Correlations in CW305_ECC

Hello everyone,
The plot listed here depicts the correlation coefficients of x, y, z coordinates, in the section “Correlation Attack”, whose colors are orange, purple, and green, respectively.
Does this plot coincide with the descriptions, " The correlation with the y-coordinate read is very good…"?
I just cannot tell any information from this purple curve. Or, does this the curve shape depend on my environment? Did I get a bad curve?

Alan

Hi Alan,
I don’t understand your question; to me the information about k is very clear on your purple curve:

Can you explain what you mean?

For reference, this is what I get:

For some reason you are getting somewhat different results, however the leakage is still clearly present; the attack should still succeed, although you may need to adjust some parameters (like `initial_threshold` and `regular_threshold`).

Jean-Pierre

Hey Jean,

1. Thank you for your kind reply, I just wonder whether my CW305 would inherit some discrepancies from yours such that I cannot tell any information from my purple curve.

2. My secret number k= 0x70a12c2db16845ed56ff68cfc21a472b3f04d7d6851bf6349f2d7d5b3452b38a, which shows some differences from your opinions. But I’ still stunned that how can you tell there is a leading one in the very beginning?

3. Moreover, the thresholds confused me a lot, how to determine these values?
Unfortunately, my attack failed in the end.

Hi Alan,

2- I’m not sure I understand your question… Are you sure you haven’t gotten mixed up with your k values? i.e. was the plot that you shared above obtained with that random-looking k?. We can tell about the leading one’s presence just by observation; in the plots above, the sudden change around k index = 16 corresponds exactly with the position of the leading 1 in the k used to generate those plots. Moreover if you repeat the experiment with a different k, where you move around the leading 1 (but keeping all other bits the same, to make the change more obvious), you’ll see that the first “jump” always lines up with the location of the leading one.

3- As shown in the notebook, when we use a known k with easily identifiable patterns of 1’s and 0’s we obtain something like this:

and we simply manually set a threshold at the halfway point between the power metric for 1’s vs that of 0’s. The “initial threshold” business complicates this a little bit but it’s the same idea.

Jean-Pierre

1 Like

Hey Jean,

1. Sorry, you are right, I just mixed up k with that random-looking one, here k is

k = 0x0000ffffffffffff0000000000000000aaaa0000cccc00001111000033330000.

How do you know the patterns in the k index = 64~ 127 are zeros? I thought the zeros’ patterns should be low, but in this plot, they gained much higher than ones in the k index = 32~63.

1. Ok, I need some time to chew on this idea.

Alan.

Easy - we know because we know! When building the attack, k is known. One could get into the physics of why the marker is higher when k=0, and not vice-versa. But from a side-channel attack (or defense!) point of view, this really doesn’t matter. What matters to us is that the marker is consistent, and thus useful towards a side-channel attack.

Jean-Pierre

1 Like

Hey Jean,

Could I ask why do we add a zero if the correlation at that bit is greater than the threshold? Shouldn’t it be smaller than threshold?

Alan.

Good question; this is indeed counterintuitive. If you follow the Verilog source you’ll see that the k-dependent memory writes are blocked when k is high, not when it is low. Why that is, I don’t know. One would expect, based on a textbook implementation of point multiplication, for it to be the opposite. Now if I wanted to fully understand the nuts and bolts of this ECC implementation, I would figure out why. But this isn’t necessary for side-channel attacks. Or, to quote an excellent paper (also on ECC) that I recently read:

Details of the real implementation are not our concern here, a high-level understanding of the countermeasures is good enough.

So that is why zeros have a higher correlation.

Jean-Pierre

1 Like