ECC on small devices
Junfeng Fan, Katholieke Universiteit Leuven, Belgium (junfeng.fan@esat.kuleuven.be)
PowerPoint PPT presentation. Slides 2–4: What is a small device? ... Trusted Platform. The extract below resumes at slide 56.


  1. ➢ Common-Z trick (7 --> 6) (slide 56)

     Point addition (X1, Z1) + (X2, Z2), with difference point x0 = x(P):
       T1 ← x0
       X1 ← X1·Z2
       Z1 ← Z1·X2
       T2 ← X1·Z1
       Z1 ← X1 + Z1
       Z1 ← Z1²
       X1 ← T1·Z1
       X1 ← X1 + T2
     Registers: 7   Mul.: 4   Sqr.: 1

     Point doubling 2(X1, Z1), with the constant c = √b (so that (c·Z1²)² = b·Z1⁴):
       T1 ← c
       X1 ← X1²
       Z1 ← Z1²
       T1 ← Z1·T1
       Z1 ← X1·Z1
       T1 ← T1²
       X1 ← X1²
       X1 ← X1 + T1
     Registers: 3   Mul.: 2   Sqr.: 4

     ● 7 registers in total: (x0, X1, Z1, X2, Z2, T1, T2)
     ● Further reduction: let both points share one Z. After each iteration the two results are rescaled to the common denominator Z ← Z1·Z2 (three extra multiplications, but the addition then needs no Z products), so the register file becomes (x0, X1, X2, Z, T1, T2)
     ● Cost for one iteration: 6M+5S → 7M+4S

  2. ➢ Circular-shift register file (slide 57; slides courtesy: Yongki Lee)

  3. ➢ Power & Energy (slides 58–61)
      To support the computations
      To support a reasonable reading distance

  7. ➢ Power & Energy (slide 62)
     P_d = α · C · V² · f
     (dynamic power = switching activity α × output capacitance C × Vdd² × clock frequency f)

  8. ➢ A bit-serial multiplier (slides 63–64)
     Input : A(x) = {a_{m-1}, a_{m-2}, …, a_1, a_0}, B(x) = {b_{m-1}, b_{m-2}, …, b_1, b_0}, and P(x) = {1, p_{m-1}, …, p_1, 1}
     Output: C(x) = A(x)·B(x) mod P(x)
       1: C(x) ← 0;
       2: for i = m-1 downto 0 do
       3:   C(x) ← x·C(x) + b_i·A(x); C(x) ← C(x) mod P(x);
       4: end for
       Return: C(x)
     [Figure: bit-serial multiplier with inputs A(x) and b_i, accumulator register C(x) and output C_out(x). Delay: ≈ m cycles]

  10. ➢ Power & Energy: digit-serial multiplier (slide 65)
     [Figure: several bit-serial multiplier stages (inputs A(x), b_i; registers C(x)) chained into a digit-serial multiplier with output C_out(x)]
     Bit-serial multiplier: delay ≈ m cycles. Digit-serial multiplier with digit size d: delay ≈ m/d cycles.
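As an added example (not code from the slides or from the KU Leuven processor), the following Python models the bit-serial multiplier of slides 8–9 and the digit-serial variant of slide 10, reporting the clock-cycle count of each, and then uses that arithmetic to run one Montgomery ladder iteration in the seven-register textbook schedule and in the six-register common-Z schedule of slide 1, checking that both produce the same affine x and that the operation counts are 6M+5S and 7M+4S. Assumptions: the field is GF(2^163) with the NIST K-163/B-163 reduction polynomial; the curve constant b and the base-point coordinate x0 are arbitrary non-zero field elements chosen here, so no standard curve is implied; the common-Z register schedule is my own reconstruction from the slide's register and cost figures, not copied from the deck.

```python
"""Added example, not code from the slides: bit-/digit-serial GF(2^m) multipliers
(slides 8-10) driving the Lopez-Dahab x-only Montgomery ladder step in its textbook
form (X1,Z1,X2,Z2: 6M+5S) and in the common-Z form of slide 1 (X1,X2,Z: 7M+4S).
Field GF(2^163), NIST K-163/B-163 polynomial; b and x0 are arbitrary (my choice)."""
M = 163
POLY = (1 << M) | (1 << 7) | (1 << 6) | (1 << 3) | 1  # P(x) = x^163 + x^7 + x^6 + x^3 + 1
COST = {"M": 0, "S": 0}                                # multiplications / squarings per step

def bitserial_mul(a, b):
    """Slides 8-9: for i = m-1..0: C <- x*C + b_i*A; C <- C mod P(x).  About m cycles."""
    c = 0
    for i in range(M - 1, -1, -1):
        c = (c << 1) ^ (a if (b >> i) & 1 else 0)
        if c >> M:             # degree m reached: subtract (XOR) P(x) once
            c ^= POLY
    return c

def digitserial_mul(a, b, d):
    """Slide 10: d chained bit-serial stages per clock -> ceil(m/d) cycles.
    Returns (product, clock cycles)."""
    c, cycles = 0, 0
    for i in range(M - 1, -1, -d):
        for j in range(i, max(i - d, -1), -1):   # bits b_i .. b_{i-d+1} in one cycle
            c = (c << 1) ^ (a if (b >> j) & 1 else 0)
            if c >> M:
                c ^= POLY
        cycles += 1
    return c, cycles

def mul(a, b):
    COST["M"] += 1
    return bitserial_mul(a, b)

def sqr(a):
    COST["S"] += 1
    return bitserial_mul(a, a)

def inv(a):
    """a^(2^m - 2) by square-and-multiply; done once after the ladder, so not counted."""
    r, e = 1, (1 << M) - 2
    for i in range(e.bit_length() - 1, -1, -1):
        r = bitserial_mul(r, r)
        if (e >> i) & 1:
            r = bitserial_mul(r, a)
    return r

def step_textbook(X1, Z1, X2, Z2, x0, b):
    """Madd (4M+1S) of (X1:Z1)+(X2:Z2) with difference x0, then Mdouble (2M+4S) of (X1:Z1).
    Seven registers: x0, X1, Z1, X2, Z2, T1, T2.  Returns ((Xa, Za), (Xd, Zd))."""
    T1 = mul(X1, Z2)
    T2 = mul(X2, Z1)
    Za = sqr(T1 ^ T2)
    Xa = mul(x0, Za) ^ mul(T1, T2)
    T1, T2 = sqr(X1), sqr(Z1)           # X1^2, Z1^2
    Zd = mul(T1, T2)                    # X1^2 Z1^2
    Xd = sqr(T1) ^ mul(b, sqr(T2))      # X1^4 + b Z1^4
    return (Xa, Za), (Xd, Zd)

def step_common_z(X1, X2, Z, x0, c):
    """Same step with one shared Z (slide 1): six registers x0, X1, X2, Z, T1, T2 and 7M+4S;
    c = sqrt(b).  Returns (Xa', Xd', Z') with both outputs on the common Z' = Za*Zd."""
    T1 = sqr(X1 ^ X2)                   # Za (the shared Z^2 factor cancels projectively)
    T2 = mul(X1, X2)
    X2 = mul(x0, T1) ^ T2               # Xa
    T2 = sqr(X1)                        # X1^2
    Z = sqr(Z)                          # Z^2
    X1 = mul(T2, Z)                     # Zd = X1^2 Z^2
    Z = sqr(T2 ^ mul(c, Z))             # Xd = (X1^2 + c Z^2)^2 = X1^4 + b Z^4
    X2 = mul(X2, X1)                    # Xa * Zd
    T2 = mul(Z, T1)                     # Xd * Za
    Z = mul(X1, T1)                     # Z' = Zd * Za
    return X2, T2, Z

def step_cost(common_z):
    """(M, S) of one ladder iteration; the operand values are irrelevant for counting."""
    COST["M"] = COST["S"] = 0
    step_common_z(3, 5, 7, 11, 13) if common_z else step_textbook(3, 5, 7, 11, 13, 17)
    return COST["M"], COST["S"]

def ladder(k, x0, b, common_z):
    """Montgomery ladder (slide 19) in x-only LD coordinates: affine x([k]P) for x(P) = x0."""
    c = b
    for _ in range(M - 1): c = bitserial_mul(c, c)   # sqrt(b) = b^(2^(m-1))
    X1, Z1 = x0, 1                                   # P1 = P
    X2, Z2 = sqr(sqr(x0)) ^ b, sqr(x0)               # P2 = [2]P = (x0^4 + b : x0^2)
    Z = Z2
    if common_z:
        X1 = mul(x0, Z2)                             # P1 rescaled onto the common Z
    for i in range(k.bit_length() - 2, -1, -1):
        bit = (k >> i) & 1                           # add both, double the point the bit selects
        if common_z:
            if bit:
                X1, X2, Z = step_common_z(X2, X1, Z, x0, c)
            else:
                X2, X1, Z = step_common_z(X1, X2, Z, x0, c)
        elif bit:
            (X1, Z1), (X2, Z2) = step_textbook(X2, Z2, X1, Z1, x0, b)
        else:
            (X2, Z2), (X1, Z1) = step_textbook(X1, Z1, X2, Z2, x0, b)
    return bitserial_mul(X1, inv(Z if common_z else Z1))
```

The check worth running is not only that the two schedules agree with each other but that the ladder is a real scalar multiplication: x([k1·k2]P) must equal x([k2]Q) for Q = [k1]P, which holds for any x0 because every x in GF(2^m) is the x-coordinate of a point on the curve with the given b or on its sibling with the other trace of a, and the x-only formulas do not involve a.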

  11. ➢ Power & Energy (slides 66–67)
      Target: one point multiplication within 0.25 s
     [Chart: area [kGE], cycles [×10^4], frequency [×10 kHz], power [µW] and energy [µJ] (y-axis 0–120) versus digit size of the multiplier, d = 1 … 5]

  13. ➢ Physical attacks (slides 68–70)
     Side-Channel Analysis
     Fault Analysis

  16. ➢ Power analysis (slide 71)
     [Figure: measurement setup. VDD = +3.3 V supplies the ECC processor; a resistor R sits between the processor and GND, and the oscilloscope measures the voltage drop across R]

  17. ➢ Simple power analysis (slides 72–73)
     k = (k_{l-1}, k_{l-2}, ..., k_0)
     Left-to-right binary method for point multiplication:
       R ← O
       for i = l-1 downto 0 do
         R ← [2]R
         if k_i = 1 then R ← R + P end if
       end for

  19. ➢ Montgomery Ladder? (slides 74–76)
     Algorithm 1: Montgomery Powering Ladder
     Input: k = {1, k_{t-1}, ..., k_0} and point P
     Output: [k]P
       1: P1 ← P, P2 ← [2]P
       2: for i = t-1 downto 0 do
       3:   if k_i = 1 then P1 ← P1 + P2, P2 ← [2]P2 else P2 ← P1 + P2, P1 ← [2]P1
       4: end for
       Return P1
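The following Python is an added example, not code from the slides: an operation-sequence model of simple power analysis against the two point-multiplication methods of slides 17–21. The group is a stand-in of my choosing (Z_n under addition, so a "point" is an integer mod n, doubling is 2R mod n and addition is R+P mod n), since only the control flow matters here. Each group operation appends its name to a trace, standing in for the distinguishable power shapes of a point doubling and a point addition that the attacker reads off the oscilloscope.

```python
"""Added example, not code from the slides: SPA as an operation-sequence model.
Group: Z_n under addition (a stand-in; only the D/A control flow is of interest)."""
N = 2**61 - 1                  # group order; any value works for this model (my choice)

def dbl(r, trace):
    trace.append("D")
    return 2 * r % N

def add(r, p, trace):
    trace.append("A")
    return (r + p) % N

def binary_ltr(k, p):
    """Slide 17: left-to-right binary method.  Returns ([k]P, trace); the addition is
    executed only for k_i = 1, so the trace reads 'DA' for a 1 bit and 'D' for a 0 bit."""
    trace, r = [], 0
    for i in range(k.bit_length() - 1, -1, -1):
        r = dbl(r, trace)
        if (k >> i) & 1:
            r = add(r, p, trace)
    return r, trace

def montgomery_ladder(k, p):
    """Slide 19: k = {1, k_{t-1}, ..., k_0}.  Both branches perform one addition and one
    doubling, so the trace shape depends only on the length of k, not on its bits."""
    trace = []
    p1, p2 = p, dbl(p, trace)                         # P1 = P, P2 = [2]P
    for i in range(k.bit_length() - 2, -1, -1):
        if (k >> i) & 1:
            p1, p2 = add(p1, p2, trace), dbl(p2, trace)
        else:
            p2, p1 = add(p1, p2, trace), dbl(p1, trace)
    return p1, trace

def spa_recover(trace):
    """Slide 18: read k back from the D/DA pattern left by the binary method."""
    bits = []
    for i, op in enumerate(trace):
        if op == "D":
            bits.append(1 if i + 1 < len(trace) and trace[i + 1] == "A" else 0)
    return int("".join(map(str, bits)), 2)

def ladder_trace_is_key_independent(k1, k2):
    """True when two scalars leave identical ladder traces (same bit length)."""
    return montgomery_ladder(k1, 5)[1] == montgomery_ladder(k2, 5)[1]
```

The ladder removes the D/DA pattern, but its branch still decides which register is doubled; that residual key dependence is what the countermeasure table on slide 96 scores under the safe-error columns, and it is why a hardware ladder normally replaces the branch by a swap.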

  22. ➢ Differential power analysis (slides 77–83)
     ● Input points P1, P2, ..., Pn; the device computes [k]P1, [k]P2, ..., [k]Pn with the secret k
     ● The attacker records the power consumption of each [k]Pi
     ● Key guess k = k': compute the predicted intermediates [k']P1, [k']P2, ..., [k']Pn and feed them to a power model
     ● Compare the modelled power for [k']Pi with the measured power for [k]Pi over all i

  29. ➢ Fault analysis (slides 84–85)

  31. ➢ Fault analysis (weak curve) [Biehl+'00] (slides 86–89)
     Q = [k]P, input point P(xP, yP), secret k
      The specified curve is
        E : y² + a1·xy + a3·y = x³ + a2·x² + a4·x + a6,
      and P(xP, yP) is on E. The coefficient a6 is not used for PA/PD (point addition/doubling).
      Inject a fault: P(xP, yP) → P'(xP, y'P). P' lies on
        E' : y² + a1·xy + a3·y = x³ + a2·x² + a4·x + a'6,
      and, since PA/PD never touch a6, the device computes [k]P' on E'.

  35. ➢ Point validation (slides 90–91)
     Q = [k]P, input point P(xP, yP), secret k
     PV, before the point multiplication:
       1. check the integrity of curve E;
       2. check whether P is on the curve.
     But: can the adversary inject faults after the validation step?

  37. ➢ Fault analysis (twist curve) [Fouque+'08] (slides 92–95)
      Consider a curve defined over Fp: E : y²z = x³ + a·xz² + b·z³. The y coordinate is not needed for the Montgomery ladder.
      The twist of E: E' : ε·y²z = x³ + a·xz² + b·z³, where ε is a quadratic non-residue in Fp.
      Let (xP, –) be a point on E; a random fault on xP may then lead to a point on E' with probability 1/2.
      So it is necessary to perform PV after the point multiplication.
     But: can the adversary inject faults before the validation step?

  41. Countermeasures versus attacks (slide 96)
     Legend: √ effective, x attacked, - not related, H helps the attack, ? not clear or not published, * implementation dependent. TA = template attack.

                              | Passive attacks                                  | Active attacks
                              | SPA  TA   DPA  Doubl.  RPA/  Carry | Safe-error | Weak curve                 | Sign    Diff.
                              |                attack  ZPA   based | M    C     | Invalid Invalid Twist     | change  fault
                              |                                    | type type  | point   curve   curve     |
     Indistinguishable PA/PD  | √    -    -    ?       -     -     | -    -     | -       -       -         | -       -
     Double-add-always        | √    -    -    x       -     -     | -    H     | -       -       -         | -       -
     Montgomery ladder ┴      | √    -    -    x       ?     -     | √*   -     | -       -       H         | √       -
     Montgomery ladder ┬      | √    -    -    x       x     -     | √*   -     | -       -       √         | -       -
     Random key splitting     | -    ?    √    ?       √     x     | -    -     | -       -       ?         | ?       ?
     Scalar randomization     | -    x    x    x       √     x     | -    -     | -       -       -         | ?       ?
     Base point blinding      | -    x    x    x       √     -     | -    -     | ?       *?      -         | -       ?
     Randomized proj. coord.  | -    √    √    ?       x     -     | -    -     | -       -       -         | -       ?
     Randomized EC iso.       | -    ?    √    ?       x     -     | -    -     | -       -       -         | -       ?
     Randomized field iso.    | -    ?    √    ?       x     -     | -    -     | -       -       -         | -       ?
     Point validity check     | -    -    -    -       -     -     | -    H     | √       ?       √┬        | H       √
     Curve integrity check    | -    -    -    -       -     -     | -    -     | -       √       -         | -
     Coherence check          | -    -    -    -       -     -     | -    H     | -       ?       -         | √*      √

  42. ➢ Attacking points (slides 97–100): the Schnorr protocol
     ● Tag's private key: x
     ● Tag's public key: X (= [-x]P)

     Reader (Verifier)                             Tag (Prover)
                                    <-- R1 --      r1 = TRNG(); R1 = [r1]P
     r2 = TRNG()                    --  r2 -->
                                    <-- v  --      v = x·r2 + r1 mod n
     If [v]P + [r2]X == R1 then accept
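The following Python is an added example, not code from the slides or from the tag implementation, serving both the fault-analysis slides 31–40 and the Schnorr protocol of slides 42–45. It shows, over a curve in short Weierstrass form, that the affine addition and doubling formulas never read b (so a faulted input point is silently processed on the curve E' it actually lies on, and only a validation check before the multiplication catches it), that a random x-only input lands on the quadratic twist about half of the time, and the Schnorr exchange exactly as drawn on the slide, including what happens when the TRNG repeats r1. Assumptions: secp256k1 (y² = x³ + 7 over Fp) is used only because its parameters are public, the slides name no curve; the point P of the slide is the generator G; the y-bit flip and the seeds are constructed test inputs; scalar multiplication is plain double-and-add with no side-channel protection.

```python
"""Added example, not code from the slides: weak-curve fault [Biehl+'00], point
validation, twist membership [Fouque+'08] and the Schnorr identification protocol
over secp256k1 (chosen only for its public parameters)."""
import random

PRIME = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7                                                           # y^2 = x^3 + A x + B
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # order n of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
O = None                                                              # point at infinity

def on_curve(pt, b=B):
    """Point validation: y^2 == x^3 + A x + b ?  (b defaults to the specified curve)."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - x * x * x - A * x - b) % PRIME == 0

def add(p1, p2):
    """Affine point addition / doubling.  The coefficient b never appears, so a point on
    E' (same A, other b) is processed exactly like a point on E."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, PRIME - 2, PRIME)
    else:
        lam = (y2 - y1) * pow(x2 - x1, PRIME - 2, PRIME)
    lam %= PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return x3, (lam * (x1 - x3) - y1) % PRIME

def mul(k, pt):
    """Left-to-right double-and-add (the SPA-vulnerable method of slide 17)."""
    r = O
    for i in range(k.bit_length() - 1, -1, -1):
        r = add(r, r)
        if (k >> i) & 1:
            r = add(r, pt)
    return r

def curve_b_of(pt):
    """b' of the curve y^2 = x^3 + A x + b' that pt actually lies on."""
    x, y = pt
    return (y * y - x * x * x - A * x) % PRIME

def weak_curve_fault(k):
    """Flip the low bit of y_P (constructed fault).  Returns (P' passes validation,
    b' != b, [k]P' is on E'): without a check before the multiplication the device
    runs its secret k on E' [Biehl+'00]."""
    faulted = (G[0], G[1] ^ 1)
    b2 = curve_b_of(faulted)
    return on_curve(faulted), b2 != B, on_curve(mul(k, faulted), b2)

def on_twist_x(x):
    """x-only input (Montgomery ladder): x^3 + A x + B a non-residue means the point with
    this x lies on the quadratic twist eps*y^2 = x^3 + A x + B [Fouque+'08]."""
    v = (x * x * x + A * x + B) % PRIME
    return pow(v, (PRIME - 1) // 2, PRIME) == PRIME - 1

def twist_fraction(samples, seed=1):
    """Fraction of random x (a random fault on x_P) that land on the twist: about 1/2."""
    rng = random.Random(seed)
    return sum(on_twist_x(rng.randrange(1, PRIME)) for _ in range(samples)) / samples

# Schnorr identification as drawn on the slide: tag key x, public key X = [-x]P, P = G here.
def tag_commit(rng):
    r1 = rng.randrange(1, N)                  # TRNG output
    return r1, mul(r1, G)                     # R1 = [r1]P

def tag_respond(x, r1, r2):
    return (x * r2 + r1) % N                  # v = x*r2 + r1 mod n

def reader_verify(X, R1, r2, v):
    return add(mul(v, G), mul(r2, X)) == R1   # [v]P + [r2]X == R1 ?

def schnorr_run(x, seed):
    rng = random.Random(seed)                 # stands in for both parties' TRNGs
    X = mul((-x) % N, G)
    r1, R1 = tag_commit(rng)
    r2 = rng.randrange(1, N)                  # reader's challenge
    return reader_verify(X, R1, r2, tag_respond(x, r1, r2))

def key_from_reused_r1(r2a, va, r2b, vb):
    """If the TRNG repeats r1 for two challenges, va - vb = x*(r2a - r2b) mod n and an
    eavesdropper solves for x: the random point R1 is one of the attacking points."""
    return (va - vb) * pow((r2a - r2b) % N, N - 2, N) % N
```

The verification equation works because X = [-x]P: [v]P + [r2]X = [x·r2 + r1]P + [r2][-x]P = [r1]P = R1. The same linearity is what makes a repeated r1 fatal, which is why the slide's attacking points include the TRNG and not only the multiplication by x.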
