On Randomized Addition-Subtraction Chains to Counteract Differential Power Attacks
- 694 Downloads
Since the work of Coron ([Co99]) we are aware of Differential Power Analysis (DPA) as a tool used by attackers of elliptic curve cryptosystems. In 2003 Ebeid and Hasan proposed a new defense in the spirit of earlier work by Oswald/Aigner and Ha/Moon. Their algorithm produces a random representation of the key in binary signed digits. This representation translates into an addition-subtraction chain for the computation of multiplication by the key (on the elliptic curve). The security rests on the fact, that addition and subtraction are indistinguishable from a power analysis viewpoint. We introduce an attack on this new defense under the assumption that SPA is possible: The attacker has a method to detect the presence of an addition or subtraction at a particular bit position of the addition-subtraction chain, while he needs not to be able to discriminate between these. We make the embedded system execute a number N (may be as few as 100) of instances of the cryptoalgorithm with the secret key. For each bit of the key we record a statistic on the occurence of a nonzero digit at this position in the (internal) binary signed digits representation of the key. If the number N of executions is large enough, the statistic can be used to estimate the respective probability (for a nonzero digit of the random binray signed digits representation of the key at this particular position). These probabilities in turn allow to deduce the secret key.
We then propose a second algorithm along the lines given by Ebeid and Hasan, which however, processes the bits in the other direction. One of us suggested that probabilistic switching between the two algorithms might provide better security. A closer analysis showed that exploiting the correlations between the power traces makes it possible to isolate a sufficient majority of executions of a particular one of the algorithms and to mount the attack.
Keywordsside channel attacks DPA binary signed digits
Unable to display preview. Download preview PDF.
- [Dh98]Dhem, J.F., Koeune, F., Leroux, P.-A., Mestre, P., Quisquater, J.J., Willems, J.L.: A practical implementation of the Timing Attack. In: Schneier, B., Quisquater, J.-J. (eds.) CARDIS 1998. LNCS, vol. 1820, pp. 175–190. Springer, Heidelberg (2000)Google Scholar
- [Eb03]Ebeid, N., Hasan, M.A.: Analysis of DPA Countermeasures Based on Randomizing the Binary Algorithm. Technical Report CORR 2003-14, Centre for Applied Cryptography Research, University of Waterloo, CanadaGoogle Scholar
- [Ko96]Kocher, P.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
- [Ko99]Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
- [Mi86]Miller, V.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)Google Scholar
- [Ok00]Okeya, K., Sakurai, K.: Power analysis breaks elliptic curve cryptosystems even secure against timing attacks. In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 178–190. Springer, Heidelberg (2000)Google Scholar