The topics covered in this lecture are RSA modular exponentiation and Timing Attack.

To compute y = x^{e} mod n, a common algorithm is:

y = 1;

z = x;

while (e != 0) {

if (e odd) {

y = y * z mod n ;

}

z = z * z mod n;

e = e div 2;

}

precondition: n > 1, 1 < x < n, e >=0

postcondition: y = x^{e0} mod n

We introduce a counter to make the proof eaiser. The counter does not affect on the computation:

y = 1;

z = x;

i = 0;

while (e != 0) {

if (e odd) {

y = y * z mod n;

}

z = z * z mod n;

e = e div 2;

i = i + 1;

}

The loop invariants are: z = x^{2i}mod n and x^{e0}=
y * z^{e }mod n. Where e_{0} is the original input value in
the variable e. (There's no need to make the distinction for x since it
is not changed.) We show that the invariants are true before the loop starts,
i.e.,

x = z =?= x^{2i} = x^{20} = x

and

x^{e0} =?= y * z^{e} = 1 * x^{e}.

Next, we assume that the invariants are true immediately after the while
test, and show that the body of the loop preserves the invariant. Let e
= 2e'+b, where b is a bit.

z_{new }= z * z = x^{2i} * x^{2i} = x^{(2i+ 2i)} = x^{(2 * 2i)} = x^{(2i+1)}

and since

i_{new} = i + 1

z_{new} = x^{(2inew)}

so the z invariant holds.

Similarly we check the y invariant.

x^{e0} =?= y * z^{e} = y z^{(2e' + b)} = y *
(z^{2})^{e'} * z^{b} = (y * z^{b}) * (z_{new})^{e'}

Now y_{new} = y * z^{b} (b can be 0 or 1. Y is going
to be computed when e is odd or in other words b is 1). Therefore, our
above equation is going to look like :

= y_{new} * (z_{new})^{e'}

Loop Invariant holds true. Now using, loop invariants to prove the post condition. The loop exits when e = 0. Plugging the value of e :

x^{e0} =?= y * z^{e} = y * z^{0}
= y * 1 = y

**Timing
Attack(Differential Timing Analysis)**

A snooper can determine a private key by keeping track of how long a computer takes to decipher messages. Timing attacks are applicable not just to RSA, but to other public-key cryptography systems. This attack is alarming for two reasons: It comes from a completely unexpected direction and it is a ciphertext-only attack. It is analogous to a burlgar guessing the combination of a safe by observing how long it takes for somone to turn the dial from number to number. The attack can be adapted to work with any implementation that does not run in fixed time.

In the above algorithm, modular exponentiation is accomplished bit by
bit, with one modular multiplication performed, at each iteration and an
additional modular multiplication performed for each 1 bit.The attack proceeds
bit by bit starting with the leftmost bit, b_{k}. Suppose that
the first i bits are known (To obtain the entire exponent, start with i
= 0 and repeat the attack until the entire exponent is known.) For a given
ciphertext, the attacker can complete the first i iterations of the while
loop. The operation of the subsequent step depends on the unknown exponent
bit. If the bit is set, y = (y * z ) mod n will be executed. For a few
values of y and z, the modular multiplication will be extremely slow, and
the attacker knows which these are. Therefore, if the observed time
to execute the decryption algorithm is always slow when this particular
iteration is slow with the 1 bit, then this bit is assumed to be 1. If
a number of observed execution times for the entire algorithm are fast,
then this bit is assumed to be 0. We are gathering statistics. If our hypothesis
is right we have classified correctly. The algorithm can extract
the bits in linear time.