Timing Attacks on Elliptic Curve Cryptosystems (ECC)
Zhijian Lu
Matthew Mah
Michael Neve
Eric Peeters

Timing Attacks
• Side Channel Attack
• Use known texts to measure timings
• Use statistical methods to guess key from timings
[Figure: Input, Protocol / smartcard, Time, Output]

How to Guess a Key Bit
[Figure: timings 1:00, 1:00, 1:00, 2:00]

Timing Attack on RSA
Montgomery Algorithm to perform (m^d):
    x = m
    for i = n - 2 downto 0
        x = x^2
        if (d_i == 1) then
            x = x * m    // modular reduction?
    end
    return x

ECC
Public Key Cryptosystem
Public Key: Y = yP
Private Key: y
Security:
Difficult to solve for y by calculating P, 2P, ..., yP = Y
But there is an efficient algorithm for computing kP

Timing Attack On ECC
Montgomery Algorithm for ECC
Output: kP
    Q = 0
    for i from t - 1 downto 0 do
        Q = 2Q
        if k_i == 1 then Q = Q + P
    Return Q

Steps Examined
P + Q = R
    s = (y_P + y_Q) / (x_P + x_Q)
    x_R = s^2 + s + x_P + x_Q + a    (a: parameter of curve)
    y_R = s(x_P + x_R) + x_R + y_P
Steps: 1/(x_P + x_Q), s^2

Timing Attack On ECC
Montgomery Algorithm for ECC
Output: kP
    Q = 0
    for i from t - 1 downto 0 do
        Q = 2Q
        if k_i == 1 then Q = Q + P
    Return Q
For implementation we found

Timing Attack on ECC (cont)
A vulnerable implementation
    if k_i == 1 then
        if
            sleep(1000)
        else
            sleep(100)
        Q = Q + P
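
The leak in the double-and-add loop above, next to a fixed-schedule countermeasure, as an added example that is not part of the original slides: it counts group operations per scalar for the slide algorithm and for a double-and-add-always variant. The toy curve y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1), the function names and the operation-count timing model are assumptions chosen for illustration; the slides themselves use binary-field formulas.

```python
# Added example. Constructed toy curve y^2 = x^3 + 2x + 2 over F_17 (assumption,
# not from the slides); the base point G = (5, 1) has prime order 19.
P_MOD, A, G = 17, 2, (5, 1)

def add(P, Q):
    """Group law on the toy curve; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # P + (-P) = infinity
    if P == Q:
        s = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        s = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (s * (x1 - x3) - y1) % P_MOD)

def double_and_add(k, P, t):
    """Algorithm from the slides: the addition runs only when k_i == 1."""
    Q, ops = None, 0
    for i in range(t - 1, -1, -1):
        Q, ops = add(Q, Q), ops + 1
        if (k >> i) & 1:
            Q, ops = add(Q, P), ops + 1
    return Q, ops

def double_and_add_always(k, P, t):
    """Hardened variant: one doubling and one addition per bit, whatever k_i is."""
    Q, ops = None, 0
    for i in range(t - 1, -1, -1):
        Q, ops = add(Q, Q), ops + 1
        R, ops = add(Q, P), ops + 1
        # A real implementation must also make this selection branch-free.
        Q = R if (k >> i) & 1 else Q
    return Q, ops

def op_counts(t=5):
    """Map each t-bit scalar k to (leaky op count, fixed op count)."""
    return {k: (double_and_add(k, G, t)[1], double_and_add_always(k, G, t)[1])
            for k in range(1, 2 ** t)}

if __name__ == "__main__":
    for k, (leaky, fixed) in op_counts().items():
        print(f"k={k:05b} leaky_ops={leaky} fixed_ops={fixed}")
```

The leaky count equals t plus the Hamming weight of k, while the fixed count is 2t for every scalar.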

Conclusions
Timing attacks depend on implementation
Timing attacks possible on many systems (RSA, ECC, etc.)
Never let your advisor choose your topic for you...

El Gamal
Known: Elliptic Curve, P (Base Point), Y (public key)
Alice: m, k
    a = kP
    G = kY
    b = m + G
    c = (a, b)
Bob:
    G' = ya
    m' = b - G' = m
Proof:
    m' = b - G' = b - ya = b - ykP = b - kY = m + G - kY = m + kY - kY = m