@@ -75,3 +75,74 @@ private and public inputs. We evaluate them on two simulation levels and study t
7575effect of noise on their performance. Our methods are able to 1) reverse-engineer
7676the scalar multiplication algorithm completely and 2) infer significant information
7777about the coordinate system and addition formulas used in a target implementation
78+
79+
80+
81+ ECTester: Reverse-engineering side-channel countermeasures of ECC implementations
82+ =================================================================================
83+
84+ Vojtech Suchanek, Jan Jancar, Jan Kvapil, Petr Svenda, Lukasz Chmielewski
85+
86+ `CHES 2025, Kuala Lumpur, Malaysia <https://ches.iacr.org/2025/ >`_
87+
88+ .. grid ::
89+ :margin: 2 0 0 2
90+ :padding: 2 0 0 2
91+
92+ .. grid-item ::
93+ :columns: auto
94+
95+ .. button-link :: _static/ectester_ches25.pdf
96+ :color: secondary
97+
98+ :fas: `file-alt;fa-fw ` Preprint
99+
100+ .. grid-item ::
101+ :columns: auto
102+
103+ .. button-link :: https://github.com/crocs-muni/ECTester
104+ :color: secondary
105+
106+ :fas: `file-zipper;fa-fw ` Artifact
107+
108+ .. dropdown :: BibTeX
109+ :color: secondary
110+ :name: pyecsca-bibtex
111+ :class-container: bibtex-dropdown
112+
113+ .. code-block :: Bibtex
114+
115+ @InProceedings{2025-ches-jancar,
116+ title = {ECTester: Reverse-engineering side-channel countermeasures of ECC implementations},
117+ author = {Vojtech Suchanek and Jan Jancar and Jan Kvapil and Petr Svenda and Lukasz Chmielewski},
118+ booktitle = {IACR Transactions on Cryptographic Hardware and Embedded Systems},
119+ publisher = {Ruhr-University of Bochum},
120+ year = {2025}
121+ }
122+
123+
124+ --------
125+
126+ Developers implementing elliptic curve cryptography (ECC) face a wide
127+ range of implementation choices created by decades of research into elliptic curves.
128+ The literature on elliptic curves offers a plethora of curve models, scalar multipliers,
129+ and addition formulas, but this comes with the price of enabling attacks to also
130+ use the rich structure of these techniques. Navigating through this area is not
131+ an easy task and developers often obscure their choices, especially in black-box
132+ hardware implementations. Since side-channel attackers rely on the knowledge of the
133+ implementation details, reverse engineering becomes a crucial part of attacks.
134+
135+ This work presents **ECTester ** – a tool for testing black-box ECC implementations.
136+ Through various test suites, ECTester observes the behavior of the target implementation
137+ against known attacks but also non-standard inputs and elliptic curve parameters.
138+ We analyze popular ECC libraries and smartcards and show that some libraries and
139+ most smartcards do not check the order of the input points and improperly handle
140+ the infinity point. Based on these observations, we design new techniques for
141+ reverse-engineering scalar randomization countermeasures that are able to distinguish
142+ between group scalar randomization, additive, multiplicative or Euclidean splitting.
143+ Our techniques do not require side-channel measurements; they only require the
144+ ability to set custom domain parameters, and are able to extract not only the size but
145+ also the exact value of the random mask used. Using the techniques, we successfully
146+ reverse-engineered the countermeasures on 13 cryptographic smartcards from 5 major
147+ manufacturers – all but one we tested on. Finally, we discuss what mitigations can
148+ be applied to prevent such reverse engineering, and whether it is possible at all.
0 commit comments