52 Things: Number 44: Describe some basic (maybe ineffective) defences against side channel attacks proposed in the literature for ECC.
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know To Do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. This week we consider what can be done to mitigate the threat of side-channels against ECC implementations...
In this blog post we will discuss "some basic (maybe ineffective) defences against side channel attacks proposed in the literature for ECC". This can be seen as a complement to last week's blog, which asked the same question for AES.
Before we start the discussion, I want to clarify what kind of countermeasures we will be considering. From this point forward we will only be considering implementation-level countermeasures; I will not consider hardware countermeasures such as Dual Rail Logic, or location security such as putting the device in a concrete box. While the title says "maybe ineffective", I will stick to designs that at least have some hope of working. For example, wearing a tinfoil hat will not secure my credit card; it will clearly not work and so will not be discussed.
Elliptic curve cryptography as a rule is reasonably good when it comes to resisting side channel attacks but there are still some points that are worth considering.
Scalar Multiplication
As with most cryptography, scalar multiplication (normally exponentiation in other schemes) is a very leaky operation; this is well studied in RSA. Elliptic curve cryptography is no different, because the addition operator and the double operator behave differently. Various techniques that can be applied to RSA can also be applied here, such as exponent blinding, where for each scalar multiplication you choose a value $r$ such that $[a]P = [a+r]P$, where $a$ is the value you need to keep secret and $P$ is a generator of the curve. Since scalar multiplication only leaks information about the scalar, this technique only needs to be applied when you want to keep the scalar secret. Recently there has been work to create elliptic curves which have the same operation for double and add, which would resolve this issue.
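The blinding described above, as an added example that is not part of the original post: a double-and-add multiplier that records its operation sequence (the leak), next to a blinded version that uses a + r with r a random multiple of the order of P. The toy curve, the 16-bit blinding width and all function names are assumptions chosen for illustration.

```python
import secrets

# Constructed toy curve (textbook-sized): y^2 = x^3 + 2x + 2 over F_17,
# generator P = (5, 1) of prime order n = 19. Far too small for real use.
p, A, B = 17, 2, 2
P, n = (5, 1), 19
INF = None  # point at infinity

def add(Q, R):
    """Affine point addition; doubling takes a different branch from addition."""
    if Q is INF:
        return R
    if R is INF:
        return Q
    (x1, y1), (x2, y2) = Q, R
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    if Q == R:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, Q):
    """Left-to-right double-and-add. Returns ([k]Q, trace), where the trace
    of D(ouble)/A(dd) operations spells out the bits of k."""
    acc, ops = INF, []
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        ops.append("D")
        if bit == "1":
            acc = add(acc, Q)
            ops.append("A")
    return acc, "".join(ops)

def blinded_mul(a, Q, blind_bits=16):
    """Compute [a]Q as [a + r]Q with r a fresh random nonzero multiple of n,
    so that [r]Q is the point at infinity and [a + r]Q = [a]Q."""
    r = n * (1 + secrets.randbelow(2**blind_bits - 1))
    return mul(a + r, Q)

if __name__ == "__main__":
    a = 13  # constructed secret scalar
    print(mul(a, P))          # same trace on every run
    print(blinded_mul(a, P))  # same point, trace of a + r changes per run
```
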
Is a point on the curve?
Sometimes an $x$ value is chosen, and to learn if it is on the curve you use the Jacobi symbol to learn if $x^3 + a \cdot x + b$ is square. If it is, $(x, y)$ is an elliptic curve point. As can be seen by the algorithm in the link, the process of calculating the Jacobi symbol is variable length and thus may leak information about the secret value $x^3 + a \cdot x + b$. Since we are only interested in whether $x^3 + a \cdot x + b$ is square, we note that $x^3 + a \cdot x + b$ is square if and only if $r^2 \cdot (x^3 + a \cdot x + b)$ is, for random $r$. Using this technique we can check if $x$ is a valid point on the curve, but since it has been blinded by a random $r$ this will not leak anything about the underlying point.
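The blinded check described above, as an added example that is not part of the original post: a binary Jacobi symbol routine that also reports its iteration count (the variable-length behaviour), applied to $r^2 \cdot (x^3 + a \cdot x + b)$ for a fresh nonzero $r$. The prime, the coefficients A and B and the function names are assumptions chosen for illustration.

```python
import secrets

# Constructed parameters for illustration (not a standardised curve):
# y^2 = x^3 + A*x + B over F_p with p = 2^127 - 1, a Mersenne prime.
p = 2**127 - 1
A, B = 3, 7

def rhs(x):
    """Right-hand side x^3 + A*x + B of the curve equation, reduced mod p."""
    return (pow(x, 3, p) + A * x + B) % p

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, returned with the number of loop
    iterations taken, which depends on the input value."""
    a %= n
    result, steps = 1, 0
    while a:
        while a % 2 == 0:            # strip factors of two
            a //= 2
            if n % 8 in (3, 5):
                result = -result
            steps += 1
        a, n = n, a                  # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
        steps += 1
    return (result if n == 1 else 0), steps

def blinded_symbol(x):
    """Symbol of rhs(x), computed on r^2 * rhs(x) so the value fed to the
    variable-length routine is re-randomised on every call."""
    r = 1 + secrets.randbelow(p - 1)     # r != 0, so r^2 is a nonzero square
    return jacobi(r * r * rhs(x) % p, p)

def x_is_on_curve(x):
    """True if some y satisfies the curve equation for this x."""
    symbol, _ = blinded_symbol(x)
    return symbol >= 0   # 1: rhs is a nonzero square; 0: rhs is 0, y = 0

if __name__ == "__main__":
    x = 5  # constructed input
    print(jacobi(rhs(x), p))                      # fixed step count for this x
    print([blinded_symbol(x) for _ in range(3)])  # same symbol, varying steps
```
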
Theoretically secure
While against known side channel attacks elliptic curves are reasonably secure without much help, it is possible to secret share certain schemes to enhance the security. Providing that each share leaks independently it is possible to create schemes which are provably secure against arbitrary leakage functions (including ones which can only happen in theory and not in practice). This area of cryptography has become known as Leakage Resilient Cryptography.