Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis

Size: px

Start display at page:

Download "Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis"

Bennett Houston
6 years ago
Views:

1 Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis Christophe Negre ici joined work with T. Plantard (U. of Wollongong, Australia) Journees Nationales GDR IM January 19-th, / 39

2 Outline 1 Regular exponentiation in RSA cryptosystem RSA encryption Simple power analysis Proposed counter-measure 2 Extension to Hyper-elliptic curve Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication 3 Differential power analysis and counter-measures Differential power analysis Counter-measures 4 Conclusion 2 / 39

3 Outline 1 Regular exponentiation in RSA cryptosystem RSA encryption Simple power analysis Proposed counter-measure 2 Extension to Hyper-elliptic curve Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication 3 Differential power analysis and counter-measures Differential power analysis Counter-measures 4 Conclusion 3 / 39

4 Outline 1 Regular exponentiation in RSA cryptosystem RSA encryption Simple power analysis Proposed counter-measure 2 Extension to Hyper-elliptic curve Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication 3 Differential power analysis and counter-measures Differential power analysis Counter-measures 4 Conclusion 4 / 39

5 RSA encryption Public key: a modulus N = pq and e a public exponent. Private key: the exponent d satisfying ed = 1 mod (p 1)(q 1). 5 / 39

6 RSA encryption Public key: a modulus N = pq and e a public exponent. Private key: the exponent d satisfying ed = 1 mod (p 1)(q 1). Encryption. A message m {0,..., N 1} is encrypted as c = m e mod N Decryption. c {0,..., N 1} is decrypted m = c d mod N Correct since: gcd(m, N) = 1 m (p 1)(q 1) 1 mod N 5 / 39

7 Square-and-multiply exponentiation Let e = (e l 1,..., e 0 ) 2, we compute m e mod N as follows r 1 for i from l 1 downto 0 do r r 2 mod N r r m e i mod N end for return r 6 / 39

8 Square-and-multiply exponentiation Let e = (e l 1,..., e 0 ) 2, we compute m e mod N as follows r 1 for i from l 1 downto 0 do r r 2 mod N r r m e i mod N end for return r Init.: r = 1 Loop 1 : 1 2 m e l 1 Loop 2 : (m e l 1) 2 m e l 2 = m 2e l 1+e l 2 Loop 3 : (m 2e l 1+e l 2 ) 2 m e l 3 = m 4e l 1+2e l 2 +e l 3 Etc. 6 / 39

9 Outline 1 Regular exponentiation in RSA cryptosystem RSA encryption Simple power analysis Proposed counter-measure 2 Extension to Hyper-elliptic curve Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication 3 Differential power analysis and counter-measures Differential power analysis Counter-measures 4 Conclusion 7 / 39

10 Simple power analysis Consumption of a circuit computing m e mod N: squaring multiplication 8 / 39

11 Counter-measure of the litterature: square-always Re-express multiplications as squarings: ab = ((a + b) 2 a 2 b 2 )/2 Square-and-multiply-always (Clavier et al. 2011) r 1 m m 2 mod N for i from l 1 downto 0 do r r 2 mod N if e i = 1 then r ((r + m) 2 m r 2 )/2 mod N end if end for return r Cost = 3l/2 squarings. Drawback: non constant computation time. 9 / 39

12 Counter-measure of the litterature : square-and-multiply-always Renders the exponentiation regular and constant time. Square-and-multiply-always Coron 99 r 1 for i from l 1 downto 0 do r r 2 mod N if e i = 1 then r r m mod N else r r m mod N end if end for return r Cost = l multiplications and l squarings. 10 / 39

13 Outline 1 Regular exponentiation in RSA cryptosystem RSA encryption Simple power analysis Proposed counter-measure 2 Extension to Hyper-elliptic curve Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication 3 Differential power analysis and counter-measures Differential power analysis Counter-measures 4 Conclusion 11 / 39

14 Proposed counter-measure Strategy: multiplicative splitting of m m = m 1 0 m 1 mod N with m 0, m 1 = N 1: r m 1 0 2: for i from l 1 downto 0 do 3: if e i = 0 then 4: r r 2 m 0 5: else 6: r r 2 m 1 7: end if 8: end for 9: r r m 0 10: return r 12 / 39

15 Proposed counter-measure Strategy: multiplicative splitting of m m = m 1 0 m 1 mod N with m 0, m 1 = N 1: r m 1 0 2: for i from l 1 downto 0 do 3: if e i = 0 then Correctness: At beginning of loop i: r = m α m 1 0 4: r r 2 m 0 5: else 6: r r 2 m 1 7: end if 8: end for 9: r r m 0 10: return r 12 / 39

16 Proposed counter-measure Strategy: multiplicative splitting of m m = m 1 0 m 1 mod N with m 0, m 1 = N 1: r m 1 0 2: for i from l 1 downto 0 do 3: if e i = 0 then 4: r r 2 m 0 5: else Correctness: At beginning of loop i: r = m α m 1 0 If e i = 0: r 2 m 0 = m 2α m 1 0 6: r r 2 m 1 7: end if 8: end for 9: r r m 0 10: return r 12 / 39

17 Proposed counter-measure Strategy: multiplicative splitting of m m = m 1 0 m 1 mod N with m 0, m 1 = N 1: r m 1 0 2: for i from l 1 downto 0 do 3: if e i = 0 then 4: r r 2 m 0 5: else 6: r r 2 m 1 7: end if 8: end for 9: r r m 0 10: return r Correctness: At beginning of loop i: r = m α m 1 0 If e i = 0: r 2 m 0 = m 2α m 1 0 If e i = 1: r 2 m 1 = (m 2α m 1 m 1 0 ) m 1 0 = m 2α+1 m / 39

18 Proposed counter-measure Strategy: multiplicative splitting of m m = m 1 0 m 1 mod N with m 0, m 1 = N 1: r m 1 0 2: for i from l 1 downto 0 do 3: if e i = 0 then 4: r r 2 m 0 5: else 6: r r 2 m 1 7: end if 8: end for 9: r r m 0 10: return r Correctness: At beginning of loop i: r = m α m 1 0 If e i = 0: r 2 m 0 = m 2α m 1 0 If e i = 1: r 2 m 1 = (m 2α m 1 m 1 0 ) m 1 0 = m 2α+1 m 1 0 After loop i: r = m 2α+e i m / 39

19 Euclidean algorithm. Principle. Let a, b N with a b 0 gcd(a, b) = gcd(a qb, b) for all q Z. 13 / 39

20 Euclidean algorithm. Principle. Let a, b N with a b 0 gcd(a, b) = gcd(a qb, b) for all q Z. Sequence of modular reductions r 0 a r 1 b r 2 r 0 mod r 1 r 3 r 1 mod r 2. r i r i 2 mod r i 1. gcd(a, b) is the last r i / 39

21 Euclidean algorithm. Principle. Let a, b N with a b 0 gcd(a, b) = gcd(a qb, b) for all q Z. Sequence of modular reductions r 0 a r 1 b r 2 r 0 mod r 1 r 3 r 1 mod r 2. r i r i 2 mod r i 1. gcd(a, b) is the last r i 0. Extended Euclidean algorithm Compute u and v such that as follows: ua + vb = gcd(a, b) 1 We set: u 0 = 1, v 0 = 0 u 1 = 0, v 1 = 1 2 We iterate: u 0 a + v 0 b = r 0 u 1 a + v 1 b = r 1 ( q 1 ) u 2 a + v 2 b = r 2 13 / 39

22 Euclidean algorithm. Principle. Let a, b N with a b 0 gcd(a, b) = gcd(a qb, b) for all q Z. Sequence of modular reductions r 0 a r 1 b r 2 r 0 mod r 1 r 3 r 1 mod r 2. r i r i 2 mod r i 1. gcd(a, b) is the last r i 0. Extended Euclidean algorithm Compute u and v such that as follows: ua + vb = gcd(a, b) 1 We set: u 0 = 1, v 0 = 0 u 1 = 0, v 1 = 1 2 We iterate: u 0 a + v 0 b = r 0 u 1 a + v 1 b = r 1 ( q 1 ) u 2 a + v 2 b = r 2 ( q 2 ) u 3 a + v 3 b = r 3 13 / 39

23 Euclidean algorithm. Principle. Let a, b N with a b 0 gcd(a, b) = gcd(a qb, b) for all q Z. Sequence of modular reductions r 0 a r 1 b r 2 r 0 mod r 1 r 3 r 1 mod r 2. r i r i 2 mod r i 1. gcd(a, b) is the last r i 0. Extended Euclidean algorithm Compute u and v such that as follows: ua + vb = gcd(a, b) 1 We set: u 0 = 1, v 0 = 0 u 1 = 0, v 1 = 1 2 We iterate: u 0 a + v 0 b = r 0 u 1 a + v 1 b = r 1 ( q 1 ) u 2 a + v 2 b = r 2 ( q 2 ) u 3 a + v 3 b = r 3 ( q 3 ) u 4 a + v 4 b = r 4 ( q 4 ). 13 / 39

24 Multiplicative splitting of m We have m and N and we want m = m 1 0 m 1 mod N with m 0, m 1 = N Extended Euclidean algorithm computes m N r 0 u 0 v 0 14 / 39

25 Multiplicative splitting of m We have m and N and we want m = m 1 0 m 1 mod N with m 0, m 1 = N Extended Euclidean algorithm computes m N r 1 u 1 v 1 14 / 39

26 Multiplicative splitting of m We have m and N and we want m = m 1 0 m 1 mod N with m 0, m 1 = N Extended Euclidean algorithm computes m N r 2 u 2 v 2 14 / 39

27 Multiplicative splitting of m We have m and N and we want m = m 1 0 m 1 mod N with m 0, m 1 = N Extended Euclidean algorithm computes m N r 3 u 3 v 3 14 / 39

28 Multiplicative splitting of m We have m and N and we want m = m 1 0 m 1 mod N with m 0, m 1 = N Extended Euclidean algorithm computes m N r 3 u 3 v 3 we stop when u i, r i = N 1/2 u i m + v i N = r i m = u 1 i r i mod N. and m 0 = u i and m 1 = r i are good! 14 / 39

29 Complexity comparison Exponent of size l bits. Integer modulo N on t computer words. Multiplication/squaring in O(t 2 ). Timing in 10 Property Algorithm #word op. 3 CC 2040bits 3070bits None Square-and-multiply 7.5lt 2 + O(lt) Multiply-always 9lt Reg. 2 + O(lt) Square-always 9lt 2 + O(lt) Reg. and CT Square-and-mult-always 10.5lt 2 + O(lt) Montgomery-ladder 10.5lt 2 + O(lt) Montgomery-ladder opt. 9lt 2 + O(lt) Proposed 7.5lt 2 + O(lt) Reg. =Regular and CT=Constant time. 15 / 39

30 Outline 1 Regular exponentiation in RSA cryptosystem RSA encryption Simple power analysis Proposed counter-measure 2 Extension to Hyper-elliptic curve Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication 3 Differential power analysis and counter-measures Differential power analysis Counter-measures 4 Conclusion 16 / 39

31 Outline 1 Regular exponentiation in RSA cryptosystem RSA encryption Simple power analysis Proposed counter-measure 2 Extension to Hyper-elliptic curve Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication 3 Differential power analysis and counter-measures Differential power analysis Counter-measures 4 Conclusion 17 / 39

32 Diffie-Hellmann key exchange Alice and Bob agree on a group (G, +, O) and a generating point of the group P. Alice Bob 18 / 39

33 Diffie-Hellmann key exchange Alice and Bob agree on a group (G, +, O) and a generating point of the group P. Alice Bob a random() b random() 18 / 39

34 Diffie-Hellmann key exchange Alice and Bob agree on a group (G, +, O) and a generating point of the group P. Alice a random() Computes A = a P Bob b random() Computes B = b P 18 / 39

35 Diffie-Hellmann key exchange Alice and Bob agree on a group (G, +, O) and a generating point of the group P. Alice a random() Computes A = a P sends A sends B Bob b random() Computes B = b P 18 / 39

36 Diffie-Hellmann key exchange Alice and Bob agree on a group (G, +, O) and a generating point of the group P. Alice a random() Computes A = a P Computes K = a B sends A sends B Bob b random() Computes B = b P Computes K = b A Shared secret key K = a b P 18 / 39

37 Diffie-Hellmann key exchange Alice and Bob agree on a group (G, +, O) and a generating point of the group P. Alice a random() Computes A = a P Computes K = a B sends A sends B Bob b random() Computes B = b P Computes K = b A Shared secret key K = a b P Discrete log problem: given A in < P > find a such that A = a P. 18 / 39

38 Diffie-Hellmann key exchange Alice and Bob agree on a group (G, +, O) and a generating point of the group P. Alice a random() Computes A = a P Computes K = a B sends A sends B Bob b random() Computes B = b P Computes K = b A Shared secret key K = a b P Discrete log problem: given A in < P > find a such that A = a P. The main operation is the scalar multiplication a P. 18 / 39

39 Outline 1 Regular exponentiation in RSA cryptosystem RSA encryption Simple power analysis Proposed counter-measure 2 Extension to Hyper-elliptic curve Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication 3 Differential power analysis and counter-measures Differential power analysis Counter-measures 4 Conclusion 19 / 39

40 Group law for an elliptic curve y 2 = x 3 2x + 1 P = (x P, y P ) Q = (x Q, y Q ) x 20 / 39

41 Group law for an elliptic curve y 2 = x 3 2x + 1 R = P + Q P = (x P, y P ) Q = (x Q, y Q ) x Addition (chord): { xr = λ x P x Q y R = y P λ(x R x P ) with λ = y P y Q x P x Q 20 / 39

42 Group law for an elliptic curve y 2 = x 3 2x + 1 R = P + Q P = (x P, y P ) P = (x P, y P ) Q = (x Q, y Q ) x x R = 2P Addition (chord): { xr = λ x P x Q y R = y P λ(x R x P ) with λ = y P y Q x P x Q Doubling (tangent) 20 / 39

43 Scalar multiplication : k P P x Double-and-add for k P R O for i = l 1 to 0 do R 2 R if k i = 1 then R R + P endif endfor return(r) 2P Scalar multiplication: 7P 2 P 3P = (2P) + P 6P = 2 (3P) 7P = (6P) + P 21 / 39

44 Scalar multiplication : k P P 3P x Double-and-add for k P R O for i = l 1 to 0 do R 2 R if k i = 1 then R R + P endif endfor return(r) 2P Scalar multiplication: 7P 2 P 3P = (2P) + P 6P = 2 (3P) 7P = (6P) + P 21 / 39

45 Scalar multiplication : k P 6P P 3P x Double-and-add for k P R O for i = l 1 to 0 do R 2 R if k i = 1 then R R + P endif endfor return(r) Scalar multiplication: 7P 2 P 3P = (2P) + P 6P = 2 (3P) 7P = (6P) + P 21 / 39

46 Scalar multiplication : k P 6P P x 7P Double-and-add for k P R O for i = l 1 to 0 do R 2 R if k i = 1 then R R + P endif endfor return(r) Scalar multiplication: 7P 2 P 3P = (2P) + P 6P = 2 (3P) 7P = (6P) + P 21 / 39

47 Outline 1 Regular exponentiation in RSA cryptosystem RSA encryption Simple power analysis Proposed counter-measure 2 Extension to Hyper-elliptic curve Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication 3 Differential power analysis and counter-measures Differential power analysis Counter-measures 4 Conclusion 22 / 39

48 Hyperelliptic curve H : y 2 = x 5 5x + 4x x 23 / 39

49 Hyperelliptic curve H : y 2 = x 5 5x + 4x Goup elements: pair of points D = P 0 + P 1 on H encoded as P 0 x u(x) = (x x 0 )(x x 1 ) v(x) = x 2 + v 1 x + v 0 { v(x0 ) = y such that 0 v(x 1 ) = y 1 P 1 23 / 39

50 Hyperelliptic curve H : y 2 = x 5 5x + 4x Goup elements: pair of points D = P 0 + P 1 on H encoded as P 0 x u(x) = (x x 0 )(x x 1 ) v(x) = x 2 + v 1 x + v 0 { v(x0 ) = y such that 0 v(x 1 ) = y 1 P 1 23 / 39

51 Hyperelliptic curve H : y 2 = x 5 5x + 4x Goup elements: pair of points D = P 0 + P 1 on H encoded as u(x) = (x x 0 )(x x 1 ) P 0 P 1 P 3 P 2 x v(x) = x 2 + v 1 x + v 0 { v(x0 ) = y such that 0 v(x 1 ) = y 1 Addition of D = P 0 + P 1 and D = P 2 + P 3 : 23 / 39

52 Hyperelliptic curve H : y 2 = x 5 5x + 4x Goup elements: pair of points D = P 0 + P 1 on H encoded as u(x) = (x x 0 )(x x 1 ) P 0 P 1 P 3 P 2 x v(x) = x 2 + v 1 x + v 0 { v(x0 ) = y such that 0 v(x 1 ) = y 1 Addition of D = P 0 + P 1 and D = P 2 + P 3 : Let the curve going through all P i s. C : y = w 3 x 3 + w 2 x 2 + w 1 x + w / 39

53 Hyperelliptic curve H : y 2 = x 5 5x + 4x Goup elements: pair of points D = P 0 + P 1 on H encoded as P 0 u(x) = (x x 0 )(x x 1 ) v(x) = x 2 + v 1 x + v 0 P 3 Q 0 P 2 P 1 Q 1 x such that { v(x0 ) = y 0 v(x 1 ) = y 1 Addition of D = P 0 + P 1 and D = P 2 + P 3 : Let the curve going through all P i s. C : y = w 3 x 3 + w 2 x 2 + w 1 x + w 0. H C = {P0, P 1, P 2, P 3, Q 0, Q 1 }. 23 / 39

54 Hyperelliptic curve H : y 2 = x 5 5x + 4x Q 1 Goup elements: pair of points D = P 0 + P 1 on H encoded as P 0 u(x) = (x x 0 )(x x 1 ) v(x) = x 2 + v 1 x + v 0 P 3 Q 0 P 2 P 1 Q 0 Q 1 x such that { v(x0 ) = y 0 v(x 1 ) = y 1 Addition of D = P 0 + P 1 and D = P 2 + P 3 : Let the curve going through all P i s. C : y = w 3 x 3 + w 2 x 2 + w 1 x + w 0. H C = {P 0, P 1, P 2, P 3, Q 0, Q 1 }. D + D = Q 0 + Q / 39

55 Outline 1 Regular exponentiation in RSA cryptosystem RSA encryption Simple power analysis Proposed counter-measure 2 Extension to Hyper-elliptic curve Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication 3 Differential power analysis and counter-measures Differential power analysis Counter-measures 4 Conclusion 24 / 39

56 Scalar multiplication on H with half-size splitting Proposed regular scalar multiplication k D while IsIrreducible(u(x)) do D 2 D k k/2 mod # < D > end while Factorize u(x) = (x x 0 )(x x 1 ) D 0 (x x i, v(x i )), D 1 (x x i, v(x i )) R D 0 for i = l 1 to 0 do R 2 R if k i = 0 then R R + D 0 else R R + D 1 end if end for R R + D 0 return R 25 / 39

57 Scalar multiplication on H with half-size splitting Proposed regular scalar multiplication k D while IsIrreducible(u(x)) do D 2 D k k/2 mod # < D > end while Factorize u(x) = (x x 0 )(x x 1 ) D 0 (x x i, v(x i )), D 1 (x x i, v(x i )) R D 0 for i = l 1 to 0 do R 2 R if k i = 0 then R R + D 0 else R R + D 1 end if end for R R + D 0 return R 25 / 39

58 Scalar multiplication on H with half-size splitting Proposed regular scalar multiplication k D while IsIrreducible(u(x)) do D 2 D k k/2 mod # < D > end while Factorize u(x) = (x x 0 )(x x 1 ) D 0 (x x i, v(x i )), D 1 (x x i, v(x i )) R D 0 for i = l 1 to 0 do R 2 R if k i = 0 then R R + D 0 else R R + D 1 end if end for R R + D 0 return R 25 / 39

59 Factorization u(x) = x 2 + u 1 x + u 0 We work in the field F p = Z/pZ and use u(x) = (x u )(x + u 1 ) where = u1 2 4u / 39

60 Factorization u(x) = x 2 + u 1 x + u 0 We work in the field F p = Z/pZ and use u(x) = (x u )(x + u 1 ) where = u1 2 4u 0. 2 IsIrreducible: 1 Test if is a square-root with the Jacobi symbol ( ) { 1 if is a square = p 1 if is not a square 26 / 39

61 Factorization u(x) = x 2 + u 1 x + u 0 We work in the field F p = Z/pZ and use u(x) = (x u )(x + u 1 ) where = u1 2 4u 0. 2 IsIrreducible: 1 Test if is a square-root with the Jacobi symbol ( ) { 1 if is a square = p 1 if is not a square 2 Jacobi symbol computation: = 2 α and odd ( ) ( ) α ( ) 2 = p p p and then use for a and b odd ( ) ( ) a = ( 1) (a 1)(b 1) b mod a 4 b a 26 / 39

62 Factorization u(x) = x 2 + u 1 x + u 0 We work in the field F p = Z/pZ and use u(x) = (x u )(x + u 1 ) where = u1 2 4u 0. 2 IsIrreducible: 1 Test if is a square-root with the Jacobi symbol ( ) { 1 if is a square = p 1 if is not a square 2 Jacobi symbol computation: = 2 α and odd ( ) ( ) α ( ) 2 = p p p and then use for a and b odd ( ) ( ) a = ( 1) (a 1)(b 1) b mod a 4 b a Square root computation: if p 3 mod 4 then = p mod p. For other kinds of p an exponentiation + a few squares. 26 / 39

63 Complexity comparison for scalar multiplication on H(F p ) Regular scalar multiplication Op. formula Cost Montgomery-ladder (Kummer) Duquesne l(62m + 4S) Double-and-add-always Costello-Hisil l(52m + 11S) Proposed Costello-Hisil + Proposed l(49m + 9S) + O(1) M=Multiplication, S=Squaring, l is the bit length of k. 27 / 39

64 Outline 1 Regular exponentiation in RSA cryptosystem RSA encryption Simple power analysis Proposed counter-measure 2 Extension to Hyper-elliptic curve Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication 3 Differential power analysis and counter-measures Differential power analysis Counter-measures 4 Conclusion 28 / 39

65 Outline 1 Regular exponentiation in RSA cryptosystem RSA encryption Simple power analysis Proposed counter-measure 2 Extension to Hyper-elliptic curve Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication 3 Differential power analysis and counter-measures Differential power analysis Counter-measures 4 Conclusion 29 / 39

66 Differential power analysis: principle data1 b=1. 30 / 39

67 Differential power analysis: principle data1 b=1 data2 b=0. 30 / 39

68 Differential power analysis: principle data1 b=1 data2 data3 data4 b=0 b=0 b=1 b=1 data5 data6 data7 b=0 b=0 b=1 data8. 30 / 39

69 Differential power analysis: principle b=1 data1 data2 data3 data4 data5 data6 data7 data8 b=0 b=0 b=1 b=1 b=0 b=0 b=1 Guess b = 1 Guess b = / 39

70 Differential power analysis: principle b=1 data1 data2 data3 data4 data5 data6 data7 data8 b=0 b=0 b=1 b=1 b=0 b=0 b=1 Guess b = 1 Guess b = 0 ( trace blue) ( trace red). 30 / 39

71 Differential power analysis: principle data1 b=1 data2 data3 data4 b=0 b=0 b=1 b=1 data5 data6 data7 b=0 b=0 b=1 data8. 30 / 39

72 Differential power analysis: principle b=1 data1 data2 data3 data4 data5 data6 data7 data8 b=0 b=0 b=1 b=1 b=0 b=0 b=1 Guess b = 1 Guess b = 0 ( trace blue) ( trace red). 30 / 39

73 Differential power analysis: real life m loop 1 e 1 = 1 loop 2 e 2 = 0 loop 3 e 3 = 1 loop 4 e 4 = 0 loop 5 e 5 =?? 31 / 39

74 Differential power analysis: real life m loop 1 e 1 = 1 r 1 loop 2 e 2 = 0 r 2 loop 3 e 3 = 1 r 3 loop 4 e 4 = 0 r 4 loop 5 e 5 =?? 0 r 5 1 r 5 31 / 39

75 Differential power analysis: real life m loop 1 e 1 = 1 r 1 loop 2 e 2 = 0 r 2 loop 3 e 3 = 1 r 3 loop 4 e 4 = 0 r 4 loop 5 e 5 =?? 0 r 5 1 r 5 trace 1 trace 2 trace 3. trace L 31 / 39

76 Differential power analysis: real life m loop 1 e 1 = 1 r 1 loop 2 e 2 = 0 r 2 loop 3 e 3 = 1 r 3 loop 4 e 4 = 0 r 4 loop 5 e 5 =?? 0 r 5 1 r 5 trace 1 Differentials: trace 2 trace 3 correct guess wrong guess. trace L 31 / 39

77 Outline 1 Regular exponentiation in RSA cryptosystem RSA encryption Simple power analysis Proposed counter-measure 2 Extension to Hyper-elliptic curve Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication 3 Differential power analysis and counter-measures Differential power analysis Counter-measures 4 Conclusion 32 / 39

78 Counter-measures to DPA: message blinding Approach 1: pick a random α [1, N], set β = (α e ) 1 mod N m = m α mod N c = m e β mod N 33 / 39

79 Counter-measures to DPA: message blinding Approach 1: pick a random α [1, N], set β = (α e ) 1 mod N m = m α mod N c = m e β mod N Approach 2: Montgomery Multiplication: q a b N 1 mod M r (a b + q N)/M 33 / 39

80 Counter-measures to DPA: message blinding Approach 1: pick a random α [1, N], set β = (α e ) 1 mod N m = m α mod N c = m e β mod N Approach 2: Montgomery Multiplication: q a b N 1 mod M r (a b + q N)/M which satisfies r a b M 1 mod N. 33 / 39

81 Counter-measures to DPA: message blinding Approach 1: pick a random α [1, N], set β = (α e ) 1 mod N m = m α mod N c = m e β mod N Approach 2: Montgomery Multiplication: q a b N 1 mod M r (a b + q N)/M which satisfies r a b M 1 mod N. Montgomery representation: ã = am mod N leads to ã b M 1 mod N = ãb mod N 33 / 39

82 Counter-measures to DPA: message blinding Approach 1: pick a random α [1, N], set β = (α e ) 1 mod N m = m α mod N c = m e β mod N Approach 2: Montgomery Multiplication: q a b N 1 mod M r (a b + q N)/M which satisfies r a b M 1 mod N. Montgomery representation: ã = am mod N leads to ã b M 1 mod N = ãb mod N randomized M with the residue number system. 33 / 39

83 Exponent randomization (Coron 99) We have φ = (p 1)(q 1) and N = pq an RSA integer, then for all α N. m d+α φ mod N = m d mod N φ = #E(F q ) for an (hyper)elliptic curve P E(F q ) the for all α N. (d + αφ) P = d P Coron in 1999 propose to randomise an exponent d as d + αφ with α {0, 1} / 39

84 Problem can arise (Ciet-Joye 2003): The NIST B233 curve has order φ φ = ( ) 2 Then if we compute α φ with α of 20 bits we get α φ = ( ) 2 In d + α φ a big part of the bits of d are not blinded. 35 / 39

85 Randomisation with signed representation Signed recoding (Ha-Moon 2002): Let 1 = 1, then we have = = = / 39

86 Randomisation with signed representation Signed recoding (Ha-Moon 2002): Let 1 = 1, then we have = = = Let k = l 1 i=0 k i2 i can be recoded l 1 k = k i 2 i with k i {0, 1, 1} i=0 and there is 3 l /2 l such recoding, in average. 36 / 39

87 Randomisation with signed representation Signed recoding (Ha-Moon 2002): Let 1 = 1, then we have Let k = l 1 i=0 k i2 i can be recoded = = = l 1 k = k i 2 i with k i {0, 1, 1} i=0 and there is 3 l /2 l such recoding, in average. Bad recoding (Fouque et al. 2004): let then we have P j = (k 0,..., k j ) 2 P and P j = (k 0,..., k j ) 2 P P j = P j or P j = P j 2 j P. 36 / 39

88 Outline 1 Regular exponentiation in RSA cryptosystem RSA encryption Simple power analysis Proposed counter-measure 2 Extension to Hyper-elliptic curve Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication 3 Differential power analysis and counter-measures Differential power analysis Counter-measures 4 Conclusion 37 / 39

89 Conclusion We proposed a half-size splitting approach which works well for regular modular exponentiation, works well for regular scalar multiplication on hyperelliptic curves, but not so good on elliptic curves. Some challenge remains to counter-act side channel analysis: Good randomizations. Threat of horizontal attacks: use technique of DPA on a single trace. Require to inject randomisation all along computations, without too much penalty. 38 / 39

90 Thank you for your attention. Any questions? 39 / 39

Efficient Leak Resistant Modular Exponentiation in RNS

Efficient Leak Resistant Modular Exponentiation in RNS Andrea Lesavourey (1), Christophe Negre (1) and Thomas Plantard (2) (1) DALI (UPVD) and LIRMM (Univ. of Montpellier, CNRS), Perpignan, France (2)