A Second-Order DPA Attack Breaks a Window-Method Based Countermeasure against Side Channel Attacks

摘要

Moeller proposed a countermeasure using window method against side channel attacks. However, its immunity to side channel attacks is still controversial. In this paper, we show Moller's countermeasure is vulnerable to a second-order differential power analysis attack. A side channel attack is an attack that takes advantage of information leaked during execution of a cryptographic procedure. An nth-order differential power analysis attack is the side channel attack which uses n different leaked data that correspond to n different intermediate values during the execution. Our proposed attack against Moller's countermeasure finds out the use of same elliptic points, and restricts candidates of the secret scalar value. In these circumstances, the attack completely detects the scalar value using Baby-Step-Giant-Step method as a direct-computational attack. For a 160-bit scalar value, the proposed attack restricts the number of candidates of the scalar to a 45-bit integer, and the direct-computational attack can actually detect the scalar value. Besides, we improve Moller's countermeasure to prevent the proposed attack. We compare the original method and improved countermeasure in terms of the computational intractability and the computational cost of the scalar multiplication.