Randomized Exponentiation Algorithms
Abstract
A randomized algorithm for function f takes the usual inputs for f together with a stream of random numbers and combines them in a way such that partial or complete knowledge of the atomic operations used to compute f does not easily reveal the values of some or all inputs. The output of f is still computed correctly, but the value is independent of the random input stream. In this chapter we consider randomized algorithms for the exponentiation function and assume that side channel leakage reveals a certain level of partial knowledge about the arithmetic and read/write operations performed on the manipulated big numbers. Our object is to make it computationally infeasible for an attacker to use this information to deduce the secret exponent during its use over the lifetime of a cryptographic token. For example, in the usual square-and-multiply algorithm (Figure 17.1, [6]), full knowledge of the sequence of squares and multiplies immediately determines the complete exponent uniquely. Specifically, there is an exponent bit for every square; and every time the square is followed by a multiplication the bit must be a 1, whereas it must be a 0 when the square is followed by another square. As a rule, leaked information is rarely without error; a number of squares may be incorrectly recorded as multiplications and vice versa. Hence there is normally some error correction to be performed. If the number of errors is small enough, a search of nearby keys will discover the true value D in a computationally feasible time. Its correctness can be confirmed easily by using the corresponding public key E and the relation $P^{ED} = P$. Traversing the search space must often be done intelligently, selecting the most probable alternatives first in order to have any hope of finding the key. In typical protocols using RSA [13], the same secret key D is re-used a number of times, during which it may or may not be possible to blind it by, for example, adding
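The link the abstract describes between the square/multiply sequence and the exponent bits, written out as an added Python example (not code from the chapter). The toy RSA values N = 3233, E = 17, D = 2753 and all function names are constructed for illustration, and the recorded operation sequence is assumed to be error-free.

```python
# Added illustration; N, E, D are constructed toy RSA values (N = 61 * 53).
N, E, D = 3233, 17, 2753


def square_and_multiply(base, exponent, modulus):
    """Left-to-right binary exponentiation that also records the operation
    sequence ('S' = square, 'M' = multiply) that leakage could expose."""
    result, trace = 1, []
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        trace.append("S")
        if bit == "1":
            result = (result * base) % modulus
            trace.append("M")
    return result, "".join(trace)


def exponent_from_trace(trace):
    """Rebuild the exponent from an error-free S/M sequence: every S is one
    exponent bit, and that bit is 1 exactly when an M follows the S."""
    bits = []
    for op in trace:
        if op == "S":
            bits.append("0")
        elif op == "M" and bits and bits[-1] == "0":
            bits[-1] = "1"
        else:
            raise ValueError("not a valid square-and-multiply sequence")
    return int("".join(bits), 2)


def confirms_key(candidate_d, e, n, p=2):
    """Check the relation P^(E*D) = P (mod n) using only public values and
    the candidate exponent; p is an arbitrary test message."""
    return pow(pow(p, e, n), candidate_d, n) == p % n


if __name__ == "__main__":
    ciphertext = pow(42, E, N)
    plaintext, trace = square_and_multiply(ciphertext, D, N)
    print("operation sequence:", trace)
    print("exponent implied by sequence:", exponent_from_trace(trace))
    print("passes P^(ED) = P check:", confirms_key(exponent_from_trace(trace), E, N))
```

The operation sequence depends only on D, so every use of the same unrandomized exponent produces the same sequence, which is the property randomized exponentiation is meant to remove.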
Similar resources
Improvement on Ha-Moon Randomized Exponentiation Algorithm
Randomized recoding on the exponent of an exponentiation computation into a signed-digit representation has been a well known countermeasure against some side-channel attacks. However, this category of countermeasures can only be applicable to those cryptosystems with fixed parameters on the base integer when evaluating exponentiation or to some classes of cryptosystems such that the inversion ...
Efficient elliptic curve cryptosystems
Elliptic curve cryptosystems (ECC) are new generations of public key cryptosystems that have a smaller key size for the same level of security. The exponentiation on elliptic curve is the most important operation in ECC, so when the ECC is put into practice, the major problem is how to enhance the speed of the exponentiation. It is thus of great interest to develop algorithms for exponentiation...
Self-Randomized Exponentiation Algorithms
Exponentiation is a central process in many public-key cryptosystems such as RSA and DH. This paper introduces the concept of self-randomized exponentiation as an efficient means for preventing DPA-type attacks. Self-randomized exponentiation features several interesting properties: – it is fully generic in the sense that it is not restricted to a particular exponentiation algorithm; – it is par...
What is the Inverse of Repeated Square and Multiply Algorithm?
It is well known that the repeated square and multiply algorithm is an efficient way of modular exponentiation. The obvious question to ask is if this algorithm has an inverse which would calculate the discrete logarithm and what is its time complexity. The technical hitch is in fixing the right sign of the square root and this is the heart of the discrete logarithm problem over finite fields of...
Publication date: 2009