• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.5
• /
• pp.1079-1087
• /
• 2018

Binary scalar multiplication which is the main operation of elliptic curve cryptography is vulnerable to the side-channel analysis. Especially, it is vulnerable to the side-channel analysis which uses power consumption and electromagnetic emission patterns. Thus, various countermeasures have been studied. However, they have focused on eliminating patterns of data dependent branches, statistical characteristic according to intermediate values, or the interrelationships between data. No countermeasure have been taken into account for the secure design of the key bit check phase, although the secret scalar bits are directly loaded during that phase. Therefore, in this paper, we demonstrate that we can extract secret scalar bits with 100% success rate using a single power or a single electromagnetic trace by performing key bit-dependent attack on hardware implementation of binary scalar multiplication algorithm. Experiments are focused on the $Montgomery-L{\acute{o}}pez-Dahab$ ladder algorithm protected by scalar randomization. Our attack does not require sophisticated pre-processing and can defeat existing countermeasures using a single-trace. As a result, we propose a countermeasure and suggest that it should be applied.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.8 no.9
• /
• pp.3266-3285
• /
• 2014

With limited computing and storage resources, many network applications of encryption algorithms require low power devices and fast computing components. CHESS-64 is designed by employing simple key scheduling and Data-Dependent operations (DDO) as main cryptographic components. Hardware performance for Field Programmable Gate Arrays (FPGA) and for Application Specific Integrated Circuits (ASIC) proves that CHESS-64 is a very flexible and powerful new cipher. In this paper, the security of CHESS-64 block cipher under related-key differential cryptanalysis is studied. Based on the differential properties of DDOs, we construct two types of related-key differential characteristics with one-bit difference in the master key. To recover 74 bits key, two key recovery algorithms are proposed based on the two types of related-key differential characteristics, and the corresponding data complexity is about $2^{42.9}$ chosen-plaintexts, computing complexity is about $2^{42.9}$ CHESS-64 encryptions, storage complexity is about $2^{26.6}$ bits of storage resources. To break the cipher, an exhaustive attack is implemented to recover the rest 54 bits key. These works demonstrate an effective and general way to attack DDO-based ciphers.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.13 no.1
• /
• pp.47-57
• /
• 2003

In this paper, we firstly evaluate the resistance of the reduced 5-round version of the block cipher CIKS-1 against linear cryptanalysis(LC) and show that we can attack full-round CIKS-1 with \ulcorner56-bit key through the canonical extension of our attack. A feature of the CIKS-1 is the use of both Data-Dependent permutations(DDP) and internal key scheduling which consist in data dependent transformation of the round subkeys. Taking into accout the structure of CIKS-1 we investigate linear approximation. That is, we consider 16 linear approximations with p=3/4 for 16 parallel modulo $2^2$ additions to construct one-round linear approximation and derive one-round linear approximation with the probability P=1/2+$2^{-17}$ by Piling-up lemma. Then we present 3-round linear approximation with 1/2+$2^{-17}$ using this one-round approximation and attack the reduced 5-round CIKS-1 with 64-bit block by LC. In conclusion we present that our attack requires $2^{38}$chosen plaintexts with a probability of success of 99.9% and about $2^{67-7}$encryption times to recover the last round key.(But, for the full-round CIKS-1, our attack requires about $2^{166}$encryption times)

• Journal of Broadcast Engineering
• /
• v.8 no.4
• /
• pp.501-504
• /
• 2003

In this out watermarking method, a key is determined by quantizing the maximum motion difference between frames. We have a problem the key value for embedding and detection are different in 1 to 3% frames of all frames. This problem can be easily solved by using a new key according to bit error rate of the extracted watermark. Since the watermark is embedded in each frame nth different keys and detected In all the frames, out method is resistant against attacks such as the frame averaging and frame drop.