Hardware Random Recoding Redundant Representations of Numbers, Side - - PowerPoint PPT Presentation



slide-1
SLIDE 1

1/20

Hardware Random Recoding

Redundant Representations of Numbers, Side Channel Analysis, Elliptic Curve Cryptography Thomas Chabrier, Danuta Pamula, Arnaud Tisserand

IRISA Laboratory, CAIRN Research Team

slide-2
SLIDE 2

2/20

Plan

Context Redundant Representations Proposed Solution and Implementation Results Conclusion and Future Prospects

slide-3
SLIDE 3

3/20

Context

Elliptic curve cryptography (ECC):

◮ considered finite field: $\mathbb{F}_p$ with $p$ a large prime (160–600 bits)

◮ simplified Weierstrass equation: $y^2 = x^3 + ax + b$ where $(a, b) \in \mathbb{F}_p^2$ and $\Delta = -16(4a^3 + 27b^2) \neq 0$

[Figure: sum of 2 points on R]

Hardware implementation issues:

◮ performance: speed, area, low power/energy consumption

◮ security: protection against side channel attacks

Reference [3]: D. Hankerson, S. Vanstone, and A. Menezes, Guide to Elliptic Curve Cryptography, 2003

slide-4
SLIDE 4

4/20

ECC Scalar Multiplication [k]P

◮ scalar multiplication: $[k]P = \underbrace{P + P + \dots + P}_{k \text{ times}}$ with $k \in \mathbb{N}$

Right to left and left to right binary "double and add" algorithms to compute [k]P:

Right to left:

    Q ← ∞
    for i from 0 to t-1 do
        if k_i = 1 then Q ← Q + P    (ADD)
        P ← 2P                       (DBL)

Left to right:

    Q ← ∞
    for i from t-1 downto 0 do
        Q ← 2Q                       (DBL)
        if k_i = 1 then Q ← Q + P    (ADD)

  • avg. cost: $(n - 1) \cdot \mathrm{DBL}$ and $\frac{n}{2} \cdot \mathrm{ADD}$

◮ non adjacent form (NAF): $k = \sum_{i=0}^{l-1} k_i 2^i$ where $k_i \in \{\bar{1}, 0, 1\}$ and $k_i k_{i+1} = 0$

k = 267 = ( 1 1 1 1 )2 ( 1 1 1 1 )2−NAF ( 1 1 3 )3−NAF

  • avg. cost: $(n - 1) \cdot \mathrm{DBL}$ and $\frac{n}{w+1} \cdot \mathrm{ADD}$

Notation: $\bar{d} \Leftrightarrow -d$
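The recodings and the left to right algorithm of this slide, as an added example that is not part of the original presentation: it recodes k = 267 in binary, NAF and 3-NAF and records the DBL/ADD sequence each one produces. The function names are hypothetical, and the integers under addition are assumed as a stand-in for the curve group so that the result can be checked against k · P.

```python
def wnaf(k, w):
    """Width-w NAF digits of k > 0, least significant first (w = 2 is the NAF)."""
    digits = []
    while k > 0:
        d = 0
        if k & 1:
            d = k % (1 << w)
            if d >= 1 << (w - 1):
                d -= 1 << w            # signed odd residue, |d| < 2^(w-1)
            k -= d
        digits.append(d)
        k >>= 1
    return digits

def scalar_mult(digits, P):
    """Left-to-right double-and-add over signed digits given LSB first.

    Assumption for the demo: the group is the integers under addition, a
    stand-in for curve points, so the result must equal k * P.
    Returns (result, trace) with one 'D' per doubling and 'A' per addition.
    """
    Q, trace = 0, ""
    for idx, d in enumerate(reversed(digits)):
        if idx:                        # doubling the initial point at infinity is free
            Q, trace = 2 * Q, trace + "D"
        if d:                          # d * P stands for P, -P or a precomputed multiple
            Q, trace = Q + d * P, trace + "A"
    return Q, trace

def compare(k, P=5):
    """Operation traces for the binary, NAF and 3-NAF recodings of k."""
    recodings = {"binary": [(k >> i) & 1 for i in range(k.bit_length())],
                 "2-NAF": wnaf(k, 2), "3-NAF": wnaf(k, 3)}
    out = {}
    for name, digits in recodings.items():
        q, trace = scalar_mult(digits, P)
        assert q == k * P              # every recoding computes the same [k]P
        out[name] = trace
    return out
```

Each trace has n − 1 = 8 doublings, and the position of every 'A' follows the non-zero digits of the recoding, which is why the operation sequence has to be protected.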

slide-5
SLIDE 5

5/20

Side Channel Analysis

◮ measure some external parameters on a running device in order to deduce internal secret information

Reference [4]: S. Mangard, E. Oswald, and T. Popp, Power Analysis Attacks: Revealing the Secrets of Smart Cards, 2007

slide-6
SLIDE 6

6/20

Side Channel Analysis for ECC

◮ in ECC: identify point addition and point doubling operations in order to deduce the key value in [k]P

Typical countermeasures:

◮ resistant algorithms (double and add always, Montgomery ladder, insert dummy operations, . . . ) → regular behavior

◮ unified formulae

◮ randomization of the scalar

    Coron countermeasure (first): $k' = k + r\,|E(\mathbb{F}_p)|$

    random recoding with DBNS and signed digit representations

◮ randomization of the base point

◮ isomorphism randomization of the curve

slide-7
SLIDE 7

7/20

ECC Processor

[Figure: ECC processor block diagram with two "±, × on Fq" units and one "1/x on Fq" unit (each with local register(s) and CTRL), register file, CTRL, COMM., key recode, AGU and countermeasures blocks]

◮ functional units (FU): ±, ×, 1/x for $\mathbb{F}_p$ and $\mathbb{F}_{2^m}$, key recoding

◮ memory: register file + internal registers in the FUs

◮ control: operations (E and Fq levels) schedule

slide-8
SLIDE 8

8/20

DBNS: Double-Base Number System

$k = \sum_{i=0}^{n-1} k_i 2^{a_i} 3^{b_i}$ with $k_i \in \{-1, 1\}$, $a_i, b_i \ge 0$

The double-base chain approach:

◮ representations of integers in two coprime bases (2, 3)

◮ extremely redundant and sparse number system

Example: 127 has 783 different representations: $127 = 2^2 3^3 + 2^1 3^2 + 2^0 3^0 = 2^2 3^3 + 2^4 3^0 + 2^0 3^1 = \dots$

Strictly chained DBNS representation (ref. [1]):

◮ compute [k]P ⇒ need $a_0 \ge \dots \ge a_{n-1}$ and $b_0 \ge \dots \ge b_{n-1}$

◮ cost: $(n - 1) \cdot \mathrm{ADD} + a_0 \cdot \mathrm{DBL} + b_0 \cdot \mathrm{TPL}$

Reference [1]: C. Doche and L. Imbert, Extended double-base number system with applications to elliptic curve cryptography, INDOCRYPT, 2006.

slide-9
SLIDE 9

9/20

Random Recoding Rules

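We focus on 4 recodings:

◮ $1 + 2 \underset{\text{expansion}}{\overset{\text{reduction}}{\rightleftharpoons}} 3$ ⟹

    $2^{i+1} 3^{j-1} + 2^i 3^{j-1} = 2^i 3^j$   [R1]
    $2^{i-1} 3^{j+1} - 2^{i-1} 3^j = 2^i 3^j$   [R2]

◮ $1 + 3 \underset{\text{exp.}}{\overset{\text{red.}}{\rightleftharpoons}} 2^2$ ⟹

    $2^{i-2} 3^{j+1} + 2^{i-2} 3^j = 2^i 3^j$   [R3]
    $2^{i+2} 3^{j-1} - 2^i 3^{j-1} = 2^i 3^j$   [R4]

◮ $1 + 2^3 \underset{\text{exp.}}{\overset{\text{red.}}{\rightleftharpoons}} 3^2$ ⟹

    $2^{i+3} 3^{j-2} + 2^i 3^{j-2} = 2^i 3^j$   [R5]
    $2^{i-3} 3^{j+2} - 2^{i-3} 3^j = 2^i 3^j$   [R6]

◮ $1 + 1 \underset{\text{exp.}}{\overset{\text{red.}}{\rightleftharpoons}} 2$ ⟹

    $2^{i+1} 3^j - 2^i 3^j = 2^i 3^j$   [R7]
    $2^{i-1} 3^j + 2^{i-1} 3^j = 2^i 3^j$   [R8]

Rules have to respect decreasing exponents

Random applications of the rules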

slide-10
SLIDE 10

10/20

Example of Some Possible DBNS Recodings for k = 140400

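(1) $2^8 3^6 - 2^6 3^6 + 2^4 3^3$

(2) $2^6 3^7 + 2^4 3^3$

(3) $2^7 3^7 - 2^7 3^6 - 2^6 3^6 + 2^4 3^3$

(4) $2^7 3^6 + 2^6 3^6 + 2^4 3^3$

(5) $2^6 3^7 + 2^6 3^2 - 2^4 3^2$

[Diagram: recodings 1 to 5 linked by reduction and expansion arrows labelled red. R4, exp. R2, exp. R1, exp. R4]

Computation of [140400]P for each recoding:

(1) $[140400]P = [2^4 3^3]([2^2 3^3]([2^2 3^0]P - P) + P)$

(2) $[140400]P = [2^4 3^3]([2^2 3^4]P + P)$

(3) $[140400]P = [2^4 3^3]([2^2 3^3]([2^1 3^0]([2^0 3^1]P - P) - P) + P)$

(4) $[140400]P = [2^4 3^3]([2^2 3^3]([2^1 3^0]P + P) + P)$

(5) $[140400]P = [2^4 3^2]([2^2 3^0]([2^0 3^5]P + P) - P)$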
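The rules R1 to R8 applied to the recodings of k = 140400 above, as an added example that is not part of the original presentation: starting from recoding 1 it derives the other four with one reduction and three expansions, and checks the decreasing-exponent (chain) condition. The term encoding (sign, a, b) and all function names are hypothetical.

```python
# Rules R1..R8: the two terms (da, db, sign) that replace one term 2^i 3^j,
# with exponent offsets relative to (i, j).
RULES = {
    "R1": ((1, -1, 1), (0, -1, 1)),   "R2": ((-1, 1, 1), (-1, 0, -1)),
    "R3": ((-2, 1, 1), (-2, 0, 1)),   "R4": ((2, -1, 1), (0, -1, -1)),
    "R5": ((3, -2, 1), (0, -2, 1)),   "R6": ((-3, 2, 1), (-3, 0, -1)),
    "R7": ((1, 0, 1), (0, 0, -1)),    "R8": ((-1, 0, 1), (-1, 0, 1)),
}

def order(t):                          # sort key: decreasing a, then decreasing b
    return (-t[1], -t[2])

def value(rep):
    """Value of a list of terms (sign, a, b), each meaning sign * 2^a * 3^b."""
    return sum(s * 2**a * 3**b for s, a, b in rep)

def pair_for(term, rule):
    """The two terms that `rule` substitutes for `term`."""
    s, a, b = term
    return [(s * ds, a + da, b + db) for da, db, ds in RULES[rule]]

def expand(rep, idx, rule):
    """Expansion: replace rep[idx] by its two-term equivalent under `rule`."""
    new = pair_for(rep[idx], rule)
    if any(a < 0 or b < 0 for _, a, b in new):
        raise ValueError("rule needs a negative exponent here")
    return sorted(rep[:idx] + new + rep[idx + 1:], key=order)

def reduce_pair(rep, rule):
    """Reduction: merge the first pair matching `rule` into one term, or None."""
    da, db, ds = RULES[rule][0]
    for s1, a1, b1 in rep:
        target = (s1 * ds, a1 - da, b1 - db)   # candidate merged term 2^i 3^j
        rest = list(rep)
        try:
            for t in pair_for(target, rule):
                rest.remove(t)
        except ValueError:
            continue                           # second term of the pair is absent
        return sorted(rest + [target], key=order)
    return None

def is_chain(rep):
    """True if the terms can be ordered with a0 >= a1 >= ... and b0 >= b1 >= ..."""
    t = sorted(rep, key=order)
    return all(x[2] >= y[2] for x, y in zip(t, t[1:]))

# Recodings 2 to 5 of k = 140400, derived from recoding 1.
REP1 = [(1, 8, 6), (-1, 6, 6), (1, 4, 3)]
REP2 = reduce_pair(REP1, "R4")
REP3, REP4, REP5 = expand(REP1, 0, "R2"), expand(REP2, 0, "R1"), expand(REP2, 1, "R4")
```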

slide-11
SLIDE 11

11/20

Binary Signed-Digit Representation

$k = \sum_{i=0}^{n} k_i 2^i$ with $k_i \in \{\bar{1}, 0, 1\}$

Example of some BSD representations for k = 11:

$(01011)_{\mathrm{BSD}} = 2^3 + 2^1 + 2^0$

$(011\bar{1}1)_{\mathrm{BSD}} = 2^3 + 2^2 - 2^1 + 2^0$

. . .

Number of BSD representations: λ(k, n) (ref. [2])

Example: λ(149, 9) = 50, λ(1365, 12) = 233, λ(87381, 17) = 4181

Reference [2]: N. Ebeid and M. Hasan, On binary signed digit representations of integers, Des. Codes Cryptography, 2007

slide-12
SLIDE 12

12/20

Recoding Rules for Randomization

Recoding rules: $01 \Leftrightarrow 1\bar{1}$ and $0\bar{1} \Leftrightarrow \bar{1}1$

Random recoding approach:

◮ left–to–right or right–to–left algorithm

◮ serial scanning of all digits of k

◮ random bits $r = (r_2, r_1, r_0)$

Compute a random signed-digit representation of $k = (0 k_{n-1} \cdots k_0)_2$:

    for i from 1 to n-1 do
        if r_2 = 1 then
            if r_1 = 1 then (k_{i+1}, k_i) ← f(k_{i+1}, k_i)
            if r_0 = 1 then (k_i, k_{i−1}) ← f(k_i, k_{i−1})
        else
            if r_0 = 1 then (k_i, k_{i−1}) ← f(k_i, k_{i−1})
            if r_1 = 1 then (k_{i+1}, k_i) ← f(k_{i+1}, k_i)
    return k
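One way to run this recoding in software, as an added example that is not part of the original presentation: it assumes f applies whichever of the two recoding rules matches the digit pair (and leaves other pairs unchanged) and that three fresh random bits are drawn at every step. It also counts n-digit BSD representations with a simple recurrence, which reproduces λ(149, 9) = 50 and λ(1365, 12) = 233; all function names are hypothetical.

```python
import random
from functools import lru_cache

# Assumed meaning of the slide's f: rewrite a digit pair (hi, lo) with one of
# the rules 01 <-> 1(-1), 0(-1) <-> (-1)1 when it matches, else leave it alone.
PAIR_RULES = {(0, 1): (1, -1), (1, -1): (0, 1),
              (0, -1): (-1, 1), (-1, 1): (0, -1)}

def f(hi, lo):
    return PAIR_RULES.get((hi, lo), (hi, lo))

def random_recode(k, n, rng):
    """Random BSD recoding of the n-bit scalar k; returns n+1 digits, LSB first."""
    d = [(k >> i) & 1 for i in range(n)] + [0]       # (0 k_{n-1} ... k_0)
    for i in range(1, n):
        # Assumption: three fresh random bits are drawn at every step.
        r2, r1, r0 = (rng.getrandbits(1) for _ in range(3))
        steps = [(r1, i + 1, i), (r0, i, i - 1)]     # order used when r2 = 1
        if not r2:
            steps.reverse()
        for bit, hi, lo in steps:
            if bit:
                d[hi], d[lo] = f(d[hi], d[lo])
    return d

def bsd_value(d):
    """Integer represented by LSB-first signed digits."""
    return sum(x * 2**i for i, x in enumerate(d))

@lru_cache(maxsize=None)
def count_bsd(k, n):
    """Number of n-digit BSD representations of k >= 0."""
    if n == 0:
        return 1 if k == 0 else 0
    if k % 2 == 0:                                   # lowest digit must be 0
        return count_bsd(k // 2, n - 1)
    return count_bsd((k - 1) // 2, n - 1) + count_bsd((k + 1) // 2, n - 1)

def sample_recodings(k, n, runs=200, seed=1):
    """Distinct recodings seen over `runs` randomized passes (seeded for replay)."""
    rng = random.Random(seed)
    return {tuple(random_recode(k, n, rng)) for _ in range(runs)}
```

The seeded `random.Random` is only there to make the demonstration repeatable; a hardware recoder would take its bits from a true random source.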

slide-13
SLIDE 13

13/20

Recoding Example for k = 11 = (01011)2

Problem: this representation may have too many 1s

Solution: reduction of the Hamming weight in order to improve scalar multiplication

slide-14
SLIDE 14

14/20

Width–w Signed-Digit

$k = \sum_{i=0}^{n} k_i 2^i$ with $k_i \in \{0, \pm 1, \pm 3, \dots, \pm(2w - 1)\}$

◮ maximum 1 digit ≠ 0 in w consecutive digits

Example of width–w signed digit representations for k = 11:

| w = 2 | w = 3 |
|---|---|
| $(01003)_{SD2}$ | $(01003)_{SD3}$ |
| $(0030\bar{1})_{SD2}$ | $(1000\bar{5})_{SD3}$ |

◮ precomputations: $[2i - 1]P$ for i from 2 to w

◮ average cost: $(n - 1) \cdot \mathrm{DBL}$ and $\frac{n}{w+1} \cdot \mathrm{ADD}$

⇒ fewer representations: $3 = 011 = 1\bar{1}1 = 10\bar{1}$

slide-15
SLIDE 15

15/20

Cost Comparison

| Curve operation | Complexity |
|---|---|
| $\mathrm{ADD}_{J+A}$ | 8[m] + 3[s] |
| α-$\mathrm{DBL}_J$ | 4α[m] + (4α + 2)[s] |
| α-$\mathrm{TPL}_J$ | (11α − 1)[m] + (4α + 2)[s] |

Assumption in $\mathbb{F}_p$: 1 square ≈ 0.8 multiplication

Cost of [k]P with:

| Recoding | Cost |
|---|---|
| SD2 | 1500[m] + 1575[s] ≈ 2760[m] |
| SD3 | 1354[m] + 1524[s] ≈ 2573[m] |
| SD4 | 1284[m] + 1494[s] ≈ 2479[m] |
| DBNS recoding | 1752[m] + 930[s] ≈ 2496[m] |

slide-16
SLIDE 16

16/20

Circuit-Level Representations of Signed-Digits

2 implementation versions: SM (Sign Magnitude) and OH (One Hot)

For w = 2, the digit set is $\{\bar{3}, \bar{1}, 0, 1, 3\}$, and two circuit-level codings have been used:

Benefit: constant number of transitions for 0 → 1 and 1 → 0

Cost: larger area and memory

Remark: same approach for w = 3

slide-17
SLIDE 17

17/20

Implementation Results - SM Version

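ISE version 12.4, standard efforts for synthesis and P&R

Virtex 5 XC5VLX50T FPGA

| n | w | optimization goal | # registers | # LUTs | max. freq. [MHz] |
|---|---|---|---|---|---|
| 192 | 2 | area | 451 | 2497 | 182 |
| 192 | 2 | speed | 1604 | 2970 | 222 |
| 192 | 3 | area | 457 | 2704 | 187 |
| 192 | 3 | speed | 1803 | 3251 | 212 |
| 224 | 2 | area | 515 | 2924 | 185 |
| 224 | 2 | speed | 1860 | 3081 | 179 |
| 224 | 3 | area | 521 | 3128 | 180 |
| 224 | 3 | speed | 2093 | 3653 | 195 |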

slide-18
SLIDE 18

18/20

Implementation Results - OH Version

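ISE version 12.4, standard efforts for synthesis and P&R

Virtex 5 XC5VLX50T FPGA

| n | w | optimization goal | # registers | # LUTs | max. freq. [MHz] |
|---|---|---|---|---|---|
| 192 | 2 | area | 838 | 2976 | 182 |
| 192 | 2 | speed | 2186 | 3606 | 195 |
| 192 | 3 | area | 847 | 3215 | 187 |
| 192 | 3 | speed | 2971 | 4215 | 170 |
| 224 | 2 | area | 966 | 3434 | 185 |
| 224 | 2 | speed | 2538 | 3874 | 179 |
| 224 | 3 | area | 975 | 3670 | 189 |
| 224 | 3 | speed | 3450 | 4489 | 187 |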

slide-19
SLIDE 19

19/20

Conclusion

◮ use redundant representations of numbers

◮ random recoding

◮ hardware implementation with low overhead

[Figure: ECC processor block diagram with the key recode and countermeasures blocks]

Future prospects:

◮ integration in the ECC processor

◮ physical robustness evaluation

slide-20
SLIDE 20

20/20

References

[1] Christophe Doche and Laurent Imbert. Extended double-base number system with applications to elliptic curve cryptography. In INDOCRYPT, pages 335–348. Springer, 2006.

[2] Nevine Ebeid and M. Anwar Hasan. On binary signed digit representations of integers. Des. Codes Cryptography, 42:43–65, January 2007.

[3] D. Hankerson, S. Vanstone, and A. Menezes. Guide to Elliptic Curve Cryptography. Springer-Verlag, 2003.

[4] S. Mangard, E. Oswald, and T. Popp. Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer, December 2007.