A DPA Countermeasure by Randomized Frobenius Decomposition

Tae-Jun Park, Mun-Kyu Lee*, Dowon Hong and Kyoil Chung

* Inha University

WISA 2005 2

Outline

Side channel analysisSide channel analysisI

Frobenius expansionFrobenius expansionII

Random decompositionRandom decompositionIII

ConclusionConclusionIV

WISA 2005 3

Power Analysis

Kocher, Crypto 99

Powerful technique to recover the secret information by monitoring power signal

Two kinds of power analysis

- SPA : Simple power analysis

- DPA : Differential power analysis

WISA 2005 4

Power Analysis on Elliptic Curve

Coron, CHES 99

Naïve implementation of ECC are highly vulnerable to SPA and DPA

Various methods have been proposed

- Hasan suggested several countermeasures on

Koblitz curves, 2001, IEEE Transactions on computers

- Ciet et al. proposed randomizing the GLV decomposition to prevent DPA in GLV curves

CHES 2002

WISA 2005 5

The Goal of This Talk

New Countermeasure against DPA on ECC

Applied to any curve where Frobenius method can be used

Two dimensional generalization of Coron’s method

15.3 ~34.0% extra computations

WISA 2005 6

Elliptic Curve

Let be the prime power

is of or

Otherwise

q 2m

2 3y x ax b

x

y

q

3m

- To avoid the MOV attack Use only nonsupersingular elliptic curve

WISA 2005 7

Frobenius Endomorphism

The Frobenius endomorphisms of

The minimal polynomial of the Frobenius endomorphism

E

WISA 2005 8

Frobenius Expansion-(1)

The endomorphism ring of nonsupersingular elliptic curve is the order in the imaginary quadratic field

The ring is a subring of the endomorphism ring

Mueller proposed a Frobenius expansion method by iterating divisions

- fast scalar multiplication on elliptic curves over small

fields of characteristic two

- Division by the Frobenius endomorphism in the ring

WISA 2005 9

Division by in the looks like division by complex number in the Gaussian integer

Lemma: Suppose that be even (resp., odd) prime power. Let . There exists an integer

and an element s.t.

Frobenius Expansion-(2)

qrZ

WISA 2005 10

Frobenius Expansion-(3)

By iterating the process of divisions by with remainder, one can expand

with

WISA 2005 11

Division by in -(1) [ ]Z

WISA 2005 12

Let be the lattice generated by 1 and :

is isomorphic to

All elements in which can be divided by

for example, all numbers divided by 2 is of the form

The set of such elements is generated by and

:

Division by in -(2) [ ]Z

L [1, ]L [ ]Z

L

q 1 [ , ]L q

2n

WISA 2005 13

Divide by with remainder

- If , then there exist

s. t.

- If not, move horizontally left or right to

for suitable

Division by in -(3) [ ]Z

1 2s s s L

1 2 1s s s L 1 2,t t Z

1 2 1 2( )s s t t

1 2s s

1 2 1s r s L rZ

WISA 2005 14

Random Decomposition-(1)

Transform to random lattice

- Choose random integer

where

[1, ]L 'L

, , ,a b c d

a bA

c d

0ad bc

WISA 2005 15

Random Decomposition-(2)

1

a bA

c d

a c

b d

L 'L

WISA 2005 16

Random Decomposition-(3)

WISA 2005 17

Random Decomposition-(4)

Lemma : For any , we can find s. t.

with the Euclidean length of

is bounded by

1 2 [ ]s s s Z1 2 1 2, , ,k k r r Z

1 2r r r

WISA 2005 18

Random Decomposition-(5)

WISA 2005 19

Scalar Multiplication

1 2 1 20

( ) 'l

ii

ik a k b k c k d k

Scalar multiplication

- is expanded as

- By Mueller’s expansion method

- A scalar multiplication

kP

[ ]k Z[

1 2 1 2 1 2( )k k a k b k c k d r r

1 20

( ' ) ( )l

ii

ikP k P r r P

WISA 2005 20

Overhead

WISA 2005 21

Conclusion

Our method can be applied to all kind of elliptic curves

It can be used in conjunction with other countermeasure

It will be generalized to hyperelliptic curves