Key Bit-Dependent Attack on Protected PKC Using a Single Trace

Public-key cryptosystems are typically built on scalar multiplication or modular exponentiation algorithms in which the key is unknown to an attacker. Such algorithms are vulnerable to side-channel attacks, and various countermeasures have been proposed. However, no combination of countermeasures is effective against single-trace attacks, so template and collision attacks have been the focus of research; such attacks, though, require complicated pre-processing to eliminate noise. In this paper, we present a single-trace attack based on the power consumption properties of the key bit check phase. The proposed attack does not require sophisticated pre-processing. We apply the attack to hardware and software implementations. In the hardware implementation, we target the Montgomery-Lopez-Dahab ladder algorithm and find that private key bits can be extracted with a 100% success rate. In the software implementation, we target the key bit check functions of mbedTLS and OpenSSL, and observe that private key bits can be recovered with success rates of 96.13% and 96.25%, respectively. Moreover, if we use the leakage associated with referenced register addresses, the success rate is 100% in both cases. We propose two countermeasures to eliminate these vulnerabilities. Experimental results show that the proposed countermeasures address these vulnerabilities effectively.
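To make concrete what the abstract calls the "key bit check phase", here is an added example (not code from the paper, mbedTLS or OpenSSL) of the Montgomery powering ladder for modular exponentiation, the generic form of the ladder family the paper targets (the Lopez-Dahab variant is the elliptic-curve version over GF(2^m) and is not reproduced here). The first routine writes the per-bit step as an `if/else` on the key bit, which is the point where the choice of operation depends on the secret; the second rewrites the same step with a masked conditional swap so that the instruction sequence and register destinations no longer depend on the bit. The masked form is a generic textbook rewrite used only to show where the bit-dependent difference sits; it is not one of the two countermeasures the paper proposes, which the abstract does not describe. The 64-bit modulus, the `mulmod` helper and the test values are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* 128-bit intermediate keeps (a * b) from overflowing for 64-bit operands. */
typedef unsigned __int128 u128;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)(((u128)a * b) % m);
}

/* Key bit check: returns bit i of the secret exponent k. */
static uint64_t key_bit(uint64_t k, int i) {
    return (k >> i) & 1;
}

/* Montgomery powering ladder, branch form.
 * Invariant: r1 == r0 * base (mod m) at the start of every iteration.
 * Each iteration performs one multiplication and one squaring whatever the
 * bit is, but *which* register receives which result is chosen by an
 * if/else on the key bit, so the bit check itself is data-dependent. */
uint64_t ladder_branch(uint64_t base, uint64_t k, uint64_t m) {
    uint64_t r0 = 1 % m, r1 = base % m;
    for (int i = 63; i >= 0; i--) {
        if (key_bit(k, i)) {            /* key bit check phase */
            r0 = mulmod(r0, r1, m);     /* r0 <- base^(2e+1) */
            r1 = mulmod(r1, r1, m);     /* r1 <- base^(2e+2) */
        } else {
            r1 = mulmod(r0, r1, m);     /* r1 <- base^(2e+1) */
            r0 = mulmod(r0, r0, m);     /* r0 <- base^(2e)   */
        }
    }
    return r0;
}

/* Conditional swap driven by an arithmetic mask: bit = 1 swaps, bit = 0
 * leaves both values unchanged. No branch is taken on the secret bit. */
static void cswap(uint64_t *a, uint64_t *b, uint64_t bit) {
    uint64_t mask = (uint64_t)0 - bit;      /* 0x00..00 or 0xFF..FF */
    uint64_t t = mask & (*a ^ *b);
    *a ^= t;
    *b ^= t;
}

/* Same ladder, branchless form. The body always computes
 * r1 = r0 * r1 and r0 = r0 * r0 on the same registers; the key bit only
 * decides, through cswap, which value sits in which register beforehand. */
uint64_t ladder_cswap(uint64_t base, uint64_t k, uint64_t m) {
    uint64_t r0 = 1 % m, r1 = base % m;
    for (int i = 63; i >= 0; i--) {
        uint64_t b = key_bit(k, i);
        cswap(&r0, &r1, b);
        r1 = mulmod(r0, r1, m);
        r0 = mulmod(r0, r0, m);
        cswap(&r0, &r1, b);
    }
    return r0;
}

int main(void) {
    /* Constructed check: Fermat's little theorem with the prime 1000000007. */
    uint64_t p = 1000000007ULL;
    printf("branch : 2^(p-1) mod p = %llu\n",
           (unsigned long long)ladder_branch(2, p - 1, p));
    printf("cswap  : 2^(p-1) mod p = %llu\n",
           (unsigned long long)ladder_cswap(2, p - 1, p));
    return 0;
}
```

Both routines compute the same function; the difference a side-channel analyst cares about is that in `ladder_branch` the control flow and the register written by each multiply depend on `key_bit`, whereas in `ladder_cswap` the secret only enters through the mask inside `cswap`. Whether that rewrite is sufficient against the power and register-address leakage the paper exploits is a question for the paper itself, not something this example settles.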
