Timing Attacks on Elliptic Curve Cryptosystems (ECC) Zhijian Lu Matthew Mah Michael Neve Eric Peeters

Timing Attacks Side Channel Attack Use known texts to measure timings Time Input Output Protocol, smartcard Side Channel Attack Use known texts to measure timings Use statistical methods to guess key from timings

How to Guess a Key Bit 1:00 1:00 1:00 2:00

Timing Attack on RSA Montgomery Algorithm to perform (md): x = m for i = n – 2 downto 0 x = x2 if (dj == 1) then x = x * m // modular reduction? end return x m? or

ECC

ECC Public Key Cryptosystem Y=y P Security: Private Key Security: Difficult to solve for y by calculating P, 2P, ...,yP =Y But there is efficient algorithm for computing kP

Timing Attack On ECC Montgomery Algorithm for ECC Output: kP Q = 0 for i from t –1 downto 0 do Q = 2Q if ki == 1 then Q = Q + P Return Q ?

Steps Examined P + Q = R s = (yP + yQ) / (xP + xQ) xR = s2 + s + xP + xQ + a (parameter of curve) yR = s(xP + xR) + xR + yP ? 1/(xP + xQ) s2

Timing Attack On ECC Montgomery Algorithm for ECC Output: kP Q = 0 for i from t –1 downto 0 do Q = 2Q if ki == 1 then Q = Q + P Return Q For implementation we found ?

Timing Attack on ECC (cont) A vulnerable implementation if ki == 1 then if sleep(1000) else sleep (100) Q = Q + P

Conclusions Timing attacks depend on implementation Timing attacks possible on many systems (RSA, ECC, etc.) Never let your advisor choose your topic for you...

El Gamal Known: Elliptic Curve, P (Base Point), Y (public key) Alice m, k a=kP G=kY b=m+G c=(a,b) Bob G'=ya m'=b-G'=m proof m'=b-G'=b-ya=b-ykP=b-kY=m+G-kY=m+kY-kY=m