Further security analysis of XTR

Dong Guk Han, Tsuyoshi Takagi, Jongin Lim

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

In Crypto 2000 and 2003, Lenstra-Verheul and Rubin-Silverberg proposed XTR public key system and torus based public key cryptosystem CEILIDH, respectively. The common main idea of XTR and CEILIDH is to shorten the bandwidth of transmission data. Due to the contribution of Granger et al., that is the comparison result of the performance of CEILIDH and XTR, XTR is an excellent alternative to either RSA or ECC in some applications, where computational power and memory capacity are both very limited, such as smart-cards. Among the family of XTR algorithm, Improved XTR Single Exponentiation (XTR-ISE) is the most efficient one, which computes single exponentiation. However, there are few papers investigating the side channel attacks of XTR-ISE, even though the memory constraint devices suffer most from vulnerability to side channel attacks. Chung-Hasan and Page-Stam tried to analyze XTR-ISE with the known simple power analysis, but unfortunately their approach were not practically feasible. Recently, Han et al. proposed new collision attack on it with analysis complexity O(240) when the key size is 160-bit. In this paper we analyze XTR-ISE from other point of view, namely differential power analysis (DPA). One straightforward result is that XTR-ISE can be free from the original DPA. However, a non-trivial result is that an enhancing DPA proposed in this paper threatens XTR-ISE. Furthermore, we show several weak points of the structure of XTR-ISE. From our simulation results, we show the proposed attack requires about 584 times queries to DPA_Oracle to detect the whole 160-bit secret value. This result shows that XTR-ISE is vulnerable to the proposed enhancing DPA.

Original languageEnglish
Title of host publicationInformation Security Practice and Experience - Second International Conference, ISPEC 2006, Proceedings
Pages33-44
Number of pages12
DOIs
Publication statusPublished - Jul 10 2006
Event2nd International Conference on Information Security Practice and Experience, ISPEC 2006 - Hangzhou, China
Duration: Apr 11 2006Apr 14 2006

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume3903 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Other

Other2nd International Conference on Information Security Practice and Experience, ISPEC 2006
CountryChina
CityHangzhou
Period4/11/064/14/06

Fingerprint

Exponentiation
Security Analysis
Differential Power Analysis
Side Channel Attacks
Data storage equipment
Smart cards
Collision Attack
Public-key Cryptosystem
Power Analysis
Smart Card
Complexity Analysis
Comparison Result
Public key
Data communication systems
Cryptography
Data Transmission
Vulnerability
Torus
Bandwidth
Attack

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Han, D. G., Takagi, T., & Lim, J. (2006). Further security analysis of XTR. In Information Security Practice and Experience - Second International Conference, ISPEC 2006, Proceedings (pp. 33-44). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 3903 LNCS). https://doi.org/10.1007/11689522_4

Further security analysis of XTR. / Han, Dong Guk; Takagi, Tsuyoshi; Lim, Jongin.

Information Security Practice and Experience - Second International Conference, ISPEC 2006, Proceedings. 2006. p. 33-44 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 3903 LNCS).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Han, DG, Takagi, T & Lim, J 2006, Further security analysis of XTR. in Information Security Practice and Experience - Second International Conference, ISPEC 2006, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 3903 LNCS, pp. 33-44, 2nd International Conference on Information Security Practice and Experience, ISPEC 2006, Hangzhou, China, 4/11/06. https://doi.org/10.1007/11689522_4
Han DG, Takagi T, Lim J. Further security analysis of XTR. In Information Security Practice and Experience - Second International Conference, ISPEC 2006, Proceedings. 2006. p. 33-44. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/11689522_4
Han, Dong Guk ; Takagi, Tsuyoshi ; Lim, Jongin. / Further security analysis of XTR. Information Security Practice and Experience - Second International Conference, ISPEC 2006, Proceedings. 2006. pp. 33-44 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{ca2d89933fe84a46bd8574d9fc9edc8b,
title = "Further security analysis of XTR",
abstract = "In Crypto 2000 and 2003, Lenstra-Verheul and Rubin-Silverberg proposed XTR public key system and torus based public key cryptosystem CEILIDH, respectively. The common main idea of XTR and CEILIDH is to shorten the bandwidth of transmission data. Due to the contribution of Granger et al., that is the comparison result of the performance of CEILIDH and XTR, XTR is an excellent alternative to either RSA or ECC in some applications, where computational power and memory capacity are both very limited, such as smart-cards. Among the family of XTR algorithm, Improved XTR Single Exponentiation (XTR-ISE) is the most efficient one, which computes single exponentiation. However, there are few papers investigating the side channel attacks of XTR-ISE, even though the memory constraint devices suffer most from vulnerability to side channel attacks. Chung-Hasan and Page-Stam tried to analyze XTR-ISE with the known simple power analysis, but unfortunately their approach were not practically feasible. Recently, Han et al. proposed new collision attack on it with analysis complexity O(240) when the key size is 160-bit. In this paper we analyze XTR-ISE from other point of view, namely differential power analysis (DPA). One straightforward result is that XTR-ISE can be free from the original DPA. However, a non-trivial result is that an enhancing DPA proposed in this paper threatens XTR-ISE. Furthermore, we show several weak points of the structure of XTR-ISE. From our simulation results, we show the proposed attack requires about 584 times queries to DPA_Oracle to detect the whole 160-bit secret value. This result shows that XTR-ISE is vulnerable to the proposed enhancing DPA.",
author = "Han, {Dong Guk} and Tsuyoshi Takagi and Jongin Lim",
year = "2006",
month = "7",
day = "10",
doi = "10.1007/11689522_4",
language = "English",
isbn = "3540330526",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "33--44",
booktitle = "Information Security Practice and Experience - Second International Conference, ISPEC 2006, Proceedings",

}

TY - GEN

T1 - Further security analysis of XTR

AU - Han, Dong Guk

AU - Takagi, Tsuyoshi

AU - Lim, Jongin

PY - 2006/7/10

Y1 - 2006/7/10

N2 - In Crypto 2000 and 2003, Lenstra-Verheul and Rubin-Silverberg proposed XTR public key system and torus based public key cryptosystem CEILIDH, respectively. The common main idea of XTR and CEILIDH is to shorten the bandwidth of transmission data. Due to the contribution of Granger et al., that is the comparison result of the performance of CEILIDH and XTR, XTR is an excellent alternative to either RSA or ECC in some applications, where computational power and memory capacity are both very limited, such as smart-cards. Among the family of XTR algorithm, Improved XTR Single Exponentiation (XTR-ISE) is the most efficient one, which computes single exponentiation. However, there are few papers investigating the side channel attacks of XTR-ISE, even though the memory constraint devices suffer most from vulnerability to side channel attacks. Chung-Hasan and Page-Stam tried to analyze XTR-ISE with the known simple power analysis, but unfortunately their approach were not practically feasible. Recently, Han et al. proposed new collision attack on it with analysis complexity O(240) when the key size is 160-bit. In this paper we analyze XTR-ISE from other point of view, namely differential power analysis (DPA). One straightforward result is that XTR-ISE can be free from the original DPA. However, a non-trivial result is that an enhancing DPA proposed in this paper threatens XTR-ISE. Furthermore, we show several weak points of the structure of XTR-ISE. From our simulation results, we show the proposed attack requires about 584 times queries to DPA_Oracle to detect the whole 160-bit secret value. This result shows that XTR-ISE is vulnerable to the proposed enhancing DPA.

AB - In Crypto 2000 and 2003, Lenstra-Verheul and Rubin-Silverberg proposed XTR public key system and torus based public key cryptosystem CEILIDH, respectively. The common main idea of XTR and CEILIDH is to shorten the bandwidth of transmission data. Due to the contribution of Granger et al., that is the comparison result of the performance of CEILIDH and XTR, XTR is an excellent alternative to either RSA or ECC in some applications, where computational power and memory capacity are both very limited, such as smart-cards. Among the family of XTR algorithm, Improved XTR Single Exponentiation (XTR-ISE) is the most efficient one, which computes single exponentiation. However, there are few papers investigating the side channel attacks of XTR-ISE, even though the memory constraint devices suffer most from vulnerability to side channel attacks. Chung-Hasan and Page-Stam tried to analyze XTR-ISE with the known simple power analysis, but unfortunately their approach were not practically feasible. Recently, Han et al. proposed new collision attack on it with analysis complexity O(240) when the key size is 160-bit. In this paper we analyze XTR-ISE from other point of view, namely differential power analysis (DPA). One straightforward result is that XTR-ISE can be free from the original DPA. However, a non-trivial result is that an enhancing DPA proposed in this paper threatens XTR-ISE. Furthermore, we show several weak points of the structure of XTR-ISE. From our simulation results, we show the proposed attack requires about 584 times queries to DPA_Oracle to detect the whole 160-bit secret value. This result shows that XTR-ISE is vulnerable to the proposed enhancing DPA.

UR - http://www.scopus.com/inward/record.url?scp=33745620716&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33745620716&partnerID=8YFLogxK

U2 - 10.1007/11689522_4

DO - 10.1007/11689522_4

M3 - Conference contribution

AN - SCOPUS:33745620716

SN - 3540330526

SN - 9783540330523

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 33

EP - 44

BT - Information Security Practice and Experience - Second International Conference, ISPEC 2006, Proceedings

ER -