Correlated Extra Reductions Defeat Fixed Window Exponentiation

The security of the modular exponentiation algorithm, the core operation of public key cryptography, is an important research topic. Since the first timing attack was published in 1996, attackers have been able to exploit time differences between specific events to recover a secret key. In 2016, Dugardin took advantage of extra reductions to attack a regular exponentiation algorithm, which did not entirely adapt the fixed window method with Montgomery's algorithm. The central thesis of this paper is that there exists a positive correlation between the extra reductions of the pre-computation and of the post-computation when the two calculations share the same multiplier factor. Based on this dependency we present an attack method and confirm its feasibility and effectiveness by simulation experiments. The experimental results verify that the method can effectively attack the modular exponentiation algorithm.


Introduction
Side-channel attacks are an increasingly important area in applied cryptography. In a side-channel attack, the attacker detects physical information leaked during the computation of a cryptographic algorithm and uses it to learn the secret key. Because of limited computing resources and processing power, the master key of a cryptographic algorithm is usually cut into several sub-key blocks that take part in the operations in a certain order. The attacker can recover a sub-key block value by exploiting subtle correlations; after obtaining enough sub-key block values and combining them with the algorithm design, the master key can be restored. This makes it possible to recover a long key with limited complexity. Hence, the safety problems caused by side-channel attacks urgently need attention.
RSA [1] is commonly used in a wide range of public key cryptosystems in the embedded world, from smartcard technology to IoT services.
From a mathematical viewpoint, the security of RSA relies on the difficulty of factoring large integers, but a practical implementation of the algorithm is not automatically safe. Modular exponentiation is the core operation of the widely used public key cryptographic algorithms, and RSA is no exception.
More specifically, an RSA decryption or encryption is a modular exponentiation consisting of many squarings and multiplications. With the introduction of side-channel attacks, many previously proposed modular exponentiation algorithms may have potential security problems, and there is still much room for research on evaluating their security.
Since Kocher first demonstrated the timing attack on RSA [1], researchers have presented various new attack techniques for different cryptographic algorithms, such as the simple power attack [2], the differential power attack [3], the electromagnetic attack [4], the correlation power attack [5] and so on. At the same time, many studies aim at recovering the secret key in less time. Kocher's timing attack no longer works if the algorithm inserts one or more dummy modular multiplications [6] to make the computation time constant in the Montgomery implementation. In [7], a new timing attack on RSA with the Chinese Remainder Theorem is introduced. The papers [8] [9] [10] performed timing attacks on RSA implementations in OpenSSL or mbedTLS, covering not only RSA with the Chinese Remainder Theorem but also the plain and the optimized exponentiation algorithms. Surveys such as the one conducted by Schindler [11] have shown that exponent blinding alone (without additional countermeasures) does not always prevent timing attacks on RSA.
Recently, at CHES 2016, Dugardin et al. [12] pointed out that binary exponentiation algorithms are vulnerable to side-channel attacks even with message blinding and regular exponentiation. They presented a new dependency based on the extra reductions in a sequence of multiplications and squarings: a negative correlation between the extra reductions of two consecutive operations. They explained it from a mathematical viewpoint and exploited this correlation to successfully attack RSA with the regular exponentiation method in a real environment.
This raises the question of whether other correlations between extra reductions exist in implementations of modular exponentiation that could be exploited. To improve efficiency, many improved modular exponentiation algorithms have been proposed, mostly based on classical exponentiation. Research to date has tended to focus on regular exponentiation algorithms rather than on fixed window exponentiation. The aim of this paper is to explore the relationship between pre-computation and post-computation in fixed window exponentiation. In this paper, we propose a strong positive correlation between the extra reductions during the Montgomery modular multiplications of the pre-computation and of the post-computation.
This new dependency can be used to recover the secret key, because an iteration of the post-computation can share a common operand with the pre-computation. We show this by conducting simulation experiments.
This paper demonstrates that our attack succeeds against modular exponentiation based on fixed window exponentiation. Our attack requires neither explicit knowledge of the message nor the cryptographic parameters. This work provides fresh insight into the security of modular exponentiation algorithms.
The rest of the paper is organized as follows. In Section 2, we show that there is a correlation between the extra reductions of the pre-computation and the post-computation, and explain our attack in detail. In Section 3, the experiment and its results are presented. In Section 4, we conclude the paper.

Our Attack
This section shows that there exists a new correlation in the fixed window exponentiation algorithm and how our attack applies it.

Vulnerability of the Fixed Window Exponentiation Algorithm
Each modular multiplication has two operands. Two operations are independent when they share no operand. If two operations have a common operand, there is a correlation between them. More precisely, the occurrence of an extra reduction in the two modular multiplications is strongly positively correlated, because when the shared operand is sufficiently large both operations are likely to have an extra reduction at the same time.
We studied each step of the algorithm in detail. The fixed window algorithm always executes a pre-computation and a post-computation. There is a common multiplier factor between the pre-computation step of the fixed window exponentiation algorithm and the post-computation step ($c = c \cdot m^{k_j} \bmod n$) of the fixed window exponentiation algorithm: when the index $i-1$ is equal to $k_j$, the same multiplier factor occurs in a certain step. Therefore, there is a significant relation between the modular multiplications of the pre-computation and of the post-computation. In this paper, we attempt to recover the private key with a side-channel attack by relating the extra reductions to the key.

Knowledge of Recovering the Key
We recover the secret key bit by bit using the Pearson correlation coefficient [13]. It takes values between +1 and −1, where +1 is a total positive linear correlation, 0 is no linear correlation, and −1 is a total negative linear correlation. A high correlation coefficient means that the random variables are related, which indicates that the hypothesis on the sub-key is correct. Conversely, a correlation coefficient below 0 means that the initial guess was wrong. In practice, a good hypothesis is usually the one that gives the highest correlation of all possible hypotheses.
The fixed window exponentiation algorithm scans the bits of the exponent from left to right. When the Pearson correlation coefficient between the extra reduction information of the post-computation and of the pre-computation is large, each window key value in the post-computation is most likely the corresponding pre-computation index value. Thus, our attack recovers the key one window of bits at a time, from the most significant to the least significant.
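To make the dependency of Section 2 concrete, and to mirror the simulation procedure of Section 3 (random messages under one static key, record whether each Montgomery multiplication performed its extra reduction, correlate), the following script is an added example written for this page; it is not code from the paper or from the mbed TLS implementation the paper simulates. It assumes a 64-bit odd modulus with Montgomery radix $R = 2^{64}$, a window width of 3, a constructed six-digit exponent, and function names of its own; the table entries are built as $T[i] = T[i-1] \cdot T[1]$ and the post-computation multiplies by $T[k_j]$, so pre-computation step $i$ shares an operand with a window whose digit is $k_j = i - 1$. The same Montgomery routine also has a branchless final subtraction, the standard countermeasure, so the script can show that the observable becomes constant and the correlation vanishes.

```python
import random

# Toy parameters (assumptions of this example, not the paper's RSA-1024 setting): a 64-bit
# odd modulus close to the Montgomery radix R = 2^64, so extra reductions are frequent.
R_BITS = 64
R = 1 << R_BITS
R_MASK = R - 1
N_MOD = R - 59                        # odd 64-bit modulus (2^64 - 59, a prime)
N_PRIME = (-pow(N_MOD, -1, R)) % R    # n' = -n^{-1} mod R
ONE_MONT = R % N_MOD                  # Montgomery form of 1
R2_MOD_N = (R * R) % N_MOD            # converts x into Montgomery form x*R mod n

def mont_mul(a, b, constant_time=False):
    """Montgomery product a*b*R^-1 mod n (0 <= a, b < n) and a timing observable.

    Naive variant: the observable is 1 exactly when the extra reduction u - n ran.
    constant_time=True: the subtraction always runs and a mask selects the result, so
    the observable is always 1 (models branchless C; Python ints are not constant-time).
    """
    t = a * b
    m = (t * N_PRIME) & R_MASK        # t + m*n is divisible by R
    u = (t + m * N_MOD) >> R_BITS     # 0 <= u < 2n
    if not constant_time:
        if u >= N_MOD:                # data-dependent extra reduction: the leak
            return u - N_MOD, 1
        return u, 0
    diff = u - N_MOD
    mask = -(diff < 0)                # all ones if no reduction is needed, else 0
    return (u & mask) | (diff & ~mask), 1

def to_mont(x):
    return mont_mul(x % N_MOD, R2_MOD_N)[0]

def from_mont(x):
    return mont_mul(x, 1)[0]

def windows_to_int(windows, w):
    """Exponent value from its w-bit window digits, most significant first."""
    k = 0
    for d in windows:
        k = (k << w) | d
    return k

def fixed_window_exp(msg, windows, w, constant_time=False):
    """msg^k mod n by left-to-right fixed window exponentiation.

    pre_obs[i]: observable of the pre-computation step T[i] = T[i-1] * T[1] (i >= 2);
    post_obs[j]: observable of the post-computation step c = c * T[k_j]. They share the
    operand T[i-1] = T[k_j] exactly when i - 1 = k_j, the dependency the paper exploits.
    """
    table = [ONE_MONT, to_mont(msg)]
    pre_obs = {}
    for i in range(2, 1 << w):
        val, obs = mont_mul(table[i - 1], table[1], constant_time)
        table.append(val)
        pre_obs[i] = obs
    c, post_obs = ONE_MONT, []
    for kj in windows:
        for _ in range(w):
            c, _ = mont_mul(c, c, constant_time)
        c, obs = mont_mul(c, table[kj], constant_time)
        post_obs.append(obs)
    return from_mont(c), pre_obs, post_obs

def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when an input is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5

def collect(windows, w, n_queries, seed=1, constant_time=False):
    """Observables of n_queries exponentiations of seeded random messages under one key."""
    rng = random.Random(seed)         # constructed, reproducible sample messages
    pre_rows, post_rows = [], []
    for _ in range(n_queries):
        _, pre, post = fixed_window_exp(rng.getrandbits(R_BITS) % N_MOD, windows, w, constant_time)
        pre_rows.append(pre)
        post_rows.append(post)
    return pre_rows, post_rows

def correlation_profile(pre_rows, post_rows, j, w):
    """Correlation of post-computation step j with every pre-computation step i."""
    post = [row[j] for row in post_rows]
    return {i: pearson([row[i] for row in pre_rows], post) for i in range(2, 1 << w)}

def peak_step(profile):
    """Pre-computation step with the highest correlation; the thesis predicts k_j + 1."""
    return max(profile, key=profile.get)

if __name__ == "__main__":
    W, KEY_WINDOWS = 3, [5, 3, 6, 2, 4, 3]   # constructed 18-bit exponent, digits MSB first
    pre, post = collect(KEY_WINDOWS, W, 10000)
    for j, kj in enumerate(KEY_WINDOWS):
        prof = correlation_profile(pre, post, j, W)
        rounded = {i: round(r, 3) for i, r in prof.items()}
        print(f"window {j}: k_j={kj}, peak step {peak_step(prof)}, {rounded}")
    pre_ct, post_ct = collect(KEY_WINDOWS, W, 2000, constant_time=True)
    print("constant-time variant, window 1:", correlation_profile(pre_ct, post_ct, 1, W))
```

Run as a script, it prints one correlation profile per window: the step $k_j + 1$ stands clearly above the others, which stay close to zero, and the constant-time variant gives 0.0 everywhere because its observable never varies. Two edge cases are visible in the model rather than hidden by it: the first window starts from the Montgomery form of 1, whose product almost never needs a reduction, so its profile is flat; and the digits 0, 1 and $2^w - 1$ have no single matching pre-computation step (1 is the multiplier of every table step, which is the "first row" effect the paper describes, and the last table entry is never reused), so a decision rule must treat them separately.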

Method of the Attack
To verify our correlation predictions, we use a static key k of length l to perform the cryptographic operation n times with the fixed window exponentiation algorithm and capture the corresponding side-channel information.
In the modular exponentiation, the secret exponent k is split into windows of fixed size w at each iteration where the most significant bit is 1. For each encryp-

The graph also shows that each cell in the first row is darker. A possible explanation is that there is always a common multiplier factor between the pre-computation and the post-computation when the sub-key value is 1. In summary, these results confirm that there is a strong positive correlation between the extra reductions of the pre-computation and the post-computation, provided that they have a common operand. In other words, when the Pearson correlation is largest, the key in the post-computation is probably the same as the key in the pre-computation.
The estimated private key value $\hat{k}_j$ in the attack is the one for which this correlation coefficient is maximal; the minimal values depend on the key length in this step.
To estimate the key $\hat{k}_j$, we define the decision function $F_{FWA}$:

Summary of the Attack
The entire attack process is divided into three parts. First, the attacker needs to

Experiment
In this section, we introduce our experiment and discuss the efficiency of the attack method. We apply the correlation technique to a simulation of the fixed window exponentiation algorithm to test our theoretical correlation predictions.

Experiment Setup
We simulated our attack against the latest version, 2.6.0, of mbed TLS with the private prime parameters defined by RSA-1024-p and RSA-1024-q. All experiments were run on an Intel Core i7-6700 CPU at 3.410 GHz with 8 GB of RAM on Windows. The secret key length is 1024 bits. The experiment proceeds as follows and is repeated for each window size: 1) generate a random plaintext; 2) simulate the RSA encryption process using k in the code blocks; 3) save whether an extra reduction is performed (

Experimental Results
We ran at most 10,000 queries for key recovery attempts on 1024-bit RSA with random input messages. Figure 2 plots the correlation between pre-computation and post-computation at different window sizes when the sub-key values in the pre-computation and the post-computation are equal. As the window size increases, the relationship between pre-computation and post-computation becomes more obvious. Additionally, the smaller the window size, the wider the range of Pearson coefficients. Figure 3 shows that when the number of queries is below 3500, the smaller the window size, the better the attack works. In other words, the larger the window size, the more queries the attack requires to reach a given success rate. This follows from the behaviour shown in Figure 2. We can also see that as the number of queries increases, the success rate of the guessed key value increases as well, and when the number of queries is large enough, we successfully recover the key using the side-channel information on the total number of extra reductions. From a statistical point of view, the reason is that with a larger sample size the precision of the estimates of the unknown parameters increases. As the window size decreases, the percentage of key bits guessed correctly gradually increases. Table 1 lists the approximate number of queries needed to recover the whole secret key for each window size using our attack method. The number of queries also reflects the time spent on the attack. Ignoring noise, for the smaller window sizes the key recovery needs approximately 6000 queries in total. There is only a small difference in the number of queries between the different window sizes.

Conclusion
In this paper, we analyzed in detail the vulnerability of the fixed window exponentiation algorithm to side-channel attacks. We found a new dependency, namely a strong positive correlation between the extra reductions of the pre-computation and of the post-computation at the end of the Montgomery modular multiplications. Further, we exploited it to attack an RSA exponentiation without knowledge of the plaintext, modulus, and secret exponent.

Conflicts of Interest
The author declares no conflicts of interest regarding the publication of this paper.