Improved Zero Value Attack on XTR

  • Régis Bevan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3574)


In 2000, Lenstra and Verheul presented the XTR Public Key System which used a subgroup of the multiplicative group GF(p 6) with a compact representation. In two other papers, Han et al. analyzed the security against power analysis of the XTR algorithms presented by Lenstra and Verheul in 2000. In particular they showed that the XTR Single Exponentiation (XTR-SE) is vulnerable to a modification of the Refined Power Analysis (MRPA) and they presented a countermeasure based on the XTR double exponentiation. In the first part of this paper, we show that this countermeasure is not efficient for some particular inputs. For these inputs, an attacker has a probability of 2/3 to retrieve the secret exponent with only one power measurement. In a second part, we show that all the inputs used by Han et al. for MRPA are not valid inputs for XTR. As one of these dangerous inputs can also be obtained by Fault Injection, we discuss about the different scenarios of attacks and about their respective countermeasures.


MRPA DFA Power Analysis XTR smart cards 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Akishita, T., Takagi, T.: Zero-value Point Attacks on Elliptic Curve Cryptosystem. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 218–233. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  2. 2.
    Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The Sorcerer’s Apprentice Guide to Fault Attacks. In: Breveglieri, L., Koren, I. (eds.) Workshop on Fault Diagnosis and Tolerance in Cryptography – FDTC 2004, pp. 330–342. IEEE Computer Society, Los Alamitos (2004)Google Scholar
  3. 3.
    Ciet, M., Giraud, C.: Transient Fault Induction Attacks on XTR. In: López et al. [14], pp. 440–451Google Scholar
  4. 4.
    Fouque, P.-A., Valette, F.: The Doubling Attack: Why Upwards is better than Downwards. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 269–280. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  5. 5.
    Golic, J., Tymen, C.: Multiplicative masking and power analysis of AES. In: Kaliski Jr. et al. [10], pp. 198–212Google Scholar
  6. 6.
    Goubin, L.: A Refined Power-Analysis Attack on Elliptic Curve Cryptosystem. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 199–210. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  7. 7.
    Han, D.-G., Izu, T., Lim, J., Sakurai, K.: Modified Power-Analysis Attacks on XTR and an Efficient Countermeasure. In: López et al. [14], pp. 305–317Google Scholar
  8. 8.
    Han, D.-G., Lim, J., Sakurai, K.: On Security of XTR public key cryptosystems against Side Channel Attacks. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 454–465. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  9. 9.
    Itoh, K., Izu, T., Takenak, M.: Address-bit Differential Power Analysis of Cryptographic Schemes OK-ECDH and OK-ECDSA. In: Kaliski Jr. et al. [10], pp. 129–143Google Scholar
  10. 10.
    Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.): CHES 2002. LNCS, vol. 2523. Springer, Heidelberg (2003)Google Scholar
  11. 11.
    Kocher, P., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  12. 12.
    Lenstra, A.K., Verheul, E.R.: The XTR public key system. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 1–19. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  13. 13.
    Lenstra, A.K., Verheul, E.R.: Fast irreductibility and subgroup membership testing in XTR. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 73–86. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  14. 14.
    López, J., Qing, S., Okamoto, E. (eds.): ICICS 2004. LNCS, vol. 3269. Springer, Heidelberg (2004)zbMATHGoogle Scholar
  15. 15.
    Novak, R.: SPA-Based Adaptive Chosen-Ciphertext Attack on RSA Implementation. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 252–262. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  16. 16.
    Page, D., Stam, M.: On XTR and Side-Channel Analysis. In: Matsui, M., Zuccherato, R. (eds.) SAC 2004. LNCS, vol. 3357, pp. 54–68. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  17. 17.
    Shparlinski, I.E.: On the Generalized Hidden Number Problem and Bit Security of XTR. In: Bozta, S., Sphparlinski, I. (eds.) AAECC 2001. LNCS, vol. 2227, pp. 268–277. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  18. 18.
    Stam, M., Lenstra, A.K.: Speeding up XTR. In: Boyd, E. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 125–143. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  19. 19.
    Verheul, E.R.: Evidence that XTR Is More Secure then Supersingular Elliptic Curve Cryptosystems. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 195–210. Springer, Heidelberg (2001)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Régis Bevan
    • 1
  1. 1.Oberthur Card Systems SAPuteauxFrance

Personalised recommendations