Boffins boost IETF crypto efforts
Nice elliptic curves, now show us your hardware so we can do this to TLS
A pair of German engineers want to give the adoption of new crypto in the IETF a push by putting the curves in RFC 7748 into hardware.
RFC 7748 came out of the IETF's research arm, the IRTF Crypto Forum Research Group, and specifies two new elliptic curves for use in protocols such as Transport Layer Security (TLS).
Moving from research to the real world needs implementations, and as Pascal Sasdrich and Tim Güneysu write, that poses a problem for the two curves, Curve25519 and Curve448: they were designed with software implementations in mind.
With software in mind, the paper says, cache and timing side channels were treated as the relevant threat, whereas an attacker with physical access to dedicated hardware can also analyse its power consumption, its electromagnetic emissions, and so on.
Hardware implementation offers a way to use the curves where higher performance is needed, but it exposes the algorithm to exactly those physical side-channel attacks, which have been demonstrated against real devices many times over the years.
The pair, from Ruhr-Universität Bochum and the University of Bremen and DFKI, reckon they've cracked the problem for Curve448 (others had already worked on putting Curve25519 in hardware).
Attractively, their approach isn't particularly demanding: it “can be implemented on a Xilinx XC7Z7020 at moderate costs of just 963 logic and 30 DSP slices and performs a scalar multiplication in 2.5ms”, they write.
To defeat such attackers, their hardware Curve448 implementation combines three countermeasures: address shuffling, coordinate randomisation and scalar blinding, the last being the most computationally expensive. For those who understand the mathematics behind cryptography, the paper discusses the countermeasures in depth.
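To make the two arithmetic countermeasures concrete, here is an added example (not code from the paper, whose Curve448 design is in hardware, nor from any library): a plain RFC 7748 Montgomery ladder next to a version that applies scalar blinding and randomised projective coordinates. It uses X25519 rather than X448 only because its constants and RFC test vectors are short; the ladder and both countermeasures have the same shape for Curve448. Address shuffling is a memory-layout measure in the hardware and is not shown. The 64-bit blinding width, the way the random λ values are sampled and the on-curve check are this example's own choices, not the paper's.

```python
"""RFC 7748 X25519 ladder, plain and with scalar blinding plus randomised
projective coordinates.  Added illustration, not the paper's code."""
import secrets

P = 2**255 - 19                                      # field prime
A = 486662                                           # Montgomery coefficient
A24 = (A - 2) // 4                                   # 121665
N = 2**252 + 27742317777372353535851937790883648493  # prime order of base point
H = 8                                                # cofactor: #E(F_p) = H * N
BLIND_BITS = 64                                      # width of r (example's choice)
LADDER_BITS = 255                                    # plain ladder length
BLIND_LADDER_BITS = LADDER_BITS + BLIND_BITS + 8     # fixed length covering k + r*H*N


def clamp(scalar: bytes) -> int:
    """RFC 7748 scalar decoding: clear the 3 low bits and bit 255, set bit 254."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u: bytes) -> int:
    """RFC 7748 u-coordinate decoding; the top bit of the last byte is ignored."""
    return int.from_bytes(u[:31] + bytes([u[31] & 127]), "little")


def cswap(swap: int, a: int, b: int):
    """Swap by masking so the operation sequence does not depend on swap.
    (Python big ints are not constant time; this shows the structure only.)"""
    mask = (-swap) & ((1 << 256) - 1)
    d = (a ^ b) & mask
    return a ^ d, b ^ d


def ladder(k: int, nbits: int, x1: int, z1: int, x2: int, x3: int, z3: int) -> int:
    """x-only Montgomery ladder over exactly nbits bits of k.
    Input point (x1:z1), neutral element (x2:0) and working copy (x3:z3) are all
    projective, so each may carry its own random Z-scaling.  Returns affine x."""
    z2 = 0
    swap = 0
    for t in range(nbits - 1, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = z1 * pow(da + cb, 2, P) % P   # differential add, difference (x1:z1)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P                   # doubling
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Plain RFC 7748 X25519: affine input, 255-bit ladder, no countermeasures."""
    u_int = decode_u(u)
    return ladder(clamp(scalar), LADDER_BITS, u_int, 1, 1, u_int, 1).to_bytes(32, "little")


def on_curve(u_int: int) -> bool:
    """True if u is the x-coordinate of a point on Curve25519 rather than its twist."""
    rhs = (pow(u_int, 3, P) + A * u_int * u_int + u_int) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1


def x25519_protected(scalar: bytes, u: bytes, rng=secrets.randbits) -> bytes:
    """X25519 with scalar blinding and randomised projective coordinates.
    Blinding: k' = k + r*H*N.  Every point on the curve has order dividing H*N,
    so k'*Q == k*Q, but the bit pattern the ladder walks changes on every call
    and the ladder runs over more bits (the cost of this countermeasure).
    Randomisation: input point, neutral element and working copy are each
    scaled by a fresh non-zero lambda, so every intermediate field element
    differs per run while the affine result does not."""
    u_int = decode_u(u)
    if not on_curve(u_int):
        # H*N is not the group order of the quadratic twist, so blinding is not an
        # identity there: reject inputs that plain X25519 would silently process.
        raise ValueError("u lies on the twist; blinded ladder would be wrong")
    k_blind = clamp(scalar) + rng(BLIND_BITS) * H * N
    lam1, lam2, lam3 = (1 + rng(254) for _ in range(3))   # non-zero mod P
    x = ladder(k_blind, BLIND_LADDER_BITS,
               u_int * lam1 % P, lam1,      # randomised input point
               lam3,                        # randomised neutral element (lam3:0)
               u_int * lam2 % P, lam2)      # randomised working copy
    return x.to_bytes(32, "little")
```

Running the protected function twice on the same key shows the point of the exercise: the scalar walked and every projective intermediate differ between runs, yet the returned u-coordinate matches the plain ladder and the RFC 7748 section 6.1 vectors. The extra 64 ladder iterations are why the paper singles out scalar blinding as the expensive countermeasure, and the twist rejection is a caveat that a plain X25519 implementation never needs.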
The resulting performance, 400 elliptic-curve Diffie-Hellman scalar multiplications per second on an everyday development board (the Xilinx Zynq XC7Z7020), is, they write, “sufficient for most practical applications”. ®