< retour aux publications

Tuning of randomized windows against simple power analysis for scalar multiplication on elliptic curves

Auteur(s) : S. Pontié, P. Maistri, R. Leveugle

Doc. Source: Third Workshop on Trustworthy Manufacturing and Utilization of Secure Devices (TRUDEVICE'15)

The elliptic curve cryptography (ECC) is relevant in embedded systems, since it can provide an elevated level of security with keys much shorter than the current de-facto standard in public key cryptography, RSA. However, an implementation of ECC may leak information in side-channels (time of computation, power consumption ...). Thus, the operation that manipulates the secret key must be implemented with the goal of reducing such leakage. In this paper we focus on the simple power analysis (SPA) attack: this technique is based on identifying patterns in single power consumption trace that would allow obtaining the sequence of operations performed in the group (addition and doubling of points in the case of elliptic curves). SPA attacks target the scalar multiplication because this operation manipulates the secret key, which is used as the coefficient of the scalar multiplication. Windows methods can improve the performance and the security with respect to the simple Double and Add algorithm. On a Weierstrass curve, however, point operands of group operations cannot be the infinity point; therefore, empty windows (all bits equal to zero) can be still detected by an SPA attack. The leakage of critical data can be decreased by using windows of random width, and by inserting dummy group operations at random times in order to mask the size of windows. However, we show here that computing SPA on several scalar multiplications (using the same secret key and different points) still allows finding long sequences of zero bits in the secret key. We present here an experimental and statistical approach to quantify this attack, allowing the designer to tune the parameters of the scalar multiplication algorithm.