Exploring RFC 7748 for Hardware Implementation: Curve25519 and Curve448 with Side-Channel Protection

Recent revelations of manipulations and back-doors in modern ECC have initiated the revision of existing schemes and led to the selection of two new solutions for next-generation TLS proposed in RFC 7748: Curve25519 and Curve448. Unfortunately, both curves were designed and optimized primarily for software implementations; their implementation in hardware and their physical protection against side-channel analysis (SCA) were neglected during the design phase. In this work, we demonstrate that both curves can indeed be efficiently and securely mapped to the hardware structures of modern FPGAs while including advanced protection mechanisms against physical attacks and still providing high performance and throughput. In particular, our Curve25519 architecture provides more than 1 700 point multiplications per second, using only 1 006 logic slices (LSs) and 20 digital signal processors (DSPs) of a mid-range Xilinx XC7Z020 FPGA. Furthermore, our Curve448 architecture still achieves more than 600 operations per second at a significantly higher security level of 224 bits, using no more than 1 985 LSs and 33 DSPs on the same device. In addition, we performed a practical, test-based leakage assessment for both architectures. More precisely, we investigated the detection of scalar- and base-point-dependent leakage individually while our designs incorporated scalar blinding and point randomization countermeasures. Finally, our findings show with high confidence that we could not detect any scalar- or base-point-dependent leakage even after evaluating 1 000 000 power measurements.
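The two countermeasures named above, scalar blinding and point randomization, applied to the RFC 7748 X25519 Montgomery ladder as an added software illustration (not the paper's FPGA design): the blinded scalar is k + r*8L and the base point is held as (lam*u : lam), so the protected function returns exactly what the unprotected one does for any u on the curve. The ladder variant with a projective difference, the 64-bit blinding factor and the fixed 330-bit loop length are choices made for this example, not values taken from the paper.

```python
import secrets

# Curve25519 parameters (RFC 7748): prime p, (A-2)/4 for A = 486662, subgroup order L
P = 2**255 - 19
A24 = 121665
L = 2**252 + 27742317777372353535851937790883648493  # the curve itself has order 8*L

def clamp(k: bytes) -> int:
    # RFC 7748 scalar decoding: clear the low 3 bits and bit 255, set bit 254
    b = bytearray(k)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")

def ladder(k: int, u: int, lam: int = 1, nbits: int = 255) -> int:
    # Montgomery ladder over (X:Z) with the base point held as (lam*u : lam).
    # A random lam changes every intermediate value but not the affine result;
    # lam=1 is the plain RFC 7748 ladder. nbits is fixed, independent of k.
    x1, z1 = u * lam % P, lam % P
    x2, z2, x3, z3, swap = 1, 0, x1, z1, 0   # (point at infinity, base point)
    for t in range(nbits - 1, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                             # a constant-time cswap in hardware
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = z1 * pow(da + cb, 2, P) % P     # differential addition with the
        z3 = x1 * pow(da - cb, 2, P) % P     # projective difference (x1 : z1)
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P        # affine u = X / Z

def x25519(k: bytes, u: bytes) -> bytes:
    # Unprotected X25519 as specified in RFC 7748 (top bit of u is ignored)
    return ladder(clamp(k), int.from_bytes(u, "little") & (2**255 - 1)).to_bytes(32, "little")

def x25519_protected(k: bytes, u: bytes) -> bytes:
    # Scalar blinding k' = k + r*8L (k' = k modulo the curve order, so the result is
    # unchanged for u on the curve; twist inputs are not covered) plus a fresh nonzero lam
    r = secrets.randbits(64)                 # k' < 2^321, hence the 330-bit ladder below
    lam = secrets.randbelow(P - 1) + 1
    kb = clamp(k) + r * 8 * L
    return ladder(kb, int.from_bytes(u, "little") & (2**255 - 1), lam, nbits=330).to_bytes(32, "little")
```

Both functions can be checked against the RFC 7748 test vectors; in a real design the conditional swap and the field arithmetic must themselves be constant-time, which this Python sketch does not attempt.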
