2002, Lecture Notes in Computer Science
Sflash is a multivariate signature scheme, and a candidate for standardisation, currently evaluated by the European call for primitives Nessie. The present paper is about the design of a highly optimized implementation of Sflash on a low-cost 8-bit smart card (without coprocessor). On top of this, we will also present a method to protect the implementation against power attacks such as Differential Power Analysis. Our fastest implementation of Sflash takes 59 ms on an 8051-based CPU at 10 MHz. Though the security of Sflash is not as well understood as, for example, that of RSA, Sflash is apparently the fastest signature scheme known. It is suitable for implementing PKI on low-cost smart cards, tokens or palm devices. It also allows secure low-cost payment/banking solutions to be proposed.
The idea of using multivariate polynomials as public keys has attracted several cryptographers. The SFlash signature scheme is a variant of the Matsumoto and Imai multivariate public key cryptosystem and was selected by the NESSIE Consortium. In this paper we describe a hardware implementation of SFlash based on bit-parallel architectures to achieve high-speed circuits for operations on finite fields, which can be efficiently used as an authentication unit in wireless devices, smart cards and RFID networks. We have proposed a new generalization of the Karatsuba-Ofman multiplier as the core of the design. An ASIC chip can be realized with a 78K gate count and 2.8 mm² die size in 0.35 µm CMOS technology, with a maximum clock frequency of 140 MHz, which takes about 21.5 µs to sign 259 bits of data.
2007
Note: This document specifies the updated final version of the SFLASH signature scheme, slightly modified as allowed in the second stage of the Nessie evaluation process, in order to improve the speed and the security. This is therefore the only official version of SFLASH. In some ...
New, third version of Sflash specification (Sflash …
Note: SFLASH v2 is one of the three asymmetric signature schemes recommended by the Nessie European consortium for low-cost smart cards [21, 16]. The latest implementation report shows that SFLASH v2 is the fastest signature scheme known, see [1] for details. This document ...
Lecture Notes in Computer Science
ESIGN is an efficient digital signature algorithm [OkS, Ok], whose computation speed is more than twenty times faster than that of the RSA scheme, while its key length and signature length are comparable to those of the RSA scheme. This paper presents a software implementation of ESIGN on an 8-bit microprocessor smart card. This achieves a computation time for signature generation of about 0.2 seconds. To achieve this remarkable speed for signature generation, appropriate implementation techniques such as precomputation and table look-up are used effectively. Moreover, this software implementation is compact enough for smart cards; the program size and the data size including the work area are at most 3 Kbytes each. Practical identification schemes based on ESIGN are also presented.
Lecture Notes in Computer Science, 2008
Digital signatures are one of the most important applications of microprocessor smart cards. The most widely used algorithms for digital signatures, RSA and ECDSA, depend on finite field engines. On 8-bit microprocessors these engines either require costly coprocessors, or the implementations become very large and very slow. Hence the need for better methods is highly visible. One alternative to RSA and ECDSA is the Merkle signature scheme, which provides digital signatures using hash functions only, without relying on any number-theoretic assumptions. In this paper, we present an implementation of the Merkle signature scheme on an 8-bit smart card microprocessor. Our results show that the Merkle signature scheme provides timings comparable to state-of-the-art implementations of RSA and ECDSA, while maintaining a smaller code size.
IEICE Transactions on Communications, 2005
Digital signature is by far one of the most important cryptographic techniques used in e-government and e-commerce applications. It provides authentication of senders or receivers and offers non-repudiation of transmission (senders cannot deny their digital signature on the signed documents, and the document cannot be altered in transmission without being detected). This paper presents our implementation results of digital signature algorithms on IC cards using the byte-unit modular arithmetic algorithm method [13], [20]. We evaluated the performance of the well-known ESIGN and RSA digital signature algorithms on dedicated IC card chips and showed that ESIGN is more efficient than RSA.
Lecture Notes in Computer Science, 2000
In most currently used public-key cryptographic systems, including those based on the difficulty of either factoring large numbers, like RSA [RSA78], or extracting a discrete logarithm of a large number [Elg85, DH76, US 94], the most time-consuming part is modular exponentiation. The basis of this computation is modular multiplication. We demonstrate the ability to implement very efficiently public-key cryptographic
Lecture Notes in Computer Science, 1995
Small units like chip cards have the possibility of computing, storing and protecting data. Today such chip cards have limited computing power, so some cryptoprotocols are too slow. Some new chip cards with secure fast coprocessors are coming, but they are not very reliable at the moment and a little bit expensive for some applications. In banking applications there are few servers (ATMs) relative to many small units: it is a better strategy to put the computing power into a few large servers than into the not-very-often-used cards. A possible solution is to use the computing power of the (insecure) server to help the chip card. But it remains an open question whether it is possible to significantly accelerate RSA signatures using an insecure server with the possibility of active attacks: that is, when the server returns false values to get some part of the secret from the card. In this paper, we propose a new efficient protocol for accelerating RSA signatures, resistant against all known active and passive attacks. This protocol does not use expensive precomputations; the computation done by the card, the RAM used and the data transfers between the card and the server are small. With current chip cards it is thus possible to implement this protocol efficiently.
2018 International Conference on Computing, Networking and Communications (ICNC), 2018
People use their personal computers, laptops, tablets and smartphones to digitally sign documents on company websites and in other online electronic applications, and one of the main cybersecurity challenges in this process is trusted digital signature. While the majority of systems use password-based authentication to secure electronic signatures, some more critical systems use USB tokens and smart cards to prevent identity theft and implement a trusted digital signing process. Even though a smart card provides stronger security, any weakness in the terminal itself can compromise the security of the smart card. In this paper, we investigate current smart card digital signature, and illustrate well-known basic vulnerabilities of smart card terminals with real implementations of two possible attacks, PIN sniffing and message alteration just before signing. As we focus on the second attack in this paper, we propose a novel mechanism using time-based digital signing by the smart card to defend against the message alteration attack. Our prototype implementation and performance analysis illustrate that our proposed mechanism is feasible and provides stronger security. Our method uses popular timestamping protocol packets and does not require any new key distribution or certificate issuance.
Lecture Notes in Computer Science
In this paper, we present a practical attack on the signature scheme SFLASH proposed by Patarin, Goubin and Courtois in 2001 following a design they had introduced in 1998. The attack only needs the public key and requires about one second to forge a signature for any message, after a one-time computation of several minutes. It can be applied to both SFLASH v2 which was accepted by NESSIE, as well as to SFLASH v3 which is a higher security version.
Lecture Notes in Computer Science, 2007
SFLASH is a signature scheme which belongs to a family of multivariate schemes proposed by Patarin et al. in 1998 [9]. The SFLASH scheme itself was designed in 2001 [8] and was selected in 2003 by the NESSIE European Consortium [6] as the best known solution for implementation on low-cost smart cards. In this paper, we show that slight modifications of the parameters of SFLASH within the general family initially proposed render the scheme insecure. The attack uses simple linear algebra, and allows a signature to be forged for an arbitrary message in a matter of minutes for practical parameters, using only the public key. Although SFLASH itself is not amenable to our attack, it is worrying to observe that no rationale was ever offered for this "lucky" choice of parameters.
Note: This document specifies the updated final version of the Quartz signature scheme, slightly modified as allowed in the second stage of the Nessie evaluation process, in order to improve the speed and the security. In some papers that refer to the old version, it is sometimes called Quartz v1, and Quartz v2 is the new version. This is therefore the only official version of Quartz. We note that the key generation has not changed, the signature computation has changed, and the signature verification has changed slightly. In the Appendix of the present document we summarize all the changes to Quartz, for readers and developers who are acquainted with the previous version. It also includes an explanation of why these changes have been made.
Lecture Notes in Computer Science, 1991
Algorithms best suited for flexible smart card applications are based on public key cryptosystems: RSA, zero-knowledge protocols, etc. Their practical implementation (execution in ≈1 second) entails a computing power beyond the reach of classical smart cards, since large integers (512 bits) have to be manipulated in complex ways (exponentiation). CORSAIR achieves up to 40 (8-bit) MIPS with a clock speed of 6 MHz. This allows X^E mod M to be computed, with 512-bit operands, in less than 1.5 seconds (0.4 sec for a signature). The new smart card is in the final design stage; the first test chips should be available by the end of 1990.
IEEE 17th International Conference on Application-specific Systems, Architectures and Processors (ASAP'06), 2006
public key authentication on 8-bit smart cards. Elliptic curve cryptography is used for its efficiency per bit of key, and the Elliptic Curve Digital Signature Algorithm is chosen. For this functionality, an area-constrained coprocessor is probably the best approach to perform the most compute-intensive operations at an acceptable speed, considering the limited memory and power of the selected platform. For that purpose, scalar point multiplication in GF(2^m) in both affine and projective coordinates was implemented in order to compare their performance with the same level of optimization and the same technology. A hardware/software co-design strategy was also used to avoid the need for a dedicated register file.
Lecture Notes in Computer Science, 2008
In this paper we describe the first implementation on a smart card of the code-based authentication protocol proposed by Stern at Crypto'93, and we give a securization of the scheme against side-channel attacks. On the whole, this provides a secure implementation of a very practical authentication (and possibly signature) scheme which is mostly attractive for lightweight cryptography.
Smart cards have opened up possibilities for many exciting applications. However, one problem with conventional smart cards is that they only have very limited computational power. As a result, it takes too long for a smart card to perform a single RSA signature operation in real time applications. Server-aided RSA signature computation protocols offer feasible solutions for this problem. The basic idea is to distribute most of the computation to an auxiliary processor which is capable of performing fast multi-precision modular exponentiation. However, the smart card has to guard against the auxiliary processor since it may attempt to obtain information about the secret exponent or to obtain the smart card's signature on a message of its own choosing by supplying the smart card with incorrect values. The only way to defeat these attacks is for the smart card to have some means of verifying the data provided by the auxiliary processor. In this paper, we propose such a secure protocol.
Amongst areas of cryptographic research, there has recently been a widening interest in code-based cryptosystems and their implementations. Besides their a priori resistance to quantum computer attacks, they represent a real alternative to the currently used cryptographic schemes. In this paper we consider the implementation of the Stern authentication scheme and one recent variation of this scheme by Aguilar et al. These two schemes allow public authentication and public signature with public and private keys of only a few hundred bits. The contributions of this paper are twofold: first, we describe how to implement a code-based signature in a constrained device through the Fiat-Shamir paradigm; in particular we show how to deal with long signatures. Second, we implement and explain new improvements for code-based zero-knowledge signature schemes. We describe implementations for these signature and authentication schemes, secured against side-channel attacks, which drastically improve on the previous implementation presented at Cardis 2008 by Cayrel et al. We obtain a factor 3 reduction in speed and a factor of about 2 for the length of the signature. We also provide an extensive comparison with RSA signatures.
Computer systems science and engineering, 2023
Since the end of the 1990s, cryptosystems implemented on smart cards have had to deal with two main categories of attacks: side-channel attacks and fault injection attacks. Countermeasures have been developed and validated against these two types of attacks, taking into account a well-defined attacker model. This work focuses on small vulnerabilities and countermeasures related to the Elliptic Curve Digital Signature Algorithm (ECDSA). The work done in this paper focuses on protecting the ECDSA algorithm against fault-injection attacks. More precisely, we are interested in countermeasures for scalar multiplication on elliptic curves, to protect against attacks in which only a few bits of the secret may be sufficient to recover the private key. ECDSA can be implemented in different ways: in software, via dedicated hardware, or a mix of both. Many different architectures are therefore possible for an ECDSA-based system. For this reason, this work focuses mainly on the hardware implementation of the ECDSA digital signature. In addition, the proposed ECDSA architectures with and without fault detection for the scalar multiplication have been implemented on a Xilinx field programmable gate array (FPGA) platform (Virtex-5). Our implementation results have been compared and discussed. Area, frequency, area overhead and frequency degradation have been compared, and it is shown that the proposed ECDSA architecture with fault detection for the scalar multiplication allows a trade-off between the hardware overhead and the security of ECDSA.