APPARATUS AND METHOD FOR PERFORMING OPERATION BEING SECURE AGAINST SIDE CHANNEL ATTACK

Abstract
An apparatus and method for performing an operation which are secure against side-channel attack are provided. According to one embodiment of the present disclosure, the apparatus includes a first extractor configured to extract one or more first parameter candidate values corresponding to a seed value from a first parameter candidate value set, a first outputter configured to output a first output value using the extracted first parameter candidate values, a second extractor configured to extract one or more second parameter candidate values corresponding to the seed value from a second parameter candidate value set, and a second outputter configured to output a second output value using the extracted second parameter candidate values, wherein the second output value is capable of being generated using the first output value.
14 Claims
1. An apparatus for performing an operation, comprising:
a first extractor configured to extract one or more first parameter candidate values corresponding to a seed value from a first parameter candidate value set;
a first outputter configured to output a first output value using the extracted first parameter candidate values;
a second extractor configured to extract one or more second parameter candidate values corresponding to the seed value from a second parameter candidate value set; and
a second outputter configured to output a second output value using the extracted second parameter candidate values, wherein the second output value is capable of being generated using the first output value.
8. A method of performing an operation, comprising:
extracting one or more first parameter candidate values corresponding to a seed value from a first parameter candidate value set;
outputting a first output value using the extracted first parameter candidate values;
extracting one or more second parameter candidate values corresponding to the seed value from a second parameter candidate value set; and
outputting a second output value using the extracted second parameter candidate values, wherein the second output value is capable of being generated using the first output value.
1 Specification
This application claims the benefit under 35 USC § 119(a) of Korean Patent Application No. 1020180045584, filed on Apr. 19, 2018, in the Korean Intellectual Property Office, the entire disclosure of which is incorporated herein by reference for all purposes.
The following description relates to a technology for side-channel attack prevention.
As Internet of Things (IoT) devices evolve, there is a growing risk of side-channel attacks that gain important information by exploiting physical information leaked from devices during a key exchange for encryption, mathematical computations for an encryption, a digital signature, etc.
A side-channel attack is an attack that obtains secret information using a leakage of side-channel information (e.g., power consumption, the amount of electromagnetic radiation, algorithm execution time, etc.) for computations performed during an operation of an algorithm for key exchange, encryption, digital signature, etc.
A power analysis attack, which is a form of side-channel attack, is known as the most powerful side-channel attack, and equipment for power analysis attacks is also known as a very effective attack means because of high probability of realization with low cost. Thus, the power analysis attack is a field in which the most research is being currently conducted. A method of such a power analysis attack largely includes simple power analysis (SPA), differential power analysis (DPA), collision attack (CA), and the like.
Methods that have been proposed so far to prevent side-channel attack have problems in that they require a large amount of computation and thus cause performance degradation and they are methods for protecting against only some side-channel attacks. A method secure against all of the side-channel attacks has not been proposed yet. In addition, there has been proposed no method secure against collision attacks.
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
The disclosed embodiments are intended to provide an apparatus and method for preventing exposure of important information by a side-channel attack.
In one general aspect, there is provided an apparatus for performing an operation, including a first extractor configured to extract one or more first parameter candidate values corresponding to a seed value from a first parameter candidate value set, a first outputter configured to output a first output value using the extracted first parameter candidate values, a second extractor configured to extract one or more second parameter candidate values corresponding to the seed value from a second parameter candidate value set, and a second outputter configured to output a second output value using the extracted second parameter candidate values, wherein the second output value is capable of being generated using the first output value.
The second output value may have a value equal to a value obtained through an operation using the first output value as an exponent or a multiplier.
The second parameter candidate value set may include a plurality of second parameter candidate values equal to values obtained through an operation using each of the first parameter candidate values included in the first parameter candidate value set as an exponent or a multiplier.
The extracted second parameter candidate values may have values equal to values obtained through an operation using each of the extracted first parameter candidate values as an exponent or a multiplier.
The seed value may be formed by an arbitrary bit string, the first extractor may extract one or more first parameter candidate values corresponding to the bit string, and the second extractor may extract one or more second parameter candidate values corresponding to the bit string.
The first extractor may extract the one or more first parameter candidate values on the basis of a bit value of each bit included in the bit string and a position of each bit in the bit string and the second extractor may extract the one or more second parameter candidate values on the basis of a bit value of each bit included in the bit string and the position of each bit in the bit string.
The apparatus may further include an encryptor configured to perform at least one of digital signature generation, encryption, and encryption key generation using the first output value and the second output value.
In another general aspect, there is provided a method of performing an operation, including extracting one or more first parameter candidate values corresponding to a seed value from a first parameter candidate value set, outputting a first output value using the extracted first parameter candidate values, extracting one or more second parameter candidate values corresponding to the seed value from a second parameter candidate value set, and outputting a second output value using the extracted second parameter candidate values, wherein the second output value is capable of being generated using the first output value.
The second output value may have a value equal to a value obtained through an operation using the first output value as an exponent or a multiplier.
The second parameter candidate value set may include a plurality of second parameter candidate values equal to values obtained through an operation using each of the first parameter candidate values included in the first parameter candidate value set as an exponent or a multiplier.
The extracted second parameter candidate values may have values equal to values obtained through an operation using each of the extracted first parameter candidate values as an exponent or a multiplier.
The seed value may be formed by an arbitrary bit string, the extracting of the first parameter candidate values may include extracting one or more first parameter candidate values corresponding to the bit string, and the extracting of the second parameter candidate values may include extracting one or more second parameter candidate values corresponding to the bit string.
The extracting of the first parameter candidate values may include extracting the one or more first parameter candidate values on the basis of a bit value of each bit included in the bit string and a position of each bit in the bit string and the extracting of the second parameter candidate values may include extracting the one or more second parameter candidate values on the basis of a bit value of each bit included in the bit string and the position of each bit in the bit string.
The method may further include performing at least one of digital signature generation, encryption, and encryption key generation using the first output value and the second output value.
Other features and aspects will be apparent from the following detailed description, the drawings, and the claims.
Throughout the drawings and the detailed description, unless otherwise described, the same drawing reference numerals will be understood to refer to the same elements, features, and structures. The relative size and depiction of these elements may be exaggerated for clarity, illustration, and convenience.
The following description is provided to assist the reader in gaining a comprehensive understanding of the methods, apparatuses, and/or systems described herein. Accordingly, various changes, modifications, and equivalents of the methods, apparatuses, and/or systems described herein will be suggested to those of ordinary skill in the art.
Descriptions of well-known functions and constructions may be omitted for increased clarity and conciseness. Also, terms described below are selected by considering functions in the embodiment, and their meanings may vary depending on, for example, a user or operator's intentions or customs. Therefore, definitions of the terms should be made on the basis of the overall context. The terminology used in the detailed description is provided only to describe embodiments of the present disclosure and not for purposes of limitation. Unless the context clearly indicates otherwise, the singular forms include the plural forms. It should be understood that the terms “comprises” or “includes” specify some features, numbers, steps, operations, elements, and/or combinations thereof when used herein, but do not preclude the presence or possibility of one or more other features, numbers, steps, operations, elements, and/or combinations thereof in addition to the description.
Referring to
The first extractor 110 extracts one or more first parameter candidate values that correspond to a seed value from a set of first parameter candidate values (hereinafter referred to as a first parameter candidate value set).
In this case, the seed value may be an arbitrary value represented by a bit string of a predetermined length. For example, the seed value may be an arbitrary value generated within a predetermined range. In another example, the seed value may be a value obtained by converting a user's ID or an arbitrarily generated value into a bit string of a predetermined length using, for example, a hash function.
In the embodiment of the present disclosure, the seed value may be a value generated using various methods in addition to the above example, and need not be necessarily generated using a particular method.
The first parameter candidate value set may include a plurality of first parameter candidate values. In this case, each of the first parameter candidate values may be a pre-generated arbitrary value or a value selected from a predetermined range.
According to one embodiment of the present disclosure, the first extractor 110 may extract one or more first parameter candidate values corresponding to the bit string of the seed value.
In addition, according to one embodiment of the present disclosure, the first extractor 110 may extract one or more first parameter candidate values on the basis of a bit value of each bit included in the bit string of the seed value and the position of each bit in the bit string.
The second extractor 120 extracts one or more second parameter candidate values corresponding to the seed value from a set of second parameter candidate values (hereinafter referred to as a second parameter candidate value set).
In this case, the second parameter candidate value set may include a plurality of second parameter candidate values. Each of the second parameter candidate values may have the same value as a value obtained through an operation using each of the first parameter candidate values included in the first parameter candidate value set as an exponent or a multiplier.
For example, each of the second parameter candidate values may have the same value obtained through an exponentiation operation using the first parameter candidate values as an exponent as shown in Equation 1 below.
r=g^{k} (1)
Here, k denotes a first parameter candidate value, r denotes a second parameter candidate value, g denotes a generator of a multiplicative group having p as an order, and p denotes an arbitrary prime number. Hereinafter, k, r, g, and p represent the same as defined above.
In another example, each of the second parameter candidate values may have the same value as a value obtained through a scalar multiplication operation using the first parameter candidate values as a multiplier as shown in Equation 2 below.
r=k·P (2)
Here, P represents a generator of an additive group (e.g., an elliptic curve group) having p as an order, and hereinafter represents the same.
According to one embodiment of the present disclosure, the second extractor 120 may extract one or more second parameter candidate values corresponding to a bit string of the seed value.
In addition, according to one embodiment of the present disclosure, the second extractor 120 may extract one or more second parameter candidate values on the basis of a bit value of each of the bits included in the bit string of the seed value and a position of each of the bits in the bit string.
Meanwhile, according to one embodiment of the present disclosure, each of the second parameter candidate values extracted by the second extractor 120 may have a value equal to a value generated using each of the first parameter candidate values extracted by the first extractor 110 as an exponent or a multiplier.
The first outputter 130 generates a first output value using one or more first parameter candidate values extracted by the first extractor 110 and the second outputter 140 generates a second output value using one or more second parameter candidate values extracted by the second extractor 120.
In this case, the second output value may have a value equal to a value obtained through an operation using the first output value as an exponent or a multiplier.
For example, when n (where n is an integer greater than 1) first parameter candidate values and n second parameter candidate values are extracted, the first outputter 130 may generate a first output value by adding the n extracted first parameter candidate values to each other as shown in Equation 3 below.
a=k_{e1}+k_{e2}+ . . . +k_{en} (3)
In addition, the second outputter 140 may generate the second output value by adding or multiplying the n extracted second parameter candidate values with each other.
For example, when the second parameter candidate value set includes the second parameter candidate values that can be generated through an operation using each of the first parameter candidate values included in the first parameter candidate value set as an exponent, the second outputter 140 may generate the second output value by multiplying the n extracted second parameter candidate values as shown in Equation 4 below.
b=r_{e1}×r_{e2}× . . . ×r_{en} (4)
In this case, Equation 4 can be expressed as Equation 5 below.
b=g^{(k_{e1}+k_{e2}+ . . . +k_{en})}=g^{a} (5)
That is, referring to Equation 5, it can be seen that the second output value output by the second outputter 140 is equal to a value obtained through an operation using the first output value as an exponent.
Meanwhile, when the second parameter candidate value set includes second parameter candidate values that can be generated through an operation using each of the first parameter candidate values included in the first parameter candidate value set as a multiplier, the second outputter 140 may generate the second output value by adding the n extracted second parameter candidate values to each other as shown in Equation 6 below.
b=r_{e1}+r_{e2}+ . . . +r_{en} (6)
In this case, Equation 6 can be expressed as Equation 7 below.
b=(k_{e1}+k_{e2}+ . . . +k_{en})·P=a·P (7)
That is, referring to Equation 7, it can be seen that the second output value output by the second outputter 140 is equal to a value obtained through an operation using the first output value as a multiplier.
Referring to
The encryptor 150 performs at least one of encryption key generation, digital signature generation, and encryption using a first output value and a second output value.
For example, the encryptor 150 may generate an encryption key using a key exchange algorithm, such as a Diffie-Hellman key exchange algorithm, which requires an exponentiation operation.
Specifically, an illustrative encryption key generation procedure in accordance with a Diffie-Hellman key exchange algorithm is as follows:
1) A chooses a random integer X_{1}, where X_{1}∈[1,p−1], and then generates Y_{1}=g^{X_{1}} mod p
2) B chooses a random integer X_{2}, where X_{2}∈[1,p−1], and then generates Y_{2}=g^{X_{2}} mod p
3) A and B exchange Y_{1} and Y_{2}
4) A computes S_{k}=Y_{2}^{X_{1}} mod p=g^{X_{1}X_{2}} mod p to generate an encryption key S_{k}
5) B computes S_{k}=Y_{1}^{X_{2}} mod p=g^{X_{1}X_{2}} mod p to generate an encryption key S_{k}
In this case, the encryptor 150 may use the first output value as X_{1} or X_{2} and use the second output value as g^{X_{1}} or g^{X_{2}}. That is, the encryptor 150 may generate Y_{1} or Y_{2} without a direct operation for g^{X_{1}} or g^{X_{2}}.
In another example, the encryptor 150 may generate an encryption key according to a key exchange algorithm, such as an elliptic curve Diffie-Hellman (ECDH) key exchange algorithm, which requires a scalar multiplication operation.
Specifically, an illustrative encryption key generation procedure in accordance with an ECDH key exchange algorithm is as follows:
1) A chooses a random integer X_{a}, where X_{a}∈[1,n−1], and then generates Y_{a}=X_{a}·P
2) B chooses a random integer X_{b}, where X_{b}∈[1,n−1], and then generates Y_{b}=X_{b}·P
3) A and B exchange Y_{a} and Y_{b}
4) A computes S_{k}=X_{a}·Y_{b}=X_{a}·(X_{b}·P) to generate an encryption key S_{k}
5) B computes S_{k}=X_{b}·Y_{a}=X_{b}·(X_{a}·P) to generate an encryption key S_{k}
In this case, the encryptor 150 may use the first output value as X_{a} or X_{b} and use the second output value as Y_{a} or Y_{b}. That is, the encryptor 150 may generate Y_{a} or Y_{b} without a direct operation for X_{a}·P or X_{b}·P.
In another example, the encryptor 150 may perform encryption using an encryption algorithm, such as an ElGamal encryption algorithm, which requires an exponentiation operation.
Specifically, an illustrative encryption procedure in accordance with the ElGamal encryption algorithm is as follows:
1) A random integer t is chosen, where t∈[1,p−1]
2) C_{1}=g^{t} mod p is computed
3) C_{2}=(pk^{t} mod p)·M is computed (where pk is a public key and M is a message to be encrypted)
4) Encrypted text (C_{1}, C_{2}) is output
In this case, the encryptor 150 may use the first output value as t and use the second output value as g^{t}. That is, the encryptor 150 may generate the encrypted text C_{1} without a direct operation for g^{t}.
In another example, the encryptor 150 may perform encryption using an encryption algorithm, such as an elliptic curve cryptography (ECC) algorithm, which requires a scalar multiplication operation.
Specifically, an illustrative encryption procedure in accordance with the ECC algorithm is as follows:
1) A random integer t is chosen, where t∈[1,n−1]
2) C_{1}=t·P is computed
3) C_{2}=t·Q+M is computed (where Q is a public key and M is a message to be encrypted)
4) Encrypted text (C_{1}, C_{2}) is output
In this case, the encryptor 150 may use the first output value as t and use the second output value as C_{1}. That is, the encryptor 150 may generate the encrypted text C_{1} without a direct operation for t·P.
In another example, the encryptor 150 may generate a digital signature using a digital signature algorithm (DSA) which requires an exponentiation operation.
Specifically, an illustrative digital signature generation procedure in accordance with DSA is as follows:
1) A random integer t is chosen, where t∈[1,q−1] (where, q is a prime divisor of p−1)
2) R=(g^{t} mod p) mod q is computed
3) S=t^{−1}(H(m)+CR) mod q is computed (where C is a secret key, m is a message, and H( ) is a hash function)
4) Signature values (R, S) for a message are output
In this case, the encryptor 150 may use the first output value as t and use the second output value as g^{t}. That is, the encryptor 150 may generate a signature value R without a direct operation for g^{t}.
In another example, the encryptor 150 may generate a digital signature using a digital signature algorithm, such as an elliptic curve digital signature algorithm (ECDSA), which requires a scalar multiplication operation.
Specifically, a digital signature generation procedure in accordance with the ECDSA is as follows:
1) A random integer t is selected, where t∈[1,n−1]
2) t·P=(x_{1}, y_{1}) is computed
3) R=x_{1} mod n is computed
4) S=t^{−1}(H(m)+CR) mod n is computed (where C is a secret key, m is a message, and H( ) is a hash function)
5) Signature values (R, S) for a message are output
In this case, the encryptor 150 may use the first output value as t and use the second output value as t·P. That is, the encryptor 150 may generate a digital value R without a direct operation for t·P.
Meanwhile, in the example shown in
Referring to
Meanwhile, the first parameter candidate value set 300 may include 2^{n }(where n is a length of a seed value) first parameter candidate values and the second parameter candidate value set 400 may include the same number of second parameter candidate values as the number of the first parameter candidate values included in the first parameter candidate value set 300. In the example shown in
Meanwhile, each of the second parameter candidate values included in the second parameter candidate value set 400 may be the same as a value generated through an operation using the first parameter candidate value having the same index value as the second parameter candidate value as an exponent or a multiplier.
Specifically, second parameter candidate value r_{1} having an index value ‘000’ may be the same as a value generated through an exponentiation operation that uses first parameter candidate value k_{1} having an index value ‘000,’ as shown in Equation 8 below.
r_{1}=g^{k_{1}} (8)
In another example, second parameter candidate value r_{1} having an index value ‘000’ may be the same as a value generated through a scalar multiplication operation that uses first parameter candidate value k_{1} which has an index value ‘000’ as a multiplier, as shown in Equation 9 below.
r_{1}=k_{1}·P (9)
Meanwhile, the first extractor 110 may compare an index value of each of the first parameter candidate values included in the first parameter candidate value set 300 to the seed value to extract a first parameter candidate value having an index value identical to the seed value. In this case, the first outputter 130 may output the extracted first parameter candidate value as a first output value.
In addition, the second extractor 120 may compare an index value of each of the second parameter candidate values included in the second parameter candidate value set 400 to the seed value to extract a second parameter candidate value having an index value identical to the seed value. In this case, the second outputter 140 may output the extracted second parameter candidate value as a second output value.
For example, when the seed value is ‘010,’ the first extractor 110 may extract a first parameter candidate value k_{3} that has an index value ‘010’ from the first parameter candidate value set 300 and the second extractor 120 may extract a second parameter candidate value r_{3} that has an index value ‘010’ from the second parameter candidate value set 400.
In this case, the first outputter 130 may output the extracted k_{3} as the first output value and the second outputter 140 may output the extracted r_{3} as the second output value.
Specifically, in the example shown in
11 or 12.
a=k_{3} (10)
b=r_{3}=g^{k_{3}}=g^{a} (11)
b=r_{3}=k_{3}·P=a·P (12)
That is, referring to Equations 11 and 12, it can be seen in the example shown in
In the example shown in
Referring to
The first parameter candidate value set 500 may include n (where n is a length of the seed value) first parameter candidate values and the second parameter candidate value set 600 may include the same number of second parameter candidate values as the number of the first parameter candidate values included in the first parameter candidate value set 500. In the example shown in
Meanwhile, each of the second parameter candidate values included in the second parameter candidate value set 600 may be the same as a value generated through an operation using the first parameter candidate value having the same index value as the second parameter candidate value as an exponent or a multiplier.
Specifically, a second parameter candidate value r_{2} having an index value of ‘2’ may be the same as a value obtained through an exponentiation operation using a first parameter candidate value k_{2} having an index value of ‘2’ as an exponent, as shown in Equation 13 below.
r_{2}=g^{k_{2}} (13)
In another example, a second parameter candidate value r_{2} having an index value of ‘2’ may be the same as a value obtained through a scalar multiplication operation using a first parameter candidate value k_{2} having an index value of ‘2’ as a multiplier, as shown in Equation 14.
r_{2}=k_{2}·P (14)
The first extractor 110 may extract one or more first parameter candidate values having an index value corresponding to a position of a specific bit value in a bit string of the seed value from the first parameter candidate value set 500. In addition, the second extractor 120 may extract one or more second parameter candidate values corresponding to a position of a specific bit value in a bit string of the seed value.
For example, assuming that the seed value is ‘01100010,’ a bit value of ‘1’ is placed at the second, third and seventh positions in the seed value and a bit value of ‘0’ is placed at the first, fourth, fifth, sixth, and eighth positions.
In this case, the first extractor 110 and the second extractor 120 may respectively extract the first parameter candidate values {k_{2}, k_{3}, k_{7}} and the second parameter candidate values {r_{2}, r_{3}, r_{7}} that have index values 2, 3, and 7, respectively, corresponding to the positions of the bit value of ‘1’ in the seed value. In another example, the first extractor 110 and the second extractor 120 may respectively extract the first parameter candidate values {k_{1}, k_{4}, k_{5}, k_{6}, k_{8}} and the second candidate values {r_{1}, r_{4}, r_{5}, r_{6}, r_{8}} that have index values 1, 4, 5, 6, 8, respectively, corresponding to the positions of a bit value of ‘0’ in the seed value.
In the above-described example, when the first parameter candidate values {k_{2}, k_{3}, k_{7}} and the second parameter candidate values {r_{2}, r_{3}, r_{7}} are extracted, the first outputter 130 may generate a first output value using, for example, Equation 15 below.
a=k_{2}+k_{3}+k_{7} (15)
In addition, when the second parameter candidate values {r_{2}, r_{3}, r_{7}} are equal to values obtained through an operation using each of the first parameter candidate values {k_{2}, k_{3}, k_{7}} as an exponent, the second outputter 140 may generate a second output value using, for example, Equation 16 below.
b=r_{2}×r_{3}×r_{7} (16)
In this case, Equation 16 can be expressed as Equation 17 below.
b=g^{(k_{2}+k_{3}+k_{7})}=g^{a} (17)
On the other hand, when the extracted second parameter candidate values {r_{2}, r_{3}, r_{7}} are equal to values obtained through an operation using each of the first parameter candidate values {k_{2}, k_{3}, k_{7}} as a multiplier, the second outputter 140 may generate a second output value using, for example, Equation 18 below.
b=r_{2}+r_{3}+r_{7} (18)
In this case, Equation 18 can be expressed as Equation 19 below.
b=(k_{2}+k_{3}+k_{7})·P=a·P (19)
That is, referring to Equations 16 to 19, it can be seen in the example shown in
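The additive case of Equations 18 and 19, carried through to the ECDH procedure described earlier, as an added example that is not part of the patent text. The toy curve, the table values and all function names are assumptions made for illustration.

```python
# Toy curve y^2 = x^3 + 2x + 2 over GF(17) with base point P = (5, 1) of prime
# order 19. Constructed parameters for illustration, far too small for real use.
FIELD, COEF_A = 17, 2
BASE = (5, 1)
ORDER = 19
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine point addition (covers doubling and inverse points)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + COEF_A) * pow(2 * y1 % FIELD, -1, FIELD) % FIELD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return x3, (lam * (x1 - x3) - y1) % FIELD


def scalar_mult(k, point):
    """Reference double-and-add: the add/double sequence follows the bits of k."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc


# First table: constructed stand-ins for pregenerated secrets k_1..k_8.
K_TABLE = {1: 3, 2: 7, 3: 11, 4: 2, 5: 13, 6: 5, 7: 17, 8: 8}
# Second table: r_i = k_i * P, computed once ahead of time.
R_TABLE = {i: scalar_mult(k, BASE) for i, k in K_TABLE.items()}


def extract_indices(seed):
    """Index values = positions (counted from 1) of '1' bits in the seed string."""
    return [pos for pos, bit in enumerate(seed, start=1) if bit == "1"]


def output_pair(seed):
    """Return (a, b): a = sum of k_i mod the group order, b = sum of r_i = a*P."""
    a, b = 0, INF
    for i in extract_indices(seed):
        a = (a + K_TABLE[i]) % ORDER
        b = ec_add(b, R_TABLE[i])  # point additions only, no scalar multiplication
    return a, b


def ecdh_demo(seed_a="01100010", seed_b="10010001"):
    """ECDH steps 1-5 with (X_a, Y_a) and (X_b, Y_b) taken from the tables."""
    x_a, y_a = output_pair(seed_a)
    x_b, y_b = output_pair(seed_b)
    # Steps 4 and 5 remain ordinary scalar multiplications by the secret;
    # the tables only replace the computation of Y = X * P in steps 1 and 2.
    return scalar_mult(x_a, y_b), scalar_mult(x_b, y_a)


if __name__ == "__main__":
    print(output_pair("01100010"), ecdh_demo())
```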
In the example shown in
Referring to
The first parameter candidate value set 700 may include 2×n (where n is a length of the seed value) first parameter candidate values and the second parameter candidate value set 800 may include the same number of second parameter candidate values as the number of the first parameter candidate values included in the first parameter candidate value set 700. In the shown example, as the length of the seed value is assumed to be 8 bits, the first parameter candidate value set 700 includes 2×8 first parameter candidate values and the second parameter candidate value set 800 also includes 2×8 second parameter candidate values.
Meanwhile, each of the second parameter candidate values included in the second parameter candidate value set 800 may be equal to a value generated through an operation using the first parameter candidate value having the same index value as the second parameter candidate value as an exponent or a multiplier.
Specifically, a second parameter candidate value r_{i,j} may be the same as a value obtained through an exponentiation operation using, for example, a first parameter candidate value k_{i,j} as an exponent, as shown in Equation 20 below.
r_{i,j}=g^{k_{i,j}} (20)
In another example, the second parameter candidate value may be the same as a value obtained through a scalar multiplication operation using a first parameter candidate value k_{i,j} as a multiplier, as shown in Equation 21 below.
r_{i,j}=k_{i,j}·P (21)
Meanwhile, the first extractor 110 may extract a plurality of first parameter candidate values having index values respectively corresponding to a bit value of each bit constituting a bit string of the seed value and a position of the bit in the bit string from the first parameter candidate value set 700. In addition, the second extractor 120 may extract a plurality of second parameter candidate values having index values respectively corresponding to a bit value of each bit constituting a bit string of the seed value and a position of the bit in the bit string from the second parameter candidate value set 800.
Specifically, for example, assuming that the seed value is ‘01100010,’ a bit value of the first bit in the seed value is ‘0,’ and thus the first extractor 110 and the second extractor 120 may respectively extract a first parameter candidate value k_{0,1} and a second parameter candidate value r_{0,1} that have index values of (0,1).
In addition, since a bit value of the second bit in the seed value is ‘1,’ the first extractor 110 and the second extractor 120 may respectively extract a first parameter candidate value k_{1,2} and a second parameter candidate value r_{1,2} that have index values of (1,2).
In the same way, the first extractor 110 may extract first parameter candidate values {k_{0,1}, k_{1,2}, k_{1,3}, k_{0,4}, k_{0,5}, k_{0,6}, k_{1,7}, k_{0,8}} and the second extractor 120 may extract second parameter candidate values {r_{0,1}, r_{1,2}, r_{1,3}, r_{0,4}, r_{0,5}, r_{0,6}, r_{1,7}, r_{0,8}}.
In this case, the first outputter 130 may generate a first output value using, for example, Equation 22 below.
a=k_{0,1}+k_{1,2}+k_{1,3}+k_{0,4}+k_{0,5}+k_{0,6}+k_{1,7}+k_{0,8} (22)
When the second parameter candidate value included in the second parameter candidate value set 800 is the same as a value obtained through, for example, an exponentiation operation shown in Equation 20, the second outputter 140 may output a second output value using, for example, Equation 23 below.
b=r_{0,1}×r_{1,2}×r_{1,3}×r_{0,4}×r_{0,5}×r_{0,6}×r_{1,7}×r_{0,8} (23)
In this case, Equation 23 can be expressed as Equation 24.
b=g^{(k_{0,1}+k_{1,2}+k_{1,3}+k_{0,4}+k_{0,5}+k_{0,6}+k_{1,7}+k_{0,8})}=g^{a} (24)
On the other hand, when the second parameter candidate value included in the second parameter candidate value set 800 is the same as a value obtained through, for example, a multiplication operation shown in Equation 21, the second outputter 140 may output a second output value using, for example, Equation 25 below.
b=r_{0,1}+r_{1,2}+r_{1,3}+r_{0,4}+r_{0,5}+r_{0,6}+r_{1,7}+r_{0,8} (25)
In this case, Equation 25 can be expressed as Equation 26 below.
b=(k_{0,1}+k_{1,2}+k_{1,3}+k_{0,4}+k_{0,5}+k_{0,6}+k_{1,7}+k_{0,8})·P=a·P (26)
That is, referring to Equations 23 to 26, it can be seen in the example shown in
The method shown in
Referring to
In this case, according to one embodiment of the present disclosure, the apparatus 100 may extract one or more first parameter candidate values corresponding to a bit string of the seed value from the first parameter candidate value set.
In addition, according to one embodiment of the present disclosure, the apparatus 100 may extract one or more first parameter candidate values from the first parameter candidate value set on the basis of a bit value of each bit included in the bit string of the seed value and a position of each bit in the bit string.
Then, the apparatus 100 outputs a first output value using the one or more extracted first parameter candidate values (920).
In this case, according to one embodiment of the present disclosure, the apparatus 100 may generate the first output value by, for example, adding the one or more extracted first parameter candidate values to each other.
Then, the apparatus 100 extracts one or more second parameter candidate values corresponding to the seed value from a second parameter candidate value set (930).
In this case, according to one embodiment of the present disclosure, second parameter candidate values included in the second parameter candidate value set may have values equal to values obtained through an operation using each of the first parameter candidate values included in the first parameter candidate value set as an exponent or a multiplier.
In addition, according to one embodiment of the present disclosure, the apparatus 100 may extract one or more second parameter candidate values corresponding to the bit string of the seed value from the second parameter candidate value set.
Additionally, according to one embodiment of the present disclosure, the apparatus 100 may extract one or more second parameter candidate values from the second parameter candidate value set on the basis of a bit value of each bit included in the bit string of the seed value and a position of each bit in the bit string.
According to one embodiment of the present disclosure, the second parameter candidate values extracted from the second parameter candidate value set may each be the same as a value generated through an operation using each of the first parameter candidate values extracted in operation 910 as an exponent or a multiplier.
Then, the apparatus 100 outputs a second output value using the one or more extracted second parameter candidate values (940).
In this case, according to one embodiment of the present disclosure, the apparatus 100 may generate the second output value by, for example, adding or multiplying the one or more extracted second parameter candidate values with each other, and the second output value may be the same as a value obtained through an operation using the first output value as an exponent or a multiplier.
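The worked example of Equations 20 and 22 to 24 and the method steps 910 to 940 can be checked with the following added sketch, which is not code from the patent. The group parameters P, Q and G, the function names, and the reduction of the sum modulo Q are assumptions made for illustration.

```python
import secrets

# Constructed toy parameters (assumptions, not from the patent text):
# P = 2*Q + 1 is a safe prime and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4
N = 8  # seed length in bits, as in the worked example


def build_tables(n=N):
    """Precompute 2 x n exponents k[bit][pos] and r[bit][pos] = G^k mod P (Eq. 20)."""
    k = [[secrets.randbelow(Q - 1) + 1 for _ in range(n)] for _ in range(2)]
    r = [[pow(G, e, P) for e in row] for row in k]
    return k, r


def selected_indices(seed, n=N):
    """Index pairs (bit value, 1-based position), first bit of the string first."""
    return [((seed >> (n - 1 - i)) & 1, i + 1) for i in range(n)]


def derive(seed, k, r, n=N):
    """Return (a, b): a is the sum of Eq. 22, b the product of Eq. 23.

    Reducing a modulo the group order Q is a choice made here; it leaves
    G^a mod P unchanged because G has order Q.
    """
    a, b = 0, 1
    for bit, pos in selected_indices(seed, n):
        a = (a + k[bit][pos - 1]) % Q      # additions only
        b = (b * r[bit][pos - 1]) % P      # multiplications only, no exponentiation
    return a, b


# Python integers and list indexing are not constant-time, so this sketch checks
# the algebra only. The table index depends on the seed bits, so where the seed
# is secret the memory access pattern of the lookups matters as well.
if __name__ == "__main__":
    k, r = build_tables()
    seed = 0b01100010                      # seed '01100010' from the text
    a, b = derive(seed, k, r)
    print(selected_indices(seed))
    print(b == pow(G, a, P))               # Eq. 24: b equals G^a
```
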
While the flowchart shown in
The illustrated computing environment 1 includes a computing device 12. In one embodiment, the computing device 12 may be one or more components included in an apparatus 100 for performing an operation.
The computing device 12 includes at least one processor 14, a computer-readable storage medium 16, and a communication bus 18. The processor 14 may enable the computing device 12 to operate according to the aforementioned exemplary embodiments. For example, the processor 14 may execute one or more programs stored in the computer-readable storage medium 16. The one or more programs may include one or more computer executable commands, and the computer executable commands may be configured to cause the computing device 12 to perform operations according to the illustrative embodiment when executed by the processor 14.
The computer-readable storage medium 16 is configured to store computer executable commands and program codes, program data and/or information in other suitable forms. The programs stored in the computer-readable storage medium 16 may include a set of commands executable by the processor 14. In one embodiment, the computer-readable storage medium 16 may be a memory (volatile memory, such as random access memory (RAM), nonvolatile memory, or a combination thereof), one or more magnetic disk storage devices, optical disk storage devices, flash memory devices, storage media in other forms capable of being accessed by the computing device 12 and storing desired information, or a combination thereof.
The communication bus 18 interconnects various other components of the computing device 12 including the processor 14 and the computer-readable storage medium 16.
The computing device 12 may include one or more input/output interfaces 22 for one or more input/output devices 24 and one or more network communication interfaces 26. The input/output interface 22 and the network communication interface 26 are connected to the communication bus 18. The input/output device 24 may be connected to other components of the computing device 12 through the input/output interface 22. The illustrative input/output device 24 may be a pointing device (a mouse, a track pad, or the like), a keyboard, a touch input device (a touch pad, a touch screen, or the like), an input device, such as a voice or sound input device, various types of sensor devices, and/or a photographing device, and/or an output device, such as a display device, a printer, a speaker, and/or a network card. The illustrative input/output device 24 which is one component constituting the computing device 12 may be included inside the computing device 12 or may be configured as a separate device from the computing device 12 and connected to the computing device 12.
According to the embodiments of the present disclosure, it is possible to generate a value equal to a value derived through an exponentiation operation or a scalar point multiplication operation using previously generated parameter candidate value sets and a simple operation secure against side-channel attack, thereby improving security against side-channel attack without degrading performance.
A number of examples have been described above. Nevertheless, it will be understood that various modifications may be made. For example, suitable results may be achieved if the described techniques are performed in a different order and/or if components in a described system, architecture, device, or circuit are combined in a different manner and/or replaced or supplemented by other components or their equivalents. Accordingly, other implementations are within the scope of the following claims.