elliptic curve cryptography on embedded devices
play

Elliptic Curve Cryptography on Embedded Devices Scalar - PowerPoint PPT Presentation

Jul 21, 2023 •330 likes •2.22k views

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

  1. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms F p Operations Theoretical Cost Expensive operations • Inversion (I) Significant operations • Multiplication (M) • Squaring (S, S/M ≈ 0.8) Negligible operations • Addition (A) A/M ≈ 0 . 2 on most smart cards • Subtraction (S) • Negation (N) V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  2. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Outline Elliptic Curve Cryptography 1 Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms Side-Channel Analysis 2 Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis Countermeasures 3 SSCA Countermeasures DSCA Countermeasures FA Countermeasures 4 Conclusion V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  3. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Elliptic Curve Digital Signature Algorithm (ECDSA) Public : E ( a , b , p , n = # E ) , P ∈ E ( F p ) , H I NPUT : d and m O UTPUT : ( r , s ) Choose at random k in [ 1 , n − 1 ] P 1 ← k · P r ← x P 1 mod n If r ≡ 0 mod n restart from the beginning s ← k − 1 ( H ( m )+ dr ) mod n If s ≡ 0 mod n restart from the beginning Return ( r , s ) V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  4. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Elliptic Curve Digital Signature Algorithm (ECDSA) Public : E ( a , b , p , n = # E ) , P ∈ E ( F p ) , H I NPUT : d and m O UTPUT : ( r , s ) Choose at random k in [ 1 , n − 1 ] P 1 ← k · P r ← x P 1 mod n If r ≡ 0 mod n restart from the beginning s ← k − 1 ( H ( m )+ dr ) mod n If s ≡ 0 mod n restart from the beginning Return ( r , s ) V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  5. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Elliptic Curve Digital Signature Algorithm (ECDSA) Public : E ( a , b , p , n = # E ) , P ∈ E ( F p ) , H I NPUT : d and m O UTPUT : ( r , s ) Choose at random k in [ 1 , n − 1 ] P 1 ← k · P r ← x P 1 mod n If r ≡ 0 mod n restart from the beginning s ← k − 1 ( H ( m )+ dr ) mod n If s ≡ 0 mod n restart from the beginning Return ( r , s ) d = s · k − H ( m ) mod n r V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  6. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Elliptic Curve Diffie-Hellman (ECDH) Key Exchange E ( a , b , p , n ) , P ∈ E ( F p ) Alice Bob Choose at random a ∈ [ 1 , n − 1 ] Choose at random b ∈ [ 1 , n − 1 ] ✲ P a = a · P P a ✛ P b P b = b · P P ab = a · P b P ab = b · P a V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  7. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Elliptic Curve Diffie-Hellman (ECDH) Key Exchange E ( a , b , p , n ) , P ∈ E ( F p ) Card Terminal Choose at random a ∈ [ 1 , n − 1 ] Choose at random b ∈ [ 1 , n − 1 ] ✲ P a = a · P P a ✛ P b P b = b · P P ab = a · P b P ab = b · P a V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  8. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Elliptic Curve Diffie-Hellman (ECDH) Key Exchange E ( a , b , p , n ) , P ∈ E ( F p ) Card Terminal Choose at random a ∈ [ 1 , n − 1 ] Choose at random b ∈ [ 1 , n − 1 ] ✲ P a = a · P P a ✛ P b P b = b · P P ab = a · P b P ab = b · P a V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  9. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Elliptic Curve Standards over F p V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  10. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Elliptic Curve Standards over F p NIST (U.S.) Keylengths : 192, 224, 256, 384, and 521 bits. V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  11. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Elliptic Curve Standards over F p NIST (U.S.) Keylengths : 192, 224, 256, 384, and 521 bits. Brainpool (BSI, Germany) Keylengths : 160, 192, 224, 256, 320, 384, and 512 bits. V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  12. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Elliptic Curve Standards over F p NIST (U.S.) Keylengths : 192, 224, 256, 384, and 521 bits. Brainpool (BSI, Germany) Keylengths : 160, 192, 224, 256, 320, 384, and 512 bits. Other standards (ANSI, ISO, IEEE, SECG) → NIST curves V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  13. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Outline Elliptic Curve Cryptography 1 Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms Side-Channel Analysis 2 Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis Countermeasures 3 SSCA Countermeasures DSCA Countermeasures FA Countermeasures 4 Conclusion V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  14. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Affine Representation A point of the curve E : y 2 = x 3 + ax + b is represented as ( x , y ) . No representation for O Add. : 1I + 2M + 1S, Doubl. : 1I + 2M + 2S V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  15. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Affine Representation A point of the curve E : y 2 = x 3 + ax + b is represented as ( x , y ) . No representation for O Add. : 1I + 2M + 1S, Doubl. : 1I + 2M + 2S V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  16. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Homogeneous Projective Representation A point is represented by an equivalence class ( X : Y : Z ) . ( X : Y : Z ) and ( λ X : λ Y : λ Z ) , λ � = 0 represent the same point O = ( 0 : 1 : 0 ) V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  17. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Homogeneous Projective Representation A point is represented by an equivalence class ( X : Y : Z ) . ( X : Y : Z ) and ( λ X : λ Y : λ Z ) , λ � = 0 represent the same point O = ( 0 : 1 : 0 ) Aff. → Hom. conversion : ( x , y ) → ( x : y : 1 ) Hom. → Aff. conversion : ( X : Y : Z � = 0 ) → ( X / Z , Y / Z ) V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  18. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Homogeneous Projective Representation A point is represented by an equivalence class ( X : Y : Z ) . ( X : Y : Z ) and ( λ X : λ Y : λ Z ) , λ � = 0 represent the same point O = ( 0 : 1 : 0 ) Aff. → Hom. conversion : ( x , y ) → ( x : y : 1 ) Hom. → Aff. conversion : ( X : Y : Z � = 0 ) → ( X / Z , Y / Z ) Add. : 12M + 2S, Doubl. : 6M + 6S V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  19. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Jacobian Projective Representation A point is represented by an equivalence class ( X : Y : Z ) . ( X : Y : Z ) and ( λ 2 X : λ 3 Y : λ Z ) , λ � = 0 represent the same point O = ( 1 : 1 : 0 ) V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  20. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Jacobian Projective Representation A point is represented by an equivalence class ( X : Y : Z ) . ( X : Y : Z ) and ( λ 2 X : λ 3 Y : λ Z ) , λ � = 0 represent the same point O = ( 1 : 1 : 0 ) Aff. → Jac. conversion : ( x , y ) → ( x : y : 1 ) Jac. → Aff. conversion : ( X : Y : Z � = 0 ) → ( X / Z 2 , Y / Z 3 ) V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  21. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Jacobian Projective Representation A point is represented by an equivalence class ( X : Y : Z ) . ( X : Y : Z ) and ( λ 2 X : λ 3 Y : λ Z ) , λ � = 0 represent the same point O = ( 1 : 1 : 0 ) Aff. → Jac. conversion : ( x , y ) → ( x : y : 1 ) Jac. → Aff. conversion : ( X : Y : Z � = 0 ) → ( X / Z 2 , Y / Z 3 ) Add. : 11M + 5S, Doubl. : 2M + 8S V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  22. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Modified Jacobian Projective Representation Introduced in [Cohen, Miyaji & Ono, Efficient elliptic curve exponentiation using mixed coordinates , Asiacrypt 1998]. V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  23. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Modified Jacobian Projective Representation Introduced in [Cohen, Miyaji & Ono, Efficient elliptic curve exponentiation using mixed coordinates , Asiacrypt 1998]. Based on the Jacobian projective representation. Plus an extra coordinate ( X : Y : Z : aZ 4 ) . V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  24. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Modified Jacobian Projective Representation Introduced in [Cohen, Miyaji & Ono, Efficient elliptic curve exponentiation using mixed coordinates , Asiacrypt 1998]. Based on the Jacobian projective representation. Plus an extra coordinate ( X : Y : Z : aZ 4 ) . Faster doubling than Jacobian projective : 3M + 5S But slower addition : 13M + 7S V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  25. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Outline Elliptic Curve Cryptography 1 Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms Side-Channel Analysis 2 Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis Countermeasures 3 SSCA Countermeasures DSCA Countermeasures FA Countermeasures 4 Conclusion V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  26. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Double & Add Algorithm Left-to-Right . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I NPUT : P ∈ E ( F p ) , k = ( k ℓ − 1 ... k 1 k 0 ) 2 O UTPUT : k · P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q ← O For i from ℓ − 1 to 0 do Q ← 2 Q If k i = 1 then Q ← Q + P Return Q V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  27. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Double & Add Algorithm Left-to-Right . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I NPUT : P ∈ E ( F p ) , k = ( k ℓ − 1 ... k 1 k 0 ) 2 O UTPUT : k · P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . On average : ℓ · dbl + ℓ Q ← O 2 · add For i from ℓ − 1 to 0 do Q ← 2 Q If k i = 1 then Q ← Q + P Return Q V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  28. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms NAF Multiplication NAF Representation Signed binary representation. Minimize the number of non-zero digits (1/3 vs 1/2). Example : 187 = 10111011 ( 2 ) = 10 ¯ 1000 ¯ 10 ¯ 1 (NAF) V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  29. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms NAF Multiplication NAF Representation Signed binary representation. Minimize the number of non-zero digits (1/3 vs 1/2). Example : 187 = 10111011 ( 2 ) = 10 ¯ 1000 ¯ 10 ¯ 1 (NAF) Interest • Minimize the number of additions • P → − P is cheap : ( X : Y : Z ) → ( X : − Y : Z ) V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  30. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms NAF Multiplication Right-to-Left . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I NPUT : P ∈ E ( F p ) , k = ( k ℓ − 1 ... k 1 k 0 ) NAF O UTPUT : k · P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q ← O R ← P For i from 0 to ℓ − 1 do If k i = 1 then Q ← Q + R If k i = − 1 then Q ← Q +( − R ) R ← 2 R Return Q V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  31. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms NAF Multiplication Right-to-Left . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I NPUT : P ∈ E ( F p ) , k = ( k ℓ − 1 ... k 1 k 0 ) NAF Cost : O UTPUT : k · P ℓ · dbl + ℓ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 · add Q ← O R ← P For i from 0 to ℓ − 1 do If k i = 1 then Q ← Q + R If k i = − 1 then Q ← Q +( − R ) R ← 2 R Return Q V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  32. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms NAF Multiplication Right-to-Left . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I NPUT : P ∈ E ( F p ) , k = ( k ℓ − 1 ... k 1 k 0 ) NAF Cost : O UTPUT : k · P ℓ · dbl + ℓ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 · add Q ← O R ← P Variant introduced in [Joye, Fast point multiplication on elliptic curves without For i from 0 to ℓ − 1 do precomputation , WAIFI 2008] : If k i = 1 then Q ← Q + R If k i = − 1 then Q ← Q +( − R ) R ← 2 R Return Q V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  33. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms NAF Multiplication Right-to-Left . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I NPUT : P ∈ E ( F p ) , k = ( k ℓ − 1 ... k 1 k 0 ) NAF Cost : O UTPUT : k · P ℓ · dbl + ℓ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 · add Q ← O R ← P Variant introduced in [Joye, Fast point multiplication on elliptic curves without For i from 0 to ℓ − 1 do precomputation , WAIFI 2008] : If k i = 1 then Q ← Q + R • Q in Jacobian coordinates If k i = − 1 then Q ← Q +( − R ) R ← 2 R Return Q V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  34. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms NAF Multiplication Right-to-Left . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I NPUT : P ∈ E ( F p ) , k = ( k ℓ − 1 ... k 1 k 0 ) NAF Cost : O UTPUT : k · P ℓ · dbl + ℓ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 · add Q ← O R ← P Variant introduced in [Joye, Fast point multiplication on elliptic curves without For i from 0 to ℓ − 1 do precomputation , WAIFI 2008] : If k i = 1 then Q ← Q + R • Q in Jacobian coordinates If k i = − 1 then • R in modified Jacobian Q ← Q +( − R ) coordinates R ← 2 R Return Q V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  35. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Other algorithms V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  36. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Other algorithms Sliding window algorithms Precompute 3 P , 5 P ,... to process several scalar bits at a time. Can be combined with the NAF method. V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  37. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Other algorithms Sliding window algorithms Precompute 3 P , 5 P ,... to process several scalar bits at a time. Can be combined with the NAF method. DBNS, multibase NAF... Heavy precomputations. Too expensive for the ECDSA in the embedded context. V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  38. Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms Other algorithms Sliding window algorithms Precompute 3 P , 5 P ,... to process several scalar bits at a time. Can be combined with the NAF method. DBNS, multibase NAF... Heavy precomputations. Too expensive for the ECDSA in the embedded context. Co-Z Addition Euclidean Addition Chains [Meloni, WAIFI 2007] Co-Z binary ladder [Goundar, Joye & Miyaji, CHES 2010] V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  39. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Outline Elliptic Curve Cryptography 1 Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms Side-Channel Analysis 2 Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis Countermeasures 3 SSCA Countermeasures DSCA Countermeasures FA Countermeasures 4 Conclusion V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  40. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Outline Elliptic Curve Cryptography 1 Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms Side-Channel Analysis 2 Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis Countermeasures 3 SSCA Countermeasures DSCA Countermeasures FA Countermeasures 4 Conclusion V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  41. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA A chip in details V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  42. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA A chip in details V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  43. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Attack Bench Non Invasive Attacks Computer ✡ ❪ ❏ ✡ ✣ ❏ ❏ ✡ ✡ ❏ ❏ ✡ ✡ ❏ ✡ ✢ ❏ ✡ ❫ ❏ ✲ ✛ Card Reader Oscilloscope V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  44. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Simple Analyse Example Leakage on Performed Operations RSA exponentiation V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  45. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Simple Analyse Example Leakage on Manipulated Data V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  46. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Milestones • Timing Attacks [Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , Crypto 1996] • Fault Attacks [Boneh et al., On the Importance of Checking Cryptographic Protocols for Faults , Eurocrypt 1997] • SPA and DPA [Kocher et al., Differential Power Analysis , Crypto 1999] V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  47. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Milestones • Timing Attacks [Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , Crypto 1996] • Fault Attacks [Boneh et al., On the Importance of Checking Cryptographic Protocols for Faults , Eurocrypt 1997] • SPA and DPA [Kocher et al., Differential Power Analysis , Crypto 1999] • DFA on ECC [Biehl et al., Differential Fault Attacks on Elliptic Curve Cryptosystems , Crypto 2000] • DPA on RSA [den Boer et al., A DPA Attack Against the Modular Reduction within a CRT Implementation of RSA , CHES 2002] V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  48. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Milestones • Timing Attacks [Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , Crypto 1996] • Fault Attacks [Boneh et al., On the Importance of Checking Cryptographic Protocols for Faults , Eurocrypt 1997] • SPA and DPA [Kocher et al., Differential Power Analysis , Crypto 1999] • DFA on ECC [Biehl et al., Differential Fault Attacks on Elliptic Curve Cryptosystems , Crypto 2000] • DPA on RSA [den Boer et al., A DPA Attack Against the Modular Reduction within a CRT Implementation of RSA , CHES 2002] • CPA [Brier et al., Correlation Power Analysis with a Leakage Model , CHES 2004] • CPA on PK [Amiel et al., Power Analysis for Secret Recovering and Reverse Engineering of Public Key Algorithms , SAC 2007] V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  49. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Outline Elliptic Curve Cryptography 1 Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms Side-Channel Analysis 2 Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis Countermeasures 3 SSCA Countermeasures DSCA Countermeasures FA Countermeasures 4 Conclusion V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  50. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Simple Analysis Principle Measure one side-channel leakage s function of t and consider the curve s ( t ) . V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  51. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Simple Analysis Principle Measure one side-channel leakage s function of t and consider the curve s ( t ) . V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  52. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Simple Analysis Principle Measure one side-channel leakage s function of t and consider the curve s ( t ) . SPA/SEMA V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  53. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Simple Analysis Principle Measure one side-channel leakage s function of t and consider the curve s ( t ) . SPA/SEMA • depicts the behavior of the chip depending on the performed operations / manipulated data V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  54. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Simple Analysis Principle Measure one side-channel leakage s function of t and consider the curve s ( t ) . SPA/SEMA • depicts the behavior of the chip depending on the performed operations / manipulated data • each measure enables direct reading V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  55. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Example Left-to-Right Double & add Algorithm Analysis Q ← O For i from ℓ − 1 to 0 do Q ← 2 Q If k i = 1 then Q ← Q + P Return Q V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  56. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Example Left-to-Right Double & add Algorithm Analysis Q ← O For i from ℓ − 1 to 0 do Q ← 2 Q If k i = 1 then Q ← Q + P Return Q V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  57. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Outline Elliptic Curve Cryptography 1 Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms Side-Channel Analysis 2 Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis Countermeasures 3 SSCA Countermeasures DSCA Countermeasures FA Countermeasures 4 Conclusion V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  58. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Differential Analysis Principle Measure n times a side-channel leakage s function of t and consider the curves s 1 ( t ) , s 2 ( t ) ,..., s n ( t ) . V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  59. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Differential Analysis Principle Measure n times a side-channel leakage s function of t and consider the curves s 1 ( t ) , s 2 ( t ) ,..., s n ( t ) . • targets a same operation on all curves but involving different data V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  60. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Differential Analysis Principle Measure n times a side-channel leakage s function of t and consider the curves s 1 ( t ) , s 2 ( t ) ,..., s n ( t ) . • targets a same operation on all curves but involving different data • align vertically the curves on the targeted operation V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  61. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Differential Analysis Principle Measure n times a side-channel leakage s function of t and consider the curves s 1 ( t ) , s 2 ( t ) ,..., s n ( t ) . • targets a same operation on all curves but involving different data • align vertically the curves on the targeted operation • process the curves with statistical treatment V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  62. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Differential Analysis Statistical Treatment Depending on some known and variable input of the algorithm and of a few bits of the secret input. V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  63. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Differential Analysis Statistical Treatment Depending on some known and variable input of the algorithm and of a few bits of the secret input. Original DPA/DEMA V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  64. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Differential Analysis Statistical Treatment Depending on some known and variable input of the algorithm and of a few bits of the secret input. Original DPA/DEMA • For each possible value (guess) : V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  65. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Differential Analysis Statistical Treatment Depending on some known and variable input of the algorithm and of a few bits of the secret input. Original DPA/DEMA • For each possible value (guess) : • sort the curves into two sets S 0 and S 1 depending of some intermediate result V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  66. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Differential Analysis Statistical Treatment Depending on some known and variable input of the algorithm and of a few bits of the secret input. Original DPA/DEMA • For each possible value (guess) : • sort the curves into two sets S 0 and S 1 depending of some intermediate result • average and subtract : < S 0 > − < S 1 > , and look for peaks V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  67. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Differential Analysis Statistical Treatment Depending on some known and variable input of the algorithm and of a few bits of the secret input. Original DPA/DEMA • For each possible value (guess) : • sort the curves into two sets S 0 and S 1 depending of some intermediate result • average and subtract : < S 0 > − < S 1 > , and look for peaks • Iterate until peaks are found V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  68. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Differential Analysis Statistical Treatment Example V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  69. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Differential Analysis Statistical Treatment Example C 1 C 2 . . . C N V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  70. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Differential Analysis Statistical Treatment Example C 1 P 1 C 2 P 2 . . . . . . C N P N V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  71. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Differential Analysis Statistical Treatment Example Guess : k i = 0 C 1 P 1 C 2 P 2 . . . . . . C N P N V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  72. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Differential Analysis Statistical Treatment Example Guess : k i = 0 Q i C 1 P 1 1 Q i C 2 P 2 2 . . . . . . . . . Q i C N P N N V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  73. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Differential Analysis Statistical Treatment Example Guess : k i = 0 Q i C 1 P 1 → S 0 1 Q i C 2 P 2 → S 0 2 . . . . . . . . . . . . Q i C N P N → S 1 N V. Verneuil Elliptic Curve Cryptography on Embedded Devices

  74. Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA Differential Analysis Statistical Treatment Example Guess : k i = 0 Q i C 1 P 1 → S 0 1 Q i C 2 P 2 → S 0 2 . . . . . . . . . . . . Q i C N P N → S 1 N Compute < S 0 > − < S 1 > : V. Verneuil Elliptic Curve Cryptography on Embedded Devices

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Math ematiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 1

1.72k views • 143 slides
Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago &amp; energy (gas

1.07k views • 76 slides
Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1)

337 views • 5 slides
Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Twenty-Three Years of Elliptic Curve Cryptography Alfred Menezes University of Waterloo September 3 2008 1 Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The serpentine course of a paradigm

300 views • 18 slides
Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven 22 April 2008 Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

491 views • 32 slides
Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July 23, 2014 1 / 12 Elliptic-curve cryptography: signatures and key exchange Given: some elliptic curve E , point P on E of known order . Key

885 views • 16 slides
Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018 Introduction y 2 = x 3 + ax + b en.wikipedia.org/wiki/Elliptic curve Elliptic Curve Addition P = ( x p .y p ), Q = ( x q , y q ), R = ( x r .y r ) =

187 views • 16 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March

A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March

A Brief Introduction to Elliptic Curve Cryptography A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March 21 st , 2016 1/13 A Brief Introduction to Elliptic Curve Cryptography Elliptic Curve 2/13 A

385 views • 13 slides
Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic Implementations group: eindhoven.cr.yp.to working closely with the Coding Theory and Cryptology group: www.win.tue.nl/cc/ Next-generation elliptic-curve

456 views • 18 slides
Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S.

Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S.

Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S. Miller IDA Center for Communications Research Princeton, NJ 08540 USA 24 May, 2007 Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May,

1.08k views • 69 slides
Bitcoin II &amp; Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview

Bitcoin II &amp; Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview

Bitcoin II &amp; Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview Bitcoin Transactions Elliptic Curve Cryptography Introduction Arithmetics Signature Bitcoin, the protocol A blockchain Each

992 views • 52 slides
Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May

Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May

Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May 19, 2017 university-logo-isi Rana Barua Introduction to Elliptic Curve Cryptography ElGamal Public Key Cryptosystem, 1984 Key Generation: Choose

417 views • 16 slides
elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June

elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June

A gentle introduction to elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 11, 2018 ibenik , Croatia Part 1: Motivation Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4:

1.38k views • 48 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
Cryptography by Cellular Automata Luca Mariot luca.mariot@disco.unimib.it Zagreb November

Cryptography by Cellular Automata Luca Mariot luca.mariot@disco.unimib.it Zagreb November

University of Milano-Bicocca Department of Informatics, Systems and Communications Cryptography by Cellular Automata Luca Mariot luca.mariot@disco.unimib.it Zagreb November 14, 2017 Context (1/2): Cellular Automata One-dimensional

847 views • 47 slides
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

1. Preliminaries 2. Differential-Linear Cryptanalysis: Previous and Our Methodologies 3. Application to 13 Rounds of the DES Block Cipher 4. Application to 10 Rounds of the CTC2 Block Cipher 5. Application to 12 Rounds of the Serpent Block

1.18k views • 25 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
General fault attacks on multivariate public key cryptosystems Y. Hashimoto (Univ. of the

General fault attacks on multivariate public key cryptosystems Y. Hashimoto (Univ. of the

General fault attacks on multivariate public key cryptosystems Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) K. Sakurai(ISIT) Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate

587 views • 23 slides
Differential Privacy (Part IV) Alice Eve Bob Cryptographic protocols Tons of attacksnever

Differential Privacy (Part IV) Alice Eve Bob Cryptographic protocols Tons of attacksnever

Differential Privacy (Part IV) Alice Eve Bob Cryptographic protocols Tons of attacksnever ending list! essential in distributed systems Needham-Schroeder (1996) e-banking Microsoft Passport (2001) e-commerce Kerberos (2004) e-mail

571 views • 22 slides
An Introduction to Physical Attacks Application to Secret Specifications Algorithms

An Introduction to Physical Attacks Application to Secret Specifications Algorithms

An Introduction to Physical Attacks Application to Secret Specifications Algorithms Christophe Clavier GEMALTO Security Labs SSTIC Rennes May 30, 2007 Christophe Clavier SSTIC 07 Rennes Physical Attacks Against

708 views • 23 slides
1 FPGAs Attack Model Consider a device capable of implementing the FPGAs allow parallel

1 FPGAs Attack Model Consider a device capable of implementing the FPGAs allow parallel

Introduction Classic cryptography views the secure problems with mathematical abstractions The classic cryptanalysis has had a great

443 views • 11 slides

More recommend