Randomised Algorithms for Reducing Side Channel Leakage
Colin D. Walter, www.comodo.com (Bradford, UK), colin.walter@comodo.com
Overview
• Randomisation as a possible solution to DPA: Liardet/Smart; Oswald/Aigner; Ha/Moon; equalising ECC add and double code.
• Another side channel attack on exponentiation which defeats standard counter-measures: Big Mac.
• MIST division chains.
• Overlapping windows (Itoh et al.).
Colin D. Walter, Comodo Research Lab, Bradford, UK Next Generation Digital Security Solutions
Randomisation of Inputs
• Using a blinded exponent D + rφ(N) with random r is one solution. For ECC it is expensive: r needs perhaps 32 bits, which adds 32 extra bits to a typical key length of 160 or 192 bits, around 20%.
• Message blinding prevents known ciphertext attacks: C is replaced by r^E·C before decryption, and the result (r^E·C)^D = r^{DE}·C^D = r·M is multiplied by r^{–1} to recover M. (r^E and r^{–1} are stored, and their squares are used the next time.)
• Randomised point representations in ECC may also help: for random r in the field the projective representation (x,y,z) can be replaced with (rx,ry,rz), which represents the same point.
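Both input randomisations for RSA, as an added example that is not part of the original deck: a fresh blinded exponent D + rφ(N) for every decryption, and message blinding by r^E with the stored pair (r^E, r^{–1}) squared after each use so that the next decryption is blinded by r². The primes, public exponent and messages are constructed toy values (two Mersenne primes, far too small for real use); `BlindedRSA` and `demo` are names chosen here.

```python
import math
import random

# Constructed toy RSA parameters for illustration only: two Mersenne primes give a ~92-bit N.
# Nothing here is a usable key size; the blinding arithmetic is what the example shows.
P_TOY = 2**31 - 1
Q_TOY = 2**61 - 1
E_TOY = 65537


class BlindedRSA:
    """RSA decryption with both counter-measures of the slide: a fresh blinded exponent
    D + r*phi(N) for every decryption, and message blinding by r^E with the stored pair
    (r^E, r^-1) squared after each use, so that the next call is blinded by r^2."""

    def __init__(self, p, q, e, rng):
        self.N, self.phi, self.e = p * q, (p - 1) * (q - 1), e
        self.d = pow(e, -1, self.phi)             # private exponent D
        self.rng = rng
        while True:                               # pick an r that is invertible mod N
            r = rng.randrange(2, self.N)
            if math.gcd(r, self.N) == 1:
                break
        self.r_e = pow(r, e, self.N)              # stored: r^E mod N
        self.r_inv = pow(r, -1, self.N)           # stored: r^-1 mod N

    def blinded_exponent(self, bits=32):
        """D + r*phi(N) with a fresh random r of `bits` bits (32 bits, as on the slide).
        x^(D + r*phi(N)) == x^D mod N for every x because N is square-free."""
        r = self.rng.getrandbits(bits) | (1 << (bits - 1))   # top bit set, so r > 0
        return self.d + r * self.phi

    def decrypt(self, c):
        """M = ((r^E * C)^D') * r^-1 mod N, then advance the stored pair to r^2."""
        c_blind = self.r_e * c % self.N                          # r^E * C
        m_blind = pow(c_blind, self.blinded_exponent(), self.N)  # (r^E * C)^D = r * M
        m = m_blind * self.r_inv % self.N
        # (r^2)^E = (r^E)^2 and (r^2)^-1 = (r^-1)^2: squaring both stored values
        # moves the blinding factor to r^2 without another inversion.
        self.r_e = self.r_e * self.r_e % self.N
        self.r_inv = self.r_inv * self.r_inv % self.N
        return m


def demo(seed=7):
    """Encrypt two messages, decrypt them under changing blinding, and check that a
    blinded exponent differs from D but gives the same modular power."""
    rsa = BlindedRSA(P_TOY, Q_TOY, E_TOY, random.Random(seed))
    msgs = [123456789, 987654321012345]
    plain = [rsa.decrypt(pow(m, rsa.e, rsa.N)) for m in msgs]
    d_blind = rsa.blinded_exponent()
    return plain == msgs, d_blind != rsa.d, pow(5, d_blind, rsa.N) == pow(5, rsa.d, rsa.N)
```

The exponent blinding costs about 32 extra bits of exponent per decryption; the message blinding costs two modular multiplications plus the two squarings that update the stored pair, and never needs an inversion after set-up.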
Randomisation of Algorithms
• Randomisation of the algorithms themselves (as opposed to their inputs), particularly exponentiation, is used to prevent the averaging normally employed to perform SPA/DPA.
• A different (random) sequence of operations is designed to ensure the average has no key-dependent bias: squares and multiplies (adds and doubles in ECC) occur in different orders every time, even for the same inputs.
• Randomised algorithms may help solve the problems of DPA, perhaps saving the cost of key blinding (which also randomly changes the sequence of squares and multiplies).
• Need & seed for random number generators (RNGs).
The Liardet-Smart Expn Algm
• Decryption/signing in ECC: Q = kP for point P and secret key k.
• k is represented with randomly varied 2-power bases m_i and corresponding digits k_i:
  k = ((...((k_n)m_{n–1} + k_{n–1})m_{n–2} + ...)m_1 + k_1)m_0 + k_0
  Digits are generated in the order k_0, k_1, …
• kP is computed by processing digits from most to least significant:
  kP = m_0(m_1(... m_{n–2}(m_{n–1}(k_nP) + k_{n–1}P) + ...) + k_1P) + k_0P
  Digits are used in the order k_n, k_{n–1}, …
Liardet-Smart Recoding (CHES 2001)
  i ← 0 ;
  While k > 0 do {
    If (k mod 2) = 0 then { m_i ← 2 ; k_i ← 0 ; }
    else {
      Choose base m_i ∈ {2^1, 2^2, ..., 2^R} randomly ;
      k_i ← k minmod m_i ;   // minmod returns the least absolute value residue
    }
    k ← (k – k_i) / m_i ;
    i ← i + 1 ;
  } ;
Efficiency
• The odd point multiples k_iP (1 ≤ k_i ≤ 2^R–1) are pre-computed.
• For uniformly random choice of m_i, there is 1 double and 1/(R+1) adds per key bit.
• For R = 1 this is the usual “square-and-multiply” algorithm (“double-and-add”) with half an add per bit on average.
• If m_i = 2^R always for odd digits k_i, and m_i = 2, k_i = 0 for even digits, this becomes sliding window exponentiation. This is a derivative of m-ary exponentiation (m = 2^R) which halves the space necessary for pre-computed values (only odd multiples need be stored).
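The recoding and the matching scalar multiplication, as an added example that is not part of the original deck. The elliptic curve is replaced by a constructed stand-in, the additive group of integers modulo `ORDER`, so that point addition is `+`, doubling is `×2` and negation is unary minus; the recoding logic and the double/add pattern it produces are exactly what a real curve implementation would be driven by. `ls_recode`, `ls_value`, `ls_scalar_mult` and `demo` are names chosen here.

```python
import random

# Toy additive group standing in for the elliptic curve: a "point" is an integer mod ORDER,
# so point addition is +, doubling is x2 and negation is unary minus. Constructed for
# illustration only; a real curve would be driven by exactly the same recoding.
ORDER = 1000003


def ls_recode(k, R, rng):
    """Liardet-Smart recoding: returns the pairs (k_0, m_0), (k_1, m_1), ... least significant
    first. Even k gives base 2 and digit 0; odd k gives a random base m_i in {2, 4, ..., 2^R}
    and the digit k_i = k minmod m_i, the least absolute residue (odd, possibly negative)."""
    pairs = []
    while k > 0:
        if k % 2 == 0:
            m, d = 2, 0
        else:
            m = 1 << rng.randint(1, R)
            d = k % m
            if d > m // 2:
                d -= m
        pairs.append((d, m))
        k = (k - d) // m
    return pairs


def ls_value(pairs):
    """Horner evaluation from the top digit: k = ((...(k_n m_{n-1} + k_{n-1}) ...) m_1 + k_1) m_0 + k_0."""
    k = 0
    for d, m in reversed(pairs):
        k = k * m + d
    return k


def ls_scalar_mult(k, point, R, rng):
    """kP processed from the most significant digit, logging the double ('D') / add ('A')
    pattern that distinguishable add and double code would expose in a single power trace."""
    pairs = ls_recode(k, R, rng)
    odd = {d: d * point % ORDER for d in range(1, 1 << R, 2)}   # pre-computed odd multiples d*P
    q, trace = odd[pairs[-1][0]], []                             # top digit k_n is positive and odd
    for d, m in reversed(pairs[:-1]):
        for _ in range(m.bit_length() - 1):                      # multiply by m = 2^j: j doublings
            q = 2 * q % ORDER
            trace.append("D")
        if d:                                                    # negative digit: subtract |d|*P,
            q = (q + (odd[d] if d > 0 else -odd[-d])) % ORDER    # which costs the same as an add
            trace.append("A")
    return q, pairs, trace


def demo(seed=3, R=4, point=5):
    """Check several scalars: the recoding reads back to k, kP is right, the doubling count
    matches the bases, and the D/A pattern differs between runs for the same k."""
    rng = random.Random(seed)
    ok = True
    for k in (1, 2, 97, 12345, 2**40 + 12345):
        q, pairs, trace = ls_scalar_mult(k, point, R, rng)
        ok &= q == k * point % ORDER and ls_value(pairs) == k
        ok &= all(d % 2 == 1 and abs(d) < (1 << R) for d, _ in pairs if d)
        ok &= trace.count("D") == sum(m.bit_length() - 1 for _, m in pairs[:-1])
    patterns = {tuple(ls_scalar_mult(12345, point, R, rng)[2]) for _ in range(20)}
    return ok, len(patterns) > 1
```

With `R = 1` every odd step uses base 2, so `ls_recode` degenerates to plain binary and the trace becomes the fixed double-and-add pattern of the key; that is the case the later "Blinding etc. is necessary" slide warns about when the key is re-used without blinding.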
Power Analysis Attacks
• First, note that the negative digits mean an inverse must be computed. This is free for ECC (subtraction and addition of points cost the same) but requires work in RSA. So this algorithm is really only suitable for ECC.
• With standard projective or affine representation for points, adds and doubles in ECC are easily distinguished using timing differences in a single power trace because the code for them is different.
• Adds may represent any of many digits, so reconstructing the exponent from one trace creates an infeasibly large search space.
• Averaging does not produce useful information.
Blinding etc. is necessary
• Unfortunately, if i) the same key is re-used, and ii) blinding of the key is omitted, and iii) doubles & adds can be distinguished (on a single expn), then their patterns over several expns do reveal the secret key.
• So either: i) blinding should be used, or ii) the code used for adds and doubles must appear identical to SPA/DPA/SEMA/DEMA, or iii) the add should always be done, and the result chosen appropriately.
Balanced Code
• Code for which adds and doubles are indistinguishable appeared at CHES 2001 and CHES 2002. (See Nigel Smart’s talks for details.)
• Performing the add every time and selecting the required result can be done as follows (the required value is in R[0]):
  R[0] ← 2R[0] ;
  If k_i = 0 then x ← 1 else x ← 0 ;
  R[x] ← R[0] + P ;
  (For k_i = 0 the add is still performed but lands in the dummy register R[1].)
• While this minimises the power differences (if compiled suitably), it may be susceptible to EMA because of the different locations which emit EMR when assigning to R[x].
• Use random register re-location for this.
Oswald-Aigner (CHES 2001)
Finite automaton (transition diagram not reproduced here): P and Q are points on the elliptic curve; P is initialised to the point at infinity, Q to the input point; rb is a random bit used to select a dotted transition for each key bit.
Oswald-Aigner (CHES 2001)
• Key k is represented with randomly varied digits k_i ∈ {–1, 0, 1, 2}:
  k = 2^n k_n + 2^{n–1} k_{n–1} + ... + 2k_1 + k_0
• Digits are chosen in the order k_0, k_1, … and processed as they are generated, using the formulae on the FA transitions.
• After processing i bits, Q contains the value 2^i P_0 where P_0 is the initial input point. This is required for adding 2^i k_i P_0: it is added to P if k_i = 1, doubled again first then added if k_i = 2, and subtracted if k_i = –1.
• The variable P in the FA contains the multiple of the initial point P_0 formed so far, i.e. (2^i k_i + ... + 2k_1 + k_0)P_0, and so eventually contains the desired output kP_0.
Efficiency
• For most reasonable distributions of the random-bit choices, this gives 1 double and just over ½ add per key bit.
• With mild alterations, and suitable choice of random bits, the FA generates a “NAF”, a non-adjacent form in which no two successive digits are non-zero.
• Again, the generation cost for this representation is minimal, and the cost of computing kP is similar to that of the standard square-and-multiply algorithm.
Power Analysis Attacks
• Again, this is for ECC not RSA because inverses must be found.
• With standard algorithms for point operations, adds and doubles are easily distinguished using timing differences in a single power trace because the code for them is different.
• But, again, adds may represent any of several digits, so reconstructing the exponent from one trace creates an infeasibly large search space.
• Again, averaging does not produce useful information.
Blinding etc. is necessary
• Unfortunately, if i) the same key is re-used, and ii) blinding of the key is omitted, and iii) doubles & adds can be distinguished (on a single expn), then their patterns over several expns reveal the secret key.
• So either: i) key blinding should be used, or ii) the code used for adds and doubles must appear identical to SPA/DPA/SEMA/DEMA, or iii) the add should always be done, and the result chosen appropriately.
The Ha-Moon Expn Algm
• Decryption/signing in ECC: Q = kP for point P and secret key k.
• k is represented with random recoding to a fixed 2-power base m and digits k_i:
  k = ((...((k_n)m + k_{n–1})m + ...)m + k_1)m + k_0
  Digits are generated in the order of use k_n, k_{n–1}, …
• The digit multiples k'P are pre-computed over the chosen digit range.
• kP is computed by processing digits from most to least significant:
  kP = m(m(... m(m(k_nP) + k_{n–1}P) + ...) + k_1P) + k_0P
Yen-Ha-Moon Recoding (ICICS 2004)
Assume binary coding k = b_{2n–1}b_{2n–2}…b_1b_0. Pre-compute & store R[i] ← iP for 0 ≤ i ≤ 14.
  r ← b_{2n–1}b_{2n–2} ;
  For i from n–2 downto 0 do {
    borrow ← 4r ;
    r ← Random {1,2,3} ;
    R[0] ← 4R[0] + R[borrow – r + b_{2i+1}b_{2i}]
  } ;
  R[0] ← R[0] + R[r]
(Here b_{2i+1}b_{2i} denotes the 2-bit value 2b_{2i+1} + b_{2i}, R[0] starts as the point at infinity, and since r ≥ 1 throughout every table index borrow – r + b_{2i+1}b_{2i} lies in 1..14.)
Efficiency
• Positive digits, so suitable for RSA as well as ECC.
• No zero digits, so the time is as for square-and-always-multiply.
• Re-coding can be done “on-the-fly”, i.e. the re-coded exponent does not need to be stored before use.
• Base and digit range are chosen to fit available resources, but more space is required than for Oswald-Aigner to achieve greater security.
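The Yen-Ha-Moon recoding driven as an RSA-style exponentiation, as an added example that is not part of the original deck: since all digits are positive it works with modular multiplication, so `R[i] = c^i mod n` plays the role of iP, "4R[0]" is two squarings and "+R[d]" one multiplication. The modulus and base are constructed toy values; `yhm_exp`, `yhm_value` and `demo` are names chosen here.

```python
import random


def yhm_exp(c, k, n, rng):
    """Left-to-right exponentiation c^k mod n driven by the Yen-Ha-Moon base-4 recoding.
    Every digit d lies in 1..14, so each iteration performs exactly square, square, multiply
    whatever the key bits are. Returns (result, digits most significant first, final r)."""
    assert k > 0
    n_quads = (k.bit_length() + 1) // 2                  # number of 2-bit groups b_{2i+1} b_{2i}
    quads = [(k >> (2 * i)) & 3 for i in range(n_quads)]
    table = [pow(c, i, n) for i in range(15)]            # R[i] = c^i for 0 <= i <= 14
    acc, r, digits = 1, quads[-1], []                    # r: 2-bit value still owed to the result
    for i in range(n_quads - 2, -1, -1):
        borrow = 4 * r
        r = rng.randint(1, 3)                            # the random choice of the recoding
        d = borrow - r + quads[i]                        # 1 <= d <= 14, never 0
        digits.append(d)
        acc = pow(acc, 4, n) * table[d] % n              # R[0] <- 4R[0] + R[d]
    return acc * table[r] % n, digits, r                 # R[0] <- R[0] + R[r]


def yhm_value(digits, r_final):
    """Read the recoding back: k = (...((d_1)4 + d_2)4 + ...)4 + d_{n-1} + r_final,
    which is the loop invariant 'accumulated value + r = bits processed so far'."""
    value = 0
    for d in digits:
        value = value * 4 + d
    return value + r_final


def demo(seed=5, n=1000003, c=12345):
    """Check a range of exponents: correct result, digits in 1..14, one digit per 2-bit group
    after the first, and the recoding reads back to k."""
    rng = random.Random(seed)
    ok = True
    for k in (1, 2, 3, 5, 100, 0b1011011, 2**63 + 17, 987654321):
        result, digits, r = yhm_exp(c, k, n, rng)
        ok &= result == pow(c, k, n) and yhm_value(digits, r) == k
        ok &= all(1 <= d <= 14 for d in digits)
        ok &= len(digits) == (k.bit_length() + 1) // 2 - 1
    return ok
```

Because the digit is never zero the square/multiply pattern is fixed, so the single-trace pattern leakage of the two previous algorithms disappears; what remains is the value of `d` selecting one of fourteen table entries, which is exactly the Hamming-weight leakage the next slide discusses.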
Power Analysis Attacks
• The previous problems with Liardet-Smart and Oswald-Aigner have been solved: the pattern of adds and doubles is always the same.
• If the Hamming weight of operands can be observed, then digit values can be deduced and the secret key reconstructed.
• If the same key is re-used, weak or inconclusive leakage can be pooled over many scalar multiplications to recover the key.
Blinding etc. is necessary
• Unfortunately, if i) the same key is re-used, and ii) blinding of the key is omitted, then weak Hamming weight leakage over several expns reveals the secret key.
• So random blinding of the key should be used.
“Big Mac” Attack on RSA & ECC
• Summary: a variation of DPA is used to determine the secret exponent in an embedded RSA or ECC cryptosystem.
• Assumption: the implementation uses a small multiplier whose power consumption is data dependent and measurable.
• Properties: i) on average, a mult-acc operation a×b+c has data-dependent contributions roughly linear in the Hamming weights of a and b; ii) the required random variation occurs because of the initial state set up by the previous mult-acc operation; iii) no knowledge of I/O is required.
• Reference: CHES 2001.
Combining Traces I
• The long integer product A×B in an exponentiation contains a large number of small digit multiply-accumulates: a_i×b_j+c_k.
• Identify the power sub-traces of each a_i×b_j+c_k from the power trace of A×B.
• Average the power traces for fixed i as j varies: this gives a trace tr_i which depends on a_i but only on the average of the digits of B.
Combining Traces (figure): the sub-traces of the digit products a0b0, a0b1, a0b2, a0b3 are cut out of the trace of A×B, aligned and averaged to give tr0 ≈ trace of a0·b̄, where b̄ is effectively an average random digit; so tr0 is characteristic of a0 only, not of B.
Combining Traces II
• The dependence of tr_i on B is minimal if B has enough digits.
• Concatenate the average traces tr_i for each a_i to obtain a trace tr_A which reflects properties of A much more strongly than those of B.
• The smaller the multiplier or the larger the number of digits (or both), the more characteristic tr_A will be.
Combining Traces
• Question: is the trace tr_A sufficiently characteristic to determine repeated use of a multiplicand A in an exponentiation routine?
(Figure: tr_A formed by concatenating tr0, tr1, tr2, tr3.)
Distinguish Digits?
• Averaging over the digits of B has reduced the noise level.
• In m-ary exponentiation we only need to distinguish: squares from multiplies; and the multiplicands A(1), A(2), A(3), …, A(m–1).
• For small enough m (the radix of the exponent) and a large enough number of digits they can be distinguished in a simulation of clean data.
• There is a danger that this “theoretical” attack could be made practical.
Distance between Power Traces
(Figure: the two traces tr_{A0} and tr_{A1} plotted as current against sample index i = 0..n.)
$d(A_0, A_1) = \left(\sum_{i=0}^{n} \big(tr_{A_0}(i) - tr_{A_1}(i)\big)^2\right)^{1/2}$
Simulation Results
• Equal exponent digits can be identified: their traces are close.
• Unequal exponent digit traces are not close.
• Squares can be distinguished from multiplications: their traces are not close to any other traces.
• There are very few errors for typical cases.
• The pre-computations A(i+1) ← A × A(i) mod N provide traces for known multiplicands. So:
  • we can determine which multiplicative operations are squares;
  • we can determine the exponent digit for each multiplication;
  • minor extra detail for i = 0, 1 and m–1;
  • this can be done independently for each operation.
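The whole attack as a simulation of clean data, as an added example that is not part of the original deck. The leakage model is the one stated on the "Big Mac" slide (each digit product leaks roughly HW(a_i) + HW(b_j), here plus assumed Gaussian noise); the multiplier is assumed to be 8-bit digit-serial with the table value A(d) always in the same operand role, the modulus is a constructed odd 512-bit number and the secret exponent a constructed 64-bit value. Subtracting each combined trace's own mean before comparing is a refinement added here, not on the slides: it removes the residual dependence on the average digit weight of B. The attacker sees only traces, never C, N or the square/multiply labels. All function names are chosen here.

```python
import random

WORD = 8                  # width of the simulated hardware multiplier's digits (bits)
NBITS = 512               # modulus size: 512/8 = 64 digits per long-integer operand
NDIGITS = NBITS // WORD
NOISE = 0.5               # assumed std-dev of Gaussian noise on each a_i*b_j+c power sample
CLOSE = 3.0               # distance below which two combined traces count as the same multiplicand


def hw(x):
    return bin(x).count("1")


def digits_of(x):
    """Little-endian WORD-bit digits of x, padded to NDIGITS."""
    return [(x >> (WORD * i)) & ((1 << WORD) - 1) for i in range(NDIGITS)]


def big_mac_trace(a_val, b_val, rng):
    """Simulated leakage of the long multiplication A*B, combined the Big Mac way: one sample per
    digit product a_i*b_j (leakage ~ HW(a_i)+HW(b_j)+noise), averaged over j for each i to give
    tr_i, then concatenated into tr_A. The mean of tr_A is subtracted (refinement added here),
    which removes what is left of the dependence on B, its average digit weight."""
    a, b = digits_of(a_val), digits_of(b_val)
    tr = [sum(hw(ai) + hw(bj) + rng.gauss(0, NOISE) for bj in b) / NDIGITS for ai in a]
    mean = sum(tr) / NDIGITS
    return [t - mean for t in tr]


def distance(t0, t1):
    """Euclidean distance d(A0, A1) between two combined traces."""
    return sum((x - y) ** 2 for x, y in zip(t0, t1)) ** 0.5


def leaky_mary_exp(c, d_secret, n, rng, m=4):
    """Left-to-right m-ary exponentiation c^d mod n on the leaky multiplier. Returns the result,
    the reference traces recorded during the pre-computation A(i+1) = A(i)*A(1) (known
    multiplicands A(1)..A(m-2)) and the ordered traces of every square and multiply of the
    main loop: what a probe would capture, with no square/multiply labels attached."""
    def mul(x, y):                    # x is the digit-serial multiplicand: the trace characterises x
        return x * y % n, big_mac_trace(x, y, rng)
    table, refs = {1: c}, {}
    for i in range(1, m - 1):
        table[i + 1], refs[i] = mul(table[i], c)
    r = m.bit_length() - 1            # exponent bits per digit
    ndig = (d_secret.bit_length() + r - 1) // r
    digs = [(d_secret >> (r * i)) & (m - 1) for i in reversed(range(ndig))]
    acc, ops = table[digs[0]], []
    for dig in digs[1:]:
        for _ in range(r):
            acc, t = mul(acc, acc)              # square: the multiplicand is the accumulator
            ops.append(t)
        if dig:
            acc, t = mul(table[dig], acc)       # multiply: the multiplicand is A(dig)
            ops.append(t)
    return acc, refs, ops


def big_mac_attack(refs, ops, m=4):
    """Recover the exponent digits from traces alone. An op close to a reference trace is a
    multiply by that A(d); an op close to no reference but close to another op is a multiply by
    the one multiplicand with no reference, A(m-1); an op close to nothing is a square."""
    def label(i):
        for d, ref in refs.items():
            if distance(ops[i], ref) < CLOSE:
                return d
        if any(j != i and distance(ops[i], other) < CLOSE for j, other in enumerate(ops)):
            return m - 1
        return 0                      # square
    r = m.bit_length() - 1
    digs, i = [label(0)], 0           # the first squaring's operand is A(d_top) itself: it names d_top
    while i < len(ops):
        i += r                        # the r squarings of the next digit
        if i < len(ops) and label(i):
            digs.append(label(i))     # a multiply follows: non-zero digit
            i += 1
        else:
            digs.append(0)
    return digs


def demo(seed=2001):
    rng = random.Random(seed)
    n = rng.getrandbits(NBITS) | (1 << (NBITS - 1)) | 1   # constructed odd 512-bit modulus
    c = rng.getrandbits(NBITS) % n
    d_secret = 0xC9F3E6B5D8A74B2E                       # constructed 64-bit secret exponent
    result, refs, ops = leaky_mary_exp(c, d_secret, n, rng)
    recovered = 0
    for dig in big_mac_attack(refs, ops):
        recovered = recovered * 4 + dig
    return result == pow(c, d_secret, n), recovered == d_secret
```

Each operation is classified on its own, so the work grows linearly with the exponent length, and a longer modulus only lengthens tr_A and so separates the distance clusters further; both are the points of the next slide. The clustering rule for A(m–1) and the positional handling of the first two squarings are the "minor extra detail" of this slide.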
Conclusions on “Big Mac”
• The independence of deducing each digit value means attack time proportional to the secret key length.
• A longer modulus means better discrimination between traces.
• So no greater safety against this attack from longer keys!
• With the usual DPA averaging already done, it may be possible to use a single exponentiation to obtain the secret key.
• So blinding the exponent as D + rφ(N) with random r may be no defence.
MIST – Yet Another Expn Algm
• There are currently two expn algorithms which offer some hope. They appear stronger than those described earlier. Both are described in CHES 2002.
• The first is MIST. It is based on the concept of division chains, which are a special type of addition chain (a means of describing an expn scheme).
• The other is by Itoh et al. and is based on digit blinding of the secret key.
• Both are suitable for RSA since they do not require inverses: digits are non-negative.
m-ary Expn (Reversed)
  { To compute: P = C^D }
  Q ← C ; P ← 1 ;
  While D > 0 do Begin
    d ← D mod m ;
    If d ≠ 0 then P ← Q^d × P ;
    Q ← Q^m ;
    D ← D div m ;
    { Invariant: C^{D.Init} = Q^D × P }
  End
  { Output: P = C^D for the initial value of D }
The example of 235₁₀ is given in the notes.
The MIST Expn Algorithm
  { To compute: P = C^D }
  Q ← C ; P ← 1 ;
  While D > 0 do Begin
    Choose a random base m, e.g. from {2,3,5} ;
    d ← D mod m ;
    If d ≠ 0 then P ← Q^d × P ;
    Q ← Q^m ;
    D ← D div m ;
    { Invariant: C^{D.Init} = Q^D × P }
  End
  { Output: P = C^D for the initial value of D }
“Randomary” Exponentiation
The main computational part of the loop is:
  If d ≠ 0 then P ← Q^d × P ; Q ← Q^m
• To provide the required efficiency, the set of possible values for m is chosen so that there is always an efficient addition chain for m which contains d, e.g. 1+1=2, 2+1=3, 2+3=5 is an addition chain for base m = 5 suitable for digits d = 0, 1, 2 or 3.
• Comparable to the 4-ary method regarding time complexity when the base set is {2,3,5}.
Example
Fix the base set = {2, 3, 5}. Consider D = 235₁₀.
  D    | m, d  | Q (before) | Q^d                 | Q^m (next Q)         | P (after)
  235  | 3, 1  | C^1        | (C^1)^1 = C^1       | (C^1)^3 = C^3        | 1 × C^1 = C^1
  78   | 2, 0  | C^3        | (C^3)^0 = 1         | (C^3)^2 = C^6        | C^1
  39   | 5, 4  | C^6        | (C^6)^4 = C^24      | (C^6)^5 = C^30       | C^1 × C^24 = C^25
  7    | 2, 1  | C^30       | (C^30)^1 = C^30     | (C^30)^2 = C^60      | C^25 × C^30 = C^55
  3    | 3, 0  | C^60       | (C^60)^0 = 1        | (C^60)^3 = C^180     | C^55
  1    | 2, 1  | C^180      | (C^180)^1 = C^180   | (C^180)^2 = C^360    | C^55 × C^180 = C^235
Read from the most significant end, the exponent is thus recoded as 235₁₀ = 1₂ 0₃ 1₂ 4₅ 0₂ 1₃ (each digit subscripted with its base); the digits are generated and consumed least significant first, so nothing needs to be stored in advance.
Choice of Base Set
• Security: bases must be chosen so that sequences of squares & multiplies or operand sharing do not reveal m. (This is the information which Big Mac recovers from leakage.)
• Efficiency:
  • Bases m must be chosen so that raising to the power m is (time) efficient enough.
  • Space is required to store addition chains.
  • As few registers as possible should be used for the exponentiation.
• One solution: take the set of bases {2,3,5}.
Choice of Base
Example algorithm (see CT-RSA 2002):
  m ← 0 ;
  If Random(8) < 7 then
    If (D mod 2) = 0 then m ← 2
    else If (D mod 5) = 0 then m ← 5
    else If (D mod 3) = 0 then m ← 3 ;
  If m = 0 then Begin
    p ← Random(8) ;
    If p < 6 then m ← 2 else If p < 7 then m ← 5 else m ← 3
  End
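MIST in full, as an added example that is not part of the original deck: the base-selection algorithm of this slide, the division-chain loop with its invariant, and the addition chain 1, 2, 3, 5 of the "Randomary" slide used to obtain Q^d and Q^m together (with 4 = 2+2 added only when the digit is 4, as in the D = 235 example). `Random(8)` is taken to mean a uniform value in 0..7. The modulus and bases are constructed toy values and the function names are chosen here.

```python
import random


def choose_base(d, rng):
    """Base selection from the slide (CT-RSA 2002): 7 times in 8 prefer an exact divisor of the
    remaining exponent (digit 0, so no multiplication), trying 2, then 5, then 3; otherwise a
    random base biased toward 2. rng.randrange(8) plays the role of Random(8)."""
    m = 0
    if rng.randrange(8) < 7:
        if d % 2 == 0:
            m = 2
        elif d % 5 == 0:
            m = 5
        elif d % 3 == 0:
            m = 3
    if m == 0:
        p = rng.randrange(8)
        m = 2 if p < 6 else (5 if p < 7 else 3)
    return m


def powers_by_chain(q, m, d, n):
    """Q^d and Q^m (mod n) computed together along the addition chain 1, 2, 3, 5 (4 = 2+2 only
    when the digit is 4). Returns (Q^d, Q^m, multiplications used). The shared intermediate
    powers are the operand re-use that a Big Mac attack tries to detect."""
    powers = {1: q, 2: q * q % n}
    if m >= 3:
        powers[3] = powers[2] * powers[1] % n
    if d == 4:
        powers[4] = powers[2] * powers[2] % n
    if m == 5:
        powers[5] = powers[2] * powers[3] % n
    return (powers[d] if d else 1), powers[m], len(powers) - 1


def mist_exp(c, d, n, chooser):
    """MIST: P = C^D mod N along a random division chain; chooser(D) supplies the next base.
    Returns (P, the chain of (base, digit) pairs least significant first, multiplication count)."""
    q, p, chain, mults = c % n, 1, [], 0
    d_init = d
    while d > 0:
        m = chooser(d)
        digit = d % m
        q_d, q_m, used = powers_by_chain(q, m, digit, n)
        mults += used
        if digit:
            p = q_d * p % n
            mults += 1
        q, d = q_m, d // m
        chain.append((m, digit))
        assert pow(c, d_init, n) == pow(q, d, n) * p % n   # the loop invariant of the slide
    return p, chain, mults


def mist_value(chain):
    """Read the division chain back: D = ((...(d_n m_{n-1} + d_{n-1}) ...) m_1 + d_1) m_0 + d_0."""
    value = 0
    for m, digit in reversed(chain):
        value = value * m + digit
    return value


def worked_example(n=1000003, c=7):
    """The slide's D = 235 with the base sequence 3, 2, 5, 2, 3, 2 scripted instead of random."""
    scripted = iter([3, 2, 5, 2, 3, 2])
    return mist_exp(c, 235, n, lambda _: next(scripted))


def random_demo(seed=11, n=1000003, c=12345):
    """Random bases from choose_base: result and read-back correct for several exponents."""
    rng = random.Random(seed)
    ok = True
    for d in (1, 2, 30, 235, 0xDEADBEEFCAFEF00D):
        p, chain, _ = mist_exp(c, d, n, lambda x: choose_base(x, rng))
        ok &= p == pow(c, d, n) and mist_value(chain) == d
    return ok
```

Note that the slide's example takes base 5 at D = 39 even though 3 divides 39; with `choose_base` that path is possible only through the 1-in-8 random branch, which is why `worked_example` scripts the bases rather than drawing them.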
An Operand Re-Use Theorem
THEOREM: For MIST, the search space for exponents with the same operand sharing sequence as D has size approximately D^{1/3}.
• These are the hypotheses resulting from the assumption that a “Big Mac” attack is possible. It yields the knowledge about operand sharing which is what breaks m-ary exponentiation.
• Under the same hypotheses, the search space for m-ary expn has size D^0, i.e. 1!
• Oswald reduces the time by performing a prioritised search.
• Exponent blinding is still recommended with this algorithm.
Overlapping Windows (Itoh et al.)
Worked example (figure), with windows of width k = 4 bits and overlap h = 2 bits:
  D (the secret key) = 1100 10 01 0 ……. 1 0 1 1 1 0
  w0 = 1100 – random 10 = 1010; the random 10 is copied down in front of the next two key bits 10, giving the next window 1010
  w1 = 1010 – random 11 = 0111; the previous random 11 copied down in front of 01 gives the next window 1101
  w2 = 1101 – random 10 = 1011; the previous random 10 copied down in front of 0… gives the next window 100…
  …
  wn–1 = 1011 – random 10 = 1001; the previous random 10 copied down in front of 10 gives 1010
  wn = 1010 (the remaining value)
Efficiency
• If the windows have a fixed width of k bits, say, the overlap is fixed at h bits, and m = 2^{k–h}, then D = (((w0·m + w1)·m + w2)·m + …)·m + w_{n–1})·m′ + w_n for a suitable m′ which depends on the number of bits left.
• Evaluation is done as for m-ary exponentiation (left to right), where k–h is the non-overlap width and m = 2^{k–h}, but the powers from 1 to 2^k–1 have to be pre-computed, i.e. all possible values for the digits w_i.
• The space requirement is larger than for m-ary exponentiation because of the 2^k pre-computed values.
• Time efficiency depends entirely on m, and so is equivalent to that of m-ary exponentiation.
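The recoding of the previous slide's figure and its left-to-right evaluation, as an added example that is not part of the original deck. It generalises the figure to any width k and overlap h, and handles the final partial window (the m′ of this slide). One assumption is added here: the random h-bit value is capped at the current window value so that every digit stays non-negative, which is what keeps the method usable for RSA. The modulus and base are constructed toy values; `ow_recode`, `ow_value`, `ow_exp` and `demo` are names chosen here.

```python
import random


def ow_recode(d_key, k, h, rng):
    """Overlapping-window recoding of the secret D, most significant end first: the first window
    is the top k bits; each later window is the random h-bit value r taken out of the previous
    window, 'copied down' in front of the next k-h key bits; digit w_i is the window minus a
    fresh random r_i. Once fewer than k-h bits remain they form the last digit
    w_n = r*2^t + (those t bits) and the last multiplier is m' = 2^t. Returns (w_0..w_n, m')."""
    assert 0 < h < k and d_key.bit_length() >= k
    m = 1 << (k - h)
    pos = d_key.bit_length() - k                # number of key bits below the current window
    window = d_key >> pos
    digits = []
    while True:
        # Assumption added here: r is capped at the window value so every digit is >= 0.
        r = rng.randrange(min(1 << h, window + 1))
        digits.append(window - r)
        if pos < k - h:                         # not enough bits for another full step
            digits.append((r << pos) | (d_key & ((1 << pos) - 1)))
            return digits, 1 << pos
        pos -= k - h
        window = (r << (k - h)) | ((d_key >> pos) & (m - 1))


def ow_value(digits, m, m_last):
    """Read back D = (((w_0 m + w_1) m + ...) m + w_{n-1}) m' + w_n."""
    value = 0
    for w in digits[:-1]:
        value = value * m + w
    return value * m_last + digits[-1]


def ow_exp(c, d_key, n, k, h, rng):
    """Left-to-right evaluation as for m-ary exponentiation with m = 2^(k-h), from a table of
    all 2^k possible digit values c^w. Returns (c^D mod n, digits, m')."""
    digits, m_last = ow_recode(d_key, k, h, rng)
    m = 1 << (k - h)
    table = [pow(c, w, n) for w in range(1 << k)]
    acc = table[digits[0]]
    for w in digits[1:-1]:
        acc = pow(acc, m, n) * table[w] % n
    return pow(acc, m_last, n) * table[digits[-1]] % n, digits, m_last


def demo(seed=9, n=1000003, c=12345):
    """Several keys and (k, h) pairs: the digits read back to D, lie below 2^k, and the
    exponentiation result is right."""
    rng = random.Random(seed)
    ok = True
    for d_key in (0b110010010110, 0xC93A5F7E1, 2**127 + 12345):
        for k, h in ((4, 2), (5, 3), (6, 2)):
            result, digits, m_last = ow_exp(c, d_key, n, k, h, rng)
            ok &= result == pow(c, d_key, n)
            ok &= ow_value(digits, 1 << (k - h), m_last) == d_key
            ok &= all(0 <= w < (1 << k) for w in digits)
    return ok
```

The cap on r is where the "does that leak?" question of the next slide bites in this simplified form: a small window restricts the random choice, so the distribution of the digits is not uniform near such positions.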
Enhancements
• For security, h > ½k is recommended: an overlap of at least half the width of the window (the overlap is the amount of randomness).
• The windows have a fixed width (determined by the chosen digit range), but the overlap widths can be varied if desired.
• A further refinement of this is to offset the table of pre-computed values by C^r (C = ciphertext, r = random blinding factor of, say, b = 32 bits).
• In this refinement, for random w_i of log₂k bits, the digit in the representation of D is 2^b·w_i + r. This is the value subtracted from D in the first slide, and these are the values that are stored in the table as well.
• This leaves a bottom digit of b bits to process: does that leak?
Conclusions
• Exponentiation leaks very easily. We are only beginning to understand the many ways the secret key might be reconstructed from side channel leakage.
• Randomisation has the potential of removing the predictability required for the current state-of-the-art in DPA and DEMA attacks.
• There are a number of randomised exponentiation algorithms available to help solve the problems. Some are known to offer little, others are unproven, others seem to be secure, perhaps.
• Almost certainly these algorithms should be used only when thoroughly investigated, and only in conjunction with other standard counter-measures, such as message and key blinding, “always add”, balanced code for add/double, etc.
Not an end – just a beginning!
Bibliography IV
This is a list of key references which discuss the topics covered in more detail (see also those for the other talk). Those with CDW as an author are mostly available at http://www.comodogroup.com/research/crypto/publications.html
• E. Brier & M. Joye, Weierstraß Elliptic Curves and Side-Channel Attacks, PKC 2002, LNCS 2274, Springer, 2002, pp. 335–345.
• P.-Y. Liardet & N.P. Smart, Preventing SPA/DPA in ECC Systems Using the Jacobi Form, CHES 2001, LNCS 2162, Springer, 2001, pp. 391–401.
• CDW, Breaking the Liardet-Smart Randomized Exponentiation Algorithm, Proc. Cardis 2002, Usenix Assoc., Berkeley, CA, 2002, pp. 59–68.
• E. Oswald & M. Aigner, Randomized Addition-Subtraction Chains as a Countermeasure against Power Attacks, CHES 2001, LNCS 2162, Springer, 2001, pp. 39–50.
• CDW, Issues of Security with the Oswald-Aigner Exponentiation Algorithm, RSA 2004, LNCS 2964, Springer, 2004, pp. 208–221.
Bibliography V
• CDW, Sliding Windows succumbs to Big Mac Attack, CHES 2001, LNCS 2162, Springer, 2001, pp. 286–299.
• CDW, MIST: An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis, CT-RSA 2002, LNCS 2271, Springer, 2002, pp. 53–66.
• CDW, Some Security Aspects of the MIST Randomized Exponentiation Algorithm, CHES 2002, LNCS 2523, Springer, 2002, pp. 276–290.
• CDW, Longer Keys may facilitate Side Channel Attacks, SAC 2003, LNCS 3006, Springer-Verlag, pp. 42–57.
• CDW, Seeing through Mist given a Small Fraction of an RSA Private Key, CT-RSA 2003, LNCS 2612, Springer, 2003, pp. 391–402.
• K. Itoh, J. Yajima, M. Takenaka & N. Torii, DPA Countermeasures by Improving the Window Method, CHES 2002, LNCS 2523, pp. 303–317.
• E. Oswald, Markov Model Side-Channel Analysis, SCA-Lab Technical Report Series, IAIK, TR 2004/03/01, at http://www.iaik.tugraz.at/aboutus/people/oswald/papers/TR2004-03-01-MarkovModelSCA.pdf