Self-Protecting Digital Content Business discussion with MGM, April

Protocol-level DPA
Countermeasures
Paul Kocher
President & Chief Scientist
Cryptography Research, Inc.
www.cryptography.com
575 Market St., 21st Floor, San Francisco, CA 94105
© 1998-2005 Cryptography Research, Inc. Material described in this presentation is protected under
issued and/or pending US and/or international patents. All trademarks are the property of their respective
owners. The information contained in this presentation is provided for illustrative purposes only, and is
provided without any guarantee or warranty whatsoever, and does not necessarily represent official opinions
of CRI or its partners. Unauthorized copying, use or redistribution is prohibited. Self-Protecting Digital
Content, SPDC, and the “DPA Lock” logo are trademarks of Cryptography Research, Inc.
Cryptography Research, Inc:
Leader In Advanced Cryptosystems
™
1
Leakage rates

• Let L be the max information leaked to attacker per operation
  - units: bits/operation (typically not an integral # of bits)
• If L = 0, side channel attacks are not a problem (0 leakage)
  - Can never prove L=0 for a real-world device
• If leaked information includes the entire key, fail in 1 operation
  - DPA statistics: Can pull keys from even very tiny leaks
• Instead, make protocols that survive up to Lmax leakage
  - Device secure if leakage less than Lmax (w/safety margin)
Tolerating leakage: Protocol example #1

• Hash 256-bit key with SHA256 between transactions
  - Hash destroys previously-leaked partial information about Ki
  - Cryptographic strength = (256 – 2L0 – L1) bits
    - L0 = max leakage per SHA256, L1 = max leakage/transaction
    - L0 counted twice: each Ki derived AND transformed with hash

Key-update chain (figure):
  K0: Perform transaction using K0 (transaction counter=0); then K1=SHA256(K0)
  K1: Perform transaction using K1 (transaction counter=1); then K2=SHA256(K1)
  K2: Perform transaction using K2 (transaction counter=2); then K3=SHA256(K2)
  K3: Perform transaction using K3 (transaction counter=3); ...
  In general: Ki=SHA256(Ki-1)
Tolerating leakage: Protocol example #1

• Design survives any reasonable leakage function
  - (Only requirement: does not interact with SHA256 update in a way that enables attackers to utilize information leaked before an update in attacking the value after the update.)

(Figure: the same key-update chain as on the previous slide, K0 -> K1 -> K2 -> K3 -> ..., one transaction per key, with Ki=SHA256(Ki-1).)
Tolerating leakage: Protocol example #2

(Figure: binary tree of FA/FB applications, rooted at the shared key and ending at a session key.)

Shared key (K)
  Apply FA (bit 0 of H is 0)
  Apply FB (bit 1 of H is 1)
  Apply FA (bit 2 of H is 0)
  Apply FA (bit 3 of H is 0)
  Apply FA (bit 4 of H is 0)
  Apply FB (bit 5 of H is 1)
  …
  Apply FB (bit 126 of H is 1)
  Apply FA (bit 127 of H is 0)
Session key (Ks)
  (Transaction secured with Ks)

Path: Can be based on a transaction counter or a negotiated nonce. (See paper.)

Max leaks:
• K: 2L0
• Intermediates: 3L0
• Each KS: L0+L1
(L0=leak from FA,FB)
(L1=leak from trans.)
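As an added worked example (not code from the slides or from Cryptography Research), the key-update chain of example #1 and the FA/FB tree walk of example #2, with the slide's max-leak accounting. The slides do not define FA and FB; they are assumed here to be two domain-separated SHA-256 calls, and the key and index values are constructed.

```python
import hashlib

# Assumed instantiation (the slides do not define FA/FB): two distinct one-way
# functions built from SHA-256 with domain-separation prefixes.
def FA(x: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + x).digest()

def FB(x: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + x).digest()

def next_key(k_prev: bytes) -> bytes:
    """Protocol example #1: K_i = SHA256(K_{i-1}) between transactions. The
    one-way hash destroys partial information an attacker gathered on K_{i-1}."""
    return hashlib.sha256(k_prev).digest()

def session_key(k: bytes, h: int, bits: int = 128):
    """Protocol example #2: starting from the shared key K, apply FA where bit j
    of H is 0 and FB where it is 1, for j = 0..bits-1. The leaf is the session
    key Ks; the path (FA/FB labels) is returned for inspection."""
    state, path = k, []
    for j in range(bits):
        if (h >> j) & 1:
            state, step = FB(state), "FB"
        else:
            state, step = FA(state), "FA"
        path.append(step)
    return state, path

def leak_bounds(l0: float, l1: float) -> dict:
    """Max-leak accounting from the slides, in bits. Every tree node is fed to
    both FA and FB (2*L0); a non-root node is additionally produced by one of
    them (3*L0 total); Ks is produced once and then used in the transaction
    (L0+L1). Example #1's strength bound is 256 - 2*L0 - L1."""
    return {"K": 2 * l0, "intermediate": 3 * l0, "Ks": l0 + l1,
            "example1_strength_bits": 256 - 2 * l0 - l1}

if __name__ == "__main__":
    k = bytes(range(32))                # constructed 256-bit shared key
    h = 0b100010 | (1 << 126)           # constructed index matching the slide's path
    ks, path = session_key(k, h)
    print("path:", " ".join(path[:6]), "...", " ".join(path[126:]))
    print("Ks:", ks.hex())
    print("next K after a transaction:", next_key(k).hex())
    print(leak_bounds(0.5, 1.0))
```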
Tolerating leakage: Variations (symmetric)

• Other variations possible for symmetric crypto
  - Example: Save RAM with reversible update operations
  - Also has O(log(N)) run-time for client/server protocols

(Figure: update-sequence diagram; Begin: State = K0, C=0; End; D=5.)
Validation strategy

• If a device’s protocols can tolerate some leakage, can get much higher assurance of security:
  - Verify that the protocols have the claimed properties (conventional crypto evaluation)
  - Verify that the hardware leaks less than the survivable leakage, with a suitable safety margin (hardware analysis)
• Contrast: If protocols require zero leakage, validation is likely to be impossible (if high assurance is required)
For More Information

• P. Kocher, “Design and Validation Strategies for Obtaining Assurance in Countermeasures to Power Analysis and Related Attacks”, NIST Physical Security Testing Workshop – Honolulu, Sept. 26, 2005.
  http://csrc.nist.gov/cryptval/physec/papers/physecpaper09.pdf
• P. Kocher, “Leak Resistant Cryptographic Indexed Key Update”, US Patent No. 6,539,092 (Filed July 2, 1999, provisional filed July 2, 1998.)
  http://www.cryptography.com/technology/dpa/Patent6539092.pdf

P.S. Cryptography Research is hiring…