Monotone Comparative Statics
Econometrica, 1994
Cited by 6 (0 self)
Abstract. In the execution on a smart card, side channel attacks such as simple power analysis (SPA) and differential power analysis (DPA) have become a serious threat [15]. Side channel attacks monitor power consumption and even exploit the leakage information related to power consumption to reveal bits of a secret key d although d is hidden inside a smart card. Almost all public key cryptosystems, including RSA, DLP-based cryptosystems, and elliptic curve cryptosystems, execute an exponentiation algorithm with a secret-key exponent, and they thus suffer from both SPA and DPA. Recently, in the case of elliptic curve cryptosystems, DPA has been improved to the Refined Power Analysis (RPA), which exploits a special point with a zero value and reveals a secret key [10]. RPA is further generalized to the Zero-value Point Attack (ZPA) [2]. Both RPA and ZPA utilize a special feature of elliptic curves that happen to have a special point or a register used in addition and doubling formulae with a zero value, and the fact that the power consumption of 0 is distinguishable from that of a nonzero element. To make matters worse, some previous efficient countermeasures are resistant against neither RPA nor ZPA. Although a countermeasure to RPA has been proposed, it is not a universal countermeasure, gives a different method for each type of elliptic curve, and is still vulnerable against ZPA [30]. The possible countermeasures are ES [3] and the improved version [4]. This paper focuses on countermeasures against RPA, ZPA, DPA and SPA. We show a novel countermeasure resistant against RPA, ZPA, SPA and DPA without any precomputed table. We also generalize the countermeasure to present a more efficient algorithm with a precomputed table.
An updated survey on secure ECC implementations: Attacks, countermeasures and cost
2012
Cited by 5 (0 self)
Unprotected implementations of cryptographic primitives are vulnerable to physical attacks. While the adversary only needs to succeed in one out of many attack methods, the designers have to consider all the known attacks, whenever applicable to their system, simultaneously. Thus, keeping an organized, complete and up-to-date table of physical attacks and countermeasures is of paramount importance to system designers. This paper summarises known physical attacks and countermeasures on Elliptic Curve Cryptosystems. For implementers of elliptic curve cryptography, this paper can be used as a road map for countermeasure selection in the early design stages.
A comb method to render ECC resistant against Side Channel Attacks
2004
Cited by 5 (0 self)
Side Channel Attacks may exploit leakage information to break cryptosystems on smart card devices. In this paper we present a new SCA-resistant elliptic curve scalar multiplication algorithm, based on the Lim and Lee technique. The proposed algorithm builds a sequence of bitstrings representing the scalar k, characterized by the fact that all bitstrings are different from zero; this property will ensure a uniform computation behaviour for the algorithm, and thus will make it secure against SPA (Simple Power Analysis) attacks. The use of a recently introduced randomization technique achieves the security of the proposed scheme against other SCA attacks. Furthermore, the proposed countermeasures do not penalize the computation time.
On the optimal parameter choice for elliptic curve cryptosystems using isogeny
Public Key Cryptography – PKC 2004, Lecture Notes in Computer Science
Cited by 5 (0 self)
Abstract. The isogeny for elliptic curve cryptosystems was initially used for the efficient improvement of order counting methods. Recently, Smart proposed a countermeasure using isogeny for resisting the refined differential power analysis by Goubin (Goubin’s attack). In this paper, we examine the countermeasure using isogeny against the zero-value point (ZVP) attack, which is a generalization of Goubin’s attack. We show that some curves require a higher order of isogeny to prevent the ZVP attack. Moreover, we prove that this countermeasure cannot transfer a class of curves to an efficient curve that is secure against the ZVP attack. This class satisfies that the curve order is odd and (−3/p) = −1 for the base field p, and includes three SECG curves. In addition, we compare some efficient algorithms that are secure against both Goubin’s attack and the ZVP attack, and present the most efficient method of computing the scalar multiplication for each curve from SECG. Finally, we discuss another improvement for the efficient scalar multiplication, namely the usage of the point (0, y) as the base point of curve parameters. We are able to improve by about 11% for the double-and-add-always method, when the point (0, y) exists in the underlying curve or its isogeny.
A Frobenius Map Approach for An Efficient and Secure Multiplication on Koblitz Curves
2006
Cited by 3 (0 self)
The most efficient technique for protecting the Frobenius algorithms for scalar multiplication on Koblitz curves against Side Channel Attacks seems to be the multiplier randomization technique proposed by Joye and Tymen. In this paper, a heuristic analysis on the security of Joye and Tymen’s technique is given. A new method improving this technique is proposed. Analysis shows that the proposed method reduces the cost of Joye and Tymen’s technique by about 50%.
Feasibility and practicability of standardized cryptography on 4-bit micro controllers
In Selected Areas in Cryptography (SAC
Cited by 2 (1 self)
Title: Feasibility and practicability of standardized cryptography on 4-bit micro controllers
Making Register File Resistant to Power Analysis Attacks
Cited by 2 (2 self)
Abstract — Power analysis attacks are a type of side-channel attack that exploits the power consumption of computing devices to retrieve secret information. They are very effective in breaking many cryptographic algorithms, especially those running in low-end processors in embedded systems, sensor nodes, and smart cards. Although many countermeasures to power analysis attacks have been proposed, most of them are software based and designed for a specific algorithm. Many of them have also been found vulnerable to more advanced attacks. Looking for a low-cost, algorithm-independent solution that can be implemented in many processors and makes all cryptographic algorithms secure against power analysis attacks, we start with the register file, where the operands and results of most instructions are stored. In this paper, we propose RFRF, a register file that stores data with a redundant flipped copy. With the redundant copy and a new precharge phase in write operations, RFRF provides data-independent power consumption on read and write for cryptographic algorithms. Although RFRF has a large energy overhead, it is only enabled in the security mode. We validate our method with simulations. The results show that the power consumption of RFRF is independent of the values read out from or written to registers. Thus RFRF can help mitigate power analysis attacks.
Coordinate Blinding over Large Prime Fields
Cited by 1 (0 self)
Abstract. In this paper we propose a multiplicative blinding scheme for protecting implementations of a scalar multiplication over elliptic curves. Specifically, this blinding method applies to elliptic curves in the short Weierstraß form over large prime fields. The described countermeasure is shown to be a generalization of the use of random curve isomorphisms to prevent side-channel analysis, and the best configuration of this countermeasure is shown to be equivalent to the use of random curve isomorphisms. Furthermore, we describe how this countermeasure, and therefore random curve isomorphisms, can be efficiently implemented using Montgomery multiplication.