New minimal weight representations for left-to-right window methods

Abstract. For an integer w ≥ 2, a radix 2 representation is called a width-w nonadjacent form (w-NAF, for short) if each nonzero digit is an odd integer with absolute value less than 2 w−1, and of any w consecutive digits, at most one is nonzero. In elliptic curve cryptography, the w-NAF window method is used to efficiently compute nP where n is an integer and P is an elliptic curve point. We introduce a new family of radix 2 representations which use the same digits as the w-NAF but have the advantage that they result in a window method which uses less memory. This memory savings results from the fact that these new representations can be deduced using a very simple left-to-right algorithm. Further, we show that like the w-NAF, these new representations have a minimal number of nonzero digits. 1 Window Methods An operation fundamental to elliptic curve cryptography is scalar multiplication; that is, computing nP for an integer, n, and an elliptic curve point, P. A number of different algorithms have been proposed to perform this operation efficiently (see Ch. 3 of [4] for a recent survey). A variety of these algorithms, known as window methods, use the approach described in Algorithm 1.1. For example, suppose D = {0, 1, 3, 5, 7}. Using this digit set, Algorithm 1.1 first computes and stores P, 3P, 5P and 7P. After a D-radix 2 representation of n is computed its digits are read from left to right by the “for ” loop and nP is computed using doubling and addition operations (and no subtractions). One way to compute a D-radix 2 representation of n is to slide a 3-digit window from right to left across the {0, 1}-radix 2 representation of n (see Section 4). Using negative digits takes advantage of the fact that subtracting an elliptic curve point can be done just as efficiently as adding it. Suppose now that D

Fast multi-computations with integer similarity strategy

Abstract. Multi-computations in finite groups, such as multiexponentiations and multi-scalar multiplications, are very important in ElGamallike public key cryptosystems. Algorithms to improve multi-computations can be classified into two main categories: precomputing methods and recoding methods. The first one uses a table to store the precomputed values, and the second one finds a better binary signed-digit (BSD) representation. In this article, we propose a new integer similarity strategy for multi-computations. The proposed strategy can aid with precomputing methods or recoding methods to further improve the performance of multi-computations. Based on the integer similarity strategy, we propose two efficient algorithms to improve the performance for BSD sparse forms. The performance factor can be improved from 1.556 to 1.444 and to 1.407, respectively

Practical Electromagnetic Template Attack on HMAC

The original publication is available at www.springerlink.comInternational audienceIn this paper, we show that HMAC can be attacked using a very efficient side channel attack which reveals the Hamming distance of some registers. After a profiling phase which requires access to a similar device that can be configured by the adversary, the attack recovers the secret key on one recorded execution of HMAC-SHA-1 for example, on an embedded device. We perform experimentations using a NIOS processor executed on a Field Programmable Gate Array (FPGA) to confirm the leakage model. Besides the high efficiency of this attack, $2^32\cdot 3^k$ where $k$ is the number of 32-bit words of the key, that we tested with experimentations, our results also shed some light on the on the requirements in term of side channel attack for the future SHA-3 function. Finally, we show that our attack can also be used to break the confidentiality of network protocols usually implemented on embedded devices. We have performed experiments using a NIOS processor executed on a Field Programmable Gate Array (FPGA) to confirm the leakage model. We hope that our results shed some light on the requirements in term of side channel attack for the future SHA-3 function

MoTE-ECC: Energy-Scalable Elliptic Curve Cryptography for Wireless Sensor Networks

Wireless Sensor Networks (WSNs) are susceptible to a wide range of malicious attacks, which has stimulated a body of research on "light-weight" security protocols and cryptographic primitives that are suitable for resource-restricted sensor nodes. In this paper we introduce MoTE-ECC, a highly optimized yet scalable ECC library for Memsic's MICAz motes and other sensor nodes equipped with an 8-bit AVR processor. MoTE-ECC supports scalar multiplication on Montgomery and twisted Edwards curves over Optimal Prime Fields (OPFs) of variable size, e.g. 160, 192, 224, and 256 bits, which allows for various trade-offs between security and execution time (resp. energy consumption). OPFs are a special family of "low-weight" prime fields that, in contrast to the NIST-specified fields, facilitate a parameterized implementation of the modular arithmetic so that one and the same software function can be used for operands of different length. To demonstrate the performance of MoTE-ECC, we take (ephemeral) ECDH key exchange between two nodes as example, which requires each node to execute two scalar multiplications. The first scalar multiplication is performed on a fixed base point (to generate a key pair), whereas the second scalar multiplication gets an arbitrary point as input. Our implementation uses a fixed-base comb method on a twisted Edwards curve for the former and a simple ladder approach on a birationally-equivalent Montgomery curve for the latter. Both scalar multiplications require about 9*10^6 clock cycles in total and occupy only 380 bytes in RAM when the underlying OPF has a length of 160 bits. We also describe our efforts to harden MoTE-ECC against side-channel attacks (e.g. simple power analysis) and introduce a highly regular implementation of the comb method

Side channel analysis of some hash based MACs:A response to SHA-3 requirements

The forthcoming NIST's Advanced Hash Standard (AHS) competition to select SHA-3 hash function requires that each candidate hash function submission must have at least one construction to support FIPS 198 HMAC application. As part of its evaluation, NIST is aiming to select either a candidate hash function which is more resistant to known side channel attacks (SCA) when plugged into HMAC, or that has an alternative MAC mode which is more resistant to known SCA than the other submitted alternatives. In response to this, we perform differential power analysis (DPA) on the possible smart card implementations of some of the recently proposed MAC alternatives to NMAC (a fully analyzed variant of HMAC) and HMAC algorithms and NMAC/HMAC versions of some recently proposed hash and compression function modes. We show that the recently proposed BNMAC and KMDP MAC schemes are even weaker than NMAC/HMAC against the DPA attacks, whereas multi-lane NMAC, EMD MAC and the keyed wide-pipe hash have similar security to NMAC against the DPA attacks. Our DPA attacks do not work on the NMAC setting of MDC-2, Grindahl and MAME compression functions. This talk outlines our results

Drive-by Key-Extraction Cache Attacks from Portable Code

We show how malicious web content can extract cryptographic secret keys from the user\u27s computer. The attack uses portable scripting languages supported by modern browsers to induce contention for CPU cache resources, and thereby gleans information about the memory accesses of other programs running on the user\u27s computer. We show how this side-channel attack can be realized in both WebAssembly and PNaCl; how to attain very fine-grained measurements; and how to use these to extract ElGamal, ECDH and RSA decryption keys from various cryptographic libraries. The attack does not rely on bugs in the browser\u27s nominal sandboxing mechanisms, or on fooling users. It applies even to locked-down platforms with strong confinement mechanisms and browser-only functionality, such as Chromebook devices. Moreover, on browser-based platforms the attacked software too may be written in portable JavaScript; and we show that in this case even implementations of supposedly-secure constant-time algorithms, such as Curve25519\u27s, are vulnerable to our attack