[PPT] - Side ide-Chan Channel nel Res Resis istant tant Scalar calar PowerPoint Presentation

SLIDE 1

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Side ide-Chan Channel nel Res Resis istant tant Scalar calar Multiplication ultiplication Algorithms Algorithms ov

ver

er Finite Finite Fields Fields

Alexandre VENELLI1,2 François DASSANCE1

1 - ATMEL

Secure Microcontroller Solutions
Rousset, FRANCE
2 - IML – ERISCS
Université de la Méditerranée
Marseille, FRANCE

SLIDE 2

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Outli line

 Elliptic Curve Cryptosystems (ECC)  Side-channel attacks against ECC  Classical side-channel resistant scalar multiplication algorithms  Our proposed alternatives

SAR-SSI 2010, May 18-21 2

SLIDE 3

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Ba Background on ECC (1 ECC (1)

 Public Key (Asymmetric) cryptosystem  Based on a hard problem :

Elliptic Curve Discrete Logarithm Problem (ECDLP)
Given an elliptic curve, points P and Q, find k such that Q=kP
Hardness of ECDLP = Security level of ECC protocols
No sub-exponential algorithms known for ECDLP

SAR-SSI 2010, May 18-21 3

SLIDE 4

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Ba Background on ECC (2 ECC (2)

 At the base of ECC operations is finite field algebra with either :

Prime finite fields (GF(p)) or
Binary extension finite fields (GF(2m))

 ECC depends on :

Finite field selection,
Elliptic curve type,
Point representation,
Protocol,
Hardware/software breakdown,
Memory available,
…

SAR-SSI 2010, May 18-21 4

SLIDE 5

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

El Elli liptic ic Cu Curve ve

 Short Weierstrass curves

Curves used in norms: FIPS, ANSI, …

 Elliptic curve on binary field :  Elliptic curve on prime field :

SAR-SSI 2010, May 18-21 5

) ), 2 ( , ( :

2 3 2

      b GF b a b ax x xy y E

n

) 3 , 27 4 ), ( , ( :

2 3 3 2

       p b a p GF b a b ax x y E

All points satisfying E

and infinity point O

Abelian group with

addition law

SLIDE 6

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Generic ic Ad Addit ition ion on E EC

 Let  EC Doubling (ECDBL) :  EC Addition (ECADD) :  On GF(p), Jacobian coordinates :

ECDBL = 4M + 5S
ECADD = 14M + 5S

 On GF(2m), López-Dahab coordinates :

ECDBL = 3M + 5S
ECADD = 13M + 4S

SAR-SSI 2010, May 18-21 6

E y x P y x P y x P     ) , ( ), , ( ), , (

3 3 3 2 2 2 1 1 1 1 1 1 3

2P P P P    ) (

2 1 2 1 3

P P P P P   

HTTP://WWW.HYPERELLIPTIC.ORG/EFD/

SLIDE 7

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

ECC ECC Operations ions Hier ierarchy ECC protocol EC point

peration

EC ADD / DBL Basic field operation

ECDSA, ECDH, ECIES, …
Scalar multiplication : kP
Fundamental and most time consuming operation
Point addition :
Point doubling :

2 1 3

P P P  

1 3

2P P 

GF addition : a + b mod p
GF subtraction : a – b mod p
GF multiplication : a * b mod p
GF inversion : 1 / a mod p

SLIDE 8

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

‘Si Simp mpli lifie fied’ Addition on EC

 Let  On GF(p), Jacobian coordinates :

5M + 2S (Meloni 2007)

 On GF(2m), Jacobian coordinates :

7M + 2S (this work)

 Formulae not interesting with a standard scalar multiplication algorithm  our propositions

SAR-SSI 2010, May 18-21 8

E Z Y X P Z Y X P    ) , , ( ), , , (

2 2 2 1 1 1

2 1 1

~ 2 1 1 2 1

with ) , ~ ( ) , (

P P P

Z Z P P P P P SimpleAdd



  

SLIDE 9

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Sca Scalar lar Mult ltipli iplication ion on E EC

 Scalar Multiplication

Double-and-add

1. 2. From downto

ECDBL

if then

ECADD

3. Return

Ex :

SAR-SSI 2010, May 18-21 9

1 , ) ( ,

1 2 1

  

  n n

k k k k E P 

kP

binary representation

P Q  2   n i Q Q 2  1 

i

k P Q Q   Q P P

2

) 110011 ( 51 

P P 6

D

P 12

D

P 50

D

P 51

A

P 24

D

P 25

A

P 2

D

P 3

A

SLIDE 10

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Imp Impleme lementation ion Att Attacks

SAR-SSI 2010, May 18-21 10

SLIDE 11

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Famil milies ies of f Si Side-Ch Channel l Att Attacks

 Simple Power Analysis (SPA) Observe the power consumption of devices in a single computation and detect the secret key  Differential Power Analysis (DPA) Observe many power consumptions and analyze these information together with statistic tools  Fault Analysis (FA) Using the knowledge of correct results, faulted results and the precise place of induced faults an adversary is able to compute the secret key

SAR-SSI 2010, May 18-21 11

SLIDE 12

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Bri Brief His istory of S f SCA CA

 1996 :

Kocher et al.  Timing attacks
Boneh et al.  Fault injection

 1998 :

Kocher et al.  Power analysis

 2000 :

Quisquater et al.  Electromagnetic analysis

SAR-SSI 2010, May 18-21 12

SLIDE 13

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Pow Power An Analy lysi sis : : Ch Cheap and Easy Easy

SAR-SSI 2010, May 18-21 13

SLIDE 14

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

SPA ag SPA against inst ECC ECC ( (Co Coron 1999) 1999)

SAR-SSI 2010, May 18-21 14

 ECDBL  ECADD

D
D
D
D
D
A
A
A
Ex :

P P

2

) 110011 ( 51 

Secret revealed !
1 1 0 0 1 1
ECDBL
ECADD

SLIDE 15

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Do Double le-and and-add add-alw lways ys (Co Coron 1999) 1999)

SAR-SSI 2010, May 18-21 15

Ex :

P P

2

) 110011 ( 51 

1 0 or 1? 0 or 1? 0 or 1? 0 or 1? 0 or 1?

D
A
D
A
D
A
D
A
D
A
dummy
dummy
ECDBL
ECADD

SLIDE 16

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

SPA SPA Re Resi sist stant but no not FA FA Re Resi sist stant

SAR-SSI 2010, May 18-21 16

D
A
D
A
D
A
D
A
D
A
dummy
dummy

P 51 

D
A
D
A
D
A
D
A
D
A

P 51 

D
A
D
A
D
A
D
A
D
A

P 51 

SLIDE 17

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Montgomery mery Ladder Ladder (Bri (Brier, , Joye ye 2002) 2002)

SAR-SSI 2010, May 18-21 17

SLIDE 18

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

 Ex :

SAR-SSI 2010, May 18-21 18

P P

2

) 110011 ( 51 

k5 = 1 P0 = P P1 = 2P k4 = 1 P0=P0+P1 = 3P P1=2P1 = 4P k3 = 0 P1=P0+P1 = 7P P0=2P0 = 6P k2 = 0 P1=P0+P1 = 13P P0=2P0 = 12P k1 = 1 P0=P0+P1 = 25P P1=2P1 = 26P k0 = 1 P0=P0+P1 = 51P P1=2P1 = 52P

Montgomery mery Ladder Ladder, , it it works !

SLIDE 19

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Our P Proposi sition ion

 Montgomery ladder idea + ‘simplified’ addition = side-channel resistant + efficient algorithm  Problem :

Montgomery ladder needs a EC doubling each round
In the next round, we need for the ‘simplified’ addition points

with the same Z-coordinate

We would need to transform the output of the doubling so

that it has the correct Z-coordinate

Extremely inefficient

 We need to get rid of EC doubling in the algorithm  only use fast ‘simplified’ additions

SAR-SSI 2010, May 18-21 19

SLIDE 20

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Modifi ified Montgomery mery Ladder Ladder

SAR-SSI 2010, May 18-21 20

SLIDE 21

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Modifi ified Montgome mery y Ladder Ladder, , st stil ill works !

SAR-SSI 2010, May 18-21 21

 Ex :

P P

2

) 110011 ( 51 

k5 = 1 P1 = P P2 = 2P k4 = 1 P1=P1+P2 = 3P P2=P1+P = 4P k3 = 0 P1=P1+P2 = 7P P2=P1-P = 6P k2 = 0 P1=P1+P2 = 13P P2=P1-P = 12P k1 = 1 P1=P1+P2 = 25P P2=P1+P = 26P k0 = 1 P1=P1+P2 = 51P P2=P1+P = 52P

SLIDE 22

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Tw Tweak ‘Si Simp mpli lifie fied’ Addition

 Problem : we need the point P with the correct Z- coordinate at each round  Computing both addition and subtraction in a modified ‘simplified’ addition

SAR-SSI 2010, May 18-21 22

) , , ~ (

2 1 2 1 1

P P P P P Sub SimpledAdd   

GF(p) GF(2m) SimpleAdd 5M+2S 7M+2S SimpleAddSub 6M+3S 11M+2S

Complexity in field operations

SLIDE 23

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Pr Propose sed Alg Algorit ithm

SAR-SSI 2010, May 18-21 23

SLIDE 24

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Effici Efficiency Eval Evaluation o ion on G GF(2 (2m)

SAR-SSI 2010, May 18-21 24

Algorithm Complexity (per bit of scalar) Generic Montgomery Ladder 18M+10S ≈ 28M Lopez et al. (1999) 6M+5S ≈ 11M BasicScalarMult 22M+4S ≈ 26M

SLIDE 25

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Effici Efficiency Eval Evaluation o ion on G GF(p (p)

SAR-SSI 2010, May 18-21 25

Algorithm Complexity (per bit of scalar) Generic Montgomery Ladder 12M+13S ≈ 25M Brier et al. (2002) 15M+5S ≈ 20M Izu et al. (2002) 13M+4S ≈ 17M BasicScalarMult 12M+6S ≈ 18M OptScalarMult 10M+6S ≈ 16M

SLIDE 26

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Co Conclusion lusion

 Side-channel resistance is a major issue in constrained devices…  … however efficiency should not suffer  We wanted to improve scalar multiplication, the main part

f ECC, on these 2 points

 Our results :

an alternative algorithm on GF(2m),
very interesting replacement on GF(p)

SAR-SSI 2010, May 18-21 26

SLIDE 27

Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Th Thank yo you. . Que Quest stion ions s ?

SAR-SSI 2010, May 18-21 27