Elliptic Curve Cryptography on Embedded Devices Scalar - - PowerPoint PPT Presentation

Elliptic Curves Side-Channel Countermeasures Conclusion

Elliptic Curve Cryptography on Embedded Devices

Scalar Multiplication and Side-Channel Attacks Vincent Verneuil1,2

1Inside Secure 2Institut de Math´

ematiques de Bordeaux

S´ eminaire Arithm´ etique et Th´ eorie de l’Information Institut de Math´ ematiques de Luminy 01 / 2011

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion

Outline

1

Elliptic Curve Cryptography Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms

2

Side-Channel Analysis Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis

3

Countermeasures SSCA Countermeasures DSCA Countermeasures FA Countermeasures

4

Conclusion

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion

Inside Secure in (very) short

✲ ✲ Manufacturer Chip Embedder Issuer

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion

Inside Secure in (very) short

✲ ✲ Manufacturer Chip Embedder Issuer

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Outline

1

Elliptic Curve Cryptography Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms

2

Side-Channel Analysis Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis

3

Countermeasures SSCA Countermeasures DSCA Countermeasures FA Countermeasures

4

Conclusion

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Outline

1

Elliptic Curve Cryptography Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms

2

Side-Channel Analysis Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis

3

Countermeasures SSCA Countermeasures DSCA Countermeasures FA Countermeasures

4

Conclusion

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Elliptic Curve Equation

Considering a field Fp, p > 3, the points (x,y) of E/Fp : y2 = x3 +ax +b and the “point at infinity” O form a group.

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Elliptic Curve Equation

Considering a field Fp, p > 3, the points (x,y) of E/Fp : y2 = x3 +ax +b and the “point at infinity” O form a group.

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Elliptic Curve Equation

Considering a field Fp, p > 3, the points (x,y) of E/Fp : y2 = x3 +ax +b and the “point at infinity” O form a group.

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Scalar Multiplication

Given a point P in E(Fp) and an integer k, we fix k ·P = P +P +···+P

• k times

.

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Scalar Multiplication

Given a point P in E(Fp) and an integer k, we fix k ·P = P +P +···+P

• k times

.

Elliptic Curve Discrete Logarithm Problem (ECDLP)

Given P in E(Fp) and α·P, 1 ≤ α ≤ #E(Fp), find α ? Much harder than DLP on finite fields, or factoring.

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Scalar Multiplication

Given a point P in E(Fp) and an integer k, we fix k ·P = P +P +···+P

• k times

.

Elliptic Curve Discrete Logarithm Problem (ECDLP)

Given P in E(Fp) and α·P, 1 ≤ α ≤ #E(Fp), find α ? Much harder than DLP on finite fields, or factoring.

Security 280 2112 2128 2192 ElGamal p/q 160/1024 224/2048 256/3072 384/8192 RSA 1024 2048 3072 8192 ECC 160 224 256 384 Keylengths for roughly equivalent security

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Two Levels Arithmetic

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Two Levels Arithmetic

Points group of the elliptic curve

• E (Fp) : point set
• additive law
• point additions and doublings
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Two Levels Arithmetic

Points group of the elliptic curve

• E (Fp) : point set
• additive law
• point additions and doublings

Base field

• Fp : equivalence classes of integers modulo p
• additive and multiplicative laws
• modular additions and multiplications
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Embedded Devices Constraints

Efficiency

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Embedded Devices Constraints

Efficiency

• Most transactions have to take less than 500 ms
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Embedded Devices Constraints

Efficiency

• Most transactions have to take less than 500 ms
• Small amount of RAM
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Embedded Devices Constraints

Efficiency

• Most transactions have to take less than 500 ms
• Small amount of RAM
• Very low power (then frequency) for contactless devices
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Embedded Devices Constraints

Efficiency

• Most transactions have to take less than 500 ms
• Small amount of RAM
• Very low power (then frequency) for contactless devices

Arithmetic optimizations

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Embedded Devices Constraints

Efficiency

• Most transactions have to take less than 500 ms
• Small amount of RAM
• Very low power (then frequency) for contactless devices

Arithmetic optimizations

• At the base field level (addition formulas, points representation)
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Embedded Devices Constraints

Efficiency

• Most transactions have to take less than 500 ms
• Small amount of RAM
• Very low power (then frequency) for contactless devices

Arithmetic optimizations

• At the base field level (addition formulas, points representation)
• At the points group level (scalar multiplication algorithm)
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Fp Operations Theoretical Cost

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Fp Operations Theoretical Cost

Expensive operations

• Inversion (I)
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Fp Operations Theoretical Cost

Expensive operations

• Inversion (I)

Significant operations

• Multiplication (M)
• Squaring (S, S/M ≈ 0.8)
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Fp Operations Theoretical Cost

Expensive operations

• Inversion (I)

Significant operations

• Multiplication (M)
• Squaring (S, S/M ≈ 0.8)

Negligible operations

• Addition (A)
• Subtraction (S)
• Negation (N)
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Fp Operations Theoretical Cost

Expensive operations

• Inversion (I)

Significant operations

• Multiplication (M)
• Squaring (S, S/M ≈ 0.8)

Negligible operations

• Addition (A)

A/M ≈ 0.2 on most smart cards

• Subtraction (S)
• Negation (N)
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Outline

1

Elliptic Curve Cryptography Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms

2

Side-Channel Analysis Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis

3

Countermeasures SSCA Countermeasures DSCA Countermeasures FA Countermeasures

4

Conclusion

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Elliptic Curve Digital Signature Algorithm (ECDSA)

Public : E(a,b,p,n = #E), P ∈ E(Fp), H INPUT : d and m OUTPUT : (r,s) Choose at random k in [1,n −1] P1 ← k ·P r ← xP1 mod n If r ≡ 0 mod n restart from the beginning s ← k−1 (H(m)+dr) mod n If s ≡ 0 mod n restart from the beginning Return (r,s)

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Elliptic Curve Digital Signature Algorithm (ECDSA)

Public : E(a,b,p,n = #E), P ∈ E(Fp), H INPUT : d and m OUTPUT : (r,s) Choose at random k in [1,n −1] P1 ← k ·P r ← xP1 mod n If r ≡ 0 mod n restart from the beginning s ← k−1 (H(m)+dr) mod n If s ≡ 0 mod n restart from the beginning Return (r,s)

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Elliptic Curve Digital Signature Algorithm (ECDSA)

Public : E(a,b,p,n = #E), P ∈ E(Fp), H INPUT : d and m OUTPUT : (r,s) Choose at random k in [1,n −1] P1 ← k ·P r ← xP1 mod n If r ≡ 0 mod n restart from the beginning s ← k−1 (H(m)+dr) mod n If s ≡ 0 mod n restart from the beginning Return (r,s) d = s·k −H(m) r mod n

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Elliptic Curve Diffie-Hellman (ECDH) Key Exchange

E(a,b,p,n), P ∈ E(Fp)

Alice Bob Choose at random a ∈ [1,n−1] Choose at random b ∈ [1,n−1] Pa = a·P ✲ Pa Pb ✛ Pb = b ·P Pab = a·Pb Pab = b ·Pa

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Elliptic Curve Diffie-Hellman (ECDH) Key Exchange

E(a,b,p,n), P ∈ E(Fp)

Card Terminal Choose at random a ∈ [1,n−1] Choose at random b ∈ [1,n−1] Pa = a·P ✲ Pa Pb ✛ Pb = b ·P Pab = a·Pb Pab = b ·Pa

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Elliptic Curve Diffie-Hellman (ECDH) Key Exchange

E(a,b,p,n), P ∈ E(Fp)

Card Terminal Choose at random a ∈ [1,n−1] Choose at random b ∈ [1,n−1] Pa = a·P ✲ Pa Pb ✛ Pb = b ·P Pab = a·Pb Pab = b ·Pa

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Elliptic Curve Standards over Fp

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Elliptic Curve Standards over Fp

NIST (U.S.)

Keylengths : 192, 224, 256, 384, and 521 bits.

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Elliptic Curve Standards over Fp

NIST (U.S.)

Keylengths : 192, 224, 256, 384, and 521 bits.

Brainpool (BSI, Germany)

Keylengths : 160, 192, 224, 256, 320, 384, and 512 bits.

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Elliptic Curve Standards over Fp

NIST (U.S.)

Keylengths : 192, 224, 256, 384, and 521 bits.

Brainpool (BSI, Germany)

Keylengths : 160, 192, 224, 256, 320, 384, and 512 bits. Other standards (ANSI, ISO, IEEE, SECG) → NIST curves

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Outline

1

Elliptic Curve Cryptography Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms

2

Side-Channel Analysis Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis

3

Countermeasures SSCA Countermeasures DSCA Countermeasures FA Countermeasures

4

Conclusion

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Affine Representation

A point of the curve E : y2 = x3 +ax +b is represented as (x,y). No representation for O

• Add. : 1I + 2M + 1S, Doubl. : 1I + 2M + 2S
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Affine Representation

A point of the curve E : y2 = x3 +ax +b is represented as (x,y). No representation for O

• Add. : 1I + 2M + 1S, Doubl. : 1I + 2M + 2S
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Homogeneous Projective Representation

A point is represented by an equivalence class (X : Y : Z). (X : Y : Z) and (λX : λY : λZ), λ = 0 represent the same point

O = (0 : 1 : 0)

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Homogeneous Projective Representation

A point is represented by an equivalence class (X : Y : Z). (X : Y : Z) and (λX : λY : λZ), λ = 0 represent the same point

O = (0 : 1 : 0)

• Aff. → Hom. conversion :

(x,y) → (x : y : 1)

• Hom. → Aff. conversion :

(X : Y : Z = 0) → (X/Z,Y/Z)

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Homogeneous Projective Representation

A point is represented by an equivalence class (X : Y : Z). (X : Y : Z) and (λX : λY : λZ), λ = 0 represent the same point

O = (0 : 1 : 0)

• Aff. → Hom. conversion :

(x,y) → (x : y : 1)

• Hom. → Aff. conversion :

(X : Y : Z = 0) → (X/Z,Y/Z)

• Add. : 12M + 2S, Doubl. : 6M + 6S
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Jacobian Projective Representation

A point is represented by an equivalence class (X : Y : Z). (X : Y : Z) and (λ2X : λ3Y : λZ), λ = 0 represent the same point

O = (1 : 1 : 0)

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Jacobian Projective Representation

A point is represented by an equivalence class (X : Y : Z). (X : Y : Z) and (λ2X : λ3Y : λZ), λ = 0 represent the same point

O = (1 : 1 : 0)

• Aff. → Jac. conversion :

(x,y) → (x : y : 1)

• Jac. → Aff. conversion :

(X : Y : Z = 0) → (X/Z 2,Y/Z 3)

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Jacobian Projective Representation

A point is represented by an equivalence class (X : Y : Z). (X : Y : Z) and (λ2X : λ3Y : λZ), λ = 0 represent the same point

O = (1 : 1 : 0)

• Aff. → Jac. conversion :

(x,y) → (x : y : 1)

• Jac. → Aff. conversion :

(X : Y : Z = 0) → (X/Z 2,Y/Z 3)

• Add. : 11M + 5S, Doubl. : 2M + 8S
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Modified Jacobian Projective Representation

Introduced in [Cohen, Miyaji & Ono, Efficient elliptic curve exponentiation using mixed coordinates, Asiacrypt 1998].

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Modified Jacobian Projective Representation

Introduced in [Cohen, Miyaji & Ono, Efficient elliptic curve exponentiation using mixed coordinates, Asiacrypt 1998].

Based on the Jacobian projective representation. Plus an extra coordinate (X : Y : Z : aZ 4).

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Modified Jacobian Projective Representation

Introduced in [Cohen, Miyaji & Ono, Efficient elliptic curve exponentiation using mixed coordinates, Asiacrypt 1998].

Based on the Jacobian projective representation. Plus an extra coordinate (X : Y : Z : aZ 4). Faster doubling than Jacobian projective : 3M + 5S But slower addition : 13M + 7S

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Outline

1

Elliptic Curve Cryptography Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms

2

Side-Channel Analysis Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis

3

Countermeasures SSCA Countermeasures DSCA Countermeasures FA Countermeasures

4

Conclusion

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Double & Add Algorithm

Left-to-Right

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . INPUT : P ∈ E (Fp), k = (kℓ−1 ...k1k0)2 OUTPUT : k ·P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q ← O For i from ℓ−1 to 0 do Q ← 2Q If ki = 1 then Q ← Q +P Return Q

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Double & Add Algorithm

Left-to-Right

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . INPUT : P ∈ E (Fp), k = (kℓ−1 ...k1k0)2 OUTPUT : k ·P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q ← O For i from ℓ−1 to 0 do Q ← 2Q If ki = 1 then Q ← Q +P Return Q On average : ℓ·dbl+ ℓ 2 ·add

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

NAF Multiplication

NAF Representation

Signed binary representation. Minimize the number of non-zero digits (1/3 vs 1/2). Example : 187 = 10111011(2) = 10¯ 1000¯ 10¯ 1(NAF)

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

NAF Multiplication

NAF Representation

Signed binary representation. Minimize the number of non-zero digits (1/3 vs 1/2). Example : 187 = 10111011(2) = 10¯ 1000¯ 10¯ 1(NAF)

Interest

• Minimize the number of additions
• P → −P is cheap : (X : Y : Z) → (X : −Y : Z)
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

NAF Multiplication

Right-to-Left

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . INPUT : P ∈ E (Fp), k = (kℓ−1 ...k1k0)NAF OUTPUT : k ·P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q ← O R ← P For i from 0 to ℓ−1 do If ki = 1 then Q ← Q +R If ki = −1 then Q ← Q +(−R) R ← 2R Return Q

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

NAF Multiplication

Right-to-Left

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . INPUT : P ∈ E (Fp), k = (kℓ−1 ...k1k0)NAF OUTPUT : k ·P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q ← O R ← P For i from 0 to ℓ−1 do If ki = 1 then Q ← Q +R If ki = −1 then Q ← Q +(−R) R ← 2R Return Q Cost : ℓ·dbl+ ℓ 3 ·add

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

NAF Multiplication

Right-to-Left

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . INPUT : P ∈ E (Fp), k = (kℓ−1 ...k1k0)NAF OUTPUT : k ·P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q ← O R ← P For i from 0 to ℓ−1 do If ki = 1 then Q ← Q +R If ki = −1 then Q ← Q +(−R) R ← 2R Return Q Cost : ℓ·dbl+ ℓ 3 ·add

Variant introduced in [Joye, Fast point multiplication on elliptic curves without precomputation, WAIFI 2008] :

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

NAF Multiplication

Right-to-Left

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . INPUT : P ∈ E (Fp), k = (kℓ−1 ...k1k0)NAF OUTPUT : k ·P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q ← O R ← P For i from 0 to ℓ−1 do If ki = 1 then Q ← Q +R If ki = −1 then Q ← Q +(−R) R ← 2R Return Q Cost : ℓ·dbl+ ℓ 3 ·add

Variant introduced in [Joye, Fast point multiplication on elliptic curves without precomputation, WAIFI 2008] :

• Q in Jacobian coordinates
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

NAF Multiplication

Right-to-Left

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . INPUT : P ∈ E (Fp), k = (kℓ−1 ...k1k0)NAF OUTPUT : k ·P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q ← O R ← P For i from 0 to ℓ−1 do If ki = 1 then Q ← Q +R If ki = −1 then Q ← Q +(−R) R ← 2R Return Q Cost : ℓ·dbl+ ℓ 3 ·add

Variant introduced in [Joye, Fast point multiplication on elliptic curves without precomputation, WAIFI 2008] :

• Q in Jacobian coordinates
• R in modified Jacobian

coordinates

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Other algorithms

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Other algorithms

Sliding window algorithms

Precompute 3P,5P,... to process several scalar bits at a time. Can be combined with the NAF method.

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Other algorithms

Sliding window algorithms

Precompute 3P,5P,... to process several scalar bits at a time. Can be combined with the NAF method.

DBNS, multibase NAF...

Heavy precomputations. Too expensive for the ECDSA in the embedded context.

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Generalities Protocols Points Representation Algorithms

Other algorithms

Sliding window algorithms

Precompute 3P,5P,... to process several scalar bits at a time. Can be combined with the NAF method.

DBNS, multibase NAF...

Heavy precomputations. Too expensive for the ECDSA in the embedded context.

Co-Z Addition

Euclidean Addition Chains [Meloni, WAIFI 2007] Co-Z binary ladder [Goundar, Joye & Miyaji, CHES 2010]

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Outline

1

Elliptic Curve Cryptography Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms

2

Side-Channel Analysis Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis

3

Countermeasures SSCA Countermeasures DSCA Countermeasures FA Countermeasures

4

Conclusion

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Outline

1

Elliptic Curve Cryptography Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms

2

Side-Channel Analysis Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis

3

Countermeasures SSCA Countermeasures DSCA Countermeasures FA Countermeasures

4

Conclusion

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

A chip in details

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

A chip in details

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Attack Bench

Non Invasive Attacks

Computer ✡ ✡ ✡ ✡ ✢ ✡ ✡ ✡ ✡ ✣ ❏ ❏ ❏ ❏ ❫ ❏ ❏ ❏ ❏ ❪ ✲ ✛ Card Reader Oscilloscope

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Simple Analyse Example

Leakage on Performed Operations

RSA exponentiation

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Simple Analyse Example

Leakage on Manipulated Data

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Milestones

• Timing Attacks [Kocher, Timing Attacks on Implementations of

Diffie-Hellman, RSA, DSS, and Other Systems, Crypto 1996]

• Fault Attacks [Boneh et al., On the Importance of Checking

Cryptographic Protocols for Faults, Eurocrypt 1997]

• SPA and DPA [Kocher et al., Differential Power Analysis, Crypto 1999]
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Milestones

• Timing Attacks [Kocher, Timing Attacks on Implementations of

Diffie-Hellman, RSA, DSS, and Other Systems, Crypto 1996]

• Fault Attacks [Boneh et al., On the Importance of Checking

Cryptographic Protocols for Faults, Eurocrypt 1997]

• SPA and DPA [Kocher et al., Differential Power Analysis, Crypto 1999]
• DFA on ECC [Biehl et al., Differential Fault Attacks on Elliptic Curve

Cryptosystems, Crypto 2000]

• DPA on RSA [den Boer et al., A DPA Attack Against the Modular

Reduction within a CRT Implementation of RSA, CHES 2002]

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Milestones

• Timing Attacks [Kocher, Timing Attacks on Implementations of

Diffie-Hellman, RSA, DSS, and Other Systems, Crypto 1996]

• Fault Attacks [Boneh et al., On the Importance of Checking

Cryptographic Protocols for Faults, Eurocrypt 1997]

• SPA and DPA [Kocher et al., Differential Power Analysis, Crypto 1999]
• DFA on ECC [Biehl et al., Differential Fault Attacks on Elliptic Curve

Cryptosystems, Crypto 2000]

• DPA on RSA [den Boer et al., A DPA Attack Against the Modular

Reduction within a CRT Implementation of RSA, CHES 2002]

• CPA [Brier et al., Correlation Power Analysis with a Leakage Model,

CHES 2004]

• CPA on PK [Amiel et al., Power Analysis for Secret Recovering and

Reverse Engineering of Public Key Algorithms, SAC 2007]

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Outline

1

Elliptic Curve Cryptography Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms

2

Side-Channel Analysis Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis

3

Countermeasures SSCA Countermeasures DSCA Countermeasures FA Countermeasures

4

Conclusion

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Simple Analysis Principle

Measure one side-channel leakage s function of t and consider the curve s(t).

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Simple Analysis Principle

Measure one side-channel leakage s function of t and consider the curve s(t).

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Simple Analysis Principle

Measure one side-channel leakage s function of t and consider the curve s(t).

SPA/SEMA

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Simple Analysis Principle

Measure one side-channel leakage s function of t and consider the curve s(t).

SPA/SEMA

• depicts the behavior of the chip depending on the performed
• perations / manipulated data
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Simple Analysis Principle

Measure one side-channel leakage s function of t and consider the curve s(t).

SPA/SEMA

• depicts the behavior of the chip depending on the performed
• perations / manipulated data
• each measure enables direct reading
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Example

Left-to-Right Double & add Algorithm Analysis

Q ← O For i from ℓ−1 to 0 do Q ← 2Q If ki = 1 then Q ← Q +P Return Q

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Example

Left-to-Right Double & add Algorithm Analysis

Q ← O For i from ℓ−1 to 0 do Q ← 2Q If ki = 1 then Q ← Q +P Return Q

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Outline

1

Elliptic Curve Cryptography Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms

2

Side-Channel Analysis Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis

3

Countermeasures SSCA Countermeasures DSCA Countermeasures FA Countermeasures

4

Conclusion

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis Principle

Measure n times a side-channel leakage s function of t and consider the curves s1(t),s2(t),...,sn(t).

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis Principle

Measure n times a side-channel leakage s function of t and consider the curves s1(t),s2(t),...,sn(t).

• targets a same operation
• n all curves but involving

different data

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis Principle

Measure n times a side-channel leakage s function of t and consider the curves s1(t),s2(t),...,sn(t).

• targets a same operation
• n all curves but involving

different data

• align vertically the curves
• n the targeted operation
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis Principle

Measure n times a side-channel leakage s function of t and consider the curves s1(t),s2(t),...,sn(t).

• targets a same operation
• n all curves but involving

different data

• align vertically the curves
• n the targeted operation
• process the curves with

statistical treatment

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Depending on some known and variable input of the algorithm and of a few bits of the secret input.

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Depending on some known and variable input of the algorithm and of a few bits of the secret input.

Original DPA/DEMA

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Depending on some known and variable input of the algorithm and of a few bits of the secret input.

Original DPA/DEMA

• For each possible value (guess) :
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Depending on some known and variable input of the algorithm and of a few bits of the secret input.

Original DPA/DEMA

• For each possible value (guess) :
• sort the curves into two sets S0 and S1 depending of some

intermediate result

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Depending on some known and variable input of the algorithm and of a few bits of the secret input.

Original DPA/DEMA

• For each possible value (guess) :
• sort the curves into two sets S0 and S1 depending of some

intermediate result

• average and subtract : < S0 > − < S1 >, and look for peaks
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Depending on some known and variable input of the algorithm and of a few bits of the secret input.

Original DPA/DEMA

• For each possible value (guess) :
• sort the curves into two sets S0 and S1 depending of some

intermediate result

• average and subtract : < S0 > − < S1 >, and look for peaks
• Iterate until peaks are found
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Example

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Example

C1 C2 . . . CN

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Example

C1 P1 C2 P2 . . . . . . CN PN

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Example

Guess : ki = 0 C1 P1 C2 P2 . . . . . . CN PN

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Example

Guess : ki = 0 C1 P1 Qi

1

C2 P2 Qi

2

. . . . . . . . . CN PN Qi

N

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Example

Guess : ki = 0 C1 P1 Qi

1

→ S0 C2 P2 Qi

2

→ S0 . . . . . . . . . . . . CN PN Qi

N

→ S1

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Example

Guess : ki = 0 C1 P1 Qi

1

→ S0 C2 P2 Qi

2

→ S0 . . . . . . . . . . . . CN PN Qi

N

→ S1 Compute < S0 > − < S1 > :

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Example

Guess : ki = 0 C1 P1 Qi

1

→ S0 C2 P2 Qi

2

→ S0 . . . . . . . . . . . . CN PN Qi

N

→ S1 Compute < S0 > − < S1 > :

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Example

Guess : ki = 1 C1 P1 Qi

1

C2 P2 Qi

2

. . . . . . . . . CN PN Qi

N

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Example

Guess : ki = 1 C1 P1 Qi

1

→ S1 C2 P2 Qi

2

→ S0 . . . . . . . . . . . . CN PN Qi

N

→ S0

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Example

Guess : ki = 1 C1 P1 Qi

1

→ S1 C2 P2 Qi

2

→ S0 . . . . . . . . . . . . CN PN Qi

N

→ S0 Compute < S0 > − < S1 > :

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Example

Guess : ki = 1 C1 P1 Qi

1

→ S1 C2 P2 Qi

2

→ S0 . . . . . . . . . . . . CN PN Qi

N

→ S0 Compute < S0 > − < S1 > :

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Depending on some known and variable input of the algorithm and of a few bits of the secret input (as DPA).

CPA/CEMA

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Depending on some known and variable input of the algorithm and of a few bits of the secret input (as DPA).

CPA/CEMA

• For each possible value (guess) :
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Depending on some known and variable input of the algorithm and of a few bits of the secret input (as DPA).

CPA/CEMA

• For each possible value (guess) :
• compute correlation curves between si and HW of some

intermediate result depending on the guess

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Differential Analysis

Statistical Treatment

Depending on some known and variable input of the algorithm and of a few bits of the secret input (as DPA).

CPA/CEMA

• For each possible value (guess) :
• compute correlation curves between si and HW of some

intermediate result depending on the guess

• average the correlation curves and apply a threshold
• Iterate until the threshold is reached
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Outline

1

Elliptic Curve Cryptography Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms

2

Side-Channel Analysis Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis

3

Countermeasures SSCA Countermeasures DSCA Countermeasures FA Countermeasures

4

Conclusion

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Fault Attacks on Scalar Multiplication

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Fault Attacks on Scalar Multiplication

• Inject a fault : xP ← xP′
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Fault Attacks on Scalar Multiplication

• Inject a fault : xP ← xP′
• Since b is not involved in the scalar multiplication,

P′ ∈ E′(Fp), with E′ : y2 = x3 +ax +b′ and b′ = yP2 −x′

P 3 −ax′ P

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Fault Attacks on Scalar Multiplication

• Inject a fault : xP ← xP′
• Since b is not involved in the scalar multiplication,

P′ ∈ E′(Fp), with E′ : y2 = x3 +ax +b′ and b′ = yP2 −x′

P 3 −ax′ P

• Then the scalar multiplication Q′ = k ·P′ takes place on E′
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Fault Attacks on Scalar Multiplication

• Inject a fault : xP ← xP′
• Since b is not involved in the scalar multiplication,

P′ ∈ E′(Fp), with E′ : y2 = x3 +ax +b′ and b′ = yP2 −x′

P 3 −ax′ P

• Then the scalar multiplication Q′ = k ·P′ takes place on E′
• DLP for Q′ = k ·P′ is easy to solve if ordE′(P′) is small
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion Introduction SPA DPA FA

Fault Attacks on Scalar Multiplication

• Inject a fault : xP ← xP′
• Since b is not involved in the scalar multiplication,

P′ ∈ E′(Fp), with E′ : y2 = x3 +ax +b′ and b′ = yP2 −x′

P 3 −ax′ P

• Then the scalar multiplication Q′ = k ·P′ takes place on E′
• DLP for Q′ = k ·P′ is easy to solve if ordE′(P′) is small
• Iterate and apply the chinese reminder theorem to recover k.
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Outline

1

Elliptic Curve Cryptography Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms

2

Side-Channel Analysis Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis

3

Countermeasures SSCA Countermeasures DSCA Countermeasures FA Countermeasures

4

Conclusion

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Outline

1

Elliptic Curve Cryptography Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms

2

Side-Channel Analysis Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis

3

Countermeasures SSCA Countermeasures DSCA Countermeasures FA Countermeasures

4

Conclusion

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

SPA/SEMA Protection

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

SPA/SEMA Protection

Mostly three kinds of countermeasures :

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

SPA/SEMA Protection

Mostly three kinds of countermeasures :

• Regular algorithms
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

SPA/SEMA Protection

Mostly three kinds of countermeasures :

• Regular algorithms
• Dummy curve operations : Double and Add Always [Coron, 1999]
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

SPA/SEMA Protection

Mostly three kinds of countermeasures :

• Regular algorithms
• Dummy curve operations : Double and Add Always [Coron, 1999]
• Highly regular : Montgomery ladder [Montgomery, 1987]
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

SPA/SEMA Protection

Mostly three kinds of countermeasures :

• Regular algorithms
• Dummy curve operations : Double and Add Always [Coron, 1999]
• Highly regular : Montgomery ladder [Montgomery, 1987]
• Unified formulas
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

SPA/SEMA Protection

Mostly three kinds of countermeasures :

• Regular algorithms
• Dummy curve operations : Double and Add Always [Coron, 1999]
• Highly regular : Montgomery ladder [Montgomery, 1987]
• Unified formulas
• Homogeneous projective coordinates [Brier & Joye, 2002]
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

SPA/SEMA Protection

Mostly three kinds of countermeasures :

• Regular algorithms
• Dummy curve operations : Double and Add Always [Coron, 1999]
• Highly regular : Montgomery ladder [Montgomery, 1987]
• Unified formulas
• Homogeneous projective coordinates [Brier & Joye, 2002]
• Specific curves formulas (Hessian, Edwards, etc.)
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

SPA/SEMA Protection

Mostly three kinds of countermeasures :

• Regular algorithms
• Dummy curve operations : Double and Add Always [Coron, 1999]
• Highly regular : Montgomery ladder [Montgomery, 1987]
• Unified formulas
• Homogeneous projective coordinates [Brier & Joye, 2002]
• Specific curves formulas (Hessian, Edwards, etc.)
• Atomicity
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

SPA/SEMA Protection

Mostly three kinds of countermeasures :

• Regular algorithms
• Dummy curve operations : Double and Add Always [Coron, 1999]
• Highly regular : Montgomery ladder [Montgomery, 1987]
• Unified formulas
• Homogeneous projective coordinates [Brier & Joye, 2002]
• Specific curves formulas (Hessian, Edwards, etc.)
• Atomicity
• Original ECC pattern [Chevallier et al., 2003]
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

SPA/SEMA Protection

Mostly three kinds of countermeasures :

• Regular algorithms
• Dummy curve operations : Double and Add Always [Coron, 1999]
• Highly regular : Montgomery ladder [Montgomery, 1987]
• Unified formulas
• Homogeneous projective coordinates [Brier & Joye, 2002]
• Specific curves formulas (Hessian, Edwards, etc.)
• Atomicity
• Original ECC pattern [Chevallier et al., 2003]
• Longa ECC patterns [Longa, 2007]
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

SPA/SEMA Protection

Mostly three kinds of countermeasures :

• Regular algorithms
• Dummy curve operations : Double and Add Always [Coron, 1999]
• Highly regular : Montgomery ladder [Montgomery, 1987]
• Unified formulas
• Homogeneous projective coordinates [Brier & Joye, 2002]
• Specific curves formulas (Hessian, Edwards, etc.)
• Atomicity
• Original ECC pattern [Chevallier et al., 2003]
• Longa ECC patterns [Longa, 2007]
• Improved ECC pattern [Giraud and Verneuil, 2010]
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Regular Algorithms

Double & add always

Q,T ← O For i from ℓ−1 to 0 do Q ← 2Q If ki = 1 then Q ← Q +P Else T ← Q +P Return Q

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Regular Algorithms

Double & add always

Q,T ← O For i from ℓ−1 to 0 do Q ← 2Q If ki = 1 then Q ← Q +P Else T ← Q +P Return Q

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Regular Algorithms

Double & add always

Q,T ← O For i from ℓ−1 to 0 do Q ← 2Q If ki = 1 then Q ← Q +P Else T ← Q +P Return Q On average : ℓ·dbl+ℓ·add

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Regular Algorithms

Double & add always

Q,T ← O For i from ℓ−1 to 0 do Q ← 2Q If ki = 1 then Q ← Q +P Else T ← Q +P Return Q On average : ℓ·dbl+ℓ·add Prone to safe errors.

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Regular Algorithms

Montgomery ladder

Q1 ← P Q2 ← 2P For i from l −2 to 0 do Q1−ki ← Q1 +Q2 Qki ← 2Qi Return Q1

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Regular Algorithms

Montgomery ladder

Q1 ← P Q2 ← 2P For i from l −2 to 0 do Q1−ki ← Q1 +Q2 Qki ← 2Qi Return Q1

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Regular Algorithms

Montgomery ladder

Q1 ← P Q2 ← 2P For i from l −2 to 0 do Q1−ki ← Q1 +Q2 Qki ← 2Qi Return Q1 Trick : Y1 and Y2 computation can be avoided.

• Brier & Joye, PKC 2002
• Izu & Takagi, PKC 2002
• Fischer et al., ePrint 2002
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Unified Formulas

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Unified Formulas

A single formula for addition and doubling

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Unified Formulas

A single formula for addition and doubling

• Homogeneous projective coordinates : 12M + 6S
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Unified Formulas

A single formula for addition and doubling

• Homogeneous projective coordinates : 12M + 6S
• Edwards curves : 10M + 1S
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Unified Formulas

A single formula for addition and doubling

• Homogeneous projective coordinates : 12M + 6S
• Edwards curves : 10M + 1S in Fp6 with standard curves :(
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Unified Formulas

A single formula for addition and doubling

• Homogeneous projective coordinates : 12M + 6S
• Edwards curves : 10M + 1S in Fp6 with standard curves :(
• Twisted Edwards curves : 9M + 1S
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Unified Formulas

A single formula for addition and doubling

• Homogeneous projective coordinates : 12M + 6S
• Edwards curves : 10M + 1S in Fp6 with standard curves :(
• Twisted Edwards curves : 9M + 1S in Fp3 with standard curves :(
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity

Introduced in [Chevallier-Mames, Ciet & Joye, Low-cost solutions for preventing simple side-channel analysis..., ePrint 2003].

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity

Introduced in [Chevallier-Mames, Ciet & Joye, Low-cost solutions for preventing simple side-channel analysis..., ePrint 2003].

Idea : always repeat the same pattern of operations

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity

Introduced in [Chevallier-Mames, Ciet & Joye, Low-cost solutions for preventing simple side-channel analysis..., ePrint 2003].

Idea : always repeat the same pattern of operations Example : RSA (square & multiply)

• S, M, S, S, S, M, S, S, M, S, M, ...
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity

Introduced in [Chevallier-Mames, Ciet & Joye, Low-cost solutions for preventing simple side-channel analysis..., ePrint 2003].

Idea : always repeat the same pattern of operations Example : RSA (square & multiply)

• S, M, S, S, S, M, S, S, M, S, M, ...
• M, M, M, M, M, M, M, M, M, M, M, ...
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity

Introduced in [Chevallier-Mames, Ciet & Joye, Low-cost solutions for preventing simple side-channel analysis..., ePrint 2003].

Idea : always repeat the same pattern of operations Example : RSA (square & multiply)

• S, M, S, S, S, M, S, S, M, S, M, ...
• M, M, M, M, M, M, M, M, M, M, M, ...

→ Cost

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity for Elliptic Curves

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity for Elliptic Curves

Principle

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity for Elliptic Curves

Principle

Always repeat the same pattern :

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity for Elliptic Curves

Principle

Always repeat the same pattern :     ◮ Multiplication ◮ Addition ◮ Negation ◮ Addition

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity for Elliptic Curves

Principle

Always repeat the same pattern :     ◮ Multiplication ◮ Addition ◮ Negation ◮ Addition     ◮ Multiplication ◮ Addition ◮ Negation ◮ Addition

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity for Elliptic Curves

Principle

Always repeat the same pattern :     ◮ Multiplication ◮ Addition ◮ Negation ◮ Addition     ◮ Multiplication ◮ Addition ◮ Negation ◮ Addition ...

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity for Elliptic Curves

Principle

Always repeat the same pattern :     ◮ Multiplication ◮ Addition ◮ Negation ◮ Addition     ◮ Multiplication ◮ Addition ◮ Negation ◮ Addition ... No more squarings :(

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity for Elliptic Curves

Principle

Always repeat the same pattern :     ◮ Multiplication ◮ Addition ◮ Negation ◮ Addition     ◮ Multiplication ◮ Addition ◮ Negation ◮ Addition ... No more squarings :( Many dummy additions/negations :(

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Longa Atomicity

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Longa Atomicity

Other patterns

In [Longa, Accelerating the Scalar Multiplication on Elliptic Curve Cryptosystems over Prime Fields, 2007] are proposed 2 new patterns :

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Longa Atomicity

Other patterns

In [Longa, Accelerating the Scalar Multiplication on Elliptic Curve Cryptosystems over Prime Fields, 2007] are proposed 2 new patterns :           ◮ Multiplication ◮ Negation ◮ Addition ◮ Multiplication ◮ Negation ◮ Addition ◮ Addition

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Longa Atomicity

Other patterns

In [Longa, Accelerating the Scalar Multiplication on Elliptic Curve Cryptosystems over Prime Fields, 2007] are proposed 2 new patterns :           ◮ Multiplication ◮ Negation ◮ Addition ◮ Multiplication ◮ Negation ◮ Addition ◮ Addition           ◮ Squaring ◮ Negation ◮ Addition ◮ Multiplication ◮ Negation ◮ Addition ◮ Addition

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity Improvement

Full paper : [Giraud & Verneuil, Atomicity Improvement for Elliptic Curve Scalar Multiplication, CARDIS 2010]

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity Improvement

Full paper : [Giraud & Verneuil, Atomicity Improvement for Elliptic Curve Scalar Multiplication, CARDIS 2010]

Two steps

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity Improvement

Full paper : [Giraud & Verneuil, Atomicity Improvement for Elliptic Curve Scalar Multiplication, CARDIS 2010]

Two steps

• First define the largest atomic pattern possible
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity Improvement

Full paper : [Giraud & Verneuil, Atomicity Improvement for Elliptic Curve Scalar Multiplication, CARDIS 2010]

Two steps

• First define the largest atomic pattern possible
• Then remove as many possible dummy operations
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity Improvement

Full paper : [Giraud & Verneuil, Atomicity Improvement for Elliptic Curve Scalar Multiplication, CARDIS 2010]

Two steps

• First define the largest atomic pattern possible
• Then remove as many possible dummy operations

Advantages

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity Improvement

Full paper : [Giraud & Verneuil, Atomicity Improvement for Elliptic Curve Scalar Multiplication, CARDIS 2010]

Two steps

• First define the largest atomic pattern possible
• Then remove as many possible dummy operations

Advantages

• Potentially applicable to every algorithm (no curve restriction)
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomicity Improvement

Full paper : [Giraud & Verneuil, Atomicity Improvement for Elliptic Curve Scalar Multiplication, CARDIS 2010]

Two steps

• First define the largest atomic pattern possible
• Then remove as many possible dummy operations

Advantages

• Potentially applicable to every algorithm (no curve restriction)
• Prevents from the SPA at a lower cost than classical atomicity
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Atomic Joye’s Multiplication

Best pattern

• Add. 1
• Add. 2

Dbl. Sq. Add. Mult. Add. Mult. Add. Mult. Add. Add. Sq. Mult. Add. Sub. Mult. Sub. Sub. Mult. Sub.                                 R1 ← Z22 ⋆ R2 ← Y1 ·Z2 ⋆ R5 ← Y2 ·Z1 ⋆ R3 ← R1 ·R2 ⋆ ⋆ R4 ← Z12 R2 ← R5 ·R4 ⋆ R2 ← R2 −R3 R5 ← R1 ·X1 ⋆ ⋆ R6 ← X2 ·R4 R6 ← R6 −R5                                 R1 ← R62 ⋆ R4 ← R5 ·R1 ⋆ R5 ← R1 ·R6 ⋆ R1 ← Z1 ·R6 ⋆ ⋆ R6 ← R22 Z3 ← R1 ·Z2 R1 ← R4 +R4 R6 ← R6 −R1 R1 ← R5 ·R3 X3 ← R6 −R5 R4 ← R4 −X3 R3 ← R4 ·R2 Y3 ← R3 −R1                                 R1 ← X12 R2 ← Y1 +Y1 Z2 ← R2 ·Z1 R4 ← R1 +R1 R3 ← R2 ·Y1 R6 ← R3 +R3 R2 ← R6 ·R3 R1 ← R4 +R1 R1 ← R1 +W1 R3 ← R12 R4 ← R6 ·X1 R5 ← W1 +W1 R3 ← R3 −R4 W2 ← R2 ·R5 X2 ← R3 −R4 R6 ← R4 −X2 R4 ← R6 ·R1 Y2 ← R4 −R2

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Outline

1

Elliptic Curve Cryptography Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms

2

Side-Channel Analysis Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis

3

Countermeasures SSCA Countermeasures DSCA Countermeasures FA Countermeasures

4

Conclusion

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

DPA/DEMA Protection

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

DPA/DEMA Protection

Classical countermeasures :

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

DPA/DEMA Protection

Classical countermeasures :

• Scalar blinding : k′ = k +r#E (Fp)
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

DPA/DEMA Protection

Classical countermeasures :

• Scalar blinding : k′ = k +r#E (Fp)
• Point coordinates blinding : (X : Y : Z) = (r 2X : r 3Y : rZ), r = 0
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

DPA/DEMA Protection

Classical countermeasures :

• Scalar blinding : k′ = k +r#E (Fp)
• Point coordinates blinding : (X : Y : Z) = (r 2X : r 3Y : rZ), r = 0
• Random curve isomorphism :

a′ ← r 4a b′ ← r 6b P′ ← (r 2XP,r 3YP,rZP) Q ← (xQ′/r 2,yQ′/r 3)

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Outline

1

Elliptic Curve Cryptography Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms

2

Side-Channel Analysis Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis

3

Countermeasures SSCA Countermeasures DSCA Countermeasures FA Countermeasures

4

Conclusion

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Fault Protection

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Fault Protection

Classical countermeasures :

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Fault Protection

Classical countermeasures :

• Redundancy, verification...
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion SSCA DSCA FA

Fault Protection

Classical countermeasures :

• Redundancy, verification...
• Verify that P,Q ∈ E (Fp).
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion

Outline

1

Elliptic Curve Cryptography Generalities Protocols Points Representation and Formulas Scalar Multiplication Algorithms

2

Side-Channel Analysis Introduction Simple Side-Channel Analysis Differential Side-Channel Analysis Fault Analysis

3

Countermeasures SSCA Countermeasures DSCA Countermeasures FA Countermeasures

4

Conclusion

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion

Conclusion

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion

Conclusion

• Scalar multuplication efficiency has been extensively studied.
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion

Conclusion

• Scalar multuplication efficiency has been extensively studied.
• Edwards curve standardization ?
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion

Conclusion

• Scalar multuplication efficiency has been extensively studied.
• Edwards curve standardization ?
• Research on side-channel attacks keeps progressing.
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion

Conclusion

• Scalar multuplication efficiency has been extensively studied.
• Edwards curve standardization ?
• Research on side-channel attacks keeps progressing.
• Using security models for proving the resistance against attacks ?
• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion

Thank you for your attention !

Contact : vverneuil@insidefr.com www.math.u-bordeaux1.fr/~vverneui/

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices

Elliptic Curves Side-Channel Countermeasures Conclusion

Additions Cost on a Chip

192-bit integers A/M ≈ 0.2, S = A, and N/M ≈ 0.1

• V. Verneuil

Elliptic Curve Cryptography on Embedded Devices