pyecsca: Reverse engineering black-box elliptic curve cryptography via side-channel analysis

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216224%3A14330%2F24%3A00136268" target="_blank" >RIV/00216224:14330/24:00136268 - isvavai.cz</a>

Výsledek na webu

<a href="https://tches.iacr.org/index.php/TCHES/article/view/11796" target="_blank" >https://tches.iacr.org/index.php/TCHES/article/view/11796</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.46586/tches.v2024.i4.355-381" target="_blank" >10.46586/tches.v2024.i4.355-381</a>

Jazyk výsledku

angličtina

Název v původním jazyce

pyecsca: Reverse engineering black-box elliptic curve cryptography via side-channel analysis

Popis výsledku v původním jazyce

Side-channel attacks on elliptic curve cryptography (ECC) often assume a white-box attacker who has detailed knowledge of the implementation choices taken by the target implementation. Due to the complex and layered nature of ECC, there are many choices that a developer makes to obtain a functional and interoperable implementation. These include the curve model, coordinate system, addition formulas and the scalar multiplier, or lower-level details such as the finite-field multiplication algorithm. This creates a gap between the attack requirements and a real-world attacker that often only has black-box access to the target -- i.e., has no access to the source code nor knowledge of specific implementation choices made. Yet, when the gap is closed, even real-world implementations of ECC succumb to side-channel attacks, as evidenced by attacks such as TPM-Fail, Minerva, the Side Journey to Titan or TPMScan. We study this gap by first analyzing open-source ECC libraries for insight into real-world implementation choices. We then examine the space of all ECC implementations combinatorially. Finally, we present a set of novel methods for automated reverse-engineering of black-box ECC implementations and release a documented and usable open-source toolkit for side-channel analysis of ECC called pyecsca. Our methods turn attacks around, instead of attempting to recover the private key, they attempt to recover the implementation configuration given control over the private and public inputs. We evaluate them on two simulation levels and study the effect of noise on their performance. Our methods are able to 1) reverse-engineer the scalar multiplication algorithm completely and 2) infer significant information about the coordinate system and addition formulas used in a target implementation. Furthermore, they can bypass coordinate and curve randomization countermeasures.

Název v anglickém jazyce

pyecsca: Reverse engineering black-box elliptic curve cryptography via side-channel analysis

Popis výsledku anglicky

Side-channel attacks on elliptic curve cryptography (ECC) often assume a white-box attacker who has detailed knowledge of the implementation choices taken by the target implementation. Due to the complex and layered nature of ECC, there are many choices that a developer makes to obtain a functional and interoperable implementation. These include the curve model, coordinate system, addition formulas and the scalar multiplier, or lower-level details such as the finite-field multiplication algorithm. This creates a gap between the attack requirements and a real-world attacker that often only has black-box access to the target -- i.e., has no access to the source code nor knowledge of specific implementation choices made. Yet, when the gap is closed, even real-world implementations of ECC succumb to side-channel attacks, as evidenced by attacks such as TPM-Fail, Minerva, the Side Journey to Titan or TPMScan. We study this gap by first analyzing open-source ECC libraries for insight into real-world implementation choices. We then examine the space of all ECC implementations combinatorially. Finally, we present a set of novel methods for automated reverse-engineering of black-box ECC implementations and release a documented and usable open-source toolkit for side-channel analysis of ECC called pyecsca. Our methods turn attacks around, instead of attempting to recover the private key, they attempt to recover the implementation configuration given control over the private and public inputs. We evaluate them on two simulation levels and study the effect of noise on their performance. Our methods are able to 1) reverse-engineer the scalar multiplication algorithm completely and 2) infer significant information about the coordinate system and addition formulas used in a target implementation. Furthermore, they can bypass coordinate and curve randomization countermeasures.

Druh

D - Stať ve sborníku

CEP obor

—

OECD FORD obor

10201 - Computer sciences, information science, bioinformathics (hardware development to be 2.2, social aspect to be 5.8)

Projekt

<a href="/cs/project/VJ02010010" target="_blank" >VJ02010010: Nástroje pro verifikaci bezpečnosti kryptografických zařízení s využitím AI</a><br>

Návaznosti

P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)

Rok uplatnění

2024

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název statě ve sborníku

IACR Transactions on Cryptographic Hardware and Embedded Systems

ISBN

—

ISSN

2569-2925

e-ISSN

—

Počet stran výsledku

27

Strana od-do

355-381

Název nakladatele

Ruhr-University of Bochum

Místo vydání

Německo

Místo konání akce

Halifax, Canada

Datum konání akce

1. 1. 2024

Typ akce podle státní příslušnosti

WRD - Celosvětová akce

Kód UT WoS článku

—