CSE 127: Lecture 7


The topics covered in this lecture are Differential Timing Analysis

Differential Timing Analysis

The modexp is invoked in a smartcard with an externally provided x, the private decryption exponent d, the number of bits in the exponent and modulus k (say 1024), and the public modulus n.

Recall that the public key is (e,n), and the secret key is d, where e d = 1 mod phi(n).

The low order bit of the exponent is 1, so e[0]==1. We unroll the loop and constant propagte this fact, so the original loop

Integer modexp(Integer x, Bit e[], int k, Integer n)
{
	Integer y = 1, z = x;
	int	i;

	//                k-1       i
	// exponent e = sum   e[i] 2
	//                i=0
	for (i = 0; i < k; i++) {
		if (1 == e[i]) {
			y = y * z mod n;
		}
		z = z * z mod n;
	}
	return y;
}
becomes
Integer modexp(Integer x, Bit e[], int k, Integer n)
{
	// Z
	Integer y = 1, z = x;
	int	i;

	y = y * z mod n; // x
	z = z * z mod n; // x^2
	// A
	if (1 == e[1]) {
		y = y * z mod n; // D
	}
	z = z * z mod n;
	// B
	for (i = 2; i < k; i++) {
		if (1 == e[i]) {
			y = y * z mod n;
		}
		z = z * z mod n;
	}
	// C
	return y;
}
We can select a variety of inputs x and measure the total time that passes until we get a return value. Call this time t(x).

We construct a timing model for the computation. This allows us to determine TZA. Set tau(x)=t(x)-TZA. We know also that tau(x)=TAB+TBC.

We do not know if e[1] is one or zero. If it is zero, TAB is essentially zero. If it is one, then TAB is data dependent; in particular, it varies as a function of the input x.

Next, we model TBC as a random variable. We quickly lose track of y since we do not know the e[] values, and so this value looks like a large amount of noise added to the signal TAB that we are trying to detect.

To detect whether TAB is actually data dependent, we chose random input values x, determine whether the time required to compute y * z mod n is "high" or "low" (the statement at D), measure tau(x), and put it into a "high" or "low" set of timing values. After many measurements, we average the values, so we get a "high" high-set-mean(tau(x))=TAB+TBC, and a low-set-mean(tau(x))=TAB+TBC. Since

high-set-mean(tau(x))=high-set-mean(TAB)+high-set-mean(TBC)
low-set-mean(tau(x))=low-set-mean(TAB)+low-set-mean(TBC)
and with enough samples high-set-mean(TBC)=low-set-mean(TBC) since this measurement arises from the same random variable, the values high-set-mean(tau(x)) should differ from low-set-mean(tau(x)) when e[1] is 1.

To see how small signals can be detected, take a look at this C simulation program. To build it, you should use the command

cc -o sig_detect sig_detect.c -lm
or
gcc -o sig_detect sig_detect.c -lm
since you must tell the linker to include the math library.

Assignment 2

Take this tar file and read the README.txt file for instructions.

The assignment is due 2003-02-05 23:59.

Links

These are links additional security-related information. Exploring them is optional unless otherwise stated.


[ search CSE | CSE | bsy's home page | links | webster | MRQE | google | yahoo | citeseer | pgp certserver | openpgp certserver ]
picture of bsy

bsy+cse127.w03@cs.ucsd.edu, last updated Sat Feb 8 14:05:05 PST 2003. Copyright 2003 Bennet Yee.
email bsy.


Don't make me hand over my privacy keys!