SPA vulnerabilities of the binary extended Euclidean algorithm

The execution flow of the binary extended Euclidean algorithm (BEEA) is heavily dependent on its inputs. Taking advantage of that fact, this work presents a novel simple power analysis (SPA) of this algorithm that reveals some exploitable power consumption-related leakages. The exposed leakages make...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:Journal of cryptographic engineering Jg. 7; H. 4; S. 273 - 285
Hauptverfasser: Aldaya, Alejandro Cabrera, Sarmiento, Alejandro J. Cabrera, Sánchez-Solano, Santiago
Format: Journal Article
Sprache:Englisch
Veröffentlicht: Berlin/Heidelberg Springer Berlin Heidelberg 01.11.2017
Springer Nature B.V
Schlagworte:
Algorithms
Circuits and Systems
Communications Engineering
Computer Communication Networks
Computer Science
Cryptography
Cryptology
Data encryption
Data Structures and Information Theory
Networks
Operating Systems
Power consumption
Regular Paper
Target recognition
Lattice attack
Side-channel analysis
Binary Euclidean algorithm
SPA
ECDSA
ISSN:2190-8508, 2190-8516
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:The execution flow of the binary extended Euclidean algorithm (BEEA) is heavily dependent on its inputs. Taking advantage of that fact, this work presents a novel simple power analysis (SPA) of this algorithm that reveals some exploitable power consumption-related leakages. The exposed leakages make it possible to retrieve some bits of the algorithm’s secret input without profiling the target device. The identified vulnerabilities can be exploited in many cryptographic protocols where the modular inversion operation is applied to a secret argument. In this work, the ECDSA protocol is used to exemplify how the presented SPA can be used to disclose in about 2 min all standardized private key sizes using less than 800 traces. In the context of ECDSA, a countermeasure previously proposed to mitigate a timing leakage during scalar multiplication is also analyzed, showing that, when it is improperly implemented, it enhances the proposed bit recovery method. Three countermeasures for removing SPA leakages from a BEEA implementation are also analyzed.
Bibliographie:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:2190-8508
2190-8516
DOI:10.1007/s13389-016-0135-4