Power Consumption Analysis. Arithmetic Level Countermeasures for ECC Coprocessor. Arithmetic Operators for Cryptography.


Arithmetic Level Countermeasures for ECC Coprocessor
Arnaud Tisserand, Thomas Chabrier, Danuta Pamula
CNRS, IRISA laboratory, CAIRN research team
Claude Shannon Institute Workshop on Coding & Cryptography, May 7-8, UCC

Power Consumption Analysis
General principle: measure the current I in the circuit (figure: current I drawn from V_DD by the circuit, measured against GND, recorded as traces).
Attacks: Simple Power Analysis, Differential Power Analysis, Correlation Power Analysis, Template Attacks...
Notations: V_DD power supply (5,,.5,.,.9 V), GND ground
Similar attacks: electromagnetic radiations (EMR) and timing analysis
A. Tisserand, T. Chabrier, D. Pamula, IRISA. Arithmetic Level Countermeasures for ECC Coprocessor /4

Countermeasures
Prevent attacks by using:
- additional protection block(s)
- modification(s) of the original circuit (i.e. secure version)
Examples:
- electrical shielding
- use uniform computation durations
- use uniform power consumption
- add noise (e.g. useless instructions/computations)
- circuit reconfiguration at runtime
- modify the datapath
- modify the representation of values
- modify the computation algorithms
Our solution: arithmetic level protection(s)

Arithmetic Operators for Cryptography
Values are elements of:
- prime finite field F_p (p is a large prime)
- extensions of the binary field F_2^m
- extensions of small fields F_p^m (e.g.: p = )
Typical sizes for public-key cryptography: RSA = 4 to 89 bits, ECC = 6 to 6 bits
Operations: addition, subtraction, multiplication, multiplication by a constant, inversion, exponentiation

Addition Modulo M
Inputs: A, B in {0, 1, 2, 3, ..., M-1}
Output: (A + B) mod M
Algorithm:
  (A + B) mod M = A + B       if A + B < M
                = A + B - M   if A + B >= M
(Figure: A + B and A + B - M are computed in parallel; the MSB of A + B - M selects the output.)

Addition Modulo 2^n - 1
Inputs: A, B in {0, 1, 2, 3, ..., 2^n - 2}
Output: (A + B) mod (2^n - 1)
Basic method:
  (A + B) mod (2^n - 1) = A + B               if A + B < 2^n - 1
                        = A + B - (2^n - 1)   if A + B >= 2^n - 1
  where A + B - (2^n - 1) = A + B + 1 - 2^n
Problem: the test A + B >= 2^n - 1 is costly

Addition Modulo 2^n - 1: improved version
  (A + B) mod (2^n - 1) = A + B             if A + B + 1 < 2^n
                        = A + B + 1 - 2^n   if A + B + 1 >= 2^n

Activity in F_p Arithmetic Operators (1/2)
(Figure: activity profiles versus bit position for a + b and a + cst, with the adder inputs a, b and its carry-out c_out.)
a and b are random elements of F_p, cst is a constant (curve parameter)
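The three formulations above (generic mod-M addition with selection on the sign of A + B - M, the basic mod 2^n - 1 method with an explicit comparison, and the improved version where the carry-out of A + B + 1 replaces the comparison) are compared below. This is an added example, not code from the slides; the function names are its own.

```python
# Added example (not from the slides): the modular addition formulations above,
# checked against each other exhaustively for a small word size n.

def add_mod_m(a: int, b: int, m: int) -> int:
    """(A + B) mod M for 0 <= A, B < M: compute A + B and A + B - M in parallel,
    the sign (MSB) of A + B - M selects which one is the result."""
    s = a + b
    t = s - m
    return s if t < 0 else t

def add_mod_mersenne_basic(a: int, b: int, n: int) -> int:
    """Basic method: an explicit full-width test A + B >= 2^n - 1."""
    m = (1 << n) - 1
    s = a + b
    return s if s < m else s - m

def add_mod_mersenne_eac(a: int, b: int, n: int) -> int:
    """Improved method: compute A + B + 1; its carry-out (bit n) is the test,
    because A + B + 1 >= 2^n  <=>  A + B >= 2^n - 1. No comparator is needed."""
    s1 = a + b + 1
    if s1 >> n:                          # carry-out set: result is A + B + 1 - 2^n
        return s1 & ((1 << n) - 1)       # dropping the carry bit is the subtraction
    return a + b                         # no carry: A + B is already reduced

def check_all(n: int) -> bool:
    """Compare the three formulations for every A, B in {0, ..., 2^n - 2}."""
    m = (1 << n) - 1
    for a in range(m):
        for b in range(m):
            ref = (a + b) % m
            if add_mod_m(a, b, m) != ref:
                return False
            if add_mod_mersenne_basic(a, b, n) != ref:
                return False
            if add_mod_mersenne_eac(a, b, n) != ref:
                return False
    return True

if __name__ == "__main__":
    print("n = 4 exhaustive check:", check_all(4))
    print("14 + 13 mod 15 =", add_mod_mersenne_eac(14, 13, 4))
```

The edge case worth keeping in mind is A + B = 2^n - 1 exactly: the carry-out is set, the masked result is 0, which is the correct residue; the basic method reaches the same value through its comparison.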

Activity in F_p Arithmetic Operators (2/2)
(Figure: activity profiles for l-bit windows, l = 5, 6, 7, 8, 9, ...)
Activity profiles for l-bit windows (same transitions for all the bits of the window)

Modular Exponentiation for RSA
Algorithm: square and multiply
  Inputs: x, d = (d_{m-1} ... d_1 d_0)
  Output: y = x^d
   1: R ← 1
   2: i ← m - 1
   3: while (i >= 0) do
   4:   R ← R × R          (square)
   5:   if (d_i = 1) then
   6:     R ← R × x        (multiply)
   7:   endif
   8:   i ← i - 1
   9: endwhile
  10: return R

Attack: SPA
Square and multiply is weak!
Difference at each loop iteration:
  d_i = 1  =>  square and multiply
  d_i = 0  =>  square only
Trace example: (figure: power trace)

Differences & External Signature
An algorithm has a current signature and a time signature:
  r = c
  for i from … to n do
    if a_i = 1 then r = r + c
    else r = r - c
(Figure: time signature T vs. T + ΔT and current signature I vs. I + ΔI for each iteration i = 1, ..., 8 and its bit a_i.)

SPA Countermeasure: Square and multiply always
  Inputs: x, d = (d_{m-1} ... d_1 d_0)
  Output: y = x^d
   1: R0 ← 1
   2: i ← m - 1
   3: while (i >= 0) do
   4:   R0 ← R0 × R0        (square)
   5:   R1 ← R0 × x         (multiply)
   6:   if (d_i = 1) then
   7:     R0 ← R1
   8:   else
   9:     R0 ← R0
  10:   endif
  11:   i ← i - 1
  12: endwhile
  13: return R0

ECC: Scalar Multiplication
This is the main operation for ECC.
Inputs: P a point of the curve E, a large integer k = sum_{i=0}^{n-1} k_i 2^i
Output: the point Q = [k]P = P + P + P + ... + P   (k times)
Basic algorithm: double-and-add
  1: Q ← P
  2: for i from n-2 to 0 do
  3:   Q ← 2Q
  4:   if k_i = 1 then Q ← Q + P
Same problem: weak for SPA!

Countermeasure: Key Recoding
Recoding: w-NAF (non-adjacent form)
With k = sum_{i=0}^{n-1} k_i 2^i, k_i in {0, 1}, use k with digits in windows of w bits: |k_i| < 2^(w-1)
Example: k = 67 = (…)_2 = (…)_NAF = (…)_3-NAF = (… 5 …)_4-NAF = (…)_5-NAF
Cost: n DBL and n/(w+1) ADD
Notation: d̄ = -d where d is a digit

Addition Chains (PhD thesis of Nicolas Méloni)
In scalar multiplication [k]P, only use point additions on the curve  =>  robust against SPA
ADD(P1, P2) = (P1 + P2, P1) with P1 and P2 already computed
Problem: find a short chain
Example: addition chains for k = 6 (figure: tree of candidate chains)
Collaboration with UCC code and crypto group (6 8)
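The two exponentiation loops above, instrumented to record which operation runs at each step, so that the difference the SPA slide points at (a key-dependent sequence of squarings and multiplications) and its removal by the always variant can be checked directly. This is an added example, not code from the slides; the function names are its own. With doubling and point addition in place of squaring and multiplication the same loop is double-and-add for [k]P, and the same observation holds.

```python
# Added example (not from the slides): square-and-multiply versus
# square-and-multiply-always, each returning the sequence of executed operations.

from typing import Tuple

def modexp(x: int, d: int, n: int, always: bool) -> Tuple[int, str]:
    """Compute x^d mod n, scanning d from d_{m-1} down to d_0.
    Returns (result, trace); trace holds one letter per executed operation,
    'S' for a squaring and 'M' for a multiplication by x."""
    r0 = 1
    trace = []
    for di in (int(b) for b in bin(d)[2:]):
        r0 = r0 * r0 % n                      # R0 <- R0 * R0, every iteration
        trace.append("S")
        if always:
            r1 = r0 * x % n                   # R1 <- R0 * x, also every iteration
            trace.append("M")
            # Keep R1 when d_i = 1, R0 otherwise. Written as an arithmetic select
            # (a multiplexer in hardware) rather than a branch on the secret bit.
            r0 = di * r1 + (1 - di) * r0
        elif di == 1:
            r0 = r0 * x % n                   # multiply only when d_i = 1
            trace.append("M")
    return r0, "".join(trace)

def trace_depends_on_exponent(x: int, n: int, d1: int, d2: int, always: bool) -> bool:
    """True when two exponents of equal bit length leave different operation
    sequences, i.e. when the sequence itself is an SPA signature of the exponent."""
    assert d1.bit_length() == d2.bit_length()
    return modexp(x, d1, n, always)[1] != modexp(x, d2, n, always)[1]

if __name__ == "__main__":
    N = 1000003                               # constructed modulus for the demo
    for flag in (False, True):
        value, ops = modexp(3, 11, N, flag)
        print("always" if flag else "weak  ", value, ops)
    print("weak traces differ for 11 and 13:", trace_depends_on_exponent(3, N, 11, 13, False))
    print("always traces differ for 11 and 13:", trace_depends_on_exponent(3, N, 11, 13, True))
```

Two points a practitioner should keep from this: the always variant pays one extra multiplication per exponent bit, and it only makes the operation sequence uniform. The values written into R0 still depend on d, so the countermeasure addresses SPA, not the differential and correlation attacks listed on the first slide.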

Signed-Digit Redundant Number Systems
Avizienis 1961: radix β representation, replace the digit set {0, 1, 2, ..., β-1} by the digit set {-α, -α+1, ..., 0, ..., α-1, α} with α < β
If 2α + 1 > β some numbers have several possible representations
Example: radix β = 10, digits from the set D = {-9, ..., -1, 0, 1, ..., 9}
  (…)_{β,D} = (…9…)_{β,D} = (…99…)_{β,D} = (…8…)_{β,D} = (…89…)_{β,D} = ...
In a redundant number system there is a constant-time addition algorithm (without carry propagation) where all computations are done in parallel

Carry-Save Adder
In carry-save, the number A is represented in radix 2 using digits a_i in {0, 1, 2} coded by 2 bits such that a_i = a_{i,c} + a_{i,s} where a_{i,c} in {0, 1} and a_{i,s} in {0, 1}
  A = sum_{i=0}^{n-1} a_i 2^i = sum_{i=0}^{n-1} (a_{i,c} + a_{i,s}) 2^i
(Figure: carry-save addition of a and b, one cell per position, outputs s_4 ... s_0.)
Carry-save addition: delay of a constant number of cells, independent of n

Borrow-Save Addition
In borrow-save, the number A is represented in radix 2 using digits a_i in {-1, 0, 1} coded by 2 bits such that a_i = a_i^+ - a_i^- where a_i^+ in {0, 1} and a_i^- in {0, 1}
  A = sum_{i=0}^{n-1} a_i 2^i = sum_{i=0}^{n-1} (a_i^+ - a_i^-) 2^i
Cell (inputs a^+, b^+, d^-; outputs c^+, s^-):
  Arithmetic equation: 2c^+ - s^- = a^+ + b^+ - d^-
  Logic equations:     s^- = a^+ XOR b^+ XOR d^-
                       c^+ = a^+ b^+ + a^+ (NOT d^-) + b^+ (NOT d^-)
(Figure: borrow-save addition array of cells, outputs s_4 ... s_0.)
Borrow-save addition: delay of a constant number of cells, independent of n
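Bit-level models of the two representations above, written as an added example that is not code from the slides. A carry-save number is held as a pair of bit vectors (C, S); one row of 3:2 cells adds a binary operand using bitwise operations only, which is exactly why no carry travels across the word. The borrow-save cell implements the logic equations of the slide and is checked against its arithmetic equation. Helper names are this example's own.

```python
# Added example (not from the slides): carry-save and borrow-save arithmetic
# on bit vectors; every position is processed in parallel, no carry propagates.

def cs_value(c: int, s: int) -> int:
    """Value of a carry-save number: sum_i (a_{i,c} + a_{i,s}) 2^i."""
    return c + s

def cs_add_binary(c: int, s: int, x: int) -> tuple:
    """One row of full adders (3:2 compressors). Position i consumes (c_i, s_i, x_i)
    and emits a sum bit at weight 2^i plus a carry bit at weight 2^(i+1).
    Only bitwise operations are used: the delay is one cell, whatever the width."""
    sum_bits = c ^ s ^ x
    carry_bits = ((c & s) | (c & x) | (s & x)) << 1
    return carry_bits, sum_bits

def cs_accumulate(values: list) -> tuple:
    """Add a list of binary operands in carry-save form: one cell row per operand,
    never a carry-propagate adder. Returns the final (C, S) pair."""
    c, s = 0, 0
    for x in values:
        c, s = cs_add_binary(c, s, x)
    return c, s

def bs_value(plus: int, minus: int) -> int:
    """Value of a borrow-save number: sum_i (a_i^+ - a_i^-) 2^i."""
    return plus - minus

def bs_cell(a_plus: int, b_plus: int, d_minus: int) -> tuple:
    """Borrow-save cell of the slide: s- = a+ XOR b+ XOR d-,
    c+ = a+ b+ + a+ NOT(d-) + b+ NOT(d-), with 2c+ - s- = a+ + b+ - d-."""
    nd = 1 - d_minus
    s_minus = a_plus ^ b_plus ^ d_minus
    c_plus = (a_plus & b_plus) | (a_plus & nd) | (b_plus & nd)
    return c_plus, s_minus

def bs_cell_is_correct() -> bool:
    """Exhaustively check the logic equations against the arithmetic equation."""
    for a in (0, 1):
        for b in (0, 1):
            for d in (0, 1):
                c, s = bs_cell(a, b, d)
                if 2 * c - s != a + b - d:
                    return False
    return True

def bs_add_binary(plus: int, minus: int, x: int, width: int) -> tuple:
    """One row of borrow-save cells applied to all positions at once:
    a+ = plus, b+ = x, d- = minus. The new number has c+ at weight 2^(i+1)
    and s- at weight 2^i, so its value is plus + x - minus."""
    mask = (1 << width) - 1
    nd = ~minus & mask
    s_minus = plus ^ x ^ minus
    c_plus = (plus & x) | (plus & nd) | (x & nd)
    return c_plus << 1, s_minus

if __name__ == "__main__":
    c, s = cs_accumulate([0b1011, 0b0110, 0b1111])      # constructed operands
    print("carry-save: C =", bin(c), "S =", bin(s), "value =", cs_value(c, s))
    print("borrow-save cell correct:", bs_cell_is_correct())
    p, m = bs_add_binary(5, 2, 6, 4)                   # (5 - 2) + 6
    print("borrow-save:", bs_value(p, m))
```

The cost that the slide mentions for redundant systems shows up here as well: each number needs two bit vectors instead of one, and a final carry-propagate step is still required whenever a conventional binary result (or a comparison) is wanted.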

Double-Base Number Systems (DBNS) (1/3)
Redundant representation based on the sum of powers of 2 AND 3:
  x = sum_{i=1}^{n} x_i 2^{a_i} 3^{b_i}, with x_i in {…}, a_i, b_i >= 0
Example: 127 = 108 + 16 + 3 = 72 + 54 + 1 = ...
(Figure: 2-D tableau of the powers 2^a 3^b. Source: L. Imbert)

Double-Base Number Systems (DBNS) (2/3)
Smallest x > 0 with n DBNS terms in its decomposition:
  n   unsigned         signed
  1   1                1
  2   5                5
  3   23               103
  4   431              (4985)
  5   18,431           ?
  6   3,448,733        ?
  7   1,441,896,119    ?
  8   ?                ?
DBNS is a very sparse and redundant representation
Example: 127 has 783 DBNS representations among which 6 are canonic:
  127 = (108 + 18 + 1) = (108 + 16 + 3) = (96 + 27 + 4) = (72 + 54 + 1) = (64 + 54 + 9) = (64 + 36 + 27)

Double-Base Number Systems (DBNS) (3/3)
Application: ECC scalar multiplication
  459 = 4 9 + 8,  [459]P = [4 9]P + [8]P P,  cost: DBL + TPL + ADD
  459 = 4 9 6,  [459]P = ((( ([4]P P) P) P) P,  cost: 4 DBL + 9 TPL + 5 ADD

Protection at the Arithmetic Level
Redundant number system = a way to improve the performance of some operations
                        = a way to represent a value with different representations
  k → R_1(k), R_2(k), R_3(k), R_4(k), ...   (recoding rules: …)
  [R_1(k)]P = [R_2(k)]P = [R_3(k)]P = [R_4(k)]P = ... = [k]P
Proposed solution: use random redundant representations of k
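Three recodings of a scalar k, covering the key-recoding slide (w-NAF), the DBNS slides (a greedy double-base decomposition) and the last slide's proposal of random redundant representations. Every output evaluates back to k, which is the property the countermeasure relies on: the scalar multiplication can consume any of them. This is an added example, not code from the slides; the greedy DBNS algorithm and the random signed-binary recoding are standard techniques chosen for illustration, and all names are this example's own.

```python
# Added example (not from the slides): w-NAF, greedy DBNS and a randomized
# signed-binary recoding, all redundant representations of the same scalar k.

import random
from typing import List, Tuple

def naf_w(k: int, w: int) -> List[int]:
    """w-NAF digits of k, least significant first. Each nonzero digit is odd with
    |digit| < 2^(w-1) and is followed by at least w-1 zeros (w = 2 is the plain NAF)."""
    digits = []
    half, full = 1 << (w - 1), 1 << w
    while k > 0:
        if k & 1:
            d = k % full                  # k mod 2^w, taken in (-2^(w-1), 2^(w-1))
            if d >= half:
                d -= full
            k -= d                        # now k is divisible by 2^w
        else:
            d = 0
        digits.append(d)
        k >>= 1
    return digits

def random_signed_binary(k: int, rng: random.Random) -> List[int]:
    """A random redundant signed-binary representation of k (digits in {-1, 0, 1}).
    Whenever k is odd, both 1 and -1 are valid digits; the choice comes from the
    random source, so repeated recodings of the same k differ."""
    digits = []
    while k > 0:
        if k & 1:
            d = rng.choice((1, -1))
            k -= d
        else:
            d = 0
        digits.append(d)
        k >>= 1
    return digits

def eval_digits(digits: List[int]) -> int:
    """Value of a radix-2 digit string given least significant digit first."""
    return sum(d << i for i, d in enumerate(digits))

def dbns_greedy(k: int) -> List[Tuple[int, int]]:
    """Greedy double-base decomposition: repeatedly remove the largest 2^a 3^b <= k.
    Returns the exponent pairs (a, b) such that k = sum 2^a 3^b."""
    terms = []
    while k > 0:
        best = (0, 0, 1)
        b, p3 = 0, 1
        while p3 <= k:
            a = (k // p3).bit_length() - 1    # largest a with 2^a * 3^b <= k
            v = (1 << a) * p3
            if v > best[2]:
                best = (a, b, v)
            b, p3 = b + 1, p3 * 3
        terms.append((best[0], best[1]))
        k -= best[2]
    return terms

def eval_dbns(terms: List[Tuple[int, int]]) -> int:
    return sum((1 << a) * 3 ** b for a, b in terms)

def double_and_add_cost(digits: List[int]) -> Tuple[int, int]:
    """(DBL, ADD) count of a left-to-right scalar multiplication driven by a digit
    string: one doubling per digit after the first, one addition per nonzero digit
    after the leading one."""
    nonzero = sum(1 for d in digits if d)
    return len(digits) - 1, max(nonzero - 1, 0)

if __name__ == "__main__":
    k = 127                                   # the value used on the DBNS slide
    print("NAF   :", naf_w(k, 2), double_and_add_cost(naf_w(k, 2)))
    print("DBNS  :", dbns_greedy(k), "=", eval_dbns(dbns_greedy(k)))
    for seed in range(3):
        digits = random_signed_binary(k, random.Random(seed))   # constructed seeds
        print("random:", digits, "=", eval_digits(digits))
```

The greedy decomposition of 127 returns 108 + 18 + 1, the first canonic representation listed on the slide. For the randomized recoding, the random source must be the device's TRNG, not a seeded generator as in this demo; a predictable recoding choice gives no protection.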

Towards an ECC (co)processor
(Figure: block diagram with COMM, CTRL, AGU, register file, TRNG, key recoding and countermeasures blocks, and functional units ±, × and 1/x on F_q, each with local register(s) and control.)
Functional units (FU): ±, ×, 1/x for F_p and F_2^m, key recoding
Memory: register file + internal registers in the FUs
Control: operations (E and F_q levels) schedule, parameters management...

Circuits with On-Line Quality Evaluation: Tested True Random Number Generator
Objectives: TRNGs with embedded quality tests for security applications
(Figure: TRNG → DAS → internal random bits, with a reconfigurable clock generator and embedded statistical tests (AIS 31, FIPS 140-2).)
Quality of a TRNG depends on:
- type of TRNG
- target circuit (FPGA, ASIC, ...)
- V_dd, EMR, temp., attacks...
- data rate (Mbit/s)
Comparison of various TRNGs (e.g. TRNG of Dichtl et al.); find the optimal data rate of a TRNG by ...
Evaluation results: (figure: success percentage (%) of the run test and of the AIS tests versus data rate (Mb/s))
ASIC: nm circuit HCMOS9GP (CMP); V : June 9 (% OK), V : Q
FPGAs: Xilinx, Altera, Actel

Residue Number System (RNS)
Base B = (m_1, m_2, ..., m_k) of k relatively prime moduli
Size of the base: k
A = {a_1, a_2, ..., a_k},  for all i: a_i = A mod m_i
Operations:
  A ± B = ( |a_1 ± b_1|_{m_1}, ..., |a_k ± b_k|_{m_k} )
  A × B = ( |a_1 b_1|_{m_1}, ..., |a_k b_k|_{m_k} )

Residue Number System: Example (1/2)
Base: B = (8, 7, 5, 3)
Dynamic range: M = 8 × 7 × 5 × 3 = 840, i.e., 0 <= A < M
   A   A_RNS          A   A_RNS          A   A_RNS
   0   [0, 0, 0, 0]   9   [1, 2, 4, 0]   18  [2, 4, 3, 0]
   1   [1, 1, 1, 1]   10  [2, 3, 0, 1]   19  [3, 5, 4, 1]
   2   [2, 2, 2, 2]   11  [3, 4, 1, 2]   20  [4, 6, 0, 2]
   3   [3, 3, 3, 0]   12  [4, 5, 2, 0]   21  [5, 0, 1, 0]
   4   [4, 4, 4, 1]   13  [5, 6, 3, 1]   22  [6, 1, 2, 1]
   5   [5, 5, 0, 2]   14  [6, 0, 4, 2]   23  [7, 2, 3, 2]
   6   [6, 6, 1, 0]   15  [7, 1, 0, 0]   24  [0, 3, 4, 0]
   7   [7, 0, 2, 1]   16  [0, 2, 1, 1]   25  [1, 4, 0, 1]
   8   [0, 1, 3, 2]   17  [1, 3, 2, 2]   26  [2, 5, 1, 2]

Residue Number System: Example (2/2)
Operands: A = 6 = [6, 6, 1, 0] and B = 16 = [0, 2, 1, 1]
Addition:
  (6 + 0) mod 8 = 6
  (6 + 2) mod 7 = 1
  (1 + 1) mod 5 = 2
  (0 + 1) mod 3 = 1
  Verification: 22 = [6, 1, 2, 1]
Multiplication:
  (6 × 0) mod 8 = 0
  (6 × 2) mod 7 = 5
  (1 × 1) mod 5 = 1
  (0 × 1) mod 3 = 0
  Verification: 96 = [0, 5, 1, 0]

Residue Number System: Conversions
From standard to RNS: for all i, a_i = A mod m_i
From RNS to standard: using a constructive proof of the Chinese Remainder Theorem (CRT)
  A = ( sum_{i=1}^{k} a_i × M_i × |M_i^{-1}|_{m_i} ) mod M
  where M = prod_{i=1}^{k} m_i, A < M, M_i = M / m_i and |M_i^{-1}|_{m_i} is the inverse of M_i modulo m_i

Residue Number System: Summary
Advantages:
- parallel addition/subtraction and multiplication
- no carry propagation (between the blocks)
- natural way to split large numbers = simple scheduling
- no order in the elements (RNS is not a positional number system)
Disadvantages:
- difficult comparison (< and >)
- difficult division
- difficult sign test
- difficult magnitude computation

Circuit-Level Representations of Digits
Standard representation of a bit b: V_DD = b = 1, GND = b = 0
Dual-rail representation of a bit b: (r_1 = V_DD, r_0 = GND) = b = 1, (r_1 = GND, r_0 = V_DD) = b = 0
Benefit: same number of transitions for 0 and 1
Cost: larger area and memory
High-radix coding: radix 4 with a digit set of five digits
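The RNS slides worked in code: conversion into the base B = (8, 7, 5, 3), channel-wise addition and multiplication, and the CRT reconstruction with the formula above, reproducing the 6 + 16 = 22 and 6 × 16 = 96 checks. This is an added example, not code from the slides; the function names are its own. It also shows the two caveats a practitioner meets first: results are only meaningful below the dynamic range M, and comparison has no channel-wise form, so the only generic way is to convert back.

```python
# Added example (not from the slides): RNS arithmetic in the base of the slides
# and the CRT conversion back to a standard integer.

from typing import List, Sequence

BASE = (8, 7, 5, 3)          # the slide's base B; pairwise coprime, M = 840

def dynamic_range(base: Sequence[int] = BASE) -> int:
    """M = m_1 * m_2 * ... * m_k; every value must satisfy 0 <= A < M."""
    m = 1
    for mi in base:
        m *= mi
    return m

def to_rns(a: int, base: Sequence[int] = BASE) -> List[int]:
    """Standard -> RNS: a_i = A mod m_i for every modulus."""
    return [a % mi for mi in base]

def rns_add(x: List[int], y: List[int], base: Sequence[int] = BASE) -> List[int]:
    """Channel-wise addition: no carry crosses from one modulus to another."""
    return [(xi + yi) % mi for xi, yi, mi in zip(x, y, base)]

def rns_mul(x: List[int], y: List[int], base: Sequence[int] = BASE) -> List[int]:
    """Channel-wise multiplication, the operation RNS is chosen for."""
    return [(xi * yi) % mi for xi, yi, mi in zip(x, y, base)]

def from_rns(x: List[int], base: Sequence[int] = BASE) -> int:
    """RNS -> standard by the CRT: A = (sum a_i * M_i * |M_i^-1|_{m_i}) mod M,
    with M_i = M / m_i. This is the costly step the summary slide warns about."""
    m = dynamic_range(base)
    total = 0
    for xi, mi in zip(x, base):
        m_i = m // mi
        inv = pow(m_i, -1, mi)            # |M_i^{-1}|_{m_i}
        total += xi * m_i * inv
    return total % m

def rns_less_than(x: List[int], y: List[int], base: Sequence[int] = BASE) -> bool:
    """Comparison is not available channel-wise (RNS is non-positional); the
    generic method is a full conversion of both operands."""
    return from_rns(x, base) < from_rns(y, base)

if __name__ == "__main__":
    a, b = to_rns(6), to_rns(16)
    print("6  =", a, " 16 =", b)
    print("6 + 16 =", rns_add(a, b), "=", from_rns(rns_add(a, b)))
    print("6 * 16 =", rns_mul(a, b), "=", from_rns(rns_mul(a, b)))
    # Exceeding the dynamic range: 30 * 30 = 900 >= 840 wraps silently to 60.
    print("30 * 30 ->", from_rns(rns_mul(to_rns(30), to_rns(30))))
```

Because a product that exceeds M wraps around silently, a cryptographic implementation sizes the base so that the largest intermediate result stays below M, or reduces modulo the field prime p between multiplications (the RNS Montgomery reduction of the cited leak-resistant-arithmetic work does exactly that).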

Conclusion
- attacks are more and more efficient
- security is mandatory at all levels (specification, algorithm, operation, implementation)
- security = tradeoff between performances and robustness
- security = computer science + microelectronics + mathematics
Current research topics:
- redundant number systems
- non-positional number systems
- circuit reconfigurations (representations, algorithms)
- circuits with reduced activity variations
- links between scheduling and circuit activity
- design space exploration

The end, some questions?
Contact: mailto:arnaud.tisserand@irisa.fr
http://www.irisa.fr/prive/arnaud.tisserand/
CAIRN Group: http://www.irisa.fr/cairn/
IRISA Laboratory, CNRS INRIA Univ. Rennes, 6 rue Kérampont, BP 858, F-5 Lannion cedex, France
Thank you