1. Some Security Aspects of the Randomized Exponentiation Algorithm
MIST
Colin D. Walter
Earlier talks at the conference have covered the principles of differential power analysis (DPA) and differential electro-magnetic anaylsis (DEMA) – and side channel leakage in general. I will assume these basics are now familiar to the audience. The published paper contains several references for those for whom this is not familiar territory.
DPA and/or DEMA can be used to break most exponentiation algorithms. So there is a strong need for fresh ideas about exponentiation. Randomising the input and keys is straight-forward, but may be insufficient against the more knowledgeable and beter funded adversary. At CHES 2001, I showed how DPA or DEMA might break a single instance of sliding windows exponentiation. It appears, therefore, that randomised algorithms are required, not just randomised inputs, in order to secure the secret exponent against discovery using DPA/DEMA.
At RSA 2002 in Feb (LNCS 2271), I presented one such algorithm, called MIST, which is suitable for RSA since no inverses have to be calculated. Efficiency aspects of it were considered there: it is comparable in time and space usage to 4-ary exponentiation. Here we will look at some aspects of its security. Does it provide the protection against DPA/DEMA that is desired?
I am Colin Walter. I recently moved job to become head of cryptography at Comodo Research Labs in Bradford, UK, which makes security products both S/W and H/W: see its web site for product details. The recently launched Trust Tool Bar is the most well known of these. Comodo actually owns the patent rights for the MIST algorithm described here and will license its use to other companies. Do contact me if you are interested the algorithm or in joining the crypto team here.
(Bradford, UK)

2. Power Analysis Attacks
With no counter-measures and the binary expn algm, averaging power traces at the same instants during several expns enables one to differentiate squares and multiplies and hence deduce the exponent bits (Kocher).
Averaging power traces over individual digit-by-digit products in a single expn enables one to differentiate multiplicands in m-ary expn and hence deduce the exponent (CHES 2001).
Smartcards have limited scope for including expensive, tamper-resistant, hardware measures.
Good software counter-measures are required: new algorithms as well as modifying arguments e.g. D to D+r(N).
We can average a number of power traces which have the same sequence of squares and multiplies to reduce noise and expose the data dependent aspects: squares can be distinguished from multiplies by, for example, the different number of conditional modular subtractions, or the different number of arguments fetched from memory, etc.
This can be defeated by changing the exponent on each occasion: D to D+r(N) for random r where D is the secret exponent and N the modulus. Then a different pattern of squares and multiplies is obtained very time the random r is changed. However, this is no protection if a single exponentiation can be attacked successfully by reading the pattern.
At CHES 2001, I showed that it might be possible to recognise repeated re-use of multiplicands by averaging over the digit-by-digit computations in each long integer multiplicative operation. This would break a single exponentiation using the binary, m-ary or sliding windows algorithms. Hence new algorithms are required.
Scope for hardware counter-measures is limited, although as technology has shrunk, chip manufacturers have now been able to include Faraday cages to reduce EMR. Anyway, one should not rely on a single line of defence.
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm

3. m-ary Expn (Reversed) { To compute: P = CD } Q  C ; P  1 ;
While D > 0 do
Begin
d  D mod m ;
If d  0 then
P  Qd × P ;
Q  Qm ;
D  D div m ;
{ Invariant: CD.Init = QD × P }
End
Here is m-ary exponentiation for a representation of exponent D with base m, but reversed to read the digits of D in the reverse of the usual order, i.e. from right to left. Successive values of d are the digits base m from least to most significant.
This direction for processing digits is not used in practice, except for m = 2, because of the cost of computing Qd in each loop iteration. For the opposite order, these powers can be pre-computed and stored.
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm

4. The MIST Expn Algorithm
{ To compute: P = CD }
Q  C ;
P  1 ;
While D > 0 do
Begin
d  D mod m ;
If d  0 then
P  Qd × P ;
Q  Qm ;
D  D div m ;
{ Invariant: CD.Init = QD × P }
End
Choose a random base m, e.g. from {2,3,5} ;
All that MIST does, having set things up this way, is to choose m randomly in each loop, usually from a pre-determined set for which the computation of Qd is cheap. So one might reasonable call this
random-ary exponentiation.
Historically, m is called a divisor, and the sequence of pairs (m,d) a division chain for D. This is the notation of the paper in the proceedings. Here, I have re-cast it in the traditional notation of cryptography and exponentiation. I hope the choice and mixture of notation is not confusing.
Generally, m is selected from a small set, such as {2,3,5}, with known security strength and for which additional data has been pre-calculated.
As before, P accumulates the partial product and eventually contains the input base C raised to the power D. Q now contains C raised to the power of the product of the previous values of m. D contains the unprocessed part of the initial exponent, which is its initial value divided by the product of the previous values of m.
It is easy to prove the correctness of the algorithm: see the IEEE TC paper or the CT-RSA 2002 paper. It requires establishing the loop invariant. As can be seen from it, D really does contain the unprocessed part of its initial value D.Init.
Making a random choice for m at each loop iteration provides a different exponentiation scheme for each exponentiation.
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm

5. Randomary Exponentiation
The main computational part of the loop is: If d  0 then P  Qd × P ; Q  Qm
To provide the required efficiency, a set of possible values for m are chosen so that an efficient addition chain for m contains d, e.g.
1+1=2, 2+1=3, 2+3=5 is an addition chain for base m=5 suitable for digits d = 0, 1, 2 or 3.
Comparable to the 4-ary method regarding time complexity.
The main problem with this algorithm is the expense of computing both Qd and Qm. These are not done sequentially and independently as implied by the above code: an addition chain for computing Qm is selected to guarantee that Qd is computed en route, so that it comes for free.
Consequently, like the m-ary method of exponentiation, all the work required is contained in raising something to the power m (equivalent to the squarings of the binary method) and the extra multiplication corresponding to the exponent digit d when it is non-zero.
Since repeatedly raising to the power 2 provides the highest power for the fewest multiplications, it is not clear that this method will out-perform the standard binary algorithm.
However, taking m = 2 always is just one of the normal, efficient, square-and-multiply methods. If we frequently pick other ms for which d = 0, then we save a multiplication. This over-compensates for the extra cost of raising to the power m. As a result, the method becomes about as efficient as 4-ary exponentiation.
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm

6. Running Example Fix the base set = {2, 3, 5}. Consider D = 235
D m, d Q (before) Qd Qm P (after)
235 3, C 1 C 1 C 3 C 1
78 2, C C 6 C 1
39 5, C 6 C 24 C C1×C24 = C 25
7 2, C 30 C 30 C C25×C30 = C 55
3 3, C C C 55
1 2, C 180 C 180 C C55×C180 = C 235
Here is an example of the algorithm for computing C235.
Each value of D introduces a new loop iteration in the algorithm, with a fresh random base m and the digit d = (D mod m). The values of D drop by a factor m down the column. On the other hand, the values of Q and P increase. They show the powers of C that are computed in the two registers at each point: Q contains C raised to a power equal to the product of all choices of m up to that point; P contains the product of all the Qd values.
The example uses 8 multiplications to create C180 and just 3 more to create the final P. Thus 11 long integer multiplicative operations are performed in total – similar to the 1.5×log2235 ≈ 10.5 expected from the binary method.
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm

7. Choice of Base Set
Security: Bases must be chosen so that sequences of squares & multiplies or opd sharing do not reveal m.
Efficiency:
Bases m must be chosen so that raising to the power m is (time) efficient enough.
Space is required to store addition chains.
As few registers as possible should be used for the exponentiation.
One Solution: Take the set of bases {2,3,5}.
As noted earlier, there are two main problems to solve: one is efficiency, the other is security.
The pattern of squares and multiplies must not reveal the exponent. If we were to choose just {2} as the base set from which each m must be chosen, then we would obtain the usual right-to-left binary algorithm and the sequence of squares and multiplies would yield the exponent directly. This is insecure.
We need at least two or more bases to provide the choice necessary to enable different addition chains to be generated. In this regard, the more the merrier. However, a large base may have a distinctive pattern for raising to the power m, so that it can be recognised. Hence small bases are better.
The study of how sequences of squares and multiplies can reveal the exponent is both fascinating and extensive. There was insufficient space in the CT-RSA 2002 paper to cover this important topic. We are going to look at it now.
For efficiency, 2 and numbers of the form 2n+1 are the most desirable choices for m. {2,3,5} turns out to be a good choice for further investigation. With a fixed set of bases to choose from, the addition sub-chains for raising to the powers m and d can be pre-determined to maximise efficiency and security. Other choices of m would need such details to be computed dynamically, and this would probably make the process too inefficient for intended applications and perhaps insecure.
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm

8. Choice of Base Example algorithm (see CT-RSA 2002 paper): m  0 ;
If Random(8) < 7 then
If (D mod 2) = 0 then m  2 else
If (D mod 5) = 0 then m  5 else
If (D mod 3) = 0 then m  3 ;
If m = 0 then
Begin
p  Random(8) ;
If p < 6 then m  2 else
If p < 7 then m  5 else
m  3
End
How do we select m randomly to provide an efficient exponentiation scheme?
Efficiency is still a problem. With the base 3 we need two multiplications to raise to the power 3, and in 2 out of 3 cases an extra multiplication to update P. So we have, on average 22/3rds multiplications for a reduction in the exponent by a factor close to 3. This means almost 2n multiplicative operations for an exponent of n bits. This is much less efficient than base 2 which requires an average of 3n/2 multiplicative operations. Similarly base 5 is inefficient, though not quite by as much. Hence our worries that the method might be too inefficient.
Thus we may wish to bias the choice of base. When the digit d is 0 we save a multiplication, so this would make an efficient preference. Hence, in most cases (7 out of 8, say) we select such a base, choosing the most efficient 2 in preference to the next most efficient, namely 5, and the least efficient 3 last. As multiples of 3 and 5 are reasonably frequent, we save over the binary algorithm’s choice of 2 when D is odd. (Here Random(n) returns a random integer in the range 0..n–1).
If a zero digit is not possible, we again order and bias the choice of bases towards efficiency. Surprisingly, 2 is still the most efficient choice, although it requires the most multiplications for the number of bits it removes from the exponent. This apparent contradiction arises from the fact that, when combined with an average number of multiplications to obtain the bit reduction given by 3 or 5, it is actually better than either.
The choice of m given here requires about 1.42n multiplications. Counter-intuitively, this is better than the binary algorithm.
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm

9. Probability of (m,d) Define probabilities: Then:
pi = prob(D≡i mod 30) pm|i = prob(choosing m given D≡i mod 30)
Then:
pm = i mod 30 pi pm|i is prob of base m
pm,d = id mod 30 pi pm|i is prob of pair (m,d)
For the base selection process above: p2 = p3 = p5 = 0.142
The algorithm for choosing m disturbs the relative probabilities of D mod 30 so that they are no longer uniform: for example choosing exact divisors frequently biases the digits so that those prime to 30 become more likely.
This defines a Markov process with one state for each residue mod 2×3×5 = 30, and transition probabilities as given in the algorithm for choosing m. The limiting probabilities pi for each state are easily found.
The probabilities of pm and pm,d have the formulae given, and so are easily calculated.
They enable one to find average properties of the division chain, such as how many multiplications are involved. We need such values later to estimate how big the search space is for D.
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm

10. Addition Sub-Chains
Let (ijk) mean: multiply contents at addresses i and j and write result to address k.
Use 1 for location of Q, 2 for temporary register, 3 for P:
(111) for (m,d) = (2,0)
(112, 133) for (m,d) = (2,1)
(112, 121) for (m,d) = (3,0)
(112, 133, 121) for (m,d) = (3,1)
(112, 233, 121) for (m,d) = (3,2)
(112, 121, 121) for (m,d) = (5,0)
(112, 133, 121, 121) for (m,d) = (5,1)
(112, 233, 121, 121) for (m,d) = (5,2)
(112, 121, 133, 121) for (m,d) = (5,3)
(112, 222, 233, 121) for (m,d) = (5,4)
For the security study, we need to decide on the choice of addition sub-chains. This requires some notation.
Let ijk stand for the instruction to multiply the contents of registers i and j together and write the result to register k. Then, assuming Q is in register 1, register 2 is for temporary storage, and P is in register 3, the slide shows what instructions to perform to update P and Q as desired. In some cases, this may result in writing to a different register than the preferred one. For example, with (2,1), register 2 contains Q after the sub-chain is executed. This change of purpose for the registers just needs to be recorded so that the sub-chain can be modified appropriately before use.
Note that squares have the form (iij). Each sub-chain starts with a square and there are no other squares except in the case of (5,4).
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm

11. S&M Sequences
Assume an attacker can distinguish Squares and Multiplies from a single exponentiation (e.g. from Hamming weights of arguments deduced from power variation on bus.)
A division chain is the list of pairs (m,d) used in an expn scheme. It determines the addition chain to be used, and hence the sequence of squares and multiplies which occur:
(2,0) S (2,1), (3,0) SM (3,1), (3,2), (5,0) SMM (5,1), (5,2), (5,3) SMMM (5,4) SSMM
Base sub-chain boundaries are deduced from occurrences of S except for ambiguity between (5,4) and (2,0)(3,x) or (2,0)(5,0).
Initial power analysis attacks noted that squares and multiplies behaved differently, and so could be identified in a power trace. This enables the binary algorithm to be cracked: each multiplication corresponds to a 1 bit in the exponent.
Our initial attack scenario therefore assumes that squares and multiplications can be distinguished. The attacker, however, has no knowledge of I/O: that should be properly blinded. Thus, he must recover the exponent using only knowledge of the sequence of squares and multiplies. We will call this sequence an S&M chain.
As the division chain (i.e. the base/digit sequence) is different for every exponentiation, the attacker must derive the S&M chain from a single exponentiation. This is harder than in the original attacks where many power traces were averaged to improve the signal-to-noise ratio.
Then he must recover the digit sequence from the S&M chain, using the table of possibilities for (m,d) on the slide. This determines the exponent D uniquely in the usual way as when m is fixed. (The example on slide 6 shows how D can be determined.)
The first problem is to parse the S&M chain into sub-chains corresponding to the bases. Each sub-chain commences with an S, and there are no other occurrences of S except in the sub-chain SSMM for (5,4). Hence the sub-chain boundaries are all determined except for an ambiguity that SSMM may represent one or two sub-chains.
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm

12. Running Example 235 (3,1) S(M)M (3,1), (3,2), (5,0) 78 (2,0) S (2,0)
D (m,d) S&M subchain Interpretations
235 (3,1) S(M)M (3,1), (3,2), (5,0)
78 (2,0) S (2,0)
39 (5,4) SSMM (5,4), (2,0)(3,1),
(2,0)(3,2), (2,0)(5,0)
7 (2,1) SM (2,1), (3,0)
3 (3,0) SM (2,1), (3,0)
1 (2,1) (S)M (2,1)
Result: SM.S.SSMM.SM.SM.M with = 48 choices.
(Modifications for end conditions: e.g. the initial M and final S are superfluous.)
Here again is the example of computing C235.
The pattern SMM.S.S.SMM.SM.SM.SM is partitioned before every occurrence of S.
(3,1), (3,2) and (5,0) all have pattern SMM, so one of these is the value for the first base/digit pair.
(2,0) is the only possibility for the next S.
Then SSMM may represent one subchain for (5,4) or two subchains for (2,0) followed by (3,1), (3,2) or (5,0).
The last three SMs may each correspond to (2,1) or (3,0).
In fact, the last digit must be non-zero, and so one possibility must be removed.
This leaves 48 choices in all for D.
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm

13. Exponent Choices There is/are: 1 way to interpret S
2 ways to interpret SM
3 ways to interpret SMM with preceding M
4 ways to interpret SMM with preceding S
4 ways to interpret SMMM
The probabilities of the sub-chains can be calculated: pS = prob(S) = p2,0 ; pSM = p2,1+p3,0 ; pSMM = etc.
So average number of choices to interpret a sub-chain is p'S 2p'SM 3p'MSMM 4p'SSMM 4p'SMMM ≈ where ' is the modification due to parsing SSMM into S.SMM always.
Parse the S&M sequence into minimal sub-chains, i.e. one sub-chain for each occurrence of S, so always parse SSMM as S then SMM. Then look at the number of ways of interpreting them: 1 for S, 2 for SM, etc.
SMM is interesting: there are two cases depending on whether S is preceded by S or M: the former case allows an extra interpretation – 4 instead of 3 possibilities.
Then the number of ways of reconstructing an average minimal sub-chain can be computed, and it turns out to be about
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm

14. S&M Theorem
There are on average log2D occurrences of S per addition chain, so log2D = D exponents which can generate the same S&M sequence.
THEOREM : The search space for exponents with the same S&M sequence as D has size approx D3/5.
For 4-ary expn, it is much easier to average traces, easier to be certain of the S&M sequence, and the search space is only D7/18 – which is smaller.
Both are computationally infeasible searches.
Raising this to the power of the average number of minimal sub-chains (i.e. digits) gives the total number of exponents D which can generate the same S&M pattern, namely approx D3/5.
For MIST, the S&M sequence must be determined from a single exponentiation whether or not there is exponent blinding. However, for 4-ary exponentiation, one can average many exponentiations when there is no blinding. So the S&M sequence can be determined with at least the same accuracy for 4-ary exponentiation; in fact, always having 2 successive squares helps with error detection and correction.
The paper doesn’t show how big a search space 4-ary exponentiation has, so here’s a derivation. Suppose 4-ary sliding windows are employed. Then multiplication involves exponent digits 1 and 3 only. If 2 is detected, a single square is done. Overall, reading the exponent from left to right with variable sliding window, digits 112 and 102 appear with probability 1/5 each, digits 012 and 002 appear with probability 3/10 each. 002 leads to two squares using both exponent bits and a random choice for the next digit in those 3/10 of cases and 112 lead to two squares and a multiplication which also uses up both exponent bits, and leads to the next digit being random in another 3/10+1/5 = 1/2 of cases. 102 leads to a single square and multiply, using only the initial exponent bit 1, leading to the next digit being bit 0 followed by a random bit in 1/5 of cases. So the next digit has probability 1/5 + (3/10+1/2)/2 = 3/5 of beginning with a 0, as we initially assumed. On average, each such step has probability 1/2+1/5 = 7/10 of a multiplication, and uses up 2*(3/10+1/2)+1*(1/5) = 9/5 bits of D. So there are about 7/10*5/9*log2D = 7/18*log2D mults for D, and there are two choices for each of these.
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm

15. Operand Re-Use
From its location, address, power use in multn or Hamming weight, it may be possible to identify re-use of operands. Assume we know when operands are equal, but nothing more.
since only squares have equal operands, this means the S&M sequence can be recovered.
for classical m-ary & sliding windows expn, there is a fixed pre-computed multiplicand for each expt digit value, so the secret exponent can be reconstructed uniquely.
MIST operand sharing leaves ambiguities:
(2,1) and (3,0) have the same operand sharing pattern and both are common: pSM =
At CHES 2001 I showed how it was at least theoretically possible to distinguish different multiplicands and identify equal multiplicands from a single exponentiation. This was done by observing the gate switching activity in a multiplier simulation. We should assume that techniques for monitoring power and EMR may improve sufficiently for this to be possible. Alternatively, power use when the operand is sent along the bus may reveal the Hamming weight, and hence also identify re-use of the same operand. Yet again, EMR from a register being accessed may differ from EMR from a non-accessed register, so that the location reveals the operand being selected.
In the case of the standard algorithms - binary, m-ary and sliding windows - this knowledge is instantly fatal. There are m/2 pre-computed powers of the input which are repeatedly re-used in every multiplication according to the value of the odd digit base m of the exponent. So, as in the binary case, the exponent digits can be read off from the list of operands used.
With MIST, operand sharing knowledge is much harder to obtain: it must be done accurately from a single exponentiation, and each operand is used at most 3 times.
As squares have equal operands and multiplications don’t, operand sharing enables the S&M sequence to be recovered. The division chain is recovered as before but with fewer ambiguities: most choices before are resolved by observing the different patterns of operand sharing, only (2,1) and (3,0) remain with identical patterns. However, their designed high frequency means a large search space still remains.
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm

16. Running Example 235 (3,1) (3,1) 78 (2,0) (2,0) 39 (5,4) (5,4)
D (m,d) Op Sharing Interpretations
235 (3,1) (3,1)
78 (2,0) (2,0)
39 (5,4) (5,4)
7 (2,1) (2,1), (3,0)
3 (3,0) (2,1), (3,0)
1 (2,1) (2,1)
Result: 22 = 4 choices.
( Modifications for end conditions: e.g. the most significant digit d is non-zero.)
Here again is the example for computing C235.
The previous 48 choices have been reduced to just 4.
Slide 10 contains the actual sub-chains used, from which the operand sharing patterns can be extracted. These are given in the paper. It is then apparent that (3,1), (3,2) and (5,0), for example, have different operand sharing patterns, and so can be distinguished. Thus the first pair (m,d) is correctly determined. Others follow likewise, except for the ambiguity between (2,1) and (3,0).
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm

17. Operand Re-Use Theorem
With similar working to the S&M case: THEOREM : For MIST, the search space for exponents with the same operand sharing sequence as D has size approx D1/3.
The search space for m-ary expn has size D0.
There are several necessary boring technicalities to ensure mathematical rigour – skip sections 4 and 5 in the paper!
Since almost half of base choices give (2,1) or (3,0), (probability 0.458), the number of matching digit sequences is around D1/3. This can be established in the same way as the counting process for the S&M search space. Essentially every choice leads to a different exponent: although there is some minimal amount of duplication of reconstructed exponents, there is no obvious way to save much work from deleting duplicates.
In comparison, operand sharing knowledge for m-ary exponentiation reveals the exponent entirely: equal operands means equal exponent digits.
There are several boring technicalities to establish this with reasonable mathematical rigour. Some is given in the paper, some is easy but omitted, and the rest (such as inter-dependence of successive bases) is easiest to quantify experimentally.
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm

18. Difficulties?
The above requires correct identification of opd sharing first (operands are never used more than 3 times)
Mistakes are not self-correcting in an obvious way; only a few errors can vastly increase the search space.
There is no known way to combine results from other expns, especially if exponent blinding is applied.
Always selecting zero digits vastly decreases the search.
Small public exponent, no exponent blinding and known RSA modulus provide half the bits, reducing the search space to D1/6.
What are the problems with carrying out such attacks? One is that operands are hardly re-used: re-use is essentially entirely within a divisor sub-chain. So it will be less easy to correct any errors than for m-ary exponentiation when the much more widespread re-use makes characterisation of the operand much more precise. Such an attack may be impossible on a smartcard without decapsulation of the chip until monitoring techniques are substantially more accurate.
Every error clearly increases the search space many-fold: every possibility seems to have to be tried and rejected before the existence of an error can be established, and then it is unclear which of the many choices in the incorrect one – many of them may have to be tried before the errors are found.
If the errors cannot be corrected, another exponentiation has to be attacked. There is no way known yet for combining partial data from one exponentiation to decrease the search space for another exponentiation, even when no exponent blinding is performed first.
A more efficient variation of the algorithm selects a zero digit whenever one exists, not just in most cases, as here. This would only be marginally more efficient, but it turns out to be much less secure, since many partially reconstructed values of D can be rejected during the attack because they fail to satisfy the exact division by m criterion.
Finally, with small public exponent and minimal blinding, one can take the top bits of the public modulus and deduce a set of possible choices for the top bits of the exponent D which is small enough to be computed with. (In fact, every extra bit of blinding or public modulus doubles the work that the attacker must do.) Once the possibilities for the lower half of D have been reconstructed, it is easy to identify the correct one by finding matching top and bottom halves. Details will be provided in a future publication. However, for standard RSA key lengths, this should still make an attack computationally infeasible.
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm

19. Conclusion
“Random-ary exponentiation” – a novel expn algm suitable for RSA on smartcard (no inverses need to be computed).
Time & Space are comparable to 4-ary expn.
Random choices & little operand re-use make the usual averaging for DPA much more restricted.
MIST is much stronger against power analysis than standard expn algorithms.
To sum up, a novel randomised exponentiation algorithm has been described, one which is suitable for RSA on a smartcard because no inverse needs to be computed. From its construction, it might reasonably be called randomary exponentiation.
Its time and space orders were shown at the CT-RSA 2002 conference to be similar to those of 4-ary exponentiation.
It seems to defeat current state-of-the-art DPA and DEMA methods. In particular, even without exponent blinding, one cannot average over a number of exponentiations to improve trace data, nor is it clear how to combine data deduced from different exponentiations. Also, data is re-used much less than with standard m-ary sliding windows, so that there is less trace data depending on the same secret key information that could be sensibly averaged to enhance that information.
Although there are implementation aspects which were not covered here but need to be dealt with carefully, the MIST algorithm appears to compare very favorably against the classical non-randomised algorithms in terms of its strength against DPA and DEMA.
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
The MIST Algorithm