Energy-Scalable Montgomery-Curve ECDH Key Exchange for ARM Cortex-M3 Microcontrollers

2018 6th International Conference on Future Internet of Things and Cloud Workshops (FiCloudW) Pub Date : 2018-08-01 DOI:10.1109/W-FICLOUD.2018.00044

Christian Franck, J. Großschädl, Yann Le Corre, Cyrille Lenou Tago

{"title":"Energy-Scalable Montgomery-Curve ECDH Key Exchange for ARM Cortex-M3 Microcontrollers","authors":"Christian Franck, J. Großschädl, Yann Le Corre, Cyrille Lenou Tago","doi":"10.1109/W-FICLOUD.2018.00044","DOIUrl":null,"url":null,"abstract":"The number of smart devices connected to the Internet is growing at an enormous pace and will reach 30 billion within the next five years. A large fraction of these devices have limited processing capabilities and energy supply, which makes the execution of computation-intensive cryptographic algorithms very costly. This problem is exacerbated by the fact that basic optimization techniques like loop unrolling can not (always) be applied since cryptographic software for the IoT often needs to meet strict constraints on code size to not exceed the program storage capacity of the target device. In this paper we introduce SECCCM3, a \"lightweight\" software library for scalable elliptic curve cryptography on ARM Cortex-M3 microcontrollers. The current version of SECCCM3 is able to carry out variable-base scalar multiplication on Montgomery-form curves over pseudo-Mersenne prime fields, such as Curve25519, and can be used to implement static ECDH key exchange. SECCCM3 is scalable in the sense that it supports curves of different order (as long as certain conditions are met), thereby enabling trade-offs between security and execution time (resp. energy dissipation). We made an effort to protect the field arithmetic against Timing Attacks (TAs) and Simple Power Analysis (SPA), taking into account the so-called early-termination effect of the Cortex-M3 integer multiplier, which makes the latency of \"long\" multiply instructions operand-dependent. Our experiments show that the integration of countermeasures against information leakage caused by this effect increases the execution time by 34%, while the code size grows by 13%. A TA and SPA-resistant scalar multiplication on Curve25519 has an execution time of 4.565 million clock cycles and consumes approximately 2.3 mJ of energy when executed on a STM32L152RE Cortex-M3 microcontroller. SECCCM3 has a binary code size of 4.0 kB, which includes domain parameters for curves over 159, 191, 223, and 255-bit prime fields.","PeriodicalId":218683,"journal":{"name":"2018 6th International Conference on Future Internet of Things and Cloud Workshops (FiCloudW)","volume":"31 8 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 6th International Conference on Future Internet of Things and Cloud Workshops (FiCloudW)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/W-FICLOUD.2018.00044","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 3

Abstract

The number of smart devices connected to the Internet is growing at an enormous pace and will reach 30 billion within the next five years. A large fraction of these devices have limited processing capabilities and energy supply, which makes the execution of computation-intensive cryptographic algorithms very costly. This problem is exacerbated by the fact that basic optimization techniques like loop unrolling can not (always) be applied since cryptographic software for the IoT often needs to meet strict constraints on code size to not exceed the program storage capacity of the target device. In this paper we introduce SECCCM3, a "lightweight" software library for scalable elliptic curve cryptography on ARM Cortex-M3 microcontrollers. The current version of SECCCM3 is able to carry out variable-base scalar multiplication on Montgomery-form curves over pseudo-Mersenne prime fields, such as Curve25519, and can be used to implement static ECDH key exchange. SECCCM3 is scalable in the sense that it supports curves of different order (as long as certain conditions are met), thereby enabling trade-offs between security and execution time (resp. energy dissipation). We made an effort to protect the field arithmetic against Timing Attacks (TAs) and Simple Power Analysis (SPA), taking into account the so-called early-termination effect of the Cortex-M3 integer multiplier, which makes the latency of "long" multiply instructions operand-dependent. Our experiments show that the integration of countermeasures against information leakage caused by this effect increases the execution time by 34%, while the code size grows by 13%. A TA and SPA-resistant scalar multiplication on Curve25519 has an execution time of 4.565 million clock cycles and consumes approximately 2.3 mJ of energy when executed on a STM32L152RE Cortex-M3 microcontroller. SECCCM3 has a binary code size of 4.0 kB, which includes domain parameters for curves over 159, 191, 223, and 255-bit prime fields.

查看原文本刊更多论文

ARM Cortex-M3微控制器的能量可扩展montgomery曲线ECDH密钥交换

连接到互联网的智能设备的数量正在以惊人的速度增长，并将在未来五年内达到300亿。这些设备中的很大一部分具有有限的处理能力和能量供应，这使得执行计算密集型加密算法的成本非常高。由于物联网的加密软件通常需要满足对代码大小的严格限制，以不超过目标设备的程序存储容量，因此不能(总是)应用诸如循环展开之类的基本优化技术，这一事实加剧了这个问题。本文介绍了SECCCM3，一个用于ARM Cortex-M3微控制器上可扩展椭圆曲线加密的“轻量级”软件库。当前版本的SECCCM3能够在伪mersenne素数域(如Curve25519)上对montgomery型曲线进行变基标量乘法，并可用于实现静态ECDH密钥交换。SECCCM3是可伸缩的，因为它支持不同顺序的曲线(只要满足某些条件)，从而可以在安全性和执行时间之间进行权衡。能量耗散)。我们努力保护字段算法免受时序攻击(TAs)和简单功率分析(SPA)，考虑到所谓的Cortex-M3整数乘子的早期终止效应，这使得“长”乘法指令的延迟依赖于操作数。我们的实验表明，针对这种影响导致的信息泄漏的对策集成使执行时间增加了34%，而代码大小增加了13%。在STM32L152RE Cortex-M3微控制器上执行时，Curve25519上抗TA和spa的标量乘法的执行时间为456.5万个时钟周期，消耗约2.3 mJ的能量。SECCCM3的二进制码大小为4.0 kB，其中包括159、191、223和255位素数域曲线的域参数。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2018 6th International Conference on Future Internet of Things and Cloud Workshops (FiCloudW)

自引率

0.00%

发文量