Programmable and Parallel ECC Coprocessor Architecture: Tradeoffs between Area, Speed and Security

Elliptic Curve Cryptography (ECC) implementations are known to be vulnerable to various side-channel attacks and fault injection attacks, and many countermeasures have been proposed. However, selecting and integrating a set of countermeasures targeting multiple attacks into an ECC design is far from trivial. Security, performance and cost need to be considered together. In this paper, we describe a generic ECC coprocessor architecture, which is scalable and programmable. We demonstrate the coprocessor architecture with a set of countermeasures to address a collection of side-channel attacks and fault attacks. The programmable design of the coprocessor enables tradeoffs between area, speed, and security.
