Side-Channel Analysis E Oswald
IV.4. SIMPLE SCA ATTACKS ON POINT MULTIPLICATIONS
to be a stationary distribution for the Markov chain if it satisfies

$$\pi_i \ge 0 \;\;\forall i, \qquad \sum_{i=1}^{n} \pi_i = 1, \qquad \text{and} \tag{IV.2}$$

$$\pi T = \pi. \tag{IV.3}$$
Theorem IV.3. For any irreducible and aperiodic Markov chain, there exists a unique stationary distribution π, and any distribution µ_n of the chain at time n approaches π as n → ∞, regardless of the initial distribution µ_0.

This theorem states that, for Markov processes having the properties of being aperiodic and irreducible, a steady state always exists. By using the transition matrix T and the steady-state vector, we can calculate the conditional probabilities (IV.1).
Example: Consider a simple double-add-and-subtract algorithm as shown in Algorithm IV.2.
Algorithm IV.2: Double-Add-and-Subtract Algorithm
INPUT: Point P and multiplier k = Σ_j k_j 2^j, k_j ∈ {0,1}.
OUTPUT: Q = [k]P.
 1. R0 ← O, R1 ← P, s ← 0.
 2. For i = 0 to (number of bits of k) − 1 do:
 3.   If k_i = 0 then
 4.     If s = 11 then R0 ← R0 + R1.
 5.     s ← 0, R1 ← [2]R1.
 6.   If k_i = 1 then
 7.     If s = 0 then R0 ← R0 + R1, R1 ← [2]R1, s ← 1.
 8.     If s = 1 then R0 ← R0 − R1, R1 ← [2]R1, s ← 11.
 9.     If s = 11 then R1 ← [2]R1.
10. If s = 11 then R0 ← R0 + R1.
11. Return R0.
There are three different states s in this algorithm. The initial state is always 0. Under the assumption that Pr(k_i = 0) = Pr(k_i = 1) = 1/2, the transition matrix for this algorithm, with rows and columns in the state order (0, 1, 11), is

$$T = \begin{pmatrix} 0.5 & 0.5 & 0 \\ 0.5 & 0 & 0.5 \\ 0.5 & 0 & 0.5 \end{pmatrix}. \tag{IV.4}$$

From the transition matrix the steady-state vector, which is (1/2, 1/4, 1/4), can be calculated. The number of elliptic curve operations induced by a scalar of a given number of bits can be calculated as well. In each state, a point doubling has to be calculated; hence there is one point doubling per bit. In addition, in half of the cases in each state, a point addition has to be calculated; hence there are (1/4 + 1/8 + 1/8) = 1/2 point additions per bit. In total, 3/2 elliptic curve operations per bit are calculated.
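As an added worked example (not part of the original text), the following Python code runs Algorithm IV.2 on an additive toy group in place of an elliptic curve: a "point" is the integer multiple of P it represents, so point addition is integer addition and doubling is multiplication by 2, while the control flow, and hence the A/D-sequence an observer sees, is exactly that of the algorithm. It also computes the stationary distribution of the transition matrix (IV.4) by iterating µ_{n+1} = µ_n T with exact fractions, which Theorem IV.3 guarantees converges, and the resulting 3/2 operations per bit. The toy group and the function names are assumptions of this example.

```python
"""Algorithm IV.2 on an additive toy group plus the Markov model of its A/D-sequence.
Added example: the toy group (integers standing in for multiples of P) is an assumption."""
from fractions import Fraction


def bits_lsb_first(k):
    """Binary expansion of k, least significant bit first, as a list of 0/1."""
    return [(k >> i) & 1 for i in range(k.bit_length())]


def double_add_subtract(bits, P=1):
    """Algorithm IV.2 on the toy group. Returns (Q, trace) where trace is the
    A/D-sequence an observer sees; a point subtraction is recorded as 'A',
    exactly like an addition, because it costs the same."""
    R0, R1, s = 0, P, 0
    trace = []
    for ki in bits:
        if ki == 0:
            if s == 11:
                R0 += R1                 # close a run of ones
                trace.append("A")
            s = 0
            R1 *= 2
            trace.append("D")
        else:
            # steps 7-9 of the algorithm are mutually exclusive cases on the state
            if s == 0:
                R0 += R1
                trace.append("A")
                R1 *= 2
                trace.append("D")
                s = 1
            elif s == 1:
                R0 -= R1                 # second one in a row: subtract, enter run state
                trace.append("A")
                R1 *= 2
                trace.append("D")
                s = 11
            else:                        # s == 11: inside a run of ones, only double
                R1 *= 2
                trace.append("D")
    if s == 11:                          # step 10: pending run closed after the loop
        R0 += R1
        trace.append("A")
    return R0, "".join(trace)


def ad_sequence(k):
    """A/D-sequence emitted by Algorithm IV.2 for the scalar k."""
    return double_add_subtract(bits_lsb_first(k))[1]


# Transition matrix (IV.4): rows/columns in state order (0, 1, 11), T[a][b] = Pr(next=b | now=a)
T = [[Fraction(1, 2), Fraction(1, 2), Fraction(0)],
     [Fraction(1, 2), Fraction(0), Fraction(1, 2)],
     [Fraction(1, 2), Fraction(0), Fraction(1, 2)]]


def step(mu, matrix):
    """One step of the chain: mu_{n+1} = mu_n T."""
    n = len(mu)
    return tuple(sum(mu[a] * matrix[a][b] for a in range(n)) for b in range(n))


def stationary(matrix, mu0=(Fraction(1), Fraction(0), Fraction(0)), max_steps=1000):
    """Iterate mu_{n+1} = mu_n T from mu0 until it stops changing. Theorem IV.3
    guarantees convergence for this irreducible, aperiodic chain; exact fractions
    make the fixed point exact (here it is reached after two steps)."""
    mu = tuple(mu0)
    for _ in range(max_steps):
        nxt = step(mu, matrix)
        if nxt == mu:
            return mu
        mu = nxt
    raise RuntimeError("chain did not converge")


def is_stationary(pi, matrix):
    """Conditions (IV.2) and (IV.3)."""
    return all(p >= 0 for p in pi) and sum(pi) == 1 and step(pi, matrix) == tuple(pi)


def expected_ops_per_bit(pi):
    """Every state performs one doubling per bit and an addition in half of its transitions."""
    return sum(p * (1 + Fraction(1, 2)) for p in pi)


if __name__ == "__main__":
    k = 560623
    Q, trace = double_add_subtract(bits_lsb_first(k))
    print(Q == k, trace)
    pi = stationary(T)
    print(pi, is_stationary(pi, T), expected_ops_per_bit(pi))
```

Running the script on k = 560623 reproduces the A/D-sequence in the first row of Table IV.2 (31 symbols for 20 bits, close to the 3/2 per bit the steady state predicts); the stationary vector comes out as (1/2, 1/4, 1/4).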
A hidden Markov process is a Markov process in which we can only observe a sequence of emissions (the AD-sequence), but we do not know the sequence of states, which are related to the key bits (the 01-sequence), that the process went through. A hidden Markov model can be characterized by the quintuple (S, O, T, E, s0). The notation used here is similar to the one used before: the transition matrix is denoted by T and the finite set of states is called S. The emissions are denoted by the set O. The emission matrix E is a |S| × |O| matrix and contains the conditional probability that an emission symbol O_j of the set O was produced in state S_i: E_ij = Pr(O_j | S_i). The initial state distribution is denoted by s0. Given a (hidden) Markov model, the task of the attacker is to find, for a given AD-sequence, a corresponding state sequence that explains the given AD-sequence best. One approach to tackle this problem is to choose sub-sequences that are individually most likely, i.e., which have the highest conditional probabilities [269].
Example: Suppose we use Algorithm IV.2 to perform a point multiplication with the scalar k = 560623. As a first step, we calculate sufficiently many conditional probabilities (see Table IV.1) by using the Markov model that we derived in the previous example.
Table IV.1. Non-zero conditional probabilities. In this table we use an abbreviated notation, i.e., we write p(000|DDD) instead of p(Y = 000|X = DDD). We use the LSB first representation.

Pr(000|DDD) = 1/2     Pr(01|DAD) = 1/2      Pr(11|ADAD) = 1/2
Pr(100|DDD) = 1/4     Pr(10|DAD) = 1/4      Pr(10|ADAD) = 1/4
Pr(111|DDD) = 1/4     Pr(11|DAD) = 1/4      Pr(01|ADAD) = 1/4
Pr(001|DDAD) = 1/2    Pr(000|ADDD) = 1/4    Pr(110|ADADAD) = 1/2
Pr(101|DDAD) = 1/4    Pr(100|ADDD) = 1/2    Pr(101|ADADAD) = 1/4
Pr(110|DDAD) = 1/4    Pr(111|ADDD) = 1/4    Pr(011|ADADAD) = 1/4

Table IV.2 shows how the remainder of the attack works. The first row contains the AD-sequence that we deduced from the power trace. In the second row, this sequence is split into sub-sequences. In a practical attack, the length of the sub-sequences will depend on the computational capabilities of the attacker. However, it will be much larger than in this toy example. In the third, fourth and fifth rows, the possible bit-patterns are listed according to their conditional probabilities.
Table IV.2. k = 11110111101100010001, LSB first representation

AD-sequence:     ADADDDADADADDDADADADADDDADDDDAD
Sub-sequences:   ADAD   DDAD   ADAD   DDAD   ADAD   ADDD   ADDD   DAD
Pr = 1/2:        11     001    11     001    11     100    100    01
Pr = 1/4:        10     101    10     101    10     000    000    10
Pr = 1/4:        01     110    01     110    01     111    111    11
We are interested in the number of possible scalar values that have to be tested before the correct k is found. Let n denote the average length of the sub-sequences and m the number of sub-sequences; since the algorithm performs 3/2 operations per bit, m = 3·(number of bits of k)/2n in this example. In the worst case, if we only take the non-zero conditional probabilities into account but not their individual values, we have to test $0.5 \times 3^{m}$ keys on average. Let $g(x, y) = \binom{x}{y}\, 2^{x-y}$. If we take the individual conditional probabilities into account, this reduces to

$$0.5^{m} + 0.5 \sum_{i=0}^{m-1} 0.5^{i}\, 0.25^{m-i} \Big( 1 + g(m, i) + 2 \sum_{j=i+1}^{m} g(m, j) \Big)\, g(m, i)$$

keys on average [270].
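As an added example (not from the original text), the Python code below rebuilds the candidate list that Table IV.2 implies: every sub-sequence contributes its three possible bit-patterns, the 3^m candidate keys are enumerated in order of decreasing probability (the probability of a candidate is 0.5^i · 0.25^(m−i) with i the number of sub-sequences taking their most likely pattern), and the position of the true key k = 560623 in that order is reported. It also evaluates the worst-case average 0.5 × 3^m and the closed form above, with g(x, y) = C(x, y)·2^(x−y), for small m so that the two can be compared. Table IV.2's columns are copied verbatim; the function names and the tie-breaking order within one probability class are this example's own.

```python
"""Ranked key candidates from the sub-sequence table of Table IV.2 and the
size of the search. Added example; COLUMNS and TRUE_KEY are Table IV.2 verbatim."""
from itertools import product
from math import comb

# For each A/D sub-sequence of Table IV.2: the bit-patterns with non-zero
# conditional probability, ordered Pr = 1/2, 1/4, 1/4 (Table IV.1).
COLUMNS = [("11", "10", "01"),      # ADAD
           ("001", "101", "110"),   # DDAD
           ("11", "10", "01"),      # ADAD
           ("001", "101", "110"),   # DDAD
           ("11", "10", "01"),      # ADAD
           ("100", "000", "111"),   # ADDD
           ("100", "000", "111"),   # ADDD
           ("01", "10", "11")]      # DAD
TRUE_KEY = "11110111101100010001"   # k = 560623, LSB first


def g(x, y):
    """Number of candidate keys in which exactly y of the x sub-sequences take their
    most likely pattern; each of the other x-y sub-sequences has two alternatives."""
    return comb(x, y) * 2 ** (x - y)


def ranked_candidates(columns):
    """All 3^m candidate keys, most probable first. A candidate with i top choices has
    probability 0.5^i * 0.25^(m-i), so sorting by i descending orders by probability;
    Python's sort is stable, so ties keep the enumeration order of itertools.product."""
    m = len(columns)
    choices = list(product(range(len(columns[0])), repeat=m))
    choices.sort(key=lambda c: -c.count(0))
    return ["".join(col[r] for col, r in zip(columns, c)) for c in choices]


def rank_of(columns, true_key):
    """1-based position of true_key in the ranked list, i.e. keys tested until it is hit."""
    return ranked_candidates(columns).index(true_key) + 1


def worst_case_average(m):
    """0.5 * 3^m: probabilities ignored, the 3^m candidates tried in arbitrary order."""
    return 0.5 * 3 ** m


def expected_tests(m):
    """Average number of keys tested when candidates are tried in order of decreasing
    probability: the closed form from the text with g as defined above."""
    total = 0.5 ** m                       # the all-top candidate is tested first
    for i in range(m):
        tail = sum(g(m, j) for j in range(i + 1, m + 1))   # keys ranked above class i
        total += 0.5 * 0.5 ** i * 0.25 ** (m - i) * (1 + g(m, i) + 2 * tail) * g(m, i)
    return total


if __name__ == "__main__":
    m = len(COLUMNS)
    print("candidates:", 3 ** m, "true key found at position", rank_of(COLUMNS, TRUE_KEY))
    print("worst case average:", worst_case_average(m), "with probabilities:", expected_tests(m))
```

For the eight sub-sequences of Table IV.2 the list has 3^8 = 6561 entries and the true key sits at position 386, well inside the first probability classes; the class sizes g(m, i) sum to 3^m, which is the consistency check between the two counting formulas.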
The approach that we used in the previous example was to choose sub-sequences that are individually most likely. This strategy guarantees that we find the key k; however, it does not take sequences of sub-sequences into account. Another widely used strategy is to find the single best path. A well-known technique for this approach is the Viterbi algorithm, which has been used successfully to attack double-add-and-subtract algorithms [195]. In the case of a randomized version of the algorithm that was discussed in the previous example, the Viterbi algorithm determines approximately 88% of all intermediate states correctly. The remaining, unknown states can be determined by a meet-in-the-middle technique that is sketched in the following section.
Improvements: Assume that the point Q is given by Q = [k]P, where k = xb + y denotes the private key k and P the public base point. Then we know that for the correct values of x, b and y the equation Q − [y]P = [xb]P must hold. By computing and comparing the values of the left- and right-hand sides of this equation, we can determine k. Hence, if k is almost determined, the remaining bits can be guessed and verified by checking the previous equation. This approximately halves the search space for k.
Other Attack Scenarios: Suppose an attacker has the ability to force a device to use the same scalar k for several point multiplication operations. Due to the randomization, the same scalar will produce different power traces that all give information about the used scalar. Combining the information gained from several traces, a scalar value can usually be determined with very few (approximately 10) measurements [265], [340].
IV.4.3. The Doubling Attack. This attack relies on the fact that similar intermediate values are manipulated when working with a point P and its double [2]P [122]. We assume that an attacker can identify point doubling operations with identical data in two power traces.
Algorithm IV.3: Double-and-Add-Always Algorithm
INPUT: Point P and multiplier k = Σ_j k_j 2^j, k_j ∈ {0,1}.
OUTPUT: Q = [k]P.
1. R0 ← P.
2. For j = (number of bits of k) − 2 down to 0 do:
3.   R0 ← [2]R0.
4.   R_{1−k_j} ← R_{1−k_j} + P.
5. Return R0.
Algorithm IV.3 is secure against simple SCA at first glance, since in each iteration a point doubling and a point addition are executed. Write d_j for the key bit consumed in iteration j of the algorithm, the initialisation R0 ← P counting as iteration 0. The value of the variable R0 after j+1 iterations is

$$Q_j(P) = \Big[ \sum_{i=0}^{j} 2^{\,j-i}\, d_i \Big] P.$$

Rewriting this expression in terms of [2]P leads to $Q_j(P) = Q_{j-1}([2]P) + [d_j]P$. Thus, the intermediate result of the algorithm with input P (which is stored in R0) at step j is equal to the intermediate result of the algorithm with input [2]P at step j−1 if and only if d_j is zero. Hence, we just need to compare the doubling operation at step j+1 for P and at step j for [2]P to recover the bit d_j.
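As an added example (not from the original text), the following Python code runs Algorithm IV.3 on an additive toy group standing in for the curve (a "point" is the integer multiple of P it represents, doubling is multiplication by 2) for the inputs P and [2]P, checks the relation Q_j(P) = Q_{j−1}([2]P) + [d_j]P for every iteration, with d_j the bit consumed in iteration j and the initialisation R0 ← P counting as iteration 0, and lists which bits the comparison of doubling inputs exposes. It shows why the regular doubling-plus-addition structure alone does not hide the scalar, and also the caveat that the last bit is followed by no doubling and so is not covered by this comparison. The toy group and the function names are assumptions of this example.

```python
"""Algorithm IV.3 on an additive toy group and the intermediate-value relation behind the
doubling attack. Added example; the toy group (integers for multiples of P) is an assumption."""


def bits_msb_first(k):
    """Binary expansion of k, most significant bit first."""
    return [int(b) for b in bin(k)[2:]]


def double_and_add_always(bits, P=1):
    """Algorithm IV.3 on the toy group. Returns (Q, intermediates) where intermediates[j]
    is Q_j(P), the value of R0 after j+1 iterations (R0 <- P is iteration 0)."""
    if not bits or bits[0] != 1:
        raise ValueError("Algorithm IV.3 assumes the leading bit of k is 1")
    R = [P, 0]                      # R[0] is the result; R[1] only absorbs dummy additions
    intermediates = [R[0]]
    for kj in bits[1:]:
        R[0] = 2 * R[0]             # the doubling of this iteration consumes the previous R0
        R[1 - kj] = R[1 - kj] + P   # one addition per bit: real (kj = 1) or dummy (kj = 0)
        intermediates.append(R[0])
    return R[0], intermediates


def relation_holds(k, P=1):
    """Check Q_j(P) == Q_{j-1}([2]P) + [d_j]P for every iteration j >= 1."""
    bits = bits_msb_first(k)
    _, qP = double_and_add_always(bits, P)
    _, q2P = double_and_add_always(bits, 2 * P)
    return all(qP[j] == q2P[j - 1] + bits[j] * P for j in range(1, len(bits)))


def bits_exposed_by_doublings(k, P=1):
    """Bits learned by comparing the input of the doubling at step j+1 of the run on P
    (which is Q_j(P)) with the input of the doubling at step j of the run on [2]P
    (which is Q_{j-1}([2]P)): equal inputs mean d_j = 0. The leading bit is 1 by
    construction; the last bit is followed by no doubling, so it is not covered."""
    bits = bits_msb_first(k)
    _, qP = double_and_add_always(bits, P)
    _, q2P = double_and_add_always(bits, 2 * P)
    return [1] + [0 if qP[j] == q2P[j - 1] else 1 for j in range(1, len(bits) - 1)]


if __name__ == "__main__":
    k = 560623
    print(relation_holds(k), bits_exposed_by_doublings(k), bits_msb_first(k))
```

For k = 560623 the comparison recovers all bits except the final one, which Algorithm IV.3 never doubles afterwards; the relation itself holds for every iteration, which is exactly what makes the two traces comparable even though every iteration performs the same two operations.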