
Side-Channel Analysis on Blinded Regular Scalar Multiplications - PowerPoint PPT Presentation



  1. Side-Channel Analysis on Blinded Regular Scalar Multiplications
     Benoit Feix, Mylène Roussellet, Alexandre Venelli
     Thales Communications & Security

  2. Target of our paper
     • Elliptic Curve Cryptosystems (ECC) implemented on embedded devices by industrials, using international standards like NIST FIPS186-2 or SEC2
     • We are looking at their resistance against non-profiled side-channel attacks: the attacker has no access to an open device
     • Template attacks → talk « Online Template Attacks »
     • Non-profiled attacks are more restrictive from an adversary's point of view, hence generally more difficult to mount on protected devices
     • We propose a new attack path on an industrially standard implementation of the scalar multiplication algorithm that is resistant against previously known non-profiled attacks

  3. Target of our paper
     Example of targeted implementation:
     • Elliptic curve NIST P-192
     • SSCA resistance: double-and-add-always
     • DSCA resistance: input point blinding (randomized projective coordinates) and exponent blinding (add a random multiple of the curve's order)
     • Computation: $Q = dP$

  4. Agenda
     1. Background: side-channel attacks, ECC
     2. Attack strategy
        1. Weakness of the scalar blinding
        2. Attack with known input
        3. Attack on a fully protected algorithm
     3. Experimental results
     4. Countermeasures
     5. Conclusion

  5. Different flavors of side-channel attacks
     Non-profiled side-channel analysis categories:
     • Vertical correlation attacks
       • The original CPA from Brier et al. CHES 2004
     • Horizontal correlation attacks
       • Attack against exponentiation with known inputs from Clavier et al. ICS 2010
     • Vertical collision-correlation attacks
       • Attack against simple first-order masked AES from Clavier et al. CHES 2011
       • Attack against multiply-always exponentiation with blinded inputs from Witteman CT-RSA 2011
     • Horizontal collision-correlation attacks
       • The classical Big-Mac attack from Walter CHES 2001
       • Attack against atomic implementations of ECC from Bauer et al. 2013
       • Attack against blinded exponentiations from Clavier et al. INDOCRYPT 2012

  6. Side-channel resistant scalar multiplication
     SSCA resistance:
     • Regular algorithms
       • Montgomery ladder, double-and-add-always, Joye's double-add, co-Z algorithms
     • Unified addition formulas
       • The same formula is used for both point addition and point doubling
       • Inefficient on standardized curves, only relevant for particular curve families: Edwards, Huff, …
     • Atomicity
       • Point addition and point doubling are computed using the same sequence of finite field operations, hence using dummy operations

  7. Side-channel resistant scalar multiplication
     DSCA resistance:
     • Scalar blinding: $d' = d + r \cdot \#E$
       • Add a random multiple of the curve's order to the secret scalar
     • Scalar splitting
       • Several methods: additive, multiplicative, Euclidean
       • The most efficient, the Euclidean, consists in $d' = \lfloor d/r \rfloor \cdot r + (d \bmod r)$
     • Randomized projective points
       • An affine point $P = (x, y)$ can be represented in Jacobian coordinates as $(\lambda^2 x, \lambda^3 y, \lambda)$ for any non-zero $\lambda$

  8. Side-channel resistant scalar multiplication
     • Double-and-add-always
     • Randomized projective points
     • Scalar blinding

  9. Agenda
     1. Background: side-channel attacks, ECC
     2. Attack strategy
        1. Weakness of the scalar blinding
        2. Attack with known input
        3. Attack on a fully protected algorithm
     3. Experimental results
     4. Countermeasures
     5. Conclusion

  10. Attack strategy
     Attack in 3 steps, exploiting the weakness in the scalar blinding CM:
     1. Vertical attack → middle part of the scalar
     2. Horizontal attack → MS part of the scalar → recover the random used for the blinding
     3. Vertical attack → LS part of the scalar → find the remaining bits

  11. Weakness in blinded scalars
     • A possible weakness in the scalar blinding technique $d' = d + r \cdot \#E$ has been noted by Joye and Ciet since CHES 2003
     • Example taken from Marc Joye's slides on ECC in the presence of faults
     • The same weakness has also been noted by Smart, Oswald and Page in IET Information Security 2008

  12. Weakness in blinded scalars
     • Both remark that the middle part of $d'$ is correlated to the most significant part of $d$
     • However, no key recovery attack path was found; concerns were raised about the use of scalar blinding
     • We provide a full key recovery attack exploiting this weakness and we show the limits of this CM

  13. Classification of sparse order groups
     • Hasse's theorem: $(\sqrt{p} - 1)^2 \le n \le (\sqrt{p} + 1)^2$ with $n = \#E(\mathbb{F}_p)$, so $n$ is close to the value of $p$
     • NIST FIPS186-2: curves defined over the primes $p_{192}$, $p_{224}$, $p_{256}$, $p_{384}$, $p_{521}$
       • Hence their orders are also sparse
     • 3 categories of curves:
       • Type-1: the order has a large pattern of ones
       • Type-2: the order has a large pattern of zeros
       • Type-3: the order has a combination of large patterns of both ones and zeros

  14. Classification of sparse order groups
     • Notation: $1_{a,b}$ is a pattern of 1 bits from bit position $a$ down to $b$; respectively $0_{a,b}$ for 0 bits
     • Types of $k$-bit curve orders $n$:
       • Type-1: $n = 1_{k-1,a} + x$ with $k-1 > a$ and $1 \le x < 2^a$
       • Type-2: $n = 2^{k-1} + 0_{k-2,a} + x$ with $k-2 > a$ and $1 \le x < 2^a$
       • Type-3: $n = 1_{k-1,a} + 0_{a-1,b} + 1_{b-1,c} + x$ with $k-1 > a > b > c$ and $1 \le x < 2^c$
     • Examples with standard curves:
       • Type-1: $n = 1_{191,96} + x$ (NIST P-192)
       • Type-2: $n = 2^{224} + 0_{223,114} + x$ (SECP224k1)
       • Type-3: $n = 1_{255,224} + 0_{223,192} + 1_{191,128} + x$ (NIST P-256)

  15. Random multiple of the order
     • $r \in [1, 2^m - 1]$ is an $m$-bit random used for the scalar blinding
     • Representations of $r \cdot n$:
       • Type-1: $r \cdot n = r_1 \cdot 2^k + 1_{k-1,a+m} + x$
       • Type-2: $r \cdot n = r \cdot 2^k + 0_{k-1,a+m} + x$
       • Type-3: $r \cdot n = r_1 \cdot 2^k + 1_{k-1,a+m} + r_0 \cdot 2^{a+m} + 0_{a-1+m,b+m} + r_1 \cdot 2^{b+m} + 1_{b-1+m,c+m} + x$
     • The patterns of zeros and ones are reduced by $m$ bits
     • The values $r_1$ and $r_0$ are directly related to $r$ and $m$
       • See paper for details

  16. Adding the scalar to the random mask
     • Representations of $d'$ with the 3 types:
       • Type-1: $d' = (r_1 + 1) \cdot 2^k + d_{k-1,a+m} + x$ (the term $d_{k-1,a+m}$ is non-masked)
       • Type-2: $d' = r \cdot 2^k + d_{k-1,a+m} + x$
       • Type-3: $d' = (r_1 + 1) \cdot 2^k + d_{k-1,a+m} + r_0 \cdot 2^{a+m} + d_{a-1+m,b+m} + (r_1 + 1) \cdot 2^{b+m} + d_{b-1+m,c+m} + x$
     • We clearly distinguish the non-masked part of $d'$

  17. Agenda
     1. Background: side-channel attacks, ECC
     2. Attack strategy
        1. Weakness of the scalar blinding
        2. Attack with known input
        3. Attack on a fully protected algorithm
     3. Experimental results
     4. Countermeasures
     5. Conclusion

  18. Attack on a blinded scalar multiplication with known input
     • First, a simpler scenario: the input point is known, i.e. not masked
     • Notations: let $\{C_1, \ldots, C_N\}$ be $N$ side-channel traces corresponding to the computations $d'^{(i)} P^{(i)}$ where $d'^{(i)} = d + r^{(i)} \cdot n$
     • We consider random factors $r^{(i)} \in [1, 2^m - 1]$

  19. Attack step 1
     • Goal: find the non-masked part of $d'$
     • Let $\delta$ be the bit-length of this non-masked part, noted $d_{a,b}$, with $\delta = (a - b)$
     • Most significant part of $d'$ unknown → vertical collision-correlation
     • [Figure: Type-1 layout of $d'$, $d$ and $d + r \cdot n$; the top block of $d'$ is $r_1 + 1$ and the marked bit positions are $k + m$, $a + m$ and $k$]
