it was right under your nose - ches 2017 rump …...26 it was right under your nose 1 / 9 it was...
TRANSCRIPT
![Page 1: It was right under your nose - CHES 2017 rump …...26 It was right under your nose 1 / 9 It was right under your nose 2017.09.26 SICADA(Side Channel Analysis Design Academy) Dept](https://reader034.vdocuments.site/reader034/viewer/2022050203/5f5709bbb491947a63250f25/html5/thumbnails/1.jpg)
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 1 / 9
It was right under your nose
2017.09.26
SICADA(Side Channel Analysis Design Academy)
Dept. of Information Security, Cryptology, and Mathematics, Kookmin University
Bo-Yeon Sim and Dong-Guk Han
![Page 2: It was right under your nose - CHES 2017 rump …...26 It was right under your nose 1 / 9 It was right under your nose 2017.09.26 SICADA(Side Channel Analysis Design Academy) Dept](https://reader034.vdocuments.site/reader034/viewer/2022050203/5f5709bbb491947a63250f25/html5/thumbnails/2.jpg)
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 2 / 9
▣ Previously proposed attacks on PKCs were based on
the patterns of data-dependent conditional branches
Algorithm. Left to Right Binary Method
INPUT 𝑀,𝑁, 𝑘 = 𝑘𝑛−1, 𝑘𝑛−2, ⋯ , 𝑘0 2
OUTPUT 𝑀𝑘 𝑚𝑜𝑑 𝑁
Step 1. 𝑅 = 1
Step 2. For 𝑖 = 𝑛 − 1 down to 0 do
2.1. 𝑅 = 𝑅 × 𝑅 𝑚𝑜𝑑 𝑁
2.2. IF 𝑘𝑖 = 1 then 𝑅 = 𝑅 ×𝑀 𝑚𝑜𝑑 𝑁
Step3. Return 𝑅
Countermeasure make it regular
1996 Timing Attacks
1998 Simple Power Analysis
Mathematical proof
![Page 3: It was right under your nose - CHES 2017 rump …...26 It was right under your nose 1 / 9 It was right under your nose 2017.09.26 SICADA(Side Channel Analysis Design Academy) Dept](https://reader034.vdocuments.site/reader034/viewer/2022050203/5f5709bbb491947a63250f25/html5/thumbnails/3.jpg)
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 3 / 9
▣ Previously proposed attacks on PKCs were based on
statistical characteristic according to intermediate values
Algorithm. Left to Right Square and Multiply Always
INPUT 𝑀,𝑁, 𝑘 = 𝑘𝑛−1, 𝑘𝑛−2, ⋯ , 𝑘0 2
OUTPUT 𝑀𝑘 𝑚𝑜𝑑 𝑁
Step 1. 𝑅0 = 1
Step 2. For 𝑖 = 𝑛 − 1 down to 0 do
2.1. 𝑅0 = 𝑅0 × 𝑅0 𝑚𝑜𝑑 𝑁
2.2. 𝑅1−𝑘𝑖 = 𝑅0 ×𝑀 𝑚𝑜𝑑 𝑁
Step4. Return 𝑅0
Countermeasure apply a randomization method
𝑛 traces
1996 Timing Attacks
1998 Simple Power Analysis
Differential Power Analysis
Mathematical proof
SPA Countermeasure
![Page 4: It was right under your nose - CHES 2017 rump …...26 It was right under your nose 1 / 9 It was right under your nose 2017.09.26 SICADA(Side Channel Analysis Design Academy) Dept](https://reader034.vdocuments.site/reader034/viewer/2022050203/5f5709bbb491947a63250f25/html5/thumbnails/4.jpg)
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 4 / 9
Algorithm. Left to Right Square and Multiply Always
INPUT 𝑀,𝑁, 𝑘 = 𝑘𝑛−1, 𝑘𝑛−2, ⋯ , 𝑘0 2
OUTPUT 𝑀𝑘 𝑚𝑜𝑑 𝑁
Step 1. 𝑅0 = 1
Step 2. For 𝑖 = 𝑛 − 1 down to 0 do
2.1. 𝑅0 = 𝑅0 × 𝑅0 𝑚𝑜𝑑 𝑁
2.2. 𝑅1−𝑘𝑖 = 𝑅0 ×𝑀 𝑚𝑜𝑑 𝑁
Step4. Return 𝑅0
▣ Previously proposed attacks on PKCs were based on
the interrelationship between data, and etc.
+ data / exponent blinding
1996 Timing Attacks
2001 Big Mac Attack
Various Template Attacks
Various Collision Attacks
1998 Simple Power Analysis
Differential Power Analysis
DPA Countermeasure
Mathematical proof
SPA Countermeasure
![Page 5: It was right under your nose - CHES 2017 rump …...26 It was right under your nose 1 / 9 It was right under your nose 2017.09.26 SICADA(Side Channel Analysis Design Academy) Dept](https://reader034.vdocuments.site/reader034/viewer/2022050203/5f5709bbb491947a63250f25/html5/thumbnails/5.jpg)
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 5 / 9
Algorithm. Left to Right Square and Multiply Always
INPUT 𝑀,𝑁, 𝑑 = 𝑑𝑛−1, 𝑑𝑛−2, ⋯ , 𝑑0 2
OUTPUT 𝑀𝑑 𝑚𝑜𝑑 𝑁
Step 1. 𝑅0 = 1
Step 2. For 𝑖 = 𝑛 − 1 down to 0 do
2.1. 𝑅0 = 𝑅0 × 𝑅0 𝑚𝑜𝑑 𝑁
2.2. 𝑅1−𝑑𝑖 = 𝑅0 ×𝑀 𝑚𝑜𝑑 𝑁
Step4. Return 𝑅0
Algorithm. Left to Right Square and Multiply Always
INPUT 𝑀,𝑁, 𝑑 = 𝑑𝑛−1, 𝑑𝑛−2, ⋯ , 𝑑0 2
OUTPUT 𝑀𝑑 𝑚𝑜𝑑 𝑁
Step 1. 𝑅0 = 1
Step 2. For 𝑖 = 𝑛 − 1 down to 0 do
2.1. 𝑅0 = 𝑅0 × 𝑅0 𝑚𝑜𝑑 𝑁
2.2. 𝑅1−𝑑𝑖 = 𝑅0 ×𝑀 𝑚𝑜𝑑 𝑁
Step4. Return 𝑅0
Countermeasure
▣ Previously proposed attacks on PKCs were based on
DPA Countermeasure
DPA Countermeasure
Mathematical proof
SPA Countermeasure
various countermeasures
have been proposed
![Page 6: It was right under your nose - CHES 2017 rump …...26 It was right under your nose 1 / 9 It was right under your nose 2017.09.26 SICADA(Side Channel Analysis Design Academy) Dept](https://reader034.vdocuments.site/reader034/viewer/2022050203/5f5709bbb491947a63250f25/html5/thumbnails/6.jpg)
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 6 / 9
Do you think is it secure?
![Page 7: It was right under your nose - CHES 2017 rump …...26 It was right under your nose 1 / 9 It was right under your nose 2017.09.26 SICADA(Side Channel Analysis Design Academy) Dept](https://reader034.vdocuments.site/reader034/viewer/2022050203/5f5709bbb491947a63250f25/html5/thumbnails/7.jpg)
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 7 / 9
1st
2nd
3r
d
4t
h
5t
h
6t
h
𝑤𝑒 𝑐𝑎𝑛 𝑑𝑖𝑠𝑡𝑖𝑛𝑔𝑢𝑖𝑠ℎ 𝑡𝑤𝑜 𝑔𝑟𝑜𝑢𝑝𝑠 𝑡ℎ𝑟𝑜𝑢𝑔ℎ 𝑆𝑃𝐴
The attack does not require sophisticated pre-processing
such as decapsulation, localization, multi-probe, and principle component analysis
▣ Attack on Protected PKC using a Single Trace
In hardware implementation
![Page 8: It was right under your nose - CHES 2017 rump …...26 It was right under your nose 1 / 9 It was right under your nose 2017.09.26 SICADA(Side Channel Analysis Design Academy) Dept](https://reader034.vdocuments.site/reader034/viewer/2022050203/5f5709bbb491947a63250f25/html5/thumbnails/8.jpg)
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 8 / 9
Algorithm. Left to Right Square and Multiply Always
INPUT 𝑀,𝑁, 𝑘 = 𝑘𝑛−1, 𝑘𝑛−2, ⋯ , 𝑘0 2
OUTPUT 𝑀𝑘 𝑚𝑜𝑑 𝑁
Step 1. 𝑅0 = 1
Step 2. For 𝑖 = 𝑛 − 1 down to 0 do
2.1. 𝑅0 = 𝑅0 × 𝑅0 𝑚𝑜𝑑 𝑁
2.2. 𝑅1−𝑘𝑖 = 𝑅0 ×𝑀 𝑚𝑜𝑑 𝑁
Step4. Return 𝑅0
▣ The power consumption is related to the 𝒌𝒊 value
Private key bits are directly loaded during the check phase,
but no countermeasures have been considered to protect this phase
𝒌 = 𝒌𝒏−𝟏𝒌𝒏−𝟐⋯𝒌𝟎 𝟐
⋯𝒌𝒊 𝒌𝒊
+ data / exponent blinding
![Page 9: It was right under your nose - CHES 2017 rump …...26 It was right under your nose 1 / 9 It was right under your nose 2017.09.26 SICADA(Side Channel Analysis Design Academy) Dept](https://reader034.vdocuments.site/reader034/viewer/2022050203/5f5709bbb491947a63250f25/html5/thumbnails/9.jpg)
2017. 09. 26 It was right under your noseSide Channel Analysis Design Academy 9 / 9
I am going to present our paper at ISPEC 2017.
If you have any questions, let’s see you there.