A Simulator for Evaluating the Leakage in Arithmetic Circuits

Audrey LUCAS

CNRS, IRISA UMR 6074

CryptArchi 2018
Outline

1. Introduction
2. Simulator for Evaluating the Leakage in Arithmetic Circuits
3. Experimentation Results
4. Conclusion
Elliptic Curve Cryptography (ECC) over $\mathbb{F}_p$

$E : y^2 = x^3 + ax + b$

Point doubling (DBL)

Point addition (ADD)

Scalar multiplication (SM)

$[k]P = \underbrace{P + P + \ldots + P}_{k \text{ times}}$
Algorithm 1: Double and add

Input: $P$ and $k = (k_{m-1}, \ldots, k_0)_2$

Result: $[k] \cdot P$

$T \leftarrow 0$

for $i = m - 1$ down to $0$ do

  $T \leftarrow 2 \cdot T$ (DBL)

  if $k_i = 1$ then

    $T \leftarrow T + P$ (ADD)

Physical Attacks

Observation: Side Channel Attacks (SCA)
- Computation time, power consumption, electromagnetic radiation, ... 
- Simple power analysis (SPA), differential power analysis (DPA), ... 

Side channel attacks

(Figure: the message "CryptArchi" goes through the cryptosystem and comes out as the ciphertext "hu#dzs7axm"; the attacker observes the cryptosystem while it computes.)
Physical Attacks

Perturbation: Fault Attacks (FA)
- Clock, supply voltage, laser, ...
- Bit flip fault, stuck-at fault, ...
- Safe error, differential fault analysis (DFA), ...

(Figure: normal run, CryptArchi $\rightarrow$ Cryptosystem $\rightarrow$ hu#dz7axm0avc; with a fault injected into the cryptosystem, CryptArchi $\rightarrow$ Crypto%#0tem $\rightarrow$ hu#dze14@qaf, the faulty output differs.)
Physical Attacks

Countermeasures against SCAs

- Randomization: scalar masking, point blinding, scalar recoding, ...
- Uniformization: uniform curve, regular algorithm, ...
- Hardware: specific logic styles, reconfiguration, ...

Countermeasures against FAs

- Hardware: shielding, sensor, ...
- Redundancy calculation: time, space, ...
- ECC case: verification of point coordinates onto the elliptic curve.
Protection against one type of attack may leave the system vulnerable to another type of attack.

**Regular SM**

<table>
<thead>
<tr>
<th>1</th>
<th>1</th>
<th>0</th>
<th>0</th>
<th>1</th>
</tr>
</thead>
<tbody>
<tr>
<td>DBL</td>
<td>ADD</td>
<td>DBL</td>
<td>ADD</td>
<td>DBL</td>
</tr>
</tbody>
</table>

Are FA countermeasures resistant against SCA?
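Algorithm 1 and the Regular SM comparison above, as an added example that is not code from the slides: a toy curve over $\mathbb{F}_{97}$ (constructed here) runs double-and-add while logging the DBL/ADD sequence, shows that the sequence alone gives back $k$, and contrasts it with a regular double-and-add-always variant whose sequence is independent of $k$.

```python
P_MOD, A = 97, 2                   # constructed toy curve y^2 = x^3 + 2x + 3 over F_97
INF = None                         # point at infinity

def add(P, Q):
    """Affine point addition; doubles when P == Q, handles the infinity cases."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    if P[0] == Q[0] and (P[1] + Q[1]) % P_MOD == 0:
        return INF                                   # P == -Q
    if P == Q:
        lam = (3 * P[0] ** 2 + A) * pow(2 * P[1], -1, P_MOD) % P_MOD
    else:
        lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, P_MOD) % P_MOD
    x = (lam * lam - P[0] - Q[0]) % P_MOD
    return (x, (lam * (P[0] - x) - P[1]) % P_MOD)

def double_and_add(k, P):
    """Algorithm 1: returns [k]P and the DBL/ADD sequence an SPA observer sees
    (one DBL per bit, an ADD only when k_i = 1)."""
    T, trace = INF, []
    for bit in bin(k)[2:]:                           # k_{m-1} ... k_0
        T = add(T, T); trace.append("DBL")
        if bit == "1":
            T = add(T, P); trace.append("ADD")
    return T, trace

def recover_scalar(trace):
    """What the leak gives away: k rebuilt from the DBL/ADD pattern alone."""
    bits = ""
    for op in trace:
        bits = bits + "0" if op == "DBL" else bits[:-1] + "1"
    return int(bits, 2)

def regular_double_and_add(k, P):
    """Regular SM (double-and-add-always): DBL and ADD in every iteration, the
    ADD result being discarded for a 0 bit, so the sequence no longer depends
    on k. The dummy ADD is exactly what a safe-error fault attack probes."""
    T, trace = INF, []
    for bit in bin(k)[2:]:
        T = add(T, T); trace.append("DBL")
        U = add(T, P); trace.append("ADD")
        T = U if bit == "1" else T
    return T, trace
```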
Outline

1. Introduction

2. Simulator for Evaluating the Leakage in Arithmetic Circuits
   - Simulator Characteristics
   - Simulator Behavior

3. Experimentation Results

4. Conclusion
Simulator for Evaluating the Leakage in Arithmetic Circuits

Objective

Detection of strength/weakness of:
- Data representation (field element, point of curve)
- Computation algorithms (field and curve levels)

Attacks:
- Identify potential arithmetic leaks
- Use these leaks for preparing some SCAs (e.g. template attacks)
  - the attacker knows where to search in real traces

Protections:
- Help designer to locate the leaks at design time
- Countermeasures evaluation (e.g. against FA)
Preliminary

The simulator should be accurate but fast (VHDL simulations are too slow).

**Typical Targeted Architecture**

- $w$-bit microcontroller:
  - arithmetic units: adder ($w\text{add}$), multiplier ($w\text{mul}$)
  - control
  - register file
  - ...

**Simulated Architecture for Experiment**

- Focus on $w = 32$ and arithmetic units
- Target small core (1 $w\text{add}$, 1 $w\text{mul}$)
- Can be extended to larger cores ($n_a$ $w\text{add}$, $n_m$ $w\text{mul}$)
Preliminary

Implemented in Python and SageMath

Arithmetic

- Field operation modulo $p$ ($p$ generic)
- Montgomery representation ($\beta = 2^{32}$)
- Multiplication with Karatsuba
- Montgomery reduction

Notations

- Field addition: $f\text{add}$
- Field multiplication: $f\text{mul}$
Formulas Integration

Create a table for formulas
- 1 line corresponds to 1 field operation
- Field operation: 2 inputs and 1 output

Operation scheduling according to dependencies
- Add a "step" notion (latency)
  - 1 fmul per step
  - many fadds per step

Writing code file for SM

<table>
<thead>
<tr>
<th>Output</th>
<th>Inputs</th>
<th>Ope</th>
<th>Step</th>
</tr>
</thead>
<tbody>
<tr>
<td>xx</td>
<td>X₁,X₁</td>
<td>fmul</td>
<td>1</td>
</tr>
<tr>
<td>T₀</td>
<td>X₁,Y₁</td>
<td>fadd</td>
<td></td>
</tr>
<tr>
<td>T₁</td>
<td>T₀,T₀</td>
<td>fadd</td>
<td></td>
</tr>
<tr>
<td>M</td>
<td>T₁,T₀</td>
<td>fadd</td>
<td></td>
</tr>
<tr>
<td>A</td>
<td>M,M</td>
<td>fmul</td>
<td>2</td>
</tr>
<tr>
<td>T₂</td>
<td>xx,T₁</td>
<td>fadd</td>
<td></td>
</tr>
<tr>
<td>B</td>
<td>T₂,T₀</td>
<td>fadd</td>
<td></td>
</tr>
<tr>
<td>X</td>
<td>B,B</td>
<td>fadd</td>
<td></td>
</tr>
</tbody>
</table>
Activity Monitoring

- Each field operation uses several arithmetic units
- Recording of input and output in all arithmetic units
- Obtained activity traces for field operations estimated by Hamming weight (HW) variation

Field Addition Example

(Figure: field addition of $X = (x_0, x_1, \ldots)_{2^{32}}$ and $Y = (y_0, y_1, \ldots)_{2^{32}}$, with 32-bit words.)
Fusion of Traces

The global trace is constructed by fusing the traces of the field operations:
- During $\text{fmul}$, the adder is sometimes idle.
- When the adder is idle during $\text{fmul}$ $\Rightarrow$ an $\text{fadd}$ is performed in parallel with the $\text{fmul}$.

This parallelism keeps the model close to a real processor.
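The formulas table, activity monitoring and trace fusion of the preceding slides, as an added Python example that is not the slides' simulator: field elements are split into 32-bit words, every adder and multiplier use records the Hamming weight of its inputs and output, and the traces of the operations sharing a step are fused cycle by cycle. The modulus, the inputs and the schoolbook multiplication are assumptions (the slides use Karatsuba with Montgomery reduction), and the final reduction is not traced.

```python
W, NWORDS = 32, 4
MASK = (1 << W) - 1
P = (1 << 127) - 1                  # constructed modulus p (a Mersenne prime)

def words(x):                       # x = (x_0, x_1, ...)_{2^32}, little-endian
    return [(x >> (W * i)) & MASK for i in range(NWORDS)]

def hw(x): return bin(x).count("1")

def fadd(x, y):
    """Word-serial addition: one adder cycle per word, recording the HW of the
    adder's two inputs and its output. The final reduction is not traced."""
    trace, carry, acc = [], 0, 0
    for i, (a, b) in enumerate(zip(words(x), words(y))):
        s = a + b + carry
        carry, r = s >> W, s & MASK
        trace.append(hw(a) + hw(b) + hw(r))
        acc |= r << (W * i)
    return (acc | carry << (W * NWORDS)) % P, trace

def fmul(x, y):
    """One multiplier cycle per word product (schoolbook, a simplification of
    the slides' Karatsuba + Montgomery). Same HW recording as fadd."""
    trace = [hw(a) + hw(b) + hw(a * b) for a in words(x) for b in words(y)]
    return (x * y) % P, trace

def run(table, env):
    """table rows are (output, (in1, in2), op, step) as in the formulas table;
    a blank step means 'same step as the previous fmul'. The fadd traces of a
    step are fused into the fmul cycles (the adder is idle during fmul)."""
    per_step, cur = {}, 0
    for out, (i1, i2), op, step in table:
        cur = step if step is not None else cur
        env[out], trace = (fmul if op == "fmul" else fadd)(env[i1], env[i2])
        per_step.setdefault(cur, []).append(trace)
    global_trace = []
    for step in sorted(per_step):
        traces = per_step[step]
        for c in range(max(len(t) for t in traces)):
            global_trace.append(sum(t[c] for t in traces if c < len(t)))
    return global_trace

# The doubling-formula fragment from the slides' table, with constructed inputs
DBL_TABLE = [
    ("xx", ("X1", "X1"), "fmul", 1), ("T0", ("X1", "Y1"), "fadd", None),
    ("T1", ("T0", "T0"), "fadd", None), ("M", ("T1", "T0"), "fadd", None),
    ("A", ("M", "M"), "fmul", 2), ("T2", ("xx", "T1"), "fadd", None),
    ("B", ("T2", "T0"), "fadd", None), ("X", ("B", "B"), "fadd", None),
]
```

Calling `run(DBL_TABLE, {"X1": 3, "Y1": 5})` gives a 32-cycle global trace (two steps of 16 multiplier cycles each) whose per-cycle values are the summed unit activity.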
Experimentation

- Operation sequence: 3 fadds
- fadd algorithm: $\mu$NaCl library
  - Cryptography library for microcontrollers
  - ECC: Montgomery curve
- Random inputs
Trace of 3 Field Additions (figure)

Experimentation Results

Discussion

Mathematical validation

Comparison of the simulator's results with the same computation done in SageMath

Strengths

- Faster simulation than using a VHDL description
  - data width > 100 bits ⇒ very slow in VHDL
- Simulator is configurable
- Adaptable to many curves, algorithms and representations of mathematical objects
- Adaptable to various numbers of wadd and wmul

Future work

Calibration of the architecture model with real measurement
Conclusion

What is done

Low level arithmetic simulator:
- for Weierstrass curve
- for Montgomery curve

Future work

- Architecture model calibration
- Implementation and evaluation of protections against FA
- Use the simulator to prepare and optimize attacks
Thank you for your attention.

Questions?