Hardware and Arithmetic for Hyperelliptic Curves Cryptography

Academic year: 2021


HAL Id: hal-01134020

https://hal.inria.fr/hal-01134020

Submitted on 29 Mar 2015

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.


Hardware and Arithmetic for Hyperelliptic Curves Cryptography

Gabriel Gallin, Arnaud Tisserand, Nicolas Veyrat-Charvillon

To cite this version:

Gabriel Gallin, Arnaud Tisserand, Nicolas Veyrat-Charvillon. Hardware and Arithmetic for Hyperelliptic Curves Cryptography. RAIM: 7ème Rencontre Arithmétique de l’Informatique Mathématique, Apr 2015, Rennes, France. 2015. ⟨hal-01134020⟩


HAH Project, IRISA–IRMAR

Hardware and Arithmetic for Hyperelliptic Curves Cryptography

Gabriel Gallin, Arnaud Tisserand & Nicolas Veyrat-Charvillon

1. Elliptic Curve Cryptography (ECC)

Figure: the three layers of an ECC implementation.
- protocol level: encryption, signature, key gen., etc.
- curve level: [k]P, ADD(P, Q), DBL(P) = P + P
- field level: x ± y, x × y, . . .

E : y^2 = x^3 + 4x + 20 over GF(1009)
Points on E: P, Q = (x, y) or (x, y, z)
Coordinates: x, y, z ∈ GF(·)
GF(p), GF(2^m), t : 160–600 bits
k = (k_{t−1} k_{t−2} . . . k_1 k_0)_2 ∈ N

Scalar multiplication operation:
  for i from 0 to t − 1 do
    if k_i = 1 then Q = ADD(P, Q)
    P = DBL(P)

Point addition/doubling operations: sequence of finite field operations
  DBL: v_1 = z_1^2, v_2 = x_1 − v_1, . . .
  ADD: w_1 = z_1^2, w_2 = z_1 × w_1, . . .

GF(p) or GF(2^m) operations: operation modulo a large prime (GF(p)) or an irreducible polynomial (GF(2^m))

2. Side Channel Attacks (SCAs)

Figure: operation sequence DBL DBL DBL ADD DBL ADD DBL DBL observed in a trace, with the key bits 0 0 0 1 1 0 aligned below it.

Side channels:
- Power consumption
- Electromagnetic radiation
- Computation timings

Attacks:
- Simple analysis
- Differential analysis (statistics)
- Templates and learning

3. Protections & Counter-Measures Against SCAs

- Uniform comp. durations
- Uniform power/EM profile
- Random behavior
- Circuit reconfiguration
- Detection/correction codes
- Add noise (!)

Example: use redundant number systems
k → R_1(k) → [R_1(k)]P
k → R_2(k) → [R_2(k)]P
k → R_3(k) → [R_3(k)]P
k → R_4(k) → [R_4(k)]P
k → R_5(k) → [R_5(k)]P
k → R_6(k) → [R_6(k)]P
. . .
Random recoding: ∀i, [R_i(k)]P = [k]P
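The three ideas of Sections 1 to 3 on the poster's own toy curve, as an added example that is not part of the poster: the right-to-left double-and-add, a trace of ADD/DBL invocations standing in for a power/EM trace, and a NAF recoding R(k) that computes the same [k]P with a different trace. The point P = (1, 5) is a constructed point on E.

```python
# Added example (not the poster's code): the poster's toy curve
# E: y^2 = x^3 + 4x + 20 over GF(1009), its right-to-left double-and-add and a
# NAF recoding R(k) with [R(k)]P = [k]P. Every ADD/DBL invocation is logged to
# a trace, standing in for a power/EM trace. P = (1, 5) is a constructed point.
p, A = 1009, 4
INF = None  # point at infinity

def add(P, Q, trace):
    """Affine addition on E (handles P == Q and P == -Q); logs the invocation."""
    trace.append("ADD")
    if P is INF: return Q
    if Q is INF: return P
    if P[0] == Q[0]:
        if (P[1] + Q[1]) % p == 0: return INF
        lam = (3*P[0]*P[0] + A) * pow(2*P[1], -1, p) % p   # tangent slope
    else:
        lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p    # chord slope
    x = (lam*lam - P[0] - Q[0]) % p
    return (x, (lam*(P[0] - x) - P[1]) % p)

def dbl(P, trace):
    trace.append("DBL")
    return add(P, P, [])   # same formula, logged as DBL

def bits(k):
    return [(k >> i) & 1 for i in range(k.bit_length())]   # LSB first

def naf(k):
    """Non-adjacent form (digits -1/0/1, LSB first): one recoding R(k) of k."""
    digits = []
    while k > 0:
        d = (2 - k % 4) if k & 1 else 0
        digits.append(d)
        k = (k - d) >> 1
    return digits

def scalar_mul(digits, P):
    """Poster's loop: for i from 0 to t-1: if k_i = 1 then Q = ADD(P,Q); P = DBL(P)."""
    trace, Q = [], INF
    for d in digits:
        if d:                       # -1 adds the negated point (x, -y)
            Q = add(P if d == 1 else (P[0], -P[1] % p), Q, trace)
        P = dbl(P, trace)
    return Q, trace

def leaked_bits(trace):
    """What a simple analysis reads from a binary trace: ADD before a DBL means k_i = 1."""
    out, seen_add = [], 0
    for op in trace:
        if op == "ADD": seen_add = 1
        else: out.append(seen_add); seen_add = 0
    return out
```

Running scalar_mul with bits(k) and with naf(k) returns the same point but different traces, which is exactly the property the "uniform profile" counter-measures aim at and the random recoding exploits.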

4. From ECC to HECC

        field size   ADD cost    DBL cost
ECC     ℓ bits       12M + 2S    6M + 5S
HECC    ℓ/2 bits     47M + 4S    38M + 6S

(M: field multiplications, S: field squarings)

Figure: examples of computation expressions for projective coordinates (data-flow graphs of mul/sqr/add/sub operations over the input coordinates, not reproduced here).

5. HAH Project Objectives

- Efficient algorithms and representations for HECC
- HECC protections against SCAs (passive and active)
- Fast, low-power and secure hardware implementations (open source hardware code and programming tools)
- Intensive security evaluation using our SCA setup

6. Developed Crypto-Processor(s) from PAVOIS ANR Project

Figure: crypto-processor architecture with arithmetic units AU1, AU2, AU3, a points memory (@coord.), a program memory (inst., @inst.), a control unit (CTRL) and a key recoding unit (k → k_i); instructions are 21 bits wide, data paths are w bits wide (scalar, word, digit, address and control signals).

- Arithmetic Units (AUs): ±, ×, ÷ over GF(p)/GF(2^m), various configurations (area vs speed, internal protection)
- Various key recoding methods (and dedicated units)
- Configuration: field size, internal word size, #AUs, type(AUs)
- Circuit/architecture level protections

7. Programming Tools for Our Crypto-Processor(s)

Figure: tool flow with HW modules, configurations, CAD tools, user selection, implementation, crypto. lib., assembler, binary code, compiler, Sage, and API/TLS-SSL commands.

8. Implementation Results on FPGA

XC6SLX75 FPGA, GF(p), 256-bit ECC or 128-bit HECC, internal word size w = 32 bits

Recoding units:

Recoding                BIN               NAF-2             NAF-3             NAF-4
area slices (FF/LUT)    565 (1321/1461)   570 (1340/1479)   571 (1344/1495)   503 (1348/1489)
freq. (MHz)             225               228               237               217

Area/speed trade-offs for ECC and HECC configurations; each cell gives area in slices (FF/LUT) followed by freq. in MHz (the HECC rows report two multiplier configurations):

        #mult.  BRAM  mult. 1 col.             mult. 2 col.             mult. 4 col.
ECC     1       2     503 (1348/1489) 217      626 (1450/1643) 230      694 (1649/1891) 211
ECC     2       2     689 (1744/1894) 219      754 (1948/2208) 234      931 (2345/2712) 220
ECC     3       2     809 (2146/2245) 205      942 (2449/2704) 222      1105 (3046/3436) 222
HECC    1       2     522 (1344/1405) 228      520 (1434/1535) 217
HECC    2       2     634 (1746/1786) 226      689 (1926/2055) 220
HECC    4       2     852 (2552/2531) 201      917 (2912/3045) 195
HECC    8       2     1347 (4145/3882) 204     1601 (4865/4928) 209

9. Algorithms and Architecture Impacts on SCAs

Activity traces from CABA¹ simulations (after filtering) for several configurations of the field multiplier (area/speed): small/slow, medium/medium, large/fast.

Figure: six plots, one row for ADD and one for DBL, one column per multiplier configuration; each plots activity [#transitions] (0 to 1200) against time [clock cycles]. The time axis spans about 25000 cycles for small/slow, 16000 (ADD) and 14000 (DBL) cycles for medium/medium, and 10000 (ADD) and 9000 (DBL) cycles for large/fast.

¹ Cycle Accurate Bit Accurate (i.e. simulations close to real power measurements)
