Branch Prediction Attack on Blinded Scalar Multiplication
IEEE Transactions on Computers (IF 3.7), Pub Date: 2020-05-01, DOI: 10.1109/tc.2019.2958611
Sarani Bhattacharya, Clementine Maurice, Shivam Bhasin, Debdeep Mukhopadhyay

In recent years, performance counters have been used as a side channel source to monitor branch mispredictions, in order to attack cryptographic algorithms. However, the literature considers blinding techniques as effective countermeasures against such attacks. In this article, we present the first template attack on the branch predictor. We target blinded scalar multiplications with a side-channel attack that uses branch misprediction traces. Since an accurate model of the branch predictor is a crucial element of our attack, we first reverse-engineer the branch predictor. Our attack proceeds with a first online acquisition step, followed by an offline template attack with a template building phase and a template matching phase. During the template matching phase, we use a strategy we call Deduce & Remove, to first infer the candidate values from templates based on a model of the branch predictor, and subsequently eliminate erroneous observations. This last step uses the properties of the target blinding technique to remove wrong guesses and thus naturally provides error correction in key retrieval. In the later part of this article, we demonstrate a template attack on Curve1174 where the double-and-add-always algorithm implementation is free from conditional branching on the secret scalar. In that case, we target the data-dependent branching based on the modular reduction operations of long integer multiplications. Such implementations still exist in open source software and can be vulnerable, even if top level safeguards like blinding are used. We provide experimental results on scalar splitting, scalar randomization, and point blinding to show that the secret scalar can be correctly recovered with high confidence. Finally, we conclude with recommendations on countermeasures to thwart such attacks.
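The abstract's second target, data-dependent branching inside the modular reduction that follows a long-integer multiplication, is typically the final conditional subtraction "if r >= p then r -= p". The C below is an added example, not code from the paper or from any implementation it analysed: it shows that reduction for the Curve1174 prime p = 2^251 - 9 in the branchy form and beside it the branchless masked form that removes the secret-dependent branch. The 4-limb layout, the function names, and the use of `reduce_branchy`'s return value to stand in for the branch outcome a misprediction trace would expose are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIMBS 4
typedef uint64_t fe[LIMBS];   /* 256-bit value as little-endian 64-bit limbs */

/* Curve1174 field prime p = 2^251 - 9 (assumed 4-limb layout). */
static const fe P = { 0xFFFFFFFFFFFFFFF7ULL, 0xFFFFFFFFFFFFFFFFULL,
                      0xFFFFFFFFFFFFFFFFULL, 0x07FFFFFFFFFFFFFFULL };

/* out = a - b over all limbs; returns the final borrow (1 iff a < b).
   Straight-line code: no data-dependent branch. */
static uint64_t sub_limbs(fe out, const fe a, const fe b) {
    uint64_t borrow = 0;
    for (int i = 0; i < LIMBS; i++) {
        uint64_t d  = a[i] - b[i];
        uint64_t b1 = (a[i] < b[i]);
        uint64_t d2 = d - borrow;
        uint64_t b2 = (d < borrow);
        out[i] = d2;
        borrow = b1 | b2;
    }
    return borrow;
}

/* Vulnerable pattern: conditional subtraction on a value r derived from
   secret data (assumes 0 <= r < 2p). The branch is taken only when r >= p,
   so the predictor's hit/miss history follows the data. The return value
   models what a branch-misprediction trace would reveal. */
static int reduce_branchy(fe r) {
    fe t;
    if (sub_limbs(t, r, P) == 0) {      /* r >= p: data-dependent branch */
        memcpy(r, t, sizeof(fe));
        return 1;
    }
    return 0;
}

/* Hardened pattern: always compute r - p, then select with a mask derived
   from the borrow. Identical instruction sequence for every input, so there
   is no secret-dependent branch for the predictor to learn. */
static void reduce_ct(fe r) {
    fe t;
    uint64_t borrow = sub_limbs(t, r, P);
    uint64_t mask = (uint64_t)0 - (borrow ^ 1);   /* all ones iff r >= p */
    for (int i = 0; i < LIMBS; i++)
        r[i] ^= mask & (r[i] ^ t[i]);
}

static int fe_equal(const fe a, const fe b) {
    uint64_t diff = 0;
    for (int i = 0; i < LIMBS; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Constructed inputs: hi = p + 5 (needs the subtraction) and lo = 3 (does
   not). Returns 1 iff both reductions agree on both inputs and the branchy
   version's branch outcome differs between them, i.e. it leaks "r >= p". */
static int reduction_selftest(void) {
    const fe hi = { 0xFFFFFFFFFFFFFFFCULL, 0xFFFFFFFFFFFFFFFFULL,
                    0xFFFFFFFFFFFFFFFFULL, 0x07FFFFFFFFFFFFFFULL };
    const fe lo = { 3, 0, 0, 0 };
    const fe want_hi = { 5, 0, 0, 0 };
    fe a, b;
    int ok = 1;

    memcpy(a, hi, sizeof(fe)); memcpy(b, hi, sizeof(fe));
    ok &= (reduce_branchy(a) == 1);     /* branch taken for r >= p */
    reduce_ct(b);
    ok &= fe_equal(a, b) && fe_equal(a, want_hi);

    memcpy(a, lo, sizeof(fe)); memcpy(b, lo, sizeof(fe));
    ok &= (reduce_branchy(a) == 0);     /* branch not taken for r < p */
    reduce_ct(b);
    ok &= fe_equal(a, b) && fe_equal(a, lo);
    return ok;
}

int main(void) {
    printf("reduction self-test %s\n", reduction_selftest() ? "passed" : "FAILED");
    return 0;
}
```

The masked select is the usual replacement for the final conditional subtraction; whether a given compiler keeps it branchless should be confirmed by inspecting the generated assembly, since optimisers can reintroduce a conditional jump from a mask pattern.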

Updated: 2020-05-01