protection of cryptographic keys

Protection of cryptographic keys recodings against physical attacks - PowerPoint PPT Presentation

Protection of cryptographic keys recodings against physical attacks Supervisor: Author: Simon RASTIKIAN Arnaud TISSERAND PLAN Introduction Elliptic Curve Cryptography Side Channel Attacks


  1. Protection of cryptographic keys recodings against physical attacks
     Supervisor: Author: Simon RASTIKIAN Arnaud TISSERAND
     [Slide artwork: the curve $y^2 = x^3 - x$ with points $P$ and $R$]

  2. PLAN
     • Introduction
     • Elliptic Curve Cryptography
     • Side Channel Attacks
     • Application

  3. Introduction
     • Public-key cryptography conceived by W. Diffie & M. Hellman.
     • Then comes RSA.
     • Then ECC by N. Koblitz & V. Miller basing their schemes on ECDLP.
     • What about security?

  4. Elliptic Curve Cryptography
     • An elliptic curve over a field $K$ is defined by the Weierstrass equation [1]
       $$E:\ y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$
       where $a_1, a_2, a_3, a_4, a_6 \in K$ and $\Delta \neq 0$, with
       $$\Delta = -d_2^2 d_8 - 8 d_4^3 - 27 d_6^2 + 9 d_2 d_4 d_6$$
       $$d_2 = a_1^2 + 4a_2$$
       $$d_4 = 2a_4 + a_1 a_3$$
       $$d_6 = a_3^2 + 4a_6$$
       $$d_8 = a_1^2 a_6 + 4 a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2$$

  5. Elliptic Curve Cryptography
     • $E_1$, $E_2$ are isomorphic over $K$ if $\exists\, u, r, s, t \in K$ with $u \neq 0$ such that [1]:
       $$\Phi : K^2 \to K^2, \quad (x, y) \mapsto (u^2 x + r,\ u^3 y + u^2 s x + t)$$
       transforms equation $E_1$ into equation $E_2$.

  6. Elliptic Curve Cryptography
     Over prime fields $F_p$, $p > 3$:
       $y^2 = x^3 + ax + b$ where $a, b \in K$, $\Delta = -16(4a^3 + 27b^2)$
     Over binary fields $F_{2^n}$:
       If $a_1 \neq 0$ then $y^2 + xy = x^3 + ax^2 + b$ where $a, b \in K$, $\Delta = b$
       If $a_1 = 0$ then $y^2 + cy = x^3 + ax + b$ where $a, b, c \in K$, $\Delta = c^4$
     Over optimal extension fields $F_{3^n}$:
       If $a_1^2 \neq -a_2$ then $y^2 = x^3 + ax^2 + b$ where $a, b \in K$, $\Delta = -a^3 b$
       If $a_1^2 = -a_2$ then $y^2 = x^3 + ax + b$ where $a, b \in K$, $\Delta = -a^3$

  7. Elliptic Curve Cryptography
     • Additive law $+ : E(K) \to E(K)$ defined by the chord-and-tangent rule
     [Figure: Point addition and point doubling on the curve $y^2 = x^3 - x + 1$ defined over R [5].]

  8. Elliptic Curve Cryptography
     • Mathematically, $\forall P, Q \in E(K)$:
       1. Identity: $P + \infty = \infty + P = P$
       2. Negative: $-P = -(x, y) = (x, -y)$ and $(x, y) + (x, -y) = \infty$
       3. Point addition: $P = (x_1, y_1)$, $Q = (x_2, y_2)$ and $P \neq \pm Q$, then $P + Q = (x_3, y_3)$ where
          $x_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2$ and $y_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)(x_1 - x_3) - y_1$
       4. Point doubling: if $P \neq -P$ then $2P = (x_3, y_3)$ where
          $x_3 = \left(\frac{3x_1^2 + a}{2y_1}\right)^2 - 2x_1$ and $y_3 = \left(\frac{3x_1^2 + a}{2y_1}\right)(x_1 - x_3) - y_1$

  9. Elliptic Curve Cryptography
     Let $E$ be an elliptic curve defined over $F_p$. Suppose $P \in E(F_p)$ has a prime order $n$.
     $\langle P \rangle = \{\infty, P, 2P, \dots, (n-1)P\}$ is a cyclic group.
     ECDLP:
     Key pair generation: Given $E$, $p$, $P$, $n$ (public parameter). Choose random integer $k$ in $[1, n-1]$ (secret key). Compute $Q = kP$.
     ECDLP problem: Given $E$, $p$, $P$, $n$ (public) and $Q = kP$. Find $k$ (secret key).

  10. Elliptic Curve Cryptography
      • No sub-exponential complexity algorithm for solving ECDLP.
      • Pollard's rho attack and Shanks attack solve it in $O(\sqrt{n})$.

      | Symmetric key size (bits) | RSA and DH key size (bits) | ECC key size (bits) |
      |---------------------------|----------------------------|---------------------|
      | 80 (SKIPJACK)             | 1024                       | 160                 |
      | 112 (Triple-DES)          | 2048                       | 224                 |
      | 128 (AES-Small)           | 3072                       | 256                 |
      | 192 (AES-Medium)          | 7680                       | 384                 |
      | 256 (AES-Large)           | 15360                      | 521                 |

      NIST comparison of ECC, RSA and DH key for different security requirements.

  11. Elliptic Curve Cryptography
      • Projective coordinates: $c$, $d$ positive integers. An equivalence relation on the set $K^3 \setminus \{(0,0,0)\}$, noted $(X_1, Y_1, Z_1) \sim (X_2, Y_2, Z_2)$, exists if
        $X_1 = \lambda^c X_2$, $Y_1 = \lambda^d Y_2$, $Z_1 = \lambda Z_2$ for $\lambda \in K^*$.
        The projective point is the representative class $(X : Y : Z) = \{(\lambda^c X, \lambda^d Y, \lambda Z) \mid \lambda \in K^*\}$.
        1-1 correspondence between the projective points such that $Z \neq 0$ and the affine points.

  12. Elliptic Curve Cryptography
      • Several projective coordinates:
        1. Standard projective coordinates ($c = 1$ and $d = 1$): $(X, Y, Z)$ with $Z \neq 0$ corresponds to the affine point $(X/Z, Y/Z)$ and $(0:1:0)$ to $\infty$.
        2. Jacobian projective coordinates ($c = 2$ and $d = 3$): $(X, Y, Z)$ with $Z \neq 0$ corresponds to the affine point $(X/Z^2, Y/Z^3)$ and $(1:1:0)$ to $\infty$.
        3. Chudnovsky coordinates: The Jacobian point is represented with redundancy $(X : Y : Z : Z^2 : Z^3)$.

  13. Side Channel Attacks
      • Making assumptions about the knowledge that an attacker has about the security.
      • It is best to make a stronger assumption than Kerckhoffs's principle.
      • Electronic circuits are inherently leaky.

  14. Side Channel Attacks
      • Power analysis attack is the observation and the study of the power consumption of the cryptographic device.
      • Two types of power analysis attacks are well-known:
        1. Simple power attack (SPA): Visual examination of graphs of the current used by a device over time. A small number of power traces is needed.
        2. Differential power attack (DPA): Does not require detailed knowledge about the device. It is a statistical analysis of the power consumption measurements from a cryptosystem. A large number of power traces is needed.

  15. Side Channel Attacks
      • How to compute Q = kP?
      • Classical algorithm: Double-and-Add
        Input: k = k_{n-1} k_{n-2} … k_0, P ∈ E(F_p)
        Output: Q = kP
        Q ← ∞
        For i from n-1 to 0 do
            Q ← 2Q (DBL)
            If k_i = 1 then Q ← Q + P (ADD)

  16. Side Channel Attacks
      [Figure: Power consumption measure of Double-and-Add algorithm from left to right coded on FPGA [5].]

  17. Side Channel Attacks
      [Figure: Power consumption measure of Double-and-Add algorithm from left to right coded on FPGA [5].]
      In Jacobian coordinates: ADD = 12M + 4S, DBL = 4M + 4S

  18. Side Channel Attacks
      [Figure: Power consumption measure of Double-and-Add algorithm from left to right coded on FPGA [5].]
      In Jacobian coordinates: ADD = 12M + 4S, DBL = 4M + 4S

  19. Side Channel Attacks
      • NAF algorithms coded in C language.
      • The w-NAF algorithm for point multiplication resembles Double-and-Add but with a different secret key representation.
      • Subtracting a point is easy because −(X,Y,Z) = (X,−Y,Z).
      • A width-w NAF of k is the expression $k = \sum_{i=0}^{l-1} k_i 2^i$ where $k_i < 2^{w-1}$ and the $k_i$ are either odd or zero, except $k_{l-1} \neq 0$. At most one of any consecutive digits is nonzero.
      • Unique representation given k and w, noted $\mathrm{NAF}_w(k)$.
      • Length $\mathrm{NAF}_w(k)$ = Length $k$ + 1

  20. Side Channel Attacks
      Width-w NAF algorithm:
        Input: k positive integer, w
        Output: NAF_w(k)
        i ← 0
        While k ≥ 1 do:
            if k is odd then k_i ← k mods 2^w, k ← k − k_i
            else k_i ← 0
            k ← k/2, i ← i + 1
        Return NAF_w(k) = (k_{i-1} … k_0)
      mods is a function that keeps k_i ∈ [−2^{w-1}, 2^{w-1} − 1]

  21. Side Channel Attacks
      Window NAF method for point multiplication algorithm:
        Input: k positive integer, w, P ∈ E(F_q)
        Output: kP
        Calculate NAF_w(k)
        Compute and store all P_i = iP ∀ i odd and i < 2^{w-1}
        Q ← ∞
        For i from l-1 downto 0 do:
            Q ← 2Q
            if k_i ≠ 0 then
                if k_i > 0 then Q ← Q + P_{k_i}
                else Q ← Q − P_{−k_i}

  22. Side Channel Attacks
      Window NAF method for point multiplication algorithm:
        Input: k positive integer, w, P ∈ E(F_q)
        Output: kP
        Calculate NAF_w(k)
        Compute and store all P_i = iP ∀ i odd and i < 2^{w-1}
        Q ← ∞
        For i from l-1 downto 0 do:
            Q ← 2Q
            if k_i ≠ 0 then
                if k_i > 0 then Q ← Q + P_{k_i}
                else Q ← Q − P_{−k_i}
      • Faster computation of kP.
      • Is it safe against SPA?

  23. Side Channel Attacks
      • Cryptographic device STM32L053R8 Nucleo [3]
      • Ultra-Low power consumption platform.
      • Processor ARM 32-bit Cortex-M0+.
      • 64 Kbytes Flash.
      • 8 Kbytes RAM.
      • 32 MHz CPU.
      • 1 user led and 2 buttons.
      • Mbed Enabled.
      • Etc …
      • Make the led twinkle.
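
Added example, not taken from the slides or the author's C code: the width-w NAF recoding of slide 20 together with the DBL/ADD sequence that the loops of slides 15 and 21 execute, to examine the question raised on slide 22. The function names and the sample scalar 0xB5 are constructed for illustration, and the integer 1 stands in for the point P so that no curve arithmetic is needed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* k mods 2^w: residue of k modulo 2^w, taken in [-2^(w-1), 2^(w-1) - 1]. */
static int mods(uint64_t k, int w) {
    int r = (int)(k & ((1u << w) - 1));
    return r >= (1 << (w - 1)) ? r - (1 << w) : r;
}
/* Width-w NAF recoding (slide 20); d[0] is the least significant digit.
 * Returns the digit count. Assumes k < 2^62 and 2 <= w <= 8. */
int wnaf(uint64_t k, int w, int *d) {
    int i = 0;
    for (; k >= 1; i++) {
        d[i] = (k & 1) ? mods(k, w) : 0;
        k = (uint64_t)((int64_t)k - d[i]) >> 1;
    }
    return i;
}
/* Plain binary digits: the key representation Double-and-Add uses (slide 15). */
int binary(uint64_t k, int *d) {
    int i = 0;
    for (; k; k >>= 1) d[i++] = (int)(k & 1);
    return i;
}
/* Operation sequence of the left-to-right loop: 'D' (DBL) for every digit,
 * then 'A' (ADD or subtract) when the digit is nonzero. Returns its length. */
int op_trace(const int *d, int len, char *out) {
    int n = 0;
    for (int i = len - 1; i >= 0; i--) {
        out[n++] = 'D';
        if (d[i] != 0) out[n++] = 'A';
    }
    out[n] = '\0';
    return n;
}
/* The same loop with the integer 1 standing in for P: it must end at k. */
int64_t scalar_model(const int *d, int len) {
    int64_t q = 0;
    for (int i = len - 1; i >= 0; i--) q = 2 * q + d[i];
    return q;
}

int main(void) {
    int d[80]; char t[200];
    op_trace(d, wnaf(0xB5, 3, d), t);   /* 0xB5: constructed sample scalar */
    printf("NAF_3 ops:  %s\n", t);
    op_trace(d, binary(0xB5, d), t);
    printf("binary ops: %s\n", t);
    return 0;
}
```

For k = 0xB5 the window NAF loop needs 3 additions where Double-and-Add needs 5, but an `A` still follows only a nonzero digit, so the operation sequence differs from key to key. Unless DBL and ADD are made indistinguishable or the sequence is made fixed, the positions of the nonzero digits remain visible in the pattern of operations.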
