Abstract

Profiling attacks, especially those based on machine learning, have proved to be very successful techniques in recent years for the side-channel analysis of symmetric-key cryptographic implementations. At the same time, results for implementations of asymmetric-key cryptosystems are very sparse. This paper considers several machine learning techniques to mount side-channel attacks on two implementations of scalar multiplication on the elliptic curve Curve25519. The first implementation follows the baseline implementation with complete formulae as used for EdDSA in WolfSSL, where we exploit power consumption as a side channel. The second implementation features several countermeasures, and in this case we analyze electromagnetic emanations to find side-channel leakage. Most techniques considered in this work result in potent attacks; the method of choice appears to be convolutional neural networks (CNNs), which can break the first implementation with only a single measurement in the attack phase. The same convolutional neural network has demonstrated excellent performance for attacking AES implementations. Our results show that some common ground can be established when using deep learning for profiling attacks on very different cryptographic algorithms and their corresponding implementations.

Highlights

  • Various cyber-physical devices have become integral parts of our lives

  • This paper considers profiled side-channel attacks on two implementations of scalar multiplication on Curve25519, one of the most widely used elliptic curves in practice

  • We investigate the applicability of one visualization technique for deep learning when attacking public-key implementations

Summary

Introduction

Various cyber-physical devices have become integral parts of our lives. They provide basic services and, as such, need to fulfill appropriate security requirements. The first implementation is of EdDSA using Ed25519 as in WolfSSL. This implementation is based on the work of Bernstein et al. [4] and is a window-based method with radix 16, making use of a precomputed table containing the results of the scalar multiplications 16^i · |r_i| · G, where r_i ∈ [−8, 7] ∩ Z and G is the base point of Curve25519. This method is popular because of its trade-off between memory usage and computation speed, and because the implementation is constant-time: it does not feature any branch conditions or array indices and is presumably secure against timing attacks. We can attack this implementation and extract the ephemeral key r from Step 5 in Algorithm 1.
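To make the digit decomposition concrete, here is an added Python illustration (written for this page, not code from the paper or from WolfSSL) of the signed radix-16 recoding that the windowed method relies on, which table entry 16^i · |r_i| · G each window touches, and how correctly labelled digits recombine into the scalar; the sample scalar is constructed and the carry scheme follows the well-known ref10 approach.

```python
# Signed radix-16 recoding of a 256-bit Curve25519 scalar, as used by the
# fixed-base windowed scalar multiplication described above.
# Added illustration for this page; not the paper's or WolfSSL's code.

# Constructed sample "ephemeral" scalar, kept below 2^252 like a value
# reduced modulo the group order L.
SAMPLE_SCALAR = 3 * 2**200 + 0xDEADBEEF


def recode_radix16(scalar_bytes: bytes) -> list:
    """Split a 32-byte little-endian scalar into 64 signed digits r_i in
    [-8, 7] such that sum(r_i * 16**i) == scalar."""
    assert len(scalar_bytes) == 32
    # Step 1: 64 unsigned nibbles, least significant first.
    e = []
    for b in scalar_bytes:
        e.append(b & 15)
        e.append(b >> 4)
    # Step 2: propagate a carry so every digit lands in [-8, 7].
    carry = 0
    for i in range(63):
        e[i] += carry
        carry = (e[i] + 8) >> 4      # 1 when the digit would exceed 7
        e[i] -= carry << 4           # ... so fold it into the next digit
    e[63] += carry                   # top digit stays small for a reduced scalar
    return e


def table_entries(digits: list) -> list:
    """For each window i: the precomputed point |r_i| * 16^i * G that is
    looked up, and whether the implementation has to negate it.
    These per-window values are exactly what a profiled attack on the
    trace tries to classify, one window at a time."""
    return [(i, abs(d), d < 0) for i, d in enumerate(digits)]


def scalar_from_digits(digits: list) -> int:
    """Recombine the digits; every window labelled correctly means the
    whole scalar r is recovered by this sum, so one misclassified digit
    is the defender's margin."""
    return sum(d * 16**i for i, d in enumerate(digits))


if __name__ == "__main__":
    digits = recode_radix16(SAMPLE_SCALAR.to_bytes(32, "little"))
    assert scalar_from_digits(digits) == SAMPLE_SCALAR
    print("digits in [-8, 7]:", all(-8 <= d <= 7 for d in digits))
    print("first windows (index, |r_i|, negate):", table_entries(digits)[:4])
```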
