Lecture notes on RSA signature generation methods (signature generation using the Chinese Remainder Theorem and Rivest's Method II) and on timing and power cryptanalysis, including Kocher's timing attack, simple power analysis (SPA), differential power analysis (DPA), and countermeasures against these attacks. The notes cover historical context, the requirements for mounting the attacks, and examples of attacks and countermeasures.
Typology: Study notes
Side-channel model: a cryptographic transformation (encryption, decryption, signing, etc.) takes an input and a secret key K and produces an output. Leaked information: timing, power consumption, electromagnetic radiation.

Timing attacks
Inventor: Paul Kocher. Time: November 1995.
November 29, 1995: presentation of the basic concept at a university seminar
December 11, 1995: article in the New York Times
January 1996: presentation at the RSA Data Security Conference
Measured times of signing messages M1 .. MP: TSGN(M1), TSGN(M2), TSGN(M3), ...

Private exponent bits: d = dL-1 dL-2 dL-3 ... d2 d1 d0
Operation: SGN(M) = S = M^d mod N (right-to-left square-and-multiply)
    S = 1
    P = M
    for i = 0 to L-1 {
        if (di == 1) S = S·P mod N
        P = P·P mod N
    }
Computations performed in the first iteration (i = 0):
    for d0 = 0:  P = P·P mod N
    for d0 = 1:  S = S·P mod N;  P = P·P mod N

Analysis of correlations between the time of the first iteration, T1, and the time of the entire transformation, TSGN. For each message Mj the attacker computes the first-iteration time under both hypotheses, T1(Mj | d0=0) and T1(Mj | d0=1), and subtracts it from the measured total: TSGN(Mj) - T1(Mj | d0=0) and TSGN(Mj) - T1(Mj | d0=1).

Compare the distribution of the execution times of the entire transformation with the distribution of the execution times of all iterations except the first one, for d0 = 0 and for d0 = 1 (standard deviations):
- assuming correct guessing of d0 (and thus of the time of the first iteration), the standard deviation of the execution times of the remaining iterations decreases;
- assuming incorrect guessing of d0 (and thus of the time of the first iteration), the standard deviation of the presumed execution time of the remaining iterations increases.
The guess with the smaller standard deviation is kept, and the procedure is repeated for d1, d2, ...
Method II (R. Rivest): blinding
Choose a random Y.
SGN(M) = ([M·(Y^-1)^e]^d mod N) · Y mod N
       = [M^d mod N] · [(Y^-1)^(ed) mod N] · Y mod N
       = M^d mod N
(Y^-1)^e mod N may be computed in advance. Only two additional multiplications.

The requirements regarding the capabilities necessary to mount the attack are not met for many applications (e.g., e-mail). A simple countermeasure increases the time of the transformations to a very small extent (<1%). Problems arise with the modification of applications already deployed, in particular hardware implementations.
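The two slides above, the bit-by-bit variance test and Rivest's blinding, as an added worked example that is not part of the original notes. Everything about the target is constructed: a toy RSA modulus N = 1009·1013, an 8-bit exponent d = 181, and a timing model in which the cost of each modular multiplication is a deterministic function of its operands (standing in for effects such as Montgomery extra reductions) plus measurement jitter. The attacker does not know the formula but can reproduce the cost by running the same multiplication, which is all the attack needs.

```python
"""Added example: simulated Kocher timing attack on right-to-left
square-and-multiply, plus Rivest's blinding (Method II). All parameters and
the timing model are constructed for illustration, not taken from the notes."""
import hashlib
import random
import statistics

P, Q = 1009, 1013
N_MOD = P * Q                               # constructed toy modulus (real RSA: 2048+ bits)
PHI = (P - 1) * (Q - 1)
D = 181                                     # constructed private exponent
D_BITS = [(D >> i) & 1 for i in range(8)]   # d0 first, as in the slide's loop
E = pow(D, -1, PHI)                         # matching public exponent, e*d = 1 mod phi(N)


def mul_time(a, b, n):
    """Constructed operand-dependent cost of a*b mod n, in time units.
    The attacker cannot write it down as a formula but can reproduce it by
    running the same multiplication on a reference implementation."""
    h = hashlib.sha256(f"{a},{b},{n}".encode()).digest()
    return 100 + h[0] % 32


def sign_timed(m, d_bits=D_BITS, n=N_MOD, noise=3.0):
    """The slide's loop: S = M^d mod N, right to left. Returns (S, total time);
    Gaussian noise models measurement jitter."""
    s, p, t = 1, m % n, 0.0
    for bit in d_bits:
        if bit:
            t += mul_time(s, p, n)
            s = s * p % n
        t += mul_time(p, p, n)
        p = p * p % n
    return s, t + random.gauss(0.0, noise)


def sign_blinded(m, y, d_bits=D_BITS, n=N_MOD):
    """Rivest's Method II: SGN(M) = ([M * (Y^-1)^e]^d mod N) * Y mod N.
    (Y^-1)^e mod N can be precomputed; only two extra multiplications.
    The exponentiation now runs on M * (Y^-1)^e, which the attacker cannot
    predict, so mul_time predictions in recover_exponent no longer apply."""
    y_inv_e = pow(pow(y, -1, n), E, n)
    s, _ = sign_timed(m * y_inv_e % n, d_bits, n, noise=0.0)
    return s * y % n


def recover_exponent(msgs, times, n=N_MOD, nbits=8):
    """Recover d bit by bit. For each hypothesis about the next bit, predict
    the time of the iterations known so far and subtract it from the measured
    total; keep the hypothesis whose residual has the smaller variance
    (the slide's standard-deviation argument)."""
    state = [(1, m % n, 0.0) for m in msgs]     # (S, P, predicted time so far)
    recovered = []
    for _ in range(nbits):
        trial = {}
        for guess in (0, 1):
            new_state, residual = [], []
            for (s, p, t_pred), t_meas in zip(state, times):
                if guess:
                    t_pred += mul_time(s, p, n)
                    s = s * p % n
                t_pred += mul_time(p, p, n)
                p = p * p % n
                new_state.append((s, p, t_pred))
                residual.append(t_meas - t_pred)
            trial[guess] = (statistics.variance(residual), new_state)
        bit = min(trial, key=lambda g: trial[g][0])
        recovered.append(bit)
        state = trial[bit][1]
    return recovered


def run_attack(n_msgs=20000, seed=1):
    """Attacker chooses messages, times the signer, recovers d (d0 first)."""
    random.seed(seed)
    msgs = [random.randrange(2, N_MOD - 1) for _ in range(n_msgs)]
    times = [sign_timed(m)[1] for m in msgs]
    return recover_exponent(msgs, times)


if __name__ == "__main__":
    print("true d bits     :", D_BITS)
    print("recovered d bits:", run_attack())
```

The variance margin at the first bit is the smallest, since all later iterations still contribute to the residual; it grows as more bits are fixed, which is why the attack needs many signatures for the early bits and almost none for the last ones. Feeding recover_exponent with times from sign_blinded gives bits no better than chance, because the operands it models (M, M^2, ...) are not the ones the signer actually multiplies.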
Power analysis
Inventors: Paul Kocher, Joshua Jaffe and Benjamin Jun, Cryptography Research.
Time: first developments - beginning of 1997; first publication - June 1998.
Attack that enables recovering a key stored in a cryptographic device based on the measurement of power consumption during cryptographic operations.
The most vulnerable devices: smart cards, cryptographic tokens.
Equipment: basic measurement equipment (ammeter, oscilloscope).
Time necessary to recover the key: seconds for simple power analysis; several hours for differential power analysis.
Requirements: access to the device (e.g., a smart card).

Simple power analysis (SPA)
Measurements by Paul Kocher: power trace of the 16 rounds of DES, between the initial permutation IP and the final permutation IP^-1, with a magnified view of the second and third round.
If a sequence of instructions depends on the key bits, it is straightforward to recover the key.
Example: generation of the RSA signature (left-to-right square-and-multiply)
    S = 1
    for i = L-1 downto 0 {
        S = S^2 mod N
        if (di == 1) S = S · M mod N     // di: private key bit
    }
Power consumption during the signature generation: squaring and multiplication take different times and have different power patterns, so a squaring followed by a multiplication reveals di = 1 and a squaring alone reveals di = 0. The slide's trace is annotated with dL-1 = 1, and dL-2 is read off the same way.
From the presentation by Marc Joye, Thomson Security Labs, Quo vadis cryptology? workshop, Warsaw, May 2007
Countermeasures against SPA: make the sequence of executed instructions independent of the key bits (with the exception of instructions having the same power pattern).

Differential power analysis (DPA)
Power consumption depends not only on the type of the executed instruction but also on the values of its operands.
Example: the last round of DES. The ciphertext D = IP^-1(L16, R16) is known to the opponent, so L16 = g(D) is known (32 bits); the round key K16 (48 bits) is unknown. The round function F(L16, K16) expands L16 to 48 bits, E(L16), XORs it with K16, passes the eight 6-bit groups through the S-boxes S1 .. S8, and applies the permutation P. R15 = L16 ... F(L16, K16) ... R16 links the unknown K16 to known data.
Instruction I: the target is bit a, bit no. 1 of the result of F, which depends only on the known data D and on a 6-bit fragment K of K16 (the input of one S-box): a = f(K, D).
Bit a appears as an input to the instruction I, for which the average power consumption PI(a) depends strongly on the value of a: PI(a=0) differs from PI(a=1).
Phase I: Target specification phase. Choose the instruction I and the target bit a = f(K, D), where D is data known to the opponent and K is a small fragment of the key.
Phase II: Data collection phase. Measure the power consumption for N different data blocks Di (i.e., N different plaintexts and the corresponding ciphertexts): PI(f(K, D1)), PI(f(K, D2)), PI(f(K, D3)), ..., PI(f(K, DN-1)), PI(f(K, DN)).
Phase III: Data analysis phase. Assume a certain value Kz of the key fragment K and split the N measurements into two sets of about M = N/2 each according to the predicted value of a: the Di with f(Kz, Di) = 0 and the Dj with f(Kz, Dj) = 1. Add up the power consumptions within each set and compare the averages. For the correct value K* of the key fragment the two averages differ by about ΔI = PI(a=1) - PI(a=0) at the instruction I (a sum difference of ΔI · N/2); for a wrong value the predicted a is uncorrelated with the real one and the difference averages out.
The attack does not require knowledge of the position of the instruction I in time: instructions affected by bit a show up automatically as a peak on the averaged difference diagram corresponding to the correct value of the key fragment K.
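The three phases above, run against the DES last-round target described earlier, as an added simulation that is not part of the original notes. The S-box table is the standard DES S1; everything else is constructed: a true 6-bit key fragment, a leakage model in which one sample of each trace draws extra current when the selection bit a = 1, and Gaussian noise on every sample. The attacker is never told which sample leaks; the difference-of-means peak locates it, as the slide states.

```python
"""Added example: simulated differential power analysis (difference of means)
on one DES S-box of the last round. Key fragment, leakage model and traces are
constructed for illustration; only the S1 table is the standard DES one."""
import random

# DES S-box S1 (standard table). Row = outer input bits (b5, b0), column = b4..b1.
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

TRUE_K = 0x2B          # constructed 6-bit fragment of K16 feeding S1
LEAK_SAMPLE = 20       # constructed: the trace sample that instruction I affects
N_SAMPLES = 32         # constructed trace length


def sbox1(x):
    """S1 on a 6-bit input."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return DES_S1[row][col]


def selection_bit(k, d6):
    """a = f(K, D): bit 0 of S1(E-fragment XOR key fragment). d6 is the 6-bit
    piece of E(L16) that the attacker derives from the known ciphertext."""
    return sbox1((d6 ^ k) & 0x3F) & 1


def measure_trace(d6, noise=1.0):
    """Phase II stand-in for the oscilloscope (constructed leakage model):
    every sample is noise; the leaking sample adds 1.0 when a = 1."""
    trace = [random.gauss(0.0, noise) for _ in range(N_SAMPLES)]
    trace[LEAK_SAMPLE] += 1.0 * selection_bit(TRUE_K, d6)
    return trace


def dpa(data, traces):
    """Phase III: for every key-fragment guess, partition the traces by the
    predicted a, average each set, subtract, and keep the guess with the
    highest positive peak (a guess predicting the complement of a would give a
    mirrored negative peak). Returns (key guess, sample index of peak, height);
    the index falls out of the analysis without knowing where I executes."""
    best = (None, None, float("-inf"))
    for k_guess in range(64):
        sums = [[0.0] * N_SAMPLES, [0.0] * N_SAMPLES]
        counts = [0, 0]
        for d6, trace in zip(data, traces):
            a = selection_bit(k_guess, d6)
            counts[a] += 1
            acc = sums[a]
            for i, v in enumerate(trace):
                acc[i] += v
        if 0 in counts:
            continue
        diff = [sums[1][i] / counts[1] - sums[0][i] / counts[0]
                for i in range(N_SAMPLES)]
        idx = max(range(N_SAMPLES), key=diff.__getitem__)
        if diff[idx] > best[2]:
            best = (k_guess, idx, diff[idx])
    return best


def run_dpa(n_traces=800, seed=7):
    """Phase I/II: the attacker knows the data (random 6-bit E-fragments here)
    and records one trace per block; Phase III recovers the fragment."""
    random.seed(seed)
    data = [random.randrange(64) for _ in range(n_traces)]
    traces = [measure_trace(d6) for d6 in data]
    return dpa(data, traces)


if __name__ == "__main__":
    k, idx, height = run_dpa()
    print(f"key fragment 0x{k:02x}, peak at sample {idx}, height {height:.2f}")
```

With 800 traces and unit noise the averaging error on the difference is roughly 0.07, far below the signal of 1.0, which is why the peak stands out only for the correct fragment and only at the leaking sample; the remaining seven S-boxes are attacked the same way, each with its own 6-bit fragment of K16.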
Example of the attack: Pankaj Rohatgi, IBM, 1999. Implementation of the AES candidate Twofish on a smart card; the 128-bit key was recovered based on about 50 encryptions of independent data blocks.

Biham, Shamir 1999: by observing the power consumption during encryptions of multiple blocks of plaintext, it is possible to determine the exact location in time of the instructions belonging to the key scheduling.
All encryptions are performed using the same key (Data 1, Data 2, Data 3, ...), so the key-scheduling part of the trace repeats identically while the data-dependent part varies. The last phase of each period of computing an internal key corresponds to storing that key in memory (e.g., storing 6 bytes of an internal key).
Analysis of the power consumption while the internal keys are stored to memory enables determining the Hamming weight (the number of ones in a byte) for all bytes of the internal keys. Example from the slide: Hamming weights 5 4 3 4 3 3 for six stored bytes.
Proposed countermeasures
III. Filter at the power input + physical shielding. Problem: limited accuracy of the filter; possibility of deactivation in case of physical access to the card.
IV. Software balancing: each operand is processed together with its complement. Problem: significant reduction of speed; correlations are still present for more complex arithmetic operations.
V. Hardware balancing: all instructions executed by the processor have the same power consumption for all operand values. Problem: very costly and hard to design.

Countermeasures in practice: lack of effective countermeasures in existing cards. "We have not yet encountered a card that couldn't be broken" (Paul Kocher, 1998). Protection methods developed and licensed by Cryptography Research are currently being introduced into several types of cards.
Figure: switched-capacitor power supply for the microcontroller (MC). The card's VCC/GND charge capacitors C1 and C2 through switches S under switch control, and the microcontroller is supplied alternately from C1, from C1 & C2, or from one capacitor while the other is being recharged, so that the externally observable supply current is decoupled from the chip's instantaneous consumption.