Side-Channel Attack: timing attack - PowerPoint PPT Presentation

Slides: 38
Provided by: tsut1
Learn more at: https://www.cs.kent.edu
Transcript and Presenter's Notes


1
Side-Channel Attack: timing attack
Hiroki Morimoto
2
Overview
  • Review of traditional attacks
  • Side-Channel Attacks
  • Timing Attack
  • Several ways to compromise RSA
  • Countermeasures
  • Conclusion
  • References

3
Review
  • Basic Attacks
  • exploiting security holes and weaknesses in the
    systems/algorithms
  • choosing inadequate parameters
  • brute force
  • social engineering
  • more
  • There are 3 types of cryptanalysis
  • Ciphertext-only Attack
  • Known plaintext Attack
  • Chosen plaintext Attack

4
What is Side-Channel Attack
  • Side-channel attacks don't belong to the
    traditional attacks
  • This attack is based on experiments and
    statistics, not mathematical theories
  • Two types of the side-channel attack
  • Passive Attacks
  • Observe the target, such as a computer or cell phone
  • Gain the additional information leaked from the
    physical implementations/devices caused by any
    operation
  • e.g. timing information, power consumption,
    electromagnetic leaks, voices/sounds
  • Active Attacks
  • Add additional inputs
  • Change the environment or the target itself to cause
    abnormal operations or change the program flow
  • e.g. add voltage, clock glitching, or tempest
    virus

5
(No Transcript)
6
Goal
  • Find information such as
  • Algorithm/operation
  • Cryptographic key
  • Partial state information
  • Plaintext/ciphertext
  • more

7
Advantages
  • The attackers can carry out the attack
  • With information that is easy to obtain
  • With available inexpensive hardware
  • From a remote place
  • Often quicker than the regular attack
  • Compared to brute force and dictionary attacks
  • From a few seconds to a few hours
  • Without damaging regular operations and physical
    devices
  • Without notifying the victims

8
Examples of Side-Channel Attacks
  • Timing Attack
  • Power Monitoring Attack
  • Fault Analysis
  • Magnetic Emanation Attack
  • Light Emission Attack
  • Sound Attack (includes wire-tapping and
    eavesdropping)

9
Timing Attack
  • A timing attack is an example of an attack that
    exploits the implementation of an algorithm rather
    than the algorithm itself
  • Measure the time it takes for a certain unit to
    perform an operation
  • Keep the input, output, and consumed time
  • Check the correlation between the time measurements
    for a guessed key or input and the empirical result (often
    statistically)

10
Background
  • An operation takes slightly different amounts of
    time to process different inputs because of
  • Bypass operations such as branching or
    conditional statements
  • RAM cache hits
  • Processor instructions such as multiplication and
    division
  • Others
  • Usually the consumed time depends on input data,
    cryptographic keys, and the modulus in cryptosystems

11
Usages
  • Timing attacks are often used to compromise
    public-key cryptosystems such as RSA
  • For example, most smart cards use RSA.
    Therefore, inappropriate usage of it reveals its
    secret key easily
  • Sometimes, the key is tamper-proof
  • Timing attacks reveal key length, key values,
    plaintext, etc.

12
RSA review
  • Multiple prime RSA key generating algorithm
  • 1. Select two primes $p$ and $q$
  • 2. Calculate $n = p \times q$
  • 3. Calculate $\varphi(n) = (p-1)(q-1)$
  • 4. Choose $e$ where $\gcd(e, \varphi(n)) = 1$
  • 5. Calculate $d = e^{-1} \pmod{\varphi(n)}$
  • 6. Public key $(e, n)$ and private key $(d)$
  • Encryption: $c = m^e \bmod n$
  • Decryption: $m = c^d \bmod n$

13
Modular Exponentiation
  • The method of attack depends on the details of
    modular exponentiation
  • For efficiency, modular exponentiation is done
    via
  • Simple multiplication
  • Repeated squaring
  • Chinese Remainder Theorem (CRT)
  • Montgomery multiplication
  • Sliding window
  • Karatsuba multiplication

14
Simple Multiplication
  • In the simplest case, the modular exponentiation is
    done by multiplying the number as many times as the
    value of the exponent, such as
    $2^{13} = 2 \times 2 \times 2 \times 2 \times 2 \times 2 \times \dots$
  • Therefore, the execution time is directly
    proportional to the exponent value (key value)

15
Attacking Scenario: simple multiplication
  • An attacker eavesdrops on the decryption operation
    where he gets a plaintext and its computation
    time (the decryption key is 13 which is hidden
    from the attacker)
  • He guesses the key is 12. He decrypts with the
    guessed key and it returns a smaller computation time
  • Then, he guesses the key is 14 and the returned
    computation time is greater than the empirical data
  • Now, he knows the key is between 12 and 14

16
Repeated Squaring
  • The most common and fast algorithm
  • The number of loops is proportional to its key
    bit length
  • Kocher found a possible attack

17
Algorithm
  • In each step, the number is squared and reduced mod n
  • If the current bit is 1, then a modular
    multiplication is executed
  • If the current bit is 0, go to the next step

18
Pseudo-Code
// Compute c = m^d (mod n)
// where, in binary, d = (d0, d1, d2, ..., dnum) with d0 = 1
s = m
for i = 1 to num
    s = s^2 (mod n)
    if di = 1 then
        s = s * m (mod n)
    end if
next i
return s
19
Example
  • For example
  • $5^{20} = 95367431640625 = 25 \bmod 35$
  • With repeated squaring
  • $d = 20 = 10100$ base 2, $m = 5$, and $n = 35$
  • Initialize $s = 5^1$ ($d_0 = 1$)
  • $s = (5 \times 5) \bmod 35$ and $d_1 = 0 \Rightarrow s = 25$
  • $s = (25 \times 25) \bmod 35 = 30$ and $d_2 = 1$ so that
    $(30 \times 5) \bmod 35 \Rightarrow s = 10$
  • $s = (10 \times 10) \bmod 35$ and $d_3 = 0 \Rightarrow s = 30$
  • $s = (30 \times 30) \bmod 35$ and $d_4 = 0 \Rightarrow s = 25$
  • No huge numbers and it's efficient
  • In this example, 5 steps vs 20 multiplications

20
Attacking Scenario: repeated squaring
  • This attack also measures the correlation between
    guessed and empirical time measurements
  • The time consumed by the 2nd step depends on the 1st
    data (s) and the second bit of the key, and so forth.
    In other words, the high-order bits affect the
    result more than the low-order bits.
  • Thus the attacker begins at the top bit, then
    continues to the next bit and so on
  • The more bits the attacker already knows, the
    stronger the signal, thus easier to detect
    (error-correction property)

21
Attacking Scenario: repeated squaring
  • First, the attacker wants to know the first bit
    of the secret key where he has a target plaintext
    and knows its consumed time
  • He decrypts the plaintext with 1111
  • Next he decrypts the plaintext with 0111
  • Then he creates two graphs for each pair of
    consumed times
  • Then he finds the strong correlation for 0111,
    especially at the last step. Thus the first bit
    may be 0.
  • He continues this procedure to the next bit and
    so on
  • He can efficiently recover low-order bits when
    enough high-order bits are known because of the
    error-correction property

22
Chinese Remainder Theorem
  • Modular reduction is done by subtracting
    multiples of the modulus, which also takes most of
    the computation time
  • Given $m = c^d \pmod{n}$ where $n = pq$
  • With CRT, first compute $c^d$ modulo $p$, and then $c^d$
    modulo $q$. After that glue them together
  • Two modular reductions of size $n^{1/2}$
  • As opposed to one reduction of size $n$
  • CRT provides significant speedup by a factor of 4
  • (comment) several researchers claim the above two
    statements. However, I don't think so!

23
Algorithm
  • To compute $C^d \pmod{N}$ where $N = pq$
  • First pre-compute
  • $d_p = d \pmod{p - 1}$
  • $d_q = d \pmod{q - 1}$
  • Second, pre-find $a$ and $b$ such that
  • $a = 1 \pmod{p}$ and $a = 0 \pmod{q}$
  • $b = 0 \pmod{p}$ and $b = 1 \pmod{q}$
  • Now computes
  • Solution is

24
Example
  • Suppose $N = 33$, $p = 11$, $q = 3$ and $d = 7$
  • Pre-compute
  • $d_p = 7 \pmod{10} = 7$
  • $d_q = 7 \pmod{2} = 1$
  • Pre-find, $a = 12$ and $b = 22$
  • Suppose we decrypt $C = 5$
  • $C_p = 5 \pmod{11} = 5$ and $C_q = 5 \pmod{3} = 2$
  • $x_p = 5^7 = 3 \pmod{11}$, $x_q = 2^1 = 2 \pmod{3}$
  • Solution: $5^7 = 3 \times 12 + 22 \times 2 = 14 \pmod{33}$
  • Regular operation: $C^d = 5^7 \pmod{33} = 14$
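
The CRT computation from slides 23 and 24 as runnable Python (an added example, not part of the original presentation). The function names are illustrative, deriving a and b with modular inverses is one way to do the slide's "pre-find" step, and the second key (p = 61, q = 53, d = 2753) is a constructed test value.

```python
# Added example: RSA decryption with the Chinese Remainder Theorem,
# using the slide's symbols d_p, d_q, a, b, x_p, x_q.

def crt_params(p, q, d):
    """Pre-computation: reduced exponents and the two glue constants."""
    dp = d % (p - 1)
    dq = d % (q - 1)
    a = q * pow(q, -1, p)   # a = 1 (mod p) and a = 0 (mod q)
    b = p * pow(p, -1, q)   # b = 0 (mod p) and b = 1 (mod q)
    return dp, dq, a, b


def crt_decrypt(c, p, q, d):
    """Compute c^d mod (p*q) from two half-size exponentiations."""
    n = p * q
    dp, dq, a, b = crt_params(p, q, d)
    xp = pow(c % p, dp, p)          # c^d modulo p
    xq = pow(c % q, dq, q)          # c^d modulo q
    return (a * xp + b * xq) % n    # glue the two halves together


def matches_plain_exponentiation(p, q, d):
    """True if the CRT result equals c^d mod n for every c in [0, n)."""
    n = p * q
    return all(crt_decrypt(c, p, q, d) == pow(c, d, n) for c in range(n))


if __name__ == "__main__":
    print(crt_params(11, 3, 7))      # slide 24 key
    print(crt_decrypt(5, 11, 3, 7))  # slide 24 ciphertext C = 5
    print(matches_plain_exponentiation(61, 53, 2753))  # constructed key
```

The two exponentiations run separately modulo p and modulo q, which is the structure the CRT attacking scenario relies on.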

25
Limitation
  • Factors p and q of N must be known
  • Only for private key operations

26
Attacking Scenario: CRT
  • The attacker doesn't have to know anything
  • As we mentioned before, CRT first
    computes $c^d$ modulo $p$, and then $c^d$ modulo $q$
  • First guess $c^d$ and measure the consumed time for
    the first (or second) operation.
  • If the p is smaller than $c^d$, takes no time.
  • If the p is larger than $c^d$, it must subtract p at
    least once
  • Then extract the p (or q)

27
Attacking Scenario: CRT
  • The attacker wants to know the decryption key (d)
  • First, he tries to extract the value p, so he
    runs the program with $c^d$ = 1, 3, 5, 7, 11, ... and
    measures the consumed times
  • The consumed times are constant from 1 to 5, but
    increase after 7. Thus, p might be 7
  • Then he does the same operation to find q
  • Now, he knows q and p
  • Thus, he can calculate $n = p \times q$ and
    $\varphi(n) = (p-1)(q-1)$
  • Because e is public, $d = e^{-1} \pmod{\varphi(n)}$

28
Countermeasures
  • How to prevent a timing attack or make it
    difficult
  • Reduce or eliminate the correlation between the
    execution time and parameters such as input data,
    modulus, and keys
  • OR
  • Add noise, because the number of samples needed
    to obtain enough information is proportional to
    the noise

29
Examples of Countermeasures
  • Constant Time Calculation
  • Random Time Calculation
  • RSA Blinding
  • Avoid Conditional Operation
  • Time Equalization of Multiplication and
    Exponentiation

30
Constant Time Calculation
  • In this strategy, the time it takes to do any
    operation must be independent of the input and key
    (constant and equal every time)
  • Thus, every operation takes the slowest
    operational time by waiting
  • However, this strategy raises the execution time
    dramatically (corresponding to the worst case)

31
Random Time Calculation
  • In this strategy, the time it takes to do any
    operation changes on every operation
  • It is done by waiting a random time before going
    to the next execution
  • However, this strategy also raises the execution
    time, and its random variance must be large and
    completely random

32
RSA Blinding
  • The idea is the same as the random time calculation:
    the time it takes to do any operation changes on
    every operation
  • However, the randomization is done by multiplying
    by the random seed before the operation and
    multiplying by the inverse of the seed after the
    operation. In other words, it changes m
    (plaintext) or c (ciphertext)
  • This strategy adds slight execution time

33
Algorithm and Example
  • Algorithm
  • Generate random $r$
  • First multiply by $r^e$: $m' = r^e c \pmod{N}$
  • Then decrypt: $m'' = m'^d \pmod{N}$
  • Finally, multiply by $r^{-1} \pmod{N}$: $m = r^{-1} m'' =
    r^{-1}(r^e c)^d = r^{-1} r c^d = c^d \pmod{N}$
  • Example: $c = 3$, $r = 2$, $e = 3$, $d = 7$, and $N = 33$
  • $m' = 2^3 \times 3 \pmod{33} = 24$
  • $m'' = 24^7 \pmod{33} = 18$
  • $m = \tfrac{1}{2} \times 18 = 9$
  • Regular operation: $m = 3^7 \pmod{33} = 9$
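
The blinding steps above as runnable Python (an added example, not part of the original presentation). The function names are illustrative, the optional `r` argument exists only so the slide's numbers can be reproduced, and the key (e = 17, d = 2753, N = 3233) is a constructed test value.

```python
# Added example: RSA decryption with blinding.
import math
import secrets


def blind_decrypt(c, e, d, n, r=None):
    """Return (m, blinded_input, blinded_output) for ciphertext c.

    blinded_input is the only value that passes through the private-key
    exponentiation, and it changes with every fresh r.
    """
    if r is None:
        while True:                              # draw r invertible mod n
            r = secrets.randbelow(n - 2) + 2     # 2 .. n-1
            if math.gcd(r, n) == 1:
                break
    elif math.gcd(r, n) != 1:
        raise ValueError("r must be invertible mod n")
    blinded_input = (pow(r, e, n) * c) % n       # m'  = r^e * c
    blinded_output = pow(blinded_input, d, n)    # m'' = m'^d = r * c^d
    m = (pow(r, -1, n) * blinded_output) % n     # m   = r^-1 * m''
    return m, blinded_input, blinded_output


def blinding_spread(c, e, d, n, trials):
    """Decrypt the same c repeatedly; return (exponentiation inputs, plaintexts)."""
    inputs, plaintexts = set(), set()
    for _ in range(trials):
        m, blinded_input, _ = blind_decrypt(c, e, d, n)
        inputs.add(blinded_input)
        plaintexts.add(m)
    return inputs, plaintexts


if __name__ == "__main__":
    print(blind_decrypt(3, 3, 7, 33, r=2))           # slide 33 numbers
    ins, outs = blinding_spread(65, 17, 2753, 3233, 50)
    print(len(ins), "distinct exponentiation inputs,", outs)
```

Because the exponentiation input differs on every call, timings collected for one ciphertext no longer correspond to one fixed input to the key-dependent operation.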

34
Avoid Branch and Conditional Operation
  • Conditional statements often depend on the input or
    key
  • As we mentioned before, branch and conditional
    statements (e.g. an if statement) change the
    consumed time
  • So eliminate any branch and conditional
    statement to equalize the computational time
  • Also the calculation must be performed via
    elementary operations (such as AND, OR, and XOR)

35
Time Equalization of Multiplication and Exponentiation
  • The times taken by multiplication and exponentiation
    (especially squaring) are different
  • Therefore, one needs to equalize them by
    performing both operations when only one of the
    operations is required and discarding the unnecessary
    result
  • So, the attacker will not be able to learn when
    and how many multiplications and exponentiations
    are made
  • This strategy also adds overhead
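
The leak in the slide 18 pseudo-code next to the equalized form described on slides 34 and 35, as an added example that is not part of the original presentation. Operation counts stand in for execution time; the function names and the public `width` parameter are assumptions made here.

```python
# Added example. Python's big-integer arithmetic is not itself constant
# time, so this illustrates the structure of the fix, not a hardened routine.

def modexp_leaky(m, d, n):
    """Slide 18 pseudo-code (d >= 1): multiply only when the key bit is 1."""
    bits = bin(d)[2:]                  # bits[0] is d0 = 1
    s, squares, mults = m % n, 0, 0
    for bit in bits[1:]:
        s = (s * s) % n
        squares += 1
        if bit == "1":                 # key-dependent branch
            s = (s * m) % n
            mults += 1
    return s, squares, mults


def modexp_equalized(m, d, n, width):
    """Square and multiply on every bit; keep the product only if the bit is 1.

    width is a fixed, public bit length, so the loop count is independent of d.
    """
    s, squares, mults = 1, 0, 0
    for i in reversed(range(width)):
        s = (s * s) % n
        squares += 1
        t = (s * m) % n                # always performed, sometimes discarded
        mults += 1
        mask = -((d >> i) & 1)         # bit 0 -> 0, bit 1 -> all ones
        s = (t & mask) | (s & ~mask)   # select with AND/OR, no branch
    return s, squares, mults


def profile(keys, m, n, width):
    """Map each key to (leaky operation count, equalized operation count)."""
    result = {}
    for d in keys:
        r1, sq1, mu1 = modexp_leaky(m, d, n)
        r2, sq2, mu2 = modexp_equalized(m, d, n, width)
        assert r1 == r2 == pow(m, d, n)
        result[d] = (sq1 + mu1, sq2 + mu2)
    return result


if __name__ == "__main__":
    # Constructed 5-bit keys 10000, 10100 (slide 19) and 11111; m = 5, n = 35.
    for d, counts in profile([16, 20, 31], 5, 35, 5).items():
        print(format(d, "05b"), counts)
```

In the leaky version the multiplication count equals the number of 1 bits after the leading bit, while the equalized version performs the same number of operations for every key of the given width.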

36
Conclusion
  • Side-channel attacks are a real threat with a wide
    range of possibilities and a large impact
  • A side-channel attack is not traditional
    cryptanalysis
  • Side-channel attacks are easy, quick, and inexpensive,
    and carry little risk of being noticed by victims
  • When one designs an algorithm or system such as a
    cryptosystem, one must think about additional
    output leaked from the devices, too.

37
References
  • Bar-El, Hagai. Introduction to Side Channel
    Attack
  • Kocher, Paul. Timing Attacks on Implementation of
    DH, RSA, DSS and Other Systems
  • Haas, Job. Side Channel Analysis and Embedded
    Systems: Impact and Countermeasure
  • Endrodi, Csilla. Side-Channel Attack of RSA
  • Cid, Carlos. Cryptanalysis of RSA: A Survey