a practical fault attack on square and multiply
TRANSCRIPT
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
A Practical Fault Attack on Square andMultiply
Jorn-Marc Schmidt Christoph Herbst
Institute for Applied Information Processing and Communications (IAIK)Graz University of Technology
Inffeldgasse 16a, A-8010 Graz, Austria
{joern-marc.schmidt,christoph.herbst}@iaik.tugraz.at
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
1 IntroductionMotivationSquare and MultiplyRecent WorkOur Fault Model
2 Our Attack
3 Practical IssuesFault InjectionProblems
4 Outlook and Conclusion
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
Motivation
Square and multiply is a common stragegy forimplementing modular exponentiationModular exponentiation is used in public key cryptographyRSA is based on modular exponentiationFault attack on RSA implementations without CRT
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
Other Modular Exponentiation Methods
Left-to-right square and multiplyRight-to-left square and multiplyk-ary exponentiationSliding window methodMontgomery powering ladder
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
Square and Multiply
Function 1 Left-to-Right Square and Multiply AlgorithmInput: Message m, Exponent e = (et , . . . , e0)2, Modulus N
R = 1for i = t downto 0 do
R = R · R mod Nif ei = 1 then
R = R ·m mod Nend if
end forreturn R
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
Recent Work
Different attacks on square and multiply - assumingBit flip
Dan Boneh et al. (1997)Feng Bao et al. (1997)Marc Joye et al. (1997)
Safe errorsSung-Ming Yen and Marc Joye (2000)
Random fault in intermediate valueMichele Boreale (2006)
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
Our Fault Model
Manipulation of the program flowSkip instructionNot always successfulMotivated by spike attacks
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
1 IntroductionMotivationSquare and MultiplyRecent WorkOur Fault Model
2 Our Attack
3 Practical IssuesFault InjectionProblems
4 Outlook and Conclusion
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
Skip a Squaring Operation
Exponent e = (et , . . . , e0)2, leading zeros are neglected(t − k + 1)-th square operation skipped⇒ Sigk , k ∈ {0, . . . , t}Sigt = Sig as R = 1
Sigk =t∏
i=k+1
mei 2i−1 ·k∏
i=0
mei 2imod n.
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
Iterative Attack
For k = 0
Sig =
{(Sig0)
2 mod n for e0 = 0(Sig0)
2 ·m−1 mod n for e0 = 1
For k ∈ {1, . . . , t − 1}
Sigk =
{Sigk−1 for ek = 0m2k−1 · Sigk−1 mod n for ek = 1
Results in (1, et−1, . . . , e0).
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
1 IntroductionMotivationSquare and MultiplyRecent WorkOur Fault Model
2 Our Attack
3 Practical IssuesFault InjectionProblems
4 Outlook and Conclusion
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
Device Under Test (DUT)
AVR microcontrollerStraight forward left-to-right square and multiplyMontgomery for modulo multiplicationSpikes in the power supply
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
Spike Generation
Circuit Board for DUT and Spike generation (low cost)Controlled by PC over serial interfaceSpike offset precision 0.5 clock cyclesSpike length 0.5-5 clock cycles
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
Setup for the performed spike attack
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
Spike (black) and power consumption (gray)
-2
-1
0
1
2
3
4Su
pply
Vol
tage
(V)
Time
0
1
2
Pow
er C
onsu
mpt
ion
(A)
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
Searching the right spike parameters
Right spike positions and length unknownCalculate expected values for ek = 0 and ek = 1Sweep over the whole computation starting from the endIf ek found, calculate expected values for ek+1
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
Problems
Fine sweep may lead to double detectionsStore precomputed values indicating a 1 as long as 0 edetectedCompare all following results to these values and repairdetected exponent if match foundAnother Solution: Use power trace to guess positions⇒ requires more knowledge and equipmentAfterwards add a 1 to the detected exponentTest result by calculating a signature
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
1 IntroductionMotivationSquare and MultiplyRecent WorkOur Fault Model
2 Our Attack
3 Practical IssuesFault InjectionProblems
4 Outlook and Conclusion
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
Attack in the presence of DPACountermeasures
Square and Always MultiplyMessage BlindingExponent BlindingFurther Countermeasures
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
Outlook
Mount attack on ECC double and addAttack Montgomery powering ladder in modified faultmodelInvestigate existing countermeasures in more detail
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
Conclusion
We presented a new attack on square and multiplyBased on program flow manipulationPossible to check whether or not fault injection wassuccessfulPractical implementation at low cost
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply
Institute for Applied Information Processing and Communications (IAIK) - VLSI & Security
Thank you for your attention.Questions?
Jorn-Marc Schmidt Christoph Herbst
Institute for Applied Information Processing and Communications (IAIK)Graz University of Technology
Inffeldgasse 16a, A-8010 Graz, Austria
{joern-marc.schmidt,christoph.herbst}@iaik.tugraz.at
Jorn-Marc Schmidt, Christoph Herbst A Practical Fault Attack on Square and Multiply