Abstract

At EUROCRYPT 2004, Naccache et al. showed that the projective coordinates representation of the resulting point of an elliptic curve scalar multiplication potentially allows recovering some bits of the scalar. However, this attack has received little attention from the scientific community, and the status of deployed mitigations to prevent it in widely adopted cryptography libraries is unknown. In this paper, we aim to fill this gap by analyzing several cryptography libraries in this context. To demonstrate the applicability of the attack, we use a side-channel attack to exploit this vulnerability within libgcrypt in the context of ECDSA. To the best of our knowledge, this is the first practical attack instance. It targets the insecure binary extended Euclidean algorithm implementation using a microarchitectural side-channel attack that allows recovering the projective representation of the output point of scalar multiplication during ECDSA signature generation. We captured 100k traces to estimate the number of traces an attacker would need to compromise the libgcrypt ECDSA implementation, resulting in less than 2k for the commonly used elliptic curve secp256r1, demonstrating the attack's feasibility. During exploitation, we found two additional vulnerabilities. However, we stress that the purpose of this paper is not merely to exploit a library but to analyze the status of the projective coordinates vulnerability in widely deployed open-source libraries, filling a gap between its original description in the academic literature and the adoption of countermeasures to thwart it in real-world applications.

Highlights

  • Side-channel attacks (SCA) are a major concern in the context of secure cryptography implementations

  • While this attack does not have a direct application to elliptic curve digital signature algorithm (ECDSA), as the projective representation of the scalar multiplication is not made public at the protocol specification level, it could apply if the adversary can recover this projective representation using SCA, for example

  • We focused this study on simplified Weierstrass elliptic curves defined over prime finite fields; the analysis can be extended to others as well

Summary

Introduction

Side-channel attacks (SCA) are a major concern in the context of secure cryptography implementations. In 2004 Naccache, Smart, and Stern [NSS04] demonstrated how the projective representation resulting from the computation of a scalar multiplication can be related to some bits of the scalar. While this attack does not have a direct application to ECDSA, as the projective representation of the scalar multiplication is not made public at the protocol specification level, it could apply if the adversary can recover this projective representation using SCA, for example. Maimut et al. [Mai+13] is the only related work we are aware of; there, the authors proposed a set of fault attack models that could be used to recover the projective coordinate Z, allowing them to perform the attack. Neither this nor the original paper targets a real implementation. We also find and discuss two other vulnerabilities in the ECDSA path.
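The observation behind the leak, and the countermeasure the paper's mitigation analysis evaluates, can both be seen in a few lines of arithmetic. The following is an added example written for this page; it is not code from the paper, from libgcrypt or from any other library discussed. It implements Jacobian-coordinate double-and-add on secp256r1 (the only assumed values are the standard curve parameters, and the scalar used in the usage line is a constructed sample) and shows that the projective output (X:Y:Z) of a plain scalar multiplication is a deterministic function of the scalar, so that an adversary who recovers Z through a side channel learns something about the last operations performed, whereas re-randomizing the representation with a random factor before it leaves the routine yields the same affine point with an unrelated Z.

```python
"""Added example (not the paper's or any library's code): why a deterministic
Jacobian output (X:Y:Z) is a leak surface, and how re-randomization removes it."""
import secrets

# secp256r1 (NIST P-256) domain parameters, taken from the standard.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

# A Jacobian point (X, Y, Z) represents the affine point (X/Z^2, Y/Z^3);
# None stands for the point at infinity.
G = (GX, GY, 1)


def on_curve(x, y):
    return (y * y - (x * x * x + A * x + B)) % P == 0


def jac_double(pt):
    if pt is None:
        return None
    x1, y1, z1 = pt
    if y1 == 0:
        return None
    delta = z1 * z1 % P
    gamma = y1 * y1 % P
    beta = x1 * gamma % P
    alpha = 3 * (x1 - delta) * (x1 + delta) % P  # 3X^2 + aZ^4 with a = -3
    x3 = (alpha * alpha - 8 * beta) % P
    z3 = 2 * y1 * z1 % P
    y3 = (alpha * (4 * beta - x3) - 8 * gamma * gamma) % P
    return (x3, y3, z3)


def jac_add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1, z1 = p1
    x2, y2, z2 = p2
    z1s, z2s = z1 * z1 % P, z2 * z2 % P
    u1, u2 = x1 * z2s % P, x2 * z1s % P
    s1, s2 = y1 * z2s * z2 % P, y2 * z1s * z1 % P
    h, r = (u2 - u1) % P, (s2 - s1) % P
    if h == 0:  # same x: either a doubling or P + (-P) = infinity
        return jac_double(p1) if r == 0 else None
    h2 = h * h % P
    h3 = h2 * h % P
    x3 = (r * r - h3 - 2 * u1 * h2) % P
    y3 = (r * (u1 * h2 - x3) - s1 * h3) % P
    z3 = h * z1 * z2 % P
    return (x3, y3, z3)


def scalar_mult(k, pt=G):
    """Left-to-right double-and-add. The returned (X:Y:Z) is deterministic in k:
    the final operation (a doubling when k is even, an addition when k is odd)
    fixes Z, which is the relation the projective coordinates leak exploits."""
    r = None
    for bit in bin(k)[2:]:
        r = jac_double(r)
        if bit == "1":
            r = jac_add(r, pt)
    return r


def rerandomize(pt, lam=None):
    """Countermeasure: (X:Y:Z) -> (lam^2 X : lam^3 Y : lam Z) for random nonzero lam.
    Same affine point, but Z is now independent of the scalar's bits."""
    if pt is None:
        return None
    if lam is None:
        lam = secrets.randbelow(P - 1) + 1
    x, y, z = pt
    l2 = lam * lam % P
    return (x * l2 % P, y * l2 * lam % P, z * lam % P)


def scalar_mult_blinded(k, pt=G):
    """Scalar multiplication whose projective output has been re-randomized."""
    return rerandomize(scalar_mult(k, pt))


def to_affine(pt):
    if pt is None:
        return None
    x, y, z = pt
    zinv = pow(z, -1, P)
    z2 = zinv * zinv % P
    return (x * z2 % P, y * z2 * zinv % P)


if __name__ == "__main__":
    k = 0x1234567890ABCDEF  # constructed sample scalar
    plain = scalar_mult(k)
    blinded = scalar_mult_blinded(k)
    print("same affine point:", to_affine(plain) == to_affine(blinded))
    print("Z identical on re-run (leak surface):", scalar_mult(k)[2] == plain[2])
    print("Z changed by blinding:", blinded[2] != plain[2])
```

Running it twice shows the unblinded Z repeating exactly while the blinded Z differs each run; the affine result is identical in all cases, which is why the countermeasure costs one extra projective scaling and nothing in correctness. The point at infinity handling in `jac_add` is exercised by computing `N * G`, which must return the identity.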

Elliptic Curve Cryptography
ECDSA: The Elliptic Curve Digital Signature Algorithm
Projective coordinates attack and ECDSA: previous works
Projective coordinates leak
Mitigations analysis
Analysis of the randomized G countermeasure
Why the Montgomery ladder does not offer protection
Threat analysis in the wild: open-source libraries
End-to-end attack: libgcrypt ECDSA
Side-channel attack on libgcrypt BEEA
Projective to affine conversion
Projective coordinates attack results
Private key recovery using lattices
Conclusion