
Hardware Random Recoding Redundant Representations of Numbers, Side - PowerPoint PPT Presentation



  1. Hardware Random Recoding
     Redundant Representations of Numbers, Side Channel Analysis, Elliptic Curve Cryptography
     Thomas Chabrier, Danuta Pamula, Arnaud Tisserand
     IRISA Laboratory, CAIRN Research Team

  2. Plan Context Redundant Representations Proposed Solution and Implementation Results Conclusion and Future Prospects 2/20

  3. Context
     Elliptic curve cryptography (ECC):
     [Figure: Sum of 2 points on R]
     ◮ considered finite field: $\mathbb{F}_p$ with $p$ a large prime (160–600 bits)
     ◮ simplified Weierstrass equation: $y^2 = x^3 + ax + b$ where $(a, b) \in \mathbb{F}_p^2$ and $\Delta = -16(4a^3 + 27b^2) \neq 0$
     Hardware implementation issues:
     ◮ performance: speed, area, low power/energy consumption
     ◮ security: protection against side channel attacks
     Reference [3]: D. Hankerson, S. Vanstone, and A. Menezes, Guide to Elliptic Curve Cryptography, 2003

  4. ECC Scalar Multiplication $[k]P$
     ◮ scalar multiplication: $[k]P = \underbrace{P + P + \cdots + P}_{k \text{ times}}$ with $k \in \mathbb{N}$
     Right-to-left and left-to-right binary "double and add" algorithms to compute $[k]P$:

     Right to left:
       Q ← ∞
       for i from 0 to t-1 do
         if k_i = 1 then Q ← Q + P    (ADD)
         P ← 2P                        (DBL)

     Left to right:
       Q ← ∞
       for i from t-1 downto 0 do
         Q ← 2Q                        (DBL)
         if k_i = 1 then Q ← Q + P    (ADD)

     avg. cost: $(n-1) \cdot \mathrm{DBL}$ and $\frac{n}{2} \cdot \mathrm{ADD}$
     ◮ non adjacent form (NAF): $k = \sum_{i=0}^{l-1} k_i 2^i$ where $k_i \in \{\bar{1}, 0, 1\}$ and $k_i k_{i+1} = 0$
     Example: $k = 267 = (1\,0\,0\,0\,0\,1\,0\,1\,1)_2 = (1\,0\,0\,0\,1\,0\,\bar{1}\,0\,\bar{1})_{2\text{-NAF}} = (1\,0\,0\,0\,0\,1\,0\,0\,3)_{3\text{-NAF}}$
     avg. cost: $(n-1) \cdot \mathrm{DBL}$ and $\frac{n}{w+1} \cdot \mathrm{ADD}$
     Notation: $\bar{d} \Leftrightarrow -d$

  5. Side Channel Analysis
     ◮ measure some external parameters of a running device in order to deduce internal secret information
     Reference [4]: S. Mangard, E. Oswald, and T. Popp, Power Analysis Attacks: Revealing the Secrets of Smart Cards, 2007

  6. Side Channel Analysis for ECC
     ◮ in ECC: identify point addition and point doubling operations in order to deduce the key value in $[k]P$
     Typical countermeasures:
     ◮ resistant algorithms (double and add always, Montgomery ladder, insert dummy operations, ...) → regular behavior
     ◮ unified formulae
     ◮ randomization of the scalar
         Coron countermeasure (first): $k' = k + r\,|E(\mathbb{F}_p)|$
         random recoding with DBNS and signed digit representations
     ◮ randomization of the base point
     ◮ isomorphism randomization of the curve

  7. ECC Processor
     [Block diagram: COMM., register file, AGU, countermeasures, key recode, CTRL, and three functional units (±, × on F_q; ±, × on F_q; 1/x on F_q), each with its own CTRL and local register(s)]
     ◮ functional units (FU): ±, ×, 1/x for $\mathbb{F}_p$ and $\mathbb{F}_{2^m}$, key recoding
     ◮ memory: register file + internal registers in the FUs
     ◮ control: operations ($E$ and $\mathbb{F}_q$ levels) schedule

  8. DBNS: Double-Based Number System
     $k = \sum_{i=0}^{n-1} k_i 2^{a_i} 3^{b_i}$ with $k_i \in \{-1, 1\}$, $a_i, b_i \geq 0$
     The double-base chain approach:
     ◮ representations of integers in two coprime bases $(2, 3)$
     ◮ extremely redundant and sparse number system
     Example: 127 has 783 different representations:
     $127 = 2^2 3^3 + 2^1 3^2 + 2^0 3^0 = 2^2 3^3 + 2^4 3^0 + 2^0 3^1 = \ldots$
     Strictly chained DBNS representation (ref. [1]):
     ◮ compute $[k]P$ ⇒ need $a_0 \geq \ldots \geq a_{n-1}$ and $b_0 \geq \ldots \geq b_{n-1}$
     ◮ cost: $(n-1) \cdot \mathrm{ADD} + a_0 \cdot \mathrm{DBL} + b_0 \cdot \mathrm{TPL}$
     Reference [1]: C. Doche and L. Imbert, Extended double-base number system with applications to elliptic curve cryptography, INDOCRYPT, 2006.

  9. Random Recoding Rules
     We focus on 4 recodings. Each gives two rules; read left to right (two terms to one) a rule is a reduction (⇀), read right to left (one term to two) it is an expansion (↽):
     ◮ $1 + 2 = 3$ ⇒
         [R1] $2^{i+1} 3^{j-1} + 2^{i} 3^{j-1} = 2^i 3^j$
         [R2] $2^{i-1} 3^{j+1} - 2^{i-1} 3^{j} = 2^i 3^j$
     ◮ $1 + 3 = 2^2$ ⇒
         [R3] $2^{i-2} 3^{j+1} + 2^{i-2} 3^{j} = 2^i 3^j$
         [R4] $2^{i+2} 3^{j-1} - 2^{i} 3^{j-1} = 2^i 3^j$
     ◮ $1 + 2^3 = 3^2$ ⇒
         [R5] $2^{i+3} 3^{j-2} + 2^{i} 3^{j-2} = 2^i 3^j$
         [R6] $2^{i-3} 3^{j+2} - 2^{i-3} 3^{j} = 2^i 3^j$
     ◮ $1 + 1 = 2$ ⇒
         [R7] $2^{i+1} 3^{j} - 2^{i} 3^{j} = 2^i 3^j$
         [R8] $2^{i-1} 3^{j} + 2^{i-1} 3^{j} = 2^i 3^j$
     Rules have to respect decreasing exponents
     Random applications of the rules

  10. Example of Some Possible DBNS Recodings for k = 140400
     (1) $2^8 3^6 - 2^6 3^6 + 2^4 3^3$
     (2) $2^6 3^7 + 2^4 3^3$, from (1) by reduction R4
     (3) $2^7 3^7 - 2^7 3^6 - 2^6 3^6 + 2^4 3^3$, from (1) by expansion R2
     (4) $2^7 3^6 + 2^6 3^6 + 2^4 3^3$, from (2) by expansion R1
     (5) $2^6 3^7 + 2^6 3^2 - 2^4 3^2$, from (2) by expansion R4
     Corresponding computations of $[140400]P$:
     (1) $[2^4 3^3]([2^2 3^3]([2^2 3^0]P - P) + P)$
     (2) $[2^4 3^3]([2^2 3^4]P + P)$
     (3) $[2^4 3^3]([2^2 3^3]([2^1 3^0]([2^0 3^1]P - P) - P) + P)$
     (4) $[2^4 3^3]([2^2 3^3]([2^1 3^0]P + P) + P)$
     (5) $[2^4 3^2]([2^2 3^0]([2^0 3^5]P + P) - P)$
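The rules of slide 9 applied to the k = 140400 example of slide 10, as an added example that is not part of the original slides. The `(sign, a, b)` term encoding, the function names and the use of an integer in place of the point P are assumptions made for the illustration.

```python
# Added example. A DBNS term (s, a, b) stands for s * 2**a * 3**b.
# For each rule: the two-term side as (sign, da, db) offsets from 2^i 3^j.
RULES = {
    "R1": ((+1, +1, -1), (+1, 0, -1)), "R2": ((+1, -1, +1), (-1, -1, 0)),
    "R3": ((+1, -2, +1), (+1, -2, 0)), "R4": ((+1, +2, -1), (-1, 0, -1)),
    "R5": ((+1, +3, -2), (+1, 0, -2)), "R6": ((+1, -3, +2), (-1, -3, 0)),
    "R7": ((+1, +1, 0), (-1, 0, 0)),   "R8": ((+1, -1, 0), (+1, -1, 0)),
}

def value(terms):
    return sum(s * 2**a * 3**b for s, a, b in terms)

def is_chain(terms):
    """Strictly chained form: exponents of 2 and of 3 never increase."""
    return all(a1 >= a2 and b1 >= b2
               for (_, a1, b1), (_, a2, b2) in zip(terms, terms[1:]))

def expand(terms, idx, rule):
    """Expansion: replace terms[idx] by the rule's two-term side."""
    s, a, b = terms[idx]
    pair = [(s * ds, a + da, b + db) for ds, da, db in RULES[rule]]
    if any(x < 0 or y < 0 for _, x, y in pair):
        raise ValueError("rule would produce a negative exponent")
    return terms[:idx] + pair + terms[idx + 1:]

def reduce_pair(terms, idx, rule):
    """Reduction: merge terms[idx] and terms[idx + 1] into one term."""
    ds, da, db = RULES[rule][0]
    s, a, b = terms[idx]
    single = (s * ds, a - da, b - db)
    if expand([single], 0, rule) != terms[idx:idx + 2]:
        raise ValueError("the two terms do not match this rule")
    return terms[:idx] + [single] + terms[idx + 2:]

def horner(terms, P=1):
    """Evaluate [k]P along the chain; the integer P stands in for a point."""
    if not is_chain(terms):
        raise ValueError("not a strictly chained representation")
    s, a, b = terms[0]
    Q = s * P
    for s2, a2, b2 in terms[1:]:
        Q = 2**(a - a2) * 3**(b - b2) * Q + s2 * P   # DBLs, TPLs, one ADD
        a, b = a2, b2
    return 2**a * 3**b * Q

REP1 = [(+1, 8, 6), (-1, 6, 6), (+1, 4, 3)]    # representation (1), slide 10
REP2 = reduce_pair(REP1, 0, "R4")              # (2)
REP3 = expand(REP1, 0, "R2")                   # (3)
REP4, REP5 = expand(REP2, 0, "R1"), expand(REP2, 1, "R4")   # (4), (5)
```

Every rule preserves the value, but not every application preserves the chain ordering: `expand(REP1, 1, "R2")` still sums to 140400 and fails `is_chain`, which is why a recoder has to check the exponents before accepting a rule.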

  11. Binary Signed-Digit Representation
     $k = \sum_{i=0}^{n} k_i 2^i$ with $k_i \in \{\bar{1}, 0, 1\}$
     Example of some BSD representations for $k = 11$:
     $2^3 + 2^1 + 2^0 = (01011)_{BSD}$
     $2^3 + 2^2 - 2^1 + 2^0 = (011\bar{1}1)_{BSD}$
     $= \ldots$
     Number of BSD representations: $\lambda(k, n)$ (ref. [2])
     Example: $\lambda(149, 9) = 50$, $\lambda(1365, 12) = 233$, $\lambda(87381, 17) = 4181$
     Reference [2]: N. Ebeid and M. Hasan, On binary signed digit representations of integers, Des. Codes Cryptography, 2007

  12. Recoding Rules for Randomization
     Recoding rules: $01 \Leftrightarrow 1\bar{1}$ and $0\bar{1} \Leftrightarrow \bar{1}1$
     Random recoding approach:
     ◮ left-to-right or right-to-left algorithm
     ◮ serial scanning of all digits of $k$
     ◮ random bits $r = (r_2, r_1, r_0)$
     Compute a random signed-digit representation of $k = (0\,k_{n-1} \cdots k_0)_2$:

       for i from 1 to n-1 do
         if r_2 = 1 then
           if r_1 = 1 then (k_{i+1}, k_i) ← f(k_{i+1}, k_i)
           if r_0 = 1 then (k_i, k_{i-1}) ← f(k_i, k_{i-1})
         else
           if r_0 = 1 then (k_i, k_{i-1}) ← f(k_i, k_{i-1})
           if r_1 = 1 then (k_{i+1}, k_i) ← f(k_{i+1}, k_i)
       return k
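A software model of the random recoding loop of slide 12, as an added example that is not the authors' hardware design. It assumes that `f` applies whichever of the two recoding rules matches the digit pair and leaves any other pair unchanged, and that three fresh random bits are drawn per iteration; the function names and the little-endian digit list are choices made here.

```python
import secrets

# Assumed pair function f, built from the slide's rules
# 01 <-> 1(-1) and 0(-1) <-> (-1)1; both sides of a rule have the same value.
F = {(0, 1): (1, -1), (1, -1): (0, 1), (0, -1): (-1, 1), (-1, 1): (0, -1)}

def f(hi, lo):
    return F.get((hi, lo), (hi, lo))      # pairs matching no rule are kept

def random_bits():
    """Three bits (r2, r1, r0) from the OS CSPRNG."""
    r = secrets.randbits(3)
    return (r >> 2) & 1, (r >> 1) & 1, r & 1

def recode(k, n, rbits=random_bits):
    """Random signed-digit recoding of k < 2**n.

    Returns n + 1 digits in {-1, 0, 1}, least significant first
    (the slide writes k as (0 k_{n-1} ... k_0), most significant first).
    """
    d = [(k >> i) & 1 for i in range(n)] + [0]
    for i in range(1, n):
        r2, r1, r0 = rbits()
        steps = ([i + 1] if r1 else []) + ([i] if r0 else [])
        if not r2:
            steps.reverse()               # r2 selects the order of the two steps
        for hi in steps:
            d[hi], d[hi - 1] = f(d[hi], d[hi - 1])
    return d

def sd_value(digits):
    return sum(x << i for i, x in enumerate(digits))

def hamming_weight(digits):
    return sum(1 for x in digits if x != 0)
```

`recode(11, 4)` returns a different digit string from run to run while `sd_value` stays 11; `hamming_weight` shows the cost side of the trade-off, since each non-zero digit is one point addition. This Python loop is a functional model only and says nothing about the timing or power behaviour of a hardware recoder.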

  13. Recoding Example for $k = 11 = (01011)_2$
     Problem: this representation may have too many 1s
     Solution: reduction of the Hamming weight in order to improve scalar multiplication

  14. Width-w Signed-Digit
     $k = \sum_{i=0}^{n} k_i 2^i$ with $k_i \in \{0, \pm 1, \pm 3, \ldots, \pm(2w - 1)\}$
     ◮ maximum 1 digit $\neq 0$ in $w$ consecutive digits
     Example of width-w signed digit representations for $k = 11$:
     $w = 2$: $(01003)_{SD_2}$, $(0030\bar{1})_{SD_2}$
     $w = 3$: $(01003)_{SD_3}$, $(1000\bar{5})_{SD_3}$
     ◮ precomputations: $[2i - 1]P$ for $i$ from 2 to $w$
     ◮ average cost: $(n-1) \cdot \mathrm{DBL}$ and $\frac{n}{w+1} \cdot \mathrm{ADD}$
     ⇒ less representations: $3 = 011 = 1\bar{1}1 = 10\bar{1}$

  15. Cost Comparison

     | Curve operation | Complexity |
     |---|---|
     | $\mathrm{ADD}_{J+A}$ | $8[m] + 3[s]$ |
     | $\alpha$-$\mathrm{DBL}_J$ | $4\alpha[m] + (4\alpha + 2)[s]$ |
     | $\alpha$-$\mathrm{TPL}_J$ | $(11\alpha - 1)[m] + (4\alpha + 2)[s]$ |

     assumption in $\mathbb{F}_p$: 1 square ≈ 0.8 multiplication

     | $[k]P$ with | Cost | Equivalent |
     |---|---|---|
     | SD2 | $1500[m] + 1575[s]$ | ≈ $2760[m]$ |
     | SD3 | $1354[m] + 1524[s]$ | ≈ $2573[m]$ |
     | SD4 | $1284[m] + 1494[s]$ | ≈ $2479[m]$ |
     | DBNS recoding | $1752[m] + 930[s]$ | ≈ $2496[m]$ |

  16. Circuit-Level Representations of Signed-Digits
     2 implementation versions: SM (Sign Magnitude) and OH (One Hot)
     For $w = 2$, the digit set is $\{\bar{3}, \bar{1}, 0, 1, 3\}$, and two circuit-level codings have been used:
     Benefit: constant number of transitions for 0 → 1 and 1 → 0
     Cost: larger area and memory
     Remark: same approach for $w = 3$

  17. Implementation Results - SM Version
     ISE version 12.4, standard efforts for synthesis and P&R, Virtex 5 XC5VLX50T FPGA

     | n | w | optimization goal | # registers | # LUTs | max. freq. [MHz] |
     |---|---|---|---|---|---|
     | 192 | 2 | area | 451 | 2497 | 182 |
     | 192 | 2 | speed | 1604 | 2970 | 222 |
     | 192 | 3 | area | 457 | 2704 | 187 |
     | 192 | 3 | speed | 1803 | 3251 | 212 |
     | 224 | 2 | area | 515 | 2924 | 185 |
     | 224 | 2 | speed | 1860 | 3081 | 179 |
     | 224 | 3 | area | 521 | 3128 | 180 |
     | 224 | 3 | speed | 2093 | 3653 | 195 |

  18. Implementation Results - OH Version
     ISE version 12.4, standard efforts for synthesis and P&R, Virtex 5 XC5VLX50T FPGA

     | n | w | optimization goal | # registers | # LUTs | max. freq. [MHz] |
     |---|---|---|---|---|---|
     | 192 | 2 | area | 838 | 2976 | 182 |
     | 192 | 2 | speed | 2186 | 3606 | 195 |
     | 192 | 3 | area | 847 | 3215 | 187 |
     | 192 | 3 | speed | 2971 | 4215 | 170 |
     | 224 | 2 | area | 966 | 3434 | 185 |
     | 224 | 2 | speed | 2538 | 3874 | 179 |
     | 224 | 3 | area | 975 | 3670 | 189 |
     | 224 | 3 | speed | 3450 | 4489 | 187 |

  19. Conclusion
     [Block diagram: ECC processor, as on slide 7]
     ◮ use redundant representations of numbers
     ◮ random recoding
     ◮ hardware implementation with low overhead
     Future prospects:
     ◮ integration in the ECC processor
     ◮ physical robustness evaluation

  20. References
     [1] Christophe Doche and Laurent Imbert. Extended double-base number system with applications to elliptic curve cryptography. In INDOCRYPT, pages 335–348. Springer, 2006.
     [2] Nevine Ebeid and M. Anwar Hasan. On binary signed digit representations of integers. Des. Codes Cryptography, 42:43–65, January 2007.
     [3] D. Hankerson, S. Vanstone, and A. Menezes. Guide to Elliptic Curve Cryptography. Springer-Verlag, 2003.
     [4] S. Mangard, E. Oswald, and T. Popp. Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer, December 2007.
