Marc Witteman Riscure Defeating RSA Multiply-Always and Message Blinding Countermeasures Session ID: CRYP-201 Session Classification: Advanced

Upload: leliem

Post on 01-Sep-2018

Agenda

Introduction

Preprocessing modular operations

Cross correlation

Conclusion

Introduction

• About the authors

• Side Channel Analysis

• RSA background

• Countermeasures

• Attack concepts

About The Authors

Marc F. Witteman

CTO, Riscure

Jasper G. J. van Woudenberg

Senior Security Analyst, Riscure

Federico Menarini

Security Analyst, Riscure

Side Channel Analysis

Analyze secret leakage from crypto implementations

Example power trace of DES on smart card

Leaks Hamming weight of processed data

RSA background

Exponentiation is a sequence of square and multiply operations

Naïve implementations do for each key bit

• Always square

• Conditional multiplication (if key bit equals ‘1’)

Distinction of square and multiply operations may reveal key (SPA)

[Figure: trace annotated with key bits 1 000 11 0 0]

Countermeasures

Some common countermeasures against side channel analysis of RSA

• noise

• multiply-always: discard multiplication results after processing a zero bit

• message blinding: multiply message with random number, and multiply signature with a matching inverse that removes the mask

• exponent blinding: add random multiples of φ to the exponent

Attack concepts

Cross correlation is an attack class

• Comparable to high-order DPA

• No clear text/cipher text needed

Attack demonstrated on RSA smart card implementation with several countermeasures

Procedure with two innovative steps

• Preprocess modular operations

• Cross correlation analysis

Preprocessing modular operations

• Compression

• Revealing

• Position finding

Compressing modular operations

Modular operation execution typically increases power consumption due to switching of many bits in parallel

Old smart cards have easily recognizable modular operations

Compression involves selection of threshold, and averaging all sequential samples above a threshold

Low pass filtering may be needed if signals are noisy

Revealing hidden modular operations

New smart cards hide or scramble power signal (may need EMA)

Modular operations may be recognized by alignment and averaging

Pattern recognition works only for first operations (clock jitter)

Position finding of shifted modular operations

• One averaged pattern is used to identify and locate modular operations in the noisy traces

• Correlate the pattern with the trace, and the peaks indicate the starting points of the modular operations

Cross Correlation

• Operand sharing

• Principle

• Matrix

• Effect of multiply-always

• Neighboring samples

Operand sharing

RSA uses two similar operations (intermediate signature S, message M, modulus N)

• Square: S’ := S * S mod N

• Multiply: S’ := S * M mod N

Subsequent square operations usually do not share operands

Multiply operations do share an operand (M)

Operand sharing may be observed if the order of square and multiply operations is identical for repetitive encryptions

Cross correlation principle

Consider a set of k traces with n samples as a matrix

Compute correlation between each pair of sample vectors

Cross correlation matrix

Correlation matrix represented in colored dots, where a lighter color corresponds to a higher correlation

Multiply operations light up like a Christmas tree

Can recognize naïve binary exponentiation

key: 111101011000101

Cross correlation with multiply always

High frequency of correlating pairs reveals multiply always variant

Incidental correlation of square operation with predecessor reveals discarded multiply:

S’ = S * M

S’’ = S * S

Can recognize key: 11110101100

Cross correlating neighboring samples

Compute and display correlation only between adjacent vectors

High and low correlation values correspond to key bits set to zero and one

Complete key can be retrieved in short time

Conclusion

• Apply

• Countermeasures

• Future research

• Summary

• Q&A

Apply

This attack can be applied to any RSA implementation under the following conditions

• Power consumption or EM radiation can be measured (with minimal S/N)

• Several thousand crypto operations (signatures) can be executed

• Implementation uses a fixed sequence of modular operations

No data requirements

• No chosen messages needed

• No known messages or signatures needed

Attack applies to

• RSA-Straight and RSA-CRT

• Naïve and Montgomery multiplication

• Any hashing or padding scheme

Attack yields private exponent

Countermeasures

Countermeasures that do NOT work

• Message blinding

• Multiply always, Montgomery ladder, or BRIP

Countermeasures that are NOT enough

• Noise

• Signal reduction

• Random delays / variable clocks

Countermeasures that work

• Exponent blinding

• Random bit group size

• Any randomization method that makes the order of square and multiply operations unpredictable
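
An added simulation, not code from the slides or from Riscure, of the neighbouring-sample correlation from the cross correlation slides and of what an unpredictable operation order does to it. The toy modulus, the Hamming-weight leakage model, the noise level, the trace count and the per-run random bit pattern standing in for exponent blinding are all assumptions.

```python
import random
from math import sqrt

# Constructed toy parameters (assumptions for this simulation only).
N = (2**31 - 1) * (2**61 - 1)              # toy modulus: product of two Mersenne primes
KEY = [int(b) for b in "111101011000101"]  # key string shown on the matrix slide

def hw(x):
    return bin(x).count("1")               # Hamming-weight leakage model

def trace(bits, rng, sigma=2.0):
    """One compressed trace (one sample per modular operation), multiply-always."""
    m = rng.randrange(2, N)                # blinded message: fresh and unknown each run
    s, out = m, []                         # leading key bit 1 is absorbed by S := M
    for b in bits[1:]:
        out.append(2 * hw(s) + rng.gauss(0, sigma))      # square: operands S, S
        s = s * s % N
        out.append(hw(s) + hw(m) + rng.gauss(0, sigma))  # multiply: operands S, M
        if b:
            s = s * m % N                  # product is kept only for a one bit
    return out

def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    return cov / sqrt(sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y))

def neighbour_corr(bits_for_run, k=2000, seed=1):
    """Correlate each multiply column with the square column that follows it."""
    rng = random.Random(seed)
    cols = list(zip(*(trace(bits_for_run(rng), rng) for _ in range(k))))
    return [pearson(cols[i], cols[i + 1]) for i in range(1, len(cols) - 1, 2)]

def classify(corrs, threshold=0.4):
    return [0 if c > threshold else 1 for c in corrs]    # shared operand => zero bit

def fixed_order():
    return neighbour_corr(lambda rng: KEY)

def randomized_order():
    # Crude stand-in for exponent blinding: a fresh bit pattern on every run.
    return neighbour_corr(lambda rng: [1] + [rng.getrandbits(1) for _ in KEY[1:]])

if __name__ == "__main__":
    print("fixed     :", [round(c, 2) for c in fixed_order()])
    print("randomized:", [round(c, 2) for c in randomized_order()])
```

With the fixed order, positions that follow a discarded multiply stand well clear of the others even though every message is random. With the randomized order all positions settle at the same intermediate value, so the per-position split that classify() relies on is gone.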

Future research

Cross correlation attack applies well to RSA, but the method is not restricted to RSA

We study application of the concepts to

• ECC

• Symmetric algorithms

Attack summary

New side channel attack class developed and demonstrated

Applies to many different RSA implementations

Defeats several countermeasures

Effective countermeasures are possible

Q&A

Need help?

contact

Marc Witteman

CTO

Riscure Inc.

901 Mariners Island Blvd

Suite 595

San Mateo, CA 94404

USA

Phone: +1 650 425 7327

www.riscure.com

Complete article can be downloaded from: http://www.riscure.com/tech-corner/publications.html