# CSE 127: Lecture 7

The topics covered in this lecture are Differential Timing Analysis

## Differential Timing Analysis

The modexp is invoked in a smartcard with an externally provided x, the private decryption exponent d, the number of bits in the exponent and modulus k (say 1024), and the public modulus n.

Recall that the public key is (e,n), and the secret key is d, where e d = 1 mod phi(n).

The low order bit of the exponent is 1, so e[0]==1. We unroll the loop and constant propagte this fact, so the original loop

```Integer modexp(Integer x, Bit e[], int k, Integer n)
{
Integer y = 1, z = x;
int	i;

//                k-1       i
// exponent e = sum   e[i] 2
//                i=0
for (i = 0; i < k; i++) {
if (1 == e[i]) {
y = y * z mod n;
}
z = z * z mod n;
}
return y;
}
```
becomes
```Integer modexp(Integer x, Bit e[], int k, Integer n)
{
// Z
Integer y = 1, z = x;
int	i;

y = y * z mod n; // x
z = z * z mod n; // x^2
// A
if (1 == e[1]) {
y = y * z mod n; // D
}
z = z * z mod n;
// B
for (i = 2; i < k; i++) {
if (1 == e[i]) {
y = y * z mod n;
}
z = z * z mod n;
}
// C
return y;
}
```
We can select a variety of inputs x and measure the total time that passes until we get a return value. Call this time t(x).

We construct a timing model for the computation. This allows us to determine TZA. Set tau(x)=t(x)-TZA. We know also that tau(x)=TAB+TBC.

We do not know if e[1] is one or zero. If it is zero, TAB is essentially zero. If it is one, then TAB is data dependent; in particular, it varies as a function of the input x.

Next, we model TBC as a random variable. We quickly lose track of y since we do not know the e[] values, and so this value looks like a large amount of noise added to the signal TAB that we are trying to detect.

To detect whether TAB is actually data dependent, we chose random input values x, determine whether the time required to compute y * z mod n is "high" or "low" (the statement at D), measure tau(x), and put it into a "high" or "low" set of timing values. After many measurements, we average the values, so we get a "high" high-set-mean(tau(x))=TAB+TBC, and a low-set-mean(tau(x))=TAB+TBC. Since

```high-set-mean(tau(x))=high-set-mean(TAB)+high-set-mean(TBC)
low-set-mean(tau(x))=low-set-mean(TAB)+low-set-mean(TBC)
```
and with enough samples high-set-mean(TBC)=low-set-mean(TBC) since this measurement arises from the same random variable, the values high-set-mean(tau(x)) should differ from low-set-mean(tau(x)) when e[1] is 1.

To see how small signals can be detected, take a look at this C simulation program. To build it, you should use the command

```cc -o sig_detect sig_detect.c -lm
```
or
```gcc -o sig_detect sig_detect.c -lm
```
since you must tell the linker to include the math library.