
Cryptographers have traditionally analysed cipher systems by modeling cryptographic algorithms as ideal mathematical objects. Conventional techniques such as differential [6] and linear [7] cryptanalysis are very useful for exploring weaknesses in algorithms. However, physical implementations often leak side-channel information.

Attacks have been proposed that use such information as timing measurements [8], power consumption [9], electromagnetic emissions and faulty hardware. In this section we examine the weakness of RSA cryptographic algorithms to power analysis attacks. Specifically, attacks on the modular exponentiation process are described.

Power analysis attacks work by exploiting the differences in power consumption between when a tamper-resistant device processes a logical zero and when it processes a logical one. For example, when the secret data on a smartcard is accessed, the power consumption may differ depending on the Hamming weight of the data. If an attacker knows the Hamming weight of the secret key, the attacker could potentially learn the entire secret key. This type of attack, where the adversary directly uses a power consumption signal to obtain information about the secret key, is referred to as a Simple Power Analysis (SPA) attack and is described in section 2.4.1. Differential Power Analysis (DPA) is described in section 2.4.2; it is based on the same underlying principle as an SPA attack, but uses statistical analysis techniques to extract very small differences in power consumption signals.

2.4.1 Simple Power Attack (SPA)

An SPA attack, as described in [9], involves directly observing a system's power consumption. Suppose that the attackers not only have unlimited access, but also have detailed knowledge of the software and hardware of the system. If an attacker can determine where certain instructions are being executed, it can be relatively simple to extract useful information.

SPA on a single-key cryptographic algorithm, such as DES, could be used to learn the Hamming weight of the key bytes. DES uses only a 56-bit key, so learning the Hamming weight information alone makes DES vulnerable to a brute-force attack. In fact, depending on the implementation, there are even stronger SPA attacks. A two-key, public-key cryptosystem, such as an RSA or elliptic curve cryptosystem, might also be vulnerable to an SPA attack on the Hamming weight of the individual key bytes; however, an even stronger attack may be possible directly against the square-and-multiply algorithm.

If exponentiation were performed in software using one of the square-and-multiply algorithms, there could be a number of potential vulnerabilities. The main problem with both algorithms is that the outcome of the "if statement" might be observed in the power signal. This would directly enable the attacker to learn every bit of the secret exponent.

A simple fix is to always perform a multiply and to save the result only if the exponent bit is a one. This solution carries a significant performance cost and may still be vulnerable if the act of saving the result can be observed in the power signal.
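The two square-and-multiply variants discussed above, as an added example that is not code from the thesis: each is instrumented to record the sequence of operations it performs, which stands in for the power trace, and a leakage check an implementer can run shows that the naive version's sequence depends on the exponent while the always-multiply version's does not (the exponents and modulus are constructed values).

```python
# Added example (not code from the thesis): left-to-right square-and-multiply in
# its naive form and in the "always multiply" form described in the text. The
# recorded operation sequence ('S' = square, 'M' = multiply) stands in for the
# power trace; all numeric values below are constructed toy inputs.

def naive_square_multiply(base, exp, mod):
    """Naive left-to-right square-and-multiply: multiply only when the bit is 1."""
    result, trace = 1, []
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        trace.append("S")
        if bit == "1":                    # key-dependent branch: shows up as an extra 'M'
            result = (result * base) % mod
            trace.append("M")
    return result, trace

def always_multiply(base, exp, mod):
    """The fix from the text: always multiply, keep the product only for a 1 bit."""
    result, trace = 1, []
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        trace.append("S")
        product = (result * base) % mod   # performed for every bit
        trace.append("M")
        if bit == "1":                    # only the save is key-dependent; as the text
            result = product              # notes, the save itself may still be observable
    return result, trace

def trace_depends_on_exponent(impl, base, mod, exp_a, exp_b):
    """Implementer's leakage check: two exponents of equal bit length must give
    identical operation sequences, otherwise the sequence encodes the exponent bits."""
    assert exp_a.bit_length() == exp_b.bit_length()
    return impl(base, exp_a, mod)[1] != impl(base, exp_b, mod)[1]

if __name__ == "__main__":
    # constructed values: 13 = 0b1101 and 8 = 0b1000 have the same bit length
    for impl in (naive_square_multiply, always_multiply):
        value, trace = impl(4, 13, 497)
        verdict = "leaks" if trace_depends_on_exponent(impl, 4, 497, 13, 8) else "constant"
        print(impl.__name__, value, "".join(trace), verdict)
```

For the naive variant the sequence for exponent 13 reads SMSMSSM, so each 1 bit is visible as an S followed by an M; the always-multiply variant produces SMSMSMSM for every four-bit exponent.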

2.4.2 Differential Power Attack (DPA)

A DPA attack is more powerful than an SPA attack because the attacker does not need to know as many details about how the algorithm was implemented. The technique also gains strength by using statistical analysis to help recover side-channel information.

The problem with an SPA attack is that the information about the secret key is difficult to observe directly. The information about the key is often obscured by noise and modulated by the device's clock signal. DPA can be used to reduce the noise and also to "demodulate" the data. Any power biases at the time corresponding to the guessed bit operation are visible as an obvious spike in the difference signal, and much of the noise is eliminated because averaging reduces the noise variance.

Three DPA attacks are described in [10]. The additional assumptions made for each attack are stated in the sections below that describe its details.

Single-Exponent, Multiple-Data (SEMD) Attack

The SEMD attack assumes that the smartcard is willing to exponentiate an arbitrary number of random values with two exponents: the secret exponent and a public exponent.

The basic attack is that by comparing the power signal of an exponentiation using a known exponent to a power signal using an unknown exponent, the adversary can learn where the two exponents differ, and thus learn the secret exponent. In reality, the comparison is nontrivial because the intermediate data results of the square-and-multiply algorithm cause widely varying changes in the power signals, thereby making direct comparisons unreliable. The solution to this problem is to use averaging and subtraction.

Multiple-Exponent, Single-Data (MESD) Attack

The MESD attack is more powerful than the SEMD attack. The SEMD attack is a very simple attack requiring little sophistication on the part of the adversary, but the resulting DPA bias signal is sometimes difficult to interpret. The Signal-to-Noise Ratio (SNR) can be improved using the MESD attack. The assumption for the MESD attack is that the smartcard will exponentiate a constant value using exponents chosen by the attacker. This value may or may not be known to the attacker.

Zero-Exponent, Multiple-Data (ZEMD) Attack

The ZEMD attack is similar to the MESD attack, but has a different set of assumptions. One assumption for the ZEMD attack is that the smartcard will exponentiate many random messages using the secret exponent. This attack does not require that the adversary know any exponents, hence the zero-exponent nomenclature. Instead, the adversary needs to be able to predict the intermediate results of the square-and-multiply algorithm using an off-line simulation. This usually requires that the adversary know the algorithm being used by the exponentiation hardware and the modulus used for the exponentiation.

There are only a few common approaches to implementing modular exponentiation algorithms, so it is likely that an adversary can determine this information. It is also likely that the adversary can learn the modulus, because this information is usually public.

2.4.3 Countermeasures for RSA Against DPA and SPA

Potential countermeasures to the attacks described in this paper include many of the same techniques described to prevent timing attacks on exponentiation. Kocher's [8] suggestion for adapting the techniques used for blinding signatures can also be applied to prevent power analysis attacks. Prior to exponentiation, the message could be blinded with a random value $v_i$ and unblinded after exponentiation with $v_f = (v_i^{-1})^{e} \bmod N$. An efficient way to calculate and maintain $(v_i, v_f)$ pairs is presented in [8].

Message blinding would prevent the MESD and ZEMD attacks, but since the same exponent is being used, the SEMD attack would still be effective. To prevent the SEMD attack, exponent blinding would be necessary. In an RSA cryptosystem, the exponent can be blinded by adding a random multiple of $\varphi(N) = (p - 1)(q - 1)$, where $N = pq$ for primes $p$ and $q$.

Note that $M^{\varphi(N)} \bmod N \equiv 1 \bmod N$, so the result of the exponentiation is unchanged:

$$
\begin{aligned}
M^{k \cdot \varphi(N) + E} \bmod N &\equiv M^{k \cdot \varphi(N)} \times M^{E} \bmod N \\
&\equiv \left(M^{\varphi(N)}\right)^{k} \times M^{E} \bmod N \\
&\equiv (1)^{k} \times M^{E} \bmod N \\
&\equiv M^{E} \bmod N \qquad (2.15)
\end{aligned}
$$

where $k$ is a random number.
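Both countermeasures of this section carried out on a toy RSA key, as an added example that is not code from the thesis or from [8]: the protected exponent here is the private exponent $d$, so the pair satisfies $v_f = (v_i^{-1})^{d} \bmod N$ (the thesis writes the exponent as $e$); it is generated cheaply the way Kocher does, by choosing $v_f$ first and deriving $v_i = (v_f^{-1})^{e} \bmod N$ with the public exponent, and refreshed by squaring both values. The primes $p = 61$, $q = 53$ and the message $m = 65$ are constructed values far too small for any real use.

```python
# Added example (not code from the thesis): RSA private operation with the
# message blinding and exponent blinding (Eq. 2.15) described in section 2.4.3.
# The key is a constructed toy (p = 61, q = 53) so the arithmetic stays visible.
import secrets

P, Q = 61, 53
N = P * Q                  # 3233
PHI_N = (P - 1) * (Q - 1)  # 3120, phi(N)
E = 17                     # public exponent
D = pow(E, -1, PHI_N)      # 2753, secret exponent

def new_blinding_pair(e, n):
    """Pick v_f at random and derive v_i = (v_f^{-1})^e mod N with the public
    exponent; this yields v_f = (v_i^{-1})^d mod N without a secret exponentiation."""
    while True:
        v_f = secrets.randbelow(n - 2) + 2
        try:
            v_f_inv = pow(v_f, -1, n)
        except ValueError:             # v_f shares a factor with N: pick again
            continue
        return pow(v_f_inv, e, n), v_f

def refresh_pair(v_i, v_f, n):
    """Squaring both values preserves the (v_i, v_f) relation, so a fresh pair
    costs two modular multiplications instead of a new exponentiation."""
    return (v_i * v_i) % n, (v_f * v_f) % n

def blind_exponent(d, phi_n, k_bits=32):
    """Exponent blinding from Eq. (2.15): d + k*phi(N) for a random non-zero k."""
    k = secrets.randbits(k_bits) | 1
    return d + k * phi_n

def blinded_private_op(c, pair, d=D, e=E, n=N, phi_n=PHI_N):
    """Compute c^d mod N so the device never exponentiates c itself with d."""
    v_i, v_f = pair
    x = (c * v_i) % n                          # message blinding
    y = pow(x, blind_exponent(d, phi_n), n)    # exponent blinding
    return (y * v_f) % n                       # unblind: (c*v_i)^d * v_f = c^d

if __name__ == "__main__":
    pair = new_blinding_pair(E, N)
    c = pow(65, E, N)                          # constructed ciphertext of m = 65
    print(blinded_private_op(c, pair), pow(c, D, N))   # both 65
    pair = refresh_pair(*pair, N)
    print(blinded_private_op(c, pair))                 # still 65
```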

Chapter 3

Proposed Montgomery
