Top | Introduction | Members | Activities | Call for Paper | Link | Japanese


    "Reserch for Countermeasure of Side Channel Analysis
    on Elliptic Curve Cryptography"


    The public key cryptosystem is different encryption key whish is public
from decryption key which is secret. It is used for not only encryption
but also the e-signature. By the improvement of decipher, RSA
cryptosystem and Elgamal cryptosystem that is a past public key
cryptosystem. Safety is threatened. An elliptic curve cryptosystem (ECC)
and a hyper-elliptic curve cryptosystem (HECC) are actively researched
for that as next generation's cryptosystems. 

The elliptic curve cryptosystem is based on the points on an elliptic
curve becoming a group, and elliptic discrete logarithm problem. It was
proposed by Koblitz and Miller. Encryption and decryption Key size of
ECC is short and compactly compared with RSA etc.
Therefore, it is used from this feature with the smart 
card with a small memory.The operation that becomes the center of the elliptic curve 
cryptosystem is an operation of scalar multiplication $dP$ to point $P$ on an elliptic curve and 
secret key $d$ regardless of decoding or the signature generation of the ciphertext. 

It is a side channel attack that becomes a threat because of implementation 
the smart card of ECC. The side channel 
attack is an attack to obtain the secret key by using side channel 
information on power consumption and the execution time etc. 
Generally, when conputing the scalar multiplication $dP$, the binary method is executed. 
In the operation, because $x$ is expressed by the bit string, The power
consumption is differnt between bit is 1 and 0. Thus the secret key
leaks by the power consumption. Therefore, countermeasures of the side
channel attack have been researched. 

The side channel attacks are classified simple  power analysis attack
(SPA) and different power analysis analysis (DPA). 
SPA is an attack of the pattern of waves of the power consumption under
the operation to obtain the secret key by one observation. 
It is necessary to lose the dependence of the confidential information and power consumption 
to prevent SPA. Existing countermeasures method inserts the dummy operation while operating it, and 
includes the method of making the pattern of waves constant. 
It is DPA that the attacker simulate the test key and taking the
difference of power consumption with a true secret key. In DPA, it is
classified into Data-bit DPA(DDPA) and Address-bit DPA(ADPA). 

There are DDPA countermeasures that includes the method of using the
randomization scalar and a random point, and ADPA measures have the
method of making the randomization scalar and concealing the relation
between the scalar and the address. However, both computational
complexities and the memories tend to increase by existing measures
method to SPA, DDPA, and ADPA. Moreover, there is a problem that each
measures method is safe only in a each attack method. In this research,
I proposed effective algorithms of scalar multiplicationthis which are
countermeasure on SPA, DDPA, ADPA. 

The window method is used as a scalar multiplication algorithm in this
research. The window method prepare preliminary operation table. Using
the table, it is used can high-speed computation. In the proposal
method, it proposes DDPA 
countermeasures and ADPA countermeasures in the window method. In DDPA
countermeasures, the method of the randomization scalar is used. 

For window method when applied SPA countemeasure , Table size increase
becaouse using fix window.
And by DDPA countermeasure, computational complexity by table making
increases by using random point and data.
In proposed scheme, I apply Side channel atomicity to an SPA
countermeasure and, by DDPA countermeasure, use a method to do randomisation
of a scalar.
the randomizing of the scalar is done by deciding whether to execute the conversion of 
the expression of each operated window at random by using becoming
$(100\bar{8}) _ 2=0(\bar{8}=-8)$.
By this proposec scheme, randomisation of scalar expression is
possible. 
Furthermore, I give presence of conversion with a random number in the
case of 0bit so that increase the number of the randomisation. 
Usually, Last bit of bit string in window execute only doubling in the
case of 0 bit
by window method, but  execute presence of the insertion of the
addition that does not influence a scalar value in 0bit either by a
random number by proposed method.   By choice of processing by 0bit
time, the number of the randomisation increases more.   I really
sacrificed computational complexity, but the number of the randomisation
increased than randomisation technique of existing scalar expression.
ADPA measures use the method of concealing the relation between the scalar and the 
address. Because the relation between data and the address of the table is rotated at random, the 
relation is concealed. Both countereasures are given without the
computational complexity increasing and addition one memory. And I
proposed the window method algorithm that considered SPA measures in
addition to these measures.


    [ back ]