AU2018101695A4 - An apparatus and method based on sliding window with One’s complementary subtraction recoding in scalar multiplication of ECC to avoid simple power analysis attacks on IoT devices. - Google Patents


Info

Publication number
AU2018101695A4
Authority
AU
Australia
Prior art keywords
scalar multiplication
point
spa
elliptical curve
iot
Prior art date
Legal status
Ceased
Application number
AU2018101695A
Inventor
Pritam Gajkumar Shah
Current Assignee
Shah Pritam Gajkumar Dr
Jain Deemed To Be University
Original Assignee
Shah Pritam Gajkumar Dr
Jain Deemed To Be University
Priority date
Filing date
Publication date
Application filed by Shah Pritam Gajkumar Dr, Jain Deemed To Be University
Priority to AU2018101695A
Application granted
Publication of AU2018101695A4
Legal status: Ceased
Anticipated expiration

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/75: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation
    • G06F21/755: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation with measures against power attack
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002: Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003: Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Mathematical Physics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Computing Systems (AREA)
  • Algebra (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

All Elliptical Curve Cryptography protocols are based on point addition and point doubling operations. These two operations require different power and execution time on an IoT node. In the binary method of scalar multiplication, point addition always corresponds to 1 and point doubling corresponds to 0. The private key of the IoT node is recoded in the form of 1s and 0s while doing scalar multiplication. All this knowledge in the public domain provides sufficient side channel leakage at lower levels for the attacker to learn the entire key as a sequence of 1s and 0s by analyzing the power consumption of the microcontroller and the time required for execution of a particular cryptographic routine on the IoT node. These types of attacks are not only theoretical but can also be carried out with instruments such as power oscilloscopes to measure the power consumption of sensor nodes while they implement a cryptographic algorithm. This patent application proposes a novel algorithm based on the windowing principle to avoid simple power analysis attacks (SPA) in the scalar multiplication operation on IoT nodes using elliptical curve cryptography.

Figure 3: CMOS Logic Inverter Circuit (Vdd, p-channel, Vin, Vout, n-channel)
Figure 4: Example of Power Consumption Information Leakage (Hamming Weight or Hamming Distance Leakage against Time)

Algorithm 1: SPA Resistant Double and Add Always Method
Input: Point P ∈ E(F), a t-bit integer k = Σ_{j=0}^{t-1} k_j 2^j, k_j ∈ {0,1}
Output: Q = kP
1. Q_0 ← ∞. For j = t−1 down to 0 do:
  1.1 Q_0 ← 2Q_0
  1.2 Q_1 ← Q_0 + P
  1.3 Q_0 ← Q_{k_j}
2. Return Q_0

Description

This invention pertains generally to cryptography and more precisely to power analysis attacks in elliptical curve cryptography on Internet of Things platforms having limited resources such as computation, bandwidth and energy.
DESCRIPTION OF THE RELATED ART
[0001] All ECC protocols are based on point addition and point doubling operations. These two operations require different power and execution time on an IoT node. In the binary method of scalar multiplication, point addition always corresponds to 1 and point doubling corresponds to 0. The private key of the IoT node is recoded in the form of 1s and 0s while doing scalar multiplication. All this knowledge in the public domain provides sufficient side channel leakage at lower levels for the attacker to learn the entire key as a sequence of 1s and 0s by analyzing the power consumption of the microcontroller and the time required for execution of a particular cryptographic routine on the IoT node, as shown in Figure 1. These types of attacks are not theoretical and can be carried out with instruments such as power oscilloscopes to measure the power consumption of sensor nodes while they implement a cryptographic algorithm. Figure 2 shows the setup of an SPA attack.
[0002] As shown in Figure 1, point doubling and point addition power spikes are distinguishable from each other. The next section gives a detailed analysis of the basic building block of a microcontroller, i.e. the CMOS inverter circuit, to understand the nature of power analysis attacks.
2018101695 14 Nov 2018
[0003] Overview of side channel attacks on IOT node
There are several methods available for obtaining side channel information in order to find the secret key in ECC. This chapter deals only with SPA; however, several other methods of attack are also briefly summarized here for completeness.
[0004] A CMOS inverter circuit consists of two transistors, namely P-channel and N-channel, that serve as semiconductor switches and turn on or off depending on the input voltage Vin. The input to the transistor may be at logic 1 or logic 0. Logic 1 is called the high voltage signal and logic 0 the low voltage signal. If Vin is at logic 1, then the P-channel transistor is non-conducting and the N-channel transistor is conducting. In this case current will flow from the output to ground and the output voltage will be logic 0, i.e. equal to the ground voltage. If Vin is at the low voltage signal, the P-channel transistor is conducting and the N-channel transistor is non-conducting, so the supply voltage Vdd appears at the output terminal and the output is high, i.e. logic 1. So this inverter circuit gives output 1 if the input is 0 and vice versa.
The power consumption of the above circuit during each clock cycle can be measured by placing a standard resistor of 1 Ω in series with the supply voltage Vdd. This power depends on the instruction being executed, and one can plot a power trace, which shows the power consumed by the device during each clock cycle.
[0005] The hypothesis behind power analysis attacks is that the power traces are always correlated to the instructions the microprocessor is executing as well as to the values of the operands it is manipulating. Therefore, examination of the power traces can reveal information about the instructions being executed and the contents of the data registers. In the case that the device is executing a secret key cryptographic operation, it may be possible to deduce the secret key. Figure 4 shows the setup of SPA in IoT.
[0006] Several authors have proposed unified code to avoid this weakness, which eliminates the timing differences between point addition and point doubling operations. Unfortunately these techniques are difficult to implement on sensor nodes due to limited memory and computational power. This research proposes an innovative algorithm which is lightweight and can be implemented at the physical layer of wireless sensor nodes to avoid any information leakage.
Simple power analysis (SPA) attacks were proposed. A more sophisticated use of SPA was proposed where the attacker examines the Hamming weight of the positive integer by measuring the height of the power trace at a point during the scalar multiplication process. By observing the Hamming weight of the private key it is possible to determine the private key used by the IoT node.
[0007] Enhanced Simple Power Analysis
In scalar multiplication, if the integer is recoded with signed binary digits, the addition-subtraction method is used to generate the public key. [92] proposed enhanced SPA, which makes use of a Markov chain to predict the bits of the private key which have caused a particular pattern of point addition and doubling operations. This method can also be applied to randomized addition-subtraction chain models.
[0008] Differential Power Analysis
These attacks use a statistical analysis of power signals from many scalar multiplication processes to examine the similarities and differences between these power traces. These similarities and differences are due to the various values of data, operands and register addresses used during the computation. This information is then manipulated to reveal the secret key of the node.
[0009] Various countermeasures are available in the literature for DPA. These countermeasures include:
1. Randomization of the private key of the node.
2. Use of an addition mask.
3. Use of exponent splitting.
4. Overlapping window method.
5. Randomized table window method.
6. Hybrid overlapping and randomized table window method.
7. Perturbation point.
8. Point of small order as a perturbation point.
9. Randomized projective or Jacobian coordinates.
10. Randomized isomorphic curve or field.
11. Scalar multiplication algorithm randomization.
Wireless sensor nodes like IMOTE2 and MICAz [21] are manufactured using CMOS (Complementary Metal Oxide Semiconductor) technology, in which the basic building block is the inverter or NOT gate.
[0010] Electromagnetic Analysis
The flow of current through a CMOS device also induces electromagnetic radiation. This EM signal can be collected by placing a sensor close to the device. As with power analysis attacks, one can then analyze the EM signal to reveal the secret key. Simple Electromagnetic Analysis and Differential Electromagnetic Analysis can be launched. As with power analysis, countermeasures for these attacks could be hardware based, e.g. use of a metal layer or circuit design.
[0011] Fault and Timing Attacks
Fault attacks are always carried out by feeding invalid input or causing a fault during a computation by the microcontroller of the IoT node. The output of the microcontroller in such circumstances can reveal information about the key.
Timing attacks work when an operation using the secret key does not run in constant time and the time taken is correlated to the value of the secret key.
[0012] Overview of Existing SPA Countermeasures
There are two standard approaches against SPA attacks: the first is the use of dummy operations and the second is the use of identical formulae. Both approaches attempt to make the power traces of the two group operations (addition and doubling) indistinguishable. The first approach consists in adding extra or "dummy" operations in the addition and doubling algorithms where the sequences of operations differ. In the second approach the same sequence of operations is repeated independent of the scalar, so they appear identical to SPA attacks. The first approach increases the code size and puts the microcontroller in idle time, whereas the second approach increases the cost of the scalar multiplication algorithm. Although the dummy operation is a very simple countermeasure to implement, it is not always safe: if the secret key is used multiple times, dummy operations can be revealed by adaptive fault analysis, and further countermeasures are required to prevent this attack.
The second approach consists in rewriting the two group operations into a unified formula. Since both operations then use the same set of field operations, the two operations have the same power trace. Unified formulae tend to be more costly than dummy operations, but they prevent adaptive fault analysis (though not DPA). The main disadvantage of unified formulae is that they are group specific and so far have only been developed for elliptic curves. The following section gives the various countermeasures available for SPA in the literature.
[0013] Double and Add Always
This method modifies the binary method slightly to achieve resistance against SPA. Instead of performing a point addition only when the next bit of the integer k is 1, this algorithm performs an addition in each iteration of the loop and discards the results of those additions which are irrelevant. This prevents SPA because the pattern of additions and doublings is the same for all scalar multiplications and does not reveal the integer used.
[0014] Montgomery Ladder
A Montgomery ladder can be used to resist SPA because it performs a doubling and an addition in every loop iteration, in a similar fashion to the double-and-add-always countermeasure. A Montgomery ladder does not use any dummy operations. The method was originally proposed for use with Montgomery curves, since it allowed a fast point addition algorithm which did not require the use of the y-coordinate on these curves. A method for finding the addition and doubling required by Montgomery's ladder without using the y-coordinate of the points for any elliptic curve has also been proposed.
[0015] Identical formulae for point addition and doubling
Other methods to avoid SPA attacks include the universal exponentiation algorithm, randomized addition and subtraction chains, and the non-deterministic right-to-left method with pre-computations. All these methods suggested in the literature either increase the computational cost or put more stress on memory usage to avoid SPA attacks. As seen in the first few chapters, the major objective of this research is to reduce the computational cost and memory usage for IoT, which makes these countermeasures heavyweight for it.
[0016] Proposed Window OCS Method to Avoid SPA in IoT
Our proposed algorithm is based on a window principle in which point doubling and addition operations are performed in a consistent sequence independent of the scalar. The fixed window method, sometimes referred to as the m-ary method, satisfies this requirement of a consistent sequence of point addition and doubling operations independent of the scalar. The proposed window OCS method is a variant of the window method in which the scalar is represented in the OCS form by use of algorithm 5.2, chapter 5 of the thesis. The use of the window method as a countermeasure against SPA was initially proposed by Bodo Möller. Our algorithm differs from Möller's algorithm because it uses a different encoding method for the scalar. The proposed algorithm based on the windowing principle is an effective method on the IoT platform as it does not use any dummy operations and is not limited to a particular family of curves, and thus can be implemented on any NIST curve. The proposed SPA-resistant window OCS method is given in algorithm 3.
[0017] As shown in algorithm 6.3, the window OCS method with a window size of w requires pre-computing a table of points; these 2^w − 2 points are stored in a look-up table, typically in affine representation to save RAM and to allow the use of mixed coordinates for point addition, as discussed in Chapter 4 of this thesis. Our OCS window algorithm works in a similar fashion to the double-and-add method, except that in each step w bits of k are considered, with the corresponding table entry being added to the intermediate result. A window size of w reduces the total number of additions to l/w, where l is the total number of bits in k, but does not change the number of doublings (l doublings). The next chapter of this thesis aims at finding the optimal value of the window size w of the window OCS method so that there is a good compromise between performance and memory requirements of the IoT node to avoid SPA.
[0018] The window OCS method employs a "sliding window" in the sense that algorithm 6.3 has a width of w, moving right to left, skipping consecutive zero entries after a non-zero digit is processed. Although we have found no reference to this specific scheme in the literature, there is a suggestion to combine the m-ary and signed-digit methods.
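The double-and-add-always method of [0013] (Algorithm 1 in the abstract), the Montgomery ladder of [0014] and the windowed table method of [0017] can be compared by recording the sequence of group operations each one performs. The following Python script is an added example written for this page; it is not code from the patent or the thesis. It uses a constructed toy curve y^2 = x^3 + 2x + 2 over F_17 with generator G = (5, 1) (order 19), affine arithmetic, and a trace list that records D for each doubling and A for each addition. The function names `binary_mul`, `double_and_add_always`, `montgomery_ladder`, `window_mul`, `ocs_window_mul` and `bits_from_binary_trace` are chosen here. The one's complement subtraction recoding is not given on this page (it is deferred to algorithm 5.2 of the thesis), so `ocs_window_mul` applies only the algebraic identity kP = (2^t − 1)P − k̄P, with k̄ the bitwise complement of the t-bit k, as an assumed reading of the term; it makes no claim about the thesis's actual recoding or its cost. `window_mul` is the left-to-right fixed-window form with a table of iP for i = 1..2^w − 1 (the 2^w − 2 entries beyond P of [0017]); the right-to-left sliding variant of [0018] is not reproduced.

```python
# Added example: comparing operation traces of scalar multiplication methods.
# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1) of
# order 19 (a teaching curve, NOT a NIST curve; the names below are ours).
P_MOD, A, B = 17, 2, 2
G = (5, 1)
INF = None  # point at infinity


def ec_add(P, Q):
    """Affine point addition; also handles doubling and P + (-P) = INF."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_neg(P):
    return INF if P is INF else (P[0], (-P[1]) % P_MOD)


def binary_mul(k, P, trace):
    """Plain left-to-right double-and-add: an 'A' follows a 'D' only for 1 bits."""
    Q = INF
    for bit in format(k, "b"):
        Q = ec_add(Q, Q); trace.append("D")
        if bit == "1":
            Q = ec_add(Q, P); trace.append("A")
    return Q


def double_and_add_always(k, P, trace):
    """Algorithm 1 of the abstract: always double and add, keep the sum only for 1 bits."""
    Q0 = INF
    for bit in format(k, "b"):
        Q0 = ec_add(Q0, Q0); trace.append("D")
        Q1 = ec_add(Q0, P); trace.append("A")
        Q0 = Q1 if bit == "1" else Q0
    return Q0


def montgomery_ladder(k, P, trace):
    """Ladder of [0014]: invariant R1 = R0 + P, one add and one double per bit, no dummies."""
    R0, R1 = INF, P
    for bit in format(k, "b"):
        if bit == "0":
            R1 = ec_add(R0, R1); trace.append("A")
            R0 = ec_add(R0, R0); trace.append("D")
        else:
            R0 = ec_add(R0, R1); trace.append("A")
            R1 = ec_add(R1, R1); trace.append("D")
    return R0


def bits_from_binary_trace(trace):
    """The leakage of [0001]: in the plain method each 'D' starts a bit and a following 'A' marks a 1."""
    return "".join(
        "1" if i + 1 < len(trace) and trace[i + 1] == "A" else "0"
        for i, op in enumerate(trace) if op == "D")


def window_mul(k, P, w, trace):
    """Fixed-window form of [0017]: table of iP for i = 1..2^w-1, then per window
    w doublings and one table addition for a non-zero digit."""
    table = [INF, P]
    for _ in range(2, 2 ** w):
        table.append(ec_add(table[-1], P))  # precomputation is not traced
    digits = format(k, "b")
    digits = digits.zfill(-(-len(digits) // w) * w)  # pad to whole windows
    Q = INF
    for i in range(0, len(digits), w):
        for _ in range(w):
            Q = ec_add(Q, Q); trace.append("D")
        d = int(digits[i:i + w], 2)
        if d:
            Q = ec_add(Q, table[d]); trace.append("A")
    return Q


def ocs_window_mul(k, P, w, trace):
    """ASSUMED reading of one's complement subtraction (the page defers the
    recoding to the thesis): kP = (2^t - 1)P - k_bar*P, k_bar = k XOR (2^t - 1)."""
    t = k.bit_length()
    ones = (1 << t) - 1
    return ec_add(window_mul(ones, P, w, trace),
                  ec_neg(window_mul(k ^ ones, P, w, trace)))


if __name__ == "__main__":
    k = 13  # binary 1101, a constructed sample scalar
    for name, fn in [("binary", binary_mul), ("double-and-add-always", double_and_add_always),
                     ("montgomery ladder", montgomery_ladder)]:
        tr = []
        print(f"{name:22s} {fn(k, G, tr)}  trace={''.join(tr)}")
    tr = []
    print(f"{'fixed window w=2':22s} {window_mul(k, G, 2, tr)}  trace={''.join(tr)}")
    tr = []
    binary_mul(k, G, tr)
    print("bits read from the binary trace:", bits_from_binary_trace(tr))
```

Running the script prints one trace per method for k = 13 (binary 1101). The plain binary trace DADADDA lets `bits_from_binary_trace` read off 1101, which is exactly the leakage [0001] describes; double-and-add-always gives DADADADA and the ladder ADADADAD for every 4-bit scalar; the fixed-window trace with w = 2 has four doublings and two additions, matching the l doublings and at most l/w additions of [0017]. In this fixed-window form a window whose digit is zero performs no addition, so the uniform-sequence property claimed for the OCS variant rests on the recoding producing non-zero digits, which this page does not specify.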
[0019] Summary
The IoT node has limited memory for storage, so avoiding SPA attacks is very difficult in such an environment. Our window OCS method based on the windowing principle executes point addition and doubling in a uniform sequence irrespective of the scalar and makes it difficult for an attacker to detect the secret scalar using SPA. The window size w is a matter of trade-off between the available memory and performance. The next chapter of the thesis will present an innovative algorithm to choose the optimum window size w for IoT so that there is a balanced use of memory for application and computational purposes, which was a major objective of this research.

Claims (5)

  I/We Claim,
  1. A method of simple power analysis attack resistant elliptical curve scalar multiplication on the Internet of Things platform comprising the steps of:
    (a) Selecting an elliptical curve E(a,b) having equation y^2 = x^3 + ax + b mod p, where 4a^3 + 27b^2 mod p ≠ 0, and a generator point P by the IoT Node.
    (b) Selecting an integer k as the private key of the IoT node.
    (c) Performing the scalar multiplication operation Q = kP by the IoT Node for encryption of the messages.
  2. The method of SPA resistant elliptical curve scalar multiplication as recited in claim 1 wherein the IoT Node:
    (a) Recodes the integer k in the one's complement subtraction format.
    (b) Pre-computes all the values P_i = iP for i ∈ {1, 3, 5, ..., 2^w − 1}, where w is the window size for the scanning of bits.
    (c) Stores the pre-computed 2^w − 2 points in a look-up table, typically in affine representation to save memory and allow using mixed coordinates for point addition.
  3. The method of SPA resistant elliptical curve scalar multiplication as stated in claim 1 wherein the IoT Node computes Q comprising the steps of:
    (a) Scanning w bits at a time and doing doubling operations w times in each step in the background.
    (b) Depending on the value of the w scanned bits, doing a subsequent addition with the help of the corresponding pre-computed value in the look-up table.
  4. The method of SPA resistant elliptical curve scalar multiplication as stated in claim 1 wherein point doubling and point addition operations are performed in a consistent pattern irrespective of the integer k.
  5. A method of SPA resistant elliptical curve scalar multiplication on IoT platforms with pre-computation substantially as hereinbefore described with reference to the accompanying drawings and description of art.

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2018101695A AU2018101695A4 (en) 2018-11-14 2018-11-14 An apparatus and method based on sliding window with One’s complementary subtraction recoding in scalar multiplication of ECC to avoid simple power analysis attacks on IoT devices.

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
AU2018101695A AU2018101695A4 (en) 2018-11-14 2018-11-14 An apparatus and method based on sliding window with One’s complementary subtraction recoding in scalar multiplication of ECC to avoid simple power analysis attacks on IoT devices.

Publications (1)

Publication Number Publication Date
AU2018101695A4 true AU2018101695A4 (en) 2018-12-20

Family

ID=64662298

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2018101695A Ceased AU2018101695A4 (en) 2018-11-14 2018-11-14 An apparatus and method based on sliding window with One’s complementary subtraction recoding in scalar multiplication of ECC to avoid simple power analysis attacks on IoT devices.

Country Status (1)

Country Link
AU (1) AU2018101695A4 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109714207A (en) * 2018-12-28 2019-05-03 中国电子科技集团公司信息科学研究院 A kind of complex network key node recognition methods and system
CN109714207B (en) * 2018-12-28 2022-01-28 中国电子科技集团公司信息科学研究院 Complex network key node identification method and system
CZ308895B6 (en) * 2020-03-19 2021-08-11 České vysoké učení technické v Praze Connection of a standard CMOS cell with reduced data dependence of static consumption

Similar Documents

Publication Publication Date Title
Bauer et al. Horizontal and vertical side-channel attacks against secure RSA implementations
Mukhopadhyay et al. Hardware security: design, threats, and safeguards
Hess et al. Information leakage attacks against smart card implementations of cryptographic algorithms and countermeasures–a survey
Chen et al. Improvement of trace-driven I-Cache timing attack on the RSA algorithm
Feix et al. Side-channel analysis on blinded regular scalar multiplications
AU2018101695A4 (en) An apparatus and method based on sliding window with One’s complementary subtraction recoding in scalar multiplication of ECC to avoid simple power analysis attacks on IoT devices.
WO2015193789A1 (en) Differential power analysis countermeasures
Rashidi High-throughput and lightweight hardware structures of HIGHT and PRESENT block ciphers
CN102193773A (en) Integrated circuit protected for horizontal bypass analysis
Ngo et al. Side-channel attacks on lattice-based KEMs are not prevented by higher-order masking
Barenghi et al. A novel fault attack against ECDSA
Abarzúa et al. Survey on performance and security problems of countermeasures for passive side-channel attacks on ECC
Luo et al. Effective simple-power analysis attacks of elliptic curve cryptography on embedded systems
Sakamoto et al. Fault sensitivity analysis against elliptic curve cryptosystems
Schmidt et al. Fault attacks on the montgomery powering ladder
Ghosh et al. Security of prime field pairing cryptoprocessor against differential power attack
Бессалов et al. Randomization of CSIDH algorithm on quadratic and twisted Edwards curves
AU2010101116A4 (en) An apparatus and method of SPA resistant elliptical scalar multiplication on the resource constrained wireless sensor network platform.
Shah et al. Prevention of Simple Power Analysis Attacks in Elliptical Curve Cryptography on WSN Platform
Bock SCA resistent implementation of the Montgomery kP-algorithm
Herbst et al. Using templates to attack masked montgomery ladder implementations of modular exponentiation
Akdemir et al. Non-linear error detection for elliptic curve cryptosystems
Rauzy et al. Using modular extension to provably protect ECC against fault attacks
Zode et al. Novel fault attack resistant architecture for elliptic curve cryptography
Park et al. ATAVE: A framework for automatic timing attack vulnerability evaluation

Legal Events

Date Code Title Description
FGI Letters patent sealed or granted (innovation patent)
MK22 Patent ceased section 143a(d), or expired - non payment of renewal fee or expiry