Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK www.co.umist.ac.uk


RSA Conf, Amsterdam, Oct 2001


History

• NSA Tempest programme

• P. Kocher (Crypto 96): Timing attack on implementations of Diffie-Hellman, RSA, DSS, and other systems

• Dhem, …, Quisquater, et al. (CARDIS 1998): A practical implementation of the Timing Attack

• P. Kocher, J. Jaffe & B. Jun (Crypto 99): Introduction to Differential Power Analysis ….

• Messerges, Dabbish & Sloan (CHES 99): Power Analysis Attacks of Modular Exponentiation in Smartcards


Recent Attacks

• C. D. Walter & S. Thompson (CT-RSA 2001): Distinguishing Exponent Digits by Observing Modular Subtractions
  – a timing attack which averaged over a number of exponentiations with same exponent

• C. D. Walter (CHES 2001): Sliding Windows succumbs to Big Mac Attack
  – a DPA attack which averaged using the trace from a single exponentiation


Security Model

• Smartcard running RSA;

• Unknown modulus M, unknown exponent D;

• Known algorithms;

• Single H/W multiplier;

• Non-invasive, passive attack;

• Attacker unable to read or influence I/O;

• Can observe timing variations in long integer multiplications;

• Can measure multiplier power usage.


The Timing Attack on RSA

Context:

• AB mod M

• Output from Montgomery modular multiplication: S < 2M

• Require output S < M or < 2^n

• So conditional subtraction in S/W
  – This affects timing, and we assume it can be observed.


Partial Product S

• Last step of Montgomery modular multiplication:

S ← (S + aB + qM)/r

a = top digit of A, dependent on size of A

q, S effectively randomly distributed

• For random A and fixed B, the average S is a linear function of B, independent of A

• Larger B ⇒ more frequent final subtractions


Distribution of S

• For a multiply, S behaves like the random variable 2^(–n)αβ + γ, where α, β have the distributions of A, B and γ is uniform.

• For a square, S behaves like 2^(–n)α^2 + γ.

• Integrating over values of α and β, the probability of S being greater than 2^n is: … for multiply, … for square


Squares vs Multiplies

… for multiply, … for square.

• So probabilities of conditional subtraction of M are different.

• With sufficient observations we can distinguish squares from multiplies.

• (Care: non-uniform distribution on [0..2^n].)


The Attack

• Obtain frequencies for each operation by performing many exponentiations;

• Separate squares from multiplications;

• In square-and-multiply exponentiation obtain the bits of the secret key D.

• Careless implementation of Modular Multiplication is dangerous.


m-ary Exponentiation

• If square-and-multiply leaks, use m-ary exponentiation. Is it safer?

• Example: 4-ary to compute A^D mod M
  – Each multiply is by one of A, A^2 or A^3

• Can these be distinguished?


Differentiating Multipliers

• Pre-computations of A, A^2 and A^3 provide observation subsets with completely different distributions, hence different frequencies.

• Form 8 subsets for which the conditional subtraction is / is not made for these.

• Use vector of 8 frequencies to identify multiplier and hence the exponent digit.

[Figure: Sub in Initial Squaring]

[Figure: No Sub in Initial Squaring]

Result

• In m-ary exponentiation we may be able to discover the bits of secret key D.

• Careless implementation of Modular Multiplication is dangerous also for m-ary exponentiation.

• Counter-measures: avoid conditional subtractions or replace D by D+rφ(M) for fresh, random 32-bit r.
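
Added example (not from the talk): a simulation of Montgomery multiplication that measures how often the conditional subtraction fires for squares and for multiplies, beside one way to avoid the subtraction altogether by enlarging R so that R ≥ 4M. The function names, the constructed 256-bit odd modulus and the choice R = 4·2^n are assumptions of this sketch.

```python
import random

def mont_params(M, n):
    """Return R = 2^n and -M^-1 mod R for an odd modulus M < 2^n."""
    R = 1 << n
    return R, (-pow(M, -1, R)) % R

def mont_mul(a, b, M, R, neg_inv, subtract=True):
    """Montgomery product a*b*R^-1 mod M; returns (S, subtraction_done)."""
    T = a * b
    q = (T * neg_inv) % R            # chosen so that T + q*M is divisible by R
    S = (T + q * M) // R             # S < 2M whenever a, b < M
    if subtract and S >= M:          # data-dependent step: the timing leak
        return S - M, True
    return S, False

def subtraction_rates(M, n, trials, rng):
    """Frequency of the conditional subtraction for squares and for multiplies."""
    R, neg_inv = mont_params(M, n)
    squares = multiplies = 0
    for _ in range(trials):
        a, b = rng.randrange(M), rng.randrange(M)
        squares += mont_mul(a, a, M, R, neg_inv)[1]
        multiplies += mont_mul(a, b, M, R, neg_inv)[1]
    return squares / trials, multiplies / trials

def chain_without_subtraction(M, n, steps, rng):
    """Countermeasure: R >= 4M keeps every S below 2M with no subtraction."""
    R, neg_inv = mont_params(M, n + 2)         # R = 4 * 2^n > 4M
    r_inv = pow(R, -1, M)
    x, y = rng.randrange(2 * M), rng.randrange(2 * M)
    ref = x % M                                # reference in plain arithmetic
    for _ in range(steps):
        x, _ = mont_mul(x, x, M, R, neg_inv, subtract=False)
        x, _ = mont_mul(x, y, M, R, neg_inv, subtract=False)
        ref = ref * ref * r_inv % M
        ref = ref * y * r_inv % M
        if x >= 2 * M or x % M != ref:
            return False
    return True

def sample_modulus(n, rng):
    """Constructed test modulus: random, odd, top bit set (not a real RSA key)."""
    return rng.getrandbits(n) | (1 << (n - 1)) | 1

if __name__ == "__main__":
    rng = random.Random(2001)
    M = sample_modulus(256, rng)
    print(subtraction_rates(M, 256, 20000, rng))
    print(chain_without_subtraction(M, 256, 200, rng))
```

The gap between the two rates is what the frequency analysis relies on; in the second routine no branch depends on S, so that signal is absent.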


Longer Keys?

• Frequencies of multipliers & squares are unaffected by key length.

• Exponent digits are equally identifiable.

• If p = prob of correctly assigning an exponent digit, and t = no. of exponent digits, then p is independent of key length and p^t = prob of correctly deducing key D.

• p^t decreases. So longer key length is safer.


The DPA Attack on RSA

Summary: Differential Power Analysis (DPA) is used here to determine the secret key D from a single exponentiation.

Assumption: The implementation uses a single, small multiplier whose power consumption is data dependent and measurable.


Multipliers

• Switching a gate in the H/W requires more power than not doing so;

• On average, a multiply-accumulate operation a×b+c has data dependent contributions roughly linear in the Hamming weights of a, b and c;

• Variation occurs because of the state left by the previous multiply-accumulate operation.


Combining Traces I

• The long integer product A×B in an exponentiation contains a large number of small digit multiply-accumulates: a_i×b_j+c_k

• Identify the power subtraces of each a_i×b_j+c_k from the power trace of A×B;

• Average the power traces for fixed i as j varies: this gives a trace tr_i which depends on a_i but only the average of the digits of B.

Combining Traces

[Figure: the power subtraces for a_0×b_0, a_0×b_1, a_0×b_2 and a_0×b_3 are overlaid.]

Average the traces: a_0(b_0+b_1+b_2+b_3)/4

• b̄ is effectively an average random digit;

• So the averaged trace tr_0 (for a_0×b̄) is characteristic of a_0 only, not B.

Combining Traces II

• The dependence of tr_i on B is minimal if B has enough digits;

• Concatenate the average traces tr_i for each a_i to obtain a trace tr_A which reflects properties of A much more strongly than those of B;

• The smaller the multiplier or the larger the number of digits (or both) then the more characteristic tr_A will be.

Combining Traces

[Figure: the averaged traces tr_0, tr_1, tr_2 and tr_3 are concatenated to form tr_A.]

• This is the analogue of the frequency vector.

• Question: Is the trace tr_A sufficiently characteristic to determine repeated use of a multiplier A in an exponentiation routine?

Distinguish Digits?

• Averaging over the digits of B has reduced the noise level;

• In m-ary exponentiation we only need to distinguish:
  – squares from multiplies
  – the multipliers A(1), A(2), A(3), …, A(m–1)

• For small enough m and large enough number of digits they can be distinguished in a simulation of clean data.


Distances between Traces

[Figure: two traces tr_0 and tr_1 plotted as power against index i, for i from 0 to n.]

d(0,1) = ( Σ_{i=0}^{n} (tr_0(i) − tr_1(i))^2 )^{1/2}

Simulation

[Figure: the same two traces and distance d(0,1), with gate switch count on the vertical axis in place of power.]

Simulation Results

16-bit multiplier, 4-ary exponentiation, 512-bit modulus.

d(i,j) = distance between traces for the ith and jth multiplications of the exponentiation.

Av d for same multipliers:        2428 gates
SD for same multipliers:          1183
Av d for different multipliers:   23475 gates
SD for different multipliers:     481


Simulation Results

• Equal exponent digits can be identified – their traces are close;

• Unequal exponent digit traces are not close;

• Squares can be distinguished from multiplications: their traces are not close to any other traces;

• There are very few errors for typical cases.


Exponent Digit Values

• As in timing case, pre-computations A(i+1) ← A × A(i) mod M provide traces for known multipliers. So:

• We can determine which multiplicative operations are squares;

• We can determine the exponent digit for each multiplication;

• We can determine the secret exponent D.


Longer Keys?

• Attack time is polynomial in key length t;

• Longer key means better average in traces and longer concatenated traces; so higher probability p_t of correct digits.

• No greater safety against this attack from longer keys if p_t^t goes up with t.
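
Added example (not the talk's gate-level simulation): a simplified leakage model in which each digit multiply-accumulate contributes the Hamming weights of its two digits plus Gaussian noise. It builds tr_A by averaging over the digits of B, then compares Euclidean distances for equal and for different multipliers at two operand lengths; the noise level, function names and random operands are constructed for illustration.

```python
import math
import random

DIGIT_BITS = 16                      # multiplier width (assumed)

def random_operand(num_digits, rng):
    """Constructed long integer as a list of DIGIT_BITS-bit digits."""
    return [rng.getrandbits(DIGIT_BITS) for _ in range(num_digits)]

def subtrace(a_digit, b_digit, rng, noise_sd):
    """Assumed power sample for one a_i*b_j step: Hamming weights plus noise."""
    return (bin(a_digit).count("1") + bin(b_digit).count("1")
            + rng.gauss(0.0, noise_sd))

def averaged_trace(A, B, rng, noise_sd=2.0):
    """tr_A = [tr_0, tr_1, ...], where tr_i averages the a_i*b_j samples over j."""
    return [sum(subtrace(a, b, rng, noise_sd) for b in B) / len(B) for a in A]

def distance(t0, t1):
    """Euclidean distance between two concatenated traces."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(t0, t1)))

def mean_distances(num_digits, pairs, rng):
    """Mean distance for equal multipliers and for different multipliers."""
    same = diff = 0.0
    for _ in range(pairs):
        A = random_operand(num_digits, rng)
        other = random_operand(num_digits, rng)
        ref = averaged_trace(A, random_operand(num_digits, rng), rng)
        same += distance(ref, averaged_trace(A, random_operand(num_digits, rng), rng))
        diff += distance(ref, averaged_trace(other, random_operand(num_digits, rng), rng))
    return same / pairs, diff / pairs

if __name__ == "__main__":
    rng = random.Random(2001)
    for digits in (16, 64):          # 256-bit and 1024-bit operands
        same, diff = mean_distances(digits, 60, rng)
        print(digits * DIGIT_BITS, "bits:", round(same, 2), round(diff, 2))
```

In this model the equal-multiplier distance stays roughly constant while the different-multiplier distance grows with the number of digits, so the separation widens for longer operands; the absolute values are not comparable with the gate counts reported in the talk.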


Longer Keys – Simulation

Example: 8-ary exponentiation, 32-bit multiplier.

Double the key length: is p_{2t}^2 > p_t ?

Key length t     256    384    512    768   1024
Av to nearest   1529   2366   3750   4501   6246
SD to nearest    885   1403   2386   2535   3612
Av to others    5890  11753  17896  32594  53070
SD to others    1108   2412   2279   4646   4581


Longer Keys?

• Av distance between equal multipliers is linear in key length;

• Av SD between equal multipliers is linear in key length;

• Av distance between different multipliers is not linear in key length: it goes up by a factor of 3 when key length doubles;

• Av SD between equal multipliers is linear in key length.


Longer Keys?

• So, to be closer to a wrong digit, traces have to be more than:

– 2.2 SDs above average for 256-bit keys

– 3.0 SDs above average for 512-bit keys

– 5.7 SDs above average for 1024-bit keys

• Assuming an approx. normal distribution, the probabilities p_t are then, respectively: 0.9861, 0.99865, 0.9999999943


Longer Keys? – No Way!

• So, for the simulation, we can deduce two digits more accurately than one when the key length is doubled.

• So the secret key is easier to deduce when its length is increased.

• The implementation becomes more insecure as key length increases.


Warning

• With the DPA averaging above, it may be possible to use a single exponentiation to obtain the secret key, especially if the key length is increased;

• Using D+rφ(M) with random r may be no defence.


Final Conclusion

• Re-think the power of side-channel attacks on the implementation :

• they may become easier when the key length is increased.