Presentation is loading. Please wait.

Presentation is loading. Please wait.

DPA Countermeasures by Improving the Window Method Kouichi Itoh, Jun Yajima, Masahiko Takenaka and Naoya Torii Workshop on Cryptographic Hardware and Embedded.

Published byBarry Manning Modified over 8 years ago

Similar presentations

Presentation on theme: "DPA Countermeasures by Improving the Window Method Kouichi Itoh, Jun Yajima, Masahiko Takenaka and Naoya Torii Workshop on Cryptographic Hardware and Embedded."— Presentation transcript:

1 DPA Countermeasures by Improving the Window Method Kouichi Itoh, Jun Yajima, Masahiko Takenaka and Naoya Torii Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) August, 2002 Fujitsu Laboratories LTD.

2 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Contents What is DPA? Previous DPA countermeasures Our DPA countermeasures Security of our countermeasures Performance comparison with other countermeasures

3 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Overview Fast encryption speed No additional parameter Applicable in both RSA and ECC Proposal of new effective DPA countermeasure(s) for public key cryptosystems Characteristics Objectives

4 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) What is DPA? (Differential Power Analysis) Analyze a secret key stored in the cryptographic device by monitoring its power consumption. (Kocher, CRYPTO’99) スマートカード 秘密情報 Make a differential t V t V  Smartcard Secret key K Plaintext P i (i=1,2,...,N) Analyze Secret key K Monitor a power consumption

5 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Previous DPA Countermeasures for public key Cryptosystems Randomization of the private exponent (Coron, CHES’99) Randomized binary-method (Messerges-Dabbish-Sloan, CHES’99) Randomized projective coordinates (Coron, CHES’99) Exponent splitting (Clavier-Joye, CHES2001) d  d’ = d+r  ( r :random,  :order) d = d 1 + d 2, a d = a d 1  a d 2 (mod n), ( d 1,d 2 :random) (x,y)  (x  r, y  r, z  r) ( r :random) d = 10100011010 randomly choose MSB-to-LSB binary-method LSB-to-MSB binary-method 111011101010

6 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Demerits of Previous DPA Countermeasures Slow encryption speed (Clavier-Joye, Messerges) Not applicable to both RSA and ECC(Coron) Additional parameter is required(Coron) Exponent splitting technique takes 2 times computation. Randomized projective coordinates technique is available only in ECC. When randomizing the private exponent, parameter  is used. RSA (normal) replace...  a, d, n a d (mod n) RSA (DPA protected) a d (mod n) a, d, n

7 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Merits of Our Countermeasures Fast encryption speed (Overhead is low) Applicable to both RSA and ECC No additional parameter In comparison with k-ary method, computational complexity is 105% in 1024-bit RSA, and is 119% in 160-bit ECC Vulnerable encrypt engine is easily replaced to secure one All countermeasures are based on the window method

8 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Our DPA Countermeasures We propose 3 countermeasures: Overlapping Window Method(O-WM) Randomized Table Window Method(RT-WM) Hybrid Randomizing Window Method(HR-WM) Each has unique characteristics (speed, security) A suitable countermeasure can be chosen according to the environment (encryption algorithm, key length...)

9 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Overlapping Window Method(O-WM) Data is randomized. Basic idea d 1 101 01101110 101 110 w0w0 w1w1 w2w2 Traditional WM d 1 101 01101110 010 011 w0w0 w1w1 w2w2 0 0 0 1 1 d 1 011 01101110 111 110 w0w0 w1w1 w2w2 1 0 1 1 By overlapping w i and w i+1, various expressions are possible.

10 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Data is randomized. Basic idea d 1 101 01101110 101 110 w0w0 w1w1 w2w2 Traditional WM 1 d 1011011101 RT-WM a 000 a 001 a 010 a 011 a 100 a 101 a 110 a 111 a 000000+r a 001000+r a 010000+r a 011000+r a 100000+r a 101000+r a 110000+r a 111000+r 101 010 011 w0w0 w1w1 w2w2 011 011 011 011 r:r: Table lookup: Randomize Randomized Table Window Method (RT-WM) (random)

11 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Hybrid Randomizing Window Method (HR-WM) HR-WM = O-WM + RT-WM = (Overlapping) + (Randomized Table) d 1 a 000000+r a 001000+r a 010000+r a 011000+r a 100000+r a 101000+r a 110000+r a 111000+r w0w0 w1w1 w2w2 011 1 Randomized table r (random) : 10011 110 001 100 110 Overlapping window 111110100

12 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Security Evaluation of Our Countermeasures Basic idea without countermeasureUsing countermeasure Size of the spike will be smaller by the countermeasure Security is evaluated by the ratio of the sizes. (attenuation ratio = B/A) A B

13 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) DPA Attack Experiment RSA(Normal) attenuation ratio=1/10 RSA(O-WM)

14 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Security Evaluation Result RSA ECC(2D) ECC(3D) O-WM 2 -2.6 ~2 -7.2 ( * ) 2 -2.6 ~2 -80 ( * ) RT-WM 2 -20 HR-WM 2 -11 2 -11 ~2 -61 ( * ) ECC(2D) : An implementation using affine coordinates ECC(3D) : An implementation using projective or Jacobian coordinates Attenuation Ratio(AR) for a fixed parameter ( * ) : The reason why AR varies, is described in the paper

15 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Performance Comparison among Our Countermeasures O-WMRT-WM Suitable for ECC (3D) Suitable for RSA HR-WM O-WMHR-WMRT-WM ECC(3D) (160-bit) TIME 256264279 AR~2 -80 ~2 -61 2 -20 RSA (1024- bit) TIME 155214161359 AR~2 -7.2 2 -11 2 -20 Shorter key length Longer key length TIME:number of addition/doubling(ECC) or multiplication/squaring(RSA) 210-bit 340-bit 160-bit1024-bit

16 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Comparison with Other Countermeasures TIME:number of addition/doubling(ECC) or multiplication/squaring(RSA) O-WMHR-WMRT-WMCoronMesserges ECC( 3D ) (160-bit) TIME 256264279241214 AR ~2 -80 ~2 -61 2 -20 2 -7.3 RSA (1024- bit) TIME 15521416135913211536 AR ~2 -7.2 2 -11 2 -20 2 -10 Additional Parameter No YesNo vs Coron : Additional parameter is unnecessary vs Messerges : Much higher security in ECC, higher security and 13% faster in RSA Proposed and Coron : 4-bit window, Messerges : binary-method(RSA) or signed-binary(ECC)

17 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Conclusion We evaluated the security by attenuation ratio Fast encryption speed Applicable to both RSA and ECC No Additional parameter We proposed new DPA countermeasures, O-WM, RT-WM and HR-WM ECC : All countermeasures provide enough security RSA : RT-WM and HR-WM provide enough security

18 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002)

19 All Rights Reserved. Copyright (C) Fujitsu Laboratories LTD.Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) Questions & Comments

Download ppt "DPA Countermeasures by Improving the Window Method Kouichi Itoh, Jun Yajima, Masahiko Takenaka and Naoya Torii Workshop on Cryptographic Hardware and Embedded."

Similar presentations

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks JaeCheol Ha * and SangJae Moon ** * Korea Nazarene University **

Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks JaeCheol Ha * and SangJae Moon ** * Korea Nazarene University **
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK www.co.umist.ac.uk.

Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK
Confidential 1 Corporate Research © THOMSON multimedia, 1999 Mixing cryptography and watermarking for copy protection in consumer electronic devices FURON.

Confidential 1 Corporate Research © THOMSON multimedia, 1999 Mixing cryptography and watermarking for copy protection in consumer electronic devices FURON.
White-Box Cryptography

White-Box Cryptography
Lecture 11-12 Implementations. The efficiency of a particular cryptographic scheme based on any one of the algebraic structures will depend on a number.

Lecture Implementations. The efficiency of a particular cryptographic scheme based on any one of the algebraic structures will depend on a number.
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
C ● O ● M ● O ● D ● O RESEARCH LAB Longer Keys may Facilitate Side Channel Attacks (Bradford, UK) Colin.

C ● O ● M ● O ● D ● O RESEARCH LAB Longer Keys may Facilitate Side Channel Attacks (Bradford, UK) Colin.
PREVENTING CRYPTOGRAPHIC KEY LEAKAGE IN CLOUD VIRTUAL MACHINES STUDENT: FATEMAH ALHARBI PROFESSOR: NAEL ABU-GHAZALEH EE260 SEMINAR IN ELECTRICAL ENGINEERING.

PREVENTING CRYPTOGRAPHIC KEY LEAKAGE IN CLOUD VIRTUAL MACHINES STUDENT: FATEMAH ALHARBI PROFESSOR: NAEL ABU-GHAZALEH EE260 SEMINAR IN ELECTRICAL ENGINEERING.
Abdullah Sheneamer CS591-F2010 Project of semester Presentation University of Colorado, Colorado Springs Dr. Edward RSA Problem and Inside PK Cryptography.

Abdullah Sheneamer CS591-F2010 Project of semester Presentation University of Colorado, Colorado Springs Dr. Edward RSA Problem and Inside PK Cryptography.
Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.

Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.
Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.

Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.
Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.

Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.
CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
An Expandable Montgomery Modular Multiplication Processor Adnan Abdul-Aziz GutubAlaaeldin A. M. Amin Computer Engineering Department King Fahd University.

An Expandable Montgomery Modular Multiplication Processor Adnan Abdul-Aziz GutubAlaaeldin A. M. Amin Computer Engineering Department King Fahd University.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
1 Hidden Exponent RSA and Efficient Key Distribution author: He Ge Cryptology ePrint Archive 2005/325 PDFPDF 報告人:陳昱升.

1 Hidden Exponent RSA and Efficient Key Distribution author: He Ge Cryptology ePrint Archive 2005/325 PDFPDF 報告人:陳昱升.
Radu Muresan CODES+ISSS'04, September 8-10, 2004, Stockholm, Sweden1 Current Flattening in Software and Hardware for Security Applications Authors: R.

Radu Muresan CODES+ISSS'04, September 8-10, 2004, Stockholm, Sweden1 Current Flattening in Software and Hardware for Security Applications Authors: R.
15-349 Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.

Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.

Similar presentations

Ads by Google