
Applying Horizontal Clustering Side-Channel Attacks on Embedded ECC Implementations

Conference paper, published in Smart Card Research and Advanced Applications (CARDIS 2017)

Abstract

Side-channel attacks are a threat to cryptographic algorithms running on embedded devices. Public-key cryptosystems, including elliptic curve cryptography (ECC), are particularly vulnerable because their private keys are usually long-term. Well-known countermeasures such as regularity, projective coordinates and scalar randomization, among others, are used to harden implementations against common side-channel attacks like DPA.

Horizontal clustering attacks can theoretically overcome these countermeasures by attacking individual side-channel traces. In practice, horizontal attacks have been applied to overcome protected ECC implementations on FPGAs. However, it has not yet been known whether such attacks can be applied to protected implementations running on embedded devices, especially in a non-profiled setting.

In this paper we mount non-profiled horizontal clustering attacks on two protected implementations of the Montgomery Ladder on Curve25519 available in the \(\mu \)NaCl library targeting electromagnetic (EM) emanations. The first implementation performs the conditional swap (cswap) operation through arithmetic of field elements (cswap-arith), while the second does so by swapping the pointers (cswap-pointer). They run on a 32-bit ARM Cortex-M4F core.

Our best attack has success rates of 97.64% and 99.60% for cswap-arith and cswap-pointer, respectively. This means that at most 6 and 2 bits are incorrectly recovered, and therefore, a subsequent brute-force can fix them in reasonable time. Furthermore, our horizontal clustering framework used for the aforementioned attacks can be applied against other protected implementations.

E. Nascimento—This work was partially done by the author in a research internship at Riscure BV.


Notes

  1. Turning off the countermeasures is not always possible in the ICC EMVCo smart card evaluations [9], for example.

  2. In an m-ary method, m bits of the scalar are processed in one iteration of ECSM, while in a standard ECSM a single bit is processed per iteration.

  3. Cswap means conditional swap. In a Montgomery ladder ECSM, the cswap condition value tells whether or not to swap, and it depends on the secret scalar bit. Thus, it should ideally be constant time and not leak through other side channels.

  4. We use the term success rate to refer to the percentage of correctly recovered bits.

  5. http://munacl.cryptojedi.org/curve25519-cortexm0.shtml.

  6. Selected by preprocessor definition DH_SWAP_BY_POINTERS.

  7. Our attack also works against implementations protected with scalar randomization. We have not implemented this countermeasure, but instead we set a random scalar for each ECSM execution.

  8. http://www.riscure.com/.

  9. Assuming that the sample values at a given index come from a normal distribution, choosing \(\beta = 2.0\) implies that \(95\%\) of the values are within the interval \([x-\mu , x+\mu ]\).

  10. We note that the steps POI-OPT and key recovery can be repeated. Due to the high increase in computational time required to run them more than once, as well as the fact that the results using a single iteration were already sufficient for a successful attack, we chose not to further investigate whether repetition could improve the results.

  11. We knew where and by how much to trim because we knew from the source code and binary the approximate location of the cswap in the iteration traces.

  12. MJ, LL and MD stand for majority rule, log-likelihood and multi-dimensional, respectively.

  13. Among them: number of traces for CLA, “KR for CLA” and “KR final” steps, clustering algorithms, distinguishers and statistical combination methods.

  14. |k| denotes the length of the base 2 representation of the scalar k.

References

  1. Bauer, A., Jaulmes, É.: Correlation analysis against protected SFM implementations of RSA. In: Paul, G., Vaudenay, S. (eds.) INDOCRYPT 2013. LNCS, vol. 8250, pp. 98–115. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-03515-4_7

  2. Bauer, A., Jaulmes, E., Prouff, E., Wild, J.: Horizontal and vertical side-channel attacks against secure RSA implementations. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 1–17. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36095-4_1

  3. Caliński, T., Harabasz, J.: A dendrite method for cluster analysis. Commun. Stat. Theory Methods 3(1), 1–27 (1974)

  4. Clavier, C., Feix, B., Gagnerot, G., Giraud, C., Roussellet, M., Verneuil, V.: ROSETTA for single trace analysis. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 140–155. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34931-7_9

  5. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 46–61. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17650-0_5

  6. Davies, D.L., Bouldin, D.W.: A cluster separation measure. IEEE Trans. Pattern Anal. Mach. Intell. 1, 224–227 (1979)

  7. Dempster, A.P., Laird, N.M., Rubin, D.B.: Maximum likelihood from incomplete data via the EM algorithm. J. R. Stat. Soc. Ser. B (Methodol.) 39, 1–38 (1977)

  8. Dürr, F.: Key 2.0 is a Bluetooth IoT Door Lock (2017). https://github.com/duerrfk/key20

  9. EMV: EMVCo Security Evaluation Process, version 5.1, Security Guidelines (2016)

  10. Fisher, R.A.: The use of multiple measurements in taxonomic problems. Ann. Eugenics 7(7), 179–188 (1936)

  11. Forgy, E.W.: Cluster analysis of multivariate data: efficiency versus interpretability of classifications. Biometrics 21, 768–769 (1965)

  12. Goodwill, G., Jun, B., Jaffe, J., Rohatgi, P.: A testing methodology for side channel resistance validation. In: NIST Workshop 2011 (2011)

  13. Hawkings, D.: Identification of Outliers. Chapman and Hall, London (1980)

  14. Heyszl, J., Ibing, A., Mangard, S., De Santis, F., Sigl, G.: Clustering algorithms for non-profiled single-execution attacks on exponentiations. In: Francillon, A., Rohatgi, P. (eds.) CARDIS 2013. LNCS, vol. 8419, pp. 79–93. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08302-5_6

  15. Heyszl, J., Mangard, S., Heinz, B., Stumpf, F., Sigl, G.: Localized electromagnetic analysis of cryptographic implementations. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 231–244. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27954-6_15

  16. Itoh, K., Izu, T., Takenaka, M.: Address-bit differential power analysis of cryptographic schemes OK-ECDH and OK-ECDSA. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 129–143. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_11

  17. Itoh, K., Izu, T., Takenaka, M.: A practical countermeasure against address-bit differential power analysis. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 382–396. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45238-6_30

  18. Izumi, M., Ikegami, J., Sakiyama, K., Ohta, K.: Improved countermeasure against address-bit DPA for ECC scalar multiplication. In: 2010 Design, Automation and Test in Europe Conference and Exhibition (DATE 2010), pp. 981–984. IEEE (2010)

  19. Izumi, M., Sakiyama, K., Ohta, K.: A new approach for implementing the MPL method toward higher SPA resistance. In: International Conference on Availability, Reliability and Security, ARES 2009, pp. 181–186. IEEE (2009)

  20. Järvinen, K., Balasch, J.: Single-trace side-channel attacks on scalar multiplications with precomputations. In: Lemke-Rust, K., Tunstall, M. (eds.) CARDIS 2016. LNCS, vol. 10146, pp. 137–155. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-54669-8_9

  21. Jolliffe, I.: Principal Component Analysis. Springer Series in Statistics. Springer, Heidelberg (2002). https://doi.org/10.1007/b98835

  22. Kauffman, L., Rousseeuw, L.: Finding Groups in Data. An Introduction to Cluster Analysis. Wiley, New York (1990)

  23. Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987)

  24. Le, D.-P., Tan, C.H., Tunstall, M.: Randomizing the Montgomery powering ladder. In: Akram, R.N., Jajodia, S. (eds.) WISTP 2015. LNCS, vol. 9311, pp. 169–184. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24018-3_11

  25. Lloyd, S.: Least squares quantization in PCM. IEEE Trans. Inf. Theory 28(2), 129–137 (1982)

  26. Mather, L., Oswald, E., Bandenburg, J., Wójcik, M.: Does my device leak information? An a priori statistical power analysis of leakage detection tests. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 486–505. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42033-7_25

  27. Meynard, O., Réal, D., Flament, F., Guilley, S., Homma, N., Danger, J.L.: Enhancement of simple electro-magnetic attacks by pre-characterization in frequency domain and demodulation techniques. In: 2011 Design, Automation and Test in Europe, pp. 1–6 (2011)

  28. Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39799-X_31

  29. Nascimento, E., Chmielewski, Ł.: Applying horizontal clustering side-channel attacks on embedded ECC implementations (extended version). Cryptology ePrint Archive, Report 2017/1204 (2017). https://eprint.iacr.org/2017/1204

  30. Nascimento, E., Chmielewski, Ł., Oswald, D., Schwabe, P.: Attacking embedded ECC implementations through cmov side channels. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 99–119. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_6

  31. Negre, C., Perin, G.: Trade-off approaches for leak resistant modular arithmetic in RNS. In: Foo, E., Stebila, D. (eds.) ACISP 2015. LNCS, vol. 9144, pp. 107–124. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-19962-7_7

  32. NIST: NIST/SEMATECH e-Handbook of Statistical Methods. Section 7.1.6. What are outliers in the data? (2013)

  33. NIST: NIST/SEMATECH e-Handbook of Statistical Methods. Section 7.4.7.1. Tukey’s method (2013)

  34. Perin, G., Chmielewski, Ł.: A semi-parametric approach for side-channel attacks on protected RSA implementations. In: Homma, N., Medwed, M. (eds.) CARDIS 2015. LNCS, vol. 9514, pp. 34–53. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31271-2_3

  35. Perin, G., Imbert, L., Torres, L., Maurine, P.: Attacking randomized exponentiations using unsupervised learning. In: Prouff, E. (ed.) COSADE 2014. LNCS, vol. 8622, pp. 144–160. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10175-0_11

  36. T. H. Project: Picotls - TLS 1.3 implementation in C (2017). https://github.com/h2o/picotls

  37. Specht, R., Heyszl, J., Kleinsteuber, M., Sigl, G.: Improving non-profiled attacks on exponentiations based on clustering and extracting leakage from multi-channel high-resolution EM measurements. In: Mangard, S., Poschmann, A.Y. (eds.) COSADE 2014. LNCS, vol. 9064, pp. 3–19. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21476-4_1

  38. Standaert, F.-X., Malkin, T.G., Yung, M.: A formal practice-oriented model for the analysis of side-channel attacks. IACR e-print archive 2006/134 (2006)

  39. Walter, C.D.: Sliding windows succumbs to Big Mac attack. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 286–299. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44709-1_24

  40. Wilkinson, T.: HomeKit for Bluetooth Low Energy (BLE) for Nordic nRF51 (2015). https://github.com/aanon4/HomeKit

  41. Witteman, M.F., van Woudenberg, J.G.J., Menarini, F.: Defeating RSA multiply-always and message blinding countermeasures. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 77–88. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_6


Acknowledgements

This work was supported by the European Union’s H2020 Programme under grant agreement number ICT-731591 (REASSURE).

Author information

Correspondence to Erick Nascimento.

A Probability of Successful Efficient Error Correction

We assumed in Sect. 6 that the errors are uniformly distributed. Now we show how to drop this assumption. We construct a as follows: we randomly choose a set A of indices in k such that \(|A| = |k|/2\) and we set the corresponding bits to zero. Then we construct b by setting the remaining indices of the original k to zero (this set of indices is denoted B). Now \(R = [a] P + [b] P\) holds, and if we set \(H=P\) then \(R - [b] P = [a] H\). The attack can be performed as before, provided that when we guess a and b we limit the indices to A and B, respectively.

We now compute the probability that the attack from Sect. 6 works correctly, namely, that the 6 errors are corrected. Without loss of generality, we may assume that the positions of the 6 errors are fixed, because the partition into a and b is random. Therefore, the following situations are possible:

  • all errors are in a or in b: 2 possibilities;

  • one error is in a or b: 12 possibilities;

  • two errors are in a or b: 30 possibilities;

  • three errors are in both a and b: 20 possibilities.

In the first two cases the number of errors in a is 0, 1, 5, or 6. Therefore, the probability that, out of the 6 errors, 2, 3, or 4 of them are not in a equals:
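The closed-form expression from the appendix is not reproduced on this page. As an added example (not the paper's code), the script below recovers the case counts listed above under the model those counts imply (each error position falls in a or in b with probability 1/2, giving 2^6 = 64 equiprobable arrangements), computes the probability of the favourable cases under that model, and also evaluates the exact distribution for the balanced random split the appendix actually describes; the 256-bit scalar length is an assumed parameter, not a value from the paper.

```python
from fractions import Fraction
from math import comb


def coin_model_cases(n_errors: int) -> dict:
    """Arrangements with exactly j error positions in a (the rest in b) when each
    error position lands in a or b independently with probability 1/2. For 6 errors
    these counts sum to 2^6 = 64, matching the appendix's 2 + 12 + 30 + 20."""
    return {j: comb(n_errors, j) for j in range(n_errors + 1)}


def grouped_cases(n_errors: int) -> dict:
    """Group arrangements the way the appendix lists them: by the size m of the
    smaller side, so key m covers 'm errors in a' together with 'm errors in b'."""
    grouped = {}
    for j, ways in coin_model_cases(n_errors).items():
        m = min(j, n_errors - j)
        grouped[m] = grouped.get(m, 0) + ways
    return grouped


def prob_not_in_a_between(n_errors: int, lo: int, hi: int) -> Fraction:
    """Coin-model probability that between lo and hi errors fall outside a,
    i.e. the number of errors inside a lies in [n_errors - hi, n_errors - lo]."""
    cases = coin_model_cases(n_errors)
    favourable = sum(cases[j] for j in range(n_errors - hi, n_errors - lo + 1))
    return Fraction(favourable, 2 ** n_errors)


def exact_balanced_split(n_errors: int, scalar_bits: int) -> list:
    """Exact distribution under the appendix's procedure: A is a uniformly random
    subset of the scalar indices with |A| = scalar_bits/2. With error positions
    fixed, the number of errors inside A is hypergeometric."""
    half = scalar_bits // 2
    total = comb(scalar_bits, half)
    return [Fraction(comb(n_errors, j) * comb(scalar_bits - n_errors, half - j), total)
            for j in range(n_errors + 1)]


if __name__ == "__main__":
    print(grouped_cases(6))                 # {0: 2, 1: 12, 2: 30, 3: 20}
    print(prob_not_in_a_between(6, 2, 4))   # 25/32 under the coin model
    exact = exact_balanced_split(6, 256)    # assumed 256-bit scalar length
    for j, p in enumerate(exact):           # compare exact vs. coin-model values
        print(j, float(p), coin_model_cases(6)[j] / 64)
```

The comparison loop shows that for a scalar of a few hundred bits the balanced split is approximated closely by the independent-coin model behind the listed counts.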

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature


Cite this paper

Nascimento, E., Chmielewski, Ł. (2018). Applying Horizontal Clustering Side-Channel Attacks on Embedded ECC Implementations. In: Eisenbarth, T., Teglia, Y. (eds) Smart Card Research and Advanced Applications. CARDIS 2017. Lecture Notes in Computer Science, vol. 10728. Springer, Cham. https://doi.org/10.1007/978-3-319-75208-2_13


  • DOI: https://doi.org/10.1007/978-3-319-75208-2_13


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-75207-5

  • Online ISBN: 978-3-319-75208-2
