On Edwards curves and ZVP-attacks



S. Martínez · D. Sadornil · J. Tena · R. Tomàs · M. Valls

Received: 1 April 2011 / Revised: 24 July 2013 / Accepted: 2 September 2013 / Published online: 22 September 2013 © Springer-Verlag Berlin Heidelberg 2013

Abstract

Elliptic curve cryptography on smart cards is vulnerable to a particular Side Channel Attack: the existence of zero-value points (ZVP). One approach to face this drawback relies on changing the curve for an isogenous one, until a resistant curve is found. This paper focuses on an alternative strategy: exploiting the properties of a recently introduced form of elliptic curves, Edwards curves. We show that these curves achieve the conditions for being resistant to ZVP-attacks. Hence, using Edwards curves is a good countermeasure to avoid these attacks.

Keywords

Elliptic curve cryptography · Side channel attacks · Smart cards

Mathematics Subject Classification (2000)

94A60 · 11T71 · 14H45

S. Martínez · R. Tomàs · M. Valls
Universitat de Lleida, Lleida, Spain
e-mail: [email protected]
R. Tomàs
e-mail: [email protected]
M. Valls
e-mail: [email protected]
D. Sadornil (B)
Universidad de Cantabria, Cantabria, Spain
e-mail: [email protected]
J. Tena
IMUVA, Universidad de Valladolid, Valladolid, Spain
e-mail: [email protected]


1 Introduction

Elliptic curve cryptography has its roots in the late 1980s, when Miller and Koblitz [15,16] suggested the use of these curves in the design of cryptosystems. They showed that, using significantly smaller keys, they could achieve the same security levels as classical cryptosystems such as RSA or ElGamal. Thereby, these cryptographic techniques turn out to be especially interesting in resource-constrained devices, such as smart cards: since less memory and shorter transmission times are required, they save time and costs.

Nevertheless, smart cards suffer from an inherent weak point: they may be vulnerable to Side Channel Attacks (SCA) [3,9], which exploit information leaked by the card during the execution of the protocol, such as timing, power consumption or electromagnetic behaviour. There are many papers in the literature (see the papers referred to in [3,9]) devoted to the study of countermeasures against these attacks.

In the particular case of elliptic curve cryptosystems, Goubin [13] was the first to report, in 2003, an SCA. In his work, he pointed out some conditions that curves should fulfil in order to avoid the presence of some particular points. Akishita and Takagi [1,2] extended Goubin's conditions, since they showed that the presence of some other points should also be avoided (zero-value point attack, ZVP-attack). At the moment, techniques to face these attacks benefit from the use of isogenous curves [2,17,20]: given a curve that may contain vulnerable points, they search for an isogenous one that fulfils the conditions. Then, computations are implemented on this curve, so no information for a ZVP-attack is leaked. Another kind of SCA is presented in [1
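As an added illustration of the kind of zero-value check the ZVP-attack literature is about (this is not code from the paper), the following Python brute-forces the affine Edwards addition law on a constructed toy curve x² + y² = 1 + d x² y² over F_p and lists every input pair from the odd-order subgroup for which an intermediate value of the formula becomes zero. The values p = 19 and d = 2 are assumed here for the toy curve (d is a non-square mod 19, so the addition law is complete).

```python
# Added example, not from the paper: brute-force ZVP-style audit of the affine
# Edwards addition law  x3 = (x1*y2 + y1*x2)/(1 + d*x1*x2*y1*y2),
#                        y3 = (y1*y2 - x1*x2)/(1 - d*x1*x2*y1*y2).
# Assumed toy parameters: p = 19, d = 2 (2 is a non-square mod 19 -> complete law).
P_MOD, D = 19, 2
NEUTRAL = (0, 1)

def ed_add(p1, p2, p=P_MOD, d=D):
    """Unified Edwards addition; also returns the intermediate values an
    implementation computes, which a ZVP adversary hopes to drive to zero."""
    x1, y1 = p1
    x2, y2 = p2
    t = d * x1 * x2 * y1 * y2 % p
    xnum = (x1 * y2 + y1 * x2) % p
    ynum = (y1 * y2 - x1 * x2) % p
    inter = {"x1*x2": x1 * x2 % p, "y1*y2": y1 * y2 % p,
             "d*x1x2y1y2": t, "x3 numerator": xnum, "y3 numerator": ynum}
    # 1 +/- t is never 0 mod p on a complete curve, so the inverses exist.
    result = (xnum * pow(1 + t, p - 2, p) % p, ynum * pow(1 - t, p - 2, p) % p)
    return result, inter

def curve_points(p=P_MOD, d=D):
    """All affine points of the constructed toy curve."""
    return [(x, y) for x in range(p) for y in range(p)
            if (x * x + y * y - 1 - d * x * x * y * y) % p == 0]

def point_order(pt):
    n, acc = 1, pt
    while acc != NEUTRAL:
        acc, _ = ed_add(acc, pt)
        n += 1
    return n

def odd_order_points():
    """Non-neutral points of odd order: the subgroup a real protocol works in."""
    return [pt for pt in curve_points() if point_order(pt) % 2 == 1 and pt != NEUTRAL]

def zero_value_audit():
    """Every (p1, p2) in the odd-order subgroup whose addition has a zero intermediate."""
    pts = odd_order_points()
    hits = []
    for p1 in pts:
        for p2 in pts:
            result, inter = ed_add(p1, p2)
            zeros = [name for name, v in inter.items() if v == 0]
            if zeros:
                hits.append((p1, p2, result, zeros))
    return hits

if __name__ == "__main__":
    print(len(curve_points()), "points;", len(odd_order_points()), "of odd order")
    for p1, p2, res, zeros in zero_value_audit():
        print(p1, "+", p2, "=", res, "zero intermediates:", zeros)
```

The only zeros the audit finds occur when the two inputs are a point and its negative, that is, when the sum is the neutral element, a case a scalar multiplication with 0 < k < ℓ never reaches. Projective or inverted coordinates carry additional intermediates and need their own audit.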