This document discusses a new side channel attack called cross correlation that can defeat RSA implementations. It works by analyzing power traces from an RSA device executing signatures to reveal the private exponent. The attack preprocessing compresses and reveals modular operations in traces. It then uses cross correlation analysis to observe operand sharing between operations, allowing retrieval of the full private key. Countermeasures like exponent blinding and randomizing the operation order can prevent this attack.

1. Marc Witteman
Riscure
Defeating RSA
Multiply-Always and Message Blinding
Countermeasures
Session ID: CRYP-201
Session Classification: Advanced

2. Agenda
2
Introduction
Preprocessing modular operations
Cross correlation
Conclusion

3. 3
Introduction
• About the authors
• Side Channel Analysis
• RSA background
• Countermeasures
• Attack concepts

4. About The Authors
 Marc F. Witteman
 CTO, Riscure
 Jasper G. J. van Woudenberg
 Senior Security Analyst, Riscure
 Federico Menarini
 Security Analyst, Riscure
4

5. Side Channel Analysis
 Analyze secret leakage from crypto implementations
 Example power trace of DES on smart card
 Leaks hamming weight of processed data
5

6. RSA background
 Exponentiation is sequence of square and multiply operations
 Naïve implementations do for each key bit
 Always square
 Conditional multiplication (if key bit equals ‘1’)
 Distinction of square and multiply operations may reveal key (SPA)
1 000 11 0 0
8

7. Countermeasures
 noise
 multiply-always
discard multiplication results after processing a zero bit
 message blinding
multiply message with random number, and multiply signature with
a matching inverse that removes the mask
 exponent blinding
add random multiples of φ to the exponent
9
Some common countermeasures
against side channel analysis of RSA

8. Attack concepts
 Cross correlation is an attack class
 Comparable to high-order DPA
 No clear text/cipher text needed
 Attack demonstrated on RSA smart card
implementation with several countermeasures
 Procedure with two innovative steps
 Preprocess modular operations
 Cross correlation analysis
10

9. 11
Preprocessing modular operations
• Compression
• Revealing
• Position finding

10. Compressing modular operations
 Modular operation execution typically increases power
consumption due to switching of many bits in parallel
 Old smart cards have easily recognizable modular operations
 Compression involves selection of threshold, and averaging all
sequential samples above a threshold
 Low pass filtering may be needed if signals are noisy
12

11. Revealing hidden modular operations
 New smart cards hide or scramble power signal (may need EMA)
 Modular operations may be recognized by alignment and averaging
 Pattern recognition works only for first operations (clock jitter)
13

12. • One averaged pattern is used to identify and locate modular
operations in the noisy traces
• Correlate the pattern with the trace, and the peaks indicate
the starting points of the modular operations
Position finding of shifted modular operations
14

13. 15
Cross Correlation
• Operand sharing
• Principle
• Matrix
• Effect of multiply-always
• Neighboring samples

14. Operand sharing
 RSA uses two similar operations
(intermediate signature S, message M, modulus N)
 Square: S’ := S * S mod N
 Multiply: S’ := S * M mod N
 Subsequent square operations usually do not share
operands
 Multiply operations do share an operand (M)
 Operand sharing may be observed if order of square
and multiply operations identical for repetitive
encryptions
16

15. Cross correlation principle
 Consider a set of k traces with n samples as a matrix
 Compute correlation between each pair of sample vectors
17

16. Cross correlation matrix
 Correlation matrix
represented in colored
dots, where a lighter
color corresponds to a
higher correlation
 Multiply operations light
up like a Christmas tree
 Can recognize naïve
binary exponentiation
key: 111101011000101
18

17. Cross correlation with multiply always
 High frequency of
correlating pairs reveals
multiply always variant
 Incidental correlation of
square operation with
predecessor reveals
discarded multiply:
S’ = S * M
S’’ = S * S
 Can recognize key:
11110101100
19

18. Cross correlating neighboring samples
 Compute and display correlation only between adjacent vectors
1 1 11
0 0 0
0
High and low correlation values correspond to key bits set to zero and one
Complete key can be retrieved in short time
20

19. 21
Conclusion
• Apply
• Countermeasures
• Future research
• Summary
• Q&A

20. Apply
 This attack can be applied to any RSA implementation
under the following conditions
 Power consumption or EM radiation can be measured
(with minimal S/N)
 Several thousand crypto operations (signatures) can be executed
 Implementation uses a fixed sequence of modular operations
 No data requirements
 No chosen messages needed
 No known messages or signatures needed
 Attack applies to
 RSA-Straight and RSA-CRT
 Naïve and Montgomery multiplication
 Any hashing or padding scheme
 Attack yields private exponent
22

21. Countermeasures
 Countermeasures that do NOT work
 Message blinding
 Multiply always, Montgomery ladder, or BRIP
 Countermeasures that are NOT enough
 Noise
 Signal reduction
 Random delays / variable clocks
 Countermeasures that work
 Exponent blinding
 Random bit group size
 Any randomization method that makes the order of square and
multiply operations unpredictable
23

22. Future research
Cross correlation attack applies well to RSA,
but the method is not restricted to RSA
We study application of the concepts to
 ECC
 Symmetric algorithms
24

23. Attack summary
 New side channel attack class developed and
demonstrated
 Applies to many different RSA implementations
 Defeats several countermeasures
 Effective countermeasures are possible
25

24. Q&A
Need help?
contact
Marc Witteman
CTO
witteman@riscure.com
Riscure Inc.
901 Mariners Island Blvd
Suite 595
San Mateo, CA 94404
USA
Phone: +1 650 425 7327
www.riscure.com
26
Complete article can be downloaded from:
http://www.riscure.com/tech-corner/publications.html