Power Consumption Analysis. Arithmetic Level Countermeasures for ECC Coprocessor. Arithmetic Operators for Cryptography.

Transcription

1 Power Consumption Analysis General principle: measure the current I in the circuit Arithmetic Level Countermeasures for ECC Coprocessor Arnaud Tisserand, Thomas Chabrier, Danuta Pamula I V DD circuit traces CNRS, IRISA laboratory, CAIRN research team Claude Shannon Institute Workshop on Coding & Cryptography May 7-8,, UCC GND Simple Power Analysis Differential Power Analysis Correlation Power Analysis Template Attacks... Notations: V DD power supply (5,,.5,.,.9 V), GND ground Similar attacks: electromagnetic radiations (EMR) and timing analysis A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor /4 Countermeasures Prevent attacks by using: additional protection block(s) modification(s) of the original circuit (i.e. secure version) Examples: electrical shielding use uniform computation durations use uniform power consumption add noise (e.g. useless instructions/computations) circuit reconfiguration at runtime modify the datapath modify the representation of values modify the computation algorithms Our solution: arithmetic level protection(s) Arithmetic Operators for Cryptography Values are elements of: prime finite field F p (p is a large prime) extensions of the binary field F m extensions of small fields F p m (e.g.: p = ) Typical sizes for public-key cryptography: RSA = 4 to 89 bits ECC = 6 to 6 bits Operations: addition, subtraction multiplication multiplication by a constant inversion exponentiation A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor /4 A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 4/4

2 Inputs: Output : Algorithm: (A + B) mod M = Addition Modulo M A, B {,,,,..., M } M (A + B) mod M { A + B A + B M MSB if A + B < M if A + B M Addition Modulo n Inputs: A, B {,,,,..., n } Output: (A + B) mod ( n ) Basic method: A + B if A + B < n (A + B) mod ( n ) = A + B ( n ) if A + B n }{{} A+B+ A + B M A B Problem: the test A + B n is costly A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 5/4 A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 6/4 Addition Modulo n : improved version Activity in F p Arithmetic Operators (/) (A + B) mod ( n ) = { A + B A + B + if A + B + < n if A + B + n a + b A a b B c out a + cst a and b are random elements of F p, cst is a constant (curve parameter) A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 7/4 A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 8/4

3 Activity in F p Arithmetic Operators (/).. l=5 l=6.. Modular Exponentiation for RSA Algorithm: square and multiply l= l=9.. l=8 64 l= Activity profiles for l-bit windows (same transitions for all the bits of the window) A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 9/4 I n p u t s : x, d = (d m... d d ) Output : y = x d R i m while (i ) do 4 R R square 5 i f (d i = ) then 6 R R x multiply 7 e n d i f 8 i i 9 endwhile return R A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor /4 Attack: SPA Difference at each loop iteration: Square and multiply is Weak! d i = = square and multiply d i = = square only Trace example: Differences & External Signature An algorithm has a current signature and a time signature: r = c f o r i from to n do i f a i = then r = r + c e l s e r = r c T T + T I t A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor /4 I + I i a i t A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor /4

4 SPA Countermeasure: Square and multiply always I n p u t s : x, d = (d m... d d ) Output : y = x d R i m while (i ) do 4 R R square 5 R R x multiply 6 i f (d i = ) then 7 R R 8 e l s e 9 R R e n d i f i i endwhile return R This is the main operation for ECC ECC: Scalar Multiplication Inputs: P a point of the curve E, a large integer k = n i= k i i Output: the point Q = [k]p = P + P + P P }{{} k times Basic algorithm: double-and-add : Q P : for i from n- to do : Q P 4: if k i = then Q Q + P Same problem: weak for SPA! A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor /4 A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 4/4 Countermeasure: Key Recoding Recoding: w-naf (non-adjacent form) With n k = k i i, k i {, } i= use k with digits in windows of w bits Example: k i < w k = 67 = ( ) ( ) NAF ( ) NAF ( 5 ) 4 NAF ( ) 5 NAF Cost: n DBL and n w+ ADD Notation: d = d where d is a digit A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 5/4 Addition Chains (PhD thesis of Nicolas Méloni) In scalar multiplication [k]p, only use point additions on the curve robust against SPA ADD(P, P ) = (P + P, P ) with P and P already computed problem find a short chain Example: addition chains for k = Collaboration with UCC code and crypto group (6 8) A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 6/4

5 Signed-Digit Redundant Number Systems Avizienis 96: radix β representation replace the digit set {,,,..., β } by the digit set { α, α +,...,,..., α, α} with α β If α + > β some numbers have several possible representations Example: radix β =, digits from the set D = {9,...,,,,..., 9} Carry-Save Adder In carry-save, the number A is represented in radix using digits a i {,, } coded by bits such that a i = a i,c + a i,s where a i,c {, } and a i,s {, } n n A = a i i = (a i,c + a i,s ) i i= i= = () β,d a b a b a b a b = (9) β,d = (99) β,d = (8) β,d 4 = (89) β,d =... 4 In a redundant number system there is constant-time addition algorithm (without carry propagation) where all computations are done in parallel A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 7/4 s 4 s s s s Carry-save addition: delay of cells (T = ()) A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 8/4 Borrow-Save Addition In borrow-save, the number A is represented in radix using digits a i {,, } coded by bits such that a i = a + i a i where a + i {, } and a i {, } n n A = a i i = (a + i a i ) i i= i= a b a b a b a b a b a b a b a b 4 a + b + d c + s Cell Arithmetic equation: c + s = a + +b + d Logic equation: s = a + b + d c = a + b + + a + d + b + d a b d + a + b d s 4 s4 s s s s s s s s Borrow-save addition: delay of cells (T = ()) A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 9/4 c s c+ s A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor /4

6 Double-Base Number Systems (DBNS) (/) Redundant representation based the sum of powers of AND : x = n x i a i b i, with x i {, }, a i, b i i= Example: 7 = = = Source: L. Imbert Double-Base Number Systems (DBNS) (/) Smallest x > with n DBNS terms in its decomposition: n unsigned signed (4985) 5 8,4? 6,448,7 7,44,896,9 8? DBNS is a very sparse and redundant representation Example: 7 has 78 DBNS representations among which 6 are canonic: 7 = ( ) = ( ) = ( ) = ( ) = ( ) = ( ) A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor /4 A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor /4 Double-Base Number Systems (DBNS) (/) Application: ECC scalar multiplication 459 = [459]P = [ 4 9 ]P + [ 8 ]P P cost: DBL + TPL + ADD Protection at the Arithmetic Level Redundant number system = a way to improve the performance of some operations a way to represent a value with different representations k 459 = [459]P = ((( ([ 4 ]P P) P) P) P cost: 4 DBL + 9 TPL + 5 ADD R (k) R (k) R (k) R 4 (k)... Recoding rules: [R (k)]p [R (k)]p [R (k)]p [R 4 (k)]p... [k]p A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor /4 Proposed solution: use random redundant representations of k A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 4/4

7 countermeasures key recode Towards an ECC (co)processor COMM. CTRL AGU register file TRNG Circuits with On-Line Quality Evaluation Tested True Random Number Generator TRNG DAS Internal random bits Reconfigurable clock generator Embedded Statistical Tests AIS FIPS 4- FPGA Evaluation results Quality of a TRNG depends on: type of TRNG target circuit (FPGA, ASIC,... ) V dd, EMR, temp., attacks... data rate (Mbit/s) ±, on F q local register(s) CTRL ±, on F q local register(s) CTRL /x on F q local register(s) Functional units (FU): ±,, /x for F p and F m, key recoding Memory: register file + internal registers in the FUs Control: operations (E and F q levels) schedule, parameters management... A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 5/4 CTRL Objectives: TRNGs with embedded quality tests for security applications Comparison of various TRNGs TRNG Dichtl al. Find optimal data rate of a TRNG by and Success percentage (%) Run test AIS Data rates (Mb/s) ASIC: nm circuit HCMOS9GP (CMP) V : June 9 (% OK), V : Q FPGAs: Xilinx, Altera, Actel A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 6/4 x 6 Residue Number System (RNS) Base B = (m, m,..., m k ) of k relatively prime moduli Size of the base: k A = {a, a,..., a k }, i a i = A mod m i Operations: A ± B = ( a ± b m,..., a k ± b k mk ) A B = ( a b m,..., a k b k mk ) Residue Number System: Example (/) Base: B = (8, 7, 5, ) Dynamic range: M = = 84, i.e., A < M A std A RNS [,,, ] [,,, ] [,,, ] [,,, ] 4 [4, 4, 4, ] 5 [5, 5,, ] 6 [6, 6,, ] 7 [7,,, ] 8 [,,, ] A std A RNS 9 [,, 4, ] [,,, ] [, 4,, ] [4, 5,, ] [5, 6,, ] 4 [6,, 4, ] 5 [7,,, ] 6 [,,, ] 7 [,,, ] A std A RNS 8 [, 4,, ] 9 [, 5, 4, ] [4, 6,, ] [5,,, ] [6,,, ] [7,,, ] 4 [,, 4, ] 5 [, 4,, ] 6 [, 5,, ] A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 7/4 A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 8/4

8 Residue Number System: Example (/) Residue Number System: Conversions From standard to RNS: Operands: A = 6 = [6, 6,, ] and B = 6 = [,,, ] i a i = A mod m i Addition: (6 + ) mod 8 = 6 (6 + ) mod 7 = ( + ) mod 5 = ( + ) mod = Verification: = [6,,, ] Multiplication: (6 ) mod 8 = (6 ) mod 7 = 5 ( ) mod 5 = ( ) mod = Verification: 96 = [, 5,, ] From RNS to standard: Using a constructing proof of the Chinese Remainder Theorem (CRT) where A = k i= a i M i M i mi mod M M = k i= m i, A < M M i = M/m i M i mi is the inverse of M i modulo m i A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 9/4 A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor /4 Residue Number System: Summary Advantages: parallel addition/subtraction and multiplication no carry propagation (between the blocks) natural way to split large numbers = simple scheduling no order in the elements (RNS is not a positional number system) Disadvantages: difficult comparison (< and >) difficult division difficult sign test difficult magnitude computation Circuit-Level Representations of Digits Standard representation of a bit b: V DD = b =, GND = b = Dual-rail representation of a bit b: r = V DD r = GND = b = r = GND r = V DD = b = r Benefit: same number of transitions for and Cost: larger area and memory High-radix coding: radix 4 with digits in {,,,, } ± ± b r A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor /4 A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor /4

9 Conclusion attacks are more and more efficient security is mandatory at all levels (specification, algorithm, operation, implementation) security = tradeoff between performances and robustness security = computer science + microelectronics + mathematics Current research topics: redundant number systems non-positional number systems circuit reconfigurations (representations, algorithms) circuits with reduced activity variations links between scheduling and circuit activity design space exploration Contact: The end, some questions? mailto:arnaud.tisserand@irisa.fr CAIRN Group IRISA Laboratory, CNRS INRIA Univ. Rennes 6 rue Kérampont, BP 858, F-5 Lannion cedex, France Thank you A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor /4 A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor 4/4