Practical Results of ECC Side Channel Countermeasures on an ARM Cortex M3 Processor

ABSTRACT
This paper presents implementation results of several side channel countermeasures for protecting the scalar multiplication of ECC (Elliptic Curve Cryptography) implemented on an ARM Cortex M3 processor, as used in security-sensitive wireless sensor nodes. Our implementation covers the curves P-256, brainpool256r1, and Ed25519. The investigated countermeasures are Double-And-Add Always, Montgomery Ladder, Scalar Randomization, Randomized Scalar Splitting, Coordinate Randomization, and Randomized Sliding Window. Practical side channel tests for SEMA (Simple Electromagnetic Analysis) and MESD (Multiple Exponent, Single Data) are included. Although more advanced side channel attacks have not yet been evaluated, our results show that an appropriate level of resistance against the most relevant attacks can be reached.
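The abstract names the countermeasures but does not show how they change the operation sequence that a SEMA attacker observes. The following Python is an added illustration and is not the paper's implementation (which is C code for an ARM Cortex M3): it runs affine scalar multiplication on NIST P-256 with an unprotected double-and-add loop, Double-And-Add Always, the Montgomery ladder, and scalar randomization (k' = k + r*n), and logs the group operations each loop issues so that the leak and its removal are visible. The 32-bit mask width, the fixed 289-bit loop length, and all function names are assumptions of this example, not choices taken from the paper.

```python
"""Added illustration (not the paper's code): affine scalar multiplication on
NIST P-256 with three of the countermeasures named in the abstract, plus an
operation log that stands in for an SPA/SEMA trace."""
import secrets

# NIST P-256 domain parameters (FIPS 186-4): y^2 = x^3 + A*x + B over GF(P).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (GX, GY)
INF = None  # point at infinity

RAND_BITS = 32                                # mask width r (assumed choice, see note)
SCALAR_BITS = N.bit_length() + RAND_BITS + 1  # fixed loop length; k + r*N always fits
OPS = []  # group operations issued by the loop; stands in for the EM trace


def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def _add_points(p1, p2):
    """Affine add/double. These branches are themselves SPA-visible, which is
    why real implementations use projective, exception-free formulas."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                                       # Q + (-Q)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P     # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P            # general addition
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def add(p1, p2):
    OPS.append("A")
    return _add_points(p1, p2)


def double(pt):
    OPS.append("D")
    return _add_points(pt, pt)


def naive_double_and_add(k, pt):
    """Unprotected left-to-right loop: an A follows a D exactly where the
    scalar bit is 1, so the D/A pattern spells out k."""
    r = INF
    for bit in bin(k)[2:]:
        r = double(r)
        if bit == "1":
            r = add(r, pt)
    return r


def double_and_add_always(k, pt, nbits=SCALAR_BITS):
    """Every iteration issues D then A; the unused result is discarded. The
    selection is a Python branch here; C code for the Cortex M3 must do it
    as a constant-time masked select."""
    r = INF
    for i in range(nbits - 1, -1, -1):
        r = double(r)
        t = add(r, pt)
        r = t if (k >> i) & 1 else r
    return r


def montgomery_ladder(k, pt, nbits=SCALAR_BITS):
    """Invariant r1 = r0 + pt; each iteration is one A and one D whatever the bit."""
    r0, r1 = INF, pt
    for i in range(nbits - 1, -1, -1):
        if (k >> i) & 1:
            r0 = add(r0, r1)
            r1 = double(r1)
        else:
            r1 = add(r0, r1)
            r0 = double(r0)
    return r0


def randomize_scalar(k):
    """Scalar randomization: k' = k + r*N yields the same point but a fresh bit
    pattern per run, so the same input is never processed with the same scalar twice."""
    r = secrets.randbits(RAND_BITS) | 1   # nonzero mask
    return k + r * N


def protected_scalar_mult(k, pt):
    return montgomery_ladder(randomize_scalar(k), pt)


def op_sequence(mult, k, pt=G):
    """Run mult(k, pt) and return the operation sequence it issued."""
    OPS.clear()
    mult(k, pt)
    return "".join(OPS)


if __name__ == "__main__":
    print(op_sequence(naive_double_and_add, 0b101), op_sequence(naive_double_and_add, 0b111))
    print(op_sequence(montgomery_ladder, 0b101) == op_sequence(montgomery_ladder, 0b111))
```

Two caveats that the log does not capture: the affine formulas branch on the point at infinity and on doubling versus addition, so this example models only the loop-level regularity that Double-And-Add Always and the ladder provide, and the dummy addition in Double-And-Add Always is a known target for safe-error fault attacks, which is one reason the ladder is usually preferred. RAND_BITS = 32 is an assumed value for illustration; the mask width that is adequate depends on the curve order and the attack model, and the paper does not state one here.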