## Analysis of DPA Countermeasures Based on Randomizing the Binary Algorithm (2003)

Citations: 4 (2 self)

### BibTeX

    @TECHREPORT{Ebeid03analysisof,
        author = {Nevine Ebeid and M. Anwar Hasan},
        title = {Analysis of DPA Countermeasures Based on Randomizing the Binary Algorithm},
        institution = {},
        year = {2003}
    }

### Abstract

One of the major threats to the security of cryptosystems nowadays is the information leaked through side channels. For instance, power analysis attacks have been successfully mounted on cryptosystems embedded into small devices such as smart cards.

### Citations

3846 | Introduction to Automata Theory, Languages and Computation
- Hopcroft, Ullman
- 1979
Citation Context ...ctor # = (# 1 . . . #w ) for a chain with w states is the unique solution of #P = # w X j=1 # j = 1 (15) B Grammars, Automata and Generating Functions Grammars A grammar G is a quadruple (T, N, S, P) [10, 12], where . T is a terminal alphabet (usually small letters), . N is a nonterminal alphabet (usually capital letters), . S # N is a start symbol, . P is a set of productions (rewrite rules) of the form ... |

702 | Elliptic curve cryptosystems
- Koblitz
- 1987
Citation Context ...age computational complexity. This enables us to present a comparison of these two countermeasures. 1 Introduction There appears to be an increasing trend towards adapting elliptic curve cryptography [23, 17] for different security purposes. Elliptic curve cryptosystems (ECCs) seem to be more suitable for implementation on devices with limited memory and computational capability such as smart cards and als... |

685 | Differential power analysis
- Kocher, Jaffe, et al.
- 1999
Citation Context ... the security of the keys stored in them. It is becoming inevitable to check the resistance of these devices against side-channel attacks. Side channels include execution time [18], power consumption [19,21,22], electromagnetic emanations [28] and computational faults [2]. Here we will discuss briefly power analysis attacks and a class of their countermeasures. There are two main types of power analysis att... |

534 | Uses of elliptic curves in cryptography
- Miller
- 1986
Citation Context ...age computational complexity. This enables us to present a comparison of these two countermeasures. 1 Introduction There appears to be an increasing trend towards adapting elliptic curve cryptography [23, 17] for different security purposes. Elliptic curve cryptosystems (ECCs) seem to be more suitable for implementation on devices with limited memory and computational capability such as smart cards and als... |

271 | An Introduction to the Analysis of Algorithms
- Sedgewick, Flajolet
- 1996
Citation Context ...t is [z n ]2a p (z). Alternatively, let a(z) = #A #u u=1 then the expected cost is 1 2 n-1 [z n ]a(z) = [z n ]2a(z/2) where the last equality follows from the scaling property of generating functions [31] A(#z) = X n # n a n z n For a deeper study of the use of generating functions in the average-case analysis of algorithms, we refer the reader to Sedgewick and Flajolet's book [31] and also to the ser... |

96 | Speeding up the computations on an elliptic curve using addition-subtraction chains
- Morain, Olivos
- 1990
Citation Context ...e report is organized as follows. In section 2, we briefly present the binary algorithms for EC scalar multiplication. Section 3 is an overview of the speedup algorithms proposed by Morain and Olivos [24]. Section 4 discusses the DPA countermeasure proposed by Oswald and Aigner [27] and its complexity analysis. In section 5, we present Reitwiesner's canonical recoding approach and its application to E... |

95 | A Signed Binary Multiplication Technique
- Booth
- 1951
Citation Context ... generates L has the terminal alphabet T = {0, 1}, the nonterminal alphabet N = {T 0 , T 1 , T 11 } corresponding to the states 0, 1 and 11 of 4 This is the transformation initially proposed by Booth [3] 7 the automaton respectively. The start symbol S = A (not shown in the graph since it is a dummy state that leads directly to T 0 without scanning any input symbol). The productions P are A # T 0 T 0... |

87 | An improved algorithm for arithmetic on a family of elliptic curves
- Solinas
- 1997
Citation Context ...n Figure 5 since the arcs emerging from the two states T 1 and T 110 are the same. For the sake of completeness, we consider it essential to include the NAF recoding algorithm presented by Solinas in [32,33]. To derive the binary expansion of an integer, we divide it by 2, store the remainder (0 or 1), and repeat the process with the quotient. To derive the NAF of an integer, using the method proposed by... |

79 | Binary arithmetic
- Reitwiesner
- 1960
Citation Context ...e us able to easily differentiate them from the binary symbols referred to as bits. The number of trits in this representation can exceed at most by one the number of bits in the binary representation [29]. Remark 2.2 The nonadjacent form (NAF) [7] of k is a BSD representation where k i k i+1 = 0 for 0 # i # n - 1. It is characterized by having a minimal Hamming weight, i.e., fewest nonzero coefficients,... |

61 | On the importance of eliminating errors in cryptographic computations
- Boneh, DeMillo, et al.
Citation Context ...o check the resistance of these devices against side-channel attacks. Side channels include execution time [18], power consumption [19,21,22], electromagnetic emanations [28] and computational faults [2]. Here we will discuss briefly power analysis attacks and a class of their countermeasures. There are two main types of power analysis attacks that were presented by Kocher et al. These are simple and... |

55 | Investigations of power analysis attacks on smartcards
- Messerges, Dabbish, et al.
- 1999
Citation Context ... the security of the keys stored in them. It is becoming inevitable to check the resistance of these devices against side-channel attacks. Side channels include execution time [18], power consumption [19,21,22], electromagnetic emanations [28] and computational faults [2]. Here we will discuss briefly power analysis attacks and a class of their countermeasures. There are two main types of power analysis att... |

49 | Weierstraß elliptic curves and side-channel attacks
- Brier, Joye, et al.
- 2002
Citation Context ...ions require exactly the same field operations and be executed by a unified code or hardware so that they can not be distinguished from the power trace as is the case for Hessian-form elliptic curves [13] and Jacobi-form elliptic curves [20]. In this report, we analyze the randomization algorithms presented by Oswald and Aigner in [27] and by Ha and Moon in [11]. We investigate their effectiveness, i.e... |

45 | Preventing SPA/DPA in ECC systems using the Jacobi form
- Liardet, Smart
- 2001
Citation Context ...perations and be executed by a unified code or hardware so that they can not be distinguished from the power trace as is the case for Hessian-form elliptic curves [13] and Jacobi-form elliptic curves [20]. In this report, we analyze the randomization algorithms presented by Oswald and Aigner in [27] and by Ha and Moon in [11]. We investigate their effectiveness, i.e., whether or not they can produce al... |

41 | Specifications for Public-Key Cryptography
- Standard
- 2000
Citation Context ...x, y), where x and y # K, together with a special point O called the point at infinity. Then the set of points on E can be equipped with an Abelian group structure by the following addition operation [1]. Elliptic Curve Addition The point O is the group identity, i.e., for any point P = (x, y) #= O on E, P #O = O#P = P , where # denotes the elliptic curve group operation (i.e., addition). For an EC o... |

37 | Power Analysis Attacks of Modular Exponentiation in Smartcards
- Messerges, Dabbish, et al.
- 1999
Citation Context ... the security of the keys stored in them. It is becoming inevitable to check the resistance of these devices against side-channel attacks. Side channels include execution time [18], power consumption [19,21,22], electromagnetic emanations [28] and computational faults [2]. Here we will discuss briefly power analysis attacks and a class of their countermeasures. There are two main types of power analysis att... |

34 | Optimal left-to-right binary signed-digit recoding
- Joye, Yen
- 2000
Citation Context ...signments in (12), we discover that Reitwiesner's approach computes k # by computing 3k = 2k+k, subtracts k using a new rule for subtraction, namely 0 - 1 = 1 and then discards the least significant 0 [5, 14]. In fact, if 3k = k 0 + P m i=0 s i 2 i+1 , then the conventional pencil-and-paper method to add nonnegative integers [16, p. 251] gives s i = (c i + k i + k i+1 ) mod 2 = c i + k i + k i+1 - 2#(c i ... |

30 | On addition chains
- Brauer
- 1939
Citation Context ...an compute the EC scalar multiplication kP (or the exponentiation x k ) with l point addition operations (multiplications). The topic of addition chains has been extensively studied (see for example [4, 9, 16, 26, 30]). Finding the best addition chain is impractical, but we can find near-optimal ones. Some good algorithms exist, among which the binary algorithm (see Section 2), and some of its variations (see [16]... |

29 | Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems
- Kocher
- 1996
Citation Context ... is not enough to ensure the security of the keys stored in them. It is becoming inevitable to check the resistance of these devices against side-channel attacks. Side channels include execution time [18], power consumption [19,21,22], electromagnetic emanations [28] and computational faults [2]. Here we will discuss briefly power analysis attacks and a class of their countermeasures. There are two ma... |

26 | Implementation of a new primality test
- Cohen, Lenstra
- 1987
Citation Context ...ical, but we can find near-optimal ones. Some good algorithms exist, among which the binary algorithm (see Section 2), and some of its variations (see [16] and the implementation of the 2 m method in [6]). Morain and Olivos, in [24], have studied briefly the so called addition-subtraction chains. These are defined as in (6) but with # 0s# l, # v, wssuch that k i = k v kw (7) They pointed out that add... |

26 | Randomized addition-subtraction chains as a countermeasure against power attacks, Cryptographic hardware and embedded systems—CHES 2001
- Oswald, Aigner
- 2001
Citation Context ...yptosystems embedded into small devices such as smart cards. In the recent past, several DPA countermeasures have been proposed. Among these, two countermeasures, one proposed by Oswald and Aigner in [27] and the other by Ha and Moon in [11], are based on inserting random decisions throughout the execution of algorithms that are used to compute the elliptic curve (EC) scalar multiplication using a red... |

22 | On arithmetic weight for a general radix representation of integers
- Clark, Liang
- 1973
Citation Context ...signments in (12), we discover that Reitwiesner's approach computes k # by computing 3k = 2k+k, subtracts k using a new rule for subtraction, namely 0 - 1 = 1 and then discards the least significant 0 [5, 14]. In fact, if 3k = k 0 + P m i=0 s i 2 i+1 , then the conventional pencil-and-paper method to add nonnegative integers [16, p. 251] gives s i = (c i + k i + k i+1 ) mod 2 = c i + k i + k i+1 - 2#(c i ... |

19 | Resistance against differential power analysis for elliptic curve cryptosystems
- Coron
- 1999
Citation Context ...es et al. show how the side channel information can be maximized. In [22], they described a number of power analysis attacks against smartcard implementations of modular exponentiation algorithms. In [7], Coron has drawn the attention that naive implementations of ECCs on smart cards are highly vulnerable to both SPA and DPA and proposed some countermeasures for both attacks. Specially to counteract ... |

19 | Randomized signed-scalar Multiplication of ECC to resist Power Attacks
- Ha, Moon
- 2002
Citation Context ...es such as smart cards. In the recent past, several DPA countermeasures have been proposed. Among these, two countermeasures, one proposed by Oswald and Aigner in [27] and the other by Ha and Moon in [11], are based on inserting random decisions throughout the execution of algorithms that are used to compute the elliptic curve (EC) scalar multiplication using a redundant binary signed digit (BSD) repr... |

16 | The Art of Computer Programming-Seminumerical Algorithms
- Knuth
- 1981
Citation Context ...lliptic curve operations on average. For a good survey on different approaches for speeding up elliptic curve scalar multiplication, one can refer to [7]. 3 Also known as the ternary balanced notation [16]. 5 3 Morain and Olivos' Addition-Subtraction Chains An addition chain for an integer k is a list of l + 1 positive integers where k 0 = 1, k l = k and # 0s# l, # v, wssuch that k i = k v + kw (6) Thu... |

15 | A lower bound for the length of addition chains
- Schonhage
- 1975
Citation Context ...an compute the EC scalar multiplication kP (or the exponentiation x k ) with l point addition operations (multiplications). The topic of addition chains has been extensively studied (see for example [4, 9, 16, 26, 30]). Finding the best addition chain is impractical, but we can find near-optimal ones. Some good algorithms exist, among which the binary algorithm (see Section 2), and some of its variations (see [16]... |

13 | Hidden Markov Model Cryptanalysis
- Karlof, Wagner
Citation Context ...ant information such as distinguished point doubling and adding operations, but more than one such measurement may be needed to infer the key value or reduce the key search space. 2 Karlof and Wagner [15] proposed a general cryptanalysis model for randomized algorithms that could totally recover a 192-bit key with as few as ten traces when it was applied to Oswald and Aigner's both countermeasures. Al... |

13 | On vectorial addition chains
- Olivos
- 1981
Citation Context ...an compute the EC scalar multiplication kP (or the exponentiation x k ) with l point addition operations (multiplications). The topic of addition chains has been extensively studied (see for example [4, 9, 16, 26, 30]). Finding the best addition chain is impractical, but we can find near-optimal ones. Some good algorithms exist, among which the binary algorithm (see Section 2), and some of its variations (see [16]... |

12 | Labelled formal languages and their uses
- Greene
- 1983
Citation Context ...es that a 1 (resp. 1) and then a 0 (from right to left) were prepended to k # . To analyze the cost of their automata, Morain and Olivos used an approach based on grammatical specification (see e.g., [10] and Appendix B). We present it here as they did in [24]. The language recognized by the automaton is L = {0, 1} # 1 to which belong all binary representations of integers having 1 as the most signifi... |

10 | On insecurity of the side channel attack countermeasure using addition-subtraction chains under distinguishability between addition and doubling - Okeya, Sakurai - 2002 |

9 | Exponentiation using canonical recoding
- Egecioglu, Koc
- 1994
Citation Context ...most the same as for the binary algorithm and that the number of additions is on the average 9% more. In the following, we present our analysis using Markov chains following the same procedures as in [11, 8]. Analysis Using Markov Chains We use Markov chains here to find the limiting probability of occurrence of point additions or subtractions in the proposed algorithm (please refer to Appendix A for the... |

7 | Remarks on number theory III. On addition chains
- Erdős
- 1960 |

7 | Improved algorithms for arithmetic on anomalous binary curves
- Solinas
- 1999
Citation Context ...n Figure 5 since the arcs emerging from the two states T 1 and T 110 are the same. For the sake of completeness, we consider it essential to include the NAF recoding algorithm presented by Solinas in [32,33]. To derive the binary expansion of an integer, we divide it by 2, store the remainder (0 or 1), and repeat the process with the quotient. To derive the NAF of an integer, using the method proposed by... |

2 | ElectroMagnetic Analysis (EMA): Measures and Countermeasures for Smart Cards - Quisquater, Samyde - 2001 |

2 | Security constraints on the Oswald-Aigner exponentiation algorithm
- Walter
- 2003
Citation Context ...hese two countermeasures alone can not defeat variants of the SPA attack 2 . In fact, the two versions of Oswald and Aigner's countermeasure were cryptanalyzed by Okeya and Sakurai [25] and by Walter [34] respectively. More recently, 1 We should note here that, in the context of exponentiation-based cryptosystems, using a representation of an integer with negative symbols may be more costly than the t... |