- The paper reveals that Chevallier-Mames atomic blocks fail to mask distinct EM signatures, leading to data-bit leakage during scalar multiplication.
- The methodology involved testing binary kP algorithms on FPGA and microcontroller platforms, using Pearson correlation to quantify EM trace distinguishability.
- The results imply that atomicity alone is insufficient and that enhanced countermeasures such as operand randomization and memory access masking are needed.
Vulnerability Analysis of Binary kP Algorithms with Chevallier-Mames Atomic Blocks under Horizontal SCA
Context and Motivation
Elliptic curve cryptosystems are extensively used for key exchange, authentication, and digital signatures due to their strong security properties and resource efficiency. The scalar multiplication operation (kP) is foundational in these schemes, and its implementation is the focal point for Side-Channel Analysis (SCA) attacks. The atomicity principle, particularly using atomic block patterns such as those devised by Chevallier-Mames, aims to thwart simple SCA by homogenizing the power and EM signatures regardless of the bit value being processed. However, the paper rigorously demonstrates that both hardware and software implementations of binary kP algorithms employing Chevallier-Mames atomic blocks remain susceptible to single-trace SCA attacks.
Methodology
The investigation encompassed the implementation of left-to-right and right-to-left binary double-and-add kP algorithms using the Chevallier-Mames MANA atomic blocks on both FPGA and microcontroller platforms. Target devices included the TI LAUNCHXL-F28379D with the TMS320F28379D microcontroller, and Digilent Arty Z7-20 FPGA, executing the algorithms for NIST EC P-256. The software relied on the FLECC cryptographic library with constant-time field operations.
Electromagnetic emission measurements during kP execution were captured using high-precision microprobes and oscilloscopes, with the EM traces analyzed for distinguishability at the block level—specifically, for EC point addition (PA) and doubling (PD) operations. Variants with projective coordinate randomization, following the Coron method, were included to assess the efficacy of this countermeasure.
Empirical Results
Data-Bit Vulnerability
The EM traces revealed pronounced distinguishability in atomic block patterns, primarily resulting from operand-dependent energy consumption in field multiplications. Small operand values (such as 1 and −3) cause lower energy usage and unique trace shapes, leading to immediate leakage. Numerical analysis showed that the shapes of atomic blocks within PA and PD operations were consistently different, even in supposedly constant-time implementations. The degree of trace similarity was quantified using Pearson correlation coefficients, with coefficients rarely reaching 1.0, indicating high variability and thus SCA vulnerability.
The left-to-right kP algorithm, despite atomic block homogenization, exhibited distinguishable trace features that could be correlated to the bit values processed. Notably, the right-to-left algorithm also displayed vulnerability when tested on the microcontroller. Randomized projective coordinates substantially reduced distinguishability, as special operand values were replaced with random long integers, making atomic blocks visually similar in EM traces.
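The coordinate randomization described above can be sketched as follows. This is an added example, not code from the paper or from FLECC; it assumes Jacobian coordinates (the summary does not name the coordinate system), and the function names are hypothetical.

```python
import secrets

# NIST P-256 field prime, coefficients (a = -3, b) and base point G
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

def randomize_jacobian(point, lam=None):
    """(X, Y, Z) -> (l^2 X, l^3 Y, l Z): same curve point, fresh operand values."""
    x, y, z = point
    if lam is None:
        lam = secrets.randbelow(P - 1) + 1   # uniform in [1, p-1], never zero
    if lam % P == 0:
        raise ValueError("lambda must be nonzero mod p")
    l2 = lam * lam % P
    return (x * l2 % P, y * l2 * lam % P, z * lam % P)

def to_affine(point):
    """Map Jacobian (X, Y, Z) back to affine (X/Z^2, Y/Z^3)."""
    x, y, z = point
    zinv = pow(z, -1, P)                     # modular inverse, Python 3.8+
    zinv2 = zinv * zinv % P
    return (x * zinv2 % P, y * zinv2 * zinv % P)

def on_curve_jacobian(point):
    """Check Y^2 = X^3 + a*X*Z^4 + b*Z^6 (mod p)."""
    x, y, z = point
    z2 = z * z % P
    z4 = z2 * z2 % P
    return (y * y - (x * x * x + A * x * z4 + B * z4 * z2)) % P == 0

if __name__ == "__main__":
    g = (GX, GY, 1)                          # Z = 1 is a "special" small operand
    r = randomize_jacobian(g)                # drawn fresh for every kP execution
    print("Z before:", g[2])
    print("Z after :", hex(r[2]))
    print("same affine point:", to_affine(r) == (GX, GY))
    print("still on curve   :", on_curve_jacobian(r))
```

The randomized representation changes the values fed to the field multiplier but not which variables each atomic block reads and writes.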
Address-Bit Side-Channel Leakage
The paper extended its analysis to address-bit SCA leakage. Even with projective coordinate randomization, the use of different variables (data-flow) for atomic blocks creates exploitable distinctions at the memory/address level, observable in very short segments (e.g., the initial 24 clock cycles of each atomic block). This vulnerability remains largely unmitigated by current randomization and atomicity approaches. The correlation analysis showed that some atomic blocks still had distinguishable access patterns associated with their memory addresses, further facilitating horizontal SCA.
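The Pearson comparison described under Data-Bit Vulnerability and the short-window check described above can both be run as a uniformity assessment of one's own implementation. The following is an added example, not the paper's analysis code; the traces are constructed, and the block length, amplitudes and the one-sample-per-clock-cycle mapping are assumptions.

```python
import math
import random

BLOCK_LEN, ADDR_WINDOW = 96, 24   # samples per block / opening window (assumed: 1 sample per cycle)

def pearson(x, y):
    """Pearson correlation coefficient of two equal-length sample lists."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    norm = math.sqrt(sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y))
    return cov / norm

def min_block_correlation(blocks, start=0, length=None):
    """Lowest pairwise correlation between atomic blocks over one sample window."""
    end = len(blocks[0]) if length is None else start + length
    cut = [b[start:end] for b in blocks]
    return min(pearson(cut[i], cut[j])
               for i in range(len(cut)) for j in range(i + 1, len(cut)))

def synthetic_block(rng, mult_gain=1.0, addr_phase=0.0):
    """Constructed block trace: short operand-fetch phase, then a field multiplication."""
    block = []
    for i in range(BLOCK_LEN):
        if i < ADDR_WINDOW:   # address-dependent part, small amplitude
            s = 0.3 * math.sin(2 * math.pi * i / 8 + addr_phase)
        else:                 # data-dependent part; a small operand lowers the amplitude
            s = mult_gain * math.sin(2 * math.pi * i / 12)
        block.append(s + rng.uniform(-0.05, 0.05))   # measurement noise
    return block

def assess(variant, seed=1):
    """Return (whole-block, opening-window) minimum correlation over four blocks."""
    rng = random.Random(seed)
    blocks = [synthetic_block(rng) for _ in range(3)]
    if variant == "small_operand":
        blocks.append(synthetic_block(rng, mult_gain=0.1))
    elif variant == "other_address":
        blocks.append(synthetic_block(rng, addr_phase=math.pi / 2))
    else:
        blocks.append(synthetic_block(rng))
    return (min_block_correlation(blocks),
            min_block_correlation(blocks, 0, ADDR_WINDOW))

if __name__ == "__main__":
    for v in ("uniform", "small_operand", "other_address"):
        whole, window = assess(v)
        print(f"{v:14s} whole-block r={whole:.3f}  first-{ADDR_WINDOW}-samples r={window:.3f}")
```

In the constructed data, the block that differs only in its opening samples still correlates well over the whole block, which is why the comparison has to be repeated on short windows as well as on full blocks.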
Implications for Secure EC Implementations
The strong empirical results demonstrate that Chevallier-Mames atomic block patterns, while intended as robust countermeasures, are insufficient against contemporary single-trace SCA attacks exploiting both data-bit and address-bit leakages. This finding is broadly applicable; implementations relying solely on atomicity without further randomization or masking are insecure across microcontroller and FPGA platforms.
In practical terms, the failure of atomic block homogenization underscores the need for more advanced and comprehensive SCA mitigation—particularly addressing operand randomization, register/memory address uniformity, and potentially masking techniques. Theoretical implications suggest that the model of "constant time" or "atomicity" alone is inadequate for cryptographic hardware and software, especially in environments where EM and power traces can be measured with high accuracy.
Given the persistence of address-bit leakage even with projective coordinate randomization, future research should systematically explore countermeasures that obscure memory access patterns, possibly integrating hardware-level solutions or more aggressive runtime randomization. Investigation into new atomic block constructions, such as those proposed by Longa and Miri [35] and Giraud-Verneuil [34], is warranted.
Conclusion
This work demonstrates that both hardware and software implementations of binary kP algorithms using Chevallier-Mames atomic block patterns are vulnerable to single-trace SCA attacks. Data-bit leakage dominates in the absence of projective coordinate randomization, while address-bit leakage persists even with randomization. The practical takeaway for cryptographic system designers is clear: atomicity alone is insufficient for SCA resistance, and enhanced strategies must be devised to ensure the non-distinguishability of processed data and accessed memory. Theoretical progress in this domain will necessarily involve more nuanced countermeasures that address both data-path and address-path vulnerabilities.