online template attack on ecdsa
play

Online Template Attack on ECDSA: Extracting Keys Via The Other Side - PowerPoint PPT Presentation

Mar 01, 2024 •15 likes •375 views

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels Samwel, Lejla Batina and Joan Daemen Africacrypt Conference 2020 July 2020 Side Channel Attack Introduction A side-channel is any unintentional

  1. Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels Samwel, Lejla Batina and Joan Daemen Africacrypt Conference 2020 July 2020

  2. Side Channel Attack Introduction • “A side-channel is any unintentional signal that can offer us a blurry view of the algorithms internal computations” * • Attack implementation of some algorithm, not algorithm itself Message Device Signed message Leakage *Quote source: Introduction to Side-Channel Analysis: Basic Concepts and Techniques, L. Batina, March 2018, Hardware Security Lecture Notes 2

  3. Content • Part 1: Background – Cryptographic ‣ ECDSA ✴ Sign ✴ Verify ‣ Scalar Multiplication Algorithms ✴ Double And Add ✴ Montgomery Ladder ✴ Scalar Multiplication Optimization Tricks - Power Consumption Analysis ‣ Online Template Attack • Part 2: The Attack 3

  4. Part 1 Background 4

  5. ECDSA-Sign 5

  6. ECDSA-Verify 6

  7. Elliptic Curve Scalar Multiplication: Double And Add 7

  8. Elliptic Curve Scalar Multiplication: Montgomery Ladder 8

  9. Scalar Multiplication Optimization Tricks • Projective coordinates: – Homogeneous coordinates ‣ – Jacobian coordinates ‣ Image Source: 18.783 Elliptic Curves Lecture, A Sutherland, February 2017 9

  10. Scalar Multiplication Optimization Tricks • Projective coordinates: – Homogeneous coordinates ‣ – Jacobian coordinates ‣ • During signature verification: – Non-Adjacent Form (NAF) ‣ 7 = (1,0,0,-1) – Shamir’s trick ‣ 1 pre-computation 10

  11. Scalar Multiplication Optimization Tricks • Projective coordinates: – Homogeneous coordinates ‣ – Jacobian coordinates ‣ • During signature verification: – Non-Adjacent Form (NAF) ‣ 7 = (1,0,0,-1) – Shamir’s trick ‣ 1 pre-computation 10

  12. Scalar Multiplication Optimization Tricks • Projective coordinates: – Homogeneous coordinates ‣ – Jacobian coordinates ‣ • During signature verification: – Non-Adjacent Form (NAF) ‣ 7 = (1,0,0,-1) – Shamir’s trick ‣ 1 pre-computation 10

  13. Power Consumption Analysis • Template attack - Two identical devices - Build profiles - Match with target trace - Cumbersome 11

  14. Online Template Attack • Based on template attack • Templates on the fly • Max two templates per bit 12

  15. Online Template Attack • Based on template attack • Templates on the fly • Max two templates per bit 13

  16. Online Template Attack • Based on template attack • Templates on the fly • Max two templates per bit • Differentiate - (2n)P - (2n+1)P 14

  17. Part 2 The Attack 15

  18. Scenario • One device • One ECDSA signature generation - Standard projective coordinates - Montgomery ladder • Unlimited amount of signature verifications - On same device as the signature generated - Jacobian coordinates - Variant of double and add 16

  19. Scenario • One device • One ECDSA signature generation - Standard projective coordinates - Montgomery ladder • Unlimited amount of signature verifications - On same device as the signature generated - Jacobian coordinates - Variant of double and add • Goal: extract secret scalar via ECDSA signature verification 17

  20. Platform ChipWhisperer-Lite Classic 18

  21. Spotting The Attack Vector (1) 19

  22. Spotting The Attack Vector (1) 19

  23. Spotting The Attack Vector (1) 19

  24. Spotting The Attack Vector (2) Sign Verify 20

  25. Spotting The Attack Vector (2) 21

  26. Spotting The Attack Vector (2) 22

  27. Spotting The Attack Vector (2) 23

  28. Spotting The Attack Vector (2) Identical key dependent operation in the Montgommery ladder can be mimicked in the publicly accessible Jacobian doubling operation! 23

  29. Sign Verify Preparing The Input Montgomery Double and add Standard projective Jacobian • Compute possible values 24

  30. Sign Verify Preparing The Input Montgomery Double and add Standard projective Jacobian • Compute possible values • Feed legitimate point on curve 25

  31. Sign Verify Preparing The Input Montgomery Double and add Standard projective Jacobian • Compute possible values • Feed legitimate point on curve – Bit flipping ‣ …1010 -> …1011 ‣ …1010 -> …1000 26

  32. Measuring 27

  33. Extracting Bits (1) • Window resampling (to increase correlation computations) • Calculate Pearson correlation between: – Relevant square operation in target trace – Square operation in both templates 28

  34. Extracting Bits (2) After the correlation calculation, the template trace with the higher value is considered to represent the correct bit value. 29

  35. Countermeasure • Randomized projective coordinates – While signing – No longer build meaningful templates 30

  36. Implications • Attack successful on realistic implementation • Key extraction via ECDSA verification algorithm on the same device • Different scalar multiplications methods for signing and verification • Puts portability discussion in perspective • Simple countermeasure effective – Standard implemented in big crypto libraries – However, not always supported by hardware 31

Recommend

Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA

Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA

Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA Keegan Ryan NCC Group What is ROHNP? Key extraction attack on DSA and ECDSA Uses an old technique to target a new part of the algorithm

243 views • 23 slides
A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work

A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work

A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work with R emi Piau and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France Africacrypt 2020 Cairo, Egypt 1/32 How to attack ECDSA

646 views • 32 slides
Template Attack vs. Bayes Classifier Stjepan Picek 1 Annelie Heuser 2 Sylvain Guilley 2 1 KU

Template Attack vs. Bayes Classifier Stjepan Picek 1 Annelie Heuser 2 Sylvain Guilley 2 1 KU

Template Attack vs. Bayes Classifier Template Attack vs. Bayes Classifier Stjepan Picek 1 Annelie Heuser 2 Sylvain Guilley 2 1 KU Leuven, Belgium 2 TELECOM-ParisTech, Paris, France PROOFS, Santa Barbara August 20, 2016 1 / 32 Template Attack

701 views • 36 slides
A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien

A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien

A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien Courouss, Jean-Louis Lanet and Ronan Lashermes July 27th 2016 A template attack against Verify PIN algorithms Le Bouder et al. July 27th 2016 1/23

590 views • 30 slides
Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa

Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa

Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa Lee , and abhi shelat j@ckdoerner.net ykondi@ccs.neu.edu eysa@ccs.neu.edu abhi@neu.edu Northeastern University Traditional Signature

868 views • 57 slides
Implementing Strategies for Online Courses: Support of Master Course Template, Peer Team, and LMS

Implementing Strategies for Online Courses: Support of Master Course Template, Peer Team, and LMS

Implementing Strategies for Online Courses: Support of Master Course Template, Peer Team, and LMS September 26, 2017 Rich Schultz Associate Dean Center for Online Education North Park University Questions 1. Is faculty buy-in an issue for

358 views • 19 slides
C++ Template Meta A basic introduction to basic C++ techniques used in template metaprogramming.

C++ Template Meta A basic introduction to basic C++ techniques used in template metaprogramming.

C++ Template Meta A basic introduction to basic C++ techniques used in template metaprogramming. Github Repo The presentation and all of the code are online on github, with an OSI license. github.com/zwimer/Template-Meta-Tutorial Note: Much

1.12k views • 84 slides
ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016 ECDSA Elliptic Curve Cryptography allows for the construction of strong public/private key pairs with key lengths that are far shorter than

416 views • 27 slides
Evaluating Attack Amplification in Online Social Networks in Online Social Networks Blase E. Ur

Evaluating Attack Amplification in Online Social Networks in Online Social Networks Blase E. Ur

Evaluating Attack Amplification in Online Social Networks in Online Social Networks Blase E. Ur and Vinod Ganapathy blaseur@rci.rutgers.edu , vinodg@cs.rutgers.edu Rutgers University W2SP09 Online Social Networks 200 million

513 views • 37 slides
Modern Modern Template Techniques Template The Simplest Function Template

Modern Modern Template Techniques Template The Simplest Function Template

Modern Modern Template Techniques Template The Simplest Function Template CRTPStatic Polymorphism Techniques Type TraitsBasic Metaprogramming Compile-time Conditionals Policy Classes Perfect Forwarding

1.29k views • 42 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
PDF Mirage: Content Masking Attack Against Information-Based Online Services Ian Markwood*, Dakun

PDF Mirage: Content Masking Attack Against Information-Based Online Services Ian Markwood*, Dakun

PDF Mirage: Content Masking Attack Against Information-Based Online Services Ian Markwood*, Dakun Shen*, Yao Liu, and Zhuo Lu University of South Florida *Co-first authors Presented by Ian Markwood Outline Motivation Background

681 views • 52 slides
From weak online reputation metrics to standardized attack-resistant trust metrics Dr. Jean-Marc

From weak online reputation metrics to standardized attack-resistant trust metrics Dr. Jean-Marc

ITU Workshop on Future Trust and Knowledge Infrastructure, Phase 2 Geneva, Switzerland 1 July 2016 From weak online reputation metrics to standardized attack-resistant trust metrics Dr. Jean-Marc Seigneur President at Rputaction SAS,

599 views • 26 slides
Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys

Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys

Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys Systematic analysis of lattice attacks on noisy leakage of

549 views • 53 slides
Hacking Online Games Matt Ward & Paul Jennas II April 22, 2012 Agenda Importance Attack

Hacking Online Games Matt Ward & Paul Jennas II April 22, 2012 Agenda Importance Attack

Hacking Online Games Matt Ward & Paul Jennas II April 22, 2012 Agenda Importance Attack Tree for Cheating On-line Poker Bots Denial of Service Collusion Software Exploits Conclusion Importance Out-of-band market for virtual equipment

1.07k views • 63 slides
EVENT REPORT TEMPLATE (Annex H to Quality Control and Monitoring Manual) This template has to be

EVENT REPORT TEMPLATE (Annex H to Quality Control and Monitoring Manual) This template has to be

EVENT REPORT TEMPLATE (Annex H to Quality Control and Monitoring Manual) This template has to be filled by project partners (organisers) for all IF4TM events (except SC meetings). Furthermore, this template can be used to inform colleagues and

434 views • 4 slides
Announcements: Homework 1 Out HW1 and a latex template for solutions are out on the course

Announcements: Homework 1 Out HW1 and a latex template for solutions are out on the course

Announcements: Homework 1 Out HW1 and a latex template for solutions are out on the course website: http://www.haifeng-xu.com/cs6501fa19 The HW sol template is for your convenience, but not required. Feel free to use your own template

750 views • 39 slides
Webinar Agenda Welcome and Introductions The HSA template The HSA/PP Section template

Webinar Agenda Welcome and Introductions The HSA template The HSA/PP Section template

Health Systems and Public Policy Analysis Section Jeremy Patch, MPH Stephanie Reffey, PhD Becky Royer, MPH, CHES Webinar Agenda Welcome and Introductions The HSA template The HSA/PP Section template The HSA/PP Section checklist

725 views • 9 slides
Template Metaprogramming in C++ CS242, Fall 2009 Keith Schwarz Preliminaries A C++ template is a

Template Metaprogramming in C++ CS242, Fall 2009 Keith Schwarz Preliminaries A C++ template is a

Template Metaprogramming in C++ CS242, Fall 2009 Keith Schwarz Preliminaries A C++ template is a type or function parameterized over a set of types, functions, or constants. template <typename One, typename Two> struct Pair { One

1.34k views • 113 slides
BUILDING A POWER POINT TEMPLATE By using a Master Template for your PowerPoint presentations, you

BUILDING A POWER POINT TEMPLATE By using a Master Template for your PowerPoint presentations, you

BUILDING A POWER POINT TEMPLATE By using a Master Template for your PowerPoint presentations, you can save the time it takes to make a presentation and to standardize a look and feel for you slides. A Master Template is a presentation that you

82 views • 4 slides
Threshold ECDSA w/ Identifiable Aborts Ran Canetti (Boston University), Rosario Gennaro (City

Threshold ECDSA w/ Identifiable Aborts Ran Canetti (Boston University), Rosario Gennaro (City

UC Non-Interactive, Proactive, Threshold ECDSA w/ Identifiable Aborts Ran Canetti (Boston University), Rosario Gennaro (City College, CUNY), Steven Goldfeder (Cornell Tech), Nikolaos Makriyannis (Fireblocks), Udi Peled (Fireblocks) To appear

1.18k views • 41 slides
Testbench Template Testbench template generated by Cadence The Big Picture 1010010100100

Testbench Template Testbench template generated by Cadence The Big Picture 1010010100100

Testbench Template Testbench template generated by Cadence The Big Picture 1010010100100 DUT 1001000010100 (Device Actual 1110101001110 Under Output 1010100010011 Test) Vectors 0100100010001 Input Vector Table Pass/Fail Compare

305 views • 18 slides
TWG Review and Reporting Template TWG Network Meeting 27-28 February Name of TWG: on

TWG Review and Reporting Template TWG Network Meeting 27-28 February Name of TWG: on

TWG Review and Reporting Template TWG Network Meeting 27-28 February Name of TWG: on HIV/AIDS General guidance for using the template This template is designed to support and complement the dialogue

753 views • 7 slides
Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris Shrishak TU Darmstadt, Germany

Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris Shrishak TU Darmstadt, Germany

Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris Shrishak TU Darmstadt, Germany November 6, 2020 NIST Workshop on Multi-Party Threshold Schemes 2020 Based on work published at ESORICS20 with Anders Dalskov, Marcel Keller,

775 views • 63 slides

More recommend