Distinguishing Exponent Digits by Observing Modular Subtractions

Distinguishing Exponent Digits by Observing Modular Subtractions
Colin D. Walter and Susan Thompson
www.datacard.com

A Timing Attack on RSA
Context: AB mod N
Output from multiplier: S < 2N
Require output S < N or S < 2^n
So there is a conditional subtraction in software
Assume it is recognisable in a power trace
Unknown plaintext/ciphertext
Unknown modulus
RSA Conf, SF, Apr 2001 Walter & Thompson, Datacard Consult

History
Kocher (Crypto 1996) - Known Plaintext
Dhem et al (Cardis 1998) - Supplied Detail
Schindler (CHES 2000) - Square & Mult
Platform Seven - Unknown Plaintext
(RSA 2001) - Much Less Data
- m-ary exponentiation

Partial Product S
Last step of Montgomery modular multiplication: S ← (S + aB + qN)/r
a = top digit of A, dependent on the size of A
q, S effectively randomly distributed
For random A and fixed B, the average S is a linear function of B, independent of A
Larger B ⇒ more frequent final subtractions

Distribution of S
For a multiply, S behaves like the random variable αβ + γ, where α and β have the distributions of 2^(-n)·A and B, and γ is uniform.
For a square, S behaves like α^2 + γ.
Integrating over values of α and β, the probability of S being greater than 2^n is: … for multiply, … for square

Squares vs Multiplies
… for multiply, … for square.
So the probabilities of a conditional subtraction of N are different.
With sufficient observations we can distinguish squares from multiplies.
(Care: non-uniform distribution on [0..2N].)

First Results
In square-and-multiply exponentiation we can read the bits of a secret key.
Careless implementation of Modular Multiplication is dangerous.

m-ary Exponentiation
In case square-and-multiply leaks, use m-ary exponentiation. Is it safe?
Example: 4-ary to compute A^d mod N
Each multiply is by one of A, A^2 or A^3
Can these be distinguished?

Differentiating Multipliers
Averaging over all observations, we can distinguish squares from multiplies.
Averaging over all observations, the different multipliers are indistinguishable.
Key: Select observation subsets.

Choice of Obs. Subsets
Identify an initial multiplication A×A^(i-1).
Partition observations according to whether or not the extra final subtraction occurs.
One subset: cases of larger A^i (on average)
Other subset: cases of smaller A^i (on average)
Other powers A^j (j≠i) will be average.

More Results
Multiply operations by A^i (same, fixed i) will show similar non-average final subtraction frequencies in the two subsets: above average in one, below average in the other.
Multiply operations by A^j (j≠i) will have closer to average final subtraction frequencies.

Consequence
All cases of exponent digit i can be identified from their non-average behaviour in the two subsets.

Demonstration
The pre-computations of A, A^2 and A^3 give us 2^3 observation subsets.
Selecting different subsets will change the relative frequencies of final subtractions.
Operations corresponding to the same exponent digit will behave similarly.

[Figure: Sub in Initial Squaring]

[Figure: No Sub in Initial Squaring]

Reasoning
Operation A×A does have a final subtraction:
A is big, so exponent digit 01 has many subtractions.
A^2 is much smaller, so exponent digit 10 has the fewest subtractions.
A^3 is more normal, so exponent digit 11 has a middling number of subtractions.
Operation A×A does not have a final subtraction:
A is small, so exponent digit 01 has very few subtractions.
A^2 is bigger but still small, so exponent digit 10 has more subtractions.
A^3 is most normal, so exponent digit 11 has the most subtractions.
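
An added simulation (not from the original slides) of two effects described above: the different final-subtraction frequencies of squares and multiplies, and the shift in frequency for multiplications by A (exponent digit 01) once runs are partitioned on the initial squaring A×A. It assumes the variant that subtracts when S ≥ N, inputs uniform below N, a constructed 256-bit modulus, and a uniformly random value standing in for the running partial product; all names are illustrative.

```python
import random

R_BITS = 256                      # Montgomery radix R = 2**R_BITS (constructed size)
R = 1 << R_BITS
N = R - 189                       # constructed odd modulus just below R, not a real key
N_INV = (-pow(N, -1, R)) % R      # -N^-1 mod R

def mont_mul(a, b):
    """Montgomery product a*b*R^-1 mod N, plus whether the final
    conditional subtraction of N was needed (the observable)."""
    t = a * b
    q = (t * N_INV) % R
    s = (t + q * N) >> R_BITS     # exact division by R; 0 <= s < 2N
    return (s - N, True) if s >= N else (s, False)

def square_vs_multiply(trials, rng):
    """Subtraction frequency for A*A versus A*B with independent inputs."""
    sq = mu = 0
    for _ in range(trials):
        a, b = rng.randrange(N), rng.randrange(N)
        sq += mont_mul(a, a)[1]
        mu += mont_mul(a, b)[1]
    return sq / trials, mu / trials

def partition_by_initial_square(trials, rng):
    """Split runs on whether the pre-computation A*A subtracted, then
    measure how often a later multiplication S*A subtracts in each subset."""
    hits = {True: 0, False: 0}
    runs = {True: 0, False: 0}
    for _ in range(trials):
        a = rng.randrange(N)
        flag = mont_mul(a, a)[1]
        s = rng.randrange(N)      # assumption: stand-in for the partial product
        runs[flag] += 1
        hits[flag] += mont_mul(s, a)[1]
    return hits[True] / runs[True], hits[False] / runs[False]

if __name__ == "__main__":
    rng = random.Random(2001)
    print("square, multiply:", square_vs_multiply(20000, rng))
    print("S*A given sub / no sub in A*A:", partition_by_initial_square(20000, rng))
```

With the modulus this close to R, the first pair comes out near 1/3 and 1/4, and the second near 0.375 and 0.19, so multiplications by A sit above the overall multiply average in one subset and below it in the other.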

Conclusions
In m-ary exponentiation we may be able to read the bits of a secret key.
Careless implementation of Modular Multiplication is dangerous also for m-ary exponentiation.
Even with low detection of final subtractions, exponent digits are obtained accurately, so there is no safety in longer keys.