SPA vulnerabilities of the binary extended Euclidean algorithm

The execution flow of the binary extended Euclidean algorithm (BEEA) is heavily dependent on its inputs. Taking advantage of that fact, this work presents a novel simple power analysis (SPA) of this algorithm that reveals some exploitable power consumption-related leakages. The exposed leakages make...

Full description

Saved in:
Bibliographic Details
Published in:Journal of cryptographic engineering Vol. 7; no. 4; pp. 273 - 285
Main Authors: Aldaya, Alejandro Cabrera, Sarmiento, Alejandro J. Cabrera, Sánchez-Solano, Santiago
Format: Journal Article
Language:English
Published: Berlin/Heidelberg Springer Berlin Heidelberg 01.11.2017
Springer Nature B.V
Subjects:
Algorithms
Circuits and Systems
Communications Engineering
Computer Communication Networks
Computer Science
Cryptography
Cryptology
Data encryption
Data Structures and Information Theory
Networks
Operating Systems
Power consumption
Regular Paper
Target recognition
Lattice attack
Side-channel analysis
Binary Euclidean algorithm
SPA
ECDSA
ISSN:2190-8508, 2190-8516
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:The execution flow of the binary extended Euclidean algorithm (BEEA) is heavily dependent on its inputs. Taking advantage of that fact, this work presents a novel simple power analysis (SPA) of this algorithm that reveals some exploitable power consumption-related leakages. The exposed leakages make it possible to retrieve some bits of the algorithm’s secret input without profiling the target device. The identified vulnerabilities can be exploited in many cryptographic protocols where the modular inversion operation is applied to a secret argument. In this work, the ECDSA protocol is used to exemplify how the presented SPA can be used to disclose in about 2 min all standardized private key sizes using less than 800 traces. In the context of ECDSA, a countermeasure previously proposed to mitigate a timing leakage during scalar multiplication is also analyzed, showing that, when it is improperly implemented, it enhances the proposed bit recovery method. Three countermeasures for removing SPA leakages from a BEEA implementation are also analyzed.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:2190-8508
2190-8516
DOI:10.1007/s13389-016-0135-4