Side-Channel Attack: timing attack Hiroki Morimoto
Overview Review of traditional attacks Side-Channel Attacks Timing Attack Several ways to compromise RSA Countermeasures Conclusion References
Review Basic Attacks: exploiting security holes and weakness in the systems/algorithms choosing inadequate parameters brute force social engineering more … There is 3 types of cryptanalysis: Ciphertext-only Attack Known plaintext Attack Chosen plaintext Attack
What is Side-Channel Attack Side-Channel Attack don’t belong to the traditional attack This attack is based on experiments and statistics not mathematical theories Two types of the side-channel attack Passive Attacks: Observe the target such as computer or cell-phone Gain the “additional” information leaked from the physical implementations/devices caused by any operation i.e. timing information, power consumptions, electromagnetic leaks, voices/sounds Active Attacks: Add “additional” inputs Change the environment or target itself to let abnormal operations or change the program flow i.e. add voltage, clock gritching, or tempest virus
Goal Finds information such as: Algorithm/operation Cryptographic key Partial state information Plaintext/cyphertext more …
Advantages The Attackers can implement: With information easy to obtain With available non-expensive hardware From remote place Often quicker than the regular attack Compared to brute force and dictionaly attacks From few seconds to few hours Without damaging regular operations and physical devices Without notifying the victims
Timing Attack Power Monitoring Attack Fault Analysis Magnetic Emanation Attack Light Emission Attack Sound Attack (Includes wire-tapping and eavesdropping) Examples of Side-Channel Attacks
Timing Attack Timing attack is an example of an attack that exploits the implementation of an algoritm rather than the algorithm itself Measure the time it takes for a certain unit to perform an operation Keep the input, output, and consumed time Check the correlation between time measurements of guess key or input and empirical result (often statistically)
Background Operation takes slightly different amounts of time to process different input because of: Bypass operations such as branching or conditional statements RAM cache hit Processor instruction such as multiplication and division Others … Usually consumed time depends on input data, crypt keys, and modulo in cryptosystems
Usages Timing attack is often used to compromise public-key cryptosystem such as RSA For example, most of smart-card uses RSA. Therefore, inappropriate usage of it revels its secret key easily Sometimes, the key is tamper-proof Timing attacks reveal key length, key values, plaintext, etc…
RSA review Multiple prime RSA key generating algorithm 1. Select two primes: p and q 2. Calculate n = p * q 3. Calculate φ(n) = (p-1) * (q-1) 4. Choose e where gcd(e,φ(n)) = 1 5. Calculate d = e -1 (mod φ(n)) 6. Public Key = (e,n) and Private key = (d) Encryption: c = m e mod n Decryption: m = c d mod n
Modular Exponentiation The way of attacks depend on the details of modular exponentiation For efficiency, modular exponentiation is done via: Simple multiplication Repeated squaring Chinese Remainder Theorem (CRT) Montgomery multiplication Sliding window Karatsuba multiplication
Simple Multiplication The simplest case, the modular exponentiation is done by multiplying the number as many as the values of exponent such as 2^13 = 2 * 2 * 2 * 2 * 2 * 2* ….. Therefore, the execution time is direct proportional to the exponent value (key value)
Attacking Scenario: simple multiplication An attacker eavesdrops the decryption operation where he gets a plaintext and its computation time (the decryption key is 13 which is hidden from the attacker) He guesses the key is 12. He decrypts with the guess key and it returns small computation time Then, he guesses the key is 14 and retuned computation time is greater than empirical data Now, he knows the key is between 12 and 14
Repeated Squaring The most common and fast algorithm The number of loops is proportional to its key bit length Kotcher found a possible attack
In each step, the number is squared and mod by n If the current bit is 1, then a modular multiplication is executed If the current bit is 0, goto the next step Algorithm
Pseudo-Code // Compute c = m d (mod n) // where, in binary, d = (d 0,d 1,d 2,…,d num ) with d 0 = 1 s = m for i = 1 to num s = s 2 (mod n) if d i == 1 then s = s m (mod n) end if next i return s
Example For example: 5 20 = = 25 mod 35 With repeated squaring o d = 20 = base 2, m = 5, and n = 35 o Initialize s = 5^1 (d 0 == 1) – s = (5 * 5) mod 35 and d 1 == 0 s = 25 – s = (25 * 25) mod 35 and d 2 == 1 so that (30 * 5) mode 35 s = 10 – s = (10 * 10) mod 35 and d 3 == 0 s = 30 – s = (30 * 30) mod 35 and d 3 == 0 s = 25 No huge numbers and it’s efficient In this example, 5 steps vs 20 multiplications
Attacking Scenario: repeated squaring This attack also measures the correlation between guessed and empirical time measurements Because the 2 nd consuming time depends on the 1 st data (s) and second bit of the key, and so forth. In other word, the high-order bits affect a result more than the lower-bits. Thus the attacker begins the top of the bit, then continues to next bit and so on The more bits the attacker already knows, the stronger the signal, thus easier to detect (error-correction property)
Attacking Scenario: repeated squaring First, the attacker wants to know the first bit of the secret key where he has a target plaintext and knows its consumed time He decrypts the plaintext with 1111 Next he decrypts the plaintext with 0111 Then he creates two graphs for each pair of consumed times Then he finds the strong correlation for 0111 especially at the last step. Thus the first bit may be 0. He continues this procedure to the next bit and so on He can efficiently recover low-order bits when enough high-order bits are known because of error correlation property
Chinese Reminder Theorem Modular Reduction is done by subtracting multiples of the modules which also takes most of the computation time Given m = c d (mod n) where n = pq With CRT, first compute c d modulo p, and them c d modulo q. After that “glue” them together Two modular reductions of size n 1/2 As opposed to one reduction of size n CRT provides significant speedup by a factor of 4 (comment) several researchers claim above two statements. However, I don’t think so !
Algorithm To compute C d (mod N) where N = pq First pre-computes: d p = d (mod (p 1)) d q = d (mod (q 1)) Second, pre-find a and b such that a = 1 (mod p) and a = 0 (mod q) b = 0 (mod p) and b = 1 (mod q) Now computes: Solution is:
Example Suppose N = 33, p = 11, q = 3 and d = 7 Pre-compute d p = 7 (mod 10) = 7 d q = 7 (mod 2) = 1 Pre-find, a = 12 and b = 22 Suppose decrypt C = 5 C p = 5 (mod 11) = 5 and C q = 5 (mod 3) = 2 x p = 5 7 = 3 (mod 11), x q = 2 1 = 2 (mod 3) Solution: 5 7 = 3 2 = 14 (mod 33) Regular Operation: C d = 5 7 (mod 33) = 14
Limitation: Factors p and q of N must be known Only for private key operations
Attacking Scenario: CRT The attacker doesn’t have to know anything As we mentioned before, the CRT operates first computes c d modulo p, and then c d modulo q First guess c d and measure the consumed time for first (or second) operation. If the p is smaller than c d, takes no time. If the p is larger than c d, it must subtract p at least once Then extract the p (or q)
Attacking Scenario: CRT The attacker wants to know decryption key (d) First, he tries to extract the value p so that he runs the program with c d = 1, 3, 5, 7, 11 …. and measures the consumed times The consumed times are constant from 1 to 5, but increase after 7. Thus, p might be 7 Then he does the same operation to find q Now, he knows q and p Thus, he can calculate n = p * q and φ(n) = (p-1) * (q-1) Because e is public so that d = e -1 (mod φ(n))
Countermeasures How To prevent or make difficult to do timing attack 1. Reduce or eliminate coherence between the execution time and parameters such as input data, modulo, and keys OR 1. Add noises because the number of samples needed to obtain enough information are proportional to the noises
Examples of Countermeasures Constant Time Calculation Random Time Calculation RSA Blinding Avoid Conditional Operation Time Equalization of Multiplication and Exponentiation
Constant Time Calculation In this strategy, the time it takes to do any operation must be independent from input and key (constant and equal at every time) Thus, every operation takes the slowest operational time by waiting However, this strategy raises the execution time dramatically (corresponding to the worst case)
Random Time Calculation In this strategy, the time it takes to do any operation changes every operation at each time It is done by waiting a random time before going to the next execution However, this strategy also raises the execution time and its random variance must be large and completely random
RSA Blinding The idea is same as the random time calculation; time it takes to do any operation changes every operation at each time However, randomized time is done via multiplying the random seed before the operation and multiplying the inverse of the seed after the operation. In other word, it changes m (plaintext) or c (ciphertext) This strategy adds slight execution time
Algorithm and Example Algorithm: Generate random r First multiply r e : m” = r e c (mod N) Then decrypt: m’ = m” d (mod N) Finally, multiply by r 1 (mod N) : m = r 1 m’ = r 1 (r e c) d = r 1 rc d = c d (mod N) Example: c = 3, r = 2, e = 3, d = 7, and N = 33 m” = 2 3 * 3 (mod 33) = 24 m’ = 24 7 (mod 33) = 18 m = ½ * 18 = 9 Regular Operation: m = 3 7 (mod 33) = 9
Avoid Branch and Conditional Operation Conditional Statement often depends on input or key As we mentioned before, branch and condition statements (i.e. if statement) changes the consuming time So that eliminates any branch and conditional statement to equalize the computational time Also the calculation must be performed via elementary operations (such as AND, OR, and XOR)
Time Equalization of Multiplication and Exponentiation Time taken by multiplication and exponentiation (especially squaring) are different Therefore, when one need to equalize them by performing both operations when one of the operations required and discards unnecessary result So, the attacker will not be able to learn when and how many multiplications and exponentiations are made This strangely also adds overhead
Conclusion Side-Channel Attack is a real threat with wide range ofpossibility and a large impact Side-Channel Attack is not a traditional cryptanalysis Side-Channel Attack is easy, quick, inexpensive, and few risk to be notified by victims When one design algorithm or system such as cryptosystem, one must think about additional output leaked from the devices, too.
References Bar-El Hagai “Introduction to Side Channel Attack” Kocher Paul. “Timing Attacks On Implementation of DH, RSA, DSS and Other Systems” Haas Job. “Side Channel Analysis and Embedded Systems Impact and Coutner measure” Endrodi, Csilla, “Side-Channel Attack of RSA” Cid Carlos. “Cryptanalysts of RSA: A Survey”