Paper 2021/549

High-assurance field inversion for curve-based cryptography

Benjamin Salling Hvass, Aarhus University
Diego F. Aranha, Aarhus University
Bas Spitters, Aarhus University
Abstract

The security of modern cryptography depends on multiple factors, from sound hardness assumptions to correct implementations that resist side-channel cryptanalysis. Curve-based cryptography is not different in this regard, and substantial progress in the last few decades has been achieved in both selecting parameters and devising secure implementation strategies. In this context, the security of implementations of field inversion is sometimes overlooked in the research literature, because (i) the approach based on Fermat's Little Theorem (FLT) suffices performance-wise for many parameters used in practice; (ii) it is typically invoked only at the very end of a cryptographic computation, with a small impact on performance; (iii) it is challenging to implement securely for general parameters without a significant performance penalty. However, field inversion can process sensitive information and must be protected with side-channel countermeasures like any other cryptographic operation, as illustrated by recent attacks. In this work, we focus on implementing field inversion for primes of cryptographic interest with security against timing attacks, irrespective of whether the FLT-based inversion can be efficiently implemented. We extend the Fiat-Crypto framework, which synthesizes provably correct-by-construction implementations, to implement the Bernstein-Yang inversion algorithm as a step towards this goal. This allows a correct implementation of prime field inversion to be synthesized for any prime. We benchmark the implementations across a range of primes for curve-based cryptography and they outperform traditional FLT-based approaches in most cases, with observed speedups up to 2 for the largest parameters. Our work is already used in production in the MirageOS unikernel operating system, $\mathtt{zig}$ programming language, and the ECCKiila framework.

Note: Correcting typo.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. Minor revision. IEEE CSF2023
DOI
10.1109/CSF57540.2023.00008
Keywords
Field inversionConstant-time executionImplementation securityFormal verification.
Contact author(s)
bsh @ cs au dk
dfaranha @ cs au dk
spitters @ cs au dk
History
2024-05-20: last of 5 revisions
2021-04-27: received
See all versions
Short URL
https://ia.cr/2021/549
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/549,
      author = {Benjamin Salling Hvass and Diego F.  Aranha and Bas Spitters},
      title = {High-assurance field inversion for curve-based cryptography},
      howpublished = {Cryptology {ePrint} Archive, Paper 2021/549},
      year = {2021},
      doi = {10.1109/CSF57540.2023.00008},
      url = {https://eprint.iacr.org/2021/549}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.