Presentation is loading. Please wait.

Presentation is loading. Please wait.

Distinguishing Exponent Digits by Observing Modular Subtractions

Published byΕιδοθεα Βλαχόπουλος Modified over 6 years ago

Similar presentations

Presentation on theme: "Distinguishing Exponent Digits by Observing Modular Subtractions"— Presentation transcript:

1 Distinguishing Exponent Digits by Observing Modular Subtractions
Colin D. Walter and Susan Thompson

2 A Timing Attack on RSA Context: AB mod N
Output from multiplier S < 2N Require output S < N or < 2n So conditional subtraction in S/W Assume recognisable in power trace Unknown plain/cipher text Unknown modulus RSA Conf, SF, Apr 2001 Walter & Thompson, Datacard Consult

3 History Kocher (Crypto 1996) - Known Plaintext
Dhem et al (Cardis 1998) - Supplied Detail Schindler (Ches 2000) - Square & Mult Platform Seven - Unknown Plaintext (RSA 2001) - Much Less Data m-ary expn. RSA Conf, SF, Apr 2001 Walter & Thompson, Datacard Consult

4 Partial Product S Last step of Montgomery mod mult: S  (S + aB + qN)/r a = top digit of A, dependent on size of A q, S effectively randomly distributed For random A and fixed B, the average S is a linear function of B, indepnt of A Larger B  more frequent final subtractions RSA Conf, SF, Apr 2001 Walter & Thompson, Datacard Consult

5 Distribution of S For a multiply S behaves like random variable αβ + γ where α, β have the distributions of 2–nA, B and γ is uniform. For a square S behaves like α2 + γ. Integrating over values of α and β, the probability of S being greater than 2n is: … for multiply, … for square RSA Conf, SF, Apr 2001 Walter & Thompson, Datacard Consult

6 … for multiply, … for square.
Squares vs Multiplies … for multiply, … for square. So probabilities of conditional subtraction of N are different. With sufficient observations we can distinguish squares from multiplies. ( Care: non-uniform distribution on [0..2N]. ) RSA Conf, SF, Apr 2001 Walter & Thompson, Datacard Consult

7 Careless implementation of Modular Multiplication is dangerous.
First Results In square-and-multiply exponentiation we can read the bits of a secret key. Careless implementation of Modular Multiplication is dangerous. RSA Conf, SF, Apr 2001 Walter & Thompson, Datacard Consult

8 m-ary Exponentiation A, A2 or A3
In case square-and-multiply leaks, use m-ary exponentiation. Is it safe? Example: 4-ary to compute Ad mod N Each multiply is by one of A, A2 or A3 Can these be distinguished? RSA Conf, SF, Apr 2001 Walter & Thompson, Datacard Consult

9 Differentiating Multipliers
Averaging over all observations, we can distinguish squares from multiplies. Averaging over all observations, the different multipliers are indistinguishable. Key: Select observation subsets. RSA Conf, SF, Apr 2001 Walter & Thompson, Datacard Consult

10 Choice of Obs. Subsets Identify an initial multiplication A×Ai–1.
Partition observations according to whether or not the extra final subtraction occurs. One subset: cases of larger Ai (on average) Other subset: cases of smaller Ai (on avage) Other powers Aj (ji) will be average. RSA Conf, SF, Apr 2001 Walter & Thompson, Datacard Consult

11 More Results Multiply operations by Ai (same, fixed i) will show similar non-average final subn frequencies in the two subsets: above average in one, below average in the other. Multiply operations by Aj (ji) will have closer to average final subn frequencies. RSA Conf, SF, Apr 2001 Walter & Thompson, Datacard Consult

12 Consequence All cases of exponent digit i can be identified from their non-average behaviour in the two subsets. RSA Conf, SF, Apr 2001 Walter & Thompson, Datacard Consult

13 Demonstration The pre-computations of A, A2 and A3 give us 23 observation subsets. Selecting different subsets will change the relative frequencies of final subns. Operations corresponding to the same exponent digit will behave similarly. RSA Conf, SF, Apr 2001 Walter & Thompson, Datacard Consult

14 Sub in Initial Squaring
RSA Conf, SF, Apr 2001 Walter & Thompson, Datacard Consult

15 No Sub in Initial Squaring
RSA Conf, SF, Apr 2001 Walter & Thompson, Datacard Consult

16 Reasoning Opn A×A does have a final subn:
A is big, so exp digit 01 has many subs. A2 is much smaller, so exp digit 10 has least subs. A3 is more normal, so digit 11 has middling subs. Opn A×A does not have a final subn: A is small, so exp digit 01 has very few subs. A2 is bigger but still small, digit 10 has more subs. A3 is most normal, so exp digit 11 has most subs. RSA Conf, SF, Apr 2001 Walter & Thompson, Datacard Consult

17 Conclusions In m-ary exponentiation we may be able to read the bits of a secret key. Careless implementation of Modular Multiplication is dangerous also for m-ary exponentiation. Even with low detection of final subns, expnt digits are obtained accurately, so there is no safety in longer keys. RSA Conf, SF, Apr 2001 Walter & Thompson, Datacard Consult

Download ppt "Distinguishing Exponent Digits by Observing Modular Subtractions"

Similar presentations

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK www.co.umist.ac.uk.

Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK
C ● O ● M ● O ● D ● O RESEARCH LAB Longer Keys may Facilitate Side Channel Attacks (Bradford, UK) Colin.

C ● O ● M ● O ● D ● O RESEARCH LAB Longer Keys may Facilitate Side Channel Attacks (Bradford, UK) Colin.
C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 CHES 2000 Data Integrity in Hardware for Modular Arithmetic Colin Walter Computation Department,

C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 CHES 2000 Data Integrity in Hardware for Modular Arithmetic Colin Walter Computation Department,
Fall 2006 – Fundamentals of Business Statistics 1 Chapter 6 Introduction to Sampling Distributions.

Fall 2006 – Fundamentals of Business Statistics 1 Chapter 6 Introduction to Sampling Distributions.
1 (Student’s) T Distribution. 2 Z vs. T Many applications involve making conclusions about an unknown mean . Because a second unknown, , is present,

1 (Student’s) T Distribution. 2 Z vs. T Many applications involve making conclusions about an unknown mean . Because a second unknown, , is present,
Tallinn University of Technology Quantum computer impact on public key cryptography Roman Stepanenko.

Tallinn University of Technology Quantum computer impact on public key cryptography Roman Stepanenko.
Binary Real Numbers. Introduction Computers must be able to represent real numbers (numbers w/ fractions) Two different ways:  Fixed-point  Floating-point.

Binary Real Numbers. Introduction Computers must be able to represent real numbers (numbers w/ fractions) Two different ways:  Fixed-point  Floating-point.
Standard Statistical Distributions Most elementary statistical books provide a survey of commonly used statistical distributions. The reason we study these.

Standard Statistical Distributions Most elementary statistical books provide a survey of commonly used statistical distributions. The reason we study these.
Issues of Security with the Oswald-Aigner Exponentiation Algorithm Colin D Walter Comodo Research Lab, Bradford, UK www.comodogroup.com Colin D Walter.

Issues of Security with the Oswald-Aigner Exponentiation Algorithm Colin D Walter Comodo Research Lab, Bradford, UK Colin D Walter.
9th IMA Conference on Cryptography & Coding Dec 2003 More Detail for a Combined Timing and Power Attack against Implementations of RSA Werner Schindler.

9th IMA Conference on Cryptography & Coding Dec 2003 More Detail for a Combined Timing and Power Attack against Implementations of RSA Werner Schindler.
© UCL Crypto group oct.-15 On the Perfect Encryption Assumption in the Study of Security Protocols O. Pereira and J.-J. Quisquater UCL Crypto Group

© UCL Crypto group oct.-15 On the Perfect Encryption Assumption in the Study of Security Protocols O. Pereira and J.-J. Quisquater UCL Crypto Group
1 Chapter 10: Introduction to Inference. 2 Inference Inference is the statistical process by which we use information collected from a sample to infer.

1 Chapter 10: Introduction to Inference. 2 Inference Inference is the statistical process by which we use information collected from a sample to infer.
Fast Exponentiation (3/31) What is the most efficient way to compute 3 12574 (mod 32591)? We will need an efficient algorithm in order to do “RSA cryptography”,

Fast Exponentiation (3/31) What is the most efficient way to compute (mod 32591)? We will need an efficient algorithm in order to do “RSA cryptography”,
Alternative Wide Block Encryption For Discussion Only.

Alternative Wide Block Encryption For Discussion Only.
Some Security Aspects of the Randomized Exponentiation Algorithm (Bradford, UK) Colin D. Walter M IST.

Some Security Aspects of the Randomized Exponentiation Algorithm (Bradford, UK) Colin D. Walter M IST.
Sliding Windows Succumbs to Big Mac Attack Colin D. Walter www.co.umist.ac.uk.

Sliding Windows Succumbs to Big Mac Attack Colin D. Walter
Precise Bounds for Montgomery Modular Multiplication and Some Potentially Insecure RSA Moduli Colin D. Walter formerly: www.co.umist.ac.uk (Manchester,

Precise Bounds for Montgomery Modular Multiplication and Some Potentially Insecure RSA Moduli Colin D. Walter formerly: (Manchester,
M IST : An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis Colin D. Walter formerly: (Manchester, UK)

M IST : An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis Colin D. Walter formerly: (Manchester, UK)
IEEE ARITH 17 Cape Cod, 27th – 29th June 2005 Data Dependent Power Use in Multipliers Colin D. Walter David Samyde

IEEE ARITH 17 Cape Cod, 27th – 29th June 2005 Data Dependent Power Use in Multipliers Colin D. Walter David Samyde

Similar presentations

Ads by Google