Cryptology ePrint Archive: Report 2021/1003

SCA-secure ECC in software – mission impossible?

Lejla Batina and Łukasz Chmielewski and Björn Haase and Niels Samwel and Peter Schwabe

Abstract: This paper describes an ECC implementation computing the X25519 key-exchange protocol on the ARM Cortex-M4 microcontroller. This software comes with extensive mitigations against various side-channel and fault attacks and is, to our best knowledge, the first to claim affordable protection against multiple classes of attacks that are motivated by distinct real-world application scenarios. We also present the results of a comprehensive side-channel evaluation. We distinguish between X25519 with ephemeral keys and X25519 with static keys and show that the overhead to protect the two is about 36% and 239% respectively. While this might seem to be a high price to pay for security, we also show that even our (most protected) static implementation is as efficient as widely-deployed ECC cryptographic libraries, which offer much less protection.

Category / Keywords: implementation / Elliptic Curve Cryptography, Side-Channel Analysis, Fault Injection

Date: received 28 Jul 2021, last revised 27 Sep 2021

Contact author: lukchmiel at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20210927:095300 (All versions of this report)

Short URL: ia.cr/2021/1003


[ Cryptology ePrint archive ]