Highly Optimized Curve448 and Ed448 design in wolfSSL and Side-Channel Evaluation on Cortex-M4
Mila Anastasova, Rabih El Khatib, Aimee Laclaustra, Reza Azarderakhsh, Mehran Mozaffari Kermani
Abstract
The compact key sizes and the low computational latency of the Elliptic Curve Cryptography (ECC) family of curves sparked high interest in their integration into network protocols. The recently suggested Curve448, assuring 224-bit security, is an ideal curve choice for integrating into cryptographic libraries according to a late study on backdoors on other ECC instances compromising their security, which results in the integration of Curve448 into the TLS1.3 protocol. Curve448 and its birationally equivalent untwisted Edwards curve Ed448, used for key exchange and authentication, respectively, present a perfect fit for low-end embedded cryptographic libraries due to their minimal memory requirements. In this work, we deploy optimized Montgomery Ladder point multiplication into the widely employed IoT-focused cryptographic library wolfSSL and present side-channel robust and efficient ECDH and EdDSA based on Curve448 and Ed448. We evaluate the performance of the newly integrated architectures against the NIST recommended CortexM4 STM32F407-DK ARM-based platform. We perform thorough side-channel evaluation of the proposed Montgomery Ladder implementation via powerful TVLA analysis revealing DPA data leakage. We integrate countermeasures to protect our design, evaluate their effectiveness and analyze the latency overhead. We achieve SCA robust Curve448 and Ed448 at the cost of around $1 .2 {MCC } ( 1 . 36 \times$ the execution time). Finally, we report the performance of our fully SCA protected Curve448 and Ed448 as part of TLS1.3 wolfSSL, reporting $1 . 04 \times$ performance compared to the original wolfSSL code.