Using Genetic Algorithm in Inner Product to Resist Modular Exponentiation From Higher Order DPA Attacks

Evolutionary computation techniques have always provided fascinating results in all fields of science and engineering. However, in the area of computer security their contribution has been comparatively small. More specifically, in side-channel attacks the use of these nature-based techniques has been very nominal. Therefore, in this paper we propose a secure protocol to combat Higher Order Differential Power Analysis attacks on modular exponentiation based cryptosystems using one of the popular evolutionary computation techniques. The proposed work first uses a Genetic Algorithm to split the huge exponent within the modular exponentiation into multiple non-uniform shares. Then, these shares are randomly chosen for computing individual modular exponentiations with the help of the nearest neighbor algorithm. Using the Genetic Algorithm, our proposed protocol can generate a reasonable number of shares which expose the secret exponent the least. As a result, it provides significant resistance to Higher Order Differential Power Analysis attacks. Moreover, randomization in computing individual modular exponentiations secures the cryptosystem from generic power analysis attacks like SPA and DPA.


I. INTRODUCTION
Among all the side channel attacks, power analysis attacks [1] have been a major threat to modular exponentiation within RSA cryptosystems [2]. Messerges et al. [3] were the first to show the possibility of mounting Simple Power Analysis (SPA) and Differential Power Analysis (DPA) attacks on "squaring-multiplication" based implementations of modular exponentiation. Whereas SPA could easily identify the location of each operation by visualizing the spikes in power traces, DPA used statistical models to extract the secret key or exponent.
One approach to combat power analysis attacks is to remove the dependency of power consumption on the data and operations of the cryptosystem. This can be achieved by randomizing the secret data or the fundamental operations of the cryptographic algorithms. This technique is popularly known as hiding. It aims to mitigate SPA and DPA by minimizing the correlation between power consumption and secret data. Binary Random Initial Point (BRIP), introduced by Mamiya et al. [4], was designed using randomization within RSA to combat power analysis attacks. BRIP was later extended and improved by Kim et al. [5], [6] and Wang et al. [7]. Recently, Mahanta et al. have presented two works to resist power analysis attacks based on data randomization [8] and operation randomization [9].
The associate editor coordinating the review of this manuscript and approving it for publication was Junaid Arshad.
Another resisting approach is to inject dummy instructions between the fundamental operations of the cryptosystem for uniform power consumption. But it incurs a computational penalty, due to which it is used along with masking, where the secret intermediate values are associated or masked with some unknown random values. Fournaris et al. [10] and Ambrose et al. [22] used this approach in their works to combat power analysis attacks on RSA. Masking in asymmetric cryptosystems is called blinding. Blinding in RSA based modular exponentiation cryptosystems can be implemented on both the message and the exponent, but it needs an additional multiplicative inverse operation to remove the effect of message blinding. However, the message blinding technique presented by Kim et al. [11] was one of the kind that did not require any multiplicative inverse.
There are significant works in the literature which have used the above approaches to combat power analysis attacks. However, all these works aimed to protect cryptosystems from generic SPA and DPA attacks only. Higher order DPA (HODPA) and Correlation Power Analysis (CPA) attacks, which have been major threats in the present scenario, are yet to be addressed. In order to protect a cryptosystem from HODPA and CPA, it is necessary that the secret sensitive data and their related intermediate data are split into n shares, which would result in protection from $n$th order DPA attacks [35]. Recently, Balasch et al. [12], [13], and [36] presented a state of the art use of inner products for masking in symmetric cryptosystems to defend against HODPA. Based on the model of Dziembowski et al. [14], they proposed a leakage resilient design in which the shares leaked minimum information about the secret data in the presence of noise. However, in their approach these shares were only random numbers which were generated in multiple iterations without any defined way.

A. OUR CONTRIBUTION
In this paper, for splitting the secret exponent in modular exponentiation into multiple shares, we have adopted the concept of inner product. Genetic Algorithm has been used in inner product (IP-GA) to limit the number of shares of the exponent as well as to make these shares diverse in each execution. To facilitate randomization, an entropy based algorithm known as nearest neighbor (E-NN) has also been proposed, which randomly chooses a share among all the shares to compute an individual modular exponentiation. The secure modular exponentiation along with IP-GA and E-NN is then implemented in decryption for RSA and CRT-RSA of different key sizes. To measure the possible leakage from each share, mutual information analysis with the original exponent has been computed. Also, a security analysis of the proposed protocol against popular DPA and HODPA attacks has been presented. Conventional countermeasures like message and exponent blinding alone have severely failed to resist advanced DPA attacks like horizontal correlation analysis [45], [46] and template attacks [47], [48]. When we probe our proposed secured model with horizontal attacks and template attacks, we find that these attacks can be resisted to a significant extent. Hence, the role of our proposed protocol in combating these modern and future attacks is very crucial.
The remainder of the paper is organized as follows: a brief survey of related works is provided in Section 2. Section 3 presents some preliminary concepts related to the proposed work. In Section 4, a detailed discussion of the proposed protocol with its implementation in RSA and CRT-RSA is presented. The security analysis of the proposed protocol with respect to DPA, HODPA and some advanced attacks is discussed in Section 5. The analysis of the results is presented in Section 6 and finally a conclusion is formulated.

II. RELATED WORKS
Hiding aimed to randomize the order of execution of the fundamental operations of the cryptosystem. As a result, through SPA it would not be possible to identify the actual sample points of the operations. Hence, if the modular exponentiation was implemented in binary methods with hiding, extraction of the correct key by locating the squaring and multiplication operations would be extremely difficult. The BRIP method [4], which was mainly designed for Elliptic Curve Cryptography (ECC), introduced a random initial point for every execution. As a result, the initial values would be different at every execution, providing resistance to DPA attacks. Kim et al. [5] proposed secured binary exponentiation for RSA and CRT-RSA by randomizing the message and key with the help of a random number r. The effect of r was removed by two different ways of computing $r^{-1}$ depending on whether the bit is 0 or 1. They also improved their work using random blinding [6], which was more secure and had a lower computational cost than Mamiya's. The improved method was a generalized concept that could be used for RSA as well as ECC. However, Wang et al. [7] challenged the works of Kim, showing that their improved countermeasure could still reveal sensitive information. They modified Kim's approach and proposed to compute $r^{-1}$ at four different points based on all the possible combinations of 0 and 1, i.e. 00, 01, 10 and 11. Recently, Mahanta et al. have proposed two different countermeasures for modular exponentiation based cryptosystems. The first countermeasure [8] computed comparative modular exponentiation with a completely randomized exponent or key for RSA and CRT-RSA decryption to resist DPA to a large extent. In their second work [9] they executed operation randomization using the Fisher Yates Shuffling technique to attain significant security against DPA attacks.
Unlike hiding, blinding associated the secret data (say x) with a blinding factor (λ) in such a way that it becomes impossible to retrieve x if λ is not known. For RSA cryptosystems, in which the primary operation is modular exponentiation ($m^e \bmod N$), both the message (m) and the exponent (e) can be blinded. For message blinding, the blinding factor is associated in such a way that, Similarly, the exponent can be blinded with the blinding factor and φ(N) by, But merely using either of these techniques, or both, was still not sufficient to protect RSA and CRT-RSA from DPA attacks, as seen in [15]-[19]. Besides, it would also have the additional computational cost of a multiplicative inverse to remove the effects of the blinding factor. However, a secure and efficient way to compute message blinding without a multiplicative inverse was presented by Kim et al. [11]. To make blinding more efficient, random instructions were also injected in between the fundamental operations [20]-[22]. In some other approaches, blinding with improved modular exponentiation was also proposed [23], [24]. However, none of these works addressed HODPA and CPA, leaving them vulnerable to such attacks.

III. PRELIMINARIES OF PROPOSED WORK
Here, we discuss a few preliminary concepts which are later employed in our proposed protocol. This section helps in better understanding our proposed protocol, which is presented in detail in Section 4.

A. INNER PRODUCT
As mentioned in the previous section, in order to protect a cryptosystem from HODPA the sensitive data (key and intermediate values) needs to be split into multiple shares. Thus, a cryptosystem will be protected from $n$th order DPA if the sensitive data is split into n shares. The significance of using the inner product (IP) is its ability to represent a number (say X) as a summation of the products of random pairs. Each element of these pairs will belong to one of two vectors, say L and R, such that $L = (l_1, l_2, \ldots, l_n)$ and $R = (r_1, r_2, \ldots, r_n)$ contain n random values. The inner product, represented by $\langle L, R \rangle$, can be computed by $\sum_{i=1}^{n} l_i \times r_i$. This approach was demonstrated in [14] and was later used in [12], [13], [36] in identifying a masking scheme for the Advanced Encryption Standard (AES) cryptosystem.
In asymmetric cryptosystems like RSA, the decryption key (d) is extremely sensitive and mostly very large. In order to protect the cryptosystem from HODPA attacks, splitting d would be one of the most effective measures. We have used IP as an approach to split d into multiple shares. However, instead of using it conventionally, we have associated Genetic Algorithm (GA) with it for choosing random values to form the IP pairs (l, r). Using GA, the proposed approach could generate a reasonable number of shares which would leak minimum mutual information about d. Hence, even if we consider that these shares leak through power consumption, the information provided by them will be too little for successful power analysis attacks. Therefore, in our proposed protocol, we considered the following assumptions for computing the inner product: (a) vector R would store n-2 independent 64 bit random variables, (b) the last, $(n-1)$th value in R would always be 1, and (c) vector L would store the product $L_{i-1} \times R_i$ with $L_0 \in r$, where r is a 64 bit random variable generated using randomgen(). Hence, the number of shares generated from the secret exponent is limited by these notions.

B. GENETIC ALGORITHM
One of the most widely used evolutionary computation techniques for optimization is GA. In almost all the fields where optimization can be done, GA has always produced outstanding results [25]. GA maintains a population of possible individuals based on some selection function and other operators like mutation and recombination. Each of these individuals is given a fitness value, and using a proper fitness function GA pulls out those individuals having the highest fitness. The initially selected individuals act as parents and undergo mutation and crossover to generate/reproduce new values/offspring which form the next population. To summarize, GA is mainly composed of three main operations,
• Selection: From a population of possible individuals, select the ones having the highest fitness values.
• Crossover: It exchanges some bits between the parents so that the new individuals inherit from the parents. There can be single point crossover, where each parent occurs once in the offspring, or double crossover, where one parent can occur multiple times in the offspring.
• Mutation: Some bits within the selected individuals are replaced with one another based on a mutation rate which determines to what extent mutation needs to be performed.
GA has been previously used in building optimal addition chains for modular exponentiation [37], [39], and [43]. Even successful timing attacks on RSA have appeared in the literature [38]. Besides, it has also been used to protect the AES S-box against DPA attacks [40], [41]. In 2012, Batina et al. [44] presented the concept of generating evolutionary ciphers (EVOC) with evolutionary computing to resist DPA attacks. Their model could generate dynamic ciphers using a TRNG, which prevents not only attackers but also the designers from knowing the ciphers. These ciphers were randomly selected using an intelligent search algorithm. They challenged Kocher's model [1] of DPA attacks by making the selection function unknown to the attackers with dynamic ciphers. As the attackers are prevented from creating a selection function, they cannot mount DPA attacks. However, unlike EVOC, our objective is to obtain optimal shares of the large secret exponent in modular exponentiation to resist HODPA attacks. For this purpose GA has been used in inner product to generate the optimum IP pairs (L, R) which serve as shares of the secret exponent d and leak the least mutual information about it.

C. NEAREST NEIGHBOR ALGORITHM
This algorithm takes a greedy approach to search for the minimum distance between two end points. Initially it was used for solving problems like the traveling salesman problem efficiently, but it does not guarantee an optimal solution. Presently, the algorithm is employed in various fields of machine learning, pattern recognition and image processing. The Euclidean distance shown in Equation 3 computes the nearest neighbors for a population where, $x_i$ and $y_i$ are the values of the $i$th attribute. We extend the nearest neighbor algorithm in our proposed work to search for the minimum distance between the entropy (H) based IP shares. Let $S_1, S_2, \ldots, S_n$ be the IP shares of the secret key (d) up to n shares, then the distance from $S_1$ is computed by, where, $S_i$ equals to $n$th shares. As our proposed approach to finding the nearest neighbor is entropy, we have named the algorithm "Entropy based Nearest Neighbor (E-NN)" throughout the paper. Use of E-NN enables us to randomly choose n shares of an IP share to execute an individual modular exponentiation. Thus E-NN offers operation hiding by randomizing the order of individual modular exponentiations and resists DPA and HODPA attacks as a whole.

IV. PROPOSED WORK
As mentioned in previous sections, none of the existing resisting techniques proposed how to address HODPA attacks. Here, we first present Genetic Algorithm with Inner Product for splitting the exponent of modular exponentiation into multiple shares. We then propose an algorithm known as nearest neighbor based on entropy (E-NN) to randomize these shares prior to execution, providing operation hiding to resist SPA & DPA attacks.

A. SPLITTING EXPONENT THROUGH INNER PRODUCT WITH GENETIC ALGORITHM (IP-GA)
We have mentioned earlier that in order to protect a cryptosystem from HODPA the sensitive data with intermediate values needs to be split into multiple shares. Asymmetric cryptosystems have been built on the pillars of modular exponentiation. Specifically in RSA, a private key (d) is used for decryption and the challenge remains in preserving the secrecy of this key, making it highly sensitive data. HODPA attacks can be resisted if this private key can be split into multiple shares, which in turn will also split the sensitive intermediate results. Modular exponentiation with multiple shares of d can be computed by the following property, Property 1: To compute $m = c^d \bmod N$, where d, c, m are the private key, the cipher text and the plain text respectively.
We start with generic GA by considering a population of 50 (popsize = 50) random individuals using algorithm 1. The individuals in the population are random numbers of 64 bit that are generated using a random function. Each possible pair of individuals (l, r) from this population is assigned a fitness value f as shown below, Using the selection function shown in algorithm 2, the pairs having the highest fitness value are selected. This pair further undergoes a single point crossover and swap mutation to change their characteristics. A crossover point $C_p$ is chosen for both l and r. The bits of these shares from $C_p$ to the last bit are exchanged in each of these shares respectively to form $l_c$ & $r_c$, which further undergo mutation. Two mutation points $M_{p1}$ & $M_{p2}$ have been chosen for each share $l_c$ & $r_c$ respectively such that $M_{p1}$ & $M_{p2}$ ∈ (2, len), where len is the length of l and r. Since both the mutation points lie between 2 and len, the probability of choosing a point is $\frac{1}{len-2}$, which will be the mutation rate. As the size of each individual in the population is 64 bit, the mutation rate in our proposed approach will be $\frac{1}{62} \approx 0.016$. The bits at $M_{p1}$ and $M_{p2}$ are then exchanged within each $l_c$ and $r_c$ separately for mutation.
Crossover and mutation are general operators of GA, as mentioned in the earlier section. But in our proposed work, these operators perform significant recoding within the shares. This is analogous to blinding, which also recodes the exponent by associating it with a blinding factor. As these shares are also used for generating the next population, there will be a diverse population in every iteration.
Finally, using algorithm 1 and algorithm 2 along with crossover and mutation, we present our proposed IP with GA (IP-GA) in algorithm 3 to split the large exponent d into multiple shares in an efficient way. More precisely, algorithm 3 generates two vectors L[ ] and R[ ] which contain values to form the inner product pairs. These vectors are later used for hiding through randomization with the proposed E-NN algorithm, as discussed next. All the inner product pairs are generated using the prior assumptions, using property 2, and recombined to generate the original exponent d.
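The two recoding operators described above, written out as an added example (not the paper's algorithm listings). The bit numbering (position 1 is the most significant bit, position len the last bit), drawing mutation points from 3..len, and the function names are assumptions made for illustration; the fitness function is not reproduced because its formula is not given on this page.

```python
import secrets

LEN = 64                      # share length in bits, as stated in the text
FULL = (1 << LEN) - 1


def bit(x, pos):
    """Bit of x at position pos (assumed numbering: 1 = MSB ... LEN = last bit)."""
    return (x >> (LEN - pos)) & 1


def hamming_weight(x):
    return bin(x).count("1")


def crossover(l, r, cp):
    """Single point crossover: exchange the bits from cp to the last bit."""
    if not 1 <= cp <= LEN:
        raise ValueError("crossover point out of range")
    tail = (1 << (LEN - cp + 1)) - 1      # mask covering positions cp..LEN
    head = FULL ^ tail
    l_c = (l & head) | (r & tail)
    r_c = (r & head) | (l & tail)
    return l_c, r_c


def swap_mutation(x, mp1, mp2):
    """Swap mutation: exchange the bits at positions mp1 and mp2 inside x."""
    for p in (mp1, mp2):
        if not 2 < p <= LEN:
            raise ValueError("mutation point out of range")
    if bit(x, mp1) != bit(x, mp2):
        # The two bits differ, so swapping them is the same as flipping both.
        x ^= (1 << (LEN - mp1)) | (1 << (LEN - mp2))
    return x


def recode(l, r, rng=None):
    """Crossover followed by swap mutation with freshly drawn points.

    Returns the recoded pair (l_m, r_m) and the points that were used.
    Mutation points are drawn separately for each share from 3..LEN,
    which gives the LEN - 2 = 62 candidates behind the 1/62 rate.
    """
    rng = rng or secrets.SystemRandom()
    cp = rng.randint(1, LEN)
    l_c, r_c = crossover(l, r, cp)
    pts_l = (rng.randint(3, LEN), rng.randint(3, LEN))
    pts_r = (rng.randint(3, LEN), rng.randint(3, LEN))
    l_m = swap_mutation(l_c, *pts_l)
    r_m = swap_mutation(r_c, *pts_r)
    return l_m, r_m, (cp, pts_l, pts_r)


def pair_weight(l, r):
    """Combined Hamming weight of a pair.

    Crossover only moves bits between l and r and swap mutation only moves
    bits inside one share, so this quantity is unchanged by recode().
    """
    return hamming_weight(l) + hamming_weight(r)


if __name__ == "__main__":
    # Constructed sample pair, not taken from the paper.
    l0, r0 = secrets.randbits(LEN), secrets.randbits(LEN)
    l1, r1, points = recode(l0, r0)
    print(f"{l0:016x} {r0:016x} -> {l1:016x} {r1:016x} using {points}")
    print("pair weight before/after:", pair_weight(l0, r0), pair_weight(l1, r1))
```

The invariant in `pair_weight` is worth keeping in mind when evaluating leakage under a Hamming-weight power model: recoding changes the values of a pair but not the total number of set bits it carries.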
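To make the splitting and recombination concrete, the following added example (not the paper's algorithm 3 or 5) builds vectors L and R from one reading of assumptions (a) to (c), checks that their inner product equals d, and decrypts by exponentiating with one share at a time in a shuffled order. It omits the GA selection step, uses a uniform shuffle as a stand-in for E-NN ordering, and uses a constructed toy key built from two Mersenne primes; all function names are hypothetical.

```python
import secrets

WORD_BITS = 64  # the text draws 64 bit random values


def rand_word():
    """Nonzero 64 bit random value (stands in for the text's randomgen())."""
    return secrets.randbits(WORD_BITS) | 1


def split_exponent(d):
    """Split d into vectors L, R with sum(L[i] * R[i]) == d.

    Assumed reading of the text: R holds independent 64 bit randoms followed
    by a final 1; each L entry is the previous L entry times the current R
    entry, starting from a random 64 bit L0. Pairs are added until the next
    product would exceed what is left of d, and the last L entry is that
    remainder, so the size of d bounds the number of shares.
    """
    if d <= 0:
        raise ValueError("exponent must be positive")
    L, R = [], []
    remaining = d
    l_prev = rand_word()
    while True:
        r = rand_word()
        l = l_prev * r
        if l * r > remaining:
            break
        L.append(l)
        R.append(r)
        remaining -= l * r
        l_prev = l
    L.append(remaining)   # remainder share, paired with R = 1
    R.append(1)
    return L, R


def inner_product(L, R):
    return sum(l * r for l, r in zip(L, R))


def random_order(n):
    """Uniformly shuffled share indices (stand-in for the E-NN index vector)."""
    idx = list(range(n))
    secrets.SystemRandom().shuffle(idx)
    return idx


def shared_modexp(c, L, R, N, order=None):
    """Compute c^<L,R> mod N using one share L[i]*R[i] per exponentiation."""
    idx = list(range(len(L))) if order is None else list(order)
    if sorted(idx) != list(range(len(L))):
        raise ValueError("order must visit every share exactly once")
    result = 1
    for i in idx:
        d_inter = L[i] * R[i]
        # c^(a+b) = c^a * c^b mod N, so the visiting order does not matter.
        result = (result * pow(c, d_inter, N)) % N
    return result


# Constructed toy key for the demonstration only (Mersenne primes, not secure).
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

if __name__ == "__main__":
    L, R = split_exponent(D)
    c = pow(424242, E, N)
    order = random_order(len(L))
    print("shares:", len(L), "bit lengths:", [(l * r).bit_length() for l, r in zip(L, R)])
    print("visit order:", order)
    print("recovered:", shared_modexp(c, L, R, N, order))
```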

Algorithm 2 Assigning Fitness Value and Selection
Input:
where, $S_i$ with i = 1..m denotes a share of d. To compute the probability value ($p(S_i)$) of every share, it is necessary to find all the possible combinations ($c_i$) of $S_i$ by considering its Hamming weight (HW) such that if $x_i = length(S_i)$ and $h_i = HW(S_i)$ then,
Our proposed protocol E-NN is based on a greedy optimization method. Therefore, we are required to select an initial local best solution. For selection, we consider the first value in H as the local best ($S_{lb}$) and compare it with the other entropy values in H based on its distance. The share with the minimum distance based on entropy (Equation 4) from $S_{lb}$, compared to the other shares, is allotted as the next $S_{lb}$ and its index in vector H is stored into a new vector I. The operation continues till all the values of the entropy are in an incremented order and their corresponding indices are stored in I. Further, the array I with random indices of the shares will ease randomization to resist DPA attacks. The complete operation is described in algorithm 4.
Our proposed approach for computing secured modular exponentiation is implemented in RSA and CRT-RSA, two widely considered public-key cryptosystems. Algorithm 5 can be directly used for RSA decryption with d as the secret decryption key and M as the cipher text. Algorithm 6 demonstrates how our proposed approach has been implemented in CRT-RSA. It is worth mentioning that the steps shown are for decryption only, which consists of cipher text c, private key d and modulus N. For CRT-RSA, the recombination has been done using Gauss combination given by, where s is the final result and $s_p$, $s_q$ are intermediate results for $d_p$ and $d_q$ respectively.

V. SECURITY ANALYSIS
The security of the proposed protocol is analyzed in the following steps:

• Modular exponentiation with shares
At any instance say i = 1, algorithm 5 first computes . Then, $m^{d_{inter}} \bmod N$ is computed. Here, $d_{inter}$ is the inner product of the pairs from L and R computed by algorithm 3, which is one of the n shares of d, fulfilling the necessary condition to resist HODPA.
• Recoding of shares
The initial IP pair $L_{ini}$, $R_{ini}$ selected from the initial population using algorithm 2 is recoded to $L_c$, $R_c$ during crossover and subsequently to $L_m$, $R_m$ in mutation. The final IP pair consists of $R_m$ and the product of $L_m$, $R_m$. Due to recoding, it will be very difficult to guess a share from a given population, providing additional security in the entire computation.

A. RESISTANCE TO DPA ATTACKS
The primary strength of our proposed work is that the entire modular exponentiation is done asynchronously with n shares of the exponent. Algorithm 1 to algorithm 4 are computed before the actual modular exponentiation takes place. Hence, the overhead is only during precomputation. Besides, due to GA, with every iteration a new population is generated and hence all the shares are different from the previous ones, which strengthens the security to a very large extent. We next discuss in brief some of the popular DPA attacks to show how our proposed approach is capable of resisting them.
The generic DPA attacks by Messerges et al. [3] examined the correlations between known bits and the secret exponent to distinguish multiplication operations from squaring. Even if the modular exponentiation in algorithm 5 is performed using binary methods, each of these executions would involve only one of the shares of the exponent, randomly chosen at a time. Hence, if their attack is mounted on the proposed model, correlations will be generated for an arbitrary share of the secret exponent, making those attacks unsuccessful.
Other attacks mostly targeted exponent and message blinding type countermeasures. These attacks would first guess the blinding factor and then target recovery of the key. However, most of them were implemented for small exponents only.
Our proposed approach has been designed for large exponents of 1024-2048 bits and hence the feasibility of these attacks is very low. But it is worth mentioning that we have not taken any measures on message blinding and hence may be vulnerable to attacks based on it, like Witteman et al. [33] and Wunan et al. [32].
The Double Count Attacks (DCA) by Kaminaga et al. [28] proposed a position checker tool for $2^t$-ary implementations of RSA. Their tool could reconstruct the entire exponent when 1536 bit RSA was implemented using the $2^6$-ary method. But algorithm 4 in our proposed work randomizes the exponentiation using the E-NN algorithm, due to which reconstructing the exponent using DCA would be extremely difficult. Similar to DCA, due to randomization, the Big Mac attacks proposed by Walter [29] and the Horizontal correlation attacks [30], which were an extension of the Big Mac attacks, could also be resisted by our work. For both these attacks, correct time synchronization of the modular exponentiation was a critical factor, which is broken by choosing random shares of d as can be seen in algorithm 5.

B. RESISTANCE TO HODPA ATTACKS
The attack model proposed by Kim et al. [31] was based on second-order correlation power analysis attacks on RSA. Their attack model was an enhancement of the Okeya-Sakurai model [42], which targeted the BRIP countermeasure of Mamiya et al. [4] on ECC. For mounting their attack, power traces were first collected without any consideration of plain texts or cipher texts. As the target operation was multiplication only, these traces were reconstructed by extracting and concatenating the signals of multiplication from the power traces produced during the main exponentiation. The newly constructed traces were defined as $C_i$ $(1 \le i \le n)$ for n traces. The points corresponding to the multiplication signals $C_i = M_{i,0} \| M_{i,1} \| \cdots \| M_{i,n-1}$ were separately defined as $C_i = (C_{i,0}, \ldots, C_{i,1 \cdot L-1}) \| (C_{i,1 \cdot L}, \ldots, C_{i,2 \cdot L-1}) \| \cdots \| (C_{i,(n-1) \cdot L}, \ldots, C_{i,n \cdot L-1})$, where $M_{i,k}$ $(0 \le k \le n-1)$ was the multiplication signal corresponding to the $(k+1)$th action in the $i$th power trace, with L the length of the multiplication power trace and n the size of the secret exponent.
Then second-order correlation was computed on the reconstructed power traces $C_i$ $(1 \le i \le n)$. These correlated traces $CT_i$ $(2 \le i \le n)$ implied the relation between the multiplication at the corresponding MSB of the secret exponent and the other multiplications. The correlation traces showing high correlation values revealed the secret key bits. These points will be the points of interest, which could not be visually distinguished. This new attack could easily find points of interest and does not require any profiling stage, making it practical. Besides, this attack required fewer power traces than the Okeya-Sakurai model [42].
However, it can be clearly seen that the success of Kim's model [31] depends entirely on synchronized exponent bits, otherwise recovery will not be possible. Countermeasures with message blinding would fall to their attack, but if we probe our proposed secured model with their attack it can be seen that during one modular exponentiation only a single share of the secret exponent is computed. It can be seen in steps 6 & 7 of algorithm 5, $d_{inter} = L[index] \times R[index]$ and $result_{inter} = M^{d_{inter}} \bmod N$. The power traces that would be reconstructed with our model, say $P_j$ $(1 \le j \le m)$, and the corresponding correlated traces $PT_j$ $(2 \le j \le m)$ will be for m bits of the $j$th share of the secret key. Hence, the number of power traces that would be required to recover bits from all the shares will increase to a very large extent. Further, even if the bits of each exponent share were correctly revealed, for accurate recovery of the secret key the shares have to be recombined in the proper order. However, we have proposed E-NN in algorithm 3 for hiding the operations, which would make it computationally infeasible to recover the actual secret exponent. The requirement of a large number of power traces and the additional computation in rearranging the shares in the correct order would make their attack or any similar HODPA attacks impractical.
Our proposed work would however be vulnerable to those DPA attacks which target the key generation for RSA, like Vuillaume et al. [34]. We summarize all these findings in Tab. 1, showing the various attacks which our proposed approach can resist and which are beyond it. There are many resisting techniques to protect against SPA/DPA in RSA and CRT-RSA in the literature. However, none of these works have addressed HODPA so far except ours. A comparison of our proposed work with some relevant SPA/DPA resisting protocols for modular exponentiation based cryptosystems such as RSA is shown in Tab. 2.

C. RESISTANCE TO HORIZONTAL CORRELATION & TEMPLATES ATTACKS
One of the special cases of power analysis attacks is Horizontal correlation analysis. Such an attack on exponentiation was presented by Clavier et al. in [45], where they exploited the vulnerability of RSA encryption with a single power curve. In their attack model each single bit of the secret exponent (d) was determined by identifying the multiplication operations with the message (m) performed during the encryption. Considering that, say, s bits of d are known, the $(s+1)$th bit was identified to be 1 if and only if the next operation is a multiplication with m. Their analysis showed that with an l bit multiplier, on an RSA encryption of key size n, $(\frac{n}{l})^2$ segments will be generated in a single power trace. Thus longer keys will be at a higher risk with their attack. They further showed that general countermeasures like exponent blinding or secured methods like "multiply-always" or "Montgomery ladder" will be susceptible to their attack. However, randomizing the execution order during exponentiation can be an effective solution to protect against such attacks. The horizontal attacks on ECC by Dugardin et al. [46], where the scalar multiplications in ECC were targeted for revealing the secret key, also showed that general blinding or randomization of scalar multiplications will not be efficient against their attack. In the context of our proposed approach, we are able to split a large exponent into smaller shares and then change the execution order of the shares using the E-NN algorithm. Hence, if Clavier's attack model is probed, then by identifying the multiplication operations only the bits of the exponent may be revealed. But to obtain the secret key in proper order, each of the shares needs to be identified and then rearranged, which will be difficult because each share will be of a different size and, with t shares, the number of combinations possible will be $2^t$. Similar resistance can be provided to the attack model of Dugardin et al. [46].
Template attacks have been challenging the security of public key cryptosystems like RSA and ECC to a great extent. These attacks combine statistical modeling and power analysis in two different phases, first for template acquisition and second for template matching. The online template attacks by Batina et al. [47], [48] show the potential threat and severity of such attacks on ECC. Their attack model only uses one template trace per scalar bit, which can be applied to all kinds of scalar multiplications. The pattern matching was done using Pearson's correlation coefficient. Their attack on the "Double-and-Add-Always" algorithm was based on the two possible outcomes 2P and 3P, which depended on the MSB being 0 or 1. Considering these two possible states, the key bits can be recovered iteratively. Their attack also targets the Montgomery Ladder and Side-channel atomicity approaches. The strength of their attack is revealed by the fact that countermeasures which use blinding or bit randomization do not affect their attack. In the context of our proposed approach in algorithm 5, the exponentiation in line number 7 is computed randomly for one of the shares generated using algorithm 3. As Genetic Algorithm has been used to create the shares, every run of the algorithm will generate new shares and eventually new patterns for the same secret exponent. With the attack proposed by Batina et al. [47], [48], while correlating patterns the representation points will always be different. Even if this factor is overcome and the key bits of every share are revealed, due to random execution of the shares the bits still have to be rearranged in the correct order for complete recovery of the correct key. This will be difficult for the same reason as in horizontal correlation analysis: with t shares the number of combinations possible will be $2^t$. But our proposed approach still will not guarantee complete security from Batina's online template attack models.

VI. RESULTS AND DISCUSSION
We analyze the results for our proposed protocol in this section. Two parameters have been analyzed, complexity and mutual information analysis. We first present a brief detail on the standard benchmark used in our implementation.

A. BENCHMARK
To evaluate the proposed work, we consider the benchmarks offered by Public Key Cryptography Standards (PKCS) v2.1.10. PKCS, which is devised and published by RSA Security, has offered benchmarks for numerous

Simulation of the proposed protocol is done in MuPAD, a part of Matlab 2014b. MuPAD is well suited to the very large (1024-2048 bit) values involved. We used a workstation configured with 8 Gb RAM at 2.27 GHz to implement the proposed protocol and obtain the results.

B. COMPLEXITY
In order to address HODPA attacks, the proposed work first splits the secret exponent into multiple shares. Then, each individual modular exponentiation is randomly implemented with these shares one at a time. However, these steps are precomputed prior to the actual modular exponentiation. Hence, there is an overhead in the time complexity due to the precomputation.
As the sensitive data has been split using inner product with GA, the overall complexity will be similar to the complexity of GA. For hiding, the shares have been randomized using E-NN in algorithm 4. Since a new population is generated for finding every share of d, the number of shares will be equal to the number of populations, i.e. n. Further, in algorithm 4, each of the n shares computes its distance from the other n − 1 shares without repetition. Hence, the complexity for hiding will be O(Hiding) = O(n(n − 1)). However, algorithms 3 & 4 are precomputed, as can be seen in algorithms 5 & 6. Hence, the proposed work has a large potential to combat attacks such as DPA and HODPA, but at a computational overhead of O(gn) + O(n(n − 1)).
The precomputation for the shares performed in algorithm 3 and randomizing the order of execution through algorithm 4 will also consume some additional space. With In all our computations, we could find that the maximum number of shares generated was 15 (m = 15) in case of 2048 bit RSA.

C. MUTUAL INFORMATION ANALYSIS
It is an entropy-based measurement which depicts the amount of mutual information two independent values share. It is mainly a distinguisher introduced in 2008 [26] to mount HODPA attacks. It leads to successful recovery of key with minimum information of the leakage device [27]. MIA has proven to be an effective measurement for successfully mounting HODPA attacks.
However, in our analysis we have used Mutual Information Analysis (MIA) to measure the amount of information each individual share of the sensitive variable would leak if any HODPA attack is mounted. The lower the MIA value, the higher the security. For each share we computed the entropy H(S) using Equation 6 as in the proposed E-NN algorithm. Similar to Equation 6, we can compute the entropy Using both Equation 6 & 10 we can compute the joint entropy of S and d by, However, S and d are partially independent variables and few outcomes of S are known. Therefore, the uncertainty of knowing d can be represented by the conditional entropies of the two variables as shown below, where, Taking these entropies, the mutual dependency between two variables X and Y, referred to as mutual information, can be depicted by,

Since the information leaked from a device built in CMOS for HODPA is actually the transitions from 1 → 0 and 0 → 1, the Hamming weight is employed to model the leakage. In the context of the inner product, the gross leakage is presented as Leak(L, R) = HW(L_1) + HW(R_1), ..., HW(L_n) + HW(R_n). Due to the leakage, the mutual information will hence be I(d; Leak(L, R)), where d is the actual secret data.

Tables 3, 4 and 5 elaborate the MIA of the proposed work in RSA of size 1024, 1536 and 2048 bits for 6 test cases. Figure 1 represents these results graphically. Similarly, for all variants of CRT-RSA, MIA has been furnished in tables 6 to 8 along with figures 2, 3 and 4 for the same test cases.

D. MUTUAL INFORMATION ANALYSIS WITH GAUSSIAN NOISE
In general, every leaked share is associated with an independent Gaussian noise which affects the entire leakage. Hence, where, denotes Gaussian noise computed by, where, µ = mean and σ = standard deviation. In our analysis, we have also computed the mutual information for the shares associated with Gaussian noise. We have considered µ = 0 and σ values of 0.4, 0.6, 0.8, 1.0, 1.2, 1.4, 1.6 and 1.8 to see the effects. We found that with each increase in σ, the mutual information was immensely affected. The larger the noise, the smaller the amount of mutual information leaked from the shares. Fig. 5 shows the decrease in mutual information from the shares after addition of noise for both RSA and CRT-RSA.
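The measurement described in sections C and D, I(d; Leak(L, R)) under the Hamming-weight model without and with Gaussian noise, can be computed exactly on a toy instance. The following is an added example, not the paper's MuPAD code: it assumes 3-bit words, two share pairs drawn uniformly with d = <L, R> mod 8 (the GA-based split of algorithm 3 is not reproduced), the standard Shannon definition of mutual information, and an unshared HW(d) leak as a comparison baseline.

```python
import math
from collections import Counter
from itertools import product

BITS, PAIRS = 3, 2               # toy sizes (assumed); noisy_mi() is written for PAIRS == 2
MOD, TOP = 1 << BITS, 2 * BITS   # share modulus; largest value of HW(L_i) + HW(R_i)
HW = [bin(x).count("1") for x in range(MOD)]   # Hamming-weight leakage model

def joint_counts(shared=True):
    """Exact counts of (d, leak) over all uniform shares with d = <L, R> mod 2^BITS."""
    joint = Counter()
    for s in product(range(MOD), repeat=2 * PAIRS):
        L, R = s[:PAIRS], s[PAIRS:]
        d = sum(l * r for l, r in zip(L, R)) % MOD
        # shared: one HW(L_i) + HW(R_i) per pair; unshared baseline: HW(d) itself
        leak = tuple(HW[l] + HW[r] for l, r in zip(L, R)) if shared else (HW[d],)
        joint[d, leak] += 1
    return joint

def mutual_information(joint):
    """I(d; leak) in bits for noise-free leakage, from joint counts."""
    total, pd, pl = sum(joint.values()), Counter(), Counter()
    for (d, l), c in joint.items():
        pd[d] += c
        pl[l] += c
    return sum(c / total * math.log2(c * total / (pd[d] * pl[l]))
               for (d, l), c in joint.items())

def noisy_mi(joint, sigma, step=0.25, span=4.0):
    """I(d; leak + N(0, sigma^2) per component), integrated on a 2-D grid."""
    total, h, rows = sum(joint.values()), sigma * step, {}
    for (d, (l1, l2)), c in joint.items():
        rows.setdefault(d, []).append((c / total, l1, l2))
    pd = {d: sum(p for p, _, _ in r) for d, r in rows.items()}
    n = int((TOP + 2 * span * sigma) / h) + 1
    # G[i][l] = Gaussian density at grid point y_i for a noise-free leakage value l
    G = [[math.exp(-((i * h - span * sigma - l) / sigma) ** 2 / 2)
          / (sigma * math.sqrt(2 * math.pi)) for l in range(TOP + 1)]
         for i in range(n)]
    mi = 0.0
    for g1, g2 in product(G, repeat=2):
        f = {d: sum(p * g1[a] * g2[b] for p, a, b in r) for d, r in rows.items()}
        py = sum(f.values())
        mi += h * h * sum(v * math.log2(v / (pd[d] * py)) for d, v in f.items() if v > 0)
    return mi

if __name__ == "__main__":
    shares = joint_counts()
    print(mutual_information(joint_counts(False)), mutual_information(shares),
          [round(noisy_mi(shares, s), 4) for s in (0.4, 1.0, 1.8)])
```

The printed values are, in order, the unshared baseline, the noise-free shared leakage, and the shared leakage at σ = 0.4, 1.0 and 1.8; they apply to this toy instance only and are not comparable to the paper's tables.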

VII. CONCLUSION
A secured approach of computing modular exponentiation to combat DPA and HODPA attacks is presented in this paper. The proposed approach first splits the sensitive data (secret exponent) into multiple shares via inner product using Genetic Algorithm.

He was a recipient of two SPARC projects worth 166 lakh rupees from MHRD, Government of India, in AI in collaboration with Arizona State University, USA, and The University of Queensland Australia, and also the recipient of numerous prestigious awards, such as Erasmus+ Faculty Mobility Grant to Poland, DUO-India Professors Fellowship for research in responsible AI in collaboration with Brunel University London, U.K., LEAP Grant at the University of Cambridge, U.K., UKIERI Grant with Aston University, U.K., and a grant from Royal Academy of Engineering, U.K., under Newton Bhabha Fund. Currently, he is an Associate Editor of IEEE ACCESS journal.
VIJAYAKUMAR VARADARANJAN received the Diploma degree (Hons.), the B.E. degree (Hons.) in CSE, the MBA degree (Hons.) in HRD, the M.E. degree (Hons.) in CSE, and the Ph.D. degree from Anna University, in 2012. He was a Professor and an Associate Dean of the School of Computing Science and Engineering, VIT University, Chennai, India. He has more than 18 years of experience including industrial and institutional. He also served as the Team Lead in industries like Satyam, Mahindra Satyam, and Tech Mahindra for several years. He is currently an Adjunct Professor with the School of Computer Science and Engineering, University of New South Wales, Sydney, Australia. He is also a Visiting Postdoctoral Scientist with the Centro de Tecnologia, Federal University of Piauí, Brazil. He has published many articles in national and international level journals/conferences/books. He has initiated a number of international research collaborations with universities in Europe, Australia, Africa, Malaysia, Singapore, and North and South America. He had also initiated joint research collaboration between VIT University and various industries. He also organized several international conferences and special sessions in the USA, Vietnam, Africa, Malaysia, and India, including ARCI, IEEE, ACSAT, ISRC, ISBCC, and ICBCC. His research interests include computational areas covering grid computing, cloud computing, computer networks, cyber security, and big data. He received the University-Level Best Faculty Award, for the year 2015 to 2016. He also received First Rank Award for his M.E. degree. He is a member of several national and international professional bodies, including IFSA, EAI, BIS, ISTE, IAENG, CSTA, and IEA. He is a reviewer of IEEE TRANSACTIONS, Inderscience, and Springer journals. He is also the lead guest editor for few journals in Inderscience, Springer, Elsevier, IOS, UM, and IGI Global. VOLUME 10, 2022