International Association for Cryptologic Research

CryptoDB

SoK: SCA-secure ECC in software – mission impossible?

Authors:
Lejla Batina, Radboud University, Nijmegen, The Netherlands
Łukasz Chmielewski, Masaryk University, Brno, Czech Republic; Radboud University, Nijmegen, The Netherlands
Björn Haase, Endress+Hauser Liquid Analysis GmbH&Co. KG, Germany
Niels Samwel, Radboud University, Nijmegen, The Netherlands
Peter Schwabe, Max Planck Institute for Security and Privacy, Bochum, Germany; Radboud University, Nijmegen, The Netherlands
Download:
DOI: 10.46586/tches.v2023.i1.557-589
URL: https://tches.iacr.org/index.php/TCHES/article/view/9962
Abstract: This paper describes an ECC implementation computing the X25519 key exchange protocol on the Arm Cortex-M4 microcontroller. For providing protections against various side-channel and fault attacks we first review known attacks and countermeasures, then we provide software implementations that come with extensive mitigations, and finally we present a preliminary side-channel evaluation. To our best knowledge, this is the first public software claiming affordable protection against multiple classes of attacks that are motivated by distinct real-world application scenarios. We distinguish between X25519 with ephemeral keys and X25519 with static keys and show that the overhead to our baseline unprotected implementation is about 37% and 243%, respectively. While this might seem to be a high price to pay for security, we also show that even our (most protected) static implementation is at least as efficient as widely-deployed ECC cryptographic libraries, which offer much less protection.
BibTeX
@article{tches-2022-32696,
  title={SoK: SCA-secure ECC in software – mission impossible?},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2023, Issue 1},
  pages={557-589},
  url={https://tches.iacr.org/index.php/TCHES/article/view/9962},
  doi={10.46586/tches.v2023.i1.557-589},
  author={Lejla Batina and Łukasz Chmielewski and Björn Haase and Niels Samwel and Peter Schwabe},
  year=2022
}