Presentation is loading. Please wait.

Presentation is loading. Please wait.

Issues of Security with the Oswald-Aigner Exponentiation Algorithm Colin D Walter Comodo Research Lab, Bradford, UK www.comodogroup.com Colin D Walter.

Published byOctavia Conley Modified over 9 years ago

Similar presentations

Presentation on theme: "Issues of Security with the Oswald-Aigner Exponentiation Algorithm Colin D Walter Comodo Research Lab, Bradford, UK www.comodogroup.com Colin D Walter."— Presentation transcript:

1 Issues of Security with the Oswald-Aigner Exponentiation Algorithm Colin D Walter Comodo Research Lab, Bradford, UK www.comodogroup.com Colin D Walter Comodo Research Lab, Bradford, UK www.comodogroup.com

2 2/16 Overview Side Channel Leakage History The Oswald-Aigner Exponentiation Algorithm Recovering Secret Key Bits Counter-measures Conclusion

3 3/16 Side Channel Leakage Gates use of power is state and data dependent. Wire transmission of power is data dependent. —So current & EMR are data dependent. —For example, noticeable differences between loading data and commencing a long integer computation. Conditional Statements are data driven. —So execution time may be data dependent —For example, a conditional modular subtraction may have only one arm. So the value of the condition may be deducible. Conclusion: secret key information may leak.

4 4/16 History NSA – no such activity? – Tempest shielding. Kocher et al (1996-7): Timing & Power side channel papers. Walter & Thompson (2001): Theory for practical attack on RSA. Oswald, Aigner, Smart, Liardet (2001): Randomised Algorithms. Walter (2002): Liardet-Smart – use unblinded keys only once. Okeya & Sakurai (2002): Oswald-Aigner, special case. Here (2004): Oswald-Aigner, extended general case.

5 5/16 The Oswald-Aigner Algorithm The Exp n Algorithm contains randomisation to obscure the relationship between data and side channel leakage. Finite Automaton to compute P = kQ rb = random bit secret key k: read R to L.

6 6/16 Main Assumptions Suppose: 1.Doubles & Adds can be distinguished using power/EMR/time. 2.Adds & Subtracts are indistinguishable. 3.The secret k is re-used many times (≥10, say) without blinding. 4.The random bits rb are chosen independently with fixed probability which depends on the current state of the automaton. 5.k has uniformly distributed, independently chosen bits,...

7 7/16 Recovering Secret Key Bits (1) Each point multiplication generates a word over {D,A} where the number of Ds is the number of bits in k. – e.g. 11001 yields AD D D AD AD under r-to-l binary exp n alg m Here other choices are also possible. The i th “D” is generated by the i th bit of k, so we can align traces. Patterns AD, D and DA are possible for a bit. Between two Ds: DD, DAD and DAAD are possible. The relative frequencies determine the bit of k.

8 8/16 Recovering Secret Key Bits (2) Example Strings Key 11001, Ds aligned:  bit order reversed  binary exp case 10011 ADDDADAD ADDDADADA ADDDADDA ADDDADDA ADADDADAD ADADDADADA ADADDADDA ADADDADDA

9 9/16 Recovering Secret Key Bits (3) 1.For each bit pattern, compute frequency of each {A,D} pattern. 2.Deduce the possible bit patterns, ranked by likelihood. 3.Remove inconsistencies where associated bit strings overlap. Observation: it is easier to recognise bits from longer patterns.

10 10/16 Recovering Secret Key Bits (4) If p(rb=1) = ½ in each state, then the prob of each state is: 0: ⅜1: ¼ 2: ¼3: ⅛ So the prob of each D-to-D sub-string is: DD15/32 DAD16/32 DAAD1/32

11 11/16 Recovering Secret Key Bits (5) Example. 2 bits is enough with ~10 traces. For bit pair k i+1 k i : DAAD in some trace means it is 11, DAD or DAAD in some trace means it is not 00, no DAD or DAAD means 00 (probably), no DD or DAAD means 10 (probably), both DD and DAD means it is x1, both DD and DAD but no DAAD means 01 (probably). Apply this to example on slide 8. (Above bit order as in key, but reversed in trace table.)

12 12/16 Deduction Errors Using 10 traces to deduce the most likely bit pair and assuming p(rb) = ½, only 1 in 166 bits is incorrect. It is computationally feasible to search for, and recover, k with standard ECC key length. Precisely, k is recovered from O(log log k) traces and O( (log k) 2 ) decryptions Bits are recovered from local data, not sequentially L-to-R or R-to-L, so less re-computation when errors are made. Clearly, therefore, this algorithm should not be used where the initial assumptions hold.

13 13/16 Counter-Measures Can the parameters be changed to improve security? No! Whatever the chosen probability of rb = 1 in a given state, similar deductions can be made. Solutions: 1.Add fresh, random blinding for each use of k. 2.“Add and always double”, so every DD, DAD and DAAD is disguised as DAAD (very expensive). 3.“Balanced” code which is the same for A and D.

14 14/16 Dangers Longer {A,D}-patterns are more exclusive: the under-lying {0,1}-pattern may have uniquely determined substrings. Fewer traces but more computation are required with this approach. Experimentally, O( 4 √k) keys match a pattern given by k. In fact, about 20 patterns for a 16-bit section of a key, and hence 20 16 ≈ 2 69 decryption checks for a 256-bit key. This is just computationally feasible. So a single use of the key with this algorithm may be unsafe (making key blinding insufficient as a counter-measure).

15 15/16 Alternative Randomised Algorithms Besides the previous counter-measures, there are more secure randomised algorithms: 1.M IST : Walter (RSA 2001) 2.Overlapping Windows: Itoh et al (CHES 2002)

16 16/16 Conclusions The original randomised algorithm of Oswald & Aigner can only be used securely for a few times with the same key unless other counter-measures are employed (although it is undoubtedly more secure than “square and multiply”.) No parameter choice improves the situation. Standard counter-measures improve the security. The analysis is applicable to other randomised algorithms where at each point the unprocessed part of the key is fixed. It is clearer how to construct safer randomised algorithms. There are also suitable alternative algorithms.

Download ppt "Issues of Security with the Oswald-Aigner Exponentiation Algorithm Colin D Walter Comodo Research Lab, Bradford, UK www.comodogroup.com Colin D Walter."

Similar presentations

Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks JaeCheol Ha * and SangJae Moon ** * Korea Nazarene University **

Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks JaeCheol Ha * and SangJae Moon ** * Korea Nazarene University **
Noise, Information Theory, and Entropy (cont.) CS414 – Spring 2007 By Karrie Karahalios, Roger Cheng, Brian Bailey.

Noise, Information Theory, and Entropy (cont.) CS414 – Spring 2007 By Karrie Karahalios, Roger Cheng, Brian Bailey.
parity bit is 1: data should have an odd number of 1's

parity bit is 1: data should have an odd number of 1's
Introduction to Computer Science 2 Lecture 7: Extended binary trees

Introduction to Computer Science 2 Lecture 7: Extended binary trees
Fast Algorithms For Hierarchical Range Histogram Constructions

Fast Algorithms For Hierarchical Range Histogram Constructions
Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK www.co.umist.ac.uk.

Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK
©Silberschatz, Korth and Sudarshan12.1Database System Concepts Chapter 12: Indexing and Hashing Basic Concepts Ordered Indices B+-Tree Index Files B-Tree.

©Silberschatz, Korth and Sudarshan12.1Database System Concepts Chapter 12: Indexing and Hashing Basic Concepts Ordered Indices B+-Tree Index Files B-Tree.
C ● O ● M ● O ● D ● O RESEARCH LAB Longer Keys may Facilitate Side Channel Attacks (Bradford, UK) Colin.

C ● O ● M ● O ● D ● O RESEARCH LAB Longer Keys may Facilitate Side Channel Attacks (Bradford, UK) Colin.
C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 CHES 2000 Data Integrity in Hardware for Modular Arithmetic Colin Walter Computation Department,

C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 CHES 2000 Data Integrity in Hardware for Modular Arithmetic Colin Walter Computation Department,
Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.

Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.
1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.

1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.
Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.

Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.
Tirgul 10 Rehearsal about Universal Hashing Solving two problems from theoretical exercises: –T2 q. 1 –T3 q. 2.

Tirgul 10 Rehearsal about Universal Hashing Solving two problems from theoretical exercises: –T2 q. 1 –T3 q. 2.
More on protocol implementation Packet parsing Memory management Data structures for lookup.

More on protocol implementation Packet parsing Memory management Data structures for lookup.
Transforming out Timing Leaks (Agat’s approach) Terkel K. Tolstrup Informatics and Mathematical Modelling Technical University of.

Transforming out Timing Leaks (Agat’s approach) Terkel K. Tolstrup Informatics and Mathematical Modelling Technical University of.
Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.
Copyright 2008 Koren ECE666/Koren Part.6a.1 Israel Koren Spring 2008 UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Digital Computer.

Copyright 2008 Koren ECE666/Koren Part.6a.1 Israel Koren Spring 2008 UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Digital Computer.
Once Upon a Time-Memory Tradeoff Mark Stamp Department of Computer Science San Jose State University.

Once Upon a Time-Memory Tradeoff Mark Stamp Department of Computer Science San Jose State University.
Foundations of Cryptography Lecture 2 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 2 Lecturer: Moni Naor.

Similar presentations

Ads by Google