It was right under your nose - CHES 2017 rump …...26 It was right under your nose 1 / 9 It was...
Transcript of It was right under your nose - CHES 2017 rump …...26 It was right under your nose 1 / 9 It was...
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 1 / 9
It was right under your nose
2017.09.26
SICADA(Side Channel Analysis Design Academy)
Dept. of Information Security, Cryptology, and Mathematics, Kookmin University
Bo-Yeon Sim and Dong-Guk Han
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 2 / 9
▣ Previously proposed attacks on PKCs were based on
the patterns of data-dependent conditional branches
Algorithm. Left to Right Binary Method
INPUT 𝑀,𝑁, 𝑘 = 𝑘𝑛−1, 𝑘𝑛−2, ⋯ , 𝑘0 2
OUTPUT 𝑀𝑘 𝑚𝑜𝑑 𝑁
Step 1. 𝑅 = 1
Step 2. For 𝑖 = 𝑛 − 1 down to 0 do
2.1. 𝑅 = 𝑅 × 𝑅 𝑚𝑜𝑑 𝑁
2.2. IF 𝑘𝑖 = 1 then 𝑅 = 𝑅 ×𝑀 𝑚𝑜𝑑 𝑁
Step3. Return 𝑅
Countermeasure make it regular
1996 Timing Attacks
1998 Simple Power Analysis
Mathematical proof
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 3 / 9
▣ Previously proposed attacks on PKCs were based on
statistical characteristic according to intermediate values
Algorithm. Left to Right Square and Multiply Always
INPUT 𝑀,𝑁, 𝑘 = 𝑘𝑛−1, 𝑘𝑛−2, ⋯ , 𝑘0 2
OUTPUT 𝑀𝑘 𝑚𝑜𝑑 𝑁
Step 1. 𝑅0 = 1
Step 2. For 𝑖 = 𝑛 − 1 down to 0 do
2.1. 𝑅0 = 𝑅0 × 𝑅0 𝑚𝑜𝑑 𝑁
2.2. 𝑅1−𝑘𝑖 = 𝑅0 ×𝑀 𝑚𝑜𝑑 𝑁
Step4. Return 𝑅0
Countermeasure apply a randomization method
𝑛 traces
1996 Timing Attacks
1998 Simple Power Analysis
Differential Power Analysis
Mathematical proof
SPA Countermeasure
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 4 / 9
Algorithm. Left to Right Square and Multiply Always
INPUT 𝑀,𝑁, 𝑘 = 𝑘𝑛−1, 𝑘𝑛−2, ⋯ , 𝑘0 2
OUTPUT 𝑀𝑘 𝑚𝑜𝑑 𝑁
Step 1. 𝑅0 = 1
Step 2. For 𝑖 = 𝑛 − 1 down to 0 do
2.1. 𝑅0 = 𝑅0 × 𝑅0 𝑚𝑜𝑑 𝑁
2.2. 𝑅1−𝑘𝑖 = 𝑅0 ×𝑀 𝑚𝑜𝑑 𝑁
Step4. Return 𝑅0
▣ Previously proposed attacks on PKCs were based on
the interrelationship between data, and etc.
+ data / exponent blinding
1996 Timing Attacks
2001 Big Mac Attack
Various Template Attacks
Various Collision Attacks
1998 Simple Power Analysis
Differential Power Analysis
DPA Countermeasure
Mathematical proof
SPA Countermeasure
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 5 / 9
Algorithm. Left to Right Square and Multiply Always
INPUT 𝑀,𝑁, 𝑑 = 𝑑𝑛−1, 𝑑𝑛−2, ⋯ , 𝑑0 2
OUTPUT 𝑀𝑑 𝑚𝑜𝑑 𝑁
Step 1. 𝑅0 = 1
Step 2. For 𝑖 = 𝑛 − 1 down to 0 do
2.1. 𝑅0 = 𝑅0 × 𝑅0 𝑚𝑜𝑑 𝑁
2.2. 𝑅1−𝑑𝑖 = 𝑅0 ×𝑀 𝑚𝑜𝑑 𝑁
Step4. Return 𝑅0
Algorithm. Left to Right Square and Multiply Always
INPUT 𝑀,𝑁, 𝑑 = 𝑑𝑛−1, 𝑑𝑛−2, ⋯ , 𝑑0 2
OUTPUT 𝑀𝑑 𝑚𝑜𝑑 𝑁
Step 1. 𝑅0 = 1
Step 2. For 𝑖 = 𝑛 − 1 down to 0 do
2.1. 𝑅0 = 𝑅0 × 𝑅0 𝑚𝑜𝑑 𝑁
2.2. 𝑅1−𝑑𝑖 = 𝑅0 ×𝑀 𝑚𝑜𝑑 𝑁
Step4. Return 𝑅0
Countermeasure
▣ Previously proposed attacks on PKCs were based on
DPA Countermeasure
DPA Countermeasure
Mathematical proof
SPA Countermeasure
various countermeasures
have been proposed
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 6 / 9
Do you think is it secure?
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 7 / 9
1st
2nd
3r
d
4t
h
5t
h
6t
h
𝑤𝑒 𝑐𝑎𝑛 𝑑𝑖𝑠𝑡𝑖𝑛𝑔𝑢𝑖𝑠ℎ 𝑡𝑤𝑜 𝑔𝑟𝑜𝑢𝑝𝑠 𝑡ℎ𝑟𝑜𝑢𝑔ℎ 𝑆𝑃𝐴
The attack does not require sophisticated pre-processing
such as decapsulation, localization, multi-probe, and principle component analysis
▣ Attack on Protected PKC using a Single Trace
In hardware implementation
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 8 / 9
Algorithm. Left to Right Square and Multiply Always
INPUT 𝑀,𝑁, 𝑘 = 𝑘𝑛−1, 𝑘𝑛−2, ⋯ , 𝑘0 2
OUTPUT 𝑀𝑘 𝑚𝑜𝑑 𝑁
Step 1. 𝑅0 = 1
Step 2. For 𝑖 = 𝑛 − 1 down to 0 do
2.1. 𝑅0 = 𝑅0 × 𝑅0 𝑚𝑜𝑑 𝑁
2.2. 𝑅1−𝑘𝑖 = 𝑅0 ×𝑀 𝑚𝑜𝑑 𝑁
Step4. Return 𝑅0
▣ The power consumption is related to the 𝒌𝒊 value
Private key bits are directly loaded during the check phase,
but no countermeasures have been considered to protect this phase
𝒌 = 𝒌𝒏−𝟏𝒌𝒏−𝟐⋯𝒌𝟎 𝟐
⋯𝒌𝒊 𝒌𝒊
+ data / exponent blinding
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 9 / 9
I am going to present our paper at ISPEC 2017.
If you have any questions, let’s see you there.