Evaluating the Cache Side Channel Attacks Against ECDSA

Various attacks have been proposed against different ECDSA implementations: key-related data are acquired through cache side channels and then processed to recover the private key. The requirements on the data that qualifies for subsequent processing vary greatly from one cache side channel attack to another, and the probability of recovering the private key depends on both the acquired data and the parameters of the data processing. So, for a given ECDSA implementation, it is difficult to tell (a) how many signatures a cache side channel attack needs to recover the private key, or which attack performs best, and (b) what level of threat potential side channel attacks pose if the implementation produces a number of signatures on an unprotected system with cache side channels. Currently, there is no quantitative metric to answer these questions fairly. Such a metric for evaluating cache side channel attacks would give adversaries a reference for choosing a suitable attack, and defenders a reference for protecting a given ECDSA implementation (e.g., updating the private key after it has been used for a certain number of signatures). In this paper, we design an evaluation approach to quantitatively compare cache side channel attacks against ECDSA. We propose as the metric the expected minimum number of signatures needed for at least one successful private key recovery; this metric accounts for both the data requirements and the success probability. We apply the approach to evaluate various cache side channel attacks against ECDSA. By calculating the metric, we obtain (a) for each attack, the optimal parameters that minimize the number of signatures needed, and (b) for each ECDSA implementation, the minimum number of signatures that suffices for at least one successful private key recovery by some cache side channel attack.
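As an added illustration (not the paper's own model or data), the following Python sketches how a metric of this kind can be computed under a simple assumed model: one attack attempt consumes a batch of signatures whose size depends on a tunable parameter d, succeeds with some probability, and independent attempts repeat until the first success, so the expected signature count is the batch size divided by the success probability. The two attacks, their qualifying fractions and success probabilities are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class AttackModel:
    """One cache side channel attack, abstracted to what the metric needs.

    signatures_needed(d): raw signatures one attempt consumes for parameter d
    (e.g. d qualifying signatures divided by the fraction that qualify).
    success_prob(d): probability that one attempt recovers the private key.
    Both are constructed placeholder functions, not measured data.
    """
    name: str
    signatures_needed: Callable[[int], float]
    success_prob: Callable[[int], float]

def expected_signatures(attack: AttackModel, d: int) -> float:
    """Expected raw signatures until the first successful key recovery.

    Assumption: attempts are independent and each consumes a fresh batch, so the
    number of attempts is geometric with mean 1/p and the expectation is n(d)/p(d).
    """
    p = attack.success_prob(d)
    return float("inf") if p <= 0.0 else attack.signatures_needed(d) / p

def best_parameter(attack: AttackModel, params: List[int]) -> Tuple[int, float]:
    """Parameter value that minimises the metric for this attack, with the metric value."""
    return min(((d, expected_signatures(attack, d)) for d in params), key=lambda t: t[1])

def implementation_threshold(attacks: List[AttackModel], params: List[int]
                             ) -> Tuple[Dict[str, Tuple[int, float]], float]:
    """Per-attack optimum and, over all attacks, the smallest expected signature count.
    A defender would plan to update the key well before this many signatures."""
    per_attack = {a.name: best_parameter(a, params) for a in attacks}
    return per_attack, min(v[1] for v in per_attack.values())

# Constructed sample attacks (placeholder numbers chosen for illustration only).
# Attack A: only 1 in 4 signatures qualifies, but each attempt succeeds readily.
ATTACK_A = AttackModel("A", lambda d: d / 0.25,
                       lambda d: {80: 0.05, 100: 0.40, 120: 0.85, 140: 0.98}.get(d, 0.0))
# Attack B: every signature qualifies, but the per-attempt success rate is lower.
ATTACK_B = AttackModel("B", lambda d: float(d),
                       lambda d: {80: 0.0, 100: 0.02, 120: 0.10, 140: 0.30}.get(d, 0.0))
PARAMS = [80, 100, 120, 140]  # candidate values of the attack parameter d

if __name__ == "__main__":
    per_attack, threshold = implementation_threshold([ATTACK_A, ATTACK_B], PARAMS)
    for name, (d, exp) in per_attack.items():
        print(f"attack {name}: best d={d}, expected signatures={exp:.1f}")
    print(f"implementation threshold: {threshold:.1f} signatures")
```

With these placeholder numbers, attack A is cheapest at d=120 and attack B at d=140, and B sets the implementation threshold at roughly 467 signatures.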