Distinguishing Exponent Digits by Observing Modular Subtractions

1
Distinguishing Exponent Digits by Observing
Modular Subtractions
  • Colin D. Walter and Susan Thompson
  • www.datacard.com

2
A Timing Attack on RSA
  • Context
  • $A \times B \bmod N$
  • Output from multiplier: $S < 2N$
  • Require output $S < N$ or $S < 2^n$
  • So conditional subtraction in S/W
  • Assume recognisable in power trace
  • Unknown plain/cipher text
  • Unknown modulus

3
History
  • Kocher (Crypto 1996) - Known Plaintext
  • Dhem et al (Cardis 1998) - Supplied Detail
  • Schindler (Ches 2000) - Square Mult
  • Platform Seven - Unknown Plaintext (RSA
    2001) - Much Less Data - m-ary expn.

4
Partial Product S
  • Last step of Montgomery mod mult: $S \leftarrow (S + aB + qN)/r$;
    $a$ = top digit of $A$, dependent on size of $A$;
    $q$, $S$ effectively randomly distributed
  • For random $A$ and fixed $B$, the average $S$ is a
    linear function of $B$, independent of $A$
  • Larger $B$ $\Rightarrow$ more frequent final subtractions

5
Distribution of S
  • For a multiply, $S$ behaves like the random variable
    $\alpha\beta + \gamma$, where $\alpha$, $\beta$ have the distributions
    of $2^{-n}A$, $B$ and $\gamma$ is uniform.
  • For a square, $S$ behaves like $\alpha^2 + \gamma$.
  • Integrating over values of $\alpha$ and $\beta$,
    the probability of $S$ being
    greater than $2^n$ is ? for multiply, ? for
    square

6
Squares vs Multiplies
  • ? for multiply, ? for square.
  • So probabilities of conditional subtraction of N
    are different.
  • With sufficient observations we can distinguish
    squares from multiplies.
  • (Care: non-uniform distribution on 0..2N.)
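
An added example (not from the presentation): it simulates the conditional final subtraction for the $S < N$ case, measures how often it runs for squares and for multiplies, and sets beside it a variant whose operation sequence does not depend on $S$. The modulus and the names `mont_mul`, `mont_mul_uniform` and `subtraction_rates` are constructed for this illustration.

```python
import random

# Constructed parameters for illustration: R = 2^128 and an odd modulus just below R.
N_BITS = 128
N = (1 << N_BITS) - 159

def mont_mul(a, b, n=N, n_bits=N_BITS):
    """Montgomery product a*b/R mod n with a conditional final subtraction.

    Returns (result, subtracted); `subtracted` is the event the slides
    assume is recognisable in a power trace.
    """
    r = 1 << n_bits
    n_neg_inv = (-pow(n, -1, r)) % r
    q = (a * b * n_neg_inv) % r        # makes a*b + q*n divisible by R
    s = (a * b + q * n) >> n_bits      # 0 <= s < 2n
    if s >= n:                         # data-dependent branch: the leak
        return s - n, True
    return s, False

def mont_mul_uniform(a, b, n=N, n_bits=N_BITS):
    """Same product, but the subtraction always runs and a mask selects the output.

    Python integers are not constant-time; this shows the operation sequence only.
    """
    r = 1 << n_bits
    q = (a * b * ((-pow(n, -1, r)) % r)) % r
    s = (a * b + q * n) >> n_bits
    d = s - n                          # always computed
    mask = d >> (n_bits + 2)           # -1 if d < 0, else 0
    return (s & mask) | (d & ~mask)

def subtraction_rates(trials=20000, seed=1):
    """Fraction of squares and of multiplies that take the final subtraction."""
    rng = random.Random(seed)
    squares = multiplies = 0
    for _ in range(trials):
        a, b = rng.randrange(N), rng.randrange(N)
        squares += mont_mul(a, a)[1]
        multiplies += mont_mul(a, b)[1]
    return squares / trials, multiplies / trials

if __name__ == "__main__":
    sq, mul = subtraction_rates()
    print(f"final subtraction rate: squares {sq:.3f}, multiplies {mul:.3f}")
```
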

7
First Results
  • In square-and-multiply exponentiation we can read
    the bits of a secret key.
  • Careless implementation of Modular Multiplication
    is dangerous.

8
m-ary Exponentiation
  • In case square-and-multiply leaks, use
    m-ary exponentiation. Is it safe?
  • Example: 4-ary to compute $A^d \bmod N$
  • Each multiply is by one of $A$, $A^2$ or $A^3$
  • Can these be distinguished?

9
Differentiating Multipliers
  • Averaging over all observations, we can
    distinguish squares from multiplies.
  • Averaging over all observations, the different
    multipliers are indistinguishable.
  • Key: select observation subsets.

10
Choice of Obs. Subsets
  • Identify an initial multiplication AAi1.
  • Partition observations according to whether or
    not the extra final subtraction occurs.
  • One subset: cases of larger $A^i$ (on average)
  • Other subset: cases of smaller $A^i$ (on average)
  • Other powers $A^j$ ($j \neq i$) will be average.

11
More Results
  • Multiply operations by $A^i$ (same, fixed $i$)
    will show similar non-average final subn
    frequencies in the two subsets:
  • above average in one,
  • below average in the other.
  • Multiply operations by $A^j$ ($j \neq i$) will have closer
    to average final subn frequencies.

12
Consequence
  • All cases of exponent digit i can be identified
    from their non-average behaviour
    in the two subsets.

13
Demonstration
  • The pre-computations of $A$, $A^2$ and $A^3$ give us $2^3$
    observation subsets.
  • Selecting different subsets will change the
    relative frequencies of final subns.
  • Operations corresponding to the same exponent
    digit will behave similarly.

14
  • Sub in Initial Squaring

15
  • No Sub in Initial Squaring

16
Reasoning
  • Opn $A \times A$ does have a final subn:
    • $A$ is big, so exp digit 01 has many subs.
    • $A^2$ is much smaller, so exp digit 10 has least
      subs.
    • $A^3$ is more normal, so digit 11 has middling subs.
  • Opn $A \times A$ does not have a final subn:
    • $A$ is small, so exp digit 01 has very few subs.
    • $A^2$ is bigger but still small, digit 10 has more
      subs.
    • $A^3$ is most normal, so exp digit 11 has most subs.

17
Conclusions
  • In m-ary exponentiation we may be able to read
    the bits of a secret key.
  • Careless implementation of Modular Multiplication
    is dangerous also for m-ary
    exponentiation.
  • Even with low detection of final subns, expnt
    digits are obtained accurately, so there
    is no safety in longer keys.