efficient leak resistant modular exponentiation in rns
play

Efficient Leak Resistant Modular Exponentiation in RNS Andrea - PowerPoint PPT Presentation

Oct 15, 2023 •266 likes •708 views

Efficient Leak Resistant Modular Exponentiation in RNS Andrea Lesavourey (1) , Christophe Negre (1) and Thomas Plantard (2) (1) DALI (UPVD) and LIRMM (Univ. of Montpellier, CNRS), Perpignan, France (2) CCISR, SCIT, University of Wollongong,

  1. Efficient Leak Resistant Modular Exponentiation in RNS Andrea Lesavourey (1) , Christophe Negre (1) and Thomas Plantard (2) (1) DALI (UPVD) and LIRMM (Univ. of Montpellier, CNRS), Perpignan, France (2) CCISR, SCIT, University of Wollongong, Wollongong, Australia 24-th Symposium on Computer Arithmetic, London, July 26, 2017 1 / 19

  2. Outline Cryptography 1 RSA cryptosystem Power analysis Montgomery multiplication in RNS Randomized modular exponentiation in RNS 2 Randomized Montgomery multiplication Proposed approach Level of randomization Conclusion 3 2 / 19

  3. Outline Cryptography 1 RSA cryptosystem Power analysis Montgomery multiplication in RNS Randomized modular exponentiation in RNS 2 Randomized Montgomery multiplication Proposed approach Level of randomization Conclusion 3 3 / 19

  4. RSA encryption (Rivest, Shamir and Adleman) Bob chooses p and q two large prime numbers and computes N = pq . He generates E and D two integers such that ED = 1 (mod ( p − 1)( q − 1)). Public Key: N , D . Private Key: E , p , q . Alice encrypts a message m by: c = m D mod N . Bob decrypts c by doing: c E = m ED mod N = m . 4 / 19

  5. An algorithm for modular exponentiation : Right-to-left Square-and-multiply Require: A modulus N , an integer X ∈ [0 , N [ and an exponent E = ( e ℓ − 1 , . . . , e 0 ) 2 Ensure: R = X E (mod N ) ℓ − 1 e i 2 i � 1: R ← 1 X E = X i =0 2: Z ← X 3: for i from 0 to ℓ − 1 do X E = X e ℓ − 1 2 ℓ − 1 ×· · ·× X e 1 2 1 × X e 0 2 0 if e i = 1 then 4: R ← R × Z (mod N ) 5: end if 6: Z ← Z 2 (mod N ) 7: 8: end for 9: return R 5 / 19

  6. Simple power analysis E = ( e ℓ , . . . , e 0 ) 2 and X ∈ [0 , N [ ↑ Square-and-multiply R ← 1 Z ← X for i = 0 to ℓ − 1 do if e i = 1 then mod N R ← R · Z endif Z ← Z 2 mod N endfor return ( R ) 6 / 19

  7. Simple power analysis E = ( e ℓ , . . . , e 0 ) 2 and X ∈ [0 , N [ ↑ Square-and-multiply-always Square-and-multiply Montgomery-ladder R 0 ← 1 R ← 1 R ← 1 R 1 ← 1 Z ← X R ′ ← X Z ← X for i = 0 to ℓ − 1 do for i = ℓ to 1 do for i = 0 to ℓ − 1 do if e i = 1 then if k i = 1 then if e i = 0 then mod N R ← R · Z R ← R · R ′ mod N R 0 ← R 0 · Z mod N endif R ′ ← R ′ 2 else mod N Z ← Z 2 mod N R 1 ← R 1 · Z mod N else endfor endif R ′ ← R · R ′ mod N return ( R ) endfor R ← R 2 Z ← Z 2 mod N endif return ( R 1 ) endfor return ( R ) ↓ ↓ 6 / 19

  8. Differential power analysis m loop 1 loop 2 loop 3 loop 4 loop 5 e 1 = 1 e 2 = 0 e 3 = 1 e 4 = 0 e 5 =?? 7 / 19

  9. Differential power analysis m loop 1 loop 2 loop 3 loop 4 loop 5 e 1 = 1 e 2 = 0 e 3 = 1 e 4 = 0 e 5 =?? 0 r 5 r 1 r 2 r 3 r 4 r ′ 1 5 7 / 19

  10. Differential power analysis m loop 1 loop 2 loop 3 loop 4 loop 5 e 1 = 1 e 2 = 0 e 3 = 1 e 4 = 0 e 5 =?? 0 r 5 r 1 r 2 r 3 r 4 r ′ 1 5 trace 1 trace 2 trace 3 . . . . . . . . . . . . trace L 7 / 19

  11. Differential power analysis m loop 1 loop 2 loop 3 loop 4 loop 5 e 1 = 1 e 2 = 0 e 3 = 1 e 4 = 0 e 5 =?? 0 r 5 r 1 r 2 r 3 r 4 r ′ 1 5 trace 1 Differentials: trace 2 correct guess trace 3 . . . . . wrong guess . . . . . . . trace L 7 / 19

  12. Differential power analysis m loop 1 loop 2 loop 3 loop 4 loop 5 e 1 = 1 e 2 = 0 e 3 = 1 e 4 = 0 e 5 =?? 0 r 5 r 1 r 2 r 3 r 4 r ′ 1 5 trace 1 Differentials: trace 2 correct guess trace 3 . . . . . wrong guess . . . . . . . trace L Counter-measure: Randomization of the exponent and data. 7 / 19

  13. Montgomery multiplication Basic modular multiplication. For X , Y ∈ [0 , N [ Product. Z ← X × Y 1 Reduction. Q ← ⌊ Z / N ⌋ and R ← Z − Q × N 2 8 / 19

  14. Montgomery multiplication Basic modular multiplication. For X , Y ∈ [0 , N [ Product. Z ← X × Y 1 Reduction. Q ← ⌊ Z / N ⌋ and R ← Z − Q × N 2 X Montgomery Multiplication × Y Require: X , Y ∈ [0 , N [ and A = 2 n > N Z 1 Z 0 Ensure: R = X × Y × A − 1 (mod N ) 1: Z ← X × Y 2: Q ← N − 1 × Z (mod A ) 3: R ← ( Z − Q × N ) / A

  15. Montgomery multiplication Basic modular multiplication. For X , Y ∈ [0 , N [ Product. Z ← X × Y 1 Reduction. Q ← ⌊ Z / N ⌋ and R ← Z − Q × N 2 X Montgomery Multiplication × Y Require: X , Y ∈ [0 , N [ and A = 2 n > N Z 1 Z 0 Ensure: R = X × Y × A − 1 (mod N ) − ∗ = Q × N Z 0 1: Z ← X × Y 2: Q ← N − 1 × Z (mod A ) 3: R ← ( Z − Q × N ) / A 8 / 19

  16. Montgomery multiplication Basic modular multiplication. For X , Y ∈ [0 , N [ Product. Z ← X × Y 1 Reduction. Q ← ⌊ Z / N ⌋ and R ← Z − Q × N 2 X Montgomery Multiplication × Y Require: X , Y ∈ [0 , N [ and A = 2 n > N Z 1 Z 0 Ensure: R = X × Y × A − 1 (mod N ) − ∗ = Q × N Z 0 1: Z ← X × Y 2: Q ← N − 1 × Z (mod A ) R 0 3: R ← ( Z − Q × N ) / A × 2 − n R 8 / 19

  17. Montgomery multiplication Basic modular multiplication. For X , Y ∈ [0 , N [ Product. Z ← X × Y 1 Reduction. Q ← ⌊ Z / N ⌋ and R ← Z − Q × N 2 X Montgomery Multiplication × Y Require: X , Y ∈ [0 , N [ and A = 2 n > N Z 1 Z 0 Ensure: R = X × Y × A − 1 (mod N ) − ∗ = Q × N Z 0 1: Z ← X × Y 2: Q ← N − 1 × Z (mod A ) R 0 3: R ← ( Z − Q × N ) / A × 2 − n R Montgomery representation. � X = XA mod N provides 1 Y ) = ( XA ) × ( YA ) × A − 1 mod N = XYA mod N MontMul ( � X , � 2 8 / 19

  18. Montgomery multiplication in residue number system Let A = { a 1 , . . . , a t } be a set t co-prime integers. 9 / 19

  19. Montgomery multiplication in residue number system Let A = { a 1 , . . . , a t } be a set t co-prime integers. An integer X such that 0 ≤ X < A = � t i =1 a i is represented by [ X ] A = ( x 1 = X mod a 1 , . . . , x t = X mod a t ) . 9 / 19

  20. Montgomery multiplication in residue number system Let A = { a 1 , . . . , a t } be a set t co-prime integers. An integer X such that 0 ≤ X < A = � t i =1 a i is represented by [ X ] A = ( x 1 = X mod a 1 , . . . , x t = X mod a t ) . The Chinese remainder theorem tell us that for op ∈ { + , ×} [ X ] A op [ Y ] A = ([ x 1 op y 1 ] a 1 , . . . , [ x t op y t ] a t ) ⇔ X op Y mod A 9 / 19

  21. Montgomery multiplication in residue number system Let A = { a 1 , . . . , a t } be a set t co-prime integers. An integer X such that 0 ≤ X < A = � t i =1 a i is represented by [ X ] A = ( x 1 = X mod a 1 , . . . , x t = X mod a t ) . The Chinese remainder theorem tell us that for op ∈ { + , ×} [ X ] A op [ Y ] A = ([ x 1 op y 1 ] a 1 , . . . , [ x t op y t ] a t ) ⇔ X op Y mod A Montgomery Multiplication in RNS Require: X , Y in A ∪ B Ensure: XYA − 1 mod N in A ∪ B 1: [ Q ] A ← [ XYN − 1 ] A 3: [ Z ] B ← [( XY − QN ) A − 1 ] B 5: return ( Z A∪B ) 9 / 19

  22. Montgomery multiplication in residue number system Let A = { a 1 , . . . , a t } be a set t co-prime integers. An integer X such that 0 ≤ X < A = � t i =1 a i is represented by [ X ] A = ( x 1 = X mod a 1 , . . . , x t = X mod a t ) . The Chinese remainder theorem tell us that for op ∈ { + , ×} [ X ] A op [ Y ] A = ([ x 1 op y 1 ] a 1 , . . . , [ x t op y t ] a t ) ⇔ X op Y mod A Montgomery Multiplication in RNS Require: X , Y in A ∪ B Ensure: XYA − 1 mod N in A ∪ B 1: [ Q ] A ← [ XYN − 1 ] A 2: [ Q ] B ← BE A→B ([ Q ] A ) 3: [ Z ] B ← [( XY − QN ) A − 1 ] B 4: [ Z ] A ← BE B→A ([ Z ] B ) 5: return ( Z A∪B ) 9 / 19

  23. Outline Cryptography 1 RSA cryptosystem Power analysis Montgomery multiplication in RNS Randomized modular exponentiation in RNS 2 Randomized Montgomery multiplication Proposed approach Level of randomization Conclusion 3 10 / 19

  24. Randomization in RNS (LRA CHES 2004) We have � X old = [ XA old ] A old ∪B old we permute the basis elements A old ∪ B old → A new ∪ B new A B a 1 b 1 a 2 b t − 1 a t − 1 a t b t this leads to a new representation of X � X new = [ XA new ] A new ∪B new Cost Two Montgomery multiplications : mod N → XA old A new mod N → XA new mod N . XA old 11 / 19

  25. Randomized square-and-multiply-always Input: N , X ∈ [0 , N [ , E = ( e ℓ − 1 , . . . , e 0 ) 2 and M = { m 1 , . . . , m 2 t } . Output: X E mod N Square-and-mult-always A , B ← random split M Z ← [ � � X ] A∪B , � 1] A∪B , � R 0 ← [ � R 1 ← [ � 1] A∪B for i from 0 to ℓ − 1 do R e i ← MM RNS( � � R e i , � Z , A , B ) Z ← MM RNS( � � Z , � Z , A , B ) end for � return R 1 12 / 19

  26. Randomized square-and-multiply-always Input: N , X ∈ [0 , N [ , E = ( e ℓ − 1 , . . . , e 0 ) 2 and M = { m 1 , . . . , m 2 t } . Output: X E mod N Randomized Square-and-mult-always A , B ← random split M Z ← [ � � X ] A∪B , R 0 ← [ � � 1] A∪B , � R 1 ← [ � 1] A∪B for i from 0 to ℓ − 1 do R e i ← MM RNS( � � R e i , � Z , A , B ) Z ← MM RNS( � � Z , � Z , A , B ) Randomise( A old , B old , A , B ) Z ← Update( � � Z , A old , B old , A , B ) R 0 ← Update( � � R 0 , A old , B old , A , B ) R 1 ← Update( � � R 1 , A old , B old , A , B ) end for � return R 1 12 / 19

Recommend

Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand Christophe

Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand Christophe

Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand Christophe NEGRE ( 1 ) , Thomas PLANTARD ( 2 ) and Jean-Marc ROBERT ( 1 ) 1: Team DALI/LIRMM, University of Perpignan, France 2: CCISR, SCIT, (University of

1.25k views • 69 slides
Numb3rs 11 2 10 3 Modular Exponentiation 9 4 8 5 7 6 Story So Far Quotient and

Numb3rs 11 2 10 3 Modular Exponentiation 9 4 8 5 7 6 Story So Far Quotient and

0 12 1 Numb3rs 11 2 10 3 Modular Exponentiation 9 4 8 5 7 6 Story So Far Quotient and Remainder, GCD, Euclid s algorithm, L(a,b) { au + bv | u,v Z } = { n gcd(a,b) | n Z } Primes, Fundamental Theorem of

272 views • 14 slides
SPA resistant Exponentiation based on Bruns GCD algorithm Val erie Berth e , Thomas

SPA resistant Exponentiation based on Bruns GCD algorithm Val erie Berth e , Thomas

SPA resistant Exponentiation based on Bruns GCD algorithm Val erie Berth e , Thomas Plantard Paris Diderot Universit e, University of Wollongong http://www.uow.edu.au/ thomaspl thomaspl@uow.edu.au 2019 Berthe, Plantard (IRIF,

1.16k views • 69 slides
THE MILLERRABIN PRIMALITY TEST 1. Fast Modular Exponentiation Given positive integers a , e ,

THE MILLERRABIN PRIMALITY TEST 1. Fast Modular Exponentiation Given positive integers a , e ,

THE MILLERRABIN PRIMALITY TEST 1. Fast Modular Exponentiation Given positive integers a , e , and n , the following algorithm quickly computes the reduced power a e % n . ( Initialize ) Set ( x, y, f ) = (1 , a, e ). ( Loop ) While f &gt;

175 views • 5 slides
Modular Exponentiation In the browser !? P.h.D. semester project, 2017. Supervised by Bryan Ford

Modular Exponentiation In the browser !? P.h.D. semester project, 2017. Supervised by Bryan Ford

Modular Exponentiation In the browser !? P.h.D. semester project, 2017. Supervised by Bryan Ford (DEDIS) and Thomas Hofer (DGSI). 1 Background The digital world takes an overwhelming part in our daily life. Voting is still paper-based and

215 views • 19 slides
Efficient Modular SAT Solving for IC3 Sam Bayless , Celina G. Val , Thomas Ball ,

Efficient Modular SAT Solving for IC3 Sam Bayless , Celina G. Val , Thomas Ball ,

Efficient Modular SAT Solving for IC3 Sam Bayless , Celina G. Val , Thomas Ball , Holger H. Hoos , Alan J. Hu University of British Columbia Microsoft Research Sam Bayless (UBC) Efficient Modular SAT Solving for IC3

505 views • 31 slides
www.thomas-leak-detection.com Leak Detection Class I Presentation EN 2014-02-19 Part1.docx ABOUT

www.thomas-leak-detection.com Leak Detection Class I Presentation EN 2014-02-19 Part1.docx ABOUT

Class I Leak Detection Systems - Highest level of monitoring and prevention of double walled tanks and pipes, according EU Standard EN 13160-2 Advantages Working Principle Product Overview www.thomas-leak-detection.com Leak

206 views • 16 slides
Efficient and secure modular operations using the Polynomial Modular Number System (Part 1)

Efficient and secure modular operations using the Polynomial Modular Number System (Part 1)

The Polynomial modular number system (PMNS) Randomisation with the PMNS Internal randomisation using the Montgomery-like method Efficient and secure modular operations using the Polynomial Modular Number System (Part 1) ephane Didier 1 , Fangan

758 views • 26 slides
&amp; Mobility DEVELOPMENT OF AN EFFICIENT, LEAK PROOF PLENUM SEAL FOR THE M1 ABRAMS ENGINE INLET

&amp; Mobility DEVELOPMENT OF AN EFFICIENT, LEAK PROOF PLENUM SEAL FOR THE M1 ABRAMS ENGINE INLET

Power &amp; Mobility DEVELOPMENT OF AN EFFICIENT, LEAK PROOF PLENUM SEAL FOR THE M1 ABRAMS ENGINE INLET Steve Tarnowski Steve Pennala Great Lakes Sound and Vibration Inc. 8/21/2018 DISTRIBUTION STATEMENT A. Approved for public release;

284 views • 13 slides
a (mod m ) b is congruent to modulo a m b mod mod a m b m

a (mod m ) b is congruent to modulo a m b mod mod a m b m

Number Theory and its Applications Modular Exponentiation Euclidean Algorithm for GCD Solving Linear Congruences Chinese Remainder Theorem and Application to Arithmetic with large numbers Covered in Sections 3.6 and 3.7 Based

489 views • 19 slides
ON ABJM BDS EXPONENTIATION Matias Leoni Universidad de Buenos Aires &amp; CONICET In

ON ABJM BDS EXPONENTIATION Matias Leoni Universidad de Buenos Aires &amp; CONICET In

ON ABJM BDS EXPONENTIATION Matias Leoni Universidad de Buenos Aires &amp; CONICET In collaboration with Marco S. Bianchi arXiv:1403.3398 N=4 SYM Exponentiation Consider color ordered MHV 4p amplitude in We define the ratio

415 views • 29 slides
Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo,

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo,

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo, Amira Barki, Solenn Brunet and Jacques Traor 1st Workshop on Advances in Secure Electronic Voting Schemes VOTING16 February 26th, 2016

532 views • 23 slides
Soil Gas Sampling with a Helium Leak Detection Shroud Bruce Godfrey &amp; Stefan DAngona

Soil Gas Sampling with a Helium Leak Detection Shroud Bruce Godfrey &amp; Stefan DAngona

Soil Gas Sampling with a Helium Leak Detection Shroud Bruce Godfrey &amp; Stefan DAngona Introduction a. Leak Detection Options b. Helium Leak Detection c. Leak Tracer System Design d. Use and experience Why Leak Check? Proof of Sample

569 views • 16 slides
Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical

Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical

Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical development Leak detection system requirements Causes of leaks Leak detection options Non-continuous leak detection Continuous external leak detection

806 views • 49 slides
EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick

EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick

Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick Seurin 2 1 University of Versailles, France 2 ANSSI, France

980 views • 70 slides
Direct Hydrocarbon Leak Detections based on Nanocomposite Sensors Private and Confidential

Direct Hydrocarbon Leak Detections based on Nanocomposite Sensors Private and Confidential

November 2017 Direct Hydrocarbon Leak Detections based on Nanocomposite Sensors Private and Confidential Contents Needs for Leak Detection Sensors Review of Leak Detection Systems Husky Leak N. Battleford, SK; July 2016 Platform

635 views • 24 slides
Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert 1 Alon Rosen 2 1 MIT CSAIL 2 Harvard DEAS Theory of Cryptography Conference 5 March 2006 Chris Peikert, Alon Rosen (MIT, Harvard) Efficient

897 views • 61 slides
Modular Assembly: An Efficient Approach for Creation and Maintenance of Persistent Space Assets

Modular Assembly: An Efficient Approach for Creation and Maintenance of Persistent Space Assets

Modular Assembly: An Efficient Approach for Creation and Maintenance of Persistent Space Assets William (Bill) R. Doggett Structural Mechanics and Concepts Branch NASA Langley Research Center, Hampton, Va. 23681 USA 2019 IEEE

249 views • 20 slides
Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture Damage 1 Balanced Mix Design: ETG Definition Asphalt mix design using performance tests on appropriately conditioned specimens that address

480 views • 46 slides
Optical Leak Testing Technology October 9th, 2014 Hermetic Leak Test Methods Helium Mass

Optical Leak Testing Technology October 9th, 2014 Hermetic Leak Test Methods Helium Mass

Optical Leak Testing Technology October 9th, 2014 Hermetic Leak Test Methods Helium Mass Spectrometry (Fine) Bubble Leak testing (Gross) Dye Penetrant (Gross) (Destructive) Residual Gas Analysis (Destructive) Cumulative Helium Leak Detection

326 views • 31 slides
Peregreen modular database for efficient storage of historical time series in cloud

Peregreen modular database for efficient storage of historical time series in cloud

Peregreen modular database for efficient storage of historical time series in cloud environments Alexander A. Visheratin , Alexey Struckov, Semen Yufa, Alexey Muratov, Denis Nasonov, Nikolay Butakov ITMO University Yury Kuznetsov, Michael

467 views • 21 slides
Efficient Receipt-Free Ballot Casting Resistant to Covert Channels Ben Adida C. Andrew Neff

Efficient Receipt-Free Ballot Casting Resistant to Covert Channels Ben Adida C. Andrew Neff

Efficient Receipt-Free Ballot Casting Resistant to Covert Channels Ben Adida C. Andrew Neff EVT / WOTE August 11th, 2009 Montreal, Canada Andy uses a voting machine to prepare a ballot. Andy wants to verify that the machine properly

637 views • 32 slides
Pushing Efficient Evaluation of HEX Programs by Modular Decomposition Thomas Eiter Michael Fink

Pushing Efficient Evaluation of HEX Programs by Modular Decomposition Thomas Eiter Michael Fink

Pushing Efficient Evaluation of HEX Programs by Modular Decomposition Thomas Eiter Michael Fink Giovambattista Ianni Thomas Krennwallner Peter Schller KBS Group Institut fr Informationssysteme, Technische Universitt Wien

606 views • 50 slides
Pushing Efficient Evaluation of HEX Programs by Modular Decomposition Thomas Eiter Michael Fink

Pushing Efficient Evaluation of HEX Programs by Modular Decomposition Thomas Eiter Michael Fink

Pushing Efficient Evaluation of HEX Programs by Modular Decomposition Thomas Eiter Michael Fink Giovambattista Ianni Thomas Krennwallner Peter Schller KBS Group Institut fr Informationssysteme, Technische Universitt Wien

734 views • 39 slides

More recommend