Randomization of Arithmetic over Polynomial Modular Number System Laurent-Stéphane Didier, Fangan-Yssouf Dosso, Nadia El Mrabet, Jérémy Marrez, Pascal Véron

To cite this version:

Laurent-Stéphane Didier, Fangan-Yssouf Dosso, Nadia El Mrabet, Jérémy Marrez, Pascal Véron. Ran- domization of Arithmetic over Polynomial Modular Number System. 26th IEEE International Sym- posium on Computer Arithmetic, Jun 2019, Kyoto, Japan. pp.199-206, ￿10.1109/ARITH.2019.00048￿. ￿hal-02099713￿

HAL Id: hal-02099713 https://hal.archives-ouvertes.fr/hal-02099713 Submitted on 15 Apr 2019

HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Randomization of Arithmetic over Polynomial Modular Number System

Laurent-Stéphane Didier⇤, Fangan Yssouf Dosso⇤, Nadia El Mrabet†, Jérémy Marrez ‡ and Pascal Véron ⇤ ⇤Laboratoire IMATH, Université de Toulon, France, didier,dosso,[email protected] †Ecole des Mines de St Etienne, France, [email protected] ‡LIP6, Sorbonne Université, France, [email protected]

Abstract—The Polynomial Modular Number Sys- tographic protocol in order to fully or partially tem (PMNS) is an integer number system designed recover the secret [22]. The leakage of information to speed up arithmetic operations modulo a prime p. can be the execution time, the power consumption Such a system is defined by a tuple = p, n,,⇢,E B ( ) where E Z X and E 0 mod p . In a PMNS, or the electromagnetic emission of the imple- 2 [ ] ( )⌘ ( ) an element a of Z pZ is represented by a polynomial mented algorithm. SCA have proven to be ecient / A such that: A a mod p , deg A < n and in ECC [1]. Countermeasures to those attacks ( )⌘ ( ) A <⇢. In [6], the authors mentioned that k k1 should be included in the implementation of the PMNS can be highly redundant but they didn’t scalar multiplication in ECC. This operation is really take advantage of this possibility. In this paper we use, for the first time, the redundancy of the main and most critical operation in ECC. It consists in adding a point on an elliptic curve PMNS to protect algorithms against Side Channel P Attacks (SCA). More precisely, we focus on elliptic E, k times. Existing countermeasures rely on the curve cryptography. We show how to randomize the addition of randomness during the computation. modular multiplication in order to be safe against The randomness could be included in the scalar existing SCA and we demonstrate the resistance of our construction. We describe the generation of a k [13], [12], [29], [10], [9] or in the coordinates of PMNS while guaranteeing, for all elements of Z pZ, the point [13]. It is also possible to randomize / P the minimum number of distinct representations the instructions flow of the field multiplications we want. We also show how to reach all these computed during the points addition [11]. Another representations. strategy is to introduce randomization at the arith- Keywords-Polynomial Modular Number System, metical level, which is the purpose of this paper. Side Channel Countermeasure, Modular Artith- Our goal is to protect elliptic curve scalar metic. multiplication (ECSM) against SCA [22] using the PMNS to represent the coordinates of any I. I curve points. All operations involved in PMNS Most protocols in public key cryptography re- representation use regular algorithms so they are quire modular arithmetic operations over large intrinsically Simple Power Analysis (SPA) im- integers, like for instance RSA [28] or Elliptic mune. Thus, it should be sucient to use regular Curve Cryptography (ECC) [21]. In practice, these algorithm (like the Montgomery powering lad- operations must be fast and secure. In order to der [24]) to perform the ECSM in order to be speed up modular arithmetic, specific represen- safe against SPA attacks. To protect the classical tations of integers such as the Residue Number scalar multiplication k against Dierential Power P System (RNS [17], [3]) or the Polynomial Modular Analysis (DPA) attacks, we first show how the Number System (PMNS [5], [6], [25], [26]) have conversion process which maps an integer to a been studied. The security concerns the resistance representative in PMNS can be easily modified to to side channel analysis, especially when the im- randomize the base point . Next, we show how to P plementation targets embedded devices. randomize all intermediate values involved in the Side channel attacks (SCA) use the leakage scalar multiplication by adding some randomness of information during the execution of a cryp- in the PMNS modular multiplication primitive. Randomization of the scalar k can be done using polynomial. The PMNS is defined by the tuple B classical countermeasures [15]. p, n,,⇢,E . In this system, arithmetic operations ( ) The remaining of the paper is organised as are performed on polynomials modulo E. follow. We recall the principal definition and prop- Several methods exists for computing the erties of a PMNS representation in Section II. PMNS parameters. Plantard [26] give a building In Section III we present both the randomiza- method for very ecient PMNS. Its main tion of inputs (Sec. III-B) and the multiplication drawback is that the parameter p cannot be set. It (Sec. III-C). In Section IV, we give costs of is computed through the process. In [7], [14] the modular multiplications in PMNS and describe authors show that it is always possible to build some specific advantages of PMNS regarding many PMNS for a given modulus p. some attacks like Goubin’s [18]. We conclude in Section V. In PMNS, the multiplication T = VW mod E , ( ) II. B PMNS with V x and W y , satisfies T xy ⌘ B ⌘ B ( )⌘ mod p because E 0 mod p . However, Modular arithmetic is one of the key point for ( ) ( )⌘ ( ) even if deg T < n, T might not be a representation ecient and secure cryptographic applications. A ( ) of xy mod p in , because its coecients could challenge is to obtain a number system which per- ( ) B be greater or equal to ⇢. In order to get this mits fast modular computations over large integers. representation in , a special primitive called the Bajard and al. [6] introduced the Modular Num- B internal reduction has to be applied. The operation ber System (MNS) which is a generalization of that reduces the size of the polynomial coecients positional number systems. The main idea is that is described in Section II-A. any integer x = n x i, can be seen as a poly- i=0 i In [26], [6], the authors show how to use nomial evaluated in . In MNS, the choice of is PMNS to speed up modular arithmetic. The main free under certainÕ conditions. This number system PMNS primitives are recalled in Section II-B, II-C is defined by the tuple p, n,,⇢ as follows. ( ) and II-D. Definition II.1. A modular number system (MNS) A. Internal reduction is defined by a tuple p, n,,⇢ , such that for B ( ) every integer 0 6 x < p, there exists a vector The goal of the internal reduction is to main- n 1 tain small enough coecients of polynomials in V = v ,...,v x = v i p 0 n 1 such that: i mod , PMNS. Let = p, n,,⇢,E be a PMNS. ( ) i=0 B ( ) with vi <⇢and 0 <⇢,product T of two MNS numbers V x ⌘ B (Alg. 1). It outputs a polynomial V˜ such that and W y satisfies T xy mod p . How- 1 ⌘ B ( )⌘ ( ) V˜ V r mod p . Using this version of the ever, T might not be in because its degree could ⌘ ( ) ( ) B internal reduction requires to convert the elements be greater or equal to n. The Polynomial Modular of Z pZ in the Montgomery domain during the Number System is an extension of MNS which / conversion process into the PMNS. An element keep the degree of the product bound by n. a Z pZ is represented by a polynomial A 2 / 2 B Definition II.2. A Polynomial Modular Number such that A a.r mod p . This way, we ( )⌘ ( ) System (PMNS) [6] is a MNS where is a root ensure the consistency of operations in the PMNS modulo p of an unitary polynomial E X Z X , while using this method for coecients reduction. ( )2 [ ] such that deg E = n and E is “small”. The choice of the polynomial M to ensure ( ) k k1 The polynomial E is named external reduction the existence of M 0 is discussed in [14]. The Algorithm 1 RedCoe- Montgomery like[25] Algorithm 2 RedCoe- Babaï like [16] Require: V Z X such that deg V < n; Require: V Z X with deg V < n, = 2 [ ] ( ) 2 [ ] ( ) B = p, n,,⇢,E ; M , such that p, n,,⇢,E B ( ) 2 B ( ) M 0 mod p ; an integer r and M 0 = Ensure: R V mod p ( )1 ⌘ ( ) ( )⌘ ( ) M mod E, r . Data: D = Di, 1 i n the LLL-reduced base ( ) 1 {   } Ensure: R V r mod p of the lattice associated to ( )⌘ ( ) ( ) B 1: Q V M mod E, r D = Di, 1 i n the Gram-Schmidt ⇥ 0 ( ) {   } 2: R V + Q M mod E base obtained from D 0 ( ⇥ ) 3: R R0 r 1: R eV f / 4: return R 2: for i = 1 to n do 2 3: c < R, Dn i+1 > Dn i+1 b /k k e 4: R R c Dn i+1 ⇥ Proposition II.1, from [25], gives a bound on the 5: end for e e coecients of the polynomial computed with the 6: return R Algorithm 1. Here, E X = Xn , with Z\ 0 . ( ) 2 { } Proposition II.1. Let m = M . If V, ⇢ and m k k1 are such that: V 6 n ⇢2, ⇢ > 2 nm and k k1 | | | | reduced modulo the external reduction polynomial r 2 n⇢ then the Algorithm 1 computes R such > | | E. Then, an internal reduction is performed to that R <⇢(i.e R . obtain a result in . k k1 2 B) B We will generalise this bound in Section II-B The polynomial E is such that: E X = Xn ( ) for E X = Xn X . X Z X . In order to reduce a polynomial V ( ) ( ) ( )2 [ ] 2) Internal reduction via a Babaï-like method: modulo E, we proceed step by step by replacing The Babaï-like algorithm (Alg. 2) does not require the term Xn in V by X until deg V < n.We ( ) ( ) to maintain the elements of Z pZ in another consider here PMNS with reduction polynomials / k domain and does not attempt to compute the result E of degree n 2, with X = k X + + X + ( ) ··· 1 by using a polynomial M with specific properties. and k n . 0  2 In this approach, we consider the Euclidean lat- From this technique, we compute polynomials tice L associated with the PMNS . Here, L B B B of degree lower than n to represent the powers is the set of all polynomials having as root Xi modulo E, for 0 i 2 n 2, with modulo p and which degree is at most n 1: i k+i n  l X mod E = l=i n l i+n X when n i < L = A X Z X , such that: deg A < n and i n 1  l B { ( )2 [ ] ( ) 2 n k and X mod E = l=i n l+n i X + A 0 mod p . 2k2n+i l Õ l ( )⌘ ( )} l=0 j=0 j l+2 n 2 j X for 2 n k i The lattice L is defined from one of its bases, ( ) Õ   B 2 n 2. whose elements are A X = p and Ai+ X = Õ Õ 1( ) 1( ) Then, any polynomial V can be reduced modulo Xi i, for 1 i < n, from which we compute  E by multiplying the vector of the coecients of D, the LLL-reduced base of L , and the Gram- B V by the 2 n 1 n matrix S whose rows represent Schmidt base D obtained from D, whose elements ( )⇥ the coecients of each power Xi modulo E, for are orthogonal but not necessarily in L . [27]. B 0 i 2 n 2. We can deducee from [16] and [27] that:   We denote s the 1-norm S 1 of the matrix S, Proposition II.2. If ⇢ is such that ⇢ k k 3n 1 > and deduce the following proposition. 1 2 1 n 2 2 p / , then the Algorithm 2 computes R such that R <⇢(i.e R . Proposition II.3. Let A, B Z X be two poly- k k1 2 B) 2 [ ] nomials, such that: deg A < n and deg B < n. B. Multiplication ( ) ( ) We have: A B mod E < ns A B . The elements in PMNS are polynomials of k ⇥ k1 k k1 k k1 degree at most n 1. Their multiplication is done From this proposition the bound given in Propo- using classical polynomial multiplication. How- sition II.1 can be rewritten by substituting by | | ever, the result (of degree at most 2 n 2) must be s. C. Addition and b in PMNS representation to be more resistant to SCA, using either Algorithm 5 or Algorithm 6. Addition procedure is done using classical poly- nomial addition in Z X followed by an internal [ ] A. Random polynomial generation reduction in order to obtain a result in . B In order to randomize data in the PMNS, we generate a random polynomial Z Z X such that: D. Conversion procedures 2 [ ] Z z and deg Z < n with z N. The value k k1  2 The conversion procedures maps an integer to a z is chosen during the PMNS generation process. representation in and vice-versa. They depend B This integer z defines the minimum number of on internal reduction step that can be achieved distinct representations of any element of Z pZ in / using any one of the two procedure previously . Once z is fixed, there are exactly 2 z + 1 n B ( ) described. The corresponding algorithms are de- polynomials Z. We will show how to use Z in scibed in section 4.3 of [6]. order to guarantee that there are at least 2 z + 1 n ( ) distinct representations of any element of Z pZ. / III. R Hereafter we use a function randPoly(z) for generating random polynomials which coecients Our motivation is to present algorithms that will are in the set z,...,z . We consider this func- { } ensure the resistance of the scalar multiplication tion to be safe (see [4] for example). against existing SCA. The scalar multiplication in ECC takes a point over a public elliptic curve, a B. Randomization of the input data P private integer k and computes k . This operation Here, we show how to randomize the conversion P can be implemented using the classical double procedure from binary to the PMNS in order to ob- and add method, but is not resistant to SCA [22]. tain randomized input data. Let = p, n,,⇢,E B ( ) The Montgomery ladder [24] and its variant [8], be a PMNS. Let a Z pZ be an integer. We want 2 / [23], [19], [20] are more resistant but are still to compute a randomized representation of a in attackable [1]. The recent survey [1] presents . B existing side channel attacks and countermeasures 1) Conversion randomization using the for the scalar multiplication over ECC. Existing Mongtomery-like method: This algorithm is countermeasures rely either on the randomization a slight modification of the initial conversion of the scalar k [13], [12], [29], [10], [9], or on the algorithm described in [6]. The randomized randomization of the point . The randomization conversion method introduces a polynomial P of point can be calculated using the randomiza- multiplication (line 4) before the internal P tion of projective coordinates [13] or the addition reduction. Doing so, we ensure that with the of a random point [13]. Only one countermea- same input and dierent random polynomials this R sure is designed on the field multiplication using algorithm produces dierent representations. a random permutation [11]. Theorem III.1. Let = p, n,,⇢,E a PMNS. We provide here two possibilities to randomize B ( ) Let a Z pZ be an integer and r = 2j , j 1. the scalar multiplication: 2 / Let M be a polynomial such that: M 0 randomization of each initial coordinate of 2 B ( )⌘ • P mod p and gcd(r, resultant(E, M)) = 1. Let z each time this point is used during the scalar mul- ( ) be the input of the randPoly procedure. We tiplication algorithm. This protects against SCA, consider , a, r, M and z as the inputs and where the attacker tries to find out the secret B data of Algorithm 3. Let m = M . If ⇢ and using the knowledge of the point [22] and k k1 P r satisfy ⇢ 2 nsm 1 + z + z and r 2 ns⇢,, ensures the resistance to specific point attacks r then Algorithm 3 can generate 2 z + 1 n distinct [18], [2]. We use either Algorithm 3 or Algo- ( ) outputs, all representing a and belonging to the rithm 4 as a conversion procedure depending on PMNS = p, n,,⇢,E . the RedCoeff method that will be used later for B ( ) internal reduction; Proof: We give a sketch of the proof. First, randomization of each multiplication a b for a it can be easily checked that V U • ⇥ ( )⌘ ( ) Algorithm 3 Randomized conversion to PMNS Algorithm 4 Randomized conversion to PMNS via Montgomery via Babaï Require: a Z pZ and = p, n,,⇢,E Require: a Z pZ and = p, n,,⇢,E 2 / B ( ) 2 / B ( ) Ensure: A ar mod p Ensure: A a mod p ( )⌘i ( ) ( )⌘i ( ) Data: Pi ⇢ , for i = 0,...,n 1, z N, Data: Pi ⇢ , for i = 0,...,n 1, D = ⌘( )B 2 ⌘( )B r = 2j , j 1 and M with M 0 Di, 1 i n , D = Di, 1 i n , 2 B ( )⌘ {   } {   n } mod p and gcd(r, resultant(E, M)) = 1. v N such that V v with V Z the ( ) 2 k k1  2 1: Z randPoly(z) mask vector, z N suche thatf Z z with n 2 k k1  2: a ar2 mod p Z Z the shift vector. ( ) 2 ,..., ⇢ 1: V randPoly(v), Z randPoly(z) 3: b an 1 a0 ⇢ # radix- decomposition (n 1 ) ,..., ⇢ 2: b an 1 a0 ⇢ # radix- decomposition 4: U bi Pi (n 1 ) n 1 i=0 3: T bi Pi , A T + vi Di+1 5: V U + r + 1 Z M mod E Õ (( ) ⇥ ) i=0 i=0 6: A RedCoe V 4: for i =Õ1 to n do Õ ( ) 2 7: A 5: c < A, Dn i+1 > Dn i+1 + zn i return b /k k e 6: A A c Dn i+1 ⇥ 7: end for e e 8: return A mod p . Next, in order to ensure A <⇢ ( ) k k1 we choose r and ⇢ such that r 2 ns⇢ and ⇢ 2 nsm 1 + z + z . Thus, A is a represen- r = p, n,,⇢,E . tation of ar mod p in the PMNS. Finally, we B ( ) ( ) prove by contradiction that, for the same entry Proof: We only give a sketch of the proof. a Z pZ and two distinct random polynomials, First, it is obvious that the polynomial T, in 2 / this algorithm returns two distinct outputs A1 and Algorithm 4, is such that: T a mod p . ( )⌘ ( ) A2. Moreover, as D is a LLL-reduced base of the lattice associated to , it is always true that 2) Randomization using the Babaï-like method: B A T mod p . Thus, A a mod p . This algorithm is a slight modification of Al- ( )⌘ ( )( ) ( )⌘ ( ) gorithm 2 using the Babai-like method for co- Next condition on ⇢ guarantees that A will be ecients reduction. Here, the representations in in the PMNS after the internal reduction process. the PMNS system are seen as vectors, the i-th Finally, for two distinct random polynomials Z1 and Z with the same entry a Z pZ, it can coordinate corresponding to the i-th coecient 2 2 / of the polynomial form of the representation. We be proved that the algorithm returns two distinct consider a PMNS and its associated lattice outputs A1 and A2. B L with a LLL-reduced base, denoted D. The B C. Randomization of the multiplication randomization of the Babaï-like method is based on two random vectors: In PMNS the randomization of the multipli- A mask vector V used to generate a linear cation provides an additional level of security • combination of the elements of D to randomize when used with the randomized conversion. How- computations without aecting the result. ever, combining these two randomizations leads A shift vector Z used to randomize the output. to stronger constraints on some parameters of the • PMNS. Theorem III.2. Let = p, n,,⇢,E a PMNS. B ( ) In both versions, we randomize one input in Let a Z pZ be an integer. Let v and z be the in- 2 / order to randomize all the intermediate results. puts of the randPoly procedure respectively for Moreover, for the same input and dierent random the mask and the shift polynomial. We consider , B polynomials (shift vectors for Babaï), the results a, v and z as the inputs and data of Algorithm 4. computed by these algorithms are dierent repre- 3n 1 1 1 n If ⇢ satisfies ⇢ + z 2 2 p / , then Algo- sentations of the same integer in Z pZ. 2 / rithm 4 can generate 2 z + 1 n distinct outputs, 1) Randomization via Montgomery: This algo- ⇣ ( ⌘⇣ ) ⌘ all representing a and belonging to the PMNS rithm is a variation of the Montgomery modular multiplication. conversion described in Section III-B2. The ran- domness is introduced in the multiplication trough Algorithm 5 Randomized Montgomery PMNS the mask V and the translation Z. Multiplication Randomized Babaï PMNS Multipli- Require: = p, n,,⇢,E and A, B Algorithm 6 B ( )1 2 B cation Ensure: R = A B r mod p ( j) ( ) ( ) Require: = p, n,,⇢,E and A, B Data: r = 2 , j 1, z N, M , such that: B ( ) 2 B 2 2 B Ensure: R and R = A B mod p M 0 mod p and gcd(r, resultant(E, 2 B i ( ) ( ) ( ) ( )⌘ ( ) 1 Data: Pi ⇢ , for i = 0,...,n 1, D = M)) = 1, M 0 = M mod E, r . ⌘( )B ( ) Di, 1 i n , D = Di, 1 i n , 1: Z randPoly(z) {   } {   } v N such that V v with V Zn the 2: J Z M mod E, B0 B + J 2 k k1  2 ⇥ mask vector, z N suche thatf Z z with 3: C A B0 mod E 2 k k1  ( ⇥ ) Z Zn the shift vector. 4: Q C M 0 mod E, r 2 ( ⇥ ) ( ) 1: V randPoly(v), Z randPoly(z) 5: R0 C + Q M mod E n 1 ( ⇥ ) 6: R R0 r + 2 J 2: J vi Di+1 / ⇥ i=0 7: return R 3: B0 B + J, R A B0 mod E Õ ⇥ Theorem III.3. Let = p, n,,⇢,E a PMNS. 4: for i := 1 to n do B ( ) 2 Let z N be the bound of the random poly- 5: c < R, Dn i+1 > Dn i+1 + zn i 2 b /k k e nomials and r = 2j , j 1. Let M be 6: R R c Dn i+1 2 B e⇥ e a polynomial such that: M 0 mod p and 7: end for ( )⌘ ( ) gcd(r, resultant(E, M)) = 1. Let A and B be 8: return R two elements of . We consider , A, B, M, z B B and r as the inputs and data of Algorithm 5. Let Theorem III.2 applies equally to Algorithm 6, m = M . If ⇢ and r satisfy ⇢ 2 nsm 2z + 1 which can generate 2 z + 1 n distinct outputs k k1 ( ) 5 ( ) = and r 2 ns⇢ max z, 4 , then Algorithm 5 can representing A B mod p in the PMNS ⇥ ( ) ( ) 3n 1 B n 1 2 1 n generate 2 z+1 distinct⇣ outputs,⌘ all representing p, n,,⇢,E with ⇢ 2 + z 2 p / and no ( 1 ) ( ) A B r mod p and belonging to the PMNS collision. ( ) ( ) ( ) ⇣ ⌘⇣ ⌘ = p, n,,⇢,E . B ( ) IV. C Proof: We only give a sketch of the proof We describe here the theoretical cost estimation which is similar to the proof of Th. III.1. First, of the multiplication algorithms presented in the we have M 0 mod p , so J 0 mod p ( )⌘ ( ) ( )⌘ ( ) previous section. They are expressed as a func- and Q M 0 mod p . Thus, R ( ) ( )⌘ ( ) ( )⌘ tion of the number of w-bit size multiplications, A B r 1 mod p . ( ) ( ) ( ) additions, divisions and shifts. Next, R < 5 ns⇢2 r +nsm 2 z +1 . Hence, 1 4 We assume that the inputs of these algorithms k k / ( ⇢ ) for r 2 ns⇢ ⇣ max z, ⌘5 , R < + nsm 2 z + belong to = p, n,,⇢,E , with ⇢ = 2w, E X = ⇥ ( 4 ) k k1 2 ( B ( ) ( ) 1 . This way, condition on ⇢ guarantees that Xn and = 2u with w, u N. It has been ) ± 2 R <⇢. Finally, it can be proven that for shown in [14] that it is always possible to build k k1 two distinct random polynomials and the same such PMNS. As an example, with such notations entries A and B, the algorithm returns two distinct the addition of two c-bit integers requires c w d / e outputs. w-bit additions. Instead of using the bounds on ⇢ and r from Let M and A respectively denote the multipli- Theorem III.1 for conversion in the PMNS, the cation and the sum of two w-bits integers, I the bounds of Theorem III.3 have to be used for division by an integer of 2 w log n bits and R b 2( )c conversion if multiplications are to be randomized the cost of one call to the randPoly function. We i i as described above. also respectively denote Sl and Sr a left shift and 2) Randomization via Babaï: This conversion a right shift of i bits. In Table I, we compare the lies on the same principles than the randomized cost of the randomized multiplication in PMNS with their non-randomized counterparts. The non- elliptic curve scalar multiplication k . Moreover, P randomized version is a simple polynomial mul- we showed that randomizing only the conversion tiplication followed by a Babaï-like (Alg. 2) or process suces to protect against Goubin’s at- Montgomery-like (Alg. 1) internal reduction. tack. As a comparison, a safe countermeasure In order to protect the ECSM k against DPA using the classical binary representation, requires P attacks, classical countermeasures randomize be- an additional ECSM k for some random point R forehand the scalar k and the point [15]. Then, [15]. These results are a first step in using P R during the computation process, the intermediate randomization for arithmetic operations in PMNS. points that are computed are also randomized. The This work opens up new perspectives in the area expectation of these approaches is to prevent an of countermeasures for SCA attacks. A deeper attacker to get information about k or to make study on practical eciency and an exhaustive useful assumption about the intermediate values comparison with existing countermeasures will of the ECSM. soon follow in order to establish the relevance of In classical binary representation, these com- these methods ... mon countermeasures appear to be inecient against Goubin’s attack [18]. This attack can be A done on curves that have at least one point with This work was supported by ARRAND ANR- one coordinate equals to zero. On such a curve, 15-CE39-0002-01. We thank the anonymous re- using such a point, the attacker can find informa- viewers for their careful reading of our manuscript tion about the secret key. It is possible to thwart and their many insightful comments and sugges- this attack at the cost of an additional ECSM tions. which must be done in addition to the common countermeasures [15]. R A first advantage of our PMNS based random- [1] R. Abarzúa, C. Valencia, and J. López. Survey for per- ized solutions is that regardless the type of curve, formance and security problems of passive side-channel this attack cannot be performed. Indeed, there are attacks countermeasures in ECC. Cryptology ePrint at least 2z + 1 n distinct representatives of 0 Archive, Report 2019/010, 2019. ( ) 2 [2] T. Akishita and T. Takagi. Zero-value point attacks Z pZ and these representatives do not have special / on elliptic curve cryptosystem. In Information Security, shapes. Thus, for z big enough, the attacker should 6th International Conference, ISC 2003, pages 218–233, 2003. not be able to exploit any information to perform [3] S. Antão, J. C. Bajard, and L. Sousa. RNS based this attack. Consequently, the only randomization elliptic curve point multiplication for massive parallel of the conversion process using Algorithms 3 or 4 architectures. The Computer Journal, 55(5):629–647, suces to counter the Goubin’s attack even if non- 2012. [4] V. Bahadur, D. Selvakumar, and P. M. Sobha. Reconfig- randomized multiplications are used later. urable side channel attack resistant true random number Another advantage of our approach is that it generator. In International Conference on VLSI Systems, Architectures, Technology and Applications, pages 1–6, operates at arithmetic level. Hence it can be com- 2016. bined with other classical countermeasures (point [5] J-C. Bajard, L. Imbert, and T. Plantard. Modular number blinding, scalar blinding) to randomize and the systems: Beyond the mersenne family. In Selected Areas P intermediate points. in Crytography: 11th International Workshop, LNCS, pages 159–169. Springer, 2004. [6] J. C. Bajard, L. Imbert, and T. Plantard. Arithmetic V. C operations in the polynomial modular number system. In 17th IEEE Symposium on Computer Arithmetic, pages In this paper, we show for the first time how 206–213, 2005. to use the redundancy of the PMNS to define [7] J. C. Bajard, J. Marrez, and T. Plantard. Polynomial arithmetical protections against DPA attacks. We modular number systems and the roots of their reduction polynomial in the field Z/pZ. submitted, 2019. described how to randomize the inputs during [8] E. Brier and M. Joye. Weierstraß elliptic curves and side- the forward conversion to PMNS through two channel attacks. In Public Key Cryptography, volume methods. We also gave two randomized modular 2274 of LNCS, pages 335–345. Springer, 2002. [9] B. Chevallier-Mames. Self-randomized exponentiation multiplications in PMNS. These methods can be algorithms. In CT-RSA, volume 2964 of LNCS, pages used to apply classical countermeasures on the 236–249. Springer, 2004. TABLE I T , E X = X n = 2u , r = 2j . ( ) ± Mult. Method Montgomery-like Babaï-like Polynomial Mult. n2M + 2n2 4n + 2 A n2M + 2n2 4n + 2 A ( ) ( ) External reduct. 2 n 1 A + n 1 Su 2 n 1 A + n 1 Su ( ) ( ) l ( ) ( ) l 2 2 j 2 2 Internal reduct. 2n M + 3n n A + nSr 3n M + 3n 2n A + nI ( ) j ( ) Total 3n2M + 5n2 3n A + n 1 Su + nS 4n2M + 5n2 4n A + nI + n 1 Su ( ) ( ) l r ( ) ( ) l Mult. Method Montgomery randomized (Alg. 5) Babaï randomized (Alg. 6) Polynomial Mult. 2n2M + 3n2 4n + 2 A + R 2n2M + 3n2 4n + 2 A + 2R ( ) ( ) External reduct. 2 n 1 A + n 1 Su 2 n 1 A + n 1 Su ( ) ( ) l ( ) ( ) l 2 2 j 1 2 2 Internal reduct. 2n M + 3n A + n Sr + Sl 3n M + 3n n A + nI ( ) j ( ) Total 4n2M + 6n2 2n A + n 1 Su + n S1 + S + R 5n2M + 6n2 3n A + nI + n 1 Su + 2R ( ) ( ) l ( l r ) ( ) ( ) l

[10] M. Ciet and M. Joye. (virtually) Free randomization [20] M. Joye and S.-M. Yen. The montgomery powering techniques for elliptic curve cryptography. In ICICS, ladder. In CHES, volume 2523 of LNCS, pages 291–302. volume 2836 of LNCS, pages 348–359. Springer, 2003. Springer, 2002. [11] C. Clavier, B. Feix, G. Gagnerot, M. Roussellet, and [21] N. Koblitz. A family of jacobians suitable for discrete V. Verneuil. Horizontal correlation analysis on exponen- log cryptosystems. In CRYPTO, volume 403 of LNCS, tiation. In ICICS, volume 6476 of LNCS, pages 46–61. pages 94–99. Springer, 1988. Springer, 2010. [22] P. Kocher. Timing attacks on implementations of die- [12] C. Clavier and M. Joye. Universal exponentiation algo- hellman, RSA, DSS, and other systems. In CRYPTO, rithm. In CHES, volume 2162 of LNCS, pages 300–308. LNCS, pages 104–113. Springer, 1996. Springer, 2001. [23] J. López and R. Dahab. Fast multiplication on elliptic [13] J.-S. Coron. Resistance against dierential power analysis curves over gf(2m) without precomputation. In CHES, for elliptic curve cryptosystems. In CHES, volume 1717 LNCS, pages 316–327. Springer, 1999. of LNCS, pages 292–302, 1999. [24] P. Montgomery. Speeding the Pollard and elliptic curve [14] L.-S. Didier, F.-Y. Dosso, and P. Véron. Ecient and method of factorization. In Mathematics of computation, secure modular operations using the adapted modular pages 243–264. Springer, 1987. number system. https://arxiv.org/abs/1901.11485, 2018. [25] C. Nègre and T. Plantard. Ecient modular arithmetic in [15] J. Fan and I. Verbauwhede. An updated survey on adapted modular number system using Lagrange repre- secure ECC implementations: Attacks, countermeasures sentation. In 13th Australasian conference on Information and cost. In Cryptography and Security: From Theory to Security and Privacy, pages 463–477. Springer, 2008. Applications, pages 265–282. Springer, 2012. [26] T. Plantard. Modular arithmetic for cryptography(PhD [16] Steven Galbraith. Algorithms for the closest and shortest in french). PhD thesis, LIRMM, Université Montpellier vector problem. Mathematics of Public Key Cryptogra- 2, 2005. phy, 2011. [27] T. Plantard, W. Susilo, and Z. Zhang. LLL for ideal [17] H. L. Garner. The residue number system. IRE Transac- lattices: re-evaluation of the security of gentry–halevi’s tions on Electronic Computers, EL 8(6):140–147, 1959. fhe scheme. Designs, Codes and Cryptography, volume [18] L. Goubin. A refined power-analysis attack on elliptic 76(no 2):325–344, 2015. curve cryptosystems. In Public Key Cryptography, vol- [28] R. Rivest, A. Shamir, and L. Adleman. A method for ob- ume 2567 of LNCS, pages 199–210. Springer, 2003. taining digital signatures and public-key cryptosystems. [19] R. Goundar, M. Joye, A. Miyaji, M. Rivain, and Commun. ACM, 21(2):120–126, 1978. A. Venelli. Scalar multiplication on weierstraß elliptic [29] E. Trichina and A. Bellezza. Implementation of ellip- curves from co-Z arithmetic. J. Cryptographic Engineer- tic curve cryptography with built-in counter measures ing, 1(2):161–176, 2011. against side channel attacks. In CHES, LNCS, pages 98– 113. Springer, 2002.