Zero-value register attack on elliptic curve cryptosystem

Toru Akishita, Tsuyoshi Takagi

Research output: Contribution to journal

7 Citations (Scopus)

Abstract

Differential power analysis (DPA) might break implementations of elliptic curve cryptosystems (ECC) on memory-constrained devices. Goubin proposed a variant of DPA using a point (0, y), which is not randomized in Jacobian coordinates or in an isomorphic class. This point often exists in standardized elliptic curves, and we have to take care of this attack. In this paper, we propose the zero-value register attack as an extension of Goubin's attack. Note that even if a point has no zero-value coordinate, auxiliary registers might take a zero value. We investigate these zero-value registers that cannot be randomized by the above randomization. Indeed, we have found several points P = (x, y) which cause the zero-value registers, e.g., (1) $3x^2 + a = 0$, (2) $5x^4 + 2ax^2 - 4bx + a^2 = 0$, (3) P is a y-coordinate self-collision point, etc. We demonstrate the elliptic curves recommended in SECG that have these points. Interestingly, some conditions required for the zero-value register attack depend on the explicit implementation of the addition formulae - in order to resist this type of attack, we have to take care how we implement the addition formulae. Finally, we note that Goubin's attack and the proposed attack assume that a base point P can be chosen by attackers and a secret scalar d is fixed, so that they are not applicable to ECDSA.

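Original language: English
Pages (from-to): 132-139
Number of pages: 8
Journal: IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Volume: E88-A
Issue number: 1
DOI: 10.1093/ietfec/E88-A.1.132
Publication status: Published - 1 Jan 2005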

Fingerprint

Elliptic Curve Cryptosystem
Cryptography
Attack
Data storage equipment
Zero
Differential Power Analysis
Addition formula
P-point
Elliptic Curves
Randomisation
Resist
Collision
Isomorphic
Scalar

All Science Journal Classification (ASJC) codes

  • Signal Processing
  • Computer Graphics and Computer-Aided Design
  • Electrical and Electronic Engineering
  • Applied Mathematics

Cite this

Zero-value register attack on elliptic curve cryptosystem. / Akishita, Toru; Takagi, Tsuyoshi.

In: IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E88-A, No. 1, 01.01.2005, p. 132-139.

Research output: Contribution to journal

@article{d41f53df429f4dd7b791362bf7db52e9,
title = "Zero-value register attack on elliptic curve cryptosystem",
abstract = "Differential power analysis (DPA) might break implementations of elliptic curve cryptosystems (ECC) on memory-constrained devices. Goubin proposed a variant of DPA using a point (0, y), which is not randomized in Jacobian coordinates or in an isomorphic class. This point often exists in standardized elliptic curves, and we have to take care of this attack. In this paper, we propose the zero-value register attack as an extension of Goubin's attack. Note that even if a point has no zero-value coordinate, auxiliary registers might take a zero value. We investigate these zero-value registers that cannot be randomized by the above randomization. Indeed, we have found several points P = (x, y) which cause the zero-value registers, e.g., (1) $3x^2 + a = 0$, (2) $5x^4 + 2ax^2 - 4bx + a^2 = 0$, (3) P is a y-coordinate self-collision point, etc. We demonstrate the elliptic curves recommended in SECG that have these points. Interestingly, some conditions required for the zero-value register attack depend on the explicit implementation of the addition formulae - in order to resist this type of attack, we have to take care how we implement the addition formulae. Finally, we note that Goubin's attack and the proposed attack assume that a base point P can be chosen by attackers and a secret scalar d is fixed, so that they are not applicable to ECDSA.",
author = "Toru Akishita and Tsuyoshi Takagi",
year = "2005",
month = "1",
day = "1",
doi = "10.1093/ietfec/E88-A.1.132",
language = "English",
volume = "E88-A",
pages = "132--139",
journal = "IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences",
issn = "0916-8508",
publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
number = "1",

}

TY - JOUR

T1 - Zero-value register attack on elliptic curve cryptosystem

AU - Akishita, Toru

AU - Takagi, Tsuyoshi

PY - 2005/1/1

Y1 - 2005/1/1

N2 - Differential power analysis (DPA) might break implementations of elliptic curve cryptosystems (ECC) on memory-constrained devices. Goubin proposed a variant of DPA using a point (0, y), which is not randomized in Jacobian coordinates or in an isomorphic class. This point often exists in standardized elliptic curves, and we have to take care of this attack. In this paper, we propose the zero-value register attack as an extension of Goubin's attack. Note that even if a point has no zero-value coordinate, auxiliary registers might take a zero value. We investigate these zero-value registers that cannot be randomized by the above randomization. Indeed, we have found several points P = (x, y) which cause the zero-value registers, e.g., (1) $3x^2 + a = 0$, (2) $5x^4 + 2ax^2 - 4bx + a^2 = 0$, (3) P is a y-coordinate self-collision point, etc. We demonstrate the elliptic curves recommended in SECG that have these points. Interestingly, some conditions required for the zero-value register attack depend on the explicit implementation of the addition formulae - in order to resist this type of attack, we have to take care how we implement the addition formulae. Finally, we note that Goubin's attack and the proposed attack assume that a base point P can be chosen by attackers and a secret scalar d is fixed, so that they are not applicable to ECDSA.

AB - Differential power analysis (DPA) might break implementations of elliptic curve cryptosystems (ECC) on memory-constrained devices. Goubin proposed a variant of DPA using a point (0, y), which is not randomized in Jacobian coordinates or in an isomorphic class. This point often exists in standardized elliptic curves, and we have to take care of this attack. In this paper, we propose the zero-value register attack as an extension of Goubin's attack. Note that even if a point has no zero-value coordinate, auxiliary registers might take a zero value. We investigate these zero-value registers that cannot be randomized by the above randomization. Indeed, we have found several points P = (x, y) which cause the zero-value registers, e.g., (1) $3x^2 + a = 0$, (2) $5x^4 + 2ax^2 - 4bx + a^2 = 0$, (3) P is a y-coordinate self-collision point, etc. We demonstrate the elliptic curves recommended in SECG that have these points. Interestingly, some conditions required for the zero-value register attack depend on the explicit implementation of the addition formulae - in order to resist this type of attack, we have to take care how we implement the addition formulae. Finally, we note that Goubin's attack and the proposed attack assume that a base point P can be chosen by attackers and a secret scalar d is fixed, so that they are not applicable to ECDSA.

UR - http://www.scopus.com/inward/record.url?scp=27544441237&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=27544441237&partnerID=8YFLogxK

U2 - 10.1093/ietfec/E88-A.1.132

DO - 10.1093/ietfec/E88-A.1.132

M3 - Article

AN - SCOPUS:27544441237

VL - E88-A

SP - 132

EP - 139

JO - IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences

JF - IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences

SN - 0916-8508

IS - 1

ER -