algorithm for rsa and hyperelliptic curve cryptosystems
play

Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to - PowerPoint PPT Presentation

Mar 01, 2023 •240 likes •1.15k views

Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis Christophe Negre ici joined work with T. Plantard (U. of Wollongong, Australia) Journees Nationales GDR IM January 19-th, 2016 1 / 39 Outline Regular

  1. Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis Christophe Negre ici joined work with T. Plantard (U. of Wollongong, Australia) Journees Nationales GDR IM January 19-th, 2016 1 / 39

  2. Outline Regular exponentiation in RSA cryptosystem 1 RSA encryption Simple power analysis Proposed counter-measure Extension to Hyper-elliptic curve 2 Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication Differential power analysis and counter-measures 3 Differential power analysis Counter-measures Conclusion 4 2 / 39

  3. Outline Regular exponentiation in RSA cryptosystem 1 RSA encryption Simple power analysis Proposed counter-measure Extension to Hyper-elliptic curve 2 Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication Differential power analysis and counter-measures 3 Differential power analysis Counter-measures Conclusion 4 3 / 39

  4. Outline Regular exponentiation in RSA cryptosystem 1 RSA encryption Simple power analysis Proposed counter-measure Extension to Hyper-elliptic curve 2 Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication Differential power analysis and counter-measures 3 Differential power analysis Counter-measures Conclusion 4 4 / 39

  5. RSA encryption Public key: a modulus N = pq and e a public exponent. Private key: the exponent d satisfying ed = 1 mod ( p − 1)( q − 1) . 5 / 39

  6. RSA encryption Public key: a modulus N = pq and e a public exponent. Private key: the exponent d satisfying ed = 1 mod ( p − 1)( q − 1) . Encryption. A message m ∈ { 0 , . . . , N − 1 } is encrypted as c = m e mod N Decryption. c ∈ { 0 , . . . , N − 1 } is decrypted m = c d mod N Correct since: gcd( m , N ) = 1 ⇒ m ( p − 1)( q − 1) ≡ 1 mod N 5 / 39

  7. Square-and-multiply exponentiation Let e = ( e ℓ − 1 , . . . , e 0 ) 2 , we compute m e mod N as follows r ← 1 for i from ℓ − 1 downto 0 do r ← r 2 mod N r ← r × m e i mod N end for return r 6 / 39

  8. Square-and-multiply exponentiation Let e = ( e ℓ − 1 , . . . , e 0 ) 2 , we compute m e mod N as follows r ← 1 for i from ℓ − 1 downto 0 do r ← r 2 mod N r ← r × m e i mod N end for return r Init.: r = 1 Loop 1 : 1 2 × m e ℓ − 1 Loop 2 : ( m e ℓ − 1 ) 2 m e ℓ − 2 = m 2 e ℓ − 1 + e ℓ − 2 Loop 3 : ( m 2 e ℓ − 1 + e ℓ − 2 ) 2 m e ℓ − 3 = m 4 e ℓ − 1 +2 e ℓ − 2 + e ℓ − 3 Etc. 6 / 39

  9. Outline Regular exponentiation in RSA cryptosystem 1 RSA encryption Simple power analysis Proposed counter-measure Extension to Hyper-elliptic curve 2 Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication Differential power analysis and counter-measures 3 Differential power analysis Counter-measures Conclusion 4 7 / 39

  10. Simple power analysis Consumption of a circuit computing m e mod N : squaring � = multiplication 8 / 39

  11. Counter-measure of the litterature: square-always Re-express multiplications as squarings: ab = (( a + b ) 2 − a 2 − b 2 ) / 2 Square-and-multiply-always (Clavier et al. 2011) r ← 1 m ′ ← m 2 mod N for i from ℓ − 1 downto 0 do r ← r 2 mod N if e i = 1 then r ← (( r + m ) 2 − m ′ − r 2 ) / 2 mod N end if end for return r Cost = 3 ℓ/ 2 squarings. Drawback: non constant computation time. 9 / 39

  12. Counter-measure of the litterature : square-and-multiply-always Renders the exponentiation regular and constant time. Square-and-multiply-always Coron 99 r ← 1 for i from ℓ − 1 downto 0 do r ← r 2 mod N if e i = 1 then r ← r × m mod N else r ′ ← r × m mod N end if end for return r Cost = ℓ multiplications and ℓ squarings. 10 / 39

  13. Outline Regular exponentiation in RSA cryptosystem 1 RSA encryption Simple power analysis Proposed counter-measure Extension to Hyper-elliptic curve 2 Diffie-Hellmann key exchange Elliptic curve Hyperelliptic curve Proposed regular scalar multiplication Differential power analysis and counter-measures 3 Differential power analysis Counter-measures Conclusion 4 11 / 39

  14. Proposed counter-measure Strategy: multiplicative splitting of m √ with m 0 , m 1 ∼ m = m − 1 × m 1 mod N = N 0 1: r ← m − 1 0 2: for i from ℓ − 1 downto 0 do if e i = 0 then 3: r ← r 2 × m 0 4: else 5: r ← r 2 × m 1 6: end if 7: 8: end for 9: r ← r × m 0 10: return r 12 / 39

  15. Proposed counter-measure Strategy: multiplicative splitting of m √ with m 0 , m 1 ∼ m = m − 1 × m 1 mod N = N 0 1: r ← m − 1 Correctness: 0 2: for i from ℓ − 1 downto 0 At beginning of loop i : r = m α × m − 1 do 0 if e i = 0 then 3: r ← r 2 × m 0 4: else 5: r ← r 2 × m 1 6: end if 7: 8: end for 9: r ← r × m 0 10: return r 12 / 39

  16. Proposed counter-measure Strategy: multiplicative splitting of m √ with m 0 , m 1 ∼ m = m − 1 × m 1 mod N = N 0 1: r ← m − 1 Correctness: 0 2: for i from ℓ − 1 downto 0 At beginning of loop i : r = m α × m − 1 do 0 if e i = 0 then 3: If e i = 0: r ← r 2 × m 0 4: r 2 × m 0 = m 2 α m − 1 0 else 5: r ← r 2 × m 1 6: end if 7: 8: end for 9: r ← r × m 0 10: return r 12 / 39

  17. Proposed counter-measure Strategy: multiplicative splitting of m √ with m 0 , m 1 ∼ m = m − 1 × m 1 mod N = N 0 1: r ← m − 1 Correctness: 0 2: for i from ℓ − 1 downto 0 At beginning of loop i : r = m α × m − 1 do 0 if e i = 0 then 3: If e i = 0: r ← r 2 × m 0 4: r 2 × m 0 = m 2 α m − 1 0 else 5: r ← r 2 × m 1 If e i = 1: 6: r 2 × m 1 ( m 2 α m 1 m − 1 0 ) × m − 1 = end if 7: 0 m 2 α +1 m − 1 = 8: end for 0 9: r ← r × m 0 10: return r 12 / 39

  18. Proposed counter-measure Strategy: multiplicative splitting of m √ with m 0 , m 1 ∼ m = m − 1 × m 1 mod N = N 0 1: r ← m − 1 Correctness: 0 2: for i from ℓ − 1 downto 0 At beginning of loop i : r = m α × m − 1 do 0 if e i = 0 then 3: If e i = 0: r ← r 2 × m 0 4: r 2 × m 0 = m 2 α m − 1 0 else 5: r ← r 2 × m 1 If e i = 1: 6: r 2 × m 1 ( m 2 α m 1 m − 1 0 ) × m − 1 = end if 7: 0 m 2 α +1 m − 1 = 8: end for 0 9: r ← r × m 0 After loop i : r = m 2 α + e i × m − 1 0 . 10: return r 12 / 39

  19. Euclidean algorithm. Principle. Let a , b ∈ N with a ≥ b ≥ 0 gcd( a , b ) = gcd( a − qb , b ) for all q ∈ Z . 13 / 39

  20. Euclidean algorithm. Principle. Let a , b ∈ N with a ≥ b ≥ 0 gcd( a , b ) = gcd( a − qb , b ) for all q ∈ Z . Sequence of modular reductions r 0 ← a r 1 ← b r 2 ← r 0 mod r 1 r 3 ← r 1 mod r 2 . . . r i ← r i − 2 mod r i − 1 . . . gcd ( a , b ) is the last r i � = 0. 13 / 39

  21. Extended Euclidean algorithm Euclidean algorithm. Compute u and v such that Principle. ua + vb = gcd( a , b ) Let a , b ∈ N with a ≥ b ≥ 0 as follows: gcd( a , b ) = gcd( a − qb , b ) 1 We set: u 0 = 1 , v 0 = 0 for all q ∈ Z . u 1 = 0 , v 1 = 1 Sequence of modular reductions 2 We iterate: r 0 ← a u 0 a + v 0 b = r 0 r 1 ← b u 1 a + v 1 b = r 1 × ( − q 1 ) r 2 ← r 0 mod r 1 r 3 ← r 1 mod r 2 u 2 a + v 2 b = r 2 . . . r i ← r i − 2 mod r i − 1 . . . gcd ( a , b ) is the last r i � = 0. 13 / 39

  22. Extended Euclidean algorithm Euclidean algorithm. Compute u and v such that Principle. ua + vb = gcd( a , b ) Let a , b ∈ N with a ≥ b ≥ 0 as follows: gcd( a , b ) = gcd( a − qb , b ) 1 We set: u 0 = 1 , v 0 = 0 for all q ∈ Z . u 1 = 0 , v 1 = 1 Sequence of modular reductions 2 We iterate: r 0 ← a u 0 a + v 0 b = r 0 r 1 ← b u 1 a + v 1 b = r 1 × ( − q 1 ) r 2 ← r 0 mod r 1 r 3 ← r 1 mod r 2 u 2 a + v 2 b = r 2 × ( − q 2 ) . . . u 3 a + v 3 b = r 3 r i ← r i − 2 mod r i − 1 . . . gcd ( a , b ) is the last r i � = 0. 13 / 39

  23. Extended Euclidean algorithm Euclidean algorithm. Compute u and v such that Principle. ua + vb = gcd( a , b ) Let a , b ∈ N with a ≥ b ≥ 0 as follows: gcd( a , b ) = gcd( a − qb , b ) 1 We set: u 0 = 1 , v 0 = 0 for all q ∈ Z . u 1 = 0 , v 1 = 1 Sequence of modular reductions 2 We iterate: r 0 ← a u 0 a + v 0 b = r 0 r 1 ← b u 1 a + v 1 b = r 1 × ( − q 1 ) r 2 ← r 0 mod r 1 r 3 ← r 1 mod r 2 u 2 a + v 2 b = r 2 × ( − q 2 ) . . . u 3 a + v 3 b = r 3 × ( − q 3 ) r i ← r i − 2 mod r i − 1 . . . u 4 a + v 4 b = r 4 × ( − q 4 ) gcd ( a , b ) is the last r i � = 0. . . . 13 / 39

  24. Multiplicative splitting of m We have m and N and we want √ mod N with m 0 , m 1 ∼ m = m − 1 × m 1 = N 0 Extended Euclidean algorithm computes m r 0 N v 0 u 0 14 / 39

  25. Multiplicative splitting of m We have m and N and we want √ mod N with m 0 , m 1 ∼ m = m − 1 × m 1 = N 0 Extended Euclidean algorithm computes m r 1 N v 1 u 1 14 / 39

  26. Multiplicative splitting of m We have m and N and we want √ mod N with m 0 , m 1 ∼ m = m − 1 × m 1 = N 0 Extended Euclidean algorithm computes m r 2 N v 2 u 2 14 / 39

  27. Multiplicative splitting of m We have m and N and we want √ mod N with m 0 , m 1 ∼ m = m − 1 × m 1 = N 0 Extended Euclidean algorithm computes m r 3 N v 3 u 3 14 / 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd , 2003 M.Katagi, I.Kitamura, T.Akishita, and T. Takagi(*) Sony Corporation (*)Technische Universitaet Darmstadt Introduction Optimization of

229 views • 5 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the communication - all cryptosystems we discussed so far - also called: symmetric-key cryptosystems Public-key cryptosystems (Chapter 6) : - what to do if

281 views • 4 slides
Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve Cryptography Nicolas Thriault ntheriau@fields.utoronto.ca Fields Institute Discrete Logarithms Suppose that G = a , an additive group of order

230 views • 21 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago & energy (gas

1.07k views • 76 slides
Hardware Arithmetic Units and Cryptoprocessors for Hyperelliptic Curve Cryptography Gabriel

Hardware Arithmetic Units and Cryptoprocessors for Hyperelliptic Curve Cryptography Gabriel

Hardware Arithmetic Units and Cryptoprocessors for Hyperelliptic Curve Cryptography Gabriel GALLIN CNRS IRISA Univ. Rennes 1 November 29 th , 2018 Ph.D. supervised by Arnaud TISSERAND, CNRS Lab-STICC Introduction 1 HTMM

591 views • 40 slides
Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

839 views • 52 slides
Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs marc.joye@thomson.net CryptoPuces 2009 Porquerolles, June 26, 2009 Outline Elliptic Curve Cryptography Inducing Faults Fault Attacks Countermeasures

363 views • 24 slides
Abel-Jacobi map on complex hyperelliptic curves Pascal Molin CARAMEL, Loria Nancy june 2011

Abel-Jacobi map on complex hyperelliptic curves Pascal Molin CARAMEL, Loria Nancy june 2011

Abel-Jacobi map on complex hyperelliptic curves Pascal Molin CARAMEL, Loria Nancy june 2011 Hyperelliptic curve 2 g + 1 C : y 2 = ( x a i ) i = 1 Riemann surface with two sheets. a i = branch points. color = argument of y

733 views • 28 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems Asiacrypt 2003,

A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems Asiacrypt 2003,

A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems Asiacrypt 2003, Taipei Kaoru Kurosawa 1 , Katja Schmidt-Samoa 2 , Tsuyoshi Takagi 2 1 Ibaraki University 2 Technische Universit at Darmstadt A Complete and

408 views • 39 slides
The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point counting David R. Kohel School of Mathematics and Statistics University of Sydney I Elliptic Curves in Cryptography An elliptic curve E/ F p r for

415 views • 18 slides
Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s

Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s

Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s Many important and storied examples. See: http://users.telenet.be/d.rijmenants/ Jim Royer Well talk about just one in detail: the one-time pad .

250 views • 6 slides
High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working systems Daniel J. Bernstein Cryptanalytic University of Illinois at Chicago & algorithm designers Technische Universiteit Eindhoven Unbroken

1.49k views • 145 slides
Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on Elliptic and Hyperelliptic Curve Cryptography 16 September 2008 What is an elliptic curve? (1) An elliptic curve E over a field k in Weierstra

298 views • 25 slides
Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric cryptosystems Computer Security Digital signatures January 30, 2006 Digital hashes Key recovery cryptosystems Lecture 4 Lecture 4 Page 1 Page

358 views • 11 slides
Public Key (RSA) Encryption Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech

Public Key (RSA) Encryption Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech

Overview Needed Theorems RSA Encryption Public Key (RSA) Encryption Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University, College of Engineering and Science Public Key (RSA) Encryption Overview Needed Theorems RSA

1.62k views • 137 slides
RSA lect 2.oo3 CS 70, March 10, 2005 review from Tuesday RSA algorithm proof observation:

RSA lect 2.oo3 CS 70, March 10, 2005 review from Tuesday RSA algorithm proof observation:

RSA lect 2.oo3 CS 70, March 10, 2005 review from Tuesday RSA algorithm proof observation: there are enough primes to make it relatively easy to find two of them; there are approximately x/(ln x) primes between 1 and x 1 in 20 SIDs are prime

57 views • 3 slides
RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bobs secret key K to two parts: K E , to be used for encrypting messages to Bob. K D , to be used for

482 views • 32 slides
Exercise: Encrypting and Decrypting with RSA In this exercise, you will encrypt and decrypt

Exercise: Encrypting and Decrypting with RSA In this exercise, you will encrypt and decrypt

Exercise: Encrypting and Decrypting with RSA In this exercise, you will encrypt and decrypt numbers using a simple version of the RSA algorithm. Each team should have two members. Each team-member should complete the exercise as Bob, then pass

228 views • 4 slides
Implementing RLWE-based Schemes Using an RSA Co-Processor Martin R. Albrecht 1 , Christian Hanser

Implementing RLWE-based Schemes Using an RSA Co-Processor Martin R. Albrecht 1 , Christian Hanser

Implementing RLWE-based Schemes Using an RSA Co-Processor Martin R. Albrecht 1 , Christian Hanser 2 , Andrea Hoeller 2 , oppelmann 3 , Fernando Virdia 1 , Andreas Wallner 2 Thomas P 1 Information Security Group, Royal Holloway, University of

726 views • 53 slides
HOST RSA ECE 495/595 RSA (material drawn from Avi Kak (kak@purdue.edu) Lecture 12, Lecture

HOST RSA ECE 495/595 RSA (material drawn from Avi Kak (kak@purdue.edu) Lecture 12, Lecture

HOST RSA ECE 495/595 RSA (material drawn from Avi Kak (kak@purdue.edu) Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto. protocols The RSA algorithm is based on the following property of positive

530 views • 19 slides
Exporting Non- Exportable RSA Keys March 18, 2011 Jason Geffner Principal Security Consultant

Exporting Non- Exportable RSA Keys March 18, 2011 Jason Geffner Principal Security Consultant

NGS Secure Black Hat Europe 2011 Exporting Non- Exportable RSA Keys March 18, 2011 Jason Geffner Principal Security Consultant & Account Manager jason.geffner@ngssecure.com NCC Group Plc, Manchester Technology Centre, Oxford Road,

934 views • 34 slides
Cryptography Intro and RSA Well, a gentle intro to cryptography, followed by a description of

Cryptography Intro and RSA Well, a gentle intro to cryptography, followed by a description of

Cryptography Intro and RSA Well, a gentle intro to cryptography, followed by a description of public key crypto and RSA. Fall 2018 CS 222: Discrete Structures 1 Definition Cryptology is the study of secret writing Concerned with

681 views • 54 slides

More recommend