d1 s2 r1 - hitcon 2020cryptosystems 4 public key private key secret key secret key symmetriccipher...
TRANSCRIPT
Simple Power Analysisof Elliptic Curve Cryptography
Yuan-‐Che Hsu and JPChen
1
Outline
• Elliptic Curve Cryptography -‐ Page 3
• Simple Power Analysis -‐ Page 10
• Measurement Setup and Implementation -‐ Page 17
• Conclusions -‐ Page 36
2
Outline
• Elliptic Curve Cryptography
• Simple Power Analysis
• Measurement Setup and Implementation
• Conclusions
3
Cryptosystems
4
PublicKey
PrivateKey
SecretKey
SecretKey
Symmetric Cipher Asymmetric Cipher (PKC)
High Speed EncryptionAES / 3-‐DES
Key AgreementRSA / ECC
Elliptic Curve Cryptography (ECC)
• 𝑦" = 𝑥% + 𝑎𝑥 + 𝑏
• Private Key: [d]
• Public Key: [d]P
https://www.slideshare.net/KellyBresnahan/elliptic-‐curve-‐cryptography-‐664060215
Scalar Multiplication
• Compute [d]P
• Double-‐and-‐Add Algorithm
• 2 Registers
6
10101 10101 10101 10101 10101 10101 10101X 1P 1P 1P 1P 1P 1P 1PY 1P 2P 4P 5P 10P 20P 21P
Implementation Hierarchy
ECProtocolsEC Scalar
Multiplication
EC GroupOperations
Finite Field Arithmetic+ − × ÷
[𝟐]𝑷 / 𝑷 +𝑸
𝒅 𝑷
ECDH
7
ECDH (Key Exchange)
8
Alice BobSpecifiedField / Curve / Base Point 𝑷
𝑨Choose secret 𝑎Compute 𝐴 = [𝑎]𝑃
Choose secret 𝑏Compute 𝐵 = 𝑏 𝑃𝑩
Compute shared secret 𝑄 = 𝑎 𝐵
Compute shared secret 𝑄 = 𝑏 𝐴
Advantage of ECC
• Small Key Size / Efficient Performance
• Standard of NIST / SECG
9
ECC-‐256RSA-‐3072
Outline
• Elliptic Curve Cryptography
• Simple Power Analysis
• Measurement Setup and Implementation
• Conclusions
10
Side Channel Attack (SCA)
11
Plaintext Ciphertext
Execution TimeFalse Output
Power Consumption
Power Analysis Attack
• Simple Power Analysis
• Instruction Leakage
• Differential Power Analysis
• Data Leakage
http://www.edn.com/Home/PrintView?contentItemId=4410267https://www.cosic.esat.kuleuven.be/secure-‐embedded-‐systems/physical.html
12
Simple Power Analysis (SPA)
• Key-‐Dependent Instructions
• Template Profiling
• Pattern Recognition
https://wiki.newae.com/Tutorial_B2_Viewing_Instruction_Power_Differences13
Key-‐Dependent Instructions
ECProtocolsEC Scalar
Multiplication
EC GroupOperations
Finite Field Arithmetic+ − × ÷
[𝟐]𝑷 / 𝑷 +𝑸
𝒅 𝑷
ECDH
14
+ − × ÷
[𝟐]𝑷 / 𝑷 +𝑸
Double and Add in Power Traces
15
Double Add
Video Demo
16
Outline
• Elliptic Curve Cryptography
• Simple Power Analysis
• Measurement Setup and Implementation
• Conclusions
17
Measurement Setup
http://en.mtmsystems.jp/sakura.htmlhttp://www.saelig.com/product/PSPC10BIT015.htm
https://www.acer.com/ac/en/IL/content/model/NX.M69ET.00818
Embedded System
Target Victims
CPU / MCU
AtmelATmega8515
Why?
19
ASIC / FPGA
XilinxSpartan-‐6Why?
Trace (FPGA)
20[2]𝑃 / 𝑃 + 𝑄 ÷ Idle
Trace Enlarged (FPGA)
21
Template Construction (FPGA)
Double Add
22
Pearson Correlation Coefficient
https://en.wikipedia.org/wiki/Pearson_correlation_coefficienthttp://www.improvedoutcomes.com/docs/WebSiteDocs/Clustering/Clustering_Parameters/Pearson_Correlation_and_Pearson_Squared_Distance_Metric.htm
23
Correlation Trace (FPGA)
24[2]𝑃 / 𝑃 + 𝑄 ÷ Idle
Correlation Trace Zoomed (FPGA)
A A A A A A A A A A A A A A A AD D D D D D D D D D D D D D D
25
Double
Add
Key Recovery (FPGA)
D A 1
D 0
26
Two Trace (Smartcard)
27
More Traces (Smartcard)
28
Variance Trace (Smartcard)
29
Variance Trace Enlarged (Smartcard)
30
Extracted Variance Template (Smartcard)
31
Experiment Results
Trace # Base Point TemplateConstruction
Pattern Recognition
FPGA 32 Fixed Average CorrelationSmartcard 30 Random Alignment
VarianceExtractionCorrelation
32
If not?
Outline
• Elliptic Curve Cryptography
• Simple Power Analysis
• Measurement Setup and Implementation
• Conclusions
33
Conclusion
• Algorithmic security is not sufficient anymore
• Hardware security is the main challenge for embedded systems
• Countermeasure exists but trades performance
34
35
Thank You for Listening!