Enhanced Doubling Attacks on Signed-All-Bits Set Recoding
Hee-seok Kim (1), Tae Hyun Kim (1), Jeong Choon Ryoo (1), Dong-Guk Han (2), Ho Won Kim (2), and Jongin Lim (1)
1 Graduate School of Information Management and Security, Korea University, Korea, http://cist.korea.ac.kr
2 Electronics and Telecommunications Research Institute (ETRI), Korea, http://www.etri.re.kr/
WISTP 2007
Contents
- Side channel attacks: power analysis
- Scalar multiplication & simple power analysis of ECC
- Countermeasures & original doubling attack (DA)
  - Countermeasure 1: Coron's dummy method
  - Countermeasure 2: sABS recoding method
  - DA & weakness of Coron's dummy method
  - Security of sABS recoding against DA
- Proposed attacks
  - Recursive attack
  - Initializing attack
- Experiments & statistical approach to noise reduction
- Countermeasures & conclusion
Which are Side Channel Attacks
1. Timing Attacks
- Kocher (1996)
2. Differential Fault Analysis (DFA)
- Biham-Shamir (1997)
3. Simple Power Analysis (SPA)
- Kocher, Jaffe, Jun (1998)
4. Differential Power Analysis (DPA)
- Kocher, Jaffe, Jun (1998)
Power attacks
Kocher et al., June 1998: measure the instantaneous power consumption of a device while it runs a cryptographic algorithm.
Different power consumption when operating on logical ones vs. logical zeroes.
Simple power analysis of ECC
In general, addition has a different power consumption from doubling. – C. Clavier et al. [3]
General scalar multiplication algorithm (d: secret exponent):
- Point doubling (D): executed for every bit value of the secret key
- Point addition (A): executed only when the bit value is '1'
Example: d = (11101)_2 gives the operation sequence D A D A D D A, so the key bits can be read off the trace.
Countermeasure against SPA: Coron's dummy method
Point doubling (D) and point addition (A): both executed for every bit value of the secret key.
d = 1 1 1 0 1
Plain double-and-add:  P  2P(D) 3P(A) 6P(D) 7P(A) 14P(D) 28P(D) 29P(A)  -> D A D A D D A
Coron's dummy method:  P  2P(D) 3P(A) 6P(D) 7P(A) 14P(D) 15P(dummy A, result discarded) 28P(D) 29P(A)  -> D A D A D A D A
Countermeasure against SPA: sABS recoding
Recoding rule: 1 = 1 1̄ = 1 1̄ 1̄ = 1 1̄ 1̄ 1̄ = ....., where 1̄ = -1.
sABS recoding: binary d = 1 1 0 0 1 0 1 (every recoded digit has magnitude 1) -> sABS d = 1 1 1 -1 -1 1 -1
Scalar multiplication with the recoded d:
P  2P(D) 3P(A) 6P(D) 7P(A) 14P(D) 13P(S) 26P(D) 25P(S) 50P(D) 51P(A) 102P(D) 101P(S)
D: doubling, A: addition, S: subtraction
The power consumption of addition is similar to that of subtraction!! It's secure against the original SPA.
Doubling Attack (DA) – Fouque et al.
Characteristics
- Assumption: the attacker has the ability to decide whether A = B or not when a smartcard computes ECDBL(A) and ECDBL(B).
- When the input values are P and 2P, Coron's dummy method carries out the same doubling in the vicinity of a bit value '0'.
Attack method
d = 1 0 1 0 0 1
Input P:  P   2P(D) 3P(dummy A) 4P(D) 5P(A) 10P(D) 11P(dummy A) 20P(D) 21P(dummy A) 40P(D) 41P(A)
Input 2P: 2P  4P(D) 6P(dummy A) 8P(D) 10P(A) 20P(D) 22P(dummy A) 40P(D) 42P(dummy A) 80P(D) 82P(A)
[Figure: the two D A D A D A D A traces for inputs P and 2P aligned one step apart; for key 1 0 1 0 . . . . the doubling in the P trace equals (=) the preceding doubling in the 2P trace where the bit is 0 and differs (≠) where it is 1.]
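The original doubling attack on Coron's dummy method, as an added simulation (not the authors' code): points are modelled as integer multiples of the base point P, so ECDBL(kP) is identified by k, which is exactly what the DA assumption grants the attacker; the key and the inputs P, 2P are the slides' example.

```python
# Added simulation (not the authors' code) of the original doubling attack on
# Coron's dummy method, with the slides' key 101001 and inputs P and 2P.
# Points are integer multiples of the base point P, so ECDBL(kP) is identified
# by k: exactly the information the DA assumption (the attacker can tell
# whether two doubled inputs are equal) grants.

def coron_dummy_mul(d, a):
    """Left-to-right double-and-add-always on aP. Every bit costs one ECDBL
    and one ECADD; the ECADD result is discarded for a 0 bit. Returns the
    list of ECDBL inputs (the SPA-visible sequence) and the final multiple."""
    bits = [int(b) for b in bin(d)[2:]]     # MSB first; the leading bit is 1
    acc, doubled = a, []
    for b in bits[1:]:
        doubled.append(acc)                 # ECDBL(acc * P)
        added = 2 * acc + a                 # ECADD is always executed ...
        acc = added if b else 2 * acc       # ... but its result is dropped on 0
    return doubled, acc

def doubling_attack(n_bits, trace):
    """trace(a) = ECDBL inputs observed when the card multiplies aP by the key.
    With v the prefix of the key processed so far, the j-th doubling of the
    2P trace takes 2*v*P while the (j+1)-th doubling of the P trace takes
    (2*v + b)*P, so the two are equal exactly when bit b is 0. The last bit
    feeds no doubling, so only n_bits - 1 bits are recovered here; the last
    one is settled by checking both candidates against the public output."""
    tp, t2p = trace(1), trace(2)
    return [1] + [0 if tp[j + 1] == t2p[j] else 1 for j in range(n_bits - 2)]

SECRET = 0b101001                           # slides: d = 1 0 1 0 0 1 (= 41)

def card(a):
    """The attacked smartcard: leaks only the SPA-visible ECDBL inputs."""
    return coron_dummy_mul(SECRET, a)[0]

if __name__ == "__main__":
    print(card(1), card(2))                 # [1, 2, 5, 10, 20] [2, 4, 10, 20, 40]
    print(doubling_attack(6, card))         # [1, 0, 1, 0, 0]
```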
Security of sABS recoding against DA
Characteristics: because a sABS recoded value has no '0' digit, it is secure against the original DA.
Example: d = 1 1 -1 1 -1 -1
Input P:  P   2P(D) 3P(A) 6P(D) 5P(S) 10P(D) 11P(A) 22P(D) 21P(S) 42P(D) 41P(S)
Input 2P: 2P  4P(D) 6P(A) 12P(D) 10P(S) 20P(D) 22P(A) 44P(D) 42P(S) 84P(D) 82P(S)
No doubling of the P trace has the same input as the preceding doubling of the 2P trace.
Proposed attacks
Characteristics
- Object: new power attacks on scalar multiplication using recoding countermeasures (sABS recoding)
- Feasible attack: supported by a concrete method for the experiment
- Proposed 'initializing attack': a combination of the 'doubling attack' and 'Goubin's attack'
- SPA-based attacks on one bit of the key
Proposed attack 1: Recursive attack
Object: new power attack on scalar multiplication using recoding countermeasures (sABS recoding). If an attacker knows the upper n bits of the secret key, he can find the (n+1)-th bit by this attack; repeating it, the attacker finds all bits of the secret key in sequence.
Characteristic: an attacker who knows the upper n bits of the secret key (= d') selects two inputs A and B that cause the same ECDBL in the vicinity of the (n+1)-th bit (= t):
A = d'P, B = (2d'+1)P; if t = 1, (2d'+1)A = d'B; if t = -1, (2d'+1)A ≠ d'B.
Proposed attack 1: Recursive attack (example)
d = 1 1 -1 1 1 1 -1, d' = 11 (the upper four digits 1 1 -1 1)
A = d'P, B = (2d'+1)P; if t = 1, (2d'+1)A = d'B; if t = -1, (2d'+1)A ≠ d'B
Input A = 11P: 22P(D) 33P(A) 66P(D) 55P(S) 110P(D) 121P(A) 242P(D) 253P(A) 506P(D) 517P(A) 1034P(D) 1023P(S)
Input B = 23P: 46P(D) 69P(A) 138P(D) 115P(S) 230P(D) 253P(A) 506P(D) 529P(A) 1058P(D) 1081P(A) 2162P(D) 2139P(S)
ECDBL(253P) occurs in both traces (the 5th doubling of A and the 4th doubling of B), so t = 1.
Proposed attack 2: Initializing attack
An attacker who knows the upper n bits of the secret key (= d') selects one input A that causes ECDBL(P) at the (n+1)-th bit (= t):
A = (2d'+1)^-1 P; if t = 1, (2d'+1)A = P; if t = -1, (2d'+1)A ≠ P.
The attacker acquires the first doubling signal, ECDBL(P), from the power trace for input point P and compares it with the (n+1)-th doubling signal in the power trace for input point (2d'+1)^-1 P.
Proposed attack 2: Initializing attack (example)
d = 1 1 -1 1 1 1 -1, d' = 11
A = (2d'+1)^-1 P; if t = 1, (2d'+1)A = P; if t = -1, (2d'+1)A ≠ P
The order of the curve is 73, so A = (2*11+1)^-1 P = 54P, since (2*11+1)^-1 mod 73 = 54.
Input A = 54P: 35P(D) 16P(A) 32P(D) 51P(S) 29P(D) 10P(A) 20P(D) P(A) 2P(D) 56P(A) 39P(D) 20P(S)
The 5th doubling of trace A is ECDBL(P), the same as the first doubling of the trace for input P, so t = 1.
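The sABS recoding, the failure of the original DA against it, the recursive attack and the initializing attack, as one added simulation (not the authors' code): points are integer multiples of the base point P modulo a prime group order, the slides' toy order 73 and odd secret keys are assumed, and the DA oracle is modelled as equality of the integer multiples fed to ECDBL.

```python
# Added simulation (not the authors' code). Points are integer multiples of
# the base point P modulo a prime group order N (the slides' toy value 73),
# so kP == mP exactly when k == m (mod N); that equality is what the DA
# oracle ("is ECDBL(A) the same as ECDBL(B)?") reveals to the attacker.
N = 73

def sabs_recode(d):
    """sABS digits in {+1, -1} of an odd d, MSB first: below the leading 1,
    each digit copies the binary bit one place higher (0 becomes -1) and
    the lowest bit, always 1, is dropped; the signed digit sum is still d."""
    assert d % 2 == 1, "the recoding on the slides is applied to odd keys"
    bits = [int(b) for b in bin(d)[2:]]
    return [1] + [1 if b else -1 for b in bits[:-1]]

def sabs_mul(d, a):
    """Left-to-right sABS multiplication of aP by d: returns the multiples
    fed to each ECDBL (the SPA/DA-visible sequence) and the final multiple."""
    acc, doubled = a % N, []
    for t in sabs_recode(d)[1:]:
        doubled.append(acc)                 # ECDBL(acc * P)
        acc = (2 * acc + t * a) % N         # ECADD (t = +1) or ECSUB (t = -1)
    return doubled, acc

def original_da_hits(trace):
    """Original DA (P trace vs 2P trace) finds no equal doublings on sABS:
    2*v*P and (2*v + t)*P never coincide because no digit t is 0."""
    tp, t2p = trace(1)[0], trace(2)[0]
    return sum(tp[j + 1] == t2p[j] for j in range(len(tp) - 1))

def recursive_attack(n_digits, trace):
    """Recover the digits in sequence from the known prefix d'; trace(a) is
    the (ECDBL inputs, result) pair the card leaks when multiplying aP."""
    digits, dp = [1], 1                     # the leading sABS digit is +1
    for n in range(1, n_digits - 1):
        ta, tb = trace(dp)[0], trace(2 * dp + 1)[0]   # A = d'P, B = (2d'+1)P
        # t = +1: the (n+1)-th ECDBL of A and the n-th of B both take (2d'+1)d'P
        t = 1 if ta[n] == tb[n - 1] else -1
        digits.append(t)
        dp = 2 * dp + t
    # no doubling follows the last digit: read it off the returned point dP
    digits.append(1 if trace(1)[1] == (2 * dp + 1) % N else -1)
    return digits

def initializing_attack(dp, n, trace):
    """Recover the (n+1)-th digit alone: with A = (2d'+1)^-1 P and t = +1
    the (n+1)-th ECDBL of trace A takes P, like the first ECDBL of the P trace."""
    a = pow(2 * dp + 1, -1, N)              # d' = 11 gives 23^-1 mod 73 = 54
    return 1 if trace(a)[0][n] == trace(1)[0][0] else -1

SECRET = 93                                 # slides: digits 1 1 -1 1 1 1 -1
def card(a):                                # the attacked card's leakage
    return sabs_mul(SECRET, a)
```

recursive_attack(7, card) returns [1, 1, -1, 1, 1, 1, -1], the slides' key, and initializing_attack(11, 4, card) returns 1 for d' = 11, while original_da_hits(card) is 0.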
Experiments & statistical approach to noise reduction
Setting: PIC microcontroller, 5 V power supply, 1 MHz function generator, oscilloscope.
[Figure: each trace (input P, input Q) is split into n-1 pieces of 1 ECDBL + 1 ECADD; around each doubling the discrepancy is evaluated over two windows X1 and X2 of k points, separated by an ambiguous area of length m.]
Discrepancy between two trace pieces S_1 and S_2 at offset t over a window of k points:
Disc(S_1, S_2, t) = \frac{1}{k} \sum_{j} \left( S_1(t+j) - S_2(t+j) \right)^2
[Figure: the ambiguous area between the windows X1 and X2 is eliminated before the pieces are compared.]
[Figure: attack on a key 1 1 -1 . . . . with inputs P, 3P and 7P: the pieces for input P are compared with those for 3P (Disc < D, digit 1) and for 7P (Disc > D, digit -1), where D is the decision threshold.]
Countermeasures & Conclusion
Characteristics of the proposed attacks
- These new attacks are applicable to the sABS recoding countermeasure.
- SPA-based attacks on one bit of the key.
- The initializing attack is more powerful than Goubin's attack.
Countermeasures
- Use projective coordinates: affine coordinates are not secure.
- BRIP can be applied against our attacks [13].