Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis
Christophe Negre, joint work with T. Plantard (U. of Wollongong, Australia)
Journees Nationales GDR IM, January 19-th
Outline
1. Regular exponentiation in RSA cryptosystem
   - RSA encryption
   - Simple power analysis
   - Proposed counter-measure
2. Extension to Hyper-elliptic curve
   - Diffie-Hellman key exchange
   - Elliptic curve
   - Hyperelliptic curve
   - Proposed regular scalar multiplication
3. Differential power analysis and counter-measures
   - Differential power analysis
   - Counter-measures
4. Conclusion

RSA encryption
Public key: a modulus $N = pq$ and a public exponent $e$.
Private key: the exponent $d$ satisfying $ed = 1 \bmod (p-1)(q-1)$.
Encryption. A message $m \in \{0, \dots, N-1\}$ is encrypted as $c = m^e \bmod N$.
Decryption. $c \in \{0, \dots, N-1\}$ is decrypted as $m = c^d \bmod N$.
Correct since: $\gcd(m, N) = 1 \Rightarrow m^{(p-1)(q-1)} \equiv 1 \bmod N$.

Square-and-multiply exponentiation
Let $e = (e_{l-1}, \dots, e_0)_2$; we compute $m^e \bmod N$ as follows:

    r ← 1
    for i from l-1 downto 0 do
        r ← r^2 mod N
        r ← r · m^{e_i} mod N
    end for
    return r

Init.: $r = 1$
Loop 1: $1^2 \cdot m^{e_{l-1}}$
Loop 2: $(m^{e_{l-1}})^2 \cdot m^{e_{l-2}} = m^{2e_{l-1} + e_{l-2}}$
Loop 3: $(m^{2e_{l-1} + e_{l-2}})^2 \cdot m^{e_{l-3}} = m^{4e_{l-1} + 2e_{l-2} + e_{l-3}}$
Etc.

Simple power analysis
Consumption of a circuit computing $m^e \bmod N$ (figure: power trace with the squaring and multiplication segments labelled).

Counter-measure of the literature: square-always
Re-express multiplications as squarings: $ab = ((a + b)^2 - a^2 - b^2)/2$
Square-and-multiply-always (Clavier et al. 2011)

    r ← 1
    m' ← m^2 mod N
    for i from l-1 downto 0 do
        r ← r^2 mod N
        if e_i = 1 then
            r ← ((r + m)^2 - m' - r^2)/2 mod N
        end if
    end for
    return r

Cost = 3l/2 squarings. Drawback: non-constant computation time.

Counter-measure of the literature: square-and-multiply-always
Renders the exponentiation regular and constant time.
Square-and-multiply-always (Coron 99)

    r ← 1
    for i from l-1 downto 0 do
        r ← r^2 mod N
        if e_i = 1 then
            r ← r · m mod N
        else
            r' ← r · m mod N
        end if
    end for
    return r

Cost = l multiplications and l squarings.

Proposed counter-measure
Strategy: multiplicative splitting of $m$: $m = m_0^{-1} m_1 \bmod N$ with $m_0, m_1 \cong N^{1/2}$.

    r ← m_0^{-1}
    for i from l-1 downto 0 do
        if e_i = 0 then
            r ← r^2 · m_0
        else
            r ← r^2 · m_1
        end if
    end for
    r ← r · m_0
    return r

Correctness:
At beginning of loop i: $r = m^{\alpha} m_0^{-1}$
If $e_i = 0$: $r^2 m_0 = m^{2\alpha} m_0^{-1}$
If $e_i = 1$: $r^2 m_1 = (m^{2\alpha} m_1 m_0^{-1}) m_0^{-1} = m^{2\alpha+1} m_0^{-1}$
After loop i: $r = m^{2\alpha + e_i} m_0^{-1}$

Euclidean algorithm
Principle. Let $a, b \in \mathbb{N}$ with $a \geq b \geq 0$: $\gcd(a, b) = \gcd(a - qb, b)$ for all $q \in \mathbb{Z}$.
Sequence of modular reductions:

    r_0 ← a
    r_1 ← b
    r_2 ← r_0 mod r_1
    r_3 ← r_1 mod r_2
    ...
    r_i ← r_{i-2} mod r_{i-1}
    ...

$\gcd(a, b)$ is the last $r_i \neq 0$.

Extended Euclidean algorithm
Compute $u$ and $v$ such that $ua + vb = \gcd(a, b)$ as follows:
1. We set: $u_0 = 1, v_0 = 0$ and $u_1 = 0, v_1 = 1$.
2. We iterate:
   $u_0 a + v_0 b = r_0$
   $u_1 a + v_1 b = r_1$   $(q_1)$
   $u_2 a + v_2 b = r_2$   $(q_2)$
   $u_3 a + v_3 b = r_3$   $(q_3)$
   $u_4 a + v_4 b = r_4$   $(q_4)$
   ...

Multiplicative splitting of m
We have $m$ and $N$ and we want $m = m_0^{-1} m_1 \bmod N$ with $m_0, m_1 \cong N^{1/2}$.
Extended Euclidean algorithm computes $r_i$, $u_i$, $v_i$ (figure: $m$, $N$ and the successive $r_i$, $u_i$, $v_i$ for $i = 0$ to $3$).
We stop when $u_i, r_i \cong N^{1/2}$:
$u_i m + v_i N = r_i \Rightarrow m = u_i^{-1} r_i \bmod N$,
and $m_0 = u_i$ and $m_1 = r_i$ are good!
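
The splitting step and the regular loop of the proposed counter-measure, next to plain square-and-multiply, as an added Python example (not the authors' implementation). Function names, the "S"/"M"/"h" trace letters and the toy modulus used to exercise it are assumptions of this example; Python integers are not side-channel safe, so the traces only show the sequence of arithmetic operations.

```python
from math import isqrt


def half_size_split(m, N):
    """Return (m0, m1) with m0 * m = m1 (mod N), |m0| <= sqrt(N), 0 <= m1 <= sqrt(N).

    Extended Euclidean algorithm on (N, m), keeping only the coefficient
    u_i of m, stopped at the first remainder r_i <= sqrt(N).
    """
    bound = isqrt(N)
    r_prev, r_cur = N, m % N
    u_prev, u_cur = 0, 1                 # invariant: u * m = r (mod N)
    while r_cur > bound:
        q = r_prev // r_cur
        r_prev, r_cur = r_cur, r_prev - q * r_cur
        u_prev, u_cur = u_cur, u_prev - q * u_cur
    return u_cur, r_cur                  # m0 may be negative, still half-size


def square_and_multiply(m, e, N):
    """Unprotected left-to-right exponentiation: (m^e mod N, operation trace)."""
    r, trace = 1, []
    for i in range(e.bit_length() - 1, -1, -1):
        r = r * r % N
        trace.append("S")
        if (e >> i) & 1:                 # extra multiplication only for 1 bits
            r = r * m % N
            trace.append("M")
    return r, "".join(trace)


def regular_split_exp(m, e, N):
    """Regular exponentiation with m = m0^{-1} * m1: (m^e mod N, operation trace).

    Every iteration is one squaring followed by one multiplication by a
    half-size operand ("h"), whatever the exponent bit is.
    Raises ValueError if m0 is not invertible mod N (only possible when
    gcd(m, N) != 1). Needs Python 3.8+ for pow(x, -1, N).
    """
    m0, m1 = half_size_split(m, N)
    r = pow(m0 % N, -1, N)               # r = m0^{-1}
    trace = []
    for i in range(e.bit_length() - 1, -1, -1):
        factor = m1 if (e >> i) & 1 else m0
        r = r * r * factor % N           # invariant: r = m^alpha * m0^{-1}
        trace.append("Sh")
    return r * m0 % N, "".join(trace)


if __name__ == "__main__":
    N = 1000003 * 1000033                # constructed toy modulus
    m, e = 123456789, 0b1011
    print(half_size_split(m, N))
    print(square_and_multiply(m, e, N))  # trace spells out the bits of e
    print(regular_split_exp(m, e, N))    # trace depends only on the bit length
```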

Complexity comparison
Exponent of size $l$ bits. Integer modulo $N$ on $t$ computer words. Multiplication/squaring in $O(t^2)$.

| Property | Algorithm | #word op. | Timing in $10^3$ CC, 2040 bits | Timing in $10^3$ CC, 3070 bits |
|---|---|---|---|---|
| None | Square-and-multiply | $7.5lt^2 + O(lt)$ | | |
| Reg. | Multiply-always | $9lt^2 + O(lt)$ | | |
| Reg. | Square-always | $9lt^2 + O(lt)$ | | |
| Reg. and CT | Square-and-mult-always | $10.5lt^2 + O(lt)$ | | |
| Reg. and CT | Montgomery-ladder | $10.5lt^2 + O(lt)$ | | |
| Reg. and CT | Montgomery-ladder opt. | $9lt^2 + O(lt)$ | | |
| Reg. and CT | Proposed | $7.5lt^2 + O(lt)$ | | |

Reg. = Regular and CT = Constant time.

Diffie-Hellman key exchange
Alice and Bob agree on a group $(G, +, O)$ and a generating point $P$ of the group.

Alice:
    a ← random()
    Computes A = a · P
    sends A
    Computes K = a · B
Bob:
    b ← random()
    Computes B = b · P
    sends B
    Computes K = b · A

Shared secret key $K = a \cdot b \cdot P$
Discrete log problem: given $A$ in $\langle P \rangle$ find $a$ such that $A = a \cdot P$.
The main operation is the scalar multiplication $a \cdot P$.

Group law for an elliptic curve
$y^2 = x^3 - 2x + 1$
(Figure: the curve with $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$, the chord giving $R = P + Q$ and the tangent at $P$ giving $R = 2P$.)
Addition (chord):
$x_R = \lambda^2 - x_P - x_Q$
$y_R = -y_P - \lambda(x_R - x_P)$
with $\lambda = \frac{y_P - y_Q}{x_P - x_Q}$
Doubling (tangent)

Scalar multiplication: k · P
Double-and-add for k · P

    R ← O
    for i = l-1 to 0 do
        R ← 2 · R
        if k_i = 1 then
            R ← R + P
        endif
    endfor
    return(R)

Scalar multiplication: 7P
2 · P
3P = (2P) + P
6P = 2 · (3P)
7P = (6P) + P
(Figure: the points P, 2P, 3P, 6P and 7P on the curve.)

Hyperelliptic curve
H : y 2 = x 5 5x + 4x
(Figure: the curve H with the points $P_0$, $P_1$, $P_2$, $P_3$, $Q_0$, $Q_1$.)
Group elements: pair of points $D = P_0 + P_1$ on $H$ encoded as
$u(x) = (x - x_0)(x - x_1)$
$v(x) = x^2 + v_1 x + v_0$
such that $v(x_0) = y_0$ and $v(x_1) = y_1$.
Addition of $D = P_0 + P_1$ and $D' = P_2 + P_3$:
Let $C$ be the curve going through all the $P_i$: $C : y = w_3 x^3 + w_2 x^2 + w_1 x + w_0$.
$H \cap C = \{P_0, P_1, P_2, P_3, Q_0, Q_1\}$.
D + D = Q 0 + Q

Scalar multiplication on H with half-size splitting
Proposed regular scalar multiplication k · D

    while IsIrreducible(u(x)) do
        D ← 2 · D
        k ← k/2 mod #<D>
    end while
    Factorize u(x) = (x - x_0)(x - x_1)
    D_0 ← (x - x_i, v(x_i)), D_1 ← (x - x_i, v(x_i))
    R ← D_0
    for i = l-1 to 0 do
        R ← 2 · R
        if k_i = 0 then
            R ← R + D_0
        else
            R ← R + D_1
        end if
    end for
    R ← R + D_0
    return R

Factorization
$u(x) = x^2 + u_1 x + u_0$
We work in the field $F_p = \mathbb{Z}/p\mathbb{Z}$ and use
$u(x) = \left(x + \frac{u_1 - \sqrt{u_1^2 - 4u_0}}{2}\right)\left(x + \frac{u_1 + \sqrt{u_1^2 - 4u_0}}{2}\right)$.
IsIrreducible:
1. Test if $u_1^2 - 4u_0$ is a square with the Jacobi symbol:
   $\left(\frac{u_1^2 - 4u_0}{p}\right) = 1$ if it is a square, $-1$ if it is not a square.
2. Jacobi symbol computation: factor out the power of two $2^{\alpha}$, leaving an odd part; the symbol is then $\left(\frac{2}{p}\right)^{\alpha}$ times the Jacobi symbol of the odd part over $p$. Then use, for $a$ and $b$ odd,
   $\left(\frac{a}{b}\right) = (-1)^{\frac{(a-1)(b-1)}{4}} \left(\frac{b \bmod a}{a}\right)$.
Square root computation: if $p \equiv 3 \bmod 4$ the square root is obtained by one exponentiation mod $p$. For other kinds of $p$: an exponentiation + a few squares.
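
The IsIrreducible test and the factorization of u(x) from this slide, as an added Python example (not the authors' code). It covers only the case p ≡ 3 mod 4 and uses the standard square-root exponent (p+1)/4 for that case; the function names are assumptions of this example.

```python
def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, using the factor-2 rule and reciprocity."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                # (2/n) = -1 exactly when n = 3 or 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                      # reciprocity for odd a and n
        if a % 4 == 3 and n % 4 == 3:    # sign (-1)^((a-1)(n-1)/4)
            result = -result
        a %= n
    return result if n == 1 else 0


def discriminant(u1, u0, p):
    """u1^2 - 4*u0 reduced mod p."""
    return (u1 * u1 - 4 * u0) % p


def is_irreducible(u1, u0, p):
    """True when x^2 + u1*x + u0 has no root in F_p (p an odd prime)."""
    return jacobi(discriminant(u1, u0, p), p) == -1


def sqrt_mod_p(a, p):
    """Square root of a mod p for a prime p = 3 mod 4: a^((p+1)/4) mod p."""
    if p % 4 != 3:
        raise ValueError("this example only handles p = 3 mod 4")
    s = pow(a, (p + 1) // 4, p)
    if s * s % p != a % p:
        raise ValueError("a is not a square mod p")
    return s


def factor_u(u1, u0, p):
    """Return (x0, x1) such that x^2 + u1*x + u0 = (x - x0)(x - x1) over F_p."""
    disc = discriminant(u1, u0, p)
    if jacobi(disc, p) == -1:
        raise ValueError("u(x) is irreducible over F_p")
    s = sqrt_mod_p(disc, p)
    inv2 = (p + 1) // 2                  # inverse of 2 modulo an odd p
    return (-u1 + s) * inv2 % p, (-u1 - s) * inv2 % p


if __name__ == "__main__":
    p = 10007                            # constructed small prime, 3 mod 4
    u1, u0 = (-(1234 + 4321)) % p, 1234 * 4321 % p
    print(is_irreducible(u1, u0, p), factor_u(u1, u0, p))
    print(is_irreducible(0, 1, p))       # x^2 + 1 has no root when p = 3 mod 4
```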

Complexity comparison for scalar multiplication on $H(F_p)$

| Regular scalar multiplication | Op. formula | Cost |
|---|---|---|
| Montgomery-ladder (Kummer) | Duquesne | $l(62M + 4S)$ |
| Double-and-add-always | Costello-Hisil | $l(52M + 11S)$ |
| Proposed | Costello-Hisil + Proposed | $l(49M + 9S) + O(1)$ |

M = Multiplication, S = Squaring, $l$ is the bit length of $k$.

Differential power analysis: principle
(Figure: power traces for data1 to data8, each labelled with a bit value b = 0 or b = 1; the traces are grouped under "Guess b = 1" (trace blue) and "Guess b = 0" (trace red).)

Differential power analysis: real life
(Figure: for a message $m$, loops 1 to 4 with $e_1 = 1$, $e_2 = 0$, $e_3 = 1$, $e_4 = 0$ give the intermediate values $r_1$, $r_2$, $r_3$, $r_4$; in loop 5 the bit $e_5$ is unknown and both candidates, 0 and 1, give a value $r_5$. Traces 1 to L are recorded and the differentials are shown for the correct guess and for the wrong guess.)

Counter-measures to DPA: message blinding
Approach 1: pick a random $\alpha \in [1, N]$, set $\beta = (\alpha^e)^{-1} \bmod N$:
$\tilde{m} = m \cdot \alpha \bmod N$
$c = \tilde{m}^e \cdot \beta \bmod N$
Approach 2: Montgomery multiplication:
$q \leftarrow -a \cdot b \cdot N^{-1} \bmod M$
$r \leftarrow (a \cdot b + q \cdot N)/M$
which satisfies $r \equiv a \cdot b \cdot M^{-1} \bmod N$.
Montgomery representation: $\tilde{a} = aM \bmod N$ leads to $\tilde{a} \cdot \tilde{b} \cdot M^{-1} \bmod N = \widetilde{ab} \bmod N$.
Randomized $M$ with the residue number system.

Exponent randomization (Coron 99)
We have $\varphi = (p-1)(q-1)$ and $N = pq$ an RSA integer; then $m^{d + \alpha\varphi} \bmod N = m^d \bmod N$ for all $\alpha \in \mathbb{N}$.
$\varphi = \#E(F_q)$ for an (hyper)elliptic curve and $P \in E(F_q)$; then $(d + \alpha\varphi) \cdot P = d \cdot P$ for all $\alpha \in \mathbb{N}$.
Coron in 1999 proposed to randomise an exponent $d$ as $d + \alpha\varphi$ with $\alpha \in \{0, 1\}^{20}$.

Problem can arise (Ciet-Joye 2003):
The NIST B233 curve has order φ = ( )_2
Then if we compute α · φ with α of 20 bits we get α · φ = ( )_2
In d + α · φ a big part of the bits of d are not blinded.
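
A check for the problem described on this slide, as an added Python example (not from the talk): it counts the bit positions of d that never change in d + α·φ over many 20-bit values of α. PHI_SPARSE, PHI_GENERIC and D are constructed stand-ins chosen for illustration, not the B233 order or a real key, and the function names are assumptions of this example.

```python
import random

# Constructed stand-ins (not real curve orders): a 233-bit value of the form
# 2^232 + c with c about 110 bits, and a 233-bit value with no special shape.
PHI_SPARSE = (1 << 232) + 0x2F3B9D4177A5C0E61B248F935AD7
PHI_GENERIC = random.Random(1).getrandbits(232) | (1 << 232) | 1
D = int("a5" * 29, 16)                   # constructed 232-bit secret scalar


def unblinded_bit_positions(d, phi, alpha_bits=20, trials=64, seed=0):
    """Bit positions of d that keep their value in d + alpha*phi for every sampled alpha.

    A seeded PRNG is used so the check is reproducible; a real
    countermeasure draws alpha from a cryptographic RNG.
    """
    rng = random.Random(seed)
    changed = 0
    for _ in range(trials):
        alpha = rng.getrandbits(alpha_bits)
        changed |= (d + alpha * phi) ^ d  # accumulate every bit that ever flipped
    return [i for i in range(d.bit_length()) if not (changed >> i) & 1]


def longest_exposed_window(positions):
    """Length of the longest run of consecutive positions in a sorted list."""
    best = run = 0
    prev = None
    for i in positions:
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best


if __name__ == "__main__":
    for name, phi in (("sparse", PHI_SPARSE), ("generic", PHI_GENERIC)):
        exposed = unblinded_bit_positions(D, phi)
        print(name, len(exposed), longest_exposed_window(exposed))
```

With the sparse stand-in, α·φ is α·2^232 plus a term below 2^130, so the bits of d between those two parts pass through the randomization unchanged.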

Randomisation with signed representation
Signed recoding (Ha-Moon 2002): Let $\bar{1} = -1$, then we have = = =
Let $k = \sum_{i=0}^{l-1} k_i 2^i$; it can be recoded as
$k = \sum_{i=0}^{l-1} k'_i 2^i$ with $k'_i \in \{0, 1, \bar{1}\}$,
and there are $3^l/2^l$ such recodings, on average.
Bad recoding (Fouque et al. 2004): let P j = (k 0,..., k j ) 2 P and P j = (k 0,..., k j ) 2 P, then we have P j = P j or P j = P j 2 j P.

Conclusion
We proposed a half-size splitting approach which
- works well for regular modular exponentiation,
- works well for regular scalar multiplication on hyperelliptic curves,
- but is not so good on elliptic curves.
Some challenges remain to counteract side-channel analysis:
- Good randomizations.
- Threat of horizontal attacks: use the techniques of DPA on a single trace.
- These require injecting randomisation all along the computation, without too much penalty.

Thank you for your attention. Any questions?
More informationPublic Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.
Public Key Cryptography All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other. The thing that is common among all of them is that each
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationOverview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017
CSC 580 Cryptography and Computer Security Math for Public Key Crypto, RSA, and Diffie-Hellman (Sections 2.4-2.6, 2.8, 9.2, 10.1-10.2) March 21, 2017 Overview Today: Math needed for basic public-key crypto
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationINTEGERS. In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes.
INTEGERS PETER MAYR (MATH 2001, CU BOULDER) In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes. 1. Divisibility Definition. Let a, b
More informationIntroduction to Public-Key Cryptosystems:
Introduction to Public-Key Cryptosystems: Technical Underpinnings: RSA and Primality Testing Modes of Encryption for RSA Digital Signatures for RSA 1 RSA Block Encryption / Decryption and Signing Each
More informationNumbers. Çetin Kaya Koç Winter / 18
Çetin Kaya Koç http://koclab.cs.ucsb.edu Winter 2016 1 / 18 Number Systems and Sets We represent the set of integers as Z = {..., 3, 2, 1,0,1,2,3,...} We denote the set of positive integers modulo n as
More informationCryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage
Cryptosystem Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage f(m). The receiver computes f 1 (f(m)). Advantage: Cannot
More informationHorizontal and Vertical Side-Channel Attacks against Secure RSA Implementations
Introduction Clavier et al s Paper This Paper Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations Aurélie Bauer Éliane Jaulmes Emmanuel Prouff Justine Wild ANSSI Session ID:
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:
More informationNumber Theory & Asymmetric Cryptography
Number Theory & Asymmetric Cryptography Modular Arithmetic Notations Ζ={, 2, 1, 0,1,2,, } Ζ m ={0,1, 2,,m 2, m 1} a b mod m a=b+km, integer k Addition mod m Given a b mod m and c d mod m (a+c) (b+d) mod
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More information10 Modular Arithmetic and Cryptography
10 Modular Arithmetic and Cryptography 10.1 Encryption and Decryption Encryption is used to send messages secretly. The sender has a message or plaintext. Encryption by the sender takes the plaintext and
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are
More informationTi Secured communications
Ti5318800 Secured communications Pekka Jäppinen September 20, 2007 Pekka Jäppinen, Lappeenranta University of Technology: September 20, 2007 Relies on use of two keys: Public and private Sometimes called
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationSide-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman
Side-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman Presenter: Reza Azarderakhsh CEECS Department and I-Sense, Florida Atlantic University razarderakhsh@fau.edu Paper by: Brian
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 14, 2013 CPSC 467b, Lecture 9 1/42 Integer Division (cont.) Relatively prime numbers, Z n, and φ(n) Computing in Z n
More informationArithmétique et Cryptographie Asymétrique
Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians
More informationCandidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.
UNIVERSITY OF EAST ANGLIA School of Mathematics May/June UG Examination 2010 2011 CRYPTOGRAPHY Time allowed: 2 hours Attempt THREE questions. Candidates must show on each answer book the type of calculator
More informationCPSC 467b: Cryptography and Computer Security
Outline Quadratic residues Useful tests Digital Signatures CPSC 467b: Cryptography and Computer Security Lecture 14 Michael J. Fischer Department of Computer Science Yale University March 1, 2010 Michael
More informationNumber theory (Chapter 4)
EECS 203 Spring 2016 Lecture 12 Page 1 of 8 Number theory (Chapter 4) Review Compute 6 11 mod 13 in an efficient way What is the prime factorization of 100? 138? What is gcd(100, 138)? What is lcm(100,138)?
More informationCryptography. P. Danziger. Transmit...Bob...
10.4 Cryptography P. Danziger 1 Cipher Schemes A cryptographic scheme is an example of a code. The special requirement is that the encoded message be difficult to retrieve without some special piece of
More informationEncryption: The RSA Public Key Cipher
Encryption: The RSA Public Key Cipher Michael Brockway March 5, 2018 Overview Transport-layer security employs an asymmetric public cryptosystem to allow two parties (usually a client application and a
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 8 February 1, 2012 CPSC 467b, Lecture 8 1/42 Number Theory Needed for RSA Z n : The integers mod n Modular arithmetic GCD Relatively
More informationCryptography. pieces from work by Gordon Royle
Cryptography pieces from work by Gordon Royle The set-up Cryptography is the mathematics of devising secure communication systems, whereas cryptanalysis is the mathematics of breaking such systems. We
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationbasics of security/cryptography
RSA Cryptography basics of security/cryptography Bob encrypts message M into ciphertext C=P(M) using a public key; Bob sends C to Alice Alice decrypts ciphertext back into M using a private key (secret)
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationAttacks on RSA & Using Asymmetric Crypto
Attacks on RSA & Using Asymmetric Crypto Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Breaking RSA 2.1 Chinese Remainder Theorem 2.2 Common
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationPartial Key Exposure: Generalized Framework to Attack RSA
Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure
More informationNotes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I
Number Theory: Applications Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Fall 2007 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 3.4 3.7 of Rosen cse235@cse.unl.edu
More informationNumber Theory and Algebra: A Brief Introduction
Number Theory and Algebra: A Brief Introduction Indian Statistical Institute Kolkata May 15, 2017 Elementary Number Theory: Modular Arithmetic Definition Let n be a positive integer and a and b two integers.
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationSquare Always Exponentiation
Square Always Exponentiation Christophe Clavier 1 Benoit Feix 1,2 Georges Gagnerot 1,2 Mylène Roussellet 2 Vincent Verneuil 2,3 1 XLIM-Université de Limoges, France 2 INSIDE Secure, Aix-en-Provence, France
More informationTheme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS
1 C Theme : Cryptography Instructor : Prof. C Pandu Rangan Speaker : Arun Moorthy 93115 CS 2 RSA Cryptosystem Outline of the Talk! Introduction to RSA! Working of the RSA system and associated terminology!
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationNetwork Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30
Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) LIU Zhen Due Date: March 30 Questions: 1. RSA (20 Points) Assume that we use RSA with the prime numbers p = 17 and q = 23. (a) Calculate
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationCryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups
Great Theoretical Ideas in CS V. Adamchik CS 15-251 Upcoming Interview? Lecture 24 Carnegie Mellon University Cryptography and RSA How the World's Smartest Company Selects the Most Creative Thinkers Groups
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationUniv.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.
Cryptography Univ.-Prof. Dr. rer. nat. Rudolf Mathar 1 2 3 4 15 15 15 15 60 Written Examination Cryptography Tuesday, August 29, 2017, 01:30 p.m. Name: Matr.-No.: Field of study: Please pay attention to
More informationLecture 22: RSA Encryption. RSA Encryption
Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationPower Analysis to ECC Using Differential Power between Multiplication and Squaring
Power Analysis to ECC Using Differential Power between Multiplication and Squaring Toru Akishita 1 and Tsuyoshi Takagi 2 1 Sony Corporation, Information Technologies Laboratories, Tokyo, Japan akishita@pal.arch.sony.co.jp
More informationCryptography and Security Midterm Exam
Cryptography and Security Midterm Exam Serge Vaudenay 23.11.2017 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationLecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya
BBM 205 Discrete Mathematics Hacettepe University http://web.cs.hacettepe.edu.tr/ bbm205 Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya Resources: Kenneth Rosen,
More informationLogic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation
Quantum logic gates Logic gates Classical NOT gate Quantum NOT gate (X gate) A NOT A α 0 + β 1 X α 1 + β 0 A N O T A 0 1 1 0 Matrix form representation 0 1 X = 1 0 The only non-trivial single bit gate
More informationSide-Channel Analysis on Blinded Regular Scalar Multiplications
Side-Channel Analysis on Blinded Regular Scalar Multiplications Extended Version Benoit Feix 1 and Mylène Roussellet 2 and Alexandre Venelli 3 1 UL Security Transactions, UK Security Lab benoit.feix@ul.com
More informationPublic Key Cryptography
Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood
More informationElliptic Curve Computations (1) View the graph and an elliptic curve Graph the elliptic curve y 2 = x 3 x over the real number field R.
Elliptic Curve Computations (1) View the graph and an elliptic curve Graph the elliptic curve y 2 = x 3 x over the real number field R. >> v = y^2 - x*(x-1)*(x+1) v = y^2 - x*(x-1)*(x+1) >> ezplot(v, [-1,3,-5,5])
More informationFinal Report. Cryptography and Number Theory Boot Camp NSF-REU. Summer 2017
Final Report Cryptography and Number Theory Boot Camp NSF-REU Angel Agüero Mahmoud El-Kishky Dietrich Jenkins Catherine Marin King Asa Linson Enrique Salcido Kaitlin Tademy Summer 2017 Abstract In this
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 9 September 30, 2015 CPSC 467, Lecture 9 1/47 Fast Exponentiation Algorithms Number Theory Needed for RSA Elementary Number Theory
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More information