Improved zero value attack on XTR

  • Authors: Régis Bevan
  • Affiliations: Oberthur Card Systems SA, Puteaux, France
  • Venue: ACISP'05 Proceedings of the 10th Australasian conference on Information Security and Privacy
  • Year: 2005

Abstract

In 2000, Lenstra and Verheul presented the XTR Public Key System, which uses a subgroup of the multiplicative group GF(p^6) with a compact representation. In two other papers, Han et al. analyzed the security against power analysis of the XTR algorithms presented by Lenstra and Verheul in 2000. In particular, they showed that the XTR Single Exponentiation (XTR-SE) is vulnerable to a modification of the Refined Power Analysis (MRPA), and they presented a countermeasure based on the XTR double exponentiation. In the first part of this paper, we show that this countermeasure is not effective for some particular inputs. For these inputs, an attacker has a probability of 2/3 of retrieving the secret exponent with only one power measurement. In the second part, we show that the inputs used by Han et al. for MRPA are not valid inputs for XTR. As one of these dangerous inputs can also be obtained by Fault Injection, we discuss the different attack scenarios and their respective countermeasures.