Arithmetic Operators on GF(2M) for Cryptographic Applications: Performance - Power Consumption - Security Tradeoffs Danuta Pamula

To cite this version: Danuta Pamula. Arithmetic operators on GF(2^m) for cryptographic applications: performance - power consumption - security tradeoffs. Computer Arithmetic. Université Rennes 1, 2012. English. tel-00767537.
HAL Id: tel-00767537, https://tel.archives-ouvertes.fr/tel-00767537
Submitted on 20 Dec 2012

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

Order number: 2012REN1E011, year 2012
THESIS / UNIVERSITÉ DE RENNES 1, under the seal of the Université Européenne de Bretagne, for the degree of Doctor of the Université de Rennes 1, specialty: Computer Science, doctoral school Matisse, presented by Danuta Pamula, prepared at the research unit IRISA (UMR 6074), Institut de Recherche en Informatique et Systèmes Aléatoires, CAIRN team - ENSSAT, and at the Silesian University of Technology in Gliwice, Faculty of Automatic Control, Electronics and Computer Science, Institute of Electronics.
Thesis title (French): Opérateurs arithmétiques sur GF(2^m) : étude de compromis performances-consommation-sécurité.
Thesis defended in Gliwice, Poland, on 17 December 2012 before the jury composed of:
Aleksander NAWRAT, Professor at the Silesian University of Technology / president
Liam MARNANE, Professor, University of Cork / reviewer
Tadeusz LUBA, Professor at the Warsaw University of Technology / reviewer
Romuald ROCHER, Maître de Conférences, Université Rennes 1 - IUT Lannion / examiner
Arnaud TISSERAND, CNRS Research Scientist (Chargé de Recherche) / thesis supervisor
Edward HRYNKIEWICZ, Professor at the Silesian University of Technology / thesis co-supervisor

Silesian University of Technology, Faculty of Automatic Control, Electronics and Computer Science, Institute of Electronics
University of Rennes 1, IRISA
A DISSERTATION
Arithmetic operators on GF(2^m) for cryptographic applications: performance - power consumption - security tradeoffs
Author: Danuta Pamuła
Supervisors: dr hab. inż. Edward Hrynkiewicz, prof. nzw. w Politechnice Śląskiej (PL); Arnaud Tisserand, CNRS researcher, HDR (FR)
Submitted in total fulfillment of the requirements of the degree of Doctor of Philosophy under a Cotutelle agreement with Silesian University of Technology (PL) and University of Rennes 1 (FR). Gliwice 2012

Acknowledgements
I would like to thank Professor Edward Hrynkiewicz and Arnaud Tisserand, my research supervisors, for their patient guidance, enthusiastic encouragement and useful critiques of this research work.

Contents
Nomenclature ... viii
1. Introduction ... 1
1.1. Modern cryptology - basics, goals, applications and threats ... 7
1.1.1. Cryptology basics ... 7
1.1.2. Symmetric cryptography (Secret-Key Cryptography) ... 10
1.1.3. Asymmetric cryptography (Public-Key Cryptography) ... 11
1.1.4. Modern cryptosystems - application, requirements, security (robustness) ... 14
1.2. Dissertation overview ... 16
2. Elliptic curves over finite fields - application to cryptography (overview) ... 19
2.1. Elliptic curves and cryptography ... 19
2.1.1. Elliptic curves ... 20
2.1.2. Elliptic Curve Cryptography ... 23
2.2. Finite Fields ... 26
2.2.1. Binary finite field extensions GF(2^m) ... 29
2.3. Problem definition ... 29
2.4. Thesis formulation and research objectives ... 31
3. Arithmetic operators on GF(2^m) ... 33
3.1. Finite Field Addition ... 35
3.2. Finite Field Multiplication ... 36
3.2.1. Two-step algorithms ... 37
3.2.2. Interleaved algorithms ... 56
3.2.3. Summary, conclusions and comparison ... 66
4. Physical security of ECC cryptosystems ... 69
4.1. Physical security of hardware GF(2^m) arithmetic operators ... 74
4.1.1. Security level verification, problem identification ... 77
4.1.2. Proposed countermeasures, circuit modifications ... 80
4.1.3. Conclusions ... 89
5. Summary and Conclusions ... 91

List of Figures
1.1. Typical plain (not secured) communication model ... 8
1.2. Secure communication model ... 9
1.3. Secret-key cryptography communication model ... 10
1.4. PKC communication model ... 12
1.5. Security layer model [8, 98] ... 17
1.6. ECC cryptosystem layers ... 17
2.1. Elliptic curves over R ... 21
2.2. Elliptic curves over F_p ... 21
2.3. Addition and Doubling of a point on E(K) ... 23
3.1. Idea of circuit performing shift-and-add method for m = 4 ... 43
3.2. Classic divide-and-conquer approach ... 46
3.3. Karatsuba-Ofman approach ... 46
3.4. Illustration of A_L matrix partitioning for m = 233 ... 59
3.5. Illustration of A_H matrix partitioning for m = 233 ... 60
3.6. Illustration of R partitioning matrix for m = 233 ... 60
3.7. Illustration of Mastrovito matrix partitioning for m = 233 ... 63
4.1. Differential power analysis principle [80] ... 71
4.2. Useful (left) and parasitic (right) transitions ... 75
4.3. Activity counter architecture for a 1-bit signal s(t) (control not represented) ... 76
4.4. Useful activity measurement results for random GF(2^m) multiplications with classical algorithm (left). Extract for a single representative multiplication (right) ... 78
4.5. Useful activity measurement results for random GF(2^m) multiplications with Montgomery algorithm (left). Extract for a single representative multiplication (right) ... 79
4.6. Useful activity measurement results for random GF(2^m) multiplications with Mastrovito algorithm (left). Extract for a single representative multiplication (right) ... 79
4.7. Useful activity measurement results for random GF(2^m) multiplications with modified classical algorithm ... 80
4.8. Useful activity measurement results for random GF(2^m) multiplications with Montgomery algorithm ... 81
4.9. Illustration of Mastrovito matrix partitioning for m = 233 ... 82
4.10. Useful activity measurement results for random GF(2^m) multiplications with 4 versions of modified Mastrovito algorithm ... 83
4.11. Random start sequence generator based on 4-bit LFSR ... 84
4.12. Data dependency on activity variations curves for Mastrovito multiplier ... 85
4.13. FFT analysis results for unprotected and protected versions of multipliers (top: classic algorithm, middle and bottom: Mastrovito algorithm for various versions) ... 86
4.14. Useful activity measurement results for 2P operation for unprotected (top figure) and protected (bottom figure) GF(2^m) operators ... 87
4.15. Comparison of activity traces and current measurements for: Mastrovito multiplier unprotected version – 5 multiplications in a row and protected version (uniformised) – 3 multiplications in a row ... 88

Nomenclature
[k]P  scalar point multiplication
F_q  finite field
AT  efficiency factor
f(x)  irreducible polynomial, field generator
GF(2^m), F_{2^m}  binary extension fields
GF(p), F_p  prime field
m  field size
ASIC  Application Specific Integrated Circuit
DLP  Discrete Logarithm Problem
DPA  Differential Power Analysis
ECC  Elliptic Curve Cryptography
ECDLP  Elliptic Curve Discrete Logarithm Problem
FFT  Fast Fourier Transform
FPGA  Field Programmable Gate Array
FSM  Finite State Machine
HDL  Hardware Description Language
LFSR  Linear Feedback Shift Register
LUT  Look-Up Table
MSB  Most Significant Bit
NIST  National Institute of Standards and Technology
NP-hard  Non-deterministic Polynomial-time hard
PKC  Public Key Cryptography
RSA  Rivest-Shamir-Adleman
SCA  Side Channel Attack
SECG  Standards for Efficient Cryptography Group
SFM  Spectral Flatness Measure
SPA  Simple Power Analysis

1. Introduction
Digital systems and the Internet nowadays span most domains of our lives.
They are responsible for communication between people and institutions, for controlling airport and transport systems, for managing medical systems, and so on. Digital systems are appearing everywhere and are responsible for more and more important and confidential processes. We are flooded with digital data, which is not always easy to authenticate, manage and secure. In general, the majority of common users of digital systems do not care much about the authentication, confidentiality, integrity and security of their data. They are still little aware of the possibilities of stealing, tampering with or using their digital data or, worse, their digital identity (identity fraud is a serious threat [90]). They are even less aware of the consequences resulting from such abuses or from negligence of security matters [90, 63]. Fortunately, security awareness is slowly increasing, mainly due to the rapid development and growing number of services performed digitally. People start to perceive the meaning (necessity) of securing data. Everyone wants to securely perform banking transactions, safely sign important documents, protect confidential data (tax, medical, etc.) or just safely shop online. On the other hand, nobody wants to be bothered with securing data, and nobody wants the process to interrupt the normal work of a system in any way. Luckily, most system developers have information-security awareness and tend to equip digital systems and communication channels with efficient security mechanisms, depending on the application and its requirements. The security of a system very often has to be verified because, although users start to take precautions and new ways of securing data are developed, new ways
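The Nomenclature defines the binary extension field GF(2^m) and the irreducible field polynomial f(x), Chapter 3 separates two-step multiplication (full polynomial product, then reduction) from interleaved shift-and-add multiplication (Figure 3.1 sketches the circuit for m = 4), and Chapter 4 measures the useful activity of such multipliers. The Python below is an added example written for this page, not code from the thesis: it implements both multiplication styles with big integers standing in for coefficient vectors, over a toy field GF(2^4) with f(x) = x^4 + x + 1 and over GF(2^233) with f(x) = x^233 + x^74 + 1 (the NIST B-233 reduction polynomial; the choice of both polynomials and all function names are this example's assumptions, as the excerpt above does not name them), and it counts the data-dependent conditional additions of the interleaved multiplier, which is the kind of operand dependency an activity counter or a power trace exposes.

```python
"""Added example (not code from the thesis): GF(2^m) addition and multiplication.

Bit i of an integer is the coefficient of x^i.  Two field sizes are used:
  m = 4    with f(x) = x^4 + x + 1          (toy size, as in Figure 3.1)
  m = 233  with f(x) = x^233 + x^74 + 1     (NIST B-233 polynomial; assumed here,
                                            not taken from the excerpt above)
"""

F_4 = (1 << 4) | (1 << 1) | 1
F_233 = (1 << 233) | (1 << 74) | 1


def degree(poly):
    """Degree of a polynomial over GF(2); -1 for the zero polynomial."""
    return poly.bit_length() - 1


def gf2m_add(a, b):
    """Field addition is coefficient-wise XOR with no carries (it is also subtraction)."""
    return a ^ b


def poly_mul(a, b):
    """Carry-less product of two polynomials over GF(2), unreduced (degree <= 2m-2)."""
    c = 0
    while b:
        if b & 1:
            c ^= a
        a <<= 1
        b >>= 1
    return c


def gf2m_reduce(c, f):
    """Reduce c modulo f(x): cancel every term of degree >= m with a shifted copy of f."""
    m = degree(f)
    for i in range(degree(c), m - 1, -1):
        if (c >> i) & 1:
            c ^= f << (i - m)
    return c


def gf2m_mul_twostep(a, b, f):
    """Two-step multiplication: full polynomial product first, then a single reduction."""
    return gf2m_reduce(poly_mul(a, b), f)


def gf2m_mul_interleaved(a, b, f):
    """MSB-first shift-and-add multiplication with the reduction interleaved into each step.

    Returns (product, useful_adds).  useful_adds counts the iterations in which the
    accumulator is actually XORed with a, i.e. the Hamming weight of b: the amount of
    register activity depends on the operand, which is the data dependency that a
    power-analysis attacker exploits and that an activity counter makes visible.
    """
    m = degree(f)
    if degree(a) >= m or degree(b) >= m:
        raise ValueError("operands must already be reduced modulo f(x)")
    c = 0
    useful_adds = 0
    for i in range(m - 1, -1, -1):
        c <<= 1                   # multiply the accumulator by x
        if (c >> m) & 1:          # degree reached m: subtract (XOR) f(x) immediately
            c ^= f
        if (b >> i) & 1:          # coefficient b_i = 1: add a (the data-dependent step)
            c ^= a
            useful_adds += 1
    return c, useful_adds


def check_consistency(f):
    """Interleaved and two-step multipliers agree on every operand pair (small m only)."""
    m = degree(f)
    return all(
        gf2m_mul_interleaved(a, b, f)[0] == gf2m_mul_twostep(a, b, f)
        for a in range(1 << m) for b in range(1 << m)
    )


if __name__ == "__main__":
    a, b = 0b1011, 0b1101                       # x^3 + x + 1  and  x^3 + x^2 + 1
    print("GF(2^4): a + b =", bin(gf2m_add(a, b)))
    print("GF(2^4): a * b, useful adds =", gf2m_mul_interleaved(a, b, F_4))
    # Same a, multipliers of different weight: the activity count changes with the data.
    for bb in (0b0001, 0b1111):
        print("weight", bin(bb).count("1"), "->", gf2m_mul_interleaved(a, bb, F_4))
    # In GF(2^233): x * x^232 = x^233 = x^74 + 1 under the assumed f(x).
    p, adds = gf2m_mul_interleaved(2, 1 << 232, F_233)
    print("GF(2^233): x * x^232 == x^74 + 1:", p == (1 << 74) | 1, "useful adds:", adds)
```

The interleaved loop is the software shape of the shift-and-add circuit: one shift, one conditional reduction and one conditional addition per clock. Running the constructed GF(2^4) operands shows that the product is identical for both algorithms while the number of conditional additions tracks the weight of b, which is exactly why a multiplier that is functionally correct can still leak its operands through its activity.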

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 141
