Sliding Windows Succumbs to Big Mac Attack - PowerPoint PPT Presentation

About This Presentation
Title:

Sliding Windows Succumbs to Big Mac Attack

Description:

So trace is characteristic of a0 only, not B. tr0. Combining Traces. a0. b CHES 2001 ... number of digits (or both) then the more characteristic trA will be. ... – PowerPoint PPT presentation

Slides: 31
Provided by: ColinW62

Transcript and Presenter's Notes



1
Sliding Windows Succumbs to Big Mac Attack
  • Colin D. Walter
  • www.co.umist.ac.uk

2
Aims
  • Re-think the power of DPA
  • Use it on a single exponentiation
  • Longer keys are more unsafe!

3
DPA Attack on RSA
  • Summary: Differential Power Analysis
    (DPA) is used to determine the secret exponent
    in an embedded RSA cryptosystem.
  • Assumption: The
    implementation uses a small multiplier whose
    power consumption is data dependent and
    measurable.

4
History
  • P. Kocher, J. Jaffe & B. Jun,
    Introduction to Differential Power Analysis
    and Related Attacks, Crypto 99
  • T. S. Messerges, E.A. Dabbish & R.H. Sloan, Power
    Analysis Attacks of Modular Exponentiation in
    Smartcards, CHES 99

5
Multipliers
  • Switching a gate in the H/W requires more power
    than not doing so
  • On average, a Mult-Acc opn a×b+c has data
    dependent contributions roughly linear in the
    Hamming weights of a and b
  • Variation occurs because of the initial state set
    up by the previous mult-acc opn.

6
First Results
  • This theory was checked by simulation and found
    to be broadly correct
  • Refinements were made to this model (which will
    be reported elsewhere)
  • These give a more precise detailed partial
    ordering.

7
Combining Traces I
  • The long integer product A×B in an exponentiation
    contains a large number of small digit
    multiply-accumulates a_i×b_j+c_k
  • Identify the power subtraces of each a_i×b_j+c_k
    from the power trace of A×B
  • Average the power traces for fixed i as j varies:
    this gives a trace tr_i which depends on a_i but
    only the average of the digits of B.

8–14
Combining Traces
[Figure, built up over slides 8–14: the power sub-traces for a0×b0, a0×b1, a0×b2 and a0×b3 are overlaid, then averaged to give a trace for a0×(b0+b1+b2+b3)/4]
15
Combining Traces
  • b̄ is effectively an average random digit
  • So trace is characteristic of a0 only, not B.
  • tr0

[Figure: the averaged trace, labelled a0×b̄]
16
Combining Traces II
  • The dependence of tr_i on B is minimal if
    B has enough digits
  • Concatenate the average traces tr_i for each a_i
    to obtain a trace tr_A which reflects properties
    of A much more strongly than those of B
  • The smaller the multiplier or the larger the
    number of digits (or both) then the more
    characteristic tr_A will be.

17–20
Combining Traces
[Figure, built up over slides 17–20: the averaged traces tr0, tr1, tr2 and tr3 placed end to end]
21
Combining Traces
  • Question: Is the trace tr_A sufficiently
    characteristic to determine repeated use of a
    multiplier A in an exponentiation routine?

[Figure: the concatenated trace tr_A]
22
Distinguish Digits?
  • Averaging over the digits of B has reduced the
    noise level
  • In m-ary exponentiation we only need to
    distinguish
      – squares from multiplies
      – the multipliers A(1), A(2), A(3), …,
        A(m−1)
  • For small enough m and large enough number of
    digits they can be distinguished in a simulation
    of clean data.

23
Distances between Traces
[Figure: power traces tr0 and tr1 plotted against i, from 0 to n]
$d(0,1) = \left( \sum_{i=0}^{n} (tr_0(i) - tr_1(i))^2 \right)^{1/2}$
24
Simulation
[Figure: simulated gate switch count for tr0 and tr1 plotted against i, from 0 to n]
$d(0,1) = \left( \sum_{i=0}^{n} (tr_0(i) - tr_1(i))^2 \right)^{1/2}$
25
Simulation Results
  • 16-bit multiplier, 4-ary expn, 512-bit modulus.
  • d(i,j) = distance between traces for ith and
    jth multiplications of expn.
  • Av d for same multipliers: 2428 gates
  • SD for same multipliers: 1183
  • Av d for different multipliers: 23475 gates
  • SD for different multipliers: 481

26
Simulation Results
  • Equal exponent digits can be identified: their
    traces are close
  • Unequal exponent digit traces are not close
  • Squares can be distinguished from multns: their
    traces are not close to any other traces
  • There are very few errors for typical cases.
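
Added example (not from the presentation, and not the simulator behind the figures above): the averaging and distance comparison from the preceding slides under an assumed leakage model, HW(a_i) + HW(b_j) plus Gaussian noise with one sample per multiply-accumulate. An implementer can run the same comparison on measured traces to check whether a countermeasure leaves same-multiplier and different-multiplier distances indistinguishable; the function names, SIGMA and the seed are assumptions, and the output is not in the gate-count units quoted above.

```python
import random

DIGIT_BITS = 16   # multiplier width from the simulation slide
SIGMA = 2.0       # assumed measurement noise per multiply-accumulate

def hw(x):
    """Hamming weight of a digit."""
    return bin(x).count("1")

def rand_operand(rng, n_digits):
    """Random long integer as a list of DIGIT_BITS-wide digits."""
    return [rng.getrandbits(DIGIT_BITS) for _ in range(n_digits)]

def tr_A(A, B, rng):
    """Concatenated averaged trace tr_A for one long product A*B.

    Assumed leakage model: each a_i*b_j + c_k step costs
    HW(a_i) + HW(b_j) + Gaussian noise, reduced to one sample per step.
    tr_i is the mean over j for fixed i; tr_A is the list of all tr_i.
    """
    return [sum(hw(a) + hw(b) + rng.gauss(0, SIGMA) for b in B) / len(B)
            for a in A]

def distance(t0, t1):
    """Euclidean distance d = (sum_i (tr0(i) - tr1(i))^2)^(1/2)."""
    return sum((x - y) ** 2 for x, y in zip(t0, t1)) ** 0.5

def separation(n_digits, trials=50, seed=2001):
    """Mean distance for same-multiplier and different-multiplier pairs."""
    rng = random.Random(seed)
    same = diff = 0.0
    for _ in range(trials):
        A1 = rand_operand(rng, n_digits)
        A2 = rand_operand(rng, n_digits)
        # Every multiplication sees a fresh intermediate value B.
        t1 = tr_A(A1, rand_operand(rng, n_digits), rng)
        t2 = tr_A(A1, rand_operand(rng, n_digits), rng)
        t3 = tr_A(A2, rand_operand(rng, n_digits), rng)
        same += distance(t1, t2)
        diff += distance(t1, t3)
    return same / trials, diff / trials

if __name__ == "__main__":
    for n in (8, 32, 64):   # 32 digits of 16 bits = 512-bit operand
        s, d = separation(n)
        print(f"{n:2d} digits: same={s:.1f} different={d:.1f} ratio={d/s:.1f}")
```

In this model the same-multiplier distance stays roughly constant while the different-multiplier distance grows with the number of digits, which is the "longer modulus means better discrimination" effect the conclusions state.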

27
Expnt Digit Values
  • Pre-computations A(i+1) ← A × A(i) mod M
    provide traces for known multipliers. So:
  • We can determine which multiplicative opns are squares
  • We can determine the exp digit for each multn
  • Minor extra detail for i = 0, 1 and m−1
  • This can be done independently for each opn.

28
Some Conclusions
  • The independence means attack time proportional
    to secret key length
  • Longer modulus means better discrimination
    between traces
  • No greater safety against this attack from longer
    keys.

29
Warning
  • With the usual DPA averaging already done, it may
    be possible to use a single exponentiation to
    obtain the secret key
  • So using expnt d+rφ(M) with random r may be
    no defence.

30
Final Conclusions
  • Sliding Windows expn method may be broken in this
    way
  • Like a Big Mac, you can nibble away at each
    secret exponent digit in turn and enjoy finding
    out its value.