
Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand

Christophe NEGRE(1), Thomas PLANTARD(2) and Jean-Marc ROBERT(1)

1: Team DALI/LIRMM, University of Perpignan, France
2: CCISR, SCIT, (University of Wollongong), Australia

Arith22 2015, Lyon, the 22-24th of June 2015

  • C. Nègre, T. Plantard and J.-M. Robert

1 / 37

Table of Content

1. Problematic
   RSA Protocol
   The Modular Exponentiation
   Simple Power Analysis, Counter-measure
2. Modular Multiplication
   Montgomery Modular Multiplication
   Our Objective
3. Contributions
   A · B, A · C
   A · B0, A · B1, . . . , A · Bℓ
   Application to SPA Protected Modular Exponentiations
   Experimental Results
4. Conclusion

1. Problematic: RSA Protocol

RSA Protocol (Rivest, Shamir and Adleman):

Alice generates the keys. She:
  • Chooses two distinct prime numbers p and q;
  • Computes N = pq;
  • Computes φ(N) = φ(p)φ(q) = (p − 1)(q − 1) = N − (p + q − 1);
  • Chooses an integer e such that 1 < e < φ(N) and gcd(e, φ(N)) = 1;
  • Solves for d given d · e ≡ 1 mod φ(N).

→ e is released as the public key exponent,
→ d is kept as the private key exponent.

RSA Protocol (2)

→ Bob encrypts using Alice's public key e: C = M^e mod N
→ Alice decrypts Bob's message using her secret key d:
   C^d mod N = (M^e)^d mod N = M^{e·d} mod N = M^{e·d mod φ(N)} mod N = M^1 mod N = M
→ The main operation is the Modular Exponentiation.

1. Problematic: The Modular Exponentiation

Square-and-multiply

We consider an RSA modulus N such that N < 2^{wn}.

Square-and-multiply
Require: N the RSA modulus, g and e = (e_{k−1}, . . . , e_0)_2 integers ∈ [0, . . . , N[, with e_{k−1} = 1.
Ensure: X = g^e mod N

Left-to-right
  X ← g
  for i = k − 2 downto 0 do
    X ← X^2 mod N
    if e_i = 1 then X ← X · g mod N
  return (X = g^e)

Right-to-left
  X ← 1
  for i = 0 to k − 1 do
    if e_i = 1 then X ← X · g mod N
    g ← g^2 mod N
  return (X = g^e)

1. Problematic: Simple Power Analysis, Counter-measure

Simple Power Analysis

RSA Left-to-right Square-and-multiply
Require: N the RSA modulus, g and e = (e_{k−1}, . . . , e_0)_2 integers ∈ [0, . . . , N[, with e_{k−1} = 1.
Ensure: X = g^e mod N
  X ← g
  for i = k − 2 downto 0 do
    X ← X^2 mod N                        → A squaring corresponds to a low crenel
    if e_i = 1 then X ← X · g mod N      → A multiplication corresponds to a high crenel
  return (X = g^e)

→ Vulnerable: the sequence of operations leaks the secret scalar (no regularity).

Montgomery Binary Ladder

Montgomery
Require: e = (e_{t−1}, . . . , e_1, e_0) with e_{t−1} = 1, g ∈ Z/NZ
Ensure: X = g^e mod N
  X_0 ← g, X_1 ← g^2 mod N
  for i from t − 2 downto 0 do
    if (e_i = 0) then
      X_1 ← X_0 · X_1 mod N, X_0 ← X_0^2 mod N
    else
      X_0 ← X_0 · X_1 mod N, X_1 ← X_1^2 mod N
  return (X_0)

Basic Montgomery's Ladder Modular Exponentiation
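The left-to-right square-and-multiply and the ladder above, as an added example (not the authors' code) that records the sequence of modular operations each algorithm executes; the modulus, base and exponents are constructed values.

```python
# Added example: square-and-multiply next to the Montgomery binary ladder, each
# returning its result together with the trace of squarings (S) and
# multiplications (M) it performed. The traces show why the ladder is the SPA
# counter-measure: its per-bit operation pattern does not depend on the bit.

def bits_msb_first(e):
    """Binary digits (e_{k-1}, ..., e_0) of e >= 1, so that e_{k-1} = 1."""
    return [int(b) for b in bin(e)[2:]]

def square_and_multiply_ltr(g, e, N):
    """Left-to-right square-and-multiply. Returns (g^e mod N, trace)."""
    bits = bits_msb_first(e)
    X = g % N
    trace = []
    for ei in bits[1:]:                      # i = k-2 downto 0
        X = X * X % N
        trace.append("S")
        if ei == 1:                          # conditional multiply: bit-dependent
            X = X * g % N
            trace.append("M")
    return X, trace

def montgomery_ladder(g, e, N):
    """Montgomery binary ladder. The invariant X1 = X0 * g holds throughout, and
    every bit costs exactly one multiplication followed by one squaring."""
    bits = bits_msb_first(e)
    X0, X1 = g % N, g * g % N
    trace = []
    for ei in bits[1:]:                      # i = t-2 downto 0
        if ei == 0:
            X1 = X0 * X1 % N
            X0 = X0 * X0 % N
        else:
            X0 = X0 * X1 % N
            X1 = X1 * X1 % N
        trace.append("M")
        trace.append("S")
    return X0, trace

def trace_depends_on_exponent(algorithm, g, e1, e2, N):
    """Run `algorithm` on two exponents of equal bit length and report whether
    the observable operation sequence differs. A regular algorithm gives False."""
    assert e1.bit_length() == e2.bit_length()
    _, trace1 = algorithm(g, e1, N)
    _, trace2 = algorithm(g, e2, N)
    return trace1 != trace2

# Constructed demonstration values (N = 1009 * 3001 is an RSA-like modulus).
DEMO_N = 1009 * 3001
DEMO_G = 12345

if __name__ == "__main__":
    for e in (0b1011001, 0b1000001):
        print(e, square_and_multiply_ltr(DEMO_G, e, DEMO_N)[1])
        print(e, montgomery_ladder(DEMO_G, e, DEMO_N)[1])
```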

Regular Exponentiation Algorithms

Joye and Tunstall suggested a 2^t-ary recoding without zero digits:

Unsigned-Digit Recoding Algorithm
Require: e ≥ 1, m = 2^t, ℓ the m-ary length of e and N the RSA modulus
Ensure: e = (e_{ℓ−1}, . . . , e_0) with e_i ∈ {1, . . . , m}, 1 ≤ i ≤ ℓ − 2
  s ← (1, 1, . . . , 1)_m
  e′ ← e − s mod N
  for i = 0 to ℓ − 2 do
    d ← e′ mod m
    e′ ← ⌊e′/m⌋
    e_i ← d + 1

Example with t = 4, m = 10 (base 10); the zero digits of e are the ones to eliminate:
  e             =  1 9 7 5 0 4 0 2 3
  s             =  1 1 1 1 1 1 1 1 1
  e′ ← e − s mod N  =  0 8 6 3 9 2 9 1 2

Then, the addition without carry leads to the 0-less recoding:
  e′ mod N      =  0 8 6 3 9 2 9 1 2
  s             =  1 1 1 1 1 1 1 1 1
  recoding      =  1 9 7 4 10 3 10 2 3

Regular 2^t-ary Square-and-multiply
Require: g, Joye-Tunstall recoding of e = (e_{k−1}, . . . , e_0) < N
Ensure: X = g^e mod N

Left-to-right
  Y_1 ← g
  for i = 2 to 2^t do
    Y_i ← Y_{i−1} · g mod N
  X ← Y_{e_{k−1}}
  for i = k − 2 downto 0 do
    X ← X^{2^t} mod N
    X ← X · Y_{e_i} mod N
  return (X = g^e)

Right-to-left
  X ← g, Y_i ← 1, i ∈ {1, . . . , 2^t}
  for i = 0 to k − 1 do
    Y_{e_i} ← Y_{e_i} · X mod N
    X ← X^{2^t} mod N
  // Final reconstruction
  X ← Y_{2^t}
  for i = 2^t − 1 downto 1 do
    Y_i ← Y_i · Y_{i+1} mod N
    X ← X · Y_i mod N
  return (X = g^e)
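The Joye-Tunstall recoding and both regular 2^t-ary exponentiations above, as an added example (not the authors' code) checked against Python's pow(); the modulus and base are constructed, and the handling of e < (1, . . . , 1)_m by shortening the string of ones is my assumption, not something the slides state.

```python
# Added example: zero-less recoding, then the left-to-right and right-to-left
# regular 2^t-ary exponentiations that consume it. With m = 10 the recoding
# reproduces the slide's worked example 197504023 -> 1 9 7 4 10 3 10 2 3.

def m_ary_length(e, m):
    """Number of base-m digits of e >= 1."""
    length = 0
    while e > 0:
        e //= m
        length += 1
    return length

def recode(e, m):
    """Joye-Tunstall unsigned-digit recoding of e >= 1 in base m.
    Returns (e_{l-1}, ..., e_0), most significant first, every digit in {1..m}."""
    assert e >= 1 and m >= 2
    length = m_ary_length(e, m)
    s = (m ** length - 1) // (m - 1)      # s = (1, 1, ..., 1)_m with `length` ones
    if e < s:                             # assumption: one fewer '1' keeps all digits >= 1
        length -= 1
        s = (m ** length - 1) // (m - 1)
    e_prime = e - s                       # plain integer subtraction, 0 <= e' < m^length
    digits = []
    for _ in range(length):               # last round yields the top digit (remainder + 1)
        d = e_prime % m
        e_prime //= m
        digits.append(d + 1)              # digit-wise addition of s without carry
    assert e_prime == 0
    return digits[::-1]

def regular_ltr(g, e, t, N):
    """Left-to-right regular 2^t-ary exponentiation: each digit costs exactly
    t squarings and one multiplication by a table entry Y_i = g^i."""
    m = 1 << t
    digits = recode(e, m)
    Y = [None, g % N]                     # Y_1 = g
    for _ in range(2, m + 1):
        Y.append(Y[-1] * g % N)           # Y_i = Y_{i-1} * g
    X = Y[digits[0]]                      # X = Y_{e_{k-1}}
    for ei in digits[1:]:
        for _ in range(t):
            X = X * X % N                 # X = X^(2^t)
        X = X * Y[ei] % N
    return X

def regular_rtl(g, e, t, N):
    """Right-to-left variant: accumulate g^(2^(t i)) into bucket Y_{e_i}, then
    reconstruct prod_i Y_i^i with the slide's final loop."""
    m = 1 << t
    digits = recode(e, m)[::-1]           # e_0 first
    X = g % N
    Y = [None] + [1] * m                  # Y_1 .. Y_m = 1
    for ei in digits:
        Y[ei] = Y[ei] * X % N
        for _ in range(t):
            X = X * X % N
    X = Y[m]                              # final reconstruction
    for i in range(m - 1, 0, -1):
        Y[i] = Y[i] * Y[i + 1] % N
        X = X * Y[i] % N
    return X

# Constructed demonstration values.
DEMO_N = 1009 * 3001
DEMO_G = 12345

if __name__ == "__main__":
    print(recode(197504023, 10))
    print(regular_ltr(DEMO_G, 197504023, 4, DEMO_N) == pow(DEMO_G, 197504023, DEMO_N))
```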

2. Modular Multiplication: Montgomery Modular Multiplication

Montgomery Modular Multiplication

Let A and B in [0, N[. Let us set C = A × B, C < N^2.

Montgomery reduction of C = A × B: one sets Q ← A × B × (−N^{−1}) mod 2^{wn}, then the division Y ← (A × B + Q × N)/2^{wn} is exact.
Y satisfies Y = A × B × 2^{−wn} mod N and Y < 2N.

Montgomery representation: Ā = A × 2^{wn} mod N.
  Ā × B̄ × 2^{−wn} mod N = (AB) × 2^{wn} mod N

SmallRed: One Word Reduction

[Figure: the operand X of n′ words of w bits; its low word is cleared by adding a multiple of N, then a one-word right shift is applied.]

  X ← X + [x_0 · (−N^{−1} mod 2^w) mod 2^w] · N
  X ← X/2^w, which is < X/2^w + N

SmallRed (one word)
Require: A modulus N < 2^{wn−2} and a positive integer X = (x_{n′−1}, . . . , x_0)_{2^w} of n′ words and N′ = (−N^{−1}) mod 2^w
Ensure: Y = X · 2^{−w} mod N with Y < X/2^w + N
  q ← x_0 · N′ mod 2^w
  Y ← (X + q · N)/2^w
  return Y

Block Montgomery Multiplication

  A · B · R^{−1} mod N = (Σ_{j=0}^{n−1} b_j 2^{wj}) · A · 2^{−wn} mod N

The product is accumulated one word of B at a time, with one SmallRed after each word:
  A · b_0 · 2^{−w}                                    (SmallRed)
  (A · b_0 · 2^{−w} + A · b_1) · 2^{−w}               (SmallRed)
  . . .
  (Σ_{j=0}^{n−1} b_j 2^{wj}) · A · 2^{−wn}             (SmallRed)

Block Montgomery Multiplication Complexity:

  Operation            # word-multiplications    # word additions
  A·B·R^{−1} mod N     2n^2 + n                  4n^2 + 2n − 1
  A^2·R^{−1} mod N     (3/2)n^2 + (5/2)n − 1     3n^2 + 5n − 1
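SmallRed and the word-by-word block Montgomery multiplication above, as an added example (not the authors' implementation) on Python big integers; the word size w = 8, n = 3, the modulus and the operands are constructed so the numbers stay small.

```python
# Added example: one-word Montgomery reduction (SmallRed), the block Montgomery
# multiplication built from n of them, and the conversions to and from Montgomery
# representation that slide "Montgomery Modular Multiplication" describes.

W = 8                                       # word size w (constructed, small for readability)
n = 3                                       # number of w-bit words
N = 1009 * 3001                             # constructed odd modulus, N < 2^(wn-2)
MASK = (1 << W) - 1
N_PRIME = (-pow(N, -1, 1 << W)) & MASK      # N' = (-N^-1) mod 2^w

def small_red(X, N=N, N_prime=N_PRIME):
    """Y = X * 2^-w mod N with Y < X/2^w + N (SmallRed)."""
    q = (X & MASK) * N_prime & MASK         # q <- x_0 * N' mod 2^w
    return (X + q * N) >> W                 # exact: the low word of X + qN is zero

def words(B, n=n):
    """(b_0, ..., b_{n-1}): the w-bit words of B < 2^(wn), least significant first."""
    return [(B >> (W * j)) & MASK for j in range(n)]

def block_mont_mul(A, B, N=N, N_prime=N_PRIME, n=n):
    """A * B * 2^(-wn) mod N: add A*b_j, then SmallRed, for each word b_j of B."""
    X = 0
    for b_j in words(B, n):
        X = small_red(X + A * b_j, N, N_prime)
    return X                                # congruent to A*B*2^(-wn), not yet canonical

def to_mont(A, N=N, n=n):
    """A_bar = A * 2^(wn) mod N, computed as MontMul(A, 2^(2wn) mod N)."""
    return block_mont_mul(A, pow(2, 2 * W * n, N), N) % N

def from_mont(A_bar, N=N, n=n):
    """MontMul(A_bar, 1) = A_bar * 2^(-wn) mod N leaves Montgomery representation."""
    return block_mont_mul(A_bar, 1, N) % N

if __name__ == "__main__":
    A, B = 123456, 654321                   # constructed operands in [0, N[
    print(from_mont(block_mont_mul(to_mont(A), to_mont(B))) == A * B % N)
```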

2. Modular Multiplication: Our Objective

Our Objective

Our objective is to speed-up the SPA-resistant algorithms. To achieve this goal we focused on:
  • Two Modular Multiplications by a common operand A · B, A · C;
  • Multiple Modular Multiplications by a common operand A · B0, A · B1, . . . , A · Bℓ;
  • Application to SPA protected modular exponentiations.

3. Contributions: A · B, A · C

CombinedMontMul A · B, A · C

The Block Montgomery Modular multiplication computes:

  A · B · R^{−1} = (Σ_{j=0}^{n−1} b_j 2^{wj}) · A · 2^{−w(n+1)} mod N
                 = Σ_{j=0}^{n−1} b_j A · 2^{−w(n+1−j)} mod N
                 = Σ_{j=0}^{n−1} b_j (A · 2^{−w(n−1−j)} mod N) 2^{−2w} mod N
                 = (Σ_{j=0}^{n−1} b_j A^{(j)}) · 2^{−2w} mod N        (1)

where A^{(j)} = A · 2^{−w(n−1−j)} mod N for j = 0, . . . , n − 1. With the same for A · C · R^{−1}, one obtains

  A · C · R^{−1} = (Σ_{j=0}^{n−1} c_j A^{(j)}) · 2^{−2w} mod N.        (2)

CombinedMontMul A · B, A · C: Shared Computations

Therefore, the values A^{(j)} are shared by both multiplications:
  A = A^{(n−1)}
  SmallRed(A^{(n−1)}) = A · 2^{−w} mod N = A^{(n−2)},
  SmallRed(A^{(n−2)}) = (A · 2^{−w}) · 2^{−w} mod N = A^{(n−3)},
  . . .
  SmallRed(A^{(1)}) = (A · 2^{−w(n−2)}) · 2^{−w} mod N = A · 2^{−w(n−1)} = A^{(0)}.

CombinedMontMul A · B, A · C: Algorithm

CombinedMontMul(A, B, C)
Require: the modulus N < 2^{wn−2}, three integers A = (a_{n−1}, . . . , a_0)_2, B = (b_{n−1}, . . . , b_0)_2, C = (c_{n−1}, . . . , c_0)_2 such that A, B, C < 2N, w the word size, R = 2^{w(n+1)} the Montgomery constant.
Ensure: Y = A · B · R^{−1} mod N and Z = A · C · R^{−1} mod N
  X ← A
  Y ← b_{n−1} · X, Z ← c_{n−1} · X
  for j = n − 2 downto 0 do
    q ← |X|_{2^w} · N′ mod 2^w
    X ← (X + q · N)/2^w                  // = A^{(j)} for j = n − 2, . . . , 0
    Y ← Y + b_j · X, Z ← Z + c_j · X
  Y ← SmallRed(Y), Z ← SmallRed(Z)
  Y ← SmallRed(Y), Z ← SmallRed(Z)
  return Y and Z

CombinedMontMul A · B, A · C: Complexity Comparison

By sharing the computations of A^{(j)}, we reduce the complexity of the global computation of both multiplications A · B, A · C:

  Operation    Algorithm               # ADD             # MUL
  AB, AC       Two MontMuls            8n^2 + 4n − 2     4n^2 + 2n
  AB, A^2      MontMul and MontSqu     7n^2 + 7n − 2     (7/2)n^2 + (7/2)n − 1
  AB, AC       CombinedMontMul         6n^2 + 9n + 1     3n^2 + 4n + 3

3. Contributions: A · B0, A · B1, . . . , A · Bℓ

A · B0, A · B1, . . . , A · Bℓ

Given A ∈ {0, . . . , N − 1} and B_i, i = 1, . . . , ℓ, we want to compute:
  Y_1 = A · B_1 · 2^{−w(n+1)} mod N,
  Y_2 = A · B_2 · 2^{−w(n+1)} mod N,
  . . .
  Y_ℓ = A · B_ℓ · 2^{−w(n+1)} mod N.

We expand each multiplication A · B_i · 2^{−w(n+1)} mod N relatively to B_i and rewrite the product as follows:

  A · B_i · 2^{−w(n+1)} = (Σ_{j=0}^{n−1} b_{i,j} 2^{wj}) · A · 2^{−w(n+1)} mod N = (Σ_{j=0}^{n−1} b_{i,j} A^{(j)}) · 2^{−2w} mod N.        (3)

Optimisations A · B0, A · B1, . . . , A · Bℓ: Complexity

  Operation              Algorithm                    # ADD                    # MUL
  AB_i, i = 1, . . . , ℓ   ℓ MontMuls                   ℓ(4n^2 + 2n − 1)         ℓ(2n^2 + n)
  AB_i, i = 1, . . . , ℓ   ℓ× MultByComOp               ℓ(2n^2 + 5n + 1)         ℓ(n^2 + 2n + 2)
                         and 1× PrecomMultByComOp     + (2n + 1)(n − 1)        + (n^2 − 1)

PrecomMultByComOp → computations of all A^{(j)}.
Storage required → n × (n-word operand A^{(j)}).

3. Contributions: Application to SPA Protected Modular Exponentiations

Montgomery Ladder with A · B, A · C

Montgomery Ladder with CombinedMontMul(A, B, C)
Require: N < 2^{wn−1} and G ∈ {0, . . . , N − 1} and an exponent e = (e_{k−1}, . . . , e_0)_2, w the word size and R = 2^{w(n+1)} the Montgomery constant.
Ensure: G^e mod N
  X_0 ← R mod N
  // conversion X_1 ← G · R^2 · R^{−1} mod N
  X_1 ← MontMul(G, R^2 mod N)
  X_1 ← SmallRed(X_1)
  for i = k − 1 downto 0 do
    X_{1−e_i}, X_{e_i} ← CombinedMontMul(X_{e_i}, X_{1−e_i}, X_{e_i})
  // conversion X_0 ← (G^e · R) · R^{−1} mod N
  X_0 ← MontMul(X_0, 1), X_0 ← SmallRed(X_0)
  return X_0
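CombinedMontMul, PrecomMultByComOp/MultByComOp (equation (3)) and the ladder above, as one added example (not the authors' code) built on a single SmallRed; w, n, N, R = 2^{w(n+1)} and the operands are constructed, MontMul-then-SmallRed is realised as MultByComOp over the precomputed A^{(j)} (same map A · B · R^{−1}), and the final reduction of the ladder output to [0, N) is my addition.

```python
# Added example: the chain A^(n-1) = A, A^(j) = SmallRed(A^(j+1)) is computed once
# and feeds both accumulators of CombinedMontMul (and every MultByComOp call after
# PrecomMultByComOp). The ladder then performs one CombinedMontMul per bit.

W = 8                                            # word size w (constructed)
n = 3                                            # number of w-bit words
N = 1009 * 3001                                  # constructed odd modulus < 2^(wn-2)
MASK = (1 << W) - 1
N_PRIME = (-pow(N, -1, 1 << W)) & MASK           # N' = (-N^-1) mod 2^w
R = 1 << (W * (n + 1))                           # Montgomery constant R = 2^(w(n+1))

def small_red(X):
    """SmallRed: X * 2^-w mod N, bounded by X/2^w + N."""
    q = (X & MASK) * N_PRIME & MASK
    return (X + q * N) >> W

def words(B):
    """Words (b_0, ..., b_{n-1}) of B < 2^(wn), least significant first."""
    return [(B >> (W * j)) & MASK for j in range(n)]

def precomp_mult_by_com_op(A):
    """PrecomMultByComOp: [A^(0), ..., A^(n-1)], A^(j) = A * 2^(-w(n-1-j)) mod N,
    by n-1 successive SmallReds starting from A^(n-1) = A (n words of storage each)."""
    Aj = [0] * n
    Aj[n - 1] = A
    for j in range(n - 2, -1, -1):
        Aj[j] = small_red(Aj[j + 1])
    return Aj

def mult_by_com_op(B, Aj):
    """MultByComOp: A * B * R^-1 mod N from precomputed A^(j), equation (3):
    sum_j b_j A^(j), then two SmallReds supply the factor 2^(-2w)."""
    Y = 0
    for b_j, A_j in zip(words(B), Aj):
        Y += b_j * A_j
    return small_red(small_red(Y))

def combined_mont_mul(A, B, C):
    """CombinedMontMul(A, B, C) = (A*B*R^-1 mod N, A*C*R^-1 mod N); each A^(j)
    is produced once and added into both Y and Z. Outputs < 2N for inputs < 2N."""
    b, c = words(B), words(C)
    X = A                                        # X = A^(n-1)
    Y, Z = b[n - 1] * X, c[n - 1] * X
    for j in range(n - 2, -1, -1):
        X = small_red(X)                         # X = A^(j), shared by Y and Z
        Y += b[j] * X
        Z += c[j] * X
    Y, Z = small_red(Y), small_red(Z)
    Y, Z = small_red(Y), small_red(Z)
    return Y, Z

def mont_mul(A, B):
    """A * B * R^-1 mod N (what the slides write MontMul(A, B) then SmallRed)."""
    return mult_by_com_op(B, precomp_mult_by_com_op(A))

def ladder_with_combined_mont_mul(G, e):
    """Montgomery ladder in Montgomery form: X_{1-e_i} <- X_{e_i} X_{1-e_i} and
    X_{e_i} <- X_{e_i}^2 are one CombinedMontMul call, whatever the bit e_i."""
    X = [R % N, mont_mul(G, R * R % N)]          # X_0 = 1*R, X_1 = G*R (mod N)
    for i in range(e.bit_length() - 1, -1, -1):  # i = k-1 downto 0
        ei = (e >> i) & 1
        X[1 - ei], X[ei] = combined_mont_mul(X[ei], X[1 - ei], X[ei])
    return mont_mul(X[0], 1) % N                 # G^e * R * R^-1; "% N" canonicalises

if __name__ == "__main__":
    print(ladder_with_combined_mont_mul(12345, 197504023) == pow(12345, 197504023, N))
```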

Right-to-left Regular Exponentiation with A · B, A · C

Right-to-left regular 2^t-ary exponentiation with CombinedMontMul
Require: N < 2^{wn−2} the modulus, an integer 0 ≤ G < N, an exponent e = (e_{k−1}, . . . , e_0)_{2^t} with e_i ∈ {1, . . . , 2^t}, R = 2^{w(n+1)} the Montgomery constant.
Ensure: G^e mod N
  X ← MontMul(G, R^2 mod N), X ← SmallRed(X)        // X = G · R mod N
  for i = 1 to 2^t do
    Y_i ← R mod N
  for i = 0 to k − 1 do
    Y_{e_i}, X ← CombinedMontMul(X, Y_{e_i}, X)
    for j = 1 to t − 1 do
      X ← MontSqu(X), X ← SmallRed(X)
  // Final reconstruction
  Z ← Y_{2^t}
  Y_{2^t−1} ← MontMul(Y_{2^t−1}, Y_{2^t})
  Y_{2^t−1} ← SmallRed(Y_{2^t−1})
  for i = 2^t − 1 downto 2 do
    Z, Y_{i−1} ← CombinedMontMul(Y_i, Z, Y_{i−1})
  Z ← MontMul(Z, Y_1), Z ← SmallRed(Z)
  Z ← MontMul(Z, 1), Z ← SmallRed(Z)
  return Z

Left-to-right Regular Exponentiation with A · B0, A · B1, . . . , A · Bℓ

Left-to-right regular 2^t-ary exponentiation with MultByComOp
Require: N < 2^{wn−1} the modulus, an integer 0 ≤ G < N, an exponent e = (e_{k−1}, . . . , e_0)_2 with e_{k−1} ∈ {1, . . . , m}, R = 2^{w(n+1)} the Montgomery constant.
Ensure: G^e mod N
  G_1 ← MontMul(G, R^2 mod N), G_1 ← SmallRed(G_1)        // G_1 = G · 2^{w(n+1)} mod N
  X ← R
  G_1^{(0)}, . . . , G_1^{(n−1)} ← PrecompMultByComOp(G_1)
  for i = 2 to 2^t do
    G_i ← MultByComOp(G_{i−1}, G_1^{(0)}, . . . , G_1^{(n−1)})
    G_i^{(0)}, . . . , G_i^{(n−1)} ← PrecompMultByComOp(G_i)
  for i = k − 1 downto 0 do
    for j = 1 to t do
      X ← MontSqu(X), X ← SmallRed(X)        // X ← X^2 · 2^{−w(n+1)} mod N
    X ← MultByComOp(X, G_{e_i}^{(0)}, . . . , G_{e_i}^{(n−1)})
  X ← MontMul(X, 1), X ← SmallRed(X)        // X ← X · 2^{−w(n+1)} mod N
  return X

Complexity Comparison

Complexities of modular exponentiation for 2048 bits:

                  ML        ML+CMM    R-to-L    R-to-L+CMM    L-to-R    L-to-R+MBCO
  #ADD/10^3       15143     13183     8595      8253          8466      7804
  Improv.                   12.9%               4%                      7.9%
  #MUL/10^3       7506      6564      4296      4120          4232      3896
  Improv.                   12.6%               4.1%                    7.9%
  Storage req.                                                          256 KB with t = 5

ML = Montgomery-ladder, R-to-L = Right-to-left, L-to-R = Left-to-right, CMM = CombinedMontMul, MBCO = MultByComOp

3. Contributions: Experimental Results

Implementation Performances

Intel Core i7 (turbo-boost and hyperthreading deactivated), gcc 4.8.2, GMP 6.0.0 library for 1 × n multiplications and n × n additions.

                             1024 bits               2048 bits               4096 bits
  Algorithm                  #CC/10^3   Imp. ratio   #CC/10^3   Imp. ratio   #CC/10^3   Imp. ratio
  Mont-ladder                3068       9.0%         20643      9.1%         153443     14.6%
  Mont-ladder with CMM       2793                    18773                   131011
  Right-to-left              1857       0.1%         11796      1.7%         87081      4.0%
  Right-to-left with CMM     1855                    11596                   83599
  Left-to-right              1858       −1%          11734      3.1%         83354      8.3%
  Left-to-right with MBCO    1877                    11368                   77745


4. Conclusion

Conclusion:

In this work, we proposed:
  • Two Modular Multiplications by a common operand A · B, A · C:
    → Improvement of two modular multiplications up to 25%;
  • Multiple Modular Multiplications by a common operand A · B0, A · B1, . . . , A · Bℓ:
    → Improvement of ℓ modular multiplications up to 50%;
  • Application to SPA protected RSA modular exponentiations:
    → the Montgomery Ladder is improved by 9 to 15 %;
    → the Right-to-left regular 2^t-ary exponentiation is improved by up to 4 %;
    → the Left-to-right regular 2^t-ary exponentiation is improved by up to 8 %.

Thank you for your attention. Any questions?

mail: jean-marc.robert@univ-perp.fr
home page: perso.univ-perp.fr/jeanmarc.robert

This work was supported by: PAVOIS ANR 12 BS02 002 02, ERASMUS MUNDUS Thelxinoe, Smart City