
Enhanced Doubling Attacks on Signed-All-Bits Set Recoding

Enhanced Doubling Attacks on Signed-All-Bits Set Recoding. Hee-seok Kim¹, Tae Hyun Kim¹, Jeong Choon Ryoo¹, Dong-Guk Han², Ho Won Kim², and Jongin Lim¹. ¹ Graduate School of Information Management and Security, Korea University, Korea, http://cist.korea.ac.kr.





Presentation Transcript


  1. Enhanced Doubling Attacks on Signed-All-Bits Set Recoding
  Hee-seok Kim¹, Tae Hyun Kim¹, Jeong Choon Ryoo¹, Dong-Guk Han², Ho Won Kim², and Jongin Lim¹
  • ¹ Graduate School of Information Management and Security, Korea University, Korea, http://cist.korea.ac.kr
  • ² Electronics and Telecommunications Research Institute (ETRI), Korea, http://www.etri.re.kr/
  WISTP 2007

  2. Contents
  • Side channel attacks – power analysis
  • Scalar multiplication & simple power analysis on ECC
  • Countermeasures & original Doubling Attack (DA)
    • Countermeasure 1 – Coron's dummy method
    • Countermeasure 2 – sABS recoding method
    • DA & weakness of Coron's dummy method
    • Security of sABS recoding against DA
  • Proposed attacks
    • Recursive attack
    • Initializing attack
  • Experiments & statistical approach to noise reduction
  • Countermeasures & conclusion

  3. Side channel attacks
  1. Timing attacks – Kocher (1996)
  2. Differential Fault Analysis (DFA) – Biham, Shamir (1997)
  3. Simple Power Analysis (SPA) – Kocher, Jaffe, Jun (1998)
  4. Differential Power Analysis (DPA) – Kocher, Jaffe, Jun (1998)

  4. Power attacks
  • Kocher et al., June 1998: measure the instantaneous power consumption of a device while it runs a cryptographic algorithm
  • Power consumption differs when operating on logical ones vs. logical zeroes

  5. Simple power analysis on ECC
  • General scalar multiplication algorithm; d: secret exponent
  • Point doubling (D): executed for every bit value of the secret key
  • Point addition (A): executed only when the bit value is '1'
  • In general, addition has a different power consumption from doubling – C. Clavier et al. [3]
  • (figure: operation sequence D A D A D D A read off the power trace)

  6. Countermeasure against SPA – Coron's method
  • Coron's dummy method: point doubling (D) and point addition (A) are both executed for every bit value of the secret key
  • (figure: operation sequences DA DA DA DA and D D DA DA; example computing 15P)

  7. Countermeasure against SPA – sABS recoding
  • sABS recoding: the power consumption of an addition is similar to that of a subtraction, so it is secure against the original SPA
  • D: doubling, A: addition, S: subtraction

  8. Doubling Attack (DA) – Fouque et al.
  • Assumption: the attacker is able to decide whether A = B or not when a smartcard computes ECDBL(A) and ECDBL(B)
  • Characteristic: when the input values are P and 2P, Coron's dummy method carries out the same doubling in the vicinity of the bit value '0'
  • Attack method: (figure)

  9. Doubling Attack (DA) – Fouque et al.
  • (figure: key 1 0 1 0 . . . with the doubling comparisons marked = ≠ =)

  10. Security of sABS recoding against DA
  • Characteristic: because an sABS-recoded value has no '0' digit, it is secure against the original DA
  • Example: (figure)
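The following toy model, added here as an illustration and not taken from the authors' code, walks through slides 6, 8 and 9: Coron's dummy-add method and why inputs P and 2P let the doubling oracle read off the zero bits. A point kP is modelled by its discrete log k modulo a constructed group order, which preserves exactly what the assumed oracle distinguishes (whether two ECDBL inputs are the same point); the key, the order 73 and the names below are all assumptions of the example.

```python
"""Toy model of Fouque et al.'s doubling attack (DA) on Coron's dummy-add
method (slides 6, 8, 9).  Added example, not the authors' code.  A point kP is
modelled by its discrete log k modulo the group order, so two ECDBL inputs are
the same point exactly when the integers agree."""

ORDER = 73          # constructed toy group order (the slides' curve has order 73)


def coron_always_add(bits, a):
    """Coron's dummy method, left to right: one ECDBL and one ECADD per key bit;
    the addition result is kept only when the bit is 1.  `bits` is the secret
    key MSB first, `a` the input point.  Returns (result, list of ECDBL inputs)."""
    q = 0                               # point at infinity in the log model
    dbl_inputs = []
    for b in bits:
        dbl_inputs.append(q)
        doubled = (2 * q) % ORDER       # ECDBL, always executed
        added = (doubled + a) % ORDER   # ECADD, always executed (dummy when b == 0)
        q = added if b else doubled
    return q, dbl_inputs


def make_device(secret_bits):
    """Simulated smartcard: for a chosen input point it returns the output point
    and the sequence of ECDBL inputs; the attacker only compares entries."""
    return lambda a: coron_always_add(secret_bits, a % ORDER)


def doubling_attack(device, n_bits):
    """Slide 9: compare the traces for inputs P and 2P.
    After i bits the accumulator is prefix_i * P with prefix_i = 2*prefix_{i-1} + b,
    so the i-th ECDBL on input P takes (2*prefix_{i-1} + b)P while the (i-1)-th
    ECDBL on input 2P takes 2*prefix_{i-1}*P: the same point iff b == 0."""
    out_p, trace_p = device(1)          # input P
    _, trace_2p = device(2)             # input 2P
    bits = [0 if trace_p[i] == trace_2p[i - 1] else 1 for i in range(1, n_bits)]
    # No ECDBL follows the last bit, so it is settled by checking the output dP.
    for last in (0, 1):
        if coron_always_add(bits + [last], 1)[0] == out_p:
            return bits + [last]
    raise ValueError("no candidate matches the device output")


SECRET_BITS = [1, 0, 1, 1, 0, 1]        # constructed 6-bit key, d = 45

if __name__ == "__main__":
    dev = make_device(SECRET_BITS)
    print("ECDBL inputs for P :", dev(1)[1])
    print("ECDBL inputs for 2P:", dev(2)[1])
    print("recovered key      :", doubling_attack(dev, len(SECRET_BITS)))
```

The collision only exists because a '0' bit discards the dummy addition, leaving the accumulator at 2·prefix·P, which is exactly where the 2P run already is one step earlier. An sABS-recoded key has digits in {1, -1} only, so the accumulator after every digit is (2·prefix ± 1)·P and never coincides with the 2P run; that is slide 10's argument, and it is why the later slides need a different pair of inputs.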

  11. Proposed attacks
  • Object: new power attacks on scalar multiplication using recoding countermeasures (sABS recoding)
  • Characteristics:
    • SPA-based attacks on one bit of the key
    • Proposed 'initializing attack': a combination of the 'doubling attack' and 'Goubin's attack'
    • Feasible attack: a concrete method for the experiment is provided

  12. Proposed attack 1 – Recursive Attack
  • Object: new power attack on scalar multiplication using recoding countermeasures (sABS recoding)
  • Characteristic:
    • If an attacker knows the upper n bits of the secret key, he can find the upper (n+1)-th bit by this attack.
    • By this method, the attacker can find all bits of the secret key in sequence.
  • An attacker who knows the upper n bits of the secret key (= d') selects two inputs A, B that originate the same ECDBL in the vicinity of the upper (n+1)-th bit (= t):
    A = d'P, B = (2d'+1)P
    if t = 1, (2d'+1)A = d'B; if t = -1, (2d'+1)A ≠ d'B

  13. Proposed attack 1 – Recursive Attack
  • A = d'P, B = (2d'+1)P
    if t = 1, (2d'+1)A = d'B; if t = -1, (2d'+1)A ≠ d'B
  • (figure: worked example with d' = 11, next digit 1)

  14. Proposed attack 2 – Initializing Attack
  • An attacker who knows the upper n bits of the secret key (= d') selects one input A that originates ECDBL(P) at the upper (n+1)-th bit (= t):
    A = (2d'+1)⁻¹P
    if t = 1, (2d'+1)A = P; if t = -1, (2d'+1)A ≠ P
  • The attacker acquires the first doubling signal, ECDBL(P), from the power signal for input point P.
  • That first doubling signal, ECDBL(P), is compared with the (n+1)-th doubling signal in the power signal for input point (2d'+1)⁻¹P.

  15. Proposed attack 2 – Initializing Attack
  • A = (2d'+1)⁻¹P
    if t = 1, (2d'+1)A = P; if t = -1, (2d'+1)A ≠ P
  • The order of the curve: 73; (2·11+1)⁻¹ mod 73 = 54
  • (figure: worked example with d' = 11, next digit 1)
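Both attacks from slides 12 to 15 reduce to the same arithmetic, so the following toy model, added as an illustration and not the authors' code, runs them side by side: the sABS recoding itself, a left-to-right scalar multiplication that records what each ECDBL receives, the recursive attack with inputs d'P and (2d'+1)P, the initializing attack with the single input (2d'+1)⁻¹P (the slides' example, order 73 and d' = 11, is reproduced), and a BRIP-style random-initial-point mask as a model of slide 20's countermeasure. Points are modelled by their discrete logs modulo the order, the secret key d = 45 is constructed, and the masking scheme and all names are assumptions of the example.

```python
"""Toy model of the recursive attack (slides 12-13) and the initializing attack
(slides 14-15) on sABS recoding, plus a BRIP-style random-initial-point mask
(slide 20).  Added example, not the authors' code.  A point kP is modelled by
its discrete log k modulo the group order, which preserves exactly what the
attacker's oracle sees: whether two ECDBL inputs are the same point."""
import random

ORDER = 73          # group order from the slides' worked example (toy group)


def sabs_recode(d, n):
    """Signed-all-bits-set recoding of an odd n-bit scalar d into n digits in
    {1, -1}, most significant first, with sum(digit_i * 2^i) == d.
    The top digit is always 1 and digit_i = 2*b_{i+1} - 1 for the others."""
    assert d % 2 == 1 and 2 ** (n - 1) <= d < 2 ** n
    bits = [(d >> i) & 1 for i in range(n)]                   # bits[i] = b_i
    low = [1 if bits[i + 1] else -1 for i in range(n - 1)]    # digits 0..n-2
    return list(reversed(low + [1]))


def digits_value(digits):
    """Integer represented by an MSB-first digit list (the slides' d')."""
    return sum(t << (len(digits) - 1 - i) for i, t in enumerate(digits))


def scalar_mult(digits, a, mask=0):
    """Left-to-right sABS scalar multiplication of input point a.
    Returns (result, list of ECDBL inputs in order).  With mask != 0 the
    accumulator is kept as kA + R, a BRIP-style blinding (an assumption of this
    model), so every ECDBL input is shifted by the per-run random R."""
    q = (a + mask) % ORDER                  # top digit is 1: Q = A (+ R)
    dbl_inputs = []
    for t in digits[1:]:
        dbl_inputs.append(q)
        q = (2 * q) % ORDER                 # ECDBL
        q = (q + t * a - mask) % ORDER      # ECADD or ECSUB, keeps Q = kA + R
    return (q - mask) % ORDER, dbl_inputs


def make_device(secret_digits, blinded=False, seed=2007):
    """Simulated smartcard returning (output point, ECDBL inputs) for an input
    point.  With blinded=True a fresh random R is drawn for every run."""
    rng = random.Random(seed)

    def run(a):
        r = rng.randrange(1, ORDER) if blinded else 0
        return scalar_mult(secret_digits, a % ORDER, r)
    return run


def _settle_last_digit(device, known):
    """No ECDBL follows the last digit, so it is fixed by checking the output for P."""
    out, _ = device(1)
    for last in (1, -1):
        if scalar_mult(known + [last], 1)[0] == out:
            return known + [last]
    raise ValueError("no candidate matches the device output")


def recursive_attack(device, n_digits):
    """Slide 12: with the top n digits d' known, feed A = d'P and B = (2d'+1)P.
    The (n+1)-th ECDBL on A takes (2d'+t)A, the n-th ECDBL on B takes d'B, and
    these are the same point exactly when the next digit t is 1."""
    known = [1]                             # the top sABS digit is always 1
    for n in range(1, n_digits - 1):
        d_prime = digits_value(known)
        _, trace_a = device(d_prime)
        _, trace_b = device(2 * d_prime + 1)
        known.append(1 if trace_a[n] == trace_b[n - 1] else -1)
    return _settle_last_digit(device, known)


def initializing_attack(device, n_digits):
    """Slide 14: one input A = (2d'+1)^-1 P per digit.  The (n+1)-th ECDBL on A
    takes (2d'+t)(2d'+1)^-1 P, which is P itself (what the first ECDBL on input
    P receives) exactly when t is 1."""
    _, ref = device(1)                      # first ECDBL on input P takes P
    known = [1]
    for n in range(1, n_digits - 1):
        d_prime = digits_value(known)
        a = pow(2 * d_prime + 1, -1, ORDER)  # ORDER is prime, so the inverse exists
        _, trace_a = device(a)
        known.append(1 if trace_a[n] == ref[0] else -1)
    return _settle_last_digit(device, known)


SECRET = sabs_recode(45, 6)                 # constructed key: digits 1 1 -1 1 1 -1

if __name__ == "__main__":
    plain = make_device(SECRET)
    print("recursive   :", recursive_attack(plain, 6))
    print("initializing:", initializing_attack(plain, 6))
    try:
        print("blinded     :", recursive_attack(make_device(SECRET, blinded=True), 6))
    except ValueError as e:
        print("blinded     : attack fails,", e)
```

With the top four digits 1 1 -1 1 (d' = 11) the recursive attack compares the fifth ECDBL for input 11P with the fourth ECDBL for input 23P, and both receive 34P; the initializing attack instead feeds 54P, the slides' (2·11+1)⁻¹P mod 73, and its fifth ECDBL receives P again. Once every run adds a fresh R, the same two ECDBL inputs become 34P + R₁ and 34P + R₂ and the equality test carries no information about t, which is the effect a random-initial-point countermeasure such as BRIP is meant to have.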

  16. Experiments & statistical approach to noise reduction
  • Setting: PIC microcontroller, power supply 5 V, function generator 1 MHz, oscilloscope

  17. Experiments & statistical approach to noise reduction
  • m1 = E(X1), m2 = E(X2), a1 = max(X1), b1 = min(X2)
  • (figure: k points)

  18. Experiments & Statistical approach of noise reduction

  19. Experiments & statistical approach to noise reduction
  • (figure: key 1 1 -1 . . . ; traces for inputs P, 3P and 7P compared over k points; the unknown digit '??' is read as 1 when Disc < D and as -1 when Disc > D)

  20. Countermeasures & Conclusion
  • Characteristics of the proposed attacks
    • These new attacks are applicable to the sABS recoding countermeasure.
    • SPA-based attacks on one bit of the key.
    • The initializing attack is more powerful than Goubin's attack.
  • Countermeasures
    • Use projective coordinates – affine coordinates are not secure.
    • BRIP can be applied against our attacks [13].

  21. Questions and Comments Hee Seok Kim : heeseokkim@cist.korea.ac.kr
