Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploiting the Order of Multiplier Operands: A Low-Cost Approach for HCCA Resistance Poulami Das and Debapriya Basu Roy under the supervision of Dr. Debdeep.

Published byJasper Hodges Modified over 8 years ago

Similar presentations

Presentation on theme: "Exploiting the Order of Multiplier Operands: A Low-Cost Approach for HCCA Resistance Poulami Das and Debapriya Basu Roy under the supervision of Dr. Debdeep."— Presentation transcript:

1 Exploiting the Order of Multiplier Operands: A Low-Cost Approach for HCCA Resistance Poulami Das and Debapriya Basu Roy under the supervision of Dr. Debdeep Mukhopadhyay

2 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Today’s talk  Introduction  ECC implementation vulnerabilities – power analysis  HCCA  Our Countermeasure  Conclusion

3 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Private-Key Cryptography Key is shared by both sender and receiver if the key is disclosed communications are compromised also known as symmetric, both parties are equal ◦ hence does not protect sender from receiver forging a message & claiming is sent by sender

4 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Public-Key Cryptography probably most significant advance in the 3000 year history of cryptography uses two keys – a public key and a private key asymmetric since parties are not equal uses clever application of number theory concepts to function complements rather than replaces private key cryptography

5 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Public-Key Cryptography

6 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Public-Key Cryptography developed to address two key issues: ◦ key distribution – how to have secure communications in general without having to trust a KDC with your key ◦ digital signatures – how to verify a message comes intact from the claimed sender public invention due to Whitfield Diffie & Martin Hellman at Stanford U. in 1976 ◦ known earlier in classified community

7 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Public-Key Cryptography Public key schemes utilise problems that are easy (P type) one way but hard (NP type) the other way, e.g. exponentiation vs logs, multiplication vs factoring. 2 most popular public-key crypto-primitives are ◦ RSA ◦ ECC

8 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur ECC vs RSA

9 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Elliptic Curve scalar multiplication k.P = (P + P +.. + P) k times Naïve Double-and-Add Algorithm

10 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur ECDLP security Theoretically secure against ECDLP ECDLP (Elliptic Curve Discrete Logarithm Problem): Suppose E is an elliptic curve over.. Given a multiple Q of P, the elliptic curve discrete logarithm problem is to find given Q = k.P

11 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Vulnerabilities Simple power analysis of a naïve Double- and-Add algorithm. Power trace for key bit 5

12 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Remedies for preventing SPA [CHES ‘99] SPA-resistant Double-and-Add algorithm

13 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Disadvantages cost overhead of dummy operations prone to C-Safe Error Attack vulnerable to DPA (Differential Power Analysis)

14 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Alternatives Atomic formula-based Algorithms applicable to NIST curves  [IEEE TC 2004] Chavelliar-Mames and others, Low-cost solutions for preventing simple side-channel analysis.  [IACR eprint 2008] Patrick Longa and others, Accelerating the elliptic curve cryptosystems over prime fields.  [CARDIS 2010] Giraud and others, Atomicity improvement for elliptic curve scalar multiplication.

15 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur More Alternatives … Unified Addition formula inherently secure against SPA – same formula for both addition and doubling operations.  [PKC 2002] Eric Brier and others,Weierstrass elliptic curves and side-channel attacks.  [ASIACRYPT 2007] Bernstein and others, Faster addition and doubling on elliptic curves. proposed use of Edward Curves in ECC

16 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur [PKC 2002] Brier-Joye Addition formula Y 2 Z = X 3 + aXZ 2 + bZ 3, (X, Y, Z) E(F p ), (a,b) ∈ F p ∈

17 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur [ASIACRYPT 2007] Edward Curve unified formula

18 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur [SAC 2013] Horizontal Collision Correlation Analysis Assumptions:  Underlying field multiplication uses school- book long integer multiplication algorithm  Adversary can detect whether a pair of field multiplications share any common operand  (AXB, CXD)  (AXB, CXB)  (AXB, AXB)

19 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Horizontal Collision Correlation Analysis We define: property 1: when a pair of field multiplications (m i, m j ) share one/ two common operands among themselves. ◦ property 1a: when a pair of multiplications share exactly one common operand, e.g. – (AB, CB) ◦ property 1b: when a pair of multiplications share exactly two common operands e.g. – (AB, AB) property 2: when a pair of field multiplications (m i, m j ) share no common operand among themselves, e.g. – (AB, CD) property 3: Given two sets containing field multiplications, only one of the two sets satisfy property 1.

20 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Horizontal Collision Correlation Analysis

21 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Horizontal Collision Correlation Analysis

22 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Horizontal Collision Correlation Analysis HCCA scenario 1: condition: Only one of addition and doubling should satisfy condition property 3 HCCA scenario 2: - can be launched unconditionally

23 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Our Contribution  A zero-cost countermeasure that prevents scenario 1 of HCCA  A randomized countermeasure that requires minimal cost to prevent HCCA scenario 2  First practical results on HCCA, and our countermeasure validation

24 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Asymmetric Leakage of Field Multipliers Long Integer Multiplication Algorithm

25 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Asymmetric Leakage of Field Multipliers Information Leakage model to approximate the correlation between power consumptions of two field multiplications:

26 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Asymmetric Leakage of Field Multipliers Let us define: Corr(AB,CB) Corr(AB,BC)

27 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Asymmetric Leakage of Field Multipliers Corr(AB,CD)

28 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Asymmetric Leakage of Field Multipliers Observation 1: Observation 2: Observation 3: for a multiplication pair with property 1b

29 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Conversion of ECC algorithm to secure sequence - Example

30 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Conversion for the Brier-Joye formula

31 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Secure-sequence conversion Algorithm – Countermeasure 1 Create_Graph(); Find_Graphcomponents(); Find_Safeseq();

32 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Countermeasure 2 – algorithm:

33 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Countermeasure 1 – zero-cost Countermeasure 2 – minimal cost HCCA security achieved !!

34 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Simulation results on HCCA and countermeasure validation Results on Curve1174 (Edward curve) using a 16-bit architecture model

35 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Results on SASEBO-GII

36 11-08-2015Weekly Talk 15, SEAL, IIT Kharagpur Conclusion Currently focusing on experimental validations Future work – ◦ Can we apply our countermeasure to other ECC algorithms (atomic-formula based algorithms, pairing-based ECC algorithms) ?

Download ppt "Exploiting the Order of Multiplier Operands: A Low-Cost Approach for HCCA Resistance Poulami Das and Debapriya Basu Roy under the supervision of Dr. Debdeep."

Similar presentations

Public Key Cryptography Nick Feamster CS 6262 Spring 2009.

Public Key Cryptography Nick Feamster CS 6262 Spring 2009.
Public Key Cryptography INFSCI 1075: Network Security – Spring 2013 Amir Masoumzadeh.

Public Key Cryptography INFSCI 1075: Network Security – Spring 2013 Amir Masoumzadeh.
Cryptography and Network Security Chapter 9

Cryptography and Network Security Chapter 9
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Public Key Algorithms …….. RAIT M. Chatterjee.

Public Key Algorithms …….. RAIT M. Chatterjee.
Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.

Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.
Cryptography and Network Security Chapter 9 Fourth Edition by William Stallings.

Cryptography and Network Security Chapter 9 Fourth Edition by William Stallings.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Cryptography and Network Security Chapter 9. Chapter 9 – Public Key Cryptography and RSA Every Egyptian received two names, which were known respectively.

Cryptography and Network Security Chapter 9. Chapter 9 – Public Key Cryptography and RSA Every Egyptian received two names, which were known respectively.
Public Key Cryptography and the RSA Algorithm

Public Key Cryptography and the RSA Algorithm
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Dr.Saleem Al_Zoubi1 Cryptography and Network Security Third Edition by William Stallings Public Key Cryptography and RSA.

Dr.Saleem Al_Zoubi1 Cryptography and Network Security Third Edition by William Stallings Public Key Cryptography and RSA.
1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Chapter 9 – Public Key Cryptography and RSA Private-Key Cryptography  traditional private/secret/single key cryptography uses one key  shared by both.

Chapter 9 – Public Key Cryptography and RSA Private-Key Cryptography  traditional private/secret/single key cryptography uses one key  shared by both.
Cryptography and Network Security Chapter 9 5th Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 9 5th Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.
The RSA Algorithm JooSeok Song 2007. 11. 13. Tue.

The RSA Algorithm JooSeok Song Tue.
Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Similar presentations

Ads by Google