A DPA Countermeasure by Randomized Frobenius Decomposition
Tae-Jun Park, Mun-Kyu Lee*, Dowon Hong and Kyoil Chung
* Inha University
Outline
I. Side channel analysis
II. Frobenius expansion
III. Random decomposition
IV. Conclusion
WISA 2005
2
Power Analysis
- Kocher, Crypto 99
- A powerful technique to recover secret information by monitoring the power signal
- Two kinds of power analysis
  - SPA: Simple power analysis
  - DPA: Differential power analysis
Power Analysis on Elliptic Curves
- Coron, CHES 99
- Naïve implementations of ECC are highly vulnerable to SPA and DPA
- Various countermeasures have been proposed
  - Hasan suggested several countermeasures on Koblitz curves (IEEE Transactions on Computers, 2001)
  - Ciet et al. proposed randomizing the GLV decomposition to prevent DPA on GLV curves (CHES 2002)
The Goal of This Talk
- A new countermeasure against DPA on ECC
- Applicable to any curve where the Frobenius method can be used
- A two-dimensional generalization of Coron's method
- 15.3 ~ 34.0% extra computation
Elliptic Curve
- Let q be a prime power
  - q = 2^m or q = 3^m:
  - Otherwise: y^2 = x^3 + ax + b
- To avoid the MOV attack, use only nonsupersingular elliptic curves
Frobenius Endomorphism
- The Frobenius endomorphism of E
- The minimal polynomial of the Frobenius endomorphism
Frobenius Expansion (1)
- The endomorphism ring of a nonsupersingular elliptic curve is an order in an imaginary quadratic field
- The ring Z[ ] is a subring of the endomorphism ring
- Mueller proposed a Frobenius expansion method by iterating divisions
  - Fast scalar multiplication on elliptic curves over small fields of characteristic two
  - Division by the Frobenius endomorphism in the ring
Frobenius Expansion (2)
- Division by [ ] in the ring looks like division by a complex number in the Gaussian integers
- Lemma: Suppose that q is an even (resp., odd) prime power. Let . There exists an integer r ∈ Z and an element s.t.
Frobenius Expansion (3)
- By iterating the process of division by [ ] with remainder, one can expand any element of Z[ ]
Division by [ ] in Z[ ] (1)
Division by [ ] in Z[ ] (2)
- Let L be the lattice generated by 1 and [ ]: L = [1, [ ]] is isomorphic to Z[ ]
- Consider all elements in L which can be divided by [ ] (for example, all integers divisible by 2 are of the form 2n)
- The set of such elements is generated by [ ] and q … [ ]: L1 = [[ ], q … [ ]]
Division by [ ] in Z[ ] (3)
- Divide s = s1 + s2[ ] ∈ L by [ ] with remainder
  - If s = s1 + s2[ ] ∈ L1, then there exist t1, t2 ∈ Z s.t. s1 + s2[ ] = [ ](t1 + t2[ ])
  - If not, move s1 + s2[ ] horizontally left or right to s1 − r + s2[ ] ∈ L1 for a suitable r ∈ Z
Random Decomposition (1)
- Transform L = [1, [ ]] to a random lattice L'
  - Choose random integers a, b, c, d and let
        A = | a  b |
            | c  d |
    where ad − bc ≠ 0
Random Decomposition (2)
- Diagram: the lattice L with basis 1 and [ ] is mapped by A = | a b ; c d | to the lattice L' with basis a + c[ ] and b + d[ ]
Random Decomposition (3)
Random Decomposition (4)
- Lemma: For any s = s1 + s2[ ] ∈ Z[ ], we can find k1, k2, r1, r2 ∈ Z s.t. s = k1(a + c[ ]) + k2(b + d[ ]) + r1 + r2[ ], with the Euclidean length of r = r1 + r2[ ] bounded by …
Random Decomposition (5)
Scalar Multiplication
- Scalar multiplication kP
  - k ∈ Z[ ] is expanded as
        k = k1 a + k2 b + (k1 c + k2 d)[ ] + r1 + r2[ ]
  - By Mueller's expansion method
        k1 a + k2 b + (k1 c + k2 d)[ ] = Σ_{i=0}^{l} k_i' [ ]^i
  - A scalar multiplication
        kP = (Σ_{i=0}^{l} k_i' [ ]^i P) + (r1 + r2[ ]) P
Overhead
Conclusion
- Our method can be applied to all kinds of elliptic curves
- It can be used in conjunction with other countermeasures
- It will be generalized to hyperelliptic curves