An electronic signature is generated by using a private key of the signer (refer to Non-Patent Literature 1). A private key is data that no one else but the signer knows. If the private key is revealed, the signature can be forged.
When an electronic signature is calculated, a step of performing multiplication of public information and private information (e.g., a private key) occurs. The private information can be obtained by performing differential power analysis on the multiplication of the public information and the private information while referring to the public information (refer to Non-Patent Literature 2).
For example, the EC-Schnorr signature algorithm (Elliptic Curve Schnorr Digital Signature Algorithm) proceeds as follows:
Step 0. Let G be a generator on an elliptic curve and n an order of G. Let d be a private key, M a message to be signed, and h a hash function.
Step 1. Generate a random number k. k is a natural number less than n.
Step 2. Calculate P=kG and let Px be an x coordinate of P.
Step 3. Calculate e=h(M∥Px). “∥” signifies concatenation.
Step 4. Calculate s=(e×d+k)mod n.
Step 5. (e, s) will be the electronic signature of M.
In the above calculation method, calculation of e×d is performed in Step 4. Since e is public information, the private key d can be obtained by performing differential power analysis.
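The EC-Schnorr steps above as runnable Python, with the verification relation sG − eQ = kG (Q = dG being the public key) added so that the result can be checked. This is an added example, not code from the cited literature; the curve (secp256k1), the hash (SHA-256) and the names add, mul, h, sign and verify are assumptions, and the arithmetic is not hardened against side channels.

```python
import hashlib, secrets

# secp256k1 domain parameters (assumed curve; the text names none)
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):
    """Double-and-add scalar multiplication (not constant time)."""
    R = None
    while k:
        if k & 1: R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R

def h(M, Px):
    """e = h(M || Px): SHA-256 over the concatenation, reduced mod n."""
    data = M + Px.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(d, M, k=None):
    k = k or secrets.randbelow(n - 1) + 1   # Step 1: 0 < k < n
    Px = mul(k, G)[0]                       # Step 2: P = kG
    e = h(M, Px)                            # Step 3
    s = (e * d + k) % n                     # Step 4: public e times secret d
    return e, s                             # Step 5

def verify(Q, M, sig):
    e, s = sig
    if not 0 < s < n: return False
    P = add(mul(s, G), mul(n - e, Q))       # sG - eQ = kG = P
    return P is not None and h(M, P[0]) == e
```

The line marked Step 4 is the only place the long-term key d meets a value that anyone holding the signature also knows, which is why the text singles it out.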
As another example, EC-DSA (Elliptic Curve Digital Signature Algorithm) proceeds as follows:
Step 0. Let G be a generator on an elliptic curve and n an order of G. Let d be a private key, M a message to be signed, and h a hash function.
Step 1. Generate a random number k. k is a natural number less than n.
Step 2. Calculate P=kG and let Px be an x coordinate of P.
Step 3. Calculate s=k^(−1)×(Px×d+h(M)) mod n.
Step 4. (Px, s) will be the electronic signature of M.
In the above calculation method, calculation of Px×d is performed in Step 4. Since Px is public information, the private key d can be obtained by performing differential power analysis.