Hardware Random Recoding: Redundant Representations of Numbers, Side Channel Analysis, Elliptic Curve Cryptography

Thomas Chabrier, Danuta Pamula, Arnaud Tisserand

IRISA Laboratory, CAIRN Research Team

Hardware Random Recoding - Redundant Representations …iml.univ-mrs.fr/ati/crypto_puces/2011/slides/Mardi/chabrier.pdf · Hardware Random Recoding Redundant Representations of Numbers,

Apr 21, 2018

Plan

Context

Redundant Representations

Proposed Solution and Implementation Results

Conclusion and Future Prospects

Context

Elliptic curve cryptography (ECC):

- considered finite field: $\mathbb{F}_p$ with $p$ a large prime (160–600 bits)
- simplified Weierstrass equation: $y^2 = x^3 + ax + b$ where $(a, b) \in \mathbb{F}_p^2$ and $\Delta = -16(4a^3 + 27b^2) \neq 0$

[Figure: sum of 2 points on R]

Hardware implementation issues:

- performance: speed, area, low power/energy consumption
- security: protection against side channel attacks

Reference [3]: D. Hankerson, S. Vanstone, and A. Menezes, Guide to Elliptic Curve Cryptography, 2003

ECC Scalar Multiplication [k]P

- scalar multiplication: $[k]P = \underbrace{P + P + \dots + P}_{k \text{ times}}$ with $k \in \mathbb{N}$
- right to left and left to right binary "double and add" algorithms to compute [k]P:

Right to left:

    Q ← ∞
    for i from 0 to t-1 do
        if k_i = 1 then Q ← Q + P    (ADD)
        P ← 2P                       (DBL)

Left to right:

    Q ← ∞
    for i from t-1 downto 0 do
        Q ← 2Q                       (DBL)
        if k_i = 1 then Q ← Q + P    (ADD)

avg. cost: $(n - 1) \cdot \mathrm{DBL}$ and $\frac{n}{2} \cdot \mathrm{ADD}$

- non adjacent form (NAF): $k = \sum_{i=0}^{l-1} k_i 2^i$ where $k_i \in \{\bar{1}, 0, 1\}$ and $k_i k_{i+1} = 0$

$k = 267 = (1\,0\,0\,0\,0\,1\,0\,1\,1)_2$
$= (1\,0\,0\,0\,1\,0\,\bar{1}\,0\,\bar{1})_{2\text{-NAF}}$
$= (1\,0\,0\,0\,0\,1\,0\,0\,3)_{3\text{-NAF}}$

avg. cost: $(n - 1) \cdot \mathrm{DBL}$ and $\frac{n}{w+1} \cdot \mathrm{ADD}$

Notation: $\bar{d} \Leftrightarrow -d$

Side Channel Analysis

- measure some external parameters on a running device in order to deduce internal secret information

Reference [4]: S. Mangard, E. Oswald, and T. Popp, Power Analysis Attacks: Revealing the Secrets of Smart Cards, 2007

Side Channel Analysis for ECC

- in ECC: identify point addition and point doubling operations in order to deduce the key value in [k]P

Typical countermeasures:

- resistant algorithms (double and add always, Montgomery ladder, insert dummy operations, ...) → regular behavior
- unified formulae
- randomization of the scalar
    - Coron countermeasure (first): $k' = k + r\,|E(\mathbb{F}_p)|$
    - random recoding with DBNS and signed digit representations
- randomization of the base point
- isomorphism randomization of the curve

ECC Processor

[Figure: ECC processor block diagram. Functional units (±,× on F_q; ±,× on F_q; 1/x on F_q), each with local register(s) and CTRL; register file; CTRL; COMM.; key recode; AGU; counter-measures]

- functional units (FU): ±, ×, 1/x for $\mathbb{F}_p$ and $\mathbb{F}_{2^m}$, key recoding
- memory: register file + internal registers in the FUs
- control: operations (E and $\mathbb{F}_q$ levels) schedule

DBNS: Double-Base Number System

$k = \sum_{i=0}^{n-1} k_i 2^{a_i} 3^{b_i}$ with $k_i \in \{-1, 1\}$, $a_i, b_i \geq 0$

The double-base chain approach:

- representations of integers in two coprime bases (2, 3)
- extremely redundant and sparse number system

Example: 127 has 783 different representations:
$127 = 2^2 3^3 + 2^1 3^2 + 2^0 3^0 = 2^2 3^3 + 2^4 3^0 + 2^0 3^1 = \dots$

Strictly chained DBNS representation (ref. [1]):

- compute [k]P ⟹ need $a_0 \geq \dots \geq a_{n-1}$ and $b_0 \geq \dots \geq b_{n-1}$
- cost: $(n - 1) \cdot \mathrm{ADD} + a_0 \cdot \mathrm{DBL} + b_0 \cdot \mathrm{TPL}$

Reference [1]: C. Doche and L. Imbert, Extended double-base number system with applications to elliptic curve cryptography, INDOCRYPT, 2006.

Random Recoding Rules

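We focus on 4 recodings:

- $1 + 2 \;\underset{\text{expansion}}{\overset{\text{reduction}}{\rightleftharpoons}}\; 3 \implies \begin{cases} 2^{i+1}3^{j-1} + 2^{i}3^{j-1} = 2^{i}3^{j} & [R1] \\ 2^{i-1}3^{j+1} - 2^{i-1}3^{j} = 2^{i}3^{j} & [R2] \end{cases}$

- $1 + 3 \;\underset{\text{exp.}}{\overset{\text{red.}}{\rightleftharpoons}}\; 2^2 \implies \begin{cases} 2^{i-2}3^{j+1} + 2^{i-2}3^{j} = 2^{i}3^{j} & [R3] \\ 2^{i+2}3^{j-1} - 2^{i}3^{j-1} = 2^{i}3^{j} & [R4] \end{cases}$

- $1 + 2^3 \;\underset{\text{exp.}}{\overset{\text{red.}}{\rightleftharpoons}}\; 3^2 \implies \begin{cases} 2^{i+3}3^{j-2} + 2^{i}3^{j-2} = 2^{i}3^{j} & [R5] \\ 2^{i-3}3^{j+2} - 2^{i-3}3^{j} = 2^{i}3^{j} & [R6] \end{cases}$

- $1 + 1 \;\underset{\text{exp.}}{\overset{\text{red.}}{\rightleftharpoons}}\; 2 \implies \begin{cases} 2^{i+1}3^{j} - 2^{i}3^{j} = 2^{i}3^{j} & [R7] \\ 2^{i-1}3^{j} + 2^{i-1}3^{j} = 2^{i}3^{j} & [R8] \end{cases}$

Rules have to respect decreasing exponents

Random applications of the rules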

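Example of Some Possible DBNS Recodings for k = 140400

(1) $2^8 3^6 - 2^6 3^6 + 2^4 3^3$
(2) $2^6 3^7 + 2^4 3^3$
(3) $2^7 3^7 - 2^7 3^6 - 2^6 3^6 + 2^4 3^3$
(4) $2^7 3^6 + 2^6 3^6 + 2^4 3^3$
(5) $2^6 3^7 + 2^6 3^2 - 2^4 3^2$

Rule applications between the representations (reduction / expansion):

- (1) → (2): red. R4
- (1) → (3): exp. R2
- (2) → (4): exp. R1
- (2) → (5): exp. R4

Corresponding computations of [140400]P:

(1) $[140400]P = [2^4 3^3]([2^2 3^3]([2^2 3^0]P - P) + P)$
(2) $= [2^4 3^3]([2^2 3^4]P + P)$
(3) $= [2^4 3^3]([2^2 3^3]([2^1 3^0]([2^0 3^1]P - P) - P) + P)$
(4) $[140400]P = [2^4 3^3]([2^2 3^3]([2^1 3^0]P + P) + P)$
(5) $= [2^4 3^2]([2^2 3^0]([2^0 3^5]P + P) - P)$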
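The rules R1 to R8 and the k = 140400 example, as an added Python example that is not code from the slides: each term is a triple (sign, a, b) for ±2^a 3^b, and `chain_cost` evaluates the nested form with the integer 1 standing in for the point P. The names `expand`, `is_chain`, `random_expansion` and `chain_cost` are illustrative, and accepting a random expansion only when the exponents stay non-increasing is this example's reading of "rules have to respect decreasing exponents".

```python
import secrets

# Expansion of one term 2^i 3^j into two terms (sign, di, dj), rules R1..R8 of the slide.
EXPAND = {
    "R1": ((+1, +1, -1), (+1, 0, -1)), "R2": ((+1, -1, +1), (-1, -1, 0)),
    "R3": ((+1, -2, +1), (+1, -2, 0)), "R4": ((+1, +2, -1), (-1, 0, -1)),
    "R5": ((+1, +3, -2), (+1, 0, -2)), "R6": ((+1, -3, +2), (-1, -3, 0)),
    "R7": ((+1, +1, 0), (-1, 0, 0)),   "R8": ((+1, -1, 0), (+1, -1, 0)),
}

def value(terms):
    """Integer represented by a list of (sign, a, b) terms meaning sign * 2^a * 3^b."""
    return sum(s * 2**a * 3**b for s, a, b in terms)

def is_chain(terms):
    """True if exponents are >= 0 and non-increasing (a0 >= a1 >= ..., b0 >= b1 >= ...)."""
    if any(a < 0 or b < 0 for _, a, b in terms):
        return False
    return all(x[1] >= y[1] and x[2] >= y[2] for x, y in zip(terms, terms[1:]))

def expand(terms, pos, rule):
    """Replace the term at index pos by the two terms of the given expansion rule."""
    s, a, b = terms[pos]
    new = [(s * t, a + da, b + db) for t, da, db in EXPAND[rule]]
    return terms[:pos] + new + terms[pos + 1:]

def random_expansion(terms, tries=100):
    """Apply one random expansion that keeps the chain valid; else return terms unchanged."""
    for _ in range(tries):
        cand = expand(terms, secrets.randbelow(len(terms)), secrets.choice(list(EXPAND)))
        if is_chain(cand):
            return cand
    return terms

def chain_cost(terms):
    """Evaluate a valid chain in nested form on the integer 1 (stand-in for P).
    Returns (k, ADD, DBL, TPL), i.e. (n-1) ADD + a0 DBL + b0 TPL."""
    acc, adds, dbls, tpls = terms[0][0], 0, 0, 0
    for (_, a0, b0), (s, a1, b1) in zip(terms, terms[1:]):
        acc = acc * 2**(a0 - a1) * 3**(b0 - b1) + s   # [2^(a0-a1) 3^(b0-b1)]Q +/- P
        adds, dbls, tpls = adds + 1, dbls + a0 - a1, tpls + b0 - b1
    _, a, b = terms[-1]
    return acc * 2**a * 3**b, adds, dbls + a, tpls + b

# Representations (1) and (2) of k = 140400 from the slide.
REP1 = [(+1, 8, 6), (-1, 6, 6), (+1, 4, 3)]
REP2 = [(+1, 6, 7), (+1, 4, 3)]
```

Every recoding evaluates to the same scalar, while the ADD/DBL/TPL counts and the term sequence change from one recoding to the next.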

Binary Signed-Digit Representation

$k = \sum_{i=0}^{n} k_i 2^i$ with $k_i \in \{\bar{1}, 0, 1\}$

Example of some BSD representations for k = 11:

$(01011)_{BSD} = 2^3 + 2^1 + 2^0$

$(011\bar{1}1)_{BSD} = 2^3 + 2^2 - 2^1 + 2^0$

...

Number of BSD representations: $\lambda(k, n)$ (ref. [2])

Example:

- $\lambda(149, 9) = 50$
- $\lambda(1365, 12) = 233$
- $\lambda(87381, 17) = 4181$

Reference [2]: N. Ebeid and M. Hasan, On binary signed digit representations of integers, Des. Codes Cryptography, 2007

Recoding Rules for Randomization

Recoding rules: $01 \Leftrightarrow 1\bar{1}$ and $0\bar{1} \Leftrightarrow \bar{1}1$

Random recoding approach:

- left-to-right or right-to-left algorithm
- serial scanning of all digits of k
- random bits $r = (r_2, r_1, r_0)$

Compute a random signed-digit representation of $k = (0\,k_{n-1} \cdots k_0)_2$:

    for i from 1 to n-1 do
        if r2 = 1 then
            if r1 = 1 then (k_{i+1}, k_i) ← f(k_{i+1}, k_i)
            if r0 = 1 then (k_i, k_{i-1}) ← f(k_i, k_{i-1})
        else
            if r0 = 1 then (k_i, k_{i-1}) ← f(k_i, k_{i-1})
            if r1 = 1 then (k_{i+1}, k_i) ← f(k_{i+1}, k_i)
    return k

Recoding Example for k = 11 = $(01011)_2$

Problem: this representation may have too many 1s

Solution: reduction of the Hamming weight in order to improve scalar multiplication
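The random recoding loop and the Hamming-weight problem above, as an added Python example that is not code from the slides. It assumes that fresh random bits (r2, r1, r0) are drawn at every step i and that f applies whichever of the two recoding rules matches the digit pair; `random_bsd`, `sample_recodings` and the other names are illustrative.

```python
import secrets

# Recoding rules from the slide, on an adjacent digit pair (high, low):
# 01 <-> 1(-1) and 0(-1) <-> (-1)1. Both sides of each rule have the same value.
RULES = {(0, 1): (1, -1), (1, -1): (0, 1), (0, -1): (-1, 1), (-1, 1): (0, -1)}

def f(hi, lo):
    """Swap a matching pair for its equivalent; any other pair is unchanged."""
    return RULES.get((hi, lo), (hi, lo))

def value(digits):
    """Integer value of a little-endian list of digits in {-1, 0, 1}."""
    return sum(d * (1 << i) for i, d in enumerate(digits))

def hamming_weight(digits):
    """Number of non-zero digits, i.e. point additions in the scalar multiplication."""
    return sum(1 for d in digits if d != 0)

def random_bsd(k, n, rand3=lambda: secrets.randbits(3)):
    """Random BSD recoding of an n-bit scalar k, following the slide's loop.
    Assumption: fresh random bits r = (r2, r1, r0) are drawn at each step i."""
    d = [(k >> i) & 1 for i in range(n)] + [0]   # (0 k_{n-1} ... k_0), index = weight
    for i in range(1, n):
        r = rand3()
        r2, r1, r0 = (r >> 2) & 1, (r >> 1) & 1, r & 1
        upper, lower = (i + 1, i, r1), (i, i - 1, r0)
        # r2 selects which of the two overlapping pairs is recoded first
        for hi, lo, enabled in ((upper, lower) if r2 else (lower, upper)):
            if enabled:
                d[hi], d[lo] = f(d[hi], d[lo])
    return d

def sample_recodings(k, n, trials=500):
    """Map each distinct representation (most significant digit first) to its weight."""
    seen = {}
    for _ in range(trials):
        d = random_bsd(k, n)
        assert value(d) == k, "recoding must not change the scalar"
        seen[tuple(reversed(d))] = hamming_weight(d)
    return seen

if __name__ == "__main__":
    for digits, w in sorted(sample_recodings(11, 4).items(), key=lambda t: t[1]):
        print(digits, "weight", w)
```

For k = 11 the sampled representations all evaluate to 11, but their weights range up to 5 non-zero digits out of 5, which is the cost the slide's Hamming-weight reduction addresses.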

Width–w Signed-Digit

$k = \sum_{i=0}^{n} k_i 2^i$ with $k_i \in \{0, \pm 1, \pm 3, \dots, \pm(2w - 1)\}$

- maximum 1 digit $\neq 0$ in $w$ consecutive digits

Example of width-w signed digit representations for k = 11:

    w = 2                  w = 3
    $(01003)_{SD_2}$       $(01003)_{SD_3}$
    $(0030\bar{1})_{SD_2}$ $(1000\bar{5})_{SD_3}$

- precomputations: $[2i - 1]P$ for $i$ from 2 to $w$
- average cost: $(n - 1) \cdot \mathrm{DBL}$ and $\frac{n}{w+1} \cdot \mathrm{ADD}$

⇒ fewer representations: $3 = 011 = 1\bar{1}1 = 10\bar{1}$

Cost Comparison

    Curve operation    Complexity
    ADD_{J+A}          8[m] + 3[s]
    α-DBL_J            4α[m] + (4α + 2)[s]
    α-TPL_J            (11α − 1)[m] + (4α + 2)[s]

assumption in $\mathbb{F}_p$: 1 square ≈ 0.8 multiplication

cost [k]P with:

    SD2              1500[m] + 1575[s] ≈ 2760[m]
    SD3              1354[m] + 1524[s] ≈ 2573[m]
    SD4              1284[m] + 1494[s] ≈ 2479[m]
    DBNS recoding    1752[m] +  930[s] ≈ 2496[m]

Circuit-Level Representations of Signed-Digits

2 implementation versions: SM (Sign Magnitude) and OH (One Hot)

For w = 2, the digit set is $\{\bar{3}, \bar{1}, 0, 1, 3\}$, and two circuit-level codings have been used:

Benefit: constant number of transitions for 0 → 1 and 1 → 0

Cost: larger area and memory

Remark: same approach for w = 3

Implementation Results - SM Version

- ISE version 12.4
- standard efforts for synthesis and P&R
- Virtex 5 XC5VLX50T FPGA

    n    w  optimization goal  # registers  # LUTs  max. freq. [MHz]
    192  2  area                       451    2497               182
    192  2  speed                     1604    2970               222
    192  3  area                       457    2704               187
    192  3  speed                     1803    3251               212
    224  2  area                       515    2924               185
    224  2  speed                     1860    3081               179
    224  3  area                       521    3128               180
    224  3  speed                     2093    3653               195

Implementation Results - OH Version

- ISE version 12.4
- standard efforts for synthesis and P&R
- Virtex 5 XC5VLX50T FPGA

    n    w  optimization goal  # registers  # LUTs  max. freq. [MHz]
    192  2  area                       838    2976               182
    192  2  speed                     2186    3606               195
    192  3  area                       847    3215               187
    192  3  speed                     2971    4215               170
    224  2  area                       966    3434               185
    224  2  speed                     2538    3874               179
    224  3  area                       975    3670               189
    224  3  speed                     3450    4489               187

Conclusion

- use redundant representations of numbers
- random recoding
- hardware implementation with low overhead

[Figure: ECC processor block diagram, same as on the "ECC Processor" slide]

Future prospects:

- integration in the ECC processor
- physical robustness evaluation

References

[1] Christophe Doche and Laurent Imbert. Extended double-base number system with applications to elliptic curve cryptography. In INDOCRYPT, pages 335–348. Springer, 2006.

[2] Nevine Ebeid and M. Anwar Hasan. On binary signed digit representations of integers. Des. Codes Cryptography, 42:43–65, January 2007.

[3] D. Hankerson, S. Vanstone, and A. Menezes. Guide to Elliptic Curve Cryptography. Springer-Verlag, 2003.

[4] S. Mangard, E. Oswald, and T. Popp. Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer, December 2007.