Joye M.Cryptographic hardware and embedded systems.2005

multiplications since it has the fastest doubling. We refer to [24] for the formulae.

We now see in an example – the addition formula in affine coordinates – how lazy and incomplete reductions are used in practice. Table 3 is derived from results in [24], but restricted to the odd characteristic case. The detailed breakdown of the REDCs we can save follows:

1.In Step 1 we can save one REDC in the computation of since we do not need the reduced value of and anywhere else.

2.In Step 3 we do not reduce since it is used in the computation of and which are sums of products of two elements. So only 3 REDCs are required to implement Step 3: for and for the final results of and This is a saving of two REDCs.

3.In Step 5, it would be desirable to leave the coefficients and of unreduced, since they are used in the following two steps only in additions with other products of two elements. But is a problem: we cannot add reduced and unreduced

TEAM LinG

quantities (see Remark 1). We circumvent this by computing the unreduced products (in place of and Two REDCs are saved.

4.In Step 6, it is We need only one REDC to compute the (reduced) sum of the first four products: Note

that, at this point, is already known and we already counted the saving of one REDC associated to it. So, we save a total of two REDCs.

Summarizing, for one addition in affine coordinates in the most common case, we need 12 Muls, 13 MulNoREDCs and 6 REDCs. Thus, we save 7REDCs.

We implemented addition and doubling in all coordinate systems. To speed up scalar multiplication, we also implemented addition in the cases where one of the two group elements to be added is given in and the second summand and the result are both given either in or

In Table 2 we write the operation counts of the implemented operations. The table contains also the counts for EC and genus 3 curves (see the next paragraph). The number of modular reductions is always significantly smaller than the number of multiplications.

Genus 3. Affine coordinates are the only coordinate system currently available for genus 3 curves. The formulae in [32,33] contain some errors in odd characteristic. We took the formulae of [40] – which are for general curves of the form and have been implemented only in even characteristic with – and simplified them for the case of odd characteristic, and vanishing second most significant coefficient of A pleasant aspect of these formulae is that a large proportion of modular reductions can be saved: at least 21 in the addition and 14 in the doubling (see Table 2).

2.4 Scalar Multiplication

There are many methods for computing a scalar multiplication in a generic group, which

addition is replaced by an assignment).

On EC and HEC, adding and subtracting an element have the same cost. Hence one

A generalization of the NAF uses “sliding windows”: The wNAF [37,8] of the integer

TEAM LinG

158 R.M. Avanzi

The wNAF has average density To compute a scalar multiplication based on the wNAF one first precomputes the ideal classes D, and then performs a double-and-add step like (2). A left-to-right recoding with the same density as the wNAF can be found in [4].

3 Results, Comparisons, and Conclusions

Table 4 reports the timings of our implementation. Since nuMONGO provides support only for moduli up to 256 bits, EC are tested only on fields up to that size. For genus 2 curves on a 256 bit field, a group up to 513 bits is possible: We choose this group size as a limit also for the genus 3 curves.

All benchmarks were performed on a 1 GHz AMD Athlon (Model 4) PC, under the Linux operating system (kernel version 2.4). The compilers used were the GNU C Compiler (gcc), versions 2.95.3 and 3.3.1 and all the performance considerations made in § 2.1 apply.

All groups have prime or almost prime order. The elliptic curves up to 256 bits have been found by point counting on random curves, the larger ones as well as the genus 2 and 3 curves have been constructed with the CM method.

For each combination of curve type, coordinate system and group size, we averaged the timings of several thousands scalar multiplications with random scalars, using three different recodings of the scalar: the binary representation, the NAF, and the wNAF. For the wNAF we report only the best timing and the corresponding value of We always keep the base ideal class and its multiples in affine coordinates, since adding an affine point to a point in any coordinate system other than affine is faster than adding two points in that coordinate system. The timings always include the precomputations.

In Table 5 we provide timings for ecc and hec using gmp and the double-and-add scalar multiplication based on the unsigned binary representation. We also provide in Table 6 timings with nuMONGO but without lazy and incomplete reduction. For comparison with our timings, Lange [23] reported timings of 8.232 and 9.121 milliseconds for genus 2 curves with group and respectively on a gmp-based implementation of affine coordinates on a 1.5 GHz Pentium 4 PC. In [23] the double-and-add algorithm based on the unsigned binary representation is used. In [35], a timing of 98 milliseconds for a genus 3 curve of about 180 bits on an Alpha 21164A CPU running at 600MHz is reported. The speed of these two CPUs is close to that of the machine we used for our tests.

A summary of the results follows:

1.Using a specialized software library one can get a speed-up by a factor of 3 to 4.5 for EC with respect to a traditional implementation. The speed-up for genus 2 and 3 curves is up to 8.

2.Lazy and incomplete reduction bring a speed-up from 3% to 10%.

3.For EC, the performance of the systems and is almost identical. The reason lies in the fact that with no modular reductions can be saved.

4.HEC are still slower than EC, but the gap has been narrowed.

a)Affine coordinates for genus 2 HEC are significantly faster than those for EC. Those for genus 3 are faster from 144 bits upwards.

TEAM LinG

TEAM LinG

160 R.M. Avanzi

b)Comparing the best coordinate systems and scalar multiplication algorithms for genus 2 HEC and EC, we see that:

(i)For 192 bit, resp. 256 bit groups, EC is only 14%, resp. 15% faster than

HEC. In fact, consider the best timings for EC and HEC with genus 2 with 192 bits: (1.623 – 1.395)/1.623 =

(ii)For other group sizes the difference is often around 50%.

c)Genus 3 curves are slower than genus 2 ones. With gmp the difference is 80% to 100% for 160 to 512 bit groups, but using nuMONGO the gap is often as small as 50%.

5.Using nuMONGO we can successfully eliminate most of the overheads, thus proving the soundness of our approach.

a)In the gmp-based implementation, the timings with different coordinate systems are closer to each other than with nuMONGO because of the big amount of time lost

in the overheads. For HEC we have the paradoxical result that andare slower than because they require more function calls for each group operation than

Therefore, with standard libraries the overheads can dominate the running time.

b) For affine coordinates the most expensive part of the operation is the field inversion, hence the speed-up given by nuMONGO is not big, and is close to that in Table 1 for the inversion alone.

6. If the field size for a given group is not close to a multiple of the machine word size there is a relative drop in performance with respect to other groups where the field size is almost a multiple of For example, a 160-bit group can be given by a genus 2 curve over a 80-bit field, but then 96-bit arithmetic must be used on a 32-bit CPU. Similarly, with 224-bit groups, a genus 2 HEC is penalized by the 112-bit field arithmetic. For 144-bit groups, genus 3 curves can exploit 48-bit arithmetic, which has been made faster by suitable implementation tricks (an approach which did not work for 80 and 112 bit fields), hence the gap to genus 2 is only 50%.

We conclude that the performance of hyperelliptic curves over prime fields is satisfactory enough to be considered as a valid alternative to elliptic curves, especially when large point groups are desired, and the bit length of the characteristic is close to (but smaller than) a multiple of the machine word length.

In software implementations not only should we employ a custom software library, as done for elliptic curves in [6], but for a further speed-up the use of lazy and incomplete reduction is recommended. Development of new explicit formulae should take into account the possibility of delaying modular reductions.

TEAM LinG

Acknowledgemts. The author thanks Gerhard Frey for his constant support. Tanja Lange greatly influenced this paper at several levels, theoretical and practical, considerably improving its quality. The author acknowledges feedback, support and material from Christophe Doche, Pierrick Gaudry, Johnny Großschädl, Christof Paar, Jean-Jacques Quisquater, Jan Pelzl, Nicolas Thériault and Thomas Wollinger. Thanks also to the anonymous referees for several useful suggestions.

References

1.AMD Corporation. AMD-K6-2 Processor Data Sheet. http://www.amd.com/ us-en/assets/content_type/white_papers_and_tech_docs/21850.pdf

2.R.M. Avanzi. Countermeasures against differential power analysis for hyperelliptic curve cryptosystems. Proc. CHES 2003. LNCS 2779, 366–381. Springer, 2003.

3.R.M. Avanzi and Generic Efficient Arithmetic Algorithms for PAFFs (Processor Adequate Finite Fields) and Related Algebraic Structures. Proc. SAC 2003. LNCS 3006, 320–334. Springer 2004.

4.R.M. Avanzi. A note on the sliding window integer recoding and its left-to-right analogue.

Submitted.

5.A. Bosselaers, R. Govaerts and J. Vandewalle. Comparison of three modular reduction functions. Proc. Crypto ’93. LNCS 773, 175-186. Springer, 1994.

6.M.K. Brown, D. Hankerson, J, Lopez and A. Menezes. Software implementation of the NIST elliptic curves over prime fields. Proc. CT-RSA 2001. LNCS 2020, 250–265. Springer, 2001.

7.D. Cantor. Computing in the Jacobian of a Hyperelliptic Curve. Math. Comp. 48 (1987), 95–101.

8.H. Cohen, A. Miyaji and T. Ono. Efficient elliptic curve exponentiation. Proc. ICICS 1997, LNCS 1334, 282–290. Springer, 1997.

9.H. Cohen, A. Miyaji and T. Ono. Efficient Elliptic Curve Exponentiation Using Mixed Coordinates, Proc. ASIACRYPT 1998. LNCS 1514, 51–65. Springer, 1998.

10.P.G. Comba. Exponentiation cryptosystems on the IBM PC. IBM Systems Journal, 29 (Oct. 1990), 526–538.

11.S.R. Dussé and B.S. Kaliski. A cryptographic library for the Motorola DSP56000. Proc. EUROCRYPT ’90. LNCS 473, 230–244. Springer, 1991.

12.P. Gaudry, An algorithm for solving the discrete log problem on hyperelliptic curves. Proc. EUROCRYPT 2000. LNCS 1807, 19–34. Springer, 2000.

13.P. Gaudry and E. Schost. Construction of Secure Random Curves of Genus 2 over Prime Fields. Proc. EUROCRYPT 2004. LNCS 3027, 239–256. Springer, 2004.

14.M. Gonda, K. Matsuo, K. Aoki, J. Chao, and S. Tsuji. Improvements of addition algorithm on genus 3 hyperelliptic curves and their implementations. Proc. SCIS 2004, 995–1000.

15.D.M. Gordon. A survey of fast exponentiation methods. J. of Algorithms 27 (1998), 129–146.

16.T. Grandlund. GMP. A software library for arbitrary precision integers.

Available from: http://www.swox.com/gmp/

17.R. Harley. Fast Arithmetic on Genus Two Curves.

Available at http://cristal.inria.fr/~harley/hyper/

18.T. Jebelean. A Generalization of the Binary GCD Algorithm. Proc. ISSAC 1993, 111–116.

19.B.S. Kaliski Jr.. The Montgomery inverse and its applications. IEEE Transactions on Computers, 44(8), 1064–1065, August 1995.

20.A. Karatsuba and Y. Ofman. Multiplication of Multidigit Numbers on Automata, Soviet Physics - Doklady, 7 (1963), 595–596.

21.N. Koblitz. Hyperelliptic Cryptosystems. J. of Cryptology 1 (1989), 139–150.

TEAM LinG

162R.M. Avanzi

22.U. Krieger. signature.c: Anwendung hyperelliptischer Kurven in der Kryptographie. M.S. Thesis, Mathematik und Informatik, Universität Essen, Fachbereich 6, Essen, Germany.

23.T. Lange. Efficient Arithmetic on Genus 2 Hyperelliptic Curves over Finite Fields via Explicit Formulae. Cryptology ePrint Archive, Report 2002/121, 2002. http://eprint.iacr.org/

24.T. Lange. Formulae for Arithmetic on Genus 2 Hyperelliptic Curves. To appear in: J. AAECC.

25.A.K. Lenstra and E.R. Verheul. Selecting Cryptographic Key Sizes. J. of Cryptology 14 (2001), 255–293.

26.R. Lercier. Algorithmique des courbes elliptiques dans les corps finis. These. Available from http://www.medicis.polytechnique.fr/~lercier/

27.C.H. Lim, H.S. Hwang. Fast implementation of Elliptic Curve Arithmetic in Proc. PKC 2000, LNCS 1751, 405–421. Springer 2000.

28.A. Menezes,Y.-H. Wu and R. Zuccherato. An Elementary Introduction to Hyperelliptic Curves. In N. Koblitz, Algebraic aspects of cryptography. Springer, 1998.

29.J.-F. Mestre. Construction des courbes de genre 2 a partir de leurs modules. Progr. Math. 94

(1991), 313–334.

30.Y. Miyamoto, H. Doi, K. Matsuo, J. Chao, and S. Tsuji. A Fast Addition Algorithm of Genus Two Hyperelliptic Curve. Proc. SCIS 2002, IEICE Japan, 497–502, 2002. In Japanese.

31.P.L. Montgomery. Modular multiplication without trial division. Math. Comp. 44 (1985), 519–521.

32.J. Pelzl. Fast Hyperelliptic Curve Cryptosystems for Embedded Processors. Master’s Thesis. Dept. of Elec. Eng. and Infor. Sci., Ruhr-University of Bochum, 2002.

33.J. Pelzl, T. Wollinger, J. Guajardo, J. and C. Paar. Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves. CHES 2003, LNCS 2779, 351–365. Springer, 2003.

34.G.W. Reitwiesner. Binary arithmetic. Advances in Computers 1 (1960), 231–308.

35.Y. Sakai, and K. Sakurai. On the Practical Performance of Hyperelliptic Curve Cryptosystems in Software Implementation. IEICE-Tran. Fund. Elec., Comm. and Comp. Sci. Vol. E83-A No.4., 692–703.

36.N.P. Smart. On the Performance of Hyperelliptic Cryptosystems. Proc. EUROCRYPT ‘99, LNCS 1592, 165–175. Springer, 1999.

37.J.A. Solinas. An improved algorithm for arithmetic on a family of elliptic curves. Proc. CRYPTO ’97, LNCS 1294, 357–371. Springer, 1997.

38.N. Thériault. Index calculus attack for hyperelliptic curves of small genus. Proc. Asiacrypt 2003. LNCS 2894, 75–92. Springer, 2003.

39.A. Weng. Konstruktion kryptographisch geeigneter Kurven mit komplexer Multiplikation.

PhD thesis, Universität Gesamthochschule Essen, 2001.

40.T. Wollinger, J. Pelzl, V. Wittelsberger, C. Paar, G. Saldamli, and Ç.K. Koç. Elliptic & Hy-

perelliptic Curves on Embedded Special issue on Embedded Systems and Security of the ACM Transactions in Embedded Computing Systems.

41.T. Wollinger. Engineering Aspects of Hyperelliptic Curves. Ph.D. Thesis. Dept. of Elec. Eng. and Infor. Sci., Ruhr-University of Bochum. July 2004.

TEAM LinG

A Collision-Attack on AES Combining Side Channeland Differential-Attack

Kai Schramm, Gregor Leander, Patrick Felke, and Christof Paar

Horst Görtz Institute for IT Security Ruhr-Universität Bochum, Germany Universitätsstrasse 150

44780 Bochum, Germany

{schramm, cpaar}@crypto.rub.de,

{leander, felke}@itsc.rub.de,

www.crypto.rub.de

Abstract. Recently a new class of collision attacks which was originally suggested by Hans Dobbertin has been introduced. These attacks use side channel analysis to detect internal collisions and are generally not restricted to a particular cryptographic algorithm. As an example, a collision attack against DES was proposed which combines internal collisions with side channel information leakage. It had not been obvious, however, how this attack applies to non-Feistel ciphers with bijective S-boxes such as the Advanced Encryption Standard (AES). This contribution takes the same basic ideas and develops new optimized attacks against AES. Our major finding is that the new combined analytical and side channel approach reduces the attack effort compared to all other known side channel attacks. We develop several versions and refinements of the attack. First we show that key dependent collisions can be caused in the output bytes of the mix column transformation in the first round. By taking advantage of the birthday paradox, it is possible to cause a collision in an output with as little as 20 measurements. If a SPA leak is present from which collisions can be determined with certainty, then each collision will reveal at least 8 bits of the secret key. Furthermore, in an optimized attack, it is possible to cause collisions in all four output bytes of the mix column transformation with an average of only 31 measurements, which results in knowledge of all 32 key bits. Finally, if collisions are caused in all four columns of the AES in parallel, it is possible to determine the entire 128-bit key with only 40 measurements, which a is a distinct improvement compared to DPA and other side channel attacks.

Keywords: AES, side channel attacks, internal collisions, birthday paradox.

1Introduction

An internal collision occurs, if a function within a cryptographic algorithm processes different input arguments, but returns an equal output argument. A typical example of subfunctions where internal collisions may occur are non-injective mappings, e.g., the S-boxes of DES, which map 6 to 4 bits. Moreover, partial

164 K. Schramm et al.

collisions may also appear at the output of injective and non-injective transformations, e.g. in 3 bytes (24 bits) of a 4 byte (32 bit) output value. In the case of AES we will show that key dependent collisions can occur in one of the output bytes of the mix column transformation. We show that these internal collisions can be detected by power analysis techniques, therefore collision attacks should be regarded as a sub-category of Simple Power Analysis (SPA). The term internal collision implies itself that the collision cannot be detected at the output of the algorithm. In cooperation with Hans Dobbertin it was shown in [SWP03], that cross-correlation of power traces (or possibly EM radiation traces) makes it possible to detect internal collisions which provide information about the secret key. Furthermore, in [Nov03, Cla04] it is even claimed that internal collisions can be used to reverse-engineer substitution blocks of secret ciphers, such as unknown implementations of the A3/A8 GSM algorithm. Implementations which solely use countermeasures such as random wait states or dummy cycles will most probably succumb to internal collision attacks, since cross-correlation of power traces with variable time offsets will defeat these countermeasures. Also, in [Wie03] it was shown that the software countermeasure known as the duplication method [GP99] may not succeed against internal collisions. Another advantage of collision attacks over side channel attacks such as Simple Power Analysis (SPA) and Differential Power Analysis (DPA) [KJJ99, KJJ98] is the fact that an internal collision will usually affect a sequence of instructions whereas SPA and DPA usually evaluate the power trace at a particular instance of time. For example, in the case of DES a collision in the output of the non-linear function in round one will affect almost the entire second round. Detecting collisions by examining a sequence of instructions may be advantageous in terms of measurement costs. On the other hand, it must be noted that DPA based attacks against AES have the advantage of being known plaintext attacks whereas our proposed collision attack is a chosen plaintext attack.

The rest of this publication is organized as follows: in Section 2 the collision attack originally proposed in [SWP03] is applied against the AES. It is shown that partial collisions can occur in a single output byte of the mix column transformation and that these collisions depend on the secret key. In Section 3, an optimization of this attack is presented. It uses precomputed tables of a total size of 540 MB and on average yields 32 key bits with 31 encryptions (measurements). If the attack is applied in parallel to all four columns, 128 key bits can be determined with only 40 encryptions (measurements). In Section 4, we give information about our PC simulated attacks and practical attacks against a 8051 based microcontroller running AES in assembly. Finally, in Section 5, we summarize our results and give some conclusions.

2Collisions in AES

2.1Collisions in the Mix Column Transformation

In this section, we first briefly review the mix column transformation in AES. Then, we show how key dependent collisions can be caused in a single output byte of the mix column transformation.

TEAM LinG

The mix column transformation is linear and bijective. It maps a four-byte column to a four-byte column. Its main purpose is diffusion. Throughout this paper we follow the notation used in [DR02]. The mathematical background of the mix

The input polynomial is multiplied with the fixed polynomial

where 01, 02 and 03 refer to the elements 1, and respectively. If we refer to the input column as and to the output column as the mix column transformation can be stated as

If we look at the first output byte it is given by1

If we focus on the first round, we can substitute and with and The output byte can then be written as

The main idea of this attack is to find two different plaintext pairs with the

Suppose that an adversary has the necessary experience and measurement instrumentation to detect this collision in (or any other output byte of the mix column transformation) with side channel analysis. First, he sets the two plaintext bytes and to a random value As next, he encrypts the corresponding plaintext, measures the power trace and stores it on his

1 The symbol + denotes an addition modulo 2, i.e. the binary exclusive-or operation. 2 These are the diagonal elements of the plaintext and initial round key matrix due

to the prior shift row transformation.

TEAM LinG