Timing Attacks on Elliptic Curve Cryptosystems ECC Zhijian

Timing Attacks on Elliptic Curve Cryptosystems (ECC) Zhijian Lu Matthew Mah Michael Neve Eric Peeters

Timing Attacks • Side Channel Attack • Use known texts to measure timings • Use statistical methods to guess key from timings Input Protocol, smartcard Time Output

How to Guess a Key Bit 1: 00 2: 00

Timing Attack on RSA Montgomery Algorithm to perform (md): m? x=m or for i = n – 2 downto 0 x = x 2 if (dj == 1) then x = x * m // modular reduction? end return x

ECC

ECC Public Key Cryptosystem Public Key Y=y P Private Key Security: Difficult to solve for y by calculating P, 2 P, . . . , y. P =Y But there is efficient algorithm for computing k. P

Timing Attack On ECC Montgomery Algorithm for ECC Output: k. P Q=0 for i from t – 1 downto 0 do Q = 2 Q if ki == 1 then Q = Q + P Return Q ?

Steps Examined P+Q=R s = (y. P + y. Q) / (x. P + x. Q) x. R = s 2 + s + x. P + x. Q + a (parameter of curve) y. R = s(x. P + x. R) + x. R + y. P ? 1/(x. P + x. Q) s 2

Timing Attack On ECC Montgomery Algorithm for ECC Output: k. P Q=0 for i from t – 1 downto 0 do Q = 2 Q ? if ki == 1 then Q = Q + P Return Q For implementation we found

Timing Attack on ECC (cont) A vulnerable implementation if ki == 1 then if sleep(1000) else sleep (100) Q=Q+P

Conclusions Timing attacks depend on implementation Timing attacks possible on many systems (RSA, ECC, etc. ) Never let your advisor choose your topic for you. . .

El Gamal Known: Elliptic Curve, P (Base Point), Y (public key) Alice Bob m, k G'=ya a=k. P m'=b-G'=m G=k. Y b=m+G c=(a, b) proof m'=b-G'=b-ya=b-yk. P=b-k. Y=m+G-k. Y=m+k. Y-k. Y=m