This document presents a new class of side channel attack, cross correlation, that can defeat RSA implementations. It analyzes power traces captured while an RSA device executes signatures in order to reveal the private exponent. A preprocessing step compresses the traces and reveals the modular operations in them. Cross correlation analysis then exposes operand sharing between operations, which allows retrieval of the full private key. Countermeasures such as exponent blinding and randomizing the order of operations can prevent the attack.
3. Introduction
• About the authors
• Side Channel Analysis
• RSA background
• Countermeasures
• Attack concepts
4. About The Authors
Marc F. Witteman
CTO, Riscure
Jasper G. J. van Woudenberg
Senior Security Analyst, Riscure
Federico Menarini
Security Analyst, Riscure
5. Side Channel Analysis
Analyze secret leakage from crypto implementations
Example power trace of DES on smart card
Leaks Hamming weight of processed data
6. RSA background
Exponentiation is sequence of square and multiply operations
Naïve implementations do for each key bit
• Always square
• Conditional multiplication (if key bit equals ‘1’)
Distinction of square and multiply operations may reveal key (SPA)
[Figure: trace annotated with key bits 1 000 11 0 0]
7. Countermeasures
Some common countermeasures against side channel analysis of RSA
• noise
• multiply-always: discard multiplication results after processing a zero bit
• message blinding: multiply message with random number, and multiply signature with a matching inverse that removes the mask
• exponent blinding: add random multiples of φ to the exponent
8. Attack concepts
Cross correlation is an attack class
• Comparable to high-order DPA
• No clear text/cipher text needed
Attack demonstrated on RSA smart card implementation with several countermeasures
Procedure with two innovative steps
• Preprocess modular operations
• Cross correlation analysis
10. Compressing modular operations
Modular operation execution typically increases power consumption due to switching of many bits in parallel
Old smart cards have easily recognizable modular operations
Compression involves selection of threshold, and averaging all sequential samples above a threshold
Low pass filtering may be needed if signals are noisy
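The compression step described on this slide, as an added example that is not part of the original presentation. The trace values, the threshold and the filter window are constructed for illustration; the dip inside the second operation shows why low pass filtering may be needed before thresholding.

```python
# Constructed trace: three modular operations (high samples) separated by idle
# periods (low samples). The second operation contains a one-sample noise dip.
TRACE = [1, 1, 1, 1, 5, 5, 6, 5, 5, 5, 1, 1, 1, 1, 7, 7, 2, 7, 7, 7,
         1, 1, 1, 1, 4, 4, 4, 5, 4, 4, 1, 1]
THRESHOLD = 3.5  # constructed value between idle level and operation level


def low_pass(trace, window=3):
    """Centered moving average; the edges use whatever samples are available."""
    half = window // 2
    out = []
    for i in range(len(trace)):
        segment = trace[max(0, i - half): i + half + 1]
        out.append(sum(segment) / len(segment))
    return out


def compress(trace, threshold):
    """Replace every run of sequential samples above threshold by its average."""
    values, run = [], []
    for sample in trace:
        if sample > threshold:
            run.append(sample)
        elif run:                      # run just ended: emit one value for it
            values.append(sum(run) / len(run))
            run = []
    if run:                            # trace ended while still above threshold
        values.append(sum(run) / len(run))
    return values


if __name__ == "__main__":
    # Without filtering, the dip splits the second operation into two values.
    print(len(compress(TRACE, THRESHOLD)), "values without low pass filter")
    print(len(compress(low_pass(TRACE), THRESHOLD)), "values with low pass filter")
```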
11. Revealing hidden modular operations
New smart cards hide or scramble power signal (may need EMA)
Modular operations may be recognized by alignment and averaging
Pattern recognition works only for first operations (clock jitter)
12. Position finding of shifted modular operations
• One averaged pattern is used to identify and locate modular operations in the noisy traces
• Correlate the pattern with the trace, and the peaks indicate the starting points of the modular operations
14. Operand sharing
RSA uses two similar operations (intermediate signature S, message M, modulus N)
• Square: S’ := S * S mod N
• Multiply: S’ := S * M mod N
Subsequent square operations usually do not share operands
Multiply operations do share an operand (M)
Operand sharing may be observed if order of square and multiply operations identical for repetitive encryptions
15. Cross correlation principle
Consider a set of k traces with n samples as a matrix
Compute correlation between each pair of sample vectors
16. Cross correlation matrix
Correlation matrix represented in colored dots, where a lighter color corresponds to a higher correlation
Multiply operations light up like a Christmas tree
Can recognize naïve binary exponentiation key: 111101011000101
17. Cross correlation with multiply always
High frequency of correlating pairs reveals multiply always variant
Incidental correlation of square operation with predecessor reveals discarded multiply:
• S’ = S * M
• S’’ = S * S
Can recognize key: 11110101100
18. Cross correlating neighboring samples
Compute and display correlation only between adjacent vectors
[Figure: correlation between adjacent vectors, annotated with key bits 1 and 0]
High and low correlation values correspond to key bits set to zero and one
Complete key can be retrieved in short time
20. Apply
This attack can be applied to any RSA implementation under the following conditions
• Power consumption or EM radiation can be measured (with minimal S/N)
• Several thousand crypto operations (signatures) can be executed
• Implementation uses a fixed sequence of modular operations
No data requirements
• No chosen messages needed
• No known messages or signatures needed
Attack applies to
• RSA-Straight and RSA-CRT
• Naïve and Montgomery multiplication
• Any hashing or padding scheme
Attack yields private exponent
21. Countermeasures
Countermeasures that do NOT work
• Message blinding
• Multiply always, Montgomery ladder, or BRIP
Countermeasures that are NOT enough
• Noise
• Signal reduction
• Random delays / variable clocks
Countermeasures that work
• Exponent blinding
• Random bit group size
• Any randomization method that makes the order of square and multiply operations unpredictable
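Why a fixed operation order matters and why exponent blinding works, as an added simulation that is not part of the original presentation: multiply operations share the operand M, so their sample columns correlate across traces only while every trace follows the same square/multiply order. The leakage model, PHI, the noise level and the blinding range are assumptions; D is the key pattern shown on slide 16.

```python
import random

D = 0b111101011000101   # key bits shown on the "Cross correlation matrix" slide
PHI = 60000             # constructed toy value standing in for phi(N)

def op_sequence(exponent):
    """Left-to-right binary exponentiation: square per bit, multiply after a 1."""
    ops = []
    for bit in bin(exponent)[2:]:
        ops.append("S")
        if bit == "1":
            ops.append("M")
    return ops

def simulate(exponents, n_ops, rng, noise=0.5):
    """One row per signature, one compressed sample per modular operation.
    Toy leakage model (assumption): a multiply leaks the per-signature operand M,
    a square leaks a fresh random operand; Gaussian noise is added to both."""
    rows = []
    for e in exponents:
        m = rng.gauss(0, 1)
        rows.append([(m if op == "M" else rng.gauss(0, 1)) + rng.gauss(0, noise)
                     for op in op_sequence(e)[:n_ops]])
    return rows

def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var_x = sum((a - mx) ** 2 for a in x)
    var_y = sum((b - my) ** 2 for b in y)
    return cov / (var_x * var_y) ** 0.5

def mean_multiply_correlation(rows, ops):
    """Mean correlation between the sample columns where `ops` has a multiply."""
    cols = list(zip(*rows))
    idx = [i for i, op in enumerate(ops) if op == "M"]
    pairs = [(i, j) for i in idx for j in idx if i < j]
    return sum(pearson(cols[i], cols[j]) for i, j in pairs) / len(pairs)

def compare(k=400, seed=7):
    """Return (fixed exponent, blinded exponent) mean multiply-pair correlation."""
    rng = random.Random(seed)
    ops = op_sequence(D)
    fixed = simulate([D] * k, len(ops), rng)
    blinded = simulate([D + rng.randrange(2**8, 2**16) * PHI for _ in range(k)],
                       len(ops), rng)   # exponent blinding: d' = d + r * phi
    return (mean_multiply_correlation(fixed, ops),
            mean_multiply_correlation(blinded, ops))

if __name__ == "__main__":
    print("fixed %.2f, blinded %.2f" % compare())
```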
22. Future research
Cross correlation attack applies well to RSA, but the method is not restricted to RSA
We study application of the concepts to
• ECC
• Symmetric algorithms
23. Attack summary
New side channel attack class developed and demonstrated
Applies to many different RSA implementations
Defeats several countermeasures
Effective countermeasures are possible