Research on Fast and Secure Elliptic Curve Scalar Multiplication Algorithms
Abstract
Elliptic curve cryptography is an outstanding public-key cryptosystem. Its well-known advantages have given it wide application in resource-constrained devices such as smart cards, wireless networks and embedded systems. Side-channel attacks, an important part of physical security, seriously threaten the security of smart cards; among them, power analysis is especially effective against elliptic curve scalar multiplication. This thesis studies the security and efficiency of scalar multiplication under power analysis, with the aim of giving fast and secure scalar multiplication algorithms. The main results are as follows:
     1. The most common side-channel attack, simple power analysis (SPA), is analysed and summarised in depth, and on that basis an improved simple power attack is proposed: a power attack based on Markov chains. The method applies a Markov chain model to the process of deriving the key from the AD (addition/doubling) sequence; in the analysis the elliptic curve scalar multiplication algorithm is treated as a Markov chain. It is proved theoretically to be more effective than simple power analysis.
     2. A new elliptic curve scalar multiplication algorithm resistant to simple power analysis is proposed. The algorithm improves on the comb algorithm [149]: it derives from the scalar k a sequence of bit strings none of which is zero. This property guarantees a uniform computation pattern for the scalar multiplication, which in turn resists SPA. Combined with randomisation techniques, the algorithm also resists differential power analysis and other side-channel attacks. Compared with other side-channel countermeasures it sacrifices no efficiency, needing only one more point addition and one more doubling than the comb algorithm.
     3. A new fast and secure scalar multiplication algorithm is proposed. It is based on a special addition chain that uses only point additions and therefore resists SPA naturally. Exploiting the properties of the special addition chain in a new point addition formula further improves the efficiency of scalar multiplication: for a 160-bit integer with a special addition chain of length 260, only 1719 multiplications are needed. For chain lengths from 280 down to 260, the scalar multiplication is 26%~31% faster than double-and-add, 16%~22% faster than NAF, 7%~13% faster than 4-NAF, and 1%~8% faster than the best current method, double-base chains.
     4. The identity (a+b)^2 - a^2 - b^2 = 2ab is applied to point operations in Jacobian coordinates, replacing multiplications by the somewhat cheaper squaring operation. This reduces the cost of point addition, doubling, mixed addition and tripling; the gain is largest for tripling. The technique supports the recent fast scalar multiplication methods based on multi-base chain expansions of the scalar.
     5. A new elliptic curve scalar multiplication algorithm based on side-channel atomic blocks is proposed. Compared with earlier atomic block structures, our algorithm not only resists simple side-channel attacks but is also considerably more efficient: with NAF scalar expansion, our atomic block structure improves on previous schemes by 30%.
     6. An efficient and flexible countermeasure against power attacks, the fractional window method, is proposed. Based on the improved NAFw algorithm [128], it resists not only SPA but also combined SPA/DPA and combined SPA/second-order DPA attacks; the window width can be chosen as required, and the method suits memory-constrained devices. It is more efficient than the integral window method.
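To make the "AD sequence" of point 1 and the "uniform computation pattern" of point 2 concrete, here is an added Python example that is not part of the thesis. It models only the schedule of point operations (D = doubling, A = addition) that the binary method, the NAF method and an "always double-and-add" method execute for a given scalar, and counts how many distinct schedules occur over all scalars of a given length. A method whose schedule varies with the scalar exposes the scalar to SPA; a method whose schedule is constant does not. The "always double-and-add" scheduler is a textbook stand-in assumed here for illustration, not the comb-based algorithm the thesis proposes.

```python
# Added example, not from the thesis: which point operations does each scalar
# multiplication method execute, and does that schedule depend on the scalar?
# Only the operation schedule is modelled; no curve arithmetic is performed.


def trace_double_and_add(k, bitlen):
    """Left-to-right binary method: one doubling per bit, an addition only where the bit is 1."""
    ops = []
    for i in range(bitlen - 1, -1, -1):
        ops.append("D")
        if (k >> i) & 1:
            ops.append("A")
    return "".join(ops)


def trace_double_and_add_always(k, bitlen):
    """Regular stand-in (an assumption of this example, not the thesis's comb variant):
    every bit costs one D and one A, the addition result being discarded for 0-bits,
    so the schedule never depends on k."""
    return "DA" * bitlen


def naf_digits(k):
    """Non-adjacent form of k, least-significant digit first, digits in {-1, 0, 1}."""
    digits = []
    while k > 0:
        if k & 1:
            d = 2 - (k & 3)  # 1 when k = 1 (mod 4), -1 when k = 3 (mod 4)
            k -= d
        else:
            d = 0
        digits.append(d)
        k >>= 1
    return digits


def trace_naf(k, bitlen):
    """Left-to-right NAF method: a doubling per digit, an addition per nonzero digit.
    Adding P and adding -P cost the same, so an observer sees only 'A' for both."""
    ops = []
    for d in reversed(naf_digits(k)):
        ops.append("D")
        if d != 0:
            ops.append("A")
    return "".join(ops)


def distinct_schedules(trace_fn, bitlen):
    """Number of different operation schedules over all scalars 1 .. 2^bitlen - 1."""
    return len({trace_fn(k, bitlen) for k in range(1, 1 << bitlen)})


def is_spa_regular(trace_fn, bitlen):
    """True when every scalar of the given length produces the same schedule."""
    return distinct_schedules(trace_fn, bitlen) == 1


def regularity_report(bitlen=6):
    """Map each method name to the number of distinct schedules it exposes."""
    methods = {
        "double-and-add": trace_double_and_add,
        "NAF": trace_naf,
        "double-and-add-always": trace_double_and_add_always,
    }
    return {name: distinct_schedules(fn, bitlen) for name, fn in methods.items()}


if __name__ == "__main__":
    for name, count in regularity_report(6).items():
        print(f"{name:24s} distinct schedules over 6-bit scalars: {count}")
```

For 6-bit scalars the binary method yields 63 distinct schedules (one per scalar, so the schedule is the scalar), the NAF method collapses sign information but still varies with the scalar, and the regular variant yields a single schedule. The same check can be run over a logged operation sequence from a real implementation to confirm the uniform behaviour that point 2 requires.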
Elliptic curve cryptography is an outstanding public-key cryptosystem. It is well known for its advantages, which have given it wide application in smart cards, wireless networks and embedded systems with limited resources. As an important part of physical security, side-channel attacks menace the security of these systems; in particular, power attacks are severe for the security of elliptic curve scalar multiplication. This doctoral thesis focuses on the security and efficiency of scalar multiplication under power attacks and proposes fast and secure scalar multiplication algorithms. Its main results are as follows:
     1. We analyse in detail the commonly used side-channel attacks and propose an improved simple power attack based on Markov chains. The method applies the Markov chain model to the analysis of the process that derives the secret key from the AD sequence, in which the elliptic curve scalar multiplication algorithm is treated as a Markov chain. Theoretical proofs show that the method is more efficient than the ordinary side-channel attack.
     2. The thesis presents a new SCA-resistant elliptic curve scalar multiplication algorithm. The proposed algorithm, which builds a sequence of bit strings representing the scalar k, is characterised by the fact that all bit strings are different from zero. This property ensures uniform computation behaviour for the algorithm and thus makes it secure against SPA. Combined with other randomisation techniques, the algorithm can resist other side-channel attacks including differential power analysis. Compared with other schemes resisting side-channel attacks, this algorithm does not penalise computation time and needs only one more point addition and one more doubling than the comb algorithm.
     3. A new fast and secure scalar multiplication algorithm is proposed. The algorithm uses a particular kind of addition chain based only on additions, which provides natural protection against side-channel attacks. Moreover, new addition formulae that take the specific structure of those chains into account make point multiplication very efficient. The scalar multiplication needs only 1719 multiplications for a chain of length 260 (SAC260) on 160-bit integers. For chain lengths from 280 to 260, our method outperforms all previous methods, with an efficiency gain of 26% to 31% over double-and-add, 16% to 22% over NAF, 7% to 13% over 4-NAF and 1% to 8% over the best current algorithm, double-base chains.
     4. Applying the identity (a+b)^2 - a^2 - b^2 = 2ab to computations between points in Jacobian coordinates replaces multiplications with squarings, which are cheaper than multiplications. These techniques reduce the cost of doubling, addition, mixed addition and tripling; the efficiency gain for tripling is particularly large, which supports the fast scalar multiplication methods based on multi-base chains in current use.
     5. We modify ECC scalar multiplication to achieve a faster atomic structure when applying side-channel atomicity protection. In contrast to previous atomic operations, which assume that squarings are indistinguishable from multiplications, our new atomic structure offers true SSCA protection resulting from the squaring in its formulation. In scalar multiplication using NAF, the computational efficiency of our atomic blocks is 30% higher than that of previous atomic implementations.
     6. Based on the improved NAFw algorithm, we present an efficient and flexible scheme resisting power attacks: fractional windows. Fractional windows resist not only SPA but also combined SPA/DPA attacks and combined SPA/second-order DPA attacks. They allow the appropriate window width to be selected and offer great advantages for resource-constrained devices. Fractional windows are more efficient than integral windows.
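As an added example that is not taken from the thesis, the Python code below applies the identity of point 4, (a+b)^2 - a^2 - b^2 = 2ab, to Jacobian-coordinate doubling on y^2 = x^3 + ax + b over F_p. It implements the standard doubling once with ordinary products (4M + 6S, counting the multiplication by the curve constant a as an M) and once with the two products 4·X·Y^2 and 2·Y·Z replaced through the squaring identity (2M + 8S), counts the field operations, and checks both results against affine doubling. The prime, the curve coefficient and the point are constructed for illustration and are not the thesis's parameters; the gain is real only where a squaring is cheaper than a multiplication, which is why the count is reported as (M, S) pairs rather than a single number.

```python
# Added example, not from the thesis: trading multiplications for squarings in
# Jacobian doubling via 2ab = (a+b)^2 - a^2 - b^2.  All parameters below are
# constructed for illustration only.

P_MOD = 2**61 - 1       # constructed field size (a Mersenne prime)
A_COEF = 7              # constructed curve coefficient a
PX, PY = 3, 5           # constructed affine point; b is chosen so it lies on the curve
B_COEF = (PY * PY - PX**3 - A_COEF * PX) % P_MOD


class CountingField:
    """Arithmetic mod p that counts multiplications (M) and squarings (S)."""

    def __init__(self, p):
        self.p = p
        self.mul_count = 0
        self.sqr_count = 0

    def mul(self, x, y):
        self.mul_count += 1
        return (x * y) % self.p

    def sqr(self, x):
        self.sqr_count += 1
        return (x * x) % self.p

    def reset(self):
        self.mul_count = self.sqr_count = 0


def twice_product_via_squares(F, a, b):
    """2ab computed as (a+b)^2 - a^2 - b^2: three squarings and no multiplication."""
    return (F.sqr((a + b) % F.p) - F.sqr(a) - F.sqr(b)) % F.p


def jacobian_double_mul(F, X1, Y1, Z1, a):
    """Jacobian doubling with ordinary products: 4M + 6S (constant a counted as M)."""
    p = F.p
    XX, YY, ZZ = F.sqr(X1), F.sqr(Y1), F.sqr(Z1)          # 3S
    S = 4 * F.mul(X1, YY) % p                              # 1M
    M = (3 * XX + F.mul(a, F.sqr(ZZ))) % p                 # 1M + 1S
    T = (F.sqr(M) - 2 * S) % p                             # 1S
    X3 = T
    Y3 = (F.mul(M, (S - T) % p) - 8 * F.sqr(YY)) % p       # 1M + 1S
    Z3 = 2 * F.mul(Y1, Z1) % p                             # 1M
    return X3, Y3, Z3


def jacobian_double_sqr(F, X1, Y1, Z1, a):
    """Same doubling with the two products replaced by the squaring identity: 2M + 8S."""
    p = F.p
    XX, YY, ZZ = F.sqr(X1), F.sqr(Y1), F.sqr(Z1)          # 3S
    YYYY = F.sqr(YY)                                       # 1S (needed for Y3 anyway)
    # 4*X1*YY = 2 * (2*X1*YY) and 2*X1*YY = (X1 + YY)^2 - XX - YYYY
    S = 2 * ((F.sqr((X1 + YY) % p) - XX - YYYY) % p) % p   # 1S instead of 1M
    M = (3 * XX + F.mul(a, F.sqr(ZZ))) % p                 # 1M + 1S
    T = (F.sqr(M) - 2 * S) % p                             # 1S
    X3 = T
    Y3 = (F.mul(M, (S - T) % p) - 8 * YYYY) % p            # 1M
    # 2*Y1*Z1 = (Y1 + Z1)^2 - YY - ZZ
    Z3 = (F.sqr((Y1 + Z1) % p) - YY - ZZ) % p              # 1S instead of 1M
    return X3, Y3, Z3


def to_affine(p, X, Y, Z):
    """Jacobian (X, Y, Z) -> affine (X/Z^2, Y/Z^3)."""
    zinv = pow(Z, -1, p)
    return X * zinv * zinv % p, Y * zinv * zinv * zinv % p


def affine_double(p, a, x, y):
    """Reference doubling in affine coordinates (one inversion)."""
    lam = (3 * x * x + a) * pow(2 * y, -1, p) % p
    x3 = (lam * lam - 2 * x) % p
    y3 = (lam * (x - x3) - y) % p
    return x3, y3


def compare_doubling():
    """Return ((M, S) of the product formula, (M, S) of the squaring formula, results agree)."""
    F = CountingField(P_MOD)
    expected = affine_double(P_MOD, A_COEF, PX, PY)
    r1 = jacobian_double_mul(F, PX, PY, 1, A_COEF)
    counts_mul = (F.mul_count, F.sqr_count)
    F.reset()
    r2 = jacobian_double_sqr(F, PX, PY, 1, A_COEF)
    counts_sqr = (F.mul_count, F.sqr_count)
    agree = to_affine(P_MOD, *r1) == expected == to_affine(P_MOD, *r2)
    return counts_mul, counts_sqr, agree


if __name__ == "__main__":
    print(compare_doubling())   # ((4, 6), (2, 8), True)
```

The same substitution applies wherever a formula contains a product of two values whose squares are already available (or are needed later), which is why the thesis reports gains for addition, mixed addition and especially tripling, where more such products occur.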
References
[1] Paul C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Advances in Cryptology - CRYPTO '96, LNCS 1109, pp. 104-113. Springer-Verlag, 1996.
[2] Paul C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In Advances in Cryptology - CRYPTO '99, LNCS 1666, pp. 388-397. Springer-Verlag, 1999.
[3] T. S. Messerges, E. A. Dabbish, R. H. Sloan. Power analysis attacks of modular exponentiation in smartcards. In: Proc. CHES 1999. New York: Springer-Verlag, 2000. 144-157.
[4] J. S. Coron. Resistance against differential power analysis for elliptic curve cryptosystems. In: Proc. Workshop on Cryptographic Hardware and Embedded Systems (CHES '99). New York: Springer-Verlag, 1999. 292-302.
[5] Daniel Page and Martijn Stam. On XTR and side-channel analysis. In SAC 2004, LNCS 3357, pp. 54-68. Springer-Verlag, 2005.
[6] K. Okeya and K. Sakurai. Power analysis breaks elliptic curve cryptosystems even secure against the timing attack. INDOCRYPT 2000, LNCS 1977, pp. 178-190. Springer-Verlag, 2000.
[7] Katsuyuki Okeya and Tsuyoshi Takagi. The width-w NAF method provides small memory and fast elliptic scalar multiplications secure against side channel attacks. CT-RSA 2003, LNCS 2612, pp. 328-343. Springer-Verlag, 2003.
[8] Katsuyuki Okeya and Tsuyoshi Takagi. A more flexible countermeasure against side channel attack using window method. CHES 2003, LNCS 2779, pp. 397-410. Springer-Verlag, 2003.
[9] Katsuyuki Okeya, Tsuyoshi Takagi and Camille Vuillaume. On the exact flexibility of the flexible countermeasure against side channel attacks. ACISP 2004, LNCS 3108, pp. 466-477. Springer-Verlag, 2004.
[10] J. C. Ha and S. J. Moon. Randomized signed-scalar multiplication of ECC to resist power attacks. CHES 2002, LNCS 2523, pp. 551-563. Springer-Verlag, 2002.
[11] Katsuyuki Okeya, Dong-Guk Han. Side channel attack on Ha-Moon's countermeasure of randomized signed scalar multiplication. INDOCRYPT 2003, LNCS 2904, pp. 334-348. Springer-Verlag, 2003.
[12] Fouque, Muller, Poupard and Valette. Defeating countermeasures based on randomized BSD representations. CHES 2004, LNCS 3156, pp. 312-327. Springer-Verlag, 2004.
[13] Yen, Chen, Moon and Ha. Improvement on Ha-Moon randomized exponentiation algorithm. ICISC 2004, LNCS 3506, pp. 154-167. Springer-Verlag, 2005.
[14] J. H. Shin, D. J. Park and P. J. Lee. DPA attack on the improved Ha-Moon algorithm. WISA 2005, LNCS 3786, pp. 283-291. Springer-Verlag, 2006.
[15] Camille Vuillaume and Katsuyuki Okeya. Flexible exponentiation with resistance to side channel attacks. ACNS 2006, LNCS 3989, pp. 268-283. Springer-Verlag, 2006.
[16] C. Rechberger and E. Oswald. Stream ciphers and side-channel analysis. The State of the Art of Stream Ciphers, 2004.
[17] J. Lano, N. Mentens, B. Preneel and I. Verbauwhede. Power analysis of synchronous stream ciphers with resynchronization mechanism. The State of the Art of Stream Ciphers, 2004.
[18] Antoine Joux and Pascal Delaunay. Galois LFSR, embedded devices and side channel weaknesses. INDOCRYPT 2006, LNCS 4329, pp. 436-451. Springer-Verlag, 2006.
[19] Dag Arne Osvik, Adi Shamir, and Eran Tromer. Cache attacks and countermeasures: the case of AES. CT-RSA 2006, LNCS 3860, pp. 1-20. Springer-Verlag, 2006.
[20] Sergei Skorobogatov. Optically enhanced position-locked power analysis. CHES 2006, LNCS 4249, pp. 61-75. Springer-Verlag, 2006.
[21] M. K. Ahn, J. C. Ha, H. J. Lee, and S. J. Moon. A random M-ary method based countermeasure against side channel attacks. In Proceedings of ICCSA 2003, LNCS 2668, pp. 338-347. Springer-Verlag, Berlin, 2003.
[22] R. M. Avanzi. Countermeasures against differential power analysis for hyperelliptic curve cryptosystems. CHES 2003, LNCS 2779, pp. 366-381. Springer-Verlag, Berlin, 2004.
[23] E. Brier, I. Déchène and M. Joye. Unified addition formulae for elliptic curve cryptosystems. In Nedjah, N., de Macedo Mourelle, L., eds.: Embedded Cryptographic Hardware: Methodologies and Architectures. Nova Science Publishers (2004) 247-256.
[24] O. Billet and M. Joye. The Jacobi model of an elliptic curve and side-channel analysis. AAECC 2003, LNCS 2643, pp. 34-42. Springer-Verlag, Berlin, 2003.
[25] I. Biehl, B. Meyer, and V. Müller. Differential fault attacks on elliptic curve cryptosystems. CRYPTO 2000, LNCS 1880, pp. 131-146. Springer-Verlag, Berlin, 2000.
[26] I. F. Blake, G. Seroussi, and N. P. Smart. Advances in Elliptic Curve Cryptography. Cambridge University Press, 2005.
[27] L. Batina, N. Mentens, K. Sakiyama, B. Preneel and I. Verbauwhede. Low-cost elliptic curve cryptography for wireless sensor networks. ESAS 2006, LNCS 4357, pp. 6-17. Springer, Heidelberg, 2006.
[28] M. Ciet, K. Lauter, M. Joye and P. L. Montgomery. Trading inversions for multiplications in elliptic curve cryptography. Designs, Codes and Cryptography 39(2), 189-206 (2006).
[29] B. Chevallier-Mames, M. Ciet and M. Joye. Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity. IEEE Trans. Computers 53(6): 760-768 (2004).
[30] H. Cohen, A. Miyaji, and T. Ono. Efficient elliptic curve exponentiation using mixed coordinates. ASIACRYPT 1998, LNCS 1514, pp. 51-65. Springer-Verlag, Berlin, 1998.
[31] V. Dimitrov, L. Imbert, P. K. Mishra. Efficient and secure elliptic curve point multiplication using double-base chains. ASIACRYPT 2005, LNCS 3788, pp. 59-78. Springer, Heidelberg, 2005.
[32] Y. Hitchcock and P. Montague. A new elliptic curve scalar multiplication algorithm to resist simple power analysis. ACISP 2002, LNCS 2384, pp. 214-225. Springer-Verlag, Berlin Heidelberg, 2002.
[33] J. Ha and S. Moon. Randomized signed-scalar multiplication of ECC to resist power attacks. CHES 2002, LNCS 2523, pp. 551-563. Springer-Verlag, Berlin, 2002.
[34] D. Hankerson, A. Menezes and S. Vanstone. Guide to Elliptic Curve Cryptography. Springer-Verlag, 2004.
[35] K. Itoh, T. Izu, and T. Takenaka. Efficient countermeasures against power analysis for elliptic curve cryptosystems. Sixth Smart Card Research and Advanced Application IFIP Conference, CARDIS 2004, pp. 99-114, 2004.
[36] Marc Joye. Highly regular right-to-left algorithms for scalar multiplication. CHES 2007, LNCS 4727, pp. 135-147. Springer-Verlag, Berlin, 2007.
[37] Marc Joye, Pascal Paillier and Berry Schoenmakers. On second-order differential power analysis. CHES 2005, LNCS 3659, pp. 293-308. Springer-Verlag, Berlin, 2005.
[38] M. Joye and Jean-Jacques Quisquater. Hessian elliptic curves and side-channel attacks. CHES 2001, LNCS 2162, pp. 402-410. Springer-Verlag, 2001.
[39] M. Joye and S.-M. Yen. The Montgomery powering ladder. CHES 2002, LNCS 2523, pp. 291-302. Springer-Verlag, Berlin, 2003.
[40] Chae Hoon Lim. A new method for securing elliptic scalar multiplication against side-channel attacks. ACISP 2004, LNCS 3108, pp. 289-300. Springer-Verlag, Berlin Heidelberg, 2004.
[41] T. Messerges, E. Dabbish and R. Sloan. Examining smart-card security under the threat of power analysis attacks. IEEE Trans. on Computers, 51(5):541-552, 2002.
[42] S. Moon. A binary redundant scalar point multiplication in secure elliptic curve cryptosystems. International Journal of Network Security, Vol. 3, No. 2, pp. 132-137, 2006.
[43] B. Möller. Securing elliptic curve point multiplication against side-channel attacks. Information Security (ISC 2001), LNCS 2200, pp. 324-334. Springer-Verlag, 2001.
[44] E. Oswald and M. Aigner. Randomized addition-subtraction chains as a countermeasure against power attacks. CHES 2001, LNCS 2162, pp. 39-50. Springer-Verlag, Berlin, 2002.
[45] K. Okeya, H. Kurumatani and K. Sakurai. Elliptic curves with the Montgomery form and their cryptographic applications. PKC 2000, LNCS 1751, pp. 238-257. Springer-Verlag, Berlin, 2000.
[46] K. Okeya, K. Miyazaki, and K. Sakurai. A fast scalar multiplication method with randomized projective coordinates on a Montgomery-form elliptic curve secure against side channel attacks. ICISC 2001, LNCS 2288, pp. 428-439. Springer-Verlag, Berlin, 2002.
[47] K. Okeya and K. Sakurai. Power analysis breaks elliptic curve cryptosystems even secure against the timing attack. INDOCRYPT 2000, LNCS 1977, pp. 178-190. Springer-Verlag, Berlin, 2000.
[48] Katsuyuki Okeya and Tsuyoshi Takagi. A more flexible countermeasure against side channel attacks using window method. CHES 2003, LNCS 2779, pp. 397-410. Springer, Berlin, 2003.
[49] R. Mayer-Sommer. Smartly analyzing the simplicity and the power of simple power analysis on smart cards. CHES 2000, LNCS 1965, pp. 78-92. Springer-Verlag, Berlin, 2000.
[50] J. A. Solinas. Low-weight binary representation for pairs of integers. Centre for Applied Cryptographic Research, University of Waterloo, Combinatorics and Optimization Research Report CORR 2001-41, 2001.
[51] Douglas Stebila and Nicolas Thériault. Unified point addition formulae and side-channel attacks. CHES 2006, LNCS 4249, pp. 354-368. Springer-Verlag, Berlin, 2006.
[52] C. D. Walter. Simple power analysis of unified code for ECC double and add. CHES 2004, LNCS 3156, pp. 191-204. Springer-Verlag, Berlin, 2004.
[53] Neal Koblitz. The state of elliptic curve cryptography. Designs, Codes and Cryptography, 2000, 19:173-193.
[54] 郝林, 罗平. A fast algorithm for point scalar multiplication in elliptic curve cryptosystems. Journal of Electronics & Information Technology, 2003, 25(2):275-278.
[55] 郝林, 罗平, 彭小宁. An improved fast redundant algorithm for the elliptic curve discrete logarithm. Journal of Computer Research and Development, 2004, 41(1):79-82.
[56] 祝跃飞, 裴定一. An algorithm for the DLP on anomalous elliptic curves. Science in China (Series A), 2001, 31(4):332-336.
[57] 丁宏, 郭艳华. A fast modular multiplication algorithm for large integers and its application. Mini-Micro Systems, 2003, 24(7):1367-1370.
[58] B. J. Phillips, N. Burgess. Implementing 1024-bit RSA exponentiation on a 32-bit processor core. IEEE International Conference on Application Specific Systems, Architectures and Processors (ASAP '00).
[59] Stinson (translated by 冯登国). Cryptography: Theory and Practice (2nd edition). Beijing: Publishing House of Electronics Industry, 2003, 219-220.
[60] Bodo Möller. Securing elliptic curve point multiplication against side-channel attacks. Information Security - ISC 2001, LNCS 2200. Springer, pp. 324-334, 2001.
[61] T. Izu, T. Takagi. A fast parallel elliptic curve multiplication resistant against side channel attacks. Public Key Cryptography, 5th International Workshop on Practice and Theory in Public Key Cryptosystems, LNCS 2274. Springer, pp. 280-296, 2002.
[62] 韩军, 曾晓洋, 汤庭鳌. Power trace analysis of the RSA cryptographic algorithm and its countermeasures. Chinese Journal of Computers, 2006, 29(4):590-596.
[63] K. Okeya and K. Sakurai. On insecurity of the side channel attack countermeasure using addition-subtraction chains under distinguishability between addition and doubling. ACISP 2002, LNCS 2384. Springer, pp. 420-435, 2002.
[64] C. D. Walter. Security constraints on the Oswald-Aigner exponentiation algorithm. Cryptology ePrint Archive, Report 2003/013, 2003.
[65] E. Oswald and M. Aigner. Randomized addition-subtraction chains as a countermeasure against power attacks. Cryptographic Hardware and Embedded Systems - CHES 2001, 3rd International Workshop, Paris, France, May 14-16, 2001, Proceedings, LNCS 2162. Springer, 2001, pp. 39-50.
[66] 刘铎, 戴一奇, 王道顺. Smoothness and balance: strategies and means for protecting elliptic curve cryptosystems against side-channel attacks. Journal of Computer Research and Development, 2005, 42(10):1667-1672.
[67] Katsuyuki Okeya, Dong-Guk Han. Side channel attack on Ha-Moon's countermeasure of randomized signed scalar multiplication. INDOCRYPT 2003. Berlin Heidelberg: Springer-Verlag, LNCS 2904, 2003:334-348.
[68] J. S. Coron. Resistance against differential power analysis for elliptic curve cryptosystems. Cryptographic Hardware and Embedded Systems - CHES '99. Berlin Heidelberg: Springer-Verlag, LNCS 1717, 1999:292-302.
[69] P. Y. Liardet, N. Smart. Preventing SPA/DPA in ECC systems using the Jacobi form. Cryptographic Hardware and Embedded Systems - CHES '01. Berlin Heidelberg: Springer-Verlag, LNCS 2162, 2001:401-411.
[70] M. Joye, J. J. Quisquater. Hessian elliptic curves and side-channel attacks. Cryptographic Hardware and Embedded Systems - CHES '01. Berlin Heidelberg: Springer-Verlag, LNCS 2162, 2001:412-420.
[71] M. Joye, C. Tymen. Protections against differential analysis for elliptic curve cryptography: an algebraic approach. Cryptographic Hardware and Embedded Systems - CHES '01. Berlin Heidelberg: Springer-Verlag, LNCS 2162, 2001:386-400.
[72] J. López, R. Dahab. Fast multiplication on elliptic curves over GF(2^m) without precomputation. Cryptographic Hardware and Embedded Systems - CHES '99. Berlin Heidelberg: Springer-Verlag, LNCS 1717, 1999:316-327.
[73] K. Okeya, K. Sakurai. A second-order DPA attack breaks a window-method based countermeasure against side channel attacks. Information Security Conference 2002. Berlin Heidelberg: Springer-Verlag, LNCS 2433, 2002:389-401.
[74] B. Möller. Securing elliptic curve point multiplication against side-channel attacks. Information Security Conference 2001. Berlin Heidelberg: Springer-Verlag, LNCS 2200, 2001:324-334.
[75] P. L. Montgomery. Speeding the Pollard and elliptic curve methods of factorization. Mathematics of Computation, 1987, 48(177):243-264.
[76] National Institute of Standards and Technology (NIST). Digital Signature Standard (DSS). FIPS PUB 186-2, 2000.
[77] Certicom Research. Standards for efficient cryptography. Version 1.0, 2000. Available at http://www.secg.org/.
[78] M. Brown, D. Hankerson, J. López, A. Menezes. Software implementation of the NIST elliptic curves over prime fields. Progress in Cryptology - CT-RSA 2001. Berlin Heidelberg: Springer-Verlag, LNCS 2020, 2001:250-265.
[79] Victor S. Miller. Use of elliptic curves in cryptography. Advances in Cryptology - CRYPTO '85, Lecture Notes in Computer Science. Springer-Verlag, 1986:417-428.
[80] Neal Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 1987, 48(177):203-209.
[81] Roberto M. Avanzi, Henri Cohen, Christophe Doche, et al. Handbook of Elliptic and Hyperelliptic Curve Cryptography. Boca Raton, FL, USA: Chapman and Hall/CRC Press, 2005.
[82] Darrel Hankerson, Alfred J. Menezes, Scott Vanstone. Guide to Elliptic Curve Cryptography. Springer-Verlag, 2004.
[83] P. L. Montgomery. Speeding the Pollard and elliptic curve methods of factorization. Mathematics of Computation, 1987, 48(177):243-264.
[84] Katsuyuki Okeya, Kouichi Sakurai. Efficient elliptic curve cryptosystems from a scalar multiplication algorithm with recovery of the y-coordinate on a Montgomery-form elliptic curve. Proceedings of the Third International Workshop on Cryptographic Hardware and Embedded Systems, LNCS 2162. Springer-Verlag, 2001:126-141.
[85] P. C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS and other systems. Advances in Cryptology - CRYPTO '96, Lecture Notes in Computer Science. Springer-Verlag, 1996:104-113.
[86] P. C. Kocher, J. Jaffe, B. Jun. Differential power analysis. Advances in Cryptology - CRYPTO '99, Lecture Notes in Computer Science. Springer-Verlag, 1999:388-397.
[87] Benoît Chevallier-Mames, Mathieu Ciet, Marc Joye. Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity. IEEE Transactions on Computers, 2004, 53(6):760-768.
[88] Donald E. Knuth. The Art of Computer Programming: Fundamental Algorithms. Addison-Wesley, 1981.
[89] Vassil Dimitrov, Laurent Imbert, Pradeep Kumar Mishra. Efficient and secure elliptic curve point multiplication using double-base chains. 11th International Conference on the Theory and Application of Cryptology and Information Security, LNCS 3788. Springer-Verlag, 2005:59-78.
[90] D. Hankerson, A. Menezes and S. Vanstone. Guide to Elliptic Curve Cryptography. Springer-Verlag, 2004.
[91] H. Cohen, A. Miyaji and T. Ono. Efficient elliptic curve exponentiation using mixed coordinates. Advances in Cryptology - ASIACRYPT '98, LNCS 1514, pp. 51-65. Springer-Verlag, 1998.
[92] V. Dimitrov, L. Imbert and P. K. Mishra. Efficient and secure elliptic curve point multiplication using double-base chains. Advances in Cryptology - ASIACRYPT '05, LNCS 3788, pp. 59-78. Springer-Verlag, 2005.
[93] M. Ciet, M. Joye, K. Lauter and P. L. Montgomery. Trading inversions for multiplications in elliptic curve cryptography. Designs, Codes and Cryptography, Vol. 39, No. 2, pp. 189-206, 2006.
[94] D. Bernstein. High-speed Diffie-Hellman, part 2. Presentation in INDOCRYPT '06, tutorial session, 2006.
[95] M. Brown, D. Hankerson, J. López and A. Menezes. Software implementation of the NIST elliptic curves over prime fields. Progress in Cryptology - CT-RSA 2001, LNCS 2020, pp. 250-265. Springer-Verlag, 2001.
[96] J. Großschädl, R. Avanzi, E. Savaş and S. Tillich. Energy-efficient software implementation of long integer modular arithmetic. Workshop on Cryptographic Hardware and Embedded Systems (CHES '05), LNCS 3659, pp. 75-90. Springer-Verlag, 2005.
[97] C. H. Lim and H. S. Hwang. Fast implementation of elliptic curve arithmetic in GF(p^m). Public Key Cryptography (PKC '00), LNCS 1751, pp. 405-421. Springer-Verlag, 2000.
[98] C. H. Gebotys and R. J. Gebotys. Secure elliptic curve implementations: an analysis of resistance to power-attacks in a DSP processor. Workshop on Cryptographic Hardware and Embedded Systems (CHES '03), LNCS 2523, pp. 114-128. Springer-Verlag, 2003.
[99] R. Avanzi. Aspects of hyperelliptic curves over large prime fields in software implementations. Workshop on Cryptographic Hardware and Embedded Systems (CHES '04), LNCS 3156, pp. 148-162. Springer-Verlag, 2004.
[100] D. Bernstein. Curve25519: new Diffie-Hellman speed records. Public Key Cryptography (PKC '06), LNCS 3958, pp. 229-240. Springer-Verlag, 2006.
[101] N. Gura, A. Patel, A. Wander, H. Eberle and S. C. Shantz. Comparing elliptic curve cryptography and RSA on 8-bit CPUs. Workshop on Cryptographic Hardware and Embedded Systems (CHES '04), LNCS 3156, pp. 119-132. Springer-Verlag, 2004.
[102] A. Woodbury. Efficient algorithms for elliptic curve cryptosystems on embedded systems. MSc thesis, Worcester Polytechnic Institute, 2001.
[103] R. Avanzi. Side channel attacks on implementations of curve-based cryptographic primitives. Cryptology ePrint Archive, Report 2005/017, 2005. Available at http://eprint.iacr.org
[104] J. S. Coron. Resistance against differential power analysis for elliptic curve cryptosystems. Workshop on Cryptographic Hardware and Embedded Systems (CHES '99), pp. 292-302, 1999.
[105] P. Y. Liardet and N. P. Smart. Preventing SPA/DPA in ECC systems using the Jacobi form. Workshop on Cryptographic Hardware and Embedded Systems (CHES '01), LNCS 2162, pp. 401-411. Springer-Verlag, 2001.
[106] O. Billet and M. Joye. The Jacobi model of an elliptic curve and side-channel analysis. Cryptology ePrint Archive, Report 2002/125, 2002. Available at http://eprint.iacr.org/2002/125
[107] N. P. Smart. The Hessian form of an elliptic curve. Workshop on Cryptographic Hardware and Embedded Systems (CHES '01), LNCS 2162, pp. 118-125. Springer-Verlag, 2001.
[108] L. Batina, N. Mentens, B. Preneel and I. Verbauwhede. Balanced point operations for side-channel protection of elliptic curve cryptography. IEE Proceedings - Information Security, Vol. 152, No. 1, pp. 57-65, 2005.
[109] W. Fischer, C. Giraud, E. W. Knudsen and J.-P. Seifert. Parallel scalar multiplication on general elliptic curves over p
[112] R. Avanzi, H. Cohen, C. Doche, G. Frey, T. Lange, K. Nguyen and F. Vercauteren. Handbook of Elliptic and Hyperelliptic Curve Cryptography. CRC Press, 2005.
[113] C. D. Walter. Sliding windows succumbs to Big Mac attack. Workshop on Cryptographic Hardware and Embedded Systems (CHES '01), LNCS 2162, pp. 286-299. Springer-Verlag, 2001.
[114] S. B. Xu and L. Batina. Efficient implementation of elliptic curve cryptosystems on an ARM7 with hardware accelerator. International Conference on Information and Communications Security (ICICS '01), LNCS 2200, pp. 266-279. Springer-Verlag, 2001.
[115] K. Itoh, M. Takenaka, N. Torii, S. Temma and Y. Kurihara. Fast implementation of public-key cryptography on a DSP TMS320C6201. Workshop on Cryptographic Hardware and Embedded Systems, LNCS 1717, pp. 61-72. Springer-Verlag, 1999.
[116] P. K. Mishra. Pipelined computation of scalar multiplication in elliptic curve cryptosystems. IEEE Transactions on Computers, Vol. 55, No. 8, pp. 1000-1010, 2006.
[117] Yongbin Zhou, Dengguo Feng. Side-channel attacks: ten years after its publication and the impacts on cryptographic module security testing. Available at http://eprint.iacr.org
[118] Naofumi Homma, Sei Nagashima, Yuichi Imai, Takafumi Aoki, and Akashi Satoh. High-resolution side channel attack using phase-based waveform matching. CHES 2006, LNCS 4249. Berlin: Springer-Verlag, 2006, 187-200.
[119] B. J. Phillips, N. Burgess. Implementing 1024-bit RSA exponentiation on a 32-bit processor core. IEEE International Conference on Application Specific Systems, Architectures and Processors, 2000.
[120] Dario Catalano et al. Contemporary Cryptology. Boston: Birkhäuser Verlag, 2005.
[121] J. Coron. Resistance against differential power analysis for elliptic curve cryptosystems. CHES '99, LNCS 1717. Berlin: Springer-Verlag, 1999, 292-302.
[122] B. Möller. Securing elliptic curve point multiplication against side-channel attacks. ISC '01, LNCS 2200. Berlin: Springer-Verlag, 2001, 324-334.
[123] N. P. Smart and P. Y. Liardet. Preventing SPA/DPA in ECC systems using the Jacobi form. CHES '01, LNCS 2162. Berlin: Springer-Verlag, 2001, 391-401.
[124] E. Oswald and M. Aigner. Randomized addition-subtraction chains as a countermeasure against power attacks. CHES '01, LNCS 2162. Berlin: Springer-Verlag, 2001, 39-51.
[125] K. Okeya and K. Sakurai. On insecurity of the side channel attack countermeasure using addition-subtraction chains under distinguishability between addition and doubling. ACISP '02, LNCS 2384. Berlin: Springer-Verlag, 2002, 420-435.
[126] C. D. Walter. Breaking the Liardet-Smart randomized exponentiation algorithm. Smart Card Research and Advanced Application Conference '02, pp. 59-68, USENIX Association, 2002.
[127] S.-M. Yen and M. Joye. Checking before output may not be enough against fault-based cryptanalysis. IEEE Transactions on Computers, Vol. 49, No. 9, pp. 967-970, 2000.
[128] Okeya and Sakurai. The width-w NAF method provides small memory and fast elliptic scalar multiplications secure against side channel attacks. CT-RSA '03, LNCS 2612. Berlin: Springer-Verlag, 2003, 328-342.
[129] H. Cohen, A. Miyaji, and T. Ono. Efficient elliptic curve exponentiation using mixed coordinates. ASIACRYPT '98, LNCS 1514. Berlin: Springer-Verlag, 1998, 51-65.
[130] D. Knuth and A. Yao. Analysis of the subtractive algorithm for greatest common divisors. Proc. Nat. Acad. Sci. USA, volume 72, No. 1, pages 4720-472, Dec. 1975.
[131] N. Vorobiev. Fibonacci Numbers. Birkhäuser Verlag, 2002.
[132] D. Hankerson, J. L. Hernandez, and A. Menezes. Software implementation of elliptic curve cryptography over binary fields. International Workshop on Cryptographic Hardware and Embedded Systems, CHES '00, LNCS 1965, pp. 1-24. Springer-Verlag, 2001.
[133] V. Miller. Use of elliptic curves in cryptography. Proc. of CRYPTO 1985, LNCS 218, pp. 417-426. Springer-Verlag, Berlin, 1986.
[134] C. E. Shannon. Communication theory of secrecy systems. Bell Syst. Tech. J., 1949, 28:656-715.
[135] W. Diffie, M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, Vol. IT-22, No. 6, pp. 644-654, 1976.
[136] S. Galbraith. Supersingular curves in cryptography. ASIACRYPT 2001, LNCS 2248, pp. 495-513. Springer-Verlag, 2001.
[137] D. Boneh and M. Franklin. Identity based encryption from the Weil pairing. CRYPTO 2001, LNCS 2139, pp. 213-229. Springer-Verlag, Berlin Heidelberg, 2001.
[138] T. Okamoto and D. Pointcheval. The gap problems: a new class of problems for the security of cryptographic schemes. PKC 2001, LNCS 1992, pp. 104-118. Springer-Verlag, 2001.
[139] A. Boldyreva. Efficient threshold signature, multisignature and blind signature schemes based on the gap-Diffie-Hellman-group signature scheme. PKC 2003, LNCS 2567, pp. 31-46. Springer-Verlag, 2003.
[140] J. C. Cha and J. H. Cheon. An identity-based signature from gap Diffie-Hellman groups. PKC 2003, LNCS 2567, pp. 18-30. Springer-Verlag, 2003.
[141] F. Morain and J. Olivos. Speeding up the computations on an elliptic curve using addition-subtraction chains. Theoretical Informatics and Applications, 24, 531-543, 1990.
[142] A. J. Menezes, T. Okamoto and S. A. Vanstone. Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Transactions on Information Theory, 1993, 39(5):1639-1646.
[143] R. Schoof. Elliptic curves over finite fields and the computation of square roots mod p. Mathematics of Computation, 1985, 44:483-494.
[144] A. Atkin and F. Morain. Elliptic curves and primality proving. Mathematics of Computation, 1993.
[145] R. Schoof. Counting points on elliptic curves over finite fields. Journal de Théorie des Nombres de Bordeaux, 1995, (7):219-254.
[146] IEEE 1363. Standard Specifications for Public Key Cryptography. IEEE, 2000.
[147] Nicolas Meloni. New point addition formulae for ECC applications. WAIFI 2007, LNCS 4547, pp. 189-201. Springer-Verlag, Berlin, 2007.
[148] Harald Niederreiter, Chaoping Xing. Rational Points on Curves over Finite Fields: Theory and Applications. Cambridge: Cambridge University Press, 2001.
[149] M. Brown, D. Hankerson, J. López, A. Menezes. Software implementation of the NIST elliptic curves over prime fields. In: Progress in Cryptology - CT-RSA 2001, D. Naccache, editor, LNCS 2020, pp. 250-265, 2001.
[150] 张宁. Elliptic curve scalar multiplication secure against power analysis attacks. PhD thesis, Xidian University, 8008.3
[151] 汪朝晖. Research on the security of elliptic curve cryptography. PhD thesis, Wuhan University, 2004.6
[152] 孔凡玉. Research on several algorithms in public-key cryptosystems. PhD thesis, Shandong University, 2006.6
[153] 陈智雄. Elliptic curves and the construction of pseudorandom sequences. PhD thesis, Xidian University, 2006.12