Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Side ide-Chan Channel nel Res Resis istant tant Scalar calar Multiplication ultiplication Algorithms Algorithms ov over er Finite Finite Fields Fields Alexandre VENELLI 1,2 François DASSANCE 1 • 2 - IML – ERISCS 1 - ATMEL • Secure Microcontroller Solutions • Université de la Méditerranée • Rousset, FRANCE • Marseille, FRANCE
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Outli line Elliptic Curve Cryptosystems (ECC) Side-channel attacks against ECC Classical side-channel resistant scalar multiplication algorithms Our proposed alternatives SAR-SSI 2010, May 18-21 2
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Ba Background on ECC (1 ECC (1) Public Key (Asymmetric) cryptosystem Based on a hard problem : Elliptic Curve Discrete Logarithm Problem (ECDLP) Given an elliptic curve, points P and Q, find k such that Q=kP Hardness of ECDLP = Security level of ECC protocols No sub-exponential algorithms known for ECDLP SAR-SSI 2010, May 18-21 3
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Ba Background on ECC (2 ECC (2) At the base of ECC operations is finite field algebra with either : Prime finite fields (GF(p)) or Binary extension finite fields (GF(2 m )) ECC depends on : Finite field selection, Elliptic curve type, Point representation, Protocol, Hardware/software breakdown, Memory available, … SAR-SSI 2010, May 18-21 4
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields El Elli liptic ic Cu Curve ve Short Weierstrass curves Curves used in norms : FIPS, ANSI, … Elliptic curve on binary field : 2 3 2 n : ( , ( 2 ), 0 ) E y xy x ax b a b GF b Elliptic curve on prime field : 2 3 3 2 E : y x ax b ( a , b GF ( p ), 4 a 27 b 0 , p 3 ) • All points satisfying E • Abelian group with and infinity point O addition law SAR-SSI 2010, May 18-21 5
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Generic ic Ad Addit ition ion on E EC P ( x , y ), P ( x , y ), P ( x , y ) E Let 1 1 1 2 2 2 3 3 3 EC Doubling (ECDBL) : P P P 2 P 3 1 1 1 EC Addition (ECADD) : P P P ( P P ) 3 1 2 1 2 On GF(p), Jacobian coordinates : ECDBL = 4M + 5S ECADD = 14M + 5S On GF(2 m ), López-Dahab coordinates : ECDBL = 3M + 5S ECADD = 13M + 4S • HTTP :// WWW . HYPERELLIPTIC . ORG /EFD/ SAR-SSI 2010, May 18-21 6
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields ECC ECC Operations ions Hier ierarchy ECC •ECDSA, ECDH, ECIES, … protocol EC point • Scalar multiplication : kP operation • Fundamental and most time consuming operation • Point addition : P P P EC ADD / DBL 3 1 2 P • Point doubling : 2 P 3 1 Basic field operation • GF addition : a + b mod p • GF subtraction : a – b mod p • GF multiplication : a * b mod p • GF inversion : 1 / a mod p
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields ‘ Si Simp mpli lifie fied ’ Addition on EC Let P ( X , Y , Z ), P ( X , Y , Z ) E 1 1 1 2 2 2 ~ SimpleAdd ( P , P ) ( P , P P ) with Z Z ~ 1 2 1 1 2 P P P 1 2 1 On GF(p), Jacobian coordinates : 5M + 2S (Meloni 2007) On GF(2 m ), Jacobian coordinates : 7M + 2S (this work) Formulae not interesting with a standard scalar multiplication algorithm our propositions SAR-SSI 2010, May 18-21 8
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Sca Scalar lar Mult ltipli iplication ion on E EC kP Scalar Multiplication Double-and-add P E , k ( k k ) , k 1 n 1 0 2 n 1 Q • binary representation P 1. n i 2 0 2. From downto ECDBL Q 2 Q Q Q P k 1 ECADD if then i Q 3. Return 51 P ( 110011 ) P Ex : 2 6 P 25 P P 3 P 12 P 24 P 2 P • D • D • D • A • D • A 50 P 51 P • D • A SAR-SSI 2010, May 18-21 9
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Imp Impleme lementation ion Att Attacks SAR-SSI 2010, May 18-21 10
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Famil milies ies of f Si Side-Ch Channel l Att Attacks Simple Power Analysis (SPA) Observe the power consumption of devices in a single computation and detect the secret key Differential Power Analysis (DPA) Observe many power consumptions and analyze these information together with statistic tools Fault Analysis (FA) Using the knowledge of correct results, faulted results and the precise place of induced faults an adversary is able to compute the secret key SAR-SSI 2010, May 18-21 11
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Bri Brief His istory of S f SCA CA 1996 : Kocher et al. Timing attacks Boneh et al. Fault injection 1998 : Kocher et al. Power analysis 2000 : Quisquater et al. Electromagnetic analysis SAR-SSI 2010, May 18-21 12
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Pow Power An Analy lysi sis : : Ch Cheap and Easy Easy SAR-SSI 2010, May 18-21 13
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields SPA ag SPA against inst ECC ECC ( (Co Coron 1999) 1999) ECDBL ECADD • ECDBL • ECADD 51 • Ex : • Secret revealed ! P ( 110011 ) P 2 • D • A • D • D • D • A • D • A • 1 1 0 0 1 1 SAR-SSI 2010, May 18-21 14
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Do Double le-and and-add add-alw lways ys (Co Coron 1999) 1999) • ECDBL • ECADD • Ex : 51 P ( 110011 ) P 2 • dummy • dummy • D • A • D • A • D • A • D • A • D • A 1 0 or 1? 0 or 1? 0 or 1? 0 or 1? 0 or 1? SAR-SSI 2010, May 18-21 15
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields SPA SPA Re Resi sist stant but no not FA FA Re Resi sist stant • dummy • dummy 51 P • D • A • D • A • D • A • D • A • D • A 51 P • D • A • D • A • D • A • D • A • D • A 51 P • D • A • D • A • D • A • D • A • D • A SAR-SSI 2010, May 18-21 16
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Montgomery mery Ladder Ladder (Bri (Brier, , Joye ye 2002) 2002) SAR-SSI 2010, May 18-21 17
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Montgomery mery Ladder Ladder, , it it works ! 51 Ex : P ( 110011 ) P 2 k 5 = 1 k 4 = 1 P 0 = P P 0 =P 0 +P 1 = 3P P 1 = 2P P 1 =2P 1 = 4P k 3 = 0 k 2 = 0 P 1 =P 0 +P 1 = 7P P 1 =P 0 +P 1 = 13P P 0 =2P 0 = 6P P 0 =2P 0 = 12P k 1 = 1 k 0 = 1 P 0 =P 0 +P 1 = 25P P 0 =P 0 +P 1 = 51P P 1 =2P 1 = 26P P 1 =2P 1 = 52P SAR-SSI 2010, May 18-21 18
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Our P Proposi sition ion Montgomery ladder idea + ‘ simplified ’ addition = side-channel resistant + efficient algorithm Problem : Montgomery ladder needs a EC doubling each round In the next round, we need for the ‘ simplified ’ addition points with the same Z-coordinate We would need to transform the output of the doubling so that it has the correct Z-coordinate Extremely inefficient We need to get rid of EC doubling in the algorithm only use fast ‘ simplified ’ additions SAR-SSI 2010, May 18-21 19
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Modifi ified Montgomery mery Ladder Ladder SAR-SSI 2010, May 18-21 20
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Modifi ified Montgome mery y Ladder Ladder, , st stil ill works ! 51 Ex : P ( 110011 ) P 2 k 5 = 1 k 4 = 1 P 1 = P P 1 =P 1 +P 2 = 3P P 2 = 2P P 2 =P 1 +P = 4P k 3 = 0 k 2 = 0 P 1 =P 1 +P 2 = 7P P 1 =P 1 +P 2 = 13P P 2 =P 1 -P = 6P P 2 =P 1 -P = 12P k 1 = 1 k 0 = 1 P 1 =P 1 +P 2 = 25P P 1 =P 1 +P 2 = 51P P 2 =P 1 +P = 26P P 2 =P 1 +P = 52P SAR-SSI 2010, May 18-21 21
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Tw Tweak ‘ Si Simp mpli lifie fied ’ Addition Problem : we need the point P with the correct Z- coordinate at each round Computing both addition and subtraction in a modified ‘ simplified ’ addition ~ SimpledAdd Sub ( P , P P , P P ) 1 1 2 1 2 • Complexity in field operations GF(2 m ) GF(p) SimpleAdd 5M+2S 7M+2S SimpleAddSub 6M+3S 11M+2S SAR-SSI 2010, May 18-21 22
Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields Pr Propose sed Alg Algorit ithm SAR-SSI 2010, May 18-21 23
Recommend
More recommend
