The Montgomery Powering Ladder

Size: px

Start display at page:

Download "The Montgomery Powering Ladder"

Horace Walsh
6 years ago
Views:

The Montgomery Powering Ladder Marc Joye Gemplus Card International Gémenos, France marc.joye@gemplus.com http://www.geocities.

1 The Montgomery Powering Ladder Marc Joye Gemplus Card International Gémenos, France Sung-Ming Yen LCIS, National Central University Chung-Li, Taiwan yensm/ CHES 2002, San Francisco Bay, August 13 15,

2 Agenda Montgomery Powering Ladder Efficiency Analysis Security Analysis Conclusion 13/08/02 2/9

3 Agenda Montgomery Powering Ladder Efficiency Analysis Security Analysis Conclusion 13/08/02 2/9

4 Montgomery Powering Ladder Goal: given, compute in 13/08/02 3/9

5 Montgomery Powering Ladder in, compute Goal: given Key observation and define 13/08/02 3/9

6 Montgomery Powering Ladder Goal: given Key observation define, compute and in Montgomery powering ladder: 13/08/02 3/9

7 Montgomery Powering Ladder in, compute Goal: given Key observation and define Montgomery powering ladder: if if 13/08/02 3/9

8 Montgomery Powering Ladder in, compute Goal: given Key observation and define Montgomery powering ladder: if if 13/08/02 3/9

9 Montgomery Powering Ladder in, compute Goal: given Key observation and define Montgomery powering ladder: if if 13/08/02 3/9

10 Montgomery Powering Ladder in, compute Goal: given Key observation and define Montgomery powering ladder: if if if if 13/08/02 3/9

11 # Montgomery Powering Ladder The algorithm Input: Output: do downto "! for then # "$ if % ] $ else [if return 13/08/02 3/9

12 # Montgomery Powering Ladder The algorithm Input: Output: do downto "! for then # "$ if ] $ else [if return 13/08/02 3/9

13 Agenda Montgomery Powering Ladder Efficiency Analysis Security Analysis Conclusion 13/08/02 4/9

14 Efficiency Analysis Lucas chains structure 13/08/02 5/9

15 Efficiency Analysis Lucas chains structure is invariant [ ] 13/08/02 5/9

16 # Efficiency Analysis ] Lucas chains structure is invariant [ do downto "! for # then $ if ] $ else [if return 13/08/02 5/9

17 # Efficiency Analysis ] Lucas chains structure is invariant [ do downto "! for then # $ if ] $ else [if return 13/08/02 5/9

18 Efficiency Analysis Lucas chains structure is invariant [ elliptic curve over a field ] 13/08/02 5/9

19 Efficiency Analysis Lucas chains structure is invariant [ ] elliptic curve over a field computations can be carried out with -coordinate only 13/08/02 5/9

20 Efficiency Analysis Lucas chains structure is invariant [ ] elliptic curve over a field computations can be carried out with -coordinate only the -coordinates need not to be handled a lot of multiplications (in ) are saved fewer memory is required 13/08/02 5/9

21 Efficiency Analysis Lucas chains structure is invariant [ ] elliptic curve over a field computations can be carried out with -coordinate only the -coordinates need not to be handled a lot of multiplications (in ) are saved fewer memory is required similarly for full Lucas sequences computations can be carried out with the -sequence only 13/08/02 5/9

22 Efficiency Analysis Parallel computing 13/08/02 5/9

23 # # Efficiency Analysis Parallel computing simplified presentation for "! downto do if $ then % else [if $ ] return 13/08/02 5/9

24 # # Efficiency Analysis Parallel computing simplified presentation for if $ "! else [if downto then $ ] do return 13/08/02 5/9

25 # Efficiency Analysis Parallel computing simplified presentation for "! downto do return 13/08/02 5/9

26 # Efficiency Analysis Parallel computing simplified presentation for "! downto do return the 2 multiplications are independent 13/08/02 5/9

27 # Efficiency Analysis Parallel computing parallel Montgomery ladder for "! % downto do /* Processor 1 */ /* Processor 2 */ return 13/08/02 5/9

28 # Efficiency Analysis Parallel computing parallel Montgomery ladder for "! % downto do /* Processor 1 */ /* Processor 2 */ return twice faster with 2 processors 13/08/02 5/9

29 Efficiency Analysis Common-multiplicand property 13/08/02 5/9

30 # # Efficiency Analysis Common-multiplicand property (resp. ) is common to the 2 multiplications for if $ "! else [if downto then $ ] do return 13/08/02 5/9

31 # # Efficiency Analysis Common-multiplicand property (resp. ) is common to the 2 multiplications for if $ "! else [if downto then $ ] do return 13/08/02 5/9

32 Efficiency Analysis Common-multiplicand property (resp. ) is common to the 2 multiplications the CM-multiplication by Yen is applicable 13/08/02 5/9

33 Efficiency Analysis Common-multiplicand property (resp. ) is common to the 2 multiplications the CM-multiplication by Yen is applicable similar savings for more complicated groups e.g., when elliptic curve over, several multiplications (in ) are identical 13/08/02 5/9

34 Agenda Montgomery Powering Ladder Efficiency Analysis Security Analysis Conclusion 13/08/02 6/9

35 Security Analysis Side-channel attacks 13/08/02 7/9

36 Security Analysis Side-channel attacks SPA-like attacks Montgomery ladder behaves regularly whatever the scanned bit, 13/08/02 7/9

37 # Security Analysis Side-channel attacks SPA-like attacks Montgomery ladder behaves regularly whatever the scanned bit, for "! downto do return 13/08/02 7/9

38 Security Analysis Side-channel attacks SPA-like attacks Montgomery ladder behaves regularly whatever the scanned bit, SPA-resistant, provided that is indistinguishable from writing in squaring of is indistinguishable from squaring of writing in 13/08/02 7/9

39 Security Analysis Side-channel attacks SPA-like attacks Montgomery ladder behaves regularly whatever the scanned bit, SPA-resistant, provided that is indistinguishable from writing in squaring of is indistinguishable from squaring of DPA-like attacks prevented using standard blinding techniques writing in 13/08/02 7/9

40 Security Analysis Fault attacks C safe-error attacks 13/08/02 7/9

41 Security Analysis Fault attacks C safe-error attacks principle: timely induce a computational fault into the ALU for determining whether an operation is dummy (when the final result is correct), or effective (when the final result is incorrect) 13/08/02 7/9

42 Security Analysis Fault attacks C safe-error attacks principle: timely induce a computational fault into the ALU for determining whether an operation is dummy (when the final result is correct), or effective (when the final result is incorrect) this reveals bit-by-bit the value of exponent in the classical protected binary ladders: the square-and-multiply always algorithm, and its right-to-left counterpart 13/08/02 7/9

43 # Security Analysis Fault attacks C safe-error attacks there are no dummy operations (mult.) in the Montgomery ladder for "! downto do return 13/08/02 7/9

44 Security Analysis Fault attacks C safe-error attacks there are no dummy operations (mult.) in the Montgomery ladder the C safe-error model does not apply 13/08/02 7/9

45 Security Analysis Fault attacks M safe-error attacks 13/08/02 7/9

46 Security Analysis Fault attacks M safe-error attacks principle: timely induce a memory fault inside register during the evaluation of for determining whether the result is written in (when the final result is correct), or (when the final result is incorrect) 13/08/02 7/9

47 Security Analysis Fault attacks M safe-error attacks principle: timely induce a memory fault inside register during the evaluation of for determining whether the result is written in (when the final result is correct), or (when the final result is incorrect) this attack readily applies to Montgomery ladder 13/08/02 7/9

48 Security Analysis Fault attacks M safe-error attacks principle: timely induce a memory fault inside register during the evaluation of for determining whether the result is written in (when the final result is correct), or (when the final result is incorrect) this attack readily applies to Montgomery ladder BUT a slight modification makes the attack inapplicable 13/08/02 7/9

49 # Security Analysis Fault attacks M safe-error attacks original Montgomery ladder for "! downto do return 13/08/02 7/9

50 # Security Analysis Fault attacks M safe-error attacks modified Montgomery ladder for "! downto do return 13/08/02 7/9

51 # Security Analysis Fault attacks M safe-error attacks modified Montgomery ladder for "! downto do return the M safe-error model does no longer apply 13/08/02 7/9

52 Agenda Montgomery Powering Ladder Efficiency Analysis Security Analysis Conclusion 13/08/02 8/9

53 Conclusion Efficiency Lucas chains structure parallel computing common-multiplicand property 13/08/02 9/9

54 Conclusion Efficiency Lucas chains structure parallel computing common-multiplicand property Security against SPA-like attacks against C safe-error attacks against M safe-error attacks after modification 13/08/02 9/9

55 Conclusion Efficiency Lucas chains structure parallel computing common-multiplicand property Security against SPA-like attacks against C safe-error attacks against M safe-error attacks after modification Montgomery ladder is well suited for efficient and secure exponentiation (in ) in constrained devices 13/08/02 9/9

A Scalable and High Performance Elliptic Curve Processor with Resistance to Timing Attacks

A Scalable and High Performance Elliptic Curve Processor with Resistance to Timing Attacks Alireza Hodjat, David D. Hwang, Ingrid Verbauwhede, University of California, Los Angeles Katholieke Universiteit