SLIDE 1

Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis

Christophe Negre

joint work with T. Plantard (U. of Wollongong, Australia)

Journees Nationales GDR IM, January 19th, 2016

1 / 39

SLIDE 2

Outline

1. Regular exponentiation in the RSA cryptosystem: RSA encryption; simple power analysis; proposed counter-measure
2. Extension to hyperelliptic curves: Diffie-Hellman key exchange; elliptic curves; hyperelliptic curves; proposed regular scalar multiplication
3. Differential power analysis and counter-measures: differential power analysis; counter-measures
4. Conclusion

2 / 39


SLIDE 6

RSA encryption

Public key: a modulus N = pq and a public exponent e. Private key: the exponent d satisfying ed ≡ 1 mod (p − 1)(q − 1).

  • Encryption. A message m ∈ {0, . . . , N − 1} is encrypted as c = m^e mod N.

  • Decryption. A ciphertext c ∈ {0, . . . , N − 1} is decrypted as m = c^d mod N. This is correct since gcd(m, N) = 1 ⇒ m^{(p−1)(q−1)} ≡ 1 mod N.

5 / 39


SLIDE 8

Square-and-multiply exponentiation

Let e = (e_{ℓ−1}, . . . , e_0)_2. We compute m^e mod N as follows:

    r ← 1
    for i from ℓ − 1 downto 0 do
        r ← r^2 mod N
        r ← r × m^{e_i} mod N
    end for
    return r

Init.: r = 1
Loop 1: 1^2 × m^{e_{ℓ−1}}
Loop 2: (m^{e_{ℓ−1}})^2 m^{e_{ℓ−2}} = m^{2e_{ℓ−1} + e_{ℓ−2}}
Loop 3: (m^{2e_{ℓ−1} + e_{ℓ−2}})^2 m^{e_{ℓ−3}} = m^{4e_{ℓ−1} + 2e_{ℓ−2} + e_{ℓ−3}}
Etc.

6 / 39


SLIDE 10

Simple power analysis

Figure: power consumption of a circuit computing m^e mod N, with the squaring and multiplication operations marked on the trace.

8 / 39

SLIDE 11

Counter-measure of the literature: square-always

Re-express multiplications as squarings: ab = ((a + b)^2 − a^2 − b^2)/2

Square-always (Clavier et al. 2011)

    r ← 1
    m′ ← m^2 mod N
    for i from ℓ − 1 downto 0 do
        r ← r^2 mod N
        if e_i = 1 then
            r ← ((r + m)^2 − m′ − r^2)/2 mod N
        end if
    end for
    return r

Cost = 3ℓ/2 squarings. Drawback: non-constant computation time.

9 / 39

SLIDE 12

Counter-measure of the literature: square-and-multiply-always

Renders the exponentiation regular and constant time.

Square-and-multiply-always (Coron 99)

    r ← 1
    for i from ℓ − 1 downto 0 do
        r ← r^2 mod N
        if e_i = 1 then
            r ← r × m mod N
        else
            r′ ← r × m mod N
        end if
    end for
    return r

Cost = ℓ multiplications and ℓ squarings.

10 / 39
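The three loops of slides 8, 11 and 12 side by side, as an added example that is not code from the talk: each function returns the result together with the sequence of squarings (S) and multiplications (M) it performed, which is exactly the pattern simple power analysis reads off a trace.

```python
def square_and_multiply(m, e, N):
    """Plain square-and-multiply (slide 8). Returns (m^e mod N, op trace):
    the S/M pattern of the trace spells out the exponent, which is what SPA reads."""
    r, ops = 1, []
    for bit in bin(e)[2:]:                 # e_{l-1} down to e_0
        r = r * r % N
        ops.append("S")
        if bit == "1":
            r = r * m % N
            ops.append("M")
    return r, "".join(ops)


def square_always(m, e, N):
    """Square-always (Clavier et al. 2011): the multiplication by m is rewritten
    as ((r + m)^2 - m^2 - r^2) / 2, so the trace contains squarings only.
    Its length still depends on the Hamming weight of e (non-constant time)."""
    inv2 = pow(2, -1, N)                   # division by 2 modulo an odd N
    m_sq = m * m % N                       # m' = m^2 mod N, computed once
    r, ops = 1, []
    for bit in bin(e)[2:]:
        r = r * r % N
        ops.append("S")
        if bit == "1":
            # (r + m)^2 - m' - r^2 = 2 r m (mod N): two more squarings, no multiplication
            r = ((r + m) * (r + m) - m_sq - r * r) * inv2 % N
            ops.append("SS")
    return r, "".join(ops)


def square_and_multiply_always(m, e, N):
    """Square-and-multiply-always (Coron 99): one squaring and one multiplication
    per bit, the multiplication result being discarded into a dummy register
    when e_i = 0. The trace is 'SM' repeated l times whatever e is."""
    r, dummy, ops = 1, 1, []
    for bit in bin(e)[2:]:
        r = r * r % N
        t = r * m % N                      # always performed
        ops.append("SM")
        if bit == "1":                     # a real implementation selects without branching
            r = t
        else:
            dummy = t
    return r, "".join(ops)
```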


SLIDE 18

Proposed counter-measure

Strategy: multiplicative splitting of m, i.e. m = m_0^{-1} × m_1 mod N with m_0, m_1 ≅ √N.

    r ← m_0^{-1}
    for i from ℓ − 1 downto 0 do
        if e_i = 0 then
            r ← r^2 × m_0
        else
            r ← r^2 × m_1
        end if
    end for
    r ← r × m_0
    return r

Correctness: at the beginning of loop i, r = m^α × m_0^{-1}.
If e_i = 0: r^2 × m_0 = m^{2α} m_0^{-1}.
If e_i = 1: r^2 × m_1 = (m^{2α} m_1 m_0^{-1}) × m_0^{-1} = m^{2α+1} m_0^{-1}.
After loop i: r = m^{2α + e_i} × m_0^{-1}.

12 / 39


SLIDE 23

Euclidean algorithm. Principle.

Let a, b ∈ ℕ with a ≥ b ≥ 0. Then gcd(a, b) = gcd(a − qb, b) for all q ∈ ℤ.

Sequence of modular reductions:
    r_0 ← a
    r_1 ← b
    r_2 ← r_0 mod r_1
    r_3 ← r_1 mod r_2
    . . .
    r_i ← r_{i−2} mod r_{i−1}
    . . .
gcd(a, b) is the last r_i ≠ 0.

Extended Euclidean algorithm

Compute u and v such that ua + vb = gcd(a, b) as follows:

1. We set: u_0 = 1, v_0 = 0 and u_1 = 0, v_1 = 1.

2. We iterate (each line is the line two above it minus q_i times the line just above it, the × (−q_i) annotation):
    u_0 a + v_0 b = r_0
    u_1 a + v_1 b = r_1      × (−q_1)
    u_2 a + v_2 b = r_2      × (−q_2)
    u_3 a + v_3 b = r_3      × (−q_3)
    u_4 a + v_4 b = r_4      × (−q_4)
    . . .

13 / 39


SLIDE 28

Multiplicative splitting of m

We have m and N and we want m = m_0^{-1} × m_1 mod N with m_0, m_1 ≅ √N. The extended Euclidean algorithm applied to m and N computes, at each step i, a remainder r_i and coefficients u_i, v_i with u_i m + v_i N = r_i.

Figure: sizes of r_i and v_i (relative to m) and of u_i (relative to N) after iteration i.

We stop when u_i, r_i ≅ N^{1/2}: u_i m + v_i N = r_i ⇒ m = u_i^{-1} × r_i mod N, and m_0 = u_i and m_1 = r_i are good!

14 / 39
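The half-size splitting of slide 28 feeding the regular loop of slide 18, as an added example that is not code from the talk. The handling of a negative Euclidean coefficient u_i (a final conditional negation, valid for an RSA private exponent because its parity is public: d is odd) is this example's own choice and is not something the slides discuss.

```python
from math import isqrt


def half_size_split(m, N):
    """Multiplicative splitting m = (+/-) m0^{-1} * m1 (mod N) with m0, m1 <= sqrt(N).
    Runs the extended Euclidean algorithm on (N, m), tracking only the coefficient
    u_i of m (u_i*m + v_i*N = r_i; v_i is never needed), and stops at the first
    remainder r_i <= sqrt(N). Returns (m0, m1, negative) with m0 = |u_i|,
    m1 = r_i and negative = (u_i < 0)."""
    bound = isqrt(N)
    r_prev, r = N, m % N            # r_0 = N, r_1 = m
    u_prev, u = 0, 1                # u_0 = 0, u_1 = 1
    while r > bound:
        q = r_prev // r
        r_prev, r = r, r_prev - q * r
        u_prev, u = u, u_prev - q * u
    if r == 0 and m % N:            # gcd(m, N) > sqrt(N): m shares a factor with N
        raise ValueError("m is not invertible modulo N")
    # r_{i-1} > sqrt(N) and |u_i| * r_{i-1} <= N, hence |u_i| < sqrt(N)
    return abs(u), r, u < 0


def regular_modexp(m, e, N):
    """Slide 18 loop: every iteration is one squaring followed by one multiplication
    by a half-size operand (m0 or m1), whichever bit is processed."""
    m0, m1, negative = half_size_split(m, N)
    r = pow(m0, -1, N)              # r = m0^{-1}
    for bit in bin(e)[2:]:          # e_{l-1} down to e_0
        operand = (m0, m1)[int(bit)]    # constant-time select in a real implementation
        r = r * r % N * operand % N
    r = r * m0 % N
    # If u_i < 0 then m = -m0^{-1} * m1, so the loop computed (-m)^e = (-1)^e m^e.
    # For an RSA private exponent the parity is public (d is odd), so this is not
    # a secret-dependent branch.
    if negative and e & 1:
        r = (-r) % N
    return r
```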

SLIDE 29

Complexity comparison

Exponent of size ℓ bits. Integers modulo N on t computer words. Multiplication/squaring in O(t^2).

    Property      Algorithm                 #word op.           Timing in 10^3 CC
                                                                2040 bits   3070 bits
    None          Square-and-multiply       7.5ℓt^2 + O(ℓt)     14201       46287
    Reg.          Multiply-always           9ℓt^2 + O(ℓt)       16178       52171
    Reg.          Square-always             9ℓt^2 + O(ℓt)       18020       58766
    Reg. and CT   Square-and-mult-always    10.5ℓt^2 + O(ℓt)    19738       63292
    Reg. and CT   Montgomery-ladder         10.5ℓt^2 + O(ℓt)    21803       70389
    Reg. and CT   Montgomery-ladder opt.    9ℓt^2 + O(ℓt)       18124       57401
    Reg. and CT   Proposed                  7.5ℓt^2 + O(ℓt)     15203       47540

  • Reg. = Regular and CT = Constant time.

15 / 39


SLIDE 38

Diffie-Hellman key exchange

Alice and Bob agree on a group (G, +, O) and a generating point P of the group.

    Alice                              Bob
    a ← random()                       b ← random()
    computes A = a · P                 computes B = b · P
    sends A  ───────────────────────►
             ◄───────────────────────  sends B
    computes K = a · B                 computes K = b · A

Shared secret key K = a · b · P

Discrete log problem: given A in ⟨P⟩, find a such that A = a · P.

The main operation is the scalar multiplication a · P.

18 / 39


SLIDE 42

Group law for an elliptic curve y^2 = x^3 − 2x + 1

Figure: the chord through P = (x_P, y_P) and Q = (x_Q, y_Q) gives R = P + Q; the tangent at P gives R = 2P.

Addition (chord): x_R = λ^2 − x_P − x_Q, y_R = −y_P − λ(x_R − x_P), with λ = (y_P − y_Q)/(x_P − x_Q).

Doubling (tangent).

20 / 39


SLIDE 46

Scalar multiplication: k · P

Figure: the successive points P, 2P, 3P, 6P, 7P on the curve.

Double-and-add for k · P:
    R ← O
    for i = ℓ − 1 to 0 do
        R ← 2 · R
        if k_i = 1 then
            R ← R + P
        end if
    end for
    return R

Scalar multiplication example, 7P:
    2P = 2 · P
    3P = (2P) + P
    6P = 2 · (3P)
    7P = (6P) + P

21 / 39


SLIDE 54

Hyperelliptic curve H : y^2 = x^5 − 5x^3 + 4x

Figure: the points P_0, P_1, P_2, P_3, Q_0, Q_1 on H, the cubic C through the P_i, and the reflected points Q̄_0, Q̄_1.

Group elements: a pair of points D = P_0 + P_1 on H, encoded as
    u(x) = (x − x_0)(x − x_1)
    v(x) = x^2 + v_1 x + v_0 such that v(x_0) = y_0 and v(x_1) = y_1

Addition of D = P_0 + P_1 and D′ = P_2 + P_3:

◮ Let C be the curve going through all the P_i: C : y = w_3 x^3 + w_2 x^2 + w_1 x + w_0.

◮ H ∩ C = {P_0, P_1, P_2, P_3, Q_0, Q_1}.

◮ D + D′ = Q̄_0 + Q̄_1 (the reflections of Q_0 and Q_1 across the x-axis).

23 / 39


SLIDE 58

Scalar multiplication on H with half-size splitting

Proposed regular scalar multiplication k · D

    while IsIrreducible(u(x)) do
        D ← 2 · D
        k ← k/2 mod #⟨D⟩
    end while
    Factorize u(x) = (x − x_0)(x − x_1)
    D_0 ← (x − x_0, v(x_0)), D_1 ← (x − x_1, v(x_1))
    R ← −D_0
    for i = ℓ − 1 to 0 do
        R ← 2 · R
        if k_i = 0 then
            R ← R + D_0
        else
            R ← R + D_1
        end if
    end for
    R ← R + D_0
    return R

25 / 39

SLIDE 62

Factorization of u(x) = x^2 + u_1 x + u_0

We work in the field F_p = ℤ/pℤ and use

    u(x) = (x − (−u_1 + √∆)/2)(x − (−u_1 − √∆)/2), where ∆ = u_1^2 − 4u_0.

IsIrreducible:

1. Test whether ∆ is a square with the Jacobi symbol: (∆/p) = 1 if ∆ is a square, −1 if ∆ is not a square.

2. Jacobi symbol computation: write ∆ = 2^α ∆′ with ∆′ odd, so that (∆/p) = (2/p)^α × (∆′/p), and then use, for a and b odd, (a/b) = (−1)^{(a−1)(b−1)/4} × (b mod a / a).

Square root computation: if p ≡ 3 mod 4 then √∆ = ∆^{(p−3)/4 + 1} mod p. For other kinds of p ⇒ an exponentiation + a few squarings.

26 / 39
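The IsIrreducible test and the factorization of u(x) = x^2 + u_1 x + u_0 over F_p as slide 62 lays them out, as an added example that is not the talk's code: Jacobi symbol via the 2-extraction and reciprocity rules, square root by ∆^{(p−3)/4+1} for p ≡ 3 mod 4 (other p are deliberately left unimplemented here). The primes and polynomials in the test are constructed.

```python
def jacobi(a, p):
    """Jacobi symbol (a/p) for odd p > 0, computed as on the slide: pull out the
    factors of 2 using (2/p), then apply the reciprocity rule for odd a, b:
    (a/b) = (-1)^((a-1)(b-1)/4) * (b mod a / a)."""
    a %= p
    result = 1
    while a != 0:
        while a % 2 == 0:               # a = 2^alpha * a' with a' odd
            a //= 2
            if p % 8 in (3, 5):         # (2/p) = -1 exactly when p = 3, 5 (mod 8)
                result = -result
        a, p = p, a                     # reciprocity: (a/p) -> (p mod a / a)
        if a % 4 == 3 and p % 4 == 3:   # the (-1)^((a-1)(b-1)/4) factor
            result = -result
        a %= p
    return result if p == 1 else 0      # p > 1 here means gcd(a, p) > 1


def is_irreducible(u1, u0, p):
    """u(x) = x^2 + u1 x + u0 is irreducible over F_p iff Delta = u1^2 - 4 u0 is a non-square."""
    return jacobi((u1 * u1 - 4 * u0) % p, p) == -1


def sqrt_mod_p(delta, p):
    """Square root for p = 3 (mod 4): sqrt(Delta) = Delta^((p-3)/4 + 1) mod p.
    Other p need an extra routine (Tonelli-Shanks), not implemented in this example."""
    if p % 4 != 3:
        raise NotImplementedError("only p = 3 (mod 4) is handled in this example")
    return pow(delta, (p - 3) // 4 + 1, p)


def factor_quadratic(u1, u0, p):
    """Return the roots (x0, x1) of u(x) = x^2 + u1 x + u0 over F_p, or None if
    irreducible, using u(x) = (x - (-u1 + sqrt(Delta))/2)(x - (-u1 - sqrt(Delta))/2)."""
    delta = (u1 * u1 - 4 * u0) % p
    if jacobi(delta, p) == -1:
        return None
    s = sqrt_mod_p(delta, p)
    inv2 = pow(2, -1, p)                # division by 2 in F_p
    x0 = (-u1 + s) * inv2 % p
    x1 = (-u1 - s) * inv2 % p
    return tuple(sorted((x0, x1)))
```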

SLIDE 63

Complexity comparison for scalar multiplication on H(F_p)

    Regular scalar multiplication    Op. formula                  Cost
    Montgomery-ladder (Kummer)       Duquesne                     ℓ(62M + 4S)
    Double-and-add-always            Costello-Hisil               ℓ(52M + 11S)
    Proposed                         Costello-Hisil + Proposed    ℓ(49M + 9S) + O(1)

M = Multiplication, S = Squaring, ℓ is the bit length of k.

27 / 39


SLIDE 72

Differential power analysis: principle

Figure: eight traces data1 . . . data8, each labelled with the value of the targeted bit b under the hypothesis (data1: b=1, data2: b=0, data3: b=0, data4: b=1, data5: b=1, data6: b=0, data7: b=0, data8: b=1). The traces are sorted into the two groups "Guess b = 1" and "Guess b = 0" and the differential (Σ blue traces) − (Σ red traces) is plotted.

30 / 39


SLIDE 76

Differential power analysis: real life

Figure: the exponentiation of m unrolled loop by loop: loop 1 (e_1 = 1) gives r_1, loop 2 (e_2 = 0) gives r_2, loop 3 (e_3 = 1) gives r_3, loop 4 (e_4 = 0) gives r_4; for loop 5 the bit e_5 is unknown, giving r_5 under the hypothesis e_5 = 0 and r′_5 under e_5 = 1. Traces trace 1, trace 2, trace 3, . . . , trace L are collected.

Differentials: the differential for the correct guess shows a peak, the one for the wrong guess does not.

31 / 39


SLIDE 82

Counter-measures to DPA: message blinding

Approach 1: pick a random α ∈ [1, N], set β = (α^e)^{-1} mod N, m′ = m × α mod N and c = m′^e × β mod N.

Approach 2:

◮ Montgomery multiplication:
    q ← −a × b × N^{-1} mod M
    r ← (a × b + q × N)/M
  which satisfies r ≡ a × b × M^{-1} mod N.

◮ Montgomery representation: ã = aM mod N leads to ã × b × M^{-1} mod N = ab mod N ⇒ randomized M with the residue number system.

33 / 39

SLIDE 83

Exponent randomization (Coron 99)

We have φ = (p − 1)(q − 1) and N = pq an RSA integer; then m^{d + α·φ} mod N = m^d mod N for all α ∈ ℕ. Likewise, with φ = #E(F_q) for an (hyper)elliptic curve and P ∈ E(F_q), (d + αφ) · P = d · P for all α ∈ ℕ. Coron in 1999 proposed to randomise an exponent d as d + αφ with α ∈ {0, 1}^20.

34 / 39
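The DPA counter-measures of slides 82 and 83 on a constructed toy RSA key, as an added example that is not the talk's code: message blinding, Montgomery multiplication with a fresh random M per run (a plain random coprime M stands in for the residue-number-system choice the talk mentions), and Coron's exponent randomization.

```python
import secrets
from math import gcd

# Constructed toy RSA key (two Mersenne primes; for illustration only, not a real key size).
P, Q = 2**61 - 1, 2**89 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)


def blinded_modexp(m, e, n):
    """Approach 1 (message blinding): pick a random alpha, beta = (alpha^e)^-1,
    exponentiate m' = m*alpha and unblind with beta. The exponentiation never
    sees m itself, so intermediate values cannot be predicted from m."""
    alpha = secrets.randbelow(n - 1) + 1                  # alpha in [1, N-1]
    while gcd(alpha, n) != 1:
        alpha = secrets.randbelow(n - 1) + 1
    beta = pow(pow(alpha, e, n), -1, n)                   # a second exponentiation; real code amortises it
    m_blind = m * alpha % n
    return pow(m_blind, e, n) * beta % n


def montgomery_mul(a, b, n, M):
    """Slide 82: q = -a*b*N^-1 mod M, r = (a*b + q*N)/M, so r = a*b*M^-1 (mod N).
    Requires gcd(M, N) = 1; with M > N the quotient r is below 2N."""
    q = (-a * b * pow(n, -1, M)) % M
    r = (a * b + q * n) // M                              # exact division: a*b + q*n = 0 mod M
    return r % n


def random_montgomery_constant(n):
    """Approach 2: a fresh M coprime to N for each run. The talk draws M from a
    residue number system; here a random odd M in (N, 2N) stands in for it."""
    while True:
        M = secrets.randbelow(n) + n + 1
        if gcd(M, n) == 1:
            return M


def montgomery_modexp(m, e, n, M):
    """Square-and-multiply carried out entirely on Montgomery representations
    a~ = a*M mod N: every intermediate value is scaled by the random M, so the
    same (m, e) yields different intermediate values on each run."""
    m_bar = m * M % n
    r_bar = M % n                                         # 1 in Montgomery form
    for bit in bin(e)[2:]:
        r_bar = montgomery_mul(r_bar, r_bar, n, M)
        if bit == "1":                                    # regularity is a separate concern (slide 18)
            r_bar = montgomery_mul(r_bar, m_bar, n, M)
    return montgomery_mul(r_bar, 1, n, M)                 # r~ * 1 * M^-1 = r, leaves Montgomery form


def randomized_exponent(d, phi, bits=20):
    """Coron 99: d' = d + alpha*phi with a random 20-bit alpha; m^d' = m^d (mod N)."""
    return d + secrets.randbits(bits) * phi
```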

SLIDE 84

Problem can arise (Ciet-Joye 2003):

The NIST B233 curve has order φ with

φ = (10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100111110100101110100111001110010111110001010011010010010001000000011000111010010011000000011110011111110000011010111)_2

Then if we compute α · φ with α of 20 bits we get

α · φ = (∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗ 00 . . . 0 ∗∗ . . . ∗)_2,

that is, 20 unknown high bits, then the long run of zeros of φ, then unknown low bits.

In d + α · φ a big part of the bits of d are not blinded.

35 / 39


SLIDE 87

Randomisation with signed representation

Signed recoding (Ha-Moon 2002):

◮ Let 1̄ = −1; then we have 1000001 = 100001 1̄ = 10001 1̄ 1̄ = 1001 1̄ 1̄ 1̄ = . . .

◮ k = Σ_{i=0}^{ℓ−1} k_i 2^i can be recoded as k = Σ_{i=0}^{ℓ−1} k′_i 2^i with k′_i ∈ {0, 1, 1̄}, and there are 3^ℓ/2^ℓ such recodings on average.

Bad recoding (Fouque et al. 2004): let P_j = (k_0, . . . , k_j)_2 · P and P′_j = (k′_0, . . . , k′_j)_2 · P; then we have P′_j = P_j or P′_j = P_j − 2^j P.

36 / 39


SLIDE 89

Conclusion

We proposed a half-size splitting approach which works well for regular modular exponentiation and for regular scalar multiplication on hyperelliptic curves, but not so well on elliptic curves.

Some challenges remain to counteract side-channel analysis:

  • Good randomizations.

  • The threat of horizontal attacks, which apply DPA techniques to a single trace. This requires injecting randomisation all along the computation, without too much penalty.

38 / 39

SLIDE 90

Thank you for your attention. Any questions?

39 / 39