Presentation is loading. Please wait.

Presentation is loading. Please wait.

Some Security Aspects of the Randomized Exponentiation Algorithm (Bradford, UK) Colin D. Walter M IST.

Published byBrandon Parrish Modified over 8 years ago

Similar presentations

Presentation on theme: "Some Security Aspects of the Randomized Exponentiation Algorithm (Bradford, UK) Colin D. Walter M IST."— Presentation transcript:

1 Some Security Aspects of the Randomized Exponentiation Algorithm www.comodo.net (Bradford, UK) colin.walter@comodo.net Colin D. Walter M IST

2 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 2/19 Power Analysis Attacks With no counter-measures and the binary exp n alg m, averaging power traces at the same instants during several exp ns enables one to differentiate squares and multiplies and hence deduce the exponent bits (Kocher). Averaging power traces over individual digit-by-digit products in a single exp n enables one to differentiate multiplicands in m-ary exp n and hence deduce the exponent (CHES 2001). Smartcards have limited scope for including expensive, tamper-resistant, hardware measures. Good software counter-measures are required: new algorithms as well as modifying arguments e.g. D to D+r  (N).

3 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 3/19 m-ary Exp n (Reversed) { To compute: P = C D } Q  C ; P  1 ; While D > 0 do Begin d  D mod m ; If d  0 then P  Q d × P ; Q  Q m ; D  D div m ; { Invariant: C D.Init = Q D × P } End

4 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 4/19 M IST The M IST Exp n Algorithm { To compute: P = C D } Q  C ; P  1 ; While D > 0 do Begin d  D mod m ; If d  0 then P  Q d × P ; Q  Q m ; D  D div m ; { Invariant: C D.Init = Q D × P } End Choose a random base m, e.g. from {2,3,5} ;

5 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 5/19 Randomary Exponentiation The main computational part of the loop is: If d  0 then P  Q d × P ; Q  Q m To provide the required efficiency, a set of possible values for m are chosen so that an efficient addition chain for m contains d, e.g. 1+1=2, 2+1=3, 2+3=5 is an addition chain for base m=5 suitable for digits d = 0, 1, 2 or 3. Comparable to the 4-ary method regarding time complexity.

6 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 6/19 Running Example Fix the base set = {2, 3, 5}. Consider D = 235 Dm, d Q (before)Q d Q m P (after) 2353, 1 C 1 C 1 C 3 C 1 782, 0 C 3 1 C 6 C 1 395, 4 C 6 C 24 C 30 C 1 ×C 24 = C 25 72, 1 C 30 C 30 C 60 C 25 ×C 30 = C 55 33, 0 C 60 1C 180 C 55 12, 1 C 180 C 180 C 360 C 55 ×C 180 = C 235

7 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 7/19 Choice of Base Set Security: Bases must be chosen so that sequences of squares & multiplies or op d sharing do not reveal m. Efficiency: –Bases m must be chosen so that raising to the power m is (time) efficient enough. –Space is required to store addition chains. –As few registers as possible should be used for the exponentiation. One Solution: Take the set of bases {2,3,5}.

8 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 8/19 Choice of Base Example algorithm (see CT-RSA 2002 paper) : m  0 ; If Random(8) < 7 then If (D mod 2) = 0 then m  2 else If (D mod 5) = 0 then m  5 else If (D mod 3) = 0 then m  3 ; If m = 0 then Begin p  Random(8) ; If p < 6 then m  2 else If p < 7 then m  5 else m  3 End

9 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 9/19 Probability of (m,d) Define probabilities: p i = prob(D≡i mod 30) p m|i = prob(choosing m given D≡i mod 30) Then: p m =  i mod 30 p i p m|i is prob of base m p m,d =  i  d mod 30 p i p m|i is prob of pair (m,d) For the base selection process above: p 2 = 0.629p 3 = 0.228 p 5 = 0.142

10 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 10/19 Addition Sub-Chains Let (ijk) mean:multiply contents at addresses i and j and write result to address k. Use 1 for location of Q, 2 for temporary register, 3 for P: (111)for (m,d) = (2,0) (112, 133) for (m,d) = (2,1) (112, 121) for (m,d) = (3,0) (112, 133, 121) for (m,d) = (3,1) (112, 233, 121) for (m,d) = (3,2) (112, 121, 121) for (m,d) = (5,0) (112, 133, 121, 121) for (m,d) = (5,1) (112, 233, 121, 121) for (m,d) = (5,2) (112, 121, 133, 121) for (m,d) = (5,3) (112, 222, 233, 121) for (m,d) = (5,4)

11 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 11/19 S&M Sequences Assume an attacker can distinguish Squares and Multiplies from a single exponentiation (e.g. from Hamming weights of arguments deduced from power variation on bus.) A division chain is the list of pairs (m,d) used in an exp n scheme. It determines the addition chain to be used, and hence the sequence of squares and multiplies which occur: (2,0)S (2,1), (3,0)SM (3,1), (3,2), (5,0)SMM (5,1), (5,2), (5,3)SMMM (5,4)SSMM Base sub-chain boundaries are deduced from occurrences of S except for ambiguity between (5,4) and (2,0)(3,x) or (2,0)(5,0).

12 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 12/19 Running Example D(m,d) S&M subchain Interpretations 235(3,1) S(M)M(3,1), (3,2), (5,0) 78(2,0) S (2,0) 39(5,4) SSMM (5,4), (2,0)(3,1), (2,0)(3,2), (2,0)(5,0) 7(2,1) SM (2,1), (3,0) 3(3,0) SM (2,1), (3,0) 1(2,1) (S)M (2,1) Result: SM.S.SSMM.SM.SM.M with 1 1 2 2 3 1 4 1 = 48 choices. (Modifications for end conditions: e.g. the initial M and final S are superfluous.)

13 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 13/19 Exponent Choices There is/are: 1 way to interpret S 2 ways to interpret SM 3 ways to interpret SMM with preceding M 4 ways to interpret SMM with preceding S 4 ways to interpret SMMM The probabilities of the sub-chains can be calculated: p S = prob(S) = p 2,0 ; p SM = p 2,1 +p 3,0 ; p SMM = etc. So average number of choices to interpret a sub-chain is 1 p' S 2 p' SM 3 p' MSMM 4 p' SSMM 4 p' SMMM ≈ 1.7079 where ' is the modification due to parsing SSMM into S.SMM always.

14 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 14/19 S&M Theorem There are on average 0.766 log 2 D occurrences of S per addition chain, so 1.7079 0.766 log 2 D = D 0.5916 exponents which can generate the same S&M sequence. T HEOREMT HEOREM : The search space for exponents with the same S&M sequence as D has size approx D 3/5. For 4-ary exp n, it is much easier to average traces, easier to be certain of the S&M sequence, and the search space is only D 7/18 – which is smaller. Both are computationally infeasible searches.

15 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 15/19 Operand Re-Use From its location, address, power use in mult n or Hamming weight, it may be possible to identify re-use of operands. Assume we know when operands are equal, but nothing more. –since only squares have equal operands, this means the S&M sequence can be recovered. –for classical m-ary & sliding windows exp n, there is a fixed pre-computed multiplicand for each exp t digit value, so the secret exponent can be reconstructed uniquely. M ISTM IST operand sharing leaves ambiguities: –(2,1) and (3,0) have the same operand sharing pattern and both are common: p SM = 0.458.

16 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 16/19 Running Example D(m,d) Op Sharing Interpretations 235(3,1) (3,1) 78(2,0) (2,0) 39(5,4) (5,4) 7(2,1) (2,1), (3,0) 3(3,0) (2,1), (3,0) 1(2,1) (2,1) Result: 2 2 = 4 choices. ( Modifications for end conditions: e.g. the most significant digit d is non-zero.)

17 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 17/19 Operand Re-Use Theorem T HEOREM M IST DD 1/3With similar working to the S&M case: T HEOREM : For M IST, the search space for exponents with the same operand sharing sequence as D has size approx D 1/3. The search space for m-ary exp n has size D 0. There are several necessary boring technicalities to ensure mathematical rigour – skip sections 4 and 5 in the paper!

18 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 18/19 Difficulties? The above requires correct identification of op d sharing first (operands are never used more than 3 times) Mistakes are not self-correcting in an obvious way; only a few errors can vastly increase the search space. There is no known way to combine results from other exp ns, especially if exponent blinding is applied. Always selecting zero digits vastly decreases the search. Small public exponent, no exponent blinding and known RSA modulus provide half the bits, reducing the search space to D 1/6.

19 The MIST Algorithm Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions CHES 2002 19/19 Conclusion “Random-ary exponentiation” – a novel exp n alg m suitable for RSA on smartcard (no inverses need to be computed). Time & Space are comparable to 4-ary exp n. Random choices & little operand re-use make the usual averaging for DPA much more restricted. M ISTM IST is much stronger against power analysis than standard exp n algorithms.

Download ppt "Some Security Aspects of the Randomized Exponentiation Algorithm (Bradford, UK) Colin D. Walter M IST."

Similar presentations

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur.

CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur.
Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK www.co.umist.ac.uk.

Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK
C ● O ● M ● O ● D ● O RESEARCH LAB Longer Keys may Facilitate Side Channel Attacks (Bradford, UK) Colin.

C ● O ● M ● O ● D ● O RESEARCH LAB Longer Keys may Facilitate Side Channel Attacks (Bradford, UK) Colin.
Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,

Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,
C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 CHES 2000 Data Integrity in Hardware for Modular Arithmetic Colin Walter Computation Department,

C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 CHES 2000 Data Integrity in Hardware for Modular Arithmetic Colin Walter Computation Department,
Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.

Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.
Cryptography and Network Security Chapter 9 Fourth Edition by William Stallings.

Cryptography and Network Security Chapter 9 Fourth Edition by William Stallings.
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.

Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.
Announcements: HW3 updated. Due next Thursday HW3 updated. Due next Thursday Written quiz tomorrow on chapters 1-2 (next slide) Written quiz tomorrow on.

Announcements: HW3 updated. Due next Thursday HW3 updated. Due next Thursday Written quiz tomorrow on chapters 1-2 (next slide) Written quiz tomorrow on.
Cryptography and Network Security Chapter 9. Chapter 9 – Public Key Cryptography and RSA Every Egyptian received two names, which were known respectively.

Cryptography and Network Security Chapter 9. Chapter 9 – Public Key Cryptography and RSA Every Egyptian received two names, which were known respectively.
Public Key Cryptography and the RSA Algorithm

Public Key Cryptography and the RSA Algorithm
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.
Dr.Saleem Al_Zoubi1 Cryptography and Network Security Third Edition by William Stallings Public Key Cryptography and RSA.

Dr.Saleem Al_Zoubi1 Cryptography and Network Security Third Edition by William Stallings Public Key Cryptography and RSA.
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.
1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Cryptography and Network Security Chapter 9 5th Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 9 5th Edition by William Stallings Lecture slides by Lawrie Brown.
Tallinn University of Technology Quantum computer impact on public key cryptography Roman Stepanenko.

Tallinn University of Technology Quantum computer impact on public key cryptography Roman Stepanenko.
Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Similar presentations

Ads by Google