Top Banner
Sliding Windows Succumbs to Big Mac Attack Colin D. Walter www.co.umist.ac.uk
30

Sliding Windows Succumbs to Big Mac Attack

Dec 31, 2015

Download

Documents

simone-randall

Sliding Windows Succumbs to Big Mac Attack. Colin D. Walter www.co.umist.ac.uk. Aims. Re-think the power of DPA; Use it on a single exponentiation; Longer keys are more unsafe !. DPA Attack on RSA. - PowerPoint PPT Presentation
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Sliding Windows Succumbs to Big Mac Attack

Sliding Windows Succumbs to

Big Mac Attack

Colin D. Walterwww.co.umist.ac.uk

Page 2: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 2

Aims

• Re-think the power of DPA;

• Use it on a single exponentiation;

• Longer keys are more unsafe!

Page 3: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 3

DPA Attack on RSA

Summary: Differential Power Analysis (DPA) is used to determine the secret exponent in an embedded RSA cryptosystem.

Assumption: The implementation uses a small multiplier whose power consumption is data dependent and measurable.

Page 4: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 4

History

• P. Kocher, J. Jaffe & B. Jun Introduction to Differential Power

Analysis and Related Attacks Crypto 99

• T. S. Messerges, E.A. Dabbish & R.H. Sloan Power Analysis Attacks of Modular Exponentiation in Smartcards CHES 99

Page 5: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 5

Multipliers

• Switching a gate in the H/W requires more power than not doing so;

• On average, a Mult-Acc opn a×b+c has data dependent contributions roughly linear in the Hamming weights of a and b;

• Variation occurs because of the initial state set up by the previous mult-acc opn.

Page 6: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 6

First Results

• This theory was checked by simulation

and found to be broadly correct;

• Refinements were made to this model

(which will be reported elsewhere);

• These give a more precise & detailed

partial ordering.

Page 7: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 7

Combining Traces I

• The long integer product A×B in an exponentiation contains a large number of small digit multiply-accumulates: ai×bj+ck

• Identify the power subtraces of each ai×bj+ck

from the power trace of A×B;

• Average the power traces for fixed i as j varies: this gives a trace tri which depends on ai but

only the average of the digits of B.

Page 8: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 8

Combining Traces

a0b0 a0b1 a0b2 a0b3

Page 9: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 9

Combining Traces

a0b0

Page 10: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 10

Combining Traces

a0b0

a0b1

Page 11: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 11

Combining Traces

a0b0

a0b1

a0b2

Page 12: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 12

Combining Traces

a0b0

a0b1

a0b2

a0b3

Page 13: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 13

Combining Traces

Page 14: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 14

Combining Traces

a0(b0+b1+b2+b3)/4

Average the traces:

Page 15: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 15

• b is effectively an average random digit;

• So trace is characteristic of a0 only, not B.

tr0

Combining Traces

a0b_

_

Page 16: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 16

Combining Traces II

• The dependence of tri on B is minimal

if B has enough digits;

• Concatenate the average traces tri for each ai to obtain a trace trA which reflects properties of A much more strongly than those of B;

• The smaller the multiplier or the larger the number of digits (or both) then the more characteristic trA will be.

Page 17: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 17

Combining Traces

tr0

Page 18: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 18

Combining Traces

tr0 tr1

Page 19: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 19

Combining Traces

tr0 tr1 tr2

Page 20: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 20

Combining Traces

tr0 tr1 tr2 tr3

Page 21: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 21

• Question: Is the trace trA sufficiently characteristic to determine repeated use of a multiplier A in an exponentiation routine?

Combining Traces

trA

Page 22: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 22

Distinguish Digits?

• Averaging over the digits of B has reduced the noise level;

• In m-ary exponentiation we only need to distinguish: – squares from multiplies– the multipliers A(1), A(2), A(3), …, A(m–1)

• For small enough m and large enough number of digits they can be distinguished in a simulation of clean data.

Page 23: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 23

Distances between Traces

tr0

tr1

d(0,1) = ( i=0(tr0(i)tr1(i))2 )½ n

in0

power

Page 24: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 24

Simulation

tr0

tr1

d(0,1) = ( i=0(tr0(i)tr1(i))2 )½ n

in0

gate switch count

Page 25: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 25

Simulation Results

16-bit multiplier, 4-ary expn, 512-bit modulus.

d(i,j) = distance between traces for ith and jth multiplications of expn.

Av d for same multipliers 2428 gates

SD for same multipliers 1183

Av d for different multipliers 23475 gates

SD for different multipliers 481

Page 26: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 26

Simulation Results

• Equal exponent digits can be identified – their traces are close;

• Unequal exponent digit traces are not close;

• Squares can be distinguished from multns: their traces are not close to any other traces;

• There are very few errors for typical cases.

Page 27: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 27

Expnt Digit Values

• Pre-computations A(i+1) A A(i) mod M provide traces for known multipliers. So:

• We can determine which multive opns are squares;

• We can determine the exp digit for each multn;

• Minor extra detail for i = 0, 1 and m–1;

• This can be done independently for each opn.

Page 28: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 28

Some Conclusions

• The independence means attack time proportional to secret key length;

• Longer modulus means better discrimination between traces;

• No greater safety against this attack from longer keys.

Page 29: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 29

WarningWarning

• With the usual DPA averaging

already done, it may be possible

to use a single exponentiationsingle exponentiation to

obtain the secret key;

• So using expSo using expntnt dd++rrφ(φ(MM) with ) with

random random rr may be no defence. may be no defence.

Page 30: Sliding Windows Succumbs to Big Mac Attack

CHES 2001 C.D. Walter, UMIST 30

Final Conclusions

• Sliding Windows expn method may be broken in this way;

• Like a Big Mac, you can nibble away at each secret exponent digit in turn and enjoy finding out its value.