Presentation is loading. Please wait.

Presentation is loading. Please wait.

M IST : An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis Colin D. Walter (Manchester, UK)

Published byEstella Kelly Modified over 8 years ago

Similar presentations

Presentation on theme: "M IST : An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis Colin D. Walter (Manchester, UK)"— Presentation transcript:

1 M IST : An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis Colin D. Walter www.co.umist.ac.uk (Manchester, UK) c.walter@umist.ac.uk

2 RSA 2002C.D. Walter, Computation Dept. UMIST2 Power Analysis Attacks With no counter-measures and the binary exp n alg m, averaging power traces at the same instants during several exp ns enables one to differentiate squares and multiplies and hence deduce the exponent bits. Averaging power traces over individual digit-by-digit products in a single exp n enables one to differentiate mutliplicands in m-ary exp n and hence deduce the exponent. Smartcards have limited scope for including expensive, tamper-resistant, hardware measures. Good software counter-measures are required: new algorithms as well as modifying arguments e.g. E to E+r  (M).

3 RSA 2002C.D. Walter, Computation Dept. UMIST3 Requirements for Exponentiation New algorithm, not new inputs, as single exp n may be attacked. Different pattern of Squares and Multiplies to frustrate averaging. No re-use of multiplicands (same reason) No fully determined tie between Square or Multiply and known process. Good time and space efficiency

4 RSA 2002C.D. Walter, Computation Dept. UMIST4 History T. S. Messerges, E.A. Dabbish & R.H. Sloan Power Analysis Attacks of Modular Exponentiation in SmartcardsCHES 99, LNCS 1717 E. Oswald & M. Aigner Randomized Addition-Subtraction Chains as a Countermeasure against Power Attacks CHES 2001, LNCS 2162 C. D. Walter Exponentiation using Division Chains IEEE TC 47, 1998, pp 757–765

5 RSA 2002C.D. Walter, Computation Dept. UMIST5 Binary Exp n Algorithm { To compute: ResultM = M E } StartM  M ; ResultM  1; While E > 0 do Begin If (E mod 2) = 1 then ResultM  StartM×ResultM ; StartM  StartM 2 ; E  E div 2 ; End ;

6 RSA 2002C.D. Walter, Computation Dept. UMIST6 The M IST Exp n Algorithm { To compute: ResultM = M E } StartM  M ; ResultM  1; While E > 0 do Begin Choose a random “divisor”D ; R  E mod D ; If R  0 then ResultM  StartM R × ResultM ; StartM  StartM D ; E  E div D ; { Invariant: M E.Init = StartM E × ResultM } End ;

7 RSA 2002C.D. Walter, Computation Dept. UMIST7 Addition Chains The main computational part of the loop is: If R  0 then ResultM  StartM R × ResultM ; StartM  StartM D ; To provide the required efficiency, a set of possible values for D are chosen so that an efficient addition chain for D contains R, e.g. 1+1=2, 2+1=3, 2+3=5 is an addition chain for D=5 suitable for when R = 0, 1, 2 or 3. Comparable to the m-ary method regarding time complexity

8 RSA 2002C.D. Walter, Computation Dept. UMIST8 Example Choose the set of divisors {2, 3, 5}. Consider E = 257 ED, RStartM StartM/TempM ResultM 2575, 2 1 1+1 = 2 0+2 = 2 1+2 = 3 3+2 = 5 513, 0 5 5+5 = 10 10+5 = 15 17 2, 1 15 15+2 = 17 15 + 15 = 30 82, 0 30 30 + 30 = 60 42, 0 60 60 + 60 = 120 22, 0120120+120 = 240 1240 240+17 = 257

9 RSA 2002C.D. Walter, Computation Dept. UMIST9 Choice of Divisor Set Security: Divisors must be chosen so that sequences of squares and multiplies do not reveal D. Efficiency: –Divisors must be chosen so that raising to the power D is (time) efficient enough. –Space is required to store addition chains. –As few registers as possible should be used for the exponentiation. Solution: Take the set of divisors {2,3,5}.

10 RSA 2002C.D. Walter, Computation Dept. UMIST10 Choice of Divisor Example choice: D := 0 ; If Random(x) < 7/8 then If (E mod 2) = 0 then D  2 else If (E mod 5) = 0 then D  5 else If (E mod 3) = 0 then D  3 ; If D = 0 then Begin p := Random(x) ; If p < 6/8 then D  2 else If p < 7/8 then D  3 else D  5 End ;

11 RSA 2002C.D. Walter, Computation Dept. UMIST11 Choice of Divisor –Choosing D when E  0 mod D is efficient because it avoids a multiplication by StartM R. –Choosing such D deterministically is unsafe, so they should not be chosen always. –Some pairs (D,R) require fewer multiplications than others per bit of reduction in the size of E. We should choose the more efficient ones more frequently. –The published paper gives some details on ordering them.

12 RSA 2002C.D. Walter, Computation Dept. UMIST12 A Markov Process Divisors affect the frequencies of residues E mod 30 (30 = LCM of divisor set): –Choice of divisors 3, 5 when E is odd multiple of 3 or 5 reduces frequency of even residues. –With the exceptions of 14 and 25, odd & even residues occur with probability > 1 / 30 and < 1 / 30 resp. –After several iterations, 3, 9, 11, 21, 29 are all three times more likely to occur than the least likely residue 16. We need to model this as a Markov process, looking at the limit probabilities of each residue mod 30.

13 RSA 2002C.D. Walter, Computation Dept. UMIST13 Probability of each (D,R) The matrix of probabilities of each output residue mod 30 for each input residue enables the limit probability of each residue to be computed. This gives the probabilities: –p D,R for each pair (D,R) –p D for each divisor D: p 2 = 0.621 p 3 = 0.234 p 5 = 0.145

14 RSA 2002C.D. Walter, Computation Dept. UMIST14 Av age Add n Chain Properties The probabilities of addition sub-chain lengths are: –length 1 is p 2,0 = 0.350 –length 2 is p 3,0 + p 2,1 = 0.460 –length 3 is p 5,0 + p 3,1 + p 3,2 = 0.143 –length 4 is p 5,1 + p 5,2 + p 5,3 + p 5,4 = 0.047 So average divisor sub-chain has length 1.887 mult s Av decrease in E is 2 p 2 3 p 3 5 p 5 = 2.512 per subchain So 0.75 log 2 E subchains & 1.42 log 2 E mult s This is faster than the binary exp n algorithm and marginally slower than 4-ary exp n

15 RSA 2002C.D. Walter, Computation Dept. UMIST15 Space Requirements There are 3 long integer registers: StartM, TempM, ResultM rather than the two for binary exp n. E can be fully processed before each exp n, giving 2 bits per divisor, about 1.5n bits for n bit E. If mult n instructions are determined in advance, 5 bits are needed for each, so about 7n bits to store (but these may be generated as required). The addition sub-chains for each pair (D,R) must be stored in ROM: under 256 bits for the table in the proceedings.

16 RSA 2002C.D. Walter, Computation Dept. UMIST16 Other Processing Apart from the long integer multiplicative operations, processing includes: Generation of random numbers: 3 3 / 5 bits per divisor, or 3n bits for exponents of n bits. Divisions of E by D: equivalent to a few long integer multiplications overall. With three registers rather than the two for the binary alg m, data movement is greater but still insignificant overall: at most one new value needs to be fetched from/ written to memory for each multiplication.

17 RSA 2002C.D. Walter, Computation Dept. UMIST17 Data Leakage M IST prevents the usual power trace averaging associated with power analysis attacks, but: The sequence of Squares and Mult s parses in too many ways to enable pairs (D,R) to be recovered: (2,1) & (3,0) are the same. Making deterministic choices for D is poor practice: they may provide a handle to distinguish between correct and incorrect keys. Processing of E and choosing of divisors must be well hidden: computing E div D may leak. It is much shorter than a long integer multiplication, so should leak much less. Don’t do it after processing the long integer mult s of the previous divisor.

18 RSA 2002C.D. Walter, Computation Dept. UMIST18 Conclusion A novel exponentiation algorithm has been presented for which random choices make averaging for DPA impossible. The speed is comparable to 4-ary exp n. The space requirements comparable. Areas of security concern have been narrowed.

Download ppt "M IST : An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis Colin D. Walter (Manchester, UK)"

Similar presentations

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
Models of Computation Prepared by John Reif, Ph.D. Distinguished Professor of Computer Science Duke University Analysis of Algorithms Week 1, Lecture 2.

Models of Computation Prepared by John Reif, Ph.D. Distinguished Professor of Computer Science Duke University Analysis of Algorithms Week 1, Lecture 2.
CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur.

CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur.
Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks JaeCheol Ha * and SangJae Moon ** * Korea Nazarene University **

Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks JaeCheol Ha * and SangJae Moon ** * Korea Nazarene University **
Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK www.co.umist.ac.uk.

Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Primality Testing) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Primality Testing) Prof. Dr. Th. Ottmann.
Public Key Cryptosystems - RSA Receiver Sender Eavesdroppe r 175753411947 p q p q p q p and q prime.

Public Key Cryptosystems - RSA Receiver Sender Eavesdroppe r p q p q p q p and q prime.
C ● O ● M ● O ● D ● O RESEARCH LAB Longer Keys may Facilitate Side Channel Attacks (Bradford, UK) Colin.

C ● O ● M ● O ● D ● O RESEARCH LAB Longer Keys may Facilitate Side Channel Attacks (Bradford, UK) Colin.
Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,

Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,
C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 CHES 2000 Data Integrity in Hardware for Modular Arithmetic Colin Walter Computation Department,

C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 CHES 2000 Data Integrity in Hardware for Modular Arithmetic Colin Walter Computation Department,
Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.

Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.

Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.
Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.

Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.
Hash Tables1 Part E Hash Tables   0 1 2 3 4 451-229-0004 981-101-0002 025-612-0001.

Hash Tables1 Part E Hash Tables  
UNIVERSITY OF MASSACHUSETTS Dept

UNIVERSITY OF MASSACHUSETTS Dept
Tirgul 7. Find an efficient implementation of a dynamic collection of elements with unique keys Supported Operations: Insert, Search and Delete. The keys.

Tirgul 7. Find an efficient implementation of a dynamic collection of elements with unique keys Supported Operations: Insert, Search and Delete. The keys.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.

Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.
Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Similar presentations

Ads by Google