Cryptology ePrint Archive: Report 2021/1003

SCA-secure ECC in software – mission impossible?

Lejla Batina and Łukasz Chmielewski and Björn Haase and Niels Samwel and Peter Schwabe

Abstract: This paper describes an ECC implementation computing the X25519 key-exchange protocol on the ARM Cortex-M4 microcontroller. This software comes with extensive mitigations against various side-channel and fault attacks and is, to the best of our knowledge, the first to claim affordable protection against multiple classes of attacks that are motivated by distinct real-world application scenarios. We also present the results of a comprehensive side-channel evaluation. We distinguish between X25519 with ephemeral keys and X25519 with static keys and show that the overhead to protect the two is about 36% and 239% respectively. While this might seem a high price to pay for security, we also show that even our (most protected) static implementation is more efficient than widely deployed ECC cryptographic libraries, which offer far fewer protections.

Category / Keywords: implementation / Elliptic Curve Cryptography, Side-Channel Analysis, Fault Injection

Date: received 28 Jul 2021, last revised 4 Aug 2021

Contact author: lukchmiel at gmail com


Version: 20210804:222746

Short URL: ia.cr/2021/1003
