Hello, everyone. I am Sunghyun, a PhD student at a university in Korea, and I am presenting at CHES. This talk is about secure ECDSA implementations. This work was done together with my co-authors. ECDSA is a representative digital signature scheme based on elliptic curve cryptography. ECDSA plays an important role in digital signatures and provides a wide variety of security services. Compared with RSA, ECDSA has advantages in speed and memory at comparable strength, thus it is preferred for use in constrained environments such as smart cards. On the other hand, side-channel analysis is known as a practical means to break a cryptosystem. Although such a cryptosystem is designed to be theoretically secure, it causes side-channel leakage such as power consumption, electromagnetic emission, and timing when the cryptosystem is executed in a real environment. Since such leakage is caused depending on a secret, an attacker can recover the secret by using the leakage. Thus, it is well known that a cryptosystem must be implemented securely against side-channel analysis. However, a secure implementation might not be trivial. Also, constant hard work is needed because another attack might appear, such as the one in this presentation. Next, I will show an overview of the ECDSA signing algorithm and side-channel analysis against it. Let me explain the ECDSA signing algorithm first. The following is a brief version of the ECDSA signing algorithm. First, an ephemeral key or nonce k is chosen randomly. Second, the scalar multiplication kP is computed. Then, the signature is computed through long integer calculations. In this procedure, the scalar multiplication and the long integer calculation process the secret key d and the nonce k. If these operations are implemented naively, then they work depending on the secret values, and this is reflected in leakage such as power, EM, or timing. A side-channel attacker can recover the secret from such leakage. I will present a few side-channel analyses against ECDSA signature generation as an overview.
Side-channel analysis is divided into single-trace attacks and multiple-trace attacks depending on the required number of traces. Let me first show single-trace attacks. SPA is the simplest side-channel attack. Here is a power consumption trace of scalar multiplication as a representative example of SPA. Since this trace has two distinguishable patterns representing point doubling and point addition, the attacker can identify the secret immediately by identifying such patterns. To counteract SPA, scalar multiplication can be implemented by performing regular operations like this, using a double-and-add-always or ladder algorithm, or using only unified point addition. However, an advanced single-trace attack, the collision attack, can recover the secret even when protected by such countermeasures. There are several collision attacks, but here I will introduce only HCCA and ROSETTA. Scalar multiplication has two core operations, which are point doubling and point addition. Each point operation is based on finite field arithmetic. Also, each finite field arithmetic operation is implemented based on long integer arithmetic. Thus, a single point operation can be separated into multiple word arithmetic operations. HCCA and ROSETTA exploit the collision characteristics between the base arithmetic operations of the target point operation. The attacker can know whether a collision occurs or not by comparing two sets of word arithmetic of the target long integer operation. With this characteristic, the attacker can discriminate the secret scalar. On the other hand, the other kind of side-channel analysis is the multiple-trace attack. This class of attack uses statistical methods for finding the secret. Like SPA in single-trace attacks, DPA and CPA are representative multiple-trace attacks, using difference of means and correlation as a distinguisher, respectively. The so-called HNP, hidden number problem, is the other representative multiple-trace attack.
If the attacker can get partial information from the scalar multiplication or the long integer operation, such partial information can be converted into a closest vector problem related to the secret key. Then, the attacker can solve it using a solver algorithm for lattice problems, such as LLL lattice basis reduction or Babai's nearest plane algorithm. In this talk, our attack is a new multiple-trace attack, but it uses the collision technique for sub-trace clustering. Regular table-based scalar multiplication is our target algorithm, so I will introduce it in more detail. Regular means that the scalar multiplication performs an identical sequence of point operations independent of the scalar. On the other hand, table-based scalar multiplication is widely employed when computing over a fixed point, as in ECDSA signing. It handles several scalar bits chunk-wise at a time, not a single bit. Thus, it is well known that it is efficient. Fixed-base comb, NAF windowing, and TSM are examples of table-based scalar multiplication. Regular table-based scalar multiplication can provide no perfect security but gives practical security against side-channel analysis. In the next slide, I will show how table-based scalar multiplication works. Table-based scalar multiplication consists of two processes. The processes are Algorithm 2 and Algorithm 3, respectively. The first procedure is the preparation of the pre-computation table. The pre-computation table is computed according to a specific scalar multiplication algorithm. Each entry is the result of scalar multiplication by a corresponding specific scalar. The second procedure is the scalar multiplication using the table. First, the index sequence KS is computed for the input K. This sequence consists of row indices, each of which is for referencing an entry in the table in the for loop. In the main loop, two operations are computed. The appropriate doubling is first computed according to the function WS. And the entry in the column corresponding to the loop is loaded and accumulated according to the index sequence KS.
I will explain how the scalar multiplication works by example. Let's assume the index sequence KS is given according to the input scalar K. Each component of KS represents a row index of each column for referencing a table entry. Like this, each entry is accumulated according to KS in each loop. This procedure can also be presented as an expression as follows. And expanding this expression, we get a linear expression of the table entries. Here, W is a doubling-related term, and T is a chunk of the scalar-related term. This can be interpreted as each entry reference having an effect of the same weight. Now, I will explain our key recovery attack. This attack requires two assumptions. The first assumption is that WS is a function of the index J. Simply speaking, the doubling operation depends only on the loop index. The second assumption is that the side-channel attacker can get sufficient traces on multiple ECDSA signings with a fixed private key and pre-computation table. This can be considered common sense in view of the multiple-trace attack scenario. With these two assumptions, our attack can recover the secret key by exploiting only the collision characteristics between unknown entry references. In this slide, I will explain the concept of our attack. When multiple ECDSA signature generations are performed, the attacker can collect traces on the scalar multiplication. Each trace occurs while the expression below is computed. The trace includes leakage on each entry reference. We use this leakage. With visual inspection or some side-channel analysis technique, the attacker can extract the sub-trace related to each loop or reference of a table entry. Then, on two sub-traces corresponding to the same loop, in other words on vertical sub-traces, the attacker can distinguish whether the two vertical sub-traces reference the same entry or not by a collision attack. This is possible although there is no information on the table entries.
For all vertical sub-traces in each loop, the attacker can group and label them by a pairwise collision attack. Let's name the label sequence the collision information. On the other hand, the ECDSA signature expression can be converted like this. Note that the attacker doesn't know the information on the nonces. However, if two collision informations have the same group label at the same index, this means each nonce has the same table entry as a component having the same weight. In short, the collision information is relation information between nonces. Thus, if the attacker can find a linear dependency of the nonces by exploiting only this collision information, the attacker can recover the secret key d. In the next slide, I will show how the attacker can find the linear dependency. For the convenience of explaining, we consider a 3x3 pre-computation table as an example. The attacker has no information on the pre-computation table, but by means of side-channel analysis, the attacker can easily guess security parameters like the size of the table. As mentioned above, each trace includes leakage on table entry referencing. The attacker can cluster sub-traces vertically and get collision information. Each collision information presents how the nonces are related. The attacker doesn't know the real value of the entry and the row index from the collision information. However, the attacker's goal is to find a linear dependency of the nonces using only this collision information for recovering the secret key. Thus, with this setting, I will show how to find the linear dependency in the next slide. The attacker has no information on the relation between different group labels. Thus, we consider each group to be independent. For that, we convert the vertical group label into a one-hot representation. Since the pre-computation table has 3 rows, a label is converted into a 3-dimensional one-hot representation. So, in this case, the collision information is transformed into a 9-dimensional vector, and we call it the converted vector. Then, the value of the converted vector means how many corresponding entries in the table are used for constructing the nonce.
However, the attacker doesn't know how each component of the converted vector maps to the table. But the attacker knows whether the same entry is included between nonces or not with this converted vector. At this point, if there are converted vectors only one more than the dimension of the vector space, there must exist a linear dependency of the vectors, and the attacker can find the linear dependency by Gaussian elimination. Then, a linear dependency of the converted vectors is equal to a linear dependency of the nonces. Therefore, the attacker can know a linear dependency of the nonces resulting in zero. Finally, from this, the attacker can recover the secret key by simple algebra. Furthermore, if the attacker finds the basis of the converted vector space, then all table entries will be found, but without index information. As I have mentioned many times, this attack is possible even when there is no information on the entries, by exploiting only collisions between side-channel leakage. But currently, there are some limitations. For finding the linear dependency, the collision information must have no error. If an error occurs, the attacker cannot find a meaningful linear dependency. Thus, if an error is possible, the current only solution is doing a trial-and-error process with a sufficient number of traces until success. However, a clustering error is possible due to the signal-to-noise ratio. I will show that the probability of error is significantly low in an ideal environment. The ideal environment means that the signal-to-noise ratio, SNR, is so high that the side-channel leakage clustering algorithm works well. So, let's set the leakage property. Let's consider the leakage of loading an entry of the pre-computation table. Then, the entry is the coordinate of the point kP. Since the coordinates of kP are determined by the scalar k, for convenience of explaining, let's assume loading an entry in the table is just loading the scalar 32-bit word-wise. Also, let's assume the Hamming weight model. Then, the target leakage consists of 8 points.
In this setting, an error occurs when different points have the same Hamming weight leakage. Thus, we compute the probability. First, the probability of the Hamming weights of two different words being equal is as below. Then, when two different entries are chosen, the probability of the two leakages being equal is as below. This probability is quite low. Thus, if the SNR is sufficient, then our attack must succeed. Next, I will show that our attack is simply applied to fixed-base comb and TSM as case studies. The first case study is on fixed-base comb scalar multiplication. It is a representative table-based scalar multiplication. For the sake of simplicity, we consider the original version of the fixed-base comb method. The fixed-base comb algorithm is not shown here. Please refer to the paper for the algorithm. Fixed-base comb scalar multiplication performs only one point doubling per loop. Thus, WS is a constant function outputting only two. And since fixed-base comb uses the same table during the main loop, let's consider the original table as a single column in our setting. Then, this can be interpreted in our attack straightforwardly. Then, according to the security parameters of the fixed-base comb method, we can compute the other parameters, especially the dimension of the converted vector. Thus, from this, we can determine how many traces are necessarily sufficient for our attack to succeed. The second case is TSM scalar multiplication. This algorithm is designed only for counteracting single-trace attacks. Differently from general scalar multiplication, TSM outputs k and kP. In other words, TSM cannot compute kP over an input k. Thus, TSM has limited employment, such as in ECDSA signature generation. Unlike fixed-base comb, TSM is not familiar to you. So, I give the scalar multiplication algorithm. TSM uses two pre-computation tables of scalars and points. Each entry in the scalar table is randomly chosen, and each entry in the point table is computed according to the corresponding entry in the scalar table.
TSM scalar multiplication chooses a row randomly and accumulates the corresponding row entry in the main loop. This matches our target algorithm safely. Thus, our attack can be applied easily. From the TSM scalar multiplication algorithm, we know TSM has no doubling operation in the main loop. Thus, we set WS and the table size as follows. Then, as in the previous case, according to the security parameters, we can compute the dimension of the converted vector, and we can determine how many traces are necessarily sufficient for our attack to succeed. Finally, I will show the experimental result as a proof of work. We experimented on 256-bit TSM scalar multiplication having a 4x120a pre-computation table. With a practical view, we implemented the first accumulation of the scalar and point just by loading them. And in the remaining loops, we implemented long integer addition and point addition for accumulation. On a ChipWhisperer STM target microcontroller, we collected only 513 power consumption traces of TSM scalar multiplication. According to our attack complexity, this is sufficient for the attack to succeed. This is the total power consumption trace for TSM scalar multiplication. The attacker can guess the security parameters easily by simple means of side-channel analysis, such as visual inspection or cross-correlation. Then, the attacker can identify and extract all target sub-traces from the total trace. We describe the detailed process in the full paper. Please refer to our full paper for it. For profiling the collision information, we first find points of interest on the load leakage using Perlian's traces. In each quadrant, the upper plots show the real group labels, and the bottom plots show Perlian's traces. The highlighted box indicates the selected points of interest for the load leakage. The left upper part is about loading the scalar and point in the first loop. In this case, the load leakage is clearly presented on Perlian's traces. The remaining parts are about the sub-traces corresponding to the last loop operation. The right upper part is about the sub-trace for scalar accumulation.
The two bottom parts are about the sub-traces for each coordinate when point accumulation is performed. Differently from the first loop, the load leakage is not clearly presented on Perlian's traces in all three parts. But because the load operation is performed first, the attacker can guess it with some trials. We succeeded in clustering with no error using this load leakage. I skipped the clustering algorithm here. But in our paper, we provided a correlation-based clustering algorithm for all classes. And this clustering algorithm works well in our case. Please refer to our paper for details again. Therefore, we finally found the secret keys through our attack. Thank you for listening. If you have any questions, feel free to send me an e-mail. Thank you.
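The algebraic core of the talk, as an added worked example that is not the speakers' or the paper's code: a toy simulation of the one-hot conversion, the Gaussian-elimination linear dependency, and the recovery of d from it, plus the ideal-SNR Hamming-weight collision estimate from the error discussion. Everything here is a constructed assumption for the demo: the curve is replaced by arithmetic modulo a small toy prime standing in for the group order n, the target is a TSM-style scalar multiplication (random scalar table, no doubling in the main loop, so the nonce is the sum of one entry per column), r is drawn at random in place of x(kP) mod n, and the clustering is modelled as error-free but returning arbitrary, unknown group labels per loop. It shows concretely why the table entries and the row indices never need to be known, why cols*rows + 1 traces always yield a dependency, and how small the per-entry collision probability is under the 32-bit, 8-word Hamming-weight model.

```python
"""Toy simulation of the key-recovery step described in the talk (added
example, not the authors' code).  Constructed assumptions: toy prime in place
of the group order; TSM-style scalar table with no doubling in the main loop;
r chosen at random instead of x(kP) mod n; error-free clustering that returns
arbitrary unknown labels per loop."""
import random
from math import comb

N_ORDER = 1000003  # constructed toy prime standing in for the curve order n


def make_table(cols, rows, rng):
    """TSM-style scalar table: cols columns (loops) x rows random entries."""
    return [[rng.randrange(1, N_ORDER) for _ in range(rows)] for _ in range(cols)]


def sign(d, h, table, rng):
    """Toy ECDSA signing: one random row per loop is accumulated into the
    nonce k, then s = k^-1 (h + r d) mod n.  Only s*k = h + r*d matters."""
    cols, rows = len(table), len(table[0])
    while True:
        ks = [rng.randrange(rows) for _ in range(cols)]  # index sequence KS
        k = sum(table[j][ks[j]] for j in range(cols)) % N_ORDER
        if k:
            break
    r = rng.randrange(1, N_ORDER)
    s = pow(k, -1, N_ORDER) * (h + r * d) % N_ORDER
    return h, r, s, ks


def one_hot(labels, rows):
    """Converted vector: each per-loop group label becomes a rows-dim one-hot."""
    v = [0] * (len(labels) * rows)
    for j, lbl in enumerate(labels):
        v[j * rows + lbl] = 1
    return v


def dependency(vectors, p):
    """Gaussian elimination mod p on the matrix whose columns are the vectors;
    returns a nonzero c with sum_i c_i * vectors[i] == 0 (mod p), or None."""
    n_vec, dim = len(vectors), len(vectors[0])
    m = [[vectors[i][r] % p for i in range(n_vec)] for r in range(dim)]
    pivots, row = [], 0
    for col in range(n_vec):
        if row == dim:
            break
        piv = next((r for r in range(row, dim) if m[r][col]), None)
        if piv is None:
            continue
        m[row], m[piv] = m[piv], m[row]
        inv = pow(m[row][col], -1, p)
        m[row] = [x * inv % p for x in m[row]]
        for r in range(dim):
            if r != row and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[row])]
        pivots.append(col)
        row += 1
    free = [c for c in range(n_vec) if c not in pivots]
    if not free:
        return None  # impossible once n_vec > dim: a dependency must exist
    c = [0] * n_vec
    c[free[0]] = 1
    for r, pc in enumerate(pivots):
        c[pc] = (-m[r][free[0]]) % p
    return c


def recover_key(sigs, labels, rows, p=N_ORDER):
    """sum c_i k_i = 0 with k_i = s_i^-1 (h_i + r_i d) gives d = -A/B mod n."""
    c = dependency([one_hot(l, rows) for l in labels], p)
    if c is None:
        return None
    a = b = 0
    for ci, (h, r, s, _) in zip(c, sigs):
        s_inv = pow(s, -1, p)
        a = (a + ci * s_inv * h) % p
        b = (b + ci * s_inv * r) % p
    return None if b == 0 else (-a) * pow(b, -1, p) % p


def simulate(cols=3, rows=3, seed=1):
    """cols*rows + 1 signings, clustered with unknown labels, then recovery."""
    rng = random.Random(seed)
    d = rng.randrange(1, N_ORDER)
    table = make_table(cols, rows, rng)
    # the clustering hands out arbitrary ids per loop: a secret relabeling
    relabel = [rng.sample(range(rows), rows) for _ in range(cols)]
    sigs, labels = [], []
    for _ in range(cols * rows + 1):
        sig = sign(d, rng.randrange(1, N_ORDER), table, rng)
        sigs.append(sig)
        labels.append([relabel[j][sig[3][j]] for j in range(cols)])
    return d, recover_key(sigs, labels, rows)


def hw_collision_probability(word_bits=32, words=8):
    """Own derivation of the ideal-SNR error estimate: probability that two
    distinct uniform words share a Hamming weight, and that two entries of
    `words` words collide in every word (approximated as the product)."""
    equal_hw = comb(2 * word_bits, word_bits)  # pairs (a, b) with HW(a) == HW(b)
    p_word = (equal_hw - 2 ** word_bits) / (4 ** word_bits - 2 ** word_bits)
    return p_word, p_word ** words


if __name__ == "__main__":
    d, rec = simulate()
    print("recovered" if d == rec else "failed", d, rec)
    print("per-word / per-entry HW collision:", hw_collision_probability())
```

The relabeling step is what makes the example faithful to the talk: the attacker's vectors are a fixed but unknown permutation of the true one-hot vectors, and a linear dependency survives any such permutation, so neither the entries nor the row indices are needed. Because every vector has exactly one 1 per column block, the span is smaller than cols*rows and a dependency often appears with fewer traces, but cols*rows + 1 is the bound that always works. If a single label were wrong, the dependency found would no longer correspond to a true relation among nonces and the recovered value would be arbitrary, which is the error limitation the talk describes.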