63 research outputs found

    Efficient Implementation of Elliptic Curve Cryptography on FPGAs

    This work presents the design strategies of an FPGA-based elliptic curve co-processor. Elliptic curve cryptography is an important topic in cryptography due to its relatively short key length and higher efficiency as compared to other well-known public key crypto-systems like RSA. The most important contributions of this work are:
    - Analyzing how different representations of finite fields and points on elliptic curves affect the performance of an elliptic curve co-processor and implementing a high performance co-processor.
    - Proposing a novel dynamic programming approach to find the optimum combination of different recursive polynomial multiplication methods. Here optimum means the method which has the smallest number of bit operations.
    - Designing a new normal-basis multiplier which is based on polynomial multipliers. The most important part of this multiplier is a circuit of size $O(n \log n)$ for changing the representation between polynomial and normal basis.

    Multiplication in Finite Fields and Elliptic Curves

    Public-key cryptography makes it possible to exchange keys remotely, produce electronic signatures, authenticate remotely, and so on. In this HDR (habilitation) thesis we present several contributions concerning the secure and efficient implementation of cryptographic protocols based on elliptic curves. The basic operation performed in these protocols is the scalar multiplication of a point on the curve. Each scalar multiplication requires several thousand operations in a finite field. In the first part of the manuscript we focus on multiplication in finite fields, since it is the most costly and most frequently used operation. We first present contributions on parallel multipliers in binary fields. A first result concerns the subquadratic approach in a type 2 optimal normal basis. More precisely, we improve a multiplier based on a Toeplitz matrix-vector product by using a recombination of blocks that removes some redundant computations. We also present a multiplier for binary fields based on an extension of an optimization of Karatsuba polynomial multiplication. We then present results concerning multiplication in a prime field. In particular, we present a Montgomery-type approach for multiplication in a basis adapted to modular arithmetic. This approach targets multiplication modulo a random prime. We then present a method for multiplication in fields used in pairing-based cryptography: small-degree extensions of a random prime field. This method uses an adapted basis generated by a root of unity, which facilitates FFT-based polynomial multiplication.
    In the last part of this HDR thesis we turn to results concerning scalar multiplication on elliptic curves. We present a parallelization of the Montgomery binary ladder in the case of E(GF(2^n)). We also survey some contributions on formulas for division by 3 in E(GF(3^n)) and a (third,triple)-and-add type parallelization. In the final chapter we develop some directions for future research. We first discuss possible extensions of the work done on binary fields. We also present research directions related to the randomization of arithmetic, which provides protection against hardware attacks.

    Normal and optimal normal bases in finite fields

    Arithmetic operations in finite fields have many applications in cryptography, coding theory, and computer algebra. The realization of these operations can often be made more efficient by the normal basis representation of the field elements. This thesis is aimed at giving a survey of recent results concerning normal bases and efficient ways of multiplication, inversion, and exponentiation when the normal basis representation is used

    AIM: Symmetric Primitive for Shorter Signatures with Stronger Security (Full Version)

    Post-quantum signature schemes based on the MPC-in-the-Head (MPCitH) paradigm are recently attracting significant attention as their security solely depends on the one-wayness of the underlying primitive, providing diversity for the hardness assumption in post-quantum cryptography. Recent MPCitH-friendly ciphers have been designed using simple algebraic S-boxes operating on a large field in order to improve the performance of the resulting signature schemes. Due to their simple algebraic structures, their security against algebraic attacks should be comprehensively studied. In this paper, we refine algebraic cryptanalysis of power mapping based S-boxes over binary extension fields, and cryptographic primitives based on such S-boxes. In particular, for the Gröbner basis attack over $\mathbb{F}_2$, we experimentally show that the exact number of Boolean quadratic equations obtained from the underlying S-boxes is critical to correctly estimate the theoretic complexity based on the degree of regularity. Similarly, it turns out that the XL attack might be faster when all possible quadratic equations are found and used from the S-boxes. This refined cryptanalysis leads to more precise algebraic analysis of cryptographic primitives based on algebraic S-boxes. Considering the refined algebraic cryptanalysis, we propose a new one-way function, dubbed $\mathsf{AIM}$, as an MPCitH-friendly symmetric primitive with high resistance to algebraic attacks. The security of $\mathsf{AIM}$ is comprehensively analyzed with respect to algebraic, statistical, quantum, and generic attacks. $\mathsf{AIM}$ is combined with the BN++ proof system, yielding a new signature scheme, dubbed $\mathsf{AIMer}$. Our implementation shows that $\mathsf{AIMer}$ outperforms existing signature schemes based on symmetric primitives in terms of signature size and signing time.

    A microcoded elliptic curve cryptographic processor.

    Leung Ka Ho. Thesis (M.Phil.)--Chinese University of Hong Kong, 2001. Includes bibliographical references (leaves [85]-90). Abstracts in English and Chinese.

    Abstract
    Acknowledgments
    List of Figures
    List of Tables
    Chapter 1 --- Introduction
        1.1 Motivation
        1.2 Aims
        1.3 Contributions
        1.4 Thesis Outline
    Chapter 2 --- Cryptography
        2.1 Introduction
        2.2 Foundations
        2.3 Secret Key Cryptosystems
        2.4 Public Key Cryptosystems
            2.4.1 One-way Function
            2.4.2 Certification Authority
            2.4.3 Discrete Logarithm Problem
            2.4.4 RSA vs. ECC
            2.4.5 Key Exchange Protocol
            2.4.6 Digital Signature
        2.5 Secret Key vs. Public Key Cryptography
        2.6 Summary
    Chapter 3 --- Mathematical Background
        3.1 Introduction
        3.2 Groups and Fields
        3.3 Finite Fields
        3.4 Modular Arithmetic
        3.5 Polynomial Basis
        3.6 Optimal Normal Basis
            3.6.1 Addition
            3.6.2 Squaring
            3.6.3 Multiplication
            3.6.4 Inversion
        3.7 Summary
    Chapter 4 --- Literature Review
        4.1 Introduction
        4.2 Hardware Elliptic Curve Implementation
            4.2.1 Field Processors
            4.2.2 Curve Processors
        4.3 Software Elliptic Curve Implementation
        4.4 Summary
    Chapter 5 --- Introduction to Elliptic Curves
        5.1 Introduction
        5.2 Historical Background
        5.3 Elliptic Curves over R2
            5.3.1 Curve Addition and Doubling
        5.4 Elliptic Curves over Finite Fields
            5.4.1 Elliptic Curves over Fp with p > 3
            5.4.2 Elliptic Curves over F2n
            5.4.3 Operations of Elliptic Curves over F2n
            5.4.4 Curve Multiplication
        5.5 Elliptic Curve Discrete Logarithm Problem
        5.6 Public Key Cryptography
        5.7 Elliptic Curve Diffie-Hellman Key Exchange
        5.8 Summary
    Chapter 6 --- Design Methodology
        6.1 Introduction
        6.2 CAD Tools
        6.3 Hardware Platform
            6.3.1 FPGA
            6.3.2 Reconfigurable Hardware Computing
        6.4 Elliptic Curve Processor Architecture
            6.4.1 Arithmetic Logic Unit (ALU)
            6.4.2 Register File
            6.4.3 Microcode
        6.5 Parameterized Module Generator
        6.6 Microcode Toolkit
        6.7 Initialization by Bitstream Reconfiguration
        6.8 Summary
    Chapter 7 --- Results
        7.1 Introduction
        7.2 Elliptic Curve Processor with Serial Multiplier (p = 1)
        7.3 Projective verses Affine Coordinates
        7.4 Elliptic Curve Processor with Parallel Multiplier (p > 1)
        7.5 Summary
    Chapter 8 --- Conclusion
        8.1 Recommendations for Future Research
    Bibliography
    Chapter A --- Elliptic Curves in Characteristics 2 and 3
        A.1 Introduction
        A.2 Derivations
        A.3 Elliptic Curves over Finite Fields of Characteristic ≠ 2,3
        A.4 Elliptic Curves over Finite Fields of Characteristic = 2
    Chapter B --- Examples of Curve Multiplication
        B.1 Introduction
        B.2 Numerical Results

    Effective and Efficient Masking with Low Noise Using Small-Mersenne-Prime Ciphers

    Embedded devices used in security applications are natural targets for physical attacks. Thus, enhancing their side-channel resistance is an important research challenge. A standard solution for this purpose is the use of Boolean masking schemes, as they are well adapted to current block ciphers with efficient bitslice representations. Boolean masking guarantees that the security of an implementation grows exponentially in the number of shares under the assumption that leakages are sufficiently noisy (and independent). Unfortunately, it has been shown that this noise assumption is hardly met on low-end devices. In this paper, we therefore investigate techniques to mask cryptographic algorithms in such a way that their resistance can survive an almost complete lack of noise. Building on seed theoretical results of Dziembowski et al., we put forward that arithmetic encodings in prime fields can reach this goal. We first exhibit the gains that such encodings lead to thanks to a simulated information theoretic analysis of their leakage (with up to six shares). We then provide figures showing that on platforms where optimized arithmetic adders and multipliers are readily available (i.e., most MCUs and FPGAs), performing masked operations in small to medium Mersenne-prime fields as opposed to binary extension fields will not lead to notable implementation overheads. We compile these observations into a new AES-like block cipher, called AES-prime, which is well-suited to illustrate the remarkable advantages of masking in prime fields. We also confirm the practical relevance of our findings by evaluating concrete software (ARM Cortex-M3) and hardware (Xilinx Spartan-6) implementations. Our experimental results show that security gains over Boolean masking (and, more generally, binary encodings) can reach orders of magnitude despite the same amount of information being leaked per share

    Design of Stream Ciphers and Cryptographic Properties of Nonlinear Functions

    Block and stream ciphers are widely used to protect the privacy of digital information. A variety of attacks against block and stream ciphers exist; the most recent being the algebraic attacks. These attacks reduce the cipher to a simple algebraic system which can be solved by known algebraic techniques. These attacks have been very successful against a variety of stream ciphers and major efforts (for example eSTREAM project) are underway to design and analyze new stream ciphers. These attacks have also raised some concerns about the security of popular block ciphers. In this thesis, apart from designing new stream ciphers, we focus on analyzing popular nonlinear transformations (Boolean functions and S-boxes) used in block and stream ciphers for various cryptographic properties, in particular their resistance against algebraic attacks. The main contribution of this work is the design of two new stream ciphers and a thorough analysis of the algebraic immunity of Boolean functions and S-boxes based on power mappings. First we present WG, a family of new stream ciphers designed to obtain a keystream with guaranteed randomness properties. We show how to obtain a mathematical description of a WG stream cipher for the desired randomness properties and security level, and then how to translate this description into a practical hardware design. Next we describe the design of a new RC4-like stream cipher suitable for high speed software applications. The design is compared with original RC4 stream cipher for both security and speed. The second part of this thesis closely examines the algebraic immunity of Boolean functions and S-boxes based on power mappings. We derive meaningful upper bounds on the algebraic immunity of cryptographically significant Boolean power functions and show that for large input sizes these functions have very low algebraic immunity. 
To analyze the algebraic immunity of S-boxes based on power mappings, we focus on calculating the bi-affine and quadratic equations they satisfy. We present two very efficient algorithms for this purpose and give new S-box constructions that guarantee zero bi-affine and quadratic equations. We also examine these S-boxes for their resistance against linear and differential attacks and provide a list of S-boxes based on power mappings that offer high resistance against linear, differential, and algebraic attacks. Finally we investigate the algebraic structure of S-boxes used in AES and DES by deriving their equivalent algebraic descriptions