Dong-Guk Han

Improved Computation of Square Roots in Specific Finite Fields

In this paper, we study exponentiation in the specific finite fields F, with very special exponents such as those that occur in algorithms for computing square roots. Here, q is a prime power, q = pk, where k > 1, and k is odd. Our algorithmic approach improves the corresponding exponentiation resulted from the better rewritten exponent. To the best of our knowledge, it is the first major improvement to the Tonelli-Shanks algorithm, for example, the number of multiplications can be reduced to at least 60 percent on the average when p= 1 (mod 16). Several numerical examples are given that show the speedup of the proposed methods.

New security problem in RFID systems “tag killing”

Radio frequency identification systems based on low-cost computing devices is the new plaything that every company would like to adopt. The biggest challenge for RFID technology is to provide benefits without threatening the privacy of consumers. Using cryptographic primitives to thwart RFID security problems is an approach which has been explored for several years. In this paper, we introduce a new security problem called as Tag Killing which aims to wipe out the functioning of the system, e.g., denial of service attacks. We analyze several well-known RFID protocols which are considered as good solutions with Tag Killing adversary model and we show that most of them have weaknesses and are vulnerable to it.

Side channel attacks and countermeasures on pairing based cryptosystems over binary fields

Pairings on elliptic curves have been used as cryptographic primitives for the development of new applications such as identity based schemes. For the practical applications, it is crucial to provide efficient and secure implementations of the pairings. There have been several works on efficient implementations of the pairings. However, the research for secure implementations of the pairings has not been thoroughly investigated. In this paper, we investigate vulnerability of the pairing used in some pairing based protocols against side channel attacks. We propose an efficient algorithm secure against such side channel attacks of the eta pairing using randomized projective coordinate systems for the pairing computation.

A More Compact Representation of XTR Cryptosystem

XTR is one of the most efficient public-key cryptosystems that allow us to compress the communication bandwidth of their ciphertext. The compact representation can be achieved by deploying a subgroup Fq2 of extension field Fq6, so that the compression ratio of XTR cryptosystem is 1/3. On the other hand, Dijk et al. proposed an efficient public-key cryptosystem using a torus over Fq30 whose compression ratio is 4/15. It is an open problem to construct an efficient public-key cryptosystem whose compression ratio is smaller than 4/15. In this paper we propose a new variant of XTR cryptosystem over finite fields with characteristic three whose compression ratio is 1/6. The key observation is that there exists a trace map from Fq6 to Fq in the case of characteristic three. Moreover, the cost of compression and decompression algorithm requires only about 1% overhead compared with the original XTR cryptosystem. Therefore, the proposed variant of XTR cryptosystem is one of the fastest public-key cryptosystems with the smallest compression ratio.

Side Channel Attack on Ha-Moon’s Countermeasure of Randomized Signed Scalar Multiplication

Side channel attacks (SCA) are serious attacks on mobile devices. In SCA, the attacker can observe the side channel information while the device performs the cryptographic operations, and he/she can detect the secret stored in the device using such side channel information. Ha-Moon proposed a novel countermeasure against side channel attacks in elliptic curve cryptosystems (ECC). The countermeasure is based on the signed scalar multiplication with randomized concept, and does not pay the penalty of speed. Ha-Moon proved that the countermeasure is secure against side channel attack theoretically, and confirmed its immunity experimentally. Thus Ha-Moon’s countermeasure seems to be very attractive. In this paper we propose a novel attack against Ha-Moon’s countermeasure, and show that the countermeasure is vulnerable to the proposed attack. The proposed attack utilizes a Markov chain for detecting the secret. The attacker determines the transitions in the Markov chain using side channel information, then detects the relation between consecutive two bits of the secret key, instead of bits of the secret key as they are. The use of such relations drastically reduces the search space for the secret key, and the attacker can easily reveal the secret. In fact, around twenty observations of execution of the countermeasure are sufficient to detect the secret in the case of the standard sizes of ECC. Therefore, Ha-Moon’s countermeasure is not recommended for cryptographic use.

Cryptanalysis of the full version randomized addition-subtraction chains

In [12], Okeya and Sakurai showed that the simple version randomized addition-subtraction chains countermeasure [14] is vulnerable to SPA attack. But their analysis method is not able to be applicable to the complex version [14]. In this paper, we show that Okeya and Sakurais attack algorithm has two latent problems which need to be considered. We further propose new powerful concrete attack algorithms which are different from [12,15]. By using our proposed attack algorithms, we can totally break the full version randomized addition-subtraction chains [14]. From our implementation results for standard 163-bit keys, the success probability for the simple version with 20 AD sequences is about 94% and with 30 AD sequences is about 99%. Also, the success probability for the complex version with 40 AD sequences is about 94% and with 70 AD sequences is about 99%.

An improved side channel attack using event information of subtraction

RSA-CRT is a widely used algorithm that provides high performance implementation of the RSA-signature algorithm. Many previous studies on each operation step have been published to verify the physical leakages of RSA-CRT when used in smart devices. This paper proposes SAED (subtraction algorithm analysis on equidistant data), which extracts sensitive information using the event information of the subtraction operation in a reduction algorithm. SAED is an attack method that uses algorithm-dependent power signal changes. An adversary can extract a key using differential power analysis (DPA) of the subtraction operation. This paper indicates the theoretical rationality of SAED, and shows that its results are better than those of other methods. According to our experiments, only 256 power traces are sufficient to acquire one block of data. We verify that this method is more efficient than those proposed in previously published studies.

CPA performance comparison based on Wavelet Transform

Correlation Power Analysis (CPA) is a very effective attack method for finding secret keys using the statistical features of power consumption signals from cryptosystems. However, the power consumption signal of the encryption device is greatly affected or distorted by noise arising from peripheral devices. When a side channel attack is carried out, this distorted signal, which is affected by noise and time inconsistency, is the major factor that reduces the attack performance. A signal processing method based on the Wavelet Transform (WT) has been proposed to enhance the attack performance. Selecting the decomposition level and the wavelet basis is very important because the CPA performance based on the WT depends on these two factors. In this paper, the CPA performance, in terms of noise reduction and the transform domain, is compared and analyzed from the viewpoint of attack time and the minimum number of signals required to find the secret key. In addition, methods for selecting the decomposition level and the wavelet basis using the features of power consumption are proposed, and validated through experiments.

Modified Power-Analysis Attacks on XTR and an Efficient Countermeasure

In [HLS04a], Han et al. presented a nice overview of some side channel attacks (SCA), and some classical countermeasures. However, their proposed countermeasures against SCA are so inefficient that the efficiency of XTR with SCA countermeasures is at least 129 times slower than that of XTR without them. Thus they remained the construction of the efficient countermeasures against SCA as an open question. In this paper, we show that XTR can be also attacked by the modified refined power analysis (MRPA) and the modified zero-value attack (MZVA). To show validity of MRPA and MZVA on XTR, we give some numerical data of them.

Cryptanalysis of the Countermeasures Using Randomized Binary Signed Digits

Recently, side channel attacks (SCA) have been recognized as menaces to public key cryptosystems. In SCA, an attacker observes side channel information during cryptographic operations, and reveals the secret scalar using the side channel information. On the other hand, elliptic curve cryptosystems (ECC) are suitable for implementing on smartcards. Since a scalar multiplication is a dominant step in ECC, we need to design an algorithm to compute scalar multiplication with the immunity to SCA. For this purpose, several scalar multiplication methods that utilize randomized binary-signed-digit (BSD) representations were proposed. This type of countermeasures includes Ha-Moon’s countermeasure, Ebeid-Hasan’s one, and Agagliate’s one. In this paper we propose a novel general attack against “all” the countermeasures of this type. The proposed attack lists the candidates for the secret scalar, however straight-forward approach requires huge memory, thus it is infeasible. The proposed attack divides the table into small tables, which reduces the memory requirement. For example, the computational cost and the memory requirement of the proposed attack for revealing the 163-bit secret key are O(28) and O(223), respectively, using 20 observations on the scalar multiplication with Ha-Moon’s countermeasure. The computational cost and the memory requirement are O(221) and O(212) for Ebeid-Hasan’s one, and O(240) and O(26) for Agagliate’s one. If 40 observations are used, computational cost for Agagliate’s one is reduced to O(233). Whenever we utilize a countermeasure of BSD type, we should beware of the proposed attack. In other words, the security of BSD type is controversial.