Efficient Countermeasures against RPA, DPA, and SPA

  • Hideyo Mamiya
  • Atsuko Miyaji
  • Hiroaki Morimoto
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3156)


In the execution on a smart card, side channel attacks such as simple power analysis (SPA) and the differential power analysis (DPA) have become serious threat [15]. Side channel attacks monitor power consumption and even exploit the leakage information related to power consumption to reveal bits of a secret key d although d is hidden inside a smart card. Almost public key cryptosystems including RSA, DLP-based cryptosystems, and elliptic curve cryptosystems execute an exponentiation algorithm with a secret-key exponent, and they thus suffer from both SPA and DPA. Recently, in the case of elliptic curve cryptosystems, DPA is improved to the Refined Power Analysis (RPA), which exploits a special point with a zero value and reveals a secret key [10]. RPA is further generalized to Zero-value Point Attack (ZPA) [2]. Both RPA and ZPA utilizes a special feature of elliptic curves that happens to have a special point or a register used in addition and doubling formulae with a zero value and that the power consumption of 0 is distinguishable from that of an non-zero element. To make the matters worse, some previous efficient countermeasures are neither resistant against RPA nor ZPA. Although a countermeasure to RPA is proposed, this is not universal countermeasure, gives each different method to each type of elliptic curves, and is still vulnerable against ZPA [30]. The possible countermeasures are ES [3] and the improved version [4]. This paper focuses on countermeasures against RPA, ZPA, DPA and SPA. We show a novel countermeasure resistant against RPA, ZPA, SPA and DPA without any pre-computed table. We also generalize the countermeasure to present more efficient algorithm with a pre-computed table.


Elliptic curve exponentiation ZPA RPA DPA SPA 


  1. 1.
    Araki, K., Satoh, T.: Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves. Commentarii Math. Univ. St. Pauli. 47, 81–92 (1998)zbMATHMathSciNetGoogle Scholar
  2. 2.
    Akishita, T., Takagi, T.: Zero-value Point Attacks on Elliptic Curve Cryptosystem. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 218–233. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  3. 3.
    Clavier, C., Joye, M.: Universal exponentiation algorithm. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 300–308. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  4. 4.
    Ciet, M., Joye, M. (Virtually) Free randomization technique for elliptic curve cryptography. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 348–359. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  5. 5.
    Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation using mixed coordinates. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 51–65. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  6. 6.
    Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  7. 7.
    Frey, G., Rück, H.G.: A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Mathematics of computation 62, 865–874 (1994)zbMATHMathSciNetGoogle Scholar
  8. 8.
    Proposed federal information processing standard for digital signature standard (DSS), Federal Register, 56(169), 42980–42982 (August 30, 1991)Google Scholar
  9. 9.
    ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory IT-31, 469–472 (1985)MathSciNetCrossRefGoogle Scholar
  10. 10.
    Goubin, L.: A Refined Power-Analysis Attack on Elliptic Curve Cryptosystems. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 199–210. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  11. 11.
    Itoh, K., Takenaka, M., Torii, N., Temma, S., Kurihara, Y.: Fast implementation of public-key cryptography on DSP TMS320C6201. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 61–72. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  12. 12.
    Itoh, K., Izu, T., Takenaka, M.: Efficient countermeasures against power analysis for elliptic curve cryptosystems. In: SCIS 2004 (2004) (previous version). The final version will be appeared in the proceedings of CARDIS 2004Google Scholar
  13. 13.
    Joye, M., Tymen, C.: Protections against Differential Analysis for Elliptic Curve Cryptosystem. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 377–390. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  14. 14.
    Koblitz, N.: Elliptic curve cryptosystems. Mathematics of Computation 48, 203–209 (1987)zbMATHMathSciNetCrossRefGoogle Scholar
  15. 15.
    Kocher, C.: Timing attacks on Implementations of Diffie-Hellman, RSA, DSS, and other system. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  16. 16.
    Kocher, C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  17. 17.
    Knuth, D.E.: The Art of Computer Programming, 2nd edn., vol. 2. Addison-Wesley, Reading (1981)zbMATHGoogle Scholar
  18. 18.
    Koyama, K., Tsuruoka, Y.: Speeding up elliptic cryptosystems by using a signed binary window method. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 345–357. Springer, Heidelberg (1993)Google Scholar
  19. 19.
    Menezes, A., Okamoto, T., Vanstone, S.: Reducing elliptic curve logarithms to logarithms in a finite field. In: Proceedings of the 22nd Annual ACM Symposium on the Theory of Computing, pp. 80–89 (1991)Google Scholar
  20. 20.
    Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)Google Scholar
  21. 21.
    Möller, B.: Securing Elliptic Curve Point Multiplication against Side-Channel Attacks. In: Davida, G.I., Frankel, Y. (eds.) ISC 2001. LNCS, vol. 2200, pp. 324–334. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  22. 22.
    Möller, B.: Parallelizable Elliptic Curve Point Multiplication Method with Resistance against Side-Channel Attacks. In: Chan, A.H., Gligor, V.D. (eds.) ISC 2002. LNCS, vol. 2433, pp. 402–413. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  23. 23.
    Montgomery, P.L.: Speeding the Pollard and elliptic curve methods for factorization. Mathematics of Computation 48, 243–264 (1987)zbMATHMathSciNetCrossRefGoogle Scholar
  24. 24.
    Okeya, K., Takagi, T.: The Width-w NAF Method Provides Small Memory and Fast Elliptic Scalar Multiplications Secure against Side Channel Attacks. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 328–342. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  25. 25.
    Pohlig, S.C., Hellman, M.E.: An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Trans. Inf. Theory IT-24, 106–110 (1978)MathSciNetCrossRefGoogle Scholar
  26. 26.
    Pollard, J.: Monte Carlo methods for index computation (mod p). Mathematics of Computation 32, 918–924 (1978)zbMATHMathSciNetGoogle Scholar
  27. 27.
    Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–126 (1978)zbMATHMathSciNetCrossRefGoogle Scholar
  28. 28.
    Avanzi, R.M.: On multi-exponentiation in cryptography, Cryptology ePrint Archive, Report 2002/154, (2002)
  29. 29.
    Smart, N.P.: The discrete logarithm problem on elliptic curves of trace one. to appear in J. Cryptology Google Scholar
  30. 30.
    Smart, N.P.: An analysis of goubin’s refined power analysis attack. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 281–290. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  31. 31.
    Semaev, I.A.: Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p. Mathematics of computation 67, 353–356 (1998)zbMATHMathSciNetCrossRefGoogle Scholar
  32. 32.
    Solinas, J.A.: Low-Weight Binary Representation for Pairs of Integers, Centre for Applied Cryptographic Research, University of Waterloo, Combinatorics and Optimization Reseach Report CORR 2001-41 (2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Hideyo Mamiya
    • 1
  • Atsuko Miyaji
    • 1
  • Hiroaki Morimoto
    • 1
  1. 1.Japan Advanced Institute of Science and Technology 

Personalised recommendations