# Some Side Channel Attacks On Elliptic Curve Cryptosystem

Tsuyoshi Takagi

Fachbereich Informatik

Effiziente Kryptographie
## Overview

- Elliptic Curve Cryptosystems (ECC)
- Power Analysis against ECC
- Goubin’s Attack
- Zero-Value Point Attack
- Smart’s Isogeny Defense
## Elliptic Curve

- Elliptic curve over a binary field: $E : y^2 + xy = x^3 + ax^2 + b$, with $a, b \in GF(2^n)$ and $b \neq 0$.
- Elliptic curve over a prime field: $E : y^2 = x^3 + ax + b$, with $a, b \in GF(p)$, $4a^3 + 27b^2 \neq 0$, $p > 3$, and $x, y \in GF(p)$.

All points satisfying $E$, together with the point at infinity $O$, form the Abelian group $E(GF(p))$ under the addition defined on the following slides; $O$ is the group identity.
## Affine Coordinates

Let $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$, $P_3 = (x_3, y_3) \in E(GF(p))$.

Doubling, $P_3 = P_1 + P_1 = 2P_1$:
$$x_3 = \left(\frac{3x_1^2 + a}{2y_1}\right)^2 - 2x_1,\qquad y_3 = \frac{3x_1^2 + a}{2y_1}\,(x_1 - x_3) - y_1$$

Addition, $P_3 = P_1 + P_2$ ($P_1 \neq \pm P_2$):
$$x_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2,\qquad y_3 = \frac{y_2 - y_1}{x_2 - x_1}\,(x_1 - x_3) - y_1$$

Affine coordinates $(x, y)$ and Jacobian coordinates $(X : Y : Z)$ are related by $x = X/Z^2$, $y = Y/Z^3$.
## Jacobian Coordinates

Let $P_1 = (X_1 : Y_1 : Z_1)$, $P_2 = (X_2 : Y_2 : Z_2)$, $P_3 = (X_3 : Y_3 : Z_3)$.

ECDBL, $P_3 = P_1 + P_1 = 2P_1$:
$$X_3 = T,\quad Y_3 = -8Y_1^4 + M(S - T),\quad Z_3 = 2Y_1Z_1,$$
$$S = 4X_1Y_1^2,\quad M = 3X_1^2 + aZ_1^4,\quad T = -2S + M^2.$$

ECADD, $P_3 = P_1 + P_2$ ($P_1 \neq \pm P_2$):
$$X_3 = -H^3 - 2U_1H^2 + R^2,\quad Y_3 = -S_1H^3 + R(U_1H^2 - X_3),\quad Z_3 = Z_1Z_2H,$$
$$U_1 = X_1Z_2^2,\quad U_2 = X_2Z_1^2,\quad S_1 = Y_1Z_2^3,\quad S_2 = Y_2Z_1^3,\quad H = U_2 - U_1,\quad R = S_2 - S_1.$$
## Scalar Multiplication on EC

Scalar multiplication $dP$ by the binary method, with $P \in E$ and the binary representation $d = (d_{n-1} \cdots d_0)_2$, $d_{n-1} = 1$:

1. $Q \leftarrow P$
2. For $i = n-2$ downto $0$: $Q \leftarrow 2Q$ (ECDBL); if $d_i = 1$, $Q \leftarrow Q + P$ (ECADD)
3. Return $Q$

Ex. $51P = (110011)_2 P$:
$$P \xrightarrow{D} 2P \xrightarrow{A} 3P \xrightarrow{D} 6P \xrightarrow{D} 12P \xrightarrow{D} 24P \xrightarrow{A} 25P \xrightarrow{D} 50P \xrightarrow{A} 51P$$
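A worked implementation of the affine and Jacobian formulas and of the binary method, added here as an example; it is not code from the slides or from the author. The curve $y^2 = x^3 - 3x + 4$ over $GF(1009)$, its base point $(0, 2)$ and every name below are constructed for the demonstration (real curves use primes of 160 bits and more). The Jacobian result is converted back to affine and compared with the affine computation, and the ECDBL/ECADD trace is returned next to the point so the $51P$ example above can be checked.

```python
# Added example, not from the slides: the affine and Jacobian group laws and
# the binary method on a small constructed curve over GF(1009).
# Curve y^2 = x^3 - 3x + 4 and base point (0, 2) are constructed for this demo.

P_MOD = 1009                # toy field prime (real curves use ~256-bit primes)
A = (-3) % P_MOD
B = 4
G = (0, 2)                  # on the curve since 2^2 = 4 = b

def inv(v):
    return pow(v % P_MOD, P_MOD - 2, P_MOD)

def on_curve(pt):
    """None encodes the point at infinity O, which always counts as on the curve."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def affine_add(P1, P2):
    """P3 = P1 + P2 with the slides' affine formulas; covers O and P1 = P2."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                      # P1 = -P2, result is O
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD    # tangent slope (ECDBL)
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD           # chord slope (ECADD)
    x3 = (lam * lam - x1 - x2) % P_MOD                   # = lam^2 - 2 x1 when doubling
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

O_JAC = (1, 1, 0)           # Jacobian point at infinity: Z = 0

def jac_dbl(P1):
    """ECDBL in Jacobian coordinates: S, M, T exactly as on the slides."""
    X1, Y1, Z1 = P1
    if Z1 == 0 or Y1 == 0:
        return O_JAC
    S = 4 * X1 * Y1 * Y1 % P_MOD
    M = (3 * X1 * X1 + A * pow(Z1, 4, P_MOD)) % P_MOD
    T = (M * M - 2 * S) % P_MOD
    return (T, (-8 * pow(Y1, 4, P_MOD) + M * (S - T)) % P_MOD, 2 * Y1 * Z1 % P_MOD)

def jac_add(P1, P2):
    """ECADD in Jacobian coordinates: U1, U2, S1, S2, H, R as on the slides."""
    X1, Y1, Z1 = P1
    X2, Y2, Z2 = P2
    if Z1 == 0:
        return P2
    if Z2 == 0:
        return P1
    U1 = X1 * Z2 * Z2 % P_MOD
    U2 = X2 * Z1 * Z1 % P_MOD
    S1 = Y1 * pow(Z2, 3, P_MOD) % P_MOD
    S2 = Y2 * pow(Z1, 3, P_MOD) % P_MOD
    H = (U2 - U1) % P_MOD
    R = (S2 - S1) % P_MOD
    if H == 0:                                           # same x: doubling or O
        return jac_dbl(P1) if R == 0 else O_JAC
    X3 = (-pow(H, 3, P_MOD) - 2 * U1 * H * H + R * R) % P_MOD
    Y3 = (-S1 * pow(H, 3, P_MOD) + R * (U1 * H * H - X3)) % P_MOD
    return (X3, Y3, Z1 * Z2 * H % P_MOD)

def to_affine(pt):
    X, Y, Z = pt
    if Z == 0:
        return None
    zi = inv(Z)
    return (X * zi * zi % P_MOD, Y * pow(zi, 3, P_MOD) % P_MOD)

def binary_method(d, Q0, dbl, add):
    """Slides' left-to-right binary method; also returns the ECDBL/ECADD trace."""
    Q, trace = Q0, []
    for bit in bin(d)[3:]:              # d_{n-2} ... d_0 (d_{n-1} = 1 is consumed by Q <- P)
        Q = dbl(Q)
        trace.append("D")
        if bit == "1":
            Q = add(Q, Q0)
            trace.append("A")
    return Q, "".join(trace)

def affine_mul(d, P1):
    return binary_method(d, P1, lambda Q: affine_add(Q, Q), affine_add)

def jac_mul(d, P1):
    Q, trace = binary_method(d, (P1[0], P1[1], 1), jac_dbl, jac_add)
    return to_affine(Q), trace
```

`affine_mul(51, G)` returns the point together with the trace `DADDDADA`, the D A D D D A D A sequence of the slide, and `jac_mul(51, G)` yields the same affine point through the Jacobian formulas.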
## Power Analysis

- Simple Power Analysis (SPA): observe the power consumption of the device during a single computation and detect the secret key.
- Differential Power Analysis (DPA): observe many power consumption traces and analyze this information together with statistical tools.
## SPA against ECC (Coron 1999)

Binary method (the ECDBL and ECADD steps can be told apart in the power trace):
1. $Q \leftarrow P$
2. For $i = n-2$ downto $0$: $Q \leftarrow 2Q$ (ECDBL); if $d_i = 1$, $Q \leftarrow Q + P$ (ECADD)
3. Return $Q$

Ex. $51P = (110011)_2 P$. The observed sequence D A D D D A D A splits into one group per iteration:

| Operations | D A | D | D | D A | D A |
|---|---|---|---|---|---|
| Bit | 1 | 0 | 0 | 1 | 1 |

Together with $d_5 = 1$, which the method assumes, the attacker can guess the bit information.
## SPA Countermeasure (Coron 1999)

Scalar multiplication $dP$ with $P \in E$, $d = (d_{n-1} \cdots d_0)_2$:
1. $Q \leftarrow P$
2. For $i = n-2$ downto $0$: $Q[0] \leftarrow 2Q$ (ECDBL); $Q[1] \leftarrow Q[0] + P$ (ECADD); $Q \leftarrow Q[d_i]$
3. Return $Q$
## SPA Countermeasure: Example (Coron 1999)

Ex. $51P = (110011)_2 P$ with the double-and-add-always method:

- $P \xrightarrow{D} 2P \xrightarrow{A} 3P$ ($d_4 = 1$, keep $3P$)
- $3P \xrightarrow{D} 6P \xrightarrow{A} 7P$ (dummy: $d_3 = 0$, keep $6P$)
- $6P \xrightarrow{D} 12P \xrightarrow{A} 13P$ (dummy: $d_2 = 0$, keep $12P$)
- $12P \xrightarrow{D} 24P \xrightarrow{A} 25P$ ($d_1 = 1$, keep $25P$)
- $25P \xrightarrow{D} 50P \xrightarrow{A} 51P$ ($d_0 = 1$, keep $51P$)

| Operations | D A | D A | D A | D A | D A |
|---|---|---|---|---|---|
| Bit | 0 or 1? | 0 or 1? | 0 or 1? | 0 or 1? | 0 or 1? |

The attacker cannot guess the bit information.
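An added simulation, not from the slides, of what the D/A sequence reveals to an SPA observer and why the double-and-add-always method hides it. The traces are derived from the scalar alone, and the processed points are tracked as integer multiples $k$ of $P$, so no curve arithmetic is needed; all function names are constructed for this example.

```python
# Added example, not from the slides: the ECDBL/ECADD sequence of the binary
# method versus Coron's double-and-add-always ('D' = ECDBL, 'A' = ECADD).
# Points are tracked as integer multiples k of P, so no curve is needed.

def binary_trace(d):
    """Operation sequence of the plain binary method for the scalar d."""
    ops = []
    for bit in bin(d)[3:]:                   # bits d_{n-2} ... d_0
        ops.append("D")
        if bit == "1":
            ops.append("A")
    return "".join(ops)

def spa_recover(trace):
    """SPA on the plain binary method: every D opens a new bit, a following A sets it to 1."""
    bits = ["1"]                             # d_{n-1} = 1 by the method's convention
    for op in trace:
        if op == "D":
            bits.append("0")
        else:                                # an "A" always follows a "D"
            bits[-1] = "1"
    return int("".join(bits), 2)

def add_always_steps(d):
    """Double-and-add-always: the multiple k of P produced by each step, tagged
    with the operation and whether the result is kept or is a dummy."""
    k, steps = 1, []
    for bit in bin(d)[3:]:
        k0 = 2 * k
        steps.append((k0, "D", True))        # Q[0] <- 2Q, always kept
        k1 = k0 + 1
        steps.append((k1, "A", bit == "1"))  # Q[1] <- Q[0] + P, kept only if d_i = 1
        k = k1 if bit == "1" else k0
    return steps

def add_always_trace(d):
    return "".join(op for _, op, _ in add_always_steps(d))

def dummy_multiples(d):
    """Multiples of P that are computed and discarded (7P and 13P for d = 51)."""
    return [k for k, _, kept in add_always_steps(d) if not kept]

def distinct_traces(nbits):
    """Number of different D/A sequences over all nbits-bit scalars: 1 for add-always."""
    return len({add_always_trace(d) for d in range(1 << (nbits - 1), 1 << nbits)})
```

`spa_recover(binary_trace(51))` gives back 51, while `add_always_trace(51)` is the constant `DADADADADA` that every 6-bit scalar produces, so `distinct_traces(6)` is 1.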
## Experiment by Coron (CHES 1999)

(1) Gather many power consumption traces of computing $4P_i$. $4P_i$ is computed if and only if the second most significant bit of $d$ is 0.

(2) Let $s_i$ be any specific bit of $4P_i$. Use the correlation function $g(t) = \mathrm{Power}(s_i = 0) - \mathrm{Power}(s_i = 1)$.

If the point $4P_i$ is never computed, there is no spike in the graph. If $4P_i$ is computed, there is a difference between $\mathrm{Power}(s_i = 0)$ and $\mathrm{Power}(s_i = 1)$.

Cited from Coron, "Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems", CHES 1999, pp. 292-302.
## method (Coron 1999)

- $d$ is fixed and the attacker can choose $P$ (ElGamal encryption, single-pass ECDH).
- The method's computation for each input looks the same, but is slightly different.
- Power consumption is correlated to any bit of the processing point.
## DPA Countermeasure (Coron 1999)

Randomize the point representation in Jacobian coordinates. Scalar multiplication $dP$:
1. Choose $r \in [1, p-1]$ at random
2. $Q \leftarrow (r^2 x_P : r^3 y_P : r)$
3. Compute $Q \leftarrow dP$, starting from the randomized representation $Q$ of $P$
4. Return $Q$
## DPA Countermeasure (Joye-Tymen 2001)

Use a random curve isomorphic to the original curve. Scalar multiplication $dP$:
1. Choose $r \in [1, p-1]$ at random
2. $a' \leftarrow r^4 a$, $b' \leftarrow r^6 b$ and $P' \leftarrow (r^2 x_P, r^3 y_P)$
3. Compute $Q' \leftarrow dP'$ on $E' : y^2 = x^3 + a'x + b'$
4. $x_Q \leftarrow r^{-2} x_{Q'}$, $y_Q \leftarrow r^{-3} y_{Q'}$
5. Return $Q = (x_Q, y_Q)$
## Goubin’s Attack (Goubin 2003)

- The points $(x, 0)$ and $(0, y)$ cannot be randomized: $(x, 0) \mapsto (r^2x : 0 : r)$ and $(0, y) \mapsto (0 : r^3y : r)$ keep a zero coordinate for every $r$.
- Assume the guess $d_{n-2} = 1$ and input $P = (6^{-1} \bmod \#E)\cdot(0, y)$, so that $6P = (0, y)$.
  - $d_{n-2} = 0$: $P \xrightarrow{D} 2P \xrightarrow{A} 3P \xrightarrow{D} 4P$; the operations D A D show nothing special.
  - $d_{n-2} = 1$: $P \xrightarrow{D} 2P \xrightarrow{A} 3P \xrightarrow{D} 6P = (0, y)$; the processing point has $X = 0$: irregular power consumption.
## Condition of Goubin’s Attack

- Point $(x, 0)$: its order is 2.
  - It does not exist on an elliptic curve $E : y^2 = x^3 + ax + b$ of prime order.
  - If it exists, the input can be discarded.
- Point $(0, y)$: $y^2 = b$, so it exists exactly when $b$ is a quadratic residue modulo $p$.
  - If $b$ is random, this probability is about 50%.
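The two randomizations of the DPA countermeasures, applied to a Goubin point, plus the quadratic-residue test of this slide, as an added example (not code from the slides or from the author). The curve $y^2 = x^3 - 3x + 4$ over $GF(1009)$ and its point $(0, 2)$ are constructed; `P256_P` and `P256_B` are the published secp256r1 field prime and coefficient $b$, used to recompute one row of the next slide's table. All function names are assumptions of this example.

```python
# Added example, not from the slides: Coron's and Joye-Tymen's randomizations
# leave a zero coordinate in place, and (0, y) exists iff b is a square mod p.
# Curve y^2 = x^3 - 3x + 4 over GF(1009) with point (0, 2) is constructed here;
# P256_P / P256_B are the published secp256r1 constants.
import random

P_MOD, A, B = 1009, (-3) % 1009, 4
GOUBIN_PT = (0, 2)                       # x = 0 and 2^2 = b

def legendre(v, p):
    """Euler's criterion: 1 for a non-zero square mod p, -1 for a non-square, 0 for 0."""
    v %= p
    if v == 0:
        return 0
    return 1 if pow(v, (p - 1) // 2, p) == 1 else -1

def on_curve(pt, a, b, p):
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0

def coron_randomize(pt, r, p):
    """Coron 1999: (x, y) -> (r^2 x : r^3 y : r) in Jacobian coordinates."""
    x, y = pt
    return (r * r * x % p, pow(r, 3, p) * y % p, r)

def joye_tymen_randomize(pt, a, b, r, p):
    """Joye-Tymen 2001: (x, y) -> (r^2 x, r^3 y) on the isomorphic curve
    E' : y^2 = x^3 + a'x + b' with a' = r^4 a, b' = r^6 b."""
    x, y = pt
    return (r * r * x % p, pow(r, 3, p) * y % p), pow(r, 4, p) * a % p, pow(r, 6, p) * b % p

def joye_tymen_restore(pt, r, p):
    """Step 4 of the slide: x <- r^-2 x', y <- r^-3 y'."""
    ri = pow(r, p - 2, p)
    x, y = pt
    return (ri * ri * x % p, pow(ri, 3, p) * y % p)

def zero_coordinate_survives(pt, a, b, p, seed=0, trials=100):
    """Goubin's observation: x = 0 (or y = 0) stays zero under both
    randomizations for every r, so the special point remains recognisable."""
    rng = random.Random(seed)
    x, y = pt
    for _ in range(trials):
        r = rng.randrange(1, p)
        X, Y, _ = coron_randomize(pt, r, p)
        (x2, y2), _, _ = joye_tymen_randomize(pt, a, b, r, p)
        if (x == 0) != (X == 0 and x2 == 0) or (y == 0) != (Y == 0 and y2 == 0):
            return False
    return True

def has_goubin_point(b, p):
    """(0, y) lies on y^2 = x^3 + ax + b iff b is a quadratic residue mod p."""
    return legendre(b, p) == 1

def goubin_fraction(p, samples=4000, seed=1):
    """Fraction of random b in [1, p-1] for which (0, y) exists: about 1/2."""
    rng = random.Random(seed)
    return sum(has_goubin_point(rng.randrange(1, p), p) for _ in range(samples)) / samples

# secp256r1 (NIST P-256): field prime and coefficient b
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
```

`has_goubin_point(P256_B, P256_P)` returns `True`, matching the "o" entry for secp256r1 in the table that follows, and `goubin_fraction(1009)` lands close to 0.5.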
## Goubin’s Points on Standard Curves

SECG curves: whether a point $(0, y)$ exists (o = yes, - = no)

| Curve | $(0, y)$ |
|---|---|
| SECG secp112r1 | - |
| SECG secp128r1 | o |
| SECG secp160r1 | o |
| SECG secp160r2 | o |
| SECG secp192r1 | o |
| SECG secp224r1 | - |
| SECG secp256r1 | o |
| SECG secp384r1 | o |
| SECG secp521r1 | o |
## Isogeny of Elliptic Curve

- $j_i$: $j$-invariant of $E_i$
- $\Phi_l(X, Y)$: modular polynomial of degree $l$
- $\Phi_l(j_1, j_2) = 0 \iff$ there is an isogeny of degree $l$ between $E_1$ and $E_2$

$$\phi_l : E_1 \to E_2,\qquad (x, y) \mapsto \left(\frac{f_1(x)}{g(x)^2},\ \frac{y\,f_2(x)}{g(x)^3}\right)$$

The cost of the mapping $\phi_l$ depends on the degree $l$.
## Smart’s Isogeny Defense (Smart 2003)

- Countermeasure against Goubin’s attack
- Isogeny of degree $l$: $\phi_l : E \to E'$, where $E$ has a point $(0, y)$ and $E'$ has no point $(0, y)$
- Without the defense: $P \to$ scalar multiplication on $E \to Q = dP$; insecure against Goubin’s attack
- With the defense: $P \xrightarrow{\phi_l} P' \to$ scalar multiplication on $E' \to Q' = dP' \xrightarrow{\phi_l^{-1}} Q$; secure against Goubin’s attack
- The additional cost depends on the degree $l$
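An explicit isogeny $\phi_l : E \to E'$ for $l = 2$, added here as an example of the map and of the modular-polynomial test $\Phi_l(j_1, j_2) = 0$ from the isogeny slide; it is not code from the slides or from the author. Smart's defense uses odd degrees on prime-order curves; degree 2 is used only because Vélu's formulas and $\Phi_2$ are short enough to write out. The curve $E : y^2 = x^3 + x - 10$ over $GF(1009)$ and its kernel point $(2, 0)$ are constructed (note $x^3 + x - 10 = (x-2)(x^2 + 2x + 5)$); all function names are assumptions of this example.

```python
# Added example, not from the slides: a degree-2 isogeny via Velu's formulas on
# a constructed curve, checked against the classical modular polynomial Phi_2.
# E : y^2 = x^3 + x - 10 over GF(1009), kernel point (2, 0), are constructed.

P = 1009
A, B = 1, (-10) % P
X0 = 2                                   # (X0, 0) has order 2: kernel of phi_2

def inv(v):
    return pow(v % P, P - 2, P)

def on_curve(pt, a, b):
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % P == 0

def j_invariant(a, b):
    """j = 1728 * 4a^3 / (4a^3 + 27b^2) mod p."""
    return 1728 * 4 * pow(a, 3, P) * inv(4 * pow(a, 3, P) + 27 * b * b) % P

def velu_2isogeny(a, b, x0):
    """Velu: codomain E' : y^2 = x^3 + a'x + b' for the kernel {O, (x0, 0)}."""
    t = (3 * x0 * x0 + a) % P
    return (a - 5 * t) % P, (b - 7 * x0 * t) % P

def phi_2(pt, a, x0):
    """The degree-2 map (x, y) -> (x + t/(x - x0), y (1 - t/(x - x0)^2)):
    the slides' f1/g^2, y f2/g^3 form with g(x) = x - x0 after cancelling a
    common factor. Kernel points map to O, encoded as None."""
    if pt is None or pt[0] == x0:
        return None
    x, y = pt
    t = (3 * x0 * x0 + a) % P
    d = inv(x - x0)
    return ((x + t * d) % P, y * (1 - t * d * d) % P)

def modular_poly_2(X, Y):
    """Classical modular polynomial Phi_2(X, Y), reduced mod p."""
    return (X ** 3 + Y ** 3 - X * X * Y * Y + 1488 * (X * X * Y + X * Y * Y)
            - 162000 * (X * X + Y * Y) + 40773375 * X * Y
            + 8748000000 * (X + Y) - 157464000000000) % P

def some_points(a, b, limit):
    """The first `limit` affine points of y^2 = x^3 + ax + b found by scanning x."""
    roots = {}
    for y in range(P):
        roots.setdefault(y * y % P, y)
    pts = []
    for x in range(P):
        y = roots.get((x ** 3 + a * x + b) % P)
        if y is not None:
            pts.append((x, y))
        if len(pts) == limit:
            break
    return pts

def demo():
    """Returns (a', b', Phi_2(j(E), j(E')) mod p, all sampled images lie on E')."""
    a2, b2 = velu_2isogeny(A, B, X0)
    images_ok = all(on_curve(phi_2(pt, A, X0), a2, b2)
                    for pt in some_points(A, B, 30) if pt[0] != X0)
    return a2, b2, modular_poly_2(j_invariant(A, B), j_invariant(a2, b2)), images_ok
```

`demo()` returns $a' = -64$, $b' = -192$ (mod 1009), a zero value of $\Phi_2$ on the two $j$-invariants, and confirmation that every sampled image point lies on $E'$; the cost of the map is one field inversion per point, which grows with the degree $l$ in the general case.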
## Smart’s Isogeny Defense against Goubin’s Attack

Efficient curve: $a = -3$.

| Curve | Minimal degree | Preferred degree |
|---|---|---|
| SECG secp112r1 | 1 | 1 |
| SECG secp128r1 | 7 | 7 |
| SECG secp160r1 | 13 | 13 |
| SECG secp160r2 | 19 | 41 |
| SECG secp192r1 | 23 | 73 |
| SECG secp224r1 | 1 | 1 |
| SECG secp256r1 | 3 | 11 |
| SECG secp384r1 | 19 | 19 |
| SECG secp521r1 | 5 | 5 |
## ZVP Attack (Akishita-Takagi 2003)

- Zero-value point attack: a generalization of Goubin’s attack
- Goubin’s attack pays attention only to the representation of the processing points.
- We consider intermediate values of the addition formulae that are equal to 0.
- Even if the point has no zero-value coordinate, the intermediate values might become zero.
## ZVP in ECDBL

ECDBL $P_3 = 2P_1$ with $P_1 = (X_1 : Y_1 : Z_1)$, $P_3 = (X_3 : Y_3 : Z_3)$:
$$X_3 = T,\quad Y_3 = -8Y_1^4 + M(S - T),\quad Z_3 = 2Y_1Z_1,$$
$$S = 4X_1Y_1^2,\quad M = 3X_1^2 + aZ_1^4,\quad T = -2S + M^2.$$

If the affine point satisfies $3x_1^2 + a = 0$, then
$$M = 3X_1^2 + aZ_1^4 = Z_1^4\left(3\frac{X_1^2}{Z_1^4} + a\right) = Z_1^4\,(3x_1^2 + a) = 0$$
for every Jacobian representation $(X_1 : Y_1 : Z_1)$ of the point.
## ZVP Attack

Let $P_0 = (x, y)$ satisfy $3x^2 + a = 0$, so that $M = 0$ whenever $P_0$ is doubled, whatever its Jacobian representation. Assume the guess $d_{n-2} = 1$ and input $P = (3^{-1} \bmod \#E)\cdot P_0$, so that $3P = P_0$.

- $d_{n-2} = 0$: $P \xrightarrow{D} 2P \xrightarrow{A} 3P \xrightarrow{D} 4P$; the operations D A D show nothing special.
- $d_{n-2} = 1$: $P \xrightarrow{D} 2P \xrightarrow{A} 3P = P_0 \xrightarrow{D} 6P$; the doubling of $P_0$ has $M = 0$: irregular power consumption.
## ZVP in ECDBL: Conditions

- (ED1) $3x^2 + a = 0$
- (ED2) $5x^4 + 2ax^2 - 4bx + a^2 = 0$
- (ED3) the order of $P$ is equal to 3 (trivial)
- (ED4) $x = 0$ (Goubin’s point)
- (ED5) $y = 0$ (Goubin’s point)
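A search for the zero-value points of ECDBL on a toy curve, added as an example for the three ECDBL slides above; it is not code from the slides or from the paper. It locates the (ED1), (ED2), (ED4) and (ED5) points of $y^2 = x^3 - 3x + 4$ over $GF(1009)$ (a constructed curve) and then checks, with the Jacobian ECDBL formulas of the slides under random representations $(r^2x : r^3y : r)$, that (ED1) forces $M = 0$ and that (ED2) forces $S + T = 0$ (with $y^2 = x^3 + ax + b$ substituted, $S + T = Z^8(5x^4 + 2ax^2 - 4bx + a^2)$). Function names are assumptions of this example.

```python
# Added example, not from the slides: zero-value points of ECDBL on a toy
# curve, and which Jacobian intermediate vanishes for every representation.
# Curve y^2 = x^3 - 3x + 4 over GF(1009) is constructed for this demo.
import random

def zvp_doubling_points(p, a, b):
    """Affine points satisfying (ED1), (ED2), (ED4), (ED5). (ED3), order 3, is
    a group-order condition rather than a coordinate test and is left out."""
    roots = {}                                   # square -> one square root
    for y in range(p):
        roots.setdefault(y * y % p, y)
    found = {"ED1": [], "ED2": [], "ED4": [], "ED5": []}
    for x in range(p):
        y = roots.get((x ** 3 + a * x + b) % p)
        if y is None:
            continue                             # no point with this x
        pt = (x, y)
        if (3 * x * x + a) % p == 0:
            found["ED1"].append(pt)
        if (5 * x ** 4 + 2 * a * x * x - 4 * b * x + a * a) % p == 0:
            found["ED2"].append(pt)
        if x == 0:
            found["ED4"].append(pt)
        if y == 0:
            found["ED5"].append(pt)
    return found

def ecdbl_intermediates(X1, Y1, Z1, a, p):
    """S, M, T of the slides' Jacobian ECDBL."""
    S = 4 * X1 * Y1 * Y1 % p
    M = (3 * X1 * X1 + a * pow(Z1, 4, p)) % p
    T = (M * M - 2 * S) % p
    return S, M, T

def randomize(pt, r, p):
    """Coron-style representation (r^2 x : r^3 y : r)."""
    x, y = pt
    return r * r * x % p, pow(r, 3, p) * y % p, r

def verify_zvp_claims(p, a, b, seed=7, trials=20):
    """Returns (sorted ED1 x-coordinates, M == 0 on every ED1 point,
    S + T == 0 on every ED2 point, number of ED2 points), each checked
    under random Jacobian representations: M = Z^4 (3x^2 + a) and
    S + T = Z^8 (5x^4 + 2ax^2 - 4bx + a^2)."""
    rng = random.Random(seed)
    found = zvp_doubling_points(p, a, b)
    ed1_ok = ed2_ok = True
    for _ in range(trials):
        r = rng.randrange(1, p)
        for pt in found["ED1"]:
            _, M, _ = ecdbl_intermediates(*randomize(pt, r, p), a, p)
            ed1_ok &= (M == 0)
        for pt in found["ED2"]:
            S, _, T = ecdbl_intermediates(*randomize(pt, r, p), a, p)
            ed2_ok &= ((S + T) % p == 0)
    return sorted(x for x, _ in found["ED1"]), ed1_ok, ed2_ok, len(found["ED2"])
```

With $a = -3$, (ED1) reduces to $x^2 = 1$, so `verify_zvp_claims(1009, 1006, 4)` reports the ED1 abscissae $1$ and $1008 = -1$ (both $b - 2 = 2$ and $b + 2 = 6$ are squares mod 1009) and confirms $M = 0$ on them for every sampled $r$; this is the same fact behind the $a = -3$ discussion on the later slides.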
## ZVP in ECADD

ECADD[J] $P_3 = P_1 + P_2$ with $P_1 = (X_1 : Y_1 : Z_1)$, $P_2 = (X_2 : Y_2 : Z_2)$, $P_3 = (X_3 : Y_3 : Z_3)$, where $P_1 = cP$ and $P_2 = P$:
$$X_3 = -H^3 - 2U_1H^2 + R^2,\quad Y_3 = -S_1H^3 + R(U_1H^2 - X_3),\quad Z_3 = Z_1Z_2H,$$
$$U_1 = X_1Z_2^2,\quad U_2 = X_2Z_1^2,\quad S_1 = Y_1Z_2^3,\quad S_2 = Y_2Z_1^3,\quad H = U_2 - U_1,\quad R = S_2 - S_1.$$

The intermediate value $H^3 + 2U_1H^2 = H^2(U_1 + U_2) = H^2Z_1^2Z_2^2\,(x_1 + x_2)$ vanishes when $x_1 + x_2 = 0$, i.e. $x(cP) = -x(P)$. This is a condition on a division polynomial, which can be solved for small $c$ only.
## ZVP on Standard Curves

SECG curves (o = the condition is met, - = it is not)

| Curve | $(0, y)$ | (ED1) | (ED2) |
|---|---|---|---|
| SECG secp112r1 | - | o | o |
| SECG secp128r1 | o | - | - |
| SECG secp160r1 | o | - | - |
| SECG secp160r2 | o | - | o |
| SECG secp192r1 | o | o | o |
| SECG secp224r1 | - | - | o |
| SECG secp256r1 | o | - | o |
| SECG secp384r1 | o | o | - |
| SECG secp521r1 | o | o | - |
## Isogeny Defense against ZVP Attack is not secure (Akishita-Takagi 2004)

- We cannot find a preferred isogeny degree less than 107 for three curves. Why?

Let $E$ be an elliptic curve with $a = -3$ over $GF(p)$ with $\left(\frac{-3}{p}\right) = -1$. Any such $E$ with odd order satisfies (ED1) $3x^2 + a = 0$.

Let $E$ be an elliptic curve with odd order over $GF(p)$ with $\left(\frac{-3}{p}\right) = -1$. No isogeny can map $E$ to a curve with $a = -3$ that is secure against the ZVP attack.
## Smart’s Isogeny Defense against ZVP Attack

Condition (ED1) $3x^2 + a = 0$ on the efficient curve $a = -3$:

| Curve | Minimal degree | Preferred degree |
|---|---|---|
| SECG secp112r1 | 7 | > 107 |
| SECG secp128r1 | 7 | 7 |
| SECG secp160r1 | 13 | 13 |
| SECG secp160r2 | 19 | 41 |
| SECG secp192r1 | 23 | > 107 |
| SECG secp224r1 | 1 | 1 |
| SECG secp256r1 | 3 | 23 |
| SECG secp384r1 | 31 | > 107 |
| SECG secp521r1 | 5 | 5 |
## Choice of the Base Field?

A class of curves that satisfies the following three conditions is insecure against the ZVP attack:
1. $\left(\frac{-3}{p}\right) = -1$
2. $E$ has prime order (security and efficiency)
3. $a = -3$

$\left(\frac{-3}{p}\right) = 1$ may be recommended?
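The base-field condition of the last two slides, recomputed for the SECG random prime curves as an added example (not code from the slides or from the paper). The primes are the published SEC 2 field primes; $\left(\frac{-3}{p}\right)$ is evaluated with Euler's criterion and cross-checked against $p \bmod 3$, since $\left(\frac{-3}{p}\right) = 1$ exactly when $p \equiv 1 \pmod 3$. Function names are assumptions of this example.

```python
# Added example, not from the slides: (-3/p) for the SECG random prime curves.
# The primes below are the published SEC 2 field primes.

SECG_PRIMES = {
    "secp112r1": (2**128 - 3) // 76439,
    "secp128r1": 2**128 - 2**97 - 1,
    "secp160r1": 2**160 - 2**31 - 1,
    "secp160r2": 2**160 - 2**32 - 21389,       # 21389 = 2^14+2^12+2^9+2^8+2^7+2^3+2^2+1
    "secp192r1": 2**192 - 2**64 - 1,
    "secp224r1": 2**224 - 2**96 + 1,
    "secp256r1": 2**256 - 2**224 + 2**192 + 2**96 - 1,
    "secp384r1": 2**384 - 2**128 - 2**96 + 2**32 - 1,
    "secp521r1": 2**521 - 1,
}
assert (2**128 - 3) % 76439 == 0              # p112 is an exact quotient

def legendre(v, p):
    """Euler's criterion: 1 for a non-zero square mod p, -1 for a non-square, 0 for 0."""
    v %= p
    if v == 0:
        return 0
    return 1 if pow(v, (p - 1) // 2, p) == 1 else -1

def field_condition_table():
    """name -> ((-3/p), p mod 3); the two columns agree: (-3/p) = 1 iff p = 1 mod 3."""
    return {name: (legendre(-3, p), p % 3) for name, p in SECG_PRIMES.items()}

def insecure_fields():
    """Curves whose base field meets condition 1 of the last slide, (-3/p) = -1."""
    return sorted(name for name, (s, _) in field_condition_table().items() if s == -1)
```

`insecure_fields()` returns `['secp112r1', 'secp192r1', 'secp384r1']`: exactly the three curves for which the ZVP table reports no preferred isogeny degree below 107.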
