  1. Breaking Randomized Mixed-Radix Scalar Multiplication Algorithms
     Jérémie Detrey¹, Laurent Imbert²
     ¹ LORIA, Inria, CNRS, Univ. Lorraine, Nancy, France
     ² LIRMM, CNRS, Univ. Montpellier, France
     Latincrypt 2019, Santiago de Chile, Oct. 2, 2019

  2-4. Context
     Side-channel attacks and countermeasures for elliptic curve scalar multiplication:
     k, P ↦ [k]P = P + P + ··· + P
     Randomization strategies
     ◮ scalar blinding, point/coordinates randomization
     ◮ randomized algorithms. Idea: use a different, randomly selected addition chain for each scalar multiplication.
       ◮ Ex: binary signed-digit recodings [Oswald, Aigner'01], [Ha, Moon'02]: failures (both were subsequently broken).
       ◮ Covering Systems of Congruences [Guerrini, Imbert, Winterhalter'17]

  5. Today's talk
     ◮ Covering systems of congruences
     ◮ Full key recovery
     ◮ A regular and constant-time generalization
     ◮ A (virtual) template attack

  6-8. Covering Systems of Congruences
     A covering system of congruences (CSC) is a finite set of congruences S = { r_i mod m_i }_i such that every integer satisfies at least one of them.
     Example 1: binary decomposition
       0 (mod 2), 1 (mod 2)   (covers 0 and 1, hence every integer, each exactly once)
     Binary aka double-and-add algorithm: k ≡ r mod 2 ⇒ [k]P = [2]Q + [r]P, where Q = [(k − r)/2]P
     Not redundant ⇒ non-randomizable
     Example 2: multiple moduli
       0 (mod 2), 0 (mod 3), 1 (mod 4), 1 (mod 6), −1 (mod 12)   (covers 0..11; 0, 1, 6 and 9 are covered twice, the others once)
     k ≡ r mod m ⇒ [k]P = [m]Q + [r]P, where Q = [(k − r)/m]P
     Redundant but not uniform

  9. Exact Coverings
     A CSC is an n-cover if every integer is covered at least n times. It is an exact n-cover if every integer is covered exactly n times.
     Example: an exact 2-cover (lcm 24; every integer in 0..23 is covered exactly twice)
       1 (mod 2)
       2 (mod 4), 3 (mod 4)
       0 (mod 6), 2 (mod 6), 4 (mod 6)
       0 (mod 8), 1 (mod 8), 4 (mod 8), 5 (mod 8)
     Redundant and uniform

  10. A CSC-based Randomized Algorithm
     Input: S an exact n-cover, ℓ = lcm(m_1, ..., m_|S|), k ∈ N, P ∈ G
     Output: Q = [k]P ∈ G
     1: if k = 0 then return O
     2: else if k = 1 then return P
     3: select r (mod m) uniformly at random among the n classes of S that cover the integers in ℓZ + k
     4: compute Q ← [(k − r)/m]P recursively
     5: return [m]Q + [r]P      # note: [r]P may be precomputed
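The algorithm above, as an added runnable example (it is not code from the talk or its authors): a Python implementation over a toy short Weierstrass curve, y² = x³ + 2x + 3 over GF(97) with base point (3, 6), both constructed for this example, using the exact 2-cover of slide 9. `cover_multiplicity` checks the exact-cover property of slides 6-9 and also classifies the two non-uniform examples, `csc_mul` is the randomized algorithm with the random class choice of step 3, and `all_chains` enumerates every addition chain the randomization can pick for one scalar. The point name `O`, computing `[r]P` on the fly instead of from a table, and the optional chain-recording parameter are this example's choices.

```python
import random
from math import lcm

# Toy short Weierstrass curve y^2 = x^3 + a*x + b over GF(p), affine coordinates.
# Curve, base point and scalars are constructed for this example, not taken from the talk.
p, a, b = 97, 2, 3
O = None                                  # point at infinity

def on_curve(P):
    x, y = P
    return (y * y - x * x * x - a * x - b) % p == 0

def add(P, Q):
    """Group law P + Q, handling O, P + (-P) and doubling."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow((2 * y1) % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def double_add(n, Q):
    """Reference left-to-right double-and-add [n]Q (the non-randomizable Example 1)."""
    R = O
    for bit in bin(n)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, Q)
    return R

# Slide 9's exact 2-cover, as (r, m) pairs.
EXACT_2_COVER = [(1, 2), (2, 4), (3, 4), (0, 6), (2, 6), (4, 6),
                 (0, 8), (1, 8), (4, 8), (5, 8)]

def cover_multiplicity(cover):
    """Set of cover counts over one period lcm(m_i): {n} means an exact n-cover,
    {1} a non-redundant one (Example 1), several values a non-uniform one (Example 2)."""
    period = lcm(*(m for _, m in cover))
    return {sum(1 for r, m in cover if (k - r) % m == 0) for k in range(period)}

def csc_mul(k, P, cover, rng=random, chain=None):
    """Randomized [k]P (slide 10): pick one of the n classes covering k uniformly at
    random, recurse on (k - r)/m, then combine as [m]Q + [r]P.  If `chain` is a
    list, the chosen (r, m) pairs are appended to it, outermost step first."""
    if k == 0:
        return O
    if k == 1:
        return P
    r, m = rng.choice([(r, m) for r, m in cover if (k - r) % m == 0])
    if chain is not None:
        chain.append((r, m))
    Q = csc_mul((k - r) // m, P, cover, rng, chain)
    return add(double_add(m, Q), double_add(r, P))   # [r]P could come from a precomputed table

def all_chains(k, cover):
    """Every (r, m) sequence the randomized algorithm can follow for k: this is why a
    single scalar can leave many different traces."""
    if k <= 1:
        return {()}
    return {((r, m),) + rest
            for r, m in cover if (k - r) % m == 0
            for rest in all_chains((k - r) // m, cover)}

if __name__ == "__main__":
    P = (3, 6)
    assert on_curve(P)
    print("multiplicities:", cover_multiplicity(EXACT_2_COVER))          # {2}
    for k in (100, 1234):
        chain = []
        assert csc_mul(k, P, EXACT_2_COVER, chain=chain) == double_add(k, P)
        print(k, "computed via", chain, "out of",
              len(all_chains(k, EXACT_2_COVER)), "possible chains")
```

Every chain yields the same point, which is the whole point of the countermeasure: the leakage changes from run to run while the result does not. For k = 100 the exact 2-cover admits 7 distinct chains; the next example shows why that is not enough on its own.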

  11. Outline (next section: Full key recovery)
     Covering systems of congruences · Full key recovery · A regular and constant-time generalization · A (virtual) template attack

  12-13. Threat model
     The attacker can differentiate a doubling (D) from an addition (A).
     Execution trace: concatenation of the subtraces produced by each step [m]Q + [r]P, e.g.
       −1 (mod 6)  → [6]Q − P        → DADA
        2 (mod 12) → [12]Q + [2]P    → DADDA ([2]P precomputed)
        2 (mod 12) → [2]([6]Q + P)   → DADAD
     k = 0xfa72c39b25ecc4164d4c5ddeb506299c0941863eeee13f6d4d73fe32bfceec1f
     (the slide then shows the D/A traces produced for this k; omitted here)
     Randomization provides a huge number of traces for a given k.

  14. (Weak) security assumption
     The mapping Tr from Z to (D|A)* is not injective.
       10273 = 1 + 12(0 + 4(10 + 12(5 + 12(1 + 12·0))))   Tr(10273) = DADDADADDADADDADDDADDA
       43455 = 3 + 4(7 + 8(1 + 12(5 + 12(9 + 12·0))))     Tr(43455) = DADDADADDADADDADDDADDA
       14649 = 9 + 12(0 + 4(5 + 12(1 + 12(2 + 12·0))))    Tr(14649) = DADDADADDADADDADDDADDA
     Empirical estimate: more than 2^116 integers map to a given trace(*)
     (*) of length equal to the average length of a trace produced by 256-bit integers

  15. The mapping Tr⁻¹
     Example for u3c-48-24 (24 classes, lcm 48, an exact 3-cover); subtrace → classes (r, m) that produce it:
       D      → {(0, 2)}
       DD     → {(0, 4)}
       DDA    → {(−1, 4)}
       DDD    → {(0, 8)}
       DADA   → {(3, 6), (−1, 6), (1, 6)}
       DDAD   → {(−2, 8)}
       DDDA   → {(−1, 8), (1, 8)}
       DADAD  → {(−2, 12), (2, 12), (6, 12)}
       DADDA  → {(1, 12), (5, 12)}
       DDADA  → {(−3, 12)}
       DDADD  → {(4, 16), (−4, 16)}
       DDDAD  → {(2, 16), (−6, 16)}
       DDDDA  → {(5, 16), (−3, 16), (−5, 16), (3, 16)}

  16-25. Full key recovery algorithm (on a toy example)
     Subtraces are consumed from the end of the trace (the last, least significant step first); each one refines the congruence on k.
     T1: DDADD D DDA D DD   (split into subtraces for simplification)
       DD     →  0 (mod 4)   ⇒ k ∈ 4Z
       D      →  0 (mod 2)   ⇒ k ∈ 8Z
       DDA    → −1 (mod 4)   ⇒ k ∈ 32Z − 8
       D      →  0 (mod 2)   ⇒ k ∈ 64Z − 8
       DDADD  →  4 (mod 16)  ⇒ k ∈ 1024Z + 248
              → −4 (mod 16)  ⇒ k ∈ 1024Z − 264
     T2: DDDAD D D DDAD DD
       DD     →  0 (mod 4)   ⇒ k ∈ 4Z
       DDAD   → −2 (mod 8)   ⇒ k ∈ 32Z − 8
       D      →  0 (mod 2)   ⇒ k ∈ 64Z − 8
       D      →  0 (mod 2)   ⇒ k ∈ 128Z − 8
       DDDAD  →  2 (mod 16)  ⇒ k ∈ 2048Z + 248
              → −6 (mod 16)  ⇒ k ∈ 2048Z − 776
     Intersecting the two: both T2 candidates lie in 1024Z + 248 (−776 ≡ 248 mod 1024), so T1's candidate 1024Z − 264 is eliminated and k ∈ 2048Z + 248 ∪ 2048Z − 776.
     ◮ Pruning strategy to limit the exponential growth of partially decoded traces
     ◮ Works without preliminary splitting
     ◮ Works when [r]P is precomputed (traces then only reveal the m-values)
     ◮ Can recover the whole scalar with very few traces
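The trace model of slides 12-15 and the recovery of slides 16-25, as an added example in Python that is not the authors' code: it uses the subtrace table of slide 15 for the cover u3c-48-24 (whose 24 classes do form an exact 3-cover with lcm 48) to produce traces of the slide 10 algorithm, decodes a trace back to the set of scalars that can have produced it by consuming subtraces from the end exactly as the toy example does, and then intersects the candidate sets of several traces. It assumes that the table on slide 15 is the complete table for this cover and that the D/A string of a step depends on r (no precomputed [r]P); the decoder is a plain backtracking search without the pruning strategy the talk mentions but does not detail, and `trace_of`, `decode`, `recover` and the sample scalars are this example's names and values.

```python
import random

# Subtrace of [m]Q + [r]P for each class (r, m) of the exact 3-cover u3c-48-24,
# transcribed from the Tr^-1 table on slide 15 (24 classes, lcm 48).  Which addition
# chain each class uses (e.g. [2]([4]Q - P) for (-2, 8)) is an assumption that
# reproduces the table; only the D/A string matters below.
SUBTRACE = {
    (0, 2): "D",
    (0, 4): "DD", (-1, 4): "DDA",
    (0, 8): "DDD", (-1, 8): "DDDA", (1, 8): "DDDA", (-2, 8): "DDAD",
    (3, 6): "DADA", (-1, 6): "DADA", (1, 6): "DADA",
    (-2, 12): "DADAD", (2, 12): "DADAD", (6, 12): "DADAD",
    (1, 12): "DADDA", (5, 12): "DADDA", (-3, 12): "DDADA",
    (4, 16): "DDADD", (-4, 16): "DDADD",
    (2, 16): "DDDAD", (-6, 16): "DDDAD",
    (5, 16): "DDDDA", (-3, 16): "DDDDA", (-5, 16): "DDDDA", (3, 16): "DDDDA",
}
CLASSES = list(SUBTRACE)

def trace_of(k, rng=random):
    """One randomized execution of the slide 10 algorithm on k, as the attacker sees it:
    subtraces are emitted in execution order, so the innermost (most significant)
    step comes first and the step chosen for k itself comes last."""
    if k <= 1:
        return ""                      # k = 0 / k = 1 return O / P without any group operation
    r, m = rng.choice([(r, m) for r, m in CLASSES if (k - r) % m == 0])
    return trace_of((k - r) // m, rng) + SUBTRACE[(r, m)]

def all_traces(k):
    """Every trace k can produce (3 choices per step for an exact 3-cover)."""
    if k <= 1:
        return {""}
    return {t + SUBTRACE[(r, m)]
            for r, m in CLASSES if (k - r) % m == 0
            for t in all_traces((k - r) // m)}

def decode(trace):
    """Tr^-1 on a whole trace: every k that can have produced it.
    Walk the trace from its end (the last, least significant step), trying each
    subtrace that matches as a suffix; a parse is a list of (r, m) steps.  The
    recursion stops on a scalar of 0 or 1, so the final quotient q is 0 or 1 and
    k = r0 + m0*(r1 + m1*(... + q)).  A parse is kept only if every intermediate
    scalar is >= 2, since a smaller one would not have executed that step."""
    found = set()

    def walk(rest, steps):
        if not rest:
            for q in (0, 1):
                k = q
                for r, m in reversed(steps):     # innermost step first
                    k = r + m * k
                    if k < 2:
                        break
                else:
                    found.add(k)
            return
        for (r, m), sub in SUBTRACE.items():
            if rest.endswith(sub):
                walk(rest[: -len(sub)], steps + [(r, m)])

    walk(trace, [])
    return found

def recover(traces):
    """Full key recovery: intersect the candidate sets of several traces of one scalar."""
    cands = None
    for t in traces:
        cands = decode(t) if cands is None else cands & decode(t)
    return cands

if __name__ == "__main__":
    # The two toy traces of slides 16-25, with the subtrace boundaries removed.
    t1 = "DDADD" + "D" + "DDA" + "D" + "DD"
    t2 = "DDDAD" + "D" + "D" + "DDAD" + "DD"
    print("T1 candidates:", sorted(decode(t1)))
    print("T1 and T2:", sorted(recover([t1, t2])))        # still contains 248 and 1272
    print("DDDDA alone:", sorted(decode("DDDDA")))         # [3, 5, 11, 13, 15, 17, 19, 21]
    rng = random.Random(2019)
    k = 0xBEEF
    traces = [trace_of(k, rng) for _ in range(6)]
    print("recovered from 6 random traces of", k, ":", sorted(recover(traces)))
```

Two things the run makes visible that the slides only state: a single short trace such as DDDDA already maps back to eight scalars (slide 14's non-injectivity, in miniature), and T1 together with T2 leaves both 248 and 1272, because the quotient left when the recursion stops (0 or 1) is not observable and the parse 4 + 16·1 for the first subtrace is as valid as 4 + 16·0. Each further trace of the same scalar intersects away more candidates, which is the "very few traces" claim of slide 25.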

  26. Outline (next section: A regular and constant-time generalization)
     Covering systems of congruences · Full key recovery · A regular and constant-time generalization · A (virtual) template attack

  27. Mixed-radix number system
     Write k in base (b_1, ..., b_n) (the b_i need not be distinct):
     k = k_1 + b_1(k_2 + b_2(k_3 + ··· + b_n(k_{n+1}) ···))
