References
[1] Michel Abdalla and David Pointcheval. Simple password-based encrypted key exchange protocols. In Alfred Menezes, editor, Topics in Cryptology – CT-RSA 2005, volume 3376 of Lecture Notes in Computer Science, pages 191–208. Springer, 2005.
[2] Dakshi Agrawal, Bruce Archambeault, Josyula R. Rao, and Pankaj Rohatgi. The EM side channel(s). In Burton S. Kaliski Jr., Çetin Kaya Koç, and Christof Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2002, volume 2523 of Lecture Notes in Computer Science, pages 29–45. Springer, 2003.
[3] MahnKi Ahn, JaeCheol Ha, Hoon Jae Lee, and Sang-Jae Moon. A random m-ary method based countermeasure against side channel attacks. In Vipin Kumar, Marina L. Gavrilova, Chih Jeng Kenneth Tan, and Pierre L’Ecuyer, editors, Computational Science and Its Applications – ICCSA 2003, volume 2668 of Lecture Notes in Computer Science, pages 338–347. Springer, 2003.
[4] Toru Akishita and Tsuyoshi Takagi. Zero-value register attack on elliptic curve cryptosystem. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Science, E88-A(1):132–139, 2005.
[5] Frederic Amiel and Benoit Feix. On the BRIP algorithms security for RSA. In Jose Antonio Onieva, Damien Sauveron, Serge Chaumette, Dieter Gollmann, and Constantinos Markantonakis, editors, Information Security Theory and Practices – WISTP 2008, volume 5019 of Lecture Notes in Computer Science, pages 136–149. Springer, 2008.
[6] Giuseppe Ateniese and Breno de Medeiros. Identity-based chameleon hash and applications. In Ari Juels, editor, Financial Cryptography – FC 2004, volume 3110 of Lecture Notes in Computer Science, pages 164–180. Springer, 2004.
[7] Giuseppe Ateniese and Breno de Medeiros. On the key exposure problem in chameleon hashes. In Carlo Blundo and Stelvio Cimato, editors, Security in Communication Networks – SCN 2004, volume 3352 of Lecture Notes in Computer Science, pages 165–179. Springer, 2005.
[8] Mihir Bellare and Phillip Rogaway. Optimal asymmetric encryption padding – How to encrypt with RSA. In Alfredo De Santis, editor, Advances in Cryptology – EUROCRYPT’94, volume 950 of Lecture Notes in Computer Science, pages 92–111. Springer, 1995.
[9] Mihir Bellare and Phillip Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In Ueli M. Maurer, editor, Advances in Cryptology – EUROCRYPT’96, volume 1070 of Lecture Notes in Computer Science, pages 399–416. Springer, 1996.
[10] Ingrid Biehl, Bernd Meyer, and Volker Müller. Differential fault attacks on elliptic curve cryptosystems. In Mihir Bellare, editor, Advances in Cryptology – CRYPTO 2000, volume 1880 of Lecture Notes in Computer Science, pages 131–146. Springer, 2000.
[11] Bert den Boer, Kerstin Lemke, and Guntram Wicke. A DPA attack against the modular reduction within a CRT implementation of RSA. In Burton S. Kaliski Jr., Çetin Kaya Koç, and Christof Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2002, volume 2523 of Lecture Notes in Computer Science, pages 228–243. Springer, 2003.
[12] Eric Brier, Christophe Clavier, and Francis Olivier. Correlation power analysis with a leakage model. In Marc Joye and Jean-Jacques Quisquater, editors, Cryptographic Hardware and Embedded Systems – CHES 2004, volume 3156 of Lecture Notes in Computer Science, pages 16–29. Springer, 2004.
[13] Mathieu Ciet and Marc Joye. Elliptic curve cryptosystem in the presence of permanent and transient faults. Designs, Codes and Cryptography, 36(1):33–43, 2005.
[14] Jean-Sébastien Coron. Resistance against differential power analysis for elliptic curve cryptosystems. In Çetin Kaya Koç and Christof Paar, editors, Cryptographic Hardware and Embedded Systems – CHES ’99, volume 1717 of Lecture Notes in Computer Science, pages 292–302. Springer, 1999.
[15] Benoît Chevallier-Mames, Mathieu Ciet, and Marc Joye. Low-cost solutions for preventing simple side-channel analysis: Side-channel atomicity. IEEE Transactions on Computers, 53(6):760–768, 2004.
[16] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 26(6):644–654, 1976.
[17] Nevine Maurice Ebeid and M. Anwar Hasan. On randomizing private keys to counteract DPA attacks. In Mitsuru Matsui and Robert J. Zuccherato, editors, Selected Areas in Cryptography – SAC 2003, volume 3006 of Lecture Notes in Computer Science, pages 58–72. Springer, 2004.
[18] Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31(4):469–472, 1985.
[19] Pierre-Alain Fouque and Frédéric Valette. The doubling attack – why upwards is better than downwards. In Colin D. Walter, Çetin Kaya Koç, and Christof Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2003, volume 2779 of Lecture Notes in Computer Science, pages 269–280. Springer, 2003.
[20] Pierre-Alain Fouque, Gwenaëlle Martinet, and Guillaume Poupard. Attacking unbalanced RSA-CRT using SPA. In Colin D. Walter, Çetin Kaya Koç, and Christof Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2003, volume 2779 of Lecture Notes in Computer Science, pages 254–268. Springer, 2003.
[21] Pierre-Alain Fouque, Frédéric Muller, Guillaume Poupard, and Frédéric Valette. Defeating countermeasures based on randomized BSD representations. In Marc Joye and Jean-Jacques Quisquater, editors, Cryptographic Hardware and Embedded Systems – CHES 2004, volume 3156 of Lecture Notes in Computer Science, pages 312–327. Springer, 2004.
[22] Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, and Jacques Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17(2):81–104, 2004.
[23] Harvey L. Garner. The residue number system. IRE Transactions on Electronic Computers, EC-8(6):140–147, 1959.
[24] Louis Goubin. A refined power-analysis attack on elliptic curve cryptosystems. In Yvo Desmedt, editor, Public Key Cryptography – PKC 2003, volume 2567 of Lecture Notes in Computer Science, pages 199–210. Springer, 2003.
[25] JaeCheol Ha and Sang-Jae Moon. Randomized signed-scalar multiplication of ECC to resist power attacks. In Burton S. Kaliski Jr., Çetin Kaya Koç, and Christof Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2002, volume 2523 of Lecture Notes in Computer Science, pages 551–563. Springer, 2003.
[26] Dong-guk Han, Tetsuya Izu, and Tsuyoshi Takagi. Some explicit formulae of NAF and its left-to-right analogue. Cryptology ePrint Archive, Report 2005/384. Available at http://eprint.iacr.org/2005/384.
[27] Dong-Guk Han, Katsuyuki Okeya, Tae Hyun Kim, Yoon Sung Hwang, Beomin Kim, and Young-Ho Park. Enhanced exhaustive search attack on randomized BSD type countermeasure. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, E89-A(5):1316–1327, 2006.
[28] Naofumi Homma, Atsushi Miyamoto, Takafumi Aoki, Akashi Satoh, and Adi Shamir. Comparative Power Analysis of Modular Exponentiation Algorithms. IEEE Transactions on Computers, 59(6):795–807, 2010.
[29] Kai Hwang. Computer arithmetic: principles, architecture and design. Reading, John Wiley & Sons Inc, 1979.
[30] ISO/IEC 15946-4, Information technology - Security techniques – Cryptographic techniques based on elliptic curves - Part 4: Digital signatures giving message recovery.
[31] Marc Joye and Sung-Ming Yen. Optimal left-to-right binary signed-digit recoding. IEEE Transactions on Computers, 49(7):740–748, 2000.
[32] Marc Joye and Christophe Tymen. Protections against differential analysis for elliptic curve cryptography – an algebraic approach. In Çetin Kaya Koç, David Naccache, and Christof Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2001, volume 2162 of Lecture Notes in Computer Science, pages 377–390. Springer, 2001.
[33] Anton Kargl and Götz Wiesend. On randomized addition-subtraction chains to counteract differential power attacks. In Javier Lopez, Sihan Qing, and Eiji Okamoto, editors, Information and Communications Security – ICICS 2004, volume 3269 of Lecture Notes in Computer Science, pages 278–290. Springer, 2004.
[34] Chris Karlof and David Wagner. Hidden Markov model cryptanalysis. In Colin D. Walter, Çetin Kaya Koç, and Christof Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2003, volume 2779 of Lecture Notes in Computer Science, pages 17–34. Springer, 2003.
[35] Neal Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48(177):203–209, 1987.
[36] Paul C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Neal Koblitz, editor, Advances in Cryptology – CRYPTO ’96, volume 1109 of Lecture Notes in Computer Science, pages 104–113. Springer, 1996.
[37] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Introduction to differential power analysis and related attacks, 1998. Available at http://www.cryptography.com/.
[38] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential power analysis. In Michael J. Wiener, editor, Advances in Cryptology – CRYPTO ’99, volume 1666 of Lecture Notes in Computer Science, pages 388–397. Springer, 1996.
[39] Juliane Krämer, Dmitry Nedospasov, and Jean-Pierre Seifert. Weaknesses in current RSA signature schemes. In Howon Kim, editor, Information Security and Cryptology – ICISC 2011, volume 7259 of Lecture Notes in Computer Science, pages 155–168. Springer, 2012.
[40] Yuan-Han Kuo. The research of power analysis against AES. Master’s thesis, National Central University, Taiwan, R.O.C., 2004.
[41] Kerstin Lemke, Kai Schramm, and Christof Paar. DPA on n-bit sized boolean and arithmetic operations and its application to IDEA, RC6, and the HMAC-construction. In Marc Joye and Jean-Jacques Quisquater, editors, Cryptographic Hardware and Embedded Systems – CHES 2004, volume 3156 of Lecture Notes in Computer Science, pages 205–219. Springer, 2004.
[42] Pierre-Yvan Liardet and Nigel P. Smart. Preventing SPA/DPA in ECC systems using the Jacobi form. In Çetin Kaya Koç, David Naccache, and Christof Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2001, volume 2162 of Lecture Notes in Computer Science, pages 391–401. Springer, 2001.
[43] Hideyo Mamiya, Atsuko Miyaji, and Hiroaki Morimoto. Efficient countermeasure against RPA, DPA, and SPA. In Marc Joye and Jean-Jacques Quisquater, editors, Cryptographic Hardware and Embedded Systems – CHES 2004, volume 3156 of Lecture Notes in Computer Science, pages 343–356. Springer, 2004.
[44] Hideyo Mamiya, Atsuko Miyaji, and Hiroaki Morimoto. Secure elliptic curve exponentiation against RPA, ZRA, DPA, and SPA. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Science, E89-A(8):2207–2215, 2006.
[45] Stefan Mangard, Elisabeth Oswald, and Thomas Popp. Power analysis attacks, revealing the secrets of smart cards, Reading ISBN: 978-0-387-30857-9. Springer, 2007.
[46] Alfred Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of applied cryptography, Reading ISBN: 0-8493-8523-7. CRC Press, 1996.
[47] Thomas S. Messerges, Ezzy A. Dabbish, and Robert H. Sloan. Power analysis attacks of modular exponentiation in smartcards. In Çetin Kaya Koç and Christof Paar, editors, Cryptographic Hardware and Embedded Systems – CHES ’99, volume 1717 of Lecture Notes in Computer Science, pages 144–157. Springer, 1999.
[48] Victor S. Miller. Use of elliptic curves in cryptography. In Hugh C. Williams, editor, Advances in Cryptology – CRYPTO’85, volume 218 of Lecture Notes in Computer Science, pages 417–426. Springer, 1986.
[49] Atsushi Miyamoto, Naofumi Homma, Takafumi Aoki, and Akashi Satoh. Enhanced power analysis attack using chosen message against RSA hardware implementations. In Proc. of International Symposium on Circuits and Systems – ISCAS 2008, pages 3282–3285. IEEE, 2008.
[50] Peter Montgomery. Modular multiplication without trial division. Mathematics of Computation, 44(170):519–521, 1985.
[51] François Morain and Jorge Olivos. Speeding up the computation on an elliptic curve using addition-subtraction chains. Theoretical Informatics and Applications, 44:531–544, 1990.
[52] James A. Muir and Douglas R. Stinson. Minimality and other properties of the width-w nonadjacent form. Mathematics of Computation, 75(253):369–384, 2006.
[53] James A. Muir and Douglas R. Stinson. Alternative digit sets for nonadjacent representations. In Mitsuru Matsui and Robert J. Zuccherato, editors, Selected Areas in Cryptography – SAC 2003, volume 3006 of Lecture Notes in Computer Science, pages 306–319. Springer, 2004.
[54] National Institute of Standards and Technology (NIST). FIPS PUB 186-2: digital signature standard (DSS), January 2000. Available at http://csrc.nist.gov/publications/fips/archive/fips186-2/fips186-2.pdf
[55] National Institute of Standards and Technology (NIST). FIPS PUB 46-3: data encryption standard (DES), October 1999. Available at http://csrc.nist.gov/publications/fips/archive/fips46-3/fips46-3.pdf
[56] Roman Novak. SPA-based adaptive chosen-ciphertext attack on RSA implementation. In David Naccache and Pascal Paillier, editors, Public Key Cryptography – PKC 2002, volume 2274 of Lecture Notes in Computer Science, pages 252–262. Springer, 2002.
[57] Katsuyuki Okeya and Kouichi Sakurai. On insecurity of the side channel attack countermeasure using addition-subtraction chains under distinguishability between addition and doubling. In Lynn Margaret Batten and Jennifer Seberry, editors, Information Security and Privacy – ACISP 2002, volume 2384 of Lecture Notes in Computer Science, pages 420–435. Springer, 2002.
[58] Katsuyuki Okeya and Dong-Guk Han. Side channel attack on Ha-Moon’s countermeasure of randomized signed scalar multiplication. In Thomas Johansson and Subhamoy Maitra, editors, Progress in Cryptology – INDOCRYPT 2003, volume 2904 of Lecture Notes in Computer Science, pages 334–348. Springer, 2003.
[59] Katsuyuki Okeya, Katja Schmidt-Samoa, Christian Spahn, and Tsuyoshi Takagi. Signed binary representation revisited. In Matthew K. Franklin, editor, Advances in Cryptology – CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science, pages 123–139. Springer, 2004.
[60] Elisabeth Oswald and Manfred Josef Aigner. Randomized addition-subtraction chains as a countermeasure against power attacks. In Çetin Kaya Koç, David Naccache, and Christof Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2001, volume 2162 of Lecture Notes in Computer Science, pages 39–50. Springer, 2001.
[61] Public-Key Cryptography Standards, PKCS#1: RSA Cryptography Standard, RSA Laboratories. http://www.rsa.com/rsalabs/node.asp?id=2125
[62] Public-Key Cryptography Standards, PKCS#2.1: RSA Cryptography Standard, RSA Laboratories. http://www.rsasecurity.com/rsalabs/pkcs/
[63] Jean-Jacques Quisquater and C. Couvreur. Fast decipherment algorithm for the RSA public-key cryptosystem. IEEE Electronics Letters, 18(21):905–907, 1982.
[64] Jean-Jacques Quisquater and David Samyde. Electromagnetic analysis (EMA): measures and countermeasures for smart cards. In Isabelle Attali and Thomas P. Jensen, editors, Smart Card Programming and Security – E-smart 2001, volume 2140 of Lecture Notes in Computer Science, pages 200–210. Springer, 2001.
[65] George W. Reitwiesner. Binary arithmetic. Advances in Computers, 1:231–308, 1960.
[66] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.
[67] Claus-Peter Schnorr. Efficient signature generation by smart cards. Journal of Cryptography, 4(3):161–174, 1991.
[68] Kai Schramm, Thomas J. Wollinger, and Christof Paar. A new class of collision attacks and its application to DES. Fast Software Encryption – FSE 2003, volume 2887 of Lecture Notes in Computer Science, pages 206–222. Springer, 2003.
[69] Adi Shamir. Method and apparatus for protecting public key schemes from timing and fault attacks. United States Patent #5,991,415, November 23, 1999. Also presented at the rump session of EUROCRYPT 1997.
[70] Jong Hoon Shin, Dong Jin Park, and Pil Joong Lee. DPA attack on the improved Ha-Moon algorithm. In JooSeok Song, Taekyoung Kwon, and Moti Yung, editors, Information Security Applications – WISA 2005, volume 3786 of Lecture Notes in Computer Science, pages 283–291. Springer, 2006.
[71] Sang Gyoo Sim, Dong Jin Park, and Pil Joong Lee. New power analysis on the Ha-Moon algorithm and MIST algorithm. In Javier Lopez, Sihan Qing, and Eiji Okamoto, editors, Information and Communications Security – ICICS 2004, volume 3269 of Lecture Notes in Computer Science, pages 291–304. Springer, 2004.
[72] Nigel P. Smart. An analysis of Goubin’s refined power analysis attack. In Colin D. Walter, Çetin Kaya Koç, and Christof Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2003, volume 2779 of Lecture Notes in Computer Science, pages 281–290. Springer, 2003.
[73] Victor Shoup. OAEP reconsidered. Journal of Cryptology, 15(4):223–249, 2002.
[74] Standards for Efficient Cryptography Group (SECG). Specification of Standards for Efficient Cryptography, Version 1.0, 2000. Available at http://www.secg.org/secg docs.htm
[75] Transparency Market Research. Smart card market – Global industry analysis, size, share, growth, trends, and forecast, 2012–2018. Report 2011. Available at http://www.transparencymarketresearch.com/smart-card.html
[76] Wireless Application Protocol (WAP) Forum. Wireless Transport Layer Security (WTLS) Specification. Available at http://www.wapforum.org
[77] Marc F. Witteman. A DPA attack on RSA in CRT mode. Riscure Technical Report. Available at http://www.riscure.com/fileadmin/images/Docs/DPA attack on RSA in CRT mode.pdf.
[78] Marc F. Witteman, Jasper G. J. van Woudenberg, and Federico Menarini. Defeating RSA multiply-always and message blinding countermeasure. In Aggelos Kiayias, editor, Topics in Cryptology – CT-RSA 2011, volume 6558 of Lecture Notes in Computer Science, pages 77–88. Springer, 2011.
[79] Sung-Ming Yen, Chien-Ning Chen, Sang-Jae Moon, and JaeCheol Ha. Improvement on Ha-Moon randomized exponentiation algorithm. In Choonsik Park and Seongtaek Chee, editors, Information Security and Cryptology – ICISC 2004, volume 3506 of Lecture Notes in Computer Science, pages 154–167. Springer, 2005.
[80] Sung-Ming Yen, Wei-Chih Lien, Sang-Jae Moon, and JaeCheol Ha. Power analysis by exploiting chosen message and internal collisions – Vulnerability of checking mechanism for RSA-decryption. In Ed Dawson and Serge Vaudenay, editors, Progress in Cryptology – Mycrypt 2005, volume 3715 of Lecture Notes in Computer Science, pages 183–195. Springer, 2005.