Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks - PowerPoint PPT Presentation

1 / 20

About This Presentation

Title:

Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks

Description:

Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks ... Use randomized projective coordinates. Oswald, et al : Randomized Addition ... – PowerPoint PPT presentation

Number of Views:56

Avg rating:3.0/5.0

Slides: 21

Provided by: cheswo

Category:

more less

Transcript and Presenter's Notes

Title: Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks

1
Randomized Signed-Scalar Multiplication of ECC to
Resist Power Attacks

JaeCheol Ha and SangJae Moon
Korea Nazarene University
jcha_at_kornu.ac.kr
Kyungpook National University
sjmoon_at_knu.ac.kr

2
History of Power Attacks
Timing attack
1996
Power analysis attack
Practical Implementation of Timing Attack in
CARDIS 98
1998
J. F. Dhem

Power Analysis Attacks of Modular Exponentiation
in CHES99 T. S. Messerges, et al
2000
Resistance against DPA for ECC in CHES99 J. S.
Coron
Randomized Addition-Subtraction Chains against
PA in CHES01 E. Oswald et al
2002
3
Related Works

Coron Resistance against DPA for ECC
Compute QkP
Random number r d k r ?E(K), QdP
Random point R Q k(RP), QQ-kR
Use randomized projective coordinates
Oswald, et al Randomized Addition-
Subtraction Chains against PA
Randomizing the binary algorithm itself
Use the Morain-Olivos method for speeding up the
binary alg.
Vulnerable to SPA (by Okeya-Sakurai in ACISP02)

4
Our Contributions

Propose a countermeasure against DPA
Randomized signed representation of a scalar
integer based on the NAF recoding algorithm
Probability analysis of each symbol in the
proposed random recording algorithm
Propose a addition-subtraction multiplication
algorithm against SPA

5
Preliminaries

Elliptic curve over K E(K)
K ? 2, 3 y2x3 ax b, a,b ? K
K2 y2xy x3 ax2 b
Point(x, y) Solution of a EC equation
Scalar multiplication QkP
Input point P
n-bit scalar integer k,

6
Preliminaries

Binary scalar multiplication
QO
for in -1 to 0 by-1 do
Q2Q Doubling
if (ki1) then QQ P Addition
Return Q
of doubling n, average of addition n/2

7
Preliminaries

Point operations K ? 2, 3
P (x1, y1), Q (x2, y2), -P (x1, -y1),
Doubling 2P (x3, y3)
x3 ?2 - x1 - x2 y3 ?(x1 - x3) - y1
? (3x12 a)/2y1
Addition (PQ) (x3, y3)
x3 ?2 - x1 - x2 y3 ?(x1 - x3) - y1
? (y2 - y1)/(x2 - x1)

8
Countermeasures to Power Attacks

SPA distinguish between point doubling and
addition from a measured power signal
SPA-immune alg.(by Coron)
Q0O
for in -1 to 0 by-1 do
Q02Q0 Doubling
Q1Q0P Addition
Q0Qki Selection
Return Q0
DPA exploit secret key by a statistical
analysis of many power consumptions
Coron three countermeasures
Oswald, et al random addition-subtraction alg.

9
Our Idea

Requirement to prevent from SPA
Independency of secret information and
computational procedures
Requirement to prevent from DPA
Randomization of computing objects
Our idea (DPA)
Randomize the scalar(secret) integer
Insert a random factor in the NAF alg.

10
NAF Representation

NAF(Non-Adjacent Form)
Signed-digit form,
Lowest weight form among all signed-digit
representation of a given k
Addition-Subtraction alg. QdP
Input point P, Secret scalar integer d, n1d
QO
for in to 0 by-1 do
Q2Q
Doubling
if (di1 ) then QQP Addition
or if (di ) then QQ -P
Subtraction
Return Q
of doubling n1, average of addition n/3

11
NAF recoding algorithm

NAF recoding algorithm
Ex) k ( 1 1 1 0 1 1 1 1 0 )
478 c ( 1 1 1 1 1 1 1 1 0
0 )NAF d ( 1 0 0 0 0 0 0 0
) 29 25 21 478
where, ki ci ci1 21 di 20 (ci1
di ), ci1 carry, di sum
Key idea (ci1 di ) 0 1 1 for
a signed-digit form

Input Input Input Output Output
k i1 k i c i c i1 d i
0 0 0 0 0
0 0 1 0 1
0 1 0 0 1
0 1 1 1 0
1 0 0 0 0
1 0 1 1
1 1 0 1
1 1 1 1 0
12
New Countermeasure(1/5)

Random signed-scalar recoding alg.

Input Input Input Input Output Output Output
k i1 k i c i r i c i1 d i Remarks
0 0 0 0 0 0 NAF
0 0 0 1 0 0 NAF
0 0 1 0 0 1 NAF
0 0 1 1 1 AF
0 1 0 0 0 1 NAF
0 1 0 1 1 AF
0 1 1 0 1 0 NAF
0 1 1 1 1 0 NAF
1 0 0 0 0 0 NAF
1 0 0 1 0 0 NAF
1 0 1 0 1 NAF
1 0 1 1 0 1 AF
1 1 0 0 1 NAF
1 1 0 1 0 1 AF
1 1 1 0 1 0 NAF
1 1 1 1 1 0 NAF
If ri1 (ki ? ci ) 1, AF recoding 01?1 1 ?01
13
Numerical Examples

NAF recoding
k ( 1 1 1 0 1 1 1 1 0 ) 478 d
( 1 0 0 0 0 0 0 0 ) 478
Random recoding (case 1)
k ( 1 1 1 0 1 1 1 1 0 ) 478
c ( 1 1 1 1 1 1 1 0 0 0 )
r ( 1 0 1 0 1 0 0 1 1 )
d ( 1 0 0 0 0 0 1 0 ) 29
25 -22 21 478
Random recoding (case 2)
r ( 1 1 0 1 0 1 0 0 1 )
d ( 1 0 0 1 0 0 0 0 ) 29 26
25 21 478

14
New Countermeasure(2/5)

Probability of symbols (O. Egecioglu C. K Koc)
State variable si
Input quadruplets (ki1, ki, ci, ri)
Output (ci1, di)
Next state (ki2, ki1, ci1, ri1)
? ?
The next state is determined by (ki2, ri1)

15
New Countermeasure(3/5)

Probability of each symbol
Assumption P(ki 0)P(ki 1) 1/2
P(ri 0)P(ri 1) 1/2
P(ki2, ri1) 1/4
Analyze using a Markov chain model
Analysis result P(di 0)1/2
P(di 1)1/4
P(di )1/4

16
New Countermeasure(4/5)

SPA resistant Addition-Subtraction alg.
Output QdP,
d random signed-scalar integer
Insert dummy operations
Q0O
P0P, P1P, P -P
for in to 0 by-1 do
Q02Q0 Doubling
Q1Q0Pdi Addition or
Q Q1 Subtraction
Q0Qdi
Selection
Return Q0

17
New Countermeasure(5/5)

Comparison
n bit length of scalar integer k
Corons SPA-immune alg.
Corons first countermeasure against DPA
d k r E(K)
mr (in practice, m 20 bits)

Algorithm additions doublings
Unprotected ordinary binary n/2 n
Unprotected NAF n/3 n1
Protected ordinary binary against SPA n n
Protected ordinary binary against DPASPA nm nm
Our proposed algorithm against DPA n/2 n1
Our proposed algorithm against DPA SPA n1 n1
18
Experimental Result(1/2)