Randomization of Arithmetic over Polynomial Modular Number System Laurent-Stéphane Didier, Fangan-Yssouf Dosso, Nadia El Mrabet, Jérémy Marrez, Pascal Véron
To cite this version:
Laurent-Stéphane Didier, Fangan-Yssouf Dosso, Nadia El Mrabet, Jérémy Marrez, Pascal Véron. Randomization of Arithmetic over Polynomial Modular Number System. 26th IEEE International Symposium on Computer Arithmetic, Jun 2019, Kyoto, Japan. pp.199-206, 10.1109/ARITH.2019.00048. hal-02099713
HAL Id: hal-02099713 https://hal.archives-ouvertes.fr/hal-02099713 Submitted on 15 Apr 2019
HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.
Laurent-Stéphane Didier*, Fangan Yssouf Dosso*, Nadia El Mrabet†, Jérémy Marrez‡ and Pascal Véron*
*Laboratoire IMATH, Université de Toulon, France, didier,dosso,[email protected]
†Ecole des Mines de St Etienne, France, [email protected]
‡LIP6, Sorbonne Université, France, [email protected]
Abstract—The Polynomial Modular Number System (PMNS) is an integer number system designed to speed up arithmetic operations modulo a prime p. Such a system is defined by a tuple $\mathcal{B} = (p, n, \gamma, \rho, E)$ where $E \in \mathbb{Z}[X]$ and $E(\gamma) \equiv 0 \pmod p$. In a PMNS, an element a of $\mathbb{Z}/p\mathbb{Z}$ is represented by a polynomial A such that $A(\gamma) \equiv a \pmod p$, $\deg A < n$ and $\|A\|_\infty < \rho$. In [6], the authors mentioned that PMNS can be highly redundant, but they did not really take advantage of this possibility. In this paper we use, for the first time, the redundancy of PMNS to protect algorithms against Side Channel Attacks (SCA). More precisely, we focus on elliptic curve cryptography. We show how to randomize the modular multiplication in order to be safe against existing SCA and we demonstrate the resistance of our construction. We describe the generation of a PMNS while guaranteeing, for all elements of $\mathbb{Z}/p\mathbb{Z}$, the minimum number of distinct representations we want. We also show how to reach all these representations.

Keywords-Polynomial Modular Number System, Side Channel Countermeasure, Modular Arithmetic.

I. INTRODUCTION

Most protocols in public key cryptography require modular arithmetic operations over large integers, like for instance RSA [28] or Elliptic Curve Cryptography (ECC) [21]. In practice, these operations must be fast and secure. In order to speed up modular arithmetic, specific representations of integers such as the Residue Number System (RNS [17], [3]) or the Polynomial Modular Number System (PMNS [5], [6], [25], [26]) have been studied. The security concerns the resistance to side channel analysis, especially when the implementation targets embedded devices.

Side channel attacks (SCA) use the leakage of information during the execution of a cryptographic protocol in order to fully or partially recover the secret [22]. The leakage of information can be the execution time, the power consumption or the electromagnetic emission of the implemented algorithm. SCA have proven to be efficient in ECC [1]. Countermeasures to those attacks should be included in the implementation of the scalar multiplication in ECC. This operation is the main and most critical operation in ECC. It consists in adding a point P on an elliptic curve E, k times. Existing countermeasures rely on the addition of randomness during the computation. The randomness could be included in the scalar k [13], [12], [29], [10], [9] or in the coordinates of the point P [13]. It is also possible to randomize the instruction flow of the field multiplications computed during the point addition [11]. Another strategy is to introduce randomization at the arithmetical level, which is the purpose of this paper.

Our goal is to protect elliptic curve scalar multiplication (ECSM) against SCA [22] using the PMNS to represent the coordinates of any curve point. All operations involved in PMNS representation use regular algorithms, so they are intrinsically Simple Power Analysis (SPA) immune. Thus, it should be sufficient to use a regular algorithm (like the Montgomery powering ladder [24]) to perform the ECSM in order to be safe against SPA attacks. To protect the classical scalar multiplication kP against Differential Power Analysis (DPA) attacks, we first show how the conversion process which maps an integer to a representative in PMNS can be easily modified to randomize the base point P. Next, we show how to randomize all intermediate values involved in the scalar multiplication by adding some randomness in the PMNS modular multiplication primitive. Randomization of the scalar k can be done using classical countermeasures [15].

The rest of the paper is organised as follows. We recall the principal definitions and properties of a PMNS representation in Section II. In Section III we present both the randomization of inputs (Sec. III-B) and of the multiplication (Sec. III-C). In Section IV, we give the costs of modular multiplications in PMNS and describe some specific advantages of PMNS regarding some attacks like Goubin's [18]. We conclude in Section V.

II. BACKGROUND ON PMNS

Modular arithmetic is one of the key points for efficient and secure cryptographic applications. A challenge is to obtain a number system which permits fast modular computations over large integers. Bajard et al. [6] introduced the Modular Number System (MNS), which is a generalization of positional number systems. The main idea is that any integer $x = \sum_{i=0}^{n} x_i \gamma^i$ can be seen as a polynomial evaluated in $\gamma$. In MNS, the choice of $\gamma$ is free under certain conditions. This number system is defined by the tuple $(p, n, \gamma, \rho)$ as follows.

Definition II.1. A modular number system (MNS) $\mathcal{B}$ is defined by a tuple $(p, n, \gamma, \rho)$, such that for every integer $0 \leq x < p$, there exists a vector $V = (v_0, \ldots, v_{n-1})$ such that:
$$x = \sum_{i=0}^{n-1} v_i \gamma^i \bmod p,$$
with $|v_i| < \rho$ and $0 < \rho$,

polynomial. The PMNS is defined by the tuple $\mathcal{B} = (p, n, \gamma, \rho, E)$. In this system, arithmetic operations are performed on polynomials modulo E.

Several methods exist for computing the PMNS parameters. Plantard [26] gives a building method for very efficient PMNS. Its main drawback is that the parameter p cannot be set: it is computed through the process. In [7], [14] the authors show that it is always possible to build many PMNS for a given modulus p.

In PMNS, the multiplication $T = VW \bmod E$, with $V \equiv_{\mathcal{B}} x$ and $W \equiv_{\mathcal{B}} y$, satisfies $T(\gamma) \equiv xy \pmod p$ because $E(\gamma) \equiv 0 \pmod p$. However, even if $\deg(T) < n$, T might not be a representation of $xy \bmod p$ in $\mathcal{B}$, because its coefficients could be greater than or equal to $\rho$. In order to get this representation in $\mathcal{B}$, a special primitive called the internal reduction has to be applied. The operation that reduces the size of the polynomial coefficients is described in Section II-A.

In [26], [6], the authors show how to use PMNS to speed up modular arithmetic. The main PMNS primitives are recalled in Sections II-B, II-C and II-D.

A. Internal reduction

The goal of the internal reduction is to maintain small enough coefficients of polynomials in PMNS. Let $\mathcal{B} = (p, n, \gamma, \rho, E)$ be a PMNS.
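As an added illustration of Definition II.1, of the redundancy mentioned in the abstract, and of the multiplication $T = VW \bmod E$ discussed just above (this is constructed example code, not the authors' implementation), the following Python builds a toy PMNS with p = 31, n = 3, E(X) = X^3 - 2 and ρ = 3. The shape E = X^n - λ, the brute-force search for γ and the exhaustive enumeration of representations are assumptions made for the illustration; they are only feasible at toy sizes.

```python
"""Toy PMNS illustrating Definition II.1 and the multiplication T = VW mod E.

Constructed example with tiny parameters; it is not the authors' code.
Assumption: E(X) = X^n - lam, so that E(gamma) = 0 mod p  <=>  gamma^n = lam mod p.
"""
import random
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class PMNS:
    p: int      # prime modulus
    n: int      # polynomials have degree < n
    gamma: int  # root of E modulo p
    rho: int    # coefficient bound: every |v_i| < rho
    lam: int    # E(X) = X^n - lam (assumed shape of E)


def make_pmns(p, n, lam, rho):
    """Return B = (p, n, gamma, rho, E) with E = X^n - lam, finding gamma by brute force."""
    for g in range(2, p):
        if pow(g, n, p) == lam % p:   # E(g) = g^n - lam = 0 mod p
            return PMNS(p, n, g, rho, lam)
    raise ValueError("no root of E modulo p; choose another lam")


def evaluate(B, V):
    """V(gamma) mod p: the element of Z/pZ that the polynomial V stands for."""
    return sum(v * pow(B.gamma, i, B.p) for i, v in enumerate(V)) % B.p


def is_representation(B, V, x):
    """True iff V represents x in B: deg V < n, ||V||_inf < rho and V(gamma) = x mod p."""
    return (len(V) == B.n
            and all(abs(v) < B.rho for v in V)
            and evaluate(B, V) == x % B.p)


def representations_by_residue(B):
    """Map every x in Z/pZ to all of its representations in B (exhaustive, toy sizes only).

    The MNS definition only asks for at least one vector per residue; since
    (2*rho-1)^n vectors share p residues, most residues get several. That surplus
    is the redundancy the randomised conversion can draw on.
    """
    coeffs = range(-(B.rho - 1), B.rho)
    table = {x: [] for x in range(B.p)}
    for V in product(coeffs, repeat=B.n):
        table[evaluate(B, V)].append(V)
    return table


def random_representation(B, x, rng):
    """Randomised conversion (toy version): pick one representation of x at random."""
    return rng.choice(representations_by_residue(B)[x % B.p])


def poly_mul_mod_E(B, V, W):
    """T = V * W mod E over Z, with E = X^n - lam, so X^n is replaced by lam.

    T(gamma) = x*y mod p always holds, but T's coefficients are not bounded by rho;
    shrinking them is the job of the internal reduction of Section II-A.
    """
    T = [0] * (2 * B.n - 1)
    for i, v in enumerate(V):
        for j, w in enumerate(W):
            T[i + j] += v * w
    for k in range(2 * B.n - 2, B.n - 1, -1):   # fold degrees n..2n-2 down using X^n = lam
        T[k - B.n] += B.lam * T[k]
        T[k] = 0
    return T[:B.n]


if __name__ == "__main__":
    B = make_pmns(p=31, n=3, lam=2, rho=3)        # gamma = 4 because 4^3 = 64 = 2 mod 31
    V = (2, 2, 2)
    x = evaluate(B, V)                            # 11
    T = poly_mul_mod_E(B, V, V)                   # [20, 16, 12]
    print("x =", x, "T =", T, "T(gamma) =", evaluate(B, T), "x*x mod p =", x * x % B.p)
    print("T is a valid representation:", is_representation(B, T, x * x))
    table = representations_by_residue(B)
    print("min/max number of representations per residue:",
          min(map(len, table.values())), max(map(len, table.values())))
    print("one random representation of 0:", random_representation(B, 0, random.Random(1)))
```

Running it shows the two facts the section relies on: the product of (2, 2, 2) with itself evaluates to the right residue (28 = 11·11 mod 31) even though its coefficients 20, 16, 12 all exceed ρ, which is exactly why an internal reduction step has to follow every multiplication; and the residue 0 already has several representations, (0, 0, 0) and (-1, 0, 2) among them, so a conversion routine has a genuine choice to randomise.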