• PDF / 2,381,467 Bytes
• 21 Pages / 439.37 x 666.142 pts Page_size
• 33 Downloads / 161 Views

DOWNLOAD

REPORT

ICTEAM/ELEN/Crypto Group, Universit´e catholique de Louvain, Louvain-la-Neuve, Belgium [email protected] 2 Brightsight BV, Delft, The Netherlands

Abstract. The wide number and variety of side-channel attacks against scalar multiplication algorithms makes their security evaluations complex, in particular in case of time constraints making exhaustive analyses impossible. In this paper, we present a systematic way to evaluate the security of such implementations against horizontal attacks. As horizontal attacks allow extracting most of the information in the leakage traces of scalar multiplications, they are suitable to avoid risks of overestimated security levels. For this purpose, we additionally propose to use linear regression in order to accurately characterize the leakage function and therefore approach worst-case security evaluations. We then show how to apply our tools in the contexts of ECDSA and ECDH implementations, and validate them against two targets: a Cortex-M4 and a Cortex-A8 micro-controllers.

1

Introduction

State of the art. The secure implementation of Elliptic Curve Cryptography (ECC) is an important ingredient in modern information systems. In this paper, we are concerned with side-channel attacks against scalar multiplication implementations which have been the focus of continuous interest over the last 20 years. This literature informally divides these attacks in two main categories: attacks using a Divide and Conquer (DC) approach and attacks using an Extend and Prune (EP) approach – which we next survey. Attacks that belong to the first category aim at recovering the scalar bits independently and are therefore simple to analyze. They associate a probability or a score to each scalar bit. The scalar is trivially recovered if all the correct bits have the highest probability. If it is not the case, computational power can be used to mitigate the lack of side-channel information thanks to key enumeration [30,35,38]. If the key is beyond computational reach (e.g. beyond 260 ), rank estimation (which requires the knowledge of the key and is therefore only accessible to evaluators, not to concrete adversaries) allows estimating the computational security level of a leaking implementation [6,20,30,39]. c International Association for Cryptologic Research 2017  W. Fischer and N. Homma (Eds.): CHES 2017, LNCS 10529, pp. 534–554, 2017. DOI: 10.1007/978-3-319-66787-4 26

A Systematic Approach to the Side-Channel Analysis

535

k0 k1 k0

Pr [k2 = 1|k0 = 1, k1 = 1]

Pr [k1 = 1|k0 = 1] Pr [k2 = 0|k0 = 1, k1 = 1]

Pr [k0 = 1] Pr [k2 = 1|k0 = 1, k1 = 0] Pr [k1 = 0|k0 = 1] Pr [k2 = 0|k0 = 1, k1 = 0] Pr [k2 = 1|k0 = 0, k1 = 1] Pr [k1 = 1|k0 = 0] Pr [k2 = 0|k0 = 0, k1 = 1] Pr [k0 = 0] Pr [k2 = 1|k0 = 0, k1 = 0] Pr [k1 = 0|k0 = 0] Pr [k2 = 0|k0 = 0, k1 = 0]

Fig. 1. Conditional probability tree for a 3 bits scalar k = (k0 , k1 , k2 ).

Attacks using an EP approach recover the scalar bits in a recursive manner. Recovering the i-th bit requires to first recover all the previous ones. For a nbit scala

Recommend Documents

A Secure ECC-Based Authentication Scheme to Resist Replay Attacks for the IoT

149 80 87MB

The Method of Intrinsic Scaling A Systematic Approach to Regularity

164 68 3MB

A Systematic Approach to Cryptocurrency Fees

178 113 905KB

A Systematic Approach to Multiobjective Optimization

185 69 139KB

A Three-Pronged Approach to Mitigate Web Attacks

130 38 39MB

Systematic Approach to Evaluation of Melanoma and Sarcoma with PET

161 94 20MB

The Influence Agenda A Systematic Approach to Aligning Stakeholders

199 108 2MB

A Deep Learning Approach Against Botnet Attacks to Reduce the Interference Problem of IoT

159 11 31MB

Shear Strengthening of T-beam with GFRP A Systematic Approach

167 23 7MB

Large carnivore attacks on hominins during the Pleistocene: a forensic approach with a Neanderthal example

147 57 3MB

Taylor Expansion of Maximum Likelihood Attacks for Masked and Shuffled Implementations

135 74 31MB

From requirements to implementations: a model-driven approach for web development

170 69 2MB