软件中的sca安全ECC -不可能的任务?

IACR Trans. Cryptogr. Hardw. Embed. Syst. Pub Date : 2022-11-29 DOI:10.46586/tches.v2023.i1.557-589

L. Batina, L. Chmielewski, Björn Haase, Niels Samwel, P. Schwabe

{"title":"软件中的sca安全ECC -不可能的任务?","authors":"L. Batina, L. Chmielewski, Björn Haase, Niels Samwel, P. Schwabe","doi":"10.46586/tches.v2023.i1.557-589","DOIUrl":null,"url":null,"abstract":"This paper describes an ECC implementation computing the X25519 keyexchange protocol on the Arm Cortex-M4 microcontroller. For providing protections against various side-channel and fault attacks we first review known attacks and countermeasures, then we provide software implementations that come with extensive mitigations, and finally we present a preliminary side-channel evaluation. To our best knowledge, this is the first public software claiming affordable protection against multiple classes of attacks that are motivated by distinct real-world application scenarios. We distinguish between X25519 with ephemeral keys and X25519 with static keys and show that the overhead to our baseline unprotected implementation is about 37% and 243%, respectively. While this might seem to be a high price to pay for security, we also show that even our (most protected) static implementation is at least as efficient as widely-deployed ECC cryptographic libraries, which offer much less protection.","PeriodicalId":13186,"journal":{"name":"IACR Trans. Cryptogr. Hardw. Embed. Syst.","volume":"5 1","pages":"557-589"},"PeriodicalIF":0.0000,"publicationDate":"2022-11-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"SoK: SCA-secure ECC in software - mission impossible?\",\"authors\":\"L. Batina, L. Chmielewski, Björn Haase, Niels Samwel, P. Schwabe\",\"doi\":\"10.46586/tches.v2023.i1.557-589\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"This paper describes an ECC implementation computing the X25519 keyexchange protocol on the Arm Cortex-M4 microcontroller. For providing protections against various side-channel and fault attacks we first review known attacks and countermeasures, then we provide software implementations that come with extensive mitigations, and finally we present a preliminary side-channel evaluation. To our best knowledge, this is the first public software claiming affordable protection against multiple classes of attacks that are motivated by distinct real-world application scenarios. We distinguish between X25519 with ephemeral keys and X25519 with static keys and show that the overhead to our baseline unprotected implementation is about 37% and 243%, respectively. While this might seem to be a high price to pay for security, we also show that even our (most protected) static implementation is at least as efficient as widely-deployed ECC cryptographic libraries, which offer much less protection.\",\"PeriodicalId\":13186,\"journal\":{\"name\":\"IACR Trans. Cryptogr. Hardw. Embed. Syst.\",\"volume\":\"5 1\",\"pages\":\"557-589\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2022-11-29\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IACR Trans. Cryptogr. Hardw. Embed. Syst.\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.46586/tches.v2023.i1.557-589\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IACR Trans. Cryptogr. Hardw. Embed. Syst.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.46586/tches.v2023.i1.557-589","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

摘要

本文介绍了在Arm Cortex-M4微控制器上实现X25519密钥交换协议的ECC实现。为了提供针对各种侧信道和故障攻击的保护，我们首先审查已知的攻击和对策，然后提供带有广泛缓解措施的软件实现，最后我们提出初步的侧信道评估。据我们所知，这是第一个声称可以负担得起的针对多种攻击的公共软件，这些攻击是由不同的现实世界应用程序场景引起的。我们区分了使用临时密钥的X25519和使用静态密钥的X25519，并表明基线无保护实现的开销分别约为37%和243%。虽然这似乎是为安全性付出的高昂代价，但我们也表明，即使我们的(最受保护的)静态实现至少与广泛部署的ECC加密库一样高效，后者提供的保护要少得多。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

SoK: SCA-secure ECC in software - mission impossible?

This paper describes an ECC implementation computing the X25519 keyexchange protocol on the Arm Cortex-M4 microcontroller. For providing protections against various side-channel and fault attacks we first review known attacks and countermeasures, then we provide software implementations that come with extensive mitigations, and finally we present a preliminary side-channel evaluation. To our best knowledge, this is the first public software claiming affordable protection against multiple classes of attacks that are motivated by distinct real-world application scenarios. We distinguish between X25519 with ephemeral keys and X25519 with static keys and show that the overhead to our baseline unprotected implementation is about 37% and 243%, respectively. While this might seem to be a high price to pay for security, we also show that even our (most protected) static implementation is at least as efficient as widely-deployed ECC cryptographic libraries, which offer much less protection.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

IACR Trans. Cryptogr. Hardw. Embed. Syst.

自引率

0.00%

发文量

期刊最新文献

MMM: Authenticated Encryption with Minimum Secret State for Masking Don't Forget Pairing-Friendly Curves with Odd Prime Embedding Degrees LPN-based Attacks in the White-box Setting Enhancing Quality and Security of the PLL-TRNG Protecting Dilithium against Leakage Revisited Sensitivity Analysis and Improved Implementations