TY - GEN
T1 - On the importance of protecting Δ in SFLASH against side channel attacks
AU - Okeya, Katsuyuki
AU - Takagi, Tsuyoshi
AU - Vuillaume, Camille
PY - 2004
Y1 - 2004
N2 - SFLASH was chosen as one of the final selection of the NESSIE project in 2003, It is one of the most efficient digital signature scheme and is suitable for implementation on memory-constrained devices such as smartcards. Side channel attacks (SCA) are a serious threat to memory-constrained devices. If the implementation on them is careless, we are able to break the secret key. In this paper, we experimentally analyze the effectiveness of a side channel attack on SFLASH. There are two different secret keys for SFLASH, namely the proper secret key (s, t] and the random seed Δ used for the hash function SHA-1. Whereas many papers discussed the security of(s, t), little is known about that of Δ . Steinwandt et al. proposed a theoretical DPA on finding Δ by observing the XOR operations. We propose another DPA on Δ using the addition operation modulo 232, and present an experimental result of the DPA. After obtaining the secret key Δ , the underlying problem of SFLASH can be reduced to the C* problem broken by Patarin. From our simulation, about 1408 pairs of messages and signatures are needed to break SFLASH. Consequently, we have to carefully implement SHA-1 in order to resist SCA on SFLASH.
AB - SFLASH was chosen as one of the final selection of the NESSIE project in 2003, It is one of the most efficient digital signature scheme and is suitable for implementation on memory-constrained devices such as smartcards. Side channel attacks (SCA) are a serious threat to memory-constrained devices. If the implementation on them is careless, we are able to break the secret key. In this paper, we experimentally analyze the effectiveness of a side channel attack on SFLASH. There are two different secret keys for SFLASH, namely the proper secret key (s, t] and the random seed Δ used for the hash function SHA-1. Whereas many papers discussed the security of(s, t), little is known about that of Δ . Steinwandt et al. proposed a theoretical DPA on finding Δ by observing the XOR operations. We propose another DPA on Δ using the addition operation modulo 232, and present an experimental result of the DPA. After obtaining the secret key Δ , the underlying problem of SFLASH can be reduced to the C* problem broken by Patarin. From our simulation, about 1408 pairs of messages and signatures are needed to break SFLASH. Consequently, we have to carefully implement SHA-1 in order to resist SCA on SFLASH.
UR - http://www.scopus.com/inward/record.url?scp=3042602212&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=3042602212&partnerID=8YFLogxK
U2 - 10.1109/ITCC.2004.1286713
DO - 10.1109/ITCC.2004.1286713
M3 - Conference contribution
AN - SCOPUS:3042602212
SN - 0769521088
SN - 9780769521084
T3 - International Conference on Information Technology: Coding Computing, ITCC
SP - 560
EP - 568
BT - International Conference on Information Technology
A2 - Srimani, P.K.
A2 - Abraham, A.
A2 - Cannataro, M.
A2 - Domingo-Ferrer, J.
A2 - Hashemi, R.
T2 - International Conference on Information Technology: Coding Computing, ITCC 2004
Y2 - 5 April 2004 through 7 April 2004
ER -