Simple Power Analysis of Unified Code for ECC Double and Add
Colin D. Walter, Colin.Walter@comodo.com
Overview
- Aims
- History
- A Leaky Mod Mult Algorithm
- Unified Code for Add/Double
- Choosing "good" Initial Points
- Simulation Results: Example
- Counter-Measures
- Conclusion
Aims I
- The aim is to question possible misconceptions about:
  - the strength of SPA/DPA counter-measures
  - the uniformity of leakage over the input space
- Investigate which combinations of the following counter-measures do not guarantee a high degree of tamper resistance:
  - Unified code for ECC Add and Double
  - Coron's 3 standard blinding counter-measures
  - Constant-time code
  - Double-and-always-add point multiplication
  - etc.
Aims II
- Here we assume the following counter-measures:
  - Brier-Joye unified code for ECC Add and Double
  - Coron's 3 standard blinding counter-measures
- and we assume the following set-up:
  - Leaky modular multiplication, with a reasonable probability of detecting whether two given products have identical arguments
  - Standard square-and-multiply exponentiation algorithm
- We will conclude that secret keys may sometimes be recovered:
  - It may not be sufficient to upgrade SW on old HW
  - Some inputs leak more than others
  - A single use of a key (as in ECDSA) may be unsafe
History
- Occasional refs in patents: "To ensure that the data carrier consumes the same amount of current whether the requested operation is authorized or unauthorized, a bit is stored in the memory in either event." [Abstract, US Patent 4211919, filed Aug 1978]
- Kocher et al (CRYPTO 1996, 1999): Timing and Power Attacks on smart cards – the concepts.
- Coron (CHES 1999): Lists three standard randomising counter-measures for ECC.
- Brier & Joye (PKC 2002): Unified code for Double & Add.
- Here: The above counter-measures are sometimes insufficient.
Leaky HW Modular Multiplication (here: Montgomery)
Notation: r = base of representation; R = r^n = Montgomery factor.
  { Pre-condition: 0 ≤ A < R = r^n }
  P ← 0 ;
  For i ← 0 to n-1 do
  Begin
    q ← (p0 + a_i·b0)·(–m0^–1) mod r ;
    P ← (P + a_i·B + q·M) div r ;
  End ;
  If P ≥ M then P ← P – M ;   (Leaky!)
  { Post-condition: P·r^n ≡ A×B mod M }
Main Assumptions
- There is a side-channel "oracle" which says when the conditional subtraction occurs.
- Standard left-to-right "Square-and-Multiply" exponentiation is used.
- The correctness of the secret key d can be checked. (Knowledge of I/O to the exponentiation routine is not assumed.)
- Use of the Brier-Joye unified code for ECC Double and Add.
Brier-Joye Formulae
Suppose Pi = (xi, yi, zi) and P3 = P1 + P2 for ECC over Fp. P3 is given by (same code for Add and Double):
  x3 = ...
  y3 = ...
  z3 = ...
where u1 = x1·z2 ; u2 = x2·z1 ; s1 = y1·z2 ; s2 = y2·z1 ; ...
If P1 = P2 then the same formula applies, and:
- u1 = x1·z2 and u2 = x2·z1 are the same computation,
- s1 = y1·z2 and s2 = y2·z1 are the same computation.
So the modular multiplier will produce two pairs of identical leakage.
Attack Idea
- Different behaviour in one or both pairs → Point Add
- Identical behaviour in both pairs → probably Point Double
- An operation next to an Add must be a Double.
- Choose a signing where there are fewest undetermined ops.
- Try all possibilities for the key, the most likely first.
Some Probabilities
- Montgomery Modular Multiplication (MMM) was picked for illustration because it is well understood.
- Probability of the final conditional subtraction mod P:
  - Multiplication by a constant C: p_C = ½·C·r^–n
  - General multiplication: p_M = ¼·P·r^–n ≈ ¼ (for EC-DSA the field characteristic is a generalised Mersenne prime, so P ≈ r^n)
- For square-and-multiply to compute kP1, the same point P1 is re-used every time. So use p_C = ½·C·r^–n.
Optimal Initial Points
- For randomly blinded inputs, some P1 = (x1, y1, z1) will have small x1 & y1 and large z1.
- So, for random P2:
  - u1 = x1·z2 and s1 = y1·z2 have a conditional subtraction with probability ≈ 0
  - u2 = x2·z1 and s2 = y2·z1 have a conditional subtraction with probability ≈ ½
- This maximises the probability of distinguishing u1 from u2 or s1 from s2.
- This maximises the probability of deducing a Point Add (≈ ¾).
- This maximises the number of point ops we can determine for a given secret key.
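As an added example (not from the slides), the following Python model implements the leaky Montgomery multiplier of the earlier slide, returning the final-subtraction bit the oracle observes, and the Add/Double rule built on the u1/u2 and s1/s2 leak pairs; it then measures how often a genuine Add is labelled as one for an "optimal" P1 (small x1, y1, large z1). The parameters (the P-192 prime with 32-bit words, so P ≈ r^n) and the sampling ranges for the "optimal" point are assumptions.

```python
import random

# Constructed parameters: NIST P-192 prime (the curve named in the slides) and
# 32-bit words, so n = 6, R = r^n = 2^192 and the modulus is close to r^n.
M = 2**192 - 2**64 - 1
R_WORD, N_WORDS = 2**32, 6

def mont_mult(A, B, M=M, r=R_WORD, n=N_WORDS):
    """Word-serial Montgomery product as on the slide.  Returns (P, leaked) with
    P * r^n == A * B (mod M); leaked is 1 exactly when the final P >= M subtraction ran."""
    assert 0 <= A < r**n and 0 <= B < M              # slide's pre-condition
    neg_m0_inv = pow(-M % r, -1, r)                   # (-m0^-1) mod r, with m0 = M mod r
    P = 0
    for i in range(n):
        a_i = (A // r**i) % r
        q = ((P + a_i * B) % r) * neg_m0_inv % r       # makes P + a_i*B + q*M divisible by r
        P = (P + a_i * B + q * M) // r
    leaked = int(P >= M)                              # P < 2M here, so one subtraction suffices
    if leaked:                                        # the step the side-channel oracle reports
        P -= M
    return P, leaked

def classify(P1, P2):
    """Slide rule for one unified Brier-Joye operation P1 + P2, using only the leak bits
    of u1 = x1*z2, u2 = x2*z1, s1 = y1*z2, s2 = y2*z1: 'A' (Add) if either pair differs,
    'D?' (probably a Double) if both pairs are identical.  A true Double always gives 'D?'."""
    (x1, y1, z1), (x2, y2, z2) = P1, P2
    u1, u2 = mont_mult(x1, z2)[1], mont_mult(x2, z1)[1]
    s1, s2 = mont_mult(y1, z2)[1], mont_mult(y2, z1)[1]
    return 'A' if (u1 != u2 or s1 != s2) else 'D?'

def add_detection_rate(P1, trials=2000, seed=1):
    """Fraction of genuine Adds P1 + P2 (P2 random, as for blinded inputs) labelled 'A'."""
    rng = random.Random(seed)
    hits = sum(classify(P1, tuple(rng.randrange(M) for _ in range(3))) == 'A'
               for _ in range(trials))
    return hits / trials

def optimal_point(seed=2):
    """An 'optimal' P1 in the slide's sense: small x1 and y1, z1 close to M (assumed ranges)."""
    rng = random.Random(seed)
    return (rng.randrange(2**64), rng.randrange(2**64), M - 1 - rng.randrange(2**64))

if __name__ == "__main__":
    rng = random.Random(3)
    P_rand = tuple(rng.randrange(M) for _ in range(3))
    print("Add detection, random P1 :", add_detection_rate(P_rand))
    print("Add detection, optimal P1:", add_detection_rate(optimal_point()))   # close to 0.75
```

With the optimal point, u1 and s1 almost never leak while u2 and s2 leak about half the time, so roughly three Adds in four are detected, which is the ≈ ¾ figure on the slide.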
Optimal Keys
- For randomly blinded keys k, there are cases where more set bits means fewer undetermined ops.
- For some keys, the spacing of undetermined ops leads to a smaller search space, e.g. 3 undetermined ops might lead to 8 choices; but 3 neighbouring ops must have a pattern DDD, ADD, DAD, DDA or ADA – only 5 choices.
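To make the counting argument on this slide concrete, here is an added Python example (not from the slides) that enumerates the completions of a window of point operations under the double-and-add constraint, and maps an operation sequence back to key bits. The bit-to-operation convention (one D per key bit, plus an A after it for a 1 bit, as in the Pt Opn row of the simulation slide; leading-bit handling ignored) is an assumption.

```python
from itertools import product

def candidates(window):
    """All completions of a window such as 'D?A??' ('?' = undetermined op) that obey
    the double-and-add constraint: every Add is preceded by a Double, so two Adds are
    never adjacent.  Ops outside the window are not checked."""
    unknown = [i for i, c in enumerate(window) if c == '?']
    out = []
    for fill in product('DA', repeat=len(unknown)):
        ops = list(window)
        for i, c in zip(unknown, fill):
            ops[i] = c
        s = ''.join(ops)
        if 'AA' not in s:                 # the constraint that prunes 8 choices to 5
            out.append(s)
    return out

def ops_to_key_bits(ops):
    """'DADADDDA' -> '11001': each D opens a key bit; an A following it makes that bit 1.
    (Assumed convention, matching the slide's Pt Opn row.)"""
    if 'AA' in ops or ops.startswith('A'):
        raise ValueError("not a double-and-add sequence")
    bits = []
    for i, c in enumerate(ops):
        if c == 'D':
            bits.append('1' if ops[i + 1:i + 2] == 'A' else '0')
    return ''.join(bits)

if __name__ == "__main__":
    print(candidates('???'))        # 5 patterns: DDD, DDA, DAD, ADD, ADA
    print(len(candidates('?D?D?')))  # 3 separated unknowns: 8 choices
    for c in candidates('D?D?'):
        print(c, ops_to_key_bits(c))
```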
Example – Simulation Results
Key:      1 1 1 0 0 1 0 0 1 0 0 100 1 1 100 1…
Pt Opn:   DA DA D D DA D D DA D DDADDDADADADDDA…
u1 subn:  01 01 0 1 00 0 0 11 0 011000101010100…
u2 subn:  01 00 0 1 01 0 0 11 0 010000001000100…
s1 subn:  00 00 1 0 00 1 1 10 0 101000011110000…
s2 subn:  01 01 1 0 00 1 1 10 0 101000110100001…
Diffnce:  Y Y Y Y Y Y Y Y…
Known:    YY YY Y N YY Y N NN N NYYYNYYYYYYYNYY…
(Rows: secret key bits; point operations, D = Double, A = Add; whether the final conditional subtraction occurred in u1, u2, s1, s2; whether a difference was observed within a pair; whether the operation is thereby known.)
Computational Feasibility
- EC-DSA curve P-192, sample of 512 signings:
  - Lowest #unknown adds: 19 (on average)
  - Search space: 2^17.6 keys
  - Effort (including key test): 1 minute on a Pentium IV (less if I/O data is collected during the side-channel attack)
- This, and hence the attack, is computationally feasible.
- With 10n times the effort, 2n keys can be extracted (for small n at least).
Counter-Measures
- The attack depends on:
  - a leaky modular multiplier, to help distinguish Add from Double;
  - an exponentiation algorithm that reveals the key once Add is distinguished from Double;
  - good randomisation / blinding – as in Coron's counter-measures!
- So: choose a more robust exponentiation algorithm. If possible, choose less leaky HW.
Conclusion
- Many essential and first-class SW counter-measures can be inadequate on their own.
- In particular, improving SW is probably not enough to fix existing leaky HW.
- Some keys can leak more than others.
- Keys used just once may be attacked.
- Randomisation may improve the chances of a successful attack.