Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK www.co.umist.ac.uk.

Presentation transcript:

Slide 1: Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter, UMIST, Manchester, UK

RSA Conf, Amsterdam, Oct 2001, C.D. Walter, UMIST
Slide 2: History
NSA Tempest programme;
P. Kocher (Crypto 96): Timing attack on implementations of Diffie-Hellman, RSA, DSS, and other systems;
Dhem, …, Quisquater, et al. (CARDIS 1998): A practical implementation of the Timing Attack;
P. Kocher, J. Jaffe & B. Jun (Crypto 99): Introduction to Differential Power Analysis …;
Messerges, Dabbish & Sloan (CHES 99): Power Analysis Attacks of Modular Exponentiation in Smartcards.

Slide 3: Recent Attacks
C. D. Walter & S. Thompson (CT-RSA 2001): Distinguishing Exponent Digits by Observing Modular Subtractions
– a timing attack which averaged over a number of exponentiations with the same exponent;
C. D. Walter (CHES 2001): Sliding Windows Succumbs to Big Mac Attack
– a DPA attack which averaged using the trace from a single exponentiation.

Slide 4: Security Model
Smartcard running RSA;
Unknown modulus M, unknown exponent D;
Known algorithms;
Single H/W multiplier;
Non-invasive, passive attack;
Attacker unable to read or influence I/O;
Can observe timing variations in long integer multiplications;
Can measure multiplier power usage.

Slide 5: The Timing Attack on RSA
Context: A × B mod M.
Output from Montgomery modular multiplication: S < 2M.
Require output S < M or < 2^n.
So conditional subtraction in S/W
– this affects timing, and we assume it can be observed.

Slide 6: Partial Product S
Last step of Montgomery modular multiplication (radix r): S ← (S + aB + qM)/r;
a = top digit of A, dependent on the size of A;
q, S effectively randomly distributed;
For random A and fixed B, the average S is a linear function of B, independent of A;
Larger B ⇒ more frequent final subtractions.

Slide 7: Distribution of S
For a multiply, S behaves like the random variable 2^(–n)αβ + γ, where α, β have the distributions of A, B and γ is uniform.
For a square, S behaves like 2^(–n)α^2 + γ.
Integrating over values of α and β, the probability of S being greater than 2^n is: … for multiply, … for square.

Slide 8: Squares vs Multiplies
… for multiply, … for square.
So the probabilities of conditional subtraction of M are different.
With sufficient observations we can distinguish squares from multiplies.
(Care: non-uniform distribution on [0..2^n].)

Slide 9: The Attack
Obtain frequencies for each operation by performing many exponentiations;
Separate squares from multiplications;
In square-and-multiply exponentiation obtain the bits of the secret key D.
Careless implementation of Modular Multiplication is dangerous.

Slide 10: m-ary Exponentiation
If square-and-multiply leaks, use m-ary exponentiation. Is it safer?
Example: 4-ary to compute A^D mod M
– each multiply is by one of A, A^2 or A^3.
Can these be distinguished?

Slide 11: Differentiating Multipliers
Pre-computations of A, A^2 and A^3 provide observation subsets with completely different distributions, hence different frequencies.
Form 8 subsets according to whether or not the conditional subtraction is made for each of these.
Use the vector of 8 frequencies to identify the multiplier and hence the exponent digit.

Slide 12: Sub in Initial Squaring (figure)

Slide 13: No Sub in Initial Squaring (figure)

Slide 14: Result
In m-ary exponentiation we may be able to discover the bits of the secret key D.
Careless implementation of Modular Multiplication is dangerous also for m-ary exponentiation.
Counter-measures: avoid conditional subtractions, or replace D by D + rφ(M) for fresh, random 32-bit r.
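As an added illustration (not code from the talk), the following Python models the leak of slides 5 to 9 and the first counter-measure of slide 14: a Montgomery multiplication with the final conditional subtraction, a check of how often that subtraction fires for squares versus multiplies, and a variant that keeps results below 2M by using a radix two bits larger, so the data-dependent branch disappears. The 64-bit modulus M, the seed and the trial count are constructed for the demo.

```python
import random

# Constructed demo parameters (not from the slides): a 64-bit odd modulus M
# with its top bit set, and Montgomery radix R = 2^n with R > M.
N_BITS = 64
R = 1 << N_BITS
random.seed(2001)
M = random.getrandbits(N_BITS) | (1 << (N_BITS - 1)) | 1
M_NEG_INV = pow(-M, -1, R)          # -M^(-1) mod R (Python 3.8+ modular inverse)

def montmul_leaky(a, b):
    """a*b*R^-1 mod M, fully reduced, with the final conditional subtraction.
    Returns (result, subtracted) so a caller can see which branch ran; in a
    real implementation that branch is the timing difference of slide 5."""
    t = a * b
    q = (t * M_NEG_INV) % R
    s = (t + q * M) >> N_BITS        # s < 2M whenever a, b < M
    if s >= M:
        return s - M, True
    return s, False

def subtraction_frequencies(trials=20000):
    """How often the final subtraction fires for squares and for multiplies
    of uniformly random operands below M (the statistic of slides 7 to 9)."""
    squares = multiplies = 0
    for _ in range(trials):
        a, b = random.randrange(M), random.randrange(M)
        squares += montmul_leaky(a, a)[1]
        multiplies += montmul_leaky(a, b)[1]
    return squares / trials, multiplies / trials

# Slide 14's first counter-measure, "avoid conditional subtractions": use a
# radix two bits larger, R2 = 2^(n+2) > 4M, and keep every operand below 2M.
# Then (a*b + q*M)/R2 < 4M^2/R2 + M < 2M, so no subtraction is needed inside
# the exponentiation; a single full reduction at the very end suffices.
N2 = N_BITS + 2
R2 = 1 << N2
M_NEG_INV2 = pow(-M, -1, R2)

def montmul_nosub(a, b):
    """a*b*R2^-1 mod M left in [0, 2M): same work on every input, no branch."""
    assert 0 <= a < 2 * M and 0 <= b < 2 * M
    t = a * b
    q = (t * M_NEG_INV2) % R2
    return (t + q * M) >> N2          # always < 2M, not necessarily < M
```

Running subtraction_frequencies() shows the square frequency sitting noticeably above the multiply frequency, which is exactly the difference slide 8 relies on; montmul_nosub has no such statistic because it never branches.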

Slide 15: Longer Keys?
Frequencies of multipliers & squares are unaffected by key length.
Exponent digits are equally identifiable.
If p = prob. of correctly assigning an exponent digit, and t = number of exponent digits, then p is independent of key length and p^t = prob. of correctly deducing the key D.
p^t decreases. So a longer key length is safer.

Slide 16: The DPA Attack on RSA
Summary: Differential Power Analysis (DPA) is used here to determine the secret key D from a single exponentiation.
Assumption: The implementation uses a single, small multiplier whose power consumption is data dependent and measurable.

Slide 17: Multipliers
Switching a gate in the H/W requires more power than not doing so;
On average, a Mult-Acc operation a×b+c has data dependent contributions roughly linear in the Hamming weights of a, b and c;
Variation occurs because of the state left by the previous mult-acc operation.

Slide 18: Combining Traces I
The long integer product A×B in an exponentiation contains a large number of small digit multiply-accumulates: a_i×b_j+c_k;
Identify the power subtraces of each a_i×b_j+c_k from the power trace of A×B;
Average the power traces for fixed i as j varies: this gives a trace tr_i which depends on a_i but only on the average of the digits of B.

Slides 19–25: Combining Traces (figures)
Subtraces for a_0×b_0, a_0×b_1, a_0×b_2, a_0×b_3 are shown one by one; then average the traces: a_0 × (b_0+b_1+b_2+b_3)/4.

Slide 26: Combining Traces (figure: tr_0 for a_0 × b̄)
b̄ is effectively an average random digit;
So the trace is characteristic of a_0 only, not B.

Slide 27: Combining Traces II
The dependence of tr_i on B is minimal if B has enough digits;
Concatenate the average traces tr_i for each a_i to obtain a trace tr_A which reflects properties of A much more strongly than those of B;
The smaller the multiplier or the larger the number of digits (or both), the more characteristic tr_A will be.

Slides 28–31: Combining Traces (figures): tr_0, then tr_1, tr_2, tr_3 are appended in turn.

Slide 32: Combining Traces (figure: tr_A)
This is the analogue of the frequency vector.
Question: Is the trace tr_A sufficiently characteristic to determine repeated use of a multiplier A in an exponentiation routine?

Slide 33: Distinguish Digits?
Averaging over the digits of B has reduced the noise level;
In m-ary exponentiation we only need to distinguish:
– squares from multiplies
– the multipliers A^(1), A^(2), A^(3), …, A^(m–1)
For small enough m and a large enough number of digits they can be distinguished in a simulation of clean data.

Slide 34: Distances between Traces (figure: tr_0 and tr_1 plotted for i = 0..n, vertical axis: power)
d(0,1) = ( Σ_{i=0}^{n} ( tr_0(i) – tr_1(i) )^2 )^(1/2)

Slide 35: Simulation (figure: tr_0 and tr_1 plotted for i = 0..n, vertical axis: gate switch count)
d(0,1) = ( Σ_{i=0}^{n} ( tr_0(i) – tr_1(i) )^2 )^(1/2)

Slide 36: Simulation Results
16-bit multiplier, 4-ary exponentiation, 512-bit modulus.
d(i,j) = distance between traces for the ith and jth multiplications of the exponentiation.
Av d for same multipliers: 2428 gates
SD for same multipliers: 1183
Av d for different multipliers: 23475 gates
SD for different multipliers: 481

Slide 37: Simulation Results
Equal exponent digits can be identified: their traces are close;
Unequal exponent digit traces are not close;
Squares can be distinguished from multiplications: their traces are not close to any other traces;
There are very few errors for typical cases.
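An added simulation (not the talk's own code) of the averaging of slides 17, 18 and 27 and the distance metric of slide 34, in the spirit of the clean-data simulation of slide 36: the power of one digit multiply-accumulate is modelled as the Hamming weights of its operands plus Gaussian noise, the sub-traces for fixed a_i are averaged over j to give tr_i, and d() is the Euclidean distance of slide 34. The digit size, the noise level and the carry model are constructed assumptions; a defender can run it with their own multiplier width to gauge how characteristic tr_A becomes.

```python
import math
import random

DIGIT_BITS = 16                 # digit size of the simulated multiplier (slide 36)
random.seed(2001)               # constructed, deterministic demo

def hw(x):
    """Hamming weight of a digit: the slides' rough linear power model."""
    return bin(x).count("1")

def random_long(n_digits):
    """A constructed n-digit long integer, least significant digit first."""
    return [random.getrandbits(DIGIT_BITS) for _ in range(n_digits)]

def averaged_trace(a_digits, b_digits, noise_sd=1.0):
    """tr_A as a list: entry i is the average over j of the simulated power of
    a_i*b_j+c.  Power of one digit multiply-accumulate is HW(a_i)+HW(b_j)+HW(c)
    plus Gaussian noise; the carry c is the low digit of the previous product,
    a constructed stand-in for the 'state left by the previous operation'."""
    mask = (1 << DIGIT_BITS) - 1
    trace = []
    for a in a_digits:
        total, c = 0.0, 0
        for b in b_digits:
            total += hw(a) + hw(b) + hw(c) + random.gauss(0.0, noise_sd)
            c = (a * b + c) & mask
        trace.append(total / len(b_digits))
    return trace

def distance(tr0, tr1):
    """d(0,1) = (sum_i (tr_0(i) - tr_1(i))^2)^(1/2), as on slide 34."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(tr0, tr1)))

def same_vs_different(n_digits, reps=5):
    """Average distance between traces of the same multiplier A against two
    different operands B, B', and between traces of two different multipliers
    A, A' against the same B, over `reps` constructed random cases."""
    d_same = d_diff = 0.0
    for _ in range(reps):
        a, a2 = random_long(n_digits), random_long(n_digits)
        b, b2 = random_long(n_digits), random_long(n_digits)
        tr_ab = averaged_trace(a, b)
        d_same += distance(tr_ab, averaged_trace(a, b2))
        d_diff += distance(tr_ab, averaged_trace(a2, b))
    return d_same / reps, d_diff / reps
```

Comparing same_vs_different(16) with same_vs_different(32) (256- and 512-bit operands at 16-bit digits) shows the different-multiplier distance growing with the number of digits while the same-multiplier distance does not, which is slide 27's "more digits, more characteristic" effect in this simplified model.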

Slide 38: Exponent Digit Values
As in the timing case, the pre-computations A^(i+1) ← A × A^(i) mod M provide traces for known multipliers. So:
We can determine which multiplicative operations are squares;
We can determine the exponent digit for each multiplication;
We can determine the secret exponent D.

Slide 39: Longer Keys?
Attack time is polynomial in key length t;
A longer key means better averaging in the traces and longer concatenated traces, so a higher probability p_t of correct digits.
No greater safety against this attack from longer keys if p_t^t goes up with t.

Slide 40: Longer Keys – Simulation
Example: 8-ary exponentiation, 32-bit multiplier.
Double the key length: is p_{2t}^2 > p_t?
(Table columns: Key Length t | Av to nearest | SD to nearest | Av to others | SD to others)

Slide 41: Longer Keys?
Av distance between equal multipliers is linear in key length;
Av SD between equal multipliers is linear in key length;
Av distance between different multipliers is not linear in key length: it goes up by a factor of 3 when the key length doubles;
Av SD between equal multipliers is linear in key length.

Slide 42: Longer Keys?
So, to be closer to a wrong digit, traces have to be more than:
– 2.2 SDs above average for 256-bit keys
– 3.0 SDs above average for 512-bit keys
– 5.7 SDs above average for 1024-bit keys
Assuming an approx. normal distribution, the probabilities p_t are then, respectively:

Slide 43: Longer Keys? – No Way!
So, for the simulation, we can deduce two digits more accurately than one when the key length is doubled.
So the secret key is easier to deduce when its length is increased.
The implementation becomes more insecure as the key length increases.
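Carrying slide 42's argument through as an added worked computation (not from the talk): under the normal approximation the SD thresholds give the per-digit probabilities p_t, and from these both slide 40's test p_{2t}^2 > p_t and the whole-key probability p_t^t of slide 39. The one-sided tail, and the digit count t = key length / 3 for 8-ary exponentiation, are assumptions made here.

```python
import math

# Slide 42's thresholds: how many SDs above average a trace must be before it
# is closer to a wrong digit (8-ary exponentiation, 32-bit multiplier).
SD_THRESHOLDS = {256: 2.2, 512: 3.0, 1024: 5.7}

def digit_success_prob(z):
    """p_t: probability that one exponent digit is assigned correctly when a
    mis-assignment needs a deviation of more than z SDs; assumes an
    approximately normal distribution and a one-sided tail (an assumption)."""
    return 1.0 - 0.5 * math.erfc(z / math.sqrt(2.0))

def key_success_prob(key_bits, digit_bits=3):
    """p_t^t for t exponent digits.  t = ceil(key_bits / digit_bits) with 3
    bits per digit for 8-ary exponentiation is an assumption, not a figure
    from the slides."""
    p = digit_success_prob(SD_THRESHOLDS[key_bits])
    t = math.ceil(key_bits / digit_bits)
    return p ** t

def doubling_helps_attacker(key_bits):
    """Slide 40's question: when the key length doubles, is p_{2t}^2 > p_t?"""
    p_t = digit_success_prob(SD_THRESHOLDS[key_bits])
    p_2t = digit_success_prob(SD_THRESHOLDS[2 * key_bits])
    return p_2t ** 2 > p_t
```

With these thresholds the whole-key probability p_t^t rises from roughly 0.30 at 256 bits to about 0.79 at 512 bits and essentially 1 at 1024 bits, which is the "safety in numbers" question answered in the negative for this implementation.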

Slide 44: Warning
With the DPA averaging above, it may be possible to use a single exponentiation to obtain the secret key, especially if the key length is increased;
Using D + rφ(M) with random r may be no defence.

Slide 45: Final Conclusion
Re-think the power of side-channel attacks on the implementation: they may become easier when the key length is increased.