
Microcontroller Implementation of Simultaneous Protections Against Observation and Perturbation Attacks for ECC

Audrey Lucas¹ and Arnaud Tisserand²
¹CNRS, IRISA UMR 6074, INRIA Centre Rennes - Bretagne Atlantique and Univ Rennes, Lannion, France
²CNRS, Lab-STICC UMR 6285 and University South Britany, Lorient, France

Keywords: Elliptic Curve Cryptography, Side Channel Attack, Fault Injection Attack, Protection, Countermeasure.

Abstract: Scalar multiplication is the main operation in elliptic curve cryptography. In embedded systems, it is vulnerable to both observation and perturbation attacks. Most of protections only target one of these two types of attacks. Unfortunately, many protections against one type of attack may reduce the protection against the other one. In this paper, we simultaneously deal with protections against both types of attacks. Two countermeasures are presented for scalar multiplication and implemented on a Cortex-M0 microcontroller. The first one protects finite field operations over point coordinates. The second one protects the scalar (or key) bits.

Lucas, A. and Tisserand, A. Microcontroller Implementation of Simultaneous Protections Against Observation and Perturbation Attacks for ECC. DOI: 10.5220/0006884604040411. In Proceedings of the 15th International Joint Conference on e-Business and Telecommunications (ICETE 2018) - Volume 2: SECRYPT, pages 404-411. ISBN: 978-989-758-319-3. Copyright © 2018 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved.

1 INTRODUCTION

Elliptic curve cryptography (ECC) is promoted for providing public-key cryptography (PKC) support in embedded systems due to its smaller cost, e.g. silicon area and energy, and better performances than RSA (Cohen and Frey, 2005; Hankerson et al., 2004). Embedded systems are widespread in our society, thus their protection against various types of attacks is essential.

Due to their proximity with other users, potentially malicious ones, embedded circuits are vulnerable to physical attacks. In this paper, we focus on side channel attacks (SCAs) and fault attacks (FAs). The first ones, use observations of physical parameters, such as computation timings or power consumption, which are analyzed using statistical tools to deduce links between physical measurements and internal secret values. The second ones, use perturbations of the circuit such as variations of the power supply or electromagnetic radiations to inject fault(s) during algorithms execution. These faults are exploited to deduce internal secret values.

Numerous countermeasures exist against SCAs and FAs at various levels: mathematics, algorithm, architecture, circuit. Most of these protections only target one type of attack. For example, uniformization schemes are efficient against SCAs but not for FAs. Some error correcting codes can be used against FAs but not for SCAs. Unfortunately, many protections, against one type of attack, leave or may make the implementation vulnerable to the other type of attacks.

In this work, we simultaneously deal with protections against both types of attacks. We propose two countermeasures, developed onto specific curves, for scalar multiplication (SM) in ECC. They are probably adaptable onto other curves. The first one protects finite field operations over point coordinates. The second one protects the scalar itself during SM.

Our paper is organized as follows. Sections 2, 3 and 4 respectively recall background elements on ECC, SCAs/FAs attacks and ECC attacks and protections. Our two propositions are presented in Section 5. Section 6 reports implementation results on Cortex-M0 microcontrollers and the µNaCl library (Düll et al., ).

2 BACKGROUND ON ECC

ECC (Hankerson et al., 2004; Cohen and Frey, 2005) is a PKC based on elliptic curves (ECs).

In the case of prime fields $\mathbb{F}_p$, short Weierstrass curves form $E_{WS}$ and Montgomery (Montgomery, 1987) curves $E_M$ are defined, with $a, b \in \mathbb{F}_p$ and specific conditions on $a, b$ (see books (Hankerson et al., 2004; Cohen and Frey, 2005)), respectively by:

$$E_{WS}: y^2 = x^3 + ax + b, \qquad E_M: by^2 = x^3 + ax^2 + x. \tag{1}$$

In this paper, we only consider these curves onto prime fields $\mathbb{F}_p$.

The most critical operation in ECC is the scalar multiplication (SM) $[k]P$ between a curve point P and a scalar k (either the public or private key). When k is private, it must be protected. SM can be performed by various algorithms based on point addition (ADD) and point doubling (DBL) operations at curve level. When ADD and DBL have different behaviors, their differences can be a leakage source in observation attacks.

The easiest way to perform SM is the double and add (DA) algorithm 1. In case of $E_M$, the Montgomery ladder (ML) algorithm 2 is commonly used.

Algorithm 1: SM - double and add.
    Input: P and k = (k_{m−1}, ..., k_0)_2
    Result: [k]·P
    T ← O
    for i = m−1 to 0 do
        T ← 2·T            (DBL)
        if k_i = 1 then
            T ← T + P      (ADD)
    return T

Algorithm 2: SM - Montgomery ladder.
    Input: P and k = (k_{m−1}, ..., k_0)_2
    Result: [k]·P
    T1 ← O, T2 ← P
    for i = m−1 to 0 do
        if k_i = 1 then
            T1 ← T1 + T2   (ADD)
            T2 ← 2·T2      (DBL)
        else
            T2 ← T1 + T2   (ADD)
            T1 ← 2·T1      (DBL)
    return T1

In order to perform T1 + T2, the x coordinate of T1 − T2 can be known. During ML [k]P internal iterations, T1 − T2 is always equal to the base point P.

Several ADD and DBL formulas for different curves are available on the EFD website (Bernstein and Lange, ).

3 BACKGROUND ON PHYSICAL ATTACKS

Embedded systems have to face attacks at both logical and physical levels. Logical attacks target mathematical properties of cryptosystems, networking protocols, weak software implementations, etc. For instance, very efficient factorization algorithms and parallel implementations have been used against RSA 768 bits a few years ago. In this work, we do not consider these attacks. Physical attacks are totally different from logical ones and require specific protections. Embedded systems have to be protected against them since circuits in charge of security tasks can be very close to the attackers. Typical physical attacks include: reverse engineering, observation (or SCAs) and perturbation (or FAs). In this paper, we only consider SCAs and FAs. It is possible to combine them such as (Roche et al., 2011).

3.1 SCAs and Countermeasures

SCAs observe physical parameters such as timings (Kocher, 1996), power consumption (Mangard et al., 2007) or electromagnetic radiations (EM) (Agrawal et al., 2002) at run time. They exploit potential correlations between measurements of physical parameter(s) and some secret data manipulated during execution.

SCAs are often decomposed into two types. On one hand, simple power analysis (SPA) uses a single trace of power measurements. For instance, algorithm 1 is vulnerable to SPA. On the other hand, various attacks use multiple traces and statistical tools. For instance, differential power analysis (DPA) (Kocher et al., 2011) uses difference of averages and correlation power analysis (CPA) (Brier et al., 2004) uses Pearson correlation. Both simple and differential-like attacks exist for other physical parameters (e.g. EM).

For SCA protection, one must avoid, or strongly reduce, dependencies between secret values and observable variations of the physical parameter(s). A first type of protection is denoted uniformization: operations sequences must be indistinguishable whatever the actual secret bits manipulated in the circuit. Useless operations can be added to uniformize some algorithms. A second type of SCA protection is denoted randomization: a random activity generates a scramble in the measurements. Statistical tools consider this random activity as data and their results are disturbed. For instance, random useless operations or random masks can be added. Many variations and combinations of uniformization and randomization protections have been proposed.

3.2 FAs and Countermeasures

Lasers, electromagnetic radiations, variations in supply voltage or circuit temperature, glitches in clock signals are used to disturb the circuit by injecting fault(s) during algorithm execution (Bar-El et al., 2006; Verbauwhede et al., 2011). These faults can be temporary or permanent and equivalent at logical level to a bit flip, bit set, bit reset or bit stuck-at (on single or multiple bits).

FAs exploit some unspecified circuit behavior, directly or not, in order to deduce the secret. For instance, they can use differences between faulty and correct outputs thanks to differential fault analysis (DFA) (Biham and Shamir, 1997).

Safe-error analysis (SEA) (Yen and Joye, 2000) checks if the injected fault has an impact on the final result. By determining whether a corrupted data was effectively used or not, SEA is very efficient against SCA protections based on useless/dummy operations.

Attackers can produce fault(s) on data, control or external memory. In this paper, we only consider faults on data since we target software implementations with on-chip memory.

[Figure 1: Basic DA algorithm. Key bits 1 0 0 0 1; operation sequence DBL ADD DBL DBL DBL DBL ADD.]

Valette, 2003). In practice, some randomization schemes can be applied against DPA-like attacks in many protocols. Then SPA-like ones are considered as a major threat in ECC. In this paper, we only deal with SPA-like attacks.

Among SCA protections uniformization and randomization have been widely used in ECC.

Among uniformization countermeasures, double and add always (DAA) (Coron, 1999) and ML are typical SPA protections. The DAA algorithm is similar to DA where a useless ADD is added when the key
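As an added example (not code from the paper or from µNaCl), Algorithms 1 and 2 are written here in C with every ADD and DBL recorded, so the uniformization property of Section 3.1 can be checked by comparing the operation sequences of two scalars. It assumes a stand-in group (integers modulo a constructed N under addition) in place of curve points; `sm_da`, `sm_ml`, `same_trace` and the sample scalars are hypothetical names and constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: stand-in group, integers mod N under addition, so [k]P = k*P mod N.
 * Only the order of ADD/DBL operations matters for this illustration. */
#define N 1000003u
typedef struct { char ops[128]; size_t n; } trace_t;
typedef uint32_t (*sm_fn)(uint32_t, int, uint32_t, trace_t *);

static uint32_t record(trace_t *t, char op, uint64_t v) {
    t->ops[t->n++] = op; t->ops[t->n] = '\0';   /* log 'A' (ADD) or 'D' (DBL) */
    return (uint32_t)(v % N);
}
static uint32_t grp_add(uint32_t a, uint32_t b, trace_t *t) { return record(t, 'A', (uint64_t)a + b); }
static uint32_t grp_dbl(uint32_t a, trace_t *t) { return record(t, 'D', 2ull * a); }

/* Algorithm 1: double and add over the m bits of k (m <= 32), MSB first. */
uint32_t sm_da(uint32_t k, int m, uint32_t P, trace_t *t) {
    uint32_t T = 0;                              /* neutral element O */
    t->n = 0; t->ops[0] = '\0';
    for (int i = m - 1; i >= 0; i--) {
        T = grp_dbl(T, t);
        if ((k >> i) & 1u) T = grp_add(T, P, t); /* ADD only when k_i = 1 */
    }
    return T;
}

/* Algorithm 2: Montgomery ladder, one ADD then one DBL for every bit. */
uint32_t sm_ml(uint32_t k, int m, uint32_t P, trace_t *t) {
    uint32_t T1 = 0, T2 = P;
    t->n = 0; t->ops[0] = '\0';
    for (int i = m - 1; i >= 0; i--) {
        if ((k >> i) & 1u) { T1 = grp_add(T1, T2, t); T2 = grp_dbl(T2, t); }
        else               { T2 = grp_add(T1, T2, t); T1 = grp_dbl(T1, t); }
    }
    return T1;
}

/* Uniformization check: 1 if both scalars give the same operation sequence. */
int same_trace(sm_fn sm, uint32_t k1, uint32_t k2, int m) {
    trace_t a, b;
    sm(k1, m, 7u, &a); sm(k2, m, 7u, &b);
    return strcmp(a.ops, b.ops) == 0;
}

int main(void) {
    trace_t t; sm_da(0x11u, 5, 7u, &t);          /* scalar 10001b as in Figure 1 */
    printf("DA trace for 10001b: %s\n", t.ops);
    printf("uniform: DA=%d ML=%d\n", same_trace(sm_da, 0x11u, 0x1Bu, 5), same_trace(sm_ml, 0x11u, 0x1Bu, 5));
    return 0;
}
```

The check covers only the order of operations; it says nothing about data-dependent timing or power inside ADD and DBL themselves.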