• ETRI Journal
• /
• v.32 no.1
• /
• pp.102-111
• /
• 2010

Recently power attacks on RSA cryptosystems have been widely investigated, and various countermeasures have been proposed. One of the most efficient and secure countermeasures is the message blinding method, which includes the RSA derivative of the binary-with-random-initial-point algorithm on elliptical curve cryptosystems. It is known to be secure against first-order differential power analysis (DPA); however, it is susceptible to second-order DPA. Although second-order DPA gives some solutions for defeating message blinding methods, this kind of attack still has the practical difficulty of how to find the points of interest, that is, the exact moments when intermediate values are being manipulated. In this paper, we propose a practical second-order correlation power analysis (SOCPA). Our attack can easily find points of interest in a power trace and find the private key with a small number of power traces. We also propose an efficient countermeasure which is secure against the proposed SOCPA as well as existing power attacks.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2006.06a
• /
• pp.164-168
• /
• 2006

전력 공격은 암호화 연산 과정 중 발생하는 소비 전력의 파형을 측정하여 비밀 정보를 알아내는 공격 방식이다. 이러한 전력 공격에 대한 취약성을 막기 위하여 message blinding, exponent blinding과 같은 기법들이 적용되어 왔다. 본 고에서는 $ECC^{[1]}$암호화 연산 과정에서, r이 임의의 정수일 때, dP=(d-r)P+rP인 관계를 이용하는 exponent blinding기법$^{[2]}$에 대하여 언급하고, 위 기법을 전력 공격의 대응책으로 적용 시 적절히 구현되지 않으면 power attack에 대하여 매우 취약하다는 것을 보인다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.2
• /
• pp.261-270
• /
• 2015

In information security devices, such as Smart Cards, vulnerabilities of the RSA algorithm which is used to protect the data were found in the Side Channel Analysis. The RSA is especially vulnerable to Power Analysis which uses power consumption when the algorithm is working. Typically Power Analysis is divided into SPA(Simple Power Analysis) and DPA(Differential Power Analysis). On top of this, there is a CA(Collision Analysis) which is a very powerful attack. CA makes it possible to attack using a single waveform, even if the algorithm is designed to secure against SPA and DPA. So Message blinding, which applies the window method, was considered as a countermeasure. But, this method does not provide sufficient safety when the window size is small. Therefore, in this paper, we propose a new countermeasure that provides higher safety against CA. Our countermeasure is a combination of message and exponent blinding which is applied to the window method. In addition, through experiments, we have shown that our countermeasure provides approximately 124% higher attack complexity when the window size is small. Thus it can provide higher safety against CA.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.5
• /
• pp.985-991
• /
• 2015

The user's secret key can be retrieved by various side channel leakage informations occurred during the execution of cryptographic RSA exponentiation algorithm which is embedded on a security device. The collision-based power analysis attack known as a serious side channel threat can be accomplished by finding some collision pairs on a RSA power consumption trace. Recently, an RSA exponentiation algorithm was proposed as a countermeasure which is based on the window method adopted combination of message blinding and exponent splitting. In this paper, we show that this countermeasure provides approximately $2^{53}$ attack complexity, much lower than $2^{98}$ insisted in the original article, when the window size is two.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.26 no.2
• /
• pp.335-344
• /
• 2016

It is known that power analysis is one of the most powerful attack in side channel analysis. Among power analysis single trace attack is widely studied recently since it uses one power consumption trace to recover secret key of public cryptosystem. Recently Sim et al. proposed new exponentiation algorithm for RSA cryptosystem with higher attack complexity to prevent single trace attack. In this paper we analyze the vulnerability of exponentiation algorithm described by Sim et al. Sim et al. applied message blinding and random exponentiation splitting method on $2^t-ary$ for higher attack complexity. However we can reveal private key using information exposed during pre-computation generation. Also we describe modified algorithm that provides higher attack complexity on collision attack. Proposed algorithm minimized the reuse of value that are used during exponentiation to provide security under single collision attack.