efficient modular exponentiation based on multiple
play

Efficient Modular Exponentiation Based on Multiple Multiplications - PowerPoint PPT Presentation

Jul 16, 2023 •550 likes •1.25k views

Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand Christophe NEGRE ( 1 ) , Thomas PLANTARD ( 2 ) and Jean-Marc ROBERT ( 1 ) 1: Team DALI/LIRMM, University of Perpignan, France 2: CCISR, SCIT, (University of

  1. Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand Christophe NEGRE ( 1 ) , Thomas PLANTARD ( 2 ) and Jean-Marc ROBERT ( 1 ) 1: Team DALI/LIRMM, University of Perpignan, France 2: CCISR, SCIT, (University of Wollongong), Australia Arith22 2015, Lyon, the 22-24th of June 2015 C. Nègre, T. Plantard and J.-M. Robert 1 / 37

  2. Table of Content Problematic 1 RSA Protocol The Modular Exponentiation Simple Power Analysis, Counter-measure Modular Multiplication 2 Montgomery Modular Multiplication Our Objective Contributions 3 A · B , A · C A · B 0 , A · B 1 , . . . , A · B ℓ Application to SPA Protected Modular Exponentiations Experimental Results Conclusion 4 C. Nègre, T. Plantard and J.-M. Robert 2 / 37

  3. Problematic RSA Protocol Table of Content Problematic 1 RSA Protocol The Modular Exponentiation Simple Power Analysis, Counter-measure Modular Multiplication 2 Montgomery Modular Multiplication Our Objective Contributions 3 A · B , A · C A · B 0 , A · B 1 , . . . , A · B ℓ Application to SPA Protected Modular Exponentiations Experimental Results Conclusion 4 C. Nègre, T. Plantard and J.-M. Robert 3 / 37

  4. Problematic RSA Protocol RSA Protocol (Rivest, Shamir and Adlemann): Alice generates the keys. She: Chooses two distinct prime numbers p and q ; Computes N = pq ; Computes φ ( N ) = φ ( p ) φ ( q ) = ( p − 1 )( q − 1 ) = N − ( p + q − 1 ) ; Chooses an integer e such that 1 < e < φ ( N ) and gcd ( e , φ ( N )) = 1; Solves for d given d · e ≡ 1 mod φ ( N ) ; → e is released as the public key exponent, → d is kept as the private key exponent. C. Nègre, T. Plantard and J.-M. Robert 4 / 37

  5. Problematic RSA Protocol RSA Protocol (2) → Bob encrypts using Alice’s public key e : C = M e mod N C. Nègre, T. Plantard and J.-M. Robert 5 / 37

  6. Problematic RSA Protocol RSA Protocol (2) → Bob encrypts using Alice’s public key e : C = M e mod N → Alice decrypts Bob’s message using her secret key d : C d ( M e ) d mod N = mod N M e · d = mod N M 1 mod φ ( N ) = mod N = M C. Nègre, T. Plantard and J.-M. Robert 5 / 37

  7. Problematic RSA Protocol RSA Protocol (2) → Bob encrypts using Alice’s public key e : C = M e mod N → Alice decrypts Bob’s message using her secret key d : C d ( M e ) d mod N = mod N M e · d = mod N M 1 mod φ ( N ) = mod N = M → The main operation is the Modular Exponentiation C. Nègre, T. Plantard and J.-M. Robert 5 / 37

  8. Problematic The Modular Exponentiation Table of Content Problematic 1 RSA Protocol The Modular Exponentiation Simple Power Analysis, Counter-measure Modular Multiplication 2 Montgomery Modular Multiplication Our Objective Contributions 3 A · B , A · C A · B 0 , A · B 1 , . . . , A · B ℓ Application to SPA Protected Modular Exponentiations Experimental Results Conclusion 4 C. Nègre, T. Plantard and J.-M. Robert 6 / 37

  9. Problematic The Modular Exponentiation Square-and-multiply We consider an RSA modulus N such that N < 2 wn . Square-and-multiply Require: N the RSA modulus, g and e = ( e k − 1 , . . . , e 0 ) 2 integers ∈ [ 0 , . . . , N [ , with e k − 1 = 1. Ensure: X = g e mod N Right-to-left Left-to-right X ← 1 X ← g for i = 0 to k − 1 do for i = k − 2 downto 0 do X ← X 2 mod N if e i = 1 then X ← X · g mod N if e i = 1 then g ← g 2 mod N X ← X · g mod N return ( X = g e ) return ( X = g e ) C. Nègre, T. Plantard and J.-M. Robert 7 / 37

  10. Problematic Simple Power Analysis, Counter-measure Table of Content Problematic 1 RSA Protocol The Modular Exponentiation Simple Power Analysis, Counter-measure Modular Multiplication 2 Montgomery Modular Multiplication Our Objective Contributions 3 A · B , A · C A · B 0 , A · B 1 , . . . , A · B ℓ Application to SPA Protected Modular Exponentiations Experimental Results Conclusion 4 C. Nègre, T. Plantard and J.-M. Robert 8 / 37

  11. Problematic Simple Power Analysis, Counter-measure Simple Power Analysis RSA Left-to-right Square-and-multiply Require: N the RSA modulus, g and e = ( e k − 1 , . . . , e 0 ) 2 integers ∈ [ 0 , . . . , N [ , with e k − 1 = 1. Ensure: X = g e mod N X ← g for i = k − 2 downto 0 do X ← X 2 mod N if e i = 1 then X ← X · g mod N return ( X = g e ) C. Nègre, T. Plantard and J.-M. Robert 9 / 37

  12. Problematic Simple Power Analysis, Counter-measure Simple Power Analysis RSA Left-to-right Square-and-multiply Require: N the RSA modulus, g and e = ( e k − 1 , . . . , e 0 ) 2 integers ∈ [ 0 , . . . , N [ , with e k − 1 = 1. Ensure: X = g e mod N X ← g for i = k − 2 downto 0 do X ← X 2 mod N → A squaring corresponds to a low crenel if e i = 1 then X ← X · g mod N return ( X = g e ) C. Nègre, T. Plantard and J.-M. Robert 9 / 37

  13. Problematic Simple Power Analysis, Counter-measure Simple Power Analysis RSA Left-to-right Square-and-multiply Require: N the RSA modulus, g and e = ( e k − 1 , . . . , e 0 ) 2 integers ∈ [ 0 , . . . , N [ , with e k − 1 = 1. Ensure: X = g e mod N X ← g for i = k − 2 downto 0 do X ← X 2 mod N if e i = 1 then X ← X · g mod N → A multiplication corresponds to a high crenel return ( X = g e ) C. Nègre, T. Plantard and J.-M. Robert 9 / 37

  14. Problematic Simple Power Analysis, Counter-measure Simple Power Analysis RSA Left-to-right Square-and-multiply Require: N the RSA modulus, g and e = ( e k − 1 , . . . , e 0 ) 2 integers ∈ [ 0 , . . . , N [ , with e k − 1 = 1. Ensure: X = g e mod N X ← g for i = k − 2 downto 0 do X ← X 2 mod N if e i = 1 then X ← X · g mod N return ( X = g e ) → Vulnerable: the sequence of operations leaks the secret scalar (no regularity.) C. Nègre, T. Plantard and J.-M. Robert 9 / 37

  15. Problematic Simple Power Analysis, Counter-measure Montgomery Binary Ladder Montgomery Require: e = ( e t − 1 , . . . , e 1 , e 0 ) with e t − 1 = 1 , g ∈ Z / N Z Ensure: X = g e mod N 1: X 0 ← g , X 1 ← g 2 mod N 2: for i from t − 2 downto 0 do if ( e i = 0 ) then 3: X 1 ← X 0 · X 1 mod N , X 0 ← X 2 mod N 4: 0 else 5: X 0 ← X 0 · X 1 mod N , X 1 ← X 2 mod N 6: 1 7: return ( X 0 ) Basic Montgomery’s Ladder Modular Exponentiation C. Nègre, T. Plantard and J.-M. Robert 10 / 37

  16. Problematic Simple Power Analysis, Counter-measure Regular Exponentiation Algorithms Joye and Tunstall suggested a 2 t -ary recoding without zero digits: Unsigned-Digit Recoding Algorithm Require: e ≥ 1, m = 2 t , ℓ the m -ary length of e and N the RSA modulus Ensure: e = ( e ℓ − 1 , . . . , e 0 ) with e i ∈ { 1 , . . . , m } , 1 ≤ i ≤ ℓ − 2 1: s ← ( 1 , 1 , . . . , 1 ) m 2: e ′ ← e − s mod N 3: for i = 0 to ℓ − 2 do d ← e ′ mod m 4: e ′ ← ⌊ e ′ / m ⌋ 5: 6: e i ← d + 1 Then, the addition without carry leads to the 0-less recoding: C. Nègre, T. Plantard and J.-M. Robert 11 / 37

  17. Problematic Simple Power Analysis, Counter-measure Regular Exponentiation Algorithms Joye and Tunstall suggested a 2 t -ary recoding without zero digits: Unsigned-Digit Recoding Algorithm Require: e ≥ 1, m = 2 t , ℓ the m -ary length of e and N the RSA modulus Ensure: e = ( e ℓ − 1 , . . . , e 0 ) with e i ∈ { 1 , . . . , m } , 1 ≤ i ≤ ℓ − 2 1: s ← ( 1 , 1 , . . . , 1 ) m 2: e ′ ← e − s mod N 3: for i = 0 to ℓ − 2 do d ← e ′ mod m 4: e ′ ← ⌊ e ′ / m ⌋ 5: 6: e i ← d + 1 Example with t = 4 , m = 10 10 : e = 1 9 7 5 0 4 0 2 3 Then, the addition without carry leads to the 0-less recoding: C. Nègre, T. Plantard and J.-M. Robert 11 / 37

  18. Problematic Simple Power Analysis, Counter-measure Regular Exponentiation Algorithms Joye and Tunstall suggested a 2 t -ary recoding without zero digits: Unsigned-Digit Recoding Algorithm Require: e ≥ 1, m = 2 t , ℓ the m -ary length of e and N the RSA modulus Ensure: e = ( e ℓ − 1 , . . . , e 0 ) with e i ∈ { 1 , . . . , m } , 1 ≤ i ≤ ℓ − 2 1: s ← ( 1 , 1 , . . . , 1 ) m 2: e ′ ← e − s mod N 3: for i = 0 to ℓ − 2 do d ← e ′ mod m 4: e ′ ← ⌊ e ′ / m ⌋ 5: 6: e i ← d + 1 Example with t = 4 , m = 10 10 : e = 1 9 7 5 0 4 0 2 3 = 1 1 1 1 1 1 1 1 1 s Then, the addition without carry leads to the 0-less recoding: C. Nègre, T. Plantard and J.-M. Robert 11 / 37

  19. Problematic Simple Power Analysis, Counter-measure Regular Exponentiation Algorithms Joye and Tunstall suggested a 2 t -ary recoding without zero digits: Unsigned-Digit Recoding Algorithm Require: e ≥ 1, m = 2 t , ℓ the m -ary length of e and N the RSA modulus Ensure: e = ( e ℓ − 1 , . . . , e 0 ) with e i ∈ { 1 , . . . , m } , 1 ≤ i ≤ ℓ − 2 1: s ← ( 1 , 1 , . . . , 1 ) m 2: e ′ ← e − s mod N 3: for i = 0 to ℓ − 2 do d ← e ′ mod m 4: e ′ ← ⌊ e ′ / m ⌋ 5: 6: e i ← d + 1 Example with t = 4 , m = 10 10 : e = 1 9 7 5 0 4 0 2 3 = 1 1 1 1 1 1 1 1 1 s e ′ ← e − s mod N 0 8 6 3 9 2 9 1 2 Then, the addition without carry leads to the 0-less recoding: C. Nègre, T. Plantard and J.-M. Robert 11 / 37

Recommend

Efficient Leak Resistant Modular Exponentiation in RNS Andrea Lesavourey (1) , Christophe Negre

Efficient Leak Resistant Modular Exponentiation in RNS Andrea Lesavourey (1) , Christophe Negre

Efficient Leak Resistant Modular Exponentiation in RNS Andrea Lesavourey (1) , Christophe Negre (1) and Thomas Plantard (2) (1) DALI (UPVD) and LIRMM (Univ. of Montpellier, CNRS), Perpignan, France (2) CCISR, SCIT, University of Wollongong,

708 views • 43 slides
Modular Exponentiation In the browser !? P.h.D. semester project, 2017. Supervised by Bryan Ford

Modular Exponentiation In the browser !? P.h.D. semester project, 2017. Supervised by Bryan Ford

Modular Exponentiation In the browser !? P.h.D. semester project, 2017. Supervised by Bryan Ford (DEDIS) and Thomas Hofer (DGSI). 1 Background The digital world takes an overwhelming part in our daily life. Voting is still paper-based and

215 views • 19 slides
Numb3rs 11 2 10 3 Modular Exponentiation 9 4 8 5 7 6 Story So Far Quotient and

Numb3rs 11 2 10 3 Modular Exponentiation 9 4 8 5 7 6 Story So Far Quotient and

0 12 1 Numb3rs 11 2 10 3 Modular Exponentiation 9 4 8 5 7 6 Story So Far Quotient and Remainder, GCD, Euclid s algorithm, L(a,b) { au + bv | u,v Z } = { n gcd(a,b) | n Z } Primes, Fundamental Theorem of

272 views • 14 slides
THE MILLERRABIN PRIMALITY TEST 1. Fast Modular Exponentiation Given positive integers a , e ,

THE MILLERRABIN PRIMALITY TEST 1. Fast Modular Exponentiation Given positive integers a , e ,

THE MILLERRABIN PRIMALITY TEST 1. Fast Modular Exponentiation Given positive integers a , e , and n , the following algorithm quickly computes the reduced power a e % n . ( Initialize ) Set ( x, y, f ) = (1 , a, e ). ( Loop ) While f &gt;

175 views • 5 slides
a (mod m ) b is congruent to modulo a m b mod mod a m b m

a (mod m ) b is congruent to modulo a m b mod mod a m b m

Number Theory and its Applications Modular Exponentiation Euclidean Algorithm for GCD Solving Linear Congruences Chinese Remainder Theorem and Application to Arithmetic with large numbers Covered in Sections 3.6 and 3.7 Based

489 views • 19 slides
Efficient Modular SAT Solving for IC3 Sam Bayless , Celina G. Val , Thomas Ball ,

Efficient Modular SAT Solving for IC3 Sam Bayless , Celina G. Val , Thomas Ball ,

Efficient Modular SAT Solving for IC3 Sam Bayless , Celina G. Val , Thomas Ball , Holger H. Hoos , Alan J. Hu University of British Columbia Microsoft Research Sam Bayless (UBC) Efficient Modular SAT Solving for IC3

505 views • 31 slides
Efficient and secure modular operations using the Polynomial Modular Number System (Part 1)

Efficient and secure modular operations using the Polynomial Modular Number System (Part 1)

The Polynomial modular number system (PMNS) Randomisation with the PMNS Internal randomisation using the Montgomery-like method Efficient and secure modular operations using the Polynomial Modular Number System (Part 1) ephane Didier 1 , Fangan

758 views • 26 slides
SPA resistant Exponentiation based on Bruns GCD algorithm Val erie Berth e , Thomas

SPA resistant Exponentiation based on Bruns GCD algorithm Val erie Berth e , Thomas

SPA resistant Exponentiation based on Bruns GCD algorithm Val erie Berth e , Thomas Plantard Paris Diderot Universit e, University of Wollongong http://www.uow.edu.au/ thomaspl thomaspl@uow.edu.au 2019 Berthe, Plantard (IRIF,

1.16k views • 69 slides
Efficient Multiple-ISA Embedded Processor Core Design Based on RISC-V Yuanhu Cheng , Libo Huang,

Efficient Multiple-ISA Embedded Processor Core Design Based on RISC-V Yuanhu Cheng , Libo Huang,

Efficient Multiple-ISA Embedded Processor Core Design Based on RISC-V Yuanhu Cheng , Libo Huang, Yijun Cui, Sheng Ma, Yongwen Wang, Bincai Sui National University of Defense Technology Changsha, China Cont ntent nts Introduction

378 views • 17 slides
ON ABJM BDS EXPONENTIATION Matias Leoni Universidad de Buenos Aires &amp; CONICET In

ON ABJM BDS EXPONENTIATION Matias Leoni Universidad de Buenos Aires &amp; CONICET In

ON ABJM BDS EXPONENTIATION Matias Leoni Universidad de Buenos Aires &amp; CONICET In collaboration with Marco S. Bianchi arXiv:1403.3398 N=4 SYM Exponentiation Consider color ordered MHV 4p amplitude in We define the ratio

415 views • 29 slides
Modular Assembly: An Efficient Approach for Creation and Maintenance of Persistent Space Assets

Modular Assembly: An Efficient Approach for Creation and Maintenance of Persistent Space Assets

Modular Assembly: An Efficient Approach for Creation and Maintenance of Persistent Space Assets William (Bill) R. Doggett Structural Mechanics and Concepts Branch NASA Langley Research Center, Hampton, Va. 23681 USA 2019 IEEE

249 views • 20 slides
Peregreen modular database for efficient storage of historical time series in cloud

Peregreen modular database for efficient storage of historical time series in cloud

Peregreen modular database for efficient storage of historical time series in cloud environments Alexander A. Visheratin , Alexey Struckov, Semen Yufa, Alexey Muratov, Denis Nasonov, Nikolay Butakov ITMO University Yury Kuznetsov, Michael

467 views • 21 slides
Pushing Efficient Evaluation of HEX Programs by Modular Decomposition Thomas Eiter Michael Fink

Pushing Efficient Evaluation of HEX Programs by Modular Decomposition Thomas Eiter Michael Fink

Pushing Efficient Evaluation of HEX Programs by Modular Decomposition Thomas Eiter Michael Fink Giovambattista Ianni Thomas Krennwallner Peter Schller KBS Group Institut fr Informationssysteme, Technische Universitt Wien

606 views • 50 slides
Pushing Efficient Evaluation of HEX Programs by Modular Decomposition Thomas Eiter Michael Fink

Pushing Efficient Evaluation of HEX Programs by Modular Decomposition Thomas Eiter Michael Fink

Pushing Efficient Evaluation of HEX Programs by Modular Decomposition Thomas Eiter Michael Fink Giovambattista Ianni Thomas Krennwallner Peter Schller KBS Group Institut fr Informationssysteme, Technische Universitt Wien

734 views • 39 slides
CSE 311 Foundations of 4.3 7 th Edition Computing I 3.5, 3.6 6 th Edition 2.5, 2.6 up

CSE 311 Foundations of 4.3 7 th Edition Computing I 3.5, 3.6 6 th Edition 2.5, 2.6 up

Announcements Reading assignments Today and Monday: CSE 311 Foundations of 4.3 7 th Edition Computing I 3.5, 3.6 6 th Edition 2.5, 2.6 up to p. 191 5 th Edition Lecture 11 Wednesday Modular Exponentiation and Primes

345 views • 5 slides
Efficient Modular NIZK Arguments from Shift and Product Speaker: Bingsheng Zhang 1 Joint work with

Efficient Modular NIZK Arguments from Shift and Product Speaker: Bingsheng Zhang 1 Joint work with

Efficient Modular NIZK Arguments from Shift and Product Speaker: Bingsheng Zhang 1 Joint work with Prastudy Fauzi 2 and Helger Lipmaa 2 1. National and Kapodistrian University of Athens, Greece 2. University of Tartu, Estonia S CANS 2013,

445 views • 20 slides
Single Base Modular Multiplication for Efficient Hardware RNS Implementations of ECC Karim Bigou

Single Base Modular Multiplication for Efficient Hardware RNS Implementations of ECC Karim Bigou

Single Base Modular Multiplication for Efficient Hardware RNS Implementations of ECC Karim Bigou and Arnaud Tisserand CNRS, IRISA, INRIA Centre Rennes - Bretagne Atlantique and Univ. Rennes 1 CHES 2015, Sept. 13 16 Karim Bigou and Arnaud

1.13k views • 30 slides
An Assume-Guarantee Method for Modular An Assume-Guarantee Method for Modular Verification of

An Assume-Guarantee Method for Modular An Assume-Guarantee Method for Modular Verification of

An Assume-Guarantee Method for Modular An Assume-Guarantee Method for Modular Verification of Evolving Component-Based Software Verification of Evolving Component-Based Software Pham Ngoc Hung, Nguyen Truong Thang, and Takuya Katayama Japan

544 views • 21 slides
Type-Based Structural Analysis for Modular Systems of Equations Linkping University, 19 June

Type-Based Structural Analysis for Modular Systems of Equations Linkping University, 19 June

Type-Based Structural Analysis for Modular Systems of Equations Linkping University, 19 June 2014 Henrik Nilsson Joint work with John Capper School of Computer Science University of Nottingham Type-Based Structural Analysis for Modular

1.07k views • 105 slides
Efficient Parallel Implementations of Multiple Sequence Alignment Using BSP/CGM Model Jucele F.

Efficient Parallel Implementations of Multiple Sequence Alignment Using BSP/CGM Model Jucele F.

Introduction Multiple Sequence Alignment Distributed Memory Shared Memory Computational Results Conclusions and Future Work Efficient Parallel Implementations of Multiple Sequence Alignment Using BSP/CGM Model Jucele F. A. Vasconcellos,

459 views • 21 slides
An Efficient GPU-based An Efficient GPU-based LDPC Decoder for Long LDPC Decoder for Long

An Efficient GPU-based An Efficient GPU-based LDPC Decoder for Long LDPC Decoder for Long

An Efficient GPU-based An Efficient GPU-based LDPC Decoder for Long LDPC Decoder for Long Codewords Codewords Stefan Grnroos Kristian Nybom Jerker Bjrkqvist 18.10.11 bo Akademi University - Turku, Finland 1 Background Background

301 views • 11 slides
Efficient representation of uncertainty in multiple sequence alignments using directed acyclic

Efficient representation of uncertainty in multiple sequence alignments using directed acyclic

Efficient representation of uncertainty in multiple sequence alignments using directed acyclic graphs JOSEPH L HERMAN, DM NOVK, RUNE LYNGSO, ADRIENN SZAB, ISTVN MIKLS AND JOTUN HEIN Describing the Problem #1

340 views • 30 slides
Modular Program and Modular Design for LARP Quadrupoles A research program and magnet design

Modular Program and Modular Design for LARP Quadrupoles A research program and magnet design

Superconducting Magnet Division Modular Program and Modular Design for LARP Quadrupoles A research program and magnet design based on flat racetrack coil modules Ramesh Gupta May 4, 2005 (Revised June 14, 2005) Ramesh Gupta, BNL Modular

478 views • 26 slides
On the generators of a certain algebra of q-multiple zeta values Ulf Khn - Universitt of

On the generators of a certain algebra of q-multiple zeta values Ulf Khn - Universitt of

On the generators of a certain algebra of q-multiple zeta values Ulf Khn - Universitt of Hamburg Zeta Values, Modular Forms and Elliptic Motives II ICMAT Madrid, December 5, 2014 joint work with Henrik Bachmann 1 / 34 2 / 34 0 Multiple

844 views • 34 slides

More recommend