Dynamic Runtime Methods to Enhance Private Key Blinding

In this paper we propose new methods to blind exponents used in RSA and in elliptic curves based algorithms. Due to classical differential power analysis (DPA and CPA), a lot of countermeasures to protect exponents have been proposed since 1999 Kocher [20] and by Coron [13]. However, these blinding methods present some drawbacks regarding execution time and memory cost. It also got some weaknesses. Indeed they could also be targeted by some attacks such as The Carry Leakage on the Randomized Exponent proposed by P.A. Fouque et al. in [23] or inefficient against some others analysis such as Single Power Analysis. In this article, we explain how the most used method could be exploited when an attacker can access test samples. We target here new dynamic blinding methods in order to prevent from any learning phase and also to improve the resistance against the latest side channel analyses published

Recovering Secrets From Prefix-Dependent Leakage

We discuss how to recover a secret bitstring given partial information obtained during a computation over that string, assuming the computation is a deterministic algorithm processing the secret bits sequentially. That abstract situation models certain types of side-channel attacks against discrete logarithm and RSA-based cryptosystems, where the adversary obtains information not on the secret exponent directly, but instead on the group or ring element that varies at each step of the exponentiation algorithm. Our main result shows that for a leakage of a single bit per iteration, under suitable statistical independence assumptions, one can recover the whole secret bitstring in polynomial time. We also discuss how to cope with imperfect leakage, extend the model to $k$-bit leaks, and show how our algorithm yields attacks on popular cryptosystems such as (EC)DSA

A Comparison of Double Point Multiplication Algorithms and their Implementation over Binary Elliptic Curves

Efficient implementation of double point multiplication is crucial for elliptic curve cryptographic systems. We revisit three recently proposed simultaneous double point multiplication algorithms. We propose hardware architectures for these algorithms, and provide a comparative analysis of their performance. We implement the proposed architectures on Xilinx Virtex-4 FPGA, and report on the area and time results . Our results indicate that differential addition chain based algorithms are better suited to compute double point multiplication over binary elliptic curves for both high performance and resource constrained applications

FPGA IMPLEMENTATION FOR ELLIPTIC CURVE CRYPTOGRAPHY OVER BINARY EXTENSION FIELD

Elliptic curve cryptography plays a crucial role in network and communication security. However, implementation of elliptic curve cryptography, especially the implementation of scalar multiplication on an elliptic curve, faces multiple challenges. One of the main challenges is side channel attacks (SCAs). SCAs pose a real threat to the conventional implementations of scalar multiplication such as binary methods (also called doubling-and-add methods). Several scalar multiplication algorithms with countermeasures against side channel attacks have been proposed. Among them, Montgomery Powering Ladder (MPL) has been shown an effective countermeasure against simple power analysis. However, MPL is still vulnerable to certain more sophisticated side channel attacks. A recently proposed modified MPL utilizes a combination of sequence masking (SM), exponent splitting (ES) and point randomization (PR). And it has shown to be one of the best countermeasure algorithms that are immune to many sophisticated side channel attacks [11]. In this thesis, an efficient hardware architecture for this algorithm is proposed and its FPGA implementation is also presented. To our best knowledge, this is the first time that this modified MPL with SM, ES, and PR has been implemented in hardware

On the Impacts of Mathematical Realization over Practical Security of Leakage Resilient Cryptographic Schemes

In real world, in order to transform an abstract and generic cryptographic scheme into actual physical implementation, one usually undergoes two processes: mathematical realization at algorithmic level and physical realization at implementation level. In the former process, the abstract and generic cryptographic scheme is transformed into an exact and specific mathematical scheme, while in the latter process the output of mathematical realization is being transformed into a physical cryptographic module runs as a piece of software, or hardware, or combination of both. In black-box model (i.e. leakage-free setting), a cryptographic scheme can be mathematically realized without affecting its theoretical security as long as the mathematical components meet the required cryptographic properties. However, up to now, no previous work formally show that whether one can mathematically realize a leakage resilient cryptographic scheme in existent ways without affecting its practical security. Our results give a negative answer to this important question by introducing attacks against several kinds of mathematical realization of a practical leakage resilient cryptographic scheme. Our results show that there may exist a big gap between the theoretical tolerance leakage rate and the practical tolerance leakage rate of the same leakage resilient cryptographic scheme if the mathematical components in the mathematical realization are not provably secure in leakage setting. Therefore, on one hand, we suggest that all (practical) leakage resilient cryptographic schemes should at least come with a kind of mathematical realization. Using this kind of mathematical realization, its practical security can be guaranteed. On the other hand, our results inspire cryptographers to design advanced leakage resilient cryptographic schemes whose practical security is independent of the specific details of its mathematical realization

Template Attack on Blinded Scalar Multiplication with Asynchronous perf-ioctl Calls

In recent years, performance counters have been used as a side channel source for the branch mispredictions which has been used to attack ciphers with user privileges. However, existing research considers blinding techniques, like scalar blinding, scalar splitting as a mechanism of thwarting such attacks. In this endeavour, we reverse engineer the undisclosed model of Intel’s Broadwell and Sandybridge branch predictor and further utilize the largely unexplored perf ioctl calls in sampling mode to granularly monitor the branch prediction events asynchronously when a victim cipher is executing. With these artifacts in place, we target scalar blinding and splitting countermeasures to develop a key retrieval process using what is called as Deduce & Remove. The Deduce step uses template based on the number of branch misses as expected from the 3-bit model of the BPU to infer the matched candidate values. In the Remove step, we correct any erroneous conclusions that are made, by using the properties of the blinding technique under attack. It may be emphasized that as in iterated attacks the cost of a mistaken deduction could be significant, the blinding techniques actually aids in removing wrong guesses and in a way auto-corrects the key retrieval process. Finally, detailed experimental results have been provided to illustrate all the above steps for point blinding, scalar blinding, and scalar splitting to show that the secret scalar can be correctly recovered with high confidence. The paper concludes with recommendation on some suitable countermeasure at the algorithm level to thwart such attacks

On the Worst-Case Side-Channel Security of ECC Point Randomization in Embedded Devices

Point randomization is an important countermeasure to protect Elliptic Curve Cryptography (ECC) implementations against side-channel attacks. In this paper, we revisit its worst-case security in front of advanced side-channel adversaries taking advantage of analytical techniques in order to exploit all the leakage samples of an implementation. Our main contributions in this respect are the following: first, we show that due to the nature of the attacks against the point randomization (which can be viewed as Simple Power Analyses), the gain of using analytical techniques over simpler divide-and-conquer attacks is limited. Second, we take advantage of this observation to evaluate the theoretical noise levels necessary for the point randomization to provide strong security guarantees and compare different elliptic curve coordinates systems. Then, we turn this simulated analysis into actual experiments and show that reasonable security levels can be achieved by implementations even on low-cost (e.g. 8-bit) embedded devices. Finally, we are able to bound the security on 32-bit devices against worst-case adversaries