Side-Channel Resistant Scalar Multiplication ... - Alexandre Venelli


Side-Channel Resistant Scalar Multiplication Algorithms over Finite Fields

Alexandre VENELLI (1,2), François DASSANCE (1)

1 - ATMEL, Secure Microcontroller Solutions, Rousset, FRANCE
2 - IML – ERISCS, Université de la Méditerranée, Marseille, FRANCE


Outline

• Elliptic Curve Cryptosystems (ECC)
• Side-channel attacks against ECC
• Classical side-channel resistant scalar multiplication algorithms
• Our proposed alternatives

SAR-SSI 2010, May 18-21


Background on ECC (1)

• Public Key (Asymmetric) cryptosystem
• Based on a hard problem:
  - Elliptic Curve Discrete Logarithm Problem (ECDLP)
  - Given an elliptic curve, points P and Q, find k such that Q = kP
• Hardness of ECDLP = Security level of ECC protocols
  - No sub-exponential algorithms known for ECDLP


Background on ECC (2)

• At the base of ECC operations is finite field algebra with either:
  - Prime finite fields (GF(p)) or
  - Binary extension finite fields (GF(2^m))
• ECC depends on:
  - Finite field selection,
  - Elliptic curve type,
  - Point representation,
  - Protocol,
  - Hardware/software breakdown,
  - Memory available,
  - …


Elliptic Curve

• Short Weierstrass curves
  - Curves used in standards: FIPS, ANSI, …
• Elliptic curve on binary field:
  $E : y^2 + xy = x^3 + ax^2 + b \quad (a, b \in GF(2^n),\ b \neq 0)$
• Elliptic curve on prime field:
  $E : y^2 = x^3 + ax + b \quad (a, b \in GF(p),\ 4a^3 + 27b^2 \neq 0,\ p > 3)$
• All points satisfying E and infinity point O
• Abelian group with addition law


Generic Addition on EC

• Let $P_1 = (x_1, y_1),\ P_2 = (x_2, y_2),\ P_3 = (x_3, y_3) \in E$
• EC Doubling (ECDBL): $P_3 = P_1 + P_1 = 2P_1$
• EC Addition (ECADD): $P_3 = P_1 + P_2 \quad (P_1 \neq P_2)$
• On GF(p), Jacobian coordinates:
  - ECDBL = 4M + 5S
  - ECADD = 14M + 5S
• On GF(2^m), López-Dahab coordinates:
  - ECDBL = 3M + 5S
  - ECADD = 13M + 4S

HTTP://WWW.HYPERELLIPTIC.ORG/EFD/


ECC Operations Hierarchy

• ECC protocol: ECDSA, ECDH, ECIES, …
• EC point operation: scalar multiplication kP (fundamental and most time consuming operation)
• EC ADD / DBL: point addition $P_3 = P_1 + P_2$, point doubling $P_3 = 2P_1$
• Basic field operation:
  - GF addition: a + b mod p
  - GF subtraction: a - b mod p
  - GF multiplication: a * b mod p
  - GF inversion: 1 / a mod p


‘Simplified’ Addition on EC

• Let $P_1 = (X_1, Y_1, Z),\ P_2 = (X_2, Y_2, Z) \in E$
  $\mathrm{SimpleAdd}(P_1, P_2) \rightarrow (\tilde{P}_1, P_1 + P_2)$ with $Z_{\tilde{P}_1} = Z_{P_1 + P_2}$
• On GF(p), Jacobian coordinates: 5M + 2S (Meloni 2007)
• On GF(2^m), Jacobian coordinates: 7M + 2S (this work)
• Formulae not interesting with a standard scalar multiplication algorithm → our propositions


Scalar Multiplication on EC

• Scalar multiplication $kP$: $P \in E$, $k = (k_{n-1} \ldots k_0)_2$ (binary representation), $k_{n-1} = 1$
• Double-and-add
  1. $Q \leftarrow P$
  2. From $i = n-2$ downto 0:
       $Q \leftarrow 2Q$ (ECDBL)
       if $k_i = 1$ then $Q \leftarrow Q + P$ (ECADD)
  3. Return $Q$
• Ex: $51P = (110011)_2 P$
  P →(D) 2P →(A) 3P →(D) 6P →(D) 12P →(D) 24P →(A) 25P →(D) 50P →(A) 51P


Implementation Attacks


Families of Side-Channel Attacks

• Simple Power Analysis (SPA): observe the power consumption of devices in a single computation and detect the secret key
• Differential Power Analysis (DPA): observe many power consumption traces and analyze this information together with statistical tools
• Fault Analysis (FA): using the knowledge of correct results, faulted results and the precise place of induced faults, an adversary is able to compute the secret key


Brief History of SCA

• 1996:
  - Kocher et al.: Timing attacks
  - Boneh et al.: Fault injection
• 1998:
  - Kocher et al.: Power analysis
• 2000:
  - Quisquater et al.: Electromagnetic analysis


Power Analysis : Cheap and Easy


SPA against ECC (Coron 1999)

[Figure: trace with the ECDBL and ECADD operations marked]

• Ex: $51P = (110011)_2 P$
  - Operations read from the trace: D A, D, D, D A, D A
  - Bits: 1 (leading bit), then 1, 0, 0, 1, 1
• Secret revealed!


Double-and-add-always (Coron 1999)

[Figure: trace with the ECDBL and ECADD operations marked]

• Ex: $51P = (110011)_2 P$
  - Operations read from the trace: D A, D A, D A, D A, D A (two of the A operations are dummy)
  - Bits: 1 (leading bit), then "0 or 1?" for each of the five D A pairs


SPA Resistant but not FA Resistant

[Figure: three runs of the double-and-add-always operation sequence (D A repeated five times, two A operations marked as dummy), each shown against the result 51P]


Montgomery Ladder (Brier, Joye 2002)


Montgomery Ladder, it works!

• Ex: $51P = (110011)_2 P$
  - k5 = 1: P0 = P, P1 = 2P
  - k4 = 1: P0 = P0 + P1 = 3P, P1 = 2P1 = 4P
  - k3 = 0: P1 = P0 + P1 = 7P, P0 = 2P0 = 6P
  - k2 = 0: P1 = P0 + P1 = 13P, P0 = 2P0 = 12P
  - k1 = 1: P0 = P0 + P1 = 25P, P1 = 2P1 = 26P
  - k0 = 1: P0 = P0 + P1 = 51P, P1 = 2P1 = 52P


Our Proposition

• Montgomery ladder idea + ‘simplified’ addition = side-channel resistant + efficient algorithm
• Problem:
  - Montgomery ladder needs an EC doubling each round
  - In the next round, the ‘simplified’ addition needs points with the same Z-coordinate
  - We would need to transform the output of the doubling so that it has the correct Z-coordinate
  - Extremely inefficient
• We need to get rid of EC doubling in the algorithm → only use fast ‘simplified’ additions


Modified Montgomery Ladder


Modified Montgomery Ladder, still works!

• Ex: $51P = (110011)_2 P$
  - k5 = 1: P1 = P, P2 = 2P
  - k4 = 1: P1 = P1 + P2 = 3P, P2 = P1 + P = 4P
  - k3 = 0: P1 = P1 + P2 = 7P, P2 = P1 - P = 6P
  - k2 = 0: P1 = P1 + P2 = 13P, P2 = P1 - P = 12P
  - k1 = 1: P1 = P1 + P2 = 25P, P2 = P1 + P = 26P
  - k0 = 1: P1 = P1 + P2 = 51P, P2 = P1 + P = 52P
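Added example (not from the slides): the double-and-add, double-and-add-always, Montgomery ladder and modified ladder walkthroughs above, written as Python with every point modelled by its multiple of P and every run recording its ECDBL/ECADD sequence. Function names are constructed here, and returning P2 after a final 0 bit is derived from the ladder invariant, since the slides only walk through a scalar ending in 1.

```python
# Added example: each point is modelled by its multiple of P (integer m = mP),
# as in the slides' walkthroughs. All names are constructed for illustration.
def double_and_add(k):
    q, trace = 1, ""
    for bit in bin(k)[3:]:                    # bits k_{n-2} .. k_0
        q, trace = 2 * q, trace + "D"         # ECDBL on every bit
        if bit == "1":
            q, trace = q + 1, trace + "A"     # ECADD only when k_i = 1
    return q, trace

def scalar_from_trace(trace):
    """What the D/A pattern encodes: a D followed by A is a 1 bit, a lone D a 0."""
    bits = trace.replace("DA", "1").replace("D", "0")
    return int("1" + bits, 2)                 # leading bit k_{n-1} = 1

def double_and_add_always(k):
    q, trace = 1, ""
    for bit in bin(k)[3:]:
        q = 2 * q
        r = q + 1                             # always computed; dummy when k_i = 0
        q, trace = (r if bit == "1" else q), trace + "DA"
    return q, trace

def montgomery_ladder(k):
    p0, p1, trace = 1, 2, ""
    for bit in bin(k)[3:]:
        if bit == "1":
            p0, p1 = p0 + p1, 2 * p1
        else:
            p1, p0 = p0 + p1, 2 * p0
        trace += "AD"                         # one ECADD + one ECDBL, both results used
    return p0, trace

def modified_ladder(k):
    p1, p2, trace = 1, 2, ""
    for bit in bin(k)[3:]:
        p1 = p1 + p2                          # always the sum of the pair
        p2 = p1 + 1 if bit == "1" else p1 - 1 # sum + P or sum - P: no doubling
        trace += "AA"
    # Assumption (derived from the invariant {P1, P2} = {kP, (k+1)P}, not shown on
    # the slides): after a final 0 bit the result kP sits in P2, not P1.
    return (p1 if k & 1 else p2), trace

if __name__ == "__main__":
    for k in (51, 50, 45):                    # three 6-bit scalars
        for f in (double_and_add, double_and_add_always, montgomery_ladder, modified_ladder):
            print(f.__name__, k, f(k))
```

Only the plain double-and-add trace changes with the scalar; the other three traces depend on the bit length alone, and in the two ladders no computed value is discarded.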


Tweak ‘Simplified’ Addition

• Problem: we need the point P with the correct Z-coordinate at each round
• Computing both addition and subtraction in a modified ‘simplified’ addition:
  $\mathrm{SimpleAddSub} \rightarrow (\tilde{P}_1, P_1 + P_2, P_1 - P_2)$
• Complexity in field operations:

| | GF(p) | GF(2^m) |
|---|---|---|
| SimpleAdd | 5M+2S | 7M+2S |
| SimpleAddSub | 6M+3S | 11M+2S |
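Added example (not from the slides, which give only operation counts): a Jacobian same-Z addition over GF(p) that produces the outputs of SimpleAdd and, with `with_sub`, of SimpleAddSub, while counting field multiplications and squarings so the 5M+2S and 6M+3S figures can be checked. The toy curve, the points and all names are constructed, and the formulas are one known co-Z variant assumed here, not necessarily the authors' own.

```python
# Added example: co-Z addition on a toy curve. The curve, the points and all
# names are constructed; the formulas are an assumed Jacobian co-Z variant.
p = 97                                    # toy curve y^2 = x^3 + 2x + 3 over GF(97)
ops = {"M": 0, "S": 0}                    # field multiplications / squarings used

def mul(x, y):
    ops["M"] += 1
    return x * y % p

def sqr(x):
    ops["S"] += 1
    return x * x % p

def co_z_add(P1, P2, with_sub=False):
    """P1, P2 are Jacobian points sharing one Z, P1 != +-P2.
    Returns [P1~, P1+P2] (plus P1-P2 if with_sub), all on the same new Z."""
    (X1, Y1, Z), (X2, Y2, _) = P1, P2
    C = sqr(X1 - X2)
    W1, W2 = mul(X1, C), mul(X2, C)
    A1 = mul(Y1, W1 - W2)                 # Y of P1 rescaled to the new Z
    Z3 = mul(Z, X1 - X2)
    X3 = (sqr(Y1 - Y2) - W1 - W2) % p
    out = [(W1, A1, Z3), (X3, (mul(Y1 - Y2, W1 - X3) - A1) % p, Z3)]
    if with_sub:                          # same steps with -P2 = (X2, -Y2, Z)
        X4 = (sqr(Y1 + Y2) - W1 - W2) % p
        out.append((X4, (mul(Y1 + Y2, W1 - X4) - A1) % p, Z3))
    return out

def affine(P):
    X, Y, Z = P
    zi = pow(Z, -1, p)                    # modular inverse (Python 3.8+)
    return (X * zi**2 % p, Y * zi**3 % p)

def chord(A, B):                          # reference affine addition, A != +-B
    (x1, y1), (x2, y2) = A, B
    lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def run(with_sub, z=5):
    """One co-Z operation on (3, 6) and (0, 10) lifted to a shared Z = z."""
    ops.update(M=0, S=0)
    lift = lambda x, y: (x * z**2 % p, y * z**3 % p, z)
    pts = co_z_add(lift(3, 6), lift(0, 10), with_sub)
    return [affine(Q) for Q in pts], dict(ops)

if __name__ == "__main__":
    print(run(False))                     # SimpleAdd
    print(run(True))                      # SimpleAddSub
```

The first returned point is P1 itself, re-expressed on the new Z, which is what lets the next round's addition start from two points with a common Z-coordinate.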


Proposed Algorithm


Efficiency Evaluation on GF(2^m)

| Algorithm | Complexity (per bit of scalar) |
|---|---|
| Generic Montgomery Ladder | 18M+10S ≈ 28M |
| Lopez et al. (1999) | 6M+5S ≈ 11M |
| BasicScalarMult | 22M+4S ≈ 26M |


Efficiency Evaluation on GF(p)

| Algorithm | Complexity (per bit of scalar) |
|---|---|
| Generic Montgomery Ladder | 12M+13S ≈ 25M |
| Brier et al. (2002) | 15M+5S ≈ 20M |
| Izu et al. (2002) | 13M+4S ≈ 17M |
| BasicScalarMult | 12M+6S ≈ 18M |
| OptScalarMult | 10M+6S ≈ 16M |


Conclusion

• Side-channel resistance is a major issue in constrained devices…
• … however efficiency should not suffer
• We wanted to improve scalar multiplication, the main part of ECC, on these 2 points
• Our results:
  - an alternative algorithm on GF(2^m),
  - very interesting replacement on GF(p)


Thank you. Questions ?
