lihui wang,qing li,zhimin zhang,weijun shan,davidwei zhang

DOI: https://doi.org/10.2991/iset-15.2015.33

2015-01-01

Abstract:Elliptic curve cryptosystems (ECCs) are becoming more popular because of the reduced number of key bits required in comparison to other cryptosystems such as RSA. They are especially suited to smartcards because of the limited memory and computational power available on these devices. However, the side-channel attacks especially simple side-channel analysis (SPA) can obtain information about the cryptosystem by measuring power consumption and processing time. To resist this attack there appear a number of countermeasures and the most widely used methods are Montgomery ladder and double-and-add-always algorithm. This paper proposes a novel simple power analysis attack to these countermeasures. Experimental results on smart cards demonstrate that this attack method can retrieve secret keys by distinguishing the conditional subtraction of Montgomery modular multiplication (MMM). Several countermeasures that can resist this kind of SPA attack are also demonstrated in this paper.

Lihui Wang,Qing Li,Zhimin Zhang,Weijun Shan,David Wei Zhang

DOI: https://doi.org/10.2991/iset-15.2015.29

2015-01-01

Abstract:Elliptic Curve Cryptography (ECC) is becoming widely deployed in embedded cryptographic devices. However, simple power analysis (SPA) attacks may retrieve secret keys by exploiting the power consumption of ECC devices. To resist the SPA attack there appear a number of countermeasures and the most widely used methods are Montgomery ladder and double-and-add-always algorithm. This paper proposes a refined simple power analysis attack to these countermeasures. Experimental results on smart cards demonstrate that this attack method can retrieve secret keys by distinguishing the power consumption of different jump instructions if the implementation of ECC's countermeasure is not carefully designed. The experiments also demonstrate that the proposed countermeasure in this paper can resist this kind of SPA attack

Yanzhao Yin,Liji Wu,Qian Peng,Xiangmin Zhang

DOI: https://doi.org/10.1109/icasid.2018.8693138

2018-01-01

Abstract:Although SPA (Simple Power Analysis) has been studied for many years, it is still effective on many cryptographic algorithms based on ECC. Double-and-Add and Montgomery ladder can avoid attacks with point double and point add operations, but in software implementation of ECC algorithm, modular addition and subtraction will be the weakness that the hostile attackers may use. In this paper, a black box SPA is performed on a smart card with SM2 algorithm, a Chinese standard of ECC cryptographic algorithm. The card was proved to implement the SM2 algorithm by Jacobi form and non-adjacent form, and its private key can be extracted by SPA within less than 10 power traces, with conditional operations in the modular subtraction. Then we discussed the probability that the ECC cryptography implemented by other forms be attacked with modular subtraction or addition, and illustrate how the problem can be solved by hardware implementation.

谢满德,沈海斌,竺红卫

DOI: https://doi.org/10.3969/j.issn.1004-3365.2004.06.003

2004-01-01

Abstract:The fundamental principle of differential power analysis (DPA) attacks against universal cryptosystems and a particular theory of DPA attacks against data encryption standard (DES) algorithm are described in detail. An improved algorithm is proposed for DPA. Based on the analysis of noise characteristics of the power signals, an approach to modeling the signal-to-noise ratio (SNR) is proposed and corresponding theory is demonstrated. Finally, experimental results of the algorithm are presented.

Souhir Gabsi,Yassin Kortli,Vincent Beroulle,Yann Kieffer,Belgacem Hamdi

DOI: https://doi.org/10.1007/s11042-024-18368-9

IF: 2.577

2024-02-18

Multimedia Tools and Applications

Abstract:Elliptical curves are dedicated for several security applications including Radio Frequency Identification (RFID) devices, smart cards, bankcards, etc. To guarantee effective security of such applications, these cryptographic systems require effective resistance to various types of physical attack. Differential Power-Analysis (DPA) attacks were considered the most efficient attacks against scalar multiplication calculation algorithms. In this paper, we propose a countermeasure method against the DPA attacks, for a scalar multiplication algorithm that is basically secure against Simple Power Analysis (SPA) and safe-error attacks. Our proposal is intended for Elliptic Curves Cryptosystems (ECC) algorithms dedicated to low cost applications. We first introduce the different types of side-channel attacks that ECC-based cryptographic algorithms can suffer, as well as their countermeasure methods existing in the literature. We then present an optimized hardware implementation of the most effective scalar multiplication algorithm against SPA and safe-error attacks. Finally, we present our proposed DPA countermeasure method and its effectiveness against other extensions of DPA attacks. Our proposed method is similar to the Basic Random Initial Point (BRIP) method except that the latter is only applicable for the left-to-right algorithm. The proposed method is based on the randomization of processed data during the computation of the scalar multiplication algorithm and prevents vulnerability to Zero-value Point Attack (ZPA), Refined Power analysis (RPA) attack and double attack. In the last part of our paper, we present comparative analysis in terms of computational cost between our proposed method and other countermeasure algorithms presented in the literature, such as Montgomery-ladder, the BRIP algorithm, the left-to-right algorithm and the Co-Z Mont-Ladder algorithm.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Fan Zhang,Zhijie Jerry Shi

DOI: https://doi.org/10.1109/ITNG.2008.183

2008-01-01

Abstract:Elliptic curve cryptography (ECC) has been adopted in many systems because it requires shorter keys than traditional public-key algorithms in primary fields. However, power analysis attacks can exploit the power consumption of ECC devices to retrieve secret keys. In this paper, we propose an efficient window-based countermeasure that is secure against existing power analysis attacks. Compared to previous counter- measures, our method has low memory overhead, requiring only a table of w+1 entries when the window size is w bits. It also has better performance than many algorithms that perform one point addition or subtraction for every bit in the scalar.

Zhijie Jerry Shi,Fan Zhang

2006-01-01

Abstract:Elliptic curve cryptography (ECC) has attracted a lot of attention because it can provide similar levels of security with much shorter keys than the arithmetic of multiple-precision integers in finite fields, which has been widely used in many public-key and key-exchange algorithms. Small key sizes are especially important to resource constrained devices as shorter keys require less storage space and consume less power to transmit and compute. However, ECC algorithms are vulnerable to power analysis attacks, which exploit the instantaneous power consumptions of computing devices to retrieve secret data. Many countermeasures have been proposed to make ECC implementations secure against power analysis. One of the approaches is randomized algorithms that generate different power traces even if the input of the algorithm is the same. For example, the randomized scalar point multiplication algorithm proposed by Oswald et al. combines two algorithms and uses random variables to decide which algorithm to follow at different stages of the execution. The randomized algorithm can thwart traditional power analysis attacks. However, in this paper, we propose an effective attack on the randomized algorithms. Our attack does not require a large number of power traces and has a very high success rate.

Dongmei Xue,Xiaole Cui,Chung-Len Lee,Lifei Liu,Shijie Zhang

DOI: https://doi.org/10.1109/icsict.2014.7021566

2014-01-01

Abstract:Elliptic Curve Cryptography is a popular algorithm since it can achieve good security level with a small key size. However, the ECC hardware is suffering from some side channel attacks, such as Differential power-analysis (DPA), which can retrieve secret keys by analyzing power consumption of the attacked devices. In this paper, a countermeasure to secure the modular multiplication, an important operation of Elliptic Curve Cryptography, with randomization method is studied. The experiment results show that unprotected device reveal the secret key within 1000 power traces, while the protected one can defend DPA attack with 105 power traces, with only 8% additional area cost.

Fan Zhang,Zhijie Jerry Shi

DOI: https://doi.org/10.1109/itng.2007.152

2007-01-01

Abstract:Power analysis can exploit the instantaneous power consumptions of elliptic curve cryptography (ECC) devices and retrieve secret keys. Many countermeasures have been proposed to make ECC implementations secure. One of the approaches is the randomized algorithms proposed by Oswald et al., which combine two scalar point multiplication algorithms and use random variables to decide which algorithm to follow at different stages of the computation. In this paper, we describe a power analysis attack that can break randomized automata proposed by Oswald et al. effectively, even with a small number of power traces

Duo Liu,Zhiyong Tan,Yiqi Dai

DOI: https://doi.org/10.1007/978-3-642-01440-6_20

2008-01-01

Abstract:The Simple Power Analysis (SPA) attack against an elliptic curve cryptosystem distinguishes between point doubling and point addition in a single execution of scalar multiplication. Although many SPA-resistant scalar multiplication algorithms have been proposed, few countermeasures for multi-scalar multiplications are known. In this paper, we propose a new SPA-resistant multi-scalar multiplication for a pair of integers combing the Joint Sparse Form (JSF) representation technique for pair of integers, point randomization, and uniform operation sequence. The new method requires about 8.5% less multiplications in the field compared to the known countermeasures.

Liu Lifei,Cui Xiaole,Ran Yalin,Cui Xiaoxin

DOI: https://doi.org/10.1109/ASICON.2015.7517206

2015-01-01

Abstract:Elliptic Curve Cryptosystem (ECC) is one of the most advantageous cryptosystems because of the shortened number of key bits when compared with RSA at the same security level. However, just as the other cryptosystems, ECC hardware is vulnerable to the side-channel analysis attacks which have been proposed. Power Analysis Attack (PA), as one of the most popular side-channel analysis attacks, is implemented easily, so more and more works concentrate on it. This work proposes a countermeasure to resist against Power Analysis. Then we design a unified hardware architecture which is multi-purpose and implementation to verify the effectiveness of the proposed method. The experiment results of FPGA verification platform show that the protected hardware can defend DPA with up to 105 measured power traces.

Xiaowei Han,Beibei Wang,An Wang,Liji Wu,Woogeun Rhee

DOI: https://doi.org/10.1109/CIS.2014.116

2014-01-01

Abstract:SM2 is a public-key cryptography algorithm which is based on elliptic curves. Since the side channel leakage of devices can be used to deduce the information of secret keys, algorithms to implement SM2 need to be improved. In this paper, we propose an initialized masking scalar multiplication algorithm (IMSM), a modified atomic point doubling and point addition algorithm (MADA), and a transformed formula countermeasure (TFCS). Analysis shows they can resist Simple Power Analysis (SPA), Differential Power Analysis and Template Attacks. IMSM and MADA have been verified to resist SPA on FPGA board successfully. Compared to Binary Expansion with RIP algorithm, 28.6% calculations can be saved when the scalar is divided into four parts, which is rather fast.

ZHAO Yan-guang,BAI Guo-qiang,CHEN Hong-yi

DOI: https://doi.org/10.3969/j.issn.1000-7180.2006.12.023

2006-01-01

Abstract:This paper describes a differential power analysis(DPA)against an implementation of elliptic curve cryptosystem(ECC)on an ASIC chip.In the chip,the method used for scalar multiplication of ECC is Montgomery Ladder which is a basic algorithm used to resist DPA.We perform a detailed MESD differential power analysis attack the ECC chip,the result shows that Montgomery Ladder is vulnerable to MESD.So,K.Itoh is wrong and the ECC chip with Montgomery Ladder is not secure enough,some other countermeasures must be adopted to enhance the ECC chip.

Kai Liao,Xiaoxin Cui,Nan Liao,Tian Wang,Dunshan Yu,Xiaole Cui

DOI: https://doi.org/10.1109/tie.2016.2610402

IF: 7.7

2016-01-01

IEEE Transactions on Industrial Electronics

Abstract:Elliptic curve cryptography (ECC) is one of the most popular public key cryptosystems in recent years due to its higher security strength and lower resource consumption. However, the noninvasive side-channel attacks (SCAs) have been proved to be a big threat to ECC systems in many previous researches. In this paper, we propose a low-area-time-product ECC coprocessor for GF(2(m)) with the ability to resist most of the existing noninvasive SCAs. The basic countermeasures are relied on the underlying finite field arithmetics in randomized Montgomery domain, which can blind the intermediate value in the iterations of scalar multiplication to prevent the adversaries from cracking the private key by statistical methods. Meanwhile, we optimize the modular division and modular multiplication algorithms to fix the operating time to resist some certain timing attacks, and the Montgomery Ladder algorithm makes the coprocessor immune against simple SCAs. To efficiently implement our coprocessor, we present a hybrid operation sequence which merely needs one multiplication module and one division module to complete the entire operations. The synthesis results indicate that our design is superior to other related works in area-time product (ATP) and the extra overhead paid for the countermeasures is less than 5%.

Jean-Sébastien Coron

DOI: https://doi.org/10.1007/3-540-48059-5_25

1999-01-01

Abstract:Differential Power Analysis, first introduced by Kocher et al. in [14], is a powerful technique allowing to recover secret smart card information by monitoring power signals. In [14] a specific DPA attack against smart-cards running the DES algorithm was described. As few as 1000 encryptions were sufficient to recover the secret key. In this paper we generalize DPA attack to elliptic curve (EC) cryptosystems and describe a DPA on EC Diffie-Hellman key exchange and EC El-Gamal type encryption. Those attacks enable to recover the private key stored inside the smart-card. Moreover, we suggest countermeasures that thwart our attack.

Zhanzhan Chen,Liji Wu,Zhenhui Zhang,Dehang Xiao,Xiangmin Zhang,Yan Liu

DOI: https://doi.org/10.1109/asid56930.2022.9995777

2022-01-01

Abstract:SM2 algorithm is widely used in financial IC cards. It has the advantages of fast operation speed and short signature, but it may also contain security vulnerabilities. Attackers can crack the secret key via Simple Power Analysis (SPA), which is the inexpensive and extremely effective method, causing a great threat to the security of SM2 algorithm. In order to improve the safety of SM2 algorithm, this paper introduces atomic algorithm to implement point addition and point doubling operation, and proposes precomputed Non Adjacent Form (NAF) random window algorithm to achieve scalar multiplication. Based on experimental analysis with SAKURA-G FPGA board, the improved SM2 algorithm can resist successfully SPA. Compared with the original algorithm, the time of computation is reduced by 67.5%, and the number of slice registers has increased by less than 5%. The security and speed of SM2 algorithm has been significantly improved.

dan zhang,guoqiang bai

DOI: https://doi.org/10.1109/edssc.2015.7285166

2015-01-01

Abstract:In this paper, we propose a high-performance implementation of elliptic curve cryptography over SCA-256 prime field by introducing an all-new isochronous architecture, which can also resist power-analysis attack. By modifying Montgomery ladder-based scalar multiplication, point addition (PA) and point double (PD) can operate synchronously, resisting simple power analysis (SPA) and double attack with minimum time-cost. Then PA and PD are designed to be strictly isochronous units by matching our configurable modular multiplication unit of pipelined stage. Both algorithm and hardware schedule are optimized from bottom to up, random cycles are also inserted to resist differential power analysis (DPA). In the hardware evaluation using CMOS standard cell library of 0.13 mu m, our ECC processor achieves 211 mu s and 8.5 mu J for one scalar multiplication with 208k gate counts. Compared to other related designs, our architecture offers not only 2 similar to 6 times better area-time product but also great power analysis resistance.

DENG Qiu-cheng,BAI Xue-fei,GUO Li,WANG Yao

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2011.02.034

2011-01-01

Abstract:In this paper,we described a differential power analysis attack on the Montgomery Ladder algorithm based on the finite field GF(2m).We first implemented the algorithm with Verilog HDL,and then synthesized it to the netlist using the Charted 0.35μm CMOS technology,thus we can get the power information accurately.We performed a ZEMD differential power analysis attack on this algorithm subsequently,and use the abscissa of P2,a variable of the Montgomery Ladder algorithm,as the intermediate variable to classify the power curves,the result shows that the Montgomery Ladder algorithm couldn′t resist the ZEMD differential power analysis attack.So the algorithm is not secure enough,we need to take some more protective measures in practice.

Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Hao Luo

DOI: https://doi.org/10.1587/transfun.e96.a.332

2012-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:This paper proposes several improved Side-channel cube attacks (SCCAs) on PRESENT-80/128 under single bit leakage model. Assuming the leakage is in the output of round 3 as in previous work, we discover new results of SCCA on PRESENT. Then an enhanced SCCA is proposed to extract key related non-linear equations. 64-bit key for both PRESENT-80 and 128 can be obtained. To mount more effective attack, we utilize the leakage in round 4 and enhance SCCA in two ways. A partitioning scheme is proposed to handle huge polynomials, and an iterative scheme is proposed to extract more key bits. With these enhanced techniques, the master key search space can be reduced to 28 for PRESENT-80 and to 229 for PRESENT-128.

Congming Wei,Jiazhe Chen,An Wang,Beibei Wang,Hongsong Shi,Xiaoyun Wang

DOI: https://doi.org/10.1049/iet-ifs.2018.5228

2020-01-01

IET Information Security

Abstract:This study revisits the side-channel security of the elliptic curve cryptography (ECC) scalar multiplication implemented with Montgomery ladder. Focusing on a specific implementation that does not use they-coordinate for point addition (ECADD) and point doubling (ECDBL), the authors show that Montgomery ladder on Weierstrass curves is vulnerable to a chosen base-point attack. Unlike the normal implementation withy-coordinate, in the scenario of this study, the chosen base-point strategy will not lead to operations with two same inputs during the ECADD and/or ECDBL. Instead, by choosing a suitable base-point, one will find that there are operations that share a common operand; while it is not the case if the base-point is not chosen correctly. This results in the recovery of the secret (fixed) scalar. They also experiment the methods of shared operand detection on a real-world SoC, where asecp256k1dedicated Montgomery ladder scalar multiplication withx-only coordinate is implemented, to show the efficiency of the scalar recovery attack. Naturally, the attack can be generalised to other Weierstrass curves when they contain special points.