7.4 R S A IMPLEMENTATIONATTACKS

Visual Studio .NET code 128 encoding with .netuse visual .net code-128c development toprint code128 with .net

case where Kocher s attack applies. Brumley and Boneh [22] have pushed Schindler s results much further, developing a successful timing attack against the highly optimized RSA implementation in OpenSSL. This attack is sufficiently robust that it can be conducted over a network, illustrating that timing attacks are a serious threat to real-world RSA implementations. In this section we discuss Kocher s attack, Schindler s attack, and the Brumley-Boneh attack. We also consider defenses against timing attacks. But first, we introduce the t,echniques used to compute modular exponentiation which are employed in efficient implementations of RSA. Specifically, we discuss repeated squaring, the Chinese Remainder Theorem, Montgomery multiplication, and Karatsuba multiplication.

recognize code 128a for .netUsing Barcode decoder for Visual Studio .NET Control to read, scan read, scan image in Visual Studio .NET applications.

Modular Exponentiation

.net Framework Crystal bar code implementation for .netusing vs .net crystal todevelop bar code on asp.net web,windows application

Suppose we want to compute 620 (mod 29). The obvious approach is to raise 6 to the 20th power, then compute the remainder when this number is divided by 29. For this particular example, we have 620 = 3,656,158,440,062,976 = 24 (mod 29). However, this approach is not feasible when the base and exponent are largeas is the case in RSA-since the intermediate result is too large to compute and store. And even if we could somehow deal with such enormous numbers, computing the remainder by long division would be costly. An improvement would be to do a modular reduction after each multiplication, which would eliminate the problem of large intermediate results. However, there is a better way. A method known as repeated squaring allows us to compute a modular exponentiation without having to deal with any extremely large intermediate values and it also dramatically reduces the number of multiplications as compared to the nai ve approach. In repeated squaring, we build up the exponent one bit at a time, from high-order bit to low-order bit. For example, the exponent 20 is, in binary, 10100, and we have 1=0.2+1

Bar Code barcode library in .netUsing Barcode scanner for .net vs 2010 Control to read, scan read, scan image in .net vs 2010 applications.

2=1.2

5=2.2+1 10=5.2

Web.net uss code 128 implement on .netgenerate, create code128 none for .net projects

20 = 1 0 . 2 .

Control code-128 size in visual basic.netto use code-128 and code128 data, size, image with vb barcode sdk

PUBLIC KEY ATTACKS

UPC-A creation on .netuse vs .net crystal upc barcodes encoding toprint upc-a supplement 5 on .net

Then to find 620 (mod 29) by repeated squaring, we compute

Encode qrcode in .netuse .net vs 2010 qr printing touse qr barcode in .net

(6')' . 6 = 6 (mod 29)

Code 128A printer on .netusing vs .net crystal todisplay code 128 code set b for asp.net web,windows application

6 = (61 ) 2 = 62 = 36 6

Add 2d barcode in .netusing barcode printing for visual .net control to generate, create 2d barcode image in visual .net applications.

7 (mod 29)

OneCode writer for .netusing vs .net tocreate onecode on asp.net web,windows application

(6 ) . 6 = 7 ' 6 (6 )

(mod 29)

=4 =

Draw matrix barcode in .netuse visual studio .net (winforms) 2d barcode implement toencode 2d matrix barcode in .net

16 (mod 29)

Render pdf417 for vbusing barcode maker for .net framework control to generate, create pdf417 image in .net framework applications.

620 = (610)2= 162 = 256 = 24 (mod 29).

Control gtin - 12 size in visual basicto encode gtin - 12 and upc-a supplement 5 data, size, image with visual basic.net barcode sdk

Note that this computation requires five multiplications (as opposed to 20 for the naive approach) and five modular reductions, and all intermediate values are less than N 2 . The repeated squaring algorithm is given in Table 7.4. Table 7.4: Repeated Squaring Compute y = xd (mod N ) , where d = ( d o , d l , d 2 , .. . ,&) in binary, with do s=x for i = 1to n s = s2 (mod N ) if di == 1 then s = s . x (mod N ) end if next i r e t u r n (s )

Control qr-code size on .netto incoporate qr code and qr-codes data, size, image with .net barcode sdk

// //

Control ean-13 supplement 2 image on .netgenerate, create gs1 - 13 none with .net projects

While repeated squaring is clearly preferable t o the naive approach of exponentiation followed by long division, there are many additional refinements that can further irnprove the efficiency of modular exponentiation. These improvements are necessary for efficient RSA implementations due to the large numbers that arise in RSA. Repeated squaring without further refinements is only used in RSA implementations in extremely resource-constrained environments, such as smartcards. Another trick that is conmionly used to speed up modular exponentiation employs the Chinese Remainder Theorem (CRT). The precise statement of the CRT is given in the Appendix. To see how the CRT applies specifically to RSA, first recall that for an RSA decryption (or signature), we must coniput,e a modular exponentiation of the form Cd (mod N ) , where N = p q arid p and q are large primes. Using the CRT, we can compute the modular exponentiation modulo p and modulo y, then "glue" the two results together to obtain the desired result modulo N . Since p and q are each much smaller than N (each is on the order of it is much more efficient to do two modular exponentiations with these relatively small moduli than to do one

Code 39 generating in .netgenerate, create code-39 none for .net projects