 Hi, my name is Alejandro and I'm going to present the paper Online Templates Attacks Revisited. In this talk, we are going to revisit Online Templates Attacks. First, a background on elliptical cryptography and sidechannel template attacks is presented. Then we revisit previous Online Templates Attacks description regarding the input direction countermeasures and evaluation framework. In addition, we applied the Processed Analysis to Open Source Libraries regarding Micro-Architecture sidechannels, evaluating the insecurity regarding this type of attack. We finalized this research by mounting several attack instances on these libraries. Regarding elliptical cryptography, scalar multiplication and implementation are a common objective of sidechannel attacks. For instance, in the algorithm shown in the slide, common attacks touches are the number of executed iteration and the conditional branches. This leak implementation has been exploited using different sidechannels like power consumption and micro-architecture-based ones like gauge timings for contagion, etc. In sidechannel analysis, traditional scenarios assume attackers can capture a trace while the victim uses a security. Templates attack are very powerful sidechannels in NIC, where the adversary has access to a template implementation very similar to the target one. Additionally, the adversary can capture sidechannel traces using the template implementation for arbitrary chosen keys. An online template attack is a variant of original template attacks, where the main differences are summarized in this table. Classic template attacks are employed when the template space is small, for example an 8-bit variable. This makes it feasible to create the templates before the target trace is captured. On the other hand, online template attacks are useful when the template space is large, for example all points of an LED curve. In this case, templates are created after the target trace is captured. This means template traces are captured on demand. Before going deep into online template attack description, let's define some terms. Additionally, contraindications against trivial attacks on scalar multiplication algorithms aim at removing a scalar-dependent operation, making a transition like this example, where an explicit branch has been refactored so that the point addition execution doesn't depend on the scalar. After analyzing several scalar multiplication algorithms, we define a generic one to present our OTA analysis. First, the scalar k is encoded in a sequence, where each element represents partial information of it. Then, the starting state is initialized. This is often done using only bullet information, like the generator point. The state could be one or more point accumulators. The main loop of this algorithm processes each k-a element using two operations, select and process. Select chooses the state to be processed at each iteration based on the corresponding k-a and the previous state. This operation has taught how the k-dependent operation by branches, table lookups, etc. are implemented. However, we assume that they are implemented in such a way that they don't leak k-i. Thus, we assume select is protected against trivial attacks. The second operation processes the iteration state. For instance, it performs the corresponding elliptic curve point operation. The last step computes the output from the last state. The ability to affine coordinate convention is often executed at this point. Considering the generic scalar multiplication algorithms, let's describe an online template adaca. The adversary first captures a tangent trace cemented into suit traces, where each suit trace corresponds to the execution of process at each iteration. The second step involves template creation. Starting from the initial state, the attacker emulates the selected operation by guessing k-1. This way, the adversary gets a candidate for the processed state. Then using a template implementation that reproduces process operation leakage, the adversary gets a template trace for a given state candidate. The same procedure is repeated for every possible k-i, obtaining a set of template traces. During the third phase, each template trace is compared with the target process signal, in this case, p-1, the one that matches where she will the k-i. Repeating this procedure for the following iteration and backtracking if multiple matches are found, could allow to recover all bits of the scalar using a single trace. Previous words about online template attack only consider power consumption and electromagnetic site channels. These channels leak very differently from micro-architecture-based ones. For instance, power signals contain information about the executed addresses and processed values. That means an ODA can exploit circuit-dependent execution flow and circuit-dependent processed values leaks using these signals. However, in the micro-architecture realm, value basal leaks are not common. Therefore, attackers should rely only on added basal leakage, commonly known as non-constant time code. But wait, where is this non-constant time code conference? Well, an easy implementation is composed by three main layers, the scalar multiplication algorithm, the curve arithmetic, and the field arithmetic. Nowadays, it's very common to find scalar multiplication implementations with protection against trivial attacks, both industry and academy are very aware of their danger. For example, this is a code snippet from MBTLS library, where it can be seen that the scalar multiplication loop is very regular, not trivial leakage outside, you can ignore i in this case. Going one step down, we find the point-doubling implementation, again it seems very regular. Notice, there are calls to modular reduction wrappers at the end of each line. Then if we go deeper into the implementation, all these wrappers end into a cold-dough, this modular reduction function, where there are two input-dependent loops, a.k.a. potential such as leakage sources. This kind of leakage can be transparently exploited by an OTA. That is, the adversary doesn't need to know how a leakage model that links how these white loops relate to the scalar. In this work, we see previous OTA descriptions regarding attack inputs, direction requirements, content measures, and evaluation procedures. Additionally, we instantiate OTAs in the realm of micro-architecture leakages, while previous works focus on power and EN signals. Regarding attack inputs and direction, previous works assume that adversely knows the algorithm starting a state, highlighting green, then the attack continues in the forward direction. However, it can also be applied in the backward direction, starting from the last computed state. This line is closely related to the projected coordination attack, however, this attack can only recover a few bits of the scalar. On the other hand, a backward online template attack can be considered like an augmented projected coordination attack, as it allows full-scalar recovery from a single trace. The third scenario to consider is when the adversary knows any intermediate state and starts the attack either in the forward or backward direction. This is less likely a scenario, but neglecting it could be dangerous. Summarizing online template attack can be applied in any direction and using any computed state as a starting point. Related to previous analysis are online template attack requirements. We identify two, name, distinguisher, and reproducible. The first one is just that, as a channel signal from the process operation can be used to distinguish the processed state. The second is about the leakage reproducibility concerning the template implementation. In this regard, the template implementation can accept two kinds of inputs, a state or a scalar, and the requirements vary with them. In the state case, the adversary must know any state processed by the target. While for a scalar-based attack, if two scalar changes on KI, the state related to the processing of those KI must be the same. In this presentation, we focus on the state case, however, the paper covers both. The mitigations are oriented to prevent the fulfillment of one of at least one requirement. In the first case, the idea is to avoid that the process operation leaks the state, that means hiding the leakage. This is not trivial for power and EM side channels, due to the inherently value basal leaks. However, in the micro-adjecture world, content time code should be sufficient. The second approach is about wrecking the reproducibility requirement, enforcing that equal inputs produce different processing states. For instance, these can be accomplished by randomizing all states. These content measures can be implemented by randomizing the representation of the processed points. After having analyzed OTA requirements, we propose an OTA evaluation framework from the attacker's perspective. The first step assesses where the target implementation is deterministic regarding the considered side channel. If it is not, the right branch is taken. This branch is more related to pre-sport analysis due to the characteristic or noisy nature of forward and EM signals. However, the left branch can be used if the target implementation produces deterministic leakages. Note that a deterministic implementation implies that the reproducible requirement is fulfilled. In this work, we focus on deterministic case, as we will see that it can be a lot of determinists using software side channels. The next step is estimating how well the distinguished requirement is fulfilled. For this task, we propose to estimate the probability mass function BNF of the process leakage space. That is, for any different state, capture the corresponding traces and estimate the probability mass function. The number on different outcomes is the estimated cardinality of the process leakage set. It means that a state generates the same leakage traces. Therefore, it is likely that the implementation is auto-safe. On the other hand, if the cardinality is equal to the number of states, this scenario is ideal for the attacker, because it is very likely that the distinguished requirement is perfectly fulfilled. The third scenario to consider when the cardinality lies between these values. In this case, how bias is the distribution allows to state if the attack would be computationally hard or easy. This research was developed to see full OTAs with bias as high as easy to present. Then we use this value as a threshold between hard and easy OTAs. But please note, this threshold is a rough estimate as we didn't aim at improving it. OK, after the theoretical side of the talk, let's apply it to real implementation. At this phase, we consider OTA against trusted execution environments, employing what is not known as control-channel attacks. In this scenario, it is common to get noiseless such-channel signals. We consider two known side-channels named page tracers and copycat. The first one allows an attacker to track the sequence of executed memory pages. While copycat counts the number of executed instructions at each page. For instance, considering this sequence of executed instructions, where each color represents a memory page. The page tracers trace will be like this one, while the copycat one will indicate additional information regarding the number of executed instructions. We analyze the three open source libraries and apply the proposed OTA evaluation framework to them. We selected them because they were not designed to be constant time or layers. However, significant efforts have been put to make them secure at the scalar multiplication one. In all cases, we use a leakage emulator based on tracer grind as a template implementation. This tool is based on ball grind and generates execution tracers with information about each executed instruction, like address. Parts inside information allow us to get the corresponding page tracers and copycat tracers. We analyze it in the context of this signature scheme. This case is interesting as partial non-scalar leakage are not sufficient to compromise it. However, online template attack can recover the core scalar using a single trace. The scalar multiplication algorithm in this case is doubled and add always and we selected as process both point operation, doubling and addition. This operation employs 17 memory pages will lead to many combinations that can be used to mount an attack. We followed the evaluation framework for each page combination and collected the start about them regarding page tracer and copycat side channels. This table shows some data. For instance, the secure column stands for ideal and easy scenarios, meaning that several combinations allow to perform an OTA. No ideal combination was found for page tracers. However, using copycats is possible on half of them. The last column represents the number of mutually exclusive combinations and sizes. This data is relevant as these combinations can be used for noise handling by allowing to attack the same implementation using redundant leakages. It is also interesting how many memory pages are sufficient to perform an attack on this library. This graph shows how the cardinality behaves for insecure combinations, as can be seen ideal scenarios can be obtained with copycat with only two memory pages. The second analyzer library was MBTLS, where we attach the scalar multiplication algorithm that employs during an ECSA signature generation. The scalar multiplication follows a custom COM approach, and in this case we selected the point doubling as the process operation. This means that only leakage coming from its implementation stack is considered. In the previous case, the state is composed by a single point accumulator R. For MBTLS, the process operation employs 14 memory pages. The percentage of insecure combinations for both attacks is much worse than leakage in addition. Almost all combinations lead to ideal scenarios using either page tracers or copycat. Instantly, the number of mutilated exclusive combinations for copycat is equal to the number of pages employed by the point doubling operation, so there is a strong leakage anywhere in this implementation. Ideal scenarios can be achieved in this library starting from two and three memory pages for page tracers and copycat respectively. We also analyzed the whole SSL library regarding the same creative scheme. The scalar implementation is based on the multi-layer with protection against trivial attacks. In this case, we selected the point doubling operation as the process, and the state is composed by two point accumulator R and S. The point doubling operation in this library expands over seven memory pages, leading to 127 page combination. Similar to the other libraries, the number of insecure combinations is very high. We also noted combination with two equi-probable leakage traces. We tracked down this combination to code snippets like this one, where the parity of an intermediate value during the point doubling is checked before dividing by two. As a final step of our research, we developed several attacking instances on the analyzer libraries. We developed SCX enclaves for each library using the graphene framework. The page traces attack was mounted using the framework SCX step. On the other hand, the attacker environment is composed by the same template implementation used to analyze the libraries. That is an emulator based on trace line. Therefore, during the template matching phase, we compared real traces with emulated ones, leading to successful attacks. Therefore, trace line demonstrated to perform very well. Different attacks were mounted for each library, employing different approaches. A state-based attack work carried out against each library. In the case of Wolf SSL, we also executed a scale-based approach. A daily proof concept of the layer can be found following this QR. Both attacks direction were tested, and the selected PNF were as follows. In the case of Leage Crip, a random insecure combination was used. Whereas for MBTLS, we selected an ideal combination related to the modular reduction code snippet that served as a motivational example before. For Wolf SSL, we also used an ideal combination. Additionally, we also executed the attack with the two cardinality probable combination commented before. In all cases, we got a 100% successful rating. The conclusions of our research are the following. Online terpes attack are very powerful against software implementation. The library analysis highlights the need of full stack constant time code. Online terpes attack can also be used in power direction strategy from any non-state. Randomizing the input point might not be sufficient to prevent them. Or OTA doesn't require a leakage mode to succeed, since it can exploit non-constant time code very deep in implementation stack without a leakage module. Thank you.