Elliptic Curve Cryptography and Security of Embedded Devices
|
|
- Corey Simon
- 5 years ago
- Views:
Transcription
1 Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 1 / 64
2 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 2 / 64
3 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 2 / 64
4 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 2 / 64
5 RSA (Rivest-Shamir-Adleman) A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 3 / 64
6 RSA (Rivest-Shamir-Adleman) Key generation pick at random two primes p and q, and compute n = p q choose e and compute d such that: e d 1 mod (p 1)(q 1) Public key A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, = {n,e} Private key = {p,q,d} V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 3 / 64
7 RSA (Rivest-Shamir-Adleman) Encryption / Decryption To encrypt a message m: c = m e To decrypt c: m = c d mod n mod n V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 4 / 64
8 RSA (Rivest-Shamir-Adleman) Encryption / Decryption To encrypt a message m: c = m e To decrypt c: m = c d mod n mod n Security assumption Given = {n,e}, how to recover d = e 1 mod (p 1)(q 1)? Factorize n to recover p and q! V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 4 / 64
9 Elliptic Curve Cryptography Independently introduced by Koblitz and Miller in V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 5 / 64
10 Elliptic Curve Equation Let K be a field, and E /K an elliptic curve. Then the set of K-rational points E (K) P 2 (K) is an abelian group, with neutral element O. On a field K = F p, p > 3, it has an affine equation: y 2 = x 3 + ax + b V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 6 / 64
11 Elliptic Curve Group Law Let P 1 = (x 1,y 1 ) and P 2 = (x 2,y 2 ), P 1,P 2 O. P 3 = P 1 + P 2 is given by: { x3 = m 2 x 1 x 2 P1 P 2 y 3 = m (x 1 x 3 ) y 1 K = R V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 7 / 64
12 Elliptic Curve Group Law O Let P 1 = (x 1,y 1 ) and P 2 = (x 2,y 2 ), P 1,P 2 O. P 3 = P 1 + P 2 is given by: { x3 = m 2 x 1 x 2 y 3 = m (x 1 x 3 ) y 1 P 3 P 3 P1 P 2 m = y 2 y 1 x 2 x 1 if P 1 ±P 2 K = R V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 7 / 64
13 Elliptic Curve Group Law Let P 1 = (x 1,y 1 ) and P 2 = (x 2,y 2 ), P 1,P 2 O. P 3 = P 1 + P 2 is given by: { x3 = m 2 x 1 x 2 P 1 = P 2 y 3 = m (x 1 x 3 ) y 1 K = R V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 7 / 64
14 Elliptic Curve Group Law O Let P 1 = (x 1,y 1 ) and P 2 = (x 2,y 2 ), P 1,P 2 O. P 3 = P 1 + P 2 is given by: { x3 = m 2 x 1 x 2 y 3 = m (x 1 x 3 ) y 1 m = 3x a 2y 1 if P 1 = P 2 P 1 = P 2 P3 P 3 K = R V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 7 / 64
15 Scalar Multiplication Given a point P in E (K) and a positive integer d, we denote dp = P + P + + P. }{{} d times V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 8 / 64
16 Scalar Multiplication Given a point P in E (K) and a positive integer d, we denote dp = P + P + + P. }{{} d times Elliptic Curve Discrete Logarithm Problem (ECDLP) Given P in E (K) and dp, 1 d #E (K), find d? Much harder than or factoring (which can be solved in subexponential time). V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 8 / 64
17 Cryptosystems Comparison Estimated equivalent key lengths for ECC and RSA: Security level ECC RSA z Very interesting in embedded devices having limited resources. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 9 / 64
18 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 9 / 64
19 Embedded Devices Constraints Efficiency Most transactions have to take less than 500 ms Small amount of RAM Very low power (hence low frequency) for contactless devices V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 10 / 64
20 Embedded Devices Constraints Efficiency Most transactions have to take less than 500 ms Small amount of RAM Very low power (hence low frequency) for contactless devices Arithmetic optimizations Exponentiation / scalar multiplication Group operations and point representation Modular arithmetic V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 10 / 64
21 Expensive operations F p Operations Theoretical Cost Significant operations Negligible operations V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 11 / 64
22 Expensive operations Inversion (I) F p Operations Theoretical Cost Significant operations Negligible operations V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 11 / 64
23 Expensive operations Inversion (I) F p Operations Theoretical Cost Significant operations Multiplication (M) Squaring (S, S/M 0.8) Negligible operations V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 11 / 64
24 Expensive operations Inversion (I) F p Operations Theoretical Cost Significant operations Multiplication (M) Squaring (S, S/M 0.8) Negligible operations Addition (A) Subtraction (A) Negation (N) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 11 / 64
25 Expensive operations Inversion (I) F p Operations Theoretical Cost Significant operations Multiplication (M) Squaring (S, S/M 0.8) Negligible operations Addition (A) Subtraction (A) Negation (N) For ECC keylengths, A/M 0.2 and N/M 0.1 on most smart cards. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 11 / 64
26 Exponentiation Algorithms Square and multiply Left-to-right Right-to-left ( ( m d = m d 0 m d 1... ( m d ) 2 ) ) 2 2 l 1... m d = m d l 12 l 1 m d l 22 l 2... m d 0 Input: m,n,d N Output: m d mod n a 1 for i = l 1 to 0 do a a 2 mod n if d i = 1 then a a m mod n return a Input: m,n,d N Output: m d mod n a 1 ; b m for i = 0 to l 1 do if d i = 1 then a a b mod n b b 2 mod n return a V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 12 / 64
27 Scalar Multiplication Algorithms Double and add Left-to-right dp = d 0 P + 2(d 1 P + 2( (d l 1 P)...)) Input: P E (K),d N Output: dp R O for i = l 1 to 0 do R 2R if d i = 1 then R R + P return R Right-to-left dp = d l 1 2 l 1 P + d l 2 2 l 2 P d 0 P Input: P E (K),d N Output: dp R O ; Q P for i = 0 to l 1 do if d i = 1 then R R + Q Q 2Q return R V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 13 / 64
28 Refined Algorithms Non-Adjacent Form (NAF) Signed representation minimizing the number of non-zero digits (1/3 vs 1/2). Hence minimize the number of additions. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 14 / 64
29 Refined Algorithms Non-Adjacent Form (NAF) Signed representation minimizing the number of non-zero digits (1/3 vs 1/2). Hence minimize the number of additions. Sliding window algorithms Precompute 3P,5P,... to process several scalar bits at a time. Can be combined with the NAF method. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 14 / 64
30 Refined Algorithms Non-Adjacent Form (NAF) Signed representation minimizing the number of non-zero digits (1/3 vs 1/2). Hence minimize the number of additions. Sliding window algorithms Precompute 3P,5P,... to process several scalar bits at a time. Can be combined with the NAF method. Co-Z Addition Euclidean Addition Chains [Meloni, WAIFI 2007] Co-Z binary ladder [Goundar, Joye & Miyaji, CHES 2010] V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 14 / 64
31 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 14 / 64
32 Side-Channel Analysis Framework Secret key Inputs Cryptographic operation Outputs
33 Side-Channel Analysis Framework Secret key Inputs Cryptographic operation leakages Device Outputs
34 Side-Channel Analysis Framework Secret key Inputs Cryptographic operation Device leakages Measurements Outputs
35 Side-Channel Analysis Framework Secret key Inputs Cryptographic operation Device leakages Measurements Model & assumptions Outputs
36 Side-Channel Analysis Framework Secret key Inputs Cryptographic operation Device leakages Measurements Model & assumptions Outputs Information on secret key V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 15 / 64
37 Simple Side-Channel Analysis (SSCA) Left-to-right square & multiply Side-channel leakage: power, EM, etc. The whole exponent may be recovered using a single trace. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 16 / 64
38 Regular Exponentiation Left-to-right algorithms Square & multiply:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 17 / 64
39 Regular Exponentiation Left-to-right algorithms Square & multiply:... Square & multiply always:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 17 / 64
40 Regular Exponentiation Left-to-right algorithms Square & multiply:... Square & multiply always:... Montgomery ladder:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 17 / 64
41 Regular Exponentiation Algorithms Left-to-right Montgomery ladder Input: m,n,d N Output: m d mod n 1: R 0 1 2: R 1 m 3: for i = l 1 to 0 do 4: R 1 di R 0 R 1 mod n 5: R di R di 2 mod n 6: return R 0 Right-to-left Joye ladder Input: m,n,d N Output: m d mod n 1: R 0 1 2: R 1 m 3: for i = 0 to l 1 do 4: R 1 di R 1 di 2 mod n 5: R 1 di R 1 di R di mod n 6: return R 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 18 / 64
42 Regular Scalar Multiplication Left-to-right algorithms Double & add:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 19 / 64
43 Regular Scalar Multiplication Left-to-right algorithms Double & add:... Double & add always:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 19 / 64
44 Regular Scalar Multiplication Left-to-right algorithms Double & add:... Double & add always:... Montgomery ladders:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 19 / 64
45 Regular Scalar Multiplication Algorithms Left-to-right Montgomery ladder Input: P E (K),d N Output: dp 1: R 0 O 2: R 1 P 3: for i = l 1 to 0 do 4: R 1 di R 0 + R 1 5: R di 2R di 6: return R 0 Right-to-left Joye ladder Input: P E (K),d N Output: dp 1: R 0 O 2: R 1 P 3: for i = 0 to l 1 do 4: R 1 di 2R 1 di 5: R 1 di R 1 di + R di 6: return R 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 20 / 64
46 Regular Atomic Exponentiation Square & multiply:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 21 / 64
47 Regular Atomic Exponentiation Square & multiply:... Atomic multiply always:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 21 / 64
48 Regular Atomic Scalar Multiplication Double & add:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 22 / 64
49 Regular Atomic Scalar Multiplication Double & add:... Atomic add always (with a unified group addition):... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 22 / 64
50 Regular Atomic Scalar Multiplication Double & add:... Atomic add always (with a unified group addition):... Atomic scalar multiplication using a smaller pattern:... Dbl. Dbl. Add. Dbl. Add.... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 22 / 64
51 Leakage on Manipulated Data V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 23 / 64
52 Leakage on Manipulated Data Noise is generally too high to exploit this leakage directly V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 23 / 64
53 Leakage on Manipulated Data Noise is generally too high to exploit this leakage directly z Many acquisitions are used to reduce noise influence V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 23 / 64
54 Differential Analysis Principle Measure N times a side-channel leakage with different data involved and consider the traces T 1,T 2,...,T n. T 1 T 2. t t t + ω t + ω T N t t + ω V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 24 / 64
55 Differential Analysis Principle Measure N times a side-channel leakage with different data involved and consider the traces T 1,T 2,...,T n. T 1 align vertically the traces on the targeted operation using signal processing tools T 2. t t t + ω t + ω T N t t + ω V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 24 / 64
56 Differential Analysis Principle Measure N times a side-channel leakage with different data involved and consider the traces T 1,T 2,...,T n. T 1 align vertically the traces on the targeted operation using signal processing tools perform statistical treatment between traces, known inputs or outputs and a guess on a few key bits T 2. T N t t t t + ω t + ω t + ω V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 24 / 64
57 Differential Analysis Principle Measure N times a side-channel leakage with different data involved and consider the traces T 1,T 2,...,T n. T 1 align vertically the traces on the targeted operation using signal processing tools perform statistical treatment between traces, known inputs or outputs and a guess on a few key bits T 2. T N t t t t + ω t + ω t + ω z Validate the guess or not V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 24 / 64
58 Differential Side-Channel Analysis Original method introduced in [Kocher, Jaffe & Jun, CRYPTO 99] Hamming weight leakage model Difference of means as a distinguisher V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 25 / 64
59 Differential Side-Channel Analysis Original method introduced in [Kocher, Jaffe & Jun, CRYPTO 99] Hamming weight leakage model Difference of means as a distinguisher Correlation analysis introduced in [Brier, Clavier & Olivier, CHES 2004] Hamming weight/distance leakage model Pearson correlation factor as a distinguisher V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 25 / 64
60 Countermeasures for RSA Exponentiation Exponent blinding d = d + r(p 1)(q 1) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 26 / 64
61 Countermeasures for RSA Exponentiation Exponent blinding d = d + r(p 1)(q 1) Message/ciphertext additive blinding m = m + rn mod cn, r < c V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 26 / 64
62 Countermeasures for RSA Exponentiation Exponent blinding d = d + r(p 1)(q 1) Message/ciphertext additive blinding m = m + rn mod cn, r < c Message/ciphertext multiplicative blinding m = r e m mod n, result recovered as r 1 (m ) d mod n V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 26 / 64
63 Countermeasures for Scalar Multiplication From [Coron, CHES 99]: Scalar blinding d = d + r#e (F p ) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 27 / 64
64 Countermeasures for Scalar Multiplication From [Coron, CHES 99]: Scalar blinding d = d + r#e (F p ) Base point projective coordinates blinding (r 2 X : r 3 Y : rz ) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 27 / 64
65 Countermeasures for Scalar Multiplication From [Coron, CHES 99]: Scalar blinding d = d + r#e (F p ) Base point projective coordinates blinding (r 2 X : r 3 Y : rz ) Input point blinding Q = d(p + R), result recovered as Q S with S = dr V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 27 / 64
66 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 27 / 64
67 Our Contribution New atomic pattern for right-to-left scalar multiplication implementation Fastest implementation for standard curves considering addition cost A/M 0.1 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 28 / 64
68 Our Contribution New atomic pattern for right-to-left scalar multiplication implementation Fastest implementation for standard curves considering addition cost A/M 0.1 Theoretical comparison (S/M = 0.8, A/M = 0.2) Previous right-to-left NAF atomic scalar multiplication: - 20 % (M/bit) Best previous scalar multiplication (Co-Z Montgomery ladder (X : Z )-only): % (M/bit) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 28 / 64
69 Atomic Right-to-Left Scalar Multiplication Mixed coordinates Multiplication Addition Negation Addition Operations expression using the atomic pattern Addition : [11M+5S] Doubling : [3M+5S] V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 29 / 64
70 Atomic Right-to-Left Scalar Multiplication Mixed coordinates Multiplication Addition Negation Addition Squaring Addition Negation Addition Operations expression using the atomic pattern Addition : [11M+5S] Doubling : [3M+5S] V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 29 / 64
71 Atomic Right-to-Left Scalar Multiplication Mixed coordinates Multiplication Addition Negation Addition Squaring Addition Negation Addition Operations expression using the atomic pattern Addition : [11M+5S] Doubling : [3M+5S] V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 29 / 64
72 Atomic Right-to-Left Scalar Multiplication Mixed coordinates Multiplication Addition Negation Addition Squaring Addition Negation Addition Operations expression using the atomic pattern Addition : [11M+5S] Doubling : [3M+5S] Extended pattern : V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 29 / 64
73 Atomic Right-to-Left Scalar Multiplication Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 30 / 64
74 Atomic Right-to-Left Scalar Multiplication Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. Add. 1 Add. 2 R 1 Z 2 2 R 6 R 2 4 R 2 X 1 R 1 R 5 Z 1 Z 2 R 1 R 1 Z 2 Z 3 R 5 R 4 R 3 Y 1 R 1 R 2 R 2 R 6 R 1 R 1 R 1 Z 2 1 R 5 R 2 1 R 3 R 3 R 4 R 1 X 2 R 4 R 4 R 6 R R 4 R 6 R 5 + R 4 4 R R 4 R 2 + R 2 R 2 4 R R 1 Z 1 R 6 R 6 + R 2 1 R 3 R 3 R 4 X 3 R 2 + R 6 R R 1 R 1 Y 2 X 3 + R 2 2 R 1 R 1 R 2 Y R 1 R 3 R 3 + R 1 1 R 1 R 3 + R 1 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 30 / 64
75 Atomic Right-to-Left Scalar Multiplication Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. Add. 1 Add. 2 Dbl. R 1 Z 2 2 R 6 R 2 4 R 2 X 1 R 1 R 5 Z 1 Z 2 R 1 R 1 Z 2 Z 3 R 5 R 4 R 3 Y 1 R 1 R 2 R 2 R 6 R 1 R 1 R 1 Z 2 1 R 5 R 2 1 R 3 R 3 R 4 R 1 X 2 R 4 R 4 R 6 R R 4 R 6 R 5 + R 4 4 R R 4 R 2 + R 2 R 2 4 R R 1 Z 1 R 6 R 6 + R 2 1 R 3 R 3 R 4 X 3 R 2 + R 6 R R 1 R 1 Y 2 X 3 + R 2 2 R 1 R 1 R 2 Y R 1 R 3 R 3 + R 1 1 R 1 R 3 + R 1 R 1 X 1 2 R 2 Y 1 + Y 1 Z 2 R 2 Z 1 R 4 R 1 + R 1 R 3 R 2 Y 1 R 6 R 3 + R 3 R 2 R 6 R 3 R 1 R 4 + R 1 R 1 R 1 + W 1 R 3 R 1 2 R 4 R 6 X 1 R 5 W 1 + W 1 R 4 R 4 R 3 R 3 + R 4 W 2 R 2 R 5 X 2 R 3 + R 4 R 2 R 2 R 6 R 4 + X 2 R 4 R 6 R 1 R 4 R 4 Y 2 R 4 + R 2 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 30 / 64
76 Atomic Right-to-Left Scalar Multiplication Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. Add. 1 Add. 2 Dbl. R 1 Z 2 2 R 6 R 2 4 R 2 X 1 R 1 R 5 Z 1 Z 2 R 1 R 1 Z 2 Z 3 R 5 R 4 R 3 Y 1 R 1 R 2 R 2 R 6 R 1 R 1 R 1 Z 2 1 R 5 R 2 1 R 3 R 3 R 4 R 1 X 2 R 4 R 4 R 6 R R 4 R 6 R 5 + R 4 4 R R 4 R 2 + R 2 R 2 4 R R 1 Z 1 R 6 R 6 + R 2 1 R 3 R 3 R 4 X 3 R 2 + R 6 R R 1 R 1 Y 2 X 3 + R 2 2 R 1 R 1 R 2 Y R 1 R 3 R 3 + R 1 1 R 1 R 3 + R 1 R 1 X 1 2 R 2 Y 1 + Y 1 Z 2 R 2 Z 1 R 4 R 1 + R 1 R 3 R 2 Y 1 R 6 R 3 + R 3 R 2 R 6 R 3 R 1 R 4 + R 1 R 1 R 1 + W 1 R 3 R 1 2 R 4 R 6 X 1 R 5 W 1 + W 1 R 4 R 4 R 3 R 3 + R 4 W 2 R 2 R 5 X 2 R 3 + R 4 R 2 R 2 R 6 R 4 + X 2 R 4 R 6 R 1 R 4 R 4 Y 2 R 4 + R 2 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 30 / 64
77 Atomic Right-to-Left Scalar Multiplication Sq. Mult. Mult. Mult. Neg. Sq. Neg. Mult. Neg. Mult. Neg. Mult. Neg. Add. 1 Add. 2 Dbl. R 1 Z 2 2 R 6 R 2 4 R 1 X 2 1 R 2 Y 1 + Y 1 R 2 X 1 R 1 R 1 R 1 Z 2 R 3 Y 1 R 1 R 1 Z 1 2 R 4 R 1 X 2 R 4 R 4 R 4 R 2 + R 4 R 1 Z 1 R 1 R 1 R 1 Y 2 R 1 R 1 R 1 R 3 + R 1 R 5 Z 1 Z 2 Z 3 R 5 R 4 R 2 R 2 R 6 R 1 R 1 R 5 R 2 1 R 3 R 3 R 4 R 4 R 6 R 6 R 5 + R 4 R 2 R 2 R 6 R 6 + R 2 R 3 R 3 R 4 X 3 R 2 + R 6 R 2 X 3 + R 2 R 1 R 1 R 2 Y 3 R 3 + R 1 Z 2 R 2 Z 1 R 4 R 1 + R 1 R 3 R 2 Y 1 R 6 R 3 + R 3 R 2 R 6 R 3 R 1 R 4 + R 1 R 1 R 1 + W 1 R 3 R 1 2 R 4 R 6 X 1 R 5 W 1 + W 1 R 4 R 4 R 3 R 3 + R 4 W 2 R 2 R 5 X 2 R 3 + R 4 R 2 R 2 R 6 R 4 + X 2 R 4 R 6 R 1 R 4 R 4 Y 2 R 4 + R 2 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 30 / 64
78 Atomic Right-to-Left Scalar Multiplication Sq. Add. Mult. Add. Mult. Add. Mult. Add. Add. Sq. Mult. Add. Sub. Mult. Sub. Sub. Mult. Sub. Add. 1 Add. 2 Dbl. R 1 Z 2 2 R 2 Y 1 Z 2 R 5 Y 2 Z 1 R 3 R 1 R 2 R 4 Z 2 1 R 2 R 5 R 4 R 2 R 2 R 3 R 5 R 1 X 1 R 6 X 2 R 4 R 6 R 6 R 5 R 1 R 6 2 R 4 R 5 R 1 R 5 R 1 R 6 R 1 Z 1 R 6 R 6 R 2 2 Z 3 R 1 Z 2 R 1 R 4 + R 4 R 6 R 6 R 1 R 1 R 5 R 3 X 3 R 6 R 5 R 4 R 4 X 3 R 3 R 4 R 2 Y 3 R 3 R 1 R 1 X 1 2 R 2 Y 1 + Y 1 Z 2 R 2 Z 1 R 4 R 1 + R 1 R 3 R 2 Y 1 R 6 R 3 + R 3 R 2 R 6 R 3 R 1 R 4 + R 1 R 1 R 1 + W 1 R 3 R 1 2 R 4 R 6 X 1 R 5 W 1 + W 1 R 3 R 3 R 4 W 2 R 2 R 5 X 2 R 3 R 4 R 6 R 4 X 2 R 4 R 6 R 1 Y 2 R 4 R 2 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 31 / 64
79 Atomic Right-to-Left Scalar Multiplication Sq. Add. Mult. Add. Mult. Add. Mult. Add. Add. Sq. Mult. Add. Sub. Mult. Sub. Sub. Mult. Sub. Add. 1 Add. 2 Dbl. R 1 Z 2 2 R 2 Y 1 Z 2 R 5 Y 2 Z 1 R 3 R 1 R 2 R 4 Z 2 1 R 2 R 5 R 4 R 2 R 2 R 3 R 5 R 1 X 1 R 6 X 2 R 4 R 6 R 6 R 5 R 1 R 6 2 R 4 R 5 R 1 R 5 R 1 R 6 R 1 Z 1 R 6 R 6 R 2 2 Z 3 R 1 Z 2 R 1 R 4 + R 4 R 6 R 6 R 1 R 1 R 5 R 3 X 3 R 6 R 5 R 4 R 4 X 3 R 3 R 4 R 2 Y 3 R 3 R 1 R 1 X 1 2 R 2 Y 1 + Y 1 Z 2 R 2 Z 1 R 4 R 1 + R 1 R 3 R 2 Y 1 R 6 R 3 + R 3 R 2 R 6 R 3 R 1 R 4 + R 1 R 1 R 1 + W 1 R 3 R 1 2 R 4 R 6 X 1 R 5 W 1 + W 1 R 3 R 3 R 4 W 2 R 2 R 5 X 2 R 3 R 4 R 6 R 4 X 2 R 4 R 6 R 1 Y 2 R 4 R 2 8 multiplications 6 multiplications + 2 squarings V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 31 / 64
80 Atomic Right-to-Left Scalar Multiplication Sq. Add. Mult. Add. Mult. Add. Mult. Add. Add. Sq. Mult. Add. Sub. Mult. Sub. Sub. Mult. Sub. Add. 1 Add. 2 Dbl. R 1 Z 2 2 R 2 Y 1 Z 2 R 5 Y 2 Z 1 R 3 R 1 R 2 R 4 Z 2 1 R 2 R 5 R 4 R 2 R 2 R 3 R 5 R 1 X 1 R 6 X 2 R 4 R 6 R 6 R 5 R 1 R 6 2 R 4 R 5 R 1 R 5 R 1 R 6 R 1 Z 1 R 6 R 6 R 2 2 Z 3 R 1 Z 2 R 1 R 4 + R 4 R 6 R 6 R 1 R 1 R 5 R 3 X 3 R 6 R 5 R 4 R 4 X 3 R 3 R 4 R 2 Y 3 R 3 R 1 R 1 X 1 2 R 2 Y 1 + Y 1 Z 2 R 2 Z 1 R 4 R 1 + R 1 R 3 R 2 Y 1 R 6 R 3 + R 3 R 2 R 6 R 3 R 1 R 4 + R 1 R 1 R 1 + W 1 R 3 R 1 2 R 4 R 6 X 1 R 5 W 1 + W 1 R 3 R 3 R 4 W 2 R 2 R 5 X 2 R 3 R 4 R 6 R 4 X 2 R 4 R 6 R 1 Y 2 R 4 R 2 8 multiplications 6 multiplications + 2 squarings 16 additions 6 additions + 4 subtractions V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 31 / 64
81 Atomic Right-to-Left Scalar Multiplication Sq. Add. Mult. Add. Mult. Add. Mult. Add. Add. Sq. Mult. Add. Sub. Mult. Sub. Sub. Mult. Sub. Add. 1 Add. 2 Dbl. R 1 Z 2 2 R 2 Y 1 Z 2 R 5 Y 2 Z 1 R 3 R 1 R 2 R 4 Z 2 1 R 2 R 5 R 4 R 2 R 2 R 3 R 5 R 1 X 1 R 6 X 2 R 4 R 6 R 6 R 5 R 1 R 6 2 R 4 R 5 R 1 R 5 R 1 R 6 R 1 Z 1 R 6 R 6 R 2 2 Z 3 R 1 Z 2 R 1 R 4 + R 4 R 6 R 6 R 1 R 1 R 5 R 3 X 3 R 6 R 5 R 4 R 4 X 3 R 3 R 4 R 2 Y 3 R 3 R 1 R 1 X 1 2 R 2 Y 1 + Y 1 Z 2 R 2 Z 1 R 4 R 1 + R 1 R 3 R 2 Y 1 R 6 R 3 + R 3 R 2 R 6 R 3 R 1 R 4 + R 1 R 1 R 1 + W 1 R 3 R 1 2 R 4 R 6 X 1 R 5 W 1 + W 1 R 3 R 3 R 4 W 2 R 2 R 5 X 2 R 3 R 4 R 6 R 4 X 2 R 4 R 6 R 1 Y 2 R 4 R 2 8 multiplications 6 multiplications + 2 squarings 16 additions 6 additions + 4 subtractions 8 negations 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 31 / 64
82 Implementation 192 bits 30 MHz (CPU) & 50 MHz (CC) Original : 35 ms, Improved : 30 ms ( %) Comparable RAM ( 500 Bytes) and Code size ( 3 KB) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 32 / 64
83 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 32 / 64
84 Our Contribution New atomic algorithms using squarings only Immune to attacks distinguishing squarings from multiplications Better efficiency than regular ladders Exponentiation algorithms for parallelized squarings with best performances to our knowledge V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 33 / 64
85 Exponentiation Cost Summary Algorithm Cost / bit S/M = 1 S/M =.8 # reg Square & multiply 1,2,3 0.5M + 1S 1.5M 1.3M 2 Multiply always 2,3 1.5M 1.5M 1.5M 2 Regular ladders 1M + 1S 2M 1.8M 2 1 algorithm unprotected towards the SPA 2 algorithm sensitive to S M discrimination 3 possible sliding window optimization V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 34 / 64
86 Replacing Multiplications by Squarings x y = (x + y)2 x 2 y 2 (1) 2 ( ) x + y 2 ( ) x y 2 x y = (2) 2 2 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 35 / 64
87 Regular Atomic Exponentiation Square & multiply:... Atomic Multiply always:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 36 / 64
88 Regular Atomic Exponentiation Square & multiply:... Atomic Multiply always:... Atomic Square always:... V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 36 / 64
89 Atomic Left-to-Right Algorithm Input: m,n,d N Output: m d mod n 1: R 0 1 ; R 1 m ; R 2 1 2: R 3 m 2 /2 mod n 3: j 0 ; i k 1 4: while i 0 do 5: R Mj,0 R Mj,1 + R Mj,2 mod n 6: R Mj,3 R 2 Mj,3 mod n 7: R Mj,4 R Mj,5 /2 mod n 8: R Mj,6 R Mj,7 R Mj,8 mod n 9: j d i (1 + (j mod 3)) 10: i i M j,9 0 bit j = 0 1 bit j = 1 0 bit 1 bit j = 3 j = 2 11: return R M = V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 37 / 64
90 Atomic Right-to-Left Algorithm Input: m,n,d N Output: m d mod n 1: R 0 m ; R 1 1 ; R 2 1 2: i 0 ; j 0 3: while i k 1 do 4: j d i (1 + (j mod 3)) 5: R Mj,0 R Mj,1 + R 0 mod n 6: R Mj,2 R Mj,3 /2 mod n 7: R Mj,4 R Mj,5 R Mj,6 mod n 8: R Mj,3 R 2 Mj,3 mod n 9: i i + M j,7 0 bit j = 0 1 bit j = 1 0 bit 1 bit j = 3 j = 2 10: return R M = V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 38 / 64
91 Cost Comparison Algorithm Cost / bit S/M = 1 S/M =.8 # reg Square & multiply 1,2,3 0.5M + 1S 1.5M 1.3M 2 Multiply always 2,3 1.5M 1.5M 1.5M 2 Regular ladder 1M + 1S 2M 1.8M 2 L.-to-r. square always 3 2S 2M 1.6M 4 R.-to-l. square always 3 2S 2M 1.6M 3 11 % speed-up over Montgomery ladder 1 algorithm unprotected towards the SPA 2 algorithm sensitive to S M discrimination 3 possible sliding window optimization V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 39 / 64
92 Implementation AT90SC 30MHz with AdvX arithmetic coprocessor: Algorithm Key len. (b) Code (B) RAM (B) Timing (ms) Mont. ladder Square Always % practical speed-up obtained in practice V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 40 / 64
93 Parallelization Motivation: Many devices are equipped with multi-core processors Parallelized Montgomery ladder : 1M / bit Squarings are independent in equations (1) and (2) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 41 / 64
94 Parallelization Motivation: Many devices are equipped with multi-core processors Parallelized Montgomery ladder : 1M / bit Squarings are independent in equations (1) and (2) We study how to optimize square always algorithms if two parallel squarings are available using space/time trade-offs. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 41 / 64
95 Cost Summary We demonstrate that the cost of our parallelized algorithm using λ extra registers tends to: ( ) S 4λ + 2 Algorithm General cost S/M = 1 S/M = 0.8 Parallel Montgomery ladder 1M 1M 1M Parallel square always λ = 1 7S/6 1.17M 0.93M Parallel square always λ = 2 11S/ M 0.88M Parallel square always λ = 3 15S/ M 0.86M.... Parallel square always λ 1S 1M 0.8M V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 42 / 64
96 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 42 / 64
97 Our Contribution New differential analysis on exponentiation using a single trace Any exponentiation algorithm can be subject to this attack Circumvent the exponent blinding countermeasure Require the knowledge of underlying modular multiplication implementation V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 43 / 64
98 Modular Multiplication Implementation Schoolbook long-integer multiplication x y in base b with x,y < b k Input: x = (x k 1 x k 2...x 0 ) b, y = (y k 1 y k 2...y 0 ) b Output: x y Uses: w = (w 2k 1 w 2k 2...w 0 ) 1: w (00...0) 2: for i = 0 to k 1 do 3: c 0 4: for j = 0 to k 1 do 5: (uv) b w i+j + x i y j + c 6: w i+j v 7: c u 8: w i+k c 9: return w V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 44 / 64
99 Modular Multiplication Implementation Rows and columns x k 1... x 2 x 1 x 0 y k 1... y 2 y 1 y 0 + x 0 y k 1... x 0 y 2 x 0 y 1 x 0 y 0 + x 1 y k 1 x 1 y k 2... x 1 y 1 x 1 y 0 + x 2 y k 1 x 2 y k 2 x 2 y k 3... x 2 y x k 2 y k 1... x k 2 y 2 x k 2 y 1 x k 2 y 0 + x k 1 y k 1 x k 1 y k 2... x k 1 y 1 x k 1 y 0 w 2k 1 w 2k 2 w 2k 3... w 2 w 1 w 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 45 / 64
100 Horizontal Correlation Analysis Vertical: Horizontal: Uses N segments from different traces. Uses k 2 segments from a single trace. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 46 / 64
101 Horizontal Side-Channel Analysis T 1 T 2 T 3 T s T s+1 T s+2 T T s 0,0 T s 0,2 T s 1,0 T s 1,2 T s 1,k 1 T s k 1,0 T s k 1,2 T s k 1,k We target single-multiplication segments T s i,j of the s-th modular multiplication inside a single leakage trace T. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 47 / 64
102 Horizontal Correlation Analysis Considering an atomic multiply-always implementation: Input: m,n,d N Output: m d mod n 1: R 0 1 2: R 1 m 3: i l 1 4: t 0 5: while i 0 do 6: R 0 R 0 R t mod n 7: t t d i 8: i i 1 + t 9: return R 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 48 / 64
103 Horizontal Correlation Analysis Considering an atomic multiply-always implementation: Input: m,n,d N Output: m d mod n 1: R 0 1 2: R 1 m 3: i l 1 4: t 0 5: while i 0 do 6: R 0 R 0 R t mod n 7: t t d i 8: i i 1 + t Execute a single RSA signature m d mod n and collect the execution power trace T. 9: return R 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 48 / 64
104 Horizontal Correlation Analysis Considering an atomic multiply-always implementation: Input: m,n,d N Output: m d mod n 1: R 0 1 2: R 1 m 3: i l 1 4: t 0 5: while i 0 do 6: R 0 R 0 R t mod n 7: t t d i 8: i i 1 + t Execute a single RSA signature m d mod n and collect the execution power trace T. Assuming u most significant bits of d are known by the attacker: d = (d l 1...d l u d l (u+1)...d 1 d 0 ) 9: return R 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 48 / 64
105 Horizontal Correlation Analysis Considering an atomic multiply-always implementation: Input: m,n,d N Output: m d mod n 1: R 0 1 2: R 1 m 3: i l 1 4: t 0 5: while i 0 do 6: R 0 R 0 R t mod n 7: t t d i 8: i i 1 + t 9: return R 0 Execute a single RSA signature m d mod n and collect the execution power trace T. Assuming u most significant bits of d are known by the attacker: d = (d l 1...d l u d l (u+1)...d 1 d 0 ) Let R (u) 0 denote the value of R 0 after processing the u-th bit of d: R (u) 0 = m d l 1...d l u mod n V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 48 / 64
106 Horizontal Correlation Analysis Let v = u + HW(d l 1...d l u ) i.e. u-th bit multiplication T v T v+1 T v+2 d l u 1 = 1 R (u) 0 d l u 1 = 0 R (u) 0 R (u) 0 R (u) 0 R (u) 0 d l u 2 = 0,1 (u) 2 R 0 m R (u) 0 2 (u) 2 R 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 49 / 64
107 Horizontal Correlation Analysis Let v = u + HW(d l 1...d l u ) i.e. u-th bit multiplication T v T v+1 T v+2 d l u 1 = 1 R (u) 0 d l u 1 = 0 R (u) 0 R (u) 0 R (u) 0 R (u) 0 d l u 2 = 0,1 (u) 2 R 0 m R (u) 0 2 (u) 2 R 0 Compute correlation between: trace segments T v+2 i,j and values D j = m j or trace segments T v+2 i,j and values D i,j = R (u) 0,i m j V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 49 / 64
108 Horizontal Correlation Analysis Let v = u + HW(d l 1...d l u ) i.e. u-th bit multiplication T v T v+1 T v+2 d l u 1 = 1 R (u) 0 d l u 1 = 0 R (u) 0 R (u) 0 R (u) 0 R (u) 0 d l u 2 = 0,1 (u) 2 R 0 m R (u) 0 2 (u) 2 R 0 Compute correlation between: trace segments T v+2 i,j and values D j = m j or trace segments T v+2 i,j and values D i,j = R (u) 0,i m j If correlation peak: d l (u+1) = 1, or d l (u+1) = 0 otherwise. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 49 / 64
109 Experimental Results Correlation trace result on series of Correlation trace result on series of traces T v+2 i,j with D j = m j segments T v+2 i,j with D i,j = R (u) 0,i m j V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 50 / 64
110 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 50 / 64
111 Our Contribution New countermeasure against differential analysis for RSA and ECC Designed to protect from horizontal analysis Implemented at the multi-precision multiplication level V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 51 / 64
112 Long-Integer Multiplication Shuffling rows and blinding columns Let us shuffle the rows of the multiplication: x k 1... x 2 x 1 x 0 y k 1... y 2 y 1 y 0 + x 0 y k 1... x 0 y 2 x 0 y 1 x 0 y 0 + x 1 y k 1 x 1 y k 2... x 1 y 1 x 1 y 0 + x 2 y k 1 x 2 y k 2 x 2 y k 3... x 2 y x k 2 y k 1... x k 2 y 2 x k 2 y 1 x k 2 y 0 + x k 1 y k 1 x k 1 y k 2... x k 1 y 1 x k 1 y 0 w 2k 1 w 2k 2 w 2k 3... w 2 w 1 w 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 52 / 64
113 Long-Integer Multiplication Shuffling rows and blinding columns Choose at random a permutation α of (0,1,...,k 1) and compute: (c,w α(i)+j ) b = w α(i)+j + x α(i) y j + c x k 1... x 2 x 1 x 0 y k 1... y 2 y 1 y 0 + x k 2 y k 1... x k 2 y 2 x k 2 y 1 x k 2 y 0 + x 0 y k 1... x 0 y 2 x 0 y 1 x 0 y 0 + x 2 y k 1 x 2 y k 2 x 2 y k 3... x 2 y x k 1 y k 1 x k 1 y k 2... x k 1 y 1 x k 1 y 0 + x 1 y k 1 x 1 y k 2... x 1 y 1 x 1 y 0 w 2k 1 w 2k 2 w 2k 3... w 2 w 1 w 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 52 / 64
114 Long-Integer Multiplication Shuffling rows and blinding columns Choose at random a permutation α of (0,1,...,k 1) and compute: (c,w α(i)+j ) b = w α(i)+j + x α(i) y j + c Still necessary to blind columns: For each row α(i), choose at random a word r, compute and store r x α(i), blind each single-precision multiplication: (c,w α(i)+j ) b = w α(i)+j + x α(i) (y j r) + r x α(i) + c V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 52 / 64
115 Long-Integer Multiplication Shuffling rows and blinding columns Choose at random a permutation α of (0,1,...,k 1) and compute: (c,w α(i)+j ) b = w α(i)+j + x α(i) y j + c Still necessary to blind columns: For each row α(i), choose at random a word r, compute and store r x α(i), blind each single-precision multiplication: (c,w α(i)+j ) b = w α(i)+j + x α(i) (y j r) + r x α(i) + c z Provides k! different sequences of single-precision multiplications. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 52 / 64
116 Long-Integer Multiplication Shuffling rows and blinding columns Choose at random a permutation α of (0,1,...,k 1) and compute: Still necessary to blind columns: (c,w α(i)+j ) b = w α(i)+j + x α(i) y j + c For each row α(i), choose at random a word r, compute and store r x α(i), blind each single-precision multiplication: (c,w α(i)+j ) b = w α(i)+j + x α(i) (y j r) + r x α(i) + c z Provides k! different sequences of single-precision multiplications. z Requires k extra multiplications and 3 extra words of storage. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 52 / 64
117 Long-Integer Multiplication Shuffling rows and blinding columns Choose at random a permutation α of (0,1,...,k 1) and compute: Still necessary to blind columns: (c,w α(i)+j ) b = w α(i)+j + x α(i) y j + c For each row α(i), choose at random a word r, compute and store r x α(i), blind each single-precision multiplication: (c,w α(i)+j ) b = w α(i)+j + x α(i) (y j r) + r x α(i) + c z Provides k! different sequences of single-precision multiplications. z Requires k extra multiplications and 3 extra words of storage. z Saves k + 1 multiplications and 4k 1 words of storage compared to the full blinding countermeasure. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 52 / 64
118 Long-Integer Multiplication Shuffling rows and columns Let us now shuffle the rows and the columns of the multiplication: V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 53 / 64
119 Long-Integer Multiplication Shuffling rows and columns Let us now shuffle the rows and the columns of the multiplication: Choose at random two permutations α,β of (0,1,...,k 1) and compute: (c β(j),w α(i)+β(j) ) b = w α(i)+β(j) + x α(i) y β(j) Carry propagation is more complicated and requires a k-word array c. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 53 / 64
120 Long-Integer Multiplication Shuffling rows and columns Let us now shuffle the rows and the columns of the multiplication: Choose at random two permutations α,β of (0,1,...,k 1) and compute: (c β(j),w α(i)+β(j) ) b = w α(i)+β(j) + x α(i) y β(j) Carry propagation is more complicated and requires a k-word array c. z Provides (k!) 2 different sequences of single-precision multiplications. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 53 / 64
121 Long-Integer Multiplication Shuffling rows and columns Let us now shuffle the rows and the columns of the multiplication: Choose at random two permutations α,β of (0,1,...,k 1) and compute: (c β(j),w α(i)+β(j) ) b = w α(i)+β(j) + x α(i) y β(j) Carry propagation is more complicated and requires a k-word array c. z Provides (k!) 2 different sequences of single-precision multiplications. z Requires no extra multiplication but k extra words of storage. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 53 / 64
122 Long-Integer Multiplication Shuffling rows and columns Let us now shuffle the rows and the columns of the multiplication: Choose at random two permutations α,β of (0,1,...,k 1) and compute: (c β(j),w α(i)+β(j) ) b = w α(i)+β(j) + x α(i) y β(j) Carry propagation is more complicated and requires a k-word array c. z Provides (k!) 2 different sequences of single-precision multiplications. z Requires no extra multiplication but k extra words of storage. z Saves k multiplications but uses additional storage compared to the previous countermeasure. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 53 / 64
123 Long-Integer Multiplication For instance, using a 32-bit multiplier: bit length k! (k!) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 54 / 64
124 Long-Integer Multiplication For instance, using a 32-bit multiplier: bit length k! (k!) z Also compatible with interleaved multiplications and reductions. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 54 / 64
125 Long-Integer Multiplication For instance, using a 32-bit multiplier: bit length k! (k!) z Also compatible with interleaved multiplications and reductions. z Studying the cost of these countermeasures for hardware implementations requires further investigation. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 54 / 64
126 Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 54 / 64
127 Our Contribution Improved collision-correlation techniques on AES defeating some first-order protected implementations Need less than 1500 acquisitions in our experiments No need to establish a consumption model for correlation V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 55 / 64
128 AES Overview We focus on AES-128: message M = (m 0 m 1... m 15 ) key K = (k 0 k 1... k 15 ) ciphertext C = (c 0 c 1... c 15 ) for i [0,15] we denote x i = m i k i AES message SubBytes ShiftRows MixColumns key subkey 1 ciphertext V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 56 / 64
129 AES Overview We focus on AES-128: message M = (m 0 m 1... m 15 ) key K = (k 0 k 1... k 15 ) ciphertext C = (c 0 c 1... c 15 ) for i [0,15] we denote x i = m i k i Our attack targets the first round SubBytes function AES message SubBytes ShiftRows MixColumns key subkey 1 ciphertext V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 56 / 64
130 Principle Detect internal collisions between data processed in blinded S-Boxes in the first AES round: data1 mask = data2 mask V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 57 / 64
131 Principle Detect internal collisions between data processed in blinded S-Boxes in the first AES round: data1 mask = data2 mask Two protections against first-order attacks are considered: 1. substitution table masking: S (x i u) = S(x i ) v, with u v same masks u and v for all bytes 2. masked pseudo-inversion in F 2 8 : I (x i u i ) = I(x i ) u i, for 0 i different masks but same input and output masks V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 57 / 64
132 Collision-Correlation Analysis Encrypt N times the same message M Collect the power traces T n, 0 n N 1 T 0 T 1. T N 1 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 58 / 64
133 Collision-Correlation Analysis Encrypt N times the same message M Collect the power traces T n, 0 n N 1 Consider two instructions whose processing starts at times t 0 and t 1 l points are acquired per instruction processing T 0 T 1. t 0 t 0 + l t 1 t 1 + l t 0 t 0 + l t 1 t 1 + l T N 1 t 0 t 0 + l t 1 t 1 + l V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 58 / 64
134 Collision-Correlation Analysis Encrypt N times the same message M Collect the power traces T n, 0 n N 1 Consider two instructions whose processing starts at times t 0 and t 1 l points are acquired per instruction processing Construct the two series Θ 0 = (Tt n 0 ) n and Θ 1 = (Tt n 1 ) n of power consumptions segments T 0 T 1. T N 1 Θ 0 Θ 1 t 0 t 0 + l t 1 t 1 + l t 0 t 0 + l t 1 t 1 + l t 0 t 0 + l t 1 t 1 + l V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 58 / 64
135 Collision-Correlation Analysis Encrypt N times the same message M Collect the power traces T n, 0 n N 1 Consider two instructions whose processing starts at times t 0 and t 1 l points are acquired per instruction processing Construct the two series Θ 0 = (Tt n 0 ) n and Θ 1 = (Tt n 1 ) n of power consumptions segments T 0 T 1. T N 1 Θ 0 Θ 1 t 0 t 0 + l t 1 t 1 + l t 0 t 0 + l t 1 t 1 + l t 0 t 0 + l t 1 t 1 + l Apply a statistical treatment to (Θ 0,Θ 1 ) to identify if same data was involved in T n t 0 and T n t 1 We choose the Pearson correlation factor ˆρ Θ0,Θ 1 (t) = cov(θ 0(t),Θ 1 (t)) σ Θ0 (t)σ Θ1 (t) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 58 / 64
136 First Attack Description (1) Principle: detect when two SubBytes inputs (and outputs) are equal in first AES round m 4 k 4 u = m 9 k 9 u x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 S S S S S S S S S S S S S S S S y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 k 4 k 9 = m 4 m 9 Result: provide a relation between two key bytes V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 59 / 64
137 First Attack Description (2) Encrypt N times the same message M and collect the N traces of first AES round For the 120 possible pairs (i 1,i 2 ) compute ˆρ Θi1,Θ i2 (t) When a correlation peak appears a relation between k i1 and k i2 is found Repeat for several random messages M until enough relations are found V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 60 / 64
138 First Attack Description (2) Encrypt N times the same message M and collect the N traces of first AES round For the 120 possible pairs (i 1,i 2 ) compute ˆρ Θi1,Θ i2 (t) When a correlation peak appears a relation between k i1 and k i2 is found Repeat for several random messages M until enough relations are found zon average 59 messages are needed Total number of traces = 59 N V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 60 / 64
139 Experimental Results Correlation traces obtained on real traces for N = Correlation Correlation Time Time Total number of acquisitions : V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 61 / 64
140 Second Attack Description (1) Previous attack cannot be applied to masked inversion if masks are different for each byte 0 u 3 1 u 3 x 0 x 1 x 2 x 3 x 4... x 15 x 0 x 1 x 2 x 3 x 4... x 15 I I I I I... I or I I I I I... I y 0 y 1 y 2 y 3 y 4... y 15 y 0 y 1 y 2 y 3 y 4... y 15 0 u 3 1 u 3 Collision between input and output reveals one key byte except one bit: k i = m i or k i = m i 1 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 62 / 64
141 Practical Results Correlation traces obtained on simulated traces for the pseudo-inversion of the first byte in GF(2 8 ) with N = 16 1 Correlation Time V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 63 / 64
Square Always Exponentiation
Square Always Exponentiation Christophe Clavier 1 Benoit Feix 1,2 Georges Gagnerot 1,2 Mylène Roussellet 2 Vincent Verneuil 2,3 1 XLIM-Université de Limoges, France 2 INSIDE Secure, Aix-en-Provence, France
More informationPower Analysis to ECC Using Differential Power between Multiplication and Squaring
Power Analysis to ECC Using Differential Power between Multiplication and Squaring Toru Akishita 1 and Tsuyoshi Takagi 2 1 Sony Corporation, Information Technologies Laboratories, Tokyo, Japan akishita@pal.arch.sony.co.jp
More informationSide-channel attacks on PKC and countermeasures with contributions from PhD students
basics Online Side-channel attacks on PKC and countermeasures (Tutorial @SPACE2016) with contributions from PhD students Lejla Batina Institute for Computing and Information Sciences Digital Security Radboud
More informationSide-Channel Analysis on Blinded Regular Scalar Multiplications
Side-Channel Analysis on Blinded Regular Scalar Multiplications Extended Version Benoit Feix 1 and Mylène Roussellet 2 and Alexandre Venelli 3 1 UL Security Transactions, UK Security Lab benoit.feix@ul.com
More informationHorizontal and Vertical Side-Channel Attacks against Secure RSA Implementations
Introduction Clavier et al s Paper This Paper Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations Aurélie Bauer Éliane Jaulmes Emmanuel Prouff Justine Wild ANSSI Session ID:
More informationEfficient randomized regular modular exponentiation using combined Montgomery and Barrett multiplications
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2016 Efficient randomized regular modular exponentiation
More informationBlinded Fault Resistant Exponentiation FDTC 06
Previous Work Our Algorithm Guillaume Fumaroli 1 David Vigilant 2 1 Thales Communications guillaume.fumaroli@fr.thalesgroup.com 2 Gemalto david.vigilant@gemalto.com FDTC 06 Outline Previous Work Our Algorithm
More informationrecover the secret key [14]. More recently, the resistance of smart-card implementations of the AES candidates against monitoring power consumption wa
Resistance against Dierential Power Analysis for Elliptic Curve Cryptosystems Jean-Sebastien Coron Ecole Normale Superieure Gemplus Card International 45 rue d'ulm 34 rue Guynemer Paris, F-75230, France
More informationRandomized Signed-Scalar Multiplication of ECC to Resist Power Attacks
Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks Jae Cheol Ha 1 and Sang Jae Moon 2 1 Division of Information Science, Korea Nazarene Univ., Cheonan, Choongnam, 330-718, Korea jcha@kornu.ac.kr
More informationSquare Always Exponentiation
Square Always Exponentiation Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent Verneuil To cite this version: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet,
More informationSide-Channel Analysis on Blinded Regular Scalar Multiplications
Side-Channel Analysis on Blinded Regular Scalar Multiplications Benoit Feix 1 and Mylène Roussellet 2 and Alexandre Venelli 3 1 UL Security Transactions, UK Security Lab benoit.feix@ul.com 2 Gemalto, La
More informationIntroduction to Side Channel Analysis. Elisabeth Oswald University of Bristol
Introduction to Side Channel Analysis Elisabeth Oswald University of Bristol Outline Part 1: SCA overview & leakage Part 2: SCA attacks & exploiting leakage and very briefly Part 3: Countermeasures Part
More informationEfficient Application of Countermeasures for Elliptic Curve Cryptography
Efficient Application of Countermeasures for Elliptic Curve Cryptography Vladimir Soukharev, Ph.D. Basil Hess, Ph.D. InfoSec Global Inc. May 19, 2017 Outline Introduction Brief Summary of ECC Arithmetic
More informationCo-Z Addition Formulæ and Binary Ladders on Elliptic Curves. Raveen Goundar Marc Joye Atsuko Miyaji
Co-Z Addition Formulæ and Binary Ladders on Elliptic Curves Raveen Goundar Marc Joye Atsuko Miyaji Co-Z Addition Formulæ and Binary Ladders on Elliptic Curves Raveen Goundar Marc Joye Atsuko Miyaji Elliptic
More informationEfficient Leak Resistant Modular Exponentiation in RNS
Efficient Leak Resistant Modular Exponentiation in RNS Andrea Lesavourey (1), Christophe Negre (1) and Thomas Plantard (2) (1) DALI (UPVD) and LIRMM (Univ. of Montpellier, CNRS), Perpignan, France (2)
More informationA Simple Architectural Enhancement for Fast and Flexible Elliptic Curve Cryptography over Binary Finite Fields GF(2 m )
A Simple Architectural Enhancement for Fast and Flexible Elliptic Curve Cryptography over Binary Finite Fields GF(2 m ) Stefan Tillich, Johann Großschädl Institute for Applied Information Processing and
More informationResistance of Randomized Projective Coordinates Against Power Analysis
Resistance of Randomized Projective Coordinates Against Power Analysis William Dupuy and Sébastien Kunz-Jacques DCSSI Crypto Lab 51, bd de Latour-Maubourg, 75700 PARIS 07 SP william.dupuy@laposte.net,
More informationA DPA attack on RSA in CRT mode
A DPA attack on RSA in CRT mode Marc Witteman Riscure, The Netherlands 1 Introduction RSA is the dominant public key cryptographic algorithm, and used in an increasing number of smart card applications.
More informationImproved Collision-Correlation Power Analysis on First Order Protected AES
Improved Collision-Correlation Power Analysis on First Order Protected AES Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent Verneuil To cite this version: Christophe Clavier,
More informationFast and Regular Algorithms for Scalar Multiplication over Elliptic Curves
Fast and Regular Algorithms for Scalar Multiplication over Elliptic Curves Matthieu Rivain CryptoExperts matthieu.rivain@cryptoexperts.com Abstract. Elliptic curve cryptosystems are more and more widespread
More informationFPGA IMPLEMENTATION FOR ELLIPTIC CURVE CRYPTOGRAPHY OVER BINARY EXTENSION FIELD
University of Windsor Scholarship at UWindsor Electronic Theses and Dissertations 10-5-2017 FPGA IMPLEMENTATION FOR ELLIPTIC CURVE CRYPTOGRAPHY OVER BINARY EXTENSION FIELD Che Chen University of Windsor
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More informationA Refined Power-Analysis Attack on Elliptic Curve Cryptosystems
A Refined Power-Analysis Attack on Elliptic Curve Cryptosystems Louis Goubin CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP45, 78430Louveciennes Cedex, France lgoubin@slb.com Abstract.
More informationEfficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand
Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand Christophe Negre, Thomas Plantard, Jean-Marc Robert Team DALI (UPVD) and LIRMM (UM2, CNRS), France CCISR, SCIT, (University
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationAccelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl
Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography International Workshop on Information Security & Hiding (ISH '05) Institute for Applied Information Processing and Communications
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationLow-Cost Solutions for Preventing Simple Side-Channel Analysis: Side-Channel Atomicity
Low-Cost Solutions for Preventing Simple Side-Channel Analysis: Side-Channel Atomicity [Published in IEEE Transactions on Computers 53(6):760-768, 00.] Benoît Chevallier-Mames 1, Mathieu Ciet, and Marc
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationGurgen Khachatrian Martun Karapetyan
34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian
More informationFast SPA-Resistant Exponentiation Through Simultaneous Processing of Half-Exponents
Fast SPA-Resistant Exponentiation Through Simultaneous Processing of Half-Exponents Carlos Moreno and M. Anwar Hasan Department of Electrical and Computer Engineering University of Waterloo, Canada cmoreno@uwaterloo.ca,
More informationDynamic Runtime Methods to Enhance Private Key Blinding
Dynamic Runtime Methods to Enhance Private Key Blinding Karine Gandolfi-Villegas and Nabil Hamzi Gemalto Security Labs {nabil.hamzi,karine.villegas}@gemalto.com Abstract. In this paper we propose new methods
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationError-free protection of EC point multiplication by modular extension
Error-free protection of EC point multiplication by modular extension Martin Seysen February 21, 2017 Giesecke & Devrient GmbH, Prinzregentenstraße 159, D-81677 München, e-mail: m.seysen@gmx.de Abstract
More informationPower Consumption Analysis. Arithmetic Level Countermeasures for ECC Coprocessor. Arithmetic Operators for Cryptography.
Power Consumption Analysis General principle: measure the current I in the circuit Arithmetic Level Countermeasures for ECC Coprocessor Arnaud Tisserand, Thomas Chabrier, Danuta Pamula I V DD circuit traces
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationBranch Prediction based attacks using Hardware performance Counters IIT Kharagpur
Branch Prediction based attacks using Hardware performance Counters IIT Kharagpur March 19, 2018 Modular Exponentiation Public key Cryptography March 19, 2018 Branch Prediction Attacks 2 / 54 Modular Exponentiation
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationOptimal Use of Montgomery Multiplication on Smart Cards
Optimal Use of Montgomery Multiplication on Smart Cards Arnaud Boscher and Robert Naciri Oberthur Card Systems SA, 71-73, rue des Hautes Pâtures, 92726 Nanterre Cedex, France {a.boscher, r.naciri}@oberthurcs.com
More informationAlgorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis
Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis Christophe Negre ici joined work with T. Plantard (U. of Wollongong, Australia) Journees Nationales GDR IM January
More informationSide-channel attacks and countermeasures for curve based cryptography
Side-channel attacks and countermeasures for curve based cryptography Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org 28.05.2007 Tanja Lange SCA on curves p. 1 Overview Elliptic curves
More informationFast Point Multiplication on Elliptic Curves Without Precomputation
Published in J. von zur Gathen, J.L. Imaña, and Ç.K. Koç, Eds, Arithmetic of Finite Fields (WAIFI 2008), vol. 5130 of Lecture Notes in Computer Science, pp. 36 46, Springer, 2008. Fast Point Multiplication
More informationElliptic Curve Cryptography
The State of the Art of Elliptic Curve Cryptography Ernst Kani Department of Mathematics and Statistics Queen s University Kingston, Ontario Elliptic Curve Cryptography 1 Outline 1. ECC: Advantages and
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationSide-channel analysis in code-based cryptography
1 Side-channel analysis in code-based cryptography Tania RICHMOND IMATH Laboratory University of Toulon SoSySec Seminar Rennes, April 5, 2017 Outline McEliece cryptosystem Timing Attack Power consumption
More informationPower Analysis Attacks and Algorithmic Approaches to their Countermeasures for Koblitz Curve Cryptosystems
Power Analysis Attacks and Algorithmic Approaches to their Countermeasures for Koblitz Curve Cryptosystems M. Anwar Hasan Department of Electrical and Computer Engineering University of Waterloo, Waterloo,
More informationFast Multiple Point Multiplication on Elliptic Curves over Prime and Binary Fields using the Double-Base Number System
Fast Multiple Point Multiplication on Elliptic Curves over Prime and Binary Fields using the Double-Base Number System Jithra Adikari, Vassil S. Dimitrov, and Pradeep Mishra Department of Electrical and
More informationNew Composite Operations and Precomputation Scheme for Elliptic Curve Cryptosystems over Prime Fields
New Composite Operations and Precomputation Scheme for Elliptic Curve Cryptosystems over Prime Fields Patrick Longa 1 and Ali Miri 2 1 Department of Electrical and Computer Engineering University of Waterloo,
More informationPower Analysis for Secret Recovering and Reverse Engineering of Public Key Algorithms
Power Analysis for Secret Recovering and Reverse Engineering of Public Key Algorithms Frederic Amiel 1,, Benoit Feix 2,, and Karine Villegas 1 1 GEMALTO, Security Labs, La Vigie, Avenue du Jujubier, ZI
More informationHybrid Binary-Ternary Joint Sparse Form and its Application in Elliptic Curve Cryptography
Hybrid Binary-Ternary Joint Sparse Form and its Application in Elliptic Curve Cryptography Jithra Adikari, Student Member, IEEE, Vassil Dimitrov, and Laurent Imbert Abstract Multi-exponentiation is a common
More informationLazy Leak Resistant Exponentiation in RNS
Lazy Leak Resistant Exponentiation in RNS Andrea Lesavourey, Christophe Negre, Thomas Plantard To cite this version: Andrea Lesavourey, Christophe Negre, Thomas Plantard. Lazy Leak Resistant Exponentiation
More informationFirst-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure
Josh Jaffe CHES 2007 Cryptography Research, Inc. www.cryptography.com 575 Market St., 21 st Floor, San Francisco, CA 94105 1998-2007 Cryptography Research, Inc. Protected under issued and/or pending US
More informationReprésentation RNS des nombres et calcul de couplages
Représentation RNS des nombres et calcul de couplages Sylvain Duquesne Université Rennes 1 Séminaire CCIS Grenoble, 7 Février 2013 Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 1 / 29
More informationAffine Precomputation with Sole Inversion in Elliptic Curve Cryptography
Affine Precomputation with Sole Inversion in Elliptic Curve Cryptography Erik Dahmen, 1 Katsuyuki Okeya, 2 and Daniel Schepers 1 1 Technische Universität Darmstadt, Fachbereich Informatik, Hochschulstr.10,
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationElliptic Curve Cryptography
Elliptic Curve Cryptography Elliptic Curves An elliptic curve is a cubic equation of the form: y + axy + by = x 3 + cx + dx + e where a, b, c, d and e are real numbers. A special addition operation is
More informationArithmétique et Cryptographie Asymétrique
Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians
More informationRemote Timing Attacks are Practical
Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624) Outline Traditional threat model in cryptography Side-channel
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationFast Simultaneous Scalar Multiplication on Elliptic Curve with Montgomery Form
Fast Simultaneous Scalar Multiplication on Elliptic Curve with Montgomery Form Toru Akishita Sony Corporation, 6-7-35 Kitashinagawa Shinagawa-ku, Tokyo, 141-0001, Japan akishita@pal.arch.sony.co.jp Abstract.
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationNew Strategy for Doubling-Free Short Addition-Subtraction Chain
Applied Mathematics & Information Sciences 2(2) (2008), 123 133 An International Journal c 2008 Dixie W Publishing Corporation, U. S. A. New Strategy for Doubling-Free Short Addition-Subtraction Chain
More informationNumber Theory. Modular Arithmetic
Number Theory The branch of mathematics that is important in IT security especially in cryptography. Deals only in integer numbers and the process can be done in a very fast manner. Modular Arithmetic
More informationExponent Blinding Does not Always Lift (Partial) SPA Resistance to Higher-Level Security
Exponent Blinding Does not Always Lift (Partial) SPA Resistance to Higher-Level Security Werner Schindler (Bundesamt für Sicherheit in der Informationstechnik (BSI)) and Kouichi Itoh (Fujitsu Laboratories
More informationSide Channel Analysis and Protection for McEliece Implementations
Side Channel Analysis and Protection for McEliece Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University Overview
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 10-1 Overview 1. How to exchange
More informationOutline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael
Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in
More informationZero-Value Point Attacks on Elliptic Curve Cryptosystem
Zero-Value Point Attacks on Elliptic Curve Cryptosystem Toru Akishita 1 and Tsuyoshi Takagi 2 1 Sony Corporation, Ubiquitous Technology Laboratories, 6-7-35 Kitashinagawa Shinagawa-ku, Tokyo, 141-0001
More informationMulti-Exponentiation Algorithm
Multi-Exponentiation Algorithm Chien-Ning Chen Email: chienning@ntu.edu.sg Feb 15, 2012 Coding and Cryptography Research Group Outline Review of multi-exponentiation algorithms Double/Multi-exponentiation
More informationFast Algorithm in ECC for Wireless Sensor Network
Fast Algorithm in ECC for Wireless Sensor Network Xu Huang, Pritam Shah, and Dharmendra Sharma Abstract Elliptic curve cryptography (ECC) has been attractive to the people who are working in the field
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationThe RSA Cipher and its Algorithmic Foundations
Chapter 1 The RSA Cipher and its Algorithmic Foundations The most important that is, most applied and most analyzed asymmetric cipher is RSA, named after its inventors Ron Rivest, Adi Shamir, and Len Adleman.
More informationPartial Key Exposure: Generalized Framework to Attack RSA
Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure
More informationOptimal Extension Field Inversion in the Frequency Domain
Optimal Extension Field Inversion in the Frequency Domain Selçuk Baktır, Berk Sunar WPI, Cryptography & Information Security Laboratory, Worcester, MA, USA Abstract. In this paper, we propose an adaptation
More informationPractical Fault Countermeasures for Chinese Remaindering Based RSA
Practical Fault Countermeasures for Chinese Remaindering Based RSA (Extended Abstract) Mathieu Ciet 1 and Marc Joye 2, 1 Gemplus R&D, Advanced Research and Security Centre La Vigie, ZI Athélia IV, Av.
More informationToward Secure Implementation of McEliece Decryption
Toward Secure Implementation of McEliece Decryption Mariya Georgieva & Frédéric de Portzamparc Gemalto & LIP6, 13/04/2015 1 MCELIECE PUBLIC-KEY ENCRYPTION 2 DECRYPTION ORACLE TIMING ATTACKS 3 EXTENDED
More informationRevisiting Atomic Patterns for Scalar Multiplications on Elliptic Curves
Revisiting Atomic Patterns for Scalar Multiplications on Elliptic Curves Franck Rondepierre Oberthur Technologies, Crypto Group 420, rue Estienne d Orves, 92 700 Colombes, France f.rondepierre@oberthur.com
More informationSelecting Elliptic Curves for Cryptography Real World Issues
Selecting Elliptic Curves for Cryptography Real World Issues Michael Naehrig Cryptography Research Group Microsoft Research UW Number Theory Seminar Seattle, 28 April 2015 Elliptic Curve Cryptography 1985:
More informationCorrelation Power Analysis. Chujiao Ma
Correlation Power Analysis Chujiao Ma Power Analysis Simple Power Analysis (SPA) different operations consume different power Differential Power Analysis (DPA) different data consume different power Correlation
More informationLow-Resource and Fast Elliptic Curve Implementations over Binary Edwards Curves
Rochester Institute of Technology RIT Scholar Works Theses Thesis/Dissertation Collections 5-2016 Low-Resource and Fast Elliptic Curve Implementations over Binary Edwards Curves Brian Koziel bck6520@rit.edu
More informationHardware implementations of ECC
Hardware implementations of ECC The University of Electro- Communications Introduction Public- key Cryptography (PKC) The most famous PKC is RSA and ECC Used for key agreement (Diffie- Hellman), digital
More information6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC)
6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC) 6.0 Introduction Elliptic curve cryptography (ECC) is the application of elliptic curve in the field of cryptography.basically a form of PKC which applies over the
More informationFormal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers
Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August
More informationEfficient regular modular exponentiation using multiplicative half-size splitting
J Cryptogr Eng (17) 7:45 53 DOI 1.17/s13389-16-134-5 SHORT COMMUNICATION Efficient regular modular exponentiation using multiplicative half-size splitting Christophe Negre 1, Thomas Plantard 3,4 Received:
More informationGeneric Cryptanalysis of Combined Countermeasures with Randomized BSD Representations
Generic Cryptanalysis of Combined Countermeasures with Randomized BSD Representations Tae Hyun Kim 1, Dong-Guk Han 2, Katsuyuki Okeya 3, and Jongin Lim 1 1 Center for Information and Security Technologies(CIST),
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More informationCryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages
Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages MEI-NA WANG Institute for Information Industry Networks and Multimedia Institute TAIWAN, R.O.C. myrawang@iii.org.tw SUNG-MING
More informationA Sound Method for Switching between Boolean and Arithmetic Masking
A Sound Method for Switching between Boolean and Arithmetic Masking Louis Goubin CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP45 78430 Louveciennes Cedex, France Louis.Goubin@louveciennes.tt.slb.com
More informationSide Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem
More informationPolynomial Interpolation in the Elliptic Curve Cryptosystem
Journal of Mathematics and Statistics 7 (4): 326-331, 2011 ISSN 1549-3644 2011 Science Publications Polynomial Interpolation in the Elliptic Curve Cryptosystem Liew Khang Jie and Hailiza Kamarulhaili School
More informationduring transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL
THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY Cryptography: used to safeguard information during transmission (e.g., credit card number for internet shopping) as opposed to Coding Theory: used to transmit
More informationProvably Secure Higher-Order Masking of AES
Provably Secure Higher-Order Masking of AES Matthieu Rivain 1 and Emmanuel Prouff 2 1 CryptoExperts matthieu.rivain@cryptoexperts.com 2 Oberthur Technologies e.prouff@oberthur.com Abstract. Implementations
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationMy brief introduction to cryptography
My brief introduction to cryptography David Thomson dthomson@math.carleton.ca Carleton University September 7, 2013 introduction to cryptography September 7, 2013 1 / 28 Outline 1 The general framework
More informationPerformance of Finite Field Arithmetic in an Elliptic Curve Cryptosystem
1 Performance of Finite Field Arithmetic in an Elliptic Curve Cryptosystem Abstract Zhi Li, John Higgins, Mark Clement 3361 TMCB Brigham Young University Provo, UT 8462 {zli,higgins,clement}@cs.byu.edu
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationHardware Security Side channel attacks
Hardware Security Side channel attacks R. Pacalet renaud.pacalet@telecom-paristech.fr May 24, 2018 Introduction Outline Timing attacks P. Kocher Optimizations Conclusion Power attacks Introduction Simple
More information