On the importance of protecting Δ in SFLASH against side channel attacks

Katsuyuki Okeya, Tsuyoshi Takagi, Camille Vuillaume

Research output: Contribution to journal › Article

8 Citations (Scopus)

Abstract

SFLASH was chosen as one of the final selection of the NESSIE project in 2003. It is one of the most efficient digital signature schemes and is suitable for implementation on memory-constrained devices such as smartcards. Side channel attacks (SCA) are a serious threat to memory-constrained devices. If the implementation on them is careless, the secret key may be revealed. In this paper, we experimentally analyze the effectiveness of a side channel attack on SFLASH. There are two different secret keys for SFLASH, namely the proper secret key (s, t) and the random seed Δ used for the hash function SHA-1. Whereas many papers discussed the security of (s, t), little is known about that of Δ. Steinwandt et al. proposed a theoretical DPA for finding Δ by observing the XOR operations. We propose another DPA on Δ using the addition operation modulo 2^32, and present an experimental result of the DPA. After obtaining the secret key Δ, the underlying problem of SFLASH can be reduced to the C* problem broken by Patarin. From our simulation, about 1408 pairs of messages and signatures are needed to break SFLASH. Consequently, SHA-1 must be carefully implemented in order to resist SCA on SFLASH*.

Original language: English
Pages (from-to): 123-131
Number of pages: 9
Journal: IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Volume: E88-A
Issue number: 1
DOI: 10.1093/ietfec/E88-A.1.123
Publication status: Published - Jan 1 2005

Fingerprint

Side Channel Attacks
SHA-1
Data storage equipment
Electronic document identification systems
Hash functions
Seed
Digital Signature
Smart Card
Hash Function
Signature Scheme
Resist
Modulo
Signature
Side channel attack
Experimental Results
Simulation

All Science Journal Classification (ASJC) codes

  • Signal Processing
  • Computer Graphics and Computer-Aided Design
  • Electrical and Electronic Engineering
  • Applied Mathematics

Cite this

On the importance of protecting Δ in SFLASH against side channel attacks. / Okeya, Katsuyuki; Takagi, Tsuyoshi; Vuillaume, Camille.

In: IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E88-A, No. 1, 01.01.2005, p. 123-131.

@article{b309d9f6be9e419fb670f258d7d239f3,
title = "On the importance of protecting Δ in SFLASH against side channel attacks",
abstract = "SFLASH was chosen as one of the final selection of the NESSIE project in 2003. It is one of the most efficient digital signature schemes and is suitable for implementation on memory-constrained devices such as smartcards. Side channel attacks (SCA) are a serious threat to memory-constrained devices. If the implementation on them is careless, the secret key may be revealed. In this paper, we experimentally analyze the effectiveness of a side channel attack on SFLASH. There are two different secret keys for SFLASH, namely the proper secret key (s, t) and the random seed Δ used for the hash function SHA-1. Whereas many papers discussed the security of (s, t), little is known about that of Δ. Steinwandt et al. proposed a theoretical DPA for finding Δ by observing the XOR operations. We propose another DPA on Δ using the addition operation modulo $2^{32}$, and present an experimental result of the DPA. After obtaining the secret key Δ, the underlying problem of SFLASH can be reduced to the C* problem broken by Patarin. From our simulation, about 1408 pairs of messages and signatures are needed to break SFLASH. Consequently, SHA-1 must be carefully implemented in order to resist SCA on SFLASH*.",
author = "Katsuyuki Okeya and Tsuyoshi Takagi and Camille Vuillaume",
year = "2005",
month = "1",
day = "1",
doi = "10.1093/ietfec/E88-A.1.123",
language = "English",
volume = "E88-A",
pages = "123--131",
journal = "IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences",
issn = "0916-8508",
publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
number = "1",

}

TY - JOUR

T1 - On the importance of protecting Δ in SFLASH against side channel attacks

AU - Okeya, Katsuyuki

AU - Takagi, Tsuyoshi

AU - Vuillaume, Camille

PY - 2005/1/1

Y1 - 2005/1/1

AB - SFLASH was chosen as one of the final selection of the NESSIE project in 2003. It is one of the most efficient digital signature schemes and is suitable for implementation on memory-constrained devices such as smartcards. Side channel attacks (SCA) are a serious threat to memory-constrained devices. If the implementation on them is careless, the secret key may be revealed. In this paper, we experimentally analyze the effectiveness of a side channel attack on SFLASH. There are two different secret keys for SFLASH, namely the proper secret key (s, t) and the random seed Δ used for the hash function SHA-1. Whereas many papers discussed the security of (s, t), little is known about that of Δ. Steinwandt et al. proposed a theoretical DPA for finding Δ by observing the XOR operations. We propose another DPA on Δ using the addition operation modulo 2^32, and present an experimental result of the DPA. After obtaining the secret key Δ, the underlying problem of SFLASH can be reduced to the C* problem broken by Patarin. From our simulation, about 1408 pairs of messages and signatures are needed to break SFLASH. Consequently, SHA-1 must be carefully implemented in order to resist SCA on SFLASH*.

UR - http://www.scopus.com/inward/record.url?scp=27544510299&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=27544510299&partnerID=8YFLogxK

U2 - 10.1093/ietfec/E88-A.1.123

DO - 10.1093/ietfec/E88-A.1.123

M3 - Article

AN - SCOPUS:27544510299

VL - E88-A

SP - 123

EP - 131

JO - IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences

JF - IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences

SN - 0916-8508

IS - 1

ER -