[IEEE 2006 International Conference - Modern Problems of Radio Engineering, Telecommunications, and...
Comparative Analysis of Secret Information Leakage Risk during Timing Analysis of General Modular Exponentiation Methods
Mykola Karpinskyy, Ihor Vasyltsov, Lesya Vasylkiv

Abstract - This paper presents the mathematical background for estimating the secret information leakage risk during timing analysis of the most general modern modular exponentiation methods. The leakage risks of those methods are compared. Possible countermeasures to decrease the secret information leakage risk level are also proposed.

Keywords - Secret Information Leakage Risk, Timing Analysis, Binary Modular Exponentiation Method, β-ary Modular Exponentiation Method, Sliding Window Modular Exponentiation Method.

I. INTRODUCTION
Timing analysis (TA) is one of the simplest and easiest-to-implement side-channel analysis (SCA) attacks. This kind of attack can be very effective when the eavesdropper has access to the encryption tools [1]. So, the development of countermeasures to decrease the secret information leakage risk is a very important question.
Modular exponentiation algorithms are used as the basic operation of most asymmetric cryptoalgorithms. So, a very important task is to estimate the risk of secret information leakage during timing analysis of those operations (algorithms).
In this paper the authors investigate some of the most general modern modular exponentiation methods: the Binary, β-ary and Sliding Window Methods.
Each of the noted methods can be realized in two directions of reading the bits of the exponent: from left to right (LTR) and from right to left (RTL). The details on algorithm implementation of these methods can be found in [2, 4, 6].
II. TIMING MODELS OF MODULAR EXPONENTIATION METHODS
As TA on the general LTR and RTL Binary Methods has been considered in [5, 6], in this paper the main attention is paid to the risk analysis of the β-ary and Sliding Window Methods. The methodology of the analysis will be similar to [5, 6].
According to [5], the time required to perform the β-ary and Sliding Window Methods for the LTR and RTL directions can be defined as below:

$$T_i^{\beta\,LTR} = t_i + c_i + (\beta - 1)s_i + \sum_{j=k-1}^{0}(d_{i,j} + s_{i,j}) + e_i \tag{1}$$
Mykola Karpinskyy - University of Bielsko-Biala, ul. Willowa 2, 43-309 Bielsko-Biala, Poland, E-mail: mkarpinskiLdath.bielsko.pl
Ihor Vasyltsov, Lesya Vasylkiv - Department of Information Technology Security, Ternopil State Economical University, Lvivska 11, 46004 Ternopil, Ukraine, E-mail: igorvasiltsovgmail.ru; kbzatanc.edu.ua
Tjo, =ti +(13+l)ci +bi +2(3-l)s- +
k-i k-l
+ Ed,j + dIj +Sj +eIj=O n=- nj=lnj=O nj=l
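(2)

$$T_i^{SW\,LTR} = e_i + t_i + b_i + (2^{w-1} + p)s_i + (p + 1)c_i + p\,q_i + \sum_{j=k-1}^{0} s_{i,j} + \sum_{\substack{j=k-1 \\ n_j=0}}^{0} c_{i,j} \tag{3}$$

$$T_i^{SW\,RTL} = e_i + t_i + b_i + (2^{w-1} + 2 + p)c_i + (3\cdot 2^{w-1} + p)s_i + p\,d_i + p\,q_i + \sum_{\substack{j=0 \\ n_j=0}}^{k-1} s_{i,j} \tag{4}$$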
where $t_i$, $c_i$, $b_i$ are constants; $e_i$ is the time measurement error; for the β-ary method from right to left $d_{i,j}$ can be equal to zero when $n_j = 1$, and $(d_{i,j} + s_{i,j})$ can be zero when $n_j = 0$; for the Sliding Window Method $\sum_{j=k-1,\,n_j=0}^{0} c_{i,j}$ depends on the number $p$ of "one" windows in the binary representation of the exponent.
The exponent bits influence the values of t, d and s.
To realize the attack, the cryptanalyst performs on an identical PC the same exponentiation as the real one, to get the times $T_{i,k-1,0}$ and $T_{i,k-1,1}$ (for every LTR method) or $T_{i,0,0}$ and $T_{i,0,1}$ (for every RTL method, accordingly) for the exponents 0 and 1. After that he/she can construct the table of differences between the real and guessed timings in the way that was shown in [5].
The cryptanalyst can find the exponent bit $n_{k-2}$ (or $n_1$ for every method from left to right) and continue in the same way for the other exponent bits $n_{k-3}, \ldots, n_0$ ($n_2, \ldots, n_{k-1}$).
TCSET'2006, February 28-March 4, 2006, Lviv-Slavsko, Ukraine

III. THE TIMING ANALYSIS
Let $j_0$ be a particular value of $j$ in the algorithms from Section II and let

$$g = \begin{cases} 0, & \text{for the exponent } 0 \\ 1, & \text{for the exponent } 1 \end{cases}$$

Let $s_{i,j_0,g} > 0$ for the β-ary method from left to right (because it doesn't depend on $n_i$) and

$$s_{i,j_0,g} = \begin{cases} 0, & g = 0 \\ > 0, & g = 1 \end{cases}$$

is the time of the multiplication for the β-ary method from right to left, when $n_i = 1$. Then the times

$$T_{i,j_0,g}^{\beta\,LTR} = t_i + 2c_i + (\beta - 1)s_i + \sum_{j=k-1}^{j_0+1}(d_{i,j} + s_{i,j}) + (d_{i,j_0} + s_{i,j_0,g}) \tag{5}$$
t,Jog1R =tj +(f+3)ci +b- +
jo- jo- +5~~)+d~~ +§j0g) . (6)+ dij + (di,j + s,j)+(di,jo +i-,)
j=0 j=Onj=l nj=l
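For the Sliding Window Method it can be noted that:

$$\begin{aligned}
T_{i,j_0,g}^{SW\,LTR} &= t_i + b_i + (2^{w-1} + p_{j_0})s_i + (p_{j_0} + 1)c_i + p_{j_0} q_i + \sum_{j=k-1}^{j_0} s_{i,j} + \sum_{\substack{j=k-1 \\ n_j=0}}^{j_0+1} c_{i,j} + c_{i,j_0,g} \\
T_{i,j_0,g}^{SW\,RTL} &= t_i + b_i + (2^{w-1} + 2 + p_{j_0})c_i + (3\cdot 2^{w-1} + p_{j_0})s_i + p_{j_0} d_i + p_{j_0} q_i + \sum_{\substack{j=0 \\ n_j=0}}^{j_0-1} s_{i,j} + s_{i,j_0,g}
\end{aligned} \tag{7}$$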
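Now the following can be calculated:

$$\Delta T_i^{\beta\,LTR} = T_i^{\beta\,LTR} - T_{i,j_0,g}^{\beta\,LTR} = e_i + \sum_{j=j_0-1}^{0}(d_{i,j} + s_{i,j}) + (s_{i,j_0} - s_{i,j_0,g}) \tag{8}$$

$$\Delta T_i^{\beta\,RTL} = T_i^{\beta\,RTL} - T_{i,j_0,g}^{\beta\,RTL} = e_i + \sum_{j=j_0+1}^{k-1} d_{i,j} + \sum_{\substack{j=j_0+1 \\ n_j=1}}^{k-1} s_{i,j} + (s_{i,j_0} - s_{i,j_0,g}) \tag{9}$$

$$\Delta T_i^{SW\,LTR} = T_i^{SW\,LTR} - T_{i,j_0,g}^{SW\,LTR} = e_i + (p - p_{j_0})s_i + (p - p_{j_0})c_i + (p - p_{j_0})q_i + \sum_{j=j_0-1}^{0} s_{i,j} + \sum_{\substack{j=j_0-1 \\ n_j=0}}^{0} c_{i,j} + (c_{i,j_0} - c_{i,j_0,g}) \tag{10}$$

$$\Delta T_i^{SW\,RTL} = T_i^{SW\,RTL} - T_{i,j_0,g}^{SW\,RTL} = e_i + (p - p_{j_0})s_i + (p - p_{j_0})c_i + (p - p_{j_0})d_i + (p - p_{j_0})q_i + \sum_{\substack{j=j_0+1 \\ n_j=0}}^{k-1} s_{i,j} + (s_{i,j_0} - s_{i,j_0,g}) \tag{11}$$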
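If $s_{i,j_0,g}$ was correctly guessed, then $s_{i,j_0} - s_{i,j_0,g} = 0$. From this, it follows that

$$\Delta T_i^{\beta\,LTR} = e_i + \sum_{j=j_0-1}^{0}(d_{i,j} + s_{i,j})$$

and

$$\Delta T_i^{\beta\,RTL} = e_i + \sum_{j=j_0+1}^{k-1} d_{i,j} + \sum_{\substack{j=j_0+1 \\ n_j=1}}^{k-1} s_{i,j}$$

For the Sliding Window Method, if $c_{i,j_0} = c_{i,j_0,g}$ then

$$\Delta T_i^{SW\,LTR} = e_i + (p - p_{j_0})(s_i + c_i + q_i) + \sum_{j=j_0-1}^{0} s_{i,j} + \sum_{\substack{j=j_0-1 \\ n_j=0}}^{0} c_{i,j}$$

and

$$\Delta T_i^{SW\,RTL} = e_i + (p - p_{j_0})(s_i + c_i + d_i + q_i) + \sum_{\substack{j=j_0+1 \\ n_j=0}}^{k-1} s_{i,j}$$

accordingly.
But in reality $s_{i,j_0,g} \neq s_{i,j_0}$ or $c_{i,j_0} \neq c_{i,j_0,g}$, which means that correct guessing is difficult. That is why the probability of a successful attack should be estimated.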
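IV. SECRET INFORMATION LEAKAGE RISK
Let us calculate the variance of the random variable $T_i - T_{i,j_0,g}$ under the following conditions:
1. $g$ is correct (i.e. $n_j$ is correctly guessed). Then the variances are:

$$\sigma^2(\Delta T)_{\beta LTR} = \sigma^2\Big(e + \sum_{j=j_0-1}^{0}(d_j + s_j)\Big) = \sigma^2(e) + j_0\sigma^2(d) + j_0\sigma^2(s) \tag{12}$$

$$\sigma^2(\Delta T)_{\beta RTL} = \sigma^2\Big(e + \sum_{j=j_0+1}^{k-1} d_j + \sum_{\substack{j=j_0+1 \\ n_j=1}}^{k-1} s_j\Big) = \sigma^2(e) + (k - j_0 - 1)\sigma^2(d) + \tfrac{1}{2}(k - j_0 - 1)\sigma^2(s) \tag{13}$$

$$\sigma^2(\Delta T)_{SW LTR} = \sigma^2(e) + (p - p_{j_0})\big(\sigma^2(s) + \sigma^2(c) + \sigma^2(q)\big) + j_0\sigma^2(s) + \tfrac{1}{2}j_0\sigma^2(c) \tag{14}$$

$$\sigma^2(\Delta T)_{SW RTL} = \sigma^2(e) + (p - p_{j_0})\big(\sigma^2(s) + \sigma^2(c) + \sigma^2(d) + \sigma^2(q)\big) + \tfrac{1}{2}(k - j_0 - 1)\sigma^2(s) \tag{15}$$

If it is supposed that the time of the exponentiation $z = z^{\beta} \bmod m$ equals $(\beta - 1)s$, which means $d = (\beta - 1)s$, then:

$$\sigma^2(\Delta T)_{\beta LTR} = \sigma^2(e) + j_0\beta\sigma^2(s) \tag{16}$$

$$\sigma^2(\Delta T)_{\beta RTL} = (k - j_0 - 1)\big(\beta - \tfrac{1}{2}\big)\sigma^2(s) \tag{17}$$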
2. g is incorrect. Then for f-ary method from left to
right can be only one case | J° g and so:
a2(AT)pLTR = (o+ 1)(jo + 2)a2(S) , (18)For fJ-ary method from right to left and for Sliding Window
Method can be two cases:
a) | J° * 0 (for fi-ary method from right to left) or
.0 (for Sliding Window Method), then:
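$$\sigma^2(\Delta T)_{\beta RTL} = \sigma^2(e) + \big((k - j_0 - 1)(\beta - \tfrac{1}{2}) + 2\big)\sigma^2(s) \tag{19}$$

$$\sigma^2(\Delta T)_{SW LTR} = \sigma^2(e) + (p - p_{j_0})\big(\sigma^2(s) + \sigma^2(c) + \sigma^2(q)\big) + j_0\sigma^2(s) + \big(\tfrac{1}{2}j_0 + 2\big)\sigma^2(c) \tag{20}$$

$$\sigma^2(\Delta T)_{SW RTL} = \sigma^2(e) + (p - p_{j_0})\big(\sigma^2(s) + \sigma^2(c) + \sigma^2(d) + \sigma^2(q)\big) + \big(\tfrac{1}{2}(k - j_0 - 1) + 2\big)\sigma^2(s) \tag{21}$$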
=0 1c-'J =0
b) (sJ0g=
(for p-ary method) or 1,0'Jo .0 (for
fsij =0 =
Sliding Window Method), then:
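$$\sigma^2(\Delta T)_{\beta RTL} = \sigma^2(e) + \big((\beta - \tfrac{1}{2})(k - j_0 - 1) + 1\big)\sigma^2(s) \tag{22}$$

$$\sigma^2(\Delta T)_{SW LTR} = \sigma^2(e) + (p - p_{j_0})\big(\sigma^2(s) + \sigma^2(c) + \sigma^2(q)\big) + j_0\sigma^2(s) + \big(\tfrac{1}{2}j_0 + 1\big)\sigma^2(c) \tag{23}$$

$$\sigma^2(\Delta T)_{SW RTL} = \sigma^2(e) + (p - p_{j_0})\big(\sigma^2(s) + \sigma^2(c) + \sigma^2(d) + \sigma^2(q)\big) + \big(\tfrac{1}{2}(k - j_0 - 1) + 1\big)\sigma^2(s) \tag{24}$$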
This variance can be used as the criterion of whether the guess about the exponent bits is correct, as the column of the table with the correct guess has a variance which is lower than that of the other data columns: by $2\sigma^2(s)$ for the β-ary method from left to right, by $\sigma^2(s)$ or $2\sigma^2(s)$ for the β-ary method from right to left, by $\sigma^2(c)$ for the Sliding Window method from left to right and by $2\sigma^2(c)$ for the Sliding Window method from right to left. So this feature allows the risk of secret information leakage during timing analysis of binary method modular exponentiation to be estimated.
Let us assume that d, c, q and s are normally distributed. Let $N(\mu_d, \sigma_d^2)$, $N(\mu_c, \sigma_c^2)$, $N(\mu_q, \sigma_q^2)$ be the distributions of d, c, q, and $N(\mu_s, \sigma_s^2)$ that of s.
Let $N(\mu_0, \sigma_0^2)$ be the distribution of the expected value $\Delta T$,
p(s2 >S2 ) P(2aojkZ +aK >O)=
=PZ>- a2 sv2YOZ 2) ~a 29
where ID s is theao 2 )
curve from -x to Z.From this can be done:
(26)
area under the standard normal
as = l(+a =1j(So fiLTR \Od +sS ) . o
(27)
a ( a2 2a OPRT (k-jo 21(a + 1 a) (k-jo -l)(1- I),2)Wd2 )2
ac Ia2 a 2 ,(29)ao0SWLTR ijp 2 a2 a20
Joa +a)+Jo2 2Jac a
a_ =
(p-p- )(ac + +d +1)+-(k-jo-1)Jocs as c~s 2
.(30)
From this, the risk of secret information leakage for the β-ary and Sliding Window methods can be estimated as:
(31)
PPRTL (SW >SV) oP(Z> (k jo - 1)(2 - 1) )
PSWRTL V
where JOaLTR = JO(yd + jOas = 3jOa, or
2 1-- Y2(YOORL =( -jo -)(P-2 (25)s Z>-
accordingly.
According to the analysis of the Secret Information Leakage Risk in [4, 6]:
K .(34)2a ar2+ I
4a(-p-)ay 21+ (-o-)
With the increase of K, the probability of a successful attack increases too. It is also obvious that the risk of secret information leakage increases with the number of correctly guessed bits, since the entropy decreases.
2> S2~~P Z>-POLTR W v 40io ))
V. ESTIMATION OF THE DEPENDENCE OF SECRET INFORMATION LEAKAGE RISK ON NUMBER OF CORRECTLY GUESSED BITS OF EXPONENT
In [5] there are averaged abstract approximations for the time required to compute the c, b, t, q, s, d operations. If we assume those approximations, then Eqs. (33) and (34) can be changed to:
PSWLTR(SW > SV 1 Z > 4(259.56p-pj )+2565jO) (35)
PSWRTL(SW S- 4(2.424 tp- ) + 0.5jQ)
(36)
To compare the analyzed modular exponentiation methods,
let us make a raw assumption that pj = p * Jk and than, from
probability approximation, it arises that p - pj = Jo . So, this3
will allow us to compare the risk trends for analyzed methodsas below.
The dependences of the secret information leakage risk on $j_0$ for the binary [5], β-ary and Sliding Window methods from left to right and from right to left, where the number of experiments equals 100 and the exponent has 1024 bits, are shown in Figs. 1 and 2, accordingly.
[Plot: secret information leakage risk (vertical axis, 0 to 0.5) against j0 (horizontal axis, 0 to 1200)]
Fig. 1 Dependences of secret information leakage risk on j0 for every method from left to right
[Plot: secret information leakage risk (vertical axis, 0 to 0.5) against k-j0 (horizontal axis, 200 to 1200)]
Fig. 2 Dependences of secret information leakage risk on j0 for every method from right to left
As was noted in Section IV, Φ(·) is the area under the standard normal curve from −∞ to Z. So, the secret information leakage risk is the lowest when the β-ary Method from left to right or the Sliding Window Method from left to right is used.

VI. PROTECTION AGAINST TIMING ANALYSIS ATTACK
There are two major approaches to decrease the risk of secret information leakage during a timing analysis attack [3]:
1) increasing the measurement error $\sigma^2(e)$ by implementing additional random calculations, to decrease the possibility of correctly guessing the secret key bits;
2) decreasing K, the number of messages encrypted with the same key, to decrease the probability of secret information leakage to the value 0.5.
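The effect of both approaches can be checked numerically with a small simulation of the Section IV variance criterion for the β-ary LTR method. This is an added example, not code from the paper; the function name, the parameter values and the zero-mean normal timing model with d = (β-1)s are assumptions made here.

```python
import random
import statistics


def leak_probability(k_msgs, j0, beta=2, sigma_s=1.0, sigma_e=0.0,
                     trials=400, seed=1):
    """Estimate how often the variance criterion picks the correct guess.

    Timing model (assumed, following Section IV for the beta-ary LTR method):
    for a correct guess the residual dT is e plus the j0 still-unknown
    (d + s) terms, with variance sigma_e^2 + beta*j0*sigma_s^2; a wrong
    guess adds (s - s'), i.e. 2*sigma_s^2 more variance.
    """
    rng = random.Random(seed)          # fixed seed: reproducible runs
    sigma_rest = (beta * j0) ** 0.5 * sigma_s
    hits = 0
    for _ in range(trials):
        correct, wrong = [], []
        for _ in range(k_msgs):        # K messages under the same key
            dt = rng.gauss(0.0, sigma_rest) + rng.gauss(0.0, sigma_e)
            correct.append(dt)
            wrong.append(dt + rng.gauss(0.0, sigma_s) - rng.gauss(0.0, sigma_s))
        # The criterion: the column with the lower variance is taken as correct.
        if statistics.pvariance(correct) < statistics.pvariance(wrong):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Constructed parameters: j0 = 10 unknown digits, sigma_s = 1 time unit.
    print("baseline   K=100, sigma_e=0 :", leak_probability(100, 10))
    print("approach 1 K=100, sigma_e=20:", leak_probability(100, 10, sigma_e=20.0))
    print("approach 2 K=10,  sigma_e=0 :", leak_probability(10, 10))
```

In this model the estimate moves toward 0.5 both when the added noise grows and when K shrinks, which is the target value named in approach 2.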

VII. CONCLUSION
In this paper the probability model to estimate the risk of secret information leakage during timing analysis of general modular exponentiation methods has been shown. From the practical point of view, these results allow a consistent choice of the modular exponentiation method for implementation in real-world application systems, taking into account the existing modern attacks.
The obtained theoretical results can also be used to develop similar probability models for modern modular exponentiation algorithms.
Two main approaches to decrease the risk of secret information leakage during a timing analysis attack have been proposed in the paper.

REFERENCES
[1] J. Muir. Techniques of Side Channel Cryptanalysis // A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics in Combinatorics and Optimization, Waterloo, Ontario, Canada, 2001.
[2] V. Yemets, A. Melnyk, R. Popovych. Modern Cryptography. Basic Concepts (in Ukrainian). - Lviv: BaK, 2003.
[3] I. Vasyltsov, L. Vaslkiv, N. Vasylkiv, M. Chyrka. Investigation of Modern Exponentiation Algorithms // Proceedings of the International Conference "Modern Problems of Radio Engineering, Telecommunications and Computer Science" TCSET'2004, February 24-28, 2004, Lviv-Slavsko, Ukraine. P. 291-293
[4] I. Vasyltsov, L. Vaslkiv, N. Vasylkiv, M. Chyrka. Information Leakage Risk Estimation during Timing Analysis of Binary Method Modular Exponentiation // Proceedings of the VIII International Scientific and Technical Conference "Experience of Designing and Application of CAD Systems in Microelectronics" CADSM'2005, February 23-26, 2005, Lviv-Polyana, Ukraine. P. 124-126
[5] I.V. Vasyltsov, L.O. Vasylkiv. Resistance of modern modular exponentiation algorithms to timing analysis (in Ukrainian) // Scientific and Technical Journal "Zakhyst Informatsii" (Information Protection), No. 1, 2005. P. 54-69
[6] M. Karpinskyy, I. Vasyltsov, L. Vasylkiv. Estimation of the Secret Information Leakage Risk during Timing Analysis of Binary Modular Exponentiation Method // Proceedings of the 2nd International Scientific and Technical Conference "Advanced Computer Systems and Networks: Design and Application" ACSN-2005, September 21-23, 2005, Lviv, Ukraine. P. 132-135