Side-Channel Analysis E Oswald
the private key or an ephemeral (secret) key. We briefly discuss the scenarios under which these operations are attacked.
• The modular multiplication of a known value and the private key needs to be computed in ECDSA. If the multiplication is implemented in such a way that the multiplier is the private key and the multiplication is carried out with a variant of the binary algorithm, then this implementation is, in principle, vulnerable to side-channel analysis. However, this operation can be implemented securely by not using the private key as a multiplier.
• The scalar multiplication of a secret value with a known elliptic curve point, i.e., the point multiplication [ECC, Section IV.2], needs to be calculated in all elliptic curve cryptosystems. This operation, too, is usually implemented by some version of the binary algorithm. It has been shown to be vulnerable to simple and differential side-channel analysis.
Probably the most important elliptic curve protocol is ECDSA. From the previous considerations it is clear that the operation that is difficult to secure is the point multiplication operation. It is also well known [262] that not all bits of the ephemeral ECDSA key need to be known in order to reconstruct the private key of the ECDSA. As a result, the point multiplication operation must be implemented to resist in particular simple side-channel analysis.
IV.4. Simple SCA Attacks on Point Multiplications
In the case of a simple SCA attack on an implementation of a point multiplication algorithm, the adversary is assumed to be able to monitor the side-channel leakage of one point multiplication, Q = [k]P, where Q and P are points on an elliptic curve E and k ∈ Z is a scalar. The attacker's goal is to learn the key k using the information obtained from carefully observing the side-channel leakage (e.g. power trace) of a point multiplication. Such a point multiplication consists of a sequence of point addition, point subtraction and point doubling operations. Each elliptic curve operation itself consists of a sequence of field operations. In most implementations, the standard sequence of field operations in point addition differs from that in point doubling. Every field operation has its unique side-channel trace. Hence, the sequence of field operations of point addition has a different side-channel pattern than that of point doubling (see Figures IV.4 and IV.5 for an example with power traces).
IV.4.1. Attacking the Basic Double-and-Add Algorithm. It was already observed in [87] that the implementation of the simplest form of a double-and-add algorithm, which is the binary algorithm (see Algorithm IV.1), is an easy target for simple side-channel analysis.
First we note that the conditional branch (i.e., Step 5 in Algorithm IV.1) only depends on a single bit of k. Hence, an attacker can inspect the power trace of the point multiplication algorithm to determine k. We have assumed that it is possible to distinguish the point addition operation from the point doubling operation in the power trace. Since a point addition operation can only be caused by a 1 in the bit representation of k, deducing the key is trivial (see Figure IV.6 for an example) in this naive implementation.

Figure IV.4. A point addition power trace. [Plot not reproduced: current in mA versus clock cycle, 0 to 7000.]

Figure IV.5. A point doubling power trace. [Plot not reproduced: current in mA versus clock cycle, 0 to 6000.]

Figure IV.6. The power consumption trace of an elliptic curve scalar point multiplication operation that was performed with a simple double-and-add algorithm. The used scalar can be read directly from this power consumption trace. [Plot not reproduced: current in mA versus clock cycle, annotated with the scalar bits 0 0 1 1 0 0.]
Algorithm IV.1: Right-to-Left Binary Algorithm
INPUT: Point P and l-bit multiplier $k = \sum_{j=0}^{l-1} k_j 2^j$, $k_j \in \{0, 1\}$.
OUTPUT: Q = [k]P.
1. Q ← P.
2. If k_0 = 1 then R ← P else R ← O.
3. For i = 1 to l−1 do:
4.   Q ← [2]Q.
5.   If (k_i = 1) then R ← R + Q.
6. Return R.
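The following Python program is an added illustration and is not part of the chapter. It runs Algorithm IV.1 on a constructed toy curve (y^2 = x^3 + x + 6 over F_11 with base point (2, 7), which has order 13) and records the sequence of doubling (D) and addition (A) operations as a stand-in for the distinguishable power patterns of Figures IV.4 and IV.5; a second function reads the scalar's bits back from that sequence, which is exactly the observation made above. Alongside it, as a standard countermeasure that this section does not discuss, a double-and-add-always variant performs the addition in every iteration so that the operation sequence no longer depends on k. The curve, the point and all function names are constructed for the example.

```python
# Added example (not from the chapter): Algorithm IV.1 on a toy curve with the
# D/A operation sequence recorded, plus a double-and-add-always variant.
# Curve, base point and function names are constructed for illustration only.

P_MOD = 11      # toy prime field F_11 (constructed; far too small for real use)
A = 1           # toy curve y^2 = x^3 + x + 6 over F_11 (13 points, prime order)
BASE = (2, 7)   # 7^2 = 49 = 5 and 8 + 2 + 6 = 16 = 5 (mod 11): on the curve, order 13
INF = None      # the point at infinity O


def inv(x):
    return pow(x % P_MOD, P_MOD - 2, P_MOD)


def _double_formula(p):
    """Affine doubling; O and points with y = 0 double to O."""
    if p is INF or p[1] == 0:
        return INF
    lam = (3 * p[0] * p[0] + A) * inv(2 * p[1]) % P_MOD
    x3 = (lam * lam - 2 * p[0]) % P_MOD
    return (x3, (lam * (p[0] - x3) - p[1]) % P_MOD)


def _add_formula(p1, p2):
    """Affine addition with the special cases O, P + (-P) and P + P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    if p1[0] == p2[0]:
        return _double_formula(p1) if p1[1] == p2[1] else INF
    lam = (p2[1] - p1[1]) * inv(p2[0] - p1[0]) % P_MOD
    x3 = (lam * lam - p1[0] - p2[0]) % P_MOD
    return (x3, (lam * (p1[0] - x3) - p1[1]) % P_MOD)


def point_double(p, trace):
    """Doubling; 'D' stands for its distinguishable power pattern (Figure IV.5)."""
    trace.append("D")
    return _double_formula(p)


def point_add(p1, p2, trace):
    """Addition; 'A' stands for its distinguishable power pattern (Figure IV.4)."""
    trace.append("A")
    return _add_formula(p1, p2)


def right_to_left_binary(k, P, l):
    """Algorithm IV.1 as printed in the chapter. Returns ([k]P, AD-sequence)."""
    trace = []
    bits = [(k >> j) & 1 for j in range(l)]
    Q = P                              # Step 1
    R = P if bits[0] == 1 else INF     # Step 2
    for i in range(1, l):              # Step 3
        Q = point_double(Q, trace)     # Step 4
        if bits[i] == 1:               # Step 5: the branch that depends on k_i
            R = point_add(R, Q, trace)
    return R, "".join(trace)           # Step 6


def recover_upper_bits(trace):
    """Read k_1, ..., k_{l-1} off the AD-sequence of Algorithm IV.1: k_i = 1 exactly
    when the i-th 'D' is followed by an 'A'. Bit k_0 causes no doubling or
    addition (Step 2), so the returned value is k >> 1."""
    value, i, pos = 0, 0, 0
    while pos < len(trace):
        assert trace[pos] == "D", "every iteration starts with a doubling"
        if pos + 1 < len(trace) and trace[pos + 1] == "A":
            value |= 1 << i
            pos += 2
        else:
            pos += 1
        i += 1
    return value


def right_to_left_add_always(k, P, l):
    """Double-and-add-always variant (a standard countermeasure, added here; not
    Algorithm IV.1): the addition runs in every iteration and its result is kept
    only when k_i = 1, so the AD-sequence is 'DA' * (l-1) for every k. Step 2 and
    the selection below still branch on k in this toy code; a real implementation
    has to perform them without data-dependent control flow."""
    trace = []
    bits = [(k >> j) & 1 for j in range(l)]
    Q = P
    R = P if bits[0] == 1 else INF
    for i in range(1, l):
        Q = point_double(Q, trace)
        S = point_add(R, Q, trace)     # always performed
        R = S if bits[i] == 1 else R   # the dummy result is discarded when k_i = 0
    return R, "".join(trace)


def naive_multiply(k, P):
    """Reference [k]P by repeated addition, used to check the two algorithms."""
    R = INF
    for _ in range(k):
        R = _add_formula(R, P)
    return R


if __name__ == "__main__":
    k, l = 0b1011, 4
    R, trace = right_to_left_binary(k, BASE, l)
    print(trace, recover_upper_bits(trace) == k >> 1)   # DADDA True
    print(right_to_left_add_always(k, BASE, l)[1])       # DADADA
```

Note that k_0 is consumed in Step 2 and never produces a doubling or an addition, so the D/A sequence of the loop alone leaves the lowest bit undetermined; the recovery function therefore returns k without that bit. The add-always variant removes only the data-dependent pattern of Step 5: the branch in Step 2 and the special-case handling of O in the toy formulas are further data-dependent behaviour that a hardened implementation has to address.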
More interesting to attack are algorithms that make use of the rich arithmetic on elliptic curves. This arithmetic allows the use of other representations of k, instead of only the binary representation. They offer some inherent resistance to straightforward simple SCA because they also make use of point subtraction. Because point addition and point subtraction only differ slightly, they can be implemented in such a way that their side-channel patterns look alike. Therefore, an attacker cannot determine the key bits by just inspecting the side-channel trace.
IV.4.2. Attacking Double-Add-and-Subtract Algorithms. The task of an attacker is to deduce some information about k by using the information of the side-channel trace. In particular, an attacker wants to determine and exploit the relationship between the occurrence of certain sequences of bits and certain sequences of side-channel patterns. Let X be a random variable that denotes the sequence of patterns in the side-channel trace, i.e., an AD-sequence (for example X = “DDD” or X = “DAD”). Let Y be a random variable that denotes a sequence of patterns in the digit representation of k, i.e., a 01-sequence (for example Y = 000 or Y = 01). Then an attacker is interested in exploiting and calculating the conditional probability
$$\Pr(Y = y \mid X = x) = \frac{\Pr(Y = y \cap X = x)}{\Pr(X = x)} \qquad \text{(IV.1)}$$
for many different x and y. Such probabilities can be calculated by using Markov theory [155].
A Markov process, which in the case of a finite state space is also called a Markov chain, is a rather simple statistical process. In a Markov process, the next state depends on the present state but is independent of the way in which the present state arose from the states before. The transitions between the states are determined by random variables that are either known or have to be estimated.
Definition IV.1. Let $T$ be a $(k \times k)$ matrix with elements $t_{ij}$, $1 \le i, j \le k$. A random process $(X_0, X_1, \ldots)$ with finite state space $S = \{s_1, \ldots, s_k\}$ is said to be a Markov chain with transition matrix $T$ if, for all $n$, all $i, j \in \{1, \ldots, k\}$, and all $i_0, \ldots, i_{n-1} \in \{1, \ldots, k\}$ we have
$$\Pr(X_{n+1} = s_j \mid X_0 = s_{i_0}, \ldots, X_n = s_i) = \Pr(X_{n+1} = s_j \mid X_n = s_i) = t_{ij}.$$
A large class of such Markov processes has the two important properties of being irreducible and aperiodic.
The first property, i.e., that a process is irreducible, means that all states can be reached from all other states with a finite number of steps. The second property, i.e., that a process is aperiodic, means that all states are aperiodic. A state is aperiodic if the period is equal to 1, i.e., the probability of returning to a state is always positive. These two properties are conditions for the main theorem of Markov theory. Before we state this theorem we define the stationary distribution first.
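As an added illustration of Definition IV.1 and of the two properties just described (not part of the chapter), the following Python program checks constructed transition matrices for being stochastic, irreducible and aperiodic, and approximates the stationary distribution of the aperiodic one by power iteration, using the standard definition of a stationary distribution as a row vector π with πT = π and Σπ_i = 1. The matrices, the period algorithm (gcd of d(a) + 1 − d(b) over the edges of an irreducible chain, d being the shortest-path distance from a fixed state) and all function names are assumptions of the example.

```python
# Added example (not from the chapter): the properties named in the text, checked
# on constructed transition matrices, plus the stationary distribution.
from fractions import Fraction as F
from math import gcd

# Constructed 3-state chain: from each state, stay with probability 1/2 or move
# to the next state (cyclically) with probability 1/2.
T_LAZY = [[F(1, 2), F(1, 2), F(0)],
          [F(0), F(1, 2), F(1, 2)],
          [F(1, 2), F(0), F(1, 2)]]

# Constructed deterministic 3-cycle: irreducible, but every return to a state
# takes a multiple of 3 steps, so the period is 3 and the chain is not aperiodic.
T_CYCLE = [[F(0), F(1), F(0)],
           [F(0), F(0), F(1)],
           [F(1), F(0), F(0)]]


def is_transition_matrix(T):
    """t_ij = Pr(X_{n+1} = s_j | X_n = s_i) must be >= 0 and each row must sum to 1."""
    return all(all(t >= 0 for t in row) and sum(row) == 1 for row in T)


def reachable(T, start):
    """States reachable from `start` in a finite number of positive-probability steps."""
    seen, stack = {start}, [start]
    while stack:
        a = stack.pop()
        for b, t in enumerate(T[a]):
            if t > 0 and b not in seen:
                seen.add(b)
                stack.append(b)
    return seen


def is_irreducible(T):
    """Irreducible: every state can be reached from every other state."""
    return all(len(reachable(T, i)) == len(T) for i in range(len(T)))


def period(T, start=0):
    """Period of an irreducible chain: gcd of d(a) + 1 - d(b) over all edges a -> b
    with t_ab > 0, where d is the BFS distance from `start`. A result of 1 means
    the chain is aperiodic (assumes is_irreducible(T))."""
    d, queue = {start: 0}, [start]
    while queue:
        a = queue.pop(0)
        for b, t in enumerate(T[a]):
            if t > 0 and b not in d:
                d[b] = d[a] + 1
                queue.append(b)
    g = 0
    for a in range(len(T)):
        for b, t in enumerate(T[a]):
            if t > 0:
                g = gcd(g, abs(d[a] + 1 - d[b]))
    return g


def is_aperiodic(T):
    return period(T) == 1


def stationary_distribution(T, steps=500):
    """Power iteration pi <- pi T from the point mass on s_1. For an irreducible,
    aperiodic chain this converges to the unique pi with pi T = pi, sum(pi) = 1."""
    k = len(T)
    pi = [1.0] + [0.0] * (k - 1)
    for _ in range(steps):
        pi = [sum(pi[i] * float(T[i][j]) for i in range(k)) for j in range(k)]
    return pi


if __name__ == "__main__":
    for name, T in (("lazy cycle", T_LAZY), ("deterministic cycle", T_CYCLE)):
        print(name, is_transition_matrix(T), is_irreducible(T), period(T))
    print(stationary_distribution(T_LAZY))   # close to [1/3, 1/3, 1/3]
```

For T_LAZY the self-loops make every state aperiodic, and solving πT = π by hand gives π_1 = π_3 and π_2 = π_1, i.e., the uniform distribution, which the power iteration reproduces; for T_CYCLE the iteration would never settle, which is why the main theorem needs both properties.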
Definition IV.2. Let $(X_0, X_1, \ldots)$ be a Markov chain with state space given by $\{s_1, \ldots, s_k\}$ and transition matrix $T$. A row vector $\pi = (\pi_1, \ldots, \pi_k)$ is said