Abstract
A difference-of-means test applied to acquisitions of the instantaneous power consumption has been shown to be a suitable means of distinguishing a multiplication from a squaring operation over the integers. This has been attributed to the difference in expected Hamming weight of the output of these operations but few details are present in the literature. In this paper we define how this difference occurs and show that, somewhat surprisingly, a difference can, for some moduli, still be observed after a modular reduction. Moreover, we show that this difference leads to a practical attack under reasonable assumptions where a modulus is blinded. The presented attack goes beyond the cryptographic primitive and applies to concrete provably secure implementations, including RSA-PSS for signature generation or RSA-OAEP for encryption that uses side-channel countermeasures.
Notes
Otherwise a private exponent could be determined by simple power analysis [18].
References
Akishita, T., Takagi, T.: Power analysis to ECC using differential power between multiplication and squaring. In: Domingo-Ferrer, J., Posegga, J., Schreckling, D. (eds.) CARDIS 2006, LNCS, vol. 3928, pp. 151–164. Springer (2006)
Amiel, F., Feix, B., Tunstall, M., Whelan, C., Marnane, W.P.: Distinguishing multiplications from squaring operations. In: Youm, H., Yung, M. (eds.) SAC 2008, LNCS, vol. 5932, pp. 148–162. Springer (2009)
Bauer, A., Jaulmes, E., Prouff, E., Wild, J.: Horizontal and vertical side-channel analysis against secure RSA implementations. In: Dawson, E. (ed.) CT-RSA 2013, LNCS, vol. 7779, pp. 1–17. Springer (2013)
Bellare, M., Rogaway, P.: Optimal asymmetric encryption — how to encrypt with RSA. In: Santis, A.D. (ed.) EUROCRYPT ’94, LNCS, vol. 950, pp. 92–111. Springer (1994)
Bellare, M., Rogaway, P.: The exact security of digital signatures: How to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT ’96, LNCS, vol. 1070, pp. 399–416. Springer (1996)
Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.J. (eds.) CHES 2004, LNCS, vol. 3156, pp. 16–29. Springer (2004)
Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002, LNCS, vol. 2523, pp. 13–28. Springer (2002)
Clavier, C., Feix, B., Gagnerot, G., Giraud, C., Roussellet, M., Verneuil, V.: ROSETTA for single trace analysis. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012, LNCS, vol. 7668, pp. 140–155. Springer (2012)
Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010, LNCS, vol. 6476, pp. 46–61. Springer (2010)
Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Square always exponentiation. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011, LNCS, vol. 7107, pp. 40–57. Springer (2011)
Coron, J.S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999, LNCS, vol. 1717, pp. 292–302. Springer (1999)
Dupaquis, V., Venelli, A.: Redundant modular reduction algorithms. In: Prouff, E. (ed.) CARDIS 2011, LNCS, vol. 7079, pp. 102–114. Springer (2011)
Gierlichs, B., Batina, L., Tuyls, P., Preneel, B.: Mutual information analysis. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008, LNCS, vol. 5154, pp. 426–442. Springer (2008)
Hanley, N., Tunstall, M., Marnane, W.P.: Using templates to distinguish multiplications from squaring operations. Int. J. Inf. Secur. 10 (4), 255–266 (2011)
Joye, M.: Highly regular right-to-left algorithms for scalar multiplication. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007, LNCS, vol. 4727, pp. 135–147. Springer (2007)
Joye, M., Yen, S.M.: The Montgomery powering ladder. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002, LNCS, vol. 2523, pp. 291–302. Springer (2003)
Kocher, P.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO ’96, LNCS, vol. 1109, pp. 104–113. Springer (1996)
Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M.J. (ed.) CRYPTO ’99, LNCS, vol. 1666, pp. 388–397. Springer (1999)
Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks — Revealing the Secrets of Smart Cards. Springer, Berlin (2007)
Montgomery, P.: Modular multiplication without trial division. Math. Comput. 44, 519–521 (1985)
Montgomery, P.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48 (177), 243–264 (1987)
National Institute of Standards and Technology (NIST): Recommended elliptic curves for federal government use. In the appendix of FIPS 186-3, available from http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf (2009)
Oswald, E., Aigner, M.: Randomized addition-subtraction chains as a countermeasure against power attacks. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001, LNCS, vol. 2162, pp. 39–50. Springer (2001)
Parhami, B.: Computer Arithmetic. Oxford University Press, London (2000)
Rivest, R., Shamir, A., Adleman, L.M.: Method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21 (2), 120–126 (1978)
Smart, N., Oswald, E., Page, D.: Randomised representations. IET Proc. Inf. Secur. 2 (2), 19–27 (2008)
Stinson, D.: Some baby-step giant-step algorithms for the low Hamming weight discrete logarithm problem. Math. Comput. 71 (237), 379–391 (2002)
Teske, E.: New algorithms for finite abelian groups. Ph.D. thesis, Technische Universität Darmstadt (1998)
Whitnall, C., Oswald, E., Mather, L.: An exploration of the Kolmogorov-Smirnov test as a competitor to mutual information analysis. In: Prouff, E. (ed.) CARDIS 2011, LNCS, vol. 7079, pp. 234–251. Springer (2011)
Acknowledgments
The authors would like to thank the anonymous referees for their detailed and perceptive comments. The work described in this paper has also been supported in part by the European Commission through the ICT Programme under Contract ICT-2007-216676 ECRYPT II and by the EPSRC via grant EP/I005226/1.
Additional information
This work was conducted while the author was employed by the Cryptography Group at the University of Bristol.
Appendices
Appendix A: \(\Pr[Z_s = 1]\) for multiplication in \(\mathbb{Z}\)
Following the notation defined in Section 3.1, we define \(Y_s\) as the sum of the bits of the \(s\)-th column, and \(W_s\) as the number of lines present in the addition described above, i.e. the Hamming weight of the \(s\) least significant bits of the result of a multiplication.
We also define \(D_{s-1}\) as the carry produced from the \((s-1)\)-th column, then
and
Let \(\kappa = {\sum }_{i=0}^{\lfloor s/2 \rfloor } \Pr [D_{s-1} = 2\,i]\), then
Hence, one can compute \(\Pr[Z_s = 1]\) without needing to compute the carry at each step.
Lemma 2
Given the binomial coefficients \(\binom{n}{r}\) for \(r \in \{0, \ldots, n\}\) and some \(n \in \mathbb{Z}_{>0}\), then
Proof
This follows from the binomial formula by noting that
Furthermore, given that
for any k,
Hence,
Appendix B: \(\Pr[Z_s = 1]\) for squaring operation in \(\mathbb{Z}\)
Without loss of generality we shall assume that \(s\) is even, since if \(s\) is even \(\Pr[W_s = s] = \Pr[W_{s-1} = s-1]\). Hence,
Again, we define \(D_{s-2}\) as the carry produced from the \((s-2)\)-th column and let \(\kappa = \sum_{i=0}^{\lfloor (s-2)/2 \rfloor} \Pr[D_{s-2} = 2\,i]\). We note that the result of the sum of a given column will be even, and the result will impact the next column, then
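An exhaustive computation of \(\Pr[Z_s = 1]\) for small operands, added here as an illustration of the quantity analysed in Appendices A and B and not code from the paper: it enumerates all pairs of uniformly distributed 8-bit operands for a multiplication and all single operands for a squaring, optionally after a reduction modulo a chosen modulus (the modulus value used is a constructed example).

```python
def bit_distribution(bits, square=False, modulus=None):
    """Pr[Z_s = 1] for every output bit s, by exhaustive enumeration over all
    `bits`-bit operands, taken uniformly distributed as in the paper's model.
    square=True enumerates x*x, otherwise x*y for all pairs; modulus, if given,
    reduces the product first (the abstract's point is that a difference between
    the two operations can survive this reduction for some moduli)."""
    n = 1 << bits
    width = 2 * bits if modulus is None else modulus.bit_length()
    ones = [0] * width
    total = 0
    for x in range(n):
        ys = (x,) if square else range(n)
        for y in ys:
            z = x * y
            if modulus is not None:
                z %= modulus
            total += 1
            for s in range(width):
                ones[s] += (z >> s) & 1
    return [c / total for c in ones]


def expected_hamming_weight(dist):
    """By linearity of expectation E[HW] is the sum of the per-bit probabilities."""
    return sum(dist)


def compare(bits=8, modulus=None):
    """Side by side: Pr[Z_s = 1] for multiplication versus squaring, bit by bit."""
    mul = bit_distribution(bits, square=False, modulus=modulus)
    sqr = bit_distribution(bits, square=True, modulus=modulus)
    return {"mul": mul, "sqr": sqr,
            "E[HW] mul": expected_hamming_weight(mul),
            "E[HW] sqr": expected_hamming_weight(sqr)}


if __name__ == "__main__":
    # Constructed example: 8-bit operands over the integers, then modulo 251.
    for modulus in (None, 251):
        r = compare(8, modulus)
        print("modulus:", modulus)
        for s, (a, b) in enumerate(zip(r["mul"], r["sqr"])):
            print(f"  bit {s:2d}: mul {a:.3f}  sqr {b:.3f}")
        print("  E[HW] mul = %.3f, sqr = %.3f" % (r["E[HW] mul"], r["E[HW] sqr"]))
```

The low bits make the difference visible without any modelling: a square is never 2 or 3 modulo 4, so its bit 1 is always 0, whereas a product has that bit set 3/8 of the time.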
Appendix C: The discrete logarithm problem
We recall the discrete logarithm problem:
Definition 1
Let \(\alpha \in G\), for some Abelian group \(G\), and suppose \(\beta \in \langle \alpha \rangle\). The discrete logarithm \(\log_{\alpha} \beta\) is the unique integer \(x\) such that \(0 \le x \le \operatorname{ord}(\alpha) - 1\) and \(\alpha^{x} = \beta\). The Discrete Logarithm Problem (DLP) is to compute \(\log_{\alpha} \beta\), given \(\alpha\) and \(\beta\).
In a side-channel analysis of a given instance of an exponentiation algorithm the results can only give the best guess of the exponent. Stinson describes a variant of the Baby-Step/Giant-Step algorithm where it is assumed that the exponent has a small Hamming weight [27]. Stinson’s algorithm requires the existence of a means of splitting a string of bits into two sets of equal Hamming weight.
Lemma 3
We consider an integer of bit length \(m\), as a string of bits of length \(m \in 2\,\mathbb{Z}\) and Hamming weight \(0 < t < m\). There will exist a set of contiguous bits with Hamming weight \(\lfloor t/2 \rfloor\).
We present a somewhat simplified version of Stinson’s proof:
Proof
We begin with the case where \(t\) is even. Let \(X\) be a string of bits of length \(m\) with Hamming weight \(t \in 2\,\mathbb{Z}\). Let each \(Y_i\) for \(i \in \{1, \ldots, m/2\}\) represent one of the \(m/2\) sets of contiguous bits starting from the \(i\)-th bit of the string. Let \(H\) be a function that returns the Hamming weight, then \(H(Y_1) = t - H(Y_{m/2})\). Given that \(H(Y_i) - H(Y_{i+1})\) will be in \(\{-1, 0, 1\}\), there will be some set of contiguous bits with Hamming weight \(t/2\). If \(t\) is odd then the first bit can be ignored, as it will be set to one given that the bit length is known, putting us in the case described above. Hence, one can find one set of Hamming weight \(\lfloor t/2 \rfloor\) and the other of \(\lceil t/2 \rceil\).
This is sufficient for our requirements. We refer the reader to Stinson for versions of this proof where m is odd [27].
Given an estimate for the exponent \(x^{\prime}\) where \(x = x^{\prime} \oplus e\), for some unknown \(e\) of Hamming weight \(t\), we can attempt to determine \(x\) by guessing \(e\). We let \(z_i\) denote the \(i\)-th bit of \(z\) for an \(n\)-bit number \(z\). Given an \(n\)-bit number \(z\) we define the vector \(\ddot{z}\) as follows
For a vector \(\ddot{z}\) we define
If we set \(\beta^{\prime} = \alpha^{x^{\prime}}\), then given a proposed value of \(e\), such that \(x = x^{\prime} \oplus e\), we can test whether it is correct by checking whether we have \(\beta = \beta^{\prime} \cdot \alpha^{\mathring{e}}\). The error \(e\) can be divided into two sets \(e_1\) and \(e_2\), where \(e_1\) and \(e_2\) have a Hamming weight of \(t/2\) given by a splitting algorithm. We also define \(a\) and \(b\) as two integers such that \(x^{\prime} = a + b\) and the only bits that can be set to one for \(a\) and \(b\) are at the indexes defined by the splitting algorithm for \(e_1\) and \(e_2\) respectively. Then \(\alpha^{x} = (\alpha^{a} \, \alpha^{\mathring{e}_{1}}) (\alpha^{b} \, \alpha^{\mathring{e}_{2}})\).
We produce a list of error vectors of Hamming weight \(t/2\), where we define the \(i\)-th error from the set of possible errors \(e_1\) as \(e_{i,1}\). We define the Giant-Steps to be the table which consists of all pairs \(\left(\frac{\beta}{\alpha^{a} \, \alpha^{\mathring{e}_{i,1}}},\; a + \mathring{e}_{i,1}\right)\), for all \(e_{i,1}\). We define the Baby-Steps as pairs \(\left(\alpha^{b} \, \alpha^{\mathring{e}_{j,2}},\; b + \mathring{e}_{j,2}\right)\), for all \(e_{j,2}\). As in the Baby-Step/Giant-Step method we can terminate the method when a collision is found between \(\frac{\beta}{\alpha^{a} \, \alpha^{\mathring{e}_{i,1}}}\) and \(\alpha^{b} \, \alpha^{\mathring{e}_{j,2}}\) for a given \(i, j\). We can then derive the exponent as \(x = (a + \mathring{e}_{i,1}) + (b + \mathring{e}_{j,2})\).
For an \(m\)-bit exponent one would be required to compute \(\binom{m}{t/2}\) Giant-Steps and \(\binom{m}{t/2}\) Baby-Steps for an error of Hamming weight \(t\). The above assumes that \(t\) is even. If \(t\) is odd then the extra bit can be assigned, arbitrarily, to the computation of baby steps. The required computation then becomes \(\binom{m}{\lfloor t/2 \rfloor}\) Giant-Steps and \(\binom{m}{\lfloor t/2 \rfloor + 1}\) Baby-Steps for an error of Hamming weight \(t\).
Other than the inclusion of an initial guess this algorithm is defined by Stinson [27], and has time complexity of \(\mathcal{O}\left(m \binom{m/2}{t/2}\right)\). However, this assumes that \(t\) is known.
Typically, \(t\) is not known and an adversary has to start with \(t = 1\) and increase the Hamming weight until \(t\) is found. One would expect the resulting time complexity to be \(\mathcal{O}\left(m \sum_{n=0}^{t} \binom{m/2}{n/2}\right)\). However, by Lemma 3 we can ignore the cases where \(n\) is odd, since the required baby and giant steps will be computed for the cases \(n-1\) and \(n+1\). The resulting time complexity is therefore \(\mathcal{O}\left(m \sum_{n=0}^{\lceil t/2 \rceil} \binom{m/2}{n}\right)\) when \(t\) is unknown.
To derive a private exponent used in RSA [25] the order is not known and the above analysis cannot be applied directly. If we define \(\gamma\) to be the maximum possible bit length of \(\operatorname{ord}(\alpha)\), then the problem can be rewritten as \(\alpha^{\gamma+1} \, \alpha^{x} = \alpha^{\gamma+1} \, \beta\). Then the inverse of \(\alpha^{b}\) can be replaced by \(\alpha^{\gamma+1-b}\) [28].
Cite this article
Tunstall, M., Joye, M. The distributions of individual bits in the output of multiplicative operations. Cryptogr. Commun. 7, 71–90 (2015). https://doi.org/10.1007/s12095-014-0110-9