Presentation is loading. Please wait.

Presentation is loading. Please wait.

Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks JaeCheol Ha * and SangJae Moon ** * Korea Nazarene University **

Published byJavion Colegrove Modified over 10 years ago

Similar presentations

Presentation on theme: "Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks JaeCheol Ha * and SangJae Moon ** * Korea Nazarene University **"— Presentation transcript:

1 Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks JaeCheol Ha * and SangJae Moon ** * Korea Nazarene University jcha@kornu.ac.kr ** Kyungpook National University sjmoon@knu.ac.kr

2 CHES 2002 2 ::: ::: History of Power Attacks 1996 1998 Timing Attacks in Crypto ’96 Paul C. Kocher Differential Power Analysis in CRYPTO ’99 Paul C. Kocher, et al 2000 Practical Implementation of Timing Attack in CARDIS ’98 J. F. Dhem Power Analysis Attacks of Modular Exponentiation in CHES’99 T. S. Messerges, et al Timing attack Power analysis attack 2002 Resistance against DPA for ECC in CHES’99 J. S. Coron Randomized Addition-Subtraction Chains against PA in CHES’01 E. Oswald et al

3 CHES 2002 3 Related Works Coron : Resistance against DPA for ECC Compute Q=kP Random number r : d= k + r  #E(K), Q=dP Random point R : Q ’ =k(R+P), Q=Q ’ -kR Use randomized projective coordinates Oswald, et al : Randomized Addition- Subtraction Chains against PA Randomizing the binary algorithm itself Use the Morain-Olivos method for speeding up the binary alg. Vulnerable to SPA (by Okeya-Sakurai in ACISP ’ 02)

4 CHES 2002 4 Our Contributions Propose a countermeasure against DPA Randomized signed representation of a scalar integer based on the NAF recoding algorithm Probability analysis of each symbol in the proposed random recording algorithm Propose a addition-subtraction multiplication algorithm against SPA

5 CHES 2002 5 Preliminaries Elliptic curve over K : E(K) K  2, 3 : y 2 =x 3 + ax + b, a,b  K K=2 : y 2 +xy =x 3 + ax 2 + b Point(x, y) : Solution of a EC equation Scalar multiplication : Q=kP Input point : P n-bit scalar integer k,

6 CHES 2002 6 Preliminaries Binary scalar multiplication Q=O for i=n -1 to 0 by–-1 do { Q=2Q : Doubling  if (k i ==1) then Q=Q + P } : Addition  Return Q # of doubling : n, average # of addition: n/2

7 CHES 2002 7 Preliminaries Point operations : K  2, 3 P =(x 1, y 1 ), Q =(x 2, y 2 ), -P =(x 1, -y 1 ), Doubling : 2P = (x 3, y 3 )  x 3 = 2 - x 1 - x 2 y 3 = (x 1 - x 3 ) - y 1  = (3x 1 2 +a)/2y 1 Addition : (P+Q) = (x 3, y 3 )  x 3 = 2 - x 1 - x 2 y 3 = (x 1 - x 3 ) - y 1  = (y 2 - y 1 )/(x 2 - x 1 )

8 CHES 2002 8 Countermeasures to Power Attacks SPA : distinguish between point doubling and addition from a measured power signal SPA-immune alg.(by Coron) Q[0]=O  for i=n -1 to 0 by–-1 do {  Q[0]=2Q[0] : Doubling  Q[1]=Q[0]+P : Addition  Q[0]=Q[k i ] } : Selection  Return Q[0] DPA : exploit secret key by a statistical analysis of many power consumptions Coron : three countermeasures Oswald, et al : random addition-subtraction alg.

9 CHES 2002 9 Our Idea Requirement to prevent from SPA Independency of secret information and computational procedures Requirement to prevent from DPA Randomization of computing objects Our idea (DPA) Randomize the scalar(secret) integer Insert a random factor in the NAF alg.

10 CHES 2002 10 NAF Representation NAF(Non-Adjacent Form) Signed-digit form, Lowest weight form among all signed-digit representation of a given k Addition-Subtraction alg. : Q=dP  Input point P, Secret scalar integer d, n+1= |d| Q=O  for i=n to 0 by–-1 do {  Q=2Q : Doubling  if (d i ==1 ) then Q=Q+P : Addition or if (d i == ) then Q=Q -P } : Subtraction  Return Q # of doubling : n+1, average # of addition: n/3

11 CHES 2002 11 NAF recoding algorithm Ex) k = ( 1 1 1 0 1 1 1 1 0 ) = 478 c = ( 1 1 1 1 1 1 1 1 0 0 ) NAF d = ( 1 0 0 0 0 0 0 0 ) = 2 9 –2 5 –2 1 =478 where, k i + c i = c i+1 2 1 + d i 2 0 = (c i+1 d i ), c i+1 : carry, d i : sum Key idea : (c i+1 d i ) = 0 1 = 1 for a signed-digit form NAF recoding algorithm InputOutput k i+1 k i c i c i+1 d i 00000 00101 01001 01110 10000 1011 1101 11110

12 CHES 2002 12 New Countermeasure(1/5) Random signed-scalar recoding alg. InputOutput k i+1 k i c i r i c i+1 d i Remarks 000000 NAF 000100 001001 00111 AF 010001 NAF 01011 AF 011010 NAF 011110 100000 100100 10101 101101 AF 11001 NAF 110101 AF 111010 NAF 111110 If r i =1 & (k i  c i ) =1, AF recoding 01  1 1  01

13 CHES 2002 13 Numerical Examples NAF recoding  k = ( 1 1 1 0 1 1 1 1 0 ) = 478 d = ( 1 0 0 0 0 0 0 0 ) = 478 Random recoding (case 1)  k = ( 1 1 1 0 1 1 1 1 0 ) = 478  c = ( 1 1 1 1 1 1 1 0 0 0 )  r = ( 1 0 1 0 1 0 0 1 1 )  d = ( 1 0 0 0 0 0 1 0 ) = 2 9 –2 5 -2 2 + 2 1 =478 Random recoding (case 2)  r = ( 1 1 0 1 0 1 0 0 1 )  d = ( 1 0 0 1 0 0 0 0 ) = 2 9 –2 6 +2 5 – 2 1 =478

14 CHES 2002 14 New Countermeasure(2/5) Probability of symbols (O. Egecioglu & C. K Koc) State variable s i  Input : quadruplets (k i+1, k i, c i, r i ) Output : (c i+1, d i ) Next state : (k i+2, k i+1, c i+1, r i+1 ) ? ? The next state is determined by (k i+2, r i+1 ) 

15 CHES 2002 15 New Countermeasure(3/5) Probability of each symbol Assumption : P(k i =0)=P(k i =1) =1/2  P(r i =0)=P(r i =1) =1/2 P(k i+2, r i+1 ) =1/4  Analyze using a Markov chain model Analysis result P(d i =0)=1/2  P(d i =1)=1/4 P(d i = )=1/4 

16 CHES 2002 16 SPA resistant Addition-Subtraction alg. Output : Q=dP, d : random signed-scalar integer Insert dummy operations Q[0]=O  P[0]=P, P[1]=P, P[ ]= -P  for i=n to 0 by–-1 do {  Q[0]=2Q[0] : Doubling  Q[1]=Q[0]+P[d i ] : Addition or  Q[ ]=Q[1] Subtraction  Q[0]=Q[d i ] } : Selection Return Q[0] New Countermeasure(4/5)

17 CHES 2002 17 New Countermeasure(5/5) Comparison n : bit length of scalar integer k * : Coron ’ s SPA-immune alg. ** : Coron ’ s first countermeasure against DPA d = k + r #E(K) m =|r| ( in practice, m =20 bits) Algorithmadditionsdoublings Unprotected ordinary binaryn/2n Unprotected NAFn/3n+1 Protected ordinary binary against SPA*nn Protected ordinary binary against DPA**+SPA*n+mn+mn+mn+m Our proposed algorithm against DPAn/2n+1 Our proposed algorithm against DPA+ SPAn+1

18 CHES 2002 18 Experimental Result(1/2) Experiments Data signal Response Control signal Trigger signal Control signal Measuring signal Card reader

19 CHES 2002 19 Experimental Result(2/2) MESD( Multiple-Exponent Single-Data )Attack Assumption : attacker can choose scalar integers and compare two card ’ s averaged power signal Correct scalar digits : (1,0,0,......)  Averaged power difference over 300 traces  (1,0,0,X,…) - (1,0,1,X,…) (1,0,0,X,…) - (New alg.)  No Protected Protected with random scalar

20 CHES 2002 20 Conclusion Propose a new countermeasure to make DPA infeasible Randomized signed-scalar representation Propose a SPA-immune Addition- Subtraction multiplication alg. Analyze symbol probability of new method using a finite Markov chain model To protect DPA : n/2 additions, n+1 doublings To protect DPA+SPA  : n+1 additions, n+1 doublings

Download ppt "Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks JaeCheol Ha * and SangJae Moon ** * Korea Nazarene University **"

Similar presentations

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST
Global Value Numbering using Random Interpretation Sumit Gulwani George C. Necula CS Department University of California, Berkeley.

Global Value Numbering using Random Interpretation Sumit Gulwani George C. Necula CS Department University of California, Berkeley.
Bellwork If you roll a die, what is the probability that you roll a 2 or an odd number? P(2 or odd) 2. Is this an example of mutually exclusive, overlapping,

Bellwork If you roll a die, what is the probability that you roll a 2 or an odd number? P(2 or odd) 2. Is this an example of mutually exclusive, overlapping,
By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.

By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.
Business Transaction Management Software for Application Coordination 1 www.choreology.com Business Processes and Coordination.

Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Title Subtitle.

Title Subtitle.
0 - 0.

0 - 0.
ALGEBRAIC EXPRESSIONS

ALGEBRAIC EXPRESSIONS
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
MULTIPLYING MONOMIALS TIMES POLYNOMIALS (DISTRIBUTIVE PROPERTY)

MULTIPLYING MONOMIALS TIMES POLYNOMIALS (DISTRIBUTIVE PROPERTY)
ADDING INTEGERS 1. POS. + POS. = POS. 2. NEG. + NEG. = NEG. 3. POS. + NEG. OR NEG. + POS. SUBTRACT TAKE SIGN OF BIGGER ABSOLUTE VALUE.

ADDING INTEGERS 1. POS. + POS. = POS. 2. NEG. + NEG. = NEG. 3. POS. + NEG. OR NEG. + POS. SUBTRACT TAKE SIGN OF BIGGER ABSOLUTE VALUE.
MULTIPLICATION EQUATIONS 1. SOLVE FOR X 3. WHAT EVER YOU DO TO ONE SIDE YOU HAVE TO DO TO THE OTHER 2. DIVIDE BY THE NUMBER IN FRONT OF THE VARIABLE.

MULTIPLICATION EQUATIONS 1. SOLVE FOR X 3. WHAT EVER YOU DO TO ONE SIDE YOU HAVE TO DO TO THE OTHER 2. DIVIDE BY THE NUMBER IN FRONT OF THE VARIABLE.
SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION

SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION
MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
FACTORING Think Distributive property backwards Work down, Show all steps ax + ay = a(x + y)

FACTORING Think Distributive property backwards Work down, Show all steps ax + ay = a(x + y)
Addition Facts 1 - 20.

Addition Facts
ALGEBRAIC EXPRESSIONS

ALGEBRAIC EXPRESSIONS
Year 6 mental test 10 second questions Numbers and number system Numbers and the number system, fractions, decimals, proportion & probability.

Year 6 mental test 10 second questions Numbers and number system Numbers and the number system, fractions, decimals, proportion & probability.

Similar presentations

Ads by Google