u n u s u a l side channel countermeasure ideas (that lend themselves to some form of provability)
TRANSCRIPT
Unusual Side Channel Countermeasure Ideas
(that lend themselves to some form of provability)
The Solutions’ Galaxy
The Solutions’ Galaxy
Hamster Wheel KeysEric Brier, David Naccache, Nigel Smart
k
A common practice
In the past several authors proposed to prevent side channel attacks by having a key evolve in time.
The typical setting is the following:
ID, ik0=f(ID,k)
ki
ki=H(H(…H(k0)…)
secure communication using ki
move ki to RAM
write ki+1=H(ki) in NVM
erase ki from NVM
k
The time consuming part
ID, ik0=f(ID,k)
ki
ki=H(H(…H(k0)…)
secure communication using ki
move ki to RAM
write ki+1=H(ki) in NVM
erase ki from NVM
Implemented Solutions
Repeated application of H
Hashing trees, even patented.
Issues
Repeated application of H: The system slows down with time.
Hashing trees: Clumsy bookkeeping and sensitive to card tearing.
Most importantly: we want to quantify leakage, i.e. model leakage depending on the H we use.
The Alternative
H(k) = a kb mod p
Why?
Because the terminal has an easy shortcut:
Hi(k) = au kv mod pwhere
u=(bi-1)/(b-1) mod(p) and v=bi mod (p)
Quick Implementation
Hi(k) = au kv mod pwhere
u=(bi-1)/(b-1) mod(p) and v=bi mod (p)
Precompute C=k a1/(b-1)
Precompute D=1/a
Hi(k) = DCv mod p
Variants
H(k) = {akb mod 3, akb mod 5,…, akb mod pi}
Advantage: Word operations instead of long-integer arithmetic. Note that different a and b values could be used for different coordinates.
However, as will be seen later, this is less secure wrt side channel leakage as each coordinate can be an independent target to side channel analysis.
Before We Proceed
We do not claim the invention of these PRNGs!
The main contribution of this work is :
- Stress that one can capitalize on the shortcut offered by their arithmetic properties to very simply implement key-evolving smart-card based protocols.
- Analyze the resilience of these generators to leakage of a piece of the key.
Realistic Assumptions
a, k and p can be arbitrary and secret. No penalty.
b would typically be of moderate size because of the burden of exponentiation on the card’s size.
Hence, we should reasonably assume that b is public.
Leakage Model
At each iteration some bits of axb mod p and x leak.
Question: Under which assumptions can we infer k?
Advantage of looking at the problem from this angle: we have algebraic tools to analyze multivariate modular equations.
The variables in question are the chunks of axb that the side channel does not provide at each session.
H(x) = x2 mod nThis is the BBS generator.
If less than log log n bits leak at each step then this is secure under the factoring assumption even when n is known to the attacker.
If n is known to the attacker and each operation leaks “more” bits of x, then x can be inferred. Analysis of “more” in two slides.
If leakage is in between or n unknown: open problem.
H(x) = x2 mod pSee Gomez, Gutierrez and Ibeas for known p.
If ¾ of x leak than x is revealed. (Same performance as brutal linearization).
But we can do better.
Consider the equation (A+x)2=B+y mod p
Here A and B is what leaks via side channel. Denote this equation E
Gomez, Gutierrez and Ibeas “Cryptanalysis of the quadratic generator“
Consider all the equations of the type xi Ej which are verified modulo nj with i+2j2d
This gives a constraint of the order of n to the
power of the sum of the j for i+2j2d, which equals d(d+1)(2d+1)/6
The degrees of freedom on all linerarized variables is of the order n to the power the sum of the (i+j) for i+2jd, which gives d(d+1)^2
We hence get a size ratio < the quotient of these two sizes, which simplfies into (2d+1)/6/(d+1). This quantity tends to 1/3 when d.
If H(x)=xe mod n, the constraints are sont i+ejed.We get the same contraintes with more freedom
i.e. d(d+1)(6+e+e^2+2de+2de^2).
The factorized ratio is then 2(2d+1)/(6+e+e^2+2de+2de^2)
This tends 2/(e^2+e) when d tends to infinity.
As e increases the attacker’s handicap increases very quickly.
H(x) = x+P on an ECCSee Gutierrez and Ibeas for known p.
If 5/6 of x leak than x is revealed.
For unknown P or unknown ECC: open problem.
Same techniques should normally apply but we did not check in detail.
Gutierrez and Ibeas, « inferring sequences produced by a linear congruential generator on elliptic curves missing high-order bits »
H(x) = 2x on an ECC
Practical Recommendations
H(k) = a kb mod n
Use unknown a, unknown composite n and b=8.
a and k should be of the size of n.
Use only ¼ of the bits of H(k) as key material.
Use one bit out of four in H(k) as key material.
Quick Implementation
Let C=f(1,ID,MasterKey)=k a1/7
Let D=f(2,ID,MasterKey)=1/a
Solve and personalize k and a in the card
The terminal uses the shortcut formula:
Hi(k) = DCv mod n where v=8i mod (n)
k
A Possible Implementation
ID, iC=f(1,ID,k)
ki
ki=DCv mod n
secure communication using ki
move ki to RAM
write ki+1=aki8 in NVM
erase ki from NVM
D=f(2,ID,k)
v=8i mod(n)
An Ideal Power Attack Countermeasure
(in 3 slides)
Jean-Max Dutertre, Amir Pasha Mirbaha, David Naccache, Assia Tria
IdeaPower the µP from a photovoltaic panel facing a powerful LED.
+-
Vss
Vcc
VccµPIO
CLK
RST
Constructing the DeviceWe are currently ordering a photovoltaic panel about the size of a
smart card and an OLED panel about the same size.
Step 1: Place both panels face-to-face, have the OLED glow to its maximal capacity and check that the derived power allows to power the µP.
LED PV Panel
Step 2: Characterize the energy transfer-rate as function of resistor value.
Step 3: Construct a generic power attack isolation board.
+-
Vss
Vcc
VccµPIO
CLK
RST
Constructing the Device
For More on PV Physicshttp://en.wikipedia.org/wiki/Solar_cell
Can’t Do Less
David Naccache, Christof Paar, Florian Praden
Investors deal with two questions
- How to get funds?Logistics
- How to spend funds rationally?Tactics & Strategy
Here we address the second.
The Subleq Machine
Subleq is a Turing-complete machine having only one instruction.
subleq a b c *(b)=*(b)-*(a) if the result is negative or zero, go to c
else execute the next instruction.
The Subleq Machine
Since subleq has only three arguments and since there is no confusion of instructions possible (there is only one!), a subleq code can be regarded as a sequence of triples.
a1 b1 c1
a2 b2 c2
a3 b3 c3
:
…interleaved with data
Since data can be embedded in the code, the sequence of triples can be interleaved with data. For instance:
a1 b1 c1
data1 data2
a2 b2 c2
data3
a3 b3 c3
:
How does it work?
*b = *b-*a;
if (*b0) program_counter = c;
else program_counter =
program_counter+3;
Genealogy
Subleq is an OISC (“One Instruction Set Computer) which comes from the Minsky machine concept.
The Minsky machine is a register machine with only two instructions: “increment” and “decrement-and-branch”.
Allowing for comfort
Memory is loaded with instructions and data altogether (no distinction).
Hence the code can potentially self-modify and consider that any cell is a, b or c.
We can pre-store constants (like 0,1 etc)
e.g. we devote a cell called Z to contain zero, N to contain -1
What does this do?
subleq Z Z c
JMP c
subleq Z Z c
What does this do?
subleq a a $+1
CLR a
subleq a a $+1
What does this do?
CLR bsubleq a Z $+1subleq Z b $+1CLR Z
MOV a b
subleq b b $+1 *b=0subleq a Z $+1 Z=-*asubleq Z b $+1 *b=0-(-*a)=*a
subleq Z Z $+1 Z=0
What does this do?
subleq a Z $+1subleq b Z $+1 CLR csubleq Z c $+1CLR Z
ADD a b c
subleq a Z $+1 Z=0-*asubleq b Z $+1 Z=-*a-*bsubleq c c $+1 *c=*c-*c=0subleq Z c $+1 *c=0+*a+*bsublez Z Z $+1 Z=0
What does this do?
CLR tCLR s subleq a t $+1subleq b s $+1subleq s t $+1 CLR c CLR s subleq t s $+1subleq s c $+1
SUB a b c
subleq t t $+1 *t=0subleq s s $+1 *s=0subleq a t $+1 *t=-*asubleq b s $+1 s=-*bsubleq s t $+1 t=-*a+*b subleq c c $+1 *c=0 subleq s s $+1 *s=0 subleq t s $+1 *s=0-(-*a+*b)=*a-*bsubleq s c $+1 *c=0-(*a-*b)=*b-*a
What does this do?
CLR tsubleq a t $+1 CLR ssubleq t s $+1subleq b s c
BLE a b c
subleq t t $+1 t=0subleq a t $+1 *t=-*asubleq s s $+1 *s=0subleq t s $+1 *s=*asubleq b s c *s=*a-*b
if *a-*b0 goto c
What does this do?
CLR tsubleq a t $+1 CLR ssubleq b s $+1subleq s t $+1 subleq N t c
BHI a b c
subleq t t $+1 *t=0subleq a t $+1 *t=-*asubleq s s $+1 *s=0subleq b s $+1 *s=-*bsubleq s t $+1 *t=-*a+*bsubleq N t c *t=-*a+*b-(-1)
if *b-*a+10 goto c
What have we got so far?JMP a goto aMOV a b *b=*aSUB a b c *c=*b-*aADD a b c *c=*b+*aBHI a b c if *b-*a+10 goto c
if *b<*b+1*a goto c
if *b<*a goto c if *a>*b goto c
BLE a b c if *a-*b0 goto c if *a*b goto c
CLR a *a=0
What does this do?
CLR u;v;w MOV b vsubleq N w $+1subleq u u $+1 subleq a u $+1CLR csubleq u c $+1subleq w v $+4subleq Z Z $-8
What does this do?
CLR u;v;w *u=*v=*w=0 MOV b v *v=*bsubleq N w $+1 *w=0-(-1)=1subleq u u $+1 *u=0subleq a u $+1 *u=-*aCLR c *c=0subleq u c $+1subleq w v $+4subleq Z Z $-8
What does this do?
*v=*b
*w=0-(-1)=1 *u=-*a *c=0subleq u c $+1subleq w v $+4subleq Z Z $-8
What does this do?
*v=*b
*w=1 *u=-*a *c=0subleq u c $+1subleq w v $+4subleq Z Z $-8
What does this do?
*v=*b
*w=1 *u=-*a *c=0subleq u c $+1 *c=*c-*u=*c+*asubleq w v $+4subleq Z Z $-8
What does this do?
*v=*b
*w=1 *u=-*a *c=0subleq u c $+1 *c=*c+*asubleq w v $+4 *v=*v-*w if…subleq Z Z $-8
What does this do?
*v=*b
*w=1 *u=-*a *c=0subleq u c $+1 *c=*c+*asubleq w v $+4 *v=*v-1 if…subleq Z Z $-8
What does this do?
*v=*b
*w=1 *u=-*a *c=0subleq u c $+1 *c=*c+*asubleq w v $+4 *v-- if…subleq Z Z $-8
What does this do?
*v=*b
*w=1 *u=-*a *c=0subleq u c $+1 *c=*c+*asubleq w v $+4 *v--; if(*v0)subleq Z Z $-8
What does this do?
*v=*b
*w=1 *u=-*a *c=0subleq u c $+1 *c=*c+*asubleq w v $+4 *v--; if(*v0)subleq Z Z $-8 else
What does this do?
*v=*b
*w=1 *c=0subleq u c $+1 *c=*c+*asubleq w v $+4 *v--; if(*v0)subleq Z Z $-8 else
What does this do?
*v=*b
*c=0subleq u c $+1 *c=*c+*asubleq w v $+4 *v--; if(*v0)subleq Z Z $-8 else
What does this do?
*v=*b
*c=0subleq u c $+1 *c=*c+*asubleq w v $+4 *v--; if(*v0)subleq Z Z $-8 else
What does this do?
*v=*b
*c=0 *c=*c+*a
*v--; if(*v0)else
MUL a b c
*v=*b
*c=0 *c=*c+*a
*v--; if(*v0)else
MUL a b c
*v=*b *c=0 *c=*c+*a
*v--; if(*v0)else
MUL a b c
*v=*b *c=0 *c=*c+*a
*v--; if(*v0)else
What does this do?
MOV a L1 data Z data ZL1: data Z
BRX a
MOV a L1 *L1=*a data Z data ZL1: data Z
What does this do?
subleq b Z L1subleq Z Z L2
L1 subleq Z Z $+1subleq Z b c
L2 subleq Z Z $+1
BEQ b c
subleq b Z L1 Z=-*b if Z0subleq Z Z L2 else reset Z
L1 subleq Z Z $+1 reset Zsubleq Z b c *b=*b-0 if *b0
L2 subleq Z Z $+1
c
What does this do?
MOV b vMOV a wCLR csubleq N c $+1subleq w v $+4subleq Z Z $-8
What does this do?
MOV b v *v=*bMOV a w *w=*aCLR c *c=0subleq N c $+1 *c=*c-(-1)subleq w v $+4subleq Z Z $-8
What does this do?
MOV b v *v=*bMOV a w *w=*aCLR c *c=0subleq N c $+1 *c++subleq w v $+4 *v=*v-*w if(*v0)
subleq Z Z $-8 else
What does this do?
MOV b v *v=*bMOV a w *w=*aCLR c *c=0subleq N c $+1 *c++subleq w v $+4 *v=*v-*w if(*v0)
subleq Z Z $-8 else
What does this do?
*v=*b*w=*a*c=0*c++*v=*v-*w
if(*v0)else
DIV a b c
*v=*b
*c=0*c++*v=*v-*a
if(*v0)else
DIV a b c
*v=*b*c=0*c++*v=*v-*a
if(*v0)else
DIV a b c
*v=*b*c=0*c++*v=*v-*a
if(*v0)else
What else do we need?
Boolean operations such as AND, XOR.
Assuming that we have AND, we can design the XOR:
)BA(2BAAB2)AB(2)AB(2BA i
7
0ii
1ii
7
0ii
ii
7
0ii
i
Where is all this going?
The machine can do everything a smartcard can do.
Still, it’s execution is hyper-regular.
Eliminates instruction-dependent leakage. Only leakage is data-dependent.
Where is all this going?
A “reductionist” approach.
Push all security issues into the subleq machine.
If the subleq machine is side-channel resistant then no matter what algorithm we implement on it, the implementation is side-channel resistant!
Where is all this going?
But any algorithm can be coded on the machine.
Hence it suffices to concentrate all effort on protecting the machine.
But the machine is very simple, hence (conceivably!) much easier to secure than an AES or RSA coprocessor.
Hardware Architecture
RAM
• We assume that we have a RAM initialized with the code.
Read[i]
M[i]
Hardware Architecture
RAM
• We assume that we have a RAM initialized with the code.
Read[i+1]
M[i+1]
Hardware Architecture
RAM
• We assume that we have a RAM initialized with the code.
Read[i+2]
M[i+2]
Hardware Architecture
RAM
• We assume that we have a RAM initialized with the code.
Write[i+1]
M[i+1]-M[i]
Hardware Architecture
RAM
• We assume that we have a RAM initialized with the code.
Write[i+1]
M[i+1]-M[i]
What Have We Done?Implemented the machine in FPGA (600 CLBs),
wrote a compiler.
Circa 7 subleqs per 8-bit assembler instruction.But the machine is so simple that clock can be
very fast.
Explored variants:SUBXORLEQ, SUBLEQXOR, SUBANDLEQ, etc.
Paper underway (soon on ePrint).