Rohatgi
[Figure: S: Data and Key Dependent Exponentiation (2 exponents X 2 data). Panels: E1, D2; E2, D2; E1, D1; E2, D1.]
Angle Modulation: Example 1
• PCI based RSA/Crypto Accelerator R inside an Intel/Linux server.
• AM-demodulate a 99 MHz carrier (clock harmonic).
R performing an RSA operation in a loop
Internals of RSA Exponentiation in R with small exponent
• Not directly….
• But, timing of asynchronously generated G affected by ongoing computation due to coupling effects.
– Timing statistics of G (using ~1000 samples) gives information about internals!!
– G strong enough to be captured at 10-15 feet.
G: Timing Statistics of G for fixed modulus, 3 exponents (2 same)
EM vs. Power
• EM may be only side-channel available.
• Is EM useful in the presence of power channel?
– Direct emanations: micro-sensor positioning, decorrelated noise [QS01, GMO 01]
– Unintended emanations: Several EM carriers:
• DEMA/DPA correlation plots show extent of leakage from different EM carriers & comparison with power signal.
– Different carriers carry different information.
– Some EM leakages substantially different/better than Power leakages.
4 Time Synchronized DPA/DEMA Correlation Plots
Bad Instructions
• Instructions where some EM leakage >> Power leakage.
• Typically CPU intensive rather than bus intensive.
• All architectures have BAD Instructions.
• Caution: Bad Instructions can break power analysis resistant implementations.
• Bad Instruction Example: Bit-test on several 6805 based systems leaks tested bit.
[Figure: two trace comparisons. Panel 1: tested bit = 0 in both traces. Panel 2: tested bit different.]
Part II: Template Attacks
• Sometimes a single (few) side-channel sample available.
– Stream ciphers, Ephemeral keys.
– “System Level Countermeasures” to side channel attacks.
• Higher level protocols limit key usage.
• Non-linear key update countermeasure (Kocher et al [KJJ ’99]).
• Are these inherently immune to side-channel attacks?
– Immune to traditional simple/differential attacks
• Easy to secure implementations against SPA/SEMA
– Ensure signal differences < noise level.
• DPA/DEMA and higher order DPA/DEMA inapplicable.
– Cannot remove noise by averaging over multiple samples.
– Not against Template Attacks (with some assumptions).
Example: RC4 on a smart-card
• At best, single trace during RC4 state initialization with ephemeral key available.
• Can avoid SPA.
• No DPA style attack possible.
• One key byte used per iteration.
• Is a single sample enough to recover the whole key ?
• Can two fixed keys different in 1st byte be distinguished during 1st iteration ?

    i = j = 0;
    for (ctr = 0; ctr < 256; ctr++)
    {
        j = key[i] + state[ctr] + j;
        SwapByte(state[ctr], state[j]);
        i = i + 1;
    }

Power Sample showing 6 iterations of loop
Sample = Signal + Noise
Signals (and signal difference) for two fixed keys with different first byte
Sample noise vs. Signal differences (6 iterations)
Sample noise vs. Signal difference in first iteration
Template Attack Basics: How to distinguish between the two keys ?
• Don’t (cannot) eliminate sample noise, use it!
• How ?
• Use identical device (assumption) for building signal and noise templates T1 and T2 for keys K1 and K2 in 1st iteration.
• T1 = {s1(t), 1(t) }, T2= {s2(t), 2(t) }
• Given sample S = s(t) use theoretically optimal maximum likelihood estimator:
• Which noise is more likely ? s(t)-s1(t) under 1(t)
OR
s(t)-s2(t) under 2(t)
Theory vs. Practice
• Need T1 = {s1(t), 1(t) }, T2= {s2(t), 2(t) }
• s1(t), s2(t) easily estimated by averaging.
• What about 1(t) and 2(t) ?
– Can be restricted to L sample points where s1(t) and s2(t) differ, e.g., L=42 in example.
– Still infeasible to estimate a general probability dist. over L.
– Borrow from the large body of work in Signal Detection and Estimation Theory which deals with precisely this problem!
• Several realistic and computable noise models available.
• We used the popular Multivariate Gaussian Noise model
Multivariate Gaussian Noise Model
Key byte  0xFE   0xEE   0xDE   0xBE   0x7E   0xFD   0xFB   0xF7   0xED   0xEB
          98.62  98.34  99.16  98.14  99.58  99.70  99.64  100    99.76  99.94
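The template construction and maximum-likelihood decision from the "Template Attack Basics" and "Theory vs. Practice" slides, as an added example on simulated traces (not code or data from the talk). It generalizes from two keys to several candidate key bytes; the leakage model in trace(), the noise levels, L = 8 and the trace counts are assumptions chosen for the simulation.

```python
import math
import random

KEYS = [0xFE, 0xEE, 0xDE, 0xBE]   # first four key bytes listed in the table above
L = 8                              # points of interest per trace (constructed value)

def trace(key_byte, rng):
    """Constructed leakage model (assumption): point k carries bit k of the key
    byte, plus noise shared by all points and a small independent noise term."""
    common = rng.gauss(0, 1.0)
    return [((key_byte >> k) & 1) + common + rng.gauss(0, 0.2) for k in range(L)]

def build_template(traces):
    """Signal template = mean trace; noise template = Cholesky factor of the
    sample covariance of the residuals (multivariate Gaussian noise model)."""
    n = len(traces)
    mu = [sum(t[k] for t in traces) / n for k in range(L)]
    cov = [[sum((t[a] - mu[a]) * (t[b] - mu[b]) for t in traces) / (n - 1)
            for b in range(L)] for a in range(L)]
    chol = [[0.0] * L for _ in range(L)]
    for i in range(L):
        for j in range(i + 1):
            s = cov[i][j] - sum(chol[i][k] * chol[j][k] for k in range(j))
            chol[i][j] = math.sqrt(s) if i == j else s / chol[j][j]
    return mu, chol

def log_likelihood(sample, template):
    """Gaussian log-density of the residual sample - mean, without the
    constant term that is identical for every template."""
    mu, chol = template
    z = []
    for i in range(L):   # forward substitution: solve chol * z = sample - mu
        z.append((sample[i] - mu[i] - sum(chol[i][k] * z[k] for k in range(i))) / chol[i][i])
    return -0.5 * sum(v * v for v in z) - sum(math.log(chol[i][i]) for i in range(L))

def classify(sample, templates):
    """Maximum-likelihood choice among the candidate key bytes."""
    return max(templates, key=lambda k: log_likelihood(sample, templates[k]))

def success_rate(n_profile=300, n_test=500, seed=1):
    """Profile on simulated traces, then classify fresh single traces."""
    rng = random.Random(seed)
    templates = {k: build_template([trace(k, rng) for _ in range(n_profile)]) for k in KEYS}
    hits = sum(classify(trace(k, rng), templates) == k for k in KEYS for _ in range(n_test))
    return hits / (n_test * len(KEYS))

if __name__ == "__main__":
    print(f"single-trace classification rate: {success_rate():.3f}")
```

In this simulation the shared noise is about as large as the one-bit signal difference at any single point, so the decision depends on the estimated covariance rather than on any one sample point.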
Questions?