization is an important countermeasure to protect Elliptic Curve Cryptography (ECC) implementations against side-channel attacks. In this paper, we revisit its worst-case security against advanced side-channel adversaries who use analytical techniques to exploit all the leakage samples of an implementation. Our main contributions in this respect are the following. First, we show that, because the attacks against point randomization are in essence Simple Power Analyses (the randomized coordinates are fresh for every execution, so each value has to be recovered from a single trace), the gain of analytical techniques over simpler divide-and-conquer attacks is limited. Second, we use this observation to evaluate the theoretical noise levels that point randomization needs in order to provide strong security guarantees, and we compare different elliptic curve coordinate systems. We then turn this simulated analysis into actual experiments and show that reasonable security levels can be achieved by implementations even on low-cost (e.g. 8-bit) embedded devices. Finally, we bound the security of 32-bit devices against worst-case adversaries.
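As an added illustration, not code from the paper, the following Python implements Coron-style projective point randomization in Jacobian coordinates on a toy short-Weierstrass curve constructed here, checks that a scalar multiplication on the randomized representation returns the same affine point as plain affine arithmetic, and exposes the 8-bit limb Hamming weights of the randomized coordinates, i.e. the values a single-trace adversary would have to recover on an 8-bit device under a Hamming-weight leakage model. The curve parameters (p = 2^127 - 1, a = -3, b = 12345), the base point search, the double-and-add ladder, the scalars and the 8-bit limb width are all assumptions of this example.

```python
import secrets

# Toy curve y^2 = x^3 + A*x + B over F_p, chosen for this example (assumption, not from the paper).
# p = 2^127 - 1 is prime with p % 4 == 3, so sqrt(v) = v^((p+1)/4) mod p whenever v is a square.
P_MOD, B = (1 << 127) - 1, 12345
A = P_MOD - 3
INF = (1, 1, 0)  # Jacobian point at infinity (Z == 0)

def inv(x):
    return pow(x, P_MOD - 2, P_MOD)

def is_on_curve(pt):
    return pt is None or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P_MOD == 0

def find_point(x=1):
    """Deterministically pick an affine base point: scan x until x^3 + Ax + B is a square."""
    while True:
        rhs = (x ** 3 + A * x + B) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
        if y * y % P_MOD == rhs:
            return (x, y)
        x += 1

G = find_point()  # base point of the example (constructed, not a standard generator)

# ---- affine reference arithmetic; None is the point at infinity ----
def affine_add(p1, p2):
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    lam = (3 * x1 * x1 + A) * inv(2 * y1) if p1 == p2 else (y2 - y1) * inv(x2 - x1)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def affine_mul(k, pt):
    r = None
    for bit in bin(k)[2:]:
        r = affine_add(r, r)
        if bit == "1":
            r = affine_add(r, pt)
    return r

# ---- Jacobian coordinates: (X, Y, Z) represents the affine point (X/Z^2, Y/Z^3) ----
def jac_from_affine(pt):
    return INF if pt is None else (pt[0], pt[1], 1)

def jac_to_affine(pt):
    X, Y, Z = pt
    if Z == 0:
        return None
    zi = inv(Z)
    return (X * zi * zi % P_MOD, Y * zi ** 3 % P_MOD)

def randomize_jacobian(pt, lam=None):
    """Coron-style point randomization: (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for a random l != 0.
    The affine point is unchanged, but every limb the device stores is fresh per execution."""
    X, Y, Z = pt
    if lam is None:
        lam = 1 + secrets.randbelow(P_MOD - 1)
    return (lam * lam * X % P_MOD, lam ** 3 * Y % P_MOD, lam * Z % P_MOD)

def jac_double(pt):
    X, Y, Z = pt
    if Z == 0 or Y == 0:
        return INF
    S = 4 * X * Y * Y % P_MOD
    M = (3 * X * X + A * Z ** 4) % P_MOD
    X3 = (M * M - 2 * S) % P_MOD
    return (X3, (M * (S - X3) - 8 * Y ** 4) % P_MOD, 2 * Y * Z % P_MOD)

def jac_add(p1, p2):
    (X1, Y1, Z1), (X2, Y2, Z2) = p1, p2
    if Z1 == 0 or Z2 == 0:
        return p2 if Z1 == 0 else p1
    U1, U2 = X1 * Z2 * Z2 % P_MOD, X2 * Z1 * Z1 % P_MOD
    S1, S2 = Y1 * Z2 ** 3 % P_MOD, Y2 * Z1 ** 3 % P_MOD
    if U1 == U2:
        return jac_double(p1) if S1 == S2 else INF
    H, R = (U2 - U1) % P_MOD, (S2 - S1) % P_MOD
    H2 = H * H % P_MOD
    H3 = H * H2 % P_MOD
    X3 = (R * R - H3 - 2 * U1 * H2) % P_MOD
    return (X3, (R * (U1 * H2 - X3) - S1 * H3) % P_MOD, H * Z1 * Z2 % P_MOD)

def jac_mul(k, pt):
    """Left-to-right double-and-add on an already randomized point (the ladder choice is
    orthogonal to the randomization, which happens once on the input point)."""
    r = INF
    for bit in bin(k)[2:]:
        r = jac_double(r)
        if bit == "1":
            r = jac_add(r, pt)
    return r

def randomized_mul(k, affine_pt, lam=None):
    """Scalar multiplication as a randomized implementation performs it."""
    return jac_to_affine(jac_mul(k, randomize_jacobian(jac_from_affine(affine_pt), lam)))

def limb_hamming_weights(pt, limb_bits=8):
    """Hamming weight of each limb of X, Y, Z as an 8-bit device handles them: under a
    Hamming-weight leakage model this is what a single-trace adversary observes before noise."""
    mask, n_limbs = (1 << limb_bits) - 1, -(-P_MOD.bit_length() // limb_bits)
    return [bin((c >> (i * limb_bits)) & mask).count("1") for c in pt for i in range(n_limbs)]
```

Because the random scalar l is drawn fresh for every call, two runs of `randomized_mul` with the same k process different limbs yet return the same affine point; this is why an adversary cannot average traces across executions and is left with a single-trace (SPA-style) recovery of each limb, which is the setting the paper's noise-level analysis quantifies.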
