- Slides: 15
Timing Attacks on Elliptic Curve Cryptosystems (ECC)
Zhijian Lu, Matthew Mah, Michael Neve, Eric Peeters
Timing Attacks
• Side Channel Attack
• Use known texts to measure timings
• Use statistical methods to guess key from timings
[Diagram labels: Input; Protocol, smartcard; Time; Output]
How to Guess a Key Bit
[Figure]
Timing Attack on RSA
Montgomery Algorithm to perform m^d:
    x = m
    for i = n – 2 downto 0
        x = x^2
        if (d_i == 1) then
            x = x * m    // modular reduction?
    end
    return x
ECC
ECC Public Key Cryptosystem
• Public Key: Y = yP
• Private Key: y
• Security: Difficult to solve for y by calculating P, 2P, ..., yP = Y
• But there is an efficient algorithm for computing kP
Timing Attack On ECC
Montgomery Algorithm for ECC
Output: kP
    Q = 0
    for i from t – 1 downto 0 do
        Q = 2Q
        if k_i == 1 then Q = Q + P
    Return Q
?
Steps Examined
P + Q = R
$s = (y_P + y_Q) / (x_P + x_Q)$
$x_R = s^2 + s + x_P + x_Q + a$ (a: parameter of curve)
$y_R = s(x_P + x_R) + x_R + y_P$
? $1/(x_P + x_Q)$, $s^2$
Timing Attack On ECC
Montgomery Algorithm for ECC
Output: kP
    Q = 0
    for i from t – 1 downto 0 do
        Q = 2Q    // ?
        if k_i == 1 then Q = Q + P
    Return Q
For implementation we found
Timing Attack on ECC (cont)
A vulnerable implementation
    if k_i == 1 then
        sleep(1000)
        Q = Q + P
    else
        sleep(100)
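An added example, not from the slides: the double-and-add loop shown above, run on a toy prime-field curve with group operations counted as a stand-in for time, next to a ladder that performs the same two operations for every key bit. The curve, base point, function names and the choice of a prime field (the slides use binary-field formulas) are assumptions made for illustration.

```python
# Added example. Toy curve y^2 = x^3 + 2x + 3 over F_97 and base point G are
# constructed values; the slides use binary-field formulas instead.
P_MOD, A, G = 97, 2, (3, 6)

def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # p + (-p)
    if p == q:                           # doubling: tangent slope
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:                                # addition: chord slope
        s = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (s * (x1 - x3) - y1) % P_MOD)

def double_and_add(k, p, t):
    """The slides' loop: Q = Q + P runs only when k_i == 1."""
    q, ops = None, 0
    for i in range(t - 1, -1, -1):
        q, ops = add(q, q), ops + 1
        if (k >> i) & 1:
            q, ops = add(q, p), ops + 1
    return q, ops

def ladder(k, p, t):
    """Montgomery ladder: one addition and one doubling for every bit."""
    r0, r1, ops = None, p, 0
    for i in range(t - 1, -1, -1):
        if (k >> i) & 1:
            r0, r1 = add(r0, r1), add(r1, r1)
        else:
            r0, r1 = add(r0, r0), add(r0, r1)
        ops += 2
    return r0, ops

def leak_report(keys, t=8):
    """(k, double-and-add ops, ladder ops) per key; ops stand in for time."""
    rows = []
    for k in keys:
        (q1, n1), (q2, n2) = double_and_add(k, G, t), ladder(k, G, t)
        assert q1 == q2                  # both compute kP
        rows.append((k, n1, n2))
    return rows

if __name__ == "__main__":
    for k, n1, n2 in leak_report([0b00000001, 0b10101010, 0b11111111]):
        print(f"k={k:08b}  double-and-add={n1} ops  ladder={n2} ops")
```

The double-and-add count equals t plus the number of 1 bits in k, while the ladder count is the same for every key. The ladder here fixes only the operation count; a real implementation also needs branch-free selection and constant-time field arithmetic.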
Conclusions
• Timing attacks depend on implementation
• Timing attacks possible on many systems (RSA, ECC, etc.)
• Never let your advisor choose your topic for you...
El Gamal
Known: Elliptic Curve, P (Base Point), Y (public key)
Alice: m, k; a = kP; G = kY; b = m + G; c = (a, b)
Bob: G' = ya; m' = b - G' = m
Proof: m' = b - G' = b - ya = b - ykP = b - kY = m + G - kY = m + kY - kY = m