Distinguishing Exponent Digits by Observing Modular Subtractions
Colin D. Walter and Susan Thompson
www.datacard.com

A Timing Attack on RSA
Context:
• AB mod N
• Output from multiplier S < 2N
• Require output S < N or < 2^n
• So conditional subtraction in S/W
• Assume recognisable in power trace
• Unknown plain/cipher text
• Unknown modulus
Walter & Thompson, Datacard Consult

History
• Kocher (Crypto 1996) - Known Plaintext
• Dhem et al (Cardis 1998) - Supplied Detail
• Schindler (Ches 2000) - Square & Mult
• Platform Seven - Unknown Plaintext (RSA 2001)
  - Much Less Data
  - m-ary exponentiation

Partial Product S
• Last step of Montgomery mod mult: S ← (S + aB + qN)/r
  a = top digit of A, dependent on size of A
  q, S effectively randomly distributed
• For random A and fixed B, the average S is a linear function of B, independent of A
• Larger B, more frequent final subtractions

Distribution of S
• For a multiply, S behaves like random variable αβ + γ where α, β have the distributions of 2^(–n)A, B and γ is uniform.
• For a square, S behaves like α^2 + γ.
• Integrating over values of α and β, the probability of S being greater than 2^n is: … for multiply, … for square

Squares vs Multiplies
… for multiply, … for square.
• So probabilities of conditional subtraction of N are different.
• With sufficient observations we can distinguish squares from multiplies.
• (Care: non-uniform distribution on [0..2N].)
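
Added example, not from the slides: a toy simulation of the final-subtraction frequencies described under "Partial Product S" and "Squares vs Multiplies", useful for checking whether a given reduction routine shows this bias. The 64-bit modulus, the S < N form of the reduction, and the names montmul, rate and experiment are assumptions made for illustration.

```python
import random

N_BITS = 64                      # constructed toy size, not a real RSA modulus
R = 1 << N_BITS                  # Montgomery radix, 2^n
N = R - 59                       # constructed odd modulus just below 2^n
N_PRIME = (-pow(N, -1, R)) % R   # -N^(-1) mod R

def montmul(a, b):
    """Return (a*b*R^-1 mod N, True if the final subtraction ran)."""
    t = a * b
    q = (t * N_PRIME) % R        # chosen so that t + q*N is divisible by R
    s = (t + q * N) >> N_BITS    # multiplier output, always < 2N
    if s >= N:                   # the data-dependent conditional subtraction
        return s - N, True
    return s, False

def rate(pairs):
    """Fraction of (a, b) operand pairs that trigger the final subtraction."""
    pairs = list(pairs)
    return sum(montmul(a, b)[1] for a, b in pairs) / len(pairs)

def experiment(trials=20000, seed=1):
    rng = random.Random(seed)    # fixed seed: constructed, reproducible inputs
    xs = [rng.randrange(N) for _ in range(trials)]
    ys = [rng.randrange(N) for _ in range(trials)]
    return {
        "multiply": rate(zip(xs, ys)),                # random A times random B
        "square": rate((x, x) for x in xs),           # A times A
        "small_B": rate((x, N // 4) for x in xs),     # fixed small multiplier
        "large_B": rate((x, 3 * N // 4) for x in xs), # fixed large multiplier
    }

if __name__ == "__main__":
    for name, value in experiment().items():
        print(f"{name:9s} {value:.3f}")
```

With N close to 2^n the rates come out near 1/4 for multiplies and 1/3 for squares, and the fixed-multiplier rate grows in proportion to B.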

First Results
• In square-and-multiply exponentiation we can read the bits of a secret key.
• Careless implementation of Modular Multiplication is dangerous.

m-ary Exponentiation
• In case square-and-multiply leaks, use m-ary exponentiation. Is it safe?
• Example: 4-ary to compute A^d mod N
• Each multiply is by one of A, A^2 or A^3
• Can these be distinguished?

Differentiating Multipliers
• Averaging over all observations, we can distinguish squares from multiplies.
• Averaging over all observations, the different multipliers are indistinguishable.
• Key: Select observation subsets.

Choice of Obs. Subsets
• Identify an initial multiplication A × A^(i–1).
• Partition observations according to whether or not the extra final subtraction occurs.
• One subset: cases of larger A^i (on average)
• Other subset: cases of smaller A^i (on average)
• Other powers A^j (j ≠ i) will be average.

More Results
• Multiply operations by A^i (same, fixed i) will show similar non-average final subtraction frequencies in the two subsets:
  • above average in one,
  • below average in the other.
• Multiply operations by A^j (j ≠ i) will have closer to average final subtraction frequencies.

Consequence
• All cases of exponent digit i can be identified from their non-average behaviour in the two subsets.

Demonstration
• The pre-computations of A, A^2 and A^3 give us 2^3 observation subsets.
• Selecting different subsets will change the relative frequencies of final subtractions.
• Operations corresponding to the same exponent digit will behave similarly.

Sub in Initial Squaring

No Sub in Initial Squaring

Reasoning
• Operation A×A does have a final subtraction:
  • A is big, so exp digit 01 has many subs.
  • A^2 is much smaller, so exp digit 10 has least subs.
  • A^3 is more normal, so digit 11 has middling subs.
• Operation A×A does not have a final subtraction:
  • A is small, so exp digit 01 has very few subs.
  • A^2 is bigger but still small, digit 10 has more subs.
  • A^3 is most normal, so exp digit 11 has most subs.

Conclusions
• In m-ary exponentiation we may be able to read the bits of a secret key.
• Careless implementation of Modular Multiplication is dangerous also for m-ary exponentiation.
• Even with low detection of final subtractions, exponent digits are obtained accurately, so there is no safety in longer keys.