Documentos de Académico
Documentos de Profesional
Documentos de Cultura
Daniel Mesquita1, Benoît Badrignans2, Lionel Torres2, Gilles Sassatelli2, Michel Robert2, Fernando Moraes3
1 2 3
Instituto de Engenharia de Sistemas e Université Montpellier II, LIRMM PUCRS – FACIN
Computadores – INESC-ID Montpellier –France Porto Alegre – Brasil
Lisboa – Portugal
{surname}@lirmm.fr moraes@inf.pucrs.br
mesquita@inesc-id.pt
the basis: the algorithm’s robustness relies on this concept. 3,50 Classic Implementation
The LRA proposes two approaches of data randomization: 3,00 LR²A 32 Bits
Time (seconds)
2,50
0,00
input data is provided by randomly choosing the elements of 1024 2048 4096
• Random change of bases before and during the Figure 4 – Comparison between LR²A and a classic
exponentiation: A generic algorithm is proposed in [22], e
implementation of the “a mod N”
offering many degrees of freedom in the implementation
and at the security level. Meanwhile, comparing the performance of the LR²A
The main goal of these approaches is to lead to a with other state-of-art architectures to compute modular
randomization of all intermediate data computed at the exponentiation, the Figure 5 shows clearly that the
cryptographic circuit for the same input data and output. improvements in security achieved by the LR²A do not
Based on the same principle of the DPA, if the data change compromise the performance. LR²A is capable to compute
during an operation, consequently the power consumption one 1024 bits modular exponentiation in the same time that
becomes non constant, thwarting DPA attacks. The security the most performing architecture reviewed by us.
of this method was demonstrated in [22].
6. Results
A. Area and Performance
The Table I shows the size of each PE for different
datapath sizes. Area is given in thousands of equivalent
logic gates (elg).
TABLE I
Synthesis for PEs with different datapath sizes
Datapath (bits) elg (k) Clock (MHz)
16 4,3 60
32 8,5 40
64 15,8 30
128 32 20
Figure 6 - Different traces for each base, with the same 7. Summary and Conclusions
computed A x B mod M The Leak Resistant Arithmetic improves the robustness
of cryptographic applications counteracting the principle of
By making a difference of the two curves, it is possible some hardware attacks, like DPA. Due its nature, the LRA
to see that the computed data is no longer related with the leads to a coarse grain reconfigurable architecture,
power consumption. In the Figure 7 we have the difference requiring important hardware resources.
of two computations of the same decimal data (I.e. the same Even with area penalties, the LR²A is competitive in
values for ‘A’ and for the exponent ‘e’). The Figure 7-(a) terms of performance, equivalent to state-of-art of
shows the difference between two computations of (Ae mod cryptographic accelerators. But in cryptographic
N) in a classical representation: it means that for the same applications, security always has a cost. The LR²A show
data set we always have the same consumption. that is possible to improve security remaining flexible and
performing.
By slightly modifying the PEs it is possible to run other
cryptographic or compression algorithms, but the main
further work is to make the PEs still more flexible, by
adding a fine grain reconfigurable area in each PE. In this
way, with a reconfigurable datapath, the LR²A could
implement a wide spectre of applications.
2
References
Figure 7 – The robustness analysis of the LR A:
[1] P. Kocher, al. “Differential Power Analysis : Leaking
On the other hand the Figure 7-(b) highlights the Secrets”. Advances in Cryptology: CRYPTO'99, pp.
difference of two modular exponentiation with the same 388-397. 1999.
‘A’ and ‘e’, but expressed in the LRA representation. As [2] – . “ Data Encryption Standard (DES)”. Federal
the first exponentiation is made in the base β1, and the Information Processing Standards Publications (FIPS
second one in base β2, the resulting consumption is PUBS) Nº 46-3. EUA.October 25, 1999.
different, avoiding a DPA analysis. [3] C. Walter. “Sliding Windows Succumbs to Big Mac
Attack”. Cryptographic Hardware and Embedded
C. Reconfiguration issue System: CHES’01, pp286-299. 2001.
The main security point of the LR²A is the base [4] L. Benini, et al. “Energy-aware design techniques for
extension. This is realized through a dynamic differential power analysis protection”. Design
reconfiguration. As can be viewed in the Algorithm 1, in a Automation Conference: DAC ‘03. Anaheim, USA.
first moment the architecture executes RNS operations June, 2003.
(points 1, 2 and 4). But when a base extension is required, [5] A. Razafindraibe, et al. “Asynchronous Dual rail Cells
due to its algorithmic nature, the architecture must be to Secure Cryptosystem Against SCA”.
reconfigured to execute new instructions. So, the RSCM Sophia-Antipolis Forum on MicroElectronics. Nice,
intervenes to manage the reconfiguration procedure. France, 2005.
The Reconfiguration Monitor determines the moment
when the base extension module is needed and notifies the
[6] H. Saputra, et al. “Masking behavior of DES Cryptographic Hardware and Embedded Systems,
encryption”. Design, Automation and Test Europe – CHES’02. pp 228-243, 2002.
DATE ‘03. Munich, Germany, 2003. [21] H. Garner. “The Residue Number System”. IRE
[7] M. Simon, et al. “Balanced Self-Checking Transactions in electronic Computers. Vol 8, pp.
Asynchronous Logic for Smart Card Applications”, 140-147, 1959.
Microprocessors and Microsystems Journal, 27. [22] J-C. Bajard, et al. “Leak Resistant Arithmetic”.
Elsevier, pp 421-430, October 2003. Cryptographic Hardware and Embedded Systems
[8] C. Clavier, et al. “Differential Power Analysis in the CHES’04. Pp 62-75, 2004.
presence of hardware countermeasures”. [23] C. Kim, et al. “A CRT-Based RSA Countermeasure
Cryptographic Hardware and Embedded Systems – against Physical Cryptanalysis”. Conference on High
CHES ’00. Pp 252-263, 2000. Performance Computing and Communications: HPCC
[9] J. Irwin, et al. “Instruction stream mutation for ’05. Pp 549-554, Naples, Italy, 2005.
non-deterministic processors”. International [24] J-C. Bajard, et al. “A Full RNS Implementation of
Conference on Application Specific Systems, RSA”.IEEE Transactions on Computers. Vol. 53, n° 6,
Architectures and Processors – ASAP 2002. IEEE pp. 769-774. 2004.
press. Pp 286-295. 2002. [25] M. Ciet, et al. “Parallel FPGA implementation of RSA
[10] D. May, et al. “Non-deterministic processors”. with residue number systems – can side-channel threats
Information security and privacy – ACISP’01. Sydney, be avoided?”. 46th. International Midwest Symposium
Australia. July 2001. on Circuits and Systems: MWSCAS ’03. Cairo, Egypt,
[11] S. Mangard, “Hardware countermeasures against December 2003.
DPA – a statistical analysis of their effectiveness”. [26] E. Carvalho, et al. “Reconfiguration Control for
Topics in Cryptology – CT-RSA’04. pp. 222 – 235. San Dynamically Reconfigurable Systems”. Conference on
Francisco, USA. 2004. Design of Circuits and Integrated Systems: DCIS ’04.
[12] D. Mesquita, et al. “Current Mask Generation: A New Bordeaux, France, 2004.
Hardware Countermeasure for Masking Signatures of [27] B. Badrignans, D. Mesquita, J-C. Bajard, L. Torres, G.
Cryptographic Cores”. International Conference on Sassatelli, and M. Robert. A parallel and secure
VLSI: IFIP VLSI SoC ’05. Perth, Australia, 2005. architecture for asymetric cryptography. In
[13] A. Shamir. “Protecting smart cards from passive power Proceedings of ReCoSoC, page in press, Montpellier,
analysis with detached power supplies”. France, 2006.
Cryptographic Hardware and Embedded Systems, [28] C. McIvor, M. McLoone, J. McCanny, and W.
CHES’00.Pp 71-77, 2000. Marnane. Fast montgomery modular multiplication
[14] J-S Coron. “Resistance against Differential Power and RSA cryptographic processor architectures. In
Analysis for Elliptic Curve Cryptosystems”. Proceedings of the Asilomar Conference, Pacific
Cryptographic Hardware and Embedded Systems, Groove, USA, 2003. IEEE Computer Society.
CHES’99. Pp 292-302, 1999.
[15] R. Rivest, et al. “A Method for Obtaining Digital [29] S. Örs, L. Batina, B. Preneel, and J. Vandewalle.
Signatures and Public-Key Cryptosystems”. ACM Hardware implementation of a montgomery modular
Communications, vol 21. pp 120-126. 1978. multiplier in a systolic array. In IPDPS, page 184,
[16] D. Chaum. “Security without identification: Nice, France, 2003. IEEE Computer Society.
transaction systems to make Big Brother obsolete”. [30] N. Nedjah and L. Mourelle. A review of modular
Communication of the ACM. Vol. 8., n° 10, pp multiplication methods and respective hardware
1030-144. 1985. implementations. Informatica, 30 :111–130, 2006.
[17] L. Goubin. “A refined power-analysis attack on ECC”. [31] A. Daly and W. Marnane. Efficient architectures for
Publick Key Cryptography: PKC ’03. pp 199-210. implementing montgomery modular multiplication and
2003. RSA modular exponentiation on reconfigurable logic.
[18] M. Hideyo, et al. “Efficient Countermeasures against
In Proceedings of the FPGA ’02, pages 40–49, 2002.
RPA, DPA, and SPA”. Cryptographic Hardware and
Embedded Systems, CHES’04. Pp 343-356, 2004. [32] J-P. Deschamps and G. Sutter. Fpga implementation of
[19] P. Kocher. “Timing Attacks on Implementations of modular multipliers. In Proceedings of the DCIS ’02,
Diffie-Hellman, RSA, DSS, and Other Systems”. 16th pages 107–112, 2002.
Workshop in Cryptology: Crypto ’96. pp 104-113. [33] D. Mesquita, B. Badrignans, L. Torres, G. Sassatelli,
Santa Barbara, USA. 1996. M. Robert, and F. Moraes. A leak resistant soc against
[20] B. Boer. “A DPA Attack against the Modular side channel attacks. In Proceedings of ISSoC, page in
Reduction within a CRT Implementation of RSA”. press, Tampere, Finlande, 2006.