
A DPA Countermeasure by Randomized Frobenius Decomposition

Tae-Jun Park, Mun-Kyu Lee*, Dowon Hong and Kyoil Chung (* Inha University). Outline: I. Side channel analysis; II. Frobenius expansion; III. Random decomposition; IV. Conclusion.


Presentation Transcript


  1. A DPA Countermeasure by Randomized Frobenius Decomposition Tae-Jun Park, Mun-Kyu Lee*, Dowon Hong and Kyoil Chung * Inha University

  2. Outline • I. Side channel analysis • II. Frobenius expansion • III. Random decomposition • IV. Conclusion WISA 2005

  3. Power Analysis • Kocher, Crypto 99 • Powerful technique to recover secret information by monitoring the power signal • Two kinds of power analysis • SPA: Simple power analysis • DPA: Differential power analysis

  4. Power Analysis on Elliptic Curve • Coron, CHES 99 • Naïve implementations of ECC are highly vulnerable to SPA and DPA • Various methods have been proposed • Hasan suggested several countermeasures on Koblitz curves (IEEE Transactions on Computers, 2001) • Ciet et al. proposed randomizing the GLV decomposition to prevent DPA in GLV curves (CHES 2002)

  5. The Goal of This Talk • New countermeasure against DPA on ECC • Applicable to any curve where the Frobenius method can be used • Two-dimensional generalization of Coron’s method • 15.3 ~ 34.0% extra computations

  6. Elliptic Curve • Let be the prime power • is of or • Otherwise - To avoid the MOV attack Use only nonsupersingular elliptic curve

  7. Frobenius Endomorphism • The Frobenius endomorphisms of • The minimal polynomial of the Frobenius endomorphism

  8. Frobenius Expansion-(1) • The endomorphism ring of nonsupersingular elliptic curve is the order in the imaginary quadratic field • The ring is a subring of the endomorphism ring • Mueller proposed a Frobenius expansion method by iterating divisions - fast scalar multiplication on elliptic curves over small fields of characteristic two - Division by the Frobenius endomorphism in the ring

  9. Frobenius Expansion-(2) • Division by in the looks like division by complex number in the Gaussian integer • Lemma: Suppose that be even (resp., odd) prime power. Let . There exists an integer and an element s.t.

  10. Frobenius Expansion-(3) • By iterating the process of divisions by with remainder, one can expand with

  11. Division by in -(1)

  12. Division by in -(2) • Let be the lattice generated by 1 and : is isomorphic to • All elements in which can be divided by for example, all numbers divided by 2 is of the form • The set of such elements is generated by and :

  13. Division by in -(3) • Divide by with remainder • If , then there exist • s. t. - If not, move horizontally left or right to for suitable

  14. Random Decomposition-(1) • Transform to random lattice - Choose random integer where

  15. Random Decomposition-(2)

  16. Random Decomposition-(3)

  17. Random Decomposition-(4) • Lemma : For any , we can find s. t. with the Euclidean length of is bounded by

  18. Random Decomposition-(5)

  19. Scalar Multiplication • Scalar multiplication - is expanded as - By Mueller’s expansion method - A scalar multiplication

  20. Overhead

  21. Conclusion • Our method can be applied to all kinds of elliptic curves • It can be used in conjunction with other countermeasures • It will be generalized to hyperelliptic curves
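
The Frobenius expansion by repeated division with remainder outlined on slides 8 to 13, as an added example that is not part of the presentation. Assumptions: an element a + bτ of Z[τ] is stored as the pair (a, b) with τ² − tτ + q = 0, the remainder is the centered residue of a modulo q, and the sample parameters q = 2, t = ±1 (Koblitz curves) are chosen here; the randomized decomposition of slides 14 to 18 is not implemented.

```python
# Added illustration (not the authors' code): Frobenius (tau-adic) expansion of a
# scalar by iterated division with remainder in Z[tau], tau^2 - t*tau + q = 0.
# Representation (a, b) = a + b*tau and the centered remainder are assumptions.

def divide_by_tau(a, b, q, t):
    """Return (c, d, r) such that a + b*tau = r + tau*(c + d*tau)."""
    # tau*(c + d*tau) = -d*q + (c + d*t)*tau, so tau divides x + y*tau iff q | x.
    r = a % q
    if r > q // 2:          # centered residue in (-q/2, q/2]
        r -= q
    d = -(a - r) // q       # exact: q divides a - r
    c = b - d * t
    return c, d, r

def frobenius_expand(k, q, t, max_len=512):
    """Digits r_0, r_1, ... with k = sum(r_i * tau^i), least significant first."""
    a, b, digits = k, 0, []
    while (a, b) != (0, 0):
        if len(digits) >= max_len:
            # Guard for parameter choices where this digit rule might cycle.
            raise ValueError("expansion did not terminate within max_len digits")
        a, b, r = divide_by_tau(a, b, q, t)
        digits.append(r)
    return digits

def evaluate(digits, q, t):
    """Horner evaluation of sum(r_i * tau^i) in exact arithmetic; returns (a, b)."""
    a, b = 0, 0
    for r in reversed(digits):
        # Multiply a + b*tau by tau using tau^2 = t*tau - q, then add the digit.
        a, b = -b * q + r, a + b * t
    return a, b

if __name__ == "__main__":
    q, t = 2, 1             # constructed sample parameters
    for k in (2, 3, 1000003):
        digits = frobenius_expand(k, q, t)
        assert evaluate(digits, q, t) == (k, 0)
        print(k, len(digits), digits[:16])
```

The digit sequence produced for a fixed scalar is the same on every run, which is the fixed relation between key and executed operations that the random decomposition on slides 14 to 18 is meant to remove.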
