A DPA Attack on the Improved Ha-Moon Algorithm

The algorithm proposed by Ha and Moon [HM02] is a countermeasure against power analysis. The Ha-Moon algorithm has two drawbacks in that it requires an inversion and has a right-to-left approach. Recently, Yen, Chen, Moon and Ha improved the algorithm by removing these drawbacks [YCMH04]. Their new algorithm is inversion-free, has a left-to-right approach and employs a window method. They insisted that their algorithm leads to a more secure countermeasure in computing modular exponentiation against side-channel attacks. This algorithm, however, still has a similar weakness observed in [FMPV04,SPL04]. This paper shows that the improved Ha-Moon algorithm is vulnerable to differential power analysis even if we employ their method in selecting $s_i$

A New Exponentiation Algorithm Resistant to Combined Side Channel Attack

Abstract Since two different types of side channel attacks based on passive information leakage and active fault injection are independently considered as implementation threats on cryptographic modules, most countermeasures have been separately developed according to each attack type. But then, Amiel et al. proposed a combined side channel attack in which an attacker combines these two methods to recover the secret key in an RSA implementation. In this paper, we show that the BNP (Boscher, Naciri, and Prouff) algorithm for RSA, which is an SPA/FA-resistant exponentiation method, is also vulnerable to the combined attack. In addition, we propose a new exponentiation algorithm resistant to power analysis and fault attack as well as the combined attack. The proposed secure exponentiation algorithm can be employed to strengthen the security of CRT-RSA

Survey for Performance & Security Problems of Passive Side-channel Attacks Countermeasures in ECC

The main objective of the Internet of Things is to interconnect everything around us to obtain information which was unavailable to us before, thus enabling us to make better decisions. This interconnection of things involves security issues for any Internet of Things key technology. Here we focus on elliptic curve cryptography (ECC) for embedded devices, which offers a high degree of security, compared to other encryption mechanisms. However, ECC also has security issues, such as Side-Channel Attacks (SCA), which are a growing threat in the implementation of cryptographic devices. This paper analyze the state-of-the-art of several proposals of algorithmic countermeasures to prevent passive SCA on ECC defined over prime fields. This work evaluates the trade-offs between security and the performance of side-channel attack countermeasures for scalar multiplication algorithms without pre-computation, i.e. for variable base point. Although a number of results are required to study the state-of-the-art of side-channel attack in elliptic curve cryptosystems, the interest of this work is to present explicit solutions that may be used for the future implementation of security mechanisms suitable for embedded devices applied to Internet of Things. In addition security problems for the countermeasures are also analyzed

Key Randomization Countermeasures to Power Analysis Attacks on Elliptic Curve Cryptosystems

It is essential to secure the implementation of cryptosystems in embedded devices agains side-channel attacks. Namely, in order to resist differential (DPA) attacks, randomization techniques should be employed to decorrelate the data processed by the device from secret key parts resulting in the value of this data. Among the countermeasures that appeared in the literature were those that resulted in a random representation of the key known as the binary signed digit representation (BSD). We have discovered some interesting properties related to the number of possible BSD representations for an integer and we have proposed a different randomization algorithm. We have also carried our study to the $\tau$-adic representation of integers which is employed in elliptic curve cryptosystems (ECCs) using Koblitz curves. We have then dealt with another randomization countermeasure which is based on randomly splitting the key. We have investigated the secure employment of this countermeasure in the context of ECCs

Efficient scalar multiplication against side channel attacks using new number representation

Elliptic curve cryptography (ECC) is probably the most popular public key systems nowadays. The classic algorithm for computation of elliptic curve scalar multiplication is Doubling-and-Add. However, it has been shown vulnerable to simple power analysis, which is a type of side channel attacks (SCAs). Among different types of attacks, SCAs are becoming the most important and practical threat to elliptic curve computation. Although Montgomery power ladder (MPL) has shown to be a good choice for scalar multiplication against simple power analysis, it is still subject to some advanced SCAs such like differential power analysis. In this thesis, a new number representation is firstly proposed, then several scalar multiplication algorithms using this new number system are presented. It has also been shown that the proposed algorithms outperform or comparable to the best of existing similar algorithms in terms of against side channel attacks and computational efficiency. Finally we extend both the new number system and the corresponding scalar multiplication algorithms to high radix cases

Efficient and Secure ECDSA Algorithm and its Applications: A Survey

Public-key cryptography algorithms, especially elliptic curve cryptography (ECC)and elliptic curve digital signature algorithm (ECDSA) have been attracting attention frommany researchers in different institutions because these algorithms provide security andhigh performance when being used in many areas such as electronic-healthcare, electronicbanking,electronic-commerce, electronic-vehicular, and electronic-governance. These algorithmsheighten security against various attacks and the same time improve performanceto obtain efficiencies (time, memory, reduced computation complexity, and energy saving)in an environment of constrained source and large systems. This paper presents detailedand a comprehensive survey of an update of the ECDSA algorithm in terms of performance,security, and applications

Algorithmic Countermeasures Against Fault Attacks and Power Analysis for RSA-CRT

In this work, we analyze all existing RSA-CRT countermeasures against the Bellcore attack that use binary self-secure exponentiation algorithms. We test their security against a powerful adversary by simulating fault injections in a fault model that includes random, zeroing, and skipping faults at all possible fault locations. We find that most of the countermeasures are vulnerable and do not provide sufficient security against all attacks in this fault model. After investigating how additional measures can be included to counter all possible fault injections, we present three countermeasures which prevent both power analysis and many kinds of fault attacks

Differential Power Analysis Resistant Hardware Implementation Of The Rsa Cryptosystem

Tez (Yüksek Lisans) -- İstanbul Teknik Üniversitesi, Fen Bilimleri Enstitüsü, 2007Thesis (M.Sc.) -- İstanbul Technical University, Institute of Science and Technology, 2007Bu çalışmada, RSA kripto sistemi donanımsal olarak gerçeklenmiş ve daha sonra bir Yan-Kanal Analizi çeşidi olan Diferansiyel Güç Analizi (DGA) ile yapılacak saldırılara karşı dayanıklı hale getirilmiştir. RSA kripto sisteminde şifreleme ve şifre çözmede modüler üs alma işlemi yapılır: M^E(mod N). Bu çalışmadaki RSA kripto sisteminde, Xilinx Sahada Programlanabilir Kapı Dizisi (FPGA) donanım olarak kullanılmıştır. Modüler üs alma işlemi, art arda çarpmalar ile yapılır. Bu gerçeklemede kullanılan Montgomery modüler çarpıcı, Elde Saklamalı Toplayıcılar ile gerçeklenmiştir. Saldırgan, Güç Analizi yaparak kripto sistemin gizli anahtarını ele geçirebilir. Bu tezde ilk gerçekleştirilen RSA devresi DGA’ya karşı korumasızdır. XCV1000E üzerinde gerçeklendiğinde, 81,06 MHz maksimum saat frekansı, 104,85 Kb/s işlem hacmi ve 4,88 ms toplam üs alma süresine sahip olduğu ve 9037 dilimlik alan kapladığı görülmüştür. Itoh ve diğ. tarafından önerilen Rastgele Tablolu Pencere Yöntemi (RT-WM) algoritması ile RSA şifreleme algoritmasına getirilen değişiklik, algoritmik karşı durma yöntemlerinden biridir ve donanım üzerinde gerçeklenmemiştir. Yapılan ikinci gerçeklemede, ilk gerçeklemenin üzerine bu algoritmanın getirdiği değişiklikler uygulanmıştır. RT-WM’nin donanım gerçeklemesi, 512-bit anahtar uzunluğu, 2-bit pencere genişliği ve 3-bitlik bir rastgele sayı kullanarak, XCV1000E üzerinde yapıldığında, 66,66 MHz maksimum saat frekansı, 84,42 Kb/s işlem hacmi ve 6,06 ms toplam üs alma süresine sahip olduğu ve XCV1000E içinde hazır bulunan blok SelectRAM yapısının kullanılmasıyla birlikte 10986 dilimlik alan kapladığı görülmüştür. Korumalı gerçekleme, korumasız ile karşılaştırıldığında, toplam sürenin %24,2 arttığı, işlem hacminin de %19,5 azaldığı görülmektedir.In this study, RSA cryptosystem was implemented on hardware and afterwards it was modified to be resistant against Differential Power Analysis (DPA) attacks, which are a type of Side-Channel Analysis Attacks. The encryption and decryption in an RSA cryptosystem is modular exponentiation. In this study, Xilinx Field Programmable Gate Array (FPGA) devices have been used as hardware. Modular exponentiation is realized with sequential multiplications. The Montgomery modular multiplier in this implementation has been realized with Carry-Save Adders. By doing a Power Analysis, the attacker can extract the secret key of the cryptosystem. In this thesis, the primarily implemented RSA circuit is unprotected against DPA attacks. Implemented on XCV1000E, it has 81,06 MHz maximum clock frequency, 104,85 Kb/s of throughput, and 4,88 ms of total exponentiation time, occupying an area of 9037 slices. The modification to the RSA encryption algorithm that comes with the Randomized Table Window Method (RT-WM), proposed by Itoh et al., is one of the algorithmic countermeasures against DPA and has not been implemented on hardware. Realized using 512-bit key length, 2-bit window length, and, a 3-bit random number, on XCV1000E, the RT-WM hardware implementation resulted in 66,66 MHz maximum clock frequency, 84,42 Kb/s of throughput, and 6,06 ms of total exponentiation time and occupied an area of 10986 slices with the use of the built-in block SelectRAM structure inside XCV1000E. When comparing the protected implementation with the unprotected, it can be seen that the total time has increased by 24,2% while the throughput has decreased 19,5%.Yüksek LisansM.Sc

Fault attacks on RSA and elliptic curve cryptosystems

This thesis answered how a fault attack targeting software used to program EEPROM can threaten hardware devices, for instance IoT devices. The successful fault attacks proposed in this thesis will certainly warn designers of hardware devices of the security risks their devices may face on the programming leve