Yoo-Jin Baek

How to prevent DPA and fault attack in a unified way for ECC scalar multiplication: ring extension method

The elliptic curve cryptosystem(ECC) is increasingly being used in practice due to its shorter key sizes and efficient realizations. However, ECC is also known to be vulnerable to various side channel attacks, including power attacks and fault injection attacks. This paper proposes new countermeasures for ECC scalar multiplications against differential power attacks and fault attacks. The basic idea of proposed countermeasures lies in extending the definition field of an elliptic curve to its random extension ring and performing the required elliptic curve operations over the ring. Moreover, new methods perform a point validation check in a small subring of the extension ring to give an efficient fault attack countermeasure.

Regular 2 w -ary right-to-left exponentiation algorithm with very efficient DPA and FA countermeasures

With the growing demand of efficient cryptosystems, their secure implementations against various side-channel attacks and the fault attack are also requested from the practice. Several countermeasures are proposed so far, and this paper proposes a new regular 2w-ary right-to-left exponentiation algorithm, which can be equipped with very efficient DPA (differential power attack) and FA (fault attack) countermeasures. Since its regular behavior clearly prevents the simple power analysis attack, the new algorithm gives a strong resistance to all the well-known major implementation attacks. This paper also gives a variant of the new algorithm for securely implementing the RSA cryptosystem with CRT (Chinese Remainder Theorem).

DPA-resistant finite field multipliers and secure AES design

The masking method is known to be one of the most powerful algorithmic countermeasures against the first-order differential power attack. This article proposes several new efficient masking algorithms applicable to finite field multipliers. Note that the finite field multiplier (more precisely, the finite field inversion) plays a crucial role in the confusion layer of many block ciphers including AES. The new algorithms are applied to implement AES DPA-securely in hardware and the detailed implementation results are presented.

On the Security of MOR Public Key Cryptosystem

For a finite group G to be used in the MOR public key cryptosystem, it is necessary that the discrete logarithm problem(DLP) over the inner automorphism group Inn (G) of G must be computationally hard to solve. In this paper, under the assumption that the special conjugacy problem of G is easy, we show that the complexity of the MOR system over G is about log |G| times larger than that of DLP over G in a generic sense. We also introduce a group-theoretic method, called the group extension, to analyze the MOR cryptosystem. When G is considered as a group extension of H by a simple abelian group, we show that DLP over Inn (G) can be ‘reduced’ to DLP over Inn (H). On the other hand, we show that the reduction from DLP over Inn (G) to DLP over G is also possible for some groups. For example, when G is a nilpotent group, we obtain such a reduction by the central commutator attack.

Correcting errors in private keys obtained from cold boot attacks

Based on the cold boot attack technique, this paper proposes a new algorithm to obtain the private key of the discrete logarithm (DL) based cryptosystems and the standard RSA from its erroneous value. The proposed algorithm achieves almost the square root complexity of search space size. More precisely, the private key of the DL based system with 160-bit key size can be recovered in 243.24 exponentiations while the complexity of the exhaustive search is 271.95 exponentiations if the error rate is given by 10%. In case of the standard RSA with 1024-bit key size, our algorithm can recover the private key with 249.08 exponentiations if the error rate is given by 1%. Compared with the efficiency of some algorithms [7,6] to recover the private key in RSA using Chinese Remainder Theorem, the recoverable error rate of our algorithm is quite small. However, our algorithm requires only partial information of the private key d while other algorithms require additional information such as partial information of factors of the RSA modulus N. The proposed algorithm can also be used for breaking countermeasure of differential power analysis attack. In the standard RSA, one uses the randomized exponent

Spectral modular arithmetic for binary extension fields

\tilde{d}=d+r\cdot\phi(N)

Extracting Unknown Keys from Unknown Algorithms Encrypting Unknown Fixed Messages and Returning No Results

instead of the decryption exponent d with the random value r. When the size of a random value r is 26-bit, it can be shown that the randomized exponent can be recovered with 249.30 exponentiations if the error rate is 1%. Finally, we also consider the breaking countermeasure that splits the decryption exponent d into d1 and d2 of same size.

Second-Order G-equivariant Logic Gate for AND Gate and its Application to Secure AES Implementation*

We describe a method of carrying multiplication in the binary extension fields. The new method fully operates on the Fourier representations of the field elements by successively applying the convolution property and a reduction technique defined on the Fourier coefficients. With some careful parameter selection, the method yields highly parallel architectures for operations involving several field multiplications such as the scalar multiplication calculation of elliptic curve cryptography.

Simple countermeasure to cryptanalysis against unified ECC codes

In addition to its usual complexity postulates, cryptography silently assumes that secrets can be physically protected in tamper-proof locations.

Cryptographic method and system for encrypting input data

ABSTRACT When implementing cryptographic algorithms in mobile devices li ke smart cards, the security against side-channel attacks should be considered. Side-channel attacks try to find critical information from the side-channel infromation obtained from th e underlying cryptographic devices‘ execution. Especially, the power analysis attack uses the power consumption profile of the devices as the side-channel information. This paper proposes a new gate-level countermeasure against the power analysis attack and the glitch attack and suggests how to apply the measure to securely implement AES.Keywords: Smart Card, Side-Channel Attack, Power Analysis Attack, Glitc h Attack, Countermeasure, AES접수일(2013년 12월 26일), 수정일(2014년 1월 21일), 게재확정일(2014년 1월 29일)* 본 연구는 ETRI의 연구개발과제인 K-SCARF 프로젝트로 수행하였음 (암호키 누출 검증 및 방지 원천 기술 연구)†주저자, yoojin.baek@gmail.com‡교신저자, dhchoi@etri.re.kr (Corresponding author) I.서 론 스마트카드 등과 같은 모바일 기기는 금융 정보 등과 같은 개인 비밀 정보를 저장하고 있기 때문에 불법적인 정보 유출과 비인가된 접근과 같은 보안 위험성이 상존하며 이를 방어하기 위하여 다양한 암호 알고리즘이 사용되고 있다. 따라서 효율적이고 안전한 암호 알고리즘의 구현에 대한 관심 및 중요성은 점점 더 증가하고 있다. 이러한 암호 알고리즘은 수학적 안전성뿐만 아니라 해당 알고리즘 구현시 부채널 공격