Practical Evaluation of Protected RNS Scalar Multiplication. CHES 2019. By Louiza Papachristodoulou; joint work with A. Fournaris, K. Papagiannopoulos, L. Batina
Outline • Residue Number System in Elliptic Curve Cryptography • Proposed TVLA threshold calculation • TVLA analysis • Location and Data Dependent Template Attacks • Conclusions
Residue Number System: the integer X = 50 represented in the base of moduli (m1, m2, m3) = (3, 7, 11) is the residue vector (x1, x2, x3) = (2, 1, 6)
RNS in Elliptic Curve Cryptography • Elliptic curves defined over prime fields GF(p) • Modular operations turn easily into RNS modular operations over GF(p) • RNS modular multiplication is usually realized through RNS Montgomery multiplication to avoid modular inversion, but it includes base extension • EC scalar multiplication is the critical operation Q = kP
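The slide's conversion (X = 50 in base (3, 7, 11)), channel-wise multiplication and an RNS Montgomery multiplication with its two base extensions, as an added example that is not the paper's own code. The second base (5, 13, 17), the toy prime p = 97 and the operands 50 and 23 are constructed for the demonstration; the base extension is done through the integer via the CRT rather than the Bajard-style extension a real RNS library uses.

```python
from math import prod

def to_rns(x, base):
    """Forward conversion: one residue per channel, x_i = x mod m_i."""
    return tuple(x % m for m in base)

def from_rns(res, base):
    """Reverse conversion by the CRT: X = sum_i x_i * M_i * (M_i^-1 mod m_i) mod M, with
    M_i = M / m_i. X is recovered exactly only if X < M (the dynamic range of the base)."""
    M = prod(base)
    return sum(x * (M // m) * pow(M // m, -1, m) for x, m in zip(res, base)) % M

def rns_mul(a, b, base):
    """Channel-wise product: no carries cross channels, so every channel is independent
    (this is what makes operation order and channel permutation free to randomize)."""
    return tuple(x * y % m for x, y, m in zip(a, b, base))

def rns_montgomery_mul(a, b, p, base_a, base_b):
    """RNS Montgomery multiplication: returns r = a*b*M^-1 mod p with r < 2p, in both
    bases, M = prod(base_a). No run-time modular inversion: every inverse below is a
    per-channel constant. Requires a, b < p and 2p < M, 2p < M' = prod(base_b)."""
    M = prod(base_a)
    (a_a, a_b), (b_a, b_b) = a, b               # residues of a and b in base_a / base_b
    # 1. q = -a*b*p^-1 mod M, channel-wise in base_a (so a*b + q*p is divisible by M)
    q_a = tuple(-x * y * pow(p, -1, m) % m for x, y, m in zip(a_a, b_a, base_a))
    # 2. base extension base_a -> base_b; done here through the integer via the CRT,
    #    real RNS implementations use a Bajard-style CRT or mixed-radix extension instead
    q_b = to_rns(from_rns(q_a, base_a), base_b)
    # 3. r = (a*b + q*p) / M is exact, so in base_b (where M is invertible) it is a
    #    multiplication by the constant M^-1 mod m_j
    r_b = tuple((x * y + q * p) * pow(M, -1, m) % m
                for x, y, q, m in zip(a_b, b_b, q_b, base_b))
    # 4. base extension back so r is available in both bases for the next operation
    r_a = to_rns(from_rns(r_b, base_b), base_a)
    return r_a, r_b

if __name__ == "__main__":
    BASE_A = (3, 7, 11)                         # the slide's base; X = 50 -> (2, 1, 6)
    BASE_B, P = (5, 13, 17), 97                 # constructed second base and toy prime
    print(to_rns(50, BASE_A))
    x, y = 50, 23
    r_a, r_b = rns_montgomery_mul((to_rns(x, BASE_A), to_rns(x, BASE_B)),
                                  (to_rns(y, BASE_A), to_rns(y, BASE_B)), P, BASE_A, BASE_B)
    r = from_rns(r_b, BASE_B)
    print(r, r % P == x * y * pow(prod(BASE_A), -1, P) % P)
```

The product 50 * 5 = 250 exceeds M = 231 and silently wraps to 19, which is why the dynamic range of the base has to cover every intermediate result.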
LRA Montgomery Power Ladder. Choose RNS bases $B_n$, $B'_n$. Transform V, R to RNS format using permutation $p_t$ • $R_0 = R$, $R_1 = R + V$, $R_2 = -R$ • Convert $R_0, R_1, R_2$ to Montgomery format • For $i = t-1$ down to 0: • $R_2 = 2R_2$ in permutation $p_t$ • If $k_i = 1$: $R_0 = R_0 + R_1$ and $R_1 = 2R_1$ in permutation $p_t$; else, in permutation $\gamma_t$: $R_1 = R_0 + R_1$ and $R_0 = 2R_0$ • Integrity check: if $i, k$ not modified and $R_0 + V = R_1$ then return $R_0 + R_2$ in permutation $\gamma_t$, else return a random value • Transform $R_0 + R_2$ to binary format
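The ladder above with its random-point blinding and integrity check, written out as an added example (not the paper's implementation) on a constructed toy curve: the slide's twisted Edwards parameters a = 1, d = 2 over the tiny prime p = 1019, using the unified group law, with the RNS base permutations left out. The helper random_point and the fixed bit length t are assumptions of the example.

```python
import random

# Constructed toy curve: the slide's twisted Edwards parameters a = 1, d = 2, but over the
# tiny prime p = 1019 (p = 3 mod 8 makes d = 2 a non-square, so the unified law is complete
# and never divides by zero).
P, A, D = 1019, 1, 2

def ed_add(p1, p2):
    """Unified twisted-Edwards addition, also used for doubling; neutral element is (0, 1)."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, P) % P
    y3 = (y1 * y2 - A * x1 * x2) * pow(1 - t, -1, P) % P
    return (x3, y3)

def ed_neg(pt):
    return (-pt[0] % P, pt[1])

def random_point(seed):
    """Constructed helper: random x, then y = sqrt((1 - a x^2)/(1 - d x^2)) once it exists."""
    rng = random.Random(seed)
    while True:
        x = rng.randrange(1, P)
        v = (1 - A * x * x) * pow(1 - D * x * x, -1, P) % P
        y = pow(v, (P + 1) // 4, P)              # square root for p = 3 mod 4
        if y * y % P == v:
            return (x, y)

def ladder(k, V, R, t):
    """The slide's randomized Montgomery power ladder (RNS base permutations left out):
    R_0 = R, R_1 = R + V, R_2 = -R, then exactly one addition and one doubling per bit,
    so the operation sequence does not depend on k_i. Invariant: R_1 - R_0 = V."""
    R0, R1, R2 = R, ed_add(R, V), ed_neg(R)
    for i in range(t - 1, -1, -1):
        R2 = ed_add(R2, R2)                      # R_2 = 2 R_2, ends as -2^t R
        if (k >> i) & 1:
            R0, R1 = ed_add(R0, R1), ed_add(R1, R1)
        else:
            R1, R0 = ed_add(R0, R1), ed_add(R0, R0)
    # Integrity check: a fault that breaks the invariant yields a random value, not kV + error
    if ed_add(R0, V) != R1:
        sys_rng = random.SystemRandom()
        return (sys_rng.randrange(P), sys_rng.randrange(P))
    return ed_add(R0, R2)                        # R_0 + R_2 = (kV + 2^t R) - 2^t R = kV

if __name__ == "__main__":
    V = random_point(7)
    print(ladder(37, V, random_point(8), 8), ladder(37, V, random_point(9), 8))  # equal: kV
```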
Test Vector Leakage Assessment (TVLA) • Statistical tests between two trace-sets of an acquisition • Welch's t-test to evaluate whether the two sets have significant statistical differences: $t_i = \dfrac{\mu_{i,A} - \mu_{i,B}}{\sqrt{\sigma_{i,A}^2 / n_A + \sigma_{i,B}^2 / n_B}}$ • Values above ±4.5 indicate leakage, but TVLA does not exploit it
t-test Threshold Calibration for TVLA. Input: $nt_A = nt_B = 4 \cdot 10^3$ – $10 \cdot 10^3$ (number of traces for groups A, B); $n_s = 4 \cdot 10^5$ – $8 \cdot 10^5$ (number of samples); $\sigma_A = 9.7$, $\sigma_B = 6.1$ (sampled standard deviation). Output: threshold value $th_t$ for Welch's t-distribution. 1. Choose level of significance α; here α = 0.00001. Family-wise error rate fwer $= (1 - \alpha)^{n_s}$ 2. Šidák correction: $sidak_\alpha = 1 - (1 - \alpha)^{1/n_s}$ 3.–4. Degrees of freedom (Welch–Satterthwaite): $df = \dfrac{\left(\sigma_A^2 / nt_A + \sigma_B^2 / nt_B\right)^2}{\left(\sigma_A^2 / nt_A\right)^2 / (nt_A - 1) + \left(\sigma_B^2 / nt_B\right)^2 / (nt_B - 1)}$ 5. Threshold $th_t = |\mathrm{tinv}(1 - sidak_\alpha / 2, df)|$; result: $th_t = \pm 6.3$
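The calibration procedure of the slide (Šidák-corrected α, Welch–Satterthwaite degrees of freedom, two-sided threshold) followed by the per-sample Welch t-test, as an added example that is not the paper's evaluation code. The standard library has no Student-t quantile, so the inverse t is approximated (an assumption of the example) by the normal quantile plus the first Cornish–Fisher term, which is accurate for the degrees of freedom in play; the trace sets are constructed Gaussian data with one leaking sample index.

```python
import math
import random
from statistics import NormalDist

def welch_t(xs, ys):
    """Welch's t for one sample index: (mean_A - mean_B) / sqrt(var_A/n_A + var_B/n_B)."""
    n_a, n_b = len(xs), len(ys)
    m_a, m_b = sum(xs) / n_a, sum(ys) / n_b
    v_a = sum((x - m_a) ** 2 for x in xs) / (n_a - 1)
    v_b = sum((y - m_b) ** 2 for y in ys) / (n_b - 1)
    return (m_a - m_b) / math.sqrt(v_a / n_a + v_b / n_b)

def welch_df(sigma_a, n_a, sigma_b, n_b):
    """Welch-Satterthwaite degrees of freedom (steps 3-4 of the slide)."""
    va, vb = sigma_a ** 2 / n_a, sigma_b ** 2 / n_b
    return (va + vb) ** 2 / (va ** 2 / (n_a - 1) + vb ** 2 / (n_b - 1))

def tvla_threshold(alpha, n_samples, sigma_a, n_a, sigma_b, n_b):
    """Sidak-corrected two-sided threshold |tinv(1 - sidak_a/2, df)| (steps 1, 2 and 5).
    The stdlib has no Student-t quantile, so (assumed approximation) the normal quantile
    plus the first Cornish-Fisher term is used; for df in the thousands it is within
    about 0.01 of tinv. The lower tail is evaluated to avoid 1 - tiny cancellation."""
    sidak_a = 1 - (1 - alpha) ** (1 / n_samples)
    df = welch_df(sigma_a, n_a, sigma_b, n_b)
    z = abs(NormalDist().inv_cdf(sidak_a / 2))
    return z + (z ** 3 + z) / (4 * df)

def leaky_samples(traces_a, traces_b, threshold):
    """Run the t-test at every sample index and report the indices with |t| > threshold."""
    return [i for i in range(len(traces_a[0]))
            if abs(welch_t([tr[i] for tr in traces_a], [tr[i] for tr in traces_b])) > threshold]

def constructed_traces(n_traces, n_samples, leak_index, shift, seed):
    """Constructed stand-in for fixed-vs-random trace sets: unit Gaussian noise everywhere,
    with group B shifted by `shift` at one sample index (a data-dependent leak)."""
    rng = random.Random(seed)
    a = [[rng.gauss(0.0, 1.0) for _ in range(n_samples)] for _ in range(n_traces)]
    b = [[rng.gauss(shift if i == leak_index else 0.0, 1.0) for i in range(n_samples)]
         for _ in range(n_traces)]
    return a, b

if __name__ == "__main__":
    # Slide's calibration inputs: alpha = 1e-5, n_s = 4*10^5 samples, 4*10^3 traces per
    # group, sigma_A = 9.7, sigma_B = 6.1
    print("threshold:", round(tvla_threshold(1e-5, 4 * 10**5, 9.7, 4000, 6.1, 4000), 2))
    A, B = constructed_traces(2000, 4, leak_index=2, shift=2.0, seed=1)
    print("leaking sample indices:", leaky_samples(A, B, tvla_threshold(1e-5, 4, 1.0, 2000, 1.0, 2000)))
```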
RNS implementation on BeagleBone • C software implementation on ARM Cortex-A8 • RNS Montgomery multiplication • Dedicated and Unified Group Law • 5 different variations: unprotected, randomized scalar, random input point, random base permutations (LRA), random order of operations
Processing of Traces – Low Pass Filter
t-test random vs fixed scalar on twisted Edwards curve (a = 1, d = 2, $p = 2^{192} - 2^{64} - 1$). Panels: Unprotected scalar mul, Randomized scalar, LRA, LRA_rdm_point()
t-test random vs fixed point on secure Edwards curve (a = 107, d = 47, h = 4, $p = 2^{192} - 2^{64} - 1$). Panels: Unprotected scalar mul, Randomized scalar, LRA, LRA_rdm_point()
Data Dependent Template Attacks • The value of a secret variable can be monitored • Trigger around the key-dependent assignment (if-statement): If $k_i = 1$: $R_0 = R_0 + R_1$ and $R_1 = 2R_1$; Else: $R_1 = R_0 + R_1$ and $R_0 = 2R_0$ • After alignment, 20k traces; half used for templates, half for classification • Success rate 90-91% for the unprotected case, 82-97% with the LRA countermeasure activated • Scalar randomization (65-72%) and LRA randomized RNS operations (55-58%) are good countermeasures
Location Dependent Template Attacks • Templates created for the storage structure that handles the key-dependent instruction (doubling): If $k_i = 1$: $R_0 = R_0 + R_1$ and $R_1 = 2R_1$; Else: $R_1 = R_0 + R_1$ and $R_0 = 2R_0$ • Template classification: 95-99.9% • LRA with randomized operations: 70-83%
Location Dependent Leakage • Registers are not really single registers: RNS values are stored in 50-bit chunks, so the result of a doubling is stored in different memory locations • Location dependent leakage was not an expected result • The normal distributions for $k_i = 0$ and $k_i = 1$ are very different for every variation of the implementation (N(−24.3, 9.7), N(19.6, 6.1)) • Leaky platform: capacitors next to each other • Scalar randomization is not an efficient countermeasure • LRA with randomized operations makes template attacks harder
Evaluation Table (legend: Pass t-test / secure against templates; Fail t-test / not secure against templates)
Conclusions • TVLA bounds are not rigid; compute them according to the distribution of the traces, the number of samples and the number of traces • Randomization of the scalar, of the input point and the regularity of the MPL are good countermeasures, but not enough to avoid leakage • Different RNS representations do not lower the template success rates • Randomization of RNS operations protects against templates and is less expensive than randomization of the input point • Classification using ML algorithms • Evaluation on an FPGA would give further insights into the security of RNS
THANK YOU FOR YOUR ATTENTION ! louiza@cryptologio.org