New Adaptive Template Attacks Against Montgomery-Ladder-Based ECCs in IoT Devices


Bibliographic Details
Published in: IEEE Internet of Things Journal, Vol. 11, no. 12, pp. 22716-22725
Main Authors: You, Chun-Heng; Chiang, Chih-Hao; Chao, Paul C.-P.; Lin, Wen-Ching; Chuang, Kai-Hsin
Format: Journal Article
Language: English
Published: Piscataway, IEEE, 15.06.2024
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
ISSN: 2327-4662
DOI: 10.1109/JIOT.2024.3384076

Summary: This study proposes a new adaptive template attack scheme for extracting secret keys from Montgomery-ladder (ML)-based elliptic curve cryptography (ECC) by exploiting the leakage difference between key bits 1 and 0. To determine the key length and the number of computation cycles per bit of the ECC under attack, the proposed adaptive attack applies an adaptive leakage-windowing technique and correlation analysis to the power trace obtained from an ECC module holding a secret key. The point of interest (POI) is identified, using the per-bit leakage window, at the bit with the maximum difference in leakage between key bits 1 and 0. The trace from the victim ECC hardware with the secret key is then compared against templates collected beforehand for key bits 1 and 0 to recover the key. To validate the performance, a Xilinx Artix-7 FPGA was used to implement an Edwards-curve digital signature algorithm (EdDSA) with Ed25519 and SHA-512 accelerators. The experimental results show a key recovery rate of 100%. Further attack results are presented for ECC modules with advanced side-channel countermeasures, such as projective coordinate randomization and/or scalar randomization. The proposed adaptive attack is shown to recover 100% of the keys of ML-based ECC accelerators both without countermeasures and with either projective coordinate randomization or scalar randomization. Only a heavily resource-consuming ECC module that combines projective coordinate randomization, scalar randomization, and a cryptographically secure random number generator is capable of defending against the proposed attack.