The differential power analysis (DPA) is a powerful attack against the implementation of cryptographic schemes on mobile devices. This paper proposes an alternative DPA using the addresses of registers of elliptic curve based cryptosystems (ECC) implemented on smart cards. We call the analysis the address-bit DPA in this paper. The analysis was originally investigated by Messerges, Dabbish and Sloan, however it was thought to be of no effect if the intermediate data are randomized. We extend the analysis and show how the extended analysis works against scalar exponentiations even if the implementation is resistant against the data-based DPA. We show experimental results of our analysis of cryptographic schemes OK-ECDH and OK-ECDSA, which are candidates of the CRYPTREC project in Japan, and evidence of their weakness.
We describe the implementation of an elliptic curve cryptographic (ECC) coprocessor over GF(2^m) on an FPGA and also the result of simulations evaluating its LSI implementation. This coprocessor is suitable for server systems that require efficient ECC operations for various parameters. For speeding-up an elliptic scalar multiplication, we developed a novel configuration of a multiplier over GF(2^m), which enables the multiplication of any bit length by using our data conversion method. The FPGA implementation of the coprocessor with our multiplier, operating at 3 MHz, takes 80 ms for 163-bit elliptic scalar multiplication on a pseudo-random curve and takes 45 ms on a Koblitz curve. The 0.25 µm ASIC implementation of the coprocessor, operating at 66 MHz and having a hardware size of 165 Kgates, would take 1.1 ms for 163-bit elliptic scalar multiplication on a pseudo-random curve and would take 0.65 ms on a Koblitz curve.
We propose a new fast implementation method of public-key cryptography suitable for DSP. We improved modular multiplication and elliptic doubling to increase speed. For modular multiplication, we devised a new implementation method of Montgomery multiplication, which is suitable for pipeline processing. For elliptic doubling, we devised an improved computation for the number of multiplications and additions. We implemented RSA, DSA and ECDSA on the latest DSP (TMS320C6201, Texas Instruments), and achieved a performance of 11.7 msec for 1024-bit RSA signing, 14.5 msec for 1024-bit DSA verification and 3.97 msec for 160-bit ECDSA verification.
The power analysis on smart cards is a real threat for cryptographic applications. In spite of continuous efforts of previous countermeasures, recent improved and sophisticated attacks against Elliptic Curve Cryptosystems are not protected. This paper proposes two new countermeasures, the Randomized Linearly-transformed Coordinates (RLC) and the Randomized Initial Point (RIP) against the attacks including the Refined Power Analysis (RPA) by Goubin and the Zero-value Point Analysis (ZPA) by Akishita-Takagi. Proposed countermeasures achieve notable speed-up without reducing the security level.
Keywords: Smart cards, power analysis, Elliptic Curve Cryptosystems, countermeasure
Introduction
Smart cards are becoming a new infrastructure in the coming IT society for their applications such as the SIM cards for mobile phones, identification cards for entrance systems and electronic tickets for movies. However, the power analysis attacks against these devices are real threats for these applications. In these attacks, an adversary observes traces of the power consumption of the device, and then, he detects a correlation between this information and some secret information hidden in the device. The simple power analysis (SPA) and the differential power analysis (DPA) are classical but typical examples [17, 18, 22]. Fortunately, various countermeasures which are not only secure but also efficient, have been proposed before 2002 [5, 15].
Recently, improved and sophisticated power analysis on Elliptic Curve Cryptosystems (ECC) have been proposed. In 2003, Goubin presented a new analysis, the Refined Power Analysis (RPA), which detects special points with 0-coordinate on the curve by chosen messages [9]. Then, Akishita-Takagi extended RPA to the Zero-value Point Analysis (ZPA), which detects 0 value in additions and doublings [2]. Some previous countermeasures resist RPA and ZPA [1, 5, 6], however, they require larger amount of processing time. A practical countermeasure was proposed by Ciet-Joye [7]. Note that Smart's countermeasure resists only RPA [32]; it does not always resist ZPA [3].
In this paper, we propose two practical countermeasures for ECC, the Randomized Linearly-transformed Coordinates countermeasure (RLC) and the Randomized Initial Point countermeasure (RIP), which resist power analysis including above newer attacks, and provide efficient processing speed for scalar multiplications. Proposed countermeasures achieve notable speed-up without reducing the security level.
The rest of this paper is organized as follows: we briefly review Elliptic Curve Cryptosystems (ECC) in section 2. Side channel attacks and countermeasures are in section 3. Then section 4 describes our proposed countermeasures. A comparison of countermeasures is described in section 5. Concrete algorithms of proposed countermeasures are in the appendix.
Elliptic Curve
This section describes a brief review of elliptic curves defined over finite fields with prime elements. This is just for a simplicity an...
We propose three differential power analysis (DPA) countermeasures for securing the public key cryptosystems. All countermeasures are based on the window method, and can be used in both RSA and elliptic curve cryptosystems (ECC). By using the optimal countermeasure, the performance penalty is small. In comparison with the k-ary method, the computation time of our countermeasure is only 105% in 1024-bit RSA and 119% in 160-bit ECC.
Abstract. The differential power analysis (DPA) enables an adversary to reveal the secret key hidden in a smart card by observing power consumption. The address-bit DPA is a typical example of DPA which analyzes a correlation between addresses of registers and power consumption. In this paper, we propose a practical countermeasure, the randomized addressing countermeasure, against the address-bit DPA which can be applied to the exponentiation part in RSA or ECC with and without pre-computed table. Our countermeasure has almost no overhead for the protection, namely the processing speed is no slower than that without the countermeasure. We also report experimental results of the countermeasure in order to show its effect. Finally, a complete comparison of countermeasures from various viewpoints including the processing speed and the security level is given.