Re: Side Channel Attacks - inside out

From: Stefan Tillich (stefanti_at_sbox.tugraz.at)
Date: 07/10/05


Date: Sun, 10 Jul 2005 23:18:49 +0200


Galathas wrote:

> Hi to everyone!!
>
> Is there, please, anyone more experienced, with good knowledge of side
> channels attack on cipher algorithms ?? If so, may those of you please,
> post here some info about what is it,

A side-channel attack targets an implementation of a cryptographic
algorithm. When processing sensitive data (e.g. private keys),
information about it can leak out of the device (e.g. a smartcard) via
different physical effects (the so-called side-channels). Most prominent
are timing, power consumption and electromagnetic emanation.

Wikipedia has a definition:
http://en.wikipedia.org/wiki/Side_channel_attack

Also try Google with "Side channel analysis" or "Side channel attacks".

Paul Kocher's site has an introduction to Differential Power Analysis:
http://www.cryptography.com/resources/whitepapers/DPATechInfo.pdf

Another introduction can be found here:
http://www.iaik.at/aboutus/people/oswald/papers/dpa_tutorial.pdf

If you want a more scientific approach I'd recommend starting with the
papers from Paul Kocher:

"Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and
Other Systems"
Available at
http://www.cryptography.com/resources/whitepapers/TimingAttacks.pdf

and

"Differential Power Analysis"
Available at
http://www.cryptography.com/resources/whitepapers/DPA.pdf

That should cover the basics of Side-channel analysis.

> how it is applied when breaking
> cipher algorithms,

As stated before, you break implementations of cryptographic algorithms.
To put it in a nutshell:
1. Measure a physical value of the cryptographic device in operation
which is in some form dependent on the secret data you want to find out.
2. Make hypotheses about the secret data (i.e. guess a part of the
private key) and model the effect of your presumed value on the
side-channel.
3. Find the correct hypotheses by looking at the collected data from
step 1. And you're done :-)

> and what are basic rules to secure algorithms
> against SC attacks ??

Simple: Make sure that there is no data-dependent effect on any
externally observable physical parameters (at least of sensitive data)
of your cryptographic device.

There is no general solution for thwarting SCA. There are two possible
approaches to breaking data-dependency of physical values:
- Make the effect constant (constant time, constant power consumption).
- Introduce randomization (masking, noise generators, randomized execution)
All countermeasures come at a cost (increased execution time, increased
power consumption, ...) so there is always a tradeoff of implementation
security and cost.

HTH
Steve
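
An added illustration, not part of the original post: the C sketch below models the timing side channel of square-and-multiply exponentiation with a secret exponent, next to the "make the effect constant" countermeasure described above. The multiplication counter is a constructed stand-in for a timing measurement; the function names, the base 7 and the modulus 1000003 are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a timing measurement: counts modular multiplies. */
static unsigned long mul_count;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    mul_count++;
    return (a * b) % m;          /* a, b < m < 2^32, so a*b fits in 64 bits */
}

/* Leaky: the extra multiply runs only for 1-bits of the secret exponent,
 * so the operation count depends on the key's Hamming weight. */
uint64_t modexp_leaky(uint64_t base, uint32_t exp, uint64_t m) {
    uint64_t r = 1 % m;
    base %= m;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, m);
        if ((exp >> i) & 1u)
            r = mulmod(r, base, m);
    }
    return r;
}

/* Constant operation sequence: always multiply, then pick the result with a
 * mask instead of a branch. This models operation count only; compilers and
 * variable-latency division can still reintroduce data dependence. */
uint64_t modexp_const(uint64_t base, uint32_t exp, uint64_t m) {
    uint64_t r = 1 % m;
    base %= m;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, m);
        uint64_t t = mulmod(r, base, m);
        uint64_t mask = (uint64_t)0 - ((exp >> i) & 1u); /* all ones if bit set */
        r = (t & mask) | (r & ~mask);
    }
    return r;
}

/* Number of multiplies one exponentiation with the given exponent performs. */
unsigned long count_muls(uint64_t (*f)(uint64_t, uint32_t, uint64_t), uint32_t exp) {
    mul_count = 0;
    (void)f(7, exp, 1000003u);
    return mul_count;
}

int main(void) {
    uint32_t exps[] = {0x00000001u, 0x0000FFFFu, 0xFFFFFFFFu};
    for (int i = 0; i < 3; i++)
        printf("exp=%08x leaky=%lu const=%lu\n", (unsigned)exps[i],
               count_muls(modexp_leaky, exps[i]), count_muls(modexp_const, exps[i]));
    return 0;
}
```

The constant variant always pays for 64 multiplies, which is the cost/security tradeoff the post mentions.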