Side-Channel Attack: timing attack

Hiroki Morimoto

Post on 19-Jan-2016


Overview

- Review of traditional attacks
- Side-Channel Attacks
- Timing Attack
- Several ways to compromise RSA
- Countermeasures
- Conclusion
- References

Review

Basic Attacks:
- exploiting security holes and weaknesses in the systems/algorithms
- choosing inadequate parameters
- brute force
- social engineering
- more …

There are 3 types of cryptanalysis:
- Ciphertext-only attack
- Known-plaintext attack
- Chosen-plaintext attack

What is Side-Channel Attack

- Side-channel attacks don't belong to the traditional attacks
- This attack is based on experiments and statistics, not mathematical theories
- Two types of side-channel attack:

Passive Attacks:
- Observe the target, such as a computer or cell phone
- Gain the "additional" information leaked from the physical implementations/devices caused by any operation, e.g. timing information, power consumption, electromagnetic leaks, voices/sounds

Active Attacks:
- Add "additional" inputs
- Change the environment or the target itself to cause abnormal operations or change the program flow, e.g. add voltage, clock glitching, or tempest virus

Goal

Finds information such as:
- Algorithm/operation
- Cryptographic key
- Partial state information
- Plaintext/ciphertext
- more …

Advantages

The attackers can carry out the attack:
- With information that is easy to obtain
- With available inexpensive hardware
- From a remote place
- Often quicker than the regular attack
  - Compared to brute force and dictionary attacks
  - From a few seconds to a few hours
- Without damaging regular operations and physical devices
- Without being noticed by the victims

Examples of Side-Channel Attacks

- Timing Attack
- Power Monitoring Attack
- Fault Analysis
- Magnetic Emanation Attack
- Light Emission Attack
- Sound Attack (includes wire-tapping and eavesdropping)

Timing Attack

- A timing attack is an example of an attack that exploits the implementation of an algorithm rather than the algorithm itself
- Measure the time it takes for a certain unit to perform an operation
- Keep the input, output, and consumed time
- Check the correlation between the time measurements for a guessed key or input and the empirical result (often statistically)

Background

An operation takes slightly different amounts of time to process different inputs because of:
- Bypassed operations such as branching or conditional statements
- RAM cache hits
- Processor instructions such as multiplication and division
- Others …

Usually the consumed time depends on input data, crypto keys, and the modulus in cryptosystems

Usages

- Timing attacks are often used to compromise public-key cryptosystems such as RSA
- For example, most smart cards use RSA. Therefore, inappropriate usage of it reveals its secret key easily
- Sometimes, the key is tamper-proof
- Timing attacks reveal key length, key values, plaintext, etc.

RSA review

Multiple prime RSA key generating algorithm
1. Select two primes: p and q
2. Calculate n = p * q
3. Calculate φ(n) = (p-1) * (q-1)
4. Choose e where gcd(e, φ(n)) = 1
5. Calculate d = e^-1 (mod φ(n))
6. Public key = (e, n) and private key = (d)

Encryption: c = m^e mod n
Decryption: m = c^d mod n

Modular Exponentiation

The way of attack depends on the details of modular exponentiation

For efficiency, modular exponentiation is done via:
- Simple multiplication
- Repeated squaring
- Chinese Remainder Theorem (CRT)
- Montgomery multiplication
- Sliding window
- Karatsuba multiplication

Simple Multiplication

In the simplest case, modular exponentiation is done by multiplying the number as many times as the value of the exponent, such as 2^13 = 2 * 2 * 2 * 2 * 2 * 2 * …

Therefore, the execution time is directly proportional to the exponent value (key value)

Attacking Scenario: simple multiplication

- An attacker eavesdrops on the decryption operation, where he gets a plaintext and its computation time (the decryption key is 13, which is hidden from the attacker)
- He guesses the key is 12. He decrypts with the guessed key and it returns a small computation time
- Then he guesses the key is 14, and the returned computation time is greater than the empirical data
- Now he knows the key is between 12 and 14

Repeated Squaring

- The most common and fast algorithm
- The number of loops is proportional to its key bit length
- Kocher found a possible attack

Algorithm

- In each step, the number is squared and reduced mod n
- If the current bit is 1, then a modular multiplication is executed
- If the current bit is 0, go to the next step

Pseudo-Code

// Compute c = m^d (mod n)
// where, in binary, d = (d0, d1, d2, …, dnum) with d0 = 1

s = m
for i = 1 to num
    s = s^2 (mod n)
    if di == 1 then
        s = s * m (mod n)
    end if
next i
return s

Example

For example: 5^20 = 95367431640625 = 25 mod 35

With repeated squaring
- d = 20 = 10100 base 2, m = 5, and n = 35
- Initialize s = 5^1 (d0 == 1)
  - s = (5 * 5) mod 35 and d1 == 0, so s = 25
  - s = (25 * 25) mod 35 = 30 and d2 == 1, so s = (30 * 5) mod 35 = 10
  - s = (10 * 10) mod 35 and d3 == 0, so s = 30
  - s = (30 * 30) mod 35 and d4 == 0, so s = 25

No huge numbers and it's efficient. In this example, 5 steps vs 20 multiplications

Attacking Scenario: repeated squaring

- This attack also measures the correlation between guessed and empirical time measurements
- This works because the 2nd consumed time depends on the 1st data (s) and the second bit of the key, and so forth. In other words, the high-order bits affect the result more than the lower bits.
- Thus the attacker begins at the top bit, then continues to the next bit and so on
- The more bits the attacker already knows, the stronger the signal, and thus the easier it is to detect (error-correction property)

Attacking Scenario: repeated squaring

- First, the attacker wants to know the first bit of the secret key, where he has a target plaintext and knows its consumed time
- He decrypts the plaintext with 1111
- Next he decrypts the plaintext with 0111
- Then he creates two graphs for each pair of consumed times
- Then he finds the strong correlation for 0111, especially at the last step. Thus the first bit may be 0.
- He continues this procedure to the next bit and so on
- He can efficiently recover low-order bits when enough high-order bits are known because of the error-correction property

Chinese Remainder Theorem

- Modular reduction is done by subtracting multiples of the modulus, which also takes most of the computation time
- Given m = c^d (mod n) where n = pq
- With CRT, first compute c^d modulo p, and then c^d modulo q. After that "glue" them together
- Two modular reductions of size n^(1/2), as opposed to one reduction of size n
- CRT provides significant speedup by a factor of 4
- (comment) Several researchers claim the above two statements. However, I don't think so!

Algorithm

To compute C^d (mod N) where N = pq

First pre-compute:
    dp = d (mod (p - 1))
    dq = d (mod (q - 1))

Second, pre-find a and b such that
    a = 1 (mod p) and a = 0 (mod q)
    b = 0 (mod p) and b = 1 (mod q)

Now computes:

Solution is:

Example

Suppose N = 33, p = 11, q = 3 and d = 7

Pre-compute
    dp = 7 (mod 10) = 7
    dq = 7 (mod 2) = 1

Pre-find a = 12 and b = 22

Suppose we decrypt C = 5
    Cp = 5 (mod 11) = 5 and Cq = 5 (mod 3) = 2
    xp = 5^7 = 3 (mod 11), xq = 2^1 = 2 (mod 3)

Solution: 5^7 = 3 * 12 + 22 * 2 = 14 (mod 33)
Regular operation: C^d = 5^7 (mod 33) = 14

Limitation:

- Factors p and q of N must be known
- Only for private key operations
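The CRT private-key operation from the Algorithm and Example slides, written out as an added example (not code from the original slides). The function names are assumptions, and the combining step a * xp + b * xq (mod N) is taken from the worked example with N = 33.

```python
# Added example: RSA private-key operation via CRT with the a/b "glue" constants.
# Function names are illustrative; the toy values are the ones on the slide.

def crt_precompute(p, q, d):
    """Return (dp, dq, a, b) for N = p * q."""
    dp = d % (p - 1)
    dq = d % (q - 1)
    # a = 1 (mod p) and a = 0 (mod q): a multiple of q that is 1 mod p
    a = q * pow(q, -1, p)
    # b = 0 (mod p) and b = 1 (mod q): a multiple of p that is 1 mod q
    b = p * pow(p, -1, q)
    return dp, dq, a, b


def crt_decrypt(c, p, q, d):
    """Compute c^d mod (p * q) using two half-size exponentiations."""
    dp, dq, a, b = crt_precompute(p, q, d)
    xp = pow(c % p, dp, p)          # c^d mod p, with the reduced exponent dp
    xq = pow(c % q, dq, q)          # c^d mod q, with the reduced exponent dq
    return (a * xp + b * xq) % (p * q)


def plain_decrypt(c, n, d):
    """Regular operation: one full-size exponentiation."""
    return pow(c, d, n)


if __name__ == "__main__":
    p, q, d = 11, 3, 7
    print(crt_precompute(p, q, d))
    print(crt_decrypt(5, p, q, d), plain_decrypt(5, p * q, d))
```

Both limitations are visible in the code: crt_precompute needs p and q, so only the private-key holder can use this path.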

Attacking Scenario: CRT

- The attacker doesn't have to know anything
- As we mentioned before, CRT first computes c^d modulo p, and then c^d modulo q
- First guess c^d and measure the consumed time for the first (or second) operation.
- If p is smaller than c^d, it takes no time. If p is larger than c^d, it must subtract p at least once
- Then extract p (or q)

Attacking Scenario: CRT

- The attacker wants to know the decryption key (d)
- First, he tries to extract the value p, so he runs the program with c^d = 1, 3, 5, 7, 11 … and measures the consumed times
- The consumed times are constant from 1 to 5, but increase after 7. Thus, p might be 7
- Then he does the same operation to find q
- Now, he knows q and p
- Thus, he can calculate n = p * q and φ(n) = (p-1) * (q-1)
- Because e is public, d = e^-1 (mod φ(n))

Countermeasures

How to prevent timing attacks or make them difficult

1. Reduce or eliminate the correlation between the execution time and parameters such as input data, modulus, and keys

OR

2. Add noise, because the number of samples needed to obtain enough information is proportional to the noise

Examples of Countermeasures

- Constant Time Calculation
- Random Time Calculation
- RSA Blinding
- Avoid Conditional Operation
- Time Equalization of Multiplication and Exponentiation

Constant Time Calculation

In this strategy, the time it takes to do any operation must be independent of the input and key (constant and equal every time)

Thus, every operation takes the slowest operational time by waiting

However, this strategy raises the execution time dramatically (corresponding to the worst case)

Random Time Calculation

In this strategy, the time it takes to do any operation changes from one operation to the next

It is done by waiting a random time before going to the next execution

However, this strategy also raises the execution time, and its random variance must be large and completely random

RSA Blinding

The idea is the same as the random time calculation: the time it takes to do any operation changes from one operation to the next

However, the randomization is done by multiplying by a random seed before the operation and multiplying by the inverse of the seed after the operation. In other words, it changes m (plaintext) or c (ciphertext)

This strategy adds slight execution time

Algorithm and Example

Algorithm:
- Generate random r
- First multiply by r^e: m'' = r^e * c (mod N)
- Then decrypt: m' = (m'')^d (mod N)
- Finally, multiply by r^-1 (mod N): m = r^-1 * m' = r^-1 * (r^e * c)^d = r^-1 * r * c^d = c^d (mod N)

Example: c = 3, r = 2, e = 3, d = 7, and N = 33
    m'' = 2^3 * 3 (mod 33) = 24
    m' = 24^7 (mod 33) = 18
    m = ½ * 18 = 9

Regular operation: m = 3^7 (mod 33) = 9
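The blinding steps above as an added example (not code from the original slides), using the slide's toy values. The function names and the optional fixed r parameter are assumptions made so the slide's numbers can be reproduced.

```python
# Added example: RSA blinding, m'' = r^e * c, m' = (m'')^d, m = r^-1 * m'.
import math
import secrets


def blinded_decrypt(c, e, d, n, r=None):
    """Return (m, blinded), where blinded is the value actually exponentiated.
    If r is omitted, a fresh random value invertible mod n is drawn."""
    if r is None:
        while True:
            r = secrets.randbelow(n - 2) + 2      # 2 <= r <= n - 1
            if math.gcd(r, n) == 1:
                break
    elif math.gcd(r, n) != 1:
        raise ValueError("r must be invertible mod n")
    blinded = (pow(r, e, n) * c) % n              # m'' = r^e * c (mod n)
    m_blind = pow(blinded, d, n)                  # m'  = (m'')^d = r * c^d
    m = (pow(r, -1, n) * m_blind) % n             # m   = r^-1 * m' = c^d
    return m, blinded


def blinded_inputs(c, e, d, n):
    """All values the exponentiation can see for one fixed ciphertext c."""
    seen = set()
    for r in range(2, n):
        if math.gcd(r, n) == 1:
            m, blinded = blinded_decrypt(c, e, d, n, r)
            if m != pow(c, d, n):
                raise AssertionError("blinding changed the plaintext")
            seen.add(blinded)
    return seen


if __name__ == "__main__":
    print(blinded_decrypt(3, 3, 7, 33, r=2))      # the slide's example
    print(sorted(blinded_inputs(3, 3, 7, 33)))
```

The same ciphertext reaches the exponentiation as many different values, so timings collected for a chosen c no longer correspond to a known input.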

Avoid Branch and Conditional Operation

- Conditional statements often depend on the input or key
- As we mentioned before, branch and conditional statements (e.g. if statements) change the consumed time
- So eliminate any branch and conditional statement to equalize the computational time
- Also, the calculation must be performed via elementary operations (such as AND, OR, and XOR)

Time Equalization of Multiplication and Exponentiation

- The times taken by multiplication and exponentiation (especially squaring) are different
- Therefore, one needs to equalize them by performing both operations when only one of them is required and discarding the unnecessary result
- So, the attacker will not be able to learn when and how many multiplications and exponentiations are made
- This strategy also adds overhead
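An added example (not code from the original slides) that puts the repeated-squaring pseudo-code beside an equalized variant combining the two countermeasures above: always multiply, then keep or discard the product with AND/OR masks. Operation counts stand in for time because Python integer arithmetic is not constant-time; the function names and the key list are constructed for illustration.

```python
# Added example: key-dependent vs. equalized square-and-multiply (toy values).

def square_and_multiply(m, d, n):
    """Repeated squaring as in the pseudo-code: multiply only when the bit is 1.
    Returns (m^d mod n, number of modular squarings and multiplications)."""
    s, ops = m % n, 0
    for bit in bin(d)[3:]:            # skip '0b' and the leading bit d0 = 1
        s = (s * s) % n
        ops += 1
        if bit == "1":                # key-dependent branch: extra work per 1 bit
            s = (s * m) % n
            ops += 1
    return s, ops


def square_and_multiply_always(m, d, n):
    """Equalized variant: multiply at every step and select the result
    with masks instead of an if statement."""
    s, ops = m % n, 0
    for bit in bin(d)[3:]:
        s = (s * s) % n
        t = (s * m) % n               # performed for every bit, 0 or 1
        ops += 2
        mask = -int(bit)              # -1 (all ones) if the bit is 1, else 0
        s = (t & mask) | (s & ~mask)  # keep t when bit is 1, otherwise keep s
    return s, ops


def op_profile(fn, m, n, keys):
    """Map each key to the number of operations fn performs for it."""
    return {d: fn(m, d, n)[1] for d in keys}


if __name__ == "__main__":
    keys = [16, 20, 31]               # same bit length, 1, 2 and 5 one-bits
    print(op_profile(square_and_multiply, 5, 35, keys))
    print(op_profile(square_and_multiply_always, 5, 35, keys))
```

For d = 20 the first function performs the 5 steps of the slide's example, and its count grows with the number of 1 bits in the key; the equalized variant performs 8 operations for every 5-bit key, which is the overhead the last bullet refers to.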

Conclusion

Side-channel attacks are a real threat with a wide range of possibilities and a large impact

A side-channel attack is not traditional cryptanalysis

Side-channel attacks are easy, quick, and inexpensive, and carry little risk of being noticed by victims

When one designs an algorithm or system such as a cryptosystem, one must think about additional output leaked from the devices, too.

References

- Bar-El, Hagai. "Introduction to Side Channel Attack"
- Kocher, Paul. "Timing Attacks On Implementation of DH, RSA, DSS and Other Systems"
- Haas, Job. "Side Channel Analysis and Embedded Systems Impact and Countermeasure"
- Endrodi, Csilla. "Side-Channel Attack of RSA"
- Cid, Carlos. "Cryptanalysis of RSA: A Survey"