Sliding Windows Succumbs to Big Mac Attack Colin D. Walter www.co.umist.ac.uk
Sliding Windows Succumbs to Big Mac Attack
Dec 31, 2015
Sliding Windows Succumbs to Big Mac Attack. Colin D. Walter www.co.umist.ac.uk. Aims. Re-think the power of DPA; Use it on a single exponentiation; Longer keys are more unsafe !. DPA Attack on RSA. - PowerPoint PPT Presentation
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Sliding Windows Succumbs to
Big Mac Attack
Colin D. Walterwww.co.umist.ac.uk
CHES 2001 C.D. Walter, UMIST 2
Aims
• Re-think the power of DPA;
• Use it on a single exponentiation;
• Longer keys are more unsafe!
CHES 2001 C.D. Walter, UMIST 3
DPA Attack on RSA
Summary: Differential Power Analysis (DPA) is used to determine the secret exponent in an embedded RSA cryptosystem.
Assumption: The implementation uses a small multiplier whose power consumption is data dependent and measurable.
CHES 2001 C.D. Walter, UMIST 4
History
• P. Kocher, J. Jaffe & B. Jun Introduction to Differential Power
Analysis and Related Attacks Crypto 99
• T. S. Messerges, E.A. Dabbish & R.H. Sloan Power Analysis Attacks of Modular Exponentiation in Smartcards CHES 99
CHES 2001 C.D. Walter, UMIST 5
Multipliers
• Switching a gate in the H/W requires more power than not doing so;
• On average, a Mult-Acc opn a×b+c has data dependent contributions roughly linear in the Hamming weights of a and b;
• Variation occurs because of the initial state set up by the previous mult-acc opn.
CHES 2001 C.D. Walter, UMIST 6
First Results
• This theory was checked by simulation
and found to be broadly correct;
• Refinements were made to this model
(which will be reported elsewhere);
• These give a more precise & detailed
partial ordering.
CHES 2001 C.D. Walter, UMIST 7
Combining Traces I
• The long integer product A×B in an exponentiation contains a large number of small digit multiply-accumulates: ai×bj+ck
• Identify the power subtraces of each ai×bj+ck
from the power trace of A×B;
• Average the power traces for fixed i as j varies: this gives a trace tri which depends on ai but
only the average of the digits of B.
CHES 2001 C.D. Walter, UMIST 8
Combining Traces
a0b0 a0b1 a0b2 a0b3
CHES 2001 C.D. Walter, UMIST 9
Combining Traces
a0b0
CHES 2001 C.D. Walter, UMIST 10
Combining Traces
a0b0
a0b1
CHES 2001 C.D. Walter, UMIST 11
Combining Traces
a0b0
a0b1
a0b2
CHES 2001 C.D. Walter, UMIST 12
Combining Traces
a0b0
a0b1
a0b2
a0b3
CHES 2001 C.D. Walter, UMIST 13
Combining Traces
CHES 2001 C.D. Walter, UMIST 14
Combining Traces
a0(b0+b1+b2+b3)/4
Average the traces:
CHES 2001 C.D. Walter, UMIST 15
• b is effectively an average random digit;
• So trace is characteristic of a0 only, not B.
tr0
Combining Traces
a0b_
_
CHES 2001 C.D. Walter, UMIST 16
Combining Traces II
• The dependence of tri on B is minimal
if B has enough digits;
• Concatenate the average traces tri for each ai to obtain a trace trA which reflects properties of A much more strongly than those of B;
• The smaller the multiplier or the larger the number of digits (or both) then the more characteristic trA will be.
CHES 2001 C.D. Walter, UMIST 17
Combining Traces
tr0
CHES 2001 C.D. Walter, UMIST 18
Combining Traces
tr0 tr1
CHES 2001 C.D. Walter, UMIST 19
Combining Traces
tr0 tr1 tr2
CHES 2001 C.D. Walter, UMIST 20
Combining Traces
tr0 tr1 tr2 tr3
CHES 2001 C.D. Walter, UMIST 21
• Question: Is the trace trA sufficiently characteristic to determine repeated use of a multiplier A in an exponentiation routine?
Combining Traces
trA
CHES 2001 C.D. Walter, UMIST 22
Distinguish Digits?
• Averaging over the digits of B has reduced the noise level;
• In m-ary exponentiation we only need to distinguish: – squares from multiplies– the multipliers A(1), A(2), A(3), …, A(m–1)
• For small enough m and large enough number of digits they can be distinguished in a simulation of clean data.
CHES 2001 C.D. Walter, UMIST 23
Distances between Traces
tr0
tr1
d(0,1) = ( i=0(tr0(i)tr1(i))2 )½ n
in0
power
CHES 2001 C.D. Walter, UMIST 24
Simulation
tr0
tr1
d(0,1) = ( i=0(tr0(i)tr1(i))2 )½ n
in0
gate switch count
CHES 2001 C.D. Walter, UMIST 25
Simulation Results
16-bit multiplier, 4-ary expn, 512-bit modulus.
d(i,j) = distance between traces for ith and jth multiplications of expn.
Av d for same multipliers 2428 gates
SD for same multipliers 1183
Av d for different multipliers 23475 gates
SD for different multipliers 481
CHES 2001 C.D. Walter, UMIST 26
Simulation Results
• Equal exponent digits can be identified – their traces are close;
• Unequal exponent digit traces are not close;
• Squares can be distinguished from multns: their traces are not close to any other traces;
• There are very few errors for typical cases.
CHES 2001 C.D. Walter, UMIST 27
Expnt Digit Values
• Pre-computations A(i+1) A A(i) mod M provide traces for known multipliers. So:
• We can determine which multive opns are squares;
• We can determine the exp digit for each multn;
• Minor extra detail for i = 0, 1 and m–1;
• This can be done independently for each opn.
CHES 2001 C.D. Walter, UMIST 28
Some Conclusions
• The independence means attack time proportional to secret key length;
• Longer modulus means better discrimination between traces;
• No greater safety against this attack from longer keys.
CHES 2001 C.D. Walter, UMIST 29
WarningWarning
• With the usual DPA averaging
already done, it may be possible
to use a single exponentiationsingle exponentiation to
obtain the secret key;
• So using expSo using expntnt dd++rrφ(φ(MM) with ) with
random random rr may be no defence. may be no defence.
CHES 2001 C.D. Walter, UMIST 30
Final Conclusions
• Sliding Windows expn method may be broken in this way;
• Like a Big Mac, you can nibble away at each secret exponent digit in turn and enjoy finding out its value.
Related Documents
