
Protecting the Most Significant Bits in Scalar Multiplication Algorithms

Conference paper. Security, Privacy, and Applied Cryptography Engineering (SPACE 2022)

Abstract

The Montgomery Ladder is widely used for implementing the scalar multiplication in elliptic curve cryptographic designs. This algorithm is efficient and provides a natural robustness against (simple) side-channel attacks. Previous works, however, showed that implementations of the Montgomery Ladder using López-Dahab projective coordinates easily leak the value of the most significant bits of the secret scalar, which led to a full key recovery in an attack known as LadderLeak [3]. In light of such leakage, we analyse further popular methods for implementing the Montgomery Ladder. We first consider open source software implementations of the X25519 protocol which implement the Montgomery Ladder based on the ladderstep algorithm from Düll et al. [15]. We confirm via power measurements that these implementations also easily leak the most significant scalar bits, even when implementing Z-coordinate randomisations. We thus propose simple modifications of the algorithm and its handling of the most significant bits and show the effectiveness of our modifications via experimental results. In particular, our re-designs of the algorithm do not incur significant efficiency penalties. As a second case study, we consider open source hardware implementations of the Montgomery Ladder based on the complete addition formulas for prime order elliptic curves, where we observe the exact same leakage. As we explain, the most significant bits in implementations of the complete addition formulas can be protected in the same way as we do for Curve25519 in our first case study.

E. Alpirez Bock—Work partially done while at Radboud University.

L. Chmielewski—This work was partially supported by the Technology Innovation Institute (https://www.tii.ae/) and by Ai-SecTools (VJ02010010) project.


Notes

  1. In this paper we will use the term balanced value to refer to large values or bitstrings containing similar amounts of 0s and 1s. While we expect operations on such values to consume a notably larger amount of power than operations on small values like zero or one, this may not always be clearly visible due, e.g., to software optimisations.

  2. The source code from [4] is located in the following repository: https://github.com/sca-secure-library-sca25519/sca25519.

  3. Note that in the X25519 protocol, the most significant (254th) bit of the secret scalars is always set to 1; this is done by ANDing the most significant scalar byte with 0x7F|0x40 in [4]. However, since we consider the ECDSA protocol, the most significant scalar bits can be 0 and we need to consider fully random scalars.

  4. We refer to EdDSA with the parameters of Curve25519 as Ed25519 [7].

  5. Note that the 256th bit of the scalar is always set to 0 since \(p = 2^{255}-19\).

  6. \(P_x= \texttt {0x67C5590EF5591AEEE312308D155579DC042E497FEC764BB3CAF3DE88597B8C24}\).

  7. We acknowledge that the traces in Fig. 2 look different from the ones collected from the first implementation. This is caused not only by differences in implementations, but also by the fact that these new traces were collected later on with a new physical setup (although probes and oscilloscopes were equivalent models).

  8. We will provide a link to the code repository in the final version of the paper.

  9. The target does, however, have an instruction cache. This caching mechanism is randomized, but since the sequence of instructions is always the same in our algorithms, this potential timing difference is independent of the scalar.

  10. The sequence of instructions performed by our algorithms is always the same, but the instruction caching of our target seems to be random.

References

  1. Akishita, T., Takagi, T.: Zero-value point attacks on elliptic curve cryptosystem. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 218–233. Springer, Heidelberg (2003). https://doi.org/10.1007/10958513_17

  2. Andrikos, C., et al.: Location, location, location: revisiting modeling and exploitation for location-based side channel leakages. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 285–314. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_10

  3. Aranha, D.F., Novaes, F.R., Takahashi, A., Tibouchi, M., Yarom, Y.: LadderLeak: breaking ECDSA with less than one bit of nonce leakage, pp. 225–242. Association for Computing Machinery, New York (2020)

  4. Batina, L., Chmielewski, L., Haase, B., Samwel, N., Schwabe, P.: SCA-secure ECC in software - mission impossible? IACR Cryptol. ePrint Arch., p. 1003 (2021)

  5. Batina, L., Chmielewski, L., Papachristodoulou, L., Schwabe, P., Tunstall, M.: Online template attacks. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 21–36. Springer, Heidelberg (2014)

  6. Becker, G.T., et al.: Test vector leakage assessment (TVLA) methodology in practice. In: International Cryptographic Module Conference (2013)

  7. Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_14

  8. Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 124–142. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23951-9_9

  9. Alpirez Bock, E., Dyka, Z., Langendoerfer, P.: Increasing the robustness of the Montgomery kP-algorithm against SCA by modifying its initialization. In: Bica, I., Reyhanitabar, R. (eds.) SECITC 2016. LNCS, vol. 10006, pp. 167–178. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-47238-6_12

  10. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_4

  11. Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In: Koblitz, N. (ed.) CRYPTO’96. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996)

  12. Bosma, W., Lenstra, H.W.: Complete system of two addition laws for elliptic curves. J. Number Theory (1995)

  13. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group Action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15

  14. CryptoJedi: Micro salt: µNaCl - the networking and cryptography library for microcontrollers. http://munacl.cryptojedi.org/curve25519-cortexm0.shtml

  15. Düll, M., et al.: High-speed Curve25519 on 8-bit, 16-bit, and 32-bit microcontrollers. Des. Codes Cryptogr. 77(2–3), 493–514 (2015)

  16. De Feo, L., et al.: SIKE channels. Cryptology ePrint Archive, Paper 2022/054 (2022). https://eprint.iacr.org/2022/054

  17. Genêt, A., Kaluđerović, N.: Single-trace clustering power analysis of the point-swapping procedure in the three point ladder of cortex-M4 SIKE. In: Balasch, J., O’Flynn, C. (eds.) COSADE 2022. LNCS, vol. 13211, pp. 164–192. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-99766-3_8

  18. Goodwill, G., Jun, B., Jaffe, J., Rohatgi, P.: A testing methodology for side-channel resistance validation. Workshop record of the NIST Non-Invasive Attack Testing (NIAT) Workshop (2011). csrc.nist.gov/CSRC/media/Events/Non-Invasive-Attack-Testing-Workshop/documents/08Goodwill.pdf

  19. Guntur, H., Ishii, J., Satoh, A.: Side-channel attack user reference architecture board SAKURA-G. In: 2014 IEEE 3rd Global Conference on Consumer Electronics (GCCE), pp. 271–274 (2014)

  20. Heyszl, J., Ibing, A., Mangard, S., De Santis, F., Sigl, G.: Clustering algorithms for non-profiled single-execution attacks on exponentiations. In: Francillon, A., Rohatgi, P. (eds.) CARDIS 2013. LNCS, vol. 8419, pp. 79–93. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08302-5_6

  21. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2

  22. López, J., Dahab, R.: Fast multiplication on elliptic curves over GF(2^m) without precomputation. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 316–327. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48059-5_27

  23. Medwed, M., Oswald, E.: Template attacks on ECDSA. In: Chung, K.-I., Sohn, K., Yung, M. (eds.) WISA 2008. LNCS, vol. 5379, pp. 14–27. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00306-6_2

  24. Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)

  25. Nascimento, E., Chmielewski, Ł.: Applying horizontal clustering side-channel attacks on embedded ECC implementations. In: Eisenbarth, T., Teglia, Y. (eds.) CARDIS 2017. LNCS, vol. 10728, pp. 213–231. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-75208-2_13

  26. Nascimento, E., Chmielewski, L., Oswald, D.F., Schwabe, P.: Attacking embedded ECC implementations through cmov side channels. In: Selected Areas in Cryptography - SAC 2016–23rd International Conference, St. John’s, NL, Canada, 10–12 August, 2016, Revised Selected Papers, pp. 99–119 (2016)

  27. Pirotte, N., Vliegen, J., Batina, L., Mentens, N.: Design of a fully balanced ASIC coprocessor implementing complete addition formulas on Weierstrass elliptic curves. In: 2018 21st Euromicro Conference on Digital System Design (DSD), pp. 545–552 (2018)

  28. Renes, J., Costello, C., Batina, L.: Complete addition formulas for prime order elliptic curves. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 403–428. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_16

  29. Certicom Research: SEC 2: Recommended elliptic curve domain parameters, version 2.0. www.secg.org/sec2-v2.pdf

  30. Riscure: Current probe. Security test tool for embedded devices (2018). www.riscure.com/product/current-probe/. Accessed 05 May 2021

  31. Riscure: Side channel analysis security tools (2021). www.riscure.com/security-tools/inspector-sca/

Acknowledgments

The work of Estuardo Alpirez Bock was in part supported by MATINE, Ministry of Defence of Finland.

Corresponding author: Estuardo Alpirez Bock.

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Alpirez Bock, E., Chmielewski, L., Miteloudi, K. (2022). Protecting the Most Significant Bits in Scalar Multiplication Algorithms. In: Batina, L., Picek, S., Mondal, M. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2022. Lecture Notes in Computer Science, vol 13783. Springer, Cham. https://doi.org/10.1007/978-3-031-22829-2_7

  • DOI: https://doi.org/10.1007/978-3-031-22829-2_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22828-5

  • Online ISBN: 978-3-031-22829-2

  • eBook Packages: Computer Science (R0)
