Cryptology ePrint Archive: Report 2017/1204

Horizontal Clustering Side-Channel Attacks on Embedded ECC Implementations (Extended Version)

Erick Nascimento and Lukasz Chmielewski

Abstract: Side-channel attacks are a threat to cryptographic algorithms running on embedded devices. Public-key cryptosystems, including elliptic curve cryptography (ECC), are particularly vulnerable because their private keys are usually long-term. Well-known countermeasures such as regularity, projective coordinates and scalar randomization, among others, are used to harden implementations against common side-channel attacks like DPA. Horizontal clustering attacks can theoretically overcome these countermeasures by attacking individual side-channel traces. In practice, horizontal attacks have been applied to overcome protected ECC implementations on FPGAs. However, it has not yet been known whether such attacks can be applied to protected implementations running on embedded devices, especially in a non-profiled setting. In this paper we mount non-profiled horizontal clustering attacks on two protected implementations of the Montgomery ladder on Curve25519 available in the µNaCl library, targeting electromagnetic (EM) emanations. The first implementation performs the conditional swap (cswap) operation through arithmetic on field elements (cswap-arith), while the second does so by swapping the pointers (cswap-pointer). They run on a 32-bit ARM Cortex-M4F core. Our best attack has success rates of 97.64% and 99.60% for cswap-arith and cswap-pointer, respectively. This means that at most 6 and 2 bits are incorrectly recovered, and therefore a subsequent brute force can fix them in reasonable time. Furthermore, our horizontal clustering framework used for the aforementioned attacks can be applied against other protected implementations.
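As an added illustration (not code from the paper or from the µNaCl library it attacks), the two conditional-swap styles the abstract contrasts, written for a toy 8-limb field element, together with the per-iteration swap condition of the Curve25519 Montgomery ladder that each cswap consumes; the limb layout and all function names are assumptions.

```c
#include <stdint.h>

/* Constructed toy: a field element as 8 little-endian 32-bit limbs. */
#define LIMBS 8
typedef struct { uint32_t v[LIMBS]; } fe;

/* cswap-arith: when bit == 1, exchange the limb contents of a and b using only
   mask-and-XOR arithmetic, so the executed instructions do not depend on bit. */
void cswap_arith(fe *a, fe *b, uint32_t bit) {
    uint32_t mask = 0u - (bit & 1u);               /* 0x00000000 or 0xFFFFFFFF */
    for (int i = 0; i < LIMBS; i++) {
        uint32_t t = mask & (a->v[i] ^ b->v[i]);
        a->v[i] ^= t;
        b->v[i] ^= t;
    }
}

/* cswap-pointer: leave the limbs in memory and exchange which pointer refers
   to which element, again without a secret-dependent branch. */
void cswap_pointer(fe **pa, fe **pb, uint32_t bit) {
    uintptr_t mask = (uintptr_t)0 - (uintptr_t)(bit & 1u);
    uintptr_t x = (uintptr_t)*pa, y = (uintptr_t)*pb;
    uintptr_t t = mask & (x ^ y);
    *pa = (fe *)(x ^ t);
    *pb = (fe *)(y ^ t);
}

/* Swap condition fed to the cswap at ladder iteration i (bits 254 down to 0):
   swap iff scalar bit i differs from the previous bit. This per-iteration
   secret-dependent decision is what a horizontal attack tries to read from
   one trace. Returns the number of swap bits written. */
int ladder_swap_bits(const uint8_t scalar[32], uint8_t swaps[255]) {
    uint32_t prev = 0;
    for (int i = 254; i >= 0; i--) {
        uint32_t bit = (scalar[i / 8] >> (i & 7)) & 1u;
        swaps[254 - i] = (uint8_t)(bit ^ prev);
        prev = bit;
    }
    return 255;
}

int fe_eq(const fe *a, const fe *b) {
    for (int i = 0; i < LIMBS; i++) if (a->v[i] != b->v[i]) return 0;
    return 1;
}

/* Self-check: both styles swap exactly when bit == 1 and never otherwise. */
int cswap_selftest(void) {
    fe a, b, a0, b0;
    for (int i = 0; i < LIMBS; i++) {
        a.v[i] = a0.v[i] = 0x11111111u * (uint32_t)(i + 1);
        b.v[i] = b0.v[i] = 0xAAAA0000u + (uint32_t)i;
    }
    cswap_arith(&a, &b, 0);
    if (!fe_eq(&a, &a0) || !fe_eq(&b, &b0)) return 0;
    cswap_arith(&a, &b, 1);
    if (!fe_eq(&a, &b0) || !fe_eq(&b, &a0)) return 0;
    fe *pa = &a0, *pb = &b0;
    cswap_pointer(&pa, &pb, 1);
    if (pa != &b0 || pb != &a0) return 0;
    cswap_pointer(&pa, &pb, 0);
    return pa == &b0 && pb == &a0;
}

/* Self-check: a scalar with only bit 254 set swaps at iterations 0 and 1. */
int ladder_selftest(void) {
    uint8_t scalar[32] = {0}, swaps[255];
    scalar[31] = 0x40;
    if (ladder_swap_bits(scalar, swaps) != 255) return 0;
    if (swaps[0] != 1 || swaps[1] != 1) return 0;
    for (int i = 2; i < 255; i++) if (swaps[i] != 0) return 0;
    return 1;
}
```

The masked forms are the countermeasure the paper's targets already use; the paper's point is that the EM signature of each cswap still differs enough per bit for single-trace clustering.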

Category / Keywords: implementation / side-channel attack, SCA, ECC, EM analysis, ARM, horizontal clustering

Original Publication (with minor differences): Proceedings of the 17th Smart Card Research and Advanced Application Conference

Date: received 15 Dec 2017, last revised 31 Dec 2017

Contact author: enascimento pub at gmail com


Version: 20171231:231804

Short URL: ia.cr/2017/1204
