Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis - PowerPoint PPT Presentation


  1. Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis. Christophe Negre ici, joint work with T. Plantard (U. of Wollongong, Australia). Journées Nationales GDR IM, January 19th, 2016. 1 / 39

  2. Outline
  1 Regular exponentiation in RSA cryptosystem: RSA encryption; Simple power analysis; Proposed counter-measure
  2 Extension to hyperelliptic curves: Diffie-Hellman key exchange; Elliptic curve; Hyperelliptic curve; Proposed regular scalar multiplication
  3 Differential power analysis and counter-measures: Differential power analysis; Counter-measures
  4 Conclusion
  2 / 39


  5. RSA encryption. Public key: a modulus $N = pq$ and a public exponent $e$. Private key: the exponent $d$ satisfying $ed \equiv 1 \bmod (p-1)(q-1)$.
  Encryption. A message $m \in \{0, \ldots, N-1\}$ is encrypted as $c = m^e \bmod N$.
  Decryption. $c \in \{0, \ldots, N-1\}$ is decrypted as $m = c^d \bmod N$.
  Correct since $\gcd(m, N) = 1 \Rightarrow m^{(p-1)(q-1)} \equiv 1 \bmod N$. 5 / 39

  7. Square-and-multiply exponentiation. Let $e = (e_{\ell-1}, \ldots, e_0)_2$; we compute $m^e \bmod N$ as follows:
    $r \leftarrow 1$
    for $i$ from $\ell-1$ downto $0$ do
      $r \leftarrow r^2 \bmod N$
      $r \leftarrow r \times m^{e_i} \bmod N$
    end for
    return $r$
  Init.: $r = 1$
  Loop 1: $1^2 \times m^{e_{\ell-1}}$
  Loop 2: $(m^{e_{\ell-1}})^2 \, m^{e_{\ell-2}} = m^{2e_{\ell-1} + e_{\ell-2}}$
  Loop 3: $(m^{2e_{\ell-1} + e_{\ell-2}})^2 \, m^{e_{\ell-3}} = m^{4e_{\ell-1} + 2e_{\ell-2} + e_{\ell-3}}$
  Etc. 6 / 39


  10. Simple power analysis. Consumption of a circuit computing $m^e \bmod N$: squaring $\neq$ multiplication, so the sequence of operations is visible in the trace. 8 / 39
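To make the slide's point concrete, here is an added example (not code from the slides or their authors): the square-and-multiply loop from slide 7 instrumented with an operation trace, plus the self-check a defender would run against it. If an observer can tell a squaring from a multiplication, the trace alone determines the exponent; `leaks_exponent` returns True exactly when that happens. The modulus 3233 = 61 × 53 and the base 5 are constructed sample values.

```python
# Added example: square-and-multiply (slide 7) with an operation trace.
# 'S' = squaring, 'M' = multiplication. Sample values are constructed.

def square_and_multiply(m, e, N):
    """Left-to-right square-and-multiply as on the slide.
    Returns (m^e mod N, trace) where trace lists the operations executed."""
    r = 1
    trace = []
    for bit in bin(e)[2:]:          # e = (e_{l-1}, ..., e_0)_2, most significant bit first
        r = r * r % N
        trace.append('S')
        if bit == '1':               # the multiplication only happens when e_i = 1
            r = r * m % N
            trace.append('M')
    return r, trace

def bits_from_trace(trace):
    """What a trace that distinguishes S from M exposes: every 'S' starts a
    new exponent bit, and the bit is 1 exactly when an 'M' follows it."""
    bits = []
    for op in trace:
        if op == 'S':
            bits.append(0)
        else:
            bits[-1] = 1
    return int(''.join(str(b) for b in bits), 2)

def leaks_exponent(e, N, m=5):
    """Defender-side self-check: True if the operation sequence of the
    naive loop determines e. For square-and-multiply it always does."""
    _, trace = square_and_multiply(m, e, N)
    return bits_from_trace(trace) == e

if __name__ == "__main__":
    N = 3233                           # constructed toy modulus, 61 * 53
    result, trace = square_and_multiply(5, 13, N)
    print(result, ''.join(trace), leaks_exponent(13, N))
```

The trace for e = 13 = (1101)_2 is SMSMSSM: the missing M after the third S is the zero bit, which is precisely the squaring-versus-multiplication difference that simple power analysis reads off the power consumption.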

  11. Counter-measure of the literature: square-always. Re-express multiplications as squarings: $ab = ((a+b)^2 - a^2 - b^2)/2$.
  Square-always (Clavier et al. 2011)
    $r \leftarrow 1$
    $m' \leftarrow m^2 \bmod N$
    for $i$ from $\ell-1$ downto $0$ do
      $r \leftarrow r^2 \bmod N$
      if $e_i = 1$ then
        $r \leftarrow ((r+m)^2 - m' - r^2)/2 \bmod N$
      end if
    end for
    return $r$
  Cost = $3\ell/2$ squarings. Drawback: non-constant computation time. 9 / 39

  12. Counter-measure of the literature: square-and-multiply-always. Renders the exponentiation regular and constant time.
  Square-and-multiply-always (Coron 99)
    $r \leftarrow 1$
    for $i$ from $\ell-1$ downto $0$ do
      $r \leftarrow r^2 \bmod N$
      if $e_i = 1$ then
        $r \leftarrow r \times m \bmod N$
      else
        $r' \leftarrow r \times m \bmod N$
      end if
    end for
    return $r$
  Cost = $\ell$ multiplications and $\ell$ squarings. 10 / 39


  14. Proposed counter-measure. Strategy: multiplicative splitting of $m$, $m = m_0^{-1} \times m_1 \bmod N$ with $m_0, m_1 \sim \sqrt{N}$.
    $r \leftarrow m_0^{-1}$
    for $i$ from $\ell-1$ downto $0$ do
      if $e_i = 0$ then
        $r \leftarrow r^2 \times m_0$
      else
        $r \leftarrow r^2 \times m_1$
      end if
    end for
    $r \leftarrow r \times m_0$
    return $r$
  Correctness: at the beginning of loop $i$, $r = m^{\alpha} \times m_0^{-1}$.
  If $e_i = 0$: $r^2 \times m_0 = m^{2\alpha} m_0^{-1}$.
  If $e_i = 1$: $r^2 \times m_1 = (m^{2\alpha} m_1 m_0^{-1}) \times m_0^{-1} = m^{2\alpha+1} m_0^{-1}$.
  After loop $i$: $r = m^{2\alpha + e_i} \times m_0^{-1}$. 12 / 39
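The three counter-measures of slides 11, 12 and 14 side by side, as an added example that is not the authors' code: each function returns the result together with its operation trace, and `regular_for` is the check a reviewer would apply, namely that the trace is identical for every exponent of the same bit length. For the proposed algorithm the splitting is taken as any invertible $m_0$ with $m_1 = m \cdot m_0 \bmod N$; the $\sqrt{N}$-sized pair from the extended Euclidean algorithm only matters for cost, not for correctness. The halving in square-always uses $(x + N)/2$ for odd $x$, which assumes $N$ odd (true for RSA). Modulus 3233 and base 5 are constructed sample values.

```python
# Added example: the three regular exponentiations from the slides, each
# returning (m^e mod N, trace). 'S' = squaring, 'M' = multiplication.
# All sample values are constructed; N is assumed odd.

def _halve(x, N):
    """x/2 mod N for odd N without a multiplication: x even -> x/2, else (x+N)/2."""
    return x // 2 if x % 2 == 0 else (x + N) // 2

def square_always(m, e, N):
    """Square-always (Clavier et al. 2011): a*b = ((a+b)^2 - a^2 - b^2)/2.
    Only squarings are executed, but how many depends on the weight of e."""
    m2 = m * m % N                     # m' <- m^2 mod N, computed once
    r, trace = 1, ['S']
    for bit in bin(e)[2:]:
        r = r * r % N; trace.append('S')
        if bit == '1':
            r2 = r * r % N; trace.append('S')
            s = (r + m) * (r + m) % N; trace.append('S')
            r = _halve((s - m2 - r2) % N, N)
    return r, trace

def square_and_multiply_always(m, e, N):
    """Square-and-multiply-always (Coron 99): one squaring and one
    multiplication per bit; when e_i = 0 the product goes to a dummy r'."""
    r, trace = 1, []
    for bit in bin(e)[2:]:
        r = r * r % N; trace.append('S')
        t = r * m % N; trace.append('M')
        if bit == '1':
            r = t
        else:
            _r_prime = t               # dummy register r'
    return r, trace

def split_exponentiation(m0, m1, e, N):
    """Proposed counter-measure with m = m0^{-1} * m1 mod N: every iteration
    is a squaring and a real multiplication by m0 or m1, so the trace is
    independent of e and no dummy operation is needed."""
    r = pow(m0, -1, N)                 # r <- m0^{-1}; requires gcd(m0, N) = 1
    trace = []
    for bit in bin(e)[2:]:
        r = r * r % N; trace.append('S')
        r = r * (m1 if bit == '1' else m0) % N; trace.append('M')
    return r * m0 % N, trace           # final r <- r * m0

def proposed(m, e, N, m0=7):
    """Proposed algorithm with an arbitrary invertible m0 and m1 = m*m0 mod N
    (the sqrt(N)-sized pair would come from the extended Euclidean algorithm)."""
    return split_exponentiation(m0, m * m0 % N, e, N)

def regular_for(algorithm, exponents, N, m=5):
    """Reviewer check: the operation sequence must not depend on the exponent."""
    traces = {tuple(algorithm(m, e, N)[1]) for e in exponents}
    return len(traces) == 1

if __name__ == "__main__":
    N, same_length = 3233, [13, 11, 8]    # 4-bit exponents of weights 3, 3, 1
    for alg in (square_always, square_and_multiply_always, proposed):
        print(alg.__name__, regular_for(alg, same_length, N))
```

Run on the three 4-bit exponents, the two regular algorithms produce the same trace every time, while square-always produces 1 + ℓ + 2·HW(e) squarings and therefore fails the check, which is the "non-constant computation time" drawback the slide names.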

  19. Euclidean algorithm. Principle. Let $a, b \in \mathbb{N}$ with $a \geq b \geq 0$: $\gcd(a, b) = \gcd(a - qb, b)$ for all $q \in \mathbb{Z}$.
  Sequence of modular reductions:
    $r_0 \leftarrow a$
    $r_1 \leftarrow b$
    $r_2 \leftarrow r_0 \bmod r_1$
    $r_3 \leftarrow r_1 \bmod r_2$
    $\ldots$
    $r_i \leftarrow r_{i-2} \bmod r_{i-1}$
    $\ldots$
  $\gcd(a, b)$ is the last $r_i \neq 0$.
  Extended Euclidean algorithm. Compute $u$ and $v$ such that $ua + vb = \gcd(a, b)$ as follows:
  1 We set $u_0 = 1, v_0 = 0$ and $u_1 = 0, v_1 = 1$.
  2 We iterate, each row being the row two above it minus $q_i$ times the row above it, where $q_i = \lfloor r_{i-1} / r_i \rfloor$:
    $u_0 a + v_0 b = r_0$
    $u_1 a + v_1 b = r_1$   $\times (-q_1)$
    $u_2 a + v_2 b = r_2$   $\times (-q_2)$
    $u_3 a + v_3 b = r_3$   $\times (-q_3)$
    $u_4 a + v_4 b = r_4$   $\times (-q_4)$
    $\ldots$
  13 / 39

  24. Multiplicative splitting of $m$. We have $m$ and $N$ and we want $m = m_0^{-1} \times m_1 \bmod N$ with $m_0, m_1 \sim \sqrt{N}$.
  The extended Euclidean algorithm applied to $a = N$ and $b = m$ computes, row by row, the triples $(r_i, u_i, v_i)$ with $u_i N + v_i m = r_i$: $(r_0, u_0, v_0)$, $(r_1, u_1, v_1)$, $(r_2, u_2, v_2)$, $(r_3, u_3, v_3)$, $\ldots$ 14 / 39
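An added example covering slides 19 to 24 (not code from the slides or their authors): the extended Euclidean algorithm written exactly as the rows $(r_i, u_i, v_i)$ with $u_i a + v_i b = r_i$, and the multiplicative splitting read off those rows when $a = N$, $b = m$. Reducing $u_i N + v_i m = r_i$ modulo $N$ gives $v_i m \equiv r_i$, so $m \equiv v_i^{-1} r_i \pmod N$, i.e. $m_0 = v_i$ and $m_1 = r_i$. Stopping at the first row with $r_i \le \sqrt{N}$ is the choice made here, not something the slides shown state; it gives $|v_i| \le N / r_{i-1} < \sqrt{N}$ because $|v_i| r_{i-1} + |v_{i-1}| r_i = N$. The example assumes $\gcd(m, N) = 1$ and returns $m_0$ with its sign; the modulus 3233 = 61 × 53 and the message 1000 are constructed sample values.

```python
# Added example: extended Euclidean rows (r_i, u_i, v_i) with
# u_i*a + v_i*b = r_i, and the multiplicative splitting m = m0^{-1} * m1 mod N
# read off the rows. Sample values are constructed.
from math import isqrt

def extended_euclid_rows(a, b):
    """Rows (r_i, u_i, v_i) satisfying u_i*a + v_i*b = r_i, for a >= b >= 0.
    Row 0 is (a, 1, 0), row 1 is (b, 0, 1), and row i+1 is
    row_{i-1} - q_i * row_i with q_i = r_{i-1} // r_i, until r = 0."""
    rows = [(a, 1, 0), (b, 0, 1)]
    while rows[-1][0] != 0:
        (r0, u0, v0), (r1, u1, v1) = rows[-2], rows[-1]
        q = r0 // r1
        rows.append((r0 - q * r1, u0 - q * u1, v0 - q * v1))
    return rows

def gcd_from_rows(rows):
    """gcd(a, b) is the last r_i != 0, i.e. the row before the final zero row."""
    return rows[-2][0]

def multiplicative_split(m, N):
    """Return (m0, m1) with m = m0^{-1} * m1 mod N and |m0|, m1 <= isqrt(N).
    On (a, b) = (N, m) the rows give v_i*m = r_i (mod N), so m0 = v_i, m1 = r_i.
    Stopping at the first r_i <= sqrt(N) is an assumption made here (the
    slides only show the rows); it bounds |v_i| by N / r_{i-1} < sqrt(N).
    m0 is returned signed; reduce it mod N before inverting. Needs gcd(m, N) = 1."""
    bound = isqrt(N)
    for r, _u, v in extended_euclid_rows(N, m):
        if r <= bound:
            return v, r
    raise ValueError("unreachable: the final row has r = 0 <= bound")

def check_split(m, N):
    """Verify the splitting: the identity m = m0^{-1} * m1 mod N holds and
    both halves are at most sqrt(N) in absolute value."""
    m0, m1 = multiplicative_split(m, N)
    identity_ok = pow(m0 % N, -1, N) * m1 % N == m
    small_ok = abs(m0) <= isqrt(N) and m1 <= isqrt(N)
    return identity_ok, small_ok

if __name__ == "__main__":
    N, m = 3233, 1000                    # constructed toy values
    for row in extended_euclid_rows(N, m):
        print(row)
    print(multiplicative_split(m, N), check_split(m, N))
```

For N = 3233 and m = 1000 the rows are (3233, 1, 0), (1000, 0, 1), (233, 1, −3), (68, −4, 13), (29, 13, −42), ... and the first row with r_i ≤ 56 = ⌊√3233⌋ is (29, 13, −42), so m_0 = −42 and m_1 = 29: indeed 13·3233 − 42·1000 = 29, and both 42 and 29 are about half the size of N in bits, which is what makes the multiplications by m_0 and m_1 in the proposed exponentiation cheap.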
