DPA Countermeasures by Improving the Window Method Kouichi Itoh, Jun Yajima, Masahiko Takenaka and Naoya Torii Workshop on Cryptographic Hardware and Embedded.

Slides:

Advertisements

Similar presentations

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.

Advertisements

Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks JaeCheol Ha * and SangJae Moon ** * Korea Nazarene University **

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK

Confidential 1 Corporate Research © THOMSON multimedia, 1999 Mixing cryptography and watermarking for copy protection in consumer electronic devices FURON.

White-Box Cryptography

Lecture Implementations. The efficiency of a particular cryptographic scheme based on any one of the algebraic structures will depend on a number.

Block Ciphers and the Data Encryption Standard

C ● O ● M ● O ● D ● O RESEARCH LAB Longer Keys may Facilitate Side Channel Attacks (Bradford, UK) Colin.

PREVENTING CRYPTOGRAPHIC KEY LEAKAGE IN CLOUD VIRTUAL MACHINES STUDENT: FATEMAH ALHARBI PROFESSOR: NAEL ABU-GHAZALEH EE260 SEMINAR IN ELECTRICAL ENGINEERING.

Abdullah Sheneamer CS591-F2010 Project of semester Presentation University of Colorado, Colorado Springs Dr. Edward RSA Problem and Inside PK Cryptography.

Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.

Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.

Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.

CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

An Expandable Montgomery Modular Multiplication Processor Adnan Abdul-Aziz GutubAlaaeldin A. M. Amin Computer Engineering Department King Fahd University.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

1 Hidden Exponent RSA and Efficient Key Distribution author: He Ge Cryptology ePrint Archive 2005/325 PDFPDF 報告人：陳昱升.

Radu Muresan CODES+ISSS'04, September 8-10, 2004, Stockholm, Sweden1 Current Flattening in Software and Hardware for Security Applications Authors: R.

Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.

Tallinn University of Technology Quantum computer impact on public key cryptography Roman Stepanenko.

Dan Boneh Public Key Encryption from trapdoor permutations RSA in practice Online Cryptography Course Dan Boneh.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

C HAPTER 13 Asymmetric Key Cryptography Slides adapted from "Foundations of Security: What Every Programmer Needs To Know" by Neil Daswani, Christoph Kern,

By Abhijith Chandrashekar and Dushyant Maheshwary.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

Long Modular Multiplication for Cryptographic Applications Laszlo Hars Seagate Research Workshop on Cryptographic Hardware and Embedded Systems, CHES 2004.

Fault Tolerant Infective Countermeasure for AES

Cryptography: RSA & DES Marcia Noel Ken Roe Jaime Buccheri.

Information Security Lab. Dept. of Computer Engineering 122/151 PART I Symmetric Ciphers CHAPTER 5 Advanced Encryption Standard 5.1 Evaluation Criteria.

Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.

Issues of Security with the Oswald-Aigner Exponentiation Algorithm Colin D Walter Comodo Research Lab, Bradford, UK Colin D Walter.

CRYPTOGRAPHY How does it impact cyber security and why you need to know more?

LOGO Hardware side of Cryptography Anestis Bechtsoudis Patra 2010.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

Cryptography and Network Security (CS435) Part Eight (Key Management)

Some Perspectives on Smart Card Cryptography

Sandrine AGAGLIATE, FTFC Power Consumption Analysis and Cryptography S. Agagliate Canal+Technologies P. Guillot Canal+Technologies O. Orcières Thalès.

Public / Private Keys was a big year… DES: Adopted as an encryption standard by the US government. It was an open standard. The NSA calls it “One.

Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.

Possible Testing Solutions and Associated Costs

Enhanced Doublng Attacks on Signed-All-Bits Set Recoding 1 Graduate School of Information Management and Security, Korea University, Korea

Some Security Aspects of the Randomized Exponentiation Algorithm (Bradford, UK) Colin D. Walter M IST.

Kouichi Itoh, Tetsuya Izu and Masahiko Takenaka Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) August, 2002 Address-bit Differential.

Sliding Windows Succumbs to Big Mac Attack Colin D. Walter

A DPA Countermeasure by Randomized Frobenius Decomposition Tae-Jun Park, Mun-Kyu Lee*, Dowon Hong and Kyoil Chung * Inha University.

Chapter 3 – Public Key Cryptography and RSA (A). Private-Key Cryptography traditional private/secret/single-key cryptography uses one key shared by both.

Exploiting Cache-Timing in AES: Attacks and Countermeasures Ivo Pooters March 17, 2008 Seminar Information Security Technology.

A paper by: Paul Kocher, Joshua Jaffe, and Benjamin Jun Presentation by: Michelle Dickson.

Lecture 23 Symmetric Encryption

Elliptic Curve Cryptography

Faster Implementation of Modular Exponentiation in JavaScript

M IST : An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis Colin D. Walter formerly: (Manchester, UK)

DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.

M IST : An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis Colin D. Walter (Manchester, UK)

Copyright 2012, Toshiba Corporation. A Survey on the Algebraic Surface Cryptosystems Koichiro Akiyama ( TOSHIBA Corporation ) Joint work with Prof. Yasuhiro.

Remote Timing Attacks are Practical David Brumley Dan Boneh [Modified by Somesh.

1/16 Seeing through M IST given a Small Fraction of an RSA Private Key Colin D. Walter Comodo Research Lab (Bradford, UK)

WISA 2007 Jeju Island, Korea, 27th – 29th Aug 2007 Longer Randomly Blinded RSA Keys may be Weaker than Shorter Ones Colin D. Walter

Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

Introduction to Elliptic Curve Cryptography CSCI 5857: Encoding and Encryption.

Study on Cryptographic Application for Smart Card Course Title : Computer Security & E-Payment System Faculty : 김 광 조 김 종 승

Cryptography services Lecturer: Dr. Peter Soreanu Students: Raed Awad Ahmad Abdalhalim

Biometric Encryption Base RSA Algorithm Supervisor: Ass. Prof. Dr. Dang Tran Khanh Student: Dung Ngo Dinh.

Motivation Basis of modern cryptosystems

Cryptography By: Nick Belhumeur. Overview What is Cryptography? What is Cryptography? 2 types of cryptosystems 2 types of cryptosystems Example of Encryption.

Attacks on Public Key Encryption Algorithms

Helen: Maliciously Secure Coopetitive Learning for Linear Models

Presentation transcript:

DPA Countermeasures by Improving the Window Method Kouichi Itoh, Jun Yajima, Masahiko Takenaka and Naoya Torii Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) August, 2002 Fujitsu Laboratories LTD.

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Contents What is DPA? Previous DPA countermeasures Our DPA countermeasures Security of our countermeasures Performance comparison with other countermeasures

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Overview Fast encryption speed No additional parameter Applicable in both RSA and ECC Proposal of new effective DPA countermeasure(s) for public key cryptosystems Characteristics Objectives

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) What is DPA? (Differential Power Analysis) Analyze a secret key stored in the cryptographic device by monitoring its power consumption. (Kocher, CRYPTO’99) スマートカード秘密情報 Make a differential t V t V  Smartcard Secret key K Plaintext P i (i=1,2,...,N) Analyze Secret key K Monitor a power consumption

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Previous DPA Countermeasures for public key Cryptosystems Randomization of the private exponent (Coron, CHES’99) Randomized binary-method (Messerges-Dabbish-Sloan, CHES’99) Randomized projective coordinates (Coron, CHES’99) Exponent splitting (Clavier-Joye, CHES2001) d  d’ = d+r  ( r :random,  :order) d = d 1 + d 2, a d = a d 1  a d 2 (mod n), ( d 1,d 2 :random) (x,y)  (x  r, y  r, z  r) ( r :random) d = randomly choose MSB-to-LSB binary-method LSB-to-MSB binary-method

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Demerits of Previous DPA Countermeasures Slow encryption speed (Clavier-Joye, Messerges) Not applicable to both RSA and ECC(Coron) Additional parameter is required(Coron) Exponent splitting technique takes 2 times computation. Randomized projective coordinates technique is available only in ECC. When randomizing the private exponent, parameter  is used. RSA (normal) replace...  a, d, n a d (mod n) RSA (DPA protected) a d (mod n) a, d, n

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Merits of Our Countermeasures Fast encryption speed (Overhead is low) Applicable to both RSA and ECC No additional parameter In comparison with k-ary method, computational complexity is 105% in 1024-bit RSA, and is 119% in 160-bit ECC Vulnerable encrypt engine is easily replaced to secure one All countermeasures are based on the window method

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Our DPA Countermeasures We propose 3 countermeasures: Overlapping Window Method(O-WM) Randomized Table Window Method(RT-WM) Hybrid Randomizing Window Method(HR-WM) Each has unique characteristics (speed, security) A suitable countermeasure can be chosen according to the environment (encryption algorithm, key length...)

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Overlapping Window Method(O-WM) Data is randomized. Basic idea d w0w0 w1w1 w2w2 Traditional WM d w0w0 w1w1 w2w d w0w0 w1w1 w2w By overlapping w i and w i+1, various expressions are possible.

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Data is randomized. Basic idea d w0w0 w1w1 w2w2 Traditional WM 1 d RT-WM a 000 a 001 a 010 a 011 a 100 a 101 a 110 a 111 a r a r a r a r a r a r a r a r w0w0 w1w1 w2w r:r: Table lookup: Randomize Randomized Table Window Method (RT-WM) (random)

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Hybrid Randomizing Window Method (HR-WM) HR-WM = O-WM + RT-WM = (Overlapping) + (Randomized Table) d 1 a r a r a r a r a r a r a r a r w0w0 w1w1 w2w Randomized table r (random) : Overlapping window

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Security Evaluation of Our Countermeasures Basic idea without countermeasureUsing countermeasure Size of the spike will be smaller by the countermeasure Security is evaluated by the ratio of the sizes. (attenuation ratio = B/A) A B

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) DPA Attack Experiment RSA(Normal) attenuation ratio=1/10 RSA(O-WM)

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Security Evaluation Result RSA ECC(2D) ECC(3D) O-WM ~ ( * ) ~2 -80 ( * ) RT-WM HR-WM ~2 -61 ( * ) ECC(2D) : An implementation using affine coordinates ECC(3D) : An implementation using projective or Jacobian coordinates Attenuation Ratio(AR) for a fixed parameter ( * ) : The reason why AR varies, is described in the paper

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Performance Comparison among Our Countermeasures O-WMRT-WM Suitable for ECC (3D) Suitable for RSA HR-WM O-WMHR-WMRT-WM ECC(3D) (160-bit) TIME AR~2 -80 ~ RSA (1024- bit) TIME AR~ Shorter key length Longer key length TIME:number of addition/doubling(ECC) or multiplication/squaring(RSA) 210-bit 340-bit 160-bit1024-bit

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Comparison with Other Countermeasures TIME:number of addition/doubling(ECC) or multiplication/squaring(RSA) O-WMHR-WMRT-WMCoronMesserges ECC( 3D ) (160-bit) TIME AR ~2 -80 ~ RSA (1024- bit) TIME AR ~ Additional Parameter No YesNo vs Coron : Additional parameter is unnecessary vs Messerges : Much higher security in ECC, higher security and 13% faster in RSA Proposed and Coron : 4-bit window, Messerges : binary-method(RSA) or signed-binary(ECC)

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Conclusion We evaluated the security by attenuation ratio Fast encryption speed Applicable to both RSA and ECC No Additional parameter We proposed new DPA countermeasures, O-WM, RT-WM and HR-WM ECC : All countermeasures provide enough security RSA : RT-WM and HR-WM provide enough security

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002)

All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Questions & Comments