Modified Doubling Attack by Exploiting Chosen Ciphertext of Small Order

Yen, Sung-Ming; Lien, Wei-Chih; Chen, Chien-Ning

doi:10.1587/transfun.e94.a.1981

Cited by 3 publications

(3 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Some collision attacks using chosen-plaintext [16][17][18][19] cannot be exploited to attack ECDSA (Elliptic Curve Digital Signature Algorithm) [20] using typical DPA countermeasures. However, in the case of our attacks, an adversary does not need to know the plaintext.…”

Section: Contributionmentioning

confidence: 99%

See 1 more Smart Citation

Exploiting Collisions in Addition Chain-Based Exponentiation Algorithms Using a Single Trace

Hanley

Kim

Tunstall³

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Public key cryptographic algorithms are typically based on group exponentiation algorithms where the exponent is private. A collision attack is typically where an adversary seeks to determine whether two operations in an exponentiation have the same input. In this paper we extend this to an adversary who seeks to determine whether the output of one operation is used as the input to another. We describe implementations of these attacks to a 192-bit scalar multiplication over an elliptic curve that only require a single power consumption trace to succeed with a high probability. Moreover, our attacks do not require any knowledge of the input to the exponentiation algorithm. These attacks would therefore be applicable to algorithms such as EC-DSA, where an exponent is ephemeral, or to implementations where an exponent is blinded. Moreover, we define attacks against exponentiation algorithms that are considered to be resistant to collision attacks and prove that collision attacks are applicable to all addition chain-based exponentiation algorithms. Hence, we demonstrate that a side-channel resistant implementation of a group exponentiation algorithm will require countermeasures that introduce enough noise such that an attack is not practical.

show abstract

Section: Contributionmentioning

confidence: 99%

“…In addition, Homma et al demonstrated the effectiveness of their attacks on a PowerPC processor and a FPGA. Some further extensions have recently been proposed by Yen et al [19] who provide some simulated results of their atacks.…”

Section: Previous Workmentioning

confidence: 99%

Exploiting Collisions in Addition Chain-Based Exponentiation Algorithms Using a Single Trace

Hanley

Kim

Tunstall³

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…If the divisions are evaluated during the computation and the power consumption trace of divisions can be recognized, the SM patterns S, SM, and SMM can be determined by the number of squarings/multiplications between two divisions. In addition, some special chosen messages will cause revelation of computational sequence [11], e.g., −1 ≡ n − 1 (mod n) and faulty elliptic curve points of small orders [12]. If the exponent is an odd integer and the input message (base number) is −1, referring to Fig.…”

Section: Definition 3 Let Q Imentioning

confidence: 99%

SPA on MIST Exponentiation Algorithm with Multiple Computational Sequences

Chen

Yen

2013

Security Engineering and Intelligence Informatics

Self Cite

View full text Add to dashboard Cite

Abstract. The MIST algorithm is a randomized version of the division chain exponentiation algorithm and is a side-channel countermeasure. When analyzing the MIST algorithm by ordinary simple power analysis (with only one square-multiply sequence obtained), an attacker cannot retrieve the secret exponent due to the ambiguous relationship between the square-multiply sequence and the computation. We point out the MIST algorithm is still vulnerable to simple power analysis observing multiple power consumption traces and propose a practical method with detailed steps to deduce the secret exponent from multiple squaremultiply sequences. Further countermeasures such as exponent blinding are required to prevent the analysis proposed in this paper.

show abstract

Collision Based Attacks in Practice

Diop¹,

Liardet²,

Linge³

et al. 2015

2015 Euromicro Conference on Digital System Design

View full text Add to dashboard Cite

Chosen-Message Simple Power Analysis, also called Collision Based Attacks (CBA), have been proposed by Fouque, Yen and Homma. These attacks aim at inducing and detecting collisions during modular operations. However, detecting collisions is a challenging task in real environments. Doing it in an automated manner is even more challenging. In this paper, we propose and compare some methods and criteria allowing to automatically (without any visual inspection) detect the occurrence of collisions in leakage traces acquired on modern (and thus noisy) circuits.

show abstract

Modified Doubling Attack by Exploiting Chosen Ciphertext of Small Order

Cited by 3 publications

References 26 publications

Exploiting Collisions in Addition Chain-Based Exponentiation Algorithms Using a Single Trace

Exploiting Collisions in Addition Chain-Based Exponentiation Algorithms Using a Single Trace

SPA on MIST Exponentiation Algorithm with Multiple Computational Sequences

Collision Based Attacks in Practice

Contact Info

Product

Resources

About