d1 s2 r1 - HITCON 2020
Simple Power Analysis of Elliptic Curve Cryptography
Yuan-Che Hsu and JP Chen
Outline
• Elliptic Curve Cryptography
• Simple Power Analysis
• Measurement Setup and Implementation
• Conclusions
Cryptosystems
• Symmetric Cipher: Secret Key / Secret Key, High Speed Encryption, AES / 3-DES
• Asymmetric Cipher (PKC): Public Key / Private Key, Key Agreement, RSA / ECC
Elliptic Curve Cryptography (ECC)
• $y^2 = x^3 + ax + b$
• Private Key: [d]
• Public Key: [d]P
https://www.slideshare.net/KellyBresnahan/elliptic-curve-cryptography-66406021
Scalar Multiplication
• Compute [d]P
• Double-and-Add Algorithm
• 2 Registers

| d (binary) | 10101 | 10101 | 10101 | 10101 | 10101 | 10101 | 10101 |
|---|---|---|---|---|---|---|---|
| X | 1P | 1P | 1P | 1P | 1P | 1P | 1P |
| Y | 1P | 2P | 4P | 5P | 10P | 20P | 21P |
Implementation Hierarchy
• EC Protocols: ECDH
• EC Scalar Multiplication: [d]P
• EC Group Operations: [2]P / P + Q
• Finite Field Arithmetic: + − × ÷
ECDH (Key Exchange)
• Specified Field / Curve / Base Point P
• Alice: choose secret a, compute A = [a]P, send A
• Bob: choose secret b, compute B = [b]P, send B
• Alice: compute shared secret Q = [a]B
• Bob: compute shared secret Q = [b]A
Advantage of ECC
• Small Key Size / Efficient Performance
• Standard of NIST / SECG
ECC-256 / RSA-3072
Side Channel Attack (SCA)
• Plaintext / Ciphertext
• Execution Time
• False Output
• Power Consumption
Power Analysis Attack
• Simple Power Analysis
  • Instruction Leakage
• Differential Power Analysis
  • Data Leakage
http://www.edn.com/Home/PrintView?contentItemId=4410267
https://www.cosic.esat.kuleuven.be/secure-embedded-systems/physical.html
Simple Power Analysis (SPA)
• Key-Dependent Instructions
• Template Profiling
• Pattern Recognition
https://wiki.newae.com/Tutorial_B2_Viewing_Instruction_Power_Differences
Key-Dependent Instructions
• EC Protocols: ECDH
• EC Scalar Multiplication: [d]P
• EC Group Operations: [2]P / P + Q
• Finite Field Arithmetic: + − × ÷
+ − × ÷
[2]P / P + Q
Double and Add in Power Traces
[Figure: power trace with segments labelled Double and Add]
Video Demo
Measurement Setup
http://en.mtmsystems.jp/sakura.html
http://www.saelig.com/product/PSPC10BIT015.htm
https://www.acer.com/ac/en/IL/content/model/NX.M69ET.008
Embedded System
Target Victims
• CPU / MCU: Atmel ATmega8515. Why?
• ASIC / FPGA: Xilinx Spartan-6. Why?
Trace (FPGA)
[Figure: FPGA power trace with regions labelled [2]P / P + Q, ÷, Idle]
Trace Enlarged (FPGA)
Template Construction (FPGA)
[Figure: templates for Double and Add]
Pearson Correlation Coefficient
https://en.wikipedia.org/wiki/Pearson_correlation_coefficient
http://www.improvedoutcomes.com/docs/WebSiteDocs/Clustering/Clustering_Parameters/Pearson_Correlation_and_Pearson_Squared_Distance_Metric.htm
Correlation Trace (FPGA)
[Figure: FPGA correlation trace with regions labelled [2]P / P + Q, ÷, Idle]
Correlation Trace Zoomed (FPGA)
[Figure: zoomed correlation trace with peaks labelled A (Add) and D (Double)]
Key Recovery (FPGA)
• D A → 1
• D → 0
Two Trace (Smartcard)
More Traces (Smartcard)
Variance Trace (Smartcard)
Variance Trace Enlarged (Smartcard)
Extracted Variance Template (Smartcard)
Experiment Results
| | Trace # | Base Point | Template Construction | Pattern Recognition |
|---|---|---|---|---|
| FPGA | 32 | Fixed | Average | Correlation |
| Smartcard | 30 | Random | Alignment, Variance Extraction | Correlation |
If not?
Conclusion
• Algorithmic security is not sufficient anymore
• Hardware security is the main challenge for embedded systems
• Countermeasures exist, but they cost performance
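
The leak behind the Key Recovery slide and the cost of a countermeasure, as an added example that is not part of the original slides. It models the point [k]P as the integer k (an assumption made to keep it short), so only the sequence of group operations that a power trace would reveal is shown; the function names are illustrative, and double-and-add-always is one common countermeasure, not one named on the slides.

```python
# Added illustration (not from the slides). Assumption: the point [k]P is
# modelled as the integer k, so only the operation sequence matters.

def double_and_add(d):
    """Left-to-right double-and-add; returns (k of [k]P, operations run)."""
    y, ops = 1, []                      # Y = 1P, top key bit is always 1
    for bit in bin(d)[3:]:              # remaining key bits, MSB first
        y = 2 * y                       # Double: [2]Y
        ops.append("D")
        if bit == "1":                  # key-dependent branch: the leak
            y = y + 1                   # Add: Y + X, with X = 1P
            ops.append("A")
    return y, "".join(ops)

def bits_from_ops(ops):
    """Decode an operation sequence as on the slide: D A -> 1, D -> 0."""
    bits, i = "1", 0
    while i < len(ops):
        if ops[i] != "D":
            raise ValueError("sequence must be built from D and D A")
        step = 2 if ops[i:i + 2] == "DA" else 1
        bits += "1" if step == 2 else "0"
        i += step
    return bits

def double_and_add_always(d):
    """Countermeasure sketch: every key bit costs one Double and one Add."""
    y, ops = 1, []
    for bit in bin(d)[3:]:
        y = 2 * y
        t = y + 1                       # Add is always executed
        ops += ["D", "A"]
        # Real code needs a branch-free select here; Python's is not.
        y = t if bit == "1" else y
    return y, "".join(ops)

if __name__ == "__main__":
    for d in (0b10101, 0b10000):        # 21 is the slides' example key
        _, leaky = double_and_add(d)
        _, fixed = double_and_add_always(d)
        print(bin(d)[2:], leaky, bits_from_ops(leaky), fixed)
```

For the slides' key 10101 the plain algorithm runs DDADDA (6 operations) while the always-add variant runs DADADADA (8 operations) for every 5-bit key, which is the performance cost of hiding the branch.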
Thank You for Listening!