π Protection of cryptographic keys recodings against physical attacks Supervisor: Author: Simon RASTIKIAN Arnaud TISSERAND π π§ 2 = π¦ 3 β π¦
π PLAN β’ Introduction β’ Elliptic Curve Cryptography β’ Side Channel Attacks β’ Application π π§ 2 = π¦ 3 β π¦
π Introduction β’ Public-key cryptography conceived by W. Diffie & M. Hellman. β’ Then comes RSA. β’ Then ECC by N. Koblitz & V. Miller basing their schemes on ECDLP. π β’ What about security? π§ 2 = π¦ 3 β π¦
π Elliptic Curve Cryptography β’ An elliptic curve over a field K is defined by the Weierstrass equation [1] E: π§ 2 + π 1 π¦π§ + π 3 π§ = π¦ 3 + π 2 π¦ 2 + π 4 π¦ + π 6 Where π 1 , π 2 , π 3 , π 4 , π 6 β πΏ πππ Ξ β 0 3 β 27π 6 2 + 9π 2 π 4 π 6 2 π 8 β 8π 4 Ξ = βπ 2 2 + 4π_2 π 2 = π 1 π π 4 = 2π 4 + π 1 π 3 2 + 4π 6 π 6 = π 3 2 β π 4 2 π 6 + 4π 2 π 6 β π 1 π 3 π 4 + π 2 π 3 2 π 8 = π 1 π§ 2 = π¦ 3 β π¦
π Elliptic Curve Cryptography β’ πΉ 1 , πΉ 2 are isomorphic over K if βπ£, π , π‘, π’ β πΏ π₯ππ’β π£ β 0 such that [1]: Ξ¦ βΆ πΏ 2 β πΏ 2 π¦, π§ β (π£ 2 π¦ + π , π£ 3 π§ + π£ 2 π‘π¦ + π’) Transforms equation πΉ 1 into equation πΉ 2 . π π§ 2 = π¦ 3 β π¦
π Elliptic Curve Cryptography Over prime fields F p p > 3 : y 2 = x 3 + ax + b where a, b β K Over binary fields F 2 π : If π 1 β 0 then π§ 2 + π¦π§ = π¦ 3 + ππ¦ 2 + π π₯βππ π π, π β πΏ Ξ = β16 (4a 3 + 27b 2 ) Ξ = π If π 1 = 0 then π§ 2 + ππ§ = π¦ 3 + ππ¦ + π π₯βππ π π, π, π β πΏ Ξ = π 4 Over optimal extension fields F 3 π : 2 β βπ 2 then π§ 2 = π¦ 3 + ππ¦ 2 + π π₯βππ π π, π β πΏ If π 1 Ξ = βπ 3 π π 2 = βπ 2 then π§ 2 = π¦ 3 + ππ¦ If π 1 + π π₯βππ π π, π β πΏ Ξ = βπ 3 π§ 2 = π¦ 3 β π¦
π Elliptic Curve Cryptography β’ Additive law +: πΉ πΏ β πΉ(πΏ) defined by the chord-and-tangent rule π Point addition and point doubling on the curve π§ 2 = π¦ 3 β π¦ + 1 defined over R [5]. π§ 2 = π¦ 3 β π¦
π Elliptic Curve Cryptography β’ Mathematically βπ, π β πΉ(πΏ) : Identity : π + β = β + π = π 1. Negative : βπ = β π¦, π§ = π¦, βπ§ and π¦, π§ + π¦, βπ§ = β 2. Point addition : π = π¦ 1 , π§ 1 , π = π¦ 2 , π§ 2 πππ π β Β±π π’βππ 3. 2 π§ 2 βπ§ 1 π§ 2 βπ§ 1 π + π = π¦ 3 , π§ 3 π₯βππ π π¦ 3 = and π§ 3 = π¦ 1 β π¦ 3 β π§ 1 π¦ 2 βπ¦ 1 π¦ 2 βπ¦ 1 4. Point doubling : if π β βπ then 2 π = π¦ 3 , π§ 3 where π 2 2 +π 3π¦ 1 +π 3π¦ 1 π¦ 3 = β 2π¦ 1 and π§ 3 = π¦ 1 β π¦ 3 β π§ 1 2π§ 1 2π§ 1 π§ 2 = π¦ 3 β π¦
π Elliptic Curve Cryptography Let E be an elliptic curve defined over F p . Suppose P β πΉ( F p ) has a prime order n. <P>={ β ,P, 2P, β¦, (n -1) P} is a cyclic group. ECDLP: Key pair generation: Given E, p, P, n (public parameter). Choose random integer k in [1,n-1] (secret key). Compute Q=kP. π ECDLP problem : Given E, p, P, n (public) and Q=kP. Find k (secret key). π§ 2 = π¦ 3 β π¦
π Elliptic Curve Cryptography β’ No sub-exponential complexity algorithm for solving ECDLP. β’ Pollardβs rho attack and Shanks attack solve it in Ξ(βπ) . Symmetric key size (bits) RSA and DH key size (bits) ECC key size (bits) 80 (SKIPJACK ) 1024 160 112 (Triple-DES) 2048 224 128 (AES-Small) 3072 256 192 (AES-Medium) 7680 384 256 (AES-Large) 15360 521 π NIST comparision of ECC, RSA and DH key for different security requierements. π§ 2 = π¦ 3 β π¦
π Elliptic Curve Cryptography β’ Projective coordinates: c,d postitive integers . An equivalence relation on the set πΏ 3 \{(0,0,0)} noted as 2 , π 2 ) exists if π 1 = π π π 2 , π 1 = π π π 2 , π 1 = ππ 2 πππ π β πΏ β π 1 , π 1 , π 1 ~(π 2 , π The projective point is the representative class π: π: π = {(π π π, π π π, ππ)|π β πΏ β } 1-1 correspondance between the projective points such that π β 0 and the affine points. π π§ 2 = π¦ 3 β π¦
π Elliptic Curve Cryptography β’ Several projective coordinates : 1. Standard projective coordinates (c=1 and d=1): (X,Y,Z) with π β 0 π π corresponds to the affine point ( π , π ) and (0:1:0) to β 2. Jacobian projective coordinates (c=2 and d=3): (X,Y,Z) with π β 0 π π corresponds to the affine point ( π 2 , π 3 ) and (1:1:0) to β . 3. Chudnovsky coordiates: The Jacobian point is represented with redundancy (X:Y:Z:ZΒ²:ZΒ³) π π§ 2 = π¦ 3 β π¦
π Side Channel Attacks β’ Making assumption about the knowledge that an attacker has about the security. β’ It is best to make stronger assumption than Kerckhoffβs principle. β’ Electronic circuits are enherently leaky. π π§ 2 = π¦ 3 β π¦
π Side Channel Attacks β’ Power analysis attack is the observation and the study of the power consuption of the cryptegraphic device. β’ Two types of power analysis attacks are well-known: 1. Simple power attack (SPA): Visual examination of graphs of the current used by a device overtime. Small number of power traces is needed. 2. Differential power attack (DPA): Does not require detailed knowledge about the device. It is a statistical analysis of the power consumption measurements from a cyptosystem. Large number of power traces is π needed. π§ 2 = π¦ 3 β π¦
π Side Channel Attacks β’ How to compute Q=kP? β’ Classical algorithm : Double-and-Add Input : π = π πβ1 π πβ2 β¦ π 0 , π β πΉ(F π ) Output: Q=kP π β β For i form n-1 to 0 do π Q β 2 π (DBL) If k i = 1 then π β π + π (ADD) π§ 2 = π¦ 3 β π¦
π Side Channel Attacks π Power consumption measure of Double-and-Add algorithm from left to right coded on FPGA [5]. π§ 2 = π¦ 3 β π¦
π Side Channel Attacks π Power consumption measure of Double-and-Add algorithm from left to right coded on FPGA [5]. In Jacobian coordinates ADD = 12 M + 4 S DBL = 4M + 4S π§ 2 = π¦ 3 β π¦
π Side Channel Attacks π Power consumption measure of Double-and-Add algorithm from left to right coded on FPGA [5]. In Jacobian coordinates ADD = 12 M + 4 S DBL = 4M + 4S π§ 2 = π¦ 3 β π¦
π Side Channel Attacks β’ NAF algorithms coded in C language. β’ w-NAF algorithm for point multiplication ressembles to Double-and-Add but with different secret key representation. β’ Subtracting a point is easy beacause -(X,Y,Z) = (X,-Y,Z). πβ1 π π 2 π π₯βππ π π π < 2 π₯β1 and β’ A width-w NAF of k is the expression π = π=0 π π are either odd or zero except π πβ1 β 0 . At most one of any consecutive digits is nonzero. π β’ Unique representation given k and w noted ππ΅πΊ π₯ (π) . β’ πππππ’β ππ΅πΊ π₯ π = Length k + 1 π§ 2 = π¦ 3 β π¦
π Side Channel Attacks Width-w NAF algorithm: Input: k positive integer, w Output: ππ΅πΊ π₯ π π β 0 While π β₯ 0 do : if k is odd then π π β π ππππ‘ 2 π₯ , π β π β π π else π π β 0 π π β 2 , π β i + 1 π Return ππ΅πΊ π₯ π = (π πβ1 β¦ π 0 ) mods is a function that keeps π π β β2 π₯β1 , 2 π₯β1 β 1 π§ 2 = π¦ 3 β π¦
π Side Channel Attacks Window NAF method for point multiplication algorithm: Input: k positive integer, w, π β πΉ F π Output: ππ Calculate ππ΅πΊ π₯ π π = ππ βπ πππ πππ π < 2 π₯β1 Compute and store all π π β β For i from l-1 downto 0 do : π β 2π π if π π β 0 then if π π > 0 then π β π + π π π else π β π β π βπ π π§ 2 = π¦ 3 β π¦
π Side Channel Attacks Window NAF method for point multiplication algorithm: Input: k positive integer, w, π β πΉ F π Output: ππ Calculate ππ΅πΊ π₯ π π = ππ βπ πππ πππ π < 2 π₯β1 Compute and store all π π β β For i from l-1 downto 0 do : β’ Faster computation of kP. π β 2π β’ Is it safe against SPA? π if π π β 0 then if π π > 0 then π β π + π π π else π β π β π βπ π π§ 2 = π¦ 3 β π¦
π Side Channel Attacks β’ Cryptographic device STM32L053R8 Nucleo [3] β’ Ultra-Low power consumption platform. β’ Processor ARM 32-bit Cortex-M0+. β’ 64 Kbytes Flash. β’ 8Kbytes RAM. β’ 32MHz CPU. β’ 1 user led and 2 buttons. β’ Mbed Enabled. β’ Etc β¦ π β’ Make the led twinkle. π§ 2 = π¦ 3 β π¦
Recommend
More recommend