Implementation attacks and countermeasures (transcript of attacks.pdf)
Lejla Batina
Digital Security Group, Institute for Computing and Information Sciences (iCIS)
Radboud University, The Netherlands
Implementation attacks and countermeasures
Summer school on real-world crypto and privacy, June 1, 2015, Solaris, Croatia
OUTLINE
• Implementation of security vs secure implementations
• Side-channel analysis basics
• Power analysis attacks
• EM analysis
• Countermeasures
• Fault analysis
• SCA on PKC
• Recent and future challenges
• Conclusions
2
EMBEDDED CRYPTOGRAPHIC DEVICES
Embedded security:
- resource limitation
- physical accessibility
3
THE GOALS OF THE ATTACKERS
• Secret keys/data
• Unauthorized access
• IP/piracy
• (Location) privacy
• (Theoretical) cryptanalysis [RS01]
• Reverse engineering
• Finding backdoors in chips [SW12]
• …
4
PHYSICAL SECURITY BEFORE
• Tempest: known since the early 1960s that computers generate EM radiation that leaks information about the data being processed
• In 1965, MI5 placed a microphone near the rotor-cipher machine used by the Egyptian Embassy; the click sound the machine produced was analyzed to deduce the core position of the machine's rotors
• 1979: effect of cosmic rays on memories (NASA & Boeing)
• First academic publications on SCA by Paul Kocher: 1996 (timing) and 1999 (power)
• Faults: Bellcore attack in 1997 by Boneh, DeMillo and Lipton
5
PHYSICAL SECURITY TODAY
• As a research area it took off in the late 90's
• CHES workshop since 1999
• Many successful attacks published on various platforms and real products, e.g. KeeLoq [EK+08], CryptoMemory [BG+12], SimonsVoss (2013)
• Security evaluation labs, e.g. Riscure
6
CONCEPTS OF SIDE-CHANNEL LEAKAGE
• Side-channel leakage is based on (non-intentional) physical information that enables a new kind of attack
• Closely tied to implementations
• Often, optimizations enable leakages
  - Cache: faster memory access
  - Special tricks to boost performance
  - Square vs multiply (for PK)
7
SIDE-CHANNEL ATTACKS BASICS
8
SIDE-CHANNEL LEAKAGE
• Timing, Power, EM, Sound, Temperature, Light, …
• Observe physical quantities in the device's vicinity and use this information for secret data (key) recovery
[Figure: a device that takes an Input and a Key and produces an Output, with Leakages escaping on the side]
9
LEAKAGE IS OFTEN EXPLOITABLE
1. Due to the (dependency of leakages on) sequences of instructions executed
2. Due to the data (also sensitive!) being processed in pieces
10
ATTACK CATEGORIES
11
• Side-channel attacks
• Fault attacks
• Microprobing
ATTACKERS' CAPABILITIES
• "Simple" attacks: one or a few measurements, visual inspection
• Differential attacks: multiple (sometimes millions of) measurements; use of statistics, signal processing, etc.
• Higher-order attacks: an n-th order attack uses n different samples
• Combining two or more side-channels
• Combining side-channel attacks with theoretical cryptanalysis
12
IMPLEMENTATION ATTACKS - EQUIPMENT
13
POWER ANALYSIS ATTACKS
14
SIMPLE POWER ANALYSIS (SPA)
• Based on one or a few measurements
• Mostly discovery of data-(in)dependent but instruction-dependent properties, e.g.
  - Symmetric:
    – Number of rounds (resp. key length)
    – Memory accesses (usually higher power consumption)
  - Asymmetric:
    – The key (if badly implemented, e.g. RSA / ECC)
    – Key length
    – Implementation details: for example RSA with/without CRT
• Search for repetitive patterns
[Figure: power trace with a conditional operation highlighted]
15
EXAMPLE
[Figure: power consumption trace plotted along the time axis]
16
This is a power consumption trace of …
LEARNING FROM SPA – DES EXAMPLE
17
DIFFERENTIAL POWER ANALYSIS (DPA)
[Figure: DPA flow. The same input (e.g. 01101…) goes to the real device, whose real key and real side-channel give the real output, and to a model of the side-channel under a sub-key hypothesis, which gives a hypothetical output such as HW(S-box). Statistical analysis of the two decides whether the hypothesis is correct.]
18
Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands
www.cs.ru.nl/B.Ege
[Figure: a power trace and the correlation traces for the correct key, for the 2nd best key, and for all keys]
LEAKAGE MODELS
• Transition = Hamming distance model
  - Counts the number of 0->1 and 1->0 transitions
  - Assumes the same power is consumed for both; ignores static power consumption
  - Typically for register outputs in ASICs
  - HD(v0, v1) = HW(v0 xor v1)
  - Requires knowledge of the preceding or succeeding value vi
• Hamming weight model
  - Typical for pre-charged busses
• Weighted Hamming weight/distance model
• Signed Hamming distance (0->1 ≠ 1->0)
• Dedicated models for combinational circuits
20
SIDE-CHANNEL ATTACKS: COUNTERMEASURES
21
SIDE-CHANNEL ATTACKS COUNTERMEASURES
[Figure: countermeasure taxonomy]
Countermeasures
• Algorithmic
  - Masking: LUT mask, circuit mask
  - Intrinsic resistance
• Hardware-assisted
  - Random disarrangement: random delay, async logic
  - SNR reduction: special logic, filtering
22
SOFTWARE COUNTERMEASURES
• Time randomization: the operations are randomly shifted in time
  - use of NOP operations
  - add random delays
  - use of dummy variables and instructions (sequence scrambling)
  - data balancing (a data element is represented redundantly to make the Hamming weight constant)
• Permuted execution: rearranged instructions, e.g. S-boxes
• Masking techniques
23
HARDWARE COUNTERMEASURES
• Noise generation
  - a HW noise generator requires the use of an RNG
  - total power is increased (a problem for handheld devices)
• Power signal filtering
  - ex.: RLC filter (R: resistor, C: capacitor, L: inductor) smoothing the power consumption signal by removing high-frequency components
  - one should use active components (transistors) in order to keep the power consumption relatively constant; a problem for mobile phones
• Novel circuit designs: special logic styles
24
THE IMPACT OF NOISE
[Figure: raw traces and the resulting correlation trace]
25
PREPROCESSING
[Figure: pre-processed traces and the resulting correlation trace]
26
EM SIDE CHANNELS
27
EM HISTORY
• Compromising emanations discovered many years ago: TEMPEST
• Not exclusive to crypto devices, e.g. a vulnerability to EM analysis was found in some voting machines in 2006 in The Netherlands
• Van Eck in 1985: video display units generate EM that can be reconstructed up to 1 km away
• Markus Kuhn. Compromising emanations: eavesdropping risks of computer displays
  http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-577.pdf
28
EM AS SIDE-CHANNEL
• Each current-carrying component produces an EM field
• EM is a 3-dim vector field as a function of time
• Probe can act as a coil: a small magnetic coil is used, allowing precise positioning
• SEMA and DEMA
• Focusing also on frequency analysis
• Usually more difficult than PA: the issue of antenna positioning, etc.
• More leakage available: locally-based leakage
29
CLASSICAL VS SIDE-‐CHANNEL CRYPTANALYSIS
• Knowledge:
  - Classical: input/output pairs
  - Side-channel: input/output pairs + some leakage
• Applicability:
  - Classical: generally applicable
  - Side-channel: limited to a certain implementation
Combining both could be beneficial when access to side-channel info is restricted!
30
EM COUNTERMEASURES
• Faraday cage: a Faraday cage (shield) can be described as an enclosure created by conducting materials that blocks external electric fields (both static and non-static)
• Design for low power => reducing EM signals
• Asynchronous design
• Dual rail logic
31
ADVANCED ATTACKS
32
TEMPLATE ATTACKS [CRR02]
• Strongest form of SC attacks in an information-theoretic sense
• Assumption that the same device (as the one under attack) is available
• Precisely modeling noise instead of eliminating it, similarly to techniques in signal detection and estimation
• Suitable when only a few samples or measurements are available, i.e. the adversary has to work with far fewer signals
  - Stream ciphers
  - Fast hardware crypto modules
  - EM measurements
• Consist of 2 phases:
  - Characterization or profiling phase (building templates)
  - Template matching or key recovery
33
TEMPLATE ATTACKS: ASSUMPTIONS
• Strong assumptions on the adversary
• Find templates for certain sequences of instructions, or execute the same code for different values of key bits:
  - Templates consist of the mean signal and the noise probability distribution (noise characterization) for that particular case
  - Templates are created for all sub-key values (e.g. bytes), consisting of a vector of means and the noise covariance matrix
• Maximum-likelihood rule finds the right key
34
HIGHER-‐ORDER DPA: THE IDEA
• As mentioned in the original DPA paper: "Of particular importance are high-order DPA functions that combine multiple samples from within a trace."
• 2nd order DPA attack: Messerges in 2000 [Mes00b]
35
  W1(PTI) {
    A: Result = PTI xor SecretKey
    …
    return CTO
  }
  1st order DPA applies

  W2(PTI) {
    B: RandomMask = rand()
       mPTI = PTI xor RandomMask
    C: Result = mPTI xor SecretKey
    …
    return CTO
  }
  2nd order DPA applies
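As an added illustration of the W1/W2 contrast above (not code from the original slides), the following simulation runs first- and second-order correlation DPA in the Hamming-weight leakage model of the LEAKAGE MODELS slide against an unmasked and a Boolean-masked 4-bit S-box lookup; the S-box choice, noise level, key and synthetic traces are all constructed here.

```python
"""Simulated leakage assessment: first-order vs second-order CPA on an
unmasked and a Boolean-masked 4-bit S-box lookup (constructed toy model)."""
import random
from statistics import mean

# PRESENT S-box, used here only as a small real nonlinear lookup table.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
NOISE_SIGMA = 0.5  # assumed Gaussian measurement noise (constructed)

def hw(x):
    return bin(x).count("1")

def simulate(n_traces, key, masked, seed=1):
    """Return (plaintexts, traces); each trace holds two 'samples' in the
    Hamming-weight model. Unmasked: [HW(S[p^k]), noise only].
    Masked: [HW(m), HW(S[p^k] ^ m)] with a fresh random mask m per run."""
    rng = random.Random(seed)
    pts, traces = [], []
    for _ in range(n_traces):
        p = rng.randrange(16)
        v = SBOX[p ^ key]
        if masked:
            m = rng.randrange(16)
            samples = [hw(m), hw(v ^ m)]
        else:
            samples = [hw(v), 0.0]
        traces.append([s + rng.gauss(0, NOISE_SIGMA) for s in samples])
        pts.append(p)
    return pts, traces

def pearson(xs, ys):
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

def cpa(pts, observations):
    """Rank the 16 key hypotheses by |correlation| between the predicted
    HW(S[p^k]) and the observed values; return (best_key, {k: corr})."""
    scores = {}
    for k in range(16):
        model = [hw(SBOX[p ^ k]) for p in pts]
        scores[k] = pearson(model, observations)
    best = max(scores, key=lambda k: abs(scores[k]))
    return best, scores

def first_order(pts, traces, sample=0):
    return cpa(pts, [t[sample] for t in traces])

def second_order(pts, traces):
    """Centered-product combination of the two samples: the product of the
    mask leakage and the masked-value leakage again depends on HW(S[p^k]),
    which is exactly what a 2nd-order DPA exploits."""
    m0 = mean(t[0] for t in traces)
    m1 = mean(t[1] for t in traces)
    combined = [(t[0] - m0) * (t[1] - m1) for t in traces]
    return cpa(pts, combined)

def assess(key=0xB, n_traces=4000):
    """Recovered key and correct-key correlation for the three cases:
    W1 with 1st order, W2 with 1st order, W2 with 2nd order."""
    pts_u, tr_u = simulate(n_traces, key, masked=False, seed=1)
    pts_m, tr_m = simulate(n_traces, key, masked=True, seed=2)
    k1, s1 = first_order(pts_u, tr_u)            # W1: 1st order applies
    k2, s2 = first_order(pts_m, tr_m, sample=1)  # W2: 1st order fails
    k3, s3 = second_order(pts_m, tr_m)           # W2: 2nd order applies
    return {"unmasked_1st": (k1, s1[key]),
            "masked_1st": (k2, s2[key]),
            "masked_2nd": (k3, s3[key])}

if __name__ == "__main__":
    for name, (k, c) in assess().items():
        print(f"{name:13s} recovered key {k:#x}, corr(correct key) = {c:+.3f}")
```

The masked run shows the correct key's first-order correlation collapsing to noise level while the centered-product combination brings it back, which is the leakage-assessment check a masking countermeasure should be subjected to.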
FAULT ANALYSIS
36
HISTORY
• 1978: one of the first examples of fault injection was unintentional, discovered by May and Woods (radioactive particles)
• 1979: effect of cosmic rays on memories (NASA & Boeing)
• 1992: use of a laser beam to charge particles on microprocessors, discovered by Habing
• 1997: 1st academic publication by Boneh, DeMillo, and Lipton showing what's possible with a single fault [BDL97]
• 1997: differential fault analysis on secret-key cryptosystems by Biham and Shamir [BS97]
• 2002: 1st publication implementing the Bellcore attack [AB+12]
• 2003: 1st FDTC workshop
37
ATTACKER GOALS
• Insert computational fault
  - Null key
  - Wrong crypto result (Differential Fault Analysis, DFA)
• Change software decision
  - Force approval of a false PIN
  - Reverse life cycle state
  - Enforce access rights
• …
38
COUNTERMEASURES
Generic
• Correctness check: encrypt twice
• Random delays: limit the precision
• Masking:
  - Linear secret sharing complicates probing wires of the device
  - Adversary cannot predict the effect of the injected fault
Hardware
• Supply voltage, frequency detectors
• Active shields
• Redundancy: duplication of hardware blocks
• Dual rail implementations
• (m-of-n) encoding: each bit is represented by n wires, of which exactly m carry a 1
39
SIDE-CHANNEL ANALYSIS ON PKC
40
INSECURE RSA IMPLEMENTATION
RSA modular exponentiation
In: message m, key e (l bits)
Output: m^e mod n
  A = 1
  for j = l - 1 down to 0
    A = A^2 mod n                                /* square */
    if (bit j of e) is 1 then A = A × m mod n    /* multiply */
  Return A
[Flowchart of the same loop: Init; while j ≥ 0: A = A^2; if bit j of e = 1 then A = A × m; j = j - 1; Return A. The conditional multiply is the side-channel.]
41
SIMPLE POWER ANALYSIS (RSA)
• What is the private RSA exponent?
[courtesy: C. Clavier]
42
SIMPLE POWER ANALYSIS (RSA)
[courtesy: C. Clavier]
43
PROTECTING RSA FROM SPA
Left-to-right binary method
Input: N, m and e. Output: c = m^e mod N.
1. Let e = [e_t, e_{t-1}, …, e_1, e_0]_2;
2. c := 1;
3. For i := t downto 0 do
4.   c := c^2 mod N;
5.   if e_i == 1 then
6.     c := c·m mod N;
Return c.

Montgomery powering ladder
Input: N, m and e. Output: c = m^e mod N.
1. Let e = [1, e_{t-1}, …, e_1, e_0]_2;
2. R[0] := m; R[1] := m^2 mod N;
3. For i := t-1 downto 0 do
4.   R[1-e_i] := R[0]·R[1] mod N;
5.   R[e_i] := R[e_i]·R[e_i] mod N;
Return R[0].
44
PROTECTING RSA FROM DPA -‐ RANDOMIZATION
Randomized m
Input: N, m and e. Output: c = m^e mod N.
1. r = Random(); // r < N
2. m_s := r·m;
3. v := m_s^e mod N;
4. u := r^e mod N;
5. c := v/u mod N;
Return c.

Randomized d
Input: N, m, φ(N) and d. Output: s = m^d mod N.
1. r = Random();
2. d' = d + r·φ(N);
3. s := m^{d'} mod N;
Return s.
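An added example (not from the slides) that exercises the RSA countermeasures of the last two slides, the left-to-right binary method versus the Montgomery ladder and the randomized exponent d' = d + r·φ(N): it records the sequence of squarings and multiplications as a stand-in for an SPA trace and checks which method leaves a key-independent sequence; the toy modulus, exponents and blinding range are constructed for the demonstration.

```python
"""Square-and-multiply vs the Montgomery ladder, recording the sequence of
modular operations as a stand-in for an SPA trace, plus the exponent
blinding d' = d + r*phi(N) from the slide. All numbers are constructed toys."""
import random

# Constructed toy RSA parameters (nothing like a real key size).
P, Q = 61, 53
N = P * Q                  # 3233
PHI = (P - 1) * (Q - 1)    # 3120
E = 17
D = pow(E, -1, PHI)        # 2753, private exponent

def square_and_multiply(m, e, n, trace):
    """Left-to-right binary method from the slide. 'trace' receives one
    letter per modular operation: S = square, M = multiply."""
    c = 1
    for bit in bin(e)[2:]:          # e_t ... e_0, most significant first
        c = c * c % n
        trace.append("S")
        if bit == "1":
            c = c * m % n
            trace.append("M")
    return c

def montgomery_ladder(m, e, n, trace):
    """Montgomery powering ladder from the slide: every exponent bit costs
    exactly one multiply and one square, whatever its value."""
    bits = bin(e)[2:]               # leading bit is 1, as the slide assumes
    r0, r1 = m, m * m % n
    for bit in bits[1:]:
        if bit == "0":
            r1 = r0 * r1 % n        # R[1-e_i] := R[0]*R[1]
            r0 = r0 * r0 % n        # R[e_i]   := R[e_i]^2
        else:
            r0 = r0 * r1 % n
            r1 = r1 * r1 % n
        trace.append("M")
        trace.append("S")
    return r0

def bits_from_spa_trace(trace):
    """Read an exponent back from a square-and-multiply operation sequence:
    S followed by M is a 1 bit, S followed by S (or nothing) is a 0 bit."""
    out = []
    for i, op in enumerate(trace):
        if op == "S":
            nxt = trace[i + 1] if i + 1 < len(trace) else None
            out.append("1" if nxt == "M" else "0")
    return "".join(out)

def ladder_traces_equal(m, e1, e2, n):
    """True when two same-length exponents leave identical ladder traces."""
    t1, t2 = [], []
    montgomery_ladder(m, e1, n, t1)
    montgomery_ladder(m, e2, n, t2)
    return t1 == t2

def blinded_exponent_sign(m, d, n, phi, rng):
    """Randomized d from the slide: d' = d + r*phi(N) yields the same
    result because m^phi(N) = 1 mod N for gcd(m, N) = 1, while the
    exponent bits actually processed change from one run to the next."""
    r = rng.randrange(1, 1 << 16)   # blinding range is a constructed choice
    d_prime = d + r * phi
    return pow(m, d_prime, n), d_prime

def demo(m=65, seed=7):
    rng = random.Random(seed)
    t_sm, t_ml = [], []
    s1 = square_and_multiply(m, D, N, t_sm)
    s2 = montgomery_ladder(m, D, N, t_ml)
    s3, d_prime = blinded_exponent_sign(m, D, N, PHI, rng)
    return {
        "results_agree": s1 == s2 == s3 == pow(m, D, N),
        "sm_trace_reveals_d": bits_from_spa_trace(t_sm) == bin(D)[2:],
        "ladder_trace_reveals_d": bits_from_spa_trace(t_ml) == bin(D)[2:],
        "ladder_trace_key_independent": ladder_traces_equal(m, D, D ^ 0x2AA, N),
        "blinded_exponent_differs": d_prime != D,
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30s} {ok}")
```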
45
PROTECTING ECC FROM DPA -‐ RANDOMIZATION
Randomized scalar
Input: k, P. Output: Q = kP.
1. r = Random(); // r < order(P)
2. k' := k + r·order(P);
3. Q = k'P; // [order(P)]P = O.
Return Q.

Base point blinding
Input: k, P. Output: Q = kP. Precomputed: R, S = kR.
1. T := P + R;
2. Q' = kT;
3. Q = Q' - S;
4. r = Random(); // r < 2^32
5. R = rR, S = rS; // update R, S
Return Q.
46
SCA: RECENT DEVELOPMENTS
• Theory
  - Metrics for side-channel analysis
  - Leakage resilient crypto
• Theory and Practice
  - More advances in attacks: algorithm specific (combined with cryptanalysis)
  - SCA and faults combined
  - Machine learning methods for analysis
  - New countermeasures
  - New models
47
CONCLUSIONS AND OPEN PROBLEMS
• Physical access allows many attack paths
• Trade-offs between assumptions and computational complexity
• Requires knowledge in many different areas
• Combining SCA with theoretical cryptanalysis
• "Cheap" and effective countermeasures are still to be found
48
THANK YOU FOR YOUR ATTENTION
REFERENCES
• [KJJ99] P. Kocher, J. Jaffe, B. Jun. "Differential Power Analysis". CRYPTO 1999.
• [QS01] J.-J. Quisquater and D. Samyde. "ElectroMagnetic Analysis (EMA): Measures and Counter-Measures for Smart Cards". E-smart 2001.
• [GMO01] K. Gandolfi et al. "Electromagnetic Analysis: Concrete Results". CHES 2001.
• [Koc96] P. Kocher. "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems". CRYPTO 1996.
• [RS01] T. Romer and J.-P. Seifert. "Information Leakage Attacks against Smart Card Implementations of the Elliptic Curve Digital Signature Algorithm". E-smart 2001.
• [CRR03] S. Chari, J. R. Rao and P. Rohatgi. "Template Attacks". CHES 2002.
• [AA+02] D. Agrawal, B. Archambeault, J. R. Rao and P. Rohatgi. "The EM Side-Channel(s)". CHES 2002.
• [Mess00b] T. S. Messerges. "Using Second-Order Power Analysis to Attack DPA Resistant Software". CHES 2000.
• [Cor99] J.-S. Coron. "Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems". CHES 1999.
• [BG+12] J. Balasch et al. "Power Analysis of Atmel CryptoMemory: Recovering Keys from Secure EEPROMs". CT-RSA 2012.
• [EK+08] T. Eisenbarth et al. "On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme". CRYPTO 2008.
50