• ETRI Journal
• /
• v.32 no.1
• /
• pp.102-111
• /
• 2010

Recently power attacks on RSA cryptosystems have been widely investigated, and various countermeasures have been proposed. One of the most efficient and secure countermeasures is the message blinding method, which includes the RSA derivative of the binary-with-random-initial-point algorithm on elliptical curve cryptosystems. It is known to be secure against first-order differential power analysis (DPA); however, it is susceptible to second-order DPA. Although second-order DPA gives some solutions for defeating message blinding methods, this kind of attack still has the practical difficulty of how to find the points of interest, that is, the exact moments when intermediate values are being manipulated. In this paper, we propose a practical second-order correlation power analysis (SOCPA). Our attack can easily find points of interest in a power trace and find the private key with a small number of power traces. We also propose an efficient countermeasure which is secure against the proposed SOCPA as well as existing power attacks.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2006.06a
• /
• pp.164-168
• /
• 2006

전력 공격은 암호화 연산 과정 중 발생하는 소비 전력의 파형을 측정하여 비밀 정보를 알아내는 공격 방식이다. 이러한 전력 공격에 대한 취약성을 막기 위하여 message blinding, exponent blinding과 같은 기법들이 적용되어 왔다. 본 고에서는 $ECC^{[1]}$암호화 연산 과정에서, r이 임의의 정수일 때, dP=(d-r)P+rP인 관계를 이용하는 exponent blinding기법$^{[2]}$에 대하여 언급하고, 위 기법을 전력 공격의 대응책으로 적용 시 적절히 구현되지 않으면 power attack에 대하여 매우 취약하다는 것을 보인다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.2
• /
• pp.261-270
• /
• 2015

In information security devices, such as Smart Cards, vulnerabilities of the RSA algorithm which is used to protect the data were found in the Side Channel Analysis. The RSA is especially vulnerable to Power Analysis which uses power consumption when the algorithm is working. Typically Power Analysis is divided into SPA(Simple Power Analysis) and DPA(Differential Power Analysis). On top of this, there is a CA(Collision Analysis) which is a very powerful attack. CA makes it possible to attack using a single waveform, even if the algorithm is designed to secure against SPA and DPA. So Message blinding, which applies the window method, was considered as a countermeasure. But, this method does not provide sufficient safety when the window size is small. Therefore, in this paper, we propose a new countermeasure that provides higher safety against CA. Our countermeasure is a combination of message and exponent blinding which is applied to the window method. In addition, through experiments, we have shown that our countermeasure provides approximately 124% higher attack complexity when the window size is small. Thus it can provide higher safety against CA.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.3
• /
• pp.117-121
• /
• 2007

Most existing countermeasures against classical DPA are vulnerable to new DPA, e.g., refined power analysis attack (RPA), zero-value point attack (ZPA), and doubling attack. More recently, Mamiya et al proposed a new countermeasure (so-called BRIP) against RPA, ZPA, classical DPA and SPA. This countermeasure, however, also has a vulnerability of scalar multiplication computations by exploiting specially chosen input message. Therefore, to prevent various power analysis attacks like DPA and new SPA, we propose an enhanced countermeasure by developing a new random blinding technique.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.4
• /
• pp.727-738
• /
• 2015

Until recently, power analysis is one of the most popular research issues among various side channel analyses. Since Differential Power Analysis had been first proposed by Kocher et al., various practical power analyses correspond with software/hardware cryptographic devices have been proposed. In this paper, we analyze vulnerability of countermeasure against power analysis exploiting single power trace of public cryptographic algorithm. In ICICS 2010, Clavier et al. proposed Horizontal Correlation Analysis which can recover secret information from a single exponentiation trace and corresponding countermeasures. "Blind operands in LIM", one of their countermeasures, exploits additive blinding in order to prevent leakage of intermediate value related to secret information. However, this countermeasure has vulnerability of having power leakage that is dependant with the message known by an adversary. In this paper, we analyzed vulnerabilities by three attack scenarios and proved them by practical correlation power analysis experiments.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.5
• /
• pp.985-991
• /
• 2015

The user's secret key can be retrieved by various side channel leakage informations occurred during the execution of cryptographic RSA exponentiation algorithm which is embedded on a security device. The collision-based power analysis attack known as a serious side channel threat can be accomplished by finding some collision pairs on a RSA power consumption trace. Recently, an RSA exponentiation algorithm was proposed as a countermeasure which is based on the window method adopted combination of message blinding and exponent splitting. In this paper, we show that this countermeasure provides approximately $2^{53}$ attack complexity, much lower than $2^{98}$ insisted in the original article, when the window size is two.

• Journal of KIISE:Computer Systems and Theory
• /
• v.29 no.5
• /
• pp.299-306
• /
• 2002

Partially blind signature scheme is used in applications such as electronic cash and electronic voting where the privacy of the signature requester is important. This paper proposes an RSA-based enhanced partially blind signature scheme minimizing the amount of computation of the signature requester. The signature requester needs computation in blinding the message to the signer and in generating the final signature using the intermediate signature generated by the signer. Since the proposed scheme enables the signature requester to get the final signature just by using modular additions and multiplications, it decreases computation of the signature requester considerably. So, the proposed partially blind signature scheme is adequate for devices such as mobile device, smart-card, and electronic purse that have relatively low computing power.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.26 no.2
• /
• pp.335-344
• /
• 2016

It is known that power analysis is one of the most powerful attack in side channel analysis. Among power analysis single trace attack is widely studied recently since it uses one power consumption trace to recover secret key of public cryptosystem. Recently Sim et al. proposed new exponentiation algorithm for RSA cryptosystem with higher attack complexity to prevent single trace attack. In this paper we analyze the vulnerability of exponentiation algorithm described by Sim et al. Sim et al. applied message blinding and random exponentiation splitting method on $2^t-ary$ for higher attack complexity. However we can reveal private key using information exposed during pre-computation generation. Also we describe modified algorithm that provides higher attack complexity on collision attack. Proposed algorithm minimized the reuse of value that are used during exponentiation to provide security under single collision attack.