CSE 127: Lecture 23

The topics covered in this lecture are RSA modular exponentiation and Timing Attack.

RSA Modular Exponentiation

To compute y = x^e mod n, a common algorithm is:

y = 1;
z = x;
while (e != 0) {
    if (e odd) {
        y = y * z mod n ;
    }
    z = z * z mod n;
    e = e div 2;
}

precondition: n > 1, 1 < x < n, e >=0

postcondition: y = x^e₀ mod n

We introduce a counter to make the proof eaiser. The counter does not affect on the computation:

y = 1;
z = x;
i = 0;
while (e != 0) {
    if (e odd) {
        y = y * z mod n;
    }
    z = z * z mod n;
    e = e div 2;
    i = i + 1;
}

The loop invariants are: z = x^2ⁱmod n and x^e₀= y * z^emod n. Where e₀ is the original input value in the variable e. (There's no need to make the distinction for x since it is not changed.) We show that the invariants are true before the loop starts, i.e.,

x = z =?= x^2ⁱ = x^2⁰ = x
and
x^e₀ =?= y * z^e = 1 * x^e.

Next, we assume that the invariants are true immediately after the while test, and show that the body of the loop preserves the invariant. Let e = 2e'+b, where b is a bit.
z_new= z * z = x^2ⁱ * x^2ⁱ = x^{(2ⁱ+ 2ⁱ)} = x^{(2 * 2ⁱ)} = x^(2ⁱ⁺¹)
and since
i_new = i + 1
z_new = x^{(2^i_new)}
so the z invariant holds.

Similarly we check the y invariant.

x^e₀ =?= y * z^e = y z^{(2e' + b)} = y * (z²)^e' * z^b = (y * z^b) * (z_new)^e'
Now y_new = y * z^b (b can be 0 or 1. Y is going to be computed when e is odd or in other words b is 1). Therefore, our above equation is going to look like :

= y_new * (z_new)^e'

Loop Invariant holds true. Now using, loop invariants to prove the post condition. The loop exits when e = 0. Plugging the value of e :

x^e₀ =?= y * z^e = y * z⁰ = y * 1 = y

Timing Attack(Differential Timing Analysis)

A snooper can determine a private key by keeping track of how long a computer takes to decipher messages. Timing attacks are applicable not just to RSA, but to other public-key cryptography systems. This attack is alarming for two reasons: It comes from a completely unexpected direction and it is a ciphertext-only attack. It is analogous to a burlgar guessing the combination of a safe by observing how long it takes for somone to turn the dial from number to number. The attack can be adapted to work with any implementation that does not run in fixed time.

In the above algorithm, modular exponentiation is accomplished bit by bit, with one modular multiplication performed, at each iteration and an additional modular multiplication performed for each 1 bit.The attack proceeds bit by bit starting with the leftmost bit, b_k. Suppose that the first i bits are known (To obtain the entire exponent, start with i = 0 and repeat the attack until the entire exponent is known.) For a given ciphertext, the attacker can complete the first i iterations of the while loop. The operation of the subsequent step depends on the unknown exponent bit. If the bit is set, y = (y * z ) mod n will be executed. For a few values of y and z, the modular multiplication will be extremely slow, and the attacker knows which these are. Therefore, if the observed time to execute the decryption algorithm is always slow when this particular iteration is slow with the 1 bit, then this bit is assumed to be 1. If a number of observed execution times for the entire algorithm are fast, then this bit is assumed to be 0. We are gathering statistics. If our hypothesis is right we have classified correctly. The algorithm can extract the bits in linear time.