A DPA Countermeasure by Randomized Frobenius Decomposition Tae-Jun Park, Mun-Kyu Lee*, Dowon Hong and Kyoil Chung * Inha University.

WISA
Outline
I. Side channel analysis
II. Frobenius expansion
III. Random decomposition
IV. Conclusion

Power Analysis (Kocher, Crypto 99)
A powerful technique to recover secret information by monitoring the power signal. Two kinds of power analysis:
- SPA: simple power analysis
- DPA: differential power analysis

Power Analysis on Elliptic Curves (Coron, CHES 99)
Naïve implementations of ECC are highly vulnerable to SPA and DPA. Various methods have been proposed:
- Hasan suggested several countermeasures on Koblitz curves (IEEE Transactions on Computers, 2001)
- Ciet et al. proposed randomizing the GLV decomposition to prevent DPA on GLV curves (CHES 2002)

The Goal of This Talk
A new countermeasure against DPA on ECC:
- applicable to any curve where the Frobenius method can be used
- a two-dimensional generalization of Coron’s method
- 15.3 ~ 34.0% extra computation

Elliptic Curve
Let be the prime power; is of or otherwise.
(Figure: plot of the curve over the x and y axes)
- To avoid the MOV attack, use only nonsupersingular elliptic curves

Frobenius Endomorphism
- The Frobenius endomorphism of
- The minimal polynomial of the Frobenius endomorphism

Frobenius Expansion (1)
The endomorphism ring of a nonsupersingular elliptic curve is an order in the imaginary quadratic field. The ring is a subring of the endomorphism ring.
Mueller proposed a Frobenius expansion method by iterating divisions:
- fast scalar multiplication on elliptic curves over small fields of characteristic two
- division by the Frobenius endomorphism in the ring

Frobenius Expansion (2)
Division by in the looks like division by a complex number in the Gaussian integers.
Lemma: Suppose that is an even (resp., odd) prime power. Let . There exist an integer and an element s.t.

Frobenius Expansion (3)
By iterating the process of division by with remainder, one can expand with

Division by in (1)

Division by in (2)
Let be the lattice generated by 1 and ; is isomorphic to . All elements in which can be divided by (for example, all numbers divisible by 2 are of the form ). The set of such elements is generated by and :

Division by in (3)
Divide by with remainder:
- If , then there exist s.t.
- If not, move horizontally left or right to for a suitable
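The division with remainder on this slide and the iterated expansion of Frobenius Expansion (1)-(3), worked as an added Python example that is not the talk's own code: it assumes the Frobenius endomorphism tau satisfies tau^2 - t*tau + q = 0 for a curve over GF(q) with trace t, represents a + b*tau as the pair (a, b), and runs the Koblitz-style parameters q = 2, t = 1. The resulting expansion is deterministic for a fixed scalar, which is why the talk's random decomposition is needed against DPA.

```python
# Added example (not from the talk): Mueller-style Frobenius expansion of a
# scalar by repeated division with remainder by the Frobenius endomorphism
# tau in the ring Z[tau].
# Assumptions: tau^2 - t*tau + q = 0 (curve over GF(q), trace t); an element
# a + b*tau of Z[tau] is represented as the integer pair (a, b).

def mul_tau(alpha, q, t):
    """(a + b*tau) * tau = -b*q + (a + b*t) * tau, using tau^2 = t*tau - q."""
    a, b = alpha
    return (-b * q, a + b * t)

def divide_by_tau(alpha, q, t):
    """Return (beta, r) with alpha = beta*tau + r and r in (-q/2, q/2].

    By mul_tau, a + b*tau is a multiple of tau exactly when q divides a; if
    not, move a horizontally by the centred remainder r to the nearest one."""
    a, b = alpha
    r = a % q
    if r > q // 2:
        r -= q
    d = (r - a) // q          # exact, since q divides (a - r)
    c = b - d * t
    return (c, d), r

def frobenius_expand(k, q, t, max_len=256):
    """Expand the integer k as sum(c_i * tau^i); returns [c_0, c_1, ...]."""
    digits, alpha = [], (k, 0)
    while alpha != (0, 0):
        if len(digits) >= max_len:
            # Terminates for the Koblitz parameters below; the talk's lemma
            # bounds the expansion length in general (not reproduced here).
            raise RuntimeError("expansion did not terminate")
        alpha, r = divide_by_tau(alpha, q, t)
        digits.append(r)
    return digits

def evaluate(digits, q, t):
    """Horner evaluation of sum(c_i * tau^i) back into Z[tau] as a check."""
    acc = (0, 0)
    for c in reversed(digits):
        a, b = mul_tau(acc, q, t)
        acc = (a + c, b)
    return acc

if __name__ == "__main__":
    q, t = 2, 1                      # Koblitz-style curve: tau^2 = tau - 2
    digits = frobenius_expand(1000003, q, t)
    assert evaluate(digits, q, t) == (1000003, 0)
    print(len(digits), "digits:", digits)
```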

Random Decomposition (1)
Transform to a random lattice:
- Choose a random integer where

Random Decomposition (2)

Random Decomposition (3)

Random Decomposition (4)
Lemma: For any , we can find s.t. , with the Euclidean length of bounded by

Random Decomposition (5)

Scalar Multiplication
- is expanded as
- by Mueller’s expansion method
- a scalar multiplication

Overhead

Conclusion
- Our method can be applied to all kinds of elliptic curves
- It can be used in conjunction with other countermeasures
- It will be generalized to hyperelliptic curves