Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

We propose efficient algorithms and formulas that improve the performance of side-channel protected scalar multiplication exploiting the Gallant-Lambert-Vanstone (CRYPTO 2001) and Galbraith-Lin-Scott (EUROCRYPT 2009) methods. Firstly, by adapting Feng et al.’s recoding to the GLV setting, we derive new regular algorithms for variable-base scalar multiplication that offer protection against simple side-channel and timing attacks. Secondly, we propose an efficient technique that interleaves ARM-based and NEON-based multiprecision operations over an extension field, as typically found on GLS curves and pairing computations, to improve performance on modern ARM processors. Finally, we showcase the efficiency of the proposed techniques by implementing a state-of-the-art GLV-GLS curve in twisted Edwards form defined over \(\mathbb{F}_{p^2}\), which supports a four dimensional decomposition of the scalar and runs in constant time, i.e., it is fully protected against timing attacks. For instance, using a precomputed table of only 512 bytes, we compute a variable-base scalar multiplication in 92,000 cycles on an Intel Ivy Bridge processor and in 244,000 cycles on an ARM Cortex-A15 processor. Our benchmark results and the proposed techniques contribute to the improvement of the state-of-the-art performance of elliptic curve computations. Most notably, our techniques allow us to reduce the cost of adding protection against timing attacks in the GLV-based variable-base scalar multiplication computation to below 10%.

[1]  Michael Scott,et al.  Endomorphisms for Faster Elliptic Curve Cryptography on a Large Class of Curves , 2009, Journal of Cryptology.

[2]  Francisco Rodríguez-Henríquez,et al.  Lambda Coordinates for Binary Elliptic Curves , 2013, CHES.

[3]  David Brumley,et al.  Remote timing attacks are practical , 2003, Comput. Networks.

[4]  Scott A. Vanstone,et al.  Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms , 2001, CRYPTO.

[5]  Marc Joye,et al.  Exponent Recoding and Regular Exponentiation Algorithms , 2009, AFRICACRYPT.

[6]  Elisabeth Oswald,et al.  Profiling DPA: Efficacy and Efficiency Trade-Offs , 2013, CHES.

[7]  Craig Costello,et al.  Fast Cryptography in Genus 2 , 2013, Journal of Cryptology.

[8]  Patrick Longa,et al.  Four-Dimensional Gallant-Lambert-Vanstone Scalar Multiplication (Full version) , 2014 .

[9]  Seungjoo Kim,et al.  A Countermeasure against One Physical Cryptanalysis May Benefit Another Attack , 2001, ICISC.

[10]  Patrick Longa,et al.  Four-Dimensional Gallant–Lambert–Vanstone Scalar Multiplication , 2011, Journal of Cryptology.

[11]  Phong Q. Nguyen,et al.  Advances in Cryptology – EUROCRYPT 2013 , 2013, Lecture Notes in Computer Science.

[12]  Serge Vaudenay Progress in Cryptology - AFRICACRYPT 2008, First International Conference on Cryptology in Africa, Casablanca, Morocco, June 11-14, 2008. Proceedings , 2008, AFRICACRYPT.

[13]  Daniel J. Bernstein,et al.  Cache-timing attacks on AES , 2005 .

[14]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .

[15]  Damian Weber,et al.  The Solution of McCurley's Discrete Log Challenge , 1998, CRYPTO.

[16]  Kwangjo Kim,et al.  Information Security and Cryptology — ICISC 2001 , 2002, Lecture Notes in Computer Science.

[17]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[18]  Patrick Schaumont,et al.  Cryptographic Hardware and Embedded Systems – CHES 2012 , 2012, Lecture Notes in Computer Science.

[19]  Alfred Menezes,et al.  Guide to Elliptic Curve Cryptography , 2004, Springer Professional Computing.

[20]  Patrick Longa,et al.  Faster Explicit Formulas for Computing Pairings over Ordinary Curves , 2011, EUROCRYPT.

[21]  Peter Schwabe,et al.  NEON Crypto , 2012, CHES.

[22]  Chae Hoon Lim,et al.  More Flexible Exponentiation with Precomputation , 1994, CRYPTO.

[23]  Patrick Longa,et al.  Efficient Techniques for High-Speed Elliptic Curve Cryptography , 2010, CHES.

[24]  Josef Pieprzyk,et al.  Advances in Cryptology - ASIACRYPT 2008, 14th International Conference on the Theory and Application of Cryptology and Information Security, Melbourne, Australia, December 7-11, 2008. Proceedings , 2008, ASIACRYPT.

[25]  Patrick Longa,et al.  Implementing the 4-dimensional GLV method on GLS elliptic curves with j-invariant 0 , 2012, Des. Codes Cryptogr..

[26]  Tsuyoshi Takagi,et al.  Cryptographic Hardware and Embedded Systems - CHES 2011 - 13th International Workshop, Nara, Japan, September 28 - October 1, 2011. Proceedings , 2011, CHES.

[27]  David Pointcheval Topics in Cryptology - CT-RSA 2006, The Cryptographers' Track at the RSA Conference 2006, San Jose, CA, USA, February 13-17, 2006, Proceedings , 2006, CT-RSA.

[28]  Moti Yung,et al.  A New Randomness Extraction Paradigm for Hybrid Encryption , 2009, EUROCRYPT.

[29]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[30]  Kenneth G. Paterson Advances in Cryptology - EUROCRYPT 2011 - 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15-19, 2011. Proceedings , 2011, EUROCRYPT.

[31]  Stefan Mangard,et al.  Cryptographic Hardware and Embedded Systems, CHES 2010, 12th International Workshop, Santa Barbara, CA, USA, August 17-20, 2010. Proceedings , 2010, CHES.

[32]  Aggelos Kiayias,et al.  Polynomial Reconstruction Based Cryptography , 2001, Selected Areas in Cryptography.

[33]  Sorina Ionica,et al.  Four-Dimensional GLV via the Weil Restriction , 2013, ASIACRYPT.

[34]  Tanja Lange,et al.  High-speed high-security signatures , 2011, Journal of Cryptographic Engineering.

[35]  Hugo Krawczyk,et al.  Advances in Cryptology - CRYPTO '98 , 1998 .

[36]  Neal Koblitz,et al.  Advances in Cryptology — CRYPTO ’96 , 2001, Lecture Notes in Computer Science.

[37]  Aggelos Kiayias,et al.  Self Protecting Pirates and Black-Box Traitor Tracing , 2001, CRYPTO.

[38]  Mustapha Hedabou,et al.  Countermeasures for Preventing Comb Method Against SCA Attacks , 2005, ISPEC.

[39]  Patrick Longa,et al.  Efficient and secure algorithms for GLV-based scalar multiplication and their implementation on GLV–GLS curves (extended version) , 2014, Journal of Cryptographic Engineering.

[40]  Bart Preneel Progress in Cryptology - AFRICACRYPT 2009, Second International Conference on Cryptology in Africa, Gammarth, Tunisia, June 21-25, 2009. Proceedings , 2009, AFRICACRYPT.

[41]  Marc Joye,et al.  Checking Before Output May Not Be Enough Against Fault-Based Cryptanalysis , 2000, IEEE Trans. Computers.

[42]  Alfred Menezes,et al.  Analyzing the Galbraith-Lin-Scott Point Multiplication Method for Elliptic Curves over Binary Fields , 2009, IEEE Transactions on Computers.

[43]  Marcin Wójcik,et al.  Does My Device Leak Information? An a priori Statistical Power Analysis of Leakage Detection Tests , 2013, ASIACRYPT.

[44]  Pierrick Gaudry,et al.  The mpFq library and implementing curve-based key exchanges , 2007 .

[45]  Bodo Möller Algorithms for Multi-exponentiation , 2001, Selected Areas in Cryptography.

[46]  Ç. Koç,et al.  Incomplete reduction in modular arithmetic , 2002 .

[47]  Shipeng Li,et al.  Signed MSB-Set Comb Method for Elliptic Curve Point Multiplication , 2006, ISPEC.

[48]  Ed Dawson,et al.  Twisted Edwards Curves Revisited , 2008, IACR Cryptol. ePrint Arch..

[49]  Shipeng Li,et al.  Efficient Comb Elliptic Curve Multiplication Methods Resistant to Power Analysis , 2005, IACR Cryptol. ePrint Arch..

[50]  Martijn Stam,et al.  Understanding Adaptivity: Random Systems Revisited , 2012, ASIACRYPT.

[51]  Tanja Lange,et al.  Twisted Edwards Curves , 2008, AFRICACRYPT.

[52]  Francisco Rodríguez-Henríquez,et al.  NEON Implementation of an Attribute-Based Encryption Scheme , 2013, ACNS.

[53]  Yvo Desmedt,et al.  Advances in Cryptology — CRYPTO ’94 , 2001, Lecture Notes in Computer Science.

[54]  Marc Joye,et al.  Topics in Cryptology — CT-RSA 2003 , 2003 .

[55]  Michael Hamburg,et al.  Fast and compact elliptic-curve cryptography , 2012, IACR Cryptol. ePrint Arch..

[56]  Craig Costello,et al.  High-Performance Scalar Multiplication Using 8-Dimensional GLV/GLS Decomposition , 2013, CHES.

[57]  Benjamin Smith,et al.  Families of fast elliptic curves from Q-curves , 2013, IACR Cryptol. ePrint Arch..

[58]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[59]  Tsuyoshi Takagi,et al.  The Width-w NAF Method Provides Small Memory and Fast Elliptic Scalar Multiplications Secure against Side Channel Attacks , 2003, CT-RSA.