
Why Cryptography Should Not Rely on Physical Attack Complexity PDF

136 Pages·2015·3.919 MB·English

Preview Why Cryptography Should Not Rely on Physical Attack Complexity

T-Labs Series in Telecommunication Services

Juliane Krämer
Why Cryptography Should Not Rely on Physical Attack Complexity

Series editors: Sebastian Möller, Berlin, Germany; Axel Küpper, Berlin, Germany; Alexander Raake, Berlin, Germany
More information about this series at http://www.springer.com/series/10013

Juliane Krämer
Technical University of Berlin
Berlin, Germany

ISSN 2192-2810, ISSN 2192-2829 (electronic)
T-Labs Series in Telecommunication Services
ISBN 978-981-287-786-4, ISBN 978-981-287-787-1 (eBook)
DOI 10.1007/978-981-287-787-1
Library of Congress Control Number: 2015947940
Springer Singapore Heidelberg New York Dordrecht London
© Springer Science+Business Media Singapore 2015

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.

Printed on acid-free paper

Springer Science+Business Media Singapore Pte Ltd. is part of Springer Science+Business Media (www.springer.com)

For my parents

Publications Related to this Thesis

The primary results of this work have been presented in the following publications:

• Blömer, Gomes da Silva, Günther, Krämer, Seifert: A Practical Second-Order Fault Attack against a Real-World Pairing Implementation. In Proceedings of Fault Tolerance and Diagnosis in Cryptography (FDTC), 2014, Busan, Korea
• Krämer, Kasper, Seifert: The Role of Photons in Cryptanalysis. In Proceedings of 19th Asia and South Pacific Design Automation Conference (ASP-DAC), 2014, Singapore
• Krämer, Nedospasov, Schlösser, Seifert: Differential Photonic Emission Analysis. In Proceedings of Constructive Side-Channel Analysis and Secure Design—Fourth International Workshop (COSADE), 2013, Paris, France
• Schlösser, Nedospasov, Krämer, Orlic, Seifert: Simple Photonic Emission Analysis of AES. Journal of Cryptographic Engineering, Springer-Verlag
• Schlösser, Nedospasov, Krämer, Orlic, Seifert: Simple Photonic Emission Analysis of AES. In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems (CHES), 2012, Leuven, Belgium

Additionally, Juliane Krämer has authored the following publications:

• Krämer, Stüber, Kiss: On the Optimality of Differential Fault Analyses on CLEFIA. Cryptology ePrint Archive, Report 2014/572
• Krämer: Anwendungen von identitätsbasierter Kryptographie. SmartCard Workshop 2014, Darmstadt, Germany
• Michéle, Krämer, Seifert: Structure-Based RSA Fault Attacks. In Proceedings of 8th International Conference on Information Security Practice and Experience (ISPEC), 2012, Hangzhou, China
• Krämer, Nedospasov, Seifert: Weaknesses in Current RSA Signature Schemes. In Proceedings of 14th International Conference on Information Security and Cryptology (ICISC), 2011, Seoul, Korea

Contents

1 Introduction 1
  1.1 Thesis Statement 3
    1.1.1 Problem Statement 3
    1.1.2 Thesis Contributions 4
  1.2 Structure of the Thesis 5
2 Mathematical and Cryptological Background 7
  2.1 Elliptic Curves and Bilinear Pairings 7
    2.1.1 Elliptic Curves 7
    2.1.2 Bilinear Pairings 11
  2.2 Cryptographic Algorithms and Protocols 16
    2.2.1 The Advanced Encryption Standard 16
    2.2.2 Identity-Based Cryptography from Pairings 18
  2.3 Side Channel Attacks 19
    2.3.1 Timing Attacks 20
    2.3.2 Power Analysis 21
    2.3.3 Electromagnetic Analysis 22
    2.3.4 Other Side Channels 22
  2.4 Fault Attacks 23
    2.4.1 RSA 23
    2.4.2 Elliptic Curve Cryptography 24
    2.4.3 Symmetric Cryptography 25
3 Photonic Emission Analysis 27
  3.1 Photonic Emission 28
    3.1.1 Photonic Emission in CMOS 28
    3.1.2 Detection of Photonic Emission 29
    3.1.3 Applications of Photonic Emission 31
  3.2 Experimental Setups 32
    3.2.1 The Target Devices 33
    3.2.2 Emission Images 35
    3.2.3 Spatial and Temporal Analysis 37
4 The Photonic Side Channel 41
  4.1 Simple Photonic Emission Analysis 43
    4.1.1 Physical Attack 43
    4.1.2 Cryptanalysis 47
    4.1.3 Countermeasures 59
  4.2 Differential Photonic Emission Analysis 62
    4.2.1 Physical Attack 62
    4.2.2 Cryptanalysis 65
    4.2.3 Countermeasures 77
5 Higher-Order Fault Attacks Against Pairing Computations 79
  5.1 Experimental Setup 81
    5.1.1 Low-Cost Glitching Platform 81
    5.1.2 Instruction Skips 85
  5.2 Physical Attack 85
    5.2.1 Realization of Higher-Order Fault Attacks 86
    5.2.2 Second-Order Fault Attack Against the Eta Pairing 87
  5.3 Cryptanalysis 91
    5.3.1 Modification of n in the Eta Pairing 92
    5.3.2 Modification of f in the Eta Pairing 96
    5.3.3 Modification of f in the Reduced Tate Pairing 97
  5.4 Countermeasures 100
6 Future Work 103
  6.1 The Photonic Side Channel 103
    6.1.1 Exploring the Full Attack Potential 103
    6.1.2 Developing Countermeasures 105
  6.2 Fault Attacks Against Pairing-Based Cryptography 106
    6.2.1 Exploring the Full Attack Potential 107
    6.2.2 Targeting Cryptographic Protocols 107
7 Conclusion 109
  7.1 The Photonic Side Channel 109
  7.2 Fault Attacks Against Pairing-Based Cryptography 110
  7.3 Advice for Cryptographers 111
References 113

Acronyms

ABE: Attribute-Based Encryption
AES: Advanced Encryption Standard
APD: Avalanche Photo Diode
CCD: Charge-Coupled Device
CMOS: Complementary Metal–Oxide–Semiconductor
CPU: Central Processing Unit
DDK: Die Datenkrake
DEMA: Differential Electromagnetic Analysis
DES: Data Encryption Standard
DFA: Differential Fault Analysis
DLP: Discrete Logarithm Problem
DoM: Difference of Means
DPA: Differential Power Analysis
DPEA: Differential Photonic Emission Analysis
DRAM: Dynamic Random-Access Memory
DSA: Digital Signature Algorithm
DUA: Device Under Attack
ECC: Elliptic Curve Cryptography
ECDLP: Elliptic Curve Discrete Logarithm Problem
ECDSA: Elliptic Curve Digital Signature Algorithm
EM: Electromagnetic
EMA: Electromagnetic Analysis
FIFO: First In–First Out
FPGA: Field Programmable Gate Array
GSM: Global System for Mobile Communications
GSR: Global Success Rate
HD: Hamming Distance
HRP: Hidden Root Problem
HW: Hamming Weight
IBC: Identity-Based Cryptography
IBE: Identity-Based Encryption
