Mathieu Ciet
Université catholique de Louvain
Publication
Featured research published by Mathieu Ciet.
IEEE Transactions on Computers | 2004
Benoît Chevallier-Mames; Mathieu Ciet; Marc Joye
We introduce simple methods to convert a cryptographic algorithm into an algorithm protected against simple side-channel attacks. Contrary to previously known solutions, the proposed techniques are not at the expense of the execution time. Moreover, they are generic and apply to virtually any algorithm. In particular, we present several novel exponentiation algorithms, namely, a protected square-and-multiply algorithm, its right-to-left counterpart, and several protected sliding-window algorithms. We also illustrate our methodology applied to point multiplication on elliptic curves. All these algorithms share the common feature that the complexity is globally unchanged compared to the corresponding unprotected implementations.
Designs, Codes and Cryptography | 2005
Mathieu Ciet; Marc Joye
Elliptic curve cryptosystems in the presence of faults were studied by Biehl et al., Advances in Cryptology CRYPTO 2000, Springer Verlag (2000) pp. 131–146. The first fault model they consider requires that the input point P in the computation of dP is chosen by the adversary. Their second and third fault models only require the knowledge of P. But these two latter models are less ‘practical’ in the sense that they assume that only a few bits of error are inserted (typically exactly one bit is supposed to be disturbed) either into P just prior to the point multiplication or during the course of the computation in a chosen location. This paper relaxes these assumptions and shows how random (and thus unknown) errors in either coordinates of point P, in the elliptic curve parameters or in the field representation enable the (partial) recovery of multiplier d. Then, from multiple point multiplications, we explain how this can be turned into a total key recovery. Simple precautions to prevent the leakage of secrets are also discussed.
Designs, Codes and Cryptography | 2006
Mathieu Ciet; Marc Joye; Kristin E. Lauter; Peter L. Montgomery
Recently, Eisenträger et al. proposed a very elegant method for speeding up scalar multiplication on elliptic curves. Their method relies on improved formulas for evaluating S=(2P + Q) from given points P and Q on an elliptic curve. Compared to the naive approach, the improved formulas save a field multiplication each time the operation is performed. This paper proposes a variant which is faster whenever a field inversion is more expensive than six field multiplications. We also give an improvement when tripling a point, and present a ternary/binary method to perform efficient scalar multiplication.
International Conference on Information and Communication Security | 2003
Mathieu Ciet; Marc Joye
Randomization techniques play an important role in the protection of cryptosystems against implementation attacks. This paper studies the case of elliptic curve cryptography and proposes three novel randomization methods, for the elliptic curve point multiplication, which do not impact the overall performance.
Midwest Symposium on Circuits and Systems | 2003
Mathieu Ciet; Michael Neve; Eric Peeters; Jean-Jacques Quisquater
In this paper, the authors presented a new parallel architecture to avoid side-channel analysis such as: timing attack, simple/differential power analysis, fault induction attack and simple/differential electromagnetic analysis. Montgomery multiplication based on residue number systems was used. Thanks to RNS, a design which is able to perform an RSA signature in parallel on a set of identical and independent coprocessors was developed. Of independent interest, the authors proposed a new DPA countermeasure when RNS are used that is only (slightly) memory consuming. Finally, the new architecture was synthesized on FPGA and it presents promising performance results. Even if the aim is to sketch a secure architecture, the RSA signature is performed in less than 150 ms, with competitive hardware resources. To the authors' knowledge, this is the first proposal of an architecture counteracting electromagnetic analysis apart from hardware countermeasures reducing electromagnetic radiations.
Public Key Cryptography | 2004
Roberto Maria Avanzi; Mathieu Ciet; Francesco Sica
Let E be an elliptic curve defined over $\mathbb{F}_{2^n}$. The inverse operation of point doubling, called point halving, can be done up to three times as fast as doubling. Some authors have therefore proposed to perform a scalar multiplication by a halve-and-add algorithm, which is faster than the classical double-and-add method. If the coefficients of the equation defining the curve lie in a small subfield of $\mathbb{F}_{2^n}$, one can use the Frobenius endomorphism $\tau$ of the field extension to replace doublings. Since the cost of $\tau$ is negligible if normal bases are used, the scalar multiplication is written in base $\tau$ and the resulting $\tau$-and-add algorithm gives very good performance. For elliptic Koblitz curves, this work combines the two ideas for the first time to achieve a novel decomposition of the scalar. This gives a new scalar multiplication algorithm which is up to 14.29% faster than the Frobenius method, without any additional precomputation.
International Conference on Cryptology in India | 2001
Mathieu Ciet; Jean-Jacques Quisquater; Francesco Sica
In 1999 Silverman [21] introduced a family of binary finite fields which are composite extensions of $\mathbb{F}_2$ and on which arithmetic operations can be performed more quickly than on prime extensions of $\mathbb{F}_2$ of the same size. We present here a fast approach to elliptic curve cryptography using a distinguished subset of the set of Silverman fields $\mathbb{F}_{2^N} = \mathbb{F}_{h^n}$. This approach leads to a theoretical computation speedup over fields of the same size, using a standard point of view (cf. [7]). We also analyse their security against prime extension fields $\mathbb{F}_{2^p}$, where p is prime, following the method of Menezes and Qu [12]. We conclude that our fields do not present any significant weakness towards the solution of the elliptic curve discrete logarithm problem and that often the Weil descent of Galbraith-Gaudry-Hess-Smart (GGHS) does not offer a better attack on elliptic curves defined over $\mathbb{F}_{2^N}$ than on those defined over $\mathbb{F}_{2^p}$, with a prime p of the same size as N. A noteworthy example is provided by $\mathbb{F}_{2^{226}}$: a generic elliptic curve $Y^2 + XY = X^3 + ?X^2 + s$ defined over $\mathbb{F}_{2^{226}}$ is as prone to the GGHS Weil descent attack as a generic curve defined on the NIST field $\mathbb{F}_{2^{233}}$.
International Conference on Progress in Cryptology | 2005
Mathieu Ciet; Francesco Sica
In this paper we produce a practical and efficient algorithm to find a decomposition of type $n = \sum_{i=1}^{k} 2^{s_i} 3^{t_i}$, $s_i, t_i \in \mathbb{N} \cup \{0\}$ with $k \leq (c+o(1)) \frac{\log n}{\log \log n}$.
Selected Areas in Cryptography | 2002
Francesco Sica; Mathieu Ciet; Jean-Jacques Quisquater
Cryptographic Hardware and Embedded Systems | 2004
Eric Peeters; Michael Neve; Mathieu Ciet