efficient leak resistant modular exponentiation in rns
play

Efficient Leak Resistant Modular Exponentiation in RNS Andrea - PowerPoint PPT Presentation

Oct 15, 2023 •266 likes •708 views

Efficient Leak Resistant Modular Exponentiation in RNS Andrea Lesavourey (1) , Christophe Negre (1) and Thomas Plantard (2) (1) DALI (UPVD) and LIRMM (Univ. of Montpellier, CNRS), Perpignan, France (2) CCISR, SCIT, University of Wollongong,

  1. Efficient Leak Resistant Modular Exponentiation in RNS Andrea Lesavourey (1) , Christophe Negre (1) and Thomas Plantard (2) (1) DALI (UPVD) and LIRMM (Univ. of Montpellier, CNRS), Perpignan, France (2) CCISR, SCIT, University of Wollongong, Wollongong, Australia 24-th Symposium on Computer Arithmetic, London, July 26, 2017 1 / 19

  2. Outline Cryptography 1 RSA cryptosystem Power analysis Montgomery multiplication in RNS Randomized modular exponentiation in RNS 2 Randomized Montgomery multiplication Proposed approach Level of randomization Conclusion 3 2 / 19

  3. Outline Cryptography 1 RSA cryptosystem Power analysis Montgomery multiplication in RNS Randomized modular exponentiation in RNS 2 Randomized Montgomery multiplication Proposed approach Level of randomization Conclusion 3 3 / 19

  4. RSA encryption (Rivest, Shamir and Adleman) Bob chooses p and q two large prime numbers and computes N = pq . He generates E and D two integers such that ED = 1 (mod ( p − 1)( q − 1)). Public Key: N , D . Private Key: E , p , q . Alice encrypts a message m by: c = m D mod N . Bob decrypts c by doing: c E = m ED mod N = m . 4 / 19

  5. An algorithm for modular exponentiation : Right-to-left Square-and-multiply Require: A modulus N , an integer X ∈ [0 , N [ and an exponent E = ( e ℓ − 1 , . . . , e 0 ) 2 Ensure: R = X E (mod N ) ℓ − 1 e i 2 i � 1: R ← 1 X E = X i =0 2: Z ← X 3: for i from 0 to ℓ − 1 do X E = X e ℓ − 1 2 ℓ − 1 ×· · ·× X e 1 2 1 × X e 0 2 0 if e i = 1 then 4: R ← R × Z (mod N ) 5: end if 6: Z ← Z 2 (mod N ) 7: 8: end for 9: return R 5 / 19

  6. Simple power analysis E = ( e ℓ , . . . , e 0 ) 2 and X ∈ [0 , N [ ↑ Square-and-multiply R ← 1 Z ← X for i = 0 to ℓ − 1 do if e i = 1 then mod N R ← R · Z endif Z ← Z 2 mod N endfor return ( R ) 6 / 19

  7. Simple power analysis E = ( e ℓ , . . . , e 0 ) 2 and X ∈ [0 , N [ ↑ Square-and-multiply-always Square-and-multiply Montgomery-ladder R 0 ← 1 R ← 1 R ← 1 R 1 ← 1 Z ← X R ′ ← X Z ← X for i = 0 to ℓ − 1 do for i = ℓ to 1 do for i = 0 to ℓ − 1 do if e i = 1 then if k i = 1 then if e i = 0 then mod N R ← R · Z R ← R · R ′ mod N R 0 ← R 0 · Z mod N endif R ′ ← R ′ 2 else mod N Z ← Z 2 mod N R 1 ← R 1 · Z mod N else endfor endif R ′ ← R · R ′ mod N return ( R ) endfor R ← R 2 Z ← Z 2 mod N endif return ( R 1 ) endfor return ( R ) ↓ ↓ 6 / 19

  8. Differential power analysis m loop 1 loop 2 loop 3 loop 4 loop 5 e 1 = 1 e 2 = 0 e 3 = 1 e 4 = 0 e 5 =?? 7 / 19

  9. Differential power analysis m loop 1 loop 2 loop 3 loop 4 loop 5 e 1 = 1 e 2 = 0 e 3 = 1 e 4 = 0 e 5 =?? 0 r 5 r 1 r 2 r 3 r 4 r ′ 1 5 7 / 19

  10. Differential power analysis m loop 1 loop 2 loop 3 loop 4 loop 5 e 1 = 1 e 2 = 0 e 3 = 1 e 4 = 0 e 5 =?? 0 r 5 r 1 r 2 r 3 r 4 r ′ 1 5 trace 1 trace 2 trace 3 . . . . . . . . . . . . trace L 7 / 19

  11. Differential power analysis m loop 1 loop 2 loop 3 loop 4 loop 5 e 1 = 1 e 2 = 0 e 3 = 1 e 4 = 0 e 5 =?? 0 r 5 r 1 r 2 r 3 r 4 r ′ 1 5 trace 1 Differentials: trace 2 correct guess trace 3 . . . . . wrong guess . . . . . . . trace L 7 / 19

  12. Differential power analysis m loop 1 loop 2 loop 3 loop 4 loop 5 e 1 = 1 e 2 = 0 e 3 = 1 e 4 = 0 e 5 =?? 0 r 5 r 1 r 2 r 3 r 4 r ′ 1 5 trace 1 Differentials: trace 2 correct guess trace 3 . . . . . wrong guess . . . . . . . trace L Counter-measure: Randomization of the exponent and data. 7 / 19

  13. Montgomery multiplication Basic modular multiplication. For X , Y ∈ [0 , N [ Product. Z ← X × Y 1 Reduction. Q ← ⌊ Z / N ⌋ and R ← Z − Q × N 2 8 / 19

  14. Montgomery multiplication Basic modular multiplication. For X , Y ∈ [0 , N [ Product. Z ← X × Y 1 Reduction. Q ← ⌊ Z / N ⌋ and R ← Z − Q × N 2 X Montgomery Multiplication × Y Require: X , Y ∈ [0 , N [ and A = 2 n > N Z 1 Z 0 Ensure: R = X × Y × A − 1 (mod N ) 1: Z ← X × Y 2: Q ← N − 1 × Z (mod A ) 3: R ← ( Z − Q × N ) / A

  15. Montgomery multiplication Basic modular multiplication. For X , Y ∈ [0 , N [ Product. Z ← X × Y 1 Reduction. Q ← ⌊ Z / N ⌋ and R ← Z − Q × N 2 X Montgomery Multiplication × Y Require: X , Y ∈ [0 , N [ and A = 2 n > N Z 1 Z 0 Ensure: R = X × Y × A − 1 (mod N ) − ∗ = Q × N Z 0 1: Z ← X × Y 2: Q ← N − 1 × Z (mod A ) 3: R ← ( Z − Q × N ) / A 8 / 19

  16. Montgomery multiplication Basic modular multiplication. For X , Y ∈ [0 , N [ Product. Z ← X × Y 1 Reduction. Q ← ⌊ Z / N ⌋ and R ← Z − Q × N 2 X Montgomery Multiplication × Y Require: X , Y ∈ [0 , N [ and A = 2 n > N Z 1 Z 0 Ensure: R = X × Y × A − 1 (mod N ) − ∗ = Q × N Z 0 1: Z ← X × Y 2: Q ← N − 1 × Z (mod A ) R 0 3: R ← ( Z − Q × N ) / A × 2 − n R 8 / 19

  17. Montgomery multiplication Basic modular multiplication. For X , Y ∈ [0 , N [ Product. Z ← X × Y 1 Reduction. Q ← ⌊ Z / N ⌋ and R ← Z − Q × N 2 X Montgomery Multiplication × Y Require: X , Y ∈ [0 , N [ and A = 2 n > N Z 1 Z 0 Ensure: R = X × Y × A − 1 (mod N ) − ∗ = Q × N Z 0 1: Z ← X × Y 2: Q ← N − 1 × Z (mod A ) R 0 3: R ← ( Z − Q × N ) / A × 2 − n R Montgomery representation. � X = XA mod N provides 1 Y ) = ( XA ) × ( YA ) × A − 1 mod N = XYA mod N MontMul ( � X , � 2 8 / 19

  18. Montgomery multiplication in residue number system Let A = { a 1 , . . . , a t } be a set t co-prime integers. 9 / 19

  19. Montgomery multiplication in residue number system Let A = { a 1 , . . . , a t } be a set t co-prime integers. An integer X such that 0 ≤ X < A = � t i =1 a i is represented by [ X ] A = ( x 1 = X mod a 1 , . . . , x t = X mod a t ) . 9 / 19

  20. Montgomery multiplication in residue number system Let A = { a 1 , . . . , a t } be a set t co-prime integers. An integer X such that 0 ≤ X < A = � t i =1 a i is represented by [ X ] A = ( x 1 = X mod a 1 , . . . , x t = X mod a t ) . The Chinese remainder theorem tell us that for op ∈ { + , ×} [ X ] A op [ Y ] A = ([ x 1 op y 1 ] a 1 , . . . , [ x t op y t ] a t ) ⇔ X op Y mod A 9 / 19

  21. Montgomery multiplication in residue number system Let A = { a 1 , . . . , a t } be a set t co-prime integers. An integer X such that 0 ≤ X < A = � t i =1 a i is represented by [ X ] A = ( x 1 = X mod a 1 , . . . , x t = X mod a t ) . The Chinese remainder theorem tell us that for op ∈ { + , ×} [ X ] A op [ Y ] A = ([ x 1 op y 1 ] a 1 , . . . , [ x t op y t ] a t ) ⇔ X op Y mod A Montgomery Multiplication in RNS Require: X , Y in A ∪ B Ensure: XYA − 1 mod N in A ∪ B 1: [ Q ] A ← [ XYN − 1 ] A 3: [ Z ] B ← [( XY − QN ) A − 1 ] B 5: return ( Z A∪B ) 9 / 19

  22. Montgomery multiplication in residue number system Let A = { a 1 , . . . , a t } be a set t co-prime integers. An integer X such that 0 ≤ X < A = � t i =1 a i is represented by [ X ] A = ( x 1 = X mod a 1 , . . . , x t = X mod a t ) . The Chinese remainder theorem tell us that for op ∈ { + , ×} [ X ] A op [ Y ] A = ([ x 1 op y 1 ] a 1 , . . . , [ x t op y t ] a t ) ⇔ X op Y mod A Montgomery Multiplication in RNS Require: X , Y in A ∪ B Ensure: XYA − 1 mod N in A ∪ B 1: [ Q ] A ← [ XYN − 1 ] A 2: [ Q ] B ← BE A→B ([ Q ] A ) 3: [ Z ] B ← [( XY − QN ) A − 1 ] B 4: [ Z ] A ← BE B→A ([ Z ] B ) 5: return ( Z A∪B ) 9 / 19

  23. Outline Cryptography 1 RSA cryptosystem Power analysis Montgomery multiplication in RNS Randomized modular exponentiation in RNS 2 Randomized Montgomery multiplication Proposed approach Level of randomization Conclusion 3 10 / 19

  24. Randomization in RNS (LRA CHES 2004) We have � X old = [ XA old ] A old ∪B old we permute the basis elements A old ∪ B old → A new ∪ B new A B a 1 b 1 a 2 b t − 1 a t − 1 a t b t this leads to a new representation of X � X new = [ XA new ] A new ∪B new Cost Two Montgomery multiplications : mod N → XA old A new mod N → XA new mod N . XA old 11 / 19

  25. Randomized square-and-multiply-always Input: N , X ∈ [0 , N [ , E = ( e ℓ − 1 , . . . , e 0 ) 2 and M = { m 1 , . . . , m 2 t } . Output: X E mod N Square-and-mult-always A , B ← random split M Z ← [ � � X ] A∪B , � 1] A∪B , � R 0 ← [ � R 1 ← [ � 1] A∪B for i from 0 to ℓ − 1 do R e i ← MM RNS( � � R e i , � Z , A , B ) Z ← MM RNS( � � Z , � Z , A , B ) end for � return R 1 12 / 19

  26. Randomized square-and-multiply-always Input: N , X ∈ [0 , N [ , E = ( e ℓ − 1 , . . . , e 0 ) 2 and M = { m 1 , . . . , m 2 t } . Output: X E mod N Randomized Square-and-mult-always A , B ← random split M Z ← [ � � X ] A∪B , R 0 ← [ � � 1] A∪B , � R 1 ← [ � 1] A∪B for i from 0 to ℓ − 1 do R e i ← MM RNS( � � R e i , � Z , A , B ) Z ← MM RNS( � � Z , � Z , A , B ) Randomise( A old , B old , A , B ) Z ← Update( � � Z , A old , B old , A , B ) R 0 ← Update( � � R 0 , A old , B old , A , B ) R 1 ← Update( � � R 1 , A old , B old , A , B ) end for � return R 1 12 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand Christophe

Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand Christophe

Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand Christophe NEGRE ( 1 ) , Thomas PLANTARD ( 2 ) and Jean-Marc ROBERT ( 1 ) 1: Team DALI/LIRMM, University of Perpignan, France 2: CCISR, SCIT, (University of

1.25k views • 69 slides
Numb3rs 11 2 10 3 Modular Exponentiation 9 4 8 5 7 6 Story So Far Quotient and

Numb3rs 11 2 10 3 Modular Exponentiation 9 4 8 5 7 6 Story So Far Quotient and

0 12 1 Numb3rs 11 2 10 3 Modular Exponentiation 9 4 8 5 7 6 Story So Far Quotient and Remainder, GCD, Euclid s algorithm, L(a,b) { au + bv | u,v Z } = { n gcd(a,b) | n Z } Primes, Fundamental Theorem of

272 views • 14 slides
SPA resistant Exponentiation based on Bruns GCD algorithm Val erie Berth e , Thomas

SPA resistant Exponentiation based on Bruns GCD algorithm Val erie Berth e , Thomas

SPA resistant Exponentiation based on Bruns GCD algorithm Val erie Berth e , Thomas Plantard Paris Diderot Universit e, University of Wollongong http://www.uow.edu.au/ thomaspl thomaspl@uow.edu.au 2019 Berthe, Plantard (IRIF,

1.16k views • 69 slides
THE MILLERRABIN PRIMALITY TEST 1. Fast Modular Exponentiation Given positive integers a , e ,

THE MILLERRABIN PRIMALITY TEST 1. Fast Modular Exponentiation Given positive integers a , e ,

THE MILLERRABIN PRIMALITY TEST 1. Fast Modular Exponentiation Given positive integers a , e , and n , the following algorithm quickly computes the reduced power a e % n . ( Initialize ) Set ( x, y, f ) = (1 , a, e ). ( Loop ) While f &gt;

175 views • 5 slides
Modular Exponentiation In the browser !? P.h.D. semester project, 2017. Supervised by Bryan Ford

Modular Exponentiation In the browser !? P.h.D. semester project, 2017. Supervised by Bryan Ford

Modular Exponentiation In the browser !? P.h.D. semester project, 2017. Supervised by Bryan Ford (DEDIS) and Thomas Hofer (DGSI). 1 Background The digital world takes an overwhelming part in our daily life. Voting is still paper-based and

215 views • 19 slides
Efficient Modular SAT Solving for IC3 Sam Bayless , Celina G. Val , Thomas Ball ,

Efficient Modular SAT Solving for IC3 Sam Bayless , Celina G. Val , Thomas Ball ,

Efficient Modular SAT Solving for IC3 Sam Bayless , Celina G. Val , Thomas Ball , Holger H. Hoos , Alan J. Hu University of British Columbia Microsoft Research Sam Bayless (UBC) Efficient Modular SAT Solving for IC3

505 views • 31 slides
www.thomas-leak-detection.com Leak Detection Class I Presentation EN 2014-02-19 Part1.docx ABOUT

www.thomas-leak-detection.com Leak Detection Class I Presentation EN 2014-02-19 Part1.docx ABOUT

Class I Leak Detection Systems - Highest level of monitoring and prevention of double walled tanks and pipes, according EU Standard EN 13160-2 Advantages Working Principle Product Overview www.thomas-leak-detection.com Leak

206 views • 16 slides
Efficient and secure modular operations using the Polynomial Modular Number System (Part 1)

Efficient and secure modular operations using the Polynomial Modular Number System (Part 1)

The Polynomial modular number system (PMNS) Randomisation with the PMNS Internal randomisation using the Montgomery-like method Efficient and secure modular operations using the Polynomial Modular Number System (Part 1) ephane Didier 1 , Fangan

757 views • 26 slides
&amp; Mobility DEVELOPMENT OF AN EFFICIENT, LEAK PROOF PLENUM SEAL FOR THE M1 ABRAMS ENGINE INLET

&amp; Mobility DEVELOPMENT OF AN EFFICIENT, LEAK PROOF PLENUM SEAL FOR THE M1 ABRAMS ENGINE INLET

Power &amp; Mobility DEVELOPMENT OF AN EFFICIENT, LEAK PROOF PLENUM SEAL FOR THE M1 ABRAMS ENGINE INLET Steve Tarnowski Steve Pennala Great Lakes Sound and Vibration Inc. 8/21/2018 DISTRIBUTION STATEMENT A. Approved for public release;

284 views • 13 slides
a (mod m ) b is congruent to modulo a m b mod mod a m b m

a (mod m ) b is congruent to modulo a m b mod mod a m b m

Number Theory and its Applications Modular Exponentiation Euclidean Algorithm for GCD Solving Linear Congruences Chinese Remainder Theorem and Application to Arithmetic with large numbers Covered in Sections 3.6 and 3.7 Based

489 views • 19 slides
ON ABJM BDS EXPONENTIATION Matias Leoni Universidad de Buenos Aires &amp; CONICET In

ON ABJM BDS EXPONENTIATION Matias Leoni Universidad de Buenos Aires &amp; CONICET In

ON ABJM BDS EXPONENTIATION Matias Leoni Universidad de Buenos Aires &amp; CONICET In collaboration with Marco S. Bianchi arXiv:1403.3398 N=4 SYM Exponentiation Consider color ordered MHV 4p amplitude in We define the ratio

415 views • 29 slides
Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo,

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo,

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo, Amira Barki, Solenn Brunet and Jacques Traor 1st Workshop on Advances in Secure Electronic Voting Schemes VOTING16 February 26th, 2016

532 views • 23 slides
Soil Gas Sampling with a Helium Leak Detection Shroud Bruce Godfrey &amp; Stefan DAngona

Soil Gas Sampling with a Helium Leak Detection Shroud Bruce Godfrey &amp; Stefan DAngona

Soil Gas Sampling with a Helium Leak Detection Shroud Bruce Godfrey &amp; Stefan DAngona Introduction a. Leak Detection Options b. Helium Leak Detection c. Leak Tracer System Design d. Use and experience Why Leak Check? Proof of Sample

569 views • 16 slides
Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical

Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical

Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical development Leak detection system requirements Causes of leaks Leak detection options Non-continuous leak detection Continuous external leak detection

806 views • 49 slides
EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick

EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick

Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick Seurin 2 1 University of Versailles, France 2 ANSSI, France

980 views • 70 slides
Direct Hydrocarbon Leak Detections based on Nanocomposite Sensors Private and Confidential

Direct Hydrocarbon Leak Detections based on Nanocomposite Sensors Private and Confidential

November 2017 Direct Hydrocarbon Leak Detections based on Nanocomposite Sensors Private and Confidential Contents Needs for Leak Detection Sensors Review of Leak Detection Systems Husky Leak N. Battleford, SK; July 2016 Platform

635 views • 24 slides
Improving MD to Nurse Communication Systems Based Project Vertical Team: Janelle Fauci MD,

Improving MD to Nurse Communication Systems Based Project Vertical Team: Janelle Fauci MD,

Improving MD to Nurse Communication Systems Based Project Vertical Team: Janelle Fauci MD, Lindsay Frederick MD, Michael Polin MD, Jovana Martin MD Faculty Mentor: Joseph Biggio MD Why is this important? Essential part of providing

309 views • 9 slides
FOR RELIABLE POWER AEMOS REQUEST TO ENHANCE THE RELIABILITY &amp; EMERGENCY RESERVE TRADER

FOR RELIABLE POWER AEMOS REQUEST TO ENHANCE THE RELIABILITY &amp; EMERGENCY RESERVE TRADER

WORKING ON A STRATEGIC RESERVE FOR RELIABLE POWER AEMOS REQUEST TO ENHANCE THE RELIABILITY &amp; EMERGENCY RESERVE TRADER STAKEHOLDER FORUM 12 NOVEMBER 2018 Agenda 1. Welcome and agenda 2. Background and context 3. Appropriateness of

838 views • 63 slides
Engineering Technologies &amp; Developments PEER REVIEW of UKRAINIAN NPPs PROBABILISTIC RISK

Engineering Technologies &amp; Developments PEER REVIEW of UKRAINIAN NPPs PROBABILISTIC RISK

Engineering Technologies &amp; Developments PEER REVIEW of UKRAINIAN NPPs PROBABILISTIC RISK ASSESSMENT PROJECTS L. Sagidullin, D. Goma. The Sixth International Information Exchange Forum on Safety Analysis for Nuclear Power Plants of VVER

360 views • 32 slides
Review of the O 3 NAAQS: Schedule and Preview of the REA and PA Presentation to CASAC O 3 Panel

Review of the O 3 NAAQS: Schedule and Preview of the REA and PA Presentation to CASAC O 3 Panel

Review of the O 3 NAAQS: Schedule and Preview of the REA and PA Presentation to CASAC O 3 Panel 1/09/2012 Anticipated Schedule Stage of review Major milestones Schedule 1 st Draft ISA : Document released for CASAC and public review Mar 2011

363 views • 11 slides
New model structures on simplicial sets Matt Feller University of Virginia CT 2019 Edinburgh

New model structures on simplicial sets Matt Feller University of Virginia CT 2019 Edinburgh

New model structures on simplicial sets Matt Feller University of Virginia CT 2019 Edinburgh Outline 1 Background 2 Cisinskis Theory 3 New Stuff Category Theory in Simplicial Sets 0-simplices: Category Theory in Simplicial Sets

1.19k views • 95 slides
GGI Lectures on the arXiv:0910.2254v1 [hep-th] 13 Oct 2009 Pure Spinor Formalism of the

GGI Lectures on the arXiv:0910.2254v1 [hep-th] 13 Oct 2009 Pure Spinor Formalism of the

GGI Lectures on the arXiv:0910.2254v1 [hep-th] 13 Oct 2009 Pure Spinor Formalism of the Superstring Oscar A. Bedoya a 1 and Nathan Berkovits b 2 a Instituto de F sica, Universidade de S ao Paulo 05315-970, S ao Paulo, SP, Brasil b

251 views • 23 slides
Welcome to the Health Workforce Council Meeting! Before we begin our session, here are a few

Welcome to the Health Workforce Council Meeting! Before we begin our session, here are a few

Welcome to the Health Workforce Council Meeting! Before we begin our session, here are a few suggestions for participants: Please test your audio and then MUTE yourself . Council Members are encouraged to use audio and video. Welcome!

502 views • 25 slides
Hit disambiguation with SpacePointSolver Robert Sulej (FNAL/NCBJ) Motivation: FD hit

Hit disambiguation with SpacePointSolver Robert Sulej (FNAL/NCBJ) Motivation: FD hit

Hit disambiguation with SpacePointSolver Robert Sulej (FNAL/NCBJ) Motivation: FD hit disambiguation takes significant CPU time in ProtoDUNE events It is also source of inefficiency for 2D clustering and 3D tracking high cosmic

440 views • 10 slides

More recommend