Horizontal Collision Correlation Attack on Elliptic Curves

Elliptic-curve-based algorithms are nowadays widespread among embedded systems. They have the double advantage of providing efficient implementations with short certificates and of being relatively easy to secure against side-channel attacks. As a matter of fact, when an algorithm with constant execution flow is implemented together with randomization techniques, the resulting design usually thwarts classical side-channel attacks while keeping good performance. Recently, a new technique that makes some randomizations ineffective has been successfully applied in the context of RSA implementations. This method, related to a so-called horizontal modus operandi introduced by Walter in 2001, turns out to be very powerful since it only requires leakages on a single algorithm execution. In this paper, we combine this kind of technique with the collision correlation analysis introduced at CHES 2010 by Moradi et al. to propose a new attack on elliptic curve atomic implementations or unified formulas with input randomization. We show how it may be applied against several state-of-the-art implementations, including those of Chevallier-Mames et al., of Longa and of Giraud-Verneuil, and also Bernstein and Lange for unified Edwards formulas. Finally, we provide simulation results for several sizes of elliptic curves on different hardware architectures. These results, which turn out to be the very first horizontal attacks on elliptic curves, open new perspectives in securing such implementations. Indeed, this paper shows that two of the main existing countermeasures for elliptic curve implementations become irrelevant when going from vertical to horizontal analysis.
