
Enhanced Doubling Attacks on Signed-All-Bits Set Recoding


1 Enhanced Doubling Attacks on Signed-All-Bits Set Recoding
Hee-seok Kim (1), Tae Hyun Kim (1), Jeong Choon Ryoo (1), Dong-Guk Han (2), Ho Won Kim (2), and Jongin Lim (1)
(1) Graduate School of Information Management and Security, Korea University, Korea, http://cist.korea.ac.kr
(2) Electronics and Telecommunications Research Institute (ETRI), Korea, http://www.etri.re.kr/
WISTP 2007

2 Contents
- Side channel attacks: power analysis
- Scalar multiplication & simple power analysis on ECC
- Countermeasures & original Doubling Attack (DA)
  - Countermeasure 1: Coron's dummy method
  - Countermeasure 2: sABS recoding method
  - DA & weakness of Coron's dummy method
  - Security of sABS recoding against DA
- Proposed attacks
  - Recursive attack
  - Initializing attack
- Experiments & statistical approach of noise reduction
- Countermeasures & conclusion

3 Which are Side Channel Attacks
1. Timing Attacks - Kocher (1996)
2. Differential Fault Analysis (DFA) - Biham-Shamir (1997)
3. Simple Power Analysis (SPA) - Kocher, Jaffe, Jun (1998)
4. Differential Power Analysis (DPA) - Kocher, Jaffe, Jun (1998)

4 Power attacks
- Kocher et al., June 1998: measure the instantaneous power consumption of a device while it runs a cryptographic algorithm.
- Power consumption differs when operating on logical ones vs. logical zeroes.

5 Simple power analysis on ECC
General scalar multiplication algorithm (d: secret exponent)
- Point Doubling (D): executed for every bit of the secret key
- Point Addition (A): executed only when the bit value is '1'
Figure labels: D D D A A A D
In general, Addition has different power consumption from Doubling. - C. Clavier et al. [3]

6 Countermeasure against SPA - Coron's dummy method
Coron's dummy method: Point Doubling (D) and Point Addition (A) are executed for every bit of the secret key.

General algorithm:
d          1    1    1    0     1
doubling   P    2P   6P   14P   28P
addition        3P   7P         29P

Coron's dummy method:
d          1    1    1    0     1
doubling   P    2P   6P   14P   28P
addition        3P   7P   15P   29P

7 Countermeasure against SPA - sABS recoding
D: Doubling, A: Addition, S: Subtraction

d           1    1       1       -1       -1       1        -1
doubling    P    2P (D)  6P (D)  14P (D)  26P (D)  50P (D)  102P (D)
add/sub          3P (A)  7P (A)  13P (S)  25P (S)  51P (A)  101P (S)

The power consumption of Addition is similar to that of Subtraction, so sABS recoding is secure against the original SPA.

8 Doubling Attack (DA) - Fouque et al.
Assumption: the attacker is able to decide whether A = B or not when a smartcard computes ECDBL(A) and ECDBL(B).
Characteristics: when the input values are P and 2P, Coron's dummy method carries out the same doubling in the vicinity of the bit value '0'.
Attack method (d = 1 0 1 0 0 1):
Input P:   P, 2P, 3P, 4P, 5P, 10P, 11P, 20P, 21P, 40P, 41P
Input 2P:  2P, 4P, 6P, 8P, 10P, 20P, 22P, 40P, 42P, 80P, 82P

9 Doubling Attack (DA) - Fouque et al.
Figure: comparison of doubling signals (=, =, ≠) against the key bits 1 0 1 0 ...

10 Security of sABS recoding against DA
Characteristics: because the sABS recoded value has no '0' bit, it is secure against the original DA.
Example (d = 1 1 -1 1 -1 -1):
Input P:   P, 2P, 3P, 6P, 5P, 10P, 11P, 22P, 21P, 42P, 41P
Input 2P:  2P, 4P, 6P, 12P, 10P, 20P, 22P, 44P, 42P, 84P, 82P

11 Proposed attacks
Object: new power attacks on scalar multiplication using recoding countermeasures (sABS recoding)
Characteristics:
- SPA-based attacks on one bit of the key
- Feasible attack: supporting a concrete method for experiment
- Proposed 'initializing attack': combination of 'doubling attack' and 'Goubin's attack'

12 Proposed attack 1 - Recursive Attack
Object: new power attack on scalar multiplication using recoding countermeasures (sABS recoding)
Characteristic: if an attacker knows the upper n bits of the secret key, he can find the upper (n+1)-th bit by this attack. By this method, the attacker can find all bits of the secret key in sequence.
An attacker who knows the upper n bits of the secret key (= d') selects two inputs A, B that give rise to the same ECDBL in the vicinity of the upper (n+1)-th bit (= t).
A = d'P, B = (2d'+1)P
=> if t = 1, (2d'+1)A = d'B
   if t = -1, (2d'+1)A ≠ d'B

13 Proposed attack 1 - Recursive Attack
A = d'P, B = (2d'+1)P
=> if t = 1, (2d'+1)A = d'B
   if t = -1, (2d'+1)A ≠ d'B
Example (d = 1 1 -1 1 1 1 -1, d' = 11, recovered bit t = 1):
Input A = 11P:  11P, 22P, 33P, 66P, 55P, 110P, 121P, 242P, 253P, 506P, 517P, 1034P, 1023P
Input B = 23P:  23P, 46P, 69P, 138P, 115P, 230P, 253P, 506P, 529P, 1058P, 1081P, 2162P, 2139P

14 Proposed attack 2 - Initializing Attack
An attacker who knows the upper n bits of the secret key (= d') selects one input A that gives rise to ECDBL(P) at the upper (n+1)-th bit (= t).
A = (2d'+1)^-1 P
=> if t = 1, (2d'+1)A = P
   if t = -1, (2d'+1)A ≠ P
The attacker acquires the first doubling signal, ECDBL(P), from the power signal for input point 'P', and compares it with the (n+1)-th doubling signal in the power signal for input point '(2d'+1)^-1 P'.

15 Proposed attack 2 - Initializing Attack
A = (2d'+1)^-1 P
=> if t = 1, (2d'+1)A = P
   if t = -1, (2d'+1)A ≠ P
Example (d' = 11, recovered bit t = 1):
The order of the curve: 73
(2*11+1)^-1 mod 73 = 54
Input A = 54P:  54P, 35P, 16P, 32P, 51P, 29P, 10P, 20P, P, 2P, 56P, 39P, 20P
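The collision conditions of slides 12-15 can be reproduced with plain integer arithmetic, which is useful when checking whether a scalar multiplication routine has deterministic, input-dependent doubling operands. This is an added example, not code from the presentation: integers stand in for curve points (m means mP), so the value doubled right after digit t is (2d'+t)A. The function names and the KEY_MINUS digits are constructed for illustration; KEY_PLUS, d' = 11 and the order 73 are the values from the slides.

```python
# Added model: scalars stand in for curve points (m means the point mP).
# Constructed from the slide examples; not code from the presentation.

def doubling_inputs(digits, a, order=None):
    """Multiples m for which ECDBL(mP) runs when the input point is aP.

    digits: signed key digits, each +1 or -1, most significant first
    (leading digit +1), processed left to right as double, then add/subtract.
    """
    acc, inputs = a, []
    for s in digits[1:]:
        inputs.append(acc)          # operand of this doubling
        acc = 2 * acc + s * a       # ECDBL, then ECADD (s=+1) or ECSUB (s=-1)
        if order is not None:
            acc %= order
    return inputs

def prefix_value(digits, n):
    """Integer d' encoded by the upper n signed digits."""
    v = 0
    for s in digits[:n]:
        v = 2 * v + s
    return v

def recursive_collision(digits, n):
    """Slides 12-13: inputs A = d'P and B = (2d'+1)P."""
    d1 = prefix_value(digits, n)
    run_a = doubling_inputs(digits, d1)
    run_b = doubling_inputs(digits, 2 * d1 + 1)
    return run_a[n] == run_b[n - 1]     # equal only if digit n+1 is +1

def initializing_collision(digits, n, order):
    """Slides 14-15: input A = (2d'+1)^-1 P, compared with ECDBL(P)."""
    d1 = prefix_value(digits, n)
    a = pow(2 * d1 + 1, -1, order)      # modular inverse (Python 3.8+)
    return doubling_inputs(digits, a, order)[n] == 1

KEY_PLUS = [1, 1, -1, 1, 1, 1, -1]      # slide 13 digits: d' = 11, t = +1
KEY_MINUS = [1, 1, -1, 1, -1, 1, -1]    # constructed variant with t = -1
```

Both checks succeed only because every doubling operand is a fixed function of the input point and the key digits; that dependence is what a countermeasure has to remove.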

16 Experiments & Statistical approach of noise reduction
Setting:
- PIC microcontroller
- Power supply: 5V
- Function generator: 1MHz
- Oscilloscope

17 Experiments & Statistical approach of noise reduction
m1 = E(X1), m2 = E(X2), a1 = max(X1), b1 = min(X2); k points

18

19 Experiments & Statistical approach of noise reduction
Figure: power signals for INPUT: P, INPUT: 3P and INPUT: 7P compared over k points (uk points); Key: 1 1 -1 ...; decisions Disc < D and Disc > D.

20 Countermeasures & Conclusion
Characteristics of proposed attacks
- These new attacks are applicable to the sABS recoding countermeasure.
- SPA-based attacks on one bit of the key.
- The initializing attack is more powerful than Goubin's attack.
Countermeasures
- Using projective coordinates: affine coordinates are not secure.
- BRIP [13] can be applied against our attacks.

21 Questions and Comments
Hee Seok Kim: heeseokkim@cist.korea.ac.kr

