## On Using Fast Exponentiation Algorithm in PDAs (or: How Secure is the Discrete Logarithm Problem Assumption in PDAs?) Extended Abstract

### BibTeX

```bibtex
@MISC{Susilo_onusing,
  author = {Willy Susilo and Jianyong Huang and Jennifer Seberry},
  title  = {On Using Fast Exponentiation Algorithm in PDAs (or: How Secure is the Discrete Logarithm Problem Assumption in PDAs?) Extended Abstract},
  year   = {}
}
```

### Abstract

Personal Digital Assistants (PDAs) are miniature versions of normal-size PCs, with very limited computational power. In this paper, we investigate the security of PDAs when they are used to perform some cryptographic applications. In our context, we investigate the computation y = g^x (mod p), for a prime p, which is believed to be secure in the sense of the Discrete Logarithm Problem (DLP) assumption. To be more precise, knowing only p, g and y, it is hard to derive x. We note that this computation is the most important operation in most cryptographic algorithms. However, due to the limited computational power of PDAs, such a computation requires some amount of time (and battery life). We show that by observing one of these parameters, we can reduce the hard problem of DLP to a predictable one, and hence it is not secure. We also show how to securely perform these kinds of computations with PDAs by employing some different techniques, so that they will not reveal any additional information to a passive eavesdropper. In contrast to previous works, we do not assume that the attacker can take full control of the PDA. This assumption is only applicable to a smart card whenever it is used in a malicious smart card reader.
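The abstract's point, and the 4-ary method the paper attributes to [18] in the citation contexts below, can both be made concrete in a few lines. The following is an added example, not code from the paper or its authors: it counts the squarings and multiplications performed by left-to-right square-and-multiply, showing that the multiplication count equals the number of 1 bits in x, and contrasts it with a left-to-right 4-ary exponentiation over a precomputed table of g^i (mod p), i = 0..15, whose operation count depends only on the exponent length. The modulus, generator and exponents are constructed toy values, far too small to be secure, chosen only so the arithmetic runs instantly.

```python
# Added example (not from the paper). Models the operation-count channel
# behind a timing/battery observation of y = g^x (mod p) and the 4-ary
# fixed-window mitigation. All parameters below are constructed toy values.
from dataclasses import dataclass


@dataclass
class OpCount:
    squarings: int = 0
    multiplications: int = 0


def square_and_multiply(g, x, p, bits):
    """Left-to-right binary exponentiation over a fixed exponent length.

    Returns (g^x mod p, OpCount). The number of multiplications equals the
    Hamming weight of x, which is exactly what an observer of run time or
    energy use learns about the secret exponent.
    """
    count = OpCount()
    y = 1
    for i in range(bits - 1, -1, -1):
        y = (y * y) % p                 # always square
        count.squarings += 1
        if (x >> i) & 1:                # multiply only on a 1 bit -> leak
            y = (y * g) % p
            count.multiplications += 1
    return y, count


def fixed_window_4ary(g, x, p, bits):
    """Left-to-right 4-ary exponentiation with a 16-entry table g^i mod p.

    Each 4-bit digit of x costs four squarings and exactly one table
    multiplication, zero digits included (table[0] == 1), so the operation
    count is a function of `bits` alone and not of the bits of x.
    """
    assert bits % 4 == 0, "exponent length must be a whole number of 4-bit digits"
    table = [1]
    for _ in range(15):
        table.append((table[-1] * g) % p)   # g^0 .. g^15 precomputed once
    count = OpCount()
    y = 1
    for i in range(bits - 4, -1, -4):
        for _ in range(4):
            y = (y * y) % p
            count.squarings += 1
        digit = (x >> i) & 0xF
        y = (y * table[digit]) % p          # one multiply per digit, always
        count.multiplications += 1
    return y, count


def leakage_demo(p=1_000_003, g=5, bits=16):
    """Compare two 16-bit exponents of very different Hamming weight.

    Returns {name: (multiplications_binary, multiplications_4ary)}. Both
    methods agree with Python's pow(); only the binary method's count moves.
    """
    exponents = {
        "sparse": 0b1000000000000001,   # weight 2  (constructed)
        "dense":  0b1111111111111111,   # weight 16 (constructed)
    }
    out = {}
    for name, x in exponents.items():
        y1, c1 = square_and_multiply(g, x, p, bits)
        y2, c2 = fixed_window_4ary(g, x, p, bits)
        assert y1 == y2 == pow(g, x, p)
        out[name] = (c1.multiplications, c2.multiplications)
    return out


if __name__ == "__main__":
    for name, (binary, windowed) in leakage_demo().items():
        print(f"{name:6s} exponent: square-and-multiply {binary:2d} mults, "
              f"4-ary {windowed:2d} mults")
```

The operation count is only one channel. As the citation context for [8] below records, the time of a single modular multiplication itself varies with whether the intermediate product needs reduction, and the table index in the 4-ary method is still a secret-dependent memory access, so a deployed implementation would combine a fixed-window schedule with constant-time arithmetic and the exponent blinding the paper mentions from [8].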

### Citations

2744 | New directions in cryptography
- Diffie, Hellman
- 1976
Citation Context: ...ly algorithm on a PDA is not secure. This basic cryptographic computation is the most important operation required in most cryptographic algorithms (for example, Diffie-Hellman key exchange algorithm [9], ElGamal encryption algorithm [10], etc.). The rest of this paper is organized as follows. In the next section, we briefly describe some related background information on PDAs and the Discrete Logari...

2492 | Handbook of Applied Cryptography
- Menezes, Oorschot, et al.
- 1997
Citation Context: ...opose a technique that could be used to compute the above cryptographic operation. This technique is inspired by [1], together with the basic technique known as the left-to-right 4-ary exponentiation [18]. The idea of the method that we use in this section is as follows. To compute g^x (mod p), we only need to know g^i (mod p), where i = 0, 1, ..., 15. The method works as follows. Firstly, we convert x...

1124 | A public-key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
Citation Context: ...e. This basic cryptographic computation is the most important operation required in most cryptographic algorithms (for example, Diffie-Hellman key exchange algorithm [9], ElGamal encryption algorithm [10], etc.). The rest of this paper is organized as follows. In the next section, we briefly describe some related background information on PDAs and the Discrete Logarithm Problem (DLP) related to our pu...

687 | Differential Power Analysis
- Kocher, Jaffe, et al.
Citation Context: ...ution is to use a blinding method [8]. Joye proposed several techniques to prevent timing attacks [13] in a smart card. Kocher et al. introduced another kind of attack, known as power analysis attack [21, 22]. Power analysis attacks work by measuring the power consumption of a tamper-resistant device when it performs the cryptographic operations. Power analysis attacks fall into two basic categories. One i...

425 | Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems
- Kocher
- 1996
Citation Context: ...ation. For a complete survey, we refer the reader to [11]. 2.3 Related Works: Side-Channel Attacks An important related work is the concept introduced by Kocher which is known as the "Timing Attack" [15]. He showed that an attacker may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems, by only observing the amount of time required to perform private key ope...

154 | A survey of fast exponentiation methods
- Gordon
- 1998
Citation Context: ... with a basic cryptographic calculation, i.e. the use of the square-and-multiply algorithm to find y from y = g^x (mod p). For a complete survey on Fast Exponentiation algorithms, we refer the reader to [11]. We are interested to know whether there is any relation between the time (or the battery life) taken to perform the computation and the secret value (namely x), which is x = log_g(y). The result is...

146 | Seminumerical Algorithms, volume 2 of The Art of Computer Programming
- Knuth
- 1997
Citation Context: ...r of 1s in the binary representation of x. This algorithm is well-known and is the most common algorithm used to compute g^x (mod p). For the complete history of this algorithm, we refer the reader to [14]. It is noted in [8] that the time required for the multiplication part of the algorithm is constant, independent of the factors, except that if the intermediary result of the multiplication is greate...

111 | Security for Ubiquitous Computing
- Stajano
- 2002
Citation Context: ...ave become an important part of our life. Currently, PDAs can perform the same operations as normal personal computers (PC), but they are more desirable as their small size means they fit in a pocket [24]. The recent trend is for users to use PDAs instead of a laptop. Thus there is a real need to make PDAs more useful for electronic commerce applications. We note that there were several previous works...

75 | Introduction to Differential Power Analysis and Related
- Kocher, Jun
Citation Context: ...ution is to use a blinding method [8]. Joye proposed several techniques to prevent timing attacks [13] in a smart card. Kocher et al. introduced another kind of attack, known as power analysis attack [21, 22]. Power analysis attacks work by measuring the power consumption of a tamper-resistant device when it performs the cryptographic operations. Power analysis attacks fall into two basic categories. One i...

70 | Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer
- Chaum, Heijst, et al.
- 1992
Citation Context: ...eral cryptosystems, including the ElGamal [10] cryptosystem. This intractability assumption has also been used to create signature schemes, such as fail-stop signatures [27] and undeniable signatures [7]. It is also used to create a server-aided computation [3], such as the one proposed in [6]. Maurer and Wolf [17] proved that the Diffie-Hellman problem and the DLP are polynomial-time equivalent in a ...

60 | A practical implementation of the timing attack
- Dhem, Koeune, et al.
- 2000
Citation Context: ... representation of x. This algorithm is well-known and is the most common algorithm used to compute g^x (mod p). For the complete history of this algorithm, we refer the reader to [14]. It is noted in [8] that the time required for the multiplication part of the algorithm is constant, independent of the factors, except that if the intermediary result of the multiplication is greater than the modulus, ...

41 | Hand-held computers can be better smart cards
- Balfanz, Felten
- 1999
Citation Context: ...t that the work on smart cards is completely different to the one that we are investigating. A PDA (or a handheld device, in a more general term) has more computational power compared to a smart card [4], and therefore, it is desirable to allow a PDA to perform some cryptographic computations without the need of an untrusted/trusted PC. 3 Experiments with Square-and-Multiply Algorithm in PDAs In th...

37 | The relationship between breaking the Diffie-Hellman protocol and computing discrete logarithms
- Maurer, Wolf
- 1999
Citation Context: ...o create signature schemes, such as fail-stop signatures [27] and undeniable signatures [7]. It is also used to create a server-aided computation [3], such as the one proposed in [6]. Maurer and Wolf [17] proved that the Diffie-Hellman problem and the DLP are polynomial-time equivalent in a cyclic group G of order |G| = ∏ p_i^{e_i}, where all the multiple prime factors of |G| are polynomial in log|G|. ...

37 | Power Analysis Attacks of Modular Exponentiation in Smartcards
- Messerges, Dabbish, et al.
- 1999
Citation Context: ...yption Standard (DES) and the Advanced Encryption Standard (AES) [20] were described in [22] and [5], respectively. The work on the power analysis attack on the public key algorithm was introduced in [26]. More specifically, Messerges et al. [26] tried to attack the modular exponentiation in a smart card. This is closely related to our work, however [26] assumed that the attacker has the full control ...

27 | Cryptography: Theory and Practice, Second Edition
- Stinson
- 2002
Citation Context: ...ultiply Algorithm One of the most important cryptographic assumptions used in the construction of several cryptosystems is the Discrete Logarithm Problem (DLP) Assumption, which is defined as follows [25]. Problem Instance. I = (p, α, β), where p is prime, α ∈ Z_p is a primitive element and β ∈ Z*_p. Objective. Find the unique integer a, 0 ≤ a ≤ p−2, such that α^a ≡ β (mod p). In other words, a ≡ log_α(β...

25 | Power analysis of the key scheduling of the AES candidates
- Biham, Shamir
- 1999
Citation Context: ...e the security of symmetric key cryptographic algorithms. For example, the analysis of the Digital Encryption Standard (DES) and the Advanced Encryption Standard (AES) [20] were described in [22] and [5], respectively. The work on the power analysis attack on the public key algorithm was introduced in [26]. More specifically, Messerges et al. [26] tried to attack the modular exponentiation in a smart...

23 | Server-supported signatures
- Asokan, Tsudik, et al.
- 1996
Citation Context: ...m. This intractability assumption has also been used to create signature schemes, such as fail-stop signatures [27] and undeniable signatures [7]. It is also used to create a server-aided computation [3], such as the one proposed in [6]. Maurer and Wolf [17] proved that the Diffie-Hellman problem and the DLP are polynomial-time equivalent in a cyclic group G of order |G| = ∏ p_i^{e_i}, where all the mul...

21 | Generating RSA keys on a handheld using an untrusted server
- Modadugu, Boneh, et al.
- 2000
Citation Context: ...more useful for electronic commerce applications. We note that there were several previous works that attempted to connect PDAs to PCs to assist them to perform some "heavy" computations, for example [6]. However, due to the recent development of PDAs, for example the new Intel XScale processor with 400 MHz, it is possible for PDAs to perform such computations by themselves. The problem with connecti...

7 | Timing attack: what can be achieved by powerful adversary
- Hachez, Koeune, et al.
Citation Context: ...mplementation of a timing attack was described in [8], which was proposed with the implementation on a smart card. The error correction that could be used to improve the result of [8] was proposed in [12]. In [15], Kocher mentioned several countermeasures to prevent timing attacks. The straightforward solution is to make all operations take exactly the same amount of time. However, this method is not ...

7 | Recovering Lost Efficiency of Exponentiation Algorithms on Smart Cards
- Joye
Citation Context: ...l operations take exactly the same amount of time. However, this method is not practical. A better solution is to use a blinding method [8]. Joye proposed several techniques to prevent timing attacks [13] in a smart card. Kocher et al. introduced another kind of attack, known as power analysis attack [21, 22]. Power analysis attacks work by measuring the power consumption of a tamper-resistant device w...

7 | How to make efficient fail-stop signatures
- Heijst, Pedersen
- 1992
Citation Context: ...ion has been used to create several cryptosystems, including the ElGamal [10] cryptosystem. This intractability assumption has also been used to create signature schemes, such as fail-stop signatures [27] and undeniable signatures [7]. It is also used to create a server-aided computation [3], such as the one proposed in [6]. Maurer and Wolf [17] proved that the Diffie-Hellman problem and the DLP are p...

6 | Selecting cryptographic key sizes. http://www.cryptosavvy.com/. Extended abstract appeared
- Lenstra, Verheul
- 1999
Citation Context: ...ffie-Hellman problem and the DLP are polynomial-time equivalent in a cyclic group G of order |G| = ∏ p_i^{e_i}, where all the multiple prime factors of |G| are polynomial in log|G|. It is predicted in [16] that the size of the Discrete Logarithm field that is used in DLP must be at least 1881 bits, to make it secure until the year 2020. It is also noted that the size of subgroup DLP must be at least 15...

1 | The Windows CE Technology Tutorial
- Muench
- 2000
Citation Context: ...ptographic calculation that we are interested in exploring, together with some previous works. 2.1 Pocket PC PDA Pocket PC is a new operating system, which is not a port from Windows NT or Windows 9x [19]. The Windows CE (or Pocket PC) APIs are modeled after those of Windows NT, but internally Windows CE is a new code base. The Pocket PC operating system is the operating system that is used in a Pocke...

1 | Zaurus: Personal mobile tool. http://www.myzaurus.com
- Sharp
Citation Context: ...ditional PC. We only consider the Pocket PC environment (also known as Windows CE) in this paper. However, an extension to another operating system such as Linux (used in Yopi [28] and Sharp's Zaurus [23]) is straightforward. In this paper, we are interested in using PDAs with a basic cryptographic calculation, i.e. the use of the square-and-multiply algorithm to find y from y = g^x (mod p). For a compl...

1 | Korean start-up works hard to Pocket Linux
- Williams
Citation Context: ...without involving any additional PC. We only consider the Pocket PC environment (also known as Windows CE) in this paper. However, an extension to another operating system such as Linux (used in Yopi [28] and Sharp's Zaurus [23]) is straightforward. In this paper, we are interested in using PDAs with a basic cryptographic calculation, i.e. the use of the square-and-multiply algorithm to find y from y =...