Paper 2021/1003
SCA-secure ECC in software – mission impossible?
Abstract
This paper describes an ECC implementation computing the X25519 key-exchange protocol on the Arm Cortex-M4 microcontroller. For providing protections against various side-channel and fault attacks we first review known attacks and countermeasures, then we provide software implementations that come with extensive mitigations, and finally we present a preliminary side-channel evaluation. To the best of our knowledge, this is the first public software claiming affordable protection against multiple classes of attacks that are motivated by distinct real-world application scenarios. We distinguish between X25519 with ephemeral keys and X25519 with static keys and show that the overhead to our baseline unprotected implementation is about 37% and 243%, respectively. While this might seem to be a high price to pay for security, we also show that even our (most protected) static implementation is at least as efficient as widely-deployed ECC cryptographic libraries, which offer much less protection.
Metadata
- Category: Implementation
- Publication info: Preprint.
- Keywords: Elliptic Curve Cryptography, Side-Channel Analysis, Fault Injection
- Contact author(s): lukchmiel @ gmail com
- History:
  - 2022-11-04: last of 5 revisions
  - 2021-08-03: received
- Short URL: https://ia.cr/2021/1003
- License: CC BY
BibTeX
@misc{cryptoeprint:2021/1003,
  author = {Lejla Batina and Łukasz Chmielewski and Björn Haase and Niels Samwel and Peter Schwabe},
  title = {{SCA}-secure {ECC} in software – mission impossible?},
  howpublished = {Cryptology {ePrint} Archive, Paper 2021/1003},
  year = {2021},
  url = {https://eprint.iacr.org/2021/1003}
}