Part of the document Cryptography and Security: From Theory to Applications (pages 272 - 277)

4.6 A Few Words on Measurement Conditions

Fig. 27. Corr. curves for several key guesses for B-2 with 250 messages, no repeat, 29% max corr.

Fig. 28. Corr. curves for probe B-2, 250 messages, repeated 10 times, 50% max corr.

Fig. 29. Corr. curves for several key guesses for B-2 with 500 messages, no repeat, 29% max corr.

Fig. 30. Corr. curves for probe B-2, 500 messages, repeated 10 times, 50% max corr.

Fig. 31. Corr. curves for several key guesses for B-2 with 1000 random messages, no repeat, 29% max corr.

Fig. 32. Corr. curves for probe B-2, 1000 messages, repeated 10 times, 50% max corr.

In this short section, we come back to the scenario used in the previous paragraph (testing the different probes on the smart-card-like chip during an ARK-SBOX operation). Each probe is tested using the scenario where we have 1000 different messages with each message repeated 10 times. To arrive at such a scenario, we focussed on one probe (say probe B-2, which seemed to have a high SNR) which we tested in several conditions. First we varied the number of different input messages, each message being played once. We can observe, by comparing Figures 27, 29 and 31, that the higher the number of messages used, the smaller the SNR becomes. However, the maximum correlation peak is always the same (at around 29%). Then we kept the number of messages constant and varied the repeat time, that is the number of times each message is replayed (with the mean calculated over all those repeated curves for each message). This time, the SNR remains the same but the maximum correlation obtained increases with the number of repeat times, as seen by comparing Figures 27 and 28, Figures 29 and 30, and Figures 31 and 32. Hence we could see that:

- The larger the number of different random messages used, the smaller the SNR present on the wrong guesses is, and hence the more visible the correlation peak corresponding to the correct key becomes.

- The more each message is repeated (and the EM curve calculated by averaging over the EM curves for each repeat), the higher the maximum correlation factor obtained for each curve is.
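The two effects listed above can be reproduced on constructed data. The following is an added example, not the authors' code or measurements: it replaces the EM traces by a Hamming-weight leakage of S[m ^ k] plus Gaussian noise (S is a constructed random byte permutation standing in for the chip's S-box, k a constructed key byte), runs a correlation analysis over all 256 key guesses, and reports the peak for the true key next to the highest correlation reached by any wrong guess for the message counts and repeat counts of Figures 27 to 32.

```python
# Added example (not from the paper): a simulated CPA on constructed leakage.
# Each trace is one sample, HW(S[m ^ k]) plus Gaussian noise, where S is a
# constructed random byte permutation standing in for the chip's S-box.
import math
import random

SBOX = list(range(256))
random.Random(12345).shuffle(SBOX)   # constructed substitution table
NOISE_SIGMA = 3.0                    # constructed per-measurement noise (std. dev.)

def hamming_weight(v):
    return bin(v).count("1")

def simulate(key, n_msgs, repeats, rng):
    """Traces for n_msgs random messages; each trace is the mean of `repeats`
    noisy measurements of the same message (the averaging of Figs. 28/30/32)."""
    msgs = [rng.randrange(256) for _ in range(n_msgs)]
    traces = []
    for m in msgs:
        leak = hamming_weight(SBOX[m ^ key])
        traces.append(sum(leak + rng.gauss(0.0, NOISE_SIGMA)
                          for _ in range(repeats)) / repeats)
    return msgs, traces

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)

def cpa(msgs, traces):
    """Correlation of the traces with the hypothesis HW(S[m ^ g]) for every guess g."""
    return [pearson([hamming_weight(SBOX[m ^ g]) for m in msgs], traces)
            for g in range(256)]

def run(key, n_msgs, repeats, seed=1):
    """Return (best guess, correlation of the true key, max |corr| over wrong guesses)."""
    msgs, traces = simulate(key, n_msgs, repeats, random.Random(seed))
    corr = cpa(msgs, traces)
    best = max(range(256), key=lambda g: abs(corr[g]))
    wrong = max(abs(c) for g, c in enumerate(corr) if g != key)
    return best, corr[key], wrong

if __name__ == "__main__":
    for n_msgs, repeats in [(250, 1), (1000, 1), (250, 10), (1000, 10)]:
        best, peak, floor = run(0x2B, n_msgs, repeats)
        print(f"{n_msgs:5d} msgs x{repeats:3d}: guess={best:#04x} "
              f"peak={peak:.2f} max wrong={floor:.2f}")
```

Going from 250 to 1000 messages leaves the true-key peak roughly where it was but shrinks the wrong-guess correlations (their sampling noise scales like 1/sqrt(N)), while averaging 10 repeats per message raises the true-key peak because the noise variance of each averaged trace is divided by 10.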

5 Conclusion and Discussions

In this paper, we describe a method for characterising different EM probes for security purposes. With this approach, several probes have been tested to find out about their degree of relevance for use cases like CEMA [14]. The early results reported in this article confirm that, similarly to EMC-like applications, in the case of security analysis the probes' dimensions, number of loops and positioning all contribute to better data-dependent EM measurements. But above all, this paper illustrates that there are still plenty of unexplored fields of research to precisely define the characteristics of EM probes for security analysis: not only the shape of the probes themselves but also the DuT's technology, spectral characteristics and layout, or the type of operation under observation. This paper also illustrates that the conclusions reached by doing security-related characterisations on a smart-card-like chip are coherent with those reached by doing characterisations of elementary circuits like the Si lines used in Section 4.3. Doing measurements on such elementary circuits would allow precise and detailed analyses of the EM radiation of different layouts and typologies of data signals on integrated circuits (relative positioning of data wires, direction of data flow, study of different data encoding schemes...). Carrying out measurements on simpler circuits like the silicon wires provides precious results which help in further understanding the Electro-Magnetic emission phenomenon and which constitute valuable inputs to tools used for modelling and simulating EM radiation at design time of secure circuits. To the best of our knowledge, this paper is the first to fully focus on the characterisation of Electro-Magnetic probes for security analyses of integrated circuits.

Acknowledgements. The experiments were done on the MicroPackS™ platform. Part of this research work has been funded by the SECRICOM project under FP7-SEC-2007-1 grant # 218123 in Topic SEC-2007-4.2-04 Wireless communication for EU crisis management. The authors would also like to thank Gemalto for providing the Silicon lines chip.

References

1. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)

2. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)

3. Quisquater, J.-J., Samyde, D.: A new tool for non-intrusive analysis of smart cards based on electro-magnetic emissions, the SEMA and DEMA methods. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807. Springer, Heidelberg (2000)

4. Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: Concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001)

5. Quisquater, J.-J., Samyde, D.: ElectroMagnetic analysis (EMA): Measures and counter-measures for smart cards. In: Attali, S., Jensen, T. (eds.) E-smart 2001. LNCS, vol. 2140, pp. 200–210. Springer, Heidelberg (2001)

6. Agrawal, D., Archambeault, B., Rao, J.R., Rohatgi, P.: The EM Side Channel(s). In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 29–45. Springer, Heidelberg (2003)

7. Dahele, J., Cullen, A.: Electric Probe Measurements on Microstrip. IEEE Transactions on Microwave Theory and Techniques 28, 752–755 (1980)

8. Gao, Y., Wolff, I.: A new miniature magnetic field probe for measuring three-dimensional fields in planar high-frequency circuits. IEEE Transactions on Microwave Theory and Techniques 44, 911–918 (1996)

9. Jarrix, S., Dubois, T., Adam, R., Nouvel, P., Azais, B., Gasquet, D.: Probe Characterization for Electromagnetic Near-Field Studies. IEEE Transactions on Instrumentation and Measurement 59(2), 292–300 (2010)

10. Whiteside, H., King, R.: The loop antenna as a probe. IEEE Transactions on Antennas and Propagation 12, 291–297 (1964)

11. Haelvoet, K., Criel, S., Dobbelaere, F., Martens, L., De Langhe, P., De Smedt, R.: Near-field scanner for the accurate characterization of electromagnetic fields in the close vicinity of electronic devices and systems. In: Instrumentation and Measurement Technology Conference, IMTC-1996. Conference Proceedings. Quality Measurements: The Indispensable Bridge between Theory and Reality, vol. 2, pp. 1119–1123. IEEE, Los Alamitos (1996)

12. Moore, S., Anderson, R., Cunningham, P., Mullins, R., Taylor, G.: Improving Smart Card Security using Self-timed Circuits. In: Proceedings of 8th IEEE International Symposium on Asynchronous Circuits and Systems ASYNC 2002, pp. 23–58. IEEE, Los Alamitos (2002)

13. NIST: Specification for the Advanced Encryption Standard. Tech. Rep. FIPS PUB 197, Federal Information Processing Standards (November 26, 2001)

14. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)

Implementations: Attacks, Countermeasures and Cost

Junfeng Fan and Ingrid Verbauwhede

Katholieke Universiteit Leuven, ESAT/SCD-COSIC and IBBT, Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium

{jfan,iverbauwhede}@esat.kuleuven.be

Abstract. Unprotected implementations of cryptographic primitives are vulnerable to physical attacks. While the adversary only needs to succeed in one out of many attack methods, the designers have to consider all the known attacks, whenever applicable to their system, simultaneously. Thus, keeping an organized, complete and up-to-date table of physical attacks and countermeasures is of paramount importance to system designers. This paper summarises known physical attacks and countermeasures on Elliptic Curve Cryptosystems. For implementers of elliptic curve cryptography, this paper can be used as a road map for countermeasure selection in the early design stages.

Keywords: Elliptic curve cryptosystems, side-channel attacks, fault attacks.

1 Introduction

The advent of physical attacks on cryptographic devices has created a big challenge for implementers. By monitoring the timing, power consumption or electromagnetic (EM) emission of the device, or by inserting faults, adversaries can gain information about internal data or operations and extract the key without mathematically breaking the primitives. With new tampering methods and new attacks being continuously proposed and accumulated, designing a secure cryptosystem becomes increasingly difficult. While the adversary only needs to succeed in one out of many attack methods, the designers have to prevent all the applicable attacks simultaneously. Moreover, countermeasures against one attack may surprisingly benefit another attack. As a result, keeping abreast of the most recent developments in the field of implementation attacks and of the corresponding countermeasures is a never-ending task.

In this paper we provide a systematic overview of implementation attacks and countermeasures of one specific cryptographic primitive: Elliptic Curve Cryptography (ECC) [32,39]. This survey is an updated version of a previous report [16], and has been influenced by Avanzi's report [2], by the books of Blake et al. [6] and by Avanzi et al. [3]. Due to the space limit, we only give a catalogue-like summary of the known attacks and countermeasures. Implementers can use this paper as a road map. For the details of each attack or protection, we refer the readers to the original papers.

D. Naccache (Ed.): Quisquater Festschrift, LNCS 6805, pp. 265–282, 2012.

© Springer-Verlag Berlin Heidelberg 2012

The rest of this paper is organised as follows. Section 2 gives a short introduction to the background of ECC. Sections 3 and 4 give details of known passive and active attacks on ECC, respectively. In Section 6, we discuss known countermeasures and their effectiveness. Section 6 gives several cautionary notes on the use of countermeasures. We conclude the paper in Section 7.

2 Background

We give a brief introduction to Elliptic Curve Cryptography in this section. A comprehensive introduction to ECC can be found in [6, 3]. For a thorough summary of power analysis attacks, by far the most popular class of implementation attacks, we refer the reader to [35].

Throughout this paper we assume the notations below are defined as follows:

- K: a finite field (F_p for prime fields and F_{2^m} for binary fields);
- char(K): the characteristic of K;
- E(a1, a2, a3, a4, a6): an elliptic curve with coefficients a1, a2, a3, a4, a6;
- P(x, y): a point with coordinates (x, y);
- O: point at infinity;
- E(K): the group formed by the points on an elliptic curve E defined over the finite field K;
- #E: the number of points on curve E, i.e. the order of E;
- weak curve: a curve whose order does not have big prime divisors;
- the order of point P: the smallest integer r such that rP = O;
- affine coordinates: a point is represented with a two-tuple of numbers (x, y);
- projective coordinates: a point (x, y) is represented as (X, Y, Z), where x = X/Z, y = Y/Z;
- Jacobian projective coordinates: a point (x, y) is represented as (X, Y, Z), where x = X/Z^2, y = Y/Z^3.
