Efficient Doubling on Genus Two Curves over Binary Fields

In most algorithms involving elliptic and hyperelliptic curves, the costliest part consists in computing multiples of ideal classes. This paper investigates how to compute faster doubling over fields of characteristic two. We derive explicit doubling formulae making strong use of the defining equation of the curve. We analyze how many field operations are needed depending on the curve making clear how much generality one loses by the respective choices. Note, that none of the proposed types is known to be weak – one only could be suspicious because of the more special types. Our results allow to choose curves from a large enough variety which have extremely fast doubling needing only half the time of an addition. Combined with a sliding window method this leads to fast computation of scalar multiples. We also speed up the general case

Parallelized Side-Channel Attack Resisted Scalar Multiplication Using q-Based Addition-Subtraction k-chains

This paper presents parallel scalar multiplication techniques for elliptic curve cryptography using q-based addition-subtraction k-chain which can also effectively resist side-channel attack. Many techniques have been discussed to improve scalar multiplication, for example, double-and-add, NAF, w-NAF, addition chain and addition-subtraction chain. However, these techniques cannot resist side-channel attack. Montgomery ladder, random w-NAF and uniform operation techniques are also widely used to prevent side-channel attack, but their operations are not efficient enough comparing to those with no side-channel attack prevention. We have found a new way to use k-chain for this purpose. In this paper, we extend the definition of k-chain to q-based addition-subtraction k-chain and modify an algorithm proposed by Jarvinen et al. to generate the q-based addition-subtraction k-chain. We show the upper and lower bounds of its length which lead to the computation time using the new chain techniques. The chain techniques are used to reduce the cost of scalar multiplication in parallel ways. Comparing to w-NAF, which is faster than double-and-add and Montgomery ladder technique, the maximum computation time of our q-based addition-subtraction k-chain techniques can have up to 25.92% less addition costs using only 3 parallel computing cores. We also discuss on the optimization for multiple operand point addition using hybrid-double multiplier which is proposed by Azarderakhsh and Reyhani-Masoleh. The proposed parallel chain techniques can also tolerate side-channel attack efficiently

Efficient Comb Elliptic Curve Multiplication Methods Resistant to Power Analysis

Elliptic Curve Cryptography (ECC) has found wide applications in smart cards and embedded systems. Point multiplication plays a critical role in ECC. Many efficient point multiplication methods have been proposed. One of them is the comb method which is much more efficient than other methods if precomputation points are calculated in advance or elsewhere. Unfortunately, Many efficient point multiplication methods including the comb method are vulnerable to power-analysis attacks. Various algorithms to make elliptic curve point multiplication secure to power-analysis attacks have been proposed recently, such as the double-and-add-always method, Möller\u27s window method, Okeya et al.\u27s odd-only window method, and Hedabou et al.\u27s comb method. In this paper, we first present a novel comb recoding algorithm which converts an integer to a sequence of signed, odd-only comb bit-columns. Using this recoding algorithm, we then present several comb methods, both Simple Power Analysis (SPA)-nonresistant and SPA-resistant, for point multiplication. These comb methods are more efficient than the original SPA-nonresistant comb method and Hedabou et al.\u27s SPA-resistant comb method. Our comb methods inherit the advantage of a comb method, running much faster than Möller\u27s window method and Okeya et al.\u27s odd-only window method, as well as other window methods such as the efficient signed $m$-ary window method, if only the evaluation phase is taken into account. Combined with randomization projective coordinates or other randomization techniques and certain precautions in selecting elliptic curves and parameters, our SPA-resistant comb methods are resistant to all power-analysis attacks

Differential Power Analysis Resistant Hardware Implementation Of The Rsa Cryptosystem

Tez (Yüksek Lisans) -- İstanbul Teknik Üniversitesi, Fen Bilimleri Enstitüsü, 2007Thesis (M.Sc.) -- İstanbul Technical University, Institute of Science and Technology, 2007Bu çalışmada, RSA kripto sistemi donanımsal olarak gerçeklenmiş ve daha sonra bir Yan-Kanal Analizi çeşidi olan Diferansiyel Güç Analizi (DGA) ile yapılacak saldırılara karşı dayanıklı hale getirilmiştir. RSA kripto sisteminde şifreleme ve şifre çözmede modüler üs alma işlemi yapılır: M^E(mod N). Bu çalışmadaki RSA kripto sisteminde, Xilinx Sahada Programlanabilir Kapı Dizisi (FPGA) donanım olarak kullanılmıştır. Modüler üs alma işlemi, art arda çarpmalar ile yapılır. Bu gerçeklemede kullanılan Montgomery modüler çarpıcı, Elde Saklamalı Toplayıcılar ile gerçeklenmiştir. Saldırgan, Güç Analizi yaparak kripto sistemin gizli anahtarını ele geçirebilir. Bu tezde ilk gerçekleştirilen RSA devresi DGA’ya karşı korumasızdır. XCV1000E üzerinde gerçeklendiğinde, 81,06 MHz maksimum saat frekansı, 104,85 Kb/s işlem hacmi ve 4,88 ms toplam üs alma süresine sahip olduğu ve 9037 dilimlik alan kapladığı görülmüştür. Itoh ve diğ. tarafından önerilen Rastgele Tablolu Pencere Yöntemi (RT-WM) algoritması ile RSA şifreleme algoritmasına getirilen değişiklik, algoritmik karşı durma yöntemlerinden biridir ve donanım üzerinde gerçeklenmemiştir. Yapılan ikinci gerçeklemede, ilk gerçeklemenin üzerine bu algoritmanın getirdiği değişiklikler uygulanmıştır. RT-WM’nin donanım gerçeklemesi, 512-bit anahtar uzunluğu, 2-bit pencere genişliği ve 3-bitlik bir rastgele sayı kullanarak, XCV1000E üzerinde yapıldığında, 66,66 MHz maksimum saat frekansı, 84,42 Kb/s işlem hacmi ve 6,06 ms toplam üs alma süresine sahip olduğu ve XCV1000E içinde hazır bulunan blok SelectRAM yapısının kullanılmasıyla birlikte 10986 dilimlik alan kapladığı görülmüştür. Korumalı gerçekleme, korumasız ile karşılaştırıldığında, toplam sürenin %24,2 arttığı, işlem hacminin de %19,5 azaldığı görülmektedir.In this study, RSA cryptosystem was implemented on hardware and afterwards it was modified to be resistant against Differential Power Analysis (DPA) attacks, which are a type of Side-Channel Analysis Attacks. The encryption and decryption in an RSA cryptosystem is modular exponentiation. In this study, Xilinx Field Programmable Gate Array (FPGA) devices have been used as hardware. Modular exponentiation is realized with sequential multiplications. The Montgomery modular multiplier in this implementation has been realized with Carry-Save Adders. By doing a Power Analysis, the attacker can extract the secret key of the cryptosystem. In this thesis, the primarily implemented RSA circuit is unprotected against DPA attacks. Implemented on XCV1000E, it has 81,06 MHz maximum clock frequency, 104,85 Kb/s of throughput, and 4,88 ms of total exponentiation time, occupying an area of 9037 slices. The modification to the RSA encryption algorithm that comes with the Randomized Table Window Method (RT-WM), proposed by Itoh et al., is one of the algorithmic countermeasures against DPA and has not been implemented on hardware. Realized using 512-bit key length, 2-bit window length, and, a 3-bit random number, on XCV1000E, the RT-WM hardware implementation resulted in 66,66 MHz maximum clock frequency, 84,42 Kb/s of throughput, and 6,06 ms of total exponentiation time and occupied an area of 10986 slices with the use of the built-in block SelectRAM structure inside XCV1000E. When comparing the protected implementation with the unprotected, it can be seen that the total time has increased by 24,2% while the throughput has decreased 19,5%.Yüksek LisansM.Sc