Side-Channel Attack using Order 4 Element against Curve25519 on ATmega328P Yoshinori Uetake, Akihiro Sanada, Leo´ Weissbart Sylvain Duquesne Takuya Kusaka, and Yasuyuki Nogami Grenoble INP-Esisar : Univ Rennes, CNRS, Graduate School of Advanced Systems and IRMAR - UMR 6625, Natural Science and Technology, Networks, France F-35000 Rennes, France Okayama University, Japan [email protected] [email protected] fyoshinori.uetake, [email protected] fkusaka-t, [email protected] Abstract—With the matter of secure communication between for cryptographic use, and confirms the possibility of SPA devices, and especially for IoT devices, more and more applica- exploiting this failure without memory access such as conven- tions need trustful protocols to communicate using public key tional methods. cryptography. Elliptic curve cryptography is nowadays a very secure and efficient public key cryptography method. One of After explaining the mathematical fundamentals used in the most recent and secure curve is Curve25519 and one of its ECC, we will explain the plan of the attack and the setup failure is attack on low-order elements during a Diffie-Hellman we used to, finally present our results and the conclusion we key exchange. This document demonstrates that an attack using can draw from them. an order 4 point is possible on an embedded system with a simple power analysis, pointing out every IoT using Curve255119 as a II. FUNDAMENTALS cryptographic method, a potential target to side-channel attacks. A. Elliptic Curve I. INTRODUCTION F Elliptic Curve Cryptography (ECC) has been introduced in Let denote the finite field p defined by it characteristic p, 1985 by Neal Koblitz [1] and Victor S. Miller [2] as a new a prime number. And let E be the elliptic curve defined over F cryptographic method that can concurrence e.g. RSA [3] or the prime field p in the simplified Weierstrass form [9]. DSA [4]. Since then, ECC has become a popular method for E : y2 = x3 + ax + b; a; b 2 F (1) cryptography because it can offer the same level of security as p other cryptographic method by using a shorter public key and We say that a point is on the elliptic curve if it is a rational faster computations. This asset makes ECC one of the most point. Every rational point including the point at infinity O explored cryptographic mean in todays security issues. forms the additive abelian group E(Fp). In 2006, Daniel J. Bernstein proposed the Curve25519 [5] Elliptic curve cryptography using general type of Elliptic as a new secure elliptic curve. The key exchange protocol curve is not efficient and is also not secure. In fact, computa- X25519 is based on Diffie-Hellman key exchange protocol tion of ECA and ECD needs inversion which is a very heavy using Curve25519 and have been designed to be efficient, operation on finite fields with a big prime number. The next secure and easy to implement. Curve25519 has been adopted section will introduce a particular type of elliptic curve that by IETF as one of the next generation curve for the widely can do calculation without inversion. used cryptography standard on Internet, TLS [6]. More recently, Daniel Genkin, and Luke Valenta and Yuval B. Montgomery Curve Yarom have successfully exploited a failure in X25519 with a software based attack using order 4 elements [7]. Contrary The Montgomery curves as defined in [10] is defined as to Flush+Reload method presented in the previous paper, this follows: 2 3 2 paper is focus on a power consumption SPA, showing simple E : By = x + Ax + x (2) power analysis is also successful method to extract the secret Where A; B 2 F and where B(A2 − 4) =6 0 (mod p). information. p By moving to projective coordinates, a rational point P = To confirm order 4 elements can be a threat to X25519, (x; y) on Montgomery curve is represented with coordinates our study use the existing open source library µNaCl devel- P = (X : Z) where x = X=Z for Z =6 0. oped in [8] to implement scalar multiplication (SCM) over Curve25519 on Arduino UNO and perform a side-channel • ECA with Montgomery Curve attack (SCA) to do a simple power analysis (SPA) and retrieve Let P = (Xi : Zi) and Q = (Xj : Zj) be two different secret information in X25519 using low-order element. rational points. Let also consider the points represented by This research proves Curve25519 possess dangerous elements U = P − Q with coordinates U = (Xi−j : Zi−j). Their addition R = P +Q have coordinates R = (Xi+j : Zi+j) and C. Montgomery Ladder (ML) are calculated as follows: The Montgomery ladder is an algorithm introduced in [10], 2 Xi+j=Zi−j[(Xi−Zi)(Xj+Zj)+(Xi+Zi)(Xj−Zj)] and is an efficient method to perform SCM for a rational point 2 (3) Zi+j=Xi−j[(Xi−Zi)(Xj+Zj)−(Xi+Zi)(Xj−Zj)] P and a scalar s = (sn−1; sn−2 : : : s1; s0)2. The ML is an efficient SCM technique and is calculated as follows: Algorithm 1 ECA Algorithm 3 SCM with Montgomery Ladder − − Input: P = (Xi;Zi); Q = (Xj;Zj); U = (Xi j;Zi j) Input: P ; s = (sn−1; sn−2 : : : s1; s0)2 Output: R = (Xi+j;Zi+j) Output: T1 = [s]P 1: t1; t2; t3; t4; t5; t6; t7 1: T1 O 2: − t1 = xi zi 2: T2 P 3: t2 = xj + zj 3: for i = n − 1 to 0 do do 4: t3 = xi + zi 4: if si = 1 then 5: − t4 = xj zj 5: T1 T1 + T2 6: · t5 = t1 t2 6: T2 2T2 · 7: t6 = t3 t4 7: else 8: t7 = t5 + t6 8: T2 T1 + T2 9: · t7 = t7 t7 9: T1 2T1 · 10: Xi+j = Zi−j t7 10: end if − 11: t7 = t5 t6 11: end for 12: · t7 = t7 t7 12: return T1 13: Zi+j = Xi−j · t7 • ECD with Montgomery Curve D. Curve25519 Let P = (X : Z) be a rational point. Consider the point The curve Curve25519 is a Montgomery curve introduced by Daniel J. Bernstein [5] in 2006. This curve has received addition R = P + P , where R = (XR : ZR) is defined as follows: a great interest in modern cryptography and is at this day 2 2 XR = (X + Z) (X − Z) used in hundreds of applications for its efficiency and rapidity. 2 2 255 T = (X + Z) − (X − Z) (4) Curve25519 is defined over prime field Fq of order q = 2 − − 2 A+2 · ZR = T [(X Z) + 4 T ] 19 and its equation is defined as follows: 2 3 2 E25519 : y = x + 486662x + x (5) Algorithm 2 ECD Curve25519 has characteristic low-order points,p (0, 0) on the A+2 Input: P (X; Z); α = 4 affine coordinates is a order 2 point and (1; 486664) is a Output: 2P (X2;Z2) order 4 point over Fq. 1: t1; t2; t3 E. Side-channel Attack (SCA) 2: t1 = X + Z 3: t1 = t1 · t1 Side-channel attack [11] is the method of analyzing the 4: t2 = X − Z physical behavior of a cryptographic module to recover secret 5: t2 = t2 · t2 information. 6: X2 = t1 · t2 A cryptographic module is included on an integrated circuit 7: t1 = t1 − t2 (IC) and is composed of numerous CMOS gates handling 8: t3 = α · t1 secret information. With the cryptographic processing, a cur- 9: t2 = t3 + t2 rent accompanying the switching of the MOS transistor is 10: Z2 = t1 · t2 generated, causing fluctuations in the power supply voltage and electromagnetic radiation. The number of gates changing With the Montgomery curves, ECA and ECD are more state depends on plain text, ciphertext, and secret key. efficient and do not rely on inversion operations. However, as In other words, by observing unintended physical data a consequence of this representation, P − Q must be known (or so-called side-channel information) at the time of cryp- in order to compute P + Q and by this fact making the tographic processing, there is a possibility of leaking the computation of y coordinate in this representation unnecessary. secret information. The consumption level of IC is different Elliptic Curve Diffie-Hellman (ECDH) based cryptography when switching from low to high and the opposite. SCA relies on scalar multiplication (SCM) over the elliptic curve takes advantage of this characteristic to analyze either power to generate a session key. During this operation the algorithm consumption or electromagnetic field radiations of the IC. can potentially be attacked. Analyzing power consumption to visually examine its trace is called simple power analysis (SPA). III. IMPLEMENTATION P define as a chosen-ciphertext. P = (X = β : Z = β); β =6 0 A. Computational Environment when use projective coordinates. The result of doubling P is order 2 point 2P , represented by 2P = (X = 0 : Z =6 0). This section describes the means used during the experi- 3P = P + 2P is same with P on the projective coordinates ments to perform SCA on Curve25519 with Arduino UNO. because the y-coordinate of 3P is just y-axis opposition of As the values of Curve25519 are contained in the prime field P and there is no need to consider about y-coordinate. In of characteristic q = 2255 −19, one value should be interpreted addition, point at infinity O is defined O = (X =6 0 : Z = 0). as a 256 bits machine word. The relations between these points are as follows: Working with a precision arithmetic library is necessary to store these values (the secret key, base points’ coordinates, O + P = P; O + 2P = 2P etc.).