This study aims to investigate the implementation strength of public key cryptography, considering standard counter-measures and imperfect side-channel leakage. It explores the interaction between counter-measures, the feasibility of published attacks, and the security of longer keys.
Longer Randomly Blinded RSA Keys may be Weaker than Shorter Ones. Colin D. Walter, Colin.Walter@comodo.com
Outline • Aims • History • Key Blinding Counter-Measure • Side Channel Leakage Model • Best Fit Metric • Phases 1 & 2 • Computational Feasibility • Conclusion
Aim • The aim is to investigate the implementation strength of public key cryptography assuming: • standard counter-measures • imperfect side-channel leakage • Do counter-measures interact to weaken a system? • Are published attacks impossible in real life? • Are longer keys more secure?
History • References to side channel leakage in patents (USPTO 1978): see the Abstract of US Patent 4211919. • Kocher et al (CRYPTO 1996, 1999): Timing and Power Attacks on smart cards – the concepts. • Coron (CHES 1999): Lists three standard randomising counter-measures for ECC. • Fouque et al (CHES 2006): Attack on Blinded RSA keys. • Here (WISA 2007): Extension of Fouque to an imperfect side channel.
4-ary Exponentiation
Inputs: key D = (d_{n-1} d_{n-2} … d_1 d_0)_4; modulus M; ciphertext C.
Precompute C^d mod M for each digit value d.
P ← 1;
For i ← n-1 downto 0 do Begin P ← (P^2)^2 mod M; if d_i ≠ 0 then P ← C^{d_i} × P mod M; End;
Output: plaintext P = C^D mod M.
• The side channel may distinguish squares from multiplications but not multiplications by different values of d_i, so it reveals which digits are zero, not their values.
The Leakage Model • Standard counter-measures are in place. • There is a (weak) side channel which gives a probability that a square or multiply occurs. • I/O of the exponentiation is unknown. • The adversary knows the algorithms. • The public parameters M and E are available. • The correctness of secret key D can be checked. • Only a realistic number of side channel traces are allowed.
Assumed Counter-Measures • An m-ary or sliding windows algorithm is used to prevent attackers from distinguishing exponent digits. • Input text is blinded to prevent the attacker from modelling the leakage of repeated identical inputs. • The secret key D is blinded on each re-use to prevent the adversary from improving the signal to noise ratio with repeated use of the same D. This means D is replaced by D_i = D + r_i φ(N) for a 20- to 32-bit random r_i.
Initial Calculations • The top half of the bits of φ(N) and N coincide (N − φ(N) = p+q−1 is only about half the length of N), so they are known. • DE = 1 + kφ(N) where k < E, D < φ(N). • D_i = (1 + (k+r_iE)φ(N)) / E ≈ (1 + (k+r_iE)N) / E • k+r_iE is typically a 32- to 48-bit unknown number. • Use the leakage from the first half of the trace for D_i to guess k+r_iE. • Information theoretically, a leakage of 1 bit per 32 key bits means we need 32×32 to 32×48 bits in the top half to guess k+r_iE successfully, i.e. keys of 2048 to 3072 bits – or longer keys.
Best Fit Metric & Phase 1 • Let p_j = prob that the jth operation of trace tr is a squaring. • Let D' be a guess at the key used for the trace tr. • Put d_j = +1 if the jth operation of D' is a squaring, d_j = –1 if the jth operation is a multiplication. • Let μ_m(tr, D') = Σ_{0≤j<m} d_j (p_j – ½). This measures how well D' matches the leakage tr over the first m operations (those for the top half of N). • For each side channel trace tr, choose k+rE, and hence D', to maximise this.
Does it Work? • Is the best guess at k+rE the correct one? • The leakage is weak, so some incorrect guesses score better than the correct one. • The correct guess lies in the top fraction of best guesses. • The fraction containing the correct guess is (almost) independent of how many bits need guessing. • The fraction containing the correct guess gets rapidly smaller as key length increases, so the search space is smaller. • k+rE becomes known if the key is long enough.
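The three slides above (the 4-ary loop, the blinding D_i = D + r_iφ(N) with its approximation D_i ≈ (1 + (k+r_iE)N)/E, and the best-fit search for k+r_iE) can be exercised end to end. The following is an added example written for this page, not code from the paper or its author: it generates a toy RSA key, blinds the exponent once, records the square/multiply sequence of one exponentiation through a constructed noisy channel, and scores every candidate x = k + rE with μ_m over the top operations of the trace. The modulus size (256 bits), public exponent (E = 17 rather than 2^16+1), blinding width (8-bit r), guard margin, and the leakage model (p_j = ½ + ½·strength·s_j plus clipped Gaussian noise) are assumptions chosen so the search finishes in seconds, and all function and variable names are the example's own.

```python
"""Added simulation (not the paper's code) of the 4-ary loop, key blinding and Phase 1."""
import random

def base4_digits(d, ndig=None):
    """Base-4 digits of d, most significant first, as exactly ndig digits."""
    if ndig is None:
        ndig = max(1, (d.bit_length() + 1) // 2)
    return [(d >> (2 * i)) & 3 for i in range(ndig - 1, -1, -1)]

def op_sequence(digits):
    """Trace of the slide's loop: 'S', 'S' for every digit, then 'M' if the digit is non-zero."""
    return [op for dig in digits for op in (("S", "S", "M") if dig else ("S", "S"))]

def four_ary_exp(c, d, mod):
    """Left-to-right 4-ary exponentiation of the slide; returns (c**d mod mod, op trace)."""
    table = [pow(c, j, mod) for j in range(4)]     # C^d mod M for each digit value d
    p, digits = 1, base4_digits(d)                 # digits d_{n-1} ... d_0
    for dig in digits:
        p = p * p % mod
        p = p * p % mod                            # P <- (P^2)^2 mod M
        if dig:
            p = table[dig] * p % mod               # P <- C^{d_i} * P mod M
    return p, op_sequence(digits)

def is_probable_prime(n, rng, rounds=16):         # Miller-Rabin, simulation quality only
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x == 1:
            continue
        for _ in range(s):
            if x == n - 1:
                break
            x = x * x % n
        else:
            return False
    return True

def make_key(bits, e, rng):
    """RSA key for a prime public exponent e; then D*e = 1 + k*phi(N) with k < e."""
    def prime(b):
        while True:
            cand = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(cand, rng):
                return cand
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                     # e is prime, so this is gcd(e, phi) == 1
            d = pow(e, -1, phi)                    # needs Python 3.8+
            return {"N": p * q, "phi": phi, "e": e, "D": d, "k": (d * e - 1) // phi}

def candidate_key(x, n_mod, e):   # attacker's D' for the guess x = k + r*e, with N in place of phi(N)
    return (1 + x * n_mod) // e

def top_ops(d, ndig, t):          # op sequence of the t most significant of d's ndig base-4 digits
    return op_sequence(base4_digits(d >> (2 * (ndig - t)), t))

def best_fit(probs, cand_ops, m):
    """mu_m(tr, D') = sum_{j<m} d_j (p_j - 1/2), d_j = +1 for a squaring, -1 for a multiplication."""
    return sum((1.0 if cand_ops[j] == "S" else -1.0) * (probs[j] - 0.5) for j in range(m))

def leak(ops, rng, strength, noise):
    """Constructed imperfect channel: p_j = Pr[op j is a squaring] as the attacker sees it."""
    return [min(1.0, max(0.0, 0.5 + 0.5 * strength * (1.0 if op == "S" else -1.0)
                         + rng.gauss(0.0, noise))) for op in ops]

def phase1(probs, n_mod, e, r_bits, ndig, t):
    """Score every x = k + r*e (k < e, r < 2**r_bits) over the first m = 2t trace operations."""
    m = 2 * t                                      # t digits always give at least 2t operations
    scores = [(best_fit(probs, top_ops(candidate_key(x, n_mod, e), ndig, t), m), x)
              for x in range(e << r_bits)]
    scores.sort(reverse=True)
    return scores, m

def simulate(bits, e, r_bits, guard, strength, noise, seed):
    """Make a key, blind it once, leak one exponentiation through the channel, run Phase 1."""
    rng = random.Random(seed)
    key = make_key(bits, e, rng)
    r, c = rng.getrandbits(r_bits), rng.randrange(2, key["N"])
    d_i = key["D"] + r * key["phi"]                # counter-measure: D_i = D + r_i*phi(N)
    result, ops = four_ary_exp(c, d_i, key["N"])
    ndig = ops.count("S") // 2                     # the digit count is visible in the trace
    # D' and D_i agree above bit bits//2 + r_bits + 1 (the slide's approximation); 'guard' adds margin
    t = (d_i.bit_length() - (bits // 2 + r_bits + 1 + guard)) // 2
    scores, m = phase1(leak(ops, rng, strength, noise), key["N"], e, r_bits, ndig, t)
    x_true = key["k"] + r * e
    return {"key": key, "d_i": d_i, "c": c, "result": result, "ops": ops, "ndig": ndig, "t": t,
            "m": m, "x_true": x_true, "scores": scores, "rank": [x for _, x in scores].index(x_true)}

if __name__ == "__main__":
    for strength, noise in ((1.0, 0.0), (0.4, 0.3)):   # perfect channel, then a weak one
        res = simulate(256, 17, 8, 8, strength, noise, seed=2007)
        print(strength, noise, "correct x ranked", res["rank"], "of", len(res["scores"]), "m =", res["m"])
```

Running the file prints the rank of the correct x among all RE candidates, first for a perfect channel (p_j ∈ {0, 1}) and then for a weak one. With perfect leakage the correct x scores the maximum possible m/2 and sits at or near the top; with the weak channel it lands in a top fraction rather than at the top, which is the point of the slide above. Raising bits while keeping R and E fixed is the experiment the talk describes: a longer key gives the metric more operations m to work with, so the fraction containing the correct x shrinks, while the candidate count RE, and hence the search cost, does not change.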
Phase 2: Recovering φ(N) We now assume k+r_iE is known for D_i = (1 + (k+r_iE)φ(N)) / E • Phase 2: Choose bits of φ(N) to maximise the metric μ_m = Σ_j μ_m(tr_j, D_j) • Bits are chosen one by one from most to least significant (m picked to measure only the contributions of the chosen bits). • Use several bits of lookahead to allow for the influence of carries and bit recoding in the exponentiation algorithm. • Are the bit choices correct? • What influences their correctness?
Bit Accuracy Accuracy of each bit determination depends on: • Number of available traces • Level of leakage • Number of lookahead bits The algorithm is self-correcting – bit errors are isolated. For a 2048-bit key, 10 lookahead bits and 100 traces, the probability of a correct bit was 0.9995. This is 1 error in 2000, so about half of a set of keys will be recovered correctly.
Computational Feasibility • Phase 1 – recovering the k+r_iE: O(REt log(RE)) leaked bit operations to process, where R = # choices for r (2^16 to 2^32), E = public exponent (e.g. 2^16+1), t = # traces needed in phase 2. It is highly parallelisable, with low space requirements. • Phase 2 – recovering φ(N): much less work than phase 1. • The attack is computationally feasible if RE is not too large.
Improved Counter-Measures • Bits are determined more accurately for longer keys. • Other work suggests fewer bit errors for longer keys. • Different exponentiation & modular multiplication algorithms only affect the level of leakage per key bit. • Computational feasibility decreases with more blinding: the work is essentially proportional to RE. So: • If possible, choose less leaky HW & algorithms. • Choose enough blinding & a large enough public exponent E to make it computationally infeasible to check every value of k+rE.
Conclusions • Many essential and first-class SW counter-measures can be inadequate on their own. • Information theoretic expectations should be treated as realisable. • Imprecise leakage is useful to an adversary. • Longer keys tend to be weaker for a fixed levelof randomisation counter-measures. • Randomisation needs to be scaled up for longer keys.