cryptanalytic timing attacks 2

Cryptanalytic Timing Attacks against IDEA Product block cipher (Ref: "Side Channel Cryptanalysis of Product Ciphers" by John Kelsey, Bruce Schneier, David Wagner, and Chris Hall in September 1998) Srilal Buddika

Upload: srilal-buddika

Post on 21-Jun-2015


DESCRIPTION

Advanced Cryptography - Theoretical Analysis

TRANSCRIPT


Outline

1. Motivation

2. About IDEA

3. IDEA Block Cipher Design

4. Cryptanalytic History on IDEA

5. Timing Attack against IDEA

6. Conclusion

7. Discussion


About IDEA

IDEA stands for International Data Encryption Algorithm (1991)

IDEA is a block cipher

Block Size: 64 bits

Key Size: 128 bits

8 Rounds + Output Transformation (half-round)

Why IDEA?

The algorithm was designed to achieve high data throughput for use in real-time communications systems, especially for wireless communication


IDEA Block Cipher Design (1)

Round Structure

Addition modulo 2^16

Bitwise exclusive OR

Multiplication modulo 2^16 + 1


IDEA Block Cipher Design (2)


Stage – 1 of a Round


IDEA Block Cipher Design (3)

Second Stage of the round


IDEA Block Cipher Design (4)

Output Transformation (half-round)


IDEA Block Cipher Design (5)

Key Generation

Key Size = 128 bits

Sub-key Size = 16 bits, i.e. the key is simply divided into eight pieces

Algorithm:

1. Take the first eight sub-keys

2. Then rotate the key 25 bits to the left

3. Repeat step 1
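The schedule above as an added C example (not from the slides). It assumes the standard IDEA total of 52 sub-keys, and it also shows that every sub-key is a contiguous 16-bit window of the original key, which is why a recovered sub-key is directly 16 known key bits. The function names and the sample key are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

#define IDEA_SUBKEYS 52   /* 8 rounds x 6 + 4 for the output transformation */

/* Expand a 128-bit key (eight 16-bit words, most significant first). */
void idea_expand_key(const uint16_t key[8], uint16_t ek[IDEA_SUBKEYS])
{
    uint16_t k[8], t[8];
    for (int i = 0; i < 8; i++) k[i] = key[i];
    for (int n = 0; n < IDEA_SUBKEYS; n++) {
        ek[n] = k[n % 8];                   /* step 1: next 16-bit piece */
        if (n % 8 != 7) continue;
        /* step 2: rotate left 25 bits = one 16-bit word plus 9 bits */
        for (int i = 0; i < 8; i++)
            t[i] = (uint16_t)((k[(i + 1) % 8] << 9) | (k[(i + 2) % 8] >> 7));
        for (int i = 0; i < 8; i++) k[i] = t[i];
    }
}

/* Bit offset (0 = most significant key bit) at which sub-key n starts
 * inside the original 128-bit key. */
int subkey_bit_offset(int n)
{
    return (25 * (n / 8) + 16 * (n % 8)) % 128;
}

/* Read 16 key bits starting at 'off', wrapping around the 128-bit key. */
uint16_t key_window(const uint16_t key[8], int off)
{
    uint32_t w = ((uint32_t)key[(off / 16) % 8] << 16) | key[(off / 16 + 1) % 8];
    return (uint16_t)(w >> (16 - off % 16));
}

int main(void)
{
    const uint16_t key[8] = {1, 2, 3, 4, 5, 6, 7, 8};  /* constructed sample key */
    uint16_t ek[IDEA_SUBKEYS];
    idea_expand_key(key, ek);
    for (int n = 48; n < IDEA_SUBKEYS; n++)            /* output transformation */
        printf("ek[%d] = 0x%04x starts at key bit %d\n", n, ek[n],
               subkey_bit_offset(n));
    return 0;
}
```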


Cryptanalytic History on IDEA

Considered as really secure

Best attack can break IDEA reduced to 6 rounds (Full IDEA = 8.5 rounds)

Weak Key problem with too many 0-bits (Exposed to Side-Channel Attacks)


Timing Attack against IDEA (1)

IDEA can be cryptanalyzed with a piece of side-channel information

E.g. whether one of the inputs into one of the multiplications is zero

Timings can be acquired in two simple ways:

1. The cryptanalyst makes extremely precise timings of each encryption (A Ciphertext-Only Timing Attack)

2. The cryptanalyst measures total time to encrypt many similar plaintext blocks at a time (An Adaptive Chosen Plaintext Timing Attack)
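The zero-operand condition becomes visible in timing when multiplication modulo 2^16 + 1 special-cases zero with an early return. The C below is an added example, not code from the slides or the referenced paper: `mul_leaky` is the common early-return form, `mul_ct` is a branch-free equivalent, and all function names are assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>

/* Early-return form: operand 0 stands for 2^16 and skips the multiply,
 * so a zero input takes a shorter path (the timing leak). */
uint16_t mul_leaky(uint16_t a, uint16_t b)
{
    if (a == 0) return (uint16_t)(1 - b);
    if (b == 0) return (uint16_t)(1 - a);
    uint32_t p = (uint32_t)a * b;
    uint16_t lo = (uint16_t)p, hi = (uint16_t)(p >> 16);
    return (uint16_t)(lo - hi + (lo < hi));
}

/* Branch-free form: both candidate results are always computed and one is
 * selected with a mask, so the instruction path does not depend on inputs. */
uint16_t mul_ct(uint16_t a, uint16_t b)
{
    uint32_t p  = (uint32_t)a * b;
    uint32_t lo = p & 0xffff, hi = p >> 16;
    uint32_t d  = lo - hi;
    uint32_t r  = d + (d >> 31);            /* +1 on borrow: mod 2^16+1 */
    uint32_t z  = 1u - a - b;               /* result when a or b is zero */
    uint32_t nz = (p | (0u - p)) >> 31;     /* 1 if p != 0, else 0 */
    uint32_t m  = nz - 1u;                  /* all ones iff p == 0 */
    return (uint16_t)((r & ~m) | (z & m));
}

/* Compare both forms against direct arithmetic mod 65537 on a grid. */
long count_mismatches(void)
{
    long bad = 0;
    for (uint32_t a = 0; a < 0x10000; a++)
        for (uint32_t b = 0; b < 0x10000; b += 251) {
            uint64_t x = a ? a : 0x10000, y = b ? b : 0x10000;
            uint16_t want = (uint16_t)((x * y) % 0x10001);
            bad += mul_leaky((uint16_t)a, (uint16_t)b) != want;
            bad += mul_ct((uint16_t)a, (uint16_t)b) != want;
        }
    return bad;
}

int main(void)
{
    printf("mismatches: %ld\n", count_mismatches());
    return 0;
}
```

Branch-free source only removes the data-dependent branch; the compiled output and the CPU's multiplier still have to be checked for input-dependent timing.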


Timing Attacks against IDEA (2)

Attacking Scenario

1. Record precise timings for n encryptions. Also store the resulting ciphertext blocks, and let T_0 .. T_{n-1} be the timings and C_0 .. C_{n-1} be the ciphertext blocks.

2. Group the ciphertext blocks and timings into 2^16 subsets, based on the low-order 16 bits of the output.

3. Test the average times of each group against the average times of all the groups statistically, to find whether one of the sets has (with some acceptably high probability) a lower average than the other sets.

4. If so, then the inputs to the last multiply of the output transformation must have been 0 for all inputs in that set. Hence solve for the last multiplicative sub-key.


Timing Attacks against IDEA (3)

5. If there is no difference, then either we've chosen some parameters (i.e., n) wrong, or the sub-key is a 0.

6. Repeat steps 2-3, above, for the high-order 16 bits and solve the first multiplicative sub-key of the output transformation. We now have 32 bits of expanded key.

7. We now attack the second additive sub-key in the output transformation. For each possible value of this sub-key, we look at which ciphertext blocks lead us to a zero value going into the first multiplication of the last round's MA-box.

8. For one of these sub-key guesses, the average timing should be less than for all the other sub-key guesses. This reveals the right sub-key.

9. If there is no difference, then either we've chosen some parameters wrong, or the first sub-key in the MA-box is zero. We have now recovered 48 bits of expanded key.


Timing Attacks against IDEA (4)

10. We now attack the first additive sub-key in the output transformation, and the first sub-key in the MA-box. We do this as follows:

Break the ciphertext blocks and timings up into 2^16 subsets based on the value of the leftmost (first) input to the MA-box

For each possible sub-key value for the first additive sub-key of the output transformation, break each subset up into 2^16 sub-subsets, based on what the value of the second MA-box input would be if this were the right sub-key

For the right sub-key, each subset will have one sub-subset which has a smaller timing value than all the other sub-subsets in that subset. We have now found 64 bits of sub-key

We now choose any three of these sub-subsets, and use them to solve for the first multiplicative sub-key of the MA-box. We have now found 80 bits of sub-key

Finally, we can brute-force/exhaustive search the remaining 48 bits. (There are also other ways to continue this attack)
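Steps 1 to 5 for the last multiplicative sub-key, run against a constructed timing model rather than a real implementation, to show how much a zero-operand shortcut gives away (added example, not from the slides or the paper). The function name, the timing constants, the PRNG, the sample key and the decision threshold are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

static uint64_t seed = 1;                 /* fixed seed: repeatable run */
static uint64_t rng(void)                 /* splitmix64 generator */
{
    uint64_t z = (seed += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Multiplication mod 2^16+1; the 16-bit value 0 stands for 2^16. */
static uint16_t mul(uint16_t a, uint16_t b)
{
    uint64_t x = a ? a : 0x10000, y = b ? b : 0x10000;
    return (uint16_t)((x * y) % 0x10001);
}

/* Constructed model: T = 1000 + noise(0..63), minus 40 if an operand of the
 * last multiply is zero. Returns the sub-key, or -1 if no subset stands out. */
int recover_last_subkey(uint16_t key, uint32_t n)
{
    double *sum = calloc(0x10000, sizeof *sum), lo1 = 1e30, lo2 = 1e30;
    uint32_t *cnt = calloc(0x10000, sizeof *cnt), best = 0;
    if (!sum || !cnt) { free(sum); free(cnt); return -1; }
    for (uint32_t i = 0; i < n; i++) {            /* step 1: (C_i, T_i) */
        uint16_t x = (uint16_t)rng();             /* hidden multiply input */
        uint16_t c = mul(x, key);                 /* low 16 ciphertext bits */
        double t = 1000.0 + (double)(rng() & 63);
        sum[c] += (x == 0 || key == 0) ? t - 40.0 : t;
        cnt[c]++;                                 /* step 2: subset by c */
    }
    for (uint32_t g = 0; g < 0x10000; g++) {      /* step 3: compare means */
        double avg = cnt[g] ? sum[g] / cnt[g] : 1e30;
        if (avg < lo1) { lo2 = lo1; lo1 = avg; best = g; }
        else if (avg < lo2) lo2 = avg;
    }
    free(sum); free(cnt);
    if (lo2 - lo1 < 20.0) return -1;              /* step 5: no clear gap */
    return (uint16_t)(1u - best);                 /* step 4: c = 1 - K mod 2^16 */
}

int main(void)
{
    printf("sub-key: 0x%04x\n", recover_last_subkey(0x2b7e, 1u << 23));
    return 0;
}
```

In this model a sub-key of 0 makes every multiply take the short path, so no subset stands out and the function returns -1, which is the ambiguity step 5 describes.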


Conclusion


This kind of attack might also be practical for recovering the key from a cipher which always encrypts under the same IDEA key. The cryptanalyst or the attacker does not need to know anything about the plaintext for this attack, but must always know precisely when the encryption started and when it ended, together with the collected ciphertext blocks.

It is important to note that this is not the only side channel that can reveal this kind of information: things like radiation and power consumption can also leak this multiply-by-zero condition.
