distinguishing multiplications from squaring operations
play

Distinguishing Multiplications from Squaring Operations Frederic - PowerPoint PPT Presentation

Apr 23, 2023 •143 likes •400 views

Distinguishing Multiplications from Squaring Operations Frederic Amiel Benoit Feix Michael Tunstall Claire Whelan William P. Marnane Cork May 20, 2008 Michael Tunstall (University of Bristol) May 20, 2008 Cork 1 / 25 Introduction

  1. Distinguishing Multiplications from Squaring Operations Frederic Amiel Benoit Feix Michael Tunstall Claire Whelan William P. Marnane Cork — May 20, 2008 Michael Tunstall (University of Bristol) May 20, 2008 — Cork 1 / 25

  2. Introduction Outline Introduction 1 Side Channel Atomicity The Hamming Weight Differential Power Analysis The Difference in Hamming Weight of Operations 2 The Statistically Expected Difference Demonstrating the Difference Attacking Public Key Algorithms 3 Attacking an Exponentiation Application to Elliptic Curve Cryptography Countermeasures 4 Blinding Resistant Algorithms Conclusion 5 Michael Tunstall (University of Bristol) May 20, 2008 — Cork 2 / 25

  3. Introduction Side Channel Atomicity Side Channel Atomicity A countermeasure against being able to distinguish operations is to make the code that is required to execute them identical (referred to as Side Channel Atomicity (Chevallier-Mames et al., 2004)). The squaring operation x 2 mod n is replaced with x · x mod n to render it indistinguishable from a multiplication x · y mod n using side channel analysis. We present an attack based on the statistically expected Hamming weight of the result of these operations . . . Michael Tunstall (University of Bristol) May 20, 2008 — Cork 3 / 25

  4. Introduction The Hamming Weight The Hamming Weight Looking closely at superposed power consumption traces, small differences can be observed. Where the difference is typically either: ◮ Proportional to the Hamming weight of the data being manipulated (Hamming weight model). ◮ Proportional to the Hamming weight of the data being manipulated XORed with some unknown constant previous state (Hamming distance model). In this work we only consider the the Hamming weight model. ◮ This is the model most commonly used for attacking microprocessor implementations of cryptographic algorithms. ◮ It also applies to some hardware implementations (Amiel et al., 2007). Michael Tunstall (University of Bristol) May 20, 2008 — Cork 4 / 25

  5. Introduction Differential Power Analysis Differential Power Analysis N power consumption traces are acquired while a device is computing a cryptographic algorithm, with known variable messages. A bit b is chosen in some intermediate value, and the value of this bit is predicted for each of the N acquisitions ( w i for 1 ≤ i ≤ N ). The power traces are then divided up into two sets ( S 0 and S 1 ) depending on whether b is equal to zero or one. A differential trace ∆ n is calculated by computing an average power consumption trace for each set, and subtracting the resulting traces from each other, i.e. � w i ∈ S 0 w i � w i ∈ S 1 w i ∆ n = − | S 0 | | S 1 | where all the operations are conducted in a pointwise manner. Michael Tunstall (University of Bristol) May 20, 2008 — Cork 5 / 25

  6. Introduction Differential Power Analysis Differential Power Analysis If b is correctly predicted for each acquisition a difference in the two average will occur where bit b is manipulated. For example, if we predict one bit of the output the first s-box of DES and generate a corresponding differential trace: A difference is visible where the output of the first s-box is generated, and then in four subsequent positions where the nibble conatiaing b is manipulated in the P-permutation. This can be used to confirm hypotheses on six bits of the first subkey used, as if these six bits are not known b cannot be predicted. Michael Tunstall (University of Bristol) May 20, 2008 — Cork 6 / 25

  7. The Difference in Hamming Weight of Operations Outline Introduction 1 Side Channel Atomicity The Hamming Weight Differential Power Analysis The Difference in Hamming Weight of Operations 2 The Statistically Expected Difference Demonstrating the Difference Attacking Public Key Algorithms 3 Attacking an Exponentiation Application to Elliptic Curve Cryptography Countermeasures 4 Blinding Resistant Algorithms Conclusion 5 Michael Tunstall (University of Bristol) May 20, 2008 — Cork 7 / 25

  8. The Difference in Hamming Weight of Operations The Statistically Expected Difference The Statistically Expected Difference Differential Power Analysis relies on correctly predicting a bit b and using this to confirm hypotheses. A similar treatment can be conducted if we consider the statistically expected difference in Hamming weight between the result of two operations. For example, if we compute the expected Hamming weight of multiplication and squaring operations for n -bit words (1 ≤ n ≤ 16), assuming random uniformly distributed inputs. Michael Tunstall (University of Bristol) May 20, 2008 — Cork 8 / 25

  9. The Difference in Hamming Weight of Operations The Statistically Expected Difference The Statistically Expected Difference Why does this occur? The probability of the least significant bit being equal to zero is. 0 1 0 1 Pr(bit = 1) = 1 Pr(bit = 1) = 1 0 0 - 0 0 0 2 4 1 - 1 1 0 1 The probability of the second least significant bit being equal to zero is. 00 01 10 11 00 0 - - - 01 - 0 - - Pr(bit = 1) = 0 10 - - 0 - 11 - - - 0 00 01 10 11 00 0 0 0 0 Pr(bit = 1) = 3 01 0 0 1 1 8 10 0 1 0 1 11 0 1 1 0 Michael Tunstall (University of Bristol) May 20, 2008 — Cork 9 / 25

  10. The Difference in Hamming Weight of Operations The Statistically Expected Difference The Probability of Individual Bits Being Set to One The probability each bit in a 32-bit word produced by a multiplication of two random uniformly distributed 16-bit words. Michael Tunstall (University of Bristol) May 20, 2008 — Cork 10 / 25

  11. The Difference in Hamming Weight of Operations The Statistically Expected Difference The Probability of Individual Bits Being Set to One The probability each bit in a 32-bit word produced by a squaring of two random uniformly distributed 16-bit words. Michael Tunstall (University of Bristol) May 20, 2008 — Cork 11 / 25

  12. The Difference in Hamming Weight of Operations Demonstrating the Difference Demonstrating the Difference The school book multiplication algorithm was implemented on an ARM7 chip (32-bit architecture). Algorithm 1 : Long Integer Multiplication Input : X = ( x z − 1 , . . . , x 1 , x 0 ) b , Y = ( y z − 1 , . . . , y 1 , y 0 ) b Output : W = ( w 2 z − 1 , . . . , w 1 , w 0 ) b = X · Y W ← 0 for i = 0 to z − 1 do c ← 0 for j = 0 to z − 1 do ( uv ) b ← ( w i + j + x j · y i ) + c w i + j ← v ; c ← u end w 2 z − 1 ← v end return W A series of traces were acquired when this implementation was used to compute a multiplication of a squaring operation with random 128-bit inputs. Michael Tunstall (University of Bristol) May 20, 2008 — Cork 12 / 25

  13. The Difference in Hamming Weight of Operations Demonstrating the Difference Demonstrating the Difference The difference trace computed by comparing an average traces acquired during the computation of a multiplication and a squaring operation. The peaks in the difference correspond to the difference in Hamming weight produced when x i · y i is computed when x = y . Michael Tunstall (University of Bristol) May 20, 2008 — Cork 13 / 25

  14. The Difference in Hamming Weight of Operations Demonstrating the Difference Demonstrating the Difference The difference trace computed by comparing an two average traces acquired during the computation of a squaring operation. No peaks in the difference are observed. Michael Tunstall (University of Bristol) May 20, 2008 — Cork 14 / 25

  15. The Difference in Hamming Weight of Operations Demonstrating the Difference Demonstrating the Difference Similar peaks were visible when the same analysis was conducted on an implementation of Montgomery multiplication. Michael Tunstall (University of Bristol) May 20, 2008 — Cork 15 / 25

  16. Attacking Public Key Algorithms Outline Introduction 1 Side Channel Atomicity The Hamming Weight Differential Power Analysis The Difference in Hamming Weight of Operations 2 The Statistically Expected Difference Demonstrating the Difference Attacking Public Key Algorithms 3 Attacking an Exponentiation Application to Elliptic Curve Cryptography Countermeasures 4 Blinding Resistant Algorithms Conclusion 5 Michael Tunstall (University of Bristol) May 20, 2008 — Cork 16 / 25

  17. Attacking Public Key Algorithms Attacking an Exponentiation Attacking an Exponentiation In side channel atomic implementations of a modular exponentiation, computed using the square and multiply algorithm. The difference in Hamming weight of adjacent blocks can be compared as described previously to attack algorithms, such as the square and multiply algorithm. This results an an attack similar to the Big Mac attack (Walter, 2001). Michael Tunstall (University of Bristol) May 20, 2008 — Cork 17 / 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

msb( x ) in O(1) steps using 5 multiplications [M.L. Fredman, D.E. Willard, Surpassing the

msb( x ) in O(1) steps using 5 multiplications [M.L. Fredman, D.E. Willard, Surpassing the

msb( x ) in O(1) steps using 5 multiplications [M.L. Fredman, D.E. Willard, Surpassing the information theoretic bound with fusion trees , Journal of Computer and [ , , p g f f , p System Sciences 47 (3): 424436, 1993] Word size n =

184 views • 16 slides
msb( x ) in O(1) steps using 5 multiplications [M.L. Fredman, D.E. Willard, Surpassing the

msb( x ) in O(1) steps using 5 multiplications [M.L. Fredman, D.E. Willard, Surpassing the

msb( x ) in O(1) steps using 5 multiplications [M.L. Fredman, D.E. Willard, Surpassing the information-theoretic bound with fusion trees , Journal of Computer and System Sciences 47 (3): 424 436, 1993] Word size n = g g , g a power of 2

511 views • 17 slides
Empirically Distinguishing Informative and Prestige Effects of Advertising (Ackerberg, 2001 RAND)

Empirically Distinguishing Informative and Prestige Effects of Advertising (Ackerberg, 2001 RAND)

Introduction Data Model Results Conclusions Empirically Distinguishing Informative and Prestige Effects of Advertising (Ackerberg, 2001 RAND) Panagiotis Adamopoulos Department of Information, Operations and Management Sciences Stern School

776 views • 18 slides
Optimizing multiplications with vector instructions Chitchanok Chuengsatiansup INRIA and ENS de

Optimizing multiplications with vector instructions Chitchanok Chuengsatiansup INRIA and ENS de

Optimizing multiplications with vector instructions Chitchanok Chuengsatiansup INRIA and ENS de Lyon 4 June 2018 Chitchanok Chuengsatiansup Optimizing multiplications with vector instructions 1 Introduction Current position: Postdoc (INRIA

1.32k views • 82 slides
Order of Operations MPM1D: Principles of Mathematics Recap Evaluate (5 2) 4 5 2 .

Order of Operations MPM1D: Principles of Mathematics Recap Evaluate (5 2) 4 5 2 .

n u m e r a c y n u m e r a c y Order of Operations MPM1D: Principles of Mathematics Recap Evaluate (5 2) 4 5 2 . Remember to perform the subtraction and exponentiation before any multiplications. Working with Fractions (5 2)

341 views • 4 slides
Squaring the Circle: How Framedness influences User Behavior around a Seamless Cylindrical

Squaring the Circle: How Framedness influences User Behavior around a Seamless Cylindrical

Squaring the Circle: How Framedness influences User Behavior around a Seamless Cylindrical Display Gilbert Beyer, Florian Kttner, Manuel Schiewe, Ivo Haulsen, Andreas Butz University of Munich and Fraunhofer FOKUS Shaped Displays Digital

640 views • 52 slides
Computer Programming: Skills & Concepts (CP) Arithmetic operations, int , float , double C.

Computer Programming: Skills & Concepts (CP) Arithmetic operations, int , float , double C.

Computer Programming: Skills & Concepts (CP) Arithmetic operations, int , float , double C. Alexandru 26 September 2017 CP Lect 4 slide 1 26 September 2017 Mondays lecture Variables and change-of-state The squaring

368 views • 25 slides
Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand Christophe

Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand Christophe

Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand Christophe NEGRE ( 1 ) , Thomas PLANTARD ( 2 ) and Jean-Marc ROBERT ( 1 ) 1: Team DALI/LIRMM, University of Perpignan, France 2: CCISR, SCIT, (University of

1.25k views • 69 slides
Squaring the sunny circle? On balancing distributive justice of power grid costs and incentives

Squaring the sunny circle? On balancing distributive justice of power grid costs and incentives

Squaring the sunny circle? On balancing distributive justice of power grid costs and incentives for solar prosumers Merla Kubli Zurich University of Applied Sciences & University of St. Gallen, Switzerland 4th of September 2017, European

388 views • 16 slides
SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key Exchange. Hwajeong Seo (Hansung University), Zhe Liu (Nanjing University of Aeronautics and Astronautics), Patrick Longa (Microsoft Research), Zhi

593 views • 36 slides
Double-Base Chains for Scalar Multiplications on Elliptic Curves Wei Yu , Saud Al Musa, and Bao Li

Double-Base Chains for Scalar Multiplications on Elliptic Curves Wei Yu , Saud Al Musa, and Bao Li

Double-Base Chains for Scalar Multiplications on Elliptic Curves Wei Yu , Saud Al Musa, and Bao Li Institute of Information Engineering, Chinese Academy of Sciences yuwei_1_yw@163.com May, 2020 Abstract Introduction Wei Yu , Saud Al Musa, and

741 views • 36 slides
Less Poverty, More Precarity: squaring the circle of Southeast Asian development

Less Poverty, More Precarity: squaring the circle of Southeast Asian development

Less Poverty, More Precarity: squaring the circle of Southeast Asian development #LSESEADevelopment Professor Jonathan Rigg Professor and Chair in Human Geography, University of Bristol. Chair: Professor Hyun Bang Shin Professor of Geography

727 views • 68 slides
Side-Channel Analysis on Blinded Regular Scalar Multiplications Benoit Feix Mylne Roussellet

Side-Channel Analysis on Blinded Regular Scalar Multiplications Benoit Feix Mylne Roussellet

Side-Channel Analysis on Blinded Regular Scalar Multiplications Benoit Feix Mylne Roussellet Alexandre Venelli Thales Communications & Security Target of our paper 2 / 2 / Elliptic Curve Cryptosystems (ECC) implemented on

471 views • 46 slides
SQUARING THE CIRCLE Reporting of Child Abuse in Clinical Settings Isolde Blau , Director of

SQUARING THE CIRCLE Reporting of Child Abuse in Clinical Settings Isolde Blau , Director of

SQUARING THE CIRCLE Reporting of Child Abuse in Clinical Settings Isolde Blau , Director of Counselling LARAGH Counselling Service, NCS, HSE Dublin North 26 th September 2008 Master Class in Psychotherapy for the Irish Council of Psychotherapy

677 views • 55 slides
Minimum Number of Multiplications of U Hash Functions Mridul Nandi Indian Statistical

Minimum Number of Multiplications of U Hash Functions Mridul Nandi Indian Statistical

Minimum Number of Multiplications of U Hash Functions Mridul Nandi Indian Statistical Institute, Kolkata mridul@isical.ac.in March 4, FSE-2014, London Mridul Nandi U hash and Multiplication Authentication: The Popular Story 1 Alice and

1.01k views • 53 slides
The story of squaring the circle M. Laczkovich E otv os University, Budapest Warwick, July

The story of squaring the circle M. Laczkovich E otv os University, Budapest Warwick, July

The story of squaring the circle M. Laczkovich E otv os University, Budapest Warwick, July 13, 2017 Theorem (G. Vitali 1905) There is no translation invariant measure on P ( R ) satisfying ([0 , 1]) = 1 . Theorem (G. Vitali 1905)

1.43k views • 78 slides
October 16 th 2015, Budapest Workshop on Linguistic and Cognitive aspects of Quantification

October 16 th 2015, Budapest Workshop on Linguistic and Cognitive aspects of Quantification

October 16 th 2015, Budapest Workshop on Linguistic and Cognitive aspects of Quantification The semantics and the acquisition of the distributive marker po , which is notorious, (common to Slavic and has very broad distribution); our

1.02k views • 68 slides
Amazon Dynamo distributed key-value storage Michal Oniszczuk October 10, 2012 Michal Oniszczuk

Amazon Dynamo distributed key-value storage Michal Oniszczuk October 10, 2012 Michal Oniszczuk

Introduction Requirements Architecture Implementation Summary Amazon Dynamo distributed key-value storage Michal Oniszczuk October 10, 2012 Michal Oniszczuk Amazon Dynamo Introduction Requirements Motivation Architecture Amazon

408 views • 26 slides
Lost in transaction? Strategies to deal with (in)consistency in distributed systems

Lost in transaction? Strategies to deal with (in)consistency in distributed systems

Lost in transaction? Strategies to deal with (in)consistency in distributed systems @berndruecker Once upon a time: try { tx.begin(); doA(); Do A doB(); tx.commit(); All or + } catch (Exception e) { tx.rollback(); nothing } Do B Or

1.03k views • 76 slides
Not that concurrent! yvind Teig www.teigfam.net/oyvind/home @CPA 2015 fringe

Not that concurrent! yvind Teig www.teigfam.net/oyvind/home @CPA 2015 fringe

Not that concurrent! yvind Teig www.teigfam.net/oyvind/home @CPA 2015 fringe http://www.wotug.org/cpa2015/ ) Autronica Fire and Security AS, Trondheim, Norway. Autronica is a part of UTC Building & Industrial Systems, a unit of United

417 views • 19 slides
Silent Self-Stabilizing Scheme for Spanning-Tree-like Constructions Stphane Devismes 1 Colette

Silent Self-Stabilizing Scheme for Spanning-Tree-like Constructions Stphane Devismes 1 Colette

Silent Self-Stabilizing Scheme for Spanning-Tree-like Constructions Stphane Devismes 1 Colette Johnen 2 David Ilcinkas 2 1 Univ. Grenoble Alpes, VERIMAG, 38000 Grenoble, France 2 CNRS & Univ. Bordeaux, LaBRI, UMR 5800, F-33400 Talence,

1.25k views • 82 slides
Self-Stabilizing Labeling and Ranking in Ordered Trees Ajoy K. Datta 1 ephane Devismes 2 St

Self-Stabilizing Labeling and Ranking in Ordered Trees Ajoy K. Datta 1 ephane Devismes 2 St

Introduction Labeling with Guide Pairs Application: Ranking Conclusion Self-Stabilizing Labeling and Ranking in Ordered Trees Ajoy K. Datta 1 ephane Devismes 2 St Lawrence L. Larmore 1 Yvan Rivierre 2 1 School of Computer Science, University

1k views • 71 slides
Contents Part I Lock-Based Synchronization 1 The Mutual Exclusion Problem . . . . . . . . . . .

Contents Part I Lock-Based Synchronization 1 The Mutual Exclusion Problem . . . . . . . . . . .

Contents Part I Lock-Based Synchronization 1 The Mutual Exclusion Problem . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1 Multiprocess Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1.1 The Concept of a

402 views • 13 slides
Distributed Algorithms for Message-Passing Systems Contents Part I Distributed Graph

Distributed Algorithms for Message-Passing Systems Contents Part I Distributed Graph

Michel Raynal Distributed Algorithms for Message-Passing Systems Contents Part I Distributed Graph Algorithms 1 Basic Definitions and Network Traversal Algorithms . . . . . . . . . 3 1.1 Distributed Algorithms . . . . . . . . . . . . . .

128 views • 12 slides

More recommend