Cryptographic Hardware and Embedded Systems — CHES 2001

In this talk, I will speculate about the likely near-term and medium-term scientific developments in the protection of embedded systems. A common view of the Internet divides its history into three waves, the first being centred around mainframes and terminals, and the second (from about 1992 until now) on PCs, browsers, and a GUI. The third wave, starting now, will see the connection of all sorts of devices that are currently in proprietary networks, standalone, or even non-computerised. By the end of 2003, there might well be more mobile phones connected to the Internet than computers. Within a few years we will see many of the world’s fridges, heart monitors, bus ticket dispensers, burglar alarms, and electricity meters talking IP. By 2010, ‘ubiquitous computing’ will be part of our lives.

Some of the likely effects of ubiquitous computing are already apparent. For example, applications with intermittent connectivity will have to maintain much of their security state locally rather than globally. This will create new markets for processors with appropriate levels of tamper-resistance. But what will this mean? I will discuss protection requirements at four levels.

Invasive attacks on hardware are likely to remain possible for capable, motivated opponents, at least for devices that cannot be furnished with effective tamper-responding barriers. That said, even commodity smartcards are much harder to probe than was the case five years ago. Decreasing feature sizes, 32-bit processors, and layouts that make bus lines harder to find and to probe all combine to push up the entry cost. Attacks that could be done in a few weeks with ten thousand dollars’ worth of equipment now take months and require access to equipment costing several hundred thousand dollars. However, this field rides on the coat-tails of the semiconductor test industry, and will remain unpredictable. Every so often, bright ideas lead to powerful new low-cost testing tools that may be used in attacks. The scanning capacitance microscope may be one such.

Non-invasive attacks on hardware – such as power and glitch attacks – might become infeasible against even the smallest processors. However, this is not as easy as it seemed three or four years ago. Current techniques, such as randomised clocking, can only do so much. New ideas are needed, and I will discuss an EU-funded

Ç.K. Koç, D. Naccache, and C. Paar (Eds.): CHES 2001, LNCS 2162, pp. 1–2, 2001. © Springer-Verlag Berlin Heidelberg 2001
