TY - GEN
T1 - A second-order DPA attack breaks a window-method based countermeasure against side channel attacks
AU - Okeya, Katsuyuki
AU - Sakurai, Kouichi
PY - 2002/1/1
Y1 - 2002/1/1
N2 - Möller proposed a countermeasure against side channel attacks based on the window method. However, its immunity to side channel attacks is still controversial. In this paper, we show that Möller’s countermeasure is vulnerable to a second-order differential power analysis attack. A side channel attack is an attack that takes advantage of information leaked during the execution of a cryptographic procedure. An nth-order differential power analysis attack is a side channel attack which uses n different leaked data that correspond to n different intermediate values during the execution. Our proposed attack against Möller’s countermeasure detects the use of the same elliptic points, and restricts the candidates for the secret scalar value. In these circumstances, the attack completely recovers the scalar value using the Baby-Step-Giant-Step method as a direct-computational attack. For a 160-bit scalar value, the proposed attack restricts the number of candidates for the scalar to a 45-bit integer, and the direct-computational attack can actually recover the scalar value. Besides, we improve Möller’s countermeasure to prevent the proposed attack. We compare the original method and the improved countermeasure in terms of computational intractability and the computational cost of the scalar multiplication.
AB - Möller proposed a countermeasure against side channel attacks based on the window method. However, its immunity to side channel attacks is still controversial. In this paper, we show that Möller’s countermeasure is vulnerable to a second-order differential power analysis attack. A side channel attack is an attack that takes advantage of information leaked during the execution of a cryptographic procedure. An nth-order differential power analysis attack is a side channel attack which uses n different leaked data that correspond to n different intermediate values during the execution. Our proposed attack against Möller’s countermeasure detects the use of the same elliptic points, and restricts the candidates for the secret scalar value. In these circumstances, the attack completely recovers the scalar value using the Baby-Step-Giant-Step method as a direct-computational attack. For a 160-bit scalar value, the proposed attack restricts the number of candidates for the scalar to a 45-bit integer, and the direct-computational attack can actually recover the scalar value. Besides, we improve Möller’s countermeasure to prevent the proposed attack. We compare the original method and the improved countermeasure in terms of computational intractability and the computational cost of the scalar multiplication.
UR - http://www.scopus.com/inward/record.url?scp=84945314413&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84945314413&partnerID=8YFLogxK
U2 - 10.1007/3-540-45811-5_30
DO - 10.1007/3-540-45811-5_30
M3 - Conference contribution
AN - SCOPUS:84945314413
SN - 3540442707
SN - 9783540442707
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 389
EP - 401
BT - Information Security - 5th International Conference, ISC 2002, Proceedings
A2 - Chan, Agnes Hui
A2 - Gligor, Virgil
PB - Springer Verlag
T2 - 5th International Conference on Information Security, ISC 2002
Y2 - 30 September 2002 through 2 October 2002
ER -