52 Things: Number 44: Describe some basic (maybe ineffective) defences against side channel attacks proposed in the literature for ECC.
52 Things: Number 44: Describe some basic (maybe ineffective) defences against side channel attacks proposed in the literature for ECC.
52件事:第44件:描述文献中为ECC提出的一些针对侧信道攻击的基本(可能无效)防御措施。
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know To Do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. This week we consider what can be done to mitigate the threat of side-channels against ECC implementations...
这是一系列博客文章中的最新一篇,旨在解决“每个博士生在做密码学时应该知道的52件事”:这是一组问题,旨在让博士生在第一年结束时了解他们应该知道什么。本周,我们将考虑如何减轻副通道对ECC实施的威胁。。。
In this blog post we will discuss "some basic (maybe ineffective) defences against side channel attacks proposed in the literature for ECC". This can be seen as a complement to last weeks blog which asked the same question for AES.
在这篇博客文章中,我们将讨论“文献中为ECC提出的一些针对侧信道攻击的基本(可能无效)防御”。这可以被视为对上周为AES提出同样问题的博客的补充。
Before we start the discussion, I want to clarify what kind of countermeasures we will be considering. From this point forward we will only be considering implementation level countermeasures, I will not consider hardware countermeasures such as Dual Rail Logic, or location security such as putting it in a concrete box. While the title says "maybe ineffective" I will stick to designs that at least have some hope of working, for example wearing a tinfoil hat will not secure my credit card and will clearly not work and so will not be discussed.
在我们开始讨论之前,我想澄清一下我们将考虑什么样的对策。从这一点来看,我们将只考虑实施层面的对策,我不会考虑硬件对策,如双轨逻辑,或位置安全,如将其放在混凝土盒子中。虽然标题上写着“可能无效”,但我会坚持那些至少有希望奏效的设计,例如,戴一顶锡箔帽不会保护我的信用卡,显然也不会奏效,因此不会被讨论。
Elliptic curve cryptography as a rule is reasonably good when it comes to resisting side channel attacks but there are still some points that are worth considering.
椭圆曲线密码作为一种规则,在抵御侧信道攻击方面相当不错,但仍有一些值得考虑的地方。
Scalar Multiplication 标量乘法
As with most cryptography scalar multiplication (normally exponentiation in other schemes) is a very leaky operation, this is well studied in RSA. This is no different in elliptic curve cryptography because the addition operator and the double operator behave differently. Various techniques that can be applied to RSA can also be applied here, such as exponent blinding where for each scalar multiplication you choose a value r such that [a]P=[a+r]P where a is the value you require to keep secret and P is a generator of the curve. Since scalar multiplication only leaks information about the scalar this technique only needs to be applied when you want to keep the scalar secret. Recently there has been work to create elliptic curves which have the same operation for double and add which would resolve this issue.
与大多数密码学一样,标量乘法(在其他方案中通常为幂运算)是一种非常漏洞百出的运算,这在RSA中得到了很好的研究。这在椭圆曲线密码学中没有什么不同,因为加法运算符和双运算符的行为不同。可以应用于RSA的各种技术也可以在这里应用,例如指数盲法,其中对于每个标量乘法,您选择一个值 r ,这样#1,其中#2是您需要保密的值,#3是曲线的生成器。由于标量乘法只会泄露有关标量的信息,因此仅当您希望对标量保密时才需要应用此技术。最近已经有工作来创建椭圆曲线,该椭圆曲线对二重和加法具有相同的运算,这将解决这个问题。
Is a point on the curve?
曲线上有点吗?
Sometimes an x value is chosen and to learn if it is on the curve you use the Jacobi symbol to learn if x3+a⋅x+b is square. If it is (x,y) is an elliptic curve point. As can be seen by the algorithm in the link, the process of calculating the Jacobi symbol is variable length and thus may leak information about the secret value x3+a⋅x+b. Since we are only interesed if x3+a⋅x+b is square, we note that x3+a⋅x+b is square if and only if r2⋅(x3+a⋅x+b) is, for random r. Using this technique we can check if x is a valid point on the curve but since it has been blinded by a random r this will not leak anything about the underlying point.
有时会选择 x 值,为了了解它是否在曲线上,您可以使用Jacobi符号来了解 x3+a⋅x+b 是否为方形。如果是#2,则是一个椭圆曲线点。从链接中的算法可以看出,计算雅可比符号的过程是可变长度的,因此可能泄露有关秘密值 x3+a⋅x+b 的信息。由于我们只在#4是平方的情况下被插入,所以我们注意到 x3+a⋅x+b 是平方的当且仅当 r2⋅(x3+a⋅x+b) 是,对于随机 r 。使用此技术,我们可以检查 x 是否是曲线上的有效点,但由于它已被随机的 r 遮挡,因此不会泄露任何关于基础点的信息。
Theoretically secure 理论上安全
While against known side channel attacks elliptic curves are reasonably secure without much help, it is possible to secret share certain schemes to enhance the security. Providing that each share leaks independently it is possible to create schemes which are provably secure against arbitrary leakage functions (including ones which can only happen in theory and not in practice). This area of cryptography has become known as Leakage Resilient Cryptography.
虽然椭圆曲线在没有太多帮助的情况下对已知的侧信道攻击是相当安全的,但可以秘密共享某些方案来增强安全性。假设每个共享独立地泄漏,就有可能创建针对任意泄漏函数(包括只能在理论上发生而不能在实践中发生的泄漏函数)可证明安全的方案。密码学的这一领域被称为泄漏弹性密码学。
这是一系列博客文章中的最新一篇,旨在解决“每个博士生在做密码学时应该知道的52件事”:这是一组问题,旨在让博士生在第一年结束时了解他们应该知道什么。本周,我们将考虑如何减轻副通道对ECC实施的威胁。。。
In this blog post we will discuss "some basic (maybe ineffective) defences against side channel attacks proposed in the literature for ECC". This can be seen as a complement to last weeks blog which asked the same question for AES.
在这篇博客文章中,我们将讨论“文献中为ECC提出的一些针对侧信道攻击的基本(可能无效)防御”。这可以被视为对上周为AES提出同样问题的博客的补充。
Before we start the discussion, I want to clarify what kind of countermeasures we will be considering. From this point forward we will only be considering implementation level countermeasures, I will not consider hardware countermeasures such as Dual Rail Logic, or location security such as putting it in a concrete box. While the title says "maybe ineffective" I will stick to designs that at least have some hope of working, for example wearing a tinfoil hat will not secure my credit card and will clearly not work and so will not be discussed.
在我们开始讨论之前,我想澄清一下我们将考虑什么样的对策。从这一点来看,我们将只考虑实施层面的对策,我不会考虑硬件对策,如双轨逻辑,或位置安全,如将其放在混凝土盒子中。虽然标题上写着“可能无效”,但我会坚持那些至少有希望奏效的设计,例如,戴一顶锡箔帽不会保护我的信用卡,显然也不会奏效,因此不会被讨论。
Elliptic curve cryptography as a rule is reasonably good when it comes to resisting side channel attacks but there are still some points that are worth considering.
椭圆曲线密码作为一种规则,在抵御侧信道攻击方面相当不错,但仍有一些值得考虑的地方。
Scalar Multiplication 标量乘法
As with most cryptography scalar multiplication (normally exponentiation in other schemes) is a very leaky operation, this is well studied in RSA. This is no different in elliptic curve cryptography because the addition operator and the double operator behave differently. Various techniques that can be applied to RSA can also be applied here, such as exponent blinding where for each scalar multiplication you choose a value r such that [a]P=[a+r]P where a is the value you require to keep secret and P is a generator of the curve. Since scalar multiplication only leaks information about the scalar this technique only needs to be applied when you want to keep the scalar secret. Recently there has been work to create elliptic curves which have the same operation for double and add which would resolve this issue.
与大多数密码学一样,标量乘法(在其他方案中通常为幂运算)是一种非常漏洞百出的运算,这在RSA中得到了很好的研究。这在椭圆曲线密码学中没有什么不同,因为加法运算符和双运算符的行为不同。可以应用于RSA的各种技术也可以在这里应用,例如指数盲法,其中对于每个标量乘法,您选择一个值 r ,这样#1,其中#2是您需要保密的值,#3是曲线的生成器。由于标量乘法只会泄露有关标量的信息,因此仅当您希望对标量保密时才需要应用此技术。最近已经有工作来创建椭圆曲线,该椭圆曲线对二重和加法具有相同的运算,这将解决这个问题。
Is a point on the curve?
曲线上有点吗?
Sometimes an x value is chosen and to learn if it is on the curve you use the Jacobi symbol to learn if x3+a⋅x+b is square. If it is (x,y) is an elliptic curve point. As can be seen by the algorithm in the link, the process of calculating the Jacobi symbol is variable length and thus may leak information about the secret value x3+a⋅x+b. Since we are only interesed if x3+a⋅x+b is square, we note that x3+a⋅x+b is square if and only if r2⋅(x3+a⋅x+b) is, for random r. Using this technique we can check if x is a valid point on the curve but since it has been blinded by a random r this will not leak anything about the underlying point.
有时会选择 x 值,为了了解它是否在曲线上,您可以使用Jacobi符号来了解 x3+a⋅x+b 是否为方形。如果是#2,则是一个椭圆曲线点。从链接中的算法可以看出,计算雅可比符号的过程是可变长度的,因此可能泄露有关秘密值 x3+a⋅x+b 的信息。由于我们只在#4是平方的情况下被插入,所以我们注意到 x3+a⋅x+b 是平方的当且仅当 r2⋅(x3+a⋅x+b) 是,对于随机 r 。使用此技术,我们可以检查 x 是否是曲线上的有效点,但由于它已被随机的 r 遮挡,因此不会泄露任何关于基础点的信息。
Theoretically secure 理论上安全
While against known side channel attacks elliptic curves are reasonably secure without much help, it is possible to secret share certain schemes to enhance the security. Providing that each share leaks independently it is possible to create schemes which are provably secure against arbitrary leakage functions (including ones which can only happen in theory and not in practice). This area of cryptography has become known as Leakage Resilient Cryptography.
虽然椭圆曲线在没有太多帮助的情况下对已知的侧信道攻击是相当安全的,但可以秘密共享某些方案来增强安全性。假设每个共享独立地泄漏,就有可能创建针对任意泄漏函数(包括只能在理论上发生而不能在实践中发生的泄漏函数)可证明安全的方案。密码学的这一领域被称为泄漏弹性密码学。
The Working Class Must Lead!