SPA vulnerabilities of the binary extended Euclidean algorithm

Regular Paper, Journal of Cryptographic Engineering

Abstract

The execution flow of the binary extended Euclidean algorithm (BEEA) is heavily dependent on its inputs. Taking advantage of that fact, this work presents a novel simple power analysis (SPA) of this algorithm that reveals some exploitable power consumption-related leakages. The exposed leakages make it possible to retrieve some bits of the algorithm’s secret input without profiling the target device. The identified vulnerabilities can be exploited in many cryptographic protocols where the modular inversion operation is applied to a secret argument. In this work, the ECDSA protocol is used to exemplify how the presented SPA can be used to disclose in about 2 min all standardized private key sizes using less than 800 traces. In the context of ECDSA, a countermeasure previously proposed to mitigate a timing leakage during scalar multiplication is also analyzed, showing that, when it is improperly implemented, it enhances the proposed bit recovery method. Three countermeasures for removing SPA leakages from a BEEA implementation are also analyzed.

Notes

  1. The patch proposed in [10] and its implementation in the OpenSSL library are vulnerable to SPA or timing analysis.

  2. Time measured on a standard desktop workstation.

References

  1. Acıiçmez, O., Gueron, S., Seifert, J.-P.: New branch prediction vulnerabilities in OpenSSL and necessary software countermeasures. In: Cryptography and Coding. Lecture Notes in Computer Science, vol. 4887, pp. 185–203. Springer, Berlin Heidelberg (2007)

  2. Acıiçmez, O., Koç, Ç.K., Seifert, J.-P.: On the power of simple branch prediction analysis. In: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS ’07, pp. 312–320. ACM, New York, USA (2007)

  3. Aranha, D.F., Fouque, P.-A., Gérard, B., Kammerer, J.-G., Tibouchi, M., Zapalowicz, J.-C.: GLV/GLS decomposition, power analysis, and attacks on ECDSA signatures with single-bit nonce Bias. In: Advances in Cryptology—ASIACRYPT 2014. Lecture Notes in Computer Science, vol. 8873, pp. 262–281. Springer, Berlin Heidelberg (2014)

  4. Aravamuthan, S., Thumparthy, V.R.: A parallelization of ECDSA resistant to simple power analysis attacks. In: 2007 2nd International Conference on Communication Systems Software and Middleware. Institute of Electrical & Electronics Engineers (IEEE) (2007)

  5. ARM Limited: mbed TLS: Open Source Embedded TLS Library. PolarSSL (2015). https://tls.mbed.org/. Accessed Oct 2015

  6. Bernstein, D.J.: Curve25519: New Diffie–Hellman speed records. In: Public Key Cryptography—PKC 2006. Lecture Notes in Computer Science, vol. 3958, pp. 207–228. Springer, Berlin Heidelberg (2006)

  7. Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie–Hellman and related schemes. In: Advances in Cryptology—CRYPTO’96. Lecture Notes in Computer Science, vol. 1109, pp. 129–142. Springer, Berlin Heidelberg (1996)

  8. Bos, J.W.: Constant time modular inversion. J. Cryptogr. Eng. 4(4), 275–281 (2014)

  9. ECC Brainpool: ECC Brainpool standard curves and curve generation (2005)

  10. Brumley, B.B., Tuveri, N.: Remote timing attacks are still practical. In: 16th European Symposium on Research in Computer Security. Lecture Notes in Computer Science, vol. 6879, pp. 355–371. Springer, Berlin Heidelberg (2011)

  11. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Cryptographic Hardware and Embedded Systems. Lecture Notes in Computer Science, vol. 2523, pp. 13–28. Springer, Berlin Heidelberg (2003)

  12. Chartier, M.: Method to protect a binary GCD computation against SPA attacks. Patent WO/2013/092265, Gemalto SA (2013)

  13. De Mulder, E., Hutter, M., Marson, M.E., Pearson, P.: Using Bleichenbacher’s solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA: extended version. J. Cryptogr. Eng. 4(1), 33–45 (2014)

  14. Galindo, D., Großschädl, J., Liu, Z., Vadnala, P.K., Vivek, S.: Implementation of a leakage-resilient ElGamal key encapsulation mechanism. J. Cryptogr. Eng. (accepted) (2016)

  15. Howgrave-Graham, N.A., Smart, N.P.: Lattice attacks on digital signature schemes. Des. Codes Cryptogr. 23(3), 283–290 (2001)

  16. Kaliski, B.S.: The Montgomery inverse and its applications. IEEE Trans. Comput. 44(8), 1064–1065 (1995)

  17. Knuth, D.E.: The Art of Computer Programming, Volume 2 (3rd Ed.) Seminumerical Algorithms. Addison-Wesley Longman Publishing Co Inc, Boston (1997)

  18. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Advances in Cryptology (CRYPTO’99). Lecture Notes in Computer Science, vol. 1666, pp. 388–397. Springer, Berlin Heidelberg (1999)

  19. Liskov, M.: Fermat’s little theorem. In: Encyclopedia of Cryptography and Security. Springer (2005). doi:10.1007/0-387-23483-7-161

  20. López, J., Dahab, R.: Fast multiplication on elliptic curves over GF(\(2^{m}\)) without precomputation. In: Cryptographic Hardware and Embedded Systems. Lecture Notes in Computer Science, vol. 1717, pp. 316–327. Springer, Berlin Heidelberg (1999)

  21. Menezes, A.J., Van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press Inc, Boca Raton (1997)

  22. Morita Tech Co.: SAKURA-G Development Board (2013). http://satoh.cs.uec.ac.jp/SAKURA/hardware/SAKURA-G.html. Accessed Aug 2015

  23. Naccache, D., Nguyen, P.Q., Tunstall, M., Whelan, C.: Experimenting with faults, lattices and the DSA. In: Public Key Cryptography—PKC 2005. Lecture Notes in Computer Science, vol. 3386, pp. 16–28. Springer, Berlin Heidelberg (2005)

  24. National Institute of Standards and Technology (NIST): FIPS-186-4: Digital Signature Standard (DSS) (2013). doi:10.6028/NIST.FIPS.186-4

  25. Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the digital signature algorithm with partially known nonces. J. Cryptol. 15(3), 151–176 (2002)

  26. OpenSSL Development Community: OpenSSL: The Open Source toolkit for SSL/TLS (2014). https://www.openssl.org/. Accessed Oct 2015

  27. Stein, J.: Computational problems associated with Racah algebra. J. Comput. Phys. 1(3), 397–405 (1967)

  28. Tektronix: Mixed Signal Oscilloscopes: MSO3000, DPO3000 Series Datasheet (2013) http://www.tek.com/sites/tek.com/files/media/media/resources/MSO3000-DPO3000-Mixed-Signal-Oscilloscope-Datasheet-11.pdf. Accessed Aug 2015

  29. Vallée, B.: Dynamics of the binary Euclidean algorithm: functional analysis and operators. Algorithmica 22(4), 660–685 (1998)

  30. Shoup, V.: NTL: A Library for doing Number Theory, v9.3.0 (2015). http://www.shoup.net/ntl/. Accessed Oct 2015

Acknowledgments

This work has been partially funded by the projects TEC2014-57971-R and RTC-2014-2932-8 from the Spanish Government (with support from FEDER). Alejandro Cabrera Aldaya was supported by the “CSIC for Development” (i-COOP) program.

Corresponding author

Correspondence to Alejandro Cabrera Aldaya.

Appendices

Appendix 1: Proof of Theorem 1

Theorem 1

It is possible to recover the N LSBs of k when the first T SHIFTS[i] and \(T-2\) SUBS[i] are known, with \(N=\sum_{i=1}^{T}\textit{SHIFTS}[i]+1\).

Proof

The presented proof is divided into two steps. The first has to do with the number of SHIFTS[i] needed to recover N bits of k. When that number is T, the second step shows that \(T-2\) SUBS[i] are also required. In this appendix, the variable SHIFTS[i] is renamed as \(Z_{i}\) for the sake of notation simplicity.

Part 1. Proving that T \(Z_{i}\) are needed to recover the N LSBs of k such that \(N=\sum_{i=1}^{T}Z_{i}+1\).

At each iteration of the BEEA, u and v can be expressed as a linear combination of k and p (as (15) and (16), respectively) because only linear operations are applied to these variables.

$$\begin{aligned} u_{i}= & {} A_{i}k+B_{i}p \end{aligned}$$
(15)
$$\begin{aligned} v_{i}= & {} C_{i}k+D_{i}p \end{aligned}$$
(16)

where \(A_{i}\), \(B_{i}\), \(C_{i}\) and \(D_{i}\) are rational numbers that can be expressed in their lowest terms as (17) and (18).

$$\begin{aligned} A_{i}= & {} \frac{n_{i}^{A}}{d_{i}^{A}}\quad B_{i}=\frac{n_{i}^{B}}{d_{i}^{B}} \end{aligned}$$
(17)
$$\begin{aligned} C_{i}= & {} \frac{n_{i}^{C}}{d_{i}^{C}}\quad D_{i}=\frac{n_{i}^{D}}{d_{i}^{D}} \end{aligned}$$
(18)

When all \(Z_{j}\) and SUBS[j] are known for \(1\le j<i\), at any iteration i the difference between u and v (resulting from the execution of the sub-step procedure at iteration \(i-1\)) can be expressed in terms of k and p, with coefficients expressed in their lowest terms as in (19).

$$\begin{aligned} \frac{n_{i}^{k}}{d_{i}^{k}}k+\frac{n_{i}^{p}}{d_{i}^{p}}p \end{aligned}$$
(19)

Taking into account that the maximum power of two that divides (19) is equal to \(2^{Z_{i}}\), this can be expressed as the congruence (20), where the only unknown is k.

$$\begin{aligned} \frac{n_{i}^{k}}{d_{i}^{k}}k+\frac{n_{i}^{p}}{d_{i}^{p}}p\equiv 2^{Z_{i}}\mod 2^{Z_{i}+1} \end{aligned}$$
(20)

Rearranging the terms of (20) and solving for k lead to (21).

$$\begin{aligned} k\equiv \left( 2^{Z_{i}}-\frac{n_{i}^{p}}{d_{i}^{p}}p\right) \cdot d_{i}^{k}\cdot \left( n_{i}^{k}\right) ^{-1}\mod \left( d_{i}^{k}\cdot 2^{Z_{i}+1}\right) \end{aligned}$$
(21)

From (21), it only remains to prove that \(d_{i}^{k}=2^{{\scriptstyle \sum _{j=1}^{i-1}Z_{j}}}\) and that \(n_{i}^{k}\) has an inverse modulo \(d_{i}^{k}2^{Z_{i}+1}\). The second statement is a consequence of the first: if \(d_{i}^{k}\) is a power of two, then it is coprime with \(n_{i}^{k}\) (the fraction is in lowest terms, so \(n_{i}^{k}\) is odd), and \(n_{i}^{k}\) is therefore coprime with \(d_{i}^{k}2^{Z_{i}+1}\) too. Hence, the proof of this part of Theorem 1 is reduced to proving that \(d_{i}^{k}=2^{{\scriptstyle \sum _{j=1}^{i-1}Z_{j}}}\) holds for any iteration \(i\,\ge \,2\). The proof is by mathematical induction.

Initial Step (iteration \(i=2\))

At the beginning of the algorithm, \(u_{1}=k\) and \(v_{1}=p\). In accordance with Lemma 1, during the first iteration u is divided by \(2^{Z_{1}}\), so, when the first iteration ends, the denominator of the coefficient of k is equal to \(2^{Z_{1}}\), regardless of the value of SUBS[1]:

$$\begin{aligned} \left| \frac{u_{1}}{2^{Z_{1}}}-v_{1}\right| =\left| \frac{k}{2^{Z_{1}}}-p\right| \end{aligned}$$
(22)

Inductive Step

implies that the variable that is divided by \(2^{Z_{i}}\) at iteration i is u, so the inductive hypothesis allows us to state that \(d_{i}^{A}=2^{{\scriptstyle \sum _{j=1}^{i-1}Z_{j}}}\).

The absolute difference between u and v in the iteration \(i+1\) (resulting from the subtraction at the sub-step) can be obtained as follows:

$$\begin{aligned} \left| \frac{u_{i}}{2^{Z_{i}}}-v_{i}\right|= & {} \left| \frac{A_{i}k+B_{i}p}{2^{Z_{i}}}-\left( C_{i}k+D_{i}p\right) \right| \nonumber \\= & {} \left| \frac{\left( A_{i}-C_{i}2^{Z_{i}}\right) }{2^{Z_{i}}}k-\frac{\left( B_{i}-D_{i}2^{Z_{i}}\right) }{2^{Z_{i}}}p\right| \end{aligned}$$
(23)

Expressing \(A_{i}\) and \(C_{i}\) in their lowest terms, the coefficient of k in (23) is defined by (24).

$$\begin{aligned} \frac{n_{i+1}^{k}}{d_{i+1}^{k}}=\frac{\left( A_{i}-C_{i}2^{Z_{i}}\right) }{2^{Z_{i}}}=\frac{\frac{n_{i}^{A}}{d_{i}^{A}}-\frac{n_{i}^{C}}{d_{i}^{C}}\cdot 2^{Z_{i}}}{2^{Z_{i}}} \end{aligned}$$
(24)

So, taking into account that \(d_{i}^{A}=2^{{\scriptstyle \sum _{j=1}^{i-1}Z_{j}}}\), it can be concluded that \(d_{i}^{A}\ge d_{i}^{C}\): at each iteration, either u or v is divided by the corresponding \(2^{Z_{i}}\), so the largest denominator that the coefficient of k could have is the one that accumulates the effect of all the divisions by \(2^{Z_{i}}\), and the inductive hypothesis shows that this is precisely \(d_{i}^{A}\). Rewriting (24) as (25):

$$\begin{aligned} \frac{n_{i+1}^{k}}{d_{i+1}^{k}}=\frac{n_{i}^{A}-n_{i}^{C}\cdot 2^{Z_{i}}\cdot \frac{d_{i}^{A}}{d_{i}^{C}}}{d_{i}^{A}\cdot 2^{Z_{i}}} \end{aligned}$$
(25)

It can be concluded that (25) is expressed in lowest terms because, by the inductive hypothesis, \(n_{i}^{A}\) is an odd number and, as proved above, \(d_{i}^{A}\ge d_{i}^{C}\); therefore, the numerator of (25) is an odd number too and hence coprime with \(d_{i}^{A}2^{Z_{i}}\). This demonstrates that when , \(d_{i}^{k}=d_{i}^{A}=2^{{\scriptstyle \sum _{j=1}^{i-1}Z_{j}}}\), as required in this part of the proof of Theorem 1.

When , the proof is obtained analogously to the previous case.

Part 2. Proving that the first \(T-2\) SUBS[i] are also needed to recover the N LSBs of k such that \(N=\sum_{i=1}^{T}\textit{SHIFTS}[i]+1\).

If \(T-2\) SUBS[i] are known, at the beginning of iteration \(T-1\) the variable that will be divided by \(2^{Z_{T-1}}\) (e.g., u) can be expressed as (26).

$$\begin{aligned} u_{T-1}=\frac{n_{T-1}^{k}}{d_{T-1}^{k}}k+\frac{n_{T-1}^{p}}{d_{T-1}^{p}}p \end{aligned}$$
(26)

Taking into account that the difference between \(u_{T-1}/2^{Z_{T-1}}\) and \(v_{T-1}\) is a multiple of \(2^{Z_{T}},\) the congruence (27) can be solved independently of the value of SUBS \([T-1]\).

$$\begin{aligned} \left| \frac{u_{T-1}}{2^{Z_{T-1}}}-v_{T-1}\right| \equiv 2^{Z_{T}}\mod 2^{Z_{T}+1} \end{aligned}$$
(27)

Expressing the left member of (27) as a linear combination of k and p and solving for the variable k leads to (28).

$$\begin{aligned} k\equiv d_{T}^{k}\cdot \left| 2^{Z_{T}}-\frac{n_{T}^{p}}{d_{T}^{p}}p\right| \cdot \left| n_{T}^{k}\right| ^{-1}\mod \left( d_{T}^{k}\cdot 2^{Z_{T}+1}\right) \end{aligned}$$
(28)

The modulus in (28) is equal to \(2^{N}\), where \(N={\textstyle \sum _{i=1}^{T}{} \textit{SHIFTS}[i]}+1\), because from the first part of this proof it can be concluded that the term \(d_{T}^{k}=2^{{\scriptstyle \sum _{i=1}^{T-1}Z_{i}}}\). From here, the recovery of the N LSBs of k is straightforward because the terms in the right member of (28) are known, \(n_{T}^{k}\) is coprime with N and \(d_{T}^{k}\ge d_{T}^{p}\), as was proved in the first part of this proof.
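As an added worked example (not the paper's own code), the following Python script simulates the leakage model Theorem 1 is built on: a BEEA that records the per-iteration SHIFTS[i] and SUBS[i] an SPA would expose, and a reconstruction that tracks u and v as exact rational combinations of k and p (eqs. (15)-(21) and (26)-(28)) to recover the \(N=\sum_{i=1}^{T}\textit{SHIFTS}[i]+1\) LSBs of k from the first T shifts and \(T-2\) subtraction decisions. The values k = 76 and p = 101 are constructed toy inputs, and the BEEA variant (halve the variable updated at the previous sub-step, then compare and subtract) is assumed to match the one the paper analyzes.

```python
from fractions import Fraction

def beea_trace(k, p):
    """Run the BEEA on (k, p), gcd(k, p) = 1, and return the per-iteration
    leakage an SPA exposes: SHIFTS[i] (halvings of the variable updated at the
    previous sub-step) and SUBS[i] ("u" if u = u - v, "v" if v = v - u).
    Assumed variant: only the variable updated at the last sub-step is halved."""
    u, v, active = k, p, "u"
    shifts, subs = [], []
    while True:
        z = 0
        if active == "u":
            while u % 2 == 0:
                u, z = u // 2, z + 1
        else:
            while v % 2 == 0:
                v, z = v // 2, z + 1
        shifts.append(z)
        if u == v:                          # gcd reached (1 when k, p coprime)
            return shifts, subs
        if u >= v:
            u, active = u - v, "u"
        else:
            v, active = v - u, "v"
        subs.append(active)


def recover_lsbs(shifts, subs, p, T):
    """Theorem 1: from SHIFTS[1..T] and SUBS[1..T-2] recover the N LSBs of k,
    N = SHIFTS[1] + ... + SHIFTS[T] + 1.  Returns (k mod 2^N, N)."""
    N = sum(shifts[:T]) + 1
    mod = 1 << N
    if T == 1:                              # k has exactly SHIFTS[1] trailing zeros
        return (1 << shifts[0]) % mod, N
    # u = A*k + B*p and v = C*k + D*p, kept exact in lowest terms (eqs. 15-18)
    A, B, C, D, active = Fraction(1), Fraction(0), Fraction(0), Fraction(1), "u"
    for i in range(T - 1):                  # iterations 1 .. T-1
        d = 1 << shifts[i]
        if active == "u":
            A, B = A / d, B / d
        else:
            C, D = C / d, D / d
        if i < T - 2:                       # SUBS[i] is known: apply it
            if subs[i] == "u":
                A, B, active = A - C, B - D, "u"
            else:
                C, D, active = C - A, D - B, "v"
    # SUBS[T-1] is unknown, but only |u - v| matters from here on (eqs. 26-27)
    ck, cp = A - C, B - D                   # n_k/d_k and n_p/d_p of u - v
    dk, nk = ck.denominator, ck.numerator   # d_k = 2^(Z_1+..+Z_(T-1)), n_k odd
    c = cp * dk                             # an integer because d_k >= d_p
    # u - v = 2^Z_T (mod 2^(Z_T+1)); times d_k this has modulus 2^N (eq. 28)
    rhs = (dk << shifts[T - 1]) - c.numerator * p
    return (rhs * pow(nk % mod, -1, mod)) % mod, N
```

Running `recover_lsbs(*beea_trace(76, 101)[:2], 101, T)` for increasing T shows the recovered window growing with the leaked shift counts, which is the quantity a defender needs when judging how many nonce bits a given SPA leak hands to the lattice attacks cited above.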

Appendix 2: Proof of Lemma 3

Lemma 3

When the fixed bit-length nonce countermeasure [10] is applied using a power of two as the multiplicative factor in (7), a chain of SUBS\([i]=\text{``}u\text{''}\) for \(1\le i\le n\) ensures the recovery of SUBS\([n+1]\).

In this appendix, the variable SHIFTS[i] is renamed as \(Z_{i}\) for the sake of notation simplicity.

Proof

A chain of n iterations for which SUBS\([i]=\text{``}u\text{''}\) implies that, at the start of any iteration, \(u_{i}\) and \(v_{i}\) are defined by (29) for \(2\le i\le n,\) where \(u_{1}=k\) and \(v_{1}=p\).

$$\begin{aligned} u_{i}= & {} \frac{u_{i-1}}{2^{Z_{i-1}}}-v_{1}\nonumber \\ v_{i}= & {} v_{1} \end{aligned}$$
(29)

This makes it possible to express the difference between \(u_{i}\) and \(v_{i}\) just before the comparison step, in order to solve the inequality \(u_{i}-v_{i}{\scriptstyle \mathop {\ge }\limits ^{?}0}\), whose solution yields the value of SUBS[i]. Defining \(u'_{i}\) as the value of the variable u at iteration i just before the comparison step, it is obtained as \(u'_{i}=u_{i}/2^{Z_{i}}\). An expansion of the inequality \(u'_{n+1}-v_{n+1}{\scriptstyle \mathop {\ge }\limits ^{?}0}\) when a chain of SUBS\([i]=\text{``}u\text{''}\) exists for \(1\le i\le n\) is given in (30).

$$\begin{aligned} \frac{k}{p}\mathop {\ge }\limits ^{?}2^{Z_{1}}+2^{Z_{1}+Z_{2}}+\cdots +2^{\sum _{i=1}^{n+1}Z_{i}} \end{aligned}$$
(30)

When a fixed bit-length nonce countermeasure is applied and the value of the multiplier is a power of two (i.e., \(2^{m}\)), \(k/p\) is bounded by (31).

$$\begin{aligned} 2^{m}<\frac{k}{p}<2^{m}+1 \end{aligned}$$
(31)

Defining the right member of (30) as \(B_{n+1}\), SUBS\([n+1]\) can be recovered using (32).

$$\begin{aligned} {\textit{SUBS}}[n+1]={\left\{ \begin{array}{ll} \text {``}u\text {''} &{} :\, B_{n+1}\le 2^{m}\\ \text {``}v\text {''} &{} :\, B_{n+1}\ge 2^{m}+1\\ \text {``}?\text {''} &{} :\,2^{m}<B_{n+1}<2^{m}+1 \end{array}\right. } \end{aligned}$$
(32)

From here, it only remains to prove that \(B_{n+1}\) never lies within the unresolved range of (32) when a chain of SUBS\([i]=\text{``}u\text{''}\) occurs. If \(B_{n+1}\le 2^{m}\), then SUBS\([n+1]=\text{``}u\text{''}\) and the length of the chain is increased. When \(B_{n+1}>2^{m}\), since m and the \(Z_{i}\) are nonnegative integers, \(B_{n+1}\ge 1\) and \(2^{m}\ge 1\) for any value of n and m and any combination of \(Z_{i}\). This implies that if \(B_{n+1}>2^{m}\), then \(B_{n+1}\ge 2^{m}+1\) (which implies that SUBS\([n+1]=\text{``}v\text{''}\)), because the difference between two distinct nonnegative integers is always at least one.

Cite this article

Aldaya, A.C., Sarmiento, A.J.C. & Sánchez-Solano, S. SPA vulnerabilities of the binary extended Euclidean algorithm. J Cryptogr Eng 7, 273–285 (2017). https://doi.org/10.1007/s13389-016-0135-4
