Sliding Windows Succumbs to Big Mac Attack
Colin D. Walter, www.co.umist.ac.uk
CHES 2001 C.D. Walter, UMIST 2
Aims
• Re-think the power of DPA;
• Use it on a single exponentiation;
• Longer keys are more unsafe!
DPA Attack on RSA
Summary: Differential Power Analysis (DPA) is used to determine the secret exponent in an embedded RSA cryptosystem.
Assumption: The implementation uses a small multiplier whose power consumption is data dependent and measurable.
History
• P. Kocher, J. Jaffe & B. Jun, Introduction to Differential Power Analysis and Related Attacks, Crypto 99
• T. S. Messerges, E.A. Dabbish & R.H. Sloan, Power Analysis Attacks of Modular Exponentiation in Smartcards, CHES 99
Multipliers
• Switching a gate in the hardware requires more power than not doing so;
• On average, a multiply-accumulate operation a×b+c has data-dependent contributions roughly linear in the Hamming weights of a and b;
• Variation occurs because of the initial state set up by the previous multiply-accumulate operation.
First Results
• This theory was checked by simulation and found to be broadly correct;
• Refinements were made to this model (which will be reported elsewhere);
• These give a more precise & detailed partial ordering.
Combining Traces I
• The long integer product A×B in an exponentiation contains a large number of small digit multiply-accumulates: a_i×b_j+c_k
• Identify the power subtraces of each a_i×b_j+c_k from the power trace of A×B;
• Average the power traces for fixed i as j varies: this gives a trace tr_i which depends on a_i but only the average of the digits of B.
Combining Traces
• b is effectively an average random digit;
• So trace is characteristic of a_0 only, not B.
[Figure: trace tr_0, labelled a_0 b̄]
Combining Traces II
• The dependence of tr_i on B is minimal if B has enough digits;
• Concatenate the average traces tr_i for each a_i to obtain a trace tr_A which reflects properties of A much more strongly than those of B;
• The smaller the multiplier or the larger the number of digits (or both) then the more characteristic tr_A will be.
Combining Traces
• Question: Is the trace tr_A sufficiently characteristic to determine repeated use of a multiplier A in an exponentiation routine?
[Figure: trace tr_A]
Distinguish Digits?
• Averaging over the digits of B has reduced the noise level;
• In m-ary exponentiation we only need to distinguish:
  – squares from multiplies
  – the multipliers A(1), A(2), A(3), …, A(m–1)
• For small enough m and large enough number of digits they can be distinguished in a simulation of clean data.
Distances between Traces
[Figure: traces tr_0 and tr_1 plotted as power against i, for i from 0 to n]
$$d(0,1) = \left( \sum_{i=0}^{n} \big(tr_0(i) - tr_1(i)\big)^2 \right)^{1/2}$$
Simulation
[Figure: the same plot and the same distance d(0,1), with gate switch count on the vertical axis in place of power]
Simulation Results
16-bit multiplier, 4-ary exponentiation, 512-bit modulus.
d(i,j) = distance between traces for the ith and jth multiplications of the exponentiation.
Av d for same multipliers: 2428 gates
SD for same multipliers: 1183
Av d for different multipliers: 23475 gates
SD for different multipliers: 481
Simulation Results
• Equal exponent digits can be identified – their traces are close;
• Unequal exponent digit traces are not close;
• Squares can be distinguished from multiplications: their traces are not close to any other traces;
• There are very few errors for typical cases.
Exponent Digit Values
• Pre-computations A(i+1) ← A × A(i) mod M provide traces for known multipliers. So:
• We can determine which multiplicative operations are squares;
• We can determine the exponent digit for each multiplication;
• Minor extra detail for i = 0, 1 and m–1;
• This can be done independently for each operation.
Some Conclusions
• The independence means attack time is proportional to secret key length;
• Longer modulus means better discrimination between traces;
• No greater safety against this attack from longer keys.
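The averaging and distance steps from the slides, as an added toy leakage-assessment simulation (not the author's simulator). It assumes each digit multiply leaks HW(a_i) + HW(b_j) plus Gaussian noise; the function names, noise level and seed are assumptions. It goes slightly beyond the slides' 512-bit case by also running 2048 bits, to show why a longer modulus gives better discrimination.

```python
import math
import random

DIGIT_BITS = 16  # multiplier width used in the slides' simulation

def hw(x):
    """Hamming weight of a digit."""
    return bin(x).count("1")

def random_operand(rng, n_digits):
    """Constructed sample input: a long integer as a list of random digits."""
    return [rng.getrandbits(DIGIT_BITS) for _ in range(n_digits)]

def averaged_trace(A, B, rng, noise_sd=1.0):
    """tr_A: for each digit a_i, the mean leakage of a_i*b_j over all j."""
    trace = []
    for a in A:
        # Assumed leakage model: linear in both Hamming weights, plus noise.
        samples = [hw(a) + hw(b) + rng.gauss(0, noise_sd) for b in B]
        trace.append(sum(samples) / len(samples))
    return trace

def distance(t0, t1):
    """Euclidean distance d(0,1) between two averaged traces."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(t0, t1)))

def mean_distances(modulus_bits, trials=20, seed=1):
    """Mean distance for a reused multiplier A versus a different one."""
    rng = random.Random(seed)
    n = modulus_bits // DIGIT_BITS
    same = diff = 0.0
    for _ in range(trials):
        A, A2 = random_operand(rng, n), random_operand(rng, n)
        B1, B2 = random_operand(rng, n), random_operand(rng, n)
        ref = averaged_trace(A, B1, rng)
        same += distance(ref, averaged_trace(A, B2, rng))    # same A, new B
        diff += distance(ref, averaged_trace(A2, B2, rng))   # different A
    return same / trials, diff / trials

if __name__ == "__main__":
    for bits in (512, 2048):
        s, d = mean_distances(bits)
        print(f"{bits}-bit: same A {s:.1f}, different A {d:.1f}, ratio {d / s:.1f}")
```

In this model the same-multiplier distance stays roughly constant as the digit count grows, while the different-multiplier distance grows with the square root of the number of digits.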
Warning
• With the usual DPA averaging already done, it may be possible to use a single exponentiation to obtain the secret key;
• So using exponent d+rφ(M) with random r may be no defence.