Tetsuya Izu

A Fast Parallel Elliptic Curve Multiplication Resistant against Side Channel Attacks

This paper proposes a fast elliptic curve multiplication algorithm applicable for any types of curves over finite fields Fp (p a prime), based on [Mon87], together with criteria which make our algorithm resistant against the side channel attacks (SCA). The algorithm improves both on an addition chain and an addition formula in the scalar multiplication. Our addition chain requires no table look-up (or a very small number of pre-computed points) and a prominent property is that it can be implemented in parallel. The computing time for n-bit scalar multiplication is one ECDBL + (n - 1) ECADDs in the parallel case and (n - 1) ECDBLs + (n - 1) ECADDs in the single case. We also propose faster addition formulas which only use the x-coordinates of the points. By combination of our addition chain and addition formulas, we establish a faster scalar multiplication resistant against the SCA in both single and parallel computation. The improvement of our scalar multiplications over the previous method is about 37% for two processors and 5.7% for a single processor. Our scalar multiplication is suitable for the implementation on smart cards.

Address-Bit Differential Power Analysis of Cryptographic Schemes OK-ECDH and OK-ECDSA

The differential power analysis (DPA) is a powerful attack against the implementation of cryptographic schemes on mobile devices. This paper proposes an alternative DPA using the addresses of registers of elliptic curve based cryptosystems (ECC) implemented on smart cards. We call the analysis the address-bit DPA in this paper. The analysis was originally investigated by Messerges, Dabbish and Sloan, however it was thought to be of no effect if the intermediate data are randomized. We extend the analysis and show how the extended analysis works against scalar exponentiations even if the implementation is resistant against the data-based DPA. We show experimental results of our analysis of cryptographic schemes OK-ECDH and OK-ECDSA, which are candidates of the CRYPTREC project in Japan, and evidence of their weakness.

Exceptional procedure attack on elliptic curve cryptosystems

The scalar multiplication of elliptic curve based cryptosystems (ECC) is computed by repeatedly calling the addition formula that calculatest he elliptic curve addition of two points. The addition formula involves several exceptional procedures so that implementers have to carefully consider their treatments. In this paper we study the exceptional procedure attack, which reveals the secret scalar using the error arisen from the exceptional procedures. Recently new forms of elliptic curvesan d addition formulas for ECC have been proposed, namely the Montgomery form, the Jacobi form, the Hessian form, and the Brier-Joye addition formula. They aim at improving security or efficiency of the underlying scalar multiplications. We analyze the effectiveness of the exceptional procedure attack to some addition formulas. We conclude that the exceptional procedure attack is infeasible against the curves whose order are prime, i.e., the recommended curves by several standards. However, the exceptional procedure attack on the Brier-Joye addition formula is feasible, because it yields non-standard exceptional points. We propose an attack that revealsa few bitso f the secret scalar, provided that this multiplier is constant and fixed. By the experiment over the standard elliptic curves, we have found many non-standard exceptional points even though the standard addition formula over the curves has no exceptional point. When a new addition formula isde veloped, we should be cautious about the proposed attack.

PIATS: a partially sanitizable signature scheme

In e-government or e-tax payment systems, appropriate alterations on digitally signed documents are required to hide personal information, namely privacy. Standard digital signature schemes do not allow such alternations on the signed documents since there is no means to distinguish appropriate alternations from inappropriate forgeries. The sanitizable signature scheme is a possible solution for such systems in which sanitizings of partial information are possible, after a signature is signed on the original (unsanitized) document. However, in previously proposed schemes, since sanitizers are anonymous, verifiers cannot identify sanitizers, and thus dishonest sanitizings are possible. This paper proposes a new sanitizable signature scheme “PIATS” in which partial information can be sanitized. Moreover, verifiers can identify sanitizers and thus dishonest sanitizings are eliminated.

A Practical Countermeasure against Address-Bit Differential Power Analysis

The differential power analysis (DPA) enables an adversary to reveal the secret key hidden in a smart card by observing power consumption. The address-bit DPA is a typical example of DPA which analyzes a correlation between addresses of registers and power consumption. In this paper, we propose a practical countermeasure, the randomized addressing countermeasure, against the address-bit DPA which can be applied to the exponentiation part in RSA or ECC with and without pre-computed table. Our countermeasure has almost no overhead for the protection, namely the processing speed is no slower than that without the countermeasure. We also report experimental results of the countermeasure in order to show its effect. Finally, a complete comparison of countermeasures from various view points including the processing speed and the security level is given.

Efficient Countermeasures Against Power Analysis for Elliptic Curve Cryptosystems

The power analysis on smart cards is a real threat for cryptographic applications. In spite of continuous efforts of previous countermeasures, recent improved and sophisticated attacks against Elliptic Curve Cryptosystems are not protected. This paper proposes two new countermeasures, the Randomized Linearly-transformed Coordinates (RLC) and the Randomized Initial Point (RIP) against the attacks including the Refined Power Analysis (RPC) by Goubin and the Zero-value Point Analysis (ZPA) by Akishita-Takagi. Proposed countermeasures achieve notable speed-up without reducing the security level.

Efficient Implementation of Schoof's Algorithm

Schoofs algorithm is used to find a secure elliptic curve for cryptosystems, as it can compute the number of rational points on a randomly selected elliptic curve defined over a finite field. By realizing efficient combination of several improvements, such as Atkin-Elkiess method, the isogeny cycles method, and trial search by match-and-sort techniques, we can count the number of rational points on an elliptic curve over GF(p) in a reasonable time, where p is a prime whose size is around 240-bits.

Efficient computations of the Tate pairing for the large MOV degrees

The Tate pairing hasp lenty of attractive applications, e.g., ID-based cryptosystems, short signatures, etc. Recently several fast implementationsof the Tate pairing hasb een reported, which make it appear that the Tate pairing is capable to be used in practical applications. The computation time of the Tate pairing strongly depends on underlying elliptic curves and definition fields. However these fast implementation are restricted to supersingular curves with small MOV degrees. In this paper we propose several improvements of computing the Tate pairing over general elliptic curveso ver finite fields IFq (q = pm, p > 3) -- some of them can be efficiently applied to supersingular curves. The proposed methods can be combined with previous techniques. The proposed algorithm iss pecially effective upon the curvest hat hasa large MOV degree k. We develop several formulas that compute the Tate pairing using the small number of multiplications over IFqk. For k = 6, the proposed algorithm is about 20% faster than previously fastest algorithm.

Solving a discrete logarithm problem with auxiliary input on a 160-bit elliptic curve

A discrete logarithm problem with auxiliary input (DLPwAI) is a problem to find α from G , αG , α d G in an additive cyclic group generated by an element G of prime order r , and a positive integer d satisfying d |(r −1). The infeasibility of this problem assures the security of some cryptographic schemes. In 2006, Cheon proposed a novel algorithm for solving DLPwAI (Cheons algorithm). This paper reports our experimental results of Cheons algorithm by implementing it with some speeding-up techniques. In fact, we have succeeded to solve DLPwAI on a pairing-friendly elliptic curve of 160-bit order in 1314 core days. Implications of our experiments on cryptographic schemes are also discussed.

Sanitizable and Deletable Signature

Recently, the sanitizable signature attracts much attention since it allows to modify (sanitize) the document for hiding partial information without keeping the integrity of the disclosed subdocuments. Sanitizable signatures are quite useful in governmental or military offices, where there is a dilemma between disclosure laws for public documents and privacy or diplomatic secrets. Since a verifier can detect whether the document was sanitized or not, especially which subdocuments was sanitized, the scheme does not establish the perfect hiding. In order to solve the problem, the deletable signature was introduced in 2006. However, because these schemes are not compatible to each other, we have to select the scheme to meet the requirement. In this paper, we propose the sanitizable and deletable signature as a combination of the sanitizable signature and the deletable signature. We also establish two concrete sanitizable and deletable signatures based on the deletable signature by Miyazaki, Hanaoka and Imai.