hardware random recoding - redundant representations...
Post on 21-Apr-2018
218 Views
Preview:
TRANSCRIPT
1/20
Hardware Random RecodingRedundant Representations of Numbers, Side Channel
Analysis, Elliptic Curve Cryptography
Thomas Chabrier, Danuta Pamula, Arnaud Tisserand
IRISA Laboratory, CAIRN Research Team
2/20
Plan
Context
Redundant Representations
Proposed Solution and Implementation Results
Conclusion and Future Prospects
3/20
ContextElliptic curve cryptography (ECC):
I considered finite field: Fp with p alarge prime (160–600 bits)
I simplified Weierstrass equation:y2 = x3 + ax + bwhere a, b ∈ F2
p and∆ = −16(4a3 + 27b2) 6= 0
Sum of 2 points on R
Hardware implementation issues:I performance: speed, area, low power/energy consumptionI security: protection against side channel attacks
Reference [3]: D. Hankerson, S. Vanstone, and A. Menezes, Guide to Elliptic Curve
Cryptography, 2003
4/20
ECC Scalar Multiplication [k ]PI scalar multiplication: [k ]P = P + P + . . .+ P︸ ︷︷ ︸
k times
with k ∈ N
right to left and left to right binary "double and add" algorithms to compute [k ]P:1: Q ←−∞ Q ←−∞2: for i from 0 to t-1 do for i from t-1 downto 0 do3: if ki = 1 then Q ←− Q + P ADD Q ←− 2Q DBL4: P ←− 2P DBL if ki = 1 then Q ←− Q + P ADD
avg. cost: (n − 1) · DBL and n2 · ADD
I non adjacent form (NAF):
k =l−1∑i=0
ki2i where ki ∈ {1̄,0,1} kiki+1 = 0
k = 267 = ( 1 0 0 0 0 1 0 1 1 )2
( 1 0 0 0 1 0 1 0 1 )2−NAF( 1 0 0 0 0 1 0 0 3 )3−NAF
avg. cost: (n − 1) · DBL and nw+1 · ADD
Notation: d̄ ⇔ −d
5/20
Side Channel Analysis
I measure some external parameters on running device inorder to deduce internal secret informations
Reference [4]: S. Mangard, E. Oswald, and T. Popp, Power Analysis Attacks: Revealing
the Secrets of Smart Cards, 2007
6/20
Side Channel Analysis for ECC
I in ECC: identify point additions and point doublings operations inorder to deduce the key value in [k ]P
Typical countermeasures:I resistant algorithms (double and add always, Montgomery ladder,
insert dummy operations, . . . ) −→ regular behaviorI unified formulaeI randomization of the scalar
Coron countermeasure (first): k ′ = k + r |E(Fp)|random recoding with DBNS and signed digit representations
I randomization of the base pointI isomorphism randomization of the curve
7/20
ECC Processor
±,× on Fq
local register(s)
CT
RL±,× on Fq
local register(s)
CT
RL 1/x on Fq
local register(s)
CT
RL
regi
ster
file
CTRL
COMM.
key recode
AG
U
counter-measures
I functional units (FU): ±,×,1/x for Fp and F2m , key recodingI memory: register file + internal registers in the FUsI control: operations (E and Fq levels) schedule
8/20
DBNS: Double-Based Number System
k =n−1∑i=0
ki2ai 3bi with ki ∈ {−1,1}, ai ,bi ≥ 0
The double-base chain approach:I representations of integers in two coprime bases (2, 3)I extremely redundant and sparse number system
Example: 127 has 783 different representations:127 = 2233 + 2132 + 2030 = 2233 + 2430 + 2031 = . . .
Strictly chained DBNS representation (ref. [1]):I compute [k ]P =⇒ Need a0 ≥ . . . ≥ an−1 and b0 ≥ . . . ≥ bn−1I cost: (n − 1) · ADD + a0 · DBL + b0 · TPL
Reference [1]: C. Doche and L. Imbert, Extended double-base number system withapplications to elliptic curve cryptography, INDOCRYPT, 2006.
9/20
Random Recoding Rules
We focus on 4 recodings:
I 1 + 2reduction−⇀↽−expansion
3 =⇒{
2i+13j−1 + 2i3j−1 = 2i3j [R1]2i−13j+1 − 2i−13j = 2i3j [R2]
I 1 + 3red.−⇀↽−exp.
22 =⇒{
2i−23j+1 + 2i−23j = 2i3j [R3]2i+23j−1 − 2i3j−1 = 2i3j [R4]
I 1 + 23red.−⇀↽−exp.
32 =⇒{
2i+33j−2 + 2i3j−2 = 2i3j [R5]2i−33j+2 − 2i−33j = 2i3j [R6]
I 1 + 1red.−⇀↽−exp.
2 =⇒{
2i+13j − 2i3j = 2i3j [R7]2i−13j + 2i−13j = 2i3j [R8]
Rules have to respect decreasing exponents
Random applications of the rules
10/20
Example of Some Possible DBNS Recodings fork = 140400
1 2836 − 2636 + 2433
2 2637 + 2433 3 2737 − 2736 − 2636 + 2433
red. R4
exp. R2
4 2736 + 2636 + 2433
exp. R1
5 2637 + 2632 − 2432
exp. R4
1
2
3
4
5
[140400]P = [2433]([2233]([2230]P − P ) + P )
= [2433]([2234]P + P )
= [2433]([2233]([2130]([2031]P − P )− P ) + P )
[140400]P = [2433]([2233]([2130]P + P ) + P )
= [2432]([2230]([2035]P + P )− P )
reduction expansion
11/20
Binary Signed-Digit Representation
k =n∑
i=0
ki2i with ki ∈ {1̄,0,1}
Example of some BSD representations for k = 11:
(01011)BSD = 23 + 21 + 20
(0111̄1)BSD = 23 + 22 − 21 + 20
...
Number of BSD representations: λ(k ,n) (ref. [2])
Example:λ(149,9) = 50λ(1365,12) = 233λ(87381,17) = 4181
Reference [2]: N. Ebeid and M.Hasan, On binary signed digit representations of
integers, Des. Codes Cryptography, 2007
12/20
Recoding Rules for RandomizationRecoding rules: 01⇔ 11̄ and 01̄⇔ 1̄1
Random recoding approach:I left–to–right or right–to–left algorithmI serial scanning of all digits of kI random bits r = (r2, r1, r0)
Compute a random signed-digit representation ofk = (0kn−1 · · · k0)2:
1: for i from 1 to n-1 do2: if r2 = 1 then3: if r1 = 1 then (ki+1, ki)← f (ki+1, ki)4: if r0 = 1 then (ki , ki−1)← f (ki , ki−1)5: else6: if r0 = 1 then (ki , ki−1)← f (ki , ki−1)7: if r1 = 1 then (ki+1, ki)← f (ki+1, ki)8: return k
13/20
Recoding Example for k = 11 = (01011)2
Problem: this representation may have too many 1sSolution: reduction of the Hamming weight in order to improvescalar multiplication
14/20
Width–w Signed-Digit
k =n∑
i=0
ki2i with ki ∈ {0,±1,±3, . . . ,±(2w − 1)}
I maximum 1 digit 6= 0 in w consecutive digits
Example of width–w signed digit representations for k = 11:
w = 2 w = 3(01003)SD2 (01003)SD3(00301̄)SD2 (10005̄)SD3
I precomputations: [2i − 1]P for i from 2 to wI average cost: (n − 1) · DBL and n
w+1 · ADD
⇒ less representations: 3 = 011 = 11̄1 = 101̄
15/20
Cost Comparison
Curve Operation Complexity
ADDJ+A 8[m] + 3[s]
α-DBLJ 4α[m] + (4α + 2)[s]
α-TPLJ (11α− 1)[m] + (4α + 2)[s]
assumption in Fp: 1 square ≈ 0.8 multiplication
cost [k ]P with:SD2 1500[m] + 1575[s] ≈ 2760[m]SD3 1354[m] + 1524[s] ≈ 2573[m]SD4 1284[m] + 1494[s] ≈ 2479[m]DBNS recoding 1752[m] + 930[s] ≈ 2496[m]
16/20
Circuit-Level Representations of Signed-Digits2 implementation versions:
SM (Sign Magnitude) and OH (One Hot)
For w = 2, the digit set is {3̄, 1̄,0,1,3}, and two circuit-levelcodings have been used:
Benefit: constant number of transitions for 0→ 1 and 1→ 0Cost: larger area and memory
Remark: same approach for w = 3
17/20
Implementation Results - SM VersionISE version 12.4standard efforts for synthesis and P&RVirtex 5 XC5VLX50T FPGA
n woptimization
# registers # LUTsmax. freq.
goal [MHz]
192 2area 451 2497 182
speed 1604 2970 222
192 3area 457 2704 187
speed 1803 3251 212
224 2area 515 2924 185
speed 1860 3081 179
224 3area 521 3128 180
speed 2093 3653 195
18/20
Implementation Results - OH VersionISE version 12.4standard efforts for synthesis and P&RVirtex 5 XC5VLX50T FPGA
n woptimization
# registers # LUTsmax. freq.
goal [MHz]
192 2area 838 2976 182
speed 2186 3606 195
192 3area 847 3215 187
speed 2971 4215 170
224 2area 966 3434 185
speed 2538 3874 179
224 3area 975 3670 189
speed 3450 4489 187
19/20
Conclusion
I use redundantrepresentations ofnumbers
I random recodingI hardware
implementation withlow overhead
±,× on Fq
local register(s)
CT
RL±,× on Fq
local register(s)
CT
RL 1/x on Fq
local register(s)
CT
RL
regi
ster
file
CTRL
COMM.
key recode
AG
U
counter-measures
Future prospects:I integration in the ECC processorI physical robustness evaluation
20/20
References
Christophe Doche and Laurent Imbert.Extended double-base number system with applications to elliptic curvecryptography.In INDOCRYPT, pages 335–348. Springer, 2006.
Nevine Ebeid and M. Anwar Hasan.On binary signed digit representations of integers.Des. Codes Cryptography, 42:43–65, January 2007.
D. Hankerson, S. Vanstone, and A. Menezes.Guide to Elliptic Curve Cryptography.Springer-Verlag, 2003.
S. Mangard, E. Oswald, and T. Popp.Power Analysis Attacks: Revealing the Secrets of Smart Cards.Springer, December 2007.
top related