Cryptography Reference
In-Depth Information
α
=
X
1
X
2
Y
1
Y
2
;
A
=
Z
1
w
Z
2
w
;
B
=
X
1
w
Y
2
w
;
C
=
Y
1
w
X
2
w
;
D
=
X
1
w
X
2
w
;
E
=
Y
1
w
Y
2
w
;
F
=
d
α
;
G
=
B
+
C
+
2
α
;
H
=
D
+
E
−
2
α
;
A
2
F
2
K
=
+
;
L
=
AF
;
M
=
K
−
2
L
;
N
=
K
+
2
L
;
X
3
w
=
AG M
;
Y
3
w
=
AHN
;
Z
3
w
=
MN
;
The total operation count for this predictor unit will be 14
M
+7
A
. Note that all
the operations in this setup are modulo
p
, where
p
is the prime that generates the
finite field the elliptic curve is defined over.
The hardware implementation of this technique is shown in Fig.
11.12
.Inthis
figure, the block on the left is the original, nonredundant data path that computes the
unified point addition. The predictor block mainly implements the
X
3
w
,
Y
3
w
, and
Z
3
w
computations defined above. Next, the output coordinates are squared to compute
their checksums. Finally, the EDN compares the results of these two paths. If all the
results match, this means that the conducted operation is fault-free. However, if there
is a mismatch in any one of the coordinate comparisons, this points to an injected
fault. Hence, an error signal is asserted. Once the error signal is asserted, either the
secret can be flushed or the device can be reset. For details on ECC security using
nonlinear codes, the reader is referred to [9].
11.8.4 Area Estimation for the Proposed ECC Protection
Technique
The area overhead caused by the application of our scheme is dependent on the
areas of arithmetic unit implementations in a particular system. Without knowing
the relative area ratios of division, multiplication and addition/subtraction units, it
is not possible to provide an exact overhead measure. However, given the higher
complexity of divisions and multiplications with respect to additions/subtractions,
it is reasonable to ignore additions and subtractions to obtain an estimation of the
overhead. Also, we assume that the area of a multiplication unit is on the order of
a division unit. This is a reasonable assumption because it does not make sense to
have an affine system where the area of a divider is much larger than the area of a
multiplier.
Having made these assumptions, the estimated percentage overheads of the non-
linear error detection schemes we propose for point operations are presented in
Table
11.5
. Note that this table provides results for both Weierstrass and Edwards
curves for different coordinate systems. We observe that the Weierstrass-based ellip-
tic curve systems can be protected with reasonable area overhead. Note that the
application of our scheme causes 175, 169, and 130 % overheads for the affine point
doubling, Jacobian point addition, and Jacobian point doubling operations, respec-
tively. The worst case for securing Weierstrass operations is the affine point addition,
which causes an area overhead of 300 %. In addition, we also observe that the predic-
