Defeating Simple Power Analysis on Koblitz Curves

Vuillaume, Camille; Okeya, Katsuyuki; Takagi, Tsuyoshi

doi:10.1093/ietfec/e89-a.5.1362

Cited by 9 publications

(17 citation statements)

References 17 publications

(39 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…ρ ideal X,Y = 1. The MPL method is considered as one of the SPAresistant algorithms in many papers [10,11,12]. However, a naïve hardware implementation of the algorithm becomes vulnerable to SPA attacks.…”

Section: Spa Attack For the Mpl Methodsmentioning

confidence: 99%

See 1 more Smart Citation

A New Approach for Implementing the MPL Method toward Higher SPA Resistance

Izumi

Sakiyama

Ohta

2009

2009 International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Recent years, the information security is emphasized with a development ofInternet systems. In the measures as securing digital information, there are cryptosystems that protect secrecy of digital documents and digital signature scheme that ensure validity of digital documents. In the case of reality, i.e. hardware devices are used in cryptosystems, there is a possibility that secret information leaks via sidechannel. Simple Power Analysis (SPA) attacks are one of the side-channel attacks. To prevent a SPA, one of the sidechannel attacks, the Montgomery Powering Ladder (MPL) method has been considered as one of the countermeasures. In this paper, we show that a naïve implementation of the MPL method is vulnerable for SPA attacks by observing the power consumption of the controller block of the RSA hardware. Furthermore, in order to avoid such information leakage, we propose a new hardware architecture for RSA using the MPL method to enhance SPA resistance.

show abstract

Section: Spa Attack For the Mpl Methodsmentioning

confidence: 99%

“…2, the secret key cannot be identified by power trace easily. This is why much previous work report the MPL method is secure against SPA attacks [10,11,12]. However, the power trace still shows irregular shapes depending on the key bit.…”

mentioning

confidence: 99%

A New Approach for Implementing the MPL Method toward Higher SPA Resistance

Izumi

Sakiyama

Ohta

2009

2009 International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

show abstract

“…Signed bits are allowed for B for two reasons: (a) Koblitz curve cryptosystems are typically implemented by using the τ NAF) representation [24] or some other representation with signed bits (e.g., [22,27]) and (b) this allows computing subtractions with the same algorithm. Adding the two expansions gives the following expansion:…”

Section: Addition In the τ -Adic Domainmentioning

confidence: 99%

“…Figure 3 presents an architecture that implements Algorithm 1 for μ = 1. Because B i ∈ {−1, 0, 1}, it can be used for K given using signed-bit representations (e.g., [22,24,27]). Because t 0 ∈ [−3, 3] and A i + B i ∈ [−1, 2], r ∈ [−4, 5] and we need 4 bits to represent it.…”

Section: Architecturementioning

confidence: 99%

“…Ensuring this property (ideally) guarantees that the smallest key-dependent statistical moment in the leakage distribution is d + 1. It has been shown (in different, more or less specialized settings [6,10,21,27]) that the data complexity of side-channel attacks against such implementations increases exponentially with the number of shares. More precisely, in the usual context of (close to) Gaussian noise, this data complexity is proportional to (σ 2 n ) d , with σ 2 n the noise variance.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation