Conference: Euromicro Conference on Digital System Design

On Power-Analysis Resistant Hardware Implementations of ECC-Based Cryptosystems

Abstract

Power-analysis (PA) based side-channel attacks are effective methods to attack RSA encryption systems and elliptic-curve cryptography (ECC). In this paper, we describe PA-based side-channel attacks aiming to extract the (randomly chosen) private key for an ECC-based cryptosystem in detail. We assume that for the cryptosystem to be attacked the private key will not be available for more than one basic operation. Hence, statistical methods, commonly applied in differential power analysis attacks to enhance the signal-to-noise ratio (SNR), may not be applied. To reach the required SNR for a successful attack, we have extended the analysis by frequency-selective filtering followed by data fragmentation and correlation. We show that the implementation of a "double-and-add-always" scheme for ECC point multiplication, which according to literature has been considered safe against simple PA, will not resist our analytical attack method. We argue that memory accesses are the root cause for a successful attack, and propose an extension of the double-and-add-always scheme to harden ECC hardware implementations adequately.