PB173 Domain specific development: side-channel analysis
Seminar 12: Presentation & Grading (Last Seminar)
Łukasz Chmielewski, chmiel@fi.muni.cz, Consultation: A406, Monday 14:00-

SoK: SCA-secure ECC in software – mission impossible?
My recent work (published in 2023)
• Systematization of Knowledge (SoK) paper: a list of side-channel and fault-injection attacks that the implementation needs to withstand.
• The sca25519 library consists of 3 implementations of X25519 for Cortex-M4 with countermeasures against all considered side-channel and fault-injection attacks:
  1. Unprotected implementation (constant-time);
  2. Implementation containing the countermeasures required for ephemeral scalar multiplication;
  3. Implementation containing the most countermeasures, for static scalar multiplication.
• We also performed a side-channel evaluation, including a feasibility assessment of single-trace template attacks.

Summary “SoK: SCA-secure ECC in software – mission impossible?”
(Slide shows the listings side by side: Unprotected Algorithm 6 and Most protected Static Algorithm 8 – not REALLY readable.)

Static Algorithm (Extra) Countermeasures
1. Stored key blinding/randomization.
   – k is stored as k·f^-1 together with f, which is a non-zero 64-bit random factor.
2. Point blinding.
   – Static random points R and S for input blinding, where S = [−k]R.
     • Add R, perform the scalar multiplication, and subtract S.
   – Re-randomize k·f^-1, f, R, and S; these secrets should be securely stored.
3. Inversion is blinded.
   – We use the extended Euclidean algorithm (EEA) with multiplicative blinding.

Efficiency Analysis: price to pay for security (Plain ➔ Ephemeral ➔ Static)
• The above SCA traces are from a device running at 168 MHz.

Efficiency Analysis: Related Crypto Libraries.

Side-Channel Evaluation
• TVLA: fixed vs. random input and scalar
• Preliminary results on Single-Trace Template Attacks
  • Profiled device with turned-off countermeasures
  • Find POIs for single-trace attacks
  • Perform template attack:
    • address mask: 63–64%,
    • masked scalar bit: 50.5%,
    • plain scalar bit: 52%

Links
• Resources:
  • https://tches.iacr.org/index.php/TCHES/article/view/9962 plus artifact
  • https://eprint.iacr.org/2021/1003
• Repository: https://github.com/sca-secure-library-sca25519/sca25519

ORGANIZATIONAL

Organization
• Group 1: Alignment
  – https://github.com/2lol555/pb173-side-channel/tree/main
• Group 2: Parallel computations with acquisition
  – https://github.com/makuga01/pb173-sidechannels

Remaining Seminars Plan
• 7: evaluation of progress on the first steps: 1 point per person for the work done till today, also based on the commits in Git
• 8: evaluation of the finished first steps: 3 points per group (personalized per person based on GitHub) + giving the next tasks
• 9: work in progress
• 10: 4 points per group (personalized per person based on GitHub). This seminar: real SCA setup
• 11/12: national holiday / online consultation
• 13: final 2 points for work + 2 points for presentations + 2 points for activity, grading.

FINAL SEMINAR + GRADING

Group 1: Alignment
• Installation easy
• Nice!
• Running hard
• No examples
• Did you push your recent changes to main?

Group 1: Alignment
• Main: (screenshot of the main branch)
• Commits: (screenshot of the commit history)
• Explain work division, etc., recent inactivity in main

Group 1 Final Tasks:
1. Finalize Correlation Alignment on the provided traces.
   – Potentially: investigate optimizations of calculating Normalized Cross Correlation (NCC) between the static reference and target traces. Lukasz’s idea: find out how it is efficiently done at https://github.com/Riscure/Jlsca. There is an efficient implementation there!
2. Make Peak Correlation + Window Resampling work also for other trace sets:
   – Before 02/05/2024 I will upload two new tracesets to IS.
3. Help Group 2 to incorporate peak alignment into their acquisition pipeline.

Group 2: Parallel computations with acquisition
• Nice!
• Installation looks clear and nice
• I have not tried running, @Milan?
• It seems clear which script to run, but not completely clear with which target

Group 2: Parallel computations with acquisition
• It looks evenly distributed, but please describe the division.

Group 2 Final Tasks:
1. Finish the comparison of various settings with respect to the number of threads and the amount of traces acquired.
   – Clarify which approach is the best on your system.
   – Possibly use a profiler (e.g., cProfile) to identify the most important bottlenecks of your solution.
   – Experiment with various numbers of samples used (or acquired). Does it matter?
2. Add the peak alignment code from Group 1 to your pipeline and perform experiments.
3. Optional: add bandpass filtering to your pipeline: https://stackoverflow.com/questions/12093594/how-to-implement-band-pass-butterworth-filter-with-scipy-signal-butter

Reminder: Colloquium
• To get the colloquium
  – You must be present at seminars (2 absences OK)
  – You must be active at seminars (+2 points given by me at the end)
  – You must submit and get:
    • 50%: 7 points in total (projects + presentation + activity = 14 points)

SUMMARY & PRESENTATIONS
THE FLOOR IS YOURS ☺

WRAPPING UP

Future Work (for me)
• I will try to run your code myself after the seminar, and that will influence the grade a bit too.
• @ALL: Thank you for your hard work and participation!
• I would potentially like to use your code in the future to help in next year’s seminars.
  – Would that be ok with you?

Still Future Reading
• For interested people
• Side-Channel Analysis – blue book:
  – http://dpabook.iaik.tugraz.at/
  – The book is available at the uni.
  – Look online
• The Hardware Hacking Handbook:
  – https://nostarch.com/hardwarehacking
  – I have an epub version.
Future Subjects
• PV080 (Information security and cryptography), PV079 (Applied Cryptography), PA018 (Advanced Topics in Information Technology Security)
• * PV181 (Laboratory of security and applied cryptography)
• * PV286/PA193 (Secure coding principles and practices)
• PV204 (Security Technologies)
• + Bachelor / Master (or even PhD) theses

Thank you very much for attending and for your work!!!

PA193 - Programming in the presence of side-channels / faults
Questions
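Added worked example for the static-algorithm countermeasures on the sca25519 slides (stored key blinding k·f^-1 with f, point blinding with S = [−k]R, re-randomization after each use). This is not the library's code: it assumes a constructed toy group (the multiplicative group mod a Mersenne prime) in place of Curve25519, so "point addition" is multiplication mod p and [k]P is exponentiation.

```python
# Added example (not the sca25519 library's code): stored key blinding, point
# blinding with S = [-k]R and re-randomization, shown in a toy group.
# Constructed stand-in: the multiplicative group mod a Mersenne prime, so a
# "point" is an integer, P + Q is P*Q mod p and [k]P is P**k mod p.
import math
import secrets

P_MOD = 2**127 - 1      # prime modulus of the toy group (constructed)
ORDER = P_MOD - 1       # group order; scalars live mod ORDER

def add(p, q):
    return p * q % P_MOD

def smul(k, pt):
    return pow(pt, k % ORDER, P_MOD)

def rand_unit():
    """Random 64-bit scalar that is invertible mod ORDER (used for f and its updates)."""
    while True:
        f = secrets.randbits(64)
        if f and math.gcd(f, ORDER) == 1:
            return f

class StaticKey:
    """Holds k only in blinded form: kf = k*f^-1, f, and the blinding pair (R, S)."""

    def __init__(self, k):
        self.f = rand_unit()
        self.kf = k * pow(self.f, -1, ORDER) % ORDER
        self.R = secrets.randbelow(P_MOD - 2) + 2        # random input-blinding point R
        self.S = smul(-self.kf, smul(self.f, self.R))    # S = [-k]R, computed via the blinded form

    def scalar_mul(self, pt):
        """Compute [k]pt as [k*f^-1]([f](pt + R)) + S, then re-randomize the secrets."""
        masked = add(pt, self.R)                                # input blinding: pt + R
        out = add(smul(self.kf, smul(self.f, masked)), self.S)  # [k](pt + R) + [-k]R = [k]pt
        self.rerandomize()
        return out

    def rerandomize(self):
        """Fresh representation of the same secrets: (kf*r^-1, f*r) and ([c]R, [c]S)."""
        r = rand_unit()
        self.kf = self.kf * pow(r, -1, ORDER) % ORDER
        self.f = self.f * r % ORDER
        c = rand_unit()
        self.R = smul(c, self.R)
        self.S = smul(c, self.S)    # [c]S = [-k]([c]R), so the pair stays consistent
```

Every call leaves k, f and (R, S) in a different representation while the result stays [k]pt, which is the property a leakage assessment would check across traces.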
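Added worked example for the Group 1 correlation-alignment task (and the peak alignment Group 2 is asked to integrate): a window of a static reference trace is slid over a target trace, the offset with the highest normalized cross-correlation is the peak, and the target is shifted by that offset. This is not Group 1's code or Jlsca's FFT-based routine; it is the direct definition, and the traces are constructed sample data.

```python
# Added example (not Group 1's code): NCC-based peak alignment of a target trace
# against a static reference, using the plain O(n*m) definition. Jlsca's
# implementation is the efficient variant; this one keeps the maths visible.
# All traces are constructed sample data, not measured traces.
import math

def ncc(ref, win):
    """Normalized cross-correlation of two equal-length sample lists, in [-1, 1]."""
    n = len(ref)
    mr, mw = sum(ref) / n, sum(win) / n
    num = sum((a - mr) * (b - mw) for a, b in zip(ref, win))
    den = math.sqrt(sum((a - mr) ** 2 for a in ref) * sum((b - mw) ** 2 for b in win))
    return num / den if den else 0.0

def best_shift(reference, target, start, length, max_shift):
    """Offset s in [-max_shift, max_shift] at which reference[start:start+length]
    best matches target[start+s:start+s+length]; returns (s, ncc score)."""
    pattern = reference[start:start + length]
    best = (0, -2.0)
    for s in range(-max_shift, max_shift + 1):
        lo = start + s
        if lo < 0 or lo + length > len(target):   # window must stay inside the trace
            continue
        score = ncc(pattern, target[lo:lo + length])
        if score > best[1]:
            best = (s, score)
    return best

def align(reference, target, start, length, max_shift):
    """Shift target so its pattern lands where the reference's is; zero-pads the edge."""
    s, _ = best_shift(reference, target, start, length, max_shift)
    if s >= 0:
        return target[s:] + [0.0] * s
    return [0.0] * (-s) + target[:s]

def make_trace(offset, n=40):
    """Constructed trace: deterministic low-level 'noise' plus a 5-sample peak at offset."""
    trace = [((i * 7) % 5) * 0.01 for i in range(n)]
    for j, v in enumerate([1.0, 3.0, 5.0, 3.0, 1.0]):
        trace[offset + j] += v
    return trace

REFERENCE = make_trace(12)   # reference peak at samples 12..16
TARGET = make_trace(16)      # same pattern, jittered 4 samples later
```

The search window (start, length, max_shift) is the part that has to be chosen per trace set, which is why the task asks for the method to be verified on the other tracesets as well.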