A DPA Countermeasure by Randomized Frobenius Decomposition
Tae-Jun Park, Mun-Kyu Lee*, Dowon Hong and Kyoil Chung
* Inha University
Dec 14, 2015
WISA 2005
Outline
I. Side channel analysis
II. Frobenius expansion
III. Random decomposition
IV. Conclusion
Power Analysis
Kocher et al., CRYPTO 99
A powerful technique for recovering secret information by monitoring the power consumption of a device
Two kinds of power analysis:
- SPA: simple power analysis
- DPA: differential power analysis
Power Analysis on Elliptic Curves
Coron, CHES 99
Naïve implementations of ECC are highly vulnerable to SPA and DPA
Various countermeasures have been proposed:
- Hasan suggested several countermeasures on Koblitz curves (IEEE Transactions on Computers, 2001)
- Ciet et al. proposed randomizing the GLV decomposition to prevent DPA on GLV curves (CHES 2002)
The Goal of This Talk
A new countermeasure against DPA on ECC
- Applicable to any curve on which the Frobenius method can be used
- A two-dimensional generalization of Coron's method
- 15.3% to 34.0% extra computation
Elliptic Curves
Let $q$ be a prime power.
- If $q$ is not of the form $2^m$ or $3^m$, $E$ is given by $y^2 = x^3 + ax + b$ over $\mathbb{F}_q$
- Otherwise ($q = 2^m$ or $q = 3^m$), $E$ is given by the corresponding characteristic-2 or characteristic-3 Weierstrass form
- To avoid the MOV attack, use only non-supersingular elliptic curves
Frobenius Endomorphism
The Frobenius endomorphism $\varphi$ of $E$
The minimal polynomial of the Frobenius endomorphism $\varphi$
Frobenius Expansion-(1)
The endomorphism ring of a non-supersingular elliptic curve is an order in an imaginary quadratic field
The ring $\mathbb{Z}[\varphi]$ is a subring of the endomorphism ring
Mueller proposed a Frobenius expansion method by iterating divisions
- fast scalar multiplication on elliptic curves over small fields of characteristic two
- division by the Frobenius endomorphism $\varphi$ in the ring $\mathbb{Z}[\varphi]$
Frobenius Expansion-(2)
Division by $\varphi$ in $\mathbb{Z}[\varphi]$ looks like division by a complex number in the Gaussian integers
Lemma: Suppose $q$ is an even (resp. odd) prime power. Let $\alpha \in \mathbb{Z}[\varphi]$. There exist an integer $r \in \mathbb{Z}$ with $|r| \le q/2$ (resp. $|r| \le (q-1)/2$) and an element $\beta \in \mathbb{Z}[\varphi]$ such that $\alpha = r + \varphi\beta$.
Frobenius Expansion-(3)
By iterating the process of division by $\varphi$ with remainder, one can expand $\alpha = \sum_{i=0}^{l} r_i \varphi^i$ with each $r_i \in \mathbb{Z}$ bounded as in the lemma
Division by $\varphi$ in $\mathbb{Z}[\varphi]$-(1)
Division by $\varphi$ in $\mathbb{Z}[\varphi]$-(2)
Let $L = [1, \varphi]$ be the lattice generated by 1 and $\varphi$; $L$ is isomorphic to $\mathbb{Z}[\varphi]$
Which elements of $L$ can be divided by $\varphi$?
- for example, all integers divisible by 2 are of the form $2n$
- the set of such elements is the sublattice $L_1 = [q, \varphi]$ generated by $q$ and $\varphi$
Division by $\varphi$ in $\mathbb{Z}[\varphi]$-(3)
Divide $s = s_1 + s_2\varphi \in L$ by $\varphi$ with remainder
- If $s = s_1 + s_2\varphi \in L_1$, then there exist $t_1, t_2 \in \mathbb{Z}$ such that $s_1 + s_2\varphi = \varphi(t_1 + t_2\varphi)$
- If not, move horizontally left or right to $(s_1 - r) + s_2\varphi \in L_1$ for a suitable $r \in \mathbb{Z}$
Random Decomposition-(1)
Transform $L = [1, \varphi]$ to a random lattice $L'$
- Choose random integers $a, b, c, d$ with $A = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$ and $ad - bc \neq 0$
Random Decomposition-(2)
$A$ maps $L$ to $L' = [a + b\varphi,\ c + d\varphi]$, the lattice with basis vectors $(a, b)$ and $(c, d)$ in the coordinates $(1, \varphi)$; $A^{-1}$ maps $L'$ back to $L$
Random Decomposition-(3)
Random Decomposition-(4)
Lemma: For any $s = s_1 + s_2\varphi \in \mathbb{Z}[\varphi]$, we can find $k_1, k_2, r_1, r_2 \in \mathbb{Z}$ such that $s = k_1(a + b\varphi) + k_2(c + d\varphi) + r_1 + r_2\varphi$, with the Euclidean length of $r = r_1 + r_2\varphi$ bounded by a constant depending only on $a, b, c, d$
Random Decomposition-(5)
Scalar Multiplication
Scalar multiplication $kP$ for $k \in \mathbb{Z}[\varphi]$
- $k$ is expanded as $k = k_1(a + b\varphi) + k_2(c + d\varphi) + r_1 + r_2\varphi$
- By Mueller's expansion method $k_1 = \sum_{i=0}^{l} k_{1,i}\varphi^i$ and $k_2 = \sum_{i=0}^{l} k_{2,i}\varphi^i$, so
  $k = \sum_{i=0}^{l} (k_{1,i}a + k_{1,i}b\varphi + k_{2,i}c + k_{2,i}d\varphi)\varphi^i + r_1 + r_2\varphi = \sum_{i=0}^{l} k'_i \varphi^i + r_1 + r_2\varphi$
- A scalar multiplication becomes $kP = \sum_{i=0}^{l} \varphi^i (k'_i P) + (r_1 + r_2\varphi)P$
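The three pieces of the method, division by $\varphi$ with remainder, Mueller's expansion and the randomized decomposition of the scalar over the lattice $L' = A L$, worked through in Python as an added example (not code from the slides or from the authors). It assumes the standard Frobenius relation $\varphi^2 = t\varphi - q$ with trace $t$, which the slides do not spell out, uses constructed toy parameters $q = 4$, $t = 1$ and the scalar $k = 1000$, and realizes the decomposition lemma by rounding $(s_1, s_2)A^{-1}$ to the nearest integers (the slides show $A^{-1}$ but not the rounding rule, so that choice is an assumption here). Correctness is checked by recomposing $\sum_i k'_i\varphi^i + r_1 + r_2\varphi$ in $\mathbb{Z}[\varphi]$ rather than on a curve: an identity that holds in $\mathbb{Z}[\varphi]$ holds for $kP$, since $\mathbb{Z}[\varphi]$ acts on $E$ through the endomorphism ring.

```python
"""Frobenius expansion and randomized lattice decomposition in Z[phi].

Added worked example, not code from the WISA 2005 slides.  u + v*phi is the
pair (u, v).  Assumed (not stated on the slides): phi^2 = t*phi - q, t = trace.
"""
from fractions import Fraction
import random

Q, T = 4, 1       # constructed toy parameters: q = 4, t = 1, so phi^2 = phi - 4
MAX_STEPS = 64    # guard so a non-terminating expansion cannot loop forever


def mul(x, y, q=Q, t=T):
    """(u1 + v1*phi)(u2 + v2*phi) reduced with phi^2 = t*phi - q."""
    (u1, v1), (u2, v2) = x, y
    return (u1 * u2 - q * v1 * v2, u1 * v2 + u2 * v1 + t * v1 * v2)

def add(x, y):
    return (x[0] + y[0], x[1] + y[1])

def scale(n, x):
    return (n * x[0], n * x[1])

def centered_residue(u, q=Q):
    """Representative r of u mod q with |r| <= q/2 (Mueller's remainder)."""
    r = u % q
    return r - q if r > q // 2 else r

def divmod_phi(alpha, q=Q, t=T):
    """alpha = r + phi*beta with |r| <= q/2; returns (r, beta)."""
    # phi*(x + y*phi) = -q*y + (x + t*y)*phi, so alpha - r is a multiple of phi
    # exactly when q | (u - r): the 'move left or right into L_1' step.
    u, v = alpha
    r = centered_residue(u, q)
    y = (r - u) // q                     # exact, q divides u - r by construction
    return r, (v - t * y, y)

def frobenius_expand(alpha, q=Q, t=T):
    """Mueller's expansion: digits r_0..r_l with alpha = sum r_i * phi^i."""
    digits = []
    while alpha != (0, 0):
        if len(digits) >= MAX_STEPS:
            raise ValueError("Frobenius expansion did not terminate")
        r, alpha = divmod_phi(alpha, q, t)
        digits.append(r)
    return digits

def random_basis(rng, bound=8):
    """Random integer matrix A = [[a, b], [c, d]] with ad - bc != 0."""
    while True:
        a, b, c, d = (rng.randint(-bound, bound) for _ in range(4))
        if a * d - b * c != 0:
            return a, b, c, d

def decompose(s, basis):
    """s = k1*(a + b*phi) + k2*(c + d*phi) + r; (k1, k2) = round((s1, s2) * A^-1),
    so r lies in the fundamental parallelogram of L' = A*L."""
    a, b, c, d = basis
    s1, s2 = s
    det = a * d - b * c
    k1 = round(Fraction(s1 * d - s2 * c, det))
    k2 = round(Fraction(s2 * a - s1 * b, det))
    return k1, k2, (s1 - k1 * a - k2 * c, s2 - k1 * b - k2 * d)

def remainder_within_bound(r, basis):
    """Lemma check: rounding errors <= 1/2 give |r1| <= (|a|+|c|)/2, |r2| <= (|b|+|d|)/2."""
    a, b, c, d = basis
    return 2 * abs(r[0]) <= abs(a) + abs(c) and 2 * abs(r[1]) <= abs(b) + abs(d)

def randomized_schedule(k, basis, q=Q, t=T):
    """Digits k'_i = k1_i*(a + b*phi) + k2_i*(c + d*phi) and remainder r, so that
    kP = sum_i phi^i (k'_i P) + (r1 + r2*phi) P.  The digit stream depends on A."""
    a, b, c, d = basis
    k1, k2, r = decompose((k, 0), basis)
    d1, d2 = frobenius_expand((k1, 0), q, t), frobenius_expand((k2, 0), q, t)
    n = max(len(d1), len(d2))
    d1, d2 = d1 + [0] * (n - len(d1)), d2 + [0] * (n - len(d2))
    return [add(scale(x, (a, b)), scale(y, (c, d))) for x, y in zip(d1, d2)], r

def evaluate_schedule(digits, r, q=Q, t=T):
    """Horner: sum_i phi^i k'_i + r in Z[phi]; equals (k, 0) if the schedule is right."""
    acc = (0, 0)
    for kp in reversed(digits):
        acc = add(kp, mul((0, 1), acc, q, t))
    return add(acc, r)


if __name__ == "__main__":
    rng = random.Random(2005)            # constructed seed, reproducible demo
    k = 1000
    print("expansion of 3:", frobenius_expand((3, 0)))
    for _ in range(3):
        basis = random_basis(rng)
        digits, r = randomized_schedule(k, basis)
        assert evaluate_schedule(digits, r) == (k, 0) and remainder_within_bound(r, basis)
        print("A =", basis, "digits =", digits, "r =", r)
```

The identity basis $A = I$ reduces `randomized_schedule` to Mueller's plain expansion, so comparing its digit stream with that of a random $A$ shows exactly what the randomization changes from one scalar multiplication to the next. The `MAX_STEPS` guard is there because a Frobenius expansion with bounded digits is not guaranteed to terminate for every choice of $(q, t)$; for the toy parameters used here a short case analysis of the small-norm elements shows that it does, but an implementation should bound the loop rather than rely on that.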
Overhead
Conclusion
Our method can be applied to all kinds of elliptic curves on which the Frobenius expansion is available
It can be used in conjunction with other countermeasures
Future work: generalization to hyperelliptic curves