
The distributions of individual bits in the output of multiplicative operations

Cryptography and Communications

Abstract

A difference-of-means test applied to acquisitions of the instantaneous power consumption has been shown to be a suitable means of distinguishing a multiplication from a squaring operation over the integers. This has been attributed to the difference in expected Hamming weight of the output of these operations but few details are present in the literature. In this paper we define how this difference occurs and show that, somewhat surprisingly, a difference can, for some moduli, still be observed after a modular reduction. Moreover, we show that this difference leads to a practical attack under reasonable assumptions where a modulus is blinded. The presented attack goes beyond the cryptographic primitive and applies to concrete provably secure implementations, including RSA-PSS for signature generation or RSA-OAEP for encryption that uses side-channel countermeasures.


Notes

  1. Otherwise a private exponent could be determined by simple power analysis [18].

References

  1. Akishita, T., Takagi, T.: Power analysis to ECC using differential power between multiplication and squaring. In: Domingo-Ferrer, J., Posegga, J., Schreckling, D. (eds.) CARDIS 2006, LNCS, vol. 3928, pp. 151–164. Springer (2006)

  2. Amiel, F., Feix, B., Tunstall, M., Whelan, C., Marnane, W.P.: Distinguishing multiplications from squaring operations. In: Youm, H., Yung, M. (eds.) SAC 2008, LNCS, vol. 5932, pp. 148–162. Springer (2009)

  3. Bauer, A., Jaulmes, E., Prouff, E., Wild, J.: Horizontal and vertical side-channel analysis against secure RSA implementations. In: Dawson, E. (ed.) CT-RSA 2013, LNCS, vol. 7779, pp. 1–17. Springer (2013)

  4. Bellare, M., Rogaway, P.: Optimal asymmetric encryption — how to encrypt with RSA. In: Santis, A.D. (ed.) EUROCRYPT ’94, LNCS, vol. 950, pp. 92–111. Springer (1994)

  5. Bellare, M., Rogaway, P.: The exact security of digital signatures: How to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT ’96, LNCS, vol. 1070, pp. 399–416. Springer (1996)

  6. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.J. (eds.) CHES 2004, LNCS, vol. 3156, pp. 16–29. Springer (2004)

  7. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002, LNCS, vol. 2523, pp. 13–28. Springer (2002)

  8. Clavier, C., Feix, B., Gagnerot, G., Giraud, C., Roussellet, M., Verneuil, V.: ROSETTA for single trace analysis. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012, LNCS, vol. 7668, pp. 140–155. Springer (2012)

  9. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010, LNCS, vol. 6476, pp. 46–61. Springer (2010)

  10. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Square always exponentiation. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011, LNCS, vol. 7107, pp. 40–57. Springer (2011)

  11. Coron, J.S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999, LNCS, vol. 1717, pp. 292–302. Springer (1999)

  12. Dupaquis, V., Venelli, A.: Redundant modular reduction algorithms. In: Prouff, E. (ed.) CARDIS 2011, LNCS, vol. 7079, pp. 102–114. Springer (2011)

  13. Gierlichs, B., Batina, L., Tuyls, P., Preneel, B.: Mutual information analysis. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008, LNCS, vol. 5154, pp. 426–442. Springer (2008)

  14. Hanley, N., Tunstall, M., Marnane, W.P.: Using templates to distinguish multiplications from squaring operations. Int. J. Inf. Secur. 10 (4), 255–266 (2011)

  15. Joye, M.: Highly regular right-to-left algorithms for scalar multiplication. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007, LNCS, vol. 4727, pp. 135–147. Springer (2007)

  16. Joye, M., Yen, S.M.: The Montgomery powering ladder. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002, LNCS, vol. 2523, pp. 291–302. Springer (2003)

  17. Kocher, P.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO ’96, LNCS, vol. 1109, pp. 104–113. Springer (1996)

  18. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M.J. (ed.) CRYPTO ’99, LNCS, vol. 1666, pp. 388–397. Springer (1999)

  19. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks — Revealing the Secrets of Smart Cards. Springer, Berlin (2007)

  20. Montgomery, P.: Modular multiplication without trial division. Math. Comput. 44, 519–521 (1985)

  21. Montgomery, P.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48 (177), 243–264 (1987)

  22. National Institute of Standards and Technology (NIST): Recommended elliptic curves for federal government use. In the appendix of FIPS 186-3, available from http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf (2009)

  23. Oswald, E., Aigner, M.: Randomized addition-subtraction chains as a countermeasure against power attacks. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001, LNCS, vol. 2162, pp. 39–50. Springer (2001)

  24. Parhami, B.: Computer Arithmetic. Oxford University Press, London (2000)

  25. Rivest, R., Shamir, A., Adleman, L.M.: Method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21 (2), 120–126 (1978)

  26. Smart, N., Oswald, E., Page, D.: Randomised representations. IET Proc. Inf. Secur. 2 (2), 19–27 (2008)

  27. Stinson, D.: Some baby-step giant-step algorithms for the low Hamming weight discrete logarithm problem. Math. Comput. 71 (237), 379–391 (2002)

  28. Teske, E.: New algorithms for finite abelian groups. Ph.D. thesis, Technische Universität Darmstadt (1998)

  29. Whitnall, C., Oswald, E., Mather, L.: An exploration of the Kolmogorov-Smirnov test as a competitor to mutual information analysis. In: Prouff, E. (ed.) CARDIS 2011, LNCS, vol. 7079, pp. 234–251. Springer (2011)

Acknowledgments

The authors would like to thank the anonymous referees for their detailed and perceptive comments. The work described in this paper has also been supported in part by the European Commission through the ICT Programme under Contract ICT-2007-216676 ECRYPT II and by the EPSRC via grant EP/I005226/1.

Author information

Correspondence to Michael Tunstall.

Additional information

This work was conducted while the author was employed by the Cryptography Group at the University of Bristol.

Appendices

Appendix A: \(\Pr[Z_{s} = 1]\) for multiplication in \(\mathbb{Z}\)

Following the notation defined in Section 3.1, we define \(Y_{s}\) as the sum of the bits of the s-th column, and \(W_{s}\) as the number of lines present in the addition described above, i.e. the Hamming weight of the s least significant bits of the result of a multiplication. Then

$$\Pr [Y_{s} = y \mid W_{s} = w] = \left(\begin{array}{c}{w}\\{y} \end{array}\right)\frac{1}{2^{w}} \quad \text{and} \quad \Pr (W_{s} = w) = \left(\begin{array}{c}{s}\\{w}\end{array}\right)\frac{1}{2^{s}} . $$

We also define \(D_{s-1}\) as the carry produced from the (s−1)-th column; then

$$\Pr [D_{s-1} = d] = \Pr [Y_{s-1} = 2\,d] + \Pr [Y_{s-1} = 2\,d + 1] \, , $$

and

$$\Pr [Y_{s} = y] = {\sum}_{i=0}^{y} \Pr [D_{s-1} = y-i] {\sum}_{j=i}^{s} \Pr [Y_{s} = i \mid W_{s} = j] \Pr [W_{s} = j] . $$

Let \(\kappa = {\sum }_{i=0}^{\lfloor s/2 \rfloor } \Pr [D_{s-1} = 2\,i]\), then

$$\begin{array}{@{}rcl@{}} \Pr [Z_{s} = 1] & =& \kappa {\sum}_{j=0}^{\lfloor s/2 \rfloor} {\sum}_{k=2\,j+1}^{s} \Pr [Y_{s} = 2\,j+1 \mid W_{s} = k] \Pr [W_{s} = k] \\ && + (1-\kappa) {\sum}_{j=0}^{\lfloor s/2 \rfloor} {\sum}_{k=2\,j}^{s} \Pr [Y_{s} = 2\,j \mid W_{s} = k] \Pr [W_{s} = k] \\ & =& \kappa {\sum}_{j=0}^{\lfloor s/2 \rfloor} {\sum}_{k=2\,j+1}^{s} \left(\begin{array}{c}{k}\\{2\,j+1} \end{array}\right) \frac{1}{2^{k}} \left(\begin{array}{c}{s}\\{k}\end{array}\right)\frac{1}{2^{s}} + (1-\kappa) {\sum}_{j=0}^{\lfloor s/2 \rfloor} {\sum}_{k=2\,j}^{s} \left(\begin{array}{c}{k}\\{2\,j}\end{array}\right) \frac{1}{2^{k}} \left(\begin{array}{c}{s}\\{k} \end{array}\right) \frac{1}{2^{s}} \\ & = &\left( \kappa + (1-\kappa) \right) {\sum}_{j=0}^{\lfloor s/2 \rfloor} {\sum}_{k=2\,j+1}^{s} \left(\begin{array}{c}{k}\\{2\,j+1} \end{array}\right) \frac{1}{2^{k}} \left(\begin{array}{c}{s}\\{k} \end{array}\right) \frac{1}{2^{s}} \quad \text{(by Lemma~2)} \\ & =& {\sum}_{j=0}^{\lfloor s/2 \rfloor} {\sum}_{k=2\,j+1}^{s} \left(\begin{array}{c}{k}\\{2\,j+1} \end{array}\right) \frac{1}{2^{k}} \left(\begin{array}{c}{s}\\{k} \end{array}\right) \frac{1}{2^{s}} \\ & =& {\sum}_{j=0}^{\lfloor s/2 \rfloor} {\sum}_{k=2\,j+1}^{s} \Pr [Y_{s} = 2\,j+1 \mid W_{s} = k] \Pr [W_{s} = k]. \end{array} $$

Hence, one can compute \(\Pr[Z_{s} = 1]\) without needing to compute the carry at each step.

Lemma 2

Given the binomial numbers \(\left(\begin{array}{c}{n}\\{r}\end{array}\right)\) for \(r \in \{0, \ldots, n\}\), for some \(n \in \mathbb{Z}_{>0}\), then

$$ {\sum}_{\text{\textit{r} odd}} \left(\begin{array}{c}{n}\\{r}\end{array}\right) = {\sum}_{\text{\textit{r} even}} \left(\begin{array}{c}{n}\\{r}\end{array}\right). $$

Proof

This follows from the binomial formula by noting that

$$0 = (1 - 1)^{n} = {\sum}_{0 \le r \le n} \left(\begin{array}{c}{n}\\{r}\end{array}\right) 1^{n-r} (-1)^{r} = {\sum}_{\begin{array}{c}{0 \le r \le n}\\{r~\text{even}}\end{array}}\left(\begin{array}{c}{n}\\{r}\end{array}\right) - {\sum}_{\begin{array}{c}{0 \le r \le n}\\{r~\text{odd}}\end{array}}\left(\begin{array}{c}{n}\\{r}\end{array}\right) \, .$$

Furthermore, given that

$$ \Pr [Z_{s} = 1] = {\sum}_{j=0}^{\lfloor s/2 \rfloor} {\sum}_{k=2\,j+1}^{s} \left(\begin{array}{c}{k}\\{2\,j+1}\end{array}\right) \frac{1}{2^{k}} \left(\begin{array}{c}{s}\\{k} \end{array}\right)\frac{1}{2^{s}} , $$

for any k,

$${\sum}_{\begin{array}{c}{1 \le j \le k,}\\{j~ \text{odd}}\end{array}} \left(\begin{array}{c}{k}\\{j} \end{array}\right) \frac{1}{2^{k}} = \frac{1}{2} \quad \text{(by Lemma 1).} $$

Hence,

$$\Pr [Z_{s} = 1] = {\sum}_{k=1}^{s} \frac{1}{2} \left(\begin{array}{c} {s}\\{k}\end{array}\right) \frac{1}{2^{s}} = \frac{1}{2} - \frac{1}{2} \left(\begin{array}{c}{s}\\{0} \end{array}\right) \frac{1}{2^{s}} = \frac{1}{2} - \frac{1}{2^{s+1}} \, . $$

Appendix B: \(\Pr[Z_{s} = 1]\) for a squaring operation in \(\mathbb{Z}\)

Without loss of generality we shall assume that s is even, since if s is even \(\Pr[W_{s} = s] = \Pr[W_{s-1} = s-1]\). Hence,

$$\Pr [Y_{s} = 2 \, y \mid W_{s} = 2\,w] = \left(\begin{array}{c}{w}\\{y} \end{array}\right) \frac{1}{2^{w}} $$

Again, we define \(D_{s-2}\) as the carry produced from the (s−2)-th column and let \(\kappa = {\sum}_{i=0}^{\lfloor (s-2)/2 \rfloor} \Pr[D_{s-2} = 2\,i]\). We note that the result of the sum of a given column will be even, and that the result will impact the next column; then

$$\begin{array}{@{}rcl@{}} \Pr [Z_{s} = 1] & =& \kappa {\sum}_{j=0}^{\lfloor (s-1)/2 \rfloor} {\sum}_{k=2\,j+1}^{\lfloor (s-1)/2 \rfloor} \Pr [Y_{s} = 2\,j+1 \mid W_{s} = k] \Pr [W_{s} = k] \\ && + (1-\kappa) {\sum}_{j=0}^{\lfloor (s-1)/2 \rfloor} {\sum}_{k=2\,j}^{\lfloor (s-1)/2 \rfloor} \Pr [Y_{s} = 2\,j \mid W_{s} = k] \Pr [W_{s} = k] \\ & =& \kappa {\sum}_{j=0}^{\lfloor (s-1)/2 \rfloor} {\sum}_{k=2\,j+1}^{\lfloor (s-1)/2 \rfloor} \left(\begin{array}{c}{k}\\{2\,j+1}\end{array}\right) \frac{1}{2^{k}} \left(\begin{array}{c}{\lfloor s/2 \rfloor}\\{k} \end{array}\right) \frac{1}{2^{\lfloor s/2 \rfloor}} \\ && + (1-\kappa) {\sum}_{j=0}^{\lfloor (s-1)/2 \rfloor} {\sum}_{k=2\,j}^{\lfloor (s-1)/2 \rfloor} \left(\begin{array}{c}{k}\\{2\,j}\end{array}\right) \frac{1}{2^{k}} \left(\begin{array}{c}{\lfloor s/2 \rfloor}\\{k} \end{array}\right) \frac{1}{2^{\lfloor s/2 \rfloor}} \\ & =& \left( \kappa + (1-\kappa) \right) {\sum}_{j=0}^{\lfloor (s-1)/2 \rfloor} {\sum}_{k=2\,j+1}^{\lfloor (s-1)/2 \rfloor} \left(\begin{array}{c}{k}\\{2\,j+1} \end{array}\right) \frac{1}{2^{k}} \left(\begin{array}{c}{\lfloor s/2 \rfloor}\\{k} \end{array}\right) \frac{1}{2^{\lfloor s/2 \rfloor}} \quad \text{(by Lemma~2)} \\ & =& {\sum}_{j=0}^{\lfloor s/2 \rfloor} {\sum}_{k=2\,j+1}^{\lfloor s/2 \rfloor} \left(\begin{array}{c}{k}\\{2\,j+1} \end{array}\right) \frac{1}{2^{k}} \left(\begin{array}{c}{\lfloor s/2 \rfloor}\\{k} \end{array}\right)\frac{1}{2^{\lfloor s/2 \rfloor}} \\ & =& {\sum}_{k=1}^{\lfloor (s-1)/2 \rfloor} \frac{1}{2} \left(\begin{array}{c}{\lfloor (s-1)/2 \rfloor}\\{k} \end{array}\right) \frac{1}{2^{\lfloor (s-1)/2 \rfloor}} \\ & =& \frac{1}{2} - \frac{1}{2} \left(\begin{array}{c}{\lfloor (s-1)/2 \rfloor}\\{0}\end{array}\right) \frac{1}{2^{\lfloor (s-1)/2 \rfloor}} = \frac{1}{2} - \frac{1}{2^{\lfloor (s-1)/2 \rfloor+1}} . \end{array} $$
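As an added illustration (this is not code from the paper), the following Python script checks the closed forms of Appendices A and B against exhaustive enumeration, and totals the per-bit probabilities into the expected Hamming weight gap between a multiplication and a squaring that a difference-of-means test relies on. It assumes \(Z_{s}\) is the s-th least significant output bit, i.e. the column fed by s partial-product lines; that reading of the paper's indexing is an assumption of the script.

```python
from fractions import Fraction


def bit(value, index):
    """Return bit `index` (0 = least significant) of the integer `value`."""
    return (value >> index) & 1


def exact_pr_mult(s):
    """Exact Pr[Z_s = 1] for x * y with x, y independent and uniform, where
    Z_s is taken to be the s-th least significant bit of the product (bit
    index s-1). That bit depends only on the s low bits of each operand, so
    enumerating every pair in Z_{2^s} x Z_{2^s} gives the exact probability."""
    n = 1 << s
    hits = sum(bit(x * y, s - 1) for x in range(n) for y in range(n))
    return Fraction(hits, n * n)


def exact_pr_square(s):
    """Exact Pr[Z_s = 1] for x * x with x uniform (same indexing as above)."""
    n = 1 << s
    hits = sum(bit(x * x, s - 1) for x in range(n))
    return Fraction(hits, n)


def formula_mult(s):
    """Appendix A: Pr[Z_s = 1] = 1/2 - 1/2^(s+1) for a multiplication."""
    return Fraction(1, 2) - Fraction(1, 2 ** (s + 1))


def formula_square(s):
    """Appendix B: Pr[Z_s = 1] = 1/2 - 1/2^(floor((s-1)/2)+1) for a squaring.
    Used for s >= 2 only: for s = 1 the output bit is just x_0 (probability
    1/2), which falls outside the column model of the appendix."""
    return Fraction(1, 2) - Fraction(1, 2 ** ((s - 1) // 2 + 1))


def expected_weight(n_bits, exact_pr):
    """Expected Hamming weight of the n_bits least significant output bits,
    E[HW] = sum_s Pr[Z_s = 1]. The gap between the two operations is the
    mean difference a difference-of-means test on power traces picks up."""
    return sum(exact_pr(s) for s in range(1, n_bits + 1))


def formulas_match(max_s=8):
    """Compare both closed forms with exhaustive enumeration for s <= max_s."""
    mult_ok = all(exact_pr_mult(s) == formula_mult(s) for s in range(1, max_s + 1))
    sq_ok = all(exact_pr_square(s) == formula_square(s) for s in range(2, max_s + 1))
    return mult_ok and sq_ok


if __name__ == "__main__":
    for s in range(1, 9):
        print(f"s={s}: mult {exact_pr_mult(s)}  square {exact_pr_square(s)}")
    print("E[HW] of the 8 low bits:", expected_weight(8, exact_pr_mult),
          "(mult) vs", expected_weight(8, exact_pr_square), "(square)")
```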

Appendix: C The discrete logarithm problem

We recall the discrete logarithm problem:

Definition 1

Let \(\alpha \in G\), for some Abelian group G, and suppose \(\alpha \in \langle \beta \rangle\). The discrete logarithm \(\log_{\alpha} \beta\) is the unique integer x such that \(0 \le x \le \mathrm{ord}(\alpha) - 1\) and \(\alpha^{x} = \beta\). The Discrete Logarithm Problem (DLP) is to compute \(\log_{\alpha} \beta\), given α and β.

In a side-channel analysis of a given instance of an exponentiation algorithm the results can only give the best guess of the exponent. Stinson describes a variant of the Baby-Step/Giant-Step algorithm where it is assumed that the exponent has a small Hamming weight [27]. Stinson’s algorithm requires the existence of a means of splitting a string of bits into two sets of equal Hamming weight.

Lemma 3

We consider an integer of bit length m as a string of bits of length \(m \in 2\,\mathbb{Z}\) and Hamming weight \(0 < t < m\). There will exist a set of contiguous bits with Hamming weight \(\lfloor t/2 \rfloor\).

We present a somewhat simplified version of Stinson’s proof:

Proof

We begin with the case where t is even. Let X be a string of bits of length m with Hamming weight \(t \in 2\,\mathbb{Z}\). Let each \(Y_{i}\) for \(i \in \{1, \ldots, m/2\}\) represent one of the m/2 sets of contiguous bits starting from the i-th bit of the string. Let H be a function that returns the Hamming weight; then \(H(Y_{1}) = t - H(Y_{m/2})\). Given that \(H(Y_{i}) - H(Y_{i+1})\) will be in {−1, 0, 1}, there will be some set of contiguous bits with Hamming weight t/2. If t is odd then the first bit can be ignored, as it will be set to one given that the bit length is known, putting us in the case described above. Hence, one can find one set of Hamming weight ⌊t/2⌋ and the other of ⌈t/2⌉.

This is sufficient for our requirements. We refer the reader to Stinson for versions of this proof where m is odd [27].
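The following Python function is an added, constructive version of the argument above (my own code, not Stinson's or the authors'): it slides a window of m/2 bits from the low half of the string to the high half until the window carries exactly ⌊t/2⌋ ones, so the complement carries ⌈t/2⌉; this is the split of an error pattern into two halves that the splitting algorithm referred to later in this appendix has to provide. A brute-force checker confirms the lemma for every string of small even length.

```python
from itertools import product


def split_by_weight(bits):
    """Constructive Lemma 3. `bits` is a list of 0/1 of even length m with
    Hamming weight 0 < t < m. Returns (window, rest): `window` is the index
    set of m/2 contiguous positions holding exactly floor(t/2) ones, `rest`
    the remaining positions, holding ceil(t/2) ones.
    The first and last windows together cover the whole string, so their
    weights sum to t, and sliding by one position changes the weight by at
    most 1; hence the weight floor(t/2) is reached somewhere in between."""
    m = len(bits)
    if m % 2 != 0:
        raise ValueError("Lemma 3 as stated needs an even bit length")
    t = sum(bits)
    if not 0 < t < m:
        raise ValueError("Hamming weight must satisfy 0 < t < m")
    half, target = m // 2, t // 2
    weight = sum(bits[:half])                 # weight of the lowest window
    for start in range(half + 1):             # half + 1 candidate windows
        if weight == target:
            window = set(range(start, start + half))
            return window, set(range(m)) - window
        if start < half:                      # slide one position right
            weight += bits[start + half] - bits[start]
    raise AssertionError("unreachable: Lemma 3 guarantees a hit")


def lemma_holds_exhaustively(m):
    """Check every bit string of even length m with 0 < t < m: the window
    returned is contiguous, has m/2 positions and weight floor(t/2), and
    the complement has weight ceil(t/2)."""
    for bits in product((0, 1), repeat=m):
        t = sum(bits)
        if not 0 < t < m:
            continue
        window, rest = split_by_weight(list(bits))
        if len(window) != m // 2 or max(window) - min(window) != m // 2 - 1:
            return False
        if sum(bits[i] for i in window) != t // 2:
            return False
        if sum(bits[i] for i in rest) != t - t // 2:
            return False
    return True


if __name__ == "__main__":
    # Constructed example: an 8-position error pattern of weight 4.
    example = [1, 0, 1, 1, 0, 0, 1, 0]
    window, rest = split_by_weight(example)
    print("window positions", sorted(window), "rest", sorted(rest))
    print("lemma verified for m <= 10:",
          all(lemma_holds_exhaustively(m) for m in (2, 4, 6, 8, 10)))
```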

Given an estimate \(x'\) for the exponent, where \(x = x' \oplus e\) for some unknown e of Hamming weight t, we can attempt to determine x by guessing e. We let \(z_{i}\) denote the i-th bit of z for an n-bit number z. Given an n-bit number z we define the vector \(\mathring{z}\) as follows

$$\mathring{z}_{i} = \left\{ \begin{array}{cl} 0 & \text{If}~ z_{i} = 0 \, , \\ 1 & \text{If}~ z_{i} = 1 ~\text{and}~ x^{\prime}_{i} = 0 \, , \\ -1 & \text{If}~z_{i} = 1 ~\text{and}~ x^{\prime}_{i} = 1 \, . \end{array} \right. $$

For a vector \(\mathring{z}\) we define

$$g^{\mathring{z}} = {\prod}_{i=1}^{n} g^{\mathring{z}_{i} \cdot 2^{n-i}} . $$

If we set \(\beta' = \alpha^{x'}\), then given a proposed value of e, such that \(x = x' \oplus e\), we can test whether it is correct by checking whether we have \(\beta = \beta' \alpha^{\mathring{e}}\). The error e can be divided into two sets \(e_{1}\) and \(e_{2}\), where \(e_{1}\) and \(e_{2}\) have a Hamming weight of t/2, given by a splitting algorithm. We also define a and b as two integers such that \(x' = a + b\) and the only bits that can be set to one for a and b are at the indexes defined by the splitting algorithm for \(e_{1}\) and \(e_{2}\) respectively. Then \(\alpha^{x} = (\alpha^{a} \, \alpha^{\mathring{e}_{1}}) (\alpha^{b} \, \alpha^{\mathring{e}_{2}})\).

We produce a list of error vectors of Hamming weight t/2, where we define the i-th error from the set of possible errors \(e_{1}\) as \(e_{i,1}\). We define the Giant-Steps to be the table which consists of all pairs \(\left(\frac{\beta}{\alpha^{a} \, \alpha^{\mathring{e}_{i,1}}}, a + \mathring{e}_{i,1}\right)\), for all \(e_{i,1}\). We define the Baby-Steps as pairs \(\left(\alpha^{b} \, \alpha^{\mathring{e}_{j,2}}, b + \mathring{e}_{j,2}\right)\), for all \(e_{j,2}\). As in the Baby-Step/Giant-Step method we can terminate when a collision is found between \(\frac{\beta}{\alpha^{a} \, \alpha^{\mathring{e}_{i,1}}}\) and \(\alpha^{b} \, \alpha^{\mathring{e}_{j,2}}\) for a given i, j. We can then derive the exponent as \(x = (a + \mathring{e}_{i,1}) + (b + \mathring{e}_{j,2})\).

For an m-bit exponent one would be required to compute \(\left(\begin{array}{c}{m}\\{t/2}\end{array}\right)\) Giant-Steps and \(\left(\begin{array}{c}{m}\\{t/2}\end{array}\right)\) Baby-Steps for an error of Hamming weight t. The above assumes that t is even. If t is odd then the extra bit can be assigned, arbitrarily, to the computation of baby steps. The required computation then becomes \(\left(\begin{array}{c}{m}\\{\lfloor t/2 \rfloor}\end{array}\right)\) Giant-Steps and \(\left(\begin{array}{c}{m}\\{\lfloor t/2 \rfloor + 1}\end{array}\right)\) Baby-Steps for an error of Hamming weight t.

Other than the inclusion of an initial guess this algorithm is defined by Stinson [27], and has time complexity of \(\mathcal {O} \left (m \, \left (\begin {array}{c}{m/2}\\{t/2} \end {array}\right ) \right )\). However, this assumes that t is known.

Typically, t is not known and an adversary has to start with t=1 and increase the Hamming weight until t is found. One would expect the resulting time complexity to be \(\mathcal{O} \left(m {\sum}_{n=0}^{t} \left(\begin{array}{c}{m/2}\\{n/2}\end{array}\right) \right)\). However, by Lemma 3 we can ignore the cases where n is odd, since the required baby and giant steps will already have been computed for the cases n−1 and n+1. The resulting time complexity is therefore \(\mathcal{O} \left(m {\sum}_{n=0}^{\lceil t/2 \rceil} \left(\begin{array}{c}{m/2}\\{n}\end{array}\right) \right)\) when t is unknown.

To derive a private exponent used in RSA [25] the order is not known and the above analysis cannot be applied directly. If we define γ to be the maximum possible bit length of ord(α), then the problem can be rewritten as \(\alpha^{\gamma+1} \alpha^{x} = \alpha^{\gamma+1} \beta\), and the inverse of \(\alpha^{b}\) can be replaced by \(\alpha^{\gamma+1-b}\) [28].


Cite this article

Tunstall, M., Joye, M. The distributions of individual bits in the output of multiplicative operations. Cryptogr. Commun. 7, 71–90 (2015). https://doi.org/10.1007/s12095-014-0110-9
