Presentation is loading. Please wait.

Presentation is loading. Please wait.

C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 CHES 2000 Data Integrity in Hardware for Modular Arithmetic Colin Walter Computation Department,

Published byMoris Kelly Modified over 9 years ago

Similar presentations

Presentation on theme: "C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 CHES 2000 Data Integrity in Hardware for Modular Arithmetic Colin Walter Computation Department,"— Presentation transcript:

1 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 CHES 2000 Data Integrity in Hardware for Modular Arithmetic Colin Walter Computation Department, UMIST, UK www.co.umist.ac.uk

2 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 Overview b Cryptographic etc Motivations b Checker Function for Error Detection b Properties and Costs b Error Correction b Conclusion

3 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 Motivation b Fault Detection b Cryptographic Arithmetic e.g. RSA, Diffie-Hellman b Design Errors in Embedded Systems b Undetected Fabrication Faults b Sporadic Errors e.g. Ionising Radiation b Fault Tolerance for Increased Yield b Active Attacks - Differential Fault Analysis

4 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 Current Methods b Duplication of hardware: too expensive. b Error correcting codes: don’t apply. b Modular checker functions for integer arithmetic: don’t apply. b Verification by performing the inverse crypto function: too expensive, unwise or unavailable. A cost effective solution is needed.

5 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 The Integer Arith ic Solution We will adapt a standard choice for an integer checker function, namely: f(A) = A mod D where often D = 3 or 5. Conveniently, f(A ¤B) = f (A) ¤ f(B) for any arith ic op n ¤. This equality is checked for each operation This doesn’t work for arithmetic mod M.

6 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 Notation RSA : b public modulus M, b keys d and e, one public, one private Plain text T and cipher text C are related by C = T e mod M and T = C d mod M

7 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 Number Representations Hardware represents A as A = a i r i where b radix r is typically 2, 4, 2 16 or 2 32 b n+1 is its number of digits b digits a i are in [0..r–1] or are redundant using 1 or 2 extra bits or twice as many bits (as in a carry- save rep n ).

8 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 Montgomery Multiplication { Pre-Conditions: r prime to M, A has n+1 digits } P := 0 ; For i := 0 to n do Begin q i := ( P + a i B )( –M –1 ) mod r ; P := ( P + a i B + q i M ) div r ; End { Post-condition: P  (A×B×R -1 ) mod M for R = r n+1 }

9 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 An Integer Equation The initial digits q j form an integer Q i = q j r j Similarly, the initial digits a j form an integer A i. Pr i+1 = A i ×B + Q i ×M holds at the end of each loop iteration. So, for Q = Q n and R = r n+1, P×R = A×B + Q×M

10 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 A Check for Mult n Errors The function f(A) = A mod D can now be applied to verify Montgomery products P×R = A×B + Q×M P×R = A×B + Q×M by checking that f(P) × f(R) = f(A) × f(B) + f(Q) × f(M) holds in the ring of residues mod D.

11 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 The Choice of Modulus D Requirements for D include: b mod D operations must be cheap and fast; b the check should reveal most or all errors. We will conclude that D = r ± 1 is a good choice (unless radix r is very small).

12 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 Stuck-at Faults b Stuck-at faults change inputs A by 2 i, some i. So f(A) changes if D has an odd factor. b Then in f(A)×f(B) + f(Q)×f(M), the error is detected when f(B) is non-zero, i.e. in 1/D of all cases. b B changes during an exponentiation, so almost certainly some f(B) will be non-zero and the error will be detected.

13 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 Modulus M M is fixed for many exponentiations. b If stuck-at the correct value, results will be OK ( and the H/W may never compute incorrectly! ) b If stuck at the wrong value, Q changes during an exponentiation, so almost certainly some f(Q) will be non-zero and again the error will be detected. f(P)×f(R) = f(A)×f(B) + f(Q)×f(M)

14 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 Digit Slice Errors At the level of the j th digit slice, the digits satisfy p j + r×c out := p j + a i ×b j – q i ×m j + c in (j=0,1,…,n) where c in and c out are carries from/to neighbouring slices, bounded by 2r–2. b The right side is < 2r 2, so any error makes a difference to the output of dr j where d < 2r 2. b Any D larger than and prime to 2r 2 will detect such single errors since f(P) will change. b But, in 1/D cases f(P) will eventually be restored to the value it should have had, even though P is wrong.

15 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 Summary so far: b Most crypto hardware can be protected against transient and permanent faults by the checker function f(A) = A mod D. b b Errors are detected except in at most 1/D of cases if D is larger than and prime to 2r 2.

16 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 Efficient Choice of D b For compatibility with the H/W multiplier, it will be best to keep D < r since f(A)×f(B) and f(Q)×f(M) etc must be computed. b Taking D = r–1 enables f(A) to be evaluated by summing the digits of A and repeating the process on the result until a value < D is obtained. (cf adding digits base 10 to check divisibility by 9) (cf adding digits base 10 to check divisibility by 9)

17 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 Costs for Checking b The correct f(M) and f(R) should be stored to avoid recomputation. b Each multiplication in an exponentiation produces two new outputs, P and Q. b Approx n 2 digit operations are performed in each mult n. b Approx 2n operations will evaluate f(P), f(Q) and the two sides of the equation. b So the time cost is close to increasing n by 1. b The result is obtained before the next mult n is completed.

18 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 Error Recovery b An error may indicate an attack and suggest termination of the computation. b If re-calculation is required, transient errors only need storage of a previous input set. b For multipliers of size O(n 2 ) and registers of size O(n), we expect this cost to be equivalent to adding O(1) to the area, i.e. 1 or 2 to n.

19 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 Permanent Faults b Comprehensive production testing is expensive. b So shortcuts will lead to faulty products being delivered. b Error detection is necessary. b M is not usually changed very frequently. So some errors in the hardware may not surface at testing nor even occur during the chip's life.

20 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 Permanent Faults b Recovery from recurring faults: re-using the same inputs is useless. b Inputs can be modified in an attempt to avoid the errors. b Try a shift: compute T e mod M via T e mod rM. b Try a scaling: T e mod dM where d is prime to r.

21 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 General Case b The paper looks in detail at a number of different H/W situations and different algorithms. b The same conclusions in hold each case, even for r = 2. (Pick D = r k ±1 with k = 4, say.) b The checker function is always much cheaper than other solutions such as voting between copies of the hardware.

22 C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 Summary and Conclusion b Error detection is desirable in many situations. b It is easy to detect and correct transient errors in H/W for cryptosystems based on modular arith ic. b Such checks defeat certain types of active attack on embedded systems such as smartcards. b The check described here is cheap and efficient in time and space, and reliable.

Download ppt "C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 CHES 2000 Data Integrity in Hardware for Modular Arithmetic Colin Walter Computation Department,"

Similar presentations

Modular Arithmetic Several important cryptosystems make use of modular arithmetic. This is when the answer to a calculation is always in the range 0 –

Modular Arithmetic Several important cryptosystems make use of modular arithmetic. This is when the answer to a calculation is always in the range 0 –
CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur.

CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur.
Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK www.co.umist.ac.uk.

Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK
Fault-Tolerant Systems Design Part 1.

Fault-Tolerant Systems Design Part 1.
Section 4.1: Primes, Factorization, and the Euclidean Algorithm Practice HW (not to hand in) From Barr Text p. 160 # 6, 7, 8, 11, 12, 13.

Section 4.1: Primes, Factorization, and the Euclidean Algorithm Practice HW (not to hand in) From Barr Text p. 160 # 6, 7, 8, 11, 12, 13.
22C:19 Discrete Structures Integers and Modular Arithmetic

22C:19 Discrete Structures Integers and Modular Arithmetic
CSE 246: Computer Arithmetic Algorithms and Hardware Design Instructor: Prof. Chung-Kuan Cheng Winter 2004 Lecture 2.

CSE 246: Computer Arithmetic Algorithms and Hardware Design Instructor: Prof. Chung-Kuan Cheng Winter 2004 Lecture 2.
Number Theory and Cryptography

Number Theory and Cryptography
CENG536 Computer Engineering Department Çankaya University.

CENG536 Computer Engineering Department Çankaya University.
Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,

Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,
Reliability of Disk Systems. Reliability So far, we looked at ways to improve the performance of disk systems. Next, we will look at ways to improve the.

Reliability of Disk Systems. Reliability So far, we looked at ways to improve the performance of disk systems. Next, we will look at ways to improve the.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
Level ISA3: Information Representation

Level ISA3: Information Representation
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Storage of Bits Computers represent information as patterns of bits

Storage of Bits Computers represent information as patterns of bits
Montgomery’s Multiplication Technique: How to make it Smaller and Faster Colin D. Walter Computation Department, UMIST, UK www.co.umist.ac.uk.

Montgomery’s Multiplication Technique: How to make it Smaller and Faster Colin D. Walter Computation Department, UMIST, UK
Copyright 2008 Koren ECE666/Koren Part.6a.1 Israel Koren Spring 2008 UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Digital Computer.

Copyright 2008 Koren ECE666/Koren Part.6a.1 Israel Koren Spring 2008 UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Digital Computer.
Richard Fateman CS 282 Lecture 61 Evaluation/Interpolation (I) Lecture 6.

Richard Fateman CS 282 Lecture 61 Evaluation/Interpolation (I) Lecture 6.
Real Numbers and the Decimal Number System

Real Numbers and the Decimal Number System

Similar presentations

Ads by Google