    Efficient Arithmetic for Embedded Cryptography and Cryptanalysis (Efficiënte aritmetica voor ingebedde cryptografie en cryptanalyse)

    Public Key Cryptography (PKC) is a critical component of today's information infrastructure. The use of PKC covers a wide spectrum of devices ranging from web servers to mobile handsets, from contact smart cards to passive RFID tags. Therefore, PKC implementations tailored to different environments need specific optimizations to meet the requirements for performance, power and security against physical attacks.

    This thesis focuses on arithmetic and architecture design for PKC. In the first part, we analyze the computation structures of RSA, Elliptic Curve Cryptography (ECC), Hyperelliptic Curve Cryptography (HECC), torus-based cryptography and pairings, and explore various representations, algorithms and architectures for different design targets. In particular, we propose a multi-core Montgomery multiplier, a low-complexity modular multiplication algorithm for pairings, and two novel architectures for low-area implementations of HECC.

    In the second part, we use efficient arithmetic as the basis for hardware-based cryptanalysis. The security margin of a cryptosystem erodes continuously due to Moore's law. We study the power of FPGA clusters to break ECC using the parallelized Pollard rho method and implement this attack on an FPGA, where we try to maximize the number of Pollard rho iterations per second. We also give an estimation of the effort to break ECC2-131 and ECC2k-160 with state-of-the-art FPGAs.

    In the third and final part, we provide a systematic overview of implementation attacks and countermeasures for ECC. By monitoring the timing, power consumption or electromagnetic emission of the device, or by inserting faults, adversaries can gain information about internal data or operations and extract the secret key without mathematically breaking the primitives.
    We provide implementers of ECC with ready-to-use recommendations of which combinations of countermeasures result in a secure implementation.

    Contents

    Abstract                                                          iii
    Contents                                                           xi
    List of Figures                                                  xvii
    List of Tables                                                    xix

    1 Introduction                                                      1
        1.1 Summary of the Thesis                                       3

    2 Public Key Cryptography: Mathematical Background                  7
        2.1 Introduction                                                7
        2.2 Public Key Cryptography                                     9
            2.2.1 RSA                                                   9
            2.2.2 Torus-based Cryptosystem                             10
            2.2.3 Elliptic Curve Cryptography                          11
            2.2.4 Hyperelliptic Curve Cryptography                     13
            2.2.5 Pairing-based Cryptography                           14
            2.2.6 PKC Break-down                                       16
        2.3 Fp Arithmetic                                              17
            2.3.1 Representations                                      18
            2.3.2 Multiplication                                       19
            2.3.3 Inversion                                            21
        2.4 F2m Arithmetic                                             21
            2.4.1 Representations                                      22
            2.4.2 Multiplication                                       22
            2.4.3 Squaring                                             23
            2.4.4 Inversion                                            23
        2.5 Conclusion                                                 23

    3 Montgomery Multiplication on a Multi-core Platform               25
        3.1 Motivation                                                 26
        3.2 MMM on a Multi-core Platform                               26
            3.2.1 Target Platform                                      27
            3.2.2 Dependency Analysis and Task Partitioning            30
            3.2.3 Method-I vs. Method-II                               33
            3.2.4 Scalability Analysis                                 33
        3.3 Case Study: ECC, RSA and CEILIDH                           35
            3.3.1 Software/Hardware Interface                          36
            3.3.2 Control Hierarchy                                    37
            3.3.3 Results                                              37
        3.4 Conclusion                                                 39

    4 Hybrid Modular Multiplication (HMM) and Its Application to Pairings  40
        4.1 Motivation                                                 41
        4.2 Hybrid Modular Multiplication                              42
            4.2.1 Parallel Hybrid Modular Multiplication               43
            4.2.2 Digit-serial Version                                 45
            4.2.3 Faster Coefficient Reduction                         47
            4.2.4 Complexity                                           48
        4.3 High Performance Pairing Processor Using HMM               50
            4.3.1 Pairing-friendly Curves                              51
            4.3.2 Pairing Computation                                  52
            4.3.3 Parameter Selection for Pairing-friendly Curves      53
            4.3.4 Application to BN Curves                             55
            4.3.5 HMM Multiplier                                       56
            4.3.6 Implementation Results                               58
        4.4 Pairing Processor Using RNS                                61
        4.5 Conclusion                                                 63

    5 HECC over F2m Using Unified Multiplier/Inverters                 65
        5.1 Motivation                                                 66
        5.2 Unified Multiplier and Inverter                            68
            5.2.1 Multiplication Algorithms                            68
            5.2.2 Inversion Algorithms                                 69
        5.3 High-throughput UMI and HECC Processor                     71
            5.3.1 Type-I UMI Architecture: High Throughput             71
            5.3.2 Type-I HECC Processor                                75
            5.3.3 Results and Comparison                               77
        5.4 Lightweight UMI and HECC Processor for RFID                79
            5.4.1 Type-II UMI Architecture: Low Footprint              79
            5.4.2 Type-II HECC Processor                               81
            5.4.3 Results and Comparison                               82
        5.5 Conclusion                                                 82

    6 Breaking ECC with Configurable Hardware                          85
        6.1 Motivation                                                 86
        6.2 The Certicom Challenge                                     87
            6.2.1 The Parallel Pollard Rho Attack                      88
            6.2.2 FPGA-based Attacks                                   89
        6.3 The Ev1l Project: Design Target                            90
            6.3.1 The Iteration Function                               90
        6.4 Arithmetic and Complexity Analysis                         91
            6.4.1 Multiplication                                       93
            6.4.2 Inversion                                            97
        6.5 Architecture Exploration                                   97
            6.5.1 Architecture I: Load-Store, Polynomial Basis         98
            6.5.2 Architecture II: Load-Store, Type-II Normal Basis    99
            6.5.3 Architecture III: Fully Expanded, Type-II Polynomial Basis  99
        6.6 Results and Comparison                                    101
            6.6.1 Total Effort Estimation                             102
            6.6.2 Comparison                                          102
        6.7 Effort Estimation for ECC2-131 and ECC2K-163              104
        6.8 Conclusion                                                106

    7 Conclusions                                                     107
        7.1 Conclusions                                               107
        7.2 Future Work                                               109

    A Secure ECC Implementation: A Survey on Attacks and Protections  111
        A.1 Introduction                                              112
        A.2 Typical Implementations                                   112
        A.3 Passive Attacks                                           113
            A.3.1 Simple Power Analysis                               114
            A.3.2 Template Attacks                                    114
            A.3.3 Differential Power Analysis                         115
            A.3.4 Comparative Side-Channel Analysis                   115
            A.3.5 Refined Power Analysis                              115
            A.3.6 Zero-value Point Attack                             115
            A.3.7 Carry-based Attack                                  116
            A.3.8 Address-bit DPA                                     116
        A.4 Active Attacks                                            116
            A.4.1 Safe-error Analysis                                 117
            A.4.2 Weak Curve Based Analysis                           117
            A.4.3 Differential Fault Analysis                         118
            A.4.4 Point-at-Infinity Attack                            120
            A.4.5 Summary of Attacks                                  120
        A.5 Countermeasures                                           121
            A.5.1 SPA Countermeasures                                 122
            A.5.2 DPA Countermeasures                                 124
            A.5.3 FA Countermeasures                                  127
        A.6 Discussions                                               128
            A.6.1 On the Magic of Randomness                          128
            A.6.2 Countermeasure Selection                            128
            A.6.3 Implementation Issues                               129

    Bibliography                                                      131
    Curriculum                                                        149
    List of publications                                              151

    nrpages: 153
    status: publishe