1. Field of the Invention
Example embodiments of the present invention relate in general to a cryptographic method and system for encrypting data.
2. Description of the Related Art
To solve the problems in modern confidential data communications, hardware cryptographic systems based on known crypto-algorithms have become popular in an effort to meet continually growing performance requirements. These crypto-algorithms include public key algorithms such as the Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC) algorithms, and symmetric key algorithms, for example, those based on the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES).
However, alongside hardware-oriented crypto-systems, new crypto-analysis methods, for example, Side-Channel Analysis (SCA), have been developed. There are several different techniques for attacks on data communication systems, typically including Timing Analysis, Power Analysis, Electro-Magnetic Analysis, and Differential Fault Analysis (DFA). It is known that these techniques can successfully attack the crypto-systems and obtain secret keys with relatively little time and effort.
Accordingly, developing countermeasures against crypto-analysis methods, for example, SCA is becoming an important task for the future. However, as ECC is a relatively recent branch of cryptography, there is scant literature describing how to counter the SCA for data protection systems adopting the ECC.
For example, in Differential Power Analysis (DPA), which is a type of SCA, power traces recorded during a scalar multiplication operation are analyzed to obtain information on secret keys. To prevent leakage of information by DPA, known countermeasure techniques based on the randomization of the secret exponent are employed. However, these known techniques are relatively poor in responding to a special chosen-message power analysis attack. To counter this chosen-message power analysis attack, it is possible to use the well-known randomization of input messages.
FIG. 1 illustrates a conventional scalar multiplication process. Referring to FIG. 1, in a conventional crypto-system, an input point is received at operation S11, and then a point representation is selected and changed at operation S12. For example, if the point representation of the input point is an Affine representation, the point representation is changed to a Projective representation, and then a scalar multiplication operation is performed in the chosen point representation at operation S13.
An affine representation of a topological (Lie) group G is a continuous (smooth) homomorphism (i.e., a structure-preserving map between two algebraic structures, for example, groups or vector spaces) from G to the automorphism group of an affine space A. An automorphism is an isomorphism from a mathematical object to itself, that is, a symmetry of the object, and a way of mapping the object to itself while preserving all its structure; the set of all automorphisms of an object is the automorphism group, or “symmetry group”, of the object.
In mathematics, for example, in group theory, if G is a group and V is a vector space over a field K, then a projective representation is a homomorphism from G to Aut(V)/K^×, where K^× is the normal subgroup of Aut(V) consisting of multiplications of vectors in V by nonzero elements of K (i.e., scalar multiples of the identity), and Aut(V) represents the automorphism group of the vector space V.
As is well known, an encrypted point is generated by the scalar multiplication operation of a secret key and the input point based on an ECC algorithm. The scalar multiplication operation can be iterated for a plurality of rounds to fit a system specification. When the scalar multiplication operation is complete, a point representation of the encrypted point is changed to another point representation (e.g., Affine representation) at operation S14. An output point obtained by changing the point representation of the encrypted point back to the original point representation is output (S15) to a post-processor for signing/verification.
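The following is an added worked example, not part of the patent text, that walks through operations S11 to S15 on a constructed toy curve (y^2 = x^3 + 2x + 3 over F_97 with base point (0, 10); neither is a real-world parameter set). It converts the input point from Affine to Projective representation, runs the scalar multiplication in projective coordinates, and converts back, checking the result against a plain affine reference. As concrete instances of the two countermeasures the background names, it uses scalar blinding (k' = k + r*n, one form of "randomization of the secret exponent") and Coron's randomized projective coordinates (one form of "randomization of input messages"); those particular choices, the function names and the `r_point`/`r_scalar` parameters are the example's own assumptions.

```python
"""Toy ECC scalar multiplication (FIG. 1, S11-S15) with two DPA countermeasures:
scalar blinding and randomized projective coordinates. Example code only."""
import secrets

# Constructed toy curve y^2 = x^3 + A*x + B over F_p; NOT a real-world curve.
P_MOD, A, B = 97, 2, 3
G = (0, 10)      # constructed base point: 10^2 = 3 = 0^3 + 2*0 + 3 (mod 97)
INF = None       # point at infinity in affine form
PINF = (0, 1, 0) # point at infinity in projective form (X:Y:Z)


def inv(x):
    """Field inverse via Fermat (p is prime)."""
    return pow(x, P_MOD - 2, P_MOD)


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def affine_add(p, q):
    """Reference affine group law; needs one field inversion per operation."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                      # P + (-P)
    if p == q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def affine_mult(k, pt):
    """Reference double-and-add in affine coordinates."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = affine_add(acc, acc)
        if bit == "1":
            acc = affine_add(acc, pt)
    return acc


def to_projective(pt, r=None):
    """S12: Affine -> Projective. (rX : rY : r) is the same point for any r != 0,
    so a random r hides the concrete representative from a power trace."""
    if pt is INF:
        return PINF
    if r is None:
        r = secrets.randbelow(P_MOD - 1) + 1
    x, y = pt
    return (r * x % P_MOD, r * y % P_MOD, r % P_MOD)


def to_affine(pt):
    """S14: Projective -> Affine, a single inversion at the end."""
    X, Y, Z = pt
    if Z == 0:
        return INF
    zi = inv(Z)
    return (X * zi % P_MOD, Y * zi % P_MOD)


def proj_double(p):
    """Doubling in homogeneous projective coordinates (no inversion)."""
    X1, Y1, Z1 = p
    if Z1 == 0 or Y1 == 0:
        return PINF
    w = (A * Z1 * Z1 + 3 * X1 * X1) % P_MOD
    s = Y1 * Z1 % P_MOD
    b = X1 * Y1 * s % P_MOD
    h = (w * w - 8 * b) % P_MOD
    return (2 * h * s % P_MOD,
            (w * (4 * b - h) - 8 * Y1 * Y1 * s * s) % P_MOD,
            8 * s * s * s % P_MOD)


def proj_add(p, q):
    """Addition in homogeneous projective coordinates (no inversion)."""
    X1, Y1, Z1 = p
    X2, Y2, Z2 = q
    if Z1 == 0:
        return q
    if Z2 == 0:
        return p
    u = (Y2 * Z1 - Y1 * Z2) % P_MOD
    v = (X2 * Z1 - X1 * Z2) % P_MOD
    if v == 0:                          # same x: either P == Q or P == -Q
        return proj_double(p) if u == 0 else PINF
    vv, vvv = v * v % P_MOD, v * v * v % P_MOD
    a = (u * u * Z1 * Z2 - vvv - 2 * vv * X1 * Z2) % P_MOD
    return (v * a % P_MOD,
            (u * (vv * X1 * Z2 - a) - vvv * Y1 * Z2) % P_MOD,
            vvv * Z1 * Z2 % P_MOD)


def proj_mult(k, pt):
    """S13: left-to-right double-and-add entirely in projective coordinates."""
    acc = PINF
    for bit in bin(k)[2:]:
        acc = proj_double(acc)
        if bit == "1":
            acc = proj_add(acc, pt)
    return acc


def point_order(pt):
    """Brute-force group order of pt (fine for a toy curve)."""
    n, acc = 1, pt
    while acc is not INF:
        acc = affine_add(acc, pt)
        n += 1
    return n


def protected_scalar_mult(k, pt, n, r_point=None, r_scalar=None):
    """S11-S15 with both countermeasures: blind the secret scalar as
    k' = k + r_scalar*n (n = order of pt, so k'*pt == k*pt) and randomize the
    projective representative of the input point before the loop."""
    if r_scalar is None:
        r_scalar = secrets.randbelow(1 << 16)
    k_blind = k + r_scalar * n
    return to_affine(proj_mult(k_blind, to_projective(pt, r_point)))


if __name__ == "__main__":
    n = point_order(G)
    k = secrets.randbelow(n - 1) + 1
    ref = affine_mult(k, G)
    assert protected_scalar_mult(k, G, n) == ref and on_curve(ref)
    print("order(G) =", n, " k =", k, " k*G =", ref)
```

Run it directly and it picks a random secret scalar, computes k*G once with the countermeasures and once by the plain affine reference, and checks that both agree; the two random values are drawn from `secrets` so that each execution uses a different blinded scalar and a different projective representative, which is the whole point of the masking.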
In the conventional crypto-system configured to resist DPA attacks, secret key masking or input point masking can be used. However, in the conventional crypto-system, since a complex scalar multiplication operation is duplicated for a plurality of rounds in parallel, this may lead to an increase in costs and a considerable reduction in performance. Accordingly, it may not be feasible to apply the conventional crypto-system to a plurality of actual applications.