Fixed-Hamming-Weight Representation for Indistinguishable Addition Formulae

In the execution of signature on a smart card, side channel attacks such as simple power analysis (SPA) have become serious threat. There are the fixed procedure method and the indistinguishable method for SPA resistant methods. The indistinguishable method conceals all branch instructions by using indistinguishable addition formulae but may reveal the hamming-weight when an addition chain with the un-fixed-hamming-weight is used. In the case of hyper-elliptic curve, the indistinguishable method has not been proposed yet. In this paper, we give an indistinguishable addition formulae of hyper-elliptic curve. We also give algorithms which output the fixed-hamming-weight representation for indistinguishable addition formulae and works with or without computation table, which can dissolve the above mentioned problem on the indistinguishable method and are also applied to an elliptic curve scalar multiplication

Efficient Countermeasures against RPA, DPA, and SPA

In the execution on a smart card, side channel attacks such as simple power analysis (SPA) and the differential power analysis (DPA) have become serious threat [15]. Side channel attacks monitor power consumption and even exploit the leakage information related to power consumption to reveal bits of a secret key d although d is hidden inside a smart card. Almost public key cryptosystems including RSA, DLP-based cryptosystems, and elliptic curve cryptosystems execute an exponentiation algorithm with a secret-key exponent, and they thus suffer from both SPA and DPA. Recently, in the case of elliptic curve cryptosystems, DPA is improved to the Refined Power Analysis (RPA), which exploits a special point with a zero value and reveals a secret key [10]. RPA is further generalized to Zero-value Point Attack (ZPA) [2]. Both RPA and ZPA utilizes a special feature of elliptic curves that happens to have a special point or a register used in addition and doubling formulae with a zero value and that the power consumption of 0 is distinguishable from that of an non-zero element. To make the matters worse, some previous efficient countermeasures are neither resistant against RPA nor ZPA. Although a countermeasure to RPA is proposed, this is not universal countermeasure, gives each different method to each type of elliptic curves, and is still vulnerable against ZPA [30]. The possible countermeasures are ES [3] and the improved version [4]. This paper focuses on countermeasures against RPA, ZPA, DPA and SPA. We show a novel countermeasure resistant against RPA, ZPA, SPA and DPA without any pre-computed table. We also generalize the countermeasure to present more efficient algorithm with a pre-computed table.Cryptographic hardware and embedded systems - CHES 2004 : 6th International Workshop, Cambridge, MA, USA, August 11-13, 2004 : proceedings / Marc Joye, Jean-Jacques Quisquater (eds.)

Secure Elliptic Curve Exponentiation against RPA, ZRA, DPA, and SPA

In the execution on a smart card, side channel attacks such as the simple power analysis (SPA) and the differential power analysis (DPA) have become serious threat. Side channel attacks monitor the side channel information such as power consumption and even exploit the leakage information related to power consumption to reveal bits of a secret key d although d is hidden inside a smart card. Almost public key cryptosystems including RSA, DLP-based cryptosystems, and elliptic curve cryptosystems execute an exponentiation algorithm with a secret-key exponent, and they thus suffer from both SPA and DPA. In the case of elliptic curve cryptosystems, DPA is improved to the refined power analysis (RPA), which exploits a special point with a zero value and reveals a secret key. RPA is further generalized to zero-value register attack (ZRA). Both RPA and ZRA utilize a special feature of elliptic curves that happens to have a special point or a register used in addition and doubling formulae with a zero value and that the power consumption of 0 is distinguishable from that of a non-zero element. To make the matters worse, some previous efficient countermeasures to DPA are neither resistant to RPA nor ZRA. This paper focuses on elegant countermeasures of elliptic curve exponentiations against RPA, ZRA, DPA and SPA. Our novel countermeasure is easily generalized to be more efficient algorithm with a pre-computed table