Thesis 975202017: detailed record




Author: 王致尉 (Jhih-Wei Wang)   Department: Computer Science and Information Engineering
Title: 公開金鑰系統之實體密碼分析研究
(The Research of Public-Key Cryptosystems Implementations against Physical Cryptanalysis)
Related theses
★ Design of Multiple Digital Proxy Signature Schemes
★ Research on Micropayment Systems
★ Research on Physical Cryptanalysis Attacks
★ Research on Commercial Key Recovery and Key Escrow Mechanisms
★ Research on Physical Cryptanalysis of the AES Data Encryption Standard
★ Research on Electronic Auction Systems
★ A Dynamic Program Segment Protection Mechanism against Stack Overflow Attacks
★ A Study of Parameter Selection for the General Number Field Sieve Factoring Method
★ Implementation of a DPA-Resistant AES Encryptor on the 8051 Microcontroller
★ Research on Defending against Power Attacks with Nondeterministic Software and Mask Splitting Countermeasures
★ Research on Mask Protection Mechanisms against Differential Power Attacks
★ Research on Power Cryptanalysis of the AES Data Encryption Standard
★ Design and Cryptanalysis of Micropayment Systems
★ Research on Fair Electronic Cash Systems
★ Research on Physical Cryptanalysis of the RSA Public-Key Cryptosystem
★ Research on Protecting Data Collected by Mobile Agents
  1. Access permission for this electronic thesis: open immediately.
  2. Where the open-access period has been reached, the electronic full text is licensed to users only for academic research, for personal, non-commercial searching, reading and printing.
  3. Please comply with the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast it at will, to avoid breaking the law.

Abstract (Chinese) Today many cryptographic hardware devices, such as smart cards, are widely used in daily life. However, research in recent years has shown that carelessly implemented cryptosystems cannot withstand physical cryptanalysis. In public-key cryptosystems, the exponentiation and scalar multiplication algorithms are the two main targets of physical cryptanalysis, and since modular exponentiation and scalar multiplication are the core operations of many public-key systems, whether implementations of these algorithms can resist physical cryptanalysis has begun to receive attention.
In the first half of this thesis, we first show that the exponentiation countermeasure proposed by Joye in 2009 is vulnerable to a powerful power analysis attack, and we propose two more secure exponentiation countermeasures that eliminate the security weakness of Joye's method; the performance of these two countermeasures is almost identical to that of Joye's.
In the second half of the thesis, we analyze the security of the scalar multiplication countermeasure proposed by Zhang et al. in 2008. Because Zhang et al.'s countermeasure is vulnerable to the memory safe-error attack, we propose two efficient scalar multiplication countermeasures that resist several physical cryptanalysis attacks, including the memory safe-error attack. Rigorous security and performance analysis shows that both proposed scalar multiplication countermeasures are more efficient and more secure than Zhang et al.'s.
Abstract (English) Nowadays many cryptographic hardware devices, such as smart cards, are widely used in our daily lives. However, recent developments in physical cryptanalysis show that a naive implementation of a cryptographic algorithm no longer provides security. There are two victims of physical attacks in many public-key cryptosystems: the modular exponentiation and scalar multiplication algorithms. Since both modular exponentiation and scalar multiplication are the main operations in various public-key cryptosystems, much attention has recently been paid to the security of these algorithms against physical cryptanalysis.
In the first half of this thesis, we first introduce Joye’s downward exponentiation countermeasure, and then show that Joye’s method is still vulnerable to one powerful power analysis attack. Furthermore, we propose two more secure exponentiation countermeasures to eliminate the security weakness of Joye’s method. The performance of both improved countermeasures is almost the same as Joye’s.
In the second half of this thesis, we analyze the vulnerability of Zhang et al.’s scalar multiplication countermeasure under the memory safe-error attack. Then two better countermeasures against physical attacks, including the memory safe-error attack, are proposed. Compared with Zhang et al.’s countermeasure, the two proposed countermeasures achieve both higher security and better performance.
Keywords (Chinese) ★ modular exponentiation
★ physical cryptanalysis
★ power analysis attack
★ safe-error attack
★ scalar multiplication
★ public-key cryptosystem
Keywords (English) ★ public-key cryptosystem
★ modular exponentiation
★ scalar multiplication
★ physical cryptanalysis
★ safe-error attack
★ power analysis attack
Table of Contents
1 Introduction
1.1 Motivation
1.2 Overview of the Thesis
2 Review of Physical Cryptanalysis against Modular Exponentiation
2.1 Exponentiation Algorithms
2.2 Simple Power Analysis (SPA)
2.3 Computational Safe-error Attack (C-SEA)
2.4 Doubling Attack (DA)
2.5 Montgomery Ladder Algorithm
2.6 Relative Doubling Attack (RDA)
3 Regular Downward m-ary Exponentiation Countermeasures
3.1 Motivation
3.2 Joye’s Downward m-ary Exponentiation Algorithm
3.3 Security Weakness of Joye’s Countermeasure
3.4 Improvement on Joye’s Method
3.5 Security Analysis of the Proposed Countermeasures
3.6 Performance Analysis of the Proposed Countermeasures
3.7 Summary
4 Review of Physical Cryptanalysis against Scalar Multiplication
4.1 Scalar Multiplication Algorithms
4.2 Memory Safe-error Attack (M-SEA)
4.3 Differential Power Analysis (DPA)
4.4 Possible DPA Countermeasures
4.5 Refined Power Analysis (RPA) and Zero-Value Point Attack (ZPA)
4.6 BRIP Countermeasure
5 Efficient Upward Window-Based Scalar Multiplication Algorithms
5.1 Motivation
5.2 Zhang et al.’s Upward Window-Based Countermeasure
5.3 Memory Safe-error Attack to Zhang et al.’s Method
5.4 The Proposed Countermeasures
5.5 Security Analysis of the Proposed Countermeasures
5.6 Performance Analysis of the Proposed Countermeasures
5.7 Summary
6 Conclusions
6.1 Brief Review of the Main Contributions
6.2 Further Research Topics and Directions
Advisor: 顏嵩銘 (Sung-Ming Yen)   Review date: 2010-7-5

For questions about this thesis, please contact the Promotion Services Division of the National Central University Library, TEL: (03)422-7151 ext. 57407, or by e-mail.