Atomicity Improvement for Elliptic Curve Scalar Multiplication


📝 Original Info

  • Title: Atomicity Improvement for Elliptic Curve Scalar Multiplication
  • ArXiv ID: 1002.4569
  • Date: 2010-02-24
  • Authors: Christophe Giraud, Vincent Verneuil

📝 Abstract

In this paper we address the problem of protecting elliptic curve scalar multiplication implementations against side-channel analysis by using the atomicity principle. First of all we reexamine classical assumptions made by scalar multiplication designers and we point out that some of them are not relevant in the context of embedded devices. We then describe the state-of-the-art of atomic scalar multiplication and propose an atomic pattern improvement method. Compared to the most efficient atomic scalar multiplication published so far, our technique shows an average improvement of up to 10.6%.

📄 Full Content

We consider the problem of performing scalar multiplication on elliptic curves over F_p in the context of embedded devices such as smart cards. In this context, efficiency and side-channel resistance are of utmost importance. Concerning the achievement of the first requirement, numerous studies dealing with scalar multiplication efficiency have given rise to efficient algorithms including sliding-window and signed representation based methods [19].

Regarding the second requirement, side-channel attacks exploit the fact that physical leakages of a device (timing, power consumption, electromagnetic radiation, etc.) depend on the operations performed and on the variables manipulated. These attacks can be divided into two groups: the Simple Side-Channel Analysis (SSCA) [25] which tries to observe a difference of behavior depending on the value of the secret key by using a single measurement, and the Differential Side-Channel Analysis (DSCA) [26] which exploits data value leakages by performing statistical treatment over several hundreds of measurements to retrieve information on the secret key. Since 1996, many proposals have been made to protect scalar multiplication against these attacks [7,12,23]. Amongst them, atomicity introduced by Chevallier-Mames et al. in [9] is one of the most interesting methods to counteract SSCA. This countermeasure has been widely studied and Longa recently proposed an improvement for some scalar multiplication algorithms [27].

⋆ A part of this work has been done while at Oberthur Technologies.
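Added example (not from the paper): the operation-dependent leakage that SSCA relies on, modelled as a log of point doublings (D) and additions (A) on a constructed toy curve. The regular variant shown is double-and-add-always, a simpler countermeasure than the paper's atomic patterns; `point_op`, `scalar_from_trace` and the curve parameters are assumptions of this sketch.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17, base point G of prime order 19.
# Constructed parameters, far too small for real use; valid for 1 <= k <= 18.
P, A, G = 17, 2, (5, 1)

def point_op(p1, p2, trace):
    """Affine doubling (p1 == p2) or addition. Logs 'D' or 'A': the
    distinction one power trace shows when the two formulas differ."""
    trace.append("D" if p1 == p2 else "A")
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # point at infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def double_and_add(k, trace):
    """Left-to-right binary method: an addition happens only for 1 bits."""
    r = G
    for bit in bin(k)[3:]:  # bits after the leading 1
        r = point_op(r, r, trace)
        if bit == "1":
            r = point_op(r, G, trace)
    return r

def double_and_add_always(k, trace):
    """Regular variant: every doubling is followed by an addition whose
    result is discarded for 0 bits, so the sequence is key-independent."""
    r = G
    for bit in bin(k)[3:]:
        r = point_op(r, r, trace)
        s = point_op(r, G, trace)
        r = s if bit == "1" else r
    return r

def scalar_from_trace(trace):
    """What the operation sequence alone reveals: 'DA' = 1 bit, 'D' = 0 bit."""
    bits = "".join(trace).replace("DA", "1").replace("D", "0")
    return int("1" + bits, 2)

if __name__ == "__main__":
    for name, mul in (("binary", double_and_add), ("regular", double_and_add_always)):
        t = []
        q = mul(13, t)
        print(name, q, "".join(t), "-> trace decodes to", scalar_from_trace(t))
```

With k = 13 the binary method's trace decodes back to 13, while the regular variant's trace is the same for every scalar of equal bit length, at the price of one dummy addition per 0 bit.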

In this paper we present a new atomicity implementation for scalar multiplication, and we detail the atomicity improvement method we employed. This method can be applied to minimize atomicity implementation cost for sensitive algorithms with no security loss. In particular our method allows the implementation of atomic scalar multiplication in embedded devices in a more efficient way than any of the previous methods.

The rest of this paper is organized as follows. We finish this introduction by describing the scalar multiplication context which we are interested in and by mentioning an important observation on the cost of field additions. In Section 2 we recall some basics about Elliptic Curves Cryptography. In particular we present an efficient scalar multiplication algorithm introduced by Joye in 2008 [21]. Then we recall in Section 3 the principle of atomicity and we draw up a comparative chart of the efficiency of atomic scalar multiplication algorithms before this work. In Section 4, we propose an improvement of the original atomicity principle. In particular, we show that our method, applied to Joye’s scalar multiplication, allows a substantial gain of time compared to the original atomicity principle. Finally, Section 5 concludes this paper.

We restrict the context of this paper to practical applications on embedded devices, which yields the constraint of using standardized curves over F_p (footnote 4). As far as we know, NIST curves [17] and Brainpool curves [14,15] cover almost all curves currently used in the industry. We thus exclude from our scope Montgomery curves [32], Hessian curves [20], and Edwards curves (footnote 5) [16], which cover neither NIST nor Brainpool curves.

Considering that embedded devices, in particular smart cards, have very constrained resources (i.e. RAM and CPU), methods requiring heavy scalar treatment are discarded as well. In particular it is impossible to store scalar precomputations for some protocols such as ECDSA [1] where the scalar is randomly generated before each scalar multiplication. Most of the recent advances in this field cannot thus be taken into account: Double Base Number System [13,31], multibase representation [28], Euclidean addition chains and Zeckendorf representation [30].

Footnote 4: The curves over F_p are generally recommended for practical applications [33,34].

Footnote 5: An elliptic curve over F_p is expressible in Edwards form only if it has a point of order 4 [6] and is expressible in twisted Edwards form only if it has three points of order 2 [4]. Since NIST and Brainpool curves have a cofactor of 1 there is no such equivalence. Nevertheless, for each of these curves, it is possible to find an extension field F_{p^q} over which the curve has a point of order 4 and is thus birationally equivalent to an Edwards curve. However the cost of a scalar multiplication over F_{p^q} is prohibitive in the context of embedded devices.

In the literature, the cost of additions and subtractions over F_p is generally neglected compared to the cost of field multiplication. While this assumption is relevant in theory, we found out that these operations were not as insignificant as predicted for embedded devices. Smart cards for example have crypto-coprocessors in order to perform multi-precision arithmetic. These devices generally offer the following operations: addition, subtraction, multiplication, modular multiplication and sometimes modular squaring. Modular addition (respectively

…(Full text truncated)…
