Some Side Channel Attacks On Elliptic Curve Cryptosystem

About This Presentation

Title:

Some Side Channel Attacks On Elliptic Curve Cryptosystem

Description:

Isogeny Defense against ZVP Attack is not secure (Akishita-Takagi 2004) ... Any isogeny cannot map to the curve with that is secure against ZVP attack. ... – PowerPoint PPT presentation

Number of Views:79

Avg rating:3.0/5.0

Slides: 30

Provided by: drtsuyos

Category:

more less

Transcript and Presenter's Notes

Title: Some Side Channel Attacks On Elliptic Curve Cryptosystem

1
Some Side Channel AttacksOn Elliptic Curve
Cryptosystem

Tsuyoshi Takagi
Technische Universtät Darmstadt
Fachbereich Informatik
http//www.informatik.tu-darmstadt.de/KP/

2
Overview

Elliptic Curve Cryptosystems (ECC)
Power Analysis against ECC
Goubins Attack
Zero-Value Point Attack
Smarts Isogeny Defense

3
Elliptic Curve

Elliptic curve on binary field
Elliptic curve on prime field

All points satisfying and infinity point
Abelian group by the following addition
group identity
4
Addition Formulae on EC

EC Doubling (ECDBL)

EC Addition (ECADD)

5
Addition Formulae on EC(Jacobian Coordinates)

ECDBL

ECADD

6
Scalar Multiplication on EC

Scalar Multiplication
Binary Method
For downto
ECDBL
if , ECADD
Return

binary representation
Ex.
7
Power Analysis

Simple Power Analysis (SPA)
Observe the power consumption of devices in a
single computation and detect the secret key
Differential Power Analysis (DPA)
Observe many power consumptions and analyze
these information together with statistic tools

8
SPA against ECC (Coron 1999)

Binary method
For downto
ECDBL
if , ECADD
Return

ECDBL
ECADD

Ex.
9
SPA Countermeasure (Coron 1999)

Scalar Multiplication
Double-and-add-always method
For downto
ECDBL
ECADD
Return

10
Double-and-add-always method(Coron 1999)
Ex.
dummy
dummy
11
Experiment by Coron (CHES1999)

We gather many power consumption of computing
4Pi.
4Pi is computed if and only if the most 2nd
bit of d is 0.
(2) Let si be any specific bit of 4Pi. We use the
following
correlation function g(t) Power(si0)
Power(si 1)

Cited from Coron, Resistant against Resistance
against Differential Power Analysis for Elliptic
Curve Cryptosystems, CHES 1999, pp.292-302,
1999.
If 4Pi is computed, there is a difference
between Power(si0) and Power(si1).
If point 4Pi is never computed, there is no spike
in the graph.
12
DPA against Double-and-add-always method (Coron
1999)

is fixed and the attacker can choose
ElGamal encryption, single-pass ECDH
Power consumption of double-and-add-always method
for each input looks same, but is slightly
different.
Power consumption is correlated to any bit of
processing point.

13
DPA Countermeasure (Coron 1999)

Randomize point representation in Jacobian
coordinates
Scalar Multiplication
Choose randomly
Compute
Return

14
DPA Countermeasure(Joye-Tymen 2001)

Use a random isomorphic curve to the original
curve
Scalar multiplication
Choose randomly
and
Compute on
Return

15
Goubins Attack (Goubin 2003)

Cannot randomize the points and
Assume
Input

16
Condition of Goubins Attack

point
Not exist in elliptic curve
of prime order.
If exist, the input can be discarded.
point
is quadratic residue modulo

Order is 2
If b is random, this probability is about 50
17
Goubins Points on Standard Curves

SECG Curves

18
Isogeny of Elliptic Curve

19
Smarts Isogeny Defense(Smart 2003)

Countermeasure against Goubins attack
Isogeny of degree

20
Smarts Isogeny Defense against Goubins attack
efficient curve
21
ZVP Attack (Akishita-Takagi 2003)

Zero-value point attack
Generalization of Goubins attack
Goubins attack pays attention to only
representation of processing points.
We consider that intermediate values of addition
formulae are equal to 0.
If the point has no zero-value coordinate, the
intermediate values might become zero.

22
ZVP in ECDBL