IEICE TRANSACTIONS on Fundamentals
Template Attacks on ECDSA Hardware and Theoretical Estimation of the Success Rate
Summary :
In this work, template attacks that aimed to leak the nonce were performed on 256-bit ECDSA hardware to evaluate the resistance against side-channel attacks. The target hardware was an ASIC and was revealed to be vulnerable to the combination of template attacks and lattice attacks. Furthermore, the attack result indicated it was not enough to fix the MSB of the nonce to 1 which is a common countermeasure. Also, the success rate of template attacks was estimated by simulation. This estimation does not require actual hardware and enables us to test the security of the implementation in the design phase. To clarify the acceptable amount of the nonce leakage, the computational cost of lattice attacks was compared to that of ρ method which is a cryptanalysis method. As a result, the success rate of 2-bit leakage of the nonce must be under 62% in the case of 256-bit ECDSA. In other words, SNR must be under 2-4 in our simulation model.
- Publication
- IEICE TRANSACTIONS on Fundamentals Vol.E107-A No.3 pp.575-582
- Publication Date
- 2024/03/01
- Publicized
- 2023/08/31
- Online ISSN
- 1745-1337
- DOI
- 10.1587/transfun.2023VLP0010
- Type of Manuscript
- Special Section PAPER (Special Section on VLSI Design and CAD Algorithms)
- Category
- VLSI Design Technology and CAD
Authors
Kotaro ABE
The University of Tokyo
Makoto IKEDA
The University of Tokyo
Keyword
Latest Issue
Copyrights notice of machine-translated contents
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Cite this
Copy
Kotaro ABE, Makoto IKEDA, "Template Attacks on ECDSA Hardware and Theoretical Estimation of the Success Rate" in IEICE TRANSACTIONS on Fundamentals,
vol. E107-A, no. 3, pp. 575-582, March 2024, doi: 10.1587/transfun.2023VLP0010.
Abstract: In this work, template attacks that aimed to leak the nonce were performed on 256-bit ECDSA hardware to evaluate the resistance against side-channel attacks. The target hardware was an ASIC and was revealed to be vulnerable to the combination of template attacks and lattice attacks. Furthermore, the attack result indicated it was not enough to fix the MSB of the nonce to 1 which is a common countermeasure. Also, the success rate of template attacks was estimated by simulation. This estimation does not require actual hardware and enables us to test the security of the implementation in the design phase. To clarify the acceptable amount of the nonce leakage, the computational cost of lattice attacks was compared to that of ρ method which is a cryptanalysis method. As a result, the success rate of 2-bit leakage of the nonce must be under 62% in the case of 256-bit ECDSA. In other words, SNR must be under 2-4 in our simulation model.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.2023VLP0010/_p
Copy
@ARTICLE{e107-a_3_575,
author={Kotaro ABE, Makoto IKEDA, },
journal={IEICE TRANSACTIONS on Fundamentals},
title={Template Attacks on ECDSA Hardware and Theoretical Estimation of the Success Rate},
year={2024},
volume={E107-A},
number={3},
pages={575-582},
abstract={In this work, template attacks that aimed to leak the nonce were performed on 256-bit ECDSA hardware to evaluate the resistance against side-channel attacks. The target hardware was an ASIC and was revealed to be vulnerable to the combination of template attacks and lattice attacks. Furthermore, the attack result indicated it was not enough to fix the MSB of the nonce to 1 which is a common countermeasure. Also, the success rate of template attacks was estimated by simulation. This estimation does not require actual hardware and enables us to test the security of the implementation in the design phase. To clarify the acceptable amount of the nonce leakage, the computational cost of lattice attacks was compared to that of ρ method which is a cryptanalysis method. As a result, the success rate of 2-bit leakage of the nonce must be under 62% in the case of 256-bit ECDSA. In other words, SNR must be under 2-4 in our simulation model.},
keywords={},
doi={10.1587/transfun.2023VLP0010},
ISSN={1745-1337},
month={March},}
Copy
TY - JOUR
TI - Template Attacks on ECDSA Hardware and Theoretical Estimation of the Success Rate
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 575
EP - 582
AU - Kotaro ABE
AU - Makoto IKEDA
PY - 2024
DO - 10.1587/transfun.2023VLP0010
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E107-A
IS - 3
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - March 2024
AB - In this work, template attacks that aimed to leak the nonce were performed on 256-bit ECDSA hardware to evaluate the resistance against side-channel attacks. The target hardware was an ASIC and was revealed to be vulnerable to the combination of template attacks and lattice attacks. Furthermore, the attack result indicated it was not enough to fix the MSB of the nonce to 1 which is a common countermeasure. Also, the success rate of template attacks was estimated by simulation. This estimation does not require actual hardware and enables us to test the security of the implementation in the design phase. To clarify the acceptable amount of the nonce leakage, the computational cost of lattice attacks was compared to that of ρ method which is a cryptanalysis method. As a result, the success rate of 2-bit leakage of the nonce must be under 62% in the case of 256-bit ECDSA. In other words, SNR must be under 2-4 in our simulation model.
ER -
English
