The present invention relates generally to the field of cryptography, and more particularly to tamper-proof encryption/decryption with provisions for preventing power analysis attacks, such as SPA, DPA and RPA, in a processor for elliptic curve cryptosystem.
Services provided over networks are spreading widely, as exemplified by the electronic payment over the network, and the Japanese Resident Registration Network. These services use encryption for information security.
The smart card that contains an IC chip for storing user's secret information is expected to spread widely as a user device in such services. The smart card has the functions of encryption, digital signature and authentication, and uses its secret information as a key. Since such secret information is stored in the IC chip memory, the smart card achieves significantly high security or tamper resistance against unauthorized access by a third party, in comparison with a magnetic card.
The public key cryptosystem uses different keys for decryption and encryption, respectively. Typically, a plaintext is encrypted with a public key, and a ciphertext is decrypted with a private or secret key, to thereby provide secure transmission of the ciphertext. In addition, the plaintext may be encrypted with a private key, and the ciphertext may be decrypted with a public key, to thereby identify the user who has encrypted the plaintext, for digital signature and authentication. In the public key cryptosystem, no secret key is required to be shared by the transmitter and the receiver, but its amount of computation is much larger than that of the common key cryptosystem. The public key cryptosystem includes the RSA encryption and the elliptic curve encryption.
The RSA encryption is based on modular exponentiation expressed by z=a^x (mod n). The cryptographic function based on the RSA encryption is related to encryption, decryption, signature generation, and signature verification. In the decryption and signature generation, user's secret information is used as a private key. The modular exponentiation generates output data v that satisfies v=a^d (mod n), where a denotes input data, mod n denotes modulo n for the remainder, and d denotes a private key.
The elliptic curve encryption is based on elliptic point scalar multiplication. The elliptic point scalar multiplication generates a point V that satisfies V=dA for a scalar value d and a point A on an elliptic curve. The cryptographic function based on the elliptic curve encryption is related to ECES encryption/decryption, ECDSA signature generation/signature verification, and ECDH secret key sharing. In the processing of ECES decryption, ECDSA signature generation, and ECDH secret key sharing, user's secret information is used as a private key. For example, in the processing for the shared ECDH secret key, the elliptic point scalar multiplication expressed by V=dA is performed to determine an elliptic point V expressing a shared secret value, where A denotes the point of a public key paired with the shared secret key, and d denotes the scalar value of the private key.
The modular multiplication c=a×b (mod n), the modular squaring c=a^2 (mod n), and the modular exponentiation C=a^x (mod n) in the RSA encryption correspond to the elliptic point addition C=A+B, the elliptic point doubling C=2A, and the elliptic point scalar multiplication C=d×A in the elliptic curve encryption, respectively.
Analysis for decryption or tampering is attempted by guessing secret information, including the secret key, from available information such as ciphertext. The power analysis attack, which is one form of such analysis, was devised in 1998 by Paul Kocher.
The power analysis attack is described in P. Kocher, J. Jaffe and B. Jun, “Differential Power Analysis”, Crypto '99, LNCS 1666, pp. 388-397, Springer-Verlag, 1999.
In this power analysis attack, different pieces of input data are provided to the encryption processor included in an encryption device, such as a smart card. During this process, changes in power dissipation over time are measured using an oscilloscope or the like, for example, as shown in
The power analysis attacks include simple power analysis (SPA) and differential power analysis (DPA). The SPA guesses the secret key from the characteristic of a single power dissipation curve taken from the encryption processor. The DPA guesses the secret key by analyzing the differences between many different power dissipation curves (hereinafter referred to as the power difference curves). Generally, the DPA is more powerful than the SPA.
The requirements of protection against the power analysis attack are described in different international standards. For example, in the protection profile (PP) for the smart card in accordance with the International Standard ISO 15408 related to security, a countermeasure against the power analysis attack is mandatory. On the other hand, the U.S. Standard FIPS 140-2 related to encryption modules currently contains only a comment on the need for a countermeasure against the power analysis attack. However, such a countermeasure will become mandatory in the future.
Different countermeasures have been developed for preventing the power analysis attacks SPA and DPA on the RSA and the elliptic curve encryption. However, a refined power analysis (RPA) attack has been released in L. Goubin, “A Refined Power-Analysis Attack on Elliptic Curve Crypto-systems”, PKC 2003, LNCS 2567, Springer-Verlag, 2003. This attack is effective against some public key cryptosystem implementations that include a countermeasure against the power analysis attack on elliptic curve encryption.
Next, technical terms used in elliptic curve encryption are described below. See the Standard IEEE P1363/D13 (Draft Version 13, Nov. 12, 1999) main document, Standard Specifications for Public Key Cryptography, http://grouper.ieee.org/groups/1363/P1363/draft.html for details.
A curve expressed by a function of variables x and y like the following is called an elliptic curve. An elliptic curve (over a prime field): y^2=x^3+ax+b (mod p),
where p is a prime number, and a and b are elliptic parameters (0≦a, b≦p).
An elliptic curve (over a binary field): y^2+xy=x^3+ax^2+b (mod f(x)),
where f is a polynomial defining GF(2^m), and a and b are elliptic parameters (a, b ∈ GF(2^m)).
Elliptic curves are mainly defined over a prime field and a binary field. An elliptic curve is determined uniquely by the elliptic parameters a and b.
A point (elliptic point) on an elliptic curve has coordinates (x, y) that satisfy the formula expressing the elliptic curve. The elliptic points represent a set of integers (x, y) that satisfy 0≦x, y<p over a prime field, and represent a set of elements (x, y) that satisfy x, y ∈ GF(2^m) over a binary field.
An infinite elliptic point denoted by O is a special point on an elliptic curve that satisfies A+O=O+A=A for an arbitrary elliptic point A, where the symbol “+” indicates addition of elliptic points.
A base elliptic point is a point on an elliptic curve, and denoted by G. The base elliptic point is shared by the users of elliptic curve encryption, and used for generating a pair of a public key and a private key and for other processing based on the elliptic curve encryption.
A representation of an elliptic point with a two-dimensional vector (x, y) is called affine coordinates. A representation of an elliptic point with a three-dimensional vector (X, Y, Z) that satisfies (x, y)=(X/Z, Y/Z) is called projective coordinates. A representation of an elliptic point with a three-dimensional vector (X, Y, Z) that satisfies (x, y)=(X/Z^2, Y/Z^3) is called Jacobian coordinates. The use of three-dimensional vector representations significantly reduces the number of divisions in the elliptic point scalar multiplication, to thereby speed up the entire computation.
An operation of A+B on elliptic points A and B is called an elliptic point addition, where the points satisfy A+B=B+A. An operation of A−B on elliptic points A and B is called an elliptic point subtraction.
An operation of elliptic point doubling derives a point C defined as C=2A on an elliptic curve, from a point A on the elliptic curve. This operation of 2A is called elliptic point doubling.
An operation of elliptic point scalar multiplication derives a point V defined as V=dA on an elliptic curve, from a point A on the elliptic curve and a scalar value d. This operation consists of a combination of the elliptic point addition, the elliptic point subtraction, and the elliptic point doubling.
For a base elliptic point G and a scalar value d representing a private key, a public key is given by V that satisfies V=dG. The public key is a point on the elliptic curve, and the private key is a scalar value.
Next, the power analysis attack is described below.
Algorithms for implementing the modular exponentiation or the elliptic point scalar multiplication include a binary method, a signed binary method, and a window method. It is assumed that the attacker knows the algorithm of modular exponentiation or elliptic point scalar multiplication implemented in the smart card.
Referring to
Referring to
The following correlations (COR.1) and (COR.2) hold between the algorithm and the private key d of
(COR.1) There is correlation between the bit values of the value d and the operations performed. In the algorithm of
(COR.2) There is correlation between the bit values of the value d and the values of the work variable. In the algorithm of
The SPA determines the private key in accordance with the correlation (COR.1) above. The DPA guesses the private key in accordance with the correlation (COR.2). The RPA guesses the private key in accordance with any one of the correlations (COR.1) and (COR.2).
The SPA measures a single power waveform, and then guesses the processing performed in the smart card, to thereby guess the private key.
For example, it is assumed that the power consumption of a smart card that processes the algorithm of
Known countermeasures against the SPA include the Add-and-Double-Always and the Montgomery-Ladder, in which fixed computing procedure is repeated independently of the bit values of the private key d.
The Add-and-Double-Always is described in J. Coron, “Resistance against differential power analysis for elliptic curve cryptographic cryptosystem”, CHES '99, LNCS 1717, pp. 292-302, Springer-Verlag, 1999.
The Montgomery-Ladder is described in P. Montgomery, “Speeding the Pollard and elliptic curve methods for factorizations”, Math of Comp, vol. 48, pp. 243-264, 1987.
The DPA measures and analyzes a plurality of power waveforms, and thereby guesses the private key. The following procedure (DPA.01) through (DPA.03) gives an example of the DPA against the algorithm of
(DPA.02) The value of d[0] is guessed in accordance with the following procedure, and then the correctness of the guess is determined.
The guess value d[0] is assumed to be correct. Based on this assumption, the data value of the coordinates x of the variable V inside the smart card at the time when Steps 203-206 have been completed for i=0 is guessed for each Aj. For example, if it is assumed that d[0]=1, then V=Aj is guessed in accordance with the algorithm of
In accordance with the above-mentioned classification, a power difference curve is generated that is expressed as follows:
Δ(t) = {average of C(A_i, t) for A_i ∈ G1} − {average of C(A_i, t) for A_i ∈ G0}.
When the power difference curve has a spike as shown in
(DPA.03) Procedure (DPA.02) is repeated sequentially for d[1], d[2], . . . , d[m−1], so that the value of the private key d is determined. For performing procedure (DPA.02) for d[h], the data of V used as the criteria of the classification in procedure (DPA.02) is the data previously determined at the time of the procedure for i=h. In the guess of the data value of V, the previously determined values d[0] through d[h−1] and the current guess value of d[h] are used. This is so because the value of V is determined by V=2^h d[h]A+d[h−1,0]A, i.e., by the previously obtained d[0] through d[h−1] and the current guess value d[h].
The DPA is based on the characteristic that the power consumption of the smart card is proportional to the number of ones (1's) in the data value.
A known typical countermeasure against the DPA uses a random value. In this method, variable data is concealed or randomized using a random value generated inside the smart card, so that the guess for the data values by the DPA is prevented.
For example, in a so-called randomized projective coordinate system, the data representation of an elliptic point in projective coordinates or Jacobian coordinates is randomized. In this case, in the conventional encryption processing, for a work variable (x, y) expressed in the affine coordinates, this work variable is transformed into the projective coordinates (r×x, r×y, r×z) or into the Jacobian coordinates (r^2×x, r^3×y, r×z), where r indicates a random value. This random value r randomizes all of the coordinate data. Thus, the guess of the value of the work variable becomes impossible, so that the DPA is prevented. Although the value of the work variable is thus randomized, the value of any one of the work variables specifies the same point independently of the random value r. Thus, after determining d[0] through d[m−1], the determined coordinates are inversely transformed into affine coordinates, to thereby determine the same operated result dAj uniquely as that of the conventional operation.
Next, the RPA is described below. The RPA guesses the bit value of the private key d, then selects a specific input elliptic point in accordance with the bit value, and then provides it as an input of the scalar multiplication of the encryption device, to thereby guess the private key d. When the work variable value at a specific timing of the scalar multiplication is zero (0), the guess of the bit value is determined to be correct in the RPA. Otherwise, the guess is determined to be incorrect. Whether the work variable value is zero can be determined using a single power waveform in the SPA or using the difference of a plurality of power waveforms in the DPA.
The following procedure of (RPA.01) through (RPA.03) gives an example of the RPA against the algorithm of
(RPA.01) A=(d[h, 0]^−1 (mod φ))Q is determined in accordance with the known values d[0], d[1], . . . , d[h−1] and the guess value d[h], where φ denotes the value of the order, and Q denotes a point on an elliptic curve satisfying Q=(x, 0) or (0, y), i.e., a set of coordinates which has the coordinate x or y equal to zero.
(RPA.02) The smart card is caused to perform the operation of dA, to thereby determine a power consumption wave form C(A, d).
(RPA.03) In the curve of the power consumption waveform C(A, d), a partial waveform corresponding to i=h and h+1 at Steps 203-206 is observed, and then it is determined whether the coordinate x of the work variable V is zero. See the document Goubin described above for the way of determining whether the coordinate x of V is zero.
The RPA is possible, because when the guess of d[h] is correct, the coordinate x or y of the work variable V becomes zero after the loop of Steps 203-206 is completed for i=h. For the coordinate x or y of V which becomes zero, an exceptional operation occurs when this value is used in the arithmetic operation for i=h+1. Then, the exceptional operation is observed in the power waveform.
When the guess of d[h] is correct, a waveform indicating the coordinate value of V appears after the loop for i=h. This is so because A is given in accordance with procedure (RPA.01). By giving such A, the value of V after the loop of Steps 203-206 for i=h becomes equal to Q, if the guess of d[h] is correct. Thus, the value of the coordinate x or y becomes zero (0).
Accordingly, the RPA can be prevented, by preparing an algorithm so as to prevent the coordinate value of the work variable from becoming zero (0) at the timing anticipated by the attacker.
The RPA is prevented basically by a countermeasure against the DPA that randomizes the data. However, there is an exception. For example, the randomized projective coordinate system which is one of the countermeasures against the DPA is vulnerable to the RPA. This is so because, when the work data in a process without a countermeasure against the DPA is denoted by (X, Y, Z), the work data is expressed by (r×X, r×Y, r×Z) in the randomized projective coordinate system. Thus, when the coordinate value in the process without a countermeasure against the DPA is zero (0), the coordinate value in the randomized projective coordinate system also becomes zero (0) independently of the value of r.
Izu et al., “Comparison and Evaluation of Side Channel Attack Countermeasure for Elliptic Cryptosystem”, 2003 Symposium on Cryptography and Information Security (SCI 2003), 8D-3, published by the inventors, describes that the most secure countermeasures against the power analysis attack on the public key cryptosystem based on the elliptic cryptosystem are the following four: Randomized Projective Coordinates (RPC), Randomized Curve (RC), Exponent Splitting (ES), and Point Blinding (PB). These are countermeasures against the DPA, but can be used together with a countermeasure against the SPA, to thereby prevent both the DPA and the SPA.
Table 1 shows the comparison of security of the public key cryptosystem used together with the Add-and-Double-Always, against the SPA, the DPA and the RPA, and of the amount of processing required for the elliptic point scalar multiplication.
In TABLE 1, S indicates that the system is secure against the power analysis attack, and V indicates that the system is vulnerable to the power analysis attack. E denotes the processing time of the elliptic point scalar multiplication in the Add-and-Double-Always of
The RPC and the RC achieve high-speed processing, but are vulnerable to the RPA. The ES and the PB are secure against the RPA, but are slow.
Each of these algorithms includes the following three stages: (i) randomizing the coordinate data of an input elliptic point A (Steps 401-402 of
Stage (i) is a process for countermeasure against the DPA. A random value r is generated. Then, the coordinate data is randomized in accordance with A′=(r×AX, r×AY, r×AZ) in
Stage (iii) is a process of de-randomizing the data to provide as an output the processed value which is the same as that of conventional encryption processing. The operation of V=(V[0]X/V[0]Z, V[0]Y/V[0]Z) is performed in
However, these countermeasures have no effect on the RPA. This is so because the product of the coordinate values and the random value r is introduced in the randomization at stage (i). For example, in
The RPC and the RC require one Add-and-Double-Always operation and one inverse element operation for the de-randomization, for a total processing time of E+I.
Similarly to the algorithms of
In
In
The ES requires two Add-and-Double-Always operations and one elliptic point addition operation for the de-randomization, for a total processing time of 2E+A. The PB requires two Add-and-Double-Always operations and three elliptic point addition or subtraction operations for randomizing the data and for de-randomizing the data, for a total processing time of 2E+3A.
Therefore, the known processing for the public key cryptosystem that requires a small amount of processing of the elliptic point scalar multiplication is vulnerable to the RPA, while the other known processing for the public key cryptosystem that is secure against the RPA requires a large amount of processing of the elliptic point scalar multiplication.
The inventors have recognized that there is a need for providing a processing method for the public key cryptosystem that requires a small amount of processing of the scalar multiplication and that is also secure against the SPA, the DPA and the RPA.
An object of the invention is to provide processing of public key encryption that requires a small amount of processing of the scalar multiplication and that is also secure against the SPA, the DPA and the RPA.
In accordance with an aspect of the present invention, an encryption device for performing elliptic encryption processing with a private key, includes: a randomizing unit for setting, into an initial elliptic point V0, an elliptic point R on an elliptic curve that is generated in accordance with a random value; an operation unit for performing a first operation of summing the initial elliptic point V0 and a scalar multiple of a particular input elliptic point A on the elliptic curve, V1=V0+dA, in accordance with a bit sequence of a particular scalar value d for the elliptic encryption processing; a de-randomizing unit for performing a second operation of subtracting the initial elliptic point V0 from the sum V1 determined by the first operation, V=V1−V0; and a unit for providing, as an output, the elliptic point V determined by the de-randomization unit.
In accordance with another aspect of the present invention, an encryption device for performing modular exponentiation encryption processing with a private key, includes: a randomizing unit for setting, into an initial value V0, an integer r generated in accordance with a random value; an operation unit for performing a first operation of modular exponentiation V1=V0×a^d (mod n)=r×a^d (mod n) for the initial value V0 and a particular input value a in accordance with a bit sequence of a particular value d for the modular exponentiation encryption processing; a de-randomizing unit for performing a second operation of modular multiplication V=V1×r^−1 (mod n) on the value V1 determined by the first operation and an inverse element r^−1 (mod n) of r (mod n); and a unit for providing, as an output, the value V determined by the de-randomizing unit.
The invention also relates to a program for implementing the encryption device described above.
The invention relates to a method for implementing the encryption device described above.
According to the invention, processing of public key encryption can be provided such that it requires a small amount of processing of the scalar multiplication and is also secure against the SPA, the DPA and the RPA.
Throughout the drawings, similar symbols and numerals indicate similar elements.
FIGS. 14 to 16 show respective different algorithms of generating the random elliptic point R in
The encryption device 10 further includes a processor 32 and a program memory 34 such as a ROM. The processor 32 controls the elements 12-24 described above in accordance with a program stored in the memory 34. Alternatively, the processor 32 may implement the elements 12-24 by executing a program stored in the memory 34 and corresponding to the functions of the elements 12-24. In this case,
Similarly to the algorithms of
Referring to
At Step 1006, the initializing unit 16 initializes the work variables to be used in the Add-and-Double-Always, such that V[0]=R or r, and V[2]=A or a.
At Step 1008, the scalar multiplication processing unit 20 for an elliptic point performs the Add-and-Double-Always with the work variables V′[0], V′[1] and V[2]. Thus, for i=0, 1, . . . , m−1, the operations of V′[1]=ECADD(V′[0], V[2]), V[2]=ECDBL(V[2]), and V′[0]=V′[d[i]] are repeatedly performed in the elliptic curve encryption, or alternatively the operations of V′[1]=V′[0]×V[2] (mod n), V[2]=V[2]^2 (mod n), and V′[0]=V′[d[i]] are repeatedly performed in the RSA encryption. Independently of the bit values of the private key d, a predetermined operation pattern of the Add-and-Double-Always is repeated, to thereby provide protection against the SPA. By providing V′[0]=R or r at Step 1004, the values of the work variables V′[0] and V′[1] are randomized to thereby prevent the DPA. The value of V[2] is not randomized. This is so because the DPA and the SPA using the value of V[2] are impossible in the Add-and-Double-Always, so that the randomization of V[2] is not required. The value of V[2] can be determined by repeating the doubling or the squaring of the value A, independently of the bit values of the private key d. Thus, the DPA cannot be achieved using this value.
At Step 1010, the random element canceling unit 22 de-randomizes the randomized data. For this purpose, for R generated at Step 1004, the operation of V=V′[0]−R is performed in the elliptic curve encryption, whereas the operation of V=V′[0]×r^−1 (mod n) is performed in the RSA. At Step 1012, the output unit 24 provides the operation result V as an output.
In this way, the SPA and the DPA are prevented by the algorithm of
Referring to
The loop including Steps 1104-1108 performs the elliptic point scalar multiplication through the Add-and-Double-Always for the work variables V′[0], V′[1] and V[2]. Although this loop performs the same processing as the Add-and-Double-Always without a countermeasure against the RPA of Steps 303-307 of
With these initial values, the relations between the work variables V′[0] and V′[1] of
Upon completion of the loop of Steps 1104-1108, the output unit 24 at Step 1109 performs the operation of V=V′[0]−R to thereby de-randomize the data which has been randomized with R, and then provides the value V as an output.
In this way, the algorithm in accordance with the invention provides the encryption processing which is secure against the RPA. The algorithm of
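The following is an added example, not code from the patent, that simulates on a toy curve both the RPA procedure (RPA.01)-(RPA.03) described earlier and the countermeasure of Steps 1101-1109: the work variable V′[0] starts at a random point R, the Add-and-Double-Always loop runs unchanged, and R is subtracted at the end. The curve y^2 = x^3 + 7x + 9 over F_11 (group order 17), the point Q = (0, 3), the private key d = 11 and the point R are all constructed for the demonstration; the function names are mine. With V′[0] = O the value after the loop iteration i = h is d[h,0]·A, so the attacker's probe point A = (d[h,0]^−1 mod 17)·Q makes it equal to Q (x = 0) exactly when the guess of d[h] is right; with V′[0] = R that value is R + Q, which has a zero coordinate only for the two values of R that map onto ±Q, i.e. with probability about 2/φ, not at the attacker's chosen timing.

```python
# Added example (not from the patent): toy affine elliptic-curve arithmetic over F_11 on the
# constructed curve y^2 = x^3 + 7x + 9 (prime group order 17), used to simulate the
# zero-coordinate observable the RPA relies on (procedure RPA.01) and the random-initial-point
# countermeasure (V'[0] = R, Add-and-Double-Always, then V = V'[0] - R).
# Every curve parameter, scalar and point below is constructed for the demonstration.
import secrets

P, A_COEF, B_COEF = 11, 7, 9      # constructed toy curve y^2 = x^3 + 7x + 9 over F_11
ORDER = 17                         # group order, verified by count_points() below
Q = (0, 3)                         # a point with x = 0: the value the RPA steers V'[0] onto
O = None                           # the point at infinity

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P == 0

def ec_add(p1, p2):
    """Affine elliptic point addition, covering O, P + (-P) and doubling."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                   # p1 + (-p1) = O (also 2P when y = 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def ec_dbl(p1):
    return ec_add(p1, p1)

def ec_neg(p1):
    return O if p1 is O else (p1[0], (-p1[1]) % P)

def scalar_mul(d, pt):
    """Plain right-to-left binary method; reference result only, no countermeasure."""
    acc, cur = O, pt
    while d:
        if d & 1:
            acc = ec_add(acc, cur)
        cur = ec_dbl(cur)
        d >>= 1
    return acc

def count_points():
    """Brute-force group order of the toy curve (finite points plus O)."""
    return 1 + sum(on_curve((x, y)) for x in range(P) for y in range(P))

def add_and_double_always(d_bits, pt, r_point=O):
    """The page's loop: V'[1]=ECADD(V'[0],V[2]); V[2]=ECDBL(V[2]); V'[0]=V'[d[i]], with d
    given LSB first and V'[0] initialised to r_point. Returns the final V'[0] and the value
    of V'[0] after each iteration i (the attacker's observation points)."""
    v = [r_point, O, pt]
    trace = []
    for bit in d_bits:
        v[1] = ec_add(v[0], v[2])
        v[2] = ec_dbl(v[2])
        v[0] = v[bit]                              # same operation pattern for bit 0 and 1
        trace.append(v[0])
    return v[0], trace

def has_zero_coordinate(pt):
    """The RPA observable: a zero x or y coordinate triggers an exceptional operation."""
    return pt is not O and (pt[0] == 0 or pt[1] == 0)

def rpa_probe_point(known_low_bits, guess_bit, q, order):
    """(RPA.01): A = (d[h,0]^-1 mod order) * Q for the guessed prefix d[h,0]."""
    prefix = sum(b << i for i, b in enumerate(known_low_bits + [guess_bit]))
    return scalar_mul(pow(prefix, -1, order), q)

def rpa_observable(d_bits, h, guess_bit, r_point=O):
    """One RPA trial against bit d[h]: feed the probe point and report whether V'[0] after
    iteration i = h has a zero coordinate. With r_point = O (no countermeasure) this is
    True exactly when the guess is right; with a random R it is independent of the guess."""
    a_probe = rpa_probe_point(d_bits[:h], guess_bit, Q, ORDER)
    _, trace = add_and_double_always(d_bits, a_probe, r_point)
    return has_zero_coordinate(trace[h])

def protected_scalar_mul(d_bits, pt, r_point=None):
    """Steps 1101-1109 of the page: V'[0] = R, Add-and-Double-Always, V = V'[0] - R.
    If no R is given, R = k*Q for a secret random k (constructed stand-in for Step 1101)."""
    if r_point is None:
        r_point = scalar_mul(secrets.randbelow(ORDER - 1) + 1, Q)
    v_final, trace = add_and_double_always(d_bits, pt, r_point)
    return ec_add(v_final, ec_neg(r_point)), trace

if __name__ == "__main__":
    d_bits = [1, 1, 0, 1]                          # d = 11, LSB first
    print("group order:", count_points())
    print("unprotected, guess d[1]=1 (correct):", rpa_observable(d_bits, 1, 1))
    print("unprotected, guess d[1]=0 (wrong):  ", rpa_observable(d_bits, 1, 0))
    print("protected,   guess d[1]=1 (correct):", rpa_observable(d_bits, 1, 1, scalar_mul(5, Q)))
```

The `rpa_observable` function returns only whether the intermediate value has a zero coordinate, which is the event the page says is visible in the power waveform; the simulation stops at that observable and does not model the waveform itself.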
Referring to
The loop including Steps 1204-1208 performs modular exponentiation through the Add-and-Double-Always for the work variables V′[0], V′[1] and V[2], to thereby update these work variables.
Upon completion of the loop of Steps 1204-1208, the output unit 24 at Step 1209 performs the modular multiplication of V′[0] by the inverse element r^−1 (mod n) of r, to thereby de-randomize the data which has been randomized with r, and then provides the result V as an output.
The loop including Steps 1204-1208 for the Add-and-Double-Always prevents the SPA. Further, the random value r set as the initial value to the work variable V′[0] causes the work variables in the loop to vary at random, which prevents the DPA.
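The modular exponentiation form of the same countermeasure, as an added example that is not code from the patent: V′[0] starts at a random r instead of 1, the Add-and-Double-Always loop of Steps 1204-1208 runs with its fixed multiply/square pattern, and the result is multiplied by r^−1 (mod n). The modulus 91, base 5, exponent 11 and the values of r used below are constructed; the function names are mine. The returned trace shows the values a DPA would have to predict, r·a^(d[i,0]) mod n, which differ from run to run while the final output does not.

```python
# Added example (not from the patent): randomized-start Add-and-Double-Always modular
# exponentiation, Steps 1201-1209 as described above. All numbers are constructed.
import secrets
from math import gcd

def blinded_modexp(a, d_bits, n, r=None):
    """Return (a^d mod n, trace) with d given LSB first. trace[i] is V'[0] after iteration i,
    i.e. r * a^(d[i,0]) mod n, the intermediate a DPA would try to predict."""
    if r is None:                                  # constructed stand-in for Step 1201
        r = secrets.randbelow(n - 2) + 2
        while gcd(r, n) != 1:                      # r must be invertible mod n
            r = secrets.randbelow(n - 2) + 2
    v = [r % n, None, a % n]                       # V'[0] = r, V'[1] scratch, V[2] = a
    trace = []
    for bit in d_bits:
        v[1] = v[0] * v[2] % n                     # V'[1] = V'[0] * V[2]  (mod n)
        v[2] = v[2] * v[2] % n                     # V[2]  = V[2]^2       (mod n)
        v[0] = v[bit]                              # V'[0] = V'[d[i]], same pattern for 0 and 1
        trace.append(v[0])
    return v[0] * pow(r, -1, n) % n, trace         # V = V'[0] * r^-1 (mod n)

def bits_lsb_first(d):
    """Bit sequence d[0], d[1], ... of a positive integer d."""
    return [(d >> i) & 1 for i in range(d.bit_length())]

if __name__ == "__main__":
    for r in (10, 2, None):
        value, trace = blinded_modexp(5, bits_lsb_first(11), 91, r)
        print("r =", r, "result =", value, "intermediates =", trace)
```

With r = 1 the trace after iteration h is exactly a^(d[h,0]) mod n, the value the DPA classification in (DPA.02) is built on; any other r multiplies every intermediate by a factor the attacker does not know, and r^−1 removes it only at the very end.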
In comparison with the algorithm of
Next, embodiments of the basic algorithm for elliptic curve encryption of
There are a plurality of embodiments for generating the elliptic point R at Step 1101 of
Referring to
Referring to
At Step 1501, the generating unit 14 reads a value of R used in the conventional countermeasure against the power analysis attack, from a specific area in the memory. Alternatively, the initial value of the elliptic point R may be provided in accordance with the method shown in
In these algorithms, similarly to the algorithm of
Similarly to the algorithm of
The elliptic point doubling at Step 1107 is repeatedly performed on the same work variable V[2]. The value of V[2] is expressed by V[2]=2^(i+1)A using the loop variable i. The technique of accelerating the computation by repeatedly performing the doubling on the same point (elliptic point 2^k-multiplication) in the Jacobian coordinate system and the prime field is disclosed in Japanese Patent Application Publication JP 2000-137436-A published on May 16, 2000 and invented by Takenaka and Ito, two of the present inventors, the entirety of which is incorporated herein by reference. In
The loop variable i in
Alternatively, Step 1101 of
Next, an embodiment of the basic algorithm for the RSA encryption of
As described above, the embodiments of the invention provide countermeasures against all of the SPA, the DPA and the RPA, and require a smaller amount of computation than the ES and the PB, which are known as generally secure systems.
Table 2 shows the comparison between the elliptic curve encryption in accordance with the invention and the conventional public key encryption for countermeasure against the power analysis attack. Table 3 shows the comparison between the RSA encryption in accordance with the invention and the conventional public key encryption for countermeasure against the power analysis attack. In Table 3, the RPC, RC and PB are not applicable to the RSA encryption, and hence are not shown.
In Tables 2 and 3, “S” indicates that the system is secure against the analysis, and “V” indicates that the system is vulnerable to the analysis. “E” indicates the processing time of scalar multiplication in the Add-and-Double-Always without a countermeasure against the power analysis attack. “I” indicates the processing time of determining the inverse elements. “A” indicates the processing time of elliptic point addition, elliptic point subtraction, and elliptic point doubling. However, A is smaller than E and hence is negligible.
The amount of processing in the conventional encryption is shown in TABLE 1. In the algorithm of
As can be seen from TABLE 2, the encryptions secure against all of the SPA, the DPA and the RPA are the ES encryption, the PB encryption and the encryption according to the invention. In comparison of the processing time, A is much smaller than E and negligible, and hence the processing time of the encryption of the invention is approximately half the processing time of the secure ES and PB encryptions.
A is much smaller than E and negligible because each of the elliptic point addition and doubling is performed m times in the Add-and-Double-Always, for a total of 2m times. For example, for m=160 in the elliptic curve encryption of 160 bits, E=320A.
The amount of computation required for the ES is 2E, because the computing procedure of the ES in the RSA is as follows:
v1=a^d1 (mod n),
v2=a^d2 (mod n), and
v=v1×v2 (mod n)=a^d (mod n),
where the exponent is split as d=d1+d2, and the modular multiplication of v1 and v2 is assumed to be much smaller than the modular exponentiation and negligible. The processing of
The above-described embodiments are only typical examples, and their modifications and variations are apparent to those skilled in the art. It should be noted that those skilled in the art can make various modifications to the above-described embodiments without departing from the principle of the invention and the accompanying claims.
Number | Date | Country
---|---|---
Parent | PCT/JP03/09284 | Jul 2003 | US
Child | 11272916 | Nov 2005 | US