Single-Trace Side-Channel Attacks on Scalar Multiplications with Precomputations

Järvinen, Kimmo; Balasch, Josep

doi:10.1007/978-3-319-54669-8_9

Cited by 12 publications

(9 citation statements)

References 54 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the more general unsupervised setting (see e.g. [8][9][10][11][12]17]), the access to a training device is not possible. The attacker acquires as many traces as possible and induces a maximal value for b that can be handled through the attack.…”

Section: Overall Attack Processmentioning

confidence: 99%

Side-Channel Attacks on Blinded Scalar Multiplications Revisited

Roche¹,

Imbert

Lomné³

2020

Smart Card Research and Advanced Applications

View full text Add to dashboard Cite

In a series of recent articles (from 2011 to 2017), Schindler et al. show that exponent/scalar blinding is not as effective a countermeasure as expected against side-channel attacks targeting RSA modular exponentiation and ECC scalar multiplication. Precisely, these works demonstrate that if an attacker is able to retrieve many randomizations of the same secret, this secret can be fully recovered even when a significative proportion of the blinded secret bits are erroneous. With a focus on ECC, this paper improves the best results of Schindler et al. in both the generic case of random-order elliptic curves and the specific case of structured-order elliptic curves. Our results show that larger blinding material and higher error rates can be successfully handled by an attacker in practice. This study also opens new directions in this line of work by the proposal of a three-steps attack process that isolates the attack critical path (in terms of complexity and success rate) and hence eases the development of future solutions.

show abstract

Section: Overall Attack Processmentioning

confidence: 99%

Side-Channel Attacks on Blinded Scalar Multiplications Revisited

Roche¹,

Imbert

Lomné³

2020

Smart Card Research and Advanced Applications

View full text Add to dashboard Cite

show abstract

“…The scalar multiplication algorithm is based on the curve arithmetic of the Ed25519 implementation presented in [24], which is available online at http://cryptojedi.org/crypto/# avrnacl. The elliptic curve used in Ed25519 is the twisted Edwards curve E : −x 2 + y 2 = 1 + dx 2 For more details on Ed25519 and this specific curve, see [6,7].…”

Section: Target Implementation and Experimental Setupmentioning

confidence: 99%

“…The whole underlying field and curve arithmetic is the same as in [24]. This means in particular that points are internally represented in extended coordinates as proposed in [22].…”

Section: Target Implementation and Experimental Setupmentioning

confidence: 99%

See 1 more Smart Citation

Online template attacks

Batina

Chmielewski²,

Papachristodoulou

et al. 2017

J Cryptogr Eng

View full text Add to dashboard Cite

Template attacks are a special kind of sidechannel attacks that work in two stages. In a first stage, the attacker builds up a database of template traces collected from a device which is identical to the attacked device, but under the attacker's control. In the second stage, traces from the target device are compared to the template traces to recover the secret key. In the context of attacking elliptic curve scalar multiplication with template attacks, one can interleave template generation and template matching and reduce the amount of template traces. This paper enhances the power of this technique by defining and applying the concept of online template attacks, a general attack technique with minimal assumptions for an attacker, who has very very limited control over the template device. We show that online template attacks need only one power consumption trace of a scalar multiplication on the target device; they are thus suitable not only against ECDSA and static elliptic curve Diffie-Hellman (ECDH), but also against elliptic curve scalar multiplication in ephemeral ECDH. In addition, online template attacks need only one template trace per scalar bit and they can be applied to a broad variety of scalar multiplication algorithms. To demonstrate the power of online template attacks, we recover scalar bits of a scalar multiplication using the double-and-add-always algorithm on a twisted Edwards curve running on a smartcard with an ATmega163 CPU.

show abstract

“…However, it is worth noting that [HMHW09] and [UW14] mount correlation power analysis on multi-precision integer multiplication using the product scanning method in ECDSA and optimal-Ate pairings, respectively. Also, [JB16] launches (repeated) single-trace correlation/clustering attacks against the operand-scanning field multiplications in elliptic curve scalar multiplication with precomputations, and claims its applicability to the product scanning method. Streamlined NTRU Prime has positive integer parameters p, q, and w: p and q are primes; 2p ≥ 3w; q ≥ 16w + 1; x p − x − 1 is irreducible in (Z/qZ) [x].…”

Section: Introductionmentioning

confidence: 99%

Power Analysis on NTRU Prime

Huang¹,

Chen²,

Yang³

2019

TCHES

View full text Add to dashboard Cite

This paper applies a variety of power analysis techniques to several implementations of NTRU Prime, a Round 2 submission to the NIST PQC Standardization Project. The techniques include vertical correlation power analysis, horizontal indepth correlation power analysis, online template attacks, and chosen-input simple power analysis. The implementations include the reference one, the one optimized using smladx, and three protected ones. Adversaries in this study can fully recover private keys with one single trace of short observation span, with few template traces from a fully controlled device similar to the target and no a priori power model, or sometimes even with the naked eye. The techniques target the constant-time generic polynomial multiplications in the product scanning method. Though in this work they focus on the decapsulation, they also work on the key generation and encapsulation of NTRU Prime. Moreover, they apply to the ideal-lattice-based cryptosystems where each private-key coefficient comes from a small set of possibilities.

show abstract

Single-Trace Side-Channel Attacks on Scalar Multiplications with Precomputations

Cited by 12 publications

References 54 publications

Side-Channel Attacks on Blinded Scalar Multiplications Revisited

Side-Channel Attacks on Blinded Scalar Multiplications Revisited

Online template attacks

Power Analysis on NTRU Prime

Contact Info

Product

Resources

About