An Efficient Countermeasure against Correlation Power-Analysis Attacks with Randomized Montgomery Operations for DF-ECC Processor

Lee, Jen-Wei; Chung, Szu-Chi; Chang, Hsie-Chia; Lee, Chen‐Yi

doi:10.1007/978-3-642-33027-8_32

Cited by 10 publications

(18 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Many implementations of ECC processors choose the Montgomery ladder algorithm to compute the scalar multiplication because it is safe against SPA and timing analysis attacks [11] [12]. On the other hand, DPA attacks [5] succeed against this algorithm.…”

Section: Discussionmentioning

confidence: 96%

See 1 more Smart Citation

Design of a secure architecture for scalar multiplication on elliptic curves

Pontié¹,

Maistri²

2014

2014 10th Conference on Ph.D. Research in Microelectronics and Electronics (PRIME)

View full text Add to dashboard Cite

International audienceEmbedded systems support more and more features. Authentication and confidentiality are part of them. These systems have limitations that put the public-key RSA algorithm at a disadvantage: Elliptic curve cryptography (ECC) becomes more attractive because it requires less energy and less area. A lot of attacks exploit physical access on cryptographic hardware device: power analysis attacks (SPA, DPA), or timing analysis attacks. The coprocessor presented here supports all critical operations of an ECC cryptosystem and has been secured against side channel attacks

show abstract

Section: Discussionmentioning

confidence: 96%

“…On the other hand, DPA attacks [5] succeed against this algorithm. The DPA attacks can be made more difficult by field operations with random computation to obtain representations of the points in a random Montgomery domain [12]. Our countermeasure is at the algorithm level and can be mixed with random representations of points.…”

Section: Discussionmentioning

confidence: 99%

Design of a secure architecture for scalar multiplication on elliptic curves

Pontié¹,

Maistri²

2014

2014 10th Conference on Ph.D. Research in Microelectronics and Electronics (PRIME)

View full text Add to dashboard Cite

show abstract

“…For multibits fault, the only difference Usually, attackers can reveal the 256-bit by enabling the device to execute twice and comparing the two different results by our fault attack. [25][26][27]; they are as follows.…”

Section: Fault Attack and Countermeasures On Sm9mentioning

confidence: 99%

Side-Channel Attacks and Countermeasures for Identity-Based Cryptographic Algorithm SM9

Zhou

Wang

Niu³

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

Identity-based cryptographic algorithm SM9, which has become the main part of the ISO/IEC 14888-3/AMD1 standard in November 2017, employs the identities of users to generate public-private key pairs. Without the support of digital certificate, it has been applied for cloud computing, cyber-physical system, Internet of Things, and so on. In this paper, the implementation of SM9 algorithm and its Simple Power Attack (SPA) are discussed. Then, we present template attack and fault attack on SPA-resistant SM9. Our experiments have proved that if attackers try the template attack on an 8-bit microcontrol unit, the secret key can be revealed by enabling the device to execute one time. Fault attack even allows the attackers to obtain the 256-bit key of SM9 by performing the algorithm twice and analyzing the two different results. Accordingly, some countermeasures to resist the three kinds of attacks above are given.

show abstract

“…Our work. In this paper, we show that the countermeasure proposed in [26] is flawed and can be efficiently broken by first-order CPA, even in presence of a large amount of noise in the measurements. After a presentation of the techniques proposed by Lee et al in Sect.…”

Section: Introductionmentioning

confidence: 96%

“…In practice, masking is always applied (possibly combined with hiding) since it provides strong security guaranty. Recently, Lee et al [26] proposed a new efficient countermeasure to overcome first-order CPA 2 attacks. It assumes that the field operations are performed in the Montgomery domain [30] and consists in randomizing the Montgomery representation of the internal results (thus defining a so-called Randomized Montgomery Domain).…”

Section: Introductionmentioning

confidence: 99%

Side-Channel Analysis of Montgomery’s Representation Randomization

Jaulmes

Prouff

Wild

2014

Selected Areas in Cryptography -- SAC 2014

View full text Add to dashboard Cite

Elliptic curve cryptography is today widely spread in embedded systems and the protection of their implementation against side-channel attacks has been largely investigated. At CHES 2012, a countermeasure has been proposed which adapts Montgomery's arithmetic to randomize the intermediate results during scalar point multiplications. The approach turned out to be a valuable alternative to the previous strategies based on hiding and/or masking techniques. It was argued to be specifically dedicated to hardware implementations and it aimed to defeat first-order side-channel attacks involving Pearson's correlation as distinguisher. In this paper however, we exhibit an important flaw in the countermeasure and we show, through various simulations, that it leads to efficient first-order correlation-based attacks.

show abstract

An Efficient Countermeasure against Correlation Power-Analysis Attacks with Randomized Montgomery Operations for DF-ECC Processor

Cited by 10 publications

References 22 publications

Design of a secure architecture for scalar multiplication on elliptic curves

Design of a secure architecture for scalar multiplication on elliptic curves

Side-Channel Attacks and Countermeasures for Identity-Based Cryptographic Algorithm SM9

Side-Channel Analysis of Montgomery’s Representation Randomization

Contact Info

Product

Resources

About