
Graduate student: 王致尉 (Jhih-Wei Wang)
Thesis title: 公開金鑰系統之實體密碼分析研究 (The Research of Public-Key Cryptosystems Implementations against Physical Cryptanalysis)
Advisor: 顏嵩銘 (Sung-Ming Yen)
Oral defense committee:
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science & Information Engineering
Graduation academic year: 98 (ROC calendar, i.e. the 2009-2010 academic year)
Language: English
Pages: 70
Keywords (Chinese, translated): modular exponentiation, physical cryptanalysis, power analysis attack, safe-error attack, scalar multiplication, public-key cryptosystem
Keywords (English): public-key cryptosystem, modular exponentiation, scalar multiplication, physical cryptanalysis, safe-error attack, power analysis attack
Abstract (translated from the Chinese):
    Many cryptographic hardware devices, such as smart cards, are now in everyday use. Research in recent years has shown, however, that a carelessly implemented cryptosystem cannot withstand physical cryptanalysis. In public-key cryptosystems the exponentiation and scalar multiplication algorithms are the two main targets of physical cryptanalysis, and because modular exponentiation and scalar multiplication are the core operations of many public-key systems, whether these algorithms can be implemented to resist physical cryptanalysis has become a concern.
    In the first half of this thesis we show that the exponentiation countermeasure proposed by Joye in 2009 is vulnerable to a powerful power analysis attack, and we propose two more secure exponentiation countermeasures that remove this weakness of Joye's method; their performance is almost identical to Joye's.
    In the second half we analyze the security of the scalar multiplication countermeasure proposed by Zhang et al. in 2008. Because that countermeasure is vulnerable to the memory safe-error attack, we propose two efficient scalar multiplication countermeasures that resist several physical attacks, the memory safe-error attack among them. Rigorous security and performance analysis shows that both are more efficient and more secure than the countermeasure of Zhang et al.


Abstract (English):
    Nowadays many cryptographic hardware devices such as smart cards are widely used in our daily lives. However, recent developments in physical cryptanalysis show that a naive implementation of a cryptographic algorithm no longer provides security. In many public-key cryptosystems two operations are the main targets of physical attacks: the modular exponentiation and the scalar multiplication algorithms. Since both are the core operations of various public-key cryptosystems, much attention has recently been paid to the security of these algorithms against physical cryptanalysis.
    In the first half of this thesis we first introduce Joye's downward m-ary exponentiation countermeasure [23] and then show that it is still vulnerable to a powerful power analysis attack. We then propose two more secure exponentiation countermeasures that eliminate this weakness; the performance of both is almost the same as Joye's.
    In the second half of this thesis we analyze the vulnerability of Zhang et al.'s scalar multiplication countermeasure [55] to the memory safe-error attack. Two better countermeasures against physical attacks, the memory safe-error attack included, are then proposed. Compared with Zhang et al.'s countermeasure, both achieve higher security and better performance.
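The abstract only names the attack classes the thesis builds on. The simulation below is an added example, not code from the thesis or its author: it shows on toy parameters why a naive square-and-multiply leaks the exponent to simple power analysis, why the usual "always multiply" fix falls to the computational safe-error attack of Yen and Joye [50], and why the Montgomery powering ladder of Joye and Yen [26] does not, because it has no dummy operation whose result can be discarded. The modulus N = 221, base X = 5 and exponent D = 45 are constructed for the example, and the fault model (the product of one chosen multiplication is off by one) is a simplification of a real glitch.

```python
"""Added illustration of SPA, the computational safe-error attack (C-SEA) and
the Montgomery powering ladder on constructed toy parameters."""

N = 221            # constructed toy modulus (13 * 17); RSA sizes behave the same
X = 5              # constructed base
D = 0b101101       # the secret exponent (45) that each attack tries to recover


def square_and_multiply(x, d, n, trace=None):
    """Naive left-to-right binary exponentiation. A 1 bit costs a square and a
    multiply, a 0 bit only a square; that S/M sequence is what SPA observes."""
    r = 1
    for bit in bin(d)[2:]:
        r = r * r % n
        if trace is not None:
            trace.append("S")
        if bit == "1":
            r = r * x % n
            if trace is not None:
                trace.append("M")
    return r


def spa_recover(trace):
    """Read the exponent straight off an S/M trace: every S starts a new bit,
    and an M right after it turns that bit into a 1."""
    bits = []
    for op in trace:
        if op == "S":
            bits.append("0")
        else:
            bits[-1] = "1"
    return int("".join(bits), 2)


def square_and_multiply_always(x, d, n, fault_at=None):
    """SPA countermeasure: multiply on every bit and discard the product when the
    bit is 0. fault_at selects the iteration whose product is corrupted."""
    r = 1
    for i, bit in enumerate(bin(d)[2:]):
        r = r * r % n
        t = r * x % n
        if i == fault_at:
            t = (t + 1) % n     # transient fault in the multiplier's result
        if bit == "1":
            r = t               # for a 0 bit the faulty t is simply dropped
    return r


def montgomery_ladder(x, d, n, fault_at=None):
    """Montgomery powering ladder with the same fault model applied to the
    product r0*r1. Both registers are rewritten every iteration (invariant
    r1 == r0*x), so a corrupted product is always consumed by a later step.
    Caveat: in the very last iteration with a 0 bit the corrupted r1 is never
    read again; an RSA private exponent is odd, so that bit is always 1."""
    r0, r1 = 1, x % n
    for i, bit in enumerate(bin(d)[2:]):
        prod = r0 * r1 % n
        if i == fault_at:
            prod = (prod + 1) % n
        if bit == "1":
            r0, r1 = prod, r1 * r1 % n
        else:
            r0, r1 = r0 * r0 % n, prod
    return r0


def c_safe_error_attack(exp, nbits):
    """C-SEA: fault the multiply of each iteration in turn and compare with the
    fault-free output. An unchanged output means the multiply was a dummy, so
    the bit is guessed as 0. `exp(fault_at)` runs the device once."""
    reference = exp(None)
    guess = ""
    for i in range(nbits):
        guess += "0" if exp(i) == reference else "1"
    return int(guess, 2)


def demo():
    """Returns (SPA result, C-SEA result on square-and-multiply-always,
    C-SEA result on the Montgomery ladder)."""
    trace = []
    square_and_multiply(X, D, N, trace)
    spa = spa_recover(trace)
    sma = c_safe_error_attack(lambda f: square_and_multiply_always(X, D, N, f), D.bit_length())
    lad = c_safe_error_attack(lambda f: montgomery_ladder(X, D, N, f), D.bit_length())
    return spa, sma, lad


if __name__ == "__main__":
    spa, sma, lad = demo()
    print(f"secret exponent                     {D:#b}")
    print(f"SPA on square-and-multiply          {spa:#b}")
    print(f"C-SEA on square-and-multiply-always {sma:#b}")
    print(f"C-SEA on Montgomery ladder          {lad:#b}  (every fault propagates)")
```

With these parameters the trace attack and the safe-error attack on the "always multiply" variant both return the exponent 0b101101, whereas against the ladder every injected fault changes the output, so the oracle reads all ones and learns nothing. The same reasoning (does a faulted intermediate reach the output or not) is what the memory safe-error attack applies to a stored register instead of a computed product.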

Table of contents:
    1 Introduction
        1.1 Motivation
        1.2 Overview of the Thesis
    2 Review of Physical Cryptanalysis against Modular Exponentiation
        2.1 Exponentiation Algorithms
        2.2 Simple Power Analysis (SPA)
        2.3 Computational Safe-error Attack (C-SEA)
        2.4 Doubling Attack (DA)
        2.5 Montgomery Ladder Algorithm
        2.6 Relative Doubling Attack (RDA)
    3 Regular Downward m-ary Exponentiation Countermeasures
        3.1 Motivation
        3.2 Joye's Downward m-ary Exponentiation Algorithm
        3.3 Security Weakness of Joye's Countermeasure
        3.4 Improvement on Joye's Method
        3.5 Security Analysis of the Proposed Countermeasures
        3.6 Performance Analysis of the Proposed Countermeasures
        3.7 Summary
    4 Review of Physical Cryptanalysis against Scalar Multiplication
        4.1 Scalar Multiplication Algorithms
        4.2 Memory Safe-error Attack (M-SEA)
        4.3 Differential Power Analysis (DPA)
        4.4 Possible DPA Countermeasures
        4.5 Refined Power Analysis (RPA) and Zero-Value Point Attack (ZPA)
        4.6 BRIP Countermeasure
    5 Efficient Upward Window-Based Scalar Multiplication Algorithms
        5.1 Motivation
        5.2 Zhang et al.'s Upward Window-Based Countermeasure
        5.3 Memory Safe-error Attack to Zhang et al.'s Method
        5.4 The Proposed Countermeasures
        5.5 Security Analysis of the Proposed Countermeasures
        5.6 Performance Analysis of the Proposed Countermeasures
        5.7 Summary
    6 Conclusions
        6.1 Brief Review of the Main Contributions
        6.2 Further Research Topics and Directions

References:
    [1] ANSI X9.62, “Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA),” 1999.
    [2] T. Akishita and T. Takagi, “Zero-Value Point Attacks on Elliptic Curve Cryptosystem,” Proc. of ISC 2003, LNCS vol. 2851, pp. 218-233, 2003.
    [3] D. Boneh, G. Durfee, and Y. Frankel, “An Attack on RSA Given a Small Fraction of the Private Key Bits,” Proc. of ASIACRYPT 1998, LNCS vol. 1514, pp. 25-34, 1998.
    [4] J. Blömer and A. May, “New Partial Key Exposure Attacks on RSA,” Proc. of CRYPTO 2003, LNCS vol. 2729, pp. 27-43, 2003.
    [5] M. Bellare and P. Rogaway, “Optimal Asymmetric Encryption Padding - How to Encrypt with RSA,” Proc. of EUROCRYPT 1994, LNCS vol. 950, pp. 92-111, 1995.
    [6] D. Chaum, “Security without Identification: Transaction Systems to Make Big Brother Obsolete,” Communications of the ACM, vol. 28, no. 10, pp. 1030-1044, 1985.
    [7] J. S. Coron, “Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems,” Proc. of CHES 1999, LNCS vol. 1717, pp. 292-301, 1999.
    [8] B. Chevallier-Mames, M. Ciet, and M. Joye, “Low-Cost Solutions for Preventing Simple Side-Channel Analysis: Side-Channel Atomicity,” IEEE Trans. on Computers, vol. 53, no. 6, pp. 760-768, 2004.
    [9] C. Clavier and M. Joye, “Universal Exponentiation Algorithm - A First Step toward Provable SPA-resistance,” Proc. of CHES 2001, LNCS vol. 2162, pp. 300-308, 2001.
    [10] C. Clavier and M. Joye, “(Virtually) Free Randomization Technique for Elliptic Curve Cryptography,” Proc. of ICICS 2003, LNCS vol. 2836, pp. 348-359, 2003.
    [11] B. Chevallier-Mames, “Self-Randomized Exponentiation Algorithms,” Proc. of CT-RSA 2004, LNCS vol. 2964, pp. 236-249, 2004.
    [12] W. Diffie and M. E. Hellman, “Multiuser Cryptographic Techniques,” Proc. of AFIPS 1976, vol. 45, pp. 109-112, 1976.
    [13] T. ElGamal, “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms,” IEEE Trans. Inf. Theory, vol. 31, no. 4, pp. 469-472, 1985.
    [14] P. A. Fouque and F. Valette, “The Doubling Attack - Why Upwards Is Better than Downwards,” Proc. of CHES 2003, LNCS vol. 2779, pp. 269-280, 2003.
    [15] M. Feng, B. B. Zhu, C. Zhao, and S. Li, “Signed MSB-Set Comb Method for Elliptic Curve Point Multiplication,” Proc. of ISPEC 2006, LNCS vol. 3903, pp. 13-24, 2006.
    [16] L. Goubin, “A Refined Power-Analysis Attack on Elliptic Curve Cryptosystems,” Proc. of PKC 2003, LNCS vol. 2567, pp. 192-211, 2003.
    [17] J. C. Ha and S. J. Moon, “Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks,” Proc. of CHES 2002, LNCS vol. 2523, pp. 551-563, 2003.
    [18] M. Hedabou, P. Pinel, and L. Beneteau, “Countermeasures for Preventing Comb Method Against SCA Attacks,” Proc. of ISPEC 2005, LNCS vol. 3439, pp. 85-96, 2005.
    [19] J. Ha, J. Park, S. Moon, and S. M. Yen, “Provably Secure Countermeasure Resistant to Several Types of Power Attack for ECC,” Proc. of WISA 2007, LNCS vol. 4867, pp. 333-344, 2007.
    [20] ISO/IEC 15946-4, “Information technology - Security techniques - Cryptographic techniques based on elliptic curves - Part 4: Digital signatures giving message recovery,” Working Draft, JTC 1/SC 27, December 28th, 2001.
    [21] K. Itoh, T. Izu, and M. Takenaka, “Efficient Countermeasures against Power Analysis for Elliptic Curve Cryptosystems,” CARDIS-WCC 2004, 2004.
    [22] K. Itoh, J. Yajima, M. Takenaka, and N. Torii, “DPA Countermeasures by Improving the Window Method,” Proc. of CHES 2002, LNCS vol. 2523, pp. 303-317, 2002.
    [23] M. Joye, “Highly Regular m-ary Powering Ladders,” Proc. of SAC 2009, LNCS vol. 5867, pp. 350-363, 2009.
    [24] A. Jurisic and A. J. Menezes, “Elliptic Curves and Cryptography,” Dr. Dobb’s Journal, pp. 23-36, 1997.
    [25] M. Joye and C. Tymen, “Protections against Differential Analysis for Elliptic Curve Cryptosystem,” Proc. of CHES 2001, LNCS vol. 2162, pp. 377-390, 2001.
    [26] M. Joye and S. M. Yen, “The Montgomery Powering Ladder,” Proc. of CHES 2002, LNCS vol. 2523, pp. 291-301, 2003.
    [27] N. Koblitz, “Elliptic Curve Cryptosystems,” Mathematics of Computation, vol. 48, pp. 203-209, 1987.
    [28] P. Kocher, “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,” Proc. of CRYPTO 1996, LNCS vol. 1109, pp. 104-113, 1996.
    [29] C. K. Kim, J. C. Ha, S. J. Moon, S. M. Yen, W. C. Lien, and S. H. Kim, “An Improved and Efficient Countermeasure Against Power Analysis Attacks,” Cryptology ePrint Archive, Report 2005/022, 2005.
    [30] P. Kocher, J. Jaffe, and B. Jun, “Differential Power Analysis,” Proc. of CRYPTO 1999, LNCS vol. 1666, pp. 388-397, 1999.
    [31] H. Kim, T. H. Kim, J. C. Ryoo, D. G. Han, H. W. Kim, and J. Lim, “Enhanced Doubling Attacks on Signed-All-Bits Recoding,” Proc. of WISTP 2007, LNCS vol. 4462, pp. 39-52, 2007.
    [32] C. H. Kim and J. J. Quisquater, “Method for Detecting Vulnerability to Doubling Attacks,” Proc. of ICICS 2008, LNCS vol. 5308, pp. 97-110, 2008.
    [33] V. Miller, “Use of Elliptic Curves in Cryptography,” Proc. of CRYPTO 1985, LNCS vol. 218, pp. 417-426, 1986.
    [34] P. L. Montgomery, “Speeding the Pollard and Elliptic Curve Methods of Factorization,” Mathematics of Computation, vol. 48, pp. 243-264, 1987.
    [35] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, “Power Analysis Attacks of Modular Exponentiation in Smartcards,” Proc. of CHES 1999, LNCS vol. 1717, pp. 144-157, 1999.
    [36] H. Mamiya, A. Miyaji, and H. Morimoto, “Efficient Countermeasures Against RPA, DPA, and SPA,” Proc. of CHES 2004, LNCS vol. 3156, pp. 343-356, 2004.
    [37] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, “Handbook of Applied Cryptography,” CRC Press, Boca Raton, 1997.
    [38] NIST, “Recommended Elliptic Curves for Federal Government Use,” appendix of FIPS 186-2, available from http://csrc.nist.gov/publications/fips/fips186-2/fips186-2.pdf
    [39] NIST, “Digital Signature Standard (DSS),” Federal Information Processing Standards Publication 186-2, February 2000.
    [40] E. Oswald and K. Aigner, “Randomized Addition-Subtraction Chains as a Countermeasure against Power Attacks,” Proc. of CHES 2001, LNCS vol. 2162, pp. 39-50, 2001.
    [41] K. Okeya and T. Takagi, “A More Flexible Countermeasure Against Side Channel Attacks Using Window Method,” Proc. of CHES 2003, LNCS vol. 2779, pp. 397-410, 2003.
    [42] K. Okeya and T. Takagi, “The Width-w NAF Method Provides Small Memory and Fast Elliptic Scalar Multiplications Secure Against Side Channel Attacks,” Proc. of CT-RSA 2003, LNCS vol. 2612, pp. 328-342, 2003.
    [43] PKCS #1 v2.1, “RSA Cryptography Standard,” 5 January 2001, available from http://www.rsasecurity.com/rsalabs/pkcs/
    [44] R. L. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Commun. of the ACM, vol. 21, no. 2, pp. 120-126, 1978.
    [45] Standards for Efficient Cryptography Group (SECG), “Standards for Efficient Cryptography,” Ver. 1.0, 2000, available from http://www.secg.org/secgdocs.htm
    [46] N. P. Smart, “An Analysis of Goubin’s Refined Power Analysis Attack,” Proc. of CHES 2003, LNCS vol. 2779, pp. 281-290, 2003.
    [47] Wireless Application Protocol (WAP) Forum, “Wireless Transport Layer Security (WTLS) Specification,” available from http://www.wapforum.org/
    [48] C. D. Walter, “An Efficient Randomized Exponentiation Algorithm for Resisting Power Analysis,” Proc. of CT-RSA 2002, LNCS vol. 2271, pp. 53-66, 2002.
    [49] S. M. Yen, C. N. Chen, S. J. Moon, and J. C. Ha, “Improvement on Ha-Moon Randomized Exponentiation Algorithm,” Proc. of ICISC 2004, LNCS vol. 3506, pp. 154-167, 2005.
    [50] S. M. Yen and M. Joye, “Checking Before Output May Not Be Enough Against Fault-Based Cryptanalysis,” IEEE Trans. on Computers, vol. 49, no. 9, pp. 967-970, 2000.
    [51] S. M. Yen, S. Kim, S. Lim, and S. Moon, “A Countermeasure Against One Physical Cryptanalysis May Benefit Another Attack,” Proc. of ICICS 2001, LNCS vol. 2288, pp. 414-427, 2001.
    [52] S. M. Yen, L. C. Ko, S. Moon, and J. Ha, “Relative Doubling Attack Against Montgomery Ladder,” Proc. of ICISC 2005, LNCS vol. 3935, pp. 117-128, 2006.
    [53] S. M. Yen and C. S. Laih, “Fast Algorithms for LUC Digital Signature Computation,” IEE Proceedings: Computers and Digital Techniques, vol. 142, no. 2, pp. 165-169, 1995.
    [54] S. M. Yen, W. C. Lien, S. Moon, and J. Ha, “Power Analysis by Exploiting Chosen Message and Internal Collisions - Vulnerability of Checking Mechanism for RSA-Decryption,” Proc. of Mycrypt 2005, LNCS vol. 3715, pp. 183-195, 2005.
    [55] F. Zhang and Z. J. Shi, “An Efficient Window-Based Countermeasure to Power Analysis of ECC Algorithms,” Proc. of ITNG 2008, pp. 120-126, 2008.
