
HS-Based Error Correction Algorithm for Noisy Binary GCD Side-Channel Sequences

  • Conference paper
Applied Cryptography and Network Security (ACNS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13905)

Abstract

The secure implementation of the Greatest Common Divisor (GCD) algorithm is fundamental for many cryptographic schemes. The control flow of the binary GCD algorithm is highly input dependent, so any binary GCD used in a cryptographic system must be implemented with care. However, the binary GCD algorithm implemented in OpenSSL 1.1.0-1.1.0h and 1.0.2b-1.0.2o was shown not to be secure. Aldaya et al. presented this vulnerability at CHES 2019, together with a side-channel attack that collects the sequence of operations performed by the binary GCD algorithm and an error correction algorithm (the AGTB algorithm) that recovers the LSBs of secret keys from the noisy sequences. In this paper, we propose an error correction algorithm that, like the AGTB algorithm, focuses on only a single type of error. Numerical experiments show that our algorithm achieves a higher recovery rate than the AGTB algorithm.


Notes

  1. https://www.openssl.org/.

  2. https://cs.adelaide.edu.au/~yval/Mastik/.

References

  1. Aldaya, A.C., Brumley, B.B.: When one vulnerable primitive turns viral: novel single-trace attacks on ECDSA and RSA. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(2), 196–221 (2020). https://doi.org/10.13154/tches.v2020.i2.196-221

  2. Aldaya, A.C., García, C.P., Tapia, L.M.A., Brumley, B.B.: Cache-timing attacks on RSA key generation. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(4), 213–242 (2019). https://doi.org/10.13154/tches.v2019.i4.213-242

  3. Aldaya, A.C., Sarmiento, A.J.C., Sánchez-Solano, S.: SPA vulnerabilities of the binary extended Euclidean algorithm. J. Cryptogr. Eng. 7(4), 273–285 (2016). https://doi.org/10.1007/s13389-016-0135-4

  4. Allan, T., Brumley, B.B., Falkner, K.E., van de Pol, J., Yarom, Y.: Amplifying side channels through performance degradation. In: Schwab, S., Robertson, W.K., Balzarotti, D. (eds.) Proceedings of the 32nd Annual Conference on Computer Security Applications, ACSAC 2016, Los Angeles, CA, USA, 5–9 December 2016, pp. 422–435. ACM (2016). http://dl.acm.org/citation.cfm?id=2991084

  5. Coppersmith, D.: Finding a small root of a univariate modular equation. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_14

  6. Halderman, J.A., et al.: Lest we remember: cold boot attacks on encryption keys. In: van Oorschot, P.C. (ed.) Proceedings of the 17th USENIX Security Symposium, 28 July–1 August 2008, San Jose, CA, USA, pp. 45–60. USENIX Association (2008). http://www.usenix.org/events/sec08/tech/full_papers/halderman/halderman.pdf

  7. Henecka, W., May, A., Meurer, A.: Correcting errors in RSA private keys. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 351–369. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_19

  8. Heninger, N., Shacham, H.: Reconstructing RSA private keys from random key bits. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 1–17. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_1

  9. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25

  10. Kunihiro, N., Shinohara, N., Izu, T.: Recovering RSA secret keys from noisy key bits with erasures and errors. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 180–197. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_12

  11. Paterson, K.G., Polychroniadou, A., Sibborn, D.L.: A coding-theoretic approach to recovering noisy RSA keys. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 386–403. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_24

  12. Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978). https://doi.org/10.1145/359340.359342

  13. Stein, J.: Computational problems associated with Racah algebra. J. Comput. Phys. 1(3), 397–405 (1967)

  14. Weiser, S., Spreitzer, R., Bodner, L.: Single trace attack against RSA key generation in Intel SGX SSL. In: Kim, J., Ahn, G., Kim, S., Kim, Y., López, J., Kim, T. (eds.) Proceedings of the 2018 on Asia Conference on Computer and Communications Security, AsiaCCS 2018, Incheon, Republic of Korea, 04–08 June 2018, pp. 575–586. ACM (2018). https://doi.org/10.1145/3196494.3196524

  15. Xu, Y., Cui, W., Peinado, M.: Controlled-channel attacks: deterministic side channels for untrusted operating systems. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, 17–21 May 2015, pp. 640–656. IEEE Computer Society (2015). https://doi.org/10.1109/SP.2015.45

  16. Yarom, Y., Falkner, K.: FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack. In: Fu, K., Jung, J. (eds.) Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, 20–22 August 2014, pp. 719–732. USENIX Association (2014). https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/yarom


Acknowledgments

This work was supported by JST CREST Grant Number JPMJCR2113 and JSPS KAKENHI Grant Number 21H03440.

Author information

Corresponding author: Noboru Kunihiro

Appendices

A Finding \(\varepsilon \) Such that \(P_\textrm{SCA}\) and \(P_\textrm{APPROX}\) are Closest

We use the conditional relative entropy as the distance between \(P_\textrm{SCA}\) and \(P_\textrm{APPROX}\), and take \(\hat{\varepsilon }\) to be the value of \(\varepsilon \) that minimizes it. For the conditional distributions \(P_\textrm{APPROX}(\tilde{z} \mid z)\) and \(P_\textrm{SCA}(\tilde{z} \mid z)\), the conditional relative entropy is as follows.

$$ D(P_\textrm{APPROX}(\tilde{z} \mid z)\, \mid \mid \, P_\textrm{SCA}(\tilde{z} \mid z)) = \sum _z P_\textrm{APPROX}(z) \sum _{\tilde{z}} P_\textrm{APPROX}(\tilde{z} | z) \log {\frac{ P_\textrm{APPROX}(\tilde{z}\, | \, z)}{ P_\textrm{SCA}(\tilde{z}\, | \, z)}} $$

The optimal \(\hat{\varepsilon }\) is then \(\hat{\varepsilon } {:}{=}\arg {\min _\varepsilon {D(P_\textrm{APPROX}(\tilde{z} \mid z) \, \mid \mid \, P_\textrm{SCA}(\tilde{z} \mid z))}}\). Substituting \(P_\textrm{APPROX}(z) = (1/2)^z\) and the error model \(P_\textrm{APPROX}(z \mid z) = 1-\varepsilon \), \(P_\textrm{APPROX}(z \pm 1 \mid z) = \varepsilon /2\) gives

$$\begin{aligned}&D(P_\textrm{APPROX}(\tilde{z} \mid z)\, \mid \mid \, P_\textrm{SCA}(\tilde{z} \mid z)) = \sum _z P_\textrm{APPROX}(z) \sum _{\tilde{z}} P_\textrm{APPROX}(\tilde{z} | z) \log {\frac{ P_\textrm{APPROX}(\tilde{z}\, | \, z)}{ P_\textrm{SCA}(\tilde{z}\, | \, z)}} \nonumber \\&= \sum _z \left( \frac{1}{2}\right) ^z \left[ (1-\varepsilon ) \log {\frac{1-\varepsilon }{ P_\textrm{SCA}(z\, | \, z)}} + \frac{\varepsilon }{2} \log {\frac{\varepsilon /2}{ P_\textrm{SCA}(z+1\, | \, z)}} + \frac{\varepsilon }{2} \log {\frac{\varepsilon /2}{ P_\textrm{SCA}(z-1\, | \, z)}} \right] \end{aligned}$$
(14)

The partial derivative \(\partial D/\partial \varepsilon \) of Eq. (14) is as follows (the constant terms \(-1\), \(+1/2\) and \(+1/2\) produced by differentiating the three summands cancel). Since \(Z \ge 1\) and the weights \((1/2)^z\) decay quickly, we truncate the sum at \(z = 12\).

$$\begin{aligned}&\frac{\partial D}{\partial \varepsilon } = \sum _z \left( \frac{1}{2}\right) ^z \left[ - \log {\frac{1-\varepsilon }{ P_\textrm{SCA}(z\, | \, z)}} + \frac{1}{2} \log {\frac{\varepsilon /2}{ P_\textrm{SCA}(z+1\, | \, z)}} + \frac{1}{2} \log {\frac{\varepsilon /2}{ P_\textrm{SCA}(z-1\, | \, z)}} \right] \nonumber \\&\approx \sum _{z=1}^{12} \left( \frac{1}{2}\right) ^z \left[ - \log {\frac{1-\varepsilon }{ P_\textrm{SCA}(z\, | \, z)}} + \frac{1}{2} \log {\frac{\varepsilon /2}{ P_\textrm{SCA}(z+1\, | \, z)}} + \frac{1}{2} \log {\frac{\varepsilon /2}{ P_\textrm{SCA}(z-1\, | \, z)}} \right] \end{aligned}$$
(15)

\(\hat{\varepsilon }\) is the point where \(\partial D/\partial \varepsilon = 0\) in Eq. (15); numerically, \(\hat{\varepsilon } \approx 0.0247\). If we use \(\hat{\varepsilon }\) as the error rate \(\varepsilon ^{\prime }\) when computing the likelihood-based loss function in Sect. 5.3, \(P_\textrm{APPROX}(\tilde{z} \mid z)\) and \(P_\textrm{SCA}(\tilde{z} \mid z)\) are close.
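As an added example (not code from the paper), the following Python carries out the computation behind Eqs. (14) and (15): it evaluates \(D(P_\textrm{APPROX} \mid \mid P_\textrm{SCA})\) and \(\partial D/\partial \varepsilon \) over \(z = 1, \dots , 12\) with the prior \(P_\textrm{APPROX}(z) = (1/2)^z\) and the three-point error model, finds the root of Eq. (15) by bisection, and checks it against the closed form obtained by solving Eq. (15) for \(\varepsilon \). The transition table `P_SCA` is a constructed stand-in: the paper's \(P_\textrm{SCA}\) is measured from its side-channel dataset and is not tabulated on this page, so the \(\hat{\varepsilon }\) this code returns is not the paper's 0.0247.

```python
import math

# Constructed stand-in for the empirical transition table P_SCA(z~ | z):
# for each true run length z, the probability that the side-channel sequence
# shows z (correct), z+1 (one 0 inserted) or z-1 (one 0 dropped).
# These values are made up for this example; the paper measures P_SCA from
# its dataset. Only the three entries to which P_APPROX assigns positive
# mass are needed by D(P_APPROX || P_SCA).
Z_MAX = 12
P_SCA = {
    z: {z: 0.975 - 0.001 * z,
        z + 1: 0.010 + 0.0005 * z,
        z - 1: 0.015 + 0.0005 * z}
    for z in range(1, Z_MAX + 1)
}


def p_approx_z(z):
    """Prior on the true run length used in Eq. (14): P(Z = z) = (1/2)^z, z >= 1."""
    return 0.5 ** z


def p_approx_cond(z_tilde, z, eps):
    """Three-point error model P_APPROX(z~ | z): 1-eps if correct, eps/2 for z+1 and z-1."""
    if z_tilde == z:
        return 1.0 - eps
    if abs(z_tilde - z) == 1:
        return eps / 2
    return 0.0


def kl_approx_vs_sca(eps, p_sca=P_SCA, z_max=Z_MAX):
    """Eq. (14): conditional relative entropy D(P_APPROX || P_SCA), summed over z = 1..z_max."""
    total = 0.0
    for z in range(1, z_max + 1):
        w = p_approx_z(z)
        for z_tilde in (z - 1, z, z + 1):
            q = p_approx_cond(z_tilde, z, eps)
            total += w * q * math.log(q / p_sca[z][z_tilde])
    return total


def d_kl_d_eps(eps, p_sca=P_SCA, z_max=Z_MAX):
    """Eq. (15): partial derivative of D with respect to eps (the -1, +1/2, +1/2 terms cancel)."""
    total = 0.0
    for z in range(1, z_max + 1):
        w = p_approx_z(z)
        total += w * (-math.log((1.0 - eps) / p_sca[z][z])
                      + 0.5 * math.log((eps / 2) / p_sca[z][z + 1])
                      + 0.5 * math.log((eps / 2) / p_sca[z][z - 1]))
    return total


def eps_hat_bisect(p_sca=P_SCA, z_max=Z_MAX, iters=200):
    """Root of Eq. (15) on (0, 1) by bisection. dD/deps is strictly increasing in eps
    (its derivative is W*(1/eps + 1/(1-eps)) > 0), so the root is unique and minimises D."""
    lo, hi = 1e-9, 1.0 - 1e-9
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if d_kl_d_eps(mid, p_sca, z_max) < 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def eps_hat_closed_form(p_sca=P_SCA, z_max=Z_MAX):
    """Solve Eq. (15) = 0 analytically. With W = sum_z (1/2)^z and
    K = sum_z (1/2)^z * (1/2) * log(P_SCA(z+1|z) P_SCA(z-1|z) / P_SCA(z|z)^2),
    the eps-dependent terms collect into W * log(eps / (2(1-eps))) = K,
    hence eps_hat = 2r / (1 + 2r) with r = exp(K / W)."""
    W = 0.0
    K = 0.0
    for z in range(1, z_max + 1):
        w = p_approx_z(z)
        W += w
        K += w * 0.5 * math.log(p_sca[z][z + 1] * p_sca[z][z - 1] / p_sca[z][z] ** 2)
    r = math.exp(K / W)
    return 2.0 * r / (1.0 + 2.0 * r)


if __name__ == "__main__":
    e = eps_hat_closed_form()
    print(f"eps_hat (closed form) = {e:.4f}, bisection = {eps_hat_bisect():.4f}, "
          f"D(eps_hat) = {kl_approx_vs_sca(e):.6f}")
```

Note that the paper minimizes \(D(P_\textrm{APPROX} \mid \mid P_\textrm{SCA})\), with the model in the first argument; this is what makes the closed form possible, since only the three entries of \(P_\textrm{SCA}\) in the support of \(P_\textrm{APPROX}\) enter the sum. Fitting by maximum likelihood would instead minimize \(D(P_\textrm{SCA} \mid \mid P_\textrm{APPROX})\) and would need the whole empirical table.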

B Details About the AGTB Algorithm

We give details about the AGTB algorithm [2]: the parameters it takes as input, how Prune is performed in this study, and the experimental results we obtained with it.

B.1 Prune

Prune removes candidate solutions generated by Expand. In the AGTB algorithm, the parameters g, G, \(\textsf{cons}\) and \(\textsf{th}\) determine which candidate solutions are removed. The most important are g and G, since the AGTB algorithm keeps at most \(g\times G\) candidate solutions. Let \(e_{\textrm{min}}\) denote the smallest value of \(e_{x_1} + e_{x_2} + e_{\textrm{mult}}\) among the candidate solutions, and let \(\textsf{cons}\) bound the number of consecutive 0 insertions or 0 deletions performed up to the current phase. Prune applies the following criteria to each candidate solution; only the candidates that survive all of them are kept and used in the next phase of error correction.

  1. Remove candidate solutions whose run of consecutive 0 insertions or 0 deletions in Expand exceeds \(\textsf{cons}\).

  2. Remove candidate solutions that do not satisfy \(e_{x_1} + e_{x_2} + e_{\textrm{mult}} \le \textsf{th}\).

  3. Remove candidate solutions that do not satisfy \(e_{x_1} + e_{x_2} + e_{\textrm{mult}} \le e_{\textrm{min}} + g\).

  4. Classify the remaining candidates by the value of \(e_{x_1} + e_{x_2} + e_{\textrm{mult}}\). Within each class, sort by \(e_\textrm{mult}\), keep only the first G candidate solutions, and remove the others.

Thus g, G, \(\textsf{cons}\) and \(\textsf{th}\) are the Prune criteria of the AGTB algorithm.
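As an added illustration (example code, not the paper's or Aldaya et al.'s implementation), the following Python applies the four Prune criteria above to a list of candidate solutions. The `Candidate` record, its field names and the sample candidates are assumptions made for this example: the appendix does not specify how candidates are represented, nor whether \(e_{\textrm{min}}\) is taken before or after criteria 1 and 2, so the code states its choice in a comment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    """One candidate solution tracked across Expand/Prune phases.
    The field layout is an assumption for this example; the paper does not
    spell out its candidate representation in this appendix."""
    e_x1: int          # errors attributed to the x1 sequence
    e_x2: int          # errors attributed to the x2 sequence
    e_mult: int        # errors attributed to the multiplication part
    consecutive: int   # current run of consecutive 0-insertions/0-deletions in Expand

    @property
    def e_total(self) -> int:
        return self.e_x1 + self.e_x2 + self.e_mult


def prune(candidates, g, G, cons, th):
    """Apply the four Prune criteria of Appendix B.1 and return the survivors.

    Assumption: e_min is taken over the candidates that survive criteria 1 and 2,
    so a candidate discarded for another reason cannot tighten criterion 3.
    """
    # 1. Drop candidates whose run of consecutive 0-insertions/0-deletions exceeds cons.
    kept = [c for c in candidates if c.consecutive <= cons]
    # 2. Drop candidates whose total error count exceeds the absolute threshold th.
    kept = [c for c in kept if c.e_total <= th]
    if not kept:
        return []
    # 3. Drop candidates more than g errors worse than the best remaining one.
    e_min = min(c.e_total for c in kept)
    kept = [c for c in kept if c.e_total <= e_min + g]
    # 4. Group by total error count; inside each class prefer small e_mult and keep G.
    classes = {}
    for c in kept:
        classes.setdefault(c.e_total, []).append(c)
    survivors = []
    for e_total in sorted(classes):
        ranked = sorted(classes[e_total], key=lambda c: c.e_mult)
        survivors.extend(ranked[:G])
    return survivors


# Constructed input for one Prune phase (made up for this example).
SAMPLE_CANDIDATES = [
    Candidate(1, 0, 0, 0),      # e_total = 1: the best candidate, always kept
    Candidate(0, 1, 1, 0),      # e_total = 2, e_mult = 1
    Candidate(1, 1, 0, 0),      # e_total = 2, e_mult = 0: ranked first in its class
    Candidate(0, 0, 2, 0),      # e_total = 2, e_mult = 2: cut by G = 2 within the class
    Candidate(2, 2, 1, 0),      # e_total = 5 > e_min + g = 3: cut by criterion 3
    Candidate(0, 0, 1, 4),      # consecutive = 4 > cons = 3: cut by criterion 1
    Candidate(50, 60, 70, 0),   # e_total = 180 > th = 150: cut by criterion 2
]

if __name__ == "__main__":
    for c in prune(SAMPLE_CANDIDATES, g=2, G=2, cons=3, th=150):
        print(c)
```

With g = 2, G = 2, cons = 3 and th = 150 the sample input shrinks from seven candidates to three: the single candidate in class 1 and the two lowest-\(e_\textrm{mult}\) candidates in class 2. Criterion 3 admits only the classes from \(e_{\textrm{min}}\) to \(e_{\textrm{min}} + g\) and criterion 4 caps each at G, which is why the appendix treats g and G as the parameters that bound the search.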

B.2 Implementation of the AGTB Algorithm

In the experiments of Sect. 5, the erroneous Z-sequences produced by our SCA may contain elements with \(\tilde{Z}_i=0\). Such an element changes the structure of the binary representations of \(\tilde{x}_1\) and \(\tilde{x}_2\), which makes it hard to correct errors by looking at the number of 0s between consecutive 1s in those representations. Since \(Z_i \ge 1\) always holds (Sect. 2.2), the remedy is immediate: set \(\tilde{Z}_i \leftarrow 1\) wherever \(\tilde{Z}_i=0\). In this paper we add this step as a pre-computation over the noisy Z-sequences; in fact, it improves the performance of the AGTB algorithm. We implement the AGTB algorithm with this flow and use it in Sect. 5.2 and Sect. 5.3.

B.3 Setting Parameters as Input for the AGTB Algorithm

This section describes how to set g, G, \(\textsf{cons}\) and \(\textsf{th}\), the input parameters of the AGTB algorithm. In the prime-recovery experiment of [2], \(g=10, \, G=15000, \, \textsf{cons}=3, \, \textsf{th}=150\).

Fig. 8. Success rates of the AGTB algorithm when correcting errors in noisy sequences that are artificially generated

The most basic parameters are g and G, because the upper limit on the number of candidate solutions kept by the AGTB algorithm is \(g \times G\). Taking the performance of our available computers into account, we set g and G so that \(g \times G = 2 ^{16}\) in the experiments in this paper. Moreover, according to \(P_\textrm{APPROX}(\tilde{z} \mid z)\), errors do not occur consecutively; therefore \(\textsf{cons} = 2\) or 3 is sufficient.

B.4 Experiment to Evaluate the AGTB Algorithm

Experiments using the AGTB algorithm appear in Sect. 5.2 and Sect. 5.3. Figure 8 and Table 4 show the results of correcting errors in the artificially generated sequences described in Sect. 5.2; the best performance is obtained with \(g=2^{4}, \, G=2^{12}, \, \textsf{cons} = 3, \, \textsf{th}=200\).

Table 4. CPU times (means) of the AGTB algorithm when correcting errors in noisy sequences that are artificially generated
Table 5. Success rates and CPU times (means) of the AGTB algorithm when performing error correction on noisy sequences of a dataset

Table 5 shows the results obtained when the sequences come from the actual SCA described in Sect. 5.3. In this case, \((g=2^3,\, G=2^{13},\, \textsf{cons}=3,\, \textsf{th}=50)\) and \((g=2^{4},\, G=2^{12},\, \textsf{cons}=3,\, \textsf{th}=50)\) give the best success rate.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Tani, K., Kunihiro, N. (2023). HS-Based Error Correction Algorithm for Noisy Binary GCD Side-Channel Sequences. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13905. Springer, Cham. https://doi.org/10.1007/978-3-031-33488-7_3


  • DOI: https://doi.org/10.1007/978-3-031-33488-7_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-33487-0

  • Online ISBN: 978-3-031-33488-7
