Random Digit Representation of Integers

Modular exponentiation is core to today\u27s main stream public key cryptographic systems. In this article, we generalize the classical fractional $w$NAF method for modular exponentiation -- the classical method uses a digit set of the form $\{1,3,\dots,m\}$ which is extended here to any set of odd integers of the form $\{1,d_2,\dots, d_n\}$. We give a formula for the average density of non-zero terms in this new representation and discuss its asymptotic behavior when those digits are randomly chosen from a given set. We also propose a specific method for the precomputation phase of the exponentiation algorithm

Key Randomization Countermeasures to Power Analysis Attacks on Elliptic Curve Cryptosystems

It is essential to secure the implementation of cryptosystems in embedded devices agains side-channel attacks. Namely, in order to resist differential (DPA) attacks, randomization techniques should be employed to decorrelate the data processed by the device from secret key parts resulting in the value of this data. Among the countermeasures that appeared in the literature were those that resulted in a random representation of the key known as the binary signed digit representation (BSD). We have discovered some interesting properties related to the number of possible BSD representations for an integer and we have proposed a different randomization algorithm. We have also carried our study to the $\tau$-adic representation of integers which is employed in elliptic curve cryptosystems (ECCs) using Koblitz curves. We have then dealt with another randomization countermeasure which is based on randomly splitting the key. We have investigated the secure employment of this countermeasure in the context of ECCs

Fault attacks on RSA and elliptic curve cryptosystems

This thesis answered how a fault attack targeting software used to program EEPROM can threaten hardware devices, for instance IoT devices. The successful fault attacks proposed in this thesis will certainly warn designers of hardware devices of the security risks their devices may face on the programming leve

Side-Channel Analysis: Countermeasures and Application to Embedded Systems Debugging

Side-Channel Analysis plays an important role in cryptology, as it represents an important class of attacks against cryptographic implementations, especially in the context of embedded systems such as hand-held mobile devices, smart cards, RFID tags, etc. These types of attacks bypass any intrinsic mathematical security of the cryptographic algorithm or protocol by exploiting observable side-effects of the execution of the cryptographic operation that may exhibit some relationship with the internal (secret) parameters in the device. Two of the main types of side-channel attacks are timing attacks or timing analysis, where the relationship between the execution time and secret parameters is exploited; and power analysis, which exploits the relationship between power consumption and the operations being executed by a processor as well as the data that these operations work with. For power analysis, two main types have been proposed: simple power analysis (SPA) which relies on direct observation on a single measurement, and differential power analysis (DPA), which uses multiple measurements combined with statistical processing to extract information from the small variations in power consumption correlated to the data. In this thesis, we propose several countermeasures to these types of attacks, with the main themes being timing analysis and SPA. In addition to these themes, one of our contributions expands upon the ideas behind SPA to present a constructive use of these techniques in the context of embedded systems debugging. In our first contribution, we present a countermeasure against timing attacks where an optimized form of idle-wait is proposed with the goal of making the observable decryption time constant for most operations while maintaining the overhead to a minimum. We show that not only we reduce the overhead in terms of execution speed, but also the computational cost of the countermeasure, which represents a considerable advantage in the context of devices relying on battery power, where reduced computations translates into lower power consumption and thus increased battery life. This is indeed one of the important themes for all of the contributions related to countermeasures to side- channel attacks. Our second and third contributions focus on power analysis; specifically, SPA. We address the issue of straightforward implementations of binary exponentiation algorithms (or scalar multiplication, in the context of elliptic curve cryptography) making a cryptographic system vulnerable to SPA. Solutions previously proposed introduce a considerable performance penalty. We propose a new method, namely Square-and-Buffered- Multiplications (SABM), that implements an SPA-resistant binary exponentiation exhibiting optimal execution time at the cost of a small amount of storage --- O(\sqrt(\ell)), where \ell is the bit length of the exponent. The technique is optimal in the sense that it adds SPA-resistance to an underlying binary exponentiation algorithm while introducing zero computational overhead. We then present several new SPA-resistant algorithms that result from a novel way of combining the SABM method with an alternative binary exponentiation algorithm where the exponent is split in two halves for simultaneous processing, showing that by combining the two techniques, we can make use of signed-digit representations of the exponent to further improve performance while maintaining SPA-resistance. We also discuss the possibility of our method being implemented in a way that a certain level of resistance against DPA may be obtained. In a related contribution, we extend these ideas used in SPA and propose a technique to non-intrusively monitor a device and trace program execution, with the intended application of assisting in the difficult task of debugging embedded systems at deployment or production stage, when standard debugging tools or auxiliary components to facilitate debugging are no longer enabled in the device. One of the important highlights of this contribution is the fact that the system works on a standard PC, capturing the power traces through the recording input of the sound card

Randomized Mixed-Radix Scalar Multiplication

A covering system of congruences can be defined as a set of congruence relations of the form: $\{r_1 \pmod{m_1}, r_2 \pmod{m_2}, \dots, r_t \pmod{m_t}\}$ for $m_1, \dots, m_t \in \mathbb{N}$ satisfying the property that for every integer $k$ in $\mathbb{Z}$, there exists at least an index $i \in \{1, \dots, t\}$ such that $k \equiv r_i \pmod{m_i}$. First, we show that most existing scalar multiplication algorithms can be formulated in terms of covering systems of congruences. Then, using a special form of covering systems called exact \mbox{$n$-covers}, we present a novel uniformly randomized scalar multiplication algorithm with built-in protections against various types of side-channel attacks. This algorithm can be an alternative to Coron\u27s scalar blinding technique for elliptic curves, in particular when the choice of a particular finite field tailored for speed compels to use a large random factor

Using Random Digit Representation for Elliptic Curve Scalar Multiplication

Elliptic Curve Cryptography (ECC) was introduced independently by Miller and Koblitz in 1986. Compared to the integer factorization based Rivest-Shamir-Adleman (RSA) cryptosystem, ECC provides shorter key length with the same security level. Therefore, it has advantages in terms of storage requirements, communication bandwidth and computation time. The core and the most time-consuming operation of ECC is scalar multiplication, where the scalar is an integer of several hundred bits long. Many algorithms and methodologies have been proposed to speed up the scalar multiplication operation. For example, non-adjacent form (NAF), window-based NAF (wNAF), double bases form, multi-base non-adjacent form and so on. The random digit representation (RDR) scheme can represent any scalar using a set that contains random odd digits including the digit 1. The RDR scheme is efficient in terms of the average number of non-zeros and it also provides resistance to power analysis attacks. In this thesis, we propose a variant of the RDR scheme. The proposed variant, referred to as implementation-friendly recoding algorithm (IFRA), is advantageous over RDR in hardware implementation for two reasons. First, IFRA uses simple operations such as scan, match, and shift. Second, it requires no long adder to update the scalar. In this thesis we also investigate the average density of non-zero digits of IFRA. It is shown that the average density of the variant is close to the average density of RDR. Moreover, a hardware implementation of the variant scheme is presented using pre-computed values stored in one dual-port memory. A performance comparison for different recoding schemes is presented by demonstrating the run-time efficiency of IFRA compared to other recoding schemes. Finally, the IFRA is applied to scalar multiplication on ECC and we compare its computation time against those based on NAF, wNAF, and RDR

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

Sécurité physique de la cryptographie sur courbes elliptiques

Elliptic Curve Cryptography (ECC) has gained much importance in smart cards because of its higher speed and lower memory needs compared with other asymmetric cryptosystems such as RSA. ECC is believed to be unbreakable in the black box model, where the cryptanalyst has access to inputs and outputs only. However, it is not enough if the cryptosystem is embedded on a device that is physically accessible to potential attackers. In addition to inputs and outputs, the attacker can study the physical behaviour of the device. This new kind of cryptanalysis is called Physical Cryptanalysis. This thesis focuses on physical cryptanalysis of ECC. The first part gives the background on ECC. From the lowest to the highest level, ECC involves a hierarchy of tools: Finite Field Arithmetic, Elliptic Curve Arithmetic, Elliptic Curve Scalar Multiplication and Cryptographie Protocol. The second part exhibits a state-of-the-art of the different physical attacks and countermeasures on ECC.For each attack, the context on which it can be applied is given while, for each countermeasure, we estimate the lime and memory cost. We propose new attacks and new countermeasures. We then give a clear synthesis of the attacks depending on the context. This is useful during the task of selecting the countermeasures. Finally, we give a clear synthesis of the efficiency of each countermeasure against the attacks.La Cryptographie sur les Courbes Elliptiques (abréviée ECC de l'anglais Elliptic Curve Cryptography) est devenue très importante dans les cartes à puces car elle présente de meilleures performances en temps et en mémoire comparée à d'autres cryptosystèmes asymétriques comme RSA. ECC est présumé incassable dans le modèle dit « Boite Noire », où le cryptanalyste a uniquement accès aux entrées et aux sorties. Cependant, ce n'est pas suffisant si le cryptosystème est embarqué dans un appareil qui est physiquement accessible à de potentiels attaquants. En plus des entrés et des sorties, l'attaquant peut étudier le comportement physique de l'appareil. Ce nouveau type de cryptanalyse est appelé cryptanalyse physique. Cette thèse porte sur les attaques physiques sur ECC. La première partie fournit les pré-requis sur ECC. Du niveau le plus bas au plus élevé, ECC nécessite les outils suivants : l'arithmétique sur les corps finis, l'arithmétique sur courbes elliptiques, la multiplication scalaire sur courbes elliptiques et enfin les protocoles cryptographiques. La deuxième partie expose un état de l'art des différentes attaques physiques et contremesures sur ECC. Pour chaque attaque, nous donnons le contexte dans lequel elle est applicable. Pour chaque contremesure, nous estimons son coût en temps et en mémoire. Nous proposons de nouvelles attaques et de nouvelles contremesures. Ensuite, nous donnons une synthèse claire des attaques suivant le contexte. Cette synthèse est utile pendant la tâche du choix des contremesures. Enfin, une synthèse claire de l'efficacité de chaque contremesure sur les attaques est donnée

FPGA IMPLEMENTATION FOR ELLIPTIC CURVE CRYPTOGRAPHY OVER BINARY EXTENSION FIELD

Elliptic curve cryptography plays a crucial role in network and communication security. However, implementation of elliptic curve cryptography, especially the implementation of scalar multiplication on an elliptic curve, faces multiple challenges. One of the main challenges is side channel attacks (SCAs). SCAs pose a real threat to the conventional implementations of scalar multiplication such as binary methods (also called doubling-and-add methods). Several scalar multiplication algorithms with countermeasures against side channel attacks have been proposed. Among them, Montgomery Powering Ladder (MPL) has been shown an effective countermeasure against simple power analysis. However, MPL is still vulnerable to certain more sophisticated side channel attacks. A recently proposed modified MPL utilizes a combination of sequence masking (SM), exponent splitting (ES) and point randomization (PR). And it has shown to be one of the best countermeasure algorithms that are immune to many sophisticated side channel attacks [11]. In this thesis, an efficient hardware architecture for this algorithm is proposed and its FPGA implementation is also presented. To our best knowledge, this is the first time that this modified MPL with SM, ES, and PR has been implemented in hardware