+ All Categories

Sliding Windows Succumbs to

Big Mac Attack

Colin D. Walterwww.co.umist.ac.uk

CHES 2001 C.D. Walter, UMIST 2


• Re-think the power of DPA;

• Use it on a single exponentiation;

• Longer keys are more unsafe!

CHES 2001 C.D. Walter, UMIST 3

DPA Attack on RSA

Summary: Differential Power Analysis (DPA) is used to determine the secret exponent in an embedded RSA cryptosystem.

Assumption: The implementation uses a small multiplier whose power consumption is data dependent and measurable.

CHES 2001 C.D. Walter, UMIST 4


• P. Kocher, J. Jaffe & B. Jun Introduction to Differential Power

Analysis and Related Attacks Crypto 99

• T. S. Messerges, E.A. Dabbish & R.H. Sloan Power Analysis Attacks of Modular Exponentiation in Smartcards CHES 99

CHES 2001 C.D. Walter, UMIST 5


• Switching a gate in the H/W requires more power than not doing so;

• On average, a Mult-Acc opn a×b+c has data dependent contributions roughly linear in the Hamming weights of a and b;

• Variation occurs because of the initial state set up by the previous mult-acc opn.

CHES 2001 C.D. Walter, UMIST 6

First Results

• This theory was checked by simulation

and found to be broadly correct;

• Refinements were made to this model

(which will be reported elsewhere);

• These give a more precise & detailed

partial ordering.

CHES 2001 C.D. Walter, UMIST 7

Combining Traces I

• The long integer product A×B in an exponentiation contains a large number of small digit multiply-accumulates: ai×bj+ck

• Identify the power subtraces of each ai×bj+ck

from the power trace of A×B;

• Average the power traces for fixed i as j varies: this gives a trace tri which depends on ai but

only the average of the digits of B.

CHES 2001 C.D. Walter, UMIST 8

Combining Traces

a0b0 a0b1 a0b2 a0b3

CHES 2001 C.D. Walter, UMIST 9

Combining Traces


CHES 2001 C.D. Walter, UMIST 10

Combining Traces



CHES 2001 C.D. Walter, UMIST 11

Combining Traces




CHES 2001 C.D. Walter, UMIST 12

Combining Traces





CHES 2001 C.D. Walter, UMIST 13

Combining Traces

CHES 2001 C.D. Walter, UMIST 14

Combining Traces


Average the traces:

CHES 2001 C.D. Walter, UMIST 15

• b is effectively an average random digit;

• So trace is characteristic of a0 only, not B.


Combining Traces



CHES 2001 C.D. Walter, UMIST 16

Combining Traces II

• The dependence of tri on B is minimal

if B has enough digits;

• Concatenate the average traces tri for each ai to obtain a trace trA which reflects properties of A much more strongly than those of B;

• The smaller the multiplier or the larger the number of digits (or both) then the more characteristic trA will be.

CHES 2001 C.D. Walter, UMIST 17

Combining Traces


CHES 2001 C.D. Walter, UMIST 18

Combining Traces

tr0 tr1

CHES 2001 C.D. Walter, UMIST 19

Combining Traces

tr0 tr1 tr2

CHES 2001 C.D. Walter, UMIST 20

Combining Traces

tr0 tr1 tr2 tr3

CHES 2001 C.D. Walter, UMIST 21

• Question: Is the trace trA sufficiently characteristic to determine repeated use of a multiplier A in an exponentiation routine?

Combining Traces


CHES 2001 C.D. Walter, UMIST 22

Distinguish Digits?

• Averaging over the digits of B has reduced the noise level;

• In m-ary exponentiation we only need to distinguish: – squares from multiplies– the multipliers A(1), A(2), A(3), …, A(m–1)

• For small enough m and large enough number of digits they can be distinguished in a simulation of clean data.

CHES 2001 C.D. Walter, UMIST 23

Distances between Traces



d(0,1) = ( i=0(tr0(i)tr1(i))2 )½ n



CHES 2001 C.D. Walter, UMIST 24




d(0,1) = ( i=0(tr0(i)tr1(i))2 )½ n


gate switch count

CHES 2001 C.D. Walter, UMIST 25

Simulation Results

16-bit multiplier, 4-ary expn, 512-bit modulus.

d(i,j) = distance between traces for ith and jth multiplications of expn.

Av d for same multipliers 2428 gates

SD for same multipliers 1183

Av d for different multipliers 23475 gates

SD for different multipliers 481

CHES 2001 C.D. Walter, UMIST 26

Simulation Results

• Equal exponent digits can be identified – their traces are close;

• Unequal exponent digit traces are not close;

• Squares can be distinguished from multns: their traces are not close to any other traces;

• There are very few errors for typical cases.

CHES 2001 C.D. Walter, UMIST 27

Expnt Digit Values

• Pre-computations A(i+1) A A(i) mod M provide traces for known multipliers. So:

• We can determine which multive opns are squares;

• We can determine the exp digit for each multn;

• Minor extra detail for i = 0, 1 and m–1;

• This can be done independently for each opn.

CHES 2001 C.D. Walter, UMIST 28

Some Conclusions

• The independence means attack time proportional to secret key length;

• Longer modulus means better discrimination between traces;

• No greater safety against this attack from longer keys.

CHES 2001 C.D. Walter, UMIST 29


• With the usual DPA averaging

already done, it may be possible

to use a single exponentiationsingle exponentiation to

obtain the secret key;

• So using expSo using expntnt dd++rrφ(φ(MM) with ) with

random random rr may be no defence. may be no defence.

CHES 2001 C.D. Walter, UMIST 30

Final Conclusions

• Sliding Windows expn method may be broken in this way;

• Like a Big Mac, you can nibble away at each secret exponent digit in turn and enjoy finding out its value.

Top Related