Breaking the Liardet-Smart Randomized Exponentiation Algorithm


1 Breaking the Liardet-Smart Randomized Exponentiation Algorithm
Colin D. Walter. This is the PowerPoint presentation of my talk for Cardis 2002, San Jose, November 2002. The paper is published by the USENIX Association, Berkeley. Comodo Research Lab (Bradford, UK)

2 Power Analysis Attacks
With no counter-measures, the binary exponentiation algorithm, and a standard projective or affine representation for points, adds and doubles in ECC are easily distinguished using timing differences in a single power trace. This reveals the secret key.

Typical counter-measures include:
- selecting other representations or inserting dummy operations so that adds and doubles execute identical code;
- using m-ary exponentiation so that different digits use identical code;
- adding blinding to the key to prevent the averaging which reduces noise;
- randomising the key representation, also to prevent averaging.

The Liardet-Smart exponentiation algorithm is a counter-measure to power analysis attacks, pioneered by Kocher. What we need is a means of randomising the operations of a point multiplication so that they are different on every use of the secret key. Key blinding is one solution, but perhaps expensive in that it increases the key length, typically 160 or 192 bits, by a further 32 bits. Random key recoding is essentially free. Identical code for adds and doubles using the standard Weierstrass representation is given in: E. Brier & M. Joye, Weierstraß Elliptic Curves and Side-Channel Attacks, Public Key Cryptography, P. Paillier & D. Naccache (editors), Lecture Notes in Computer Science 2274, Springer-Verlag, 2002, 335–345. Here the adds and doubles contain field squares and field cubes respectively. Because these have different properties, they are potentially distinguishable using power analysis.

Liardet-Smart Exponentiation Algorithm. Colin D. Walter, Comodo Research Lab, Bradford, UK. Next Generation Digital Security Solutions

3 Recoding Overview
Decryption/Signing: Q = kP for a point P and secret key k. k is recoded right to left with random bases m_i and corresponding digits k_i:
k = ((...((k_n)m_(n–1) + k_(n–1))m_(n–2) + ...)m_1 + k_1)m_0 + k_0
kP is computed by processing the digits left to right:
kP = m_0(m_1(... m_(n–2)(m_(n–1)(k_nP) + k_(n–1)P) + ...) + k_1P) + k_0P
Here, only the values dP (1 ≤ d ≤ 2^(R–1), d odd) need pre-computing. The key is recoded, as described on the slide, by processing it from right to left, i.e. this is the order in which the random bases m_i and digits k_i are generated. To form kP, the digits are consumed in the opposite order, as in m-ary exponentiation, viz. left to right.

4 Liardet-Smart Recoding (CHES 2001)
While k > 0 do {
    If (k mod 2) = 0 then { m_i ← 2 ; k_i ← 0 ; }
    else { Choose base m_i ∈ {2^1, 2^2, ..., 2^R} randomly ; k_i ← k minmod m_i ; }
    k ← (k – k_i) / m_i ; i ← i + 1 ;
} ;
minmod returns the residue of least absolute value. Here is the precise algorithm. Note that base 2 is always chosen when an even digit would result, so the digits for all bases > 2 are odd. This saves on the pre-computed values dP which need to be stored. Also, the minmod means d only needs to go up to half the maximum base value. Negative values of d do not need pre-computing, as point subtractions are then used instead of point additions, at no extra cost.

5 Probability for each Base
The random choice of base need not choose m_i uniformly. Let p_j = the probability of selecting m_i = 2^j when k is odd, and p_0 = the probability of selecting m_i = 2 when k is even. To provide better efficiency, p_j should be increased for large j and decreased for small j, e.g. take p_j = 2^(j–R–1) (j > 1) and p_1 = p_2. For m = 2^R always, this becomes m-ary sliding windows, in which case there is one double and 1/(R+1) add per key bit. One can still change the properties of the algorithm simply by adjusting the frequency at which the various bases occur. The greatest efficiency occurs when m = 2^R is always chosen, giving m-ary sliding windows, for which there is one point double and 1/(R+1) point add per key bit. Square-and-multiply is the special case when R = 2.
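The recoding of slides 3 to 5, as an added Python example that is not from the paper or the slides. It implements the right-to-left recoding with minmod, recombines the digits to check the identity k = ((...)m_1 + k_1)m_0 + k_0, evaluates kP left to right with integers standing in for curve points (P = 1, so the result must equal k) while recording the word over {A, D}, and builds the biased distribution p_j = 2^(j–R–1), p_1 = p_2. All names (liardet_smart_recode, multiply_with_trace, AlwaysMaxBase, biased_probs, roundtrip_ok) are mine, and one modelling assumption, marked in the code, is that the table load of the top digit k_nP is written as a leading A so that a word is never empty.

```python
import random


class AlwaysMaxBase:
    """Assumed stand-in for random.Random that always picks the largest base:
    with it the recoding degenerates to 2^R-ary sliding windows (slide 5)."""

    def choices(self, population, weights=None, k=1):
        return [population[-1]]


def liardet_smart_recode(k, R, rng, probs=None):
    """Slide 4: recode k right to left into (base, digit) pairs, least
    significant digit first.  probs[j-1] is the probability of base 2^j when
    k is odd (uniform by default); even k always takes base 2 with digit 0."""
    if probs is None:
        probs = [1.0 / R] * R
    bases = [2 ** j for j in range(1, R + 1)]
    digits = []
    while k > 0:
        if k % 2 == 0:
            m, d = 2, 0
        else:
            m = rng.choices(bases, weights=probs)[0]
            d = k % m
            if d > m // 2:          # minmod: least absolute residue, |d| <= m/2
                d -= m
        digits.append((m, d))
        k = (k - d) // m            # exact division by construction
    return digits


def recombine(digits):
    """Slide 3: k = ((...((k_n)m_(n-1) + k_(n-1)) ...)m_1 + k_1)m_0 + k_0."""
    k = 0
    for m, d in reversed(digits):
        k = k * m + d
    return k


def multiply_with_trace(digits, P=1):
    """Slide 3, left to right: kP = m_0(m_1(...(k_nP) + k_(n-1)P ...) + k_1P) + k_0P.
    Integers stand in for points, so with P = 1 the result equals k.  Returns
    (result, word over {A, D}).  Modelling assumption: the table load of k_nP
    is written as a leading 'A'; every doubling is a 'D' and every non-zero
    digit's add (a subtraction for a negative digit) is an 'A'."""
    if not digits:
        return 0, ""
    _, k_top = digits[-1]           # the base paired with the top digit is never used
    Q, ops = k_top * P, ["A"]
    for m, d in reversed(digits[:-1]):
        for _ in range(m.bit_length() - 1):   # log2(m) doublings
            Q *= 2
            ops.append("D")
        if d != 0:
            Q += d * P
            ops.append("A")
    return Q, "".join(ops)


def precomputed_multiples(R):
    """Slide 4: the odd d with 1 <= d <= 2^(R-1) whose multiples dP are stored."""
    return list(range(1, 2 ** (R - 1) + 1, 2))


def biased_probs(R):
    """Slide 5: p_j = 2^(j-R-1) for j > 1 and p_1 = p_2, indexed p_1..p_R."""
    probs = [2.0 ** (j - R - 1) for j in range(1, R + 1)]
    if R > 1:
        probs[0] = probs[1]
    return probs


def roundtrip_ok(k, R, seed, probs=None):
    """Self-check: recode k with a seeded generator, then recombine, evaluate,
    and confirm that every digit for a base above 2 is odd and in range."""
    digits = liardet_smart_recode(k, R, random.Random(seed), probs)
    result, _ = multiply_with_trace(digits)
    in_range = all(d % 2 == 1 and abs(d) <= 2 ** (R - 1) - 1
                   for m, d in digits if m > 2)
    return recombine(digits) == k and result == k and in_range


if __name__ == "__main__":
    rng = random.Random(2002)                   # fixed seed for reproducibility
    for k in (13, 12, 37):
        digits = liardet_smart_recode(k, 3, rng, biased_probs(3))
        print(k, digits, multiply_with_trace(digits))
```

With AlwaysMaxBase and R = 2 the key 13 recodes to (4, 1), (4, –1), (4, 1) and yields the word ADDADDA, while 12 yields ADDADD; the two trailing Ds are the base-2 digits 0 of the even key, which is the pattern the lemma on slide 8 relies on.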

6 Assumptions
Key blinding adds to the cost in ECC: typically adding 32 bits to a 160- or 192-bit key. So assume the key is unblinded and used repeatedly. Assume also that adds and doubles can (usually) be distinguished in a single power or EM trace. So we can process traces into words over the alphabet {A, D}.

7 Notation
Traces and digits will both have the most significant digits on the left, as usual. The position of a specific instance of a character A or D in a trace is the number of Ds to its right. (–1)404 yields the trace ...DADDDADD, where the last A has position 2 and the last D position 0. This is the usual indexing of digits when viewed in base 2.

8 The Least Significant Digit
The digits are recovered in order from right to left. W.l.o.g. we just need to show: i) how to recover the least significant digit, ii) how to derive a trace set for the next digit.
Lemma: For any trace, if i is chosen so that AD^i is the suffix, then k is exactly divisible by 2^i.
Proof: The last occurrence of A defines i uniquely. It corresponds to an odd digit. The i subsequent Ds correspond to base 2 for even k. So k = 2^i × odd. If i ≥ 1 then m_0 = 2 and k_0 = 0.

9 Odd Least Significant Digits
Theorem: Let k be odd. Suppose j (1 ≤ j ≤ R+1) is such that the set Tr of traces has no trace with suffix AD^iA for any i < j. Then k ≡ 1 mod 2^j with probability Π_{1≤i≤j–1} (1 + (1–p_i')^|Tr|)^(–1) for p_j' = p_0 + p_1 + ... + p_j. Observe that this tends to 1 as |Tr| increases.
Proof: Use induction on j. The case j = 1 is trivial. Assume the stated case for j holds. We need to establish it for j+1. We must distinguish k ≡ 1 mod 2^(j+1) from k ≡ 1+2^j mod 2^(j+1).

10 The Least Significant Digit
Assume k ≡ 1 mod 2^(j+1). Select a trace. If base m_0 ≥ 2^(j+1) then the trace has suffix D^(j+1)A. If base m_0 < 2^(j+1) then the last odd digit is preceded by enough occurrences of base 2 with digit 0 to give suffix D^(j+1)A. So D^(j+1)A always occurs, i.e. there are no suffixes AD^iA for i < j+1.
Assume k ≡ 2^j+1 mod 2^(j+1). Select a trace. If base m_0 ≥ 2^(j+1) then the trace has suffix D^(j+1)A. If base m_0 < 2^(j+1) then k_0 = 1 and the suffix is AD^jA. So the suffix AD^jA occurs with probability p_j' = p_0 + p_1 + ... + p_j.
Thus no AD^jA in any trace means k ≡ 1 mod 2^(j+1) with probability (1 + (1–p_j')^|Tr|)^(–1) (given k ≡ 1 mod 2^j). QED ■

11 The Best Congruence
Theorem: Let k be odd. Suppose j (1 ≤ j ≤ R+1) is minimal such that the set Tr of traces contains a trace with suffix AD^jA. Then k ≡ 2^j+1 mod 2^(j+1) with probability Π_{1≤i≤j–1} (1 + (1–p_i')^|Tr|)^(–1). Observe again that this tends to 1 as |Tr| increases.
Proof: By the previous theorem, k ≡ 1 mod 2^j with the stated probability. Then, since AD^jA occurs, we must have k ≡ 2^j+1 mod 2^(j+1). ■
Now we know the residue of k modulo some power of 2 with reasonable certainty if |Tr| is large enough.

12 Subsets of Traces
To obtain the intermediate digits, we just need to remove the trace suffixes which correspond to less significant digits. Define Tr_i to be the subset of Tr obtained by removing the suffixes to the right of the D with position i. So Tr_0 = Tr. Let Tr_i^A (resp. Tr_i^D) be the subset of Tr_i consisting of traces which terminate in A (resp. D). Note that Tr_i^A has had suffixes removed which correspond to whole digits. This may not be true for Tr_i^D.

13 Subsets of Traces
Question: For fixed i, do all the traces in Tr_i, Tr_i^A or Tr_i^D correspond to the same key? Assume each sub-trace in the chosen set represents a whole number of digits (so all the As and Ds of the last digit are included). Put m_s = 2^i, k_s = k mod m_s and k_p = k div m_s. Then the traces correspond to k_p or k_p+1, because the deleted suffix digits must represent k_s or k_s–m_s. Note that traces in Tr_i^A must be generated by odd keys, because of the final A. So they must all represent the same key.

14 Recovering all the Digits
For every i for which there is an A at position i, we can form Tr_i^A and use the theorems to deduce the bottom digit of the key which the traces represent. We need to know whether k_p or k_p+1 occurs: clearly, it is determined by the sign of the most significant of the deleted digits (k_p+1 for a negative digit). Take the minimal j ≤ R such that Tr contains a trace with suffix AD^jA. So k ≡ 1 mod 2^j. Take m_0 = 2^j, so k_0 = 1. Then Tr_j^A represents k_p = k div m_0. Repeat for the other digits. Notes: i) such a j may not exist; ii) Tr_j^A does not get smaller as j increases.

15 The Missing Case
Suppose no such j ≤ R exists, i.e. every trace in Tr ends D^(R+1)A. Then k ≡ 1 mod 2^(R+1) (almost certainly). So every base choice gives k_0 = 1 and some cases of m_i = 2 and k_i = 0 until k_p = k div 2^R is obtained. So each trace of (Tr_0^A)_R represents the even k_p. Next choose m_0 = 2 and k_0 = 0 for k_p and repeat with the resulting new k_p until there is a trace ending with A, when the previous cases apply. A complete representation of k is eventually obtained this way.
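The lemma and theorems of slides 8 to 11 and the digit-recovery procedure of slides 12 to 15, as an added Python simulation that is not from the paper or the slides. The three trace words are a constructed sample worked out by hand for k = 37 with R = 3 (bases 2, 4, 8) under the recoding of slide 4; as a modelling assumption, the table load of the top digit is written as a leading A. Tr_i is implemented by my reading of slide 12: keep the characters whose position is at least i. All function names are mine. Running recover_key on the full set returns 37; running it on the first word alone returns a wrong key, which is exactly the failure that the factor Π(1 + (1 – p_i')^|Tr|)^(–1) on slides 9 and 11 accounts for when |Tr| is small.

```python
# Constructed sample (not from the paper): three trace words worked out by hand
# for the key k = 37 with R = 3 (bases 2, 4, 8) under the recoding on slide 4,
# with the table load of the top digit written as a leading 'A'.  The base
# choices behind them: m_0 = 8 (k_0 = -3); m_0 = 4 or 2 (k_0 = 1).
TRACES_K37 = ["ADDDADDDA", "ADDDADDA", "ADDADDDA"]


def position(trace, idx):
    """Slide 7: the position of trace[idx] is the number of Ds to its right."""
    return trace[idx + 1:].count("D")


def trailing_power_of_two(trace):
    """Lemma, slide 8: suffix A D^i means 2^i exactly divides the key.
    Returns i, or None when the word contains no A."""
    if "A" not in trace:
        return None
    return len(trace) - 1 - trace.rindex("A")


def min_j_with_suffix_ADjA(traces, R):
    """Slides 9-11: the smallest j in 1..R such that some trace ends in A D^j A,
    or None when no such suffix occurs (the missing case of slide 15)."""
    for j in range(1, R + 1):
        suffix = "A" + "D" * j + "A"
        if any(t.endswith(suffix) for t in traces):
            return j
    return None


def congruence(traces, R):
    """Residue class (r, modulus) implied for an odd key by its trace set."""
    j = min_j_with_suffix_ADjA(traces, R)
    if j is None:
        return 1, 2 ** (R + 1)            # slide 15: k = 1 mod 2^(R+1)
    return 2 ** j + 1, 2 ** (j + 1)       # slide 11: k = 2^j + 1 mod 2^(j+1)


def theorem_confidence(p_primes, n_traces, j):
    """Slides 9 and 11: product over 1 <= i <= j-1 of (1 + (1 - p_i')^|Tr|)^-1,
    with p_primes[i-1] = p_i'.  Tends to 1 as n_traces grows."""
    prob = 1.0
    for i in range(1, j):
        prob /= 1.0 + (1.0 - p_primes[i - 1]) ** n_traces
    return prob


def truncate(trace, i):
    """Tr_i, slide 12, as read here: keep the prefix of characters whose position
    is at least i, which drops the operations of the bottom i bits."""
    return "".join(c for idx, c in enumerate(trace) if position(trace, idx) >= i)


def recover_key(traces, R):
    """Slides 14-15: rebuild the key right to left from one key's trace set.
    Each round fixes the next digit and replaces the set by Tr_i^A (or, in the
    even and missing cases, by the truncated traces themselves)."""
    traces = [t for t in traces if t]
    k, weight = 0, 1
    while traces:
        ends_in_a = [t.endswith("A") for t in traces]
        if not any(ends_in_a):                  # all end in D: even key, m = 2, digit 0
            traces = [t[:-1] for t in traces]
            weight *= 2
        elif all(ends_in_a):                    # odd key: digit 1 with base 2^i
            j = min_j_with_suffix_ADjA(traces, R)
            i = R if j is None else j           # missing case: base 2^R leaves an even k_p
            k += weight
            weight *= 2 ** i
            traces = [truncate(t, i) for t in traces]
            if j is not None:                   # Tr_j^A: keep only whole-digit prefixes
                traces = [t for t in traces if t.endswith("A")]
        else:
            raise ValueError("trace set mixes odd and even keys")
        traces = [t for t in traces if t]
    return k


if __name__ == "__main__":
    print(congruence(TRACES_K37, 3), recover_key(TRACES_K37, 3))
    print(recover_key(TRACES_K37[:1], 3))       # a single trace: the inference goes wrong
```

The single-trace run picks j = 3 from the suffix ADDDA of the first word, because the word generated with m_0 = 4 (suffix ADDA, j = 2) is absent from the set; the full set contains it and the minimal j is then 2, giving k ≡ 5 mod 8 as 37 requires.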

16 Feasibility
Will errors increase as digits are generated right to left? Digits are obtained independently for each i for which Tr_i^A is not empty, and these sets are approximately equal in size for each i. So the probability of an error is roughly the same for every digit. Knowledge of the p_i i) reveals the probability of A occurring in a trace, ii) enables |Tr_j^A| to be estimated, and so iii) gives a lower bound on the probability of an error in the digit at that point. For a uniform distribution of base choices, we have about 2|Tr|/(R+3) traces in the sets of interest.

17 Main Theorems
THEOREM: For a uniform distribution of base choices, the key k can be recovered with probability > (1+ρ^π)^(–n), where n = log_2 k, ρ = 1–R^(–1) and π = 2|Tr|/(R+3).
Corollary: For uniformly chosen bases ≤ 8 and keys of 192 bits, only 9 traces are required to break the Liardet-Smart algorithm using O(2^32) work.
We assumed the same unblinded key throughout and perfect interpretation of traces as words over {A, D}.

18 Counter-Measures
Clearly, key blinding will defeat the attack; for a lifetime bounded by 2^16, blinding bits should suffice. Code might be adjusted to perform the add every time, but this is very expensive. Code could be improved to minimise the differences between adds and doubles. Biasing base choices to favour larger values increases attack costs. In the limit, 2^R-ary exponentiation is not susceptible to the attack. Note that not all patterns were used, and so the probabilities were lower bounds. Hence the attack may work with fewer traces.

19 Conclusion
New counter-measures to DPA and DEMA need to be evaluated carefully; they may only have value in conjunction with other measures. The Liardet-Smart randomised exponentiation algorithm is susceptible to attack outside a well-defined context. For repeated re-use of a decryption key, standard key blinding and equalised code are recommended to prevent the attack described here.

