Method for Detecting Vulnerability to Doubling Attacks
The doubling attack by Fouque and Valette and its analogue, the relative doubling attack by Yen et al., are a new kind of simple power analysis that applies to the binary double-and-add algorithm for scalar multiplication (or the square-and-multiply algorithm for modular exponentiation). The doubling attack is very powerful because it needs only two queries to the device to recover the secret key. The original doubling attack broke the binary double-and-add-always algorithm, and the relative doubling attack succeeded in breaking the Montgomery ladder. Fouque and Valette stated that the doubling attack applies only to downward algorithms, i.e., "left-to-right" implementations of binary modular exponentiation, and recommended using upward "right-to-left" implementations. Yen et al., in contrast, proposed a new downward algorithm and asserted that it was secure against doubling attacks. This controversy stems from the lack of analysis of the fundamentals of doubling attacks. We therefore analyze the characteristic of the doubling attack and propose a method to easily test a given algorithm's security against doubling attacks. Furthermore, we show that Yen et al.'s scheme is still vulnerable to the doubling attack.
Keywords: Doubling attack, relative doubling attack, modular exponentiation, simple power analysis (SPA), smart card
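As an added illustration, not code from the paper: a Python simulation of the two-query doubling attack on a left-to-right square-and-multiply-always exponentiation, together with a key-dependence test in the spirit of the method the abstract describes, applied to both a downward (left-to-right) and an upward (right-to-left) algorithm. The leakage model (an attacker comparing two SPA traces can tell whether two squarings operated on the same value, and nothing more), the modulus, the base, the sample keys and all function names are assumptions made for this example; the test itself (does the collision pattern between the run on x and the run on x^2 change with the key?) is a simplified stand-in for the paper's method, which the abstract does not spell out.

```python
# Added example (not from the paper): simulate the doubling attack and a
# "does the collision pattern depend on the key?" vulnerability test.
# Assumed leakage model: the attacker can only tell whether two squarings
# operated on the same value.

N = 2**31 - 1   # Mersenne prime; 7 is a primitive root mod N, so x**a == x**b
X = 7           # (mod N) only when a == b for the small exponents used here


def ltr_square_multiply_always(x, bits, trace):
    """Left-to-right square-and-multiply-always (the exponentiation analogue
    of double-and-add-always). bits is MSB first. Every squaring operand is
    appended to `trace`, which stands in for the SPA trace."""
    r = 1
    for b in bits:
        trace.append(r)          # value entering the squaring
        r = r * r % N
        t = r * x % N            # multiply always; result dropped when b == 0
        if b:
            r = t
    return r


def rtl_square_multiply_always(x, bits, trace):
    """Right-to-left ("upward") variant. bits is MSB first, processed LSB first."""
    r, s = 1, x
    for b in reversed(bits):
        t = r * s % N            # multiply always
        if b:
            r = t
        trace.append(s)          # value entering the squaring
        s = s * s % N
    return r


def squaring_operands(algo, x, bits):
    trace = []
    algo(x, bits, trace)
    return trace


def collision_pattern(algo, bits, x=X):
    """Doubling-attack collisions: pairs (i, j) such that squaring i of the run
    on x and squaring j of the run on x^2 operate on the same value."""
    a = squaring_operands(algo, x, bits)
    b = squaring_operands(algo, x * x % N, bits)
    return {(i, j) for i, va in enumerate(a) for j, vb in enumerate(b) if va == vb}


def leaks_key(algo, key_a, key_b):
    """Vulnerability test (assumed criterion): the algorithm is exposed to the
    doubling attack when the x / x^2 collision pattern changes with the key."""
    return collision_pattern(algo, key_a) != collision_pattern(algo, key_b)


def recover_ltr_bits(pattern, nbits):
    """Attack on the LTR algorithm: before step k the accumulator holds x^E_k,
    and in the x^2 run it holds x^(2*E_k). A collision (k+1, k) means
    E_{k+1} == 2*E_k, i.e. bit k is 0. The last bit has no squaring after it
    and is left to be guessed (two candidates)."""
    return [0 if (k + 1, k) in pattern else 1 for k in range(nbits - 1)]


if __name__ == "__main__":
    key = [1, 0, 1, 1, 0, 0, 1, 0]      # constructed sample keys
    other = [1, 1, 0, 0, 1, 0, 1, 1]
    for algo in (ltr_square_multiply_always, rtl_square_multiply_always):
        print(algo.__name__, "key-dependent collisions:", leaks_key(algo, key, other))
    pattern = collision_pattern(ltr_square_multiply_always, key)
    print("LTR bits recovered from two traces:", recover_ltr_bits(pattern, len(key)))
```

The left-to-right algorithm produces a collision at positions (k+1, k) exactly when bit k is 0, so two traces give back every bit but the last. The right-to-left algorithm also shows collisions (its k-th squaring always operates on x^(2^k), so squaring k of the x^2 run matches squaring k+1 of the x run), but the pattern is the same for every key, which is why the test reports it as not leaking. The model ignores noise, misalignment and the multiplication operands; a real attack correlates trace segments rather than comparing exact values.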