The Experts below are selected from a list of 11691 Experts worldwide ranked by ideXlab platform
Christophe Clavier - One of the best experts on this subject based on the ideXlab platform.
-
Square Always Exponentiation
2016Co-Authors: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent VerneuilAbstract:Embedded Exponentiation techniques have become a key concern for security and efficiency in hardware devices using public key cryptography. An Exponentiation is basically a sequence of multiplications and squarings, but this sequence may reveal exponent bits to an attacker on an unprotected implementation. Although this subject has been covered for years, we present in this paper new Exponentiation algorithms based on trading multiplications for squarings. Our method circumvents attacks aimed at distinguishing squarings from multiplications at a lower cost than previous techniques. Last but not least, we present new algorithms using two parallel squaring blocks which provide the fastest Exponentiation to our knowledge.
-
Updated Recommendations for Blinded Exponentiation vs. Single Trace Analysis
2013Co-Authors: Christophe Clavier, Benoit FeixAbstract:Side-channel analysis has become a very powerful tool helpful for attackers trying to recover the secrets embedded in microprocessors such as smartcards. Since the initial publications from Kocher et al. many improvements on side-channel techniques have been proposed. At the same time developers have designed countermeasures to counterfeit those threats. The challenge for securing smart devices remains rough. The most complex techniques like Differential, Correlation and Mutual-information analysis are more studied today than simple side-channel analysis which seems less considered as said less powerful. We revisit in this paper the simple side-channel analysis attacks previously published. Relying on previous leakage models we design two new methods to build chosen message which allows more efficient analysis on blinded Exponentiation. We also show that, contrarily to common belief, with our chosen message method simple side-channel analysis can be successful also in some hashed message models. In a second step we introduce a more precise but realistic leakage model for hardware multipliers which leads us to new results on simple side-channel efficiency. Relying on these models we show that even with big base multipliers leakages can be exploited to recover the secret exponent on blinded Exponentiations.
-
INDOCRYPT - Square always Exponentiation
Lecture Notes in Computer Science, 2011Co-Authors: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent VerneuilAbstract:Embedded Exponentiation techniques have become a key concern for security and efficiency in hardware devices using public key cryptography. An Exponentiation is basically a sequence of multiplications and squarings, but this sequence may reveal exponent bits to an attacker on an unprotected implementation. Although this subject has been covered for years, we present in this paper new Exponentiation algorithms based on trading multiplications for squarings. Our method circumvents attacks aimed at distinguishing squarings from multiplications at a lower cost than previous techniques. Last but not least, we present new algorithms using two parallel squaring blocks which provide the fastest Exponentiation to our knowledge.
-
Horizontal Correlation Analysis on Exponentiation
2010Co-Authors: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent VerneuilAbstract:We introduce in this paper a technique in which we apply correlation analysis using only one execution power curve during an Exponentiation to recover the whole secret exponent manipulated by the chip. As in the Big Mac attack from Walter, longer keys may facilitate this analysis and success will depend on the arithmetic coprocessor characteristics. We present the theory of the attack with some practical successful results on an embedded device and analyze the efficiency of classical countermeasures with respect to our attack. Our technique, which uses a single Exponentiation curve, cannot be prevented by exponent blinding. Also, contrarily to the Big Mac attack, it applies even in the case of regular implementations such as the square and multiply always or the Montgomery ladder. We also point out that DSA and Diffie-Hellman Exponentiations are no longer immune against CPA. Then we discuss the efficiency of known countermeasures, and we finally present some new ones.
-
Horizontal Correlation Analysis on Exponentiation
2010Co-Authors: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent VerneuilAbstract:Power Analysis has been widely studied since Kocher et al. presented in 1998 the initial Simple and Differential Power Analysis (SPA and DPA). Correlation Power Analysis (CPA) is nowadays one of the most powerful techniques which requires, as classical DPA, many execution curves for recovering secrets. We introduce in this paper a technique in which we apply correlation analysis using only one execution power curve during an Exponentiation to recover the whole secret exponent manipulated by the chip. As in the Big Mac attack from Walter, longer keys may facilitate this analysis and success will depend on the arithmetic coprocessor characteristics. We present the theory of the attack with some practical successful results on an embedded device and analyze the efficiency of classical countermeasures with respect to our attack. Our technique, which uses a single Exponentiation curve, cannot be prevented by exponent blinding. Also, contrarily to the Big Mac attack, it applies even in the case of regular implementations such as the square and multiply always or the Montgomery ladder. We also point out that DSA and Diffie-Hellman Exponentiations are no longer immune against CPA. Then we discuss the efficiency of known countermeasures, and we finally present some new ones.
Vincent Verneuil - One of the best experts on this subject based on the ideXlab platform.
-
Square Always Exponentiation
2016Co-Authors: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent VerneuilAbstract:Embedded Exponentiation techniques have become a key concern for security and efficiency in hardware devices using public key cryptography. An Exponentiation is basically a sequence of multiplications and squarings, but this sequence may reveal exponent bits to an attacker on an unprotected implementation. Although this subject has been covered for years, we present in this paper new Exponentiation algorithms based on trading multiplications for squarings. Our method circumvents attacks aimed at distinguishing squarings from multiplications at a lower cost than previous techniques. Last but not least, we present new algorithms using two parallel squaring blocks which provide the fastest Exponentiation to our knowledge.
-
INDOCRYPT - Square always Exponentiation
Lecture Notes in Computer Science, 2011Co-Authors: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent VerneuilAbstract:Embedded Exponentiation techniques have become a key concern for security and efficiency in hardware devices using public key cryptography. An Exponentiation is basically a sequence of multiplications and squarings, but this sequence may reveal exponent bits to an attacker on an unprotected implementation. Although this subject has been covered for years, we present in this paper new Exponentiation algorithms based on trading multiplications for squarings. Our method circumvents attacks aimed at distinguishing squarings from multiplications at a lower cost than previous techniques. Last but not least, we present new algorithms using two parallel squaring blocks which provide the fastest Exponentiation to our knowledge.
-
Horizontal Correlation Analysis on Exponentiation
2010Co-Authors: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent VerneuilAbstract:We introduce in this paper a technique in which we apply correlation analysis using only one execution power curve during an Exponentiation to recover the whole secret exponent manipulated by the chip. As in the Big Mac attack from Walter, longer keys may facilitate this analysis and success will depend on the arithmetic coprocessor characteristics. We present the theory of the attack with some practical successful results on an embedded device and analyze the efficiency of classical countermeasures with respect to our attack. Our technique, which uses a single Exponentiation curve, cannot be prevented by exponent blinding. Also, contrarily to the Big Mac attack, it applies even in the case of regular implementations such as the square and multiply always or the Montgomery ladder. We also point out that DSA and Diffie-Hellman Exponentiations are no longer immune against CPA. Then we discuss the efficiency of known countermeasures, and we finally present some new ones.
-
Horizontal Correlation Analysis on Exponentiation
2010Co-Authors: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent VerneuilAbstract:Power Analysis has been widely studied since Kocher et al. presented in 1998 the initial Simple and Differential Power Analysis (SPA and DPA). Correlation Power Analysis (CPA) is nowadays one of the most powerful techniques which requires, as classical DPA, many execution curves for recovering secrets. We introduce in this paper a technique in which we apply correlation analysis using only one execution power curve during an Exponentiation to recover the whole secret exponent manipulated by the chip. As in the Big Mac attack from Walter, longer keys may facilitate this analysis and success will depend on the arithmetic coprocessor characteristics. We present the theory of the attack with some practical successful results on an embedded device and analyze the efficiency of classical countermeasures with respect to our attack. Our technique, which uses a single Exponentiation curve, cannot be prevented by exponent blinding. Also, contrarily to the Big Mac attack, it applies even in the case of regular implementations such as the square and multiply always or the Montgomery ladder. We also point out that DSA and Diffie-Hellman Exponentiations are no longer immune against CPA. Then we discuss the efficiency of known countermeasures, and we finally present some new ones.
Lionel Torres - One of the best experts on this subject based on the ideXlab platform.
-
Vertical and horizontal correlation attacks on RNS-based Exponentiations
Journal of Cryptographic Engineering, 2015Co-Authors: Guilherme Perin, Laurent Imbert, Philippe Maurine, Lionel TorresAbstract:Side-channel attacks are a serious threat for physical implementations of public key cryptosystems and notably for the RSA. Side-channel leakages can be explored from unprotected cryptodevices and several power or electromagnetic traces are collected in order to construct (vertical) differential side-channel attacks. On Exponentiations, the so-called horizontal correlation attacks originally proposed by Walter in “Sliding windows succumbs to big mac attack” (Cryptographic hardware and embedded systems, 2001) and improved by Clavier et al. in “Horizontal correlation analysis on Exponentiation” (ICICS, 2010) demonstrated to be efficient even in the presence of strong countermeasures like the exponent and message blinding. In particular, a single trace is sufficient to recover the secret if the modular Exponentiation features long integer multiplications . In this paper, we consider the application of vertical and horizontal correlation attacks on residue number systems (RNS)-based approaches. The montgomery multiplication, which is widely adopted in the finite ring of an Exponentiation, has different construction details in the RNS domain. Experiments are conducted on hardware (parallel) and software (sequential) and leakage models for known and masked inputs are constructed for the regular and SPA-protected Montgomery ladder algorithm.
-
Vertical and horizontal correlation attacks on RNS-based Exponentiations
Journal of Cryptographic Engineering, 2015Co-Authors: Guilherme Perin, Laurent Imbert, Philippe Maurine, Lionel TorresAbstract:Side-channel attacks are a serious threat for physical implementations of public-key cryptosystems and notably for the RSA. Side-channel leakages can be explored from unprotected cryptodevices and several power or electromagnetic traces are collected in order to construct (vertical) differential side-channel attacks. On Exponentiations, the so-called horizontal correlation attacks originally proposed by Walter in 2001 and improved by Clavier et al in 2010 demonstrated to be efficient even in the presence of strong countermeasures like the exponent and message blinding. In particular, a single trace is sufficient to recover the secret if the modular Exponentiation features long-integer multiplications. In this paper, we consider the application of vertical and horizontal correlation attacks on RNS-based approaches. The Montgomery multiplication, which is widely adopted in the finite ring of an Exponentiation, has different construction details in the RNS domain. Experiments are conducted on hardware (parallel) and software (sequential) and leakage models for known and masked inputs are constructed for the regular and SPA-protected Montgomery ladder algorithm.
Mylène Roussellet - One of the best experts on this subject based on the ideXlab platform.
-
Square Always Exponentiation
2016Co-Authors: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent VerneuilAbstract:Embedded Exponentiation techniques have become a key concern for security and efficiency in hardware devices using public key cryptography. An Exponentiation is basically a sequence of multiplications and squarings, but this sequence may reveal exponent bits to an attacker on an unprotected implementation. Although this subject has been covered for years, we present in this paper new Exponentiation algorithms based on trading multiplications for squarings. Our method circumvents attacks aimed at distinguishing squarings from multiplications at a lower cost than previous techniques. Last but not least, we present new algorithms using two parallel squaring blocks which provide the fastest Exponentiation to our knowledge.
-
INDOCRYPT - Square always Exponentiation
Lecture Notes in Computer Science, 2011Co-Authors: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent VerneuilAbstract:Embedded Exponentiation techniques have become a key concern for security and efficiency in hardware devices using public key cryptography. An Exponentiation is basically a sequence of multiplications and squarings, but this sequence may reveal exponent bits to an attacker on an unprotected implementation. Although this subject has been covered for years, we present in this paper new Exponentiation algorithms based on trading multiplications for squarings. Our method circumvents attacks aimed at distinguishing squarings from multiplications at a lower cost than previous techniques. Last but not least, we present new algorithms using two parallel squaring blocks which provide the fastest Exponentiation to our knowledge.
-
Horizontal Correlation Analysis on Exponentiation
2010Co-Authors: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent VerneuilAbstract:We introduce in this paper a technique in which we apply correlation analysis using only one execution power curve during an Exponentiation to recover the whole secret exponent manipulated by the chip. As in the Big Mac attack from Walter, longer keys may facilitate this analysis and success will depend on the arithmetic coprocessor characteristics. We present the theory of the attack with some practical successful results on an embedded device and analyze the efficiency of classical countermeasures with respect to our attack. Our technique, which uses a single Exponentiation curve, cannot be prevented by exponent blinding. Also, contrarily to the Big Mac attack, it applies even in the case of regular implementations such as the square and multiply always or the Montgomery ladder. We also point out that DSA and Diffie-Hellman Exponentiations are no longer immune against CPA. Then we discuss the efficiency of known countermeasures, and we finally present some new ones.
-
Horizontal Correlation Analysis on Exponentiation
2010Co-Authors: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent VerneuilAbstract:Power Analysis has been widely studied since Kocher et al. presented in 1998 the initial Simple and Differential Power Analysis (SPA and DPA). Correlation Power Analysis (CPA) is nowadays one of the most powerful techniques which requires, as classical DPA, many execution curves for recovering secrets. We introduce in this paper a technique in which we apply correlation analysis using only one execution power curve during an Exponentiation to recover the whole secret exponent manipulated by the chip. As in the Big Mac attack from Walter, longer keys may facilitate this analysis and success will depend on the arithmetic coprocessor characteristics. We present the theory of the attack with some practical successful results on an embedded device and analyze the efficiency of classical countermeasures with respect to our attack. Our technique, which uses a single Exponentiation curve, cannot be prevented by exponent blinding. Also, contrarily to the Big Mac attack, it applies even in the case of regular implementations such as the square and multiply always or the Montgomery ladder. We also point out that DSA and Diffie-Hellman Exponentiations are no longer immune against CPA. Then we discuss the efficiency of known countermeasures, and we finally present some new ones.
-
Simple Power Analysis on Exponentiation Revisited
2010Co-Authors: Jean-christophe Courrège, Benoit Feix, Mylène RousselletAbstract:Power Analysis has been studied since 1998 when P. Kocher et al. presented the first attack. From the initial Simple Power Analysis more complex techniques have been designed and studied during the previous decade such as Differential and Correlation Power Analysis. In this paper we revisit Simple Power Analysis which is at the heart of side channel techniques. We aim at showing its true efficiency when studied rigorously. Based on existing Chosen Message attacks we explain in this paper how particular message values can reveal the secret exponent manipulated during a modular Exponentiation with a single power consumption curve. We detail the different ways to achieve this and then show that some blinded Exponentiations can still be threatened by Simple Power Analysis depending on the implementation. Finally we will give advice on countermeasures to prevent such enhanced Simple Power Analysis techniques.
Benoit Feix - One of the best experts on this subject based on the ideXlab platform.
-
Square Always Exponentiation
2016Co-Authors: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent VerneuilAbstract:Embedded Exponentiation techniques have become a key concern for security and efficiency in hardware devices using public key cryptography. An Exponentiation is basically a sequence of multiplications and squarings, but this sequence may reveal exponent bits to an attacker on an unprotected implementation. Although this subject has been covered for years, we present in this paper new Exponentiation algorithms based on trading multiplications for squarings. Our method circumvents attacks aimed at distinguishing squarings from multiplications at a lower cost than previous techniques. Last but not least, we present new algorithms using two parallel squaring blocks which provide the fastest Exponentiation to our knowledge.
-
Updated Recommendations for Blinded Exponentiation vs. Single Trace Analysis
2013Co-Authors: Christophe Clavier, Benoit FeixAbstract:Side-channel analysis has become a very powerful tool helpful for attackers trying to recover the secrets embedded in microprocessors such as smartcards. Since the initial publications from Kocher et al. many improvements on side-channel techniques have been proposed. At the same time developers have designed countermeasures to counterfeit those threats. The challenge for securing smart devices remains rough. The most complex techniques like Differential, Correlation and Mutual-information analysis are more studied today than simple side-channel analysis which seems less considered as said less powerful. We revisit in this paper the simple side-channel analysis attacks previously published. Relying on previous leakage models we design two new methods to build chosen message which allows more efficient analysis on blinded Exponentiation. We also show that, contrarily to common belief, with our chosen message method simple side-channel analysis can be successful also in some hashed message models. In a second step we introduce a more precise but realistic leakage model for hardware multipliers which leads us to new results on simple side-channel efficiency. Relying on these models we show that even with big base multipliers leakages can be exploited to recover the secret exponent on blinded Exponentiations.
-
INDOCRYPT - Square always Exponentiation
Lecture Notes in Computer Science, 2011Co-Authors: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent VerneuilAbstract:Embedded Exponentiation techniques have become a key concern for security and efficiency in hardware devices using public key cryptography. An Exponentiation is basically a sequence of multiplications and squarings, but this sequence may reveal exponent bits to an attacker on an unprotected implementation. Although this subject has been covered for years, we present in this paper new Exponentiation algorithms based on trading multiplications for squarings. Our method circumvents attacks aimed at distinguishing squarings from multiplications at a lower cost than previous techniques. Last but not least, we present new algorithms using two parallel squaring blocks which provide the fastest Exponentiation to our knowledge.
-
Horizontal Correlation Analysis on Exponentiation
2010Co-Authors: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent VerneuilAbstract:We introduce in this paper a technique in which we apply correlation analysis using only one execution power curve during an Exponentiation to recover the whole secret exponent manipulated by the chip. As in the Big Mac attack from Walter, longer keys may facilitate this analysis and success will depend on the arithmetic coprocessor characteristics. We present the theory of the attack with some practical successful results on an embedded device and analyze the efficiency of classical countermeasures with respect to our attack. Our technique, which uses a single Exponentiation curve, cannot be prevented by exponent blinding. Also, contrarily to the Big Mac attack, it applies even in the case of regular implementations such as the square and multiply always or the Montgomery ladder. We also point out that DSA and Diffie-Hellman Exponentiations are no longer immune against CPA. Then we discuss the efficiency of known countermeasures, and we finally present some new ones.
-
Horizontal Correlation Analysis on Exponentiation
2010Co-Authors: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent VerneuilAbstract:Power Analysis has been widely studied since Kocher et al. presented in 1998 the initial Simple and Differential Power Analysis (SPA and DPA). Correlation Power Analysis (CPA) is nowadays one of the most powerful techniques which requires, as classical DPA, many execution curves for recovering secrets. We introduce in this paper a technique in which we apply correlation analysis using only one execution power curve during an Exponentiation to recover the whole secret exponent manipulated by the chip. As in the Big Mac attack from Walter, longer keys may facilitate this analysis and success will depend on the arithmetic coprocessor characteristics. We present the theory of the attack with some practical successful results on an embedded device and analyze the efficiency of classical countermeasures with respect to our attack. Our technique, which uses a single Exponentiation curve, cannot be prevented by exponent blinding. Also, contrarily to the Big Mac attack, it applies even in the case of regular implementations such as the square and multiply always or the Montgomery ladder. We also point out that DSA and Diffie-Hellman Exponentiations are no longer immune against CPA. Then we discuss the efficiency of known countermeasures, and we finally present some new ones.
