Katsuyuki Okeya
Hitachi
Publication
Featured research published by Katsuyuki Okeya.
international conference on progress in cryptology | 2000
Katsuyuki Okeya; Kouichi Sakurai
We apply power analysis on known elliptic curve cryptosystems, and consider an exact implementation of scalar multiplication on elliptic curves for resisting against power attacks. Our proposed algorithm does not decrease the computational performance compared to the conventional scalar multiplication algorithm, whereas previous methods did cost the performance or fail to protect against power analysis attacks.
international cryptology conference | 2004
Katsuyuki Okeya; Katja Schmidt-Samoa; Christian Spahn; Tsuyoshi Takagi
The most common method for computing exponentiation of random elements in Abelian groups are sliding window schemes, which enhance the efficiency of the binary method at the expense of some precomputation. In groups where inversion is easy (e.g. elliptic curves), signed representations of the exponent are meaningful because they decrease the amount of required precomputation. The asymptotic best signed method is wNAF, because it minimizes the precomputation effort whilst the non-zero density is nearly optimal. Unfortunately, wNAF can be computed only from the least significant bit, i.e. right-to-left. However, in connection with memory constraint devices left-to-right recoding schemes are by far more valuable.
public key cryptography | 2000
Katsuyuki Okeya; Hiroyuki Kurumatani; Kouichi Sakurai
We show that the elliptic curve cryptosystems based on the Montgomery-form $E^M: BY^2 = X^3 + AX^2 + X$ are immune to the timing-attacks by using our technique of randomized projective coordinates, while Montgomery originally introduced this type of curves for speeding up the Pollard and Elliptic Curve Methods of integer factorization [Math. Comp. Vol.48, No.177, (1987) pp.243-264].
cryptographic hardware and embedded systems | 2001
Katsuyuki Okeya; Kouichi Sakurai
We present a scalar multiplication algorithm with recovery of the y-coordinate on a Montgomery form elliptic curve over any nonbinary field. The previous algorithms for scalar multiplication on a Montgomery form do not consider how to recover the y-coordinate. So although they can be applicable to certain restricted schemes (e.g. ECDH and ECDSA-S), some schemes (e.g. ECDSA-V and MQV) require scalar multiplication with recovery of the y-coordinate. We compare our proposed scalar multiplication algorithm with the traditional scalar multiplication algorithms (including Window-methods in Weierstrass form), and discuss the Montgomery form versus the Weierstrass form in the performance of implementations with several techniques of elliptic curve cryptosystems (including ECES, ECDSA, and ECMQV). Our results clarify the advantage of the cryptographic usage of Montgomery-form elliptic curves in constrained environments such as mobile devices and smart cards.
applied cryptography and network security | 2007
Johannes A. Buchmann; Erik Dahmen; Elena Klintsevich; Katsuyuki Okeya; Camille Vuillaume
We propose GMSS, a new variant of the Merkle signature scheme. GMSS is the first Merkle-type signature scheme that allows a cryptographically unlimited ($2^{80}$) number of documents to be signed with one key pair. Compared to recent improvements of the Merkle signature scheme, GMSS reduces the signature size as well as the signature generation cost.
australasian conference on information security and privacy | 2002
Katsuyuki Okeya; Kouichi Sakurai
We show that a randomized addition-subtraction chains countermeasure against side channel attacks is vulnerable to SPA attack, a kind of side channel attack, under distinguishability between addition and doubling. A side channel attack is an attack that takes advantage of information leaked during execution of a cryptographic procedure. The randomized addition-subtraction chains countermeasure has been proposed by Oswald-Aigner, and is a random decision inserted into computations. However, its immunity to side channel attacks is still controversial. As for timing attack, a kind of side channel attack, the randomized addition-subtraction chains countermeasure is also vulnerable. Moreover, compared with other countermeasures against side channel attacks, the randomized addition-subtraction chains countermeasure, after being improved to prevent side channel attacks, is much slower.
international conference on information security | 2002
Katsuyuki Okeya; Kouichi Sakurai
Möller proposed a countermeasure using window method against side channel attacks. However, its immunity to side channel attacks is still controversial. In this paper, we show Möller's countermeasure is vulnerable to a second-order differential power analysis attack. A side channel attack is an attack that takes advantage of information leaked during execution of a cryptographic procedure. An nth-order differential power analysis attack is the side channel attack which uses n different leaked data that correspond to n different intermediate values during the execution. Our proposed attack against Möller's countermeasure finds out the use of same elliptic points, and restricts candidates of the secret scalar value. In these circumstances, the attack completely detects the scalar value using Baby-Step-Giant-Step method as a direct-computational attack. For a 160-bit scalar value, the proposed attack restricts the number of candidates of the scalar to a 45-bit integer, and the direct-computational attack can actually detect the scalar value. Besides, we improve Möller's countermeasure to prevent the proposed attack. We compare the original method and improved countermeasure in terms of the computational intractability and the computational cost of the scalar multiplication.
cryptographic hardware and embedded systems | 2007
Hirotaka Yoshida; Dai Watanabe; Katsuyuki Okeya; Jun Kitahara; Hongjun Wu; Özgül Küçük; Bart Preneel
This paper describes a new compression function, MAME, designed for hardware-oriented hash functions which can be used in applications with reduced hardware requirements. MAME takes a 256-bit message block and a 256-bit chaining variable as input and produces a 256-bit output. In the light of recent attacks on MD5 and SHA-1, our design strategy is very conservative, and we show that our compression function is secure against various kinds of widely known attacks with very large security margins. The simple logical operations and the hardware efficient S-boxes are used to achieve a hardware implementation of MAME requiring only 8.1 Kgates on 0.18 μm technology.
australasian conference on information security and privacy | 2007
Erik Dahmen; Katsuyuki Okeya; Daniel Schepers
This paper presents a new approach to precompute all odd points [3]P, [5]P, ..., [2k−1]P, k ≥ 2 on an elliptic curve over Fp. Those points are required for the efficient evaluation of a scalar multiplication, the most important operation in elliptic curve cryptography. The proposed method precomputes the points in affine coordinates and needs only one single field inversion for the computation. The new method is superior to all known methods that also use one field inversion. Compared to methods that require several field inversions for the precomputation, the proposed method is faster for a broad range of ratios of field inversions and field multiplications. The proposed method benefits especially from ratios as they occur on smart cards.
cryptographic hardware and embedded systems | 2003
Katsuyuki Okeya; Tsuyoshi Takagi
Elliptic curve cryptosystem (ECC) is well-suited for the implementation on memory constraint environments due to its small key size. However, side channel attacks (SCA) can break the secret key of ECC on such devices, if the implementation method is not carefully considered. The scalar multiplication of ECC is particularly vulnerable to the SCA. In this paper we propose an SCA-resistant scalar multiplication method that is allowed to take any number of pre-computed points. The proposed scheme essentially intends to resist the simple power analysis (SPA), not the differential power analysis (DPA). Therefore it is different from the other schemes designed for resisting the DPA. The previous SPA-countermeasures based on window methods utilize the fixed pattern windows, so that they only take discrete table size. The optimal size is $2^{w-1}$ for $w = 2, 3, \ldots$, which was proposed by Okeya and Takagi. We play a different approach from them. The key idea is randomly (but with fixed probability) to generate two different patterns based on pre-computed points. The two distributions are indistinguishable from the view point of the SPA. The proposed probabilistic scheme provides us more flexibility for generating the pre-computed points; the designer of smart cards can freely choose the table size without restraint.