KR101665600B1 - Apparatus and Method for Protecting Power Collision Attack on Elliptic Curve Cryptography


Publication number
KR101665600B1
Authority
KR
South Korea
Application number
KR1020150096689A
Other languages
Korean (ko)
Inventor
한동국
심보연
Original Assignee
국민대학교산학협력단

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves


Abstract

The present invention relates to an apparatus and method that construct the LDML (Lopez-Dahab Montgomery Ladder) algorithm so that it is safe against side-channel analysis, allowing an ECC encryption algorithm to cope with a power collision attack. A register address bit randomization technique and a random projective coordinate system are applied, and the register address used to load or store data is always either random or fixed, so that its association with the key bits is removed and a power collision attack on the ECC encryption algorithm can be countered.

Description

Apparatus and Method for Protecting Power Collision Attack on Elliptic Curve Cryptography

The present invention relates to an apparatus and method that construct the LDML (Lopez-Dahab Montgomery Ladder) algorithm so that it is safe against side-channel analysis, allowing an ECC encryption algorithm to respond to a power collision attack.

Generally, RSA, which is the core algorithm of the accredited certificate system used in many electronic transactions such as Internet banking and Internet securities trading, and ECC (Elliptic Curve Cryptography), which is suitable for embedded platforms such as electronic passports, USIMs and smart cards, are vulnerable to side-channel analysis attacks.

A side-channel analysis attack is a physical attack that uses the side-channel information produced while a cryptographic algorithm runs on a secure device.

Among side-channel analysis attacks, the power analysis attack, which observes and analyzes the power consumed while the encryption algorithm executes, is the strongest. Typical examples are Simple Power Analysis (SPA), Differential Power Analysis (DPA) and the Collision Attack (CA).

The collision attack is a very powerful technique that applies even to public key cryptographic algorithms such as RSA and ECC that have been designed to be secure against simple power analysis and differential power analysis.

Therefore, it is necessary to research and develop a secure public key encryption algorithm that can cope with this.

In other words, the security of past information protection devices depended on the mathematical safety of the embedded cryptographic algorithm. Because physical vulnerabilities due to side-channel analysis attacks also exist, it is essential to design secure countermeasures.

Prior art documents: Korean Patent No. 10-0402156; Korean Patent Publication No. 10-2009-0070060

The present invention addresses the physical vulnerability of prior-art public key cryptographic algorithms to side-channel analysis attacks. Its object is to provide an apparatus and method that construct the LDML (Lopez-Dahab Montgomery Ladder) algorithm so that it is safe against side-channel analysis and can respond to a power collision attack.

Another object of the present invention is to provide an apparatus and method that respond to a power collision attack on the ECC encryption algorithm by randomizing register addresses with a random number whose bit length equals that of the scalar d, and by additionally using a register Zq so that the register address called during the addition operation is the same.

Another object of the present invention is to provide an apparatus and method that respond to a power collision attack on the ECC encryption algorithm by applying a register address bit randomization technique and a random projective coordinate system and by using one additional register, so that the register address used to load or store data is always random or fixed and its association with the key bits is removed.

The objects of the present invention are not limited to the above-mentioned objects, and other objects not mentioned can be clearly understood by those skilled in the art from the following description.

In order to achieve the above object, an apparatus for responding to a power collision attack of an ECC encryption algorithm according to the present invention includes: a plaintext and secret key input unit for inputting a secret value (d) and a point (P) on an elliptic curve; a register address random value generator for generating a random number (r) having the same bit length as the secret value (d) to randomize the register address; a point random value generator for generating a random point (R) on the elliptic curve to counter simple power analysis and differential power analysis; an initial operation execution unit for randomizing the initial operation result value with the random point R and randomly configuring, with the r_{n-1} bit, the register address that stores the result of the d_{n-1} bit operation; a point addition and doubling operation execution unit for starting the iterative operation from the d_{n-2} bit, randomly configuring, with the r_i and r_{i+1} bits, the register address for loading the data necessary for the d_i bit intermediate operation, configuring as constant the register address for loading the data necessary for the d_i bit intermediate operation, and randomly configuring, with the r_i bit, the address for storing the result of the d_i bit operation, to perform point addition and doubling; a final operation execution unit for randomly configuring, with the r_0 bit, the register address for loading the data necessary for the final operation, to perform the final operation; and a ciphertext output unit for outputting a ciphertext according to the final operation.

According to another aspect of the present invention, there is provided an apparatus for responding to a power collision attack of an ECC encryption algorithm, including: a plaintext and secret key input unit for inputting a secret value (d) and a point (P) on an elliptic curve; a first register address random value generator for generating a random bit r_1 to randomize the register address; a point random value generator for generating a random point (R) on the elliptic curve to counter simple power analysis and differential power analysis; an initial operation execution unit for randomizing the initial operation result value with the random point R and randomly configuring, with the r_1 bit, the register address that stores the result of the d_{n-1} bit operation; a second register address random value generator for generating a random bit r_2 to randomize the register address; a point addition and doubling operation execution unit for starting the iterative operation from the d_{n-2} bit, randomly configuring, with the r_1 and r_2 bits, the register address for loading the data necessary for the d_i bit intermediate operation, configuring as constant the register address for loading the data necessary for the d_i bit intermediate operation, and randomly configuring, with the r_2 bit, the address for storing the result of the d_i bit operation, to perform point addition and doubling; a final operation execution unit for randomly configuring, with the r_1 bit, the register address for loading the data necessary for the final operation, to perform the final operation; and a ciphertext output unit for outputting a ciphertext according to the final operation.

Here, the plain text and secret key input unit is characterized in that when the input secret value d = 0, dP = 0 is returned and the algorithm is terminated.

The simple power analysis countermeasure in the point random value generator and the initial operation execution unit prevents exposure of the d_{n-2} bit, and the differential power analysis countermeasure prevents exposure of intermediate data.

In addition, the point addition and doubling operation execution unit performs point addition and doubling by randomly configuring, with the r_i and r_{i+1} bits, the register for loading the data necessary for the d_i bit intermediate operation and the address for storing the operation result.

In addition, the point addition and doubling operation execution unit decreases the index i in order to perform the iterative operation one bit at a time from the d_{n-1} bit to the d_0 bit, and checks whether the iterative operation has been performed up to the d_0 bit.

In addition, the point addition and doubling operation execution unit performs point addition and doubling by configuring, with the r_1 and r_2 bits, the register for loading the data necessary for the d_i bit intermediate operation and the address for storing the operation result.

The point addition and doubling operation execution unit replaces the random value to be used in the next iteration so that the correct operation result is returned, decreases the index i in order to perform the iterative operation one bit at a time from the d_{n-1} bit to the d_0 bit, and checks whether the iterative operation has been performed up to the d_0 bit.

According to another aspect of the present invention, there is provided a method for responding to a power collision attack of an ECC encryption algorithm, comprising: a plaintext and secret key input step of inputting a secret value (d) and a point (P) on an elliptic curve; a register address random value generating step of generating a random number (r) having the same bit length as the secret value (d) to randomize the register address; a point random value generating step of generating a random point (R) on the elliptic curve to counter simple power analysis and differential power analysis; an initial operation execution step of randomizing the initial operation result value with the random point R and randomly configuring, with the r_{n-1} bit, the register address that stores the result of the d_{n-1} bit operation; a step of starting the iterative operation from the d_{n-2} bit, randomly configuring, with the r_i and r_{i+1} bits, the register address for loading the data necessary for the d_i bit intermediate operation, configuring as constant the register address for loading the data necessary for the d_i bit intermediate operation, and randomly configuring, with the r_i bit, the address for storing the result of the d_i bit operation, to perform point addition and doubling; a step of performing the final operation by randomly configuring, with the r_0 bit, the register address for loading the data necessary for the final operation; and a step of outputting a ciphertext according to the final operation.

According to another aspect of the present invention, there is provided a method for responding to a power collision attack of an ECC encryption algorithm, comprising: a plaintext and secret key input step of inputting a secret value (d) and a point (P) on an elliptic curve; a first register address random value generating step of generating a random bit r_1 to randomize the register address; a point random value generating step of generating a random point (R) on the elliptic curve to counter simple power analysis and differential power analysis; an initial operation execution step of randomizing the initial operation result value with the random point R and randomly configuring, with the r_1 bit, the register address that stores the result of the d_{n-1} bit operation; a second register address random value generating step of generating a random bit r_2 to randomize the register address; a step of starting the iterative operation from the d_{n-2} bit, randomly configuring, with the r_1 and r_2 bits, the register address for loading the data necessary for the d_i bit intermediate operation, configuring as constant the register address for loading the data necessary for the d_i bit intermediate operation, and randomly configuring, with the r_2 bit, the address for storing the result of the d_i bit operation, to perform point addition and doubling; a step of performing the final operation by randomly configuring, with the r_1 bit, the register address for loading the data necessary for the final operation; and a step of outputting a ciphertext according to the final operation.

Here, the simple power analysis countermeasure in the point random value generating step and the initial operation execution step prevents exposure of the d_{n-2} bit.

In the step of performing point addition and doubling, point addition and doubling are performed by randomly configuring, with the r_i and r_{i+1} bits, the register for loading the data necessary for the d_i bit intermediate operation and the address for storing the operation result.

In the step of performing point addition and doubling, the index i is decreased in order to perform the iterative operation one bit at a time from the d_{n-1} bit to the d_0 bit, and it is checked whether the iterative operation has been performed up to the d_0 bit.

In the step of performing point addition and doubling, point addition and doubling are performed by configuring, with the r_1 and r_2 bits, the register for loading the data necessary for the d_i bit intermediate operation and the address for storing the operation result.

In the step of performing point addition and doubling, the random value to be used in the next iteration is replaced so that the correct operation result is returned, the index i is decreased in order to perform the iterative operation one bit at a time from the d_{n-1} bit to the d_0 bit, and it is checked whether the iterative operation has been performed up to the d_0 bit.

The apparatus and method for responding to a power collision attack of the ECC encryption algorithm according to the present invention have the following effects.

First, the LDML (Lopez-Dahab Montgomery Ladder) algorithm can be constructed so that it is safe against side-channel analysis.

Second, a countermeasure can be designed that provides higher security against collision attacks on the ECC algorithm, which is a public key encryption algorithm.

Third, collision attacks can be countered effectively by using a register address bit randomization technique and a random projective coordinate system, together with a countermeasure that uses one additional register.

FIG. 1 is a block diagram of an apparatus for responding to a power collision attack of an ECC encryption algorithm according to a first embodiment of the present invention.
FIG. 2 is a flowchart showing a method for responding to a power collision attack of the ECC encryption algorithm according to the first embodiment of the present invention.
FIG. 3 is a block diagram of an apparatus for responding to a power collision attack of an ECC encryption algorithm according to a second embodiment of the present invention.
FIG. 4 is a flowchart illustrating a method for responding to a power collision attack of an ECC encryption algorithm according to the second embodiment of the present invention.

Hereinafter, a preferred embodiment of an apparatus and method for responding to a power collision attack of the ECC encryption algorithm according to the present invention will be described in detail.

The features and advantages of the apparatus and method for responding to a power collision attack of the ECC encryption algorithm according to the present invention will be apparent from the following detailed description of each embodiment.

FIG. 1 is a block diagram of an apparatus for responding to a power collision attack of an ECC encryption algorithm according to a first embodiment of the present invention, and FIG. 2 is a flowchart showing a method for responding to a power collision attack of the ECC encryption algorithm according to the first embodiment of the present invention.

In order to solve the physical vulnerability caused by side-channel analysis attacks on the ECC cryptographic algorithm, the present invention constructs the LDML (Lopez-Dahab Montgomery Ladder) algorithm so that it is safe against side-channel analysis.

To this end, the address of the register is randomized by using a random number having a bit length equal to the bit length of the scalar d, and the register Zq is additionally used so that the register address called during the addition operation is the same, so that a power collision attack on the ECC encryption algorithm can be countered.

Definitions of the terms used in the following description are as shown in Table 1.

Figure 112015065847055-pat00001

First, the Lopez-Dahab Montgomery ladder with randomized address algorithm, which applies a random projective coordinate system and a register address randomization countermeasure to cope with side-channel analysis attacks on the ECC encryption algorithm, will be described.

First, to prevent the d_{n-2} bit from being exposed by simple power analysis, a random finite field element R is generated and the coordinate system is randomized, so that the algorithm is configured such that no multiplication with Z_1 = 1 occurs.

In order to cope with a collision attack, the address of the register is randomized by using a random number r = (r_{n-1} r_{n-2} ... r_0)_2 having a bit length equal to the bit length of the scalar d.

Further, by additionally using the register Z_q, the address of the register loaded during the addition operation can be made the same whether the secret key bit is 0 or 1, thereby coping with the collision attack.

As shown in Table 2, by combining the random projective coordinate algorithm and the register randomization algorithm, a countermeasure for the LDML (Lopez-Dahab Montgomery Ladder) algorithm can be designed that withstands simple power analysis, differential power analysis and collision attacks.

Figure 112015065847055-pat00002

The safety verification of the Lopez-Dahab Montgomery ladder with randomized address and random projective coordinates in the apparatus and method for responding to a power collision attack of the ECC encryption algorithm according to the present invention is as follows.

The verification covers safety against register address collisions between the operations for two different exponent bits, safety against register address collisions within the operation for one exponent bit, safety against data collisions in an exponent bit operation, and safety against collisions when operation data is stored and loaded.

The apparatus for responding to a power collision attack of the ECC encryption algorithm according to the first embodiment of the present invention includes: a plaintext and secret key input unit 10 that inputs a secret value d and a point P on an elliptic curve and, if the input secret value d = 0, returns dP = 0 and terminates the algorithm; a register address random value generator 11 that generates a random number r having the same bit length as d to randomize the register address; a point random value generator 12 that generates a random point R on the elliptic curve to counter simple power analysis (d_{n-2} bit exposure) and differential power analysis; an initial operation execution unit 13 that randomizes the initial operation result value with R to counter simple power analysis (d_{n-2} bit exposure) and differential power analysis, and randomly configures, with the r_{n-1} bit, the register address that stores the result of the d_{n-1} bit operation; a point addition and doubling operation execution unit 14 that starts the iterative operation from the d_{n-2} bit, randomly configures, with the r_i bit, the register address for loading the data necessary for the d_i bit intermediate operation, configures as constant the register address for loading the data necessary for the d_i bit intermediate operation, and randomly configures, with the r_i and r_{i+1} bits, the register for loading the data necessary for the d_i bit intermediate operation and the address for storing the operation result, to perform point addition and doubling; a final operation execution unit 15 that randomly configures, with the r_0 bit, the register address for loading the data necessary for the final operation, to perform the final operation; and a ciphertext output unit 16 that outputs a ciphertext according to the final operation.

In this case, the point addition and doubling operation execution unit 14 decreases the index i in order to perform the iterative operation one bit at a time from the d_{n-1} bit to the d_0 bit, and checks whether the iterative operation has been performed up to the d_0 bit.

The apparatus for responding to a power collision attack of the ECC encryption algorithm according to the first embodiment of the present invention randomizes the address of the register using a random number having the same bit length as the scalar d, and additionally uses the register Zq so that the address of the register loaded during the addition operation is the same whether the secret key bit is 0 or 1, so that it can cope with a power collision attack on the ECC encryption algorithm.

Specifically, as shown in FIG. 2, the secret value d and the point P on the elliptic curve are input (S200). If the input secret value d = 0, dP = 0 is returned and the algorithm is terminated (S201).

Then, in order to randomize the register address, a random number r having the same bit length as d is generated (S202).

Then, a random point R on the elliptic curve is generated to counter simple power analysis (d_{n-2} bit exposure) and differential power analysis (S203).

Next, to counter simple power analysis (d_{n-2} bit exposure) and differential power analysis, the initial operation result value is randomized with R (S204).

The register address for storing the result of the d_{n-1} bit operation is randomly configured with the r_{n-1} bit (S205), and the iterative operation is started from the d_{n-2} bit (S206).

Next, the register address for loading the data necessary for the d_i bit intermediate operation is randomly configured with the r_i bit (S207), and the register address for loading the data necessary for the d_i bit intermediate operation is configured as constant (S208).

The register for loading the data necessary for the d_i bit intermediate operation and the address for storing the operation result are randomly configured with the r_i and r_{i+1} bits to perform point addition and doubling (S209).

Next, in order to perform the iterative operation one bit at a time from the d_{n-1} bit to the d_0 bit, the index i is decreased (S210), and it is checked whether the iterative operation has been performed up to the d_0 bit (S211).

Then, the register address for loading the data necessary for the final operation is randomly configured with the r_0 bit to perform the final operation (S212), and a ciphertext according to the final operation is output (S213).
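The address schedule of steps S205 to S212, as an added example that is neither the patent's Table 2 algorithm (which this page carries only as an image) nor the inventors' code: a generic Montgomery ladder whose register indices are masked with the bits of r, run over a toy prime-field curve constructed for this sketch. The load index d_i XOR r_{i+1}, the store layout d_i XOR r_i and all function names are assumptions; random projective coordinates, the Zq register and the binary-field LDML arithmetic are left out.

```c
/* Added example: Montgomery ladder with randomized register addressing.
 * Toy parameters constructed for illustration: y^2 = x^3 + x - 1 over F_1009,
 * base point (2, 3). Affine prime-field arithmetic stands in for the LDML
 * binary-field arithmetic; random projective coordinates and Zq are omitted. */
#include <stdio.h>

#define PRIME 1009
#define COEF_A 1

typedef struct { int x, y, inf; } pt;
static const pt BASE = {2, 3, 0};          /* 3^2 = 2^3 + 2 - 1 */
static const pt INFTY = {0, 0, 1};

static int md(int v) { v %= PRIME; return v < 0 ? v + PRIME : v; }

static int inv(int v) {                    /* Fermat inverse: v^(p-2) mod p */
    int r = 1, e = PRIME - 2;
    for (v = md(v); e; e >>= 1) {
        if (e & 1) r = md(r * v);
        v = md(v * v);
    }
    return r;
}

/* Complete affine group law: handles infinity, inverses and doubling. */
static pt ec_add(pt a, pt b) {
    pt r = INFTY;
    int s;
    if (a.inf) return b;
    if (b.inf) return a;
    if (a.x == b.x) {
        if (md(a.y + b.y) == 0) return r;  /* a = -b */
        s = md(md(3 * a.x * a.x + COEF_A) * inv(2 * a.y));
    } else {
        s = md(md(b.y - a.y) * inv(b.x - a.x));
    }
    r.x = md(s * s - a.x - b.x);
    r.y = md(s * (a.x - r.x) - a.y);
    r.inf = 0;
    return r;
}

static int pt_eq(pt a, pt b) {
    return a.inf ? b.inf : (!b.inf && a.x == b.x && a.y == b.y);
}

/* Returns d*BASE with register indices masked by r (same bit length n as d).
 * Invariant after the step for bit i: Q[r_i] = kP and Q[1 - r_i] = (k+1)P,
 * where k is the key prefix d_{n-1}..d_i. If trace is non-NULL, bit i of
 * *trace receives the register index read by the doubling in step i. */
static pt ladder_ra(unsigned d, unsigned r, unsigned *trace) {
    pt Q[3];
    unsigned rt;
    int top = 0, i;
    if (trace) *trace = 0;
    if (d == 0) return INFTY;              /* d = 0: return dP = 0 and stop */
    while ((d >> top) > 1) top++;          /* top = n - 1 */
    rt = (r >> top) & 1;
    Q[rt] = BASE;                          /* initial store selected by r_{n-1} */
    Q[1 - rt] = ec_add(BASE, BASE);
    for (i = top - 1; i >= 0; i--) {
        unsigned di = (d >> i) & 1;
        unsigned ld = di ^ ((r >> (i + 1)) & 1);   /* load index: d_i ^ r_{i+1} */
        unsigned st = di ^ ((r >> i) & 1);         /* store layout: d_i ^ r_i */
        if (trace) *trace |= ld << i;
        Q[2] = ec_add(Q[ld], Q[ld]);               /* doubling */
        Q[1] = ec_add(Q[0], Q[1]);                 /* addition, fixed addresses */
        Q[0] = Q[2 - st];
        Q[1] = Q[1 + st];
    }
    return Q[r & 1];                       /* final load selected by r_0 */
}

/* 1 if the masked ladder equals repeated addition for all d, r < limit. */
static int check_all(unsigned limit) {
    pt ref = INFTY;
    unsigned d, r;
    for (d = 0; d < limit; d++) {
        for (r = 0; r < limit; r++)
            if (!pt_eq(ladder_ra(d, r, NULL), ref)) return 0;
        ref = ec_add(ref, BASE);
    }
    return 1;
}

static unsigned dbl_trace(unsigned d, unsigned r) {
    unsigned t;
    ladder_ra(d, r, &t);
    return t;
}

int main(void) {
    printf("ladder == reference: %d\n", check_all(64));
    printf("trace d=0x2D r=0x00: 0x%02X\n", dbl_trace(0x2D, 0x00));
    printf("trace d=0x2D r=0x1A: 0x%02X\n", dbl_trace(0x2D, 0x1A));
    printf("trace d=0x32 r=0x24: 0x%02X\n", dbl_trace(0x32, 0x24));
    return 0;
}
```

With r = 0 the doubling's load indices reproduce the key bits below the top bit; with a mask, two different keys can produce the same index sequence, so the address pattern alone no longer identifies d.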

An apparatus and method for responding to a power collision attack of an ECC encryption algorithm according to a second embodiment of the present invention will now be described.

FIG. 3 is a block diagram of an apparatus for responding to a power collision attack of an ECC encryption algorithm according to a second embodiment of the present invention, and FIG. 4 is a flowchart illustrating a method for responding to a power collision attack of an ECC encryption algorithm according to the second embodiment of the present invention.

As shown in FIG. 3, the apparatus for responding to a power collision attack of the ECC encryption algorithm according to the second embodiment of the present invention includes: a plaintext and secret key input unit 30 that inputs a secret value d and a point P on an elliptic curve and, when the input secret value d = 0, returns dP = 0 and terminates the algorithm; a first register address random value generator that generates a random bit r_1 to randomize the register address; a point random value generator 33 that generates a random point R on the elliptic curve to counter simple power analysis (d_{n-2} bit exposure) and differential power analysis; an initial operation execution unit 33 that randomizes the initial operation result value with R to counter simple power analysis (d_{n-2} bit exposure) and differential power analysis, and randomly configures, with the r_1 bit, the register address that stores the result of the d_{n-1} bit operation; a second register address random value generator 34 that generates a random bit r_2 to randomize the register address; a point addition and doubling operation execution unit 35 that starts the iterative operation from the d_{n-2} bit, randomly configures, with the r_2 bit, the register address for loading the data necessary for the d_i bit intermediate operation, and randomly configures, with the r_1 and r_2 bits, the register for loading the data necessary for the d_i bit intermediate operation and the address for storing the operation result, to perform point addition and doubling; a final operation execution unit that randomly configures, with the r_1 bit, the register address for loading the data necessary for the final operation, to perform the final operation; and a ciphertext output unit 37 that outputs a ciphertext according to the final operation.

Here, the point addition and doubling operation execution unit 35 replaces the random value to be used in the next iteration so that the correct operation result is returned, decreases the index i in order to perform the iterative operation one bit at a time from the d_{n-1} bit to the d_0 bit, and checks whether the iterative operation has been performed up to the d_0 bit.

The apparatus for responding to a power collision attack of the ECC encryption algorithm according to the second embodiment of the present invention includes a first and a second register address random value generator to cope with a power collision attack of the ECC encryption algorithm.

Specifically, as shown in FIG. 4, a secret value d and a point P on an elliptic curve are input (S400). If the input secret value d = 0, dP = 0 is returned and the algorithm is terminated (S401).

Next, a random bit r_1 is generated to randomize the register address (S402), and a random point R on the elliptic curve is generated to counter simple power analysis (d_{n-2} bit exposure) and differential power analysis (S403).

In order to counter simple power analysis (d_{n-2} bit exposure) and differential power analysis, the initial operation result value is randomized with R (S404).

Next, the register address for storing the result of the d_{n-1} bit operation is randomly configured with the r_1 bit (S405), and the iterative operation is started from the d_{n-2} bit (S406).

Next, a random bit r_2 is generated to randomize the register address (S407), and the register address for loading the data necessary for the d_i bit intermediate operation is randomly configured with the r_2 bit (S408).

Next, the register for loading the data necessary for the d_i bit intermediate operation is configured as constant (S409), and the register for loading the data necessary for the d_i bit intermediate operation and the address for storing the operation result are configured with the r_1 and r_2 bits to perform point addition and doubling (S410).

Then, the random value to be used in the next iteration is replaced (S411), the index i is decreased in order to perform the iterative operation one bit at a time from the d_{n-1} bit to the d_0 bit (S412), and it is checked whether the iterative operation has been performed up to the d_0 bit (S413).

Finally, the register address for loading the data necessary for the final operation is randomly configured with the r_1 bit to perform the final operation (S414), and a ciphertext according to the final operation is output (S415).

Here, in the step of generating the random bit r_2 to randomize the register address (S407) and in the step of replacing the random value used in the next iteration (S411), the random value is generated and applied one bit at a time.

The apparatus and method for responding to a power collision attack of the ECC encryption algorithm according to the present invention as described above use a register address bit randomization technique and a random projective coordinate system together with one additional register, and the register address used to load or store data is always random or fixed, so that its association with the key bits is eliminated and a power collision attack on the ECC encryption algorithm can be countered.

As described above, it will be understood that the present invention may be implemented in modified forms without departing from its essential characteristics.

It is therefore to be understood that the specified embodiments are to be considered in an illustrative rather than a restrictive sense, that the scope of the invention is indicated by the appended claims rather than by the foregoing description, and that all differences falling within the scope of equivalents thereof should be interpreted as being included in the present invention.

10. Plaintext and secret key input unit
11. Register address random value generator
12. Point random value generator
13. Initial operation execution unit
14. Point addition and doubling operation execution unit
15. Final operation execution unit
16. Ciphertext output unit

Claims (15)

A secret value (d), and a point (P) on the elliptic curve;
A register address random value generator for generating a random number (r) having the same bit length as the secret value (d) to randomize the register address;
A point random value generator for generating a random point (R) on the elliptic curve to correspond to the simple power analysis and the differential power analysis;
An initial computation unit randomizing the initial computation result value to a random point R and randomly configuring a register address for storing the d n-1 bit computation result value to r n-1 bits;
a register address for starting the d n-2 bit repetition operation, randomly constructing a register address for reading data required for the d i bit intermediate operation with r i , r i + 1 bits, and registering the data required for the d i bit intermediate operation A point addition, a double operation performing unit for performing a point addition, a double operation, and a register operation for randomly configuring a register address for storing a result of the d i bit operation to r i bits;
A final arithmetic execution unit for randomly constructing a register address for fetching data necessary for a final arithmetic operation with r 0 bits to perform a final arithmetic operation; And a ciphertext output unit for outputting a ciphertext according to a final operation. The point addition and double operation unit include registers for fetching data necessary for the d i bit intermediate operation and addresses for storing the operation result as r i and r i + And a point addition and a double operation are performed by randomly configuring one bit.
A plaintext and secret key input unit that receives a secret value (d) and a point (P) on the elliptic curve;
A first register address random value generator for generating a random bit $r_1$ to randomize a register address;
A point random value generator for generating a random point (R) on the elliptic curve to counter simple power analysis and differential power analysis;
An initial arithmetic execution unit that randomizes the initial arithmetic operation result value to the random point R and randomly configures, with the $r_1$ bit, a register address for storing the $d_{n-1}$-bit arithmetic operation result value;
A second register address random value generator for generating a random bit $r_2$ to randomize a register address;
A point addition and double operation unit that starts the cyclic operation at the $d_{n-2}$ bit, randomly configures, with the $r_1$, $r_2$ bits, a register address for loading data necessary for the $d_i$-bit intermediate operation, and, with a constant register address for loading the data required for the $d_i$-bit intermediate operation, performs point addition and double operation, randomly configuring, with the $r_2$ bit, a register address for storing the result of the $d_i$-bit operation;
A final arithmetic execution unit that randomly configures, with the $r_1$ bit, a register address for fetching data necessary for a final arithmetic operation and performs the final arithmetic operation; and
A ciphertext output unit for outputting a ciphertext according to the final operation,
wherein the point addition and double operation unit performs point addition and double operation by randomly configuring, with the $r_1$, $r_2$ bits, the register for loading data required for the $d_i$-bit intermediate operation and the address for storing the operation result, the apparatus being for responding to a power collision attack of an ECC encryption algorithm.
The apparatus of claim 1 or 2, wherein the plaintext and secret key input unit returns dP = 0 and then terminates the algorithm if the input secret value d = 0.

The apparatus of claim 1 or 2, wherein the simple power analysis countermeasure in the point random value generator and the initial computation unit blocks exposure of the $d_{n-2}$ bit, and the differential power analysis countermeasure prevents exposure of intermediate data, the apparatus being for responding to a power collision attack of an ECC encryption algorithm.

(deleted)

The apparatus of claim 1, wherein the point addition and double operation performing unit decides whether the iterative operation has been repeated up to the $d_0$ bit, decreasing the index i so that the iterative operation is performed one bit at a time from the $d_{n-1}$ bit to the $d_0$ bit.

(deleted)

The apparatus of claim 2, wherein the point addition and double operation unit replaces the random value used in the next iteration step in order to return the correct result of the operation, and checks whether the cyclic operation has been performed up to the $d_0$ bit, decreasing the index i so that the cyclic operation is performed one bit at a time from the $d_{n-1}$ bit to the $d_0$ bit.
A plaintext and secret key input step of inputting a secret value (d) and a point (P) on an elliptic curve;
A register address random value generation step of generating a random number (r) having the same bit length as the secret value (d) to randomize the register address;
A point random value generating step of generating a random point (R) on the elliptic curve to counter simple power analysis and differential power analysis;
An initial computation step of randomizing an initial computation result value to the random point R and randomly configuring, with the $r_{n-1}$ bit, a register address for storing the $d_{n-1}$-bit computation result value;
A step of performing point addition and double operation by starting the repetition operation at the $d_{n-2}$ bit, randomly configuring, with the $r_i$, $r_{i+1}$ bits, a register address for reading data required for the $d_i$-bit intermediate operation, registering the data required for the $d_i$-bit intermediate operation, and randomly configuring, with the $r_i$ bit, a register address for storing the result of the $d_i$-bit operation; and
A step of performing a final operation by randomly configuring, with the $r_0$ bit, a register address for fetching data necessary for the final operation,
wherein the step of performing point addition and double operation performs point addition and double operation by randomly configuring, with the $r_i$ and $r_{i+1}$ bits, the register for loading data necessary for the $d_i$-bit intermediate operation and the address for storing the result of the operation, the method being for responding to a power collision attack of an ECC encryption algorithm.
A plaintext and secret key input step of inputting a secret value (d) and a point (P) on an elliptic curve;
A first register address random value generation step of generating a random bit $r_1$ to randomize a register address;
A point random value generating step of generating a random point (R) on the elliptic curve to counter simple power analysis and differential power analysis;
An initial computation step of randomizing an initial computation result value to the random point R and randomly configuring, with the $r_1$ bit, a register address for storing the $d_{n-1}$-bit computation result value;
A second register address random value generation step of generating a random bit $r_2$ to randomize a register address;
A step of performing point addition and double operation by starting the cyclic operation at the $d_{n-2}$ bit, randomly configuring, with the $r_1$, $r_2$ bits, a register address for loading data necessary for the $d_i$-bit intermediate operation, using a constant register address for loading the data required for the $d_i$-bit intermediate operation, and randomly configuring, with the $r_2$ bit, a register address for storing the result of the $d_i$-bit operation; and
A step of performing a final operation by randomly configuring, with the $r_1$ bit, a register address for fetching data necessary for the final operation,
wherein the step of performing point addition and double operation performs point addition and double operation by randomly configuring, with the $r_1$, $r_2$ bits, the register for loading data necessary for the $d_i$-bit intermediate operation and the address for storing the result of the operation.
The method according to claim 9 or 10, wherein the simple power analysis countermeasure in the point random value generation step and the initial calculation execution step prevents exposure of the $d_{n-2}$ bit.

(deleted)

The method of claim 9, wherein the step of performing point addition and double operation decides whether the iterative operation has been repeated up to the $d_0$ bit, decreasing the index i so that the iterative operation is performed one bit at a time from the $d_{n-1}$ bit to the $d_0$ bit.

(deleted)

The method of claim 10, wherein the step of performing point addition and double operation replaces the random value used in the next iteration step in order to return the correct result of the operation, and checks whether the cyclic operation has been performed up to the $d_0$ bit, decreasing the index i so that the cyclic operation is performed one bit at a time from the $d_{n-1}$ bit to the $d_0$ bit.
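The data flow of the first apparatus and method claims above can be followed in a small functional model. This is an added example, not code from the patent: the toy curve, the function names, the two result registers `T[0]`/`T[1]` and the fixed operand registers holding −R and P − R are assumptions made for illustration. It models only which register is read and written at each step and that the blinded result equals dP; it does not measure or prove leakage resistance.

```python
import secrets

# Textbook toy curve y^2 = x^3 + 2x + 2 over F_17; G = (5, 1) generates all 19 points.
P_MOD, A, G, ORDER = 17, 2, (5, 1), 19

def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def neg(p):
    return None if p is None else (p[0], -p[1] % P_MOD)

def naive_mul(k, p):
    """Reference k*p by repeated addition (only sensible in a toy group)."""
    q = None
    for _ in range(k % ORDER):
        q = add(q, p)
    return q

def bit(v, i):
    return (v >> i) & 1

def blinded_mul(d, p, r=None, k=None):
    """Return (d*p, trace); trace holds (i, read_slot, write_slot) per iteration."""
    if d == 0:
        return None, []                    # d = 0: return dP = 0 and terminate
    n = d.bit_length()
    r = secrets.randbits(n) if r is None else r   # address bits, same length as d
    R = naive_mul(k or 1 + secrets.randbelow(ORDER - 1), G)   # random point R
    ops = [neg(R), add(p, neg(R))]         # assumed fixed operand registers: -R, P - R
    T = [None, None]                       # two result registers, chosen by r bits
    T[bit(r, n - 1)] = add(p, R)           # initial result P + R, stored at r_{n-1}
    trace = []
    for i in range(n - 2, -1, -1):         # iterate from d_{n-2} down to d_0
        src, dst = bit(r, i + 1), bit(r, i)
        T[dst] = add(add(T[src], T[src]), ops[bit(d, i)])   # 2T + (d_i P - R)
        trace.append((i, src, dst))
    return add(T[bit(r, 0)], neg(R)), trace   # final read at r_0, remove R
```

After step i the register selected by $r_i$ holds $\lfloor d / 2^i \rfloor P + R$, so the same d produces a different read/write address sequence for every r while the output stays dP.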

KR1020150096689A 2015-07-07 2015-07-07 Apparatus and Method for Protecting Power Collision Attack on Elliptic Curve Cryptography KR101665600B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150096689A KR101665600B1 (en) 2015-07-07 2015-07-07 Apparatus and Method for Protecting Power Collision Attack on Elliptic Curve Cryptography

Publications (1)

Publication Number Publication Date
KR101665600B1 true KR101665600B1 (en) 2016-10-12

Family

ID=57173362

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100402156B1 (en) 2002-04-25 2003-10-17 Jae Cheol Ha Method for encrypting elliptic curve to prevent power analysis attack
KR100772550B1 (en) * 2006-05-11 2007-11-02 경북대학교 산학협력단 Enhanced message blinding method to resistant power analysis attack
KR20090070060A (en) 2007-12-26 2009-07-01 대구대학교 산학협력단 Lopez-dahab algorithm based high speed elliptic curve cryptographic processor on finite field

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
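Research report, "A Study on Threat Measurement and Countermeasures for Side-Channel Attacks on Military Information and Communication Systems" (published 2014.11.27.) *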

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019117565A1 (en) * 2017-12-11 2019-06-20 국민대학교산학협력단 Apparatus and method for randomizing key bit variables of public key encryption algorithm
KR101981621B1 (en) * 2017-12-11 2019-08-28 국민대학교산학협력단 System and Method for Key bit Parameter Randomizating of public key cryptography
US11341285B2 (en) 2018-05-09 2022-05-24 Samsung Electronics Co., Ltd. Integrated circuit device and operating method of integrated circuit device

Legal Events

Date Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant
FPAY Annual fee payment

Payment date: 20190923

Year of fee payment: 4