
Analysis of ECC Implementations with Worst-Case Horizontal Attacks - PowerPoint PPT Presentation



  1. A Systematic Approach to the Side-Channel Analysis of ECC Implementations with Worst-Case Horizontal Attacks. Romain Poussier, François-Xavier Standaert: Université catholique de Louvain; Yuanyuan Zhou: Université catholique de Louvain & Brightsight BV. CHES 2017, 28/09/2017

  2. Outline: – Context and motivation – Horizontal differential power attack: systematic framework – Practical experiments • Setup • Points of interest • Result on Cortex-M4 • Result on Cortex-A8 – Conclusion and future works

  3. SCA on ECC: many options. Elliptic curve cryptography (ECC), scalar multiplication l Q; side-channel attacks (SCA).
     Many attack classes: • DPA • Horizontal DPA • Template • Bit manipulation • Horizontal Collision • …
     Different tools: • Difference of mean • Correlation • Likelihood • Machine learning • …

  4. Which attack to use for evaluation.
     Many attack classes: • DPA • Horizontal DPA • Template • Bit manipulation • Horizontal Collision • …
     Different tools: • Difference of mean • Correlation • Likelihood • Machine learning • …
     Which attack to use for a fixed time security evaluation?

  5. Which attack to use for evaluation.
     Many attack classes: • DPA • Horizontal DPA • Template • Bit manipulation • Horizontal Collision • …
     Different tools: • Difference of mean • Correlation • Likelihood • Machine learning • …
     Which attack to use for a fixed time security evaluation?
     Our general goal: approaching worst-case security. How: use most of the available side-channel information.

  6. State of the art

     | Attack | # needed traces | Input point | Attacker's assumptions | # Information used |
     |---|---|---|---|---|
     | DPA | N | A posteriori known | Strong | Small |
     | Template | 1 | A priori known | Strong | Customizable (first bits only) |
     | Online template | 1 | A priori known | Very strong | Customizable |
     | H-DPA | 1 | A posteriori known | Strong | Customizable |
     | H-Collision | 1 | Not needed | Weak | Small |
     | Bit manipulation | 1 | Not needed | Weak | Small |

  7. This study: contribution on H-DPA.
     Complex framework: • Systematic approach • Close to worst-case with leakage characterization
     Few practical experiments for H-DPA: • A to Z application • Cortex-M4 (easy) • Cortex-A8 (more challenging)
     Teaser: promising future work shown at the end of the talk!

  8. Outline: – Context and motivations – Horizontal differential power attack: systematic framework – Practical experiments • Setup • Points of interest • Result on Cortex-M4 • Result on Cortex-A8 – Conclusion and future works

  9. Elliptic curve scalar multiplication (ECSM). Note: only collision attack against this ECSM: Hanley et al. (CT-RSA 2015)

  10. Identify the information: abstract view of regular ECSM. Fixed and predictable sequence of register operations: N registers per scalar bit.

  11. Horizontal DPA: modus operandi. HDPA attack on l_0:
      1. Select several internal register operations St that depend on Q and l_0

  12. Horizontal DPA: modus operandi. HDPA attack on l_0:
      1. Select several internal register operations St that depend on Q and l_0
      2. Model the function M that characterizes how St leaks: information extraction

  13. Horizontal DPA: modus operandi. HDPA attack on l_0:
      1. Select several internal register operations St that depend on Q and l_0
      2. Model the function M that characterizes how St leaks: information extraction
      3. Acquire 1 attack measurement

  14. Horizontal DPA: modus operandi. HDPA attack on l_0:
      1. Select several internal register operations St that depend on Q and l_0
      2. Model the function M that characterizes how St leaks: information extraction
      3. Acquire 1 attack measurement
      4. Prepare two sets T_0 (resp. T_1) that contain the guesses for the values St_0 (resp. St_1) as a function of Q and l_0 = 0 (resp. l_0 = 1)

  15. Horizontal DPA: modus operandi. HDPA attack on l_0:
      1. Select several internal register operations St that depend on Q and l_0
      2. Model the function M that characterizes how St leaks: information extraction
      3. Acquire 1 attack measurement
      4. Prepare two sets T_0 (resp. T_1) that contain the guesses for the values St_0 (resp. St_1) as a function of Q and l_0 = 0 (resp. l_0 = 1)
      5. Compare M(St_j) with the actual SCA leakages using a distinguisher E: information combination

  16. Horizontal DPA: modus operandi. HDPA attack on l_0:
      1. Select several internal register operations St that depend on Q and l_0
      2. Model the function M that characterizes how St leaks: information extraction
      3. Acquire 1 attack measurement
      4. Prepare two sets T_0 (resp. T_1) that contain the guesses for the values St_0 (resp. St_1) as a function of Q and l_0 = 0 (resp. l_0 = 1)
      5. Compare M(St_j) with the actual SCA leakages using a distinguisher E: information combination
      6. Select l_0 = j such that E(T_j, M(St_j)) is maximised.

  17. Extracting the information: linear regression. Registers of size t bits: classical templates: P(2^t); linear regression: P(t) (or more: tradeoff)

  18. Linear regression: deterministic part. Acquire o traces with random known Q and l. Leakages m: m(1), m(2), …, m(o); processed values s: s(1), s(2), …, s(o).
      $M(y) = \beta + \sum_{j=1}^{t} \beta_j \cdot y_j$, where $y_j$ is the j-th bit of y.
      Function M: (β, β_1, …, β_t)

  19. Linear regression: noise. Acquire n traces with random known Q and l. Leakages m: m(1), m(2), …, m(n); processed values s: s(1), s(2), …, s(n).
      Noise approximation: $\sigma^2 = \frac{1}{n} \sum_{j=1}^{n} \left( m(j) - M(s(j)) \right)^2$

  20. Combining the information (attack). Parameter: e scalar bits attacked per iteration. [Figure: target and simulator; example with l = 101, e = 3]

  21. Outline: – Context and motivations – Horizontal differential power attack: systematic framework – Practical experiments • Setup • Points of interest • Result on Cortex-M4 • Result on Cortex-A8 – Conclusion and future works

  22. Setup: target implementation/devices

      | Cortex-M4 | Cortex-A8 |
      |---|---|
      | 100 MHz | 1 GHz |
      | Constant time instructions (mostly) | Constant time instructions (mostly) |
      | 32-bit registers | 32-bit registers |
      | | Ubuntu running in background |

      Custom constant time assembly implementation of NIST p256. 256x256-bit multiplication achieved through 64 32x32-bit register multiplications (framework independent of the curve/implementation). N=1600 target registers per scalar bit (only).

  23. Setup: trace acquisition & scenario

      | Cortex-M4 | Cortex-A8 |
      |---|---|
      | Power measurement | EM measurement |
      | Lecroy WaveRunner HRO 66 | Lecroy WaveRunner 620Zi |
      | 200 Ms/sec | 10 GS/s |
      | 123 scalar bits | 4 scalar bits |
      | 40,000,000 samples per trace | 2,000,000 samples per trace |
      | Scenario: 1st order success rate on 123 bits | Scenario: Lattice attack (ECDSA) with several partial nonces |

      • Trace alignment

  24. Outline: – Context and motivations – Horizontal differential power attack: systematic framework – Practical experiments • Setup • Points of interest • Result on Cortex-M4 • Result on Cortex-A8 – Conclusion and future works

  25. Points of interest: CPA and partial SNR. Acquire o traces with random known Q and l. Leakages m_j, m_k; processed values s: s(1), s(2), …, s(o); time sample u.
      CPA: $u = \operatorname{argmax}_j \rho(\mathrm{HW}(s), m_j)$
      Partial SNR: $u = \operatorname{argmax}_j \mathrm{SNR}(\mathrm{trunc}_c(s), m_j)$

  26. Points of interest: windowed mode. Cortex-M4: 1600 ⋅ 123 POIs; 40,000,000 samples

  27. Points of interest: windowed mode

  28. Points of interest: windowed mode. CPA: p-value; partial SNR: heuristic threshold

  29. Points of interest: windowed mode. CPA: p-value; partial SNR: heuristic threshold

  30. Points of interest: windowed mode. CPA: p-value; partial SNR: heuristic threshold

  31. Outline: – Context and motivations – Horizontal differential power attack: systematic framework – Practical experiments • Setup • Points of interest • Result on Cortex-M4: first order success rate on 123 scalar bits • Result on Cortex-A8 – Conclusion and future works

  32. Cortex-M4 results: 1-O SR on 123 bits. Reminder on the parameters: • d: number of scalar bits targeted at the same time • N: number of target registers per scalar bit. [Plot: 1-O SR versus number N of POI per bit]
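
The profiling and decision steps of slides 16 to 19, as an added simulation that is not part of the original slides: it fits M(y) = β + Σ β_j·y_j by least squares, estimates σ² on a second trace set, and scores the two guess sets T_0 and T_1 with a Gaussian log-likelihood standing in for the distinguisher E. The 8-bit register width, the simulated device, the random stand-in register values and every function name are assumptions made for the example.

```python
import random

T_BITS = 8  # simulated register width (assumption; the slides target 32-bit registers)

def bits(y):
    return [(y >> j) & 1 for j in range(T_BITS)]

def solve(A, b):  # Gauss-Jordan elimination with partial pivoting
    n = len(b)
    A = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(A[r][c]))
        A[c], A[p] = A[p], A[c]
        for r in range(n):
            if r != c:
                f = A[r][c] / A[c][c]
                A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return [A[i][n] / A[i][i] for i in range(n)]

def fit_model(values, leaks):
    """Least-squares fit of M(y) = beta + sum_j beta_j * y_j from known values."""
    X = [[1.0] + bits(y) for y in values]
    k = T_BITS + 1
    XtX = [[sum(r[a] * r[b] for r in X) for b in range(k)] for a in range(k)]
    Xtm = [sum(r[a] * m for r, m in zip(X, leaks)) for a in range(k)]
    return solve(XtX, Xtm)

def M(beta, y):
    return beta[0] + sum(bj * yj for bj, yj in zip(beta[1:], bits(y)))

def noise_variance(beta, values, leaks):
    """sigma^2 = mean squared residual of the fitted model on a fresh trace set."""
    return sum((m - M(beta, y)) ** 2 for y, m in zip(values, leaks)) / len(leaks)

def distinguish(beta, sigma2, trace, T0, T1):
    """Distinguisher E: Gaussian log-likelihood of the trace under each guess set."""
    E = lambda T: -sum((m - M(beta, y)) ** 2 for m, y in zip(trace, T)) / (2 * sigma2)
    return 0 if E(T0) >= E(T1) else 1

def simulate(true_bit, n_regs=200, noise=2.0, seed=1):
    rng = random.Random(seed)
    dev = [5.0] + [rng.uniform(0.5, 1.5) for _ in range(T_BITS)]  # constructed device
    leak = lambda y: M(dev, y) + rng.gauss(0, noise)
    prof = [rng.randrange(256) for _ in range(2000)]   # profiling set, known values
    beta = fit_model(prof, [leak(y) for y in prof])
    val = [rng.randrange(256) for _ in range(2000)]    # second set for the noise
    sigma2 = noise_variance(beta, val, [leak(y) for y in val])
    T = [[rng.randrange(256) for _ in range(n_regs)] for _ in range(2)]  # stand-ins for T_0, T_1
    trace = [leak(y) for y in T[true_bit]]             # one simulated measurement
    return beta, sigma2, distinguish(beta, sigma2, trace, T[0], T[1])
```

Raising `noise` or lowering `n_regs` in `simulate` shrinks the likelihood gap between the two guess sets, which gives an evaluator a way to gauge how much margin a noise or shuffling countermeasure would have to provide.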
