Unusual Side Channel Countermeasure Ideas (that lend themselves to some form of provability)

Upload: chad-millward

Post on 31-Mar-2015


Page 1:

Unusual Side Channel Countermeasure Ideas

(that lend themselves to some form of provability)

Pages 2 and 3:

The Solutions’ Galaxy

Page 4:

Hamster Wheel Keys

Eric Brier, David Naccache, Nigel Smart

Page 5:

A common practice

In the past, several authors proposed to prevent side channel attacks by having a key evolve in time.

The typical setting is the following (the diagram shows the card on one side and the terminal, which holds the master key k, on the other):

Card → terminal: ID, i

Terminal: k_0 = f(ID, k); k_i = H(H(…H(k_0)…)), i applications of H

Secure communication using k_i

Card side: move k_i to RAM; write k_{i+1} = H(k_i) in NVM; erase k_i from NVM

Page 6:

The time consuming part

Same diagram as on Page 5 (k_0 = f(ID, k); k_i = H(H(…H(k_0)…)); secure communication using k_i; move k_i to RAM; write k_{i+1} = H(k_i) in NVM; erase k_i from NVM). The time consuming part is the terminal’s computation of k_i by i successive applications of H.

Page 7:

Implemented Solutions

Repeated application of H.

Hashing trees, even patented.

Page 8:

Issues

Repeated application of H: the system slows down with time.

Hashing trees: clumsy bookkeeping and sensitive to card tearing.

Most importantly: we want to quantify leakage, i.e. model leakage depending on the H we use.

Page 9:

The Alternative

H(k) = a · k^b mod p

Why?

Because the terminal has an easy shortcut:

H^i(k) = a^u · k^v mod p, where u = (b^i − 1)/(b − 1) mod (p) and v = b^i mod (p)

Page 10:

Quick Implementation

H^i(k) = a^u · k^v mod p, where u = (b^i − 1)/(b − 1) mod (p) and v = b^i mod (p)

Precompute C = k · a^{1/(b−1)}

Precompute D = 1/a

H^i(k) = D · C^v mod p

Page 11:

Variants

H(k) = {a · k^b mod 3, a · k^b mod 5, …, a · k^b mod p_i}

Advantage: word operations instead of long-integer arithmetic. Note that different a and b values could be used for different coordinates.

However, as will be seen later, this is less secure with respect to side channel leakage, as each coordinate can be an independent target of side channel analysis.

Page 12:

Before We Proceed

We do not claim the invention of these PRNGs!

The main contributions of this work are:

- To stress that one can capitalize on the shortcut offered by their arithmetic properties to very simply implement key-evolving smart-card based protocols.

- To analyze the resilience of these generators to leakage of a piece of the key.

Page 13:

Realistic Assumptions

a, k and p can be arbitrary and secret. No penalty.

b would typically be of moderate size because of the burden of exponentiation on the card’s side.

Hence, we should reasonably assume that b is public.

Page 14:

Leakage Model

At each iteration some bits of a · x^b mod p and of x leak.

Question: under which assumptions can we infer k?

Advantage of looking at the problem from this angle: we have algebraic tools to analyze multivariate modular equations.

The variables in question are the chunks of a · x^b that the side channel does not provide at each session.

Page 15:

H(x) = x^2 mod n. This is the BBS generator.

If fewer than log log n bits leak at each step, then this is secure under the factoring assumption even when n is known to the attacker.

If n is known to the attacker and each operation leaks “more” bits of x, then x can be inferred. Analysis of “more” in two slides.

If the leakage is in between, or n is unknown: open problem.

Page 16:

H(x) = x^2 mod p. See Gomez, Gutierrez and Ibeas for known p.

If ¾ of x leaks then x is revealed. (Same performance as brutal linearization.)

But we can do better.

Consider the equation (A + x)^2 = B + y mod p.

Here A and B are what leaks via the side channel. Denote this equation E.

Gomez, Gutierrez and Ibeas, “Cryptanalysis of the quadratic generator”.

Page 17:

Consider all the equations of the type x^i · E^j which are verified modulo n^j, with i + 2j ≤ 2d.

This gives a constraint of the order of n to the power of the sum of the j over i + 2j ≤ 2d, which equals d(d+1)(2d+1)/6.

The degrees of freedom on all linearized variables are of the order of n to the power of the sum of the (i + j) over i + 2j ≤ 2d, which gives d(d+1)^2.

We hence get a size ratio < the quotient of these two sizes, which simplifies into (2d+1)/(6(d+1)). This quantity tends to 1/3 when d tends to infinity.
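The two exponent sums used on this slide, carried through in the slide’s own symbols (added derivation, not part of the slides):

$$\sum_{i+2j\le 2d} j \;=\; \sum_{j=0}^{d} j\,(2d-2j+1) \;=\; (2d+1)\,\frac{d(d+1)}{2} \;-\; 2\cdot\frac{d(d+1)(2d+1)}{6} \;=\; \frac{d(d+1)(2d+1)}{6}$$

$$\sum_{i+2j\le 2d} (i+j) \;=\; \sum_{j=0}^{d}\Big[\frac{(2d-2j)(2d-2j+1)}{2} + j\,(2d-2j+1)\Big] \;=\; \sum_{j=0}^{d} d\,(2d-2j+1) \;=\; d(d+1)^2$$

$$\frac{d(d+1)(2d+1)/6}{d(d+1)^2} \;=\; \frac{2d+1}{6(d+1)} \;\xrightarrow{\;d\to\infty\;}\; \frac{1}{3}$$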

Page 18:

If H(x) = x^e mod n, the constraints are i + ej ≤ ed. We get the same constraints with more freedom,

i.e. d(d+1)(6 + e + e^2 + 2de + 2de^2).

The factorized ratio is then 2(2d+1)/(6 + e + e^2 + 2de + 2de^2).

This tends to 2/(e^2 + e) when d tends to infinity.

As e increases, the attacker’s handicap increases very quickly.

Page 19:

H(x) = x + P on an ECC. See Gutierrez and Ibeas for known P.

If 5/6 of x leaks then x is revealed.

For unknown P or unknown ECC: open problem.

Same techniques should normally apply, but we did not check in detail.

Gutierrez and Ibeas, “Inferring sequences produced by a linear congruential generator on elliptic curves missing high-order bits”.

H(x) = 2x on an ECC

Page 20:

Practical Recommendations

H(k) = a · k^b mod n

Use unknown a, unknown composite n and b = 8.

a and k should be of the size of n.

Use only ¼ of the bits of H(k) as key material.

Use one bit out of four in H(k) as key material.

Page 21:

Quick Implementation

Let C = f(1, ID, MasterKey) = k · a^{1/7}

Let D = f(2, ID, MasterKey) = 1/a

Solve for k and a, and personalize them in the card.

The terminal uses the shortcut formula:

H^i(k) = D · C^v mod n, where v = 8^i mod (n)

Page 22:

A Possible Implementation

Same diagram as on Page 5 (terminal holding the master key k), with the new key schedule:

Card → terminal: ID, i

Terminal: C = f(1, ID, k); D = f(2, ID, k); v = 8^i mod (n); k_i = D · C^v mod n

Secure communication using k_i

Card side: move k_i to RAM; write k_{i+1} = a · k_i^8 in NVM; erase k_i from NVM
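The card-side iteration and the terminal-side shortcuts of Pages 9, 10, 21 and 22, run end to end as an added check (example code with constructed toy parameters, not the authors’ implementation). It assumes a small prime p and reduces exponents modulo p − 1 (for the recommended composite n the issuer would reduce modulo φ(n) instead), and it precomputes D = a^{−1/(b−1)}: the slides’ D = 1/a is that expression for b = 2, and the final check shows which D makes D · C^v agree with the card’s key for b = 8.

```python
"""Hamster-wheel key evolution H(k) = a * k^b mod p and the terminal's
closed-form shortcut (added example with constructed toy parameters).
Exponents are reduced modulo p - 1, the order of Z_p^* for prime p; with the
slides' composite n the issuer would reduce modulo phi(n) instead.
"""

P = 1013                 # constructed toy prime; p - 1 = 1012 = 4 * 11 * 23
A, K, B = 345, 777, 8    # secret multiplier a, initial key k, public b = 8


def evolve(k, a, b, p, i):
    """Card side: apply H i times, one exponentiation per session."""
    for _ in range(i):
        k = a * pow(k, b, p) % p
    return k


def shortcut_direct(k, a, b, p, i):
    """Terminal side: H^i(k) = a^u * k^v mod p, u = (b^i-1)/(b-1), v = b^i."""
    v = b ** i                     # exact integer; reduced mod p-1 below
    u = (v - 1) // (b - 1)         # exact: 1 + b + ... + b^(i-1)
    return pow(a, u % (p - 1), p) * pow(k, v % (p - 1), p) % p


def personalize(k, a, b, p):
    """Issuer: precompute C = k * a^(1/(b-1)) and D = a^(-1/(b-1)) once.
    Needs gcd(b-1, p-1) = 1 so that 1/(b-1) exists modulo p-1.  The slides
    write D = 1/a, which is this expression for b = 2; for b = 8 the general
    form is required (see the check in main)."""
    inv = pow(b - 1, -1, p - 1)            # raises ValueError if no inverse
    c = k * pow(a, inv, p) % p
    d = pow(pow(a, inv, p), -1, p)         # a^(-1/(b-1)) mod p
    return c, d


def shortcut_cd(c, d, b, p, i):
    """Terminal side with per-card precomputation: H^i(k) = D * C^v mod p."""
    v = pow(b, i, p - 1)                   # v = b^i reduced modulo p - 1
    return d * pow(c, v, p) % p


def matches(k, a, b, p, d, rounds=6):
    """Does D * C^v reproduce the card's key in every round, with this D?"""
    c, _ = personalize(k, a, b, p)
    return all(shortcut_cd(c, d, b, p, i) == evolve(k, a, b, p, i)
               for i in range(rounds))


if __name__ == "__main__":
    c, d = personalize(K, A, B, P)
    for i in range(1, 6):
        ki = evolve(K, A, B, P, i)
        assert ki == shortcut_direct(K, A, B, P, i) == shortcut_cd(c, d, B, P, i)
        print(f"k_{i} = {ki}")
    print("general D:", matches(K, A, B, P, d))               # True
    print("D = 1/a:  ", matches(K, A, B, P, pow(A, -1, P)))   # False for b = 8
```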

Page 23:

An Ideal Power Attack Countermeasure

(in 3 slides)

Jean-Max Dutertre, Amir Pasha Mirbaha, David Naccache, Assia Tria

Page 24:

Idea: Power the µP from a photovoltaic panel facing a powerful LED.

(Schematic labels: +, −, Vss, Vcc, µP with IO, CLK and RST.)

Page 25:

Constructing the Device

We are currently ordering a photovoltaic panel about the size of a smart card and an OLED panel about the same size.

Step 1: Place both panels face-to-face, have the OLED glow to its maximal capacity and check that the derived power allows to power the µP.

(Figure: LED facing the PV panel.)

Page 26:

Constructing the Device

Step 2: Characterize the energy transfer rate as a function of the resistor value.

Step 3: Construct a generic power attack isolation board.

(Schematic labels as on Page 24: +, −, Vss, Vcc, µP with IO, CLK and RST.)

Page 27:

For More on PV Physics: http://en.wikipedia.org/wiki/Solar_cell

Page 28:

Can’t Do Less

David Naccache, Christof Paar, Florian Praden

Page 29:

Investors deal with two questions:

- How to get funds? (Logistics)

- How to spend funds rationally? (Tactics & Strategy)

Here we address the second.

Page 30:

The Subleq Machine

Subleq is a Turing-complete machine having only one instruction.

subleq a b c:   *(b) = *(b) − *(a); if the result is negative or zero, go to c, else execute the next instruction.

Page 31:

The Subleq Machine

Since subleq has only three arguments and since no confusion of instructions is possible (there is only one!), a subleq program can be regarded as a sequence of triples:

a1 b1 c1
a2 b2 c2
a3 b3 c3
:

Page 32:

…interleaved with data

Since data can be embedded in the code, the sequence of triples can be interleaved with data. For instance:

a1 b1 c1
data1 data2
a2 b2 c2
data3
a3 b3 c3
:

Page 33:

How does it work?

*b = *b - *a;
if (*b <= 0) program_counter = c;
else program_counter = program_counter + 3;

Page 34:

Genealogy

Subleq is an OISC (“One Instruction Set Computer”) which comes from the Minsky machine concept.

The Minsky machine is a register machine with only two instructions: “increment” and “decrement-and-branch”.

Page 35:

Allowing for comfort

Memory is loaded with instructions and data altogether (no distinction).

Hence the code can potentially self-modify, and any cell can be regarded as a, b or c.

We can pre-store constants (like 0, 1, etc.),

e.g. we devote a cell called Z to contain zero and a cell called N to contain −1.

Page 36:

What does this do?

subleq Z Z c

Page 37:

JMP c

subleq Z Z c

Page 38:

What does this do?

subleq a a $+1

Page 39:

CLR a

subleq a a $+1

Page 40:

What does this do?

CLR b
subleq a Z $+1
subleq Z b $+1
CLR Z

Page 41:

MOV a b

subleq b b $+1      *b = 0
subleq a Z $+1      Z = -*a
subleq Z b $+1      *b = 0 - (-*a) = *a
subleq Z Z $+1      Z = 0

Page 42:

What does this do?

subleq a Z $+1
subleq b Z $+1
CLR c
subleq Z c $+1
CLR Z

Page 43:

ADD a b c

subleq a Z $+1      Z = 0 - *a
subleq b Z $+1      Z = -*a - *b
subleq c c $+1      *c = *c - *c = 0
subleq Z c $+1      *c = 0 + *a + *b
subleq Z Z $+1      Z = 0

Page 44:

What does this do?

CLR t
CLR s
subleq a t $+1
subleq b s $+1
subleq s t $+1
CLR c
CLR s
subleq t s $+1
subleq s c $+1

Page 45:

SUB a b c

subleq t t $+1      *t = 0
subleq s s $+1      *s = 0
subleq a t $+1      *t = -*a
subleq b s $+1      *s = -*b
subleq s t $+1      *t = -*a + *b
subleq c c $+1      *c = 0
subleq s s $+1      *s = 0
subleq t s $+1      *s = 0 - (-*a + *b) = *a - *b
subleq s c $+1      *c = 0 - (*a - *b) = *b - *a

Page 46:

What does this do?

CLR t
subleq a t $+1
CLR s
subleq t s $+1
subleq b s c

Page 47:

BLE a b c

subleq t t $+1      *t = 0
subleq a t $+1      *t = -*a
subleq s s $+1      *s = 0
subleq t s $+1      *s = *a
subleq b s c        *s = *a - *b; if *a - *b <= 0 goto c

Page 48:

What does this do?

CLR t
subleq a t $+1
CLR s
subleq b s $+1
subleq s t $+1
subleq N t c

Page 49:

BHI a b c

subleq t t $+1      *t = 0
subleq a t $+1      *t = -*a
subleq s s $+1      *s = 0
subleq b s $+1      *s = -*b
subleq s t $+1      *t = -*a + *b
subleq N t c        *t = -*a + *b - (-1); if *b - *a + 1 <= 0 goto c

Page 50:

What have we got so far?

JMP a          goto a
MOV a b        *b = *a
SUB a b c      *c = *b - *a
ADD a b c      *c = *b + *a
BHI a b c      if *b - *a + 1 <= 0 goto c, i.e. if *b + 1 <= *a goto c, i.e. if *b < *a goto c, i.e. if *a > *b goto c
BLE a b c      if *a - *b <= 0 goto c, i.e. if *a <= *b goto c
CLR a          *a = 0

Page 51:

What does this do?

CLR u;v;w
MOV b v
subleq N w $+1
subleq u u $+1
subleq a u $+1
CLR c
subleq u c $+1
subleq w v $+4
subleq Z Z $-8

Page 52:

What does this do?

CLR u;v;w           *u = *v = *w = 0
MOV b v             *v = *b
subleq N w $+1      *w = 0 - (-1) = 1
subleq u u $+1      *u = 0
subleq a u $+1      *u = -*a
CLR c               *c = 0
subleq u c $+1
subleq w v $+4
subleq Z Z $-8

Pages 53 to 64:

What does this do?

The listing is simplified step by step. After the set-up, the state is *v = *b, *w = 1, *u = -*a, *c = 0, and the three remaining instructions read:

subleq u c $+1      *c = *c - *u = *c + *a
subleq w v $+4      *v = *v - *w, i.e. *v--; if (*v <= 0) skip the next instruction
subleq Z Z $-8      else jump back to subleq u c $+1

Pages 65 to 67:

MUL a b c

*v = *b
*c = 0
*c = *c + *a
*v--; if (*v <= 0) leave the loop, else repeat from *c = *c + *a

Page 68:

What does this do?

MOV a L1
data Z
data Z
L1: data Z

Page 69:

BRX a

MOV a L1            *L1 = *a
data Z
data Z
L1: data Z

(The three data cells form the instruction subleq Z Z L1; after the MOV its target is *a, so execution branches to the address stored in a.)

Page 70:

What does this do?

subleq b Z L1
subleq Z Z L2
L1: subleq Z Z $+1
subleq Z b c
L2: subleq Z Z $+1

Page 71:

BEQ b c

subleq b Z L1         Z = -*b; if Z <= 0 goto L1
subleq Z Z L2         else reset Z and goto L2
L1: subleq Z Z $+1    reset Z
subleq Z b c          *b = *b - 0; if *b <= 0 goto c
L2: subleq Z Z $+1

Page 72:

What does this do?

MOV b v
MOV a w
CLR c
subleq N c $+1
subleq w v $+4
subleq Z Z $-8

Pages 73 to 76:

What does this do?

MOV b v             *v = *b
MOV a w             *w = *a
CLR c               *c = 0
subleq N c $+1      *c = *c - (-1), i.e. *c++
subleq w v $+4      *v = *v - *w; if (*v <= 0) skip the next instruction
subleq Z Z $-8      else jump back to subleq N c $+1

Pages 77 to 79:

DIV a b c

*v = *b
*c = 0
*c++
*v = *v - *a; if (*v <= 0) leave the loop, else repeat from *c++
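The subleq machine of Pages 30 to 35, the CLR and MOV macros of Pages 39 and 41, and the MUL and DIV routines of Pages 51 to 79, run end to end as an added example (not the authors’ compiler or FPGA design; the two-pass assembler and halting by jumping to address −1 are this example’s own assumptions). It reads $ as the address of the current instruction’s c cell, the interpretation under which the slides’ $+1, $+4 and $−8 all land on instruction boundaries.

```python
"""Subleq interpreter with the slides' conventions, plus their MUL and DIV
routines assembled for it (added example; not the authors' compiler).
subleq a b c:  *b = *b - *a, then jump to c if the result is <= 0.
'$' is the address of the current instruction's c cell, so $+1 is the next
instruction; Z holds 0 and N holds -1, as on the slides."""


def subleq_run(mem, pc=0, max_steps=100_000):
    """Execute until the pc leaves memory (a jump to -1 halts). Returns steps."""
    steps = 0
    while 0 <= pc < len(mem) - 2:
        a, b, c = mem[pc], mem[pc + 1], mem[pc + 2]
        mem[b] -= mem[a]
        pc = c if mem[b] <= 0 else pc + 3
        steps += 1
        if steps > max_steps:
            raise RuntimeError("program does not halt")
    return steps


def assemble(lines, data):
    """Lay out 'subleq a b c' lines as triples, then the data cells (in dict
    order).  Operands: data-cell names, '$+n' / '$-n', or plain integers."""
    code = [line.split() for line in lines]
    addr = {name: 3 * len(code) + i for i, name in enumerate(data)}
    mem = []
    for n, (op, *args) in enumerate(code):
        assert op == "subleq" and len(args) == 3, code[n]
        for arg in args:
            if arg.startswith("$"):
                mem.append(3 * n + 2 + int(arg[1:]))  # relative to the c cell
            else:
                mem.append(addr[arg] if arg in addr else int(arg))
    mem.extend(data.values())
    return mem, addr


def CLR(x):                      # slide 39: *x = 0
    return [f"subleq {x} {x} $+1"]


def MOV(a, b):                   # slide 41: *b = 0 - (0 - *a)
    return CLR(b) + [f"subleq {a} Z $+1", f"subleq Z {b} $+1"] + CLR("Z")


HALT = ["subleq Z Z -1"]         # 0 - 0 <= 0, so this always jumps out of memory

# MUL a b c (slides 51 to 67): *c = *a * *b by repeated addition.
MUL = (CLR("u") + CLR("v") + CLR("w") + MOV("b", "v")
       + ["subleq N w $+1",      # *w = 0 - (-1) = 1
          "subleq u u $+1",      # *u = 0
          "subleq a u $+1"]      # *u = -*a
       + CLR("c")
       + ["subleq u c $+1",      # loop: *c = *c - (-*a) = *c + *a
          "subleq w v $+4",      # *v--; if *v <= 0 jump past the loop-back
          "subleq Z Z $-8"]      # unconditional jump to the loop head
       + HALT)

# DIV a b c (slides 72 to 79): count subtractions of *a from *b until the
# remainder is <= 0; for a non-multiple this is the ceiling of *b / *a.
DIV = (MOV("b", "v") + MOV("a", "w") + CLR("c")
       + ["subleq N c $+1",      # *c++
          "subleq w v $+4",      # *v = *v - *w; if *v <= 0 leave the loop
          "subleq Z Z $-8"]
       + HALT)


def run(program, a, b):
    """Assemble `program` with *a = a, *b = b and scratch cells; return *c."""
    data = {"Z": 0, "N": -1, "a": a, "b": b, "c": 0, "u": 0, "v": 0, "w": 0}
    mem, addr = assemble(program, data)
    subleq_run(mem)
    assert mem[addr["Z"]] == 0, "Z must be left at zero"
    return mem[addr["c"]]


if __name__ == "__main__":
    print(run(MUL, 3, 4), run(DIV, 3, 12), run(DIV, 3, 7))   # 12 4 3
```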

Page 80:

What else do we need?

Boolean operations such as AND, XOR.

Assuming that we have AND, we can design the XOR (on 8-bit words A and B with bits A_i, B_i, i = 0..7):

A ⊕ B = Σ_{i=0}^{7} (A_i ⊕ B_i) · 2^i = Σ_{i=0}^{7} (A_i + B_i − 2 · A_i · B_i) · 2^i = A + B − 2 · (A ∧ B)

Page 81:

Where is all this going?

The machine can do everything a smartcard can do.

Still, its execution is hyper-regular.

This eliminates instruction-dependent leakage. The only remaining leakage is data-dependent.

Page 82:

Where is all this going?

A “reductionist” approach.

Push all security issues into the subleq machine.

If the subleq machine is side-channel resistant then, no matter what algorithm we implement on it, the implementation is side-channel resistant!

Page 83:

Where is all this going?

But any algorithm can be coded on the machine.

Hence it suffices to concentrate all effort on protecting the machine.

But the machine is very simple, hence (conceivably!) much easier to secure than an AES or RSA coprocessor.

Pages 84 to 88:

Hardware Architecture

RAM

• We assume that we have a RAM initialized with the code.

The animation steps through the memory traffic of one subleq instruction:

Read[i]        M[i]
Read[i+1]      M[i+1]
Read[i+2]      M[i+2]
Write[i+1]     M[i+1] - M[i]

Page 89:

What Have We Done?

Implemented the machine in FPGA (600 CLBs), wrote a compiler.

Circa 7 subleqs per 8-bit assembler instruction. But the machine is so simple that the clock can be very fast.

Explored variants: SUBXORLEQ, SUBLEQXOR, SUBANDLEQ, etc.

Paper underway (soon on ePrint).