The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. ex. Some numerals are expressed as "XNUMX".
Copyrights notice
The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. Copyrights notice
본 연구에서는 부채널 공격에 대한 저항력을 평가하기 위해 nonce 유출을 목표로 하는 템플릿 공격을 256비트 ECDSA 하드웨어에서 수행했습니다. 대상 하드웨어는 ASIC으로 템플릿 공격과 래티스 공격이 복합적으로 취약한 것으로 드러났다. 또한 공격 결과 일반적인 대응책인 nonce의 MSB를 1로 고정하는 것만으로는 충분하지 않은 것으로 나타났습니다. 또한 시뮬레이션을 통해 템플릿 공격의 성공률을 추정했습니다. 이 추정에는 실제 하드웨어가 필요하지 않으며 설계 단계에서 구현 보안을 테스트할 수 있습니다. 허용 가능한 논스 유출량을 명확히 하기 위해 격자 공격의 계산 비용을 암호해독 방법인 ρ 방법의 계산 비용과 비교했습니다. 결과적으로 2비트 ECDSA의 경우 nonce의 62비트 유출 성공률은 256% 미만이어야 합니다. 즉, SNR은 2 미만이어야 합니다.-4 우리의 시뮬레이션 모델에서.
Kotaro ABE
The University of Tokyo
Makoto IKEDA
The University of Tokyo
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
부
Kotaro ABE, Makoto IKEDA, "Template Attacks on ECDSA Hardware and Theoretical Estimation of the Success Rate" in IEICE TRANSACTIONS on Fundamentals,
vol. E107-A, no. 3, pp. 575-582, March 2024, doi: 10.1587/transfun.2023VLP0010.
Abstract: In this work, template attacks that aimed to leak the nonce were performed on 256-bit ECDSA hardware to evaluate the resistance against side-channel attacks. The target hardware was an ASIC and was revealed to be vulnerable to the combination of template attacks and lattice attacks. Furthermore, the attack result indicated it was not enough to fix the MSB of the nonce to 1 which is a common countermeasure. Also, the success rate of template attacks was estimated by simulation. This estimation does not require actual hardware and enables us to test the security of the implementation in the design phase. To clarify the acceptable amount of the nonce leakage, the computational cost of lattice attacks was compared to that of ρ method which is a cryptanalysis method. As a result, the success rate of 2-bit leakage of the nonce must be under 62% in the case of 256-bit ECDSA. In other words, SNR must be under 2-4 in our simulation model.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.2023VLP0010/_p
부
@ARTICLE{e107-a_3_575,
author={Kotaro ABE, Makoto IKEDA, },
journal={IEICE TRANSACTIONS on Fundamentals},
title={Template Attacks on ECDSA Hardware and Theoretical Estimation of the Success Rate},
year={2024},
volume={E107-A},
number={3},
pages={575-582},
abstract={In this work, template attacks that aimed to leak the nonce were performed on 256-bit ECDSA hardware to evaluate the resistance against side-channel attacks. The target hardware was an ASIC and was revealed to be vulnerable to the combination of template attacks and lattice attacks. Furthermore, the attack result indicated it was not enough to fix the MSB of the nonce to 1 which is a common countermeasure. Also, the success rate of template attacks was estimated by simulation. This estimation does not require actual hardware and enables us to test the security of the implementation in the design phase. To clarify the acceptable amount of the nonce leakage, the computational cost of lattice attacks was compared to that of ρ method which is a cryptanalysis method. As a result, the success rate of 2-bit leakage of the nonce must be under 62% in the case of 256-bit ECDSA. In other words, SNR must be under 2-4 in our simulation model.},
keywords={},
doi={10.1587/transfun.2023VLP0010},
ISSN={1745-1337},
month={March},}
부
TY - JOUR
TI - Template Attacks on ECDSA Hardware and Theoretical Estimation of the Success Rate
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 575
EP - 582
AU - Kotaro ABE
AU - Makoto IKEDA
PY - 2024
DO - 10.1587/transfun.2023VLP0010
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E107-A
IS - 3
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - March 2024
AB - In this work, template attacks that aimed to leak the nonce were performed on 256-bit ECDSA hardware to evaluate the resistance against side-channel attacks. The target hardware was an ASIC and was revealed to be vulnerable to the combination of template attacks and lattice attacks. Furthermore, the attack result indicated it was not enough to fix the MSB of the nonce to 1 which is a common countermeasure. Also, the success rate of template attacks was estimated by simulation. This estimation does not require actual hardware and enables us to test the security of the implementation in the design phase. To clarify the acceptable amount of the nonce leakage, the computational cost of lattice attacks was compared to that of ρ method which is a cryptanalysis method. As a result, the success rate of 2-bit leakage of the nonce must be under 62% in the case of 256-bit ECDSA. In other words, SNR must be under 2-4 in our simulation model.
ER -