Elliptic Curve Cryptography and Security of Embedded Devices

Size: px

Start display at page:

Download "Elliptic Curve Cryptography and Security of Embedded Devices"

Corey Simon
5 years ago
Views:

1 Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 1 / 64

2 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 2 / 64

3 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 2 / 64

4 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 2 / 64

5 RSA (Rivest-Shamir-Adleman) A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 3 / 64

6 RSA (Rivest-Shamir-Adleman) Key generation pick at random two primes p and q, and compute n = p q choose e and compute d such that: e d 1 mod (p 1)(q 1) Public key A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, = {n,e} Private key = {p,q,d} V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 3 / 64

7 RSA (Rivest-Shamir-Adleman) Encryption / Decryption To encrypt a message m: c = m e To decrypt c: m = c d mod n mod n V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 4 / 64

8 RSA (Rivest-Shamir-Adleman) Encryption / Decryption To encrypt a message m: c = m e To decrypt c: m = c d mod n mod n Security assumption Given = {n,e}, how to recover d = e 1 mod (p 1)(q 1)? Factorize n to recover p and q! V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 4 / 64

9 Elliptic Curve Cryptography Independently introduced by Koblitz and Miller in V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 5 / 64

10 Elliptic Curve Equation Let K be a field, and E /K an elliptic curve. Then the set of K-rational points E (K) P 2 (K) is an abelian group, with neutral element O. On a field K = F p, p > 3, it has an affine equation: y 2 = x 3 + ax + b V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 6 / 64

11 Elliptic Curve Group Law Let P 1 = (x 1,y 1 ) and P 2 = (x 2,y 2 ), P 1,P 2 O. P 3 = P 1 + P 2 is given by: { x3 = m 2 x 1 x 2 P1 P 2 y 3 = m (x 1 x 3 ) y 1 K = R V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 7 / 64

12 Elliptic Curve Group Law O Let P 1 = (x 1,y 1 ) and P 2 = (x 2,y 2 ), P 1,P 2 O. P 3 = P 1 + P 2 is given by: { x3 = m 2 x 1 x 2 y 3 = m (x 1 x 3 ) y 1 P 3 P 3 P1 P 2 m = y 2 y 1 x 2 x 1 if P 1 ±P 2 K = R V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 7 / 64

13 Elliptic Curve Group Law Let P 1 = (x 1,y 1 ) and P 2 = (x 2,y 2 ), P 1,P 2 O. P 3 = P 1 + P 2 is given by: { x3 = m 2 x 1 x 2 P 1 = P 2 y 3 = m (x 1 x 3 ) y 1 K = R V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 7 / 64

14 Elliptic Curve Group Law O Let P 1 = (x 1,y 1 ) and P 2 = (x 2,y 2 ), P 1,P 2 O. P 3 = P 1 + P 2 is given by: { x3 = m 2 x 1 x 2 y 3 = m (x 1 x 3 ) y 1 m = 3x a 2y 1 if P 1 = P 2 P 1 = P 2 P3 P 3 K = R V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 7 / 64

15 Scalar Multiplication Given a point P in E (K) and a positive integer d, we denote dp = P + P + + P. }{{} d times V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 8 / 64

16 Scalar Multiplication Given a point P in E (K) and a positive integer d, we denote dp = P + P + + P. }{{} d times Elliptic Curve Discrete Logarithm Problem (ECDLP) Given P in E (K) and dp, 1 d #E (K), find d? Much harder than or factoring (which can be solved in subexponential time). V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 8 / 64

17 Cryptosystems Comparison Estimated equivalent key lengths for ECC and RSA: Security level ECC RSA z Very interesting in embedded devices having limited resources. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 9 / 64

18 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 9 / 64

19 Embedded Devices Constraints Efficiency Most transactions have to take less than 500 ms Small amount of RAM Very low power (hence low frequency) for contactless devices V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 10 / 64

20 Embedded Devices Constraints Efficiency Most transactions have to take less than 500 ms Small amount of RAM Very low power (hence low frequency) for contactless devices Arithmetic optimizations Exponentiation / scalar multiplication Group operations and point representation Modular arithmetic V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 10 / 64

21 Expensive operations F p Operations Theoretical Cost Significant operations Negligible operations V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 11 / 64

22 Expensive operations Inversion (I) F p Operations Theoretical Cost Significant operations Negligible operations V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 11 / 64

23 Expensive operations Inversion (I) F p Operations Theoretical Cost Significant operations Multiplication (M) Squaring (S, S/M 0.8) Negligible operations V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 11 / 64

24 Expensive operations Inversion (I) F p Operations Theoretical Cost Significant operations Multiplication (M) Squaring (S, S/M 0.8) Negligible operations Addition (A) Subtraction (A) Negation (N) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 11 / 64

25 Expensive operations Inversion (I) F p Operations Theoretical Cost Significant operations Multiplication (M) Squaring (S, S/M 0.8) Negligible operations Addition (A) Subtraction (A) Negation (N) For ECC keylengths, A/M 0.2 and N/M 0.1 on most smart cards. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 11 / 64

26 Exponentiation Algorithms Square and multiply Left-to-right Right-to-left ( ( m d = m d 0 m d 1... ( m d ) 2 ) ) 2 2 l 1... m d = m d l 12 l 1 m d l 22 l 2... m d 0 Input: m,n,d N Output: m d mod n a 1 for i = l 1 to 0 do a a 2 mod n if d i = 1 then a a m mod n return a Input: m,n,d N Output: m d mod n a 1 ; b m for i = 0 to l 1 do if d i = 1 then a a b mod n b b 2 mod n return a V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 12 / 64

27 Scalar Multiplication Algorithms Double and add Left-to-right dp = d 0 P + 2(d 1 P + 2( (d l 1 P)...)) Input: P E (K),d N Output: dp R O for i = l 1 to 0 do R 2R if d i = 1 then R R + P return R Right-to-left dp = d l 1 2 l 1 P + d l 2 2 l 2 P d 0 P Input: P E (K),d N Output: dp R O ; Q P for i = 0 to l 1 do if d i = 1 then R R + Q Q 2Q return R V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 13 / 64

28 Refined Algorithms Non-Adjacent Form (NAF) Signed representation minimizing the number of non-zero digits (1/3 vs 1/2). Hence minimize the number of additions. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 14 / 64

29 Refined Algorithms Non-Adjacent Form (NAF) Signed representation minimizing the number of non-zero digits (1/3 vs 1/2). Hence minimize the number of additions. Sliding window algorithms Precompute 3P,5P,... to process several scalar bits at a time. Can be combined with the NAF method. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 14 / 64

30 Refined Algorithms Non-Adjacent Form (NAF) Signed representation minimizing the number of non-zero digits (1/3 vs 1/2). Hence minimize the number of additions. Sliding window algorithms Precompute 3P,5P,... to process several scalar bits at a time. Can be combined with the NAF method. Co-Z Addition Euclidean Addition Chains [Meloni, WAIFI 2007] Co-Z binary ladder [Goundar, Joye & Miyaji, CHES 2010] V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 14 / 64

31 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 14 / 64

32 Side-Channel Analysis Framework Secret key Inputs Cryptographic operation Outputs

33 Side-Channel Analysis Framework Secret key Inputs Cryptographic operation leakages Device Outputs

34 Side-Channel Analysis Framework Secret key Inputs Cryptographic operation Device leakages Measurements Outputs

35 Side-Channel Analysis Framework Secret key Inputs Cryptographic operation Device leakages Measurements Model & assumptions Outputs

36 Side-Channel Analysis Framework Secret key Inputs Cryptographic operation Device leakages Measurements Model & assumptions Outputs Information on secret key V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 15 / 64

37 Simple Side-Channel Analysis (SSCA) Left-to-right square & multiply Side-channel leakage: power, EM, etc. The whole exponent may be recovered using a single trace. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 16 / 64

38 Regular Exponentiation Left-to-right algorithms Square & multiply:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 17 / 64

39 Regular Exponentiation Left-to-right algorithms Square & multiply:... Square & multiply always:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 17 / 64

40 Regular Exponentiation Left-to-right algorithms Square & multiply:... Square & multiply always:... Montgomery ladder:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 17 / 64

41 Regular Exponentiation Algorithms Left-to-right Montgomery ladder Input: m,n,d N Output: m d mod n 1: R 0 1 2: R 1 m 3: for i = l 1 to 0 do 4: R 1 di R 0 R 1 mod n 5: R di R di 2 mod n 6: return R 0 Right-to-left Joye ladder Input: m,n,d N Output: m d mod n 1: R 0 1 2: R 1 m 3: for i = 0 to l 1 do 4: R 1 di R 1 di 2 mod n 5: R 1 di R 1 di R di mod n 6: return R 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 18 / 64

42 Regular Scalar Multiplication Left-to-right algorithms Double & add:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 19 / 64

43 Regular Scalar Multiplication Left-to-right algorithms Double & add:... Double & add always:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 19 / 64

44 Regular Scalar Multiplication Left-to-right algorithms Double & add:... Double & add always:... Montgomery ladders:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 19 / 64

45 Regular Scalar Multiplication Algorithms Left-to-right Montgomery ladder Input: P E (K),d N Output: dp 1: R 0 O 2: R 1 P 3: for i = l 1 to 0 do 4: R 1 di R 0 + R 1 5: R di 2R di 6: return R 0 Right-to-left Joye ladder Input: P E (K),d N Output: dp 1: R 0 O 2: R 1 P 3: for i = 0 to l 1 do 4: R 1 di 2R 1 di 5: R 1 di R 1 di + R di 6: return R 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 20 / 64

46 Regular Atomic Exponentiation Square & multiply:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 21 / 64

47 Regular Atomic Exponentiation Square & multiply:... Atomic multiply always:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 21 / 64

48 Regular Atomic Scalar Multiplication Double & add:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 22 / 64

49 Regular Atomic Scalar Multiplication Double & add:... Atomic add always (with a unified group addition):... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 22 / 64

50 Regular Atomic Scalar Multiplication Double & add:... Atomic add always (with a unified group addition):... Atomic scalar multiplication using a smaller pattern:... Dbl. Dbl. Add. Dbl. Add.... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 22 / 64

51 Leakage on Manipulated Data V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 23 / 64

52 Leakage on Manipulated Data Noise is generally too high to exploit this leakage directly V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 23 / 64

53 Leakage on Manipulated Data Noise is generally too high to exploit this leakage directly z Many acquisitions are used to reduce noise influence V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 23 / 64

54 Differential Analysis Principle Measure N times a side-channel leakage with different data involved and consider the traces T 1,T 2,...,T n. T 1 T 2. t t t + ω t + ω T N t t + ω V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 24 / 64

55 Differential Analysis Principle Measure N times a side-channel leakage with different data involved and consider the traces T 1,T 2,...,T n. T 1 align vertically the traces on the targeted operation using signal processing tools T 2. t t t + ω t + ω T N t t + ω V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 24 / 64

56 Differential Analysis Principle Measure N times a side-channel leakage with different data involved and consider the traces T 1,T 2,...,T n. T 1 align vertically the traces on the targeted operation using signal processing tools perform statistical treatment between traces, known inputs or outputs and a guess on a few key bits T 2. T N t t t t + ω t + ω t + ω V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 24 / 64

57 Differential Analysis Principle Measure N times a side-channel leakage with different data involved and consider the traces T 1,T 2,...,T n. T 1 align vertically the traces on the targeted operation using signal processing tools perform statistical treatment between traces, known inputs or outputs and a guess on a few key bits T 2. T N t t t t + ω t + ω t + ω z Validate the guess or not V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 24 / 64

58 Differential Side-Channel Analysis Original method introduced in [Kocher, Jaffe & Jun, CRYPTO 99] Hamming weight leakage model Difference of means as a distinguisher V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 25 / 64

59 Differential Side-Channel Analysis Original method introduced in [Kocher, Jaffe & Jun, CRYPTO 99] Hamming weight leakage model Difference of means as a distinguisher Correlation analysis introduced in [Brier, Clavier & Olivier, CHES 2004] Hamming weight/distance leakage model Pearson correlation factor as a distinguisher V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 25 / 64

60 Countermeasures for RSA Exponentiation Exponent blinding d = d + r(p 1)(q 1) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 26 / 64

61 Countermeasures for RSA Exponentiation Exponent blinding d = d + r(p 1)(q 1) Message/ciphertext additive blinding m = m + rn mod cn, r < c V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 26 / 64

62 Countermeasures for RSA Exponentiation Exponent blinding d = d + r(p 1)(q 1) Message/ciphertext additive blinding m = m + rn mod cn, r < c Message/ciphertext multiplicative blinding m = r e m mod n, result recovered as r 1 (m ) d mod n V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 26 / 64

63 Countermeasures for Scalar Multiplication From [Coron, CHES 99]: Scalar blinding d = d + r#e (F p ) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 27 / 64

64 Countermeasures for Scalar Multiplication From [Coron, CHES 99]: Scalar blinding d = d + r#e (F p ) Base point projective coordinates blinding (r 2 X : r 3 Y : rz ) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 27 / 64

65 Countermeasures for Scalar Multiplication From [Coron, CHES 99]: Scalar blinding d = d + r#e (F p ) Base point projective coordinates blinding (r 2 X : r 3 Y : rz ) Input point blinding Q = d(p + R), result recovered as Q S with S = dr V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 27 / 64

66 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 27 / 64

67 Our Contribution New atomic pattern for right-to-left scalar multiplication implementation Fastest implementation for standard curves considering addition cost A/M 0.1 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 28 / 64

68 Our Contribution New atomic pattern for right-to-left scalar multiplication implementation Fastest implementation for standard curves considering addition cost A/M 0.1 Theoretical comparison (S/M = 0.8, A/M = 0.2) Previous right-to-left NAF atomic scalar multiplication: - 20 % (M/bit) Best previous scalar multiplication (Co-Z Montgomery ladder (X : Z )-only): % (M/bit) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 28 / 64

69 Atomic Right-to-Left Scalar Multiplication Mixed coordinates Multiplication Addition Negation Addition Operations expression using the atomic pattern Addition : [11M+5S] Doubling : [3M+5S] V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 29 / 64

70 Atomic Right-to-Left Scalar Multiplication Mixed coordinates Multiplication Addition Negation Addition Squaring Addition Negation Addition Operations expression using the atomic pattern Addition : [11M+5S] Doubling : [3M+5S] V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 29 / 64

71 Atomic Right-to-Left Scalar Multiplication Mixed coordinates Multiplication Addition Negation Addition Squaring Addition Negation Addition Operations expression using the atomic pattern Addition : [11M+5S] Doubling : [3M+5S] V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 29 / 64

72 Atomic Right-to-Left Scalar Multiplication Mixed coordinates Multiplication Addition Negation Addition Squaring Addition Negation Addition Operations expression using the atomic pattern Addition : [11M+5S] Doubling : [3M+5S] Extended pattern : V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 29 / 64

73 Atomic Right-to-Left Scalar Multiplication Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 30 / 64

74 Atomic Right-to-Left Scalar Multiplication Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. Add. 1 Add. 2 R 1 Z 2 2 R 6 R 2 4 R 2 X 1 R 1 R 5 Z 1 Z 2 R 1 R 1 Z 2 Z 3 R 5 R 4 R 3 Y 1 R 1 R 2 R 2 R 6 R 1 R 1 R 1 Z 2 1 R 5 R 2 1 R 3 R 3 R 4 R 1 X 2 R 4 R 4 R 6 R R 4 R 6 R 5 + R 4 4 R R 4 R 2 + R 2 R 2 4 R R 1 Z 1 R 6 R 6 + R 2 1 R 3 R 3 R 4 X 3 R 2 + R 6 R R 1 R 1 Y 2 X 3 + R 2 2 R 1 R 1 R 2 Y R 1 R 3 R 3 + R 1 1 R 1 R 3 + R 1 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 30 / 64

75 Atomic Right-to-Left Scalar Multiplication Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. Add. 1 Add. 2 Dbl. R 1 Z 2 2 R 6 R 2 4 R 2 X 1 R 1 R 5 Z 1 Z 2 R 1 R 1 Z 2 Z 3 R 5 R 4 R 3 Y 1 R 1 R 2 R 2 R 6 R 1 R 1 R 1 Z 2 1 R 5 R 2 1 R 3 R 3 R 4 R 1 X 2 R 4 R 4 R 6 R R 4 R 6 R 5 + R 4 4 R R 4 R 2 + R 2 R 2 4 R R 1 Z 1 R 6 R 6 + R 2 1 R 3 R 3 R 4 X 3 R 2 + R 6 R R 1 R 1 Y 2 X 3 + R 2 2 R 1 R 1 R 2 Y R 1 R 3 R 3 + R 1 1 R 1 R 3 + R 1 R 1 X 1 2 R 2 Y 1 + Y 1 Z 2 R 2 Z 1 R 4 R 1 + R 1 R 3 R 2 Y 1 R 6 R 3 + R 3 R 2 R 6 R 3 R 1 R 4 + R 1 R 1 R 1 + W 1 R 3 R 1 2 R 4 R 6 X 1 R 5 W 1 + W 1 R 4 R 4 R 3 R 3 + R 4 W 2 R 2 R 5 X 2 R 3 + R 4 R 2 R 2 R 6 R 4 + X 2 R 4 R 6 R 1 R 4 R 4 Y 2 R 4 + R 2 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 30 / 64

76 Atomic Right-to-Left Scalar Multiplication Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. Add. 1 Add. 2 Dbl. R 1 Z 2 2 R 6 R 2 4 R 2 X 1 R 1 R 5 Z 1 Z 2 R 1 R 1 Z 2 Z 3 R 5 R 4 R 3 Y 1 R 1 R 2 R 2 R 6 R 1 R 1 R 1 Z 2 1 R 5 R 2 1 R 3 R 3 R 4 R 1 X 2 R 4 R 4 R 6 R R 4 R 6 R 5 + R 4 4 R R 4 R 2 + R 2 R 2 4 R R 1 Z 1 R 6 R 6 + R 2 1 R 3 R 3 R 4 X 3 R 2 + R 6 R R 1 R 1 Y 2 X 3 + R 2 2 R 1 R 1 R 2 Y R 1 R 3 R 3 + R 1 1 R 1 R 3 + R 1 R 1 X 1 2 R 2 Y 1 + Y 1 Z 2 R 2 Z 1 R 4 R 1 + R 1 R 3 R 2 Y 1 R 6 R 3 + R 3 R 2 R 6 R 3 R 1 R 4 + R 1 R 1 R 1 + W 1 R 3 R 1 2 R 4 R 6 X 1 R 5 W 1 + W 1 R 4 R 4 R 3 R 3 + R 4 W 2 R 2 R 5 X 2 R 3 + R 4 R 2 R 2 R 6 R 4 + X 2 R 4 R 6 R 1 R 4 R 4 Y 2 R 4 + R 2 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 30 / 64

77 Atomic Right-to-Left Scalar Multiplication Sq. Mult. Mult. Mult. Neg. Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. Add. 1 Add. 2 Dbl. R 1 Z 2 2 R 6 R 2 4 R 1 X 2 1 R 2 Y 1 + Y 1 R 2 X 1 R 1 R 1 R 1 Z 2 R 3 Y 1 R 1 R 1 Z 1 2 R 4 R 1 X 2 R 4 R 4 R 4 R 2 + R 4 R 1 Z 1 R 1 R 1 R 1 Y 2 R 1 R 1 R 1 R 3 + R 1 R 5 Z 1 Z 2 Z 3 R 5 R 4 R 2 R 2 R 6 R 1 R 1 R 5 R 2 1 R 3 R 3 R 4 R 4 R 6 R 6 R 5 + R 4 R 2 R 2 R 6 R 6 + R 2 R 3 R 3 R 4 X 3 R 2 + R 6 R 2 X 3 + R 2 R 1 R 1 R 2 Y 3 R 3 + R 1 Z 2 R 2 Z 1 R 4 R 1 + R 1 R 3 R 2 Y 1 R 6 R 3 + R 3 R 2 R 6 R 3 R 1 R 4 + R 1 R 1 R 1 + W 1 R 3 R 1 2 R 4 R 6 X 1 R 5 W 1 + W 1 R 4 R 4 R 3 R 3 + R 4 W 2 R 2 R 5 X 2 R 3 + R 4 R 2 R 2 R 6 R 4 + X 2 R 4 R 6 R 1 R 4 R 4 Y 2 R 4 + R 2 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 30 / 64

78 Atomic Right-to-Left Scalar Multiplication Sq. Add. Mult. Add. Mult. Add. Mult. Add. Add. Sq. Mult. Add. Sub. Mult. Sub. Sub. Mult. Sub. Add. 1 Add. 2 Dbl. R 1 Z 2 2 R 2 Y 1 Z 2 R 5 Y 2 Z 1 R 3 R 1 R 2 R 4 Z 2 1 R 2 R 5 R 4 R 2 R 2 R 3 R 5 R 1 X 1 R 6 X 2 R 4 R 6 R 6 R 5 R 1 R 6 2 R 4 R 5 R 1 R 5 R 1 R 6 R 1 Z 1 R 6 R 6 R 2 2 Z 3 R 1 Z 2 R 1 R 4 + R 4 R 6 R 6 R 1 R 1 R 5 R 3 X 3 R 6 R 5 R 4 R 4 X 3 R 3 R 4 R 2 Y 3 R 3 R 1 R 1 X 1 2 R 2 Y 1 + Y 1 Z 2 R 2 Z 1 R 4 R 1 + R 1 R 3 R 2 Y 1 R 6 R 3 + R 3 R 2 R 6 R 3 R 1 R 4 + R 1 R 1 R 1 + W 1 R 3 R 1 2 R 4 R 6 X 1 R 5 W 1 + W 1 R 3 R 3 R 4 W 2 R 2 R 5 X 2 R 3 R 4 R 6 R 4 X 2 R 4 R 6 R 1 Y 2 R 4 R 2 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 31 / 64

79 Atomic Right-to-Left Scalar Multiplication Sq. Add. Mult. Add. Mult. Add. Mult. Add. Add. Sq. Mult. Add. Sub. Mult. Sub. Sub. Mult. Sub. Add. 1 Add. 2 Dbl. R 1 Z 2 2 R 2 Y 1 Z 2 R 5 Y 2 Z 1 R 3 R 1 R 2 R 4 Z 2 1 R 2 R 5 R 4 R 2 R 2 R 3 R 5 R 1 X 1 R 6 X 2 R 4 R 6 R 6 R 5 R 1 R 6 2 R 4 R 5 R 1 R 5 R 1 R 6 R 1 Z 1 R 6 R 6 R 2 2 Z 3 R 1 Z 2 R 1 R 4 + R 4 R 6 R 6 R 1 R 1 R 5 R 3 X 3 R 6 R 5 R 4 R 4 X 3 R 3 R 4 R 2 Y 3 R 3 R 1 R 1 X 1 2 R 2 Y 1 + Y 1 Z 2 R 2 Z 1 R 4 R 1 + R 1 R 3 R 2 Y 1 R 6 R 3 + R 3 R 2 R 6 R 3 R 1 R 4 + R 1 R 1 R 1 + W 1 R 3 R 1 2 R 4 R 6 X 1 R 5 W 1 + W 1 R 3 R 3 R 4 W 2 R 2 R 5 X 2 R 3 R 4 R 6 R 4 X 2 R 4 R 6 R 1 Y 2 R 4 R 2 8 multiplications 6 multiplications + 2 squarings V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 31 / 64

80 Atomic Right-to-Left Scalar Multiplication Sq. Add. Mult. Add. Mult. Add. Mult. Add. Add. Sq. Mult. Add. Sub. Mult. Sub. Sub. Mult. Sub. Add. 1 Add. 2 Dbl. R 1 Z 2 2 R 2 Y 1 Z 2 R 5 Y 2 Z 1 R 3 R 1 R 2 R 4 Z 2 1 R 2 R 5 R 4 R 2 R 2 R 3 R 5 R 1 X 1 R 6 X 2 R 4 R 6 R 6 R 5 R 1 R 6 2 R 4 R 5 R 1 R 5 R 1 R 6 R 1 Z 1 R 6 R 6 R 2 2 Z 3 R 1 Z 2 R 1 R 4 + R 4 R 6 R 6 R 1 R 1 R 5 R 3 X 3 R 6 R 5 R 4 R 4 X 3 R 3 R 4 R 2 Y 3 R 3 R 1 R 1 X 1 2 R 2 Y 1 + Y 1 Z 2 R 2 Z 1 R 4 R 1 + R 1 R 3 R 2 Y 1 R 6 R 3 + R 3 R 2 R 6 R 3 R 1 R 4 + R 1 R 1 R 1 + W 1 R 3 R 1 2 R 4 R 6 X 1 R 5 W 1 + W 1 R 3 R 3 R 4 W 2 R 2 R 5 X 2 R 3 R 4 R 6 R 4 X 2 R 4 R 6 R 1 Y 2 R 4 R 2 8 multiplications 6 multiplications + 2 squarings 16 additions 6 additions + 4 subtractions V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 31 / 64

81 Atomic Right-to-Left Scalar Multiplication Sq. Add. Mult. Add. Mult. Add. Mult. Add. Add. Sq. Mult. Add. Sub. Mult. Sub. Sub. Mult. Sub. Add. 1 Add. 2 Dbl. R 1 Z 2 2 R 2 Y 1 Z 2 R 5 Y 2 Z 1 R 3 R 1 R 2 R 4 Z 2 1 R 2 R 5 R 4 R 2 R 2 R 3 R 5 R 1 X 1 R 6 X 2 R 4 R 6 R 6 R 5 R 1 R 6 2 R 4 R 5 R 1 R 5 R 1 R 6 R 1 Z 1 R 6 R 6 R 2 2 Z 3 R 1 Z 2 R 1 R 4 + R 4 R 6 R 6 R 1 R 1 R 5 R 3 X 3 R 6 R 5 R 4 R 4 X 3 R 3 R 4 R 2 Y 3 R 3 R 1 R 1 X 1 2 R 2 Y 1 + Y 1 Z 2 R 2 Z 1 R 4 R 1 + R 1 R 3 R 2 Y 1 R 6 R 3 + R 3 R 2 R 6 R 3 R 1 R 4 + R 1 R 1 R 1 + W 1 R 3 R 1 2 R 4 R 6 X 1 R 5 W 1 + W 1 R 3 R 3 R 4 W 2 R 2 R 5 X 2 R 3 R 4 R 6 R 4 X 2 R 4 R 6 R 1 Y 2 R 4 R 2 8 multiplications 6 multiplications + 2 squarings 16 additions 6 additions + 4 subtractions 8 negations 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 31 / 64

Implementation 192 bits ECDSA @ 30 MHz (CPU) & 50 MHz (CC) Original : 35 ms, Improved : 30 ms (- 14.

82 Implementation 192 bits 30 MHz (CPU) & 50 MHz (CC) Original : 35 ms, Improved : 30 ms ( %) Comparable RAM ( 500 Bytes) and Code size ( 3 KB) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 32 / 64

83 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 32 / 64

84 Our Contribution New atomic algorithms using squarings only Immune to attacks distinguishing squarings from multiplications Better efficiency than regular ladders Exponentiation algorithms for parallelized squarings with best performances to our knowledge V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 33 / 64

85 Exponentiation Cost Summary Algorithm Cost / bit S/M = 1 S/M =.8 # reg Square & multiply 1,2,3 0.5M + 1S 1.5M 1.3M 2 Multiply always 2,3 1.5M 1.5M 1.5M 2 Regular ladders 1M + 1S 2M 1.8M 2 1 algorithm unprotected towards the SPA 2 algorithm sensitive to S M discrimination 3 possible sliding window optimization V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 34 / 64

86 Replacing Multiplications by Squarings x y = (x + y)2 x 2 y 2 (1) 2 ( ) x + y 2 ( ) x y 2 x y = (2) 2 2 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 35 / 64

87 Regular Atomic Exponentiation Square & multiply:... Atomic Multiply always:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 36 / 64

88 Regular Atomic Exponentiation Square & multiply:... Atomic Multiply always:... Atomic Square always:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 36 / 64

89 Atomic Left-to-Right Algorithm Input: m,n,d N Output: m d mod n 1: R 0 1 ; R 1 m ; R 2 1 2: R 3 m 2 /2 mod n 3: j 0 ; i k 1 4: while i 0 do 5: R Mj,0 R Mj,1 + R Mj,2 mod n 6: R Mj,3 R 2 Mj,3 mod n 7: R Mj,4 R Mj,5 /2 mod n 8: R Mj,6 R Mj,7 R Mj,8 mod n 9: j d i (1 + (j mod 3)) 10: i i M j,9 0 bit j = 0 1 bit j = 1 0 bit 1 bit j = 3 j = 2 11: return R M = V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 37 / 64

90 Atomic Right-to-Left Algorithm Input: m,n,d N Output: m d mod n 1: R 0 m ; R 1 1 ; R 2 1 2: i 0 ; j 0 3: while i k 1 do 4: j d i (1 + (j mod 3)) 5: R Mj,0 R Mj,1 + R 0 mod n 6: R Mj,2 R Mj,3 /2 mod n 7: R Mj,4 R Mj,5 R Mj,6 mod n 8: R Mj,3 R 2 Mj,3 mod n 9: i i + M j,7 0 bit j = 0 1 bit j = 1 0 bit 1 bit j = 3 j = 2 10: return R M = V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 38 / 64

91 Cost Comparison Algorithm Cost / bit S/M = 1 S/M =.8 # reg Square & multiply 1,2,3 0.5M + 1S 1.5M 1.3M 2 Multiply always 2,3 1.5M 1.5M 1.5M 2 Regular ladder 1M + 1S 2M 1.8M 2 L.-to-r. square always 3 2S 2M 1.6M 4 R.-to-l. square always 3 2S 2M 1.6M 3 11 % speed-up over Montgomery ladder 1 algorithm unprotected towards the SPA 2 algorithm sensitive to S M discrimination 3 possible sliding window optimization V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 39 / 64

92 Implementation AT90SC 30MHz with AdvX arithmetic coprocessor: Algorithm Key len. (b) Code (B) RAM (B) Timing (ms) Mont. ladder Square Always % practical speed-up obtained in practice V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 40 / 64

93 Parallelization Motivation: Many devices are equipped with multi-core processors Parallelized Montgomery ladder : 1M / bit Squarings are independent in equations (1) and (2) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 41 / 64

94 Parallelization Motivation: Many devices are equipped with multi-core processors Parallelized Montgomery ladder : 1M / bit Squarings are independent in equations (1) and (2) We study how to optimize square always algorithms if two parallel squarings are available using space/time trade-offs. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 41 / 64

95 Cost Summary We demonstrate that the cost of our parallelized algorithm using λ extra registers tends to: ( ) S 4λ + 2 Algorithm General cost S/M = 1 S/M = 0.8 Parallel Montgomery ladder 1M 1M 1M Parallel square always λ = 1 7S/6 1.17M 0.93M Parallel square always λ = 2 11S/ M 0.88M Parallel square always λ = 3 15S/ M 0.86M.... Parallel square always λ 1S 1M 0.8M V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 42 / 64

96 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 42 / 64

97 Our Contribution New differential analysis on exponentiation using a single trace Any exponentiation algorithm can be subject to this attack Circumvent the exponent blinding countermeasure Require the knowledge of underlying modular multiplication implementation V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 43 / 64

98 Modular Multiplication Implementation Schoolbook long-integer multiplication x y in base b with x,y < b k Input: x = (x k 1 x k 2...x 0 ) b, y = (y k 1 y k 2...y 0 ) b Output: x y Uses: w = (w 2k 1 w 2k 2...w 0 ) 1: w (00...0) 2: for i = 0 to k 1 do 3: c 0 4: for j = 0 to k 1 do 5: (uv) b w i+j + x i y j + c 6: w i+j v 7: c u 8: w i+k c 9: return w V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 44 / 64

99 Modular Multiplication Implementation Rows and columns x k 1... x 2 x 1 x 0 y k 1... y 2 y 1 y 0 + x 0 y k 1... x 0 y 2 x 0 y 1 x 0 y 0 + x 1 y k 1 x 1 y k 2... x 1 y 1 x 1 y 0 + x 2 y k 1 x 2 y k 2 x 2 y k 3... x 2 y x k 2 y k 1... x k 2 y 2 x k 2 y 1 x k 2 y 0 + x k 1 y k 1 x k 1 y k 2... x k 1 y 1 x k 1 y 0 w 2k 1 w 2k 2 w 2k 3... w 2 w 1 w 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 45 / 64

100 Horizontal Correlation Analysis Vertical: Horizontal: Uses N segments from different traces. Uses k 2 segments from a single trace. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 46 / 64

101 Horizontal Side-Channel Analysis T 1 T 2 T 3 T s T s+1 T s+2 T T s 0,0 T s 0,2 T s 1,0 T s 1,2 T s 1,k 1 T s k 1,0 T s k 1,2 T s k 1,k We target single-multiplication segments T s i,j of the s-th modular multiplication inside a single leakage trace T. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 47 / 64

102 Horizontal Correlation Analysis Considering an atomic multiply-always implementation: Input: m,n,d N Output: m d mod n 1: R 0 1 2: R 1 m 3: i l 1 4: t 0 5: while i 0 do 6: R 0 R 0 R t mod n 7: t t d i 8: i i 1 + t 9: return R 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 48 / 64

103 Horizontal Correlation Analysis Considering an atomic multiply-always implementation: Input: m,n,d N Output: m d mod n 1: R 0 1 2: R 1 m 3: i l 1 4: t 0 5: while i 0 do 6: R 0 R 0 R t mod n 7: t t d i 8: i i 1 + t Execute a single RSA signature m d mod n and collect the execution power trace T. 9: return R 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 48 / 64

104 Horizontal Correlation Analysis Considering an atomic multiply-always implementation: Input: m,n,d N Output: m d mod n 1: R 0 1 2: R 1 m 3: i l 1 4: t 0 5: while i 0 do 6: R 0 R 0 R t mod n 7: t t d i 8: i i 1 + t Execute a single RSA signature m d mod n and collect the execution power trace T. Assuming u most significant bits of d are known by the attacker: d = (d l 1...d l u d l (u+1)...d 1 d 0 ) 9: return R 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 48 / 64

105 Horizontal Correlation Analysis Considering an atomic multiply-always implementation: Input: m,n,d N Output: m d mod n 1: R 0 1 2: R 1 m 3: i l 1 4: t 0 5: while i 0 do 6: R 0 R 0 R t mod n 7: t t d i 8: i i 1 + t 9: return R 0 Execute a single RSA signature m d mod n and collect the execution power trace T. Assuming u most significant bits of d are known by the attacker: d = (d l 1...d l u d l (u+1)...d 1 d 0 ) Let R (u) 0 denote the value of R 0 after processing the u-th bit of d: R (u) 0 = m d l 1...d l u mod n V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 48 / 64

106 Horizontal Correlation Analysis Let v = u + HW(d l 1...d l u ) i.e. u-th bit multiplication T v T v+1 T v+2 d l u 1 = 1 R (u) 0 d l u 1 = 0 R (u) 0 R (u) 0 R (u) 0 R (u) 0 d l u 2 = 0,1 (u) 2 R 0 m R (u) 0 2 (u) 2 R 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 49 / 64

107 Horizontal Correlation Analysis Let v = u + HW(d l 1...d l u ) i.e. u-th bit multiplication T v T v+1 T v+2 d l u 1 = 1 R (u) 0 d l u 1 = 0 R (u) 0 R (u) 0 R (u) 0 R (u) 0 d l u 2 = 0,1 (u) 2 R 0 m R (u) 0 2 (u) 2 R 0 Compute correlation between: trace segments T v+2 i,j and values D j = m j or trace segments T v+2 i,j and values D i,j = R (u) 0,i m j V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 49 / 64

108 Horizontal Correlation Analysis Let v = u + HW(d l 1...d l u ) i.e. u-th bit multiplication T v T v+1 T v+2 d l u 1 = 1 R (u) 0 d l u 1 = 0 R (u) 0 R (u) 0 R (u) 0 R (u) 0 d l u 2 = 0,1 (u) 2 R 0 m R (u) 0 2 (u) 2 R 0 Compute correlation between: trace segments T v+2 i,j and values D j = m j or trace segments T v+2 i,j and values D i,j = R (u) 0,i m j If correlation peak: d l (u+1) = 1, or d l (u+1) = 0 otherwise. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 49 / 64

= m j segments T v+2 i,j with D i,j = R (u) 0,i m j V.

109 Experimental Results Correlation trace result on series of Correlation trace result on series of traces T v+2 i,j with D j = m j segments T v+2 i,j with D i,j = R (u) 0,i m j V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 50 / 64

110 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 50 / 64

111 Our Contribution New countermeasure against differential analysis for RSA and ECC Designed to protect from horizontal analysis Implemented at the multi-precision multiplication level V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 51 / 64

112 Long-Integer Multiplication Shuffling rows and blinding columns Let us shuffle the rows of the multiplication: x k 1... x 2 x 1 x 0 y k 1... y 2 y 1 y 0 + x 0 y k 1... x 0 y 2 x 0 y 1 x 0 y 0 + x 1 y k 1 x 1 y k 2... x 1 y 1 x 1 y 0 + x 2 y k 1 x 2 y k 2 x 2 y k 3... x 2 y x k 2 y k 1... x k 2 y 2 x k 2 y 1 x k 2 y 0 + x k 1 y k 1 x k 1 y k 2... x k 1 y 1 x k 1 y 0 w 2k 1 w 2k 2 w 2k 3... w 2 w 1 w 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 52 / 64

113 Long-Integer Multiplication Shuffling rows and blinding columns Choose at random a permutation α of (0,1,...,k 1) and compute: (c,w α(i)+j ) b = w α(i)+j + x α(i) y j + c x k 1... x 2 x 1 x 0 y k 1... y 2 y 1 y 0 + x k 2 y k 1... x k 2 y 2 x k 2 y 1 x k 2 y 0 + x 0 y k 1... x 0 y 2 x 0 y 1 x 0 y 0 + x 2 y k 1 x 2 y k 2 x 2 y k 3... x 2 y x k 1 y k 1 x k 1 y k 2... x k 1 y 1 x k 1 y 0 + x 1 y k 1 x 1 y k 2... x 1 y 1 x 1 y 0 w 2k 1 w 2k 2 w 2k 3... w 2 w 1 w 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 52 / 64

114 Long-Integer Multiplication Shuffling rows and blinding columns Choose at random a permutation α of (0,1,...,k 1) and compute: (c,w α(i)+j ) b = w α(i)+j + x α(i) y j + c Still necessary to blind columns: For each row α(i), choose at random a word r, compute and store r x α(i), blind each single-precision multiplication: (c,w α(i)+j ) b = w α(i)+j + x α(i) (y j r) + r x α(i) + c V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 52 / 64

115 Long-Integer Multiplication Shuffling rows and blinding columns Choose at random a permutation α of (0,1,...,k 1) and compute: (c,w α(i)+j ) b = w α(i)+j + x α(i) y j + c Still necessary to blind columns: For each row α(i), choose at random a word r, compute and store r x α(i), blind each single-precision multiplication: (c,w α(i)+j ) b = w α(i)+j + x α(i) (y j r) + r x α(i) + c z Provides k! different sequences of single-precision multiplications. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 52 / 64

116 Long-Integer Multiplication Shuffling rows and blinding columns Choose at random a permutation α of (0,1,...,k 1) and compute: Still necessary to blind columns: (c,w α(i)+j ) b = w α(i)+j + x α(i) y j + c For each row α(i), choose at random a word r, compute and store r x α(i), blind each single-precision multiplication: (c,w α(i)+j ) b = w α(i)+j + x α(i) (y j r) + r x α(i) + c z Provides k! different sequences of single-precision multiplications. z Requires k extra multiplications and 3 extra words of storage. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 52 / 64

117 Long-Integer Multiplication Shuffling rows and blinding columns Choose at random a permutation α of (0,1,...,k 1) and compute: Still necessary to blind columns: (c,w α(i)+j ) b = w α(i)+j + x α(i) y j + c For each row α(i), choose at random a word r, compute and store r x α(i), blind each single-precision multiplication: (c,w α(i)+j ) b = w α(i)+j + x α(i) (y j r) + r x α(i) + c z Provides k! different sequences of single-precision multiplications. z Requires k extra multiplications and 3 extra words of storage. z Saves k + 1 multiplications and 4k 1 words of storage compared to the full blinding countermeasure. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 52 / 64

118 Long-Integer Multiplication Shuffling rows and columns Let us now shuffle the rows and the columns of the multiplication: V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 53 / 64

119 Long-Integer Multiplication Shuffling rows and columns Let us now shuffle the rows and the columns of the multiplication: Choose at random two permutations α,β of (0,1,...,k 1) and compute: (c β(j),w α(i)+β(j) ) b = w α(i)+β(j) + x α(i) y β(j) Carry propagation is more complicated and requires a k-word array c. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 53 / 64

120 Long-Integer Multiplication Shuffling rows and columns Let us now shuffle the rows and the columns of the multiplication: Choose at random two permutations α,β of (0,1,...,k 1) and compute: (c β(j),w α(i)+β(j) ) b = w α(i)+β(j) + x α(i) y β(j) Carry propagation is more complicated and requires a k-word array c. z Provides (k!) 2 different sequences of single-precision multiplications. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 53 / 64

121 Long-Integer Multiplication Shuffling rows and columns Let us now shuffle the rows and the columns of the multiplication: Choose at random two permutations α,β of (0,1,...,k 1) and compute: (c β(j),w α(i)+β(j) ) b = w α(i)+β(j) + x α(i) y β(j) Carry propagation is more complicated and requires a k-word array c. z Provides (k!) 2 different sequences of single-precision multiplications. z Requires no extra multiplication but k extra words of storage. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 53 / 64

122 Long-Integer Multiplication Shuffling rows and columns Let us now shuffle the rows and the columns of the multiplication: Choose at random two permutations α,β of (0,1,...,k 1) and compute: (c β(j),w α(i)+β(j) ) b = w α(i)+β(j) + x α(i) y β(j) Carry propagation is more complicated and requires a k-word array c. z Provides (k!) 2 different sequences of single-precision multiplications. z Requires no extra multiplication but k extra words of storage. z Saves k multiplications but uses additional storage compared to the previous countermeasure. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 53 / 64

123 Long-Integer Multiplication For instance, using a 32-bit multiplier: bit length k! (k!) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 54 / 64

124 Long-Integer Multiplication For instance, using a 32-bit multiplier: bit length k! (k!) z Also compatible with interleaved multiplications and reductions. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 54 / 64

125 Long-Integer Multiplication For instance, using a 32-bit multiplier: bit length k! (k!) z Also compatible with interleaved multiplications and reductions. z Studying the cost of these countermeasures for hardware implementations requires further investigation. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 54 / 64

126 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 54 / 64

127 Our Contribution Improved collision-correlation techniques on AES defeating some first-order protected implementations Need less than 1500 acquisitions in our experiments No need to establish a consumption model for correlation V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 55 / 64

128 AES Overview We focus on AES-128: message M = (m 0 m 1... m 15 ) key K = (k 0 k 1... k 15 ) ciphertext C = (c 0 c 1... c 15 ) for i [0,15] we denote x i = m i k i AES message SubBytes ShiftRows MixColumns key subkey 1 ciphertext V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 56 / 64

129 AES Overview We focus on AES-128: message M = (m 0 m 1... m 15 ) key K = (k 0 k 1... k 15 ) ciphertext C = (c 0 c 1... c 15 ) for i [0,15] we denote x i = m i k i Our attack targets the first round SubBytes function AES message SubBytes ShiftRows MixColumns key subkey 1 ciphertext V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 56 / 64

130 Principle Detect internal collisions between data processed in blinded S-Boxes in the first AES round: data1 mask = data2 mask V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 57 / 64

131 Principle Detect internal collisions between data processed in blinded S-Boxes in the first AES round: data1 mask = data2 mask Two protections against first-order attacks are considered: 1. substitution table masking: S (x i u) = S(x i ) v, with u v same masks u and v for all bytes 2. masked pseudo-inversion in F 2 8 : I (x i u i ) = I(x i ) u i, for 0 i different masks but same input and output masks V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 57 / 64

132 Collision-Correlation Analysis Encrypt N times the same message M Collect the power traces T n, 0 n N 1 T 0 T 1. T N 1 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 58 / 64

133 Collision-Correlation Analysis Encrypt N times the same message M Collect the power traces T n, 0 n N 1 Consider two instructions whose processing starts at times t 0 and t 1 l points are acquired per instruction processing T 0 T 1. t 0 t 0 + l t 1 t 1 + l t 0 t 0 + l t 1 t 1 + l T N 1 t 0 t 0 + l t 1 t 1 + l V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 58 / 64

134 Collision-Correlation Analysis Encrypt N times the same message M Collect the power traces T n, 0 n N 1 Consider two instructions whose processing starts at times t 0 and t 1 l points are acquired per instruction processing Construct the two series Θ 0 = (Tt n 0 ) n and Θ 1 = (Tt n 1 ) n of power consumptions segments T 0 T 1. T N 1 Θ 0 Θ 1 t 0 t 0 + l t 1 t 1 + l t 0 t 0 + l t 1 t 1 + l t 0 t 0 + l t 1 t 1 + l V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 58 / 64

135 Collision-Correlation Analysis Encrypt N times the same message M Collect the power traces T n, 0 n N 1 Consider two instructions whose processing starts at times t 0 and t 1 l points are acquired per instruction processing Construct the two series Θ 0 = (Tt n 0 ) n and Θ 1 = (Tt n 1 ) n of power consumptions segments T 0 T 1. T N 1 Θ 0 Θ 1 t 0 t 0 + l t 1 t 1 + l t 0 t 0 + l t 1 t 1 + l t 0 t 0 + l t 1 t 1 + l Apply a statistical treatment to (Θ 0,Θ 1 ) to identify if same data was involved in T n t 0 and T n t 1 We choose the Pearson correlation factor ˆρ Θ0,Θ 1 (t) = cov(θ 0(t),Θ 1 (t)) σ Θ0 (t)σ Θ1 (t) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 58 / 64

136 First Attack Description (1) Principle: detect when two SubBytes inputs (and outputs) are equal in first AES round m 4 k 4 u = m 9 k 9 u x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 S S S S S S S S S S S S S S S S y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 k 4 k 9 = m 4 m 9 Result: provide a relation between two key bytes V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 59 / 64

137 First Attack Description (2) Encrypt N times the same message M and collect the N traces of first AES round For the 120 possible pairs (i 1,i 2 ) compute ˆρ Θi1,Θ i2 (t) When a correlation peak appears a relation between k i1 and k i2 is found Repeat for several random messages M until enough relations are found V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 60 / 64

138 First Attack Description (2) Encrypt N times the same message M and collect the N traces of first AES round For the 120 possible pairs (i 1,i 2 ) compute ˆρ Θi1,Θ i2 (t) When a correlation peak appears a relation between k i1 and k i2 is found Repeat for several random messages M until enough relations are found zon average 59 messages are needed Total number of traces = 59 N V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 60 / 64

139 Experimental Results Correlation traces obtained on real traces for N = Correlation Correlation Time Time Total number of acquisitions : V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 61 / 64

140 Second Attack Description (1) Previous attack cannot be applied to masked inversion if masks are different for each byte 0 u 3 1 u 3 x 0 x 1 x 2 x 3 x 4... x 15 x 0 x 1 x 2 x 3 x 4... x 15 I I I I I... I or I I I I I... I y 0 y 1 y 2 y 3 y 4... y 15 y 0 y 1 y 2 y 3 y 4... y 15 0 u 3 1 u 3 Collision between input and output reveals one key byte except one bit: k i = m i or k i = m i 1 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 62 / 64

141 Practical Results Correlation traces obtained on simulated traces for the pseudo-inversion of the first byte in GF(2 8 ) with N = 16 1 Correlation Time V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 63 / 64

Square Always Exponentiation

Square Always Exponentiation Christophe Clavier 1 Benoit Feix 1,2 Georges Gagnerot 1,2 Mylène Roussellet 2 Vincent Verneuil 2,3 1 XLIM-Université de Limoges, France 2 INSIDE Secure, Aix-en-Provence, France