Single-Trace Side-Channel Attacks on Scalar Multiplications with Precomputations

Single-trace side-channel attacks are a serious threat to elliptic curve cryptography in practice because they can also break cryptosystems in which the scalars are nonces (e.g., ECDSA). Previously it was believed that single-trace attacks could be avoided by using scalar multiplication algorithms with regular patterns of operations, but recently we have learned that such algorithms can be broken with correlation tests that decide whether different operations share common operands. In this work, we extend these attacks to scalar multiplication algorithms with precomputations. We show that many algorithms are vulnerable to our attack, which correlates measurements with the precomputed values. We also show that successful attacks are possible even without knowledge of the precomputed values, by using clustering instead of correlation. We provide extensive evidence for the feasibility of the attacks with simulations and with experiments on an 8-bit AVR. Finally, we discuss the effectiveness of certain countermeasures against our attacks.
