1 / 30

Sliding Windows Succumbs to Big Mac Attack

Sliding Windows Succumbs to Big Mac Attack. Colin D. Walter www.co.umist.ac.uk. Aims. Re-think the power of DPA; Use it on a single exponentiation; Longer keys are more unsafe !. DPA Attack on RSA.

simone-randall
Télécharger la présentation

Sliding Windows Succumbs to Big Mac Attack

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Sliding Windows Succumbs to Big Mac Attack Colin D. Walter www.co.umist.ac.uk

  2. Aims • Re-think the power of DPA; • Use it on a single exponentiation; • Longer keys are more unsafe! C.D. Walter, UMIST

  3. DPA Attack on RSA Summary: Differential Power Analysis (DPA) is used to determine the secret exponent in an embedded RSA cryptosystem. Assumption: The implementation uses a small multiplier whose power consumption is data dependent and measurable. C.D. Walter, UMIST

  4. History • P. Kocher, J. Jaffe & B. Jun Introduction to Differential Power Analysis and Related Attacks Crypto 99 • T. S. Messerges, E.A. Dabbish & R.H. Sloan Power Analysis Attacks of Modular Exponentiation in Smartcards CHES 99 C.D. Walter, UMIST

  5. Multipliers • Switching a gate in the H/W requires more power than not doing so; • On average, a Mult-Acc opna×b+chas data dependent contributions roughly linear in the Hamming weights of a and b; • Variation occurs because of the initial state set up by the previous mult-acc opn. C.D. Walter, UMIST

  6. First Results • This theory was checked by simulation and found to be broadly correct; • Refinements were made to this model (which will be reported elsewhere); • These give a more precise & detailed partial ordering. C.D. Walter, UMIST

  7. Combining Traces I • The long integer product A×B in an exponentiation contains a large number of small digit multiply-accumulates: ai×bj+ck • Identify the power subtraces of each ai×bj+ck from the power trace of A×B; • Average the power traces for fixed i as jvaries: this gives a trace triwhich depends on ai but only the average of the digits of B. C.D. Walter, UMIST

  8. Combining Traces a0b0 a0b1 a0b2 a0b3 C.D. Walter, UMIST

  9. Combining Traces a0b0 C.D. Walter, UMIST

  10. Combining Traces a0b1 a0b0 C.D. Walter, UMIST

  11. Combining Traces a0b2 a0b1 a0b0 C.D. Walter, UMIST

  12. Combining Traces a0b3 a0b2 a0b1 a0b0 C.D. Walter, UMIST

  13. Combining Traces C.D. Walter, UMIST

  14. Combining Traces Average the traces: a0(b0+b1+b2+b3)/4 C.D. Walter, UMIST

  15. Combining Traces _ • b is effectively an average random digit; • So trace is characteristic of a0 only, not B. tr0 _ a0b C.D. Walter, UMIST

  16. Combining Traces II • The dependence of tri onBis minimal ifBhas enough digits; • Concatenate the average tracestrifor eachaito obtain a tracetrAwhich reflectsproperties ofAmuch more strongly than those ofB; • The smaller the multiplier or the larger the number of digits (or both) then the more characteristic trA will be. C.D. Walter, UMIST

  17. Combining Traces tr0 C.D. Walter, UMIST

  18. Combining Traces tr0 tr1 C.D. Walter, UMIST

  19. Combining Traces tr0 tr1 tr2 C.D. Walter, UMIST

  20. Combining Traces tr3 tr0 tr1 tr2 C.D. Walter, UMIST

  21. Combining Traces • Question: Is the trace trA sufficiently characteristic to determine repeated use of a multiplier A in an exponentiation routine? trA C.D. Walter, UMIST

  22. Distinguish Digits? • Averaging over the digits of B has reduced the noise level; • In m-ary exponentiation we only need to distinguish: • squares from multiplies • the multipliers A(1), A(2), A(3), …, A(m–1) • For small enough m and large enough number of digits they can be distinguished in a simulation of clean data. C.D. Walter, UMIST

  23. Distances between Traces power tr0 tr1 i 0 n n d(0,1) = ( i=0(tr0(i)tr1(i))2)½ C.D. Walter, UMIST

  24. Simulation gate switch count tr0 tr1 i 0 n n d(0,1) = ( i=0(tr0(i)tr1(i))2)½ C.D. Walter, UMIST

  25. Simulation Results 16-bit multiplier, 4-ary expn, 512-bit modulus. d(i,j) = distance between traces for ith and jth multiplications of expn. Av d for same multipliers 2428 gates SD for same multipliers 1183 Av d for different multipliers 23475 gates SD for different multipliers 481 C.D. Walter, UMIST

  26. Simulation Results • Equal exponent digits can be identified – their traces are close; • Unequal exponent digit traces are not close; • Squares can be distinguished from multns: their traces are not close to any other traces; • There are very few errors for typical cases. C.D. Walter, UMIST

  27. Expnt Digit Values • Pre-computations A(i+1) A A(i) mod M provide traces for known multipliers. So: • We can determine which multive opns are squares; • We can determine the exp digit for each multn; • Minor extra detail for i = 0, 1 and m–1; • This can be done independently for each opn. C.D. Walter, UMIST

  28. Some Conclusions • The independence means attack time proportional to secret key length; • Longer modulus means better discrimination between traces; • No greater safety against this attack from longer keys. C.D. Walter, UMIST

  29. Warning • With the usual DPA averaging already done, it may be possible to use a single exponentiationto obtain the secret key; • So using expntd+rφ(M) with random r may be no defence. C.D. Walter, UMIST

  30. Final Conclusions • Sliding Windows expn method may be broken in this way; • Like a Big Mac, you can nibble away at each secret exponent digit in turn and enjoy finding out its value. C.D. Walter, UMIST

More Related