Template Attack On ECDSA: Extracting Keys Via The Other Side

semanticscholar(2019)

Abstract
Over the last couple of decades, side-channel analysis has proved to be an adequate method to extract confidential material such as cryptographic keys in unforeseen ways. This thesis extends that notion by compromising the secret ECDSA key used while signing a message, by applying the concept of an online template attack via its verification counterpart. Via the attack it is possible for an adversary to reconstruct a secret scalar bit by bit, where only one power trace of the target is needed, and two templates per bit to recover. Once the scalar is known, the secret key can be computed trivially. The attack is feasible because there is an operation when signing which depends on a bit value of the secret scalar: a squaring, in the case of our investigated Montgomery ladder as scalar multiplication method. From the verification side, this operation can be imitated by an adversary with different inputs, which allows the creation and thereafter matching of templates. In order to prevent this attack from happening, dissimilarities between the signing and verification parts of ECDSA should be created. That is, somehow we should make it nearly impossible for an attacker to build meaningful templates. An effective method to achieve this goal is to make use of randomized projective coordinates while signing. In this case it becomes nearly impossible for an attacker to calculate the intermediate values of the Montgomery ladder which are required to create templates. As a consequence, the discussed attack becomes infeasible.
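The countermeasure named in the abstract, as an added example that is not code from the thesis: a Montgomery ladder in which the base point gets a fresh random projective representation on every run, so the intermediate values change while the result does not. The curve (NIST P-256), the Jacobian coordinate formulas and all function names are assumptions, since the abstract specifies none of them.

```python
import secrets

# NIST P-256 domain parameters (assumed curve; the abstract names none)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def dbl(pt):  # Jacobian doubling
    X, Y, Z = pt
    S = 4 * X * Y * Y % P
    M = (3 * X * X + A * pow(Z, 4, P)) % P
    X3 = (M * M - 2 * S) % P
    return X3, (M * (S - X3) - 8 * pow(Y, 4, P)) % P, 2 * Y * Z % P

def add(p1, p2):  # Jacobian addition of two distinct, non-opposite points
    X1, Y1, Z1 = p1
    X2, Y2, Z2 = p2
    U1, U2 = X1 * Z2 * Z2 % P, X2 * Z1 * Z1 % P
    S1, S2 = Y1 * pow(Z2, 3, P) % P, Y2 * pow(Z1, 3, P) % P
    H, R = (U2 - U1) % P, (S2 - S1) % P
    X3 = (R * R - pow(H, 3, P) - 2 * U1 * H * H) % P
    return X3, (R * (U1 * H * H - X3) - S1 * pow(H, 3, P)) % P, H * Z1 * Z2 % P

def to_affine(pt):
    X, Y, Z = pt
    zi = pow(Z, -1, P)
    return X * zi * zi % P, Y * pow(zi, 3, P) % P

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def ladder(k, base=G, randomize=True):
    """Return (affine k*base, X coordinate of R0 after every ladder step)."""
    lam = secrets.randbelow(P - 1) + 1 if randomize else 1
    # (x, y) -> (lam^2 x, lam^3 y, lam): same point, fresh representation
    r0 = (base[0] * lam * lam % P, base[1] * pow(lam, 3, P) % P, lam)
    r1, seen = dbl(r0), []
    for bit in bin(k)[3:]:  # bits below the leading 1; invariant r1 - r0 = base
        if bit == "1":
            r0, r1 = add(r0, r1), dbl(r1)
        else:
            r0, r1 = dbl(r0), add(r0, r1)
        seen.append(r0[0])
    return to_affine(r0), seen
```

With `randomize=False` the recorded intermediates are identical on every run for the same scalar and base point, which is the predictability that template building depends on; with the default they differ on every call.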