Timing Attacks on Elliptic Curve Cryptosystems (ECC)

1
Timing Attacks on Elliptic Curve Cryptosystems
(ECC)

• Zhijian Lu
• Matthew Mah
• Michael Neve
• Eric Peeters

2
Timing Attacks

• Side Channel Attack
• Use known texts to measure timings
• Use statistical methods to guess key from timings

3
How to Guess a Key Bit
100
100
100
200
4
Timing Attack on RSA

• Montgomery Algorithm to perform (md)
• x m
• for i n 2 downto 0
• x x2
• if (dj 1) then
• x x m // modular reduction?
• end
• return x

5
ECC
6
(No Transcript)
7
(No Transcript)
8
(No Transcript)
9
ECC

• Public Key Cryptosystem
• Yy P

Public Key
Private Key
Security Difficult to solve for y by calculating
P, 2P, ...,yP Y But there is efficient algorithm
for computing kP
10
Timing Attack On ECC

• Montgomery Algorithm for ECC
• Output kP
• Q 0
• for i from t 1 downto 0 do
• Q 2Q
• if ki 1 then Q Q P
• Return Q

11
Steps Examined

• P Q R
• s (yP yQ) / (xP xQ)
• xR s2 s xP xQ a (parameter of curve)
• yR s(xP xR) xR yP

1/(xP xQ) s2
12
Timing Attack On ECC

• Montgomery Algorithm for ECC
• Output kP
• Q 0
• for i from t 1 downto 0 do
• Q 2Q
• if ki 1 then Q Q P
• Return Q

13
Timing Attack on ECC (cont)

• A vulnerable implementation
• if ki 1 then
• if
• sleep(1000)
• else
• sleep (100)
• Q Q P

14
Conclusions

• Timing attacks depend on implementation
• Timing attacks possible on many systems (RSA,
  ECC, etc.)

Never let your advisor choose your topic for
you...
15
El Gamal

• Known
• Elliptic Curve, P (Base Point), Y (public key)

Bob G'ya m'b-G'm
Alice m, k akP GkY bmG c(a,b)
proof m'b-G'b-yab-ykPb-kYmG-kYmkY-kYm
16
How to Guess a Key Bit
100
100
100
200