Precise Bounds for Montgomery Modular Multiplication and Some Potentially Insecure RSA Moduli
Colin D. Walter
formerly: www.co.umist.ac.uk (Manchester, UK), c.walter@umist.ac.uk
now: www.comodo.net (Bradford, UK), colin@comodo.net
Motivation
• Modular multiplication is the foundation of most arithmetic-based cryptography: both efficiency and security are important.
• Montgomery modular multiplication is one highly favoured method.
• To avoid full-length comparisons or timing attacks, conditional modular reductions are skipped, but the price is a higher bound, often 2M for modulus M, and perhaps extra iterations.
• For typical standard key and word lengths, 2M overflows into the next word by just 1 bit, so an extra word may have to be processed: inefficient.
• Perhaps the overflow bit can be detected and allow a power analysis attack.
Colin D. Walter, Comodo Research Lab, Bradford. Next Generation Digital Security Solutions
History
• P. L. Montgomery, Modular multiplication without trial division, Mathematics of Computation 44 (1985), 519–521
• C. D. Walter, Montgomery Exponentiation Needs No Final Subtractions, Electronics Letters 35 (1999), 1831–1832
• G. Hachez & J.-J. Quisquater, Montgomery Exponentiation with No Final Subtractions: improved results, CHES 2000, LNCS 1965, 293–301
Montgomery Modular Multiplication (MMM)
{ Pre-condition: $0 \le A < r^n$ }
$P \leftarrow 0$ ;
For $i \leftarrow 0$ to $n-1$ do
Begin
  $q \leftarrow (p_0 + a_i b_0)(-m_0^{-1}) \bmod r$ ;
  $P \leftarrow (P + a_i B + qM) \,\mathrm{div}\, r$ ;
  { Invariant: $0 \le P < M + B$ }
End ;
{ Post-conditions: $P r^n \equiv A \times B \pmod M$ , $ABr^{-n} \le P < M + ABr^{-n}$ }
Loop Invariants I
Suppose $P < M+B$ at the start of the loop. At the end of the loop, the new value of P is
$(P + a_i B + qM) \,\mathrm{div}\, r < ((M+B) + (r-1)B + (r-1)M)/r = M+B$
so the invariant holds.
If B is bounded by 2M, the output is bounded by 3M. Either we perform a conditional subtraction or we perform another iteration to keep the input less than 2M. The former is banned to avoid timing attacks.
If the last $a_i$ is small enough, the bound becomes $M + B/2 < 2M$ and another iteration would be unnecessary. To achieve that we require $a_i \le r/2$ for the top digit, which is unlikely if A is of the same size as M and M uses all bits of the top word.
Loop Invariants II
More accuracy is possible. Define $\alpha_0 = 0$ and $\alpha_{i+1} = (\alpha_i + a_i)/r$, so that $\alpha_i$ is the number formed by the lowest i digits of A divided by $r^i$. Then $\alpha_{i+1} = (\alpha_i + a_i)/r < 1$ by induction.
Suppose $P_i$ is the value of P at the start of the iteration using $a_i$. Then it is easy to establish
$\alpha_{i+1} B \le P_{i+1} < M + \alpha_{i+1} B$
because
$\alpha_{i+1} B = (\alpha_i B + a_i B)/r \le (P_i + a_i B + q_i M)/r = (P_i + a_i B + q_i M) \,\mathrm{div}\, r = P_{i+1}$
and similarly for the upper bound.
Post-Condition
At the end of the last iteration $\alpha_n = A r^{-n}$, so the loop invariant gives
$ABr^{-n} \le P < M + ABr^{-n}$
• This is the tightest interval possible since its width is only M.
• It improves on the previous upper bound $M+B$ since $Ar^{-n} < 1$.
• It is much better if A is known to be smaller, e.g. less than M.
Stability
Under what conditions will a bound on A and B be preserved? Then output from one MMM can be re-used as input without adjustment.
Suppose A and B are bounded by $(1+\varepsilon)M$. We require $M + ABr^{-n} \le (1+\varepsilon)M$ always for such stability, i.e.
$M + (1+\varepsilon)^2 M^2 r^{-n} \le (1+\varepsilon)M$
This means $(1+\varepsilon)^2 M r^{-n} \le \varepsilon$, which we can solve for suitable $\varepsilon$. It has real solutions exactly when
$4M \le r^n$
First Results
• The condition $4M \le r^n$ for I/O remaining bounded improves on those given by the papers cited earlier.
• When the condition is satisfied we can choose $\varepsilon$ so that A and B are bounded by 2M or by $\tfrac12 r^n$ as appropriate.
• Intermediate values of P are bounded above by $\tfrac34 r^n$.
• For such M with n digits, there is no extra processing required to compensate for removing the final subtraction.
• For standard key lengths, we need to take n to be 1 more than the number of digits in M in order to satisfy the bound.
Standard Key Lengths
• We have seen the need for increasing n for standard key lengths. This means one more iteration than the number of digits in M. It is the cost of deleting the final subtraction.
• How many bits of the corresponding extra digit are required?
• We know the bound 2M means at most one bit is needed. Is it necessary? Its occasional existence may provide a handle for a timing or power analysis attack.
• The frequency of the top bit being non-zero is different for squares and multiplies. This was reported at RSA 2001. (This bit is what prompts the final conditional subtraction.)
The Extra Bit
• The frequency of the top bit becoming set is around 25%–30% when n has not been increased.
• Increasing n decreases the upper bound $M + ABr^{-n}$, making it less likely to set the topmost bit, i.e. the next bit after the top bit of M.
• We need to discover its frequency of being 1 to determine whether a difference between squares and multiplies is measurable. We will see when it is always zero.
• Since n is being increased by 1, we have $\tfrac14 r^{n-1} < M < r^{n-1}$ and want I/O to be less than $r^{n-1}$.
Conditions for no overflow bit
• The condition of interest is $M + ABr^{-n} < r^{n-1}$ when $A, B < r^{n-1}$.
• So we need M such that $M + (r^{n-1})^2 r^{-n} < r^{n-1}$, i.e. $M < r^{n-1}(1 - r^{-1})$.
• Thus the arguments and output of MMM will have the same number of words as M unless the top word of M is all 1s.
• Hence, when the final conditional subtraction is omitted from MMM, there is no "overflow" bit against which a power analysis attack can be mounted unless the top word of M is all 1s.
The Unlikely Event
• The potentially dangerous case is therefore when the top word of M is $r-1$, which is reassuringly uncommon, and the worst case is $M = r^{n-1}$.
• By solving our previous quadratic in $\varepsilon$, the best bound on the inputs to achieve stability in that worst case is
$(1+\varepsilon)M = \tfrac12 r^n \left(1 - (1 - 4r^{-1})^{1/2}\right) = r^{n-1} + r^{n-2} + 2r^{n-3} + 5r^{n-4} + \dots$
• With the reasonable assumption that residues mod M are uniformly distributed, at most about $r^{-1}$ of outputs will exceed $r^{n-1}$.
• So, for a 16-bit architecture and limited smartcard life, the overflow bit is too rare to be of use in power analysis.
• One could safely re-introduce a conditional subtraction here to avoid the need for extra hardware.
Exponentiation
• We end by noting that no final subtraction is needed in the case of MMM exponentiation:
• To compute $T^e \bmod M$, pre-processing generates $T r^n \bmod M$ so that subsequent multiplications are all larger than from standard modular multiplication by a factor of $r^n \bmod M$. The output is therefore $A = T^e r^n \bmod M$.
• Post-processing removes the extra factor $r^n$ by an MMM multiplication by 1. The output is bounded above by $M + Ar^{-n}$ where $A < 2M < \tfrac12 r^n$. So the output is $\le M$. Of course, equality with M is impossible, since that could only arise from $T = 0$, which would result in output 0.
• So no final modular reduction is needed for exponentiation.
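The loop, bounds and conditions from the slides above (the MMM algorithm and its invariant, the post-condition interval, the stability condition $4M \le r^n$, the no-overflow-bit test and the final MMM by 1), as an added Python example that is not the paper's or the author's code: the word size w, the function names and the sample moduli it is run on are my own constructed assumptions.

```python
# Added example, not the slides' code: the slides' digit-serial Montgomery
# loop with no final conditional subtraction, plus its bound checks. The word
# size w and the sample moduli used with it are constructed for illustration.

def mmm(A, B, M, n, w):
    """Return P with P*r^n == A*B (mod M) and A*B/r^n <= P < M + A*B/r^n,
    processing the n base-r digits of A (r = 2^w, 0 <= A < r^n, M odd)."""
    r = 1 << w
    assert 0 <= A < r ** n and M % 2 == 1
    m0_inv = pow(M, -1, r)                 # m0^-1 mod r; exists since M is odd
    b0 = B & (r - 1)
    P = 0
    for i in range(n):
        ai = (A >> (w * i)) & (r - 1)      # digit a_i of A
        p0 = P & (r - 1)                   # lowest digit p_0 of P
        q = ((p0 + ai * b0) * (-m0_inv)) % r
        t = P + ai * B + q * M
        assert t % r == 0                  # q makes the sum divisible by r
        P = t >> w                         # the slides' "div r"
        assert 0 <= P < M + B              # loop invariant from the slides
    return P

def post_condition_holds(A, B, M, n, w):
    """Check P r^n == A B (mod M) and A B r^-n <= P < M + A B r^-n,
    comparing integers scaled by r^n to avoid floating point."""
    rn = (1 << w) ** n
    P = mmm(A, B, M, n, w)
    return (P * rn - A * B) % M == 0 and A * B <= P * rn < M * rn + A * B

def stable_io_bound_ok(M, n, w):
    """Stability condition 4M <= r^n: outputs below 2M can be fed back
    as inputs indefinitely with no final subtraction."""
    return 4 * M <= (1 << w) ** n

def no_overflow_bit(M, n, w):
    """With n one more than the digit count of M (so M < r^(n-1)), inputs
    and outputs below r^(n-1) never overflow into an extra word unless the
    top word of M is all ones, i.e. unless M >= r^(n-1) - r^(n-2)."""
    r = 1 << w
    return M < r ** (n - 1) - r ** (n - 2)

def chain_stays_below_2M(X, M, n, w, rounds):
    """Square X repeatedly with mmm, as an exponentiation would, and report
    whether every result stays below 2M (re-usable without adjustment)."""
    for _ in range(rounds):
        X = mmm(X, X, M, n, w)
        if X >= 2 * M:
            return False
    return True
```

Calling `mmm(A, 1, M, n, w)` on a value A below 2M is the post-processing step of the Exponentiation slide and lands strictly below M for non-zero residues.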
Conclusion
• Precise output bounds have been obtained for Montgomery Modular Multiplication.
• This gives I/O bounds for MMM in the context of exponentiation when the final conditional subtraction is omitted.
• All numbers have the same word size as the modulus M when $4M \le r^n$ and M has n words.
• Otherwise, MMM must perform another iteration, but overflow bits are then too rare to be in danger from power analysis attacks.
• No final modular subtraction is required for exponentiation.