Biblio

Filters: Keyword is Montgomery ladder
2022-05-05
Andres Lara-Nino, Carlos, Diaz-Perez, Arturo, Morales-Sandoval, Miguel.  2021.  A comparison of Differential Addition and Doubling in Binary Edwards Curves for Elliptic Curve Cryptography. 2021 Fifth World Conference on Smart Trends in Systems Security and Sustainability (WorldS4). :12–18.
Binary Edwards curves (BEC) over finite fields can be used as an additive cyclic elliptic curve group to enable elliptic curve cryptography (ECC), where the most time-consuming operation is scalar multiplication. This operation is computed by means of the group operation, either point addition or point doubling. The most notorious property of these curves is that their group operation is complete, which mitigates the need to verify for special cases. Different formulae for the group operation in BECs have been reported in the literature. Of particular interest are those designed to work with the differential properties of the Montgomery ladder, which offer constant time computation of the scalar multiplication as well as reduced field operations count. In this work, we review and compare the complexity of BEC differential addition and doubling in terms of field operations. We also provide software implementations of scalar multiplications which employ these formulae under a fair scenario. Our work provides insights on the advantages of using BECs in ECC. Our study of the different formulae for group addition in BEC also showcases the advantages and limitations of the different design strategies employed in each case.
2021-03-22
Marquer, Y., Richmond, T.  2020.  A Hole in the Ladder: Interleaved Variables in Iterative Conditional Branching. 2020 IEEE 27th Symposium on Computer Arithmetic (ARITH). :56–63.
The modular exponentiation is crucial to the RSA cryptographic protocol, and variants inspired by the Montgomery ladder have been studied to provide more secure algorithms. In this paper, we abstract away the iterative conditional branching used in the Montgomery ladder, and formalize systems of equations necessary to obtain what we call the semi-interleaved and fully-interleaved ladder properties. In particular, we design fault-injection attacks able to obtain bits of the secret against semi-interleaved ladders, including the Montgomery ladder, but not against fully-interleaved ladders that are more secure. We also apply these equations to extend the Montgomery ladder for both the semi- and fully-interleaved cases, thus proposing novel and more secure algorithms to compute the modular exponentiation.
2021-02-15
Kabin, I., Dyka, Z., Klann, D., Mentens, N., Batina, L., Langendoerfer, P.  2020.  Breaking a fully Balanced ASIC Coprocessor Implementing Complete Addition Formulas on Weierstrass Elliptic Curves. 2020 23rd Euromicro Conference on Digital System Design (DSD). :270–276.
In this paper we report on the results of selected horizontal SCA attacks against two open-source designs that implement hardware accelerators for elliptic curve cryptography. Both designs use the complete addition formula to make the point addition and point doubling operations indistinguishable. One of the designs uses in addition means to randomize the operation sequence as a countermeasure. We used the comparison to the mean and an automated SPA to attack both designs. Despite all these countermeasures, we were able to extract the keys processed with a correctness of 100%.
2020-06-26
Bedoui, Mouna, Bouallegue, Belgacem, Hamdi, Belgacem, Machhout, Mohsen.  2019.  An Efficient Fault Detection Method for Elliptic Curve Scalar Multiplication Montgomery Algorithm. 2019 IEEE International Conference on Design Test of Integrated Micro Nano-Systems (DTS). :1–5.
Elliptical curve cryptography (ECC) is being used more and more in public key cryptosystems. Its main advantage is that, at a given security level, key sizes are much smaller compared to classical asymmetric cryptosystems like RSA. Smaller keys imply less power consumption, less cryptographic computation and require less memory. Besides performance, security is another major problem in embedded devices. Cryptosystems, like ECC, that are considered mathematically secure, are not necessarily considered safe when implemented in practice. An attacker can monitor these interactions in order to mount attacks called fault attacks. A number of countermeasures have been developed to protect the Montgomery Scalar Multiplication algorithm against fault attacks. In this work, we proposed an efficient countermeasure premised on a duplication scheme and the scrambling technique for the Montgomery Scalar Multiplication algorithm against fault attacks. Our approach is simple and easy to implement in hardware. In addition, we perform injection-based error simulations and demonstrate that the error coverage is about 99.996%.