Attacking Embedded ECC Implementations Through cmov Side Channels

Nascimento, Erick; Chmielewski, Łukasz; Oswald, David; Schwabe, Peter

doi:10.1007/978-3-319-69453-5_6

Cited by 43 publications

(48 citation statements)

References 51 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We have not evaluated the implementation against higher order attacks, like cross-correlation [34] (Observe that the scalar splitting should mitigate the cross-correlation attack. ), horizontal cross-correlation [35], single trace template attacks [31] and horizontal cluster attacks [36]. We leave evaluating the implementation against these attacks as future work.…”

Section: Resultsmentioning

confidence: 99%

“…Based on the results presented above, we conclude that the implementation protected with coordinate randomization does not leak the intermediate point values during the scalar multiplication. However, the implementation seems to leak the key bit values; therefore, we suspect that the implementation might be susceptible to attacks similar to address-based DPA [30] or address-based template attacks [31].…”

Section: Implementation Protected With Coordinate Randomizationmentioning

confidence: 99%

See 1 more Smart Citation

Completing the Complete ECC Formulae with Countermeasures

Chmielewski¹,

Massolino

Vliegen

et al. 2017

JLPEA

Self Cite

View full text Add to dashboard Cite

This work implements and evaluates the recent complete addition formulae for the prime order elliptic curves of Renes, Costello and Batina on an FPGA platform. We implement three different versions: (1) an unprotected architecture; (2) an architecture protected through coordinate randomization; and (3) an architecture with both coordinate randomization and scalar splitting in place. The evaluation is done through timing analysis and test vector leakage assessment (TVLA). The results show that applying an increasing level of countermeasures leads to an increasing resistance against side-channel attacks. This is the first work looking into side-channel security issues of hardware implementations of the complete formulae.

show abstract

Section: Resultsmentioning

confidence: 99%

Section: Implementation Protected With Coordinate Randomizationmentioning

confidence: 99%

Completing the Complete ECC Formulae with Countermeasures

Chmielewski¹,

Massolino

Vliegen

et al. 2017

JLPEA

Self Cite

View full text Add to dashboard Cite

show abstract

“…One way to increase resilience against this class of attacks is by randomizing the full table before each point extraction using coordinate randomization, and minimizing the attack surface through some clever masking via a linear pass over the full table (this in order to thwart attacks targeting memory accesses [40]). However, other more sophisticated countermeasures might be required to protect against recent onetrace template attacks that inspect memory accesses [39]. We remark that some variants of these attacks are only adequately mitigated at lower abstraction levels, i.e., the underlying hardware architecture should be noisy enough such that these attacks become impractical.…”

Section: Protected Scalar Multiplicationmentioning

confidence: 99%

FourQ on embedded devices with strong countermeasures against side-channel attacks

Liu

Longa

Pereira

et al. 2018

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Abstract. This work deals with the energy-efficient, high-speed and high-security implementation of elliptic curve scalar multiplication and elliptic curve Diffie-Hellman (ECDH) key exchange on embedded devices using FourQ and incorporating strong countermeasures to thwart a wide variety of side-channel attacks. First, we set new speed records for constant-time curve-based scalar multiplication and DH key exchange at the 128-bit security level with implementations targeting 8, 16 and 32-bit microcontrollers. For example, our software computes a static ECDH shared secret in ∼6.9 million cycles (or 0.86 seconds @8MHz) on a low-power 8-bit AVR microcontroller which, compared to the fastest Curve25519 and genus-2 Kummer implementations on the same platform, offers 2x and 1.4x speedups, respectively. Similarly, it computes the same operation in ∼496 thousand cycles on a 32-bit ARM Cortex-M4 microcontroller, achieving a factor-2.9 speedup when compared to the fastest Curve25519 implementation targeting the same platform. Second, we engineer a set of side-channel countermeasures taking advantage of FourQ's rich arithmetic and propose a secure implementation that offers protection against a wide range of sophisticated side-channel attacks. Finally, we perform a differential power analysis evaluation of our software running on an ARM Cortex-M4, and report that no leakage was detected with up to 10 million traces. These results demonstrate the potential of deploying FourQ on low-power applications such as protocols for IoT.

show abstract

“…The problem lies on the fact that the power consumption of setting all bits in a register is perceptibly higher than that of keeping the register with all its bits equal to zero. An attacker can exploit that fact and discover the secret key through a power measurement of the algorithm execution . We are able to mitigate this vulnerability by using the instruction BLENDV, as shown in Listing 5.…”

Section: Power Side‐channel Vulnerabilitymentioning

confidence: 99%

“…An attacker can exploit that fact and discover the secret key through a power measurement of the algorithm execution. 30 We are able to mitigate this vulnerability by using the instruction BLENDV, as shown in Listing 5. This vulnerability used to occur not only in the word rotation but also in all conditional copies implemented in the original version.…”

Section: Power Side-channel Vulnerabilitymentioning

confidence: 99%

Optimized implementation of QC‐MDPC code‐based cryptography

Guimarães

Aranha

Borin

2018

Concurrency and Computation

View full text Add to dashboard Cite

Summary This paper presents a new enhanced version of the QcBits key encapsulation mechanism, which is a constant‐time implementation of the Niederreiter cryptosystem using QC‐MDPC codes. In this version, we updated the implementation parameters to meet the 128‐bit quantum security level, replaced some of the core algorithms to avoid using slower instructions, vectorized the entire code using the AVX‐512 instruction set extension, and applied several other techniques to achieve a competitive performance level. Our implementation takes 928, 259, and 5008 thousand Skylake cycles to perform batch key generation (cost per key), encryption, and uniform decryption, respectively. Comparing with the current state‐of‐the‐art implementation for QC‐MDPC codes, BIKE, our code is 1.9 times faster when decrypting messages.

show abstract

Attacking Embedded ECC Implementations Through cmov Side Channels

Cited by 43 publications

References 51 publications

Completing the Complete ECC Formulae with Countermeasures

Completing the Complete ECC Formulae with Countermeasures

FourQ on embedded devices with strong countermeasures against side-channel attacks

Optimized implementation of QC‐MDPC code‐based cryptography

Contact Info

Product

Resources

About