Enhanced Side-Channel Analysis on ECDSA Employing Fixed-Base Comb Method

Abstract

Table-based scalar multiplication provides practical security for ECDSA signature generation. However, a novel key recovery attack against this form of ECDSA signature generation that exploits the collisions between entries was recently proposed at CHES 2021. This attack is possible even if table entries are unknown, such as with random permutated entry ordering. In this paper, we enhance the efficiency of the key recovery attack against secure ECDSA signature generation based on fixed-base comb scalar multiplication. We significantly reduce the required number of traces by compressing collision information using the mathematical relationship between table entry collisions. We verify this is a practical threat by performing an experiment on fixed-base comb method with window width w = 4. Using our method, up to 27 traces are needed, much fewer than 1,019 traces required in the CHES publication. We cluster real traces measured using 32-bit STM32F4 microcontroller. In the experiment, we provide a selection method of points of interest using variance traces and unsupervised clustering-based leakage detection. With the selection method, we succeed in clustering leakages into 16 classes with a 100% success rate with 32-bit MCU. This represents the first experiment to cluster the more leakage classes with a 32-bit MCU than in literature.