Square Always Exponentiation

Size: px

Start display at page:

Download "Square Always Exponentiation"

Patrick Freeman
6 years ago
Views:

Gagnerot 1,2 Mylène Roussellet 2 Vincent

1 Square Always Exponentiation Christophe Clavier 1 Benoit Feix 1,2 Georges Gagnerot 1,2 Mylène Roussellet 2 Vincent Verneuil 2,3 1 XLIM-Université de Limoges, France 2 INSIDE Secure, Aix-en-Provence, France 3 Univ. Bordeaux, IMB, France Indocrypt December 12, 2011 Vincent Verneuil - Square Always Exponentiation 1 / 38

2 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 2 / 38

3 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 2 / 38

4 Motivation 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 2 / 38

5 Motivation Motivation Exponentiation is the core operation of RSA, DSA, Diffie-Hellman protocols. Embedded in constrained devices (smart cards, etc.) with low resources. Targeted by side-channel attacks in this sensitive context. Vincent Verneuil - Square Always Exponentiation 3 / 38

6 Motivation Context Let consider the computation of m d mod n with d = (d k 1 d k 2...d 0 ) 2. M the cost of a modular multiplication. S the cost of a modular squaring. Two cases : fast squaring (S/M =.8) or not (S/M = 1). Vincent Verneuil - Square Always Exponentiation 4 / 38

7 Recalls 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 4 / 38

8 Recalls Basic Exponentiation Square-and-Multiply Left-to-right Right-to-left Vincent Verneuil - Square Always Exponentiation 5 / 38

9 Recalls Basic Exponentiation Square-and-Multiply Left-to-right Right-to-left ( ( m d = m d 0 m d 1... ( m d ) 2 ) ) 2 2 k 1... m d = m d k 1 2k 1 m d k 2 2k 2... m d 0 Vincent Verneuil - Square Always Exponentiation 5 / 38

10 Recalls Basic Exponentiation Square-and-Multiply Left-to-right Right-to-left ( ( m d = m d 0 m d 1... ( m d ) 2 ) ) 2 2 k 1... m d = m d k 1 2k 1 m d k 2 2k 2... m d 0 Input: m,n,d N Output: m d mod n a 1 for i = k 1 to 0 do a a 2 mod n if d i = 1 then a a m mod n return a Input: m,n,d N Output: m d mod n a 1 ; b m for i = 0 to k 1 do if d i = 1 then a a b mod n b b 2 mod n return a Vincent Verneuil - Square Always Exponentiation 5 / 38

11 Recalls Side-Channel Threats When a computation involving a secret occurs on an embedded devices, side-channels (power, EM) may be spotted to search for leakages. Kocher introduced in 1999 the simple and differential side-channel analysis. Vincent Verneuil - Square Always Exponentiation 6 / 38

12 Recalls Side-channel leakage: power, EM, etc. Simple Side-Channel Analysis on Exponentiation (SPA) The whole exponent may be recovered using a single curve. Vincent Verneuil - Square Always Exponentiation 7 / 38

13 Recalls Regular Exponentiation Montgomery ladder Square & multiply: S, M, S, S, M, S, M, S, S, M... Vincent Verneuil - Square Always Exponentiation 8 / 38

14 Recalls Regular Exponentiation Montgomery ladder Square & multiply: S, M, S, S, M, S, M, S, S, M... Square & multiply always: S, M, S, M,S, M,S, M,S, M, S, M... Vincent Verneuil - Square Always Exponentiation 8 / 38

15 Recalls Regular Exponentiation Montgomery ladder Square & multiply: S, M, S, S, M, S, M, S, S, M... Square & multiply always: S, M, S, M,S, M,S, M,S, M, S, M... Vincent Verneuil - Square Always Exponentiation 8 / 38

16 Recalls Regular Exponentiation Montgomery ladder Square & multiply: S, M, S, S, M, S, M, S, S, M... Square & multiply always: S, M, S, M,S, M,S, M,S, M, S, M... Montgomery ladder: S, M, S, M,S, M,S, M,S, M, S, M... Vincent Verneuil - Square Always Exponentiation 8 / 38

17 Recalls Regular Exponentiation Montgomery ladder Square & multiply: S, M, S, S, M, S, M, S, S, M... Square & multiply always: S, M, S, M,S, M,S, M,S, M, S, M... Montgomery ladder: S, M, S, M,S, M,S, M,S, M, S, M... Input: m,n,d N Output: m d mod n 1: R 0 1 2: R 1 m 3: for i = k 1 to 0 do 4: R 1 di R 0 R 1 mod n 5: R di R di 2 mod n 6: return R 0 Vincent Verneuil - Square Always Exponentiation 8 / 38

18 Recalls Regular Exponentiation Atomic Exponentiation Multiply Always Square & multiply: S, M, S, S, M, S, M, S, S, M... Vincent Verneuil - Square Always Exponentiation 9 / 38

19 Recalls Regular Exponentiation Atomic Exponentiation Multiply Always Square & multiply: S, M, S, S, M, S, M, S, S, M... Multiply always: M,M, M,M,M, M,M, M,M,M... Vincent Verneuil - Square Always Exponentiation 9 / 38

20 Recalls Regular Exponentiation Atomic Exponentiation Multiply Always Square & multiply: S, M, S, S, M, S, M, S, S, M... Multiply always: M,M, M,M,M, M,M, M,M,M... Input: m,n,d N Output: m d mod n 1: R 0 1 2: R 1 m 3: i k 1 4: t 0 5: while i 0 do 6: R 0 R 0 R t mod n 7: t t d i [ is bitwise XOR] 8: i i 1 + t 9: return R 0 Vincent Verneuil - Square Always Exponentiation 9 / 38

21 Recalls Squaring-Multiplication Discrimination Attack In [Distinguishing Multiplications from Squaring Operations, SAC 2008], Amiel et al. observed that E x,y (HW(x y)) has a different value whether: x = y uniformly distributed in [0,2 k 1], x and y independent and uniformly distributed in [0,2 k 1]. Vincent Verneuil - Square Always Exponentiation 10 / 38

22 Recalls Squaring-Multiplication Discrimination Attack Attack: subtract two (averaged) power traces of consecutive atomic multiplications. Countermeasure: exponent blinding d d + rψ(n). Vincent Verneuil - Square Always Exponentiation 11 / 38

23 Recalls Cost Summary Algorithm Cost / bit S/M = 1 S/M =.8 # reg Square & multiply 1,2,3.5M + 1S 1.5M 1.3M 2 Multiply always 2,3 1.5M 1.5M 1.5M 2 Montgomery ladder 1M + 1S 2M 1.8M 2 1 algorithm unprotected towards the SPA 2 algorithm sensitive to S M discrimination 3 possible sliding window optimization Vincent Verneuil - Square Always Exponentiation 12 / 38

24 Contribution 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 12 / 38

25 Contribution Our Contribution Atomic exponentiation algorithms immune to the S M discrimination Better efficiency than ladder algorithms Study of algorithms for parallelized (co)processors and space/time trade-offs Vincent Verneuil - Square Always Exponentiation 13 / 38

26 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 13 / 38

27 Principle 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 13 / 38

28 Principle Replacing Multiplications by Squarings x y = (x + y)2 x 2 y 2 (1) 2 ( ) x + y 2 ( ) x y 2 x y = (2) 2 2 Vincent Verneuil - Square Always Exponentiation 14 / 38

29 Principle Replacing Multiplications by Squarings x y = (x + y)2 x 2 y 2 (1) 2 ( ) x + y 2 ( ) x y 2 x y = (2) 2 2 Vincent Verneuil - Square Always Exponentiation 14 / 38

30 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 14 / 38

31 Left-to-Right Algorithm Using (1) Input: m,n,d N Output: m d mod n a 1 for i = k 1 to 0 do a a 2 mod n if d i = 1 then a (a+m)2 a 2 return a 2 m2 2 mod n Vincent Verneuil - Square Always Exponentiation 15 / 38

32 Input: m,n,d N Output: m d mod n 1: R 0 1 ; R 1 m ; R 2 1 2: R 3 m 2 /2 mod n 3: j 0 ; i k 1 4: while i 0 do 5: R Mj,0 R Mj,1 + R Mj,2 mod n Atomic Left-to-Right Algorithm 0 bit j = 0 1 bit j = 1 0 bit 1 bit 6: R Mj,3 R 2 Mj,3 mod n 7: R Mj,4 R Mj,5 /2 mod n 8: R Mj,6 R Mj,7 R Mj,8 mod n j = 3 9: j d i (1 + (j mod 3)) 10: i i M j,9 11: return R M = j = 2 Vincent Verneuil - Square Always Exponentiation 16 / 38

33 j = 0 (d i = 0 or 1) R 1 R 1 + R 1 mod n R 0 R 2 0 mod n R 2 R 1 /2 mod n R 1 R 1 R 2 mod n j d i [ if d i = 0] i i (1 d i ) [ if d i = 1] Atomic Left-to-Right Algorithm j = 2 (d i = 1) R 1 R 1 + R 3 mod n R 0 R 2 0 mod n R 0 R 0 /2 mod n R 0 R 2 R 0 mod n j 3 i i 1 Atomic Patterns j = 1 (d i = 1) R 2 R 0 + R 1 mod n R 2 R 2 2 mod n R 2 R 2 /2 mod n R 2 R 2 R 3 mod n j 2 i i j = 3 (d i = 0 or 1) R 3 R 3 + R 3 mod n R 0 R 2 0 mod n R 3 R 3 /2 mod n R 1 R 1 R 3 mod n j d i i i (1 d i ) [ if d i = 1] Vincent Verneuil - Square Always Exponentiation 17 / 38

34 Right-to-Left Algorithm Using (2) Input: m,n,d N Output: m d mod n a 1 ; b m for i = 0 to k 1 do if d i = 1 then a ( a+b 2 b b 2 mod n return a ) 2 ( a b 2 ) 2 mod n Vincent Verneuil - Square Always Exponentiation 18 / 38

35 Input: m,n,d N Output: m d mod n 1: R 0 m ; R 1 1 ; R 2 1 2: i 0 ; j 0 3: while i k 1 do 4: j d i (1 + (j mod 3)) 5: R Mj,0 R Mj,1 + R 0 mod n 6: R Mj,2 R Mj,3 /2 mod n 7: R Mj,4 R Mj,5 R Mj,6 mod n Atomic Right-to-Left Algorithm 0 bit 8: R Mj,3 R 2 Mj,3 mod n j = 3 9: i i + M j,7 10: return R M = j = 0 1 bit j = 1 0 bit 1 bit j = 2 Vincent Verneuil - Square Always Exponentiation 19 / 38

36 j = 0 (d i = 0) j 0 [ if j was 0] R 0 R 0 + R 0 mod n R 2 R 0 /2 mod n R 0 R 0 R 2 mod n R 0 R 2 0 mod n i i + 1 j = 1 (d i = 1) j 1 R 2 R 1 + R 0 mod n R 2 R 2 /2 mod n R 1 R 0 R 1 mod n R 2 R 2 2 mod n i i Atomic Right-to-Left Algorithm j = 2 (d i = 1) j 2 R 0 R 2 + R 0 mod n R 1 R 1 /2 mod n R 0 R 0 R 2 mod n R 1 R 2 1 mod n i i j = 3 (d i = 1) j 3 R 0 R 0 + R 0 mod n R 0 R 0 /2 mod n R 1 R 2 R 1 mod n R 0 R 2 0 mod n i i + 1 Vincent Verneuil - Square Always Exponentiation 20 / 38 Atomic Patterns

37 Cost Comparison Algorithm Cost / bit S/M = 1 S/M =.8 # reg Square & multiply 1,2,3.5M + 1S 1.5M 1.3M 2 Multiply always 2,3 1.5M 1.5M 1.5M 2 Montgomery ladder 1M + 1S 2M 1.8M 2 L.-to-r. square always 3 2S 2M 1.6M 4 R.-to-l. square always 3 2S 2M 1.6M 3 11 % speed-up over Montgomery ladder 1 algorithm unprotected towards the SPA 2 algorithm sensitive to S M discrimination 3 possible sliding window optimization Vincent Verneuil - Square Always Exponentiation 21 / 38

38 Implementation AT90SC 30MHz with AdvX arithmetic coprocessor: Algorithm Key len. (b) Code (B) RAM (B) Timing (ms) Mont. ladder Square Always % practical speed-up obtained in practice Vincent Verneuil - Square Always Exponentiation 22 / 38

39 Security Considerations Immune to any S M discrimination Compatible with classical DPA/FA countermeasures Right-to-left is more robust than left-to-right Despite DPA countermeasures prevent safe-errors, we provide algorithms immune to C safe-errors Vincent Verneuil - Square Always Exponentiation 23 / 38

40 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 23 / 38

41 Generalities 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 23 / 38

42 Generalities Motivation Trendy topic Parallelized Montgomery ladder : 1M / bit Squarings are independent in eq. (1) and (2) What can we do if two parallel squarings are available? Vincent Verneuil - Square Always Exponentiation 24 / 38

43 Generalities Basic Parallelization Core 1 Core 2 0 bit S S 1 bit S S S S Many wasted squaring slots :-( Vincent Verneuil - Square Always Exponentiation 25 / 38

44 Generalities Scanning Direction Left-to-right: m d = m d 0 ( m d 1 ( ( ) ) ) m d k 1... Right-to-left: m d = m d k 12 k 1 m d k 22 k 2... m d 0 Right-to-left is more flexible Vincent Verneuil - Square Always Exponentiation 26 / 38

45 Generalities Better Parallelization Strategy: use the wasted 1 bit squaring slot to compute 1 squaring in advance. if(d i = 1) a ((a + b)/2) 2 ((a b)/2) 2 mod n b b 2 mod n Core 1 Core 2 S S S S Remark: requires 1 additional memory register to store the precomputed squaring. Vincent Verneuil - Square Always Exponentiation 27 / 38

46 Generalities Better Parallelization Strategy: use the wasted 1 bit squaring slot to compute 1 squaring in advance. if(d i = 1) a ((a + b)/2) 2 ((a b)/2) 2 mod n b b 2 mod n if(d i+1 = 1) a ((a + b)/2) 2 ((a b)/2) 2 mod n b b 2 mod n Core 1 Core 2 S S S S Remark: requires 1 additional memory register to store the precomputed squaring. Vincent Verneuil - Square Always Exponentiation 27 / 38

47 Generalities Better Parallelization Strategy: use the wasted 1 bit squaring slot to compute 1 squaring in advance. if(d i = 1) a ((a + b)/2) 2 ((a b)/2) 2 mod n b b 2 mod n if(d i+1 = 1) a ((a + b)/2) 2 ((a b)/2) 2 mod n b b 2 mod n Core 1 Core 2 S S S S Remark: requires 1 additional memory register to store the precomputed squaring. Vincent Verneuil - Square Always Exponentiation 27 / 38

48 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 27 / 38

49 Right-to-Left Parallelized Algorithm Input: m,n N, m < n, d = (d k 1...d 0 ) 2, require 5 k-bit registers a, b, R 0, R 1, R 2 Output: m d mod n 1: a 1 ; b m ; extra 0 2: for i = 0 to k 1 do 3: if d i = 1 then 4: if extra = 0 then 5: R 0 (a b) 2 mod n R 1 b 2 mod n 6: a (a + b) 2 mod n R 2 R 2 1 mod n 7: a (a R 0 )/4 mod n ; b R 1 ; R 1 R 2 8: extra 1 9: else 10: R 0 (a b) 2 mod n a (a + b) 2 mod n 11: a (a R 0 )/4 mod n ; b R 1 12: extra 0 13: else 14: if extra = 0 then 15: b b 2 mod n <nothing> 16: else 17: b R 1 18: extra 0 19: return a Vincent Verneuil - Square Always Exponentiation 28 / 38

50 Atomic Parallelized Algorithm Input: m,n N, m < n, d = (d k 1 d k 2...d 0 ) 2, require 7 k-bit registers R 0 to R 6 Output: m d mod n 1: R 0 1 ; R 1 m ; v (0,0,0) ; u 1 2: while v 0 k 1 do 3: j d v0 (v 1 + u + 1) 4: R 5 (R 0 R 1 )/2 mod n 5: R 6 (R 0 + R 1 )/2 mod n 6: R Mj,0 R 2 Mj,1 mod n R Mj,2 R 2 Mj,3 mod n 7: R Mj,4 R 0 R 2 mod n 8: R Mj,5 R 3 9: R Mj,6 R 4 10: v 1 M j,7 11: u M j,8 12: t 1 v 1 (1 d v0 +1) 13: R Nt,0 R 3 14: v Nt,1 0 15: v Nt,2 v Nt, : v 0 v 0 + u 17: return R 0 Vincent Verneuil - Square Always Exponentiation 29 / 38

51 Atomic Parallelized Algorithm Matrices M = N = ( 1 1 ) Vincent Verneuil - Square Always Exponentiation 30 / 38

52 Even Better Parallelization Strategy: use the wasted 1 bit squaring slots to compute several squarings in advance. The variable extra, 0 extra extramax, stores the number of precomputed squarings. Remark: requires extramax additional memory registers to store the precomputed squarings. Vincent Verneuil - Square Always Exponentiation 31 / 38

53 Even Better Parallelization Example : d = ( ) 2, extramax = 1 extramax = cost: 1S 2S 1S 1S 1S Cost: 6S Vincent Verneuil - Square Always Exponentiation 32 / 38

54 Even Better Parallelization Example : d = ( ) 2, extramax 2 extramax cost: 1S 2S 2S 0S 0S Cost: 5S Vincent Verneuil - Square Always Exponentiation 33 / 38

55 Generalized Parallel Square Always Input: m,n N, m < n, d = (d k 1 d k 2...d 0 ) 2, extramax N, require extramax+4 k-bit registers a, R 0, R 1,... R extramax+2 Output: m d mod n 1: a 1 ; R 1 m ; extra 0 2: for i = 0 to k 1 do 3: if d i = 1 then 4: if extra < extramax then 5: R 0 (a R 1 ) 2 mod n R extra+2 R 2 extra+1 mod n 6: a (a + R 1 ) 2 mod n R extra+3 R 2 extra+2 mod n 7: a (a R 0 )/4 mod n 8: (R 1,R 2,...R extramax+1 ) (R 2,R 3,...R extramax+2 ) 9: extra extra+1 10: else 11: R 0 (a R 1 ) 2 mod n a (a + R 1 ) 2 mod n 12: a (a R 0 )/4 mod n 13: (R 1,R 2,...R extramax+1 ) (R 2,R 3,...R extramax+2 ) 14: extra extra 1 15: else 16: if extra = 0 then 17: R 1 R 2 1 mod n 18: else 19: (R 1,R 2,...R extramax+1 ) (R 2,R 3,...R extramax+2 ) 20: extra extra 1 21: return a Vincent Verneuil - Square Always Exponentiation 34 / 38

56 Cost Comparison We demonstrate that the cost of the parallelized algorithms tends to: ( ) S 4 extramax +2 Algorithm General cost S/M = 1 S/M = 0.8 Parallel Montgomery ladder 1M 1M 1M Parallel Sq. Al. extramax = 1 7S/6 1.17M 0.93M Parallel Sq. Al. extramax = 2 11S/ M 0.88M Parallel Sq. Al. extramax = 3 15S/ M 0.86M.... Parallel Sq. Al. extramax 1S 1M 0.8M Vincent Verneuil - Square Always Exponentiation 35 / 38

57 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 35 / 38

58 Conclusion Square Always is an alternative countermeasure to S M discrimination It provides better efficiency than the Montgomery ladder Parallelization brings best exponentiation performances to our knowledge Two parallel squaring blocks yields faster exponentiation than two parallel multiplication blocks! Vincent Verneuil - Square Always Exponentiation 36 / 38

59 Thank you for your attention! Vincent Verneuil - Square Always Exponentiation 37 / 38

60 Turning Squarings into Multiplications r, r 1, r 2 being random integers < n x x = (x + r) x x r = (x + r) (x r) + r 2 = (x + r 1 ) (x + r 2 ) x (r 1 + r 2 ) r 1 r 2 Vincent Verneuil - Square Always Exponentiation 38 / 38

Elliptic Curve Cryptography and Security of Embedded Devices

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography