1 / 18

M IST : An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis

M IST : An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis. Colin D. Walter formerly : www.co.umist.ac.uk (Manchester, UK) c.walter@umist.ac.uk now : www.comodo.net (Bradford, UK) colin@comodo.net. Power Analysis Attacks.

allene
Download Presentation

M IST : An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. MIST: An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis Colin D. Walter formerly: www.co.umist.ac.uk (Manchester, UK) c.walter@umist.ac.uk now: www.comodo.net (Bradford, UK) colin@comodo.net

  2. Power Analysis Attacks • With no counter-measures and the binary expn algm, averaging power traces at the same instants during several expns enables one to differentiate squares and multiplies and hence deduce the exponent bits. • Averaging power traces over individual digit-by-digit products in a single expn enables one to differentiate mutliplicands in m-ary expn and hence deduce the exponent. • Smartcards have limited scope for including expensive, tamper-resistant, hardware measures. • Good software counter-measures are required: new algorithms as well as modifying arguments e.g. E to E+r(M). Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions

  3. Requirements for Exponentiation • New algorithm, not new inputs, as single expn may be attacked. • Different pattern of Squares and Multiplies to frustrate averaging. • No re-use of multiplicands (same reason) • No fully determined tie between Square or Multiply and known process. • Good time and spaceefficiency Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions

  4. History • T. S. Messerges, E.A. Dabbish & R.H. SloanPower Analysis Attacks of Modular Exponentiation in Smartcards CHES 99 , LNCS 1717 • E. Oswald & M. AignerRandomized Addition-Subtraction Chains as a Countermeasure against Power Attacks CHES 2001, LNCS 2162 • C. D. WalterExponentiation using Division Chains IEEE TC 47, 1998, pp 757–765 Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions

  5. Binary Expn Algorithm { To compute: ResultM = ME} StartM  M ; ResultM  1; While E > 0 do Begin If (E mod 2) = 1 then ResultM  StartM×ResultM ; StartM  StartM2 ; E  E div 2 ; End ; Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions

  6. The MIST Expn Algorithm { To compute: ResultM = ME} StartM  M ; ResultM  1; While E > 0 do Begin Choose a random “divisor”D ; R  E mod D ; If R  0 then ResultM  StartMR × ResultM ; StartM  StartMD ; E  E div D ; { Invariant: ME.Init= StartME× ResultM } End ; Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions

  7. Addition Chains The main computational part of the loop is: If R  0 then ResultM  StartMR × ResultM ; StartM  StartMD ; • To provide the required efficiency, a set of possible values for D are chosen so that an efficient addition chain for D contains R, e.g. • 1+1=2, 2+1=3, 2+3=5 is an addition chain for D=5 suitable for when R = 0, 1, 2 or 3. • Comparable to the m-ary method regarding time complexity Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions

  8. Example Choose the set of divisors {2, 3, 5}. Consider E= 257 E D, R StartM StartM/TempM ResultM 257 5, 2 1 1+1 = 2 0+2 = 2 1+2 = 3 3+2 = 5 51 3, 0 5 5+5 = 10 10+5 = 15 17 2, 1 15 15+2 = 17 15 + 15 = 30 8 2, 0 30 30 + 30 = 60 4 2, 0 60 60 + 60 = 120 2 2, 0 120 120+120 = 240 1 240 240+17 = 257 Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions

  9. Choice of Divisor Set • Security: Divisors must be chosen so that sequences of squares and multiplies do not reveal D. • Efficiency: • Divisors must be chosen so that raising to the power D is (time) efficient enough. • Space is required to store addition chains. • As few registers as possible should be used for the exponentiation. • Solution: Take the set of divisors {2,3,5}. Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions

  10. Choice of Divisor Example choice: D := 0 ; If Random(x) < 7/8 then If (E mod 2) = 0 then D  2 else If (E mod 5) = 0 then D  5 else If (E mod 3) = 0 then D  3 ; If D = 0 then Begin p := Random(x) ; If p < 6/8 then D  2 else If p < 7/8 then D  3 else D  5 End ; Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions

  11. Choice of Divisor • Choosing D when E 0 mod D is efficient because it avoids a multiplication by StartMR. • Choosing such D deterministically is unsafe, so they should not be chosen always. • Some pairs (D,R) require fewer multiplications per than others per bit of reduction in the size of E. We should choose the more efficient ones more frequently. • The published paper gives some details on ordering them. Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions

  12. A Markov Process • Divisors affect the frequencies of residues Emod30 (30 = LCM of divisor set): • Choice of divisors 3, 5 when E is odd multiple of 3 or 5 reduces frequency of even residues. • With the exceptions of 14 and 25, odd & even residues occur with probability > 1/30 and < 1/30 resp. • After several iterations, 3, 9, 11, 21, 29 are all three times more likely to occur than the least likely residue 16. • We need to model this as a Markov process, looking at the limit probabilities of each residue mod 30. Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions

  13. Probability of each (D,R) • The matrix of probabilities of each output residue mod 30 for each input residue enables the limit probability of each residue to be computed. • This gives the probabilities: • pD,R for each pair (D,R) • pD for each divisor D: p2 = 0.621 p3 = 0.234 p5 = 0.145 Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions

  14. Avage Addn Chain Properties • The probabilities of addition sub-chain lengths are: • length 1 is p2,0 = 0.350 • length 2 is p3,0 + p2,1 = 0.460 • length 3 is p5,0 + p3,1 + p3,2 = 0.143 • length 4 is p5,1 + p5,2 + p5,3 + p5,4 = 0.047 • So average divisor sub-chain has length 1.887 mults • Av decrease in E is 2p23p35p5 = 2.512 per subchain • So 0.75 log2E subchains & 1.42 log2E mults • This is faster than the binary expn algorithm and marginally slower than 4-ary expn Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions

  15. Space Requirements • There are 3 long integer registers: StartM, TempM, ResultM rather than the two for binary expn. • E can be fully processed before each expn, giving 2 bits per divisor, about 1.5n bits for n bit E. • If multn instructions are determined in advance, 5 bits are needed for each, so about 7n bits to store (but these may be generated as required). • The addition sub-chains for each pair (D,R) must be stored in ROM: under 256 bits for the table in the proceedings. Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions

  16. Other Processing Apart from the long integer multiplicative operations, processing includes: • Generation of random numbers: 33/5 bits per divisor, or 3n bits for exponents of n bits. • Divisions of E by D: equivalent to a few long integer multiplications overall. • With three registers rather than the two for the binary algm, data movement is greater but still insignificant overall: at most one new value needs to be fetched from/ written to memory for each multiplication. Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions

  17. Data Leakage • MIST prevents the usual power trace averaging associated with power analysis attacks, but: • The sequence of Squares and Mults parses in too many ways to enable pairs (D,R) to be recovered: (2,1) & (3,0) are the same. • Making deterministic choices for D is poor practice: they may provide a handle to distinguish between correct and incorrect keys. • Processing of E and choosing of divisors must be well hidden: computing E div D may leak. It is much shorter than a long integer multiplication, so should leak much less. Don’t do it after processing the long integer mults of the previous divisor. Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions

  18. Conclusion • A novel exponentiation algorithm has been presented for which random choices make averaging for DPA impossible. • The speed is comparable to 4-ary expn. • The space requirements comparable. • Areas of security concern have been narrowed. Colin D. Walter, Comodo Research Lab, Bradford Next Generation Digital Security Solutions

More Related