Abstract
Point randomization is an important countermeasure to protect Elliptic Curve Cryptography (ECC) implementations against side-channel attacks. In this paper, we revisit its worst-case security in front of advanced side-channel adversaries taking advantage of analytical techniques in order to exploit all the leakage samples of an implementation. Our main contributions in this respect are the following: first, we show that due to the nature of the attacks against the point randomization (which can be viewed as Simple Power Analyses), the gain of using analytical techniques over simpler divide-and-conquer attacks is limited. Second, we take advantage of this observation to evaluate the theoretical noise levels necessary for the point randomization to provide strong security guarantees and compare different elliptic curve coordinates systems. Then, we turn this simulated analysis into actual experiments and show that reasonable security levels can be achieved by implementations even on low-cost (e.g. 8-bit) embedded devices. Finally, we are able to bound the security on 32-bit devices against worst-case adversaries.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
This is referred to as Independent Operations’ Leakages (IOL) and is a commonly used assumption in SCA and was shown to be reasonable [13]. For our case study it can be easily verified by plotting a covariance matrix.
- 2.
The operand-caching multiplication is an optimized schoolbook-like multiplication that minimizes the number of operand word loads. It is specifically designed for small embedded devices in order to improve efficiency by minimizing memory operations.
References
Archambeau, C., Peeters, E., Standaert, F.-X., Quisquater, J.-J.: Template attacks in principal subspaces. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 1–14. Springer, Heidelberg (2006). https://doi.org/10.1007/11894063_1
Battistello, A., Coron, J.-S., Prouff, E., Zeitoun, R.: Horizontal side-channel attacks and countermeasures on the ISW masking scheme. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 23–39. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_2
Bauer, A., Jaulmes, E., Prouff, E., Wild, J.: Horizontal collision correlation attack on elliptic curves. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 553–570. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43414-7_28
Bronchain, O., Standaert, F.-X.: Side-channel countermeasures’ dissection and the limits of closed source security evaluations. IACR Cryptology ePrint Archive 2019:1008 (2019)
Cassiers, G., Standaert, F.-X.: Towards globally optimized masking: From low randomness to low noise rate or probe isolating multiplications with reduced randomness and security against horizontal attacks. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(2), 162–198 (2019)
Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 46–61. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17650-0_5
Clavier, C., Joye, M.: Universal exponentiation algorithm. In: Cryptographic Hardware and Embedded Systems - CHES 2001, Third International Workshop, Paris, France, 14–16 May 2001, Proceedings, number Generators, pp. 300–308 (2001)
Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48059-5_25
Durvaux, F., Standaert, F.-X.: From improved leakage detection to the detection of points of interests in leakage traces. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 240–262. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_10
Fischer, W., Giraud, C., Knudsen, E.W., Seifert, J.-P.: Parallel scalar multiplication on general elliptic curves over f\({}_{\text{p}}\) hedged against non-differential side-channel attacks. IACR Cryptology ePrint Archive, 2002:7 (2002)
Glowacz, C., Grosso, V., Poussier, R., Schüth, J., Standaert, F.-X.: Simpler and more efficient rank estimation for side-channel security assessment. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 117–129. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_6
Green, J., Roy, A., Oswald, E.: A systematic study of the impact of graphical models on inference-based attacks on AES. Cryptology ePrint Archive, Report 2018/671 (2018). https://eprint.iacr.org/2018/671
Grosso, V., Standaert, F.-X.: Masking proofs are tight and how to exploit it in security evaluations. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 385–412. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_13
Grosso, V., Standaert, F.-X.: ASCA, SASCA and DPA with enumeration: which one beats the other and when? Cryptology ePrint Archive, Report 2015/535 (2015). https://eprint.iacr.org/2015/535
Guo, Q., Grosso, V., Standaert, F.-X.: Modeling soft analytical side-channel attacks from a coding theory viewpoint. Cryptology ePrint Archive, Report 2018/498 (2018). https://eprint.iacr.org/2018/498
Hanley, N., Kim, H.S., Tunstall, M.: Exploiting collisions in addition chain-based exponentiation algorithms using a single trace. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 431–448. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_23
Hutter, M., Schwabe, P.: NaCl on 8-bit AVR microcontrollers. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 156–172. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38553-7_9
Hutter, M., Wenger, E.: Fast multi-precision multiplication for public-key cryptography on embedded microprocessors. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 459–474. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23951-9_30
Joye, M., Yen, S.-M.: The montgomery powering ladder. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_22
Judea, P.: Reverend Bayes on inference engines: a distributed hierarchical approach. In: Proceedings of the Second AAAI Conference on Artificial Intelligence, AAAI 1982, pp. 133–136. AAAI Press (1982)
Kannwischer, M.J., Pessl, P., Primas, R.: Single-trace attacks on keccak. Cryptology ePrint Archive, Report 2020/371 (2020). https://eprint.iacr.org/2020/371
Karatsuba, A., Ofman, Yu.: Multiplication of many-digital numbers by automatic computers. Dokl. Akad. Nauk SSSR 145, 293–294 (1962)
Kim, T.H., Takagi, T., Han, D.-G., Kim, H.W., Lim, J.: Side channel attacks and countermeasures on pairing based cryptosystems over binary fields. In: Pointcheval, D., Mu, Y., Chen, K. (eds.) CANS 2006. LNCS, vol. 4301, pp. 168–181. Springer, Heidelberg (2006). https://doi.org/10.1007/11935070_11
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9
Koziel, B., Ackie, A.-B., El Khatib, R., Azarderakhsh, R., Mozaffari-Kermani, M.: Sike’d up: fast and secure hardware architectures for supersingular isogeny key encapsulation. Cryptology ePrint Archive, Report 2019/711 (2019). https://eprint.iacr.org/2019/711
MacKay, D.J.C.: Information Theory, Inference & Learning Algorithms. Cambridge University Press, New York (2002)
Montgomery, P.: Modular multiplication without trial division. Math. Comput. 44, 519–521 (1985)
Nascimento, E., Chmielewski, Ł.: Applying horizontal clustering side-channel attacks on embedded ECC implementations. In: Eisenbarth, T., Teglia, Y. (eds.) CARDIS 2017. LNCS, vol. 10728, pp. 213–231. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-75208-2_13
Poussier, R., Zhou, Y., Standaert, F.-X.: A systematic approach to the side-channel analysis of ECC implementations with worst-case horizontal attacks. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 534–554. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_26
Primas, R., Pessl, P., Mangard, S.: Single-trace side-channel attacks on masked lattice-based encryption. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 513–533. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_25
NIST FIPS PUB. 186–2: Digital signature standard (DSS). National Institute for Standards and Technology (2000)
Veyrat-Charvillon, N., Gérard, B., Renauld, M., Standaert, F.-X.: An optimal key enumeration algorithm and its application to side-channel attacks. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 390–406. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-35999-6_25
Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Security evaluations beyond computing power. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 126–141. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_8
Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Soft analytical side-channel attacks. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 282–296. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_15
Acknowledgement
François-Xavier Standaert is a senior research associate of the Belgian fund for scientific research (FNRS-F.R.S.). This work has been funded in parts by the ERC project 724725 (SWORD) and by the European Commission through the H2020 project 731591 (acronym REASSURE). The authors acknowledge the support from the Singapore National Research Foundation (“SOCure” grant NRF2018NCR-NCR002-0001 – www.green-ic.org/socure).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Factorization of \(f_{\mathrm {add}}\)
A Factorization of \(f_{\mathrm {add}}\)
The LPRM rules for information propagation for factors with multiple outputs are deduced from the factorization of a factor with two outputs into two factors with one output each, as shown by the diagram below for the addition operation:
Where in1 and in2 refer to the two inputs to the addition. out1 to the result of the addition and out2 to the output carry bit. Then the add factor is defined as:
The add factor can be factorized into \(f_{\mathrm {add}}^1\) and \(f_{\mathrm {add}}^2\) which are defined as:
The LRPM propagation rules applied to the factorized factor yield for the variable in1:
Since information at variable node is summed we have:
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Azouaoui, M., Durvaux, F., Poussier, R., Standaert, FX., Papagiannopoulos, K., Verneuil, V. (2020). On the Worst-Case Side-Channel Security of ECC Point Randomization in Embedded Devices. In: Bhargavan, K., Oswald, E., Prabhakaran, M. (eds) Progress in Cryptology – INDOCRYPT 2020. INDOCRYPT 2020. Lecture Notes in Computer Science(), vol 12578. Springer, Cham. https://doi.org/10.1007/978-3-030-65277-7_9
Download citation
DOI: https://doi.org/10.1007/978-3-030-65277-7_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-65276-0
Online ISBN: 978-3-030-65277-7
eBook Packages: Computer ScienceComputer Science (R0)