Cryptobytes - Volume 6, No. 1, Spring 2003. Radio-Frequency Identification: Security Risks and Challenges ... 2 RFID Primer RFID systems are ... would each be equipped with an RFID

CONTENTS

I. Radio-Frequency Identification: Security Risks and Challenges

II. Identity-based Encryption: a Survey

III. Advances in Side-ChannelCryptanalysis, Electro-magnetic Analysis and Template Attacks

RSA LaboratoriesVolume 6, No. 1, Spring 2003

I. Radio-Frequency Identification: Security Risks and ChallengesSanjay E. Sarma, Stephen A. Weis and Daniel W. Engels

A B S T R A C T

Low-cost Radio Frequency Identification (RFID) tags affixed to consumer items as “smart-labels” may emerge as one of the most pervasive computing technologies in history. WhileRFID systems can yield great productivity gains, they may also expose new threats to the secu-rity and privacy of both individuals and organizations. This article gives a brief introductionto RFID technology and describes potential security and privacy risks. We present several chal-lenges to providing desired security properties in the unique setting of low-cost RFID devicesand identify several areas for future research.

II. Identity-Based Encryption: a SurveyMartin Gagné

A B S T R A C T

Identity-Based Encryption is a form of public key encryption for which the public key can bean arbitrary string, and in particular, a string that identifies the user who holds the associatedprivate key, like his email address. The original motivation for identity-based cryptography wasto simplify certificate management, but it has many other applications. In this paper, we sur-vey recent proposals for usable identity-based encryption schemes.

III. Advances in Side-Channel Cryptanalysis, ElectromagneticAnalysis and Template Attacks

Dakshi Agrawal, Bruce Archambeault, Suresh Chari, Josyula R. Rao and Pankaj Rohatgi

A B S T R A C T

We describe two recent advances which substantially increase the scope and power of side-channel cryptanalysis. The first advance is the exploitation of information leakage from elec-tromagnetic emanations. The second advance, known as template attacks, is a superior dataanalysis technique which substantially reduces the number of side-channel samples needed foran attack. These advances pose a risk to all cryptographic implementations, including thoseimmune against earlier side-channel attacks.

CryptoBytes

Radio-Frequency Identification: Security Risks and Challenges�

Sanjay E. Sarma, Stephen A. Weis and Daniel W. Engels

Abstract

Low-cost Radio Frequency Identification (RFID)tags affixed to consumer items as “smart-labels” mayemerge as one of the most pervasive computing tech-nologies in history. While RFID systems can yieldgreat productivity gains, they may also expose newthreats to the security and privacy of both individualsand organizations. This article gives a brief introduc-tion to RFID technology and describes potential secu-rity and privacy risks. We present several challengesto providing desired security properties in the uniquesetting of low-cost RFID devices and identify severalareas for future research.

1 Introduction

Automatic Identification (Auto-ID) systems are acommon tool in manufacturing processes, just-in-timeinventory control, logistics and point of sale productidentification. For over twenty years, the bar code hasbeen a familiar optical Auto-ID system found on manyconsumer items. Perhaps the most common bar codeis the linear, or one-dimensional, Universal ProductCode (UPC) designed in 1973 [24]. The US PostalService and several commercial shipping companieshave also adopted two-dimensional bar codes, whichare able to carry more data. More recently, RadioFrequency Identification (RFID) systems have madeinroads into retail logistics markets. In the near fu-

�Work carried out at the MIT Auto-ID Center and Laboratoryfor Computer Science. Authors may be reached at: �sesarma,sweis, dwe�@mit.edu

ture, low-cost RFID “smart-labels” may become aneconomical, and efficient replacement for optical barcodes.

Radio Frequency Identification systems haveemerged as a practical Auto-ID platform in industriesas varied as automobile manufacturing, microchipfabrication, even cattle herding. RFID systems arecomposed of radio frequency (RF) tags, or transpon-ders, and RF tag readers, or transceivers. Tag read-ers broadcast an RF signal to access resident datastored on tags, typically including a unique identifi-cation number.

Most tags consist of an antenna or other couplingelement connected to an integrated circuit, allowingthe incorporation of tag functionality such as writablestorage, environmental sensors, access control or en-cryption. Simple RFID devices may be found every-day in keyless entry systems, automated tollbooths,subway stations or in clothing. Several examples ofRFID tags appear in Figure 1.

RFID tags offer several advantages over opticalbar codes. Data may be read automatically: withoutline of sight, through non-conducting material suchas cardboard or paper, at a rate of several hundredtags per second and from a distance of several me-ters. Given that optical barcodes are scanned over 5billion times daily [24], efficiency gains from usingRFID tags could substantially lower the cost of taggeditems.

2

RSA Laboratories CryptobytesVolume 6, No.1 — Spring 2003

Figure 1: An RFID tag, an RFID tag with printed barcode and dust-sized RFID microchips.

By integrating a unified identification system on alllevels in the supply chain, every party involved in thelifespan of a product may reap the benefits of an RFIDbased object identification system. This includes notonly manufacturers and retailers, but also consumers,regulatory bodies such as the United States Food andDrug Administration, and even waste disposal firms.The potential cost savings are likely to make RFIDtags one of the most widely deployed microchips inhistory.

Unfortunately, the universal deployment of RFIDtags in consumer items may create new security issuesnot present in closed manufacturing environments.Consumer privacy may be compromised by nearby at-tackers extracting data from unprotected tags. Individ-uals may be physically detected by associating theiridentities with tags they carry, violating “location pri-vacy” similar to an issue in Bluetooth [11]. Corporateespionage is another risk: A retailer’s inventory la-beled with unprotected RFID tags could be monitoredor tracked by competitors; yielding valuable sales andmarketing data.

Presently, most deployed RFID systems are usedfor identification of higher value items, such as mi-crochips or automobile components. In these indus-tries, tags costing US$0.50-US$1.00 or more are eco-

nomical. At these costs, tags may be equipped withresources to support strong cryptographic primitives,tamper resistant packaging or other security enhanc-ing features. Many developments relevant to smartcard research are applicable to these higher valueRFID tags.

However, significant consumer market penetrationwill occur only if tags are priced below US$0.10 andcan be incorporated into most paper packaging. Un-der this price ceiling, supporting strong cryptographicprimitives is presently not a viable option. Even if sili-con manufacturing developments allow more featuresto be included in a low-cost, US$0.05 tag, there willbe continual pressure from high volume customers foreven lower cost tags.

This is due to the economics of the RFID tag mar-ket. Tag purchases will likely be made by manufac-turers in high volumes. Even slight differentials intag design costs translate into large financial savings.Consider the recent purchase of 500 million low-costtags [18] by a major consumer product manufacturer.A difference of US$0.01 between two tag design costsrepresents US$5,000,000 in savings. Tags support-ing greater functionality, such as strong cryptographicprimitives, must offer tag owners enough economicbenefits to justify their higher costs.

3


The design of low-cost RFID systems is part of on-going research at the MIT Auto-ID Center [3]. Anoverview of RFID systems and their security issuesis available in [21]. Proposals addressing several ofthese issues are presented in [26]. As mentioned, theresource-starved environment of low-cost RFID tagsis most closely related to issues explored in the con-text of smart cards. Particularly relevant are cost andsecurity trade-offs of smart cards, presented in [1].

RFID tags will frequently operate in insecure en-vironments, possibly subjected to intense physical at-tacks. Discussion of smart card operation in hostileenvironments is presented in [9], and a comprehensiveoverview of many physical attacks and countermea-sures appears in [25]. Specific low-cost attacks appearin [2] and are part of ongoing research at the Univer-sity of Cambridge’s TAMPER Lab [23]. Cautionaryinformation regarding the implementation of AES insmart cards is available in [7]. Due to passive power-ing and a wireless interface, RFID tags may be espe-cially susceptible to fault induction, timing attacks orpower analysis attacks, highlighted in [4, 15, 14], and[13].

In this article, Section 2 provides a brief introduc-tion to the components and operation of RFID sys-tems. Section 3 states assumptions about design fea-tures, performance requirements and resource limita-tions. Section 4 focuses on the security and privacy as-pects of RFID systems, detailing risks and challengesin Sections 4.1 and 4.2, respectively.

2 RFID Primer

RFID systems are composed of three key elements:

� the RFID tag, or transponder, carries object iden-tifying data.

� the RFID reader, or transceiver, interfaces withtags to read or write tag data.

� the back-end database aggregates and utilizes tagdata collected by readers.

All items to be identified in an RFID system arephysically labeled with a tag. Tags are typically com-posed of a microchip for data storage and logical op-erations, and a coupling element, such as an antennacoil, used to communicate to readers via radio fre-quencies (RF). In addition, tags may contain a directcontact interface as found in smart cards. Tag memorymay be a read-only, write-once read-many or be fullyrewritable.

Tag readers interrogate tags for their data throughan RF interface. To provide additional functionality,readers may also contain internal storage, processingpower or connections to back-end databases. Compu-tation may be carried out by readers on behalf of tags,particularly in cryptographic applications.

Tags may either be actively powered through an on-board power source such as a battery, or passivelypowered. Passive tags inductively receive powerthrough an RF signal from the reader. To offer ananalogy for this process, one may think of readersas “shouting” out to passive tags, then extracting datafrom the resultant echoes. Extending this analogy, thereader’s shouts may be monitored by eavesdroppersfrom a greater range than the tag’s echoes. We willexplore this issue further in Section 4.

The maximum distance that a reader can communi-cate with a tag is determined by the type of tag. Activetags can boost reply signals with on-board power andreply to readers at a greater range than passive tags.Active tags may carry an on-board clock and performcalculations or take sensor readings in the absence of areader. Passive tags may only operate in the presenceof a reader and are inactive otherwise.

Readers may use tag contents as a look-up key intoa back-end database. The back-end database mayassociate product information, tracking logs, or key

4


management data with particular tags. Independentdatabases may be built by anyone with access to tagcontents, allowing unrelated users along the supplychain to develop their own applications.

To illustrate the interaction of RFID system com-ponents, consider an example application of an RFID-enabled warehouse. Each item in the warehousewould be labeled with an RFID tag containing iden-tifying information such as the manufacturer, producttype and a unique serial number. These contents maybe referred to collectively as the tag ID and in practicecould be represented by 96 bits.

Shelves, forklifts and doorways in the warehousewould each be equipped with an RFID tag reader.Shelves would “know” which items they containedand when items were removed. Similarly, forkliftswould know which items they were carrying and doorswould know which items passed through.

Each of these transactions would be recorded bythe tag readers in a back-end database, creating an ac-count of the entire history and whereabouts of a par-ticular item. External information, such as shippingor purchasing data may be associated with a particularitem’s record in the back-end database.

Many applications for this type of data are appar-ent. For example, a RFID-enabled warehouse couldtake an instant inventory of its contents. Items couldbe located instantly, yet could be stored or moved atany time. Finally, preventing “shrinkage” (an industryeuphemism for theft) and identifying its culprits couldbe aided by this RFID-enabled warehouse.

3 Design Assumptions

The narrow cost requirements of low-cost RFIDsystems make low-cost tags extremely resource scarceenvironments. A practical 2-3 year estimate of the se-

curity resources available to a US$0.05 design, suchas those proposed by the MIT Auto-ID Center [3, 20],may be limited to hundreds of bits of storage, roughly5,000-10,000 gates and a max communication rangeof a few meters. Such low-cost tags will almost cer-tainly be passively powered, due to costs associatedwith active power sources.

A US$0.05 tag in 2003 may have approximately250-1000 gates available for security features. Fur-thermore, security protocols and computations mustallow for read rates of hundreds per second. Depend-ing on the particular tag implementation, power con-sumption may be another limiting factor.

These limits are far below the requirements for apublic-key cryptographic system, even a resource effi-cient scheme such as NTRU [10, 16]. Most symmet-ric encryption algorithms are also beyond available tagresources. For example, commercial AES implemen-tations typically have on the order of 20,000-30,000gates [6], which is more than is available for the entirelow-cost tag design. Even the hardware implementa-tions of standard cryptographic hash functions such asSHA-1 are currently too costly [6].

We assume tags have insecure memories whose en-tire contents may be extracted by physical attacks asdescribed in [25]. These attacks may include laser orwater etching, X-ray or ion probing, TEMPEST at-tacks, clock glitching, circuit disruption or many othervaried attacks. Luckily, these attacks require physicaltag access and are likely to be detected when carriedout in public. Privacy is rather a moot point if some-one can surreptitiously obtain a tagged item, conducta physical attack, then return the item without detec-tion. The important implication is that RFID tags can-not be trusted to securely store long-term secrets, suchas shared keys, when left in isolation.

The reader-to-tag, or forward channel, may be mon-itored from a great distance. Depending on the im-plementation, the relatively weaker tag-to-reader, or

5


backward channel, may also be monitored from a con-siderable distance. This largely depends on the com-munication frequency between tags and readers. At900 MHz, eavesdroppers could theoretically monitorthe forward channel from 1 kilometer and the back-ward channel from up to 100 meters. Fortunately,in practice attaining these ranges would be difficult.The 13.56 MHz and 2.45 GHz operating frequenciesalso have asymmetric eavesdropping ranges, but fromshorter distances. It should be noted that these rangesare for non-interactive eavesdropping only and thatany active communication with tags must occur withina short distance, perhaps 2 meters.

Tags may be equipped with a physical contact chan-nel for critical functions or “imprinting” tags with se-cret keys [22]. Additionally, we may assume the tagpackaging contains a barcode, human-readable digitsor other information to corroborate tag data, as in thedesign presented in [12]. To further authenticate tags,readers may measure physical properties such as tagsignal power levels or response times, as used in [17].This may act as a countermeasure against spoofing at-tempts.

It is assumed that a secure connection exists be-tween tag readers and the back-end database. Tagreaders may also perform cryptographic calculationsor interface with key management systems on behalfof tags. Tags may be assumed to have a mechanism toreveal their presence, called a ping. Anyone may pinga tag, which will respond with some non-identifyingsignal. Finally, tags will be equipped with a kill com-mand rendering them permanently inoperable. Thekill command may be designed to be a slow operationwhich physically disables the tag, perhaps by discon-necting the antenna or shorting a fuse.

4 Security and Privacy

4.1 Risks

Privacy is a major issue in a ubiquitous RFIDsystem. Consumer products labeled with insecuretags may reveal sensitive information when queriedby nearby snoops. Most consumers prefer to keeptheir brand of RFID-tagged underwear or prescriptionmedicine private from nosy passersby. Retail busi-nesses also may be threatened by unauthorized read-ers. For example, a corporate spy could periodicallytake inventory of a store’s shelves to infer sales data.

A related threat is that of tracking, or violations of“location privacy”. Concerns over location privacywere recently raised when a major tire manufacturerannounced plans to embed RFID tags in their prod-ucts [19]. Although the tag contents may be secured,predictable tag responses could allow tags to be as-sociated with their holders’ identity. Even if tags donot leak unique identifying information individually,a set of tags may be tracked as a “constellation”; adistinct taste in brands could betray someone’s iden-tity. Individuals carrying tags may be tracked as theypass by fixed tag readers. Corporate spies might beable to derive valuable logistics information from in-secure RFID tagged packages, even without knowingthe actual contents of the package themselves.

Denial of service is another threat. Attackers couldattempt to jam RF signal channels, or to disable tagsby some other means. This is especially relevant tothe retail market, where there is an interest in RFID-enabled automatic checkout. Theft may result if tagsare able to be “cloaked” from store readers. Of course,preventing low-tech attacks, such as dropping an iteminto a metal lined bag, would require traditional coun-termeasures such as security guards or cameras.

6


Thieves should not be able to effectively spoof tags,either. A thief could create their own tag to spoof avalid item. By replacing actual items with these de-coy tags, a thief might fool a shelf that the valid itemswere still in stock. Alternatively, a thief could attemptto rewrite valid RFID tag contents so that they repre-sented lower value items at checkout.

It should be noted that these risks are most impor-tant on a widespread scale. Existing bar code systemsare publicly readable, can be spoofed or disabled, andtherefore exhibit the same risks. However, these at-tacks do not have the potential to be carried out wire-lessly, on a massive scale. The challenges of address-ing these issues is to prevent wide-scale or automatedattacks made feasible by RFID’s efficient wireless in-terface, without exceeding narrow cost barriers.

4.2 Challenges

The primary challenge in providing privacy and ac-cess control mechanisms in low-cost RFID is scarcityof resources. As mentioned, tags will only have a frac-tion of the gate count available in smart cards. Secu-rity mechanisms of passively powered tags will needto be carefully designed so as not to leave tags in aninsecure state in the event of power loss or interrup-tion.

Additionally, security protocols must account forthe asymmetric signal strength between the forwardand backward channels. For example, anti-collisionalgorithms carried out by tag readers addressing mul-tiple tags may leak data over the “loud” forward chan-nel, a threat described in [26].

Low-cost tag security mechanisms typically are notexpected to be resilient to lengthy, determined at-tacks. Recall that attacks would need to originate fromwithin the short (e.g., 2-meter) operating range of atag, making it easier to detect in a retail setting. Anec-dotally, low-cost tags used by retailers might be re-

quired to be resistant to protocol attacks (i.e., not rely-ing on physical or electromagnetic properties) for ap-proximately 10 minutes. Making a liberal assumptionthat tags can support 1000 commands per second, thisrepresents 600,000 brute force attempts.

Under these constraints, a simple access control“lock” mechanism based on hash functions has beenproposed in [21] and [26]. A challenge to the researchcommunity is to provide hardware-efficient crypto-graphic hash functions within low-cost RFID tag re-source constraints. Low-cost symmetric encryptionschemes are another desirable primitive. The aptlynamed “Tiny Encryption Algorithm” [27, 28], whichhas a small implementation size relative to DES orAES, may be a step in the right direction.

To address location privacy, tags cannot respond toqueries in a predictable manner. This motivates in-clusion of an on-board random number generator torandomize tag responses, as in the extension of thehash-lock design from [26]. The further developmentof practical low-cost pseudo-random number genera-tors, or sources of physical randomness [8] would ben-efit RFID designs, as well as many other applications.Hardware-efficient perfect one-way hash functions [5]would be another useful primitive to counter tag track-ing.

Regardless of the underlying mechanisms provid-ing privacy and access control, management of tagkeys is an important issue. Initialization, storage andtransfer of keys should be economical. Since tags maypass through the hands of manufacturers, retailers andconsumers, there should exist an efficient means totransfer tag ownership. In some settings, physical pos-session of a tag may confer tag ownership, perhapsthrough a contact channel or some optical informationon a tag. In other scenarios, such as a rental setting,some external key data must represent tag ownership.Providing flexible access control and key managementtools at a reasonable cost is a challenge to the designof tags, readers and back-end databases.

7


Flexibility and openness of design are of utmost im-portance to a successful RFID system. Future tag de-velopments will allow greater storage, faster perfor-mance and new functionality to be incorporated intolow-cost tag designs. Current security mechanisms forRFID systems should not impede utilization of futuretechnologies, nor should they adversely affect the userexperience. Retailers will not adopt RFID systems ifthey necessarily hinder the consumer check-out pro-cess. No one expects customers to undergo compli-cated security procedures every time they purchase aquart of milk.

On the other hand, RFID tags should be as open aplatform as possible, supporting both existing appli-cations and applications yet to be conceived. Securityfeatures should not interfere with the development ofnew applications by third parties. Many useful con-sumer applications could emerge from grass-roots de-velopment and should not be impaired by proprietaryor closed security mechanisms.

5 Conclusion

The success of a consumer RFID system may de-pend on developing appropriate tools for providing se-curity and privacy. Hardware efficient hash functions,symmetric encryption and random number generatorsall play a crucial role in developing the RFID secu-rity mechanisms necessary to dissuade large-scale at-tacks. New protocols resilient to eavesdropping, faultinduction, or power analysis while maintaining perfor-mance and costs will be a valuable area of research.Integrating RFID systems with a key management in-frastructure is another issue requiring further develop-ment.

In many ways, a universal low-cost RFID system isa precursor to ubiquitous computing. Improving tech-nology and allowing integration of more features willblur the line between RFID tags, smart cards and gen-

eral purpose computers. Security lessons learned fromRFID systems will benefit the development of secureubiquitous computing systems of the future.

6 Acknowledgments

Images courtesy of the MIT Auto-ID Center,Checkpoint Systems and Alien Technology. Thanks toRon Rivest and Peter Cole for their support and input.Thanks to Lawrence Gold for review and comments.

References

[1] Martin Abadi, Michael Burrows, C. Kaufman,and Butler W. Lampson. Authentication andDelegation with Smart-cards. In TheoreticalAspects of Computer Software, pages 326–345,1991.

[2] Ross Anderson and Markus Kuhn. Low Cost At-tacks on Tamper Resistant Devices. In IWSP.LNCS, 1997.

[3] Auto-ID Center. http://www.autoidcenter.org.

[4] Dan Boneh, Richard A. DeMillo, and Richard J.Lipton. On the Importance of Checking Cryp-tographic Protocols for Faults. In EURO-CRYPT’97, volume 1233, pages 37–51. LNCS,Advances in Cryptology, 1997.

[5] Ran Canetti, Daniele Micciancio, and OmerReingold. Perfectly One-Way Probabilistic HashFunctions. In ACM Symposium on Theory ofComputing, pages 131–140, 1998.

[6] CAST Inc. AES and SHA-1 CryptoprocessorCores. http://www.cast-inc.com.

[7] Suresh Chari, Charanjit Jutla, Josyula R. Rao,and Pankaj Rohatgi. A Cautionary Note Regard-ing Evaluation of AES Candidates on Smart-Cards. In Second Advanced Encryption Standard(AES) Candidate Conference, Rome, Italy, 1999.

8


[8] Blaise Gassend, Dwaine Clarke, Marten vanDijk, and Srinivas Devadas. Controlled Phys-ical Random Functions. In Computer SecurityConference, December 2002.

[9] Howard Gobioff, Sean Smith, J. Doug Tygar,and Bennet Yee. Smart Cards in Hostile Environ-ments. In Workshop on Elec. Commerce, 1996.

[10] Jeffrey Hoffstein, Jill Pipher, and Joseph H. Sil-verman. NTRU: A Ring-Based Public Key Cryp-tosystem. LNCS, 1423:267–283, 1998.

[11] Markus Jakobsson and Susanne Wetzel. SecurityWeaknesses in Bluetooth. LNCS, 2020:176+,2001.

[12] Ari Juels and Ravikanth Pappu. Squealing Eu-ros: Privacy Protection in RFID-Enabled Ban-knotes. In Financial Cryptography, 2003.

[13] Burton S. Kaliski Jr and Matt J. B. Robshaw.Comments on Some New Attacks on Crypto-graphic Devices. RSA Laboratories’ BulletinNo. 5, July 1997. http://www.rsasecurity.com/.

[14] Paul Kocher, Joshua Jaffe, and Benjamin Jun.Differential Power Analysis. LNCS, 1666:388–397, 1999.

[15] Paul C. Kocher. Cryptanalysis of Diffie-Hellman, RSA, DSS, and other Systems UsingTiming Attacks. Technical report, CryptographyResearch, Inc., 1995.

[16] NTRU. GenuID. http://www.ntru.com/.

[17] Adrian Perrig, Ran Canetti, J.D. Tygar, andDawn Song. The TESLA Broadcast Authenti-cation Protocol. RSA CryptoBytes, 5(2):2–13,Summer/Fall 2002.

[18] RFID Journal. Gillette to Purchase 500 MillionEPC Tags. http://www.rfidjournal.com, Novem-ber 2002.

[19] RFID Journal. Michelin Embeds RFID Tagsin Tires. http://www.rfidjournal.com, January2003.

[20] Sanjay E. Sarma. Towards the Five-Cent Tag.Technical Report MIT-AUTOID-WH-006, MITAuto-ID Center, 2001.

[21] Sanjay E. Sarma, Stephen A. Weis, andDaniel W. Engels. RFID Systems and Securityand Privacy Implications. In CHES, pages 454–470. LNCS, 2002.

[22] Frank Stajano and Ross Anderson. The Res-urrecting Duckling: Security Issues for Ad-hocWireless Networks. In IWSP, volume 1796,pages 172–194. LNCS, 1999.

[23] TAMPER Lab. University of Cambridge Tam-per and Monitoring Protection Engineering Re-search Lab. http://www.cl.cam.ac.uk/Research/.

[24] Uniform Code Council. Homepage.http://www.uc-council.org/.

[25] Steve H. Weingart. Physical Security Devices forComputer Subsystems: A Survey of Attacks andDefences. In CHES, volume 1965, pages 302–317. LNCS, 2000.

[26] Stephen A. Weis, Sanjay E. Sarma, Ronald L.Rivest, and Daniel W. Engels. Security andPrivacy Aspects of Low-Cost Radio FrequencyIdentification Systems. In Security in PervasiveComputing, 2003.

[27] David J. Wheeler and Robert M. Needham.TEA, a Tiny Encryption Algorithm. Techni-cal report, Computer Laboratory, University ofCambridge, 1995.

[28] David J. Wheeler and Robert M. Needham. TEAExtensions. Technical report, Computer Labora-tory, University of Cambridge, 1997.

9


Identity-Based Encryption: a Survey

Martin Gagne �

[email protected]

Abstract

Identity-based encryption is a form of public key en-cryption for which the public key can be an arbitrarystring, and in particular, a string that identifies the userwho holds the associated private key, like his email ad-dress. The original motivation for identity-based cryp-tography was to simplify certificate management, butit has many other applications. In this paper, we sur-vey recent proposals for usable identity-based encryp-tion schemes.

1 Introduction

The concept of Identity-Based Encryption (IBE) wasfirst formulated by Shamir in 1984 [28]. In such ascheme, the public key can be an arbitrary string. Forexample, if Alice wants to send a message to Bob [email protected], then she simply encrypts the mes-sage using the string “[email protected]” as the pub-lic key. The original motivation for this idea wasto eliminate the need for directories and certificatesby using the identity of the receiver as the publickey, but it can also be used to implement ephemeral(short lived) public keys, manage user credentials, orfor the delegation of decryption keys. Recently, ithas also been used to build forward-secure encryp-tion schemes. Efficient solutions for the related no-tion of identity-based signatures were quickly found

�Partially supported by NSF ITR CCR-0205733 and thePackard Foundation.

([13, 12]), but identity-based encryption proved tobe much more challenging. Most schemes proposedsince 1984 ([9, 31, 30, 24, 20]) were unsatisfactorybecause they were too computationally intensive, theyrequired tamper resistant hardware, or they were notsecure if users colluded.1 In this paper, we survey re-cent proposals of identity-based encryption schemeswhich do not suffer from any of these drawbacks[7, 2], and some variants of [2] which provide addi-tional functionality [22, 17].

Informally, an identity-based encryption schemeconsists of four algorithms: (1) Setup generates thesystem parameters and a master-key, (2) Extract usesthe master-key to generate the private key correspond-ing to an arbitrary string ID � �� , (3) Encryptencodes a plaintext using a public key ID and (4)Decrypt decodes ciphertexts using the correspond-ing private key. The algorithm Setup is run by atrusted authority which we call the private key gen-erator (PKG). The PKG also runs the algorithm Ex-tract at the request of a user who wishes to obtainthe private key corresponding some string (see Fig-ure 1). Note that the user likely needs to prove to thePKG that he is the legitimate “owner” of this string(for example, to obtain the private key correspond-ing to “[email protected]”, the user must prove [email protected] is truly his email address). The al-gorithms Encrypt and Decrypt are run by the usersto encrypt and decrypt messages.

1We are talking here about schemes which do not require anonline authority for decryption. Mediated identity-based encryp-tion schemes are relatively easy to build, [1] is a good example.

10


PKGID�� ID� � ID�

user 1 user 2 user 3

�

PKG�ID� � � �ID� � �ID�

user 1 user 2 user 3

Figure 1: Private key request in an IBE scheme.

The rest of this paper is structured as follows. InSection 1.1, we discuss some applications of identity-based encryption schemes. In Section 2, we present asimple identity-based encryption scheme to introducethe concept. We formally define the notion of identity-based encryption and give the security model in Sec-tion 3. In Section 4, we survey the identity-based en-cryption schemes whose security can be proven in themodel of Section 3.

1.1 Applications of Identity-BasedEncryption

We already mentioned that the original motivation foridentity-based encryption was to simplify certificatemanagement. We now present other applications.

Revocation of public keys. Public key certificatescontain a preset expiration date. In an identity-based encryption scheme, we can make the keys ex-pire by encrypting the messages using the public key“receiver-address � current-date” where current-datecan be the day, week, month or year depending on thefrequency at which we want the users to renew theirprivate key. Note that unlike traditional public key in-frastructure, the senders do not need to obtain new cer-tificates every time the private keys are renewed, how-ever, the receiver must query the PKG each time toobtain the new private key. So identity-based encryp-

tion is a very efficient way of implementing ephemeralpublic keys. This is also useful if, for example, the pri-vate key is kept on a laptop: if the laptop is stolen, onlythe private key corresponding to that period of timeis compromised, the master-key is unharmed. Thisapproach can also be used to send messages into thefuture since the receiver will not be able to decryptthe message until he gets the private key for the datespecified by the sender from the PKG (see [27, 10] formethods of sending messages into the future using astronger security model).

Managing user credentials. By encrypting the mes-sages using the address “receiver-address � current-date � clearance-level”, the receiver will be able todecrypt the message only if he has the required clear-ance. This way, the private key generator can be usedto grant user credentials. To revoke a credential, thePKG simply stops providing the private key in the nexttime period.

Delegations of decryption keys. Suppose a managerhas several assistants each responsible for a differenttask. Then the manager can act as the private key gen-erator and give his assistants the private keys corre-sponding to their responsibilities (so the public keywould be ‘Duty’). So each assistant can decrypt themessages whose subject fall within its responsibilities,but cannot decrypt messages intended for other assis-tants. The manager can decrypt all the messages usinghis master-key.

Forward-secure encryption. Some of the schemespresented in this paper can also be used as build-ing blocks to construct forward-secure encryptionschemes ([4]) and key-insulated cryptosystems ([11]).In a forward-secure encryption scheme, the receiver’sprivate key evolves at each time period so that if theprivate key of a time period is compromised, all themessages encrypted in previous time periods secure2.In a key-insulated encryption scheme, the secret key is

2However, all the private keys for time periods after the expo-sure are also compromised.

11


divided into two parts, both evolving at every time in-terval, which must be combined to obtain the privatedecryption key. Future secret keys are compromisedonly if both parts are exposed in the same time pe-riod3.

2 A Simple Identity-BasedEncryption Scheme

We now introduce an identity-based encryptionscheme based on quadratic residues proposed byCocks [7]. This scheme is not as efficient and possi-bly not as secure as the schemes we present in Section4, but it is easier to understand and not as involvedmathematically. We present it here to introduce theconcepts of identity-based encryption.

In the setup phase, the PKG generates two randomprimes � and �, each congruent to � �� such that� � �� is hard to factor. The PKG also picks a cryp-tographic hash function � � �� , where �is the set of integers in��

� whose Jacobi symbol is 1.� and � are then published by the PKG, � and � arekept secret. Note that under these conditions, for any� � �, either � or �� is a square modulo� . 4

To extract the private key corresponding to a stringID � �� , the PKG computes

�ID � �ID��

� ��

and sends �ID to the requesting user. One can eas-ily show that the resulting � ID satisfies either ��ID ��ID �� or ��ID � ��ID �� dependingon which of�ID or ��ID is a square �� .

The encryption function encodes the bits of themessage one at a time. Given a single bit � encoded as

3See [11] for more details about the security of these schemes.4This is because�� is a quadratic non-residue both in�� and

��.

1 or -1 and the identifying string ID of the receiver, thesender generates random values ��

�, �� ,with Jacobi symbol

��

�� and computes � � ��

�ID�� and � � �� ID�� .The ciphertext is � � �� .

The receiver recovers the bit � from a ciphertext�� using his private decryption key � ID as fol-lows. First, he picks � � if ��ID � �ID, other-wise, he picks � �. Then, he computes

� �

� � ��ID

�

��

This � is the original bit since �� ID ��ID��

�� where � is the �� value corresponding to ,so�

� ��ID

�

��

�� ID�

�

��

��

unless � � �ID� �� which is extremely unlikely5.

The security of this scheme is based on theQuadratic Residuosity Problem i.e. on the difficultyof determining if whether or not a number � � � isa square modulo � if the factorization of � is un-known. Unfortunately, [7] does not provide a proof ofsecurity in a security model as strong as the one wegive in Section 3. Also, it is very easy to delete, addor modify bits in the encrypted message, so additionalintegrity protection must be employed to confirm thevalidity of the message.

Another drawback of this scheme is the messageexpansion factor of � �� (this would be 2048 inpractice nowadays). However, the main use of publickey cryptosystems is the exchange of session keys, so,for a 128 bit session key, the total length of the cipher-texts would be 32K bytes, an acceptable overhead formany applications.

5If � � �ID��

�, then either � � ��ID, so the sender hasguessed the receiver’s private key, or �� ID�� is a non-trivial factor of � , so the receiver can factor � .

12


3 Definitions

Identity-Based Encryption. An identity-based en-cryption scheme consists of four randomized algo-rithms: Setup, Extract, Encrypt and Decrypt.

Setup: takes as input a security parameter and out-puts params (system parameters) and master-key. Thesystem parameters must include the description of themessage space � and the ciphertext space �. Thesystem parameters will be publicly known while themaster-key is known only to the private key generator(PKG).

Extract: takes as input the system parametersparams, the master-key and an arbitrary string ID �� and outputs the private key � ID correspondingto the public key ID.

Encrypt: takes as input the system parametersparams, a public key ID and a plaintext � � andoutputs a corresponding ciphertext.

Decrypt: takes as input the system parametersparams, a private key �ID and a ciphertext � � � andoutputs the corresponding plaintext.

These algorithms must satisfy the standard con-sistency constraints, namely if all the algorithms areapplied correctly, then any message in the plaintextspace encrypted with the algorithm Encrypt shouldbe correctly decrypted by the algorithm Decrypt.

We note that each user needs to establish a securechannel with the private key generator when request-ing his private key in order to keep the private key se-cret.

Chosen ciphertext security. A public key encryptionscheme is considered secure if an adversary is unableto obtain any information about a ciphertext even ifhe is given the decryption of any other ciphertext ofhis choice. The standard definition of security captur-

ing this notion is that of chosen ciphertext security de-fined by Rackoff and Simon in [26]. However, in oursetting the adversary may also be able to obtain theprivate key corresponding to some IDs of this choiceother than the one on which he is being tested. Thesystem should remain secure against such an attack.Therefore, the definition of security must be strength-ened a little to allow the adversary to obtain the privatekey corresponding to any IDs except the one on whichhe is being tested.

The notion of semantic security against adaptivechosen ciphertext attack for an identity-based encryp-tion scheme is defined through the following game:

The challenger chooses a security parameter �and runs the Setup algorithm. He returns to theadversary the public system parameters paramsand keeps the master-key to himself.

The adversary issues queries �� whereeach query is one of:– Extraction query �ID�. The challenger re-sponds by running the algorithm Extract to gener-ate the private key �� corresponding to the publickey ID� and sends it to the adversary.– Decryption query �ID�� . The challenger re-sponds by running algorithm Extract to generatethe private key �� corresponding to the public keyID�, uses the algorithm Decrypt together with thisprivate key to decode the ciphertext � � and re-turns the resulting plaintext to the adversary.

The adversary outputs two equal length plain-texts �� and a public key ID on whichhe wishes to be tested. ID must not have appearedin any previous extraction query. The challengerpicks a random bit � � �� and sends � �Encryptparams� ID� � as the challenge to theadversary.

The adversary issues queries �� as be-fore, except that he cannot issue the extractionquery �ID or the decryption query �ID� �.

13


The adversary outputs a guess � � � �� . Theadversary wins the game if �� .

The advantage of an attacker � against the schemeis defined to be �� ,where the probability is over the random choicesmade by the challenger and the adversary. We saythat an identity-based encryption scheme is seman-tically secure against adaptive chosen ciphertext at-tack if no polynomially bounded adversary (in �) hasnon-negligible advantage (in �) in the game describedabove.

4 Secure Identity-Based EncryptionSchemes

The cryptosystems described in this section make useof a bilinear map �� , where �� and�� are cyclic groups of order � for some large prime�.6 The map must satisfy the following properties:

1. Bilinear: For all �� ,�� .7

2. Non-Degenerate: For a given point � � � � ,�� for all � � � � if and only if � ��

8. From that and bilinearity, we can find that if �is a generator of � � , then �� is a generator of � � .

3. Computable: There is an efficient algorithm tocompute �� for any �� .

The security of the schemes in this section is basedon the Bilinear Diffie-Hellman Problem (BDHP). TheBDHP in �� , where � � and �� are cyclic

6For consistency with previously published literature, we de-note �� additively and � � multiplicatively.

7In particular, �� for all �� and��

8This is the identity element in �� . We denote the identityelement in �� by ��

groups of order � and �� is a bilinearmap, can be stated as follows: Given a generator �of � � and three elements �� for �� random in��, compute �� .

The Weil and Tate pairings on elliptic curves are theonly known ways to build secure bilinear maps ([21]).We refer the reader to [15] section 6 or [21] for moredetails on these constructions.

4.1 The Boneh-Franklin Scheme

The first efficient and secure identity-based encryptionscheme was given by Boneh and Franklin in [2]. Toencrypt a message, the sender uses the bilinear map tocombine the identity of the receiver, the PKG’s publickey and a random short term private key into a sessionkey used to mask the message. The receiver can recre-ate the same session key by using the bilinear map tocombine his private key and the short term public keysent with the ciphertext. Here is the description of thescheme in full details:

Setup: Given a security parameter �,(1) generate cyclic groups � � �� of prime order � to-gether with a bilinear map �� corre-sponding to this security parameter (say � could be a�-bit prime). Pick a random generator � � � � .(2) pick a random ��

� and compute �� .(3) pick cryptographic hash functions��

�� , �� ,

�� ,

�� for some integer � � �.

The plaintext space is � � �� and the cipher-text space is � � �

�� . The

public system parameters are params � �� . The master-key is .

Extract: Given a string ID � �� , the master-key and system parameters params, compute�ID ��ID � � �

� and �ID � �ID, and return �ID.

14


Encrypt: Given a plaintext � �, a public key IDand public parameters params,(1) compute �ID � ��ID,(2) pick a random � � �� and compute � �� ,(3) compute � � �� ID,(4) set the ciphertext to � � �� .

Decrypt: Given a ciphertext �� , a privatekey �ID and system parameters params,(1) compute �� ID,(2) compute � � � ��,(3) compute � � ��,(4) compute � � �� . If � �� , reject theciphertext, else return .

Note that is encrypted as � � � ��.This can be replaced by� � �� where isa semantically secure symmetric encryption scheme 9.

Consistency of this scheme easily follows from thebilinearity of ��. This scheme is semantically secureagainst adaptive chosen ciphertext attack in the ran-dom oracle model10 if the BDHP is intractable in�� . See [2] for a full proof of security andexact security analysis.

In this scheme, as in all other identity-based encryp-tion schemes, the security of the PKG’s master-key iscapital because the security of all other private keysdepend on it. One way to increase its security is to dis-tribute the master-key among various sites using tech-niques of threshold cryptography [16]. The master-key is distributed in an �-out-of-� fashion by givingeach PKG one share � if a Shamir secret sharing of �� . Given � PKG responses ��

�� ID, a

user could then construct � ID ��!��

�� where the

!�’s are the appropriate Lagrange coefficients.

9See [2] and [14] for more details.10This means that in the security proof, the hash functions are

modeled by random functions which are accessible to both thechallenger and the adversary.

4.2 Authenticated ID-Based Encryption

Lynn [22] found that the Boneh-Franklin schemecould be modified to provide message authenticationat no additional computational cost, i.e. upon recep-tion, the receiver can verify the identity of the senderand whether or not the message has been tamperedwith. This eliminates the need for digital signatureswhen authentication is required. The level of securityachieved is the same as that in a private conversation,i.e. secure authenticated communication without theability to prove to a third party that any informationwas ever exchanged. To provide origin authentication,the bilinear map is now used to combine the identityof both the sender and the receiver. The session key ishashed with a random value to obtain a different maskeach time the encryption function is executed.

Setup: Same steps as in the Boneh-Franklin schemeexcept that the hash function�� now must be definedas follows: �� for some � � �.The plaintext space is � � �� , the ci-phertext space is � � �� .The public system parameters are params �� . The master-keyis .

Extract: Same as for the Boneh-Franklin scheme.

Encrypt: Given a plaintext � �, a private key�ID�

, a public key ID� and system parameters params,(1) pick a random � � �� ,(2) compute � � �� ,(3) compute � � ��ID�

� ��ID�,(4) set the ciphertext to � � �� .

Decrypt: Given a ciphertext �� , a publickey ID�, a private key �ID�

and system parametersparams,(1) compute � � ��ID�� ID�,(2) compute � � � �� ,(3) compute � � ��,

15


(4) compute � � �� . If � �� , reject theciphertext, else return .

Again, � � � �� can be replaced by� � �� where is a semantically securesymmetric cryptosystem.

Consistency of this scheme easily follows from thebilinearity of ��. Lynn shows that the scheme is se-cure against adaptive chosen ciphertext attack in therandom oracle model provided that the BDHP is in-tractable in �� .11 Under the same assump-tions, he shows that an adversary has only negligibleprobability of forging a valid ciphertext from a senderID� to a receiver ID� , even if he is given access to ex-traction, encryption and decryption oracles, providedhe has not queried the private keys corresponding toID� or ID�. Therefore the ciphertext is its own au-thentication code, i.e. if a ciphertext is valid, then itis authentic. See [22] for full proofs of security andexact security analysis.

We mention that in [23], Malone-Lee gives anidentity-based signcryption scheme based on theBDHP, i.e. a scheme in which the ciphertexts are au-thenticated and non-repudiable12. However, he doesnot give any formal proof of security.

4.3 Hierarchical ID-Based Encryption

One disadvantage of the two previous schemes is that,in a large network, the private key generator wouldhave a quite burdensome job. One solution to thisproblem is to allow a hierarchy of PKGs in which thePKGs have to compute private keys only to the en-tities immediately below them in the hierarchy (see

11The security model from Section 3 must be slightly modifiedto account for the fact that the encryption function now requires aprivate key, but the idea is the same.

12In the scheme by Lynn, the ciphertexts are repudiable sincethere is no difference between a ciphertext encrypted by andsent to � and a ciphertext encrypted by � and sent to .

Figure 2). In such a system, the users are no longerrepresented by a string ID, but by a tuple of IDs con-taining the ID of each of their ‘ancestors’ in the hi-erarchy. For example, �ID�� ID� would be theparent of �ID�� ID��. We present a scheme byGentry and Silverberg [17], which extends the Boneh-Franklin scheme to obtain a fully scalable hierarchi-cal ID-based encryption scheme (the two schemes areidentical if there is only one level). We note that in thisscheme, the ID tuple of any entity in the hierarchy, ex-cept the root, can be used as a public key. To simplifythe notation, we write ID�� to denote �ID�� ID�

root PKGmk�ID��

� � mk�ID��

�ID�� ID�

��mk�ID��ID��

� � mk�ID��ID��

�ID�� ID�� ID�� ID�

��mk�ID��ID��ID��

� � mk�ID��ID��ID��

�ID�� ID�� ID�� ID�� ID�� ID�

��

Figure 2: Hierarchy of PKG’s

Root Setup: Given a security parameter �(1) generate cyclic groups � � �� of prime order � to-gether with a bilinear map �� cor-responding to this security parameter (say � is a �-bitprime). Pick a random generator �� .(2) pick a random � ��

� and compute �� .(3) pick cryptographic hash functions��

� , �� ,

�� and

�� for some integer � � �.

The plaintext space is � � �� and the ci-phertext space is � � �

�� .

The public system parameters are params �� . The rootsecret is �.

Lower-level Setup: Given the system parametersparams, each entity ID��

other than the root picksa random ID��

� �� and computes �ID��

� ID��,

which it keeps secret.

16


Extract: Given the ID tuple �ID�� ID� ofone of its children, its private key mkID��

��ID��

� �� ID�� ID��

, its secret value

ID��13 and system parameters params, PKG

ID��computes the private key as follows:

(1) compute �ID�� ID��,

(2) compute �ID�� ID��

� ID��ID��

,(3) return ��ID��

� �� ID�� ID��

.The private key corresponding to �ID�� ID� is��ID��

� �� ID�� ID��

(the user �ID�� ID�already knows�ID��

).

Encrypt: Given a plaintext � �, an ID tuple�ID�� ID� and system parameters params,(1) compute �ID��

� ��ID�� for � � " � #,(2) compute � � �� ID��

,(3) pick a random � � �� and compute � �� ,(4) set the ciphertext to � � �� ID��

� � � � ��ID��

� � �� .

Decrypt: Given a ciphertext � �� , a private key��ID��

� �� ID�� ID��

and system param-eters params,(1) compute

�� ID��

�� ID��

� ��

(2) compute � � � ��,

(3) compute � � ��,(4) compute � � �� . If �� , reject theciphertext, else return .

As before, we can replace � � � �� by� � �� where is a semantically securesymmetric cryptosystem.

For this setting, we modify our security model sothat the adversary is not allowed to posses the private

13For definiteness, if � � �, then the private key is mk �� where is the identity element in �� , and PKG’s secretvalue is �.

key of any ancestor of the entity on which he is be-ing challenged. Gentry and Silverberg proved that thescheme is secure against adaptive chosen ciphertextattack in the random oracle model provided that theBDHP is intractable in �� .

We mention that Horwitz and Lynn [19] alsoproposed a 2-level hierarchical ID-based encryptionscheme, but it has only limited resistance to user col-lusion.

5 Summary and Open Problems

We surveyed recent proposals for usable identity-based encryption schemes. The schemes based on bi-linear maps seem most promising because we haveprecise proofs of their security in a strong securitymodel. However, the security of these schemes isbased on a new hardness assumption which has notbeen studied much. It would be interesting to see ifwe can relate the Bilinear Diffie-Hellman Problem toother well studied problems (Cheon and Lee [6] andYacobi [32] made first steps in this direction).

As for Cocks’ scheme, a decrease in the expan-sion factor would also be a major improvement to thescheme. One could also try to relate the QuadraticResiduosity Problem to the Factoring Problem.

It is also an open problem to design an identity-based encryption scheme that is secure in the stan-dard computational model rather than in the randomoracle model. Boneh and Franklin [2] mention thatone might hope to do this by modifying the Boneh-Franklin scheme using the techniques of Cramer-Shoup [8] to obtain a scheme based on the deci-sion analog of the BDHP. Another interesting problemwould be to build identity-based encryption schemesbased on other complexity assumptions.

We mention that many results have been published

17


in other areas of identity-based cryptography, namely,Paterson [25], Hess [18] and Cha and Cheon [3]each proposed new identity-based signature schemes,and Smart [29], Zhang, Liu and Kim [33] and Chenand Kudla [5] each proposed new identity-based keyagreement protocols.

Acknowledgments

I would like to thank Matthew Franklin and MarkusJakobsson for their comments on previous versions ofthis paper.

References

[1] D. Boneh, X. Ding and G. Tsudik. Identity basedencryption using mediated RSA, in � rd Work-shop on Information Security Application, JejuIsland, Korea, Aug. 2002.

[2] D. Boneh and M. Franklin. Identity Based En-cryption from the Weil Pairing, to appear inSIAM Journal of Computing.

[3] J. Cha and J. Cheon. An Identity-Based Signaturefrom Gap Diffie-Hellman Groups, PKC 2003,LNCS 2567 pp. 18-30, 2002.

[4] R. Canetti, S. Halevi and J. Katz. A Forward-Secure Public-Key Encryption Scheme, to appearin Proceedings of Eurocrypt 2003.

[5] L. Chen and C. Kudla. Identity Based Authenti-cated Key Agreement from Pairings, CryptologyePrint Archive14, Report 2002/184, 2002.

[6] J. Cheon and D. Lee. Diffie-Hellman Problemsand Bilinear Maps, Cryptology ePrint Archive,Report 2002/117, 2002.

14http://eprint.iacr.org/

[7] C. Cocks. An Identity Based Encryption SchemeBased on Quadratic Residues, Cryptography andCoding, LNCS 2260, pp. 360-363, 2001.

[8] R. Cramer and V. Shoup. A practical public keycryptosystem probably secure against adaptivechosen ciphertext attack, Proceedings of Crypto’98, LNCS 1462, pp. 13-25, 1998.

[9] Y. Desmedt and J.-J. Quisquater. Public-key sys-tems based on the difficulty of tampering, Pro-ceedings of Crypto ’86, LNCS 263, pp. 111-117,1986.

[10] G. Di Crescenzo, R. Ostrovsky and S. Ra-jagopalan. Conditional Oblivious Transfer andTimed-Release Encryption, Proceedings of Eu-rocrypt ’99, LNCS 1592, pp. 74-89, 1999.

[11] Y. Dodis, M. Franklin, J. Katz, A. Miyaji and M.Yung. Intrusion-Resilient Public-Key Encryp-tion, to appear in RSA 2003 – Cryptographer’sTrack.

[12] U. Feige, A. Fiat and A. Shamir. Zero-Knowledge Proofs of Identity, Journal of Cryp-tology, Vol. 1, pp. 77-94, 1988.

[13] A. Fiat and A. Shamir. How to Prove Your-self: Practical Solutions to Identification andSignature Problems, Proceedings of Crypto ’86,LNCS 263, pp. 186-194, 1987.

[14] E. Fujisaki and T. Okamoto. Secure Integra-tion of Asymmetric and Symmetric EncryptionSchemes, Proceedings of Crypto ’99, pp. 537-554, 1999.

[15] M. Gagne. Applications of Bilinear Mapsin Cryptography, Master’s thesis, Uni-versity of Waterloo, 2002. available athttp://wwwcsif.cs.ucdavis.edu/˜gagne/thesis.pdf

[16] P. Gemmel. An Intoduction to Threshold Cryp-tography, CryptoBytes, a technical newsletter ofRSA Laboratories, Vol. 2, No. 7, 1997.

18


[17] C. Gentry and A. Silverberg. Hierarchical ID-Based Cryptography, Proceedings of Asiacrypt2002, LNCS 2501 pp. 548-566, 2002.

[18] F. Hess. Exponent Group Signature Schemesand Efficient Identity Based Signature SchemesBased on Pairings, Cryptology ePrint Archive,Report 2002/012, 2002.

[19] J. Horwitz and Ben Lynn. Toward HierarchicalIdentity-Based Encryption, Proceedings of Euro-crypt 2002, LNCS 2332, pp. 466-481, 2002.

[20] D. Huhnlein, M. Jacobson and D. Weber.Towards Practical Non-interactive Public KeyCryptosystems Using Non-maximal ImaginaryQuadratic Orders, Proceedings of SAC 2000,LNCS 2021, pp. 275-287, 2000.

[21] A. Joux. The Weil and Tate Pairings as Build-ing Blocks for Public Key Cryptosystems, ANTS2002, LNCS 2369, pp. 20-32, 2002.

[22] B. Lynn. Authenticated Identity-Based En-cryption, Cryptology ePrint Archive, Report2002/072, 2002.

[23] J. Malone-Lee. Identity-Based Signcryption,Cryptology ePrint Archive, Report 2002/098,2002.

[24] U. Maurer and Y. Yacobi. Non-interactivepublic-key cryptosystem, Proceedings of Euro-crypt ’91, LNCS 547, pp. 498-507, 1991.

[25] K. Paterson. ID-Based Signatures from Pairingson Elliptic Curves, Electronics Letters, Vol. 38(18), 1025-1026, 2002.

[26] C. Rackoff and D. Simon. Noninteractive Zero-Knowledge Proof of Knowledge and Chosen Ci-phertext Attack, Proceedings of Crypto ’91, pp.433-444, 1991.

[27] R. Rivest, A. Shamir and D. Wagner. Time lockpuzzles and timed release cryptography, Techni-cal report, MIT/LCS/TR-684.

[28] A. Shamir. Identity-Based Cryptosystems andSignature Schemes, Proceedings of Crypto ’84,pp. 47-53, 1984.

[29] N. Smart. An Identity Based Authenticated KeyAgreement Protocol Based on the Weil Pairing,Electronics Letters, Vol 38, pp 630-632, 2002.

[30] S. Tsuji and T. Itoh. An ID-based cryptosystembased on the discrete logarithm problem, IEEEJournal on Selected Areas in Communication,vol. 7, no. 4, pp. 467-473, 1989.

[31] H. Tanaka. A realization scheme for the identity-based cryptosystem, Proceedings of Crypto ’87,LNCS 293, pp. 341-349, 1987.

[32] Y. Yacobi. A Note on the Bilinear Diffie-HellmanAssumption, Cryptology ePrint Archive, Report2002/113, 2002.

[33] F. Zhang, S. Liu and K. Kim. ID-BasedOne Round Authenticated Tripartite Key Agree-ment Protocol with Pairings, Cryptology ePrintArchive, Report 2002/122, 2002.

19


Advances in Side–Channel CryptanalysisElectromagnetic Analysis and Template Attacks

Dakshi Agrawal Bruce Archambeault Suresh Chari Josyula R. RaoPankaj Rohatgi

IBM T. J. Watson Research CenterP.O. Box 704

Yorktown Heights, NY 10598email: {agrawal,barch,schari,jrrao,rohatgi}@us.ibm.com

Abstract

We describe two recent advances which substan-tially increase the scope and power of side–channelcryptanalysis. The first advance is the exploitationof information leakage from electromagnetic emana-tions. The second advance, known as template at-tacks, is a superior data analysis technique which sub-stantially reduces the number of side–channel sam-ples needed for an attack. These advances pose a riskto all cryptographic implementations, including thoseimmune against earlier side–channel attacks.

1 Introduction

Side–channel cryptanalysis has emerged as an ex-tremely powerful and practical tool for breaking com-mercial implementations of cryptography. These at-tacks exploit the fact that implementations of cryptog-raphy on physical devices leak much more informa-tion than just the input–output relationship [12, 13]. Alarge number of attacks have been published, exploit-ing leakages from subtle channels, such as the timingof operations and the instantaneous power consump-tion of the device.

In contrast to most cryptanalytic attacks, timing andpower attacks are extremely easy to mount, while theirconsequences are equally devastating. Hence, ven-dors expend substantial effort to protect their prod-ucts against such attacks. While timing attacks arewidely applicable, simple countermeasures are quiteeffective and have been incorporated in most imple-mentations. On the other hand, power–analysis at-tacks are notoriously hard to counter: Even thoughsound countermeasures are available [9, 4], apply-ing them is an error-prone task. Fortunately, suchattacks only afflict smart cards and other simple de-vices where the unfiltered power line is readily ac-cessible. As a consequence, while third–party valida-tion of power–analysis countermeasures has becomethe norm for smart card development, vendors of de-vices with inaccessible power lines have been spared.Some vendors have also attempted to side–step theseattacks by throwing in ad–hoc countermeasures at aprotocol level. For example, implementations vulner-able to statistical attacks on multiple invocations areprotected by protocol–tweaks which limit the numberof invocations available to the attacker.

In this article, we describe two recent advanceswhich substantially increase the scope and power ofside–channel attacks. These advances pose a signif-icant risk to all existing cryptographic implementa-

20


tions, including those deemed secure against power–analysis attacks. Implementations relying on inacces-sible power lines or ad–hoc, protocol–level counter-measures are especially vulnerable to these advances.

The first advance is the practical exploitation ofinformation leaked from electromagnetic (EM) em-anations [1]. For a long time it was rumored thatEM–based attacks were an extremely powerful toolfor espionage. It is known that defense organizationsgo to great lengths to contain EM emanations fromtheir equipment and facilities. Not surprisingly, largeamounts of information about EM–analysis continuesto be classified [18, 10]. Our work in [1] shows thatthese rumors and precautions were fully justified: Notonly does EM–analysis provide an avenue for attack-ing cryptographic devices from a distance where thepower line is inaccessible, it also provides informationnot available in the power side–channel.

The second advance, termed template attacks in [5],is a technique for attacking cryptographic implemen-tations where an attacker is limited to very few in-vocations, and where traditional side channel attacksdo not work. Such situations arise frequently in thecase of stream ciphers and in cases where protocol–level countermeasures to side–channel analysis havebeen deployed. The technique is motivated by re-sults from signal detection and estimation theory. Ituses a test device, identical to the target device beingattacked, to build detailed noise models of the side–channel for different device states. These models (ortemplates) are used to classify the available signal(s)from the target device. The sophistication and accu-racy of these models determines how close the tech-nique approaches optimality in terms of utilizing allthe information present within the available signals.

While our advances substantially improve the stateof the art in side–channel attacks, defending againstthem need not be more onerous than defending againstpower–analysis attacks. Sound randomization–basedcountermeasures against power–analysis [4, 9] are

applicable to all types of limited information leak-age. Randomized implementations are usually im-mune against template attacks, since the adversarycannot force his test device to mimic the randomchoices made by the target device. To defend againstEM attacks, hardware vendors must profile all EMleakages from their raw hardware and take steps toreduce egregious ones. Implementors of cryptogra-phy on such hardware should take into account the netleakage from the power and EM channels to select theappropriate countermeasures. We hope that, in light ofthese advances, implementors will treat side–channelattacks seriously and address them using sound coun-termeasures rather than ad–hoc ones.

2 EM Emanation Analysis

2.1 Understanding EM Emanations

There are two broad categories of EM emanations:

1. Direct Emanations: These result from intentionalcurrent flows within circuits. Many of these consist ofshort bursts of current with sharp rising edges, result-ing in emanations over a wide frequency band. Often,components at higher frequencies are more useful tothe attacker due to noise and interference prevalent inthe lower bands. In complex circuits, isolating directemanations can be very difficult due to interferencefrom other signals. Minimizing interference requiresthe use of tiny field probes positioned very close tothe signal source and/or special filters to extract thedesired signal.

2. Unintentional Emanations: Increased miniatur-ization and complexity of modern CMOS devices re-sults in electrical and electromagnetic coupling be-tween components in close proximity. Small cou-plings, typically ignored by circuit designers, providea rich source of compromising emanations. These em-anations manifest themselves as modulations of thecarrier signals generated, present or introduced within

21


the device. Typical sources of such carriers include theharmonic–rich clock signal(s) and signals used for in-ternal and external communication. Depending on thetype of coupling, the carrier can be either AmplitudeModulated (AM) or Angle Modulated (e.g., FM) bythe sensitive signal, or the modulation could be morecomplex. If the modulated carrier can be captured,then the sensitive signal can be recovered using an EMreceiver tuned to the carrier frequency and performingthe appropriate demodulation.

Initial published work on EM–analysis [11, 16] fo-cused exclusively on direct emanations. However, theresulting attacks were limited in scope. The best at-tacks were semi-invasive and required careful posi-tioning of micro-antennas on the passivation layer ofthe chip substrate. Such attacks were not known to bebetter than power–analysis attacks.

The key to unlocking the power of the EM side–channel lies in exploiting unintentional emanationsrather than direct emanations. Some modulated car-riers are much stronger and propagate much furtherthan direct emanations. This enables attacks to be car-ried out at a distance without resorting to any invasivetechniques. This situation has an analogue in astron-omy where planets around distant stars are detectednot via direct observation but via indirect observation.While the reflected light coming from a planet is quitefeeble and easily overwhelmed by light from the star,a planet affects the star’s light in measurable ways.For example, a revolving planet can produce a notice-able wobble in the star’s position due to gravitationaleffects, or produce a detectable dimming of the star’slight when it comes between the star and the Earth.

2.2 EM Attack Equipment

Just like power–analysis, an EM attack system re-quires sample collection equipment such as a digitaloscilloscope or a PC-based data sampling card. Thecritical piece of equipment for enabling EM attacksis an EM receiver/demodulator which can be tuned

to various modulated carriers and performs demodu-lation to extract the sensitive signal. Here, the maintradeoff is between cost and convenience. Those withbudgets in the tens of thousands of dollars can buy anew/used high-end receiver such as the Dynamic Sci-ences R-1550 [7], which covers a wide band and of-fers the user a large selection of bandwidths and de-modulation options. Those on low budgets could set-tle for a used ICOM IC-R7000 receiver which can behad for under $1000, but provides only limited band-width, is noisier, and requires software to demodulateits IF output. Those on low budgets and unwilling toput up with noise and limited bandwidth can constructtheir own receiver for under $1000 by using com-monly available low–noise electronic components anddemodulation software; the additional inconveniencewith this approach is the need for frequent calibra-tion. Picking up EM signals also requires the use ofEM near-field probes and antennas appropriate for theband being considered. However, these items are notexpensive and can even be assembled using low-costmaterials from a hardware store.

2.3 EM Attacks on an RSA–Accelerator

We illustrate the power of the EM side-channel bymeans of an example of special interest to the readersof this newsletter. We analyzed a commercial, PCI–based SSL/RSA accelerator, R 1, installed in an Intel-based server. We programmed the server to repeat-edly decrypt a fixed ciphertext, i.e. invoke R to per-form modular exponentiation with the given cipher-text, modulus and exponent.

In a real–world setting, mounting power and tim-ing attacks on such a setup is infeasible and/or risky.The server’s power supply is well filtered and con-taminated by large currents from a number of com-ponents. For power–analysis, the attacker will have tophysically open the server to access R, and make addi-

1We are using a pseudonym to protect vendor identity. R israted to perform 200, 1024-bit CRT based RSA private key ops/s.

22


tional hardware modifications to tap the power/groundlines feeding the RSA engine. Theoretically, R suffersfrom a timing attack, due to conditional subtractionin the Montgomery reduction step [15, 6]. With per-fect timing information, this attack can extract reason-ably sized keys (1024-bits or more) with a few milliontiming samples. However, in practice, the timing ob-tained by interacting with the server will be very in-accurate due to random delays introduced by networklatency, server load, server OS, server-to-R commu-nication, etc. Compensating for this inaccuracy willrequire a several–fold increase in the number of tim-ing samples, thus rendering this attack infeasible.

The situation changes dramatically when EM em-anations are considered. Even though R is inside aclosed server, a large number of carriers are availableon the outside. This holds not just for R but for allRSA accelerators that we have tested, including somedesigned to meet the tamper resistance standard ofFIPS. One typically finds many high energy carriersat multiples of the accelerator’s clock frequency andseveral intermediate strength intermodulated carriersat other frequencies. These intermodulated carriersarise due to non-linear interactions among the variouscarriers present within the accelerator’s operating en-vironment. The presence of so many signals permitsa variety of attacks to be mounted at various distancesfrom the device.

Even at distances of fifty feet and through wallsand glass, one can capture some high energy ema-nations from R. These are mostly modulated carri-ers at the odd–harmonics of R’s internal clock. AM–demodulating these carriers yields signals where thestart and end of the modular exponentiation is clearlydelimited. These signals greatly enhance the tim-ing attack on R, to the point where it may even be-come practical. An EM detector stationed inconspic-uously in another room, 40-50 feet away, could pre-cisely measure RSA operation timing, regardless ofnetwork/server/communication latency. Such an EM-enhanced timing attack still has a few disadvantages:

0.5 1 1.5 2 2.5

−1000

−500

0

500

1000

1500

TIME ( ms )

AM

PLI

TU

DE

Figure 1: EM Signal from SSL Accelerator R.

Firstly, a large number of invocations are needed,and secondly, the attack does not work if the soft-ware controlling R implements the RSA data–blindingcountermeasure[12].

If, on the other hand, the adversary can get a smallEM capturing/retransmitting device within 4-5 feetfrom R, he will have a wide range of EM attacks athis disposal, including attacks which use a single in-vocation and attacks which bypass the data blindingdefense. At the very least, he can launch EM versionsof the numerous published power–analysis attacks thatexploit specific leakages that occur in RSA hardwarefound in smart cards. Unless R has been specificallydesigned to resist all known power–analysis attacks,there is no hope that it can survive EM attacks at thisdistance. The reader will better appreciate this situ-ation by looking at the quality of information aboutRSA internals that is available in these EM emana-tions: It is at least as good, if not better, than what isavailable in power–analysis scenarios.

Figure 1 shows the signal obtained by AM demodu-lating a 461.46Mhz intermodulated carrier with a bandof 150Khz for a period of 2.5ms during which R com-

23


0.9 0.95 1 1.05 1.1 1.15 1.2

−1000

−500

0

500

1000

TIME ( ms )

AM

PLI

TU

DE

Figure 2: Same exponent, different data.

putes two successive and identical 2048-bit modularexponentiations with a 12-bit exponent. For clarity,the figure shows an average taken over ten signal sam-ples. One can clearly see a basic signal shape repeatedtwice, with each repetition corresponding to a modu-lar exponentiation. The first repetition spans the timeinterval from 0 to 1.2ms and the second from 1.2msto 2.4ms. The signal also shows the internal structureof the exponentiation operation. From time 0ms to0.9ms, R receives the exponentiation request and per-forms some precomputation to initialize itself to ex-ponentiate using the Montgomery method. The actual12-bit exponentiation takes place approximately fromtime 0.9ms to 1.2ms. A closer inspection of this re-gion reveals substantial information leakage which isbeneficial to an adversary. Figure 2 plots an expandedview of this region for two different exponentiation re-quests which have the same modulus and exponent butdifferent data. The two signals are plotted in differentcolors. From the start, one can see that the two signalsgo in and out of alignment due to data dependent tim-ing of the Montgomery multiplications employed bythis implementation.

In fact, if an adversary knows the modulus and thedata being exponentiated then, according to the work

0.9 0.95 1 1.05 1.1 1.15 1.2

−1000

−500

0

500

1000

TIME ( ms )A

MP

LIT

UD

E

Figure 3: Same data, different exponents.

of [20], Montgomery multiplication timings for oneor a few invocations are enough to recover the secretexponent. An earlier approach that also works is theMESD (multi-exponent, single data) style attack of[14]. In MESD, the adversary tries to match the ob-served signal with a signal generated from an identicalRSA device on identical data by adjusting the bits of aprefix of a trial exponent. When the prefix of the bitsof the trial exponent match those of the unknown ex-ponent, the corresponding prefix of the observed sig-nal matches the generated one. For example Figure3 plots the region of exponentiation for two differentexponentiation requests having the same modulus anddata but different exponents. The first 5 bits of thetwo exponents are the same and, as can be seen, thetwo signals are initially aligned and timing differencesonly arise at around 1.05ms which is somewhere in themiddle of the 12-bit exponentiation.

Even if the adversary does not know the modulusand the data being exponentiated (e.g., Chinese Re-maindering and/or data blinding are used), the RSAimplementation can still be broken using results of[3, 20, 17]. This is because the statistics of the condi-tional subtract operation in Montgomery reduction de-pend on whether a square or a multiply is carried out.

24


4482 4484 4486 4488 4490 4492 4494 4496

−150

−100

−50

0

50

Figure 4: Leakage of an S-box output bit in 4side–channels during Region 1 of computation. Thesolid line shows power channel leakage and differentbroken-line styles show leakages from 3 EM channels.

In fact, such timing statistics from just a few hundredtraces are sufficient to recover the secret exponent.

At intermediate distances of 10-15 feet, the levelof noise increases but there is still enough informa-tion to enable several attacks. In particular, the attackbased on conditional–subtract statistics [3, 20, 17] stillworks on all RSA implementations, albeit with an in-creased number of, say, a few thousand samples. Ifan attacker at this distance is further limited to onlya few samples, he could still mount template attackson non-blinded, non-CRT RSA implementations to re-cover the key.

2.4 Multiplicity of EM channels

As mentioned earlier, several EM signals can beisolated from any device. This raises several interest-ing questions: One question is whether such a multi-plicity is beneficial to an attacker, i.e., do different EMsignals provide different types of information, or isthere just one type of information leakage which hap-pens to be present with differing magnitudes withindifferent EM signals? Another important question iswhether the EM side–channels as a whole are any bet-ter than the power side–channel, i.e., are EM–attacksstill useful when the power side–channel is available?

7633 7634 7635 7636 7637 7638 7639 7640

−20

0

20

40

60

80

Figure 5: S-box bit leakage in power and EM channelsin Region 2.

We answer these questions by applying Differen-tial Power Analysis (DPA) and Differential Electro-magnetic Analysis (DEMA) attacks to measure infor-mation leakage. It is well known that the sensitivedata (for example, a bit of the output of an S-box) haslarge co-variance with the side–channel signal at timeswhen it leaks and zero co-variance when it does not.This is the underlying basis for attacks such as DPAand DEMA. Thus, by comparing the co-variance plotsfor the same sensitive data using different signals, wecan compare its leakage across these different signals.We performed one DPA and three DEMA attacks on aDES implementation on a smart-card, based on pre-dicting an S-box output bit in the first round. TheDEMA attacks used different EM signals.

We plotted all four co-variance plots together andaligned them in time. The first thing we noted is thatthe most prominent leakages occur at different timesin the different signals. This means that the mech-anism of leakage is different in these signals. Fig-ures 4 and 5 show two regions in time where someof the prominent leakages occur. These plots showthe leakages of the S-box bit (i.e., the value of theco-variance) for all four signals with respect to time(in 10ns units). Each different signal is plotted in adifferent line–style, with the power leakage being asolid line and the 3 EM leakages plotted in differentbroken–line styles. In Figure 4 we see a region wherethere is substantial leakage in two EM channels, mi-nor leakage in the third and no leakage in the powerchannel. This shows that EM channels have leakages

25


missed by the power channel. Figure 5 shows a regionwhere the two EM channels which had large leakagesin the earlier region failed to pick up a leakage thatwas picked up very well by the third EM channel aswell as the power channel.

Now that we have strong evidence that differentEM channels carry different information and thatsome EM channels leak certain information much bet-ter than the power channel, the true power of EM–analysis finally emerges. Not only can an attackermount EM attacks in situations where the power chan-nel is unavailable, sometimes he can use a single EMchannel to mount attacks which are impractical usingthe power channel. This has serious implications forthe security of current power–analysis resistant imple-mentations. We have verified on smart cards that cer-tain DPA resistant implementations are indeed vulner-able to single channel EM attacks.

In fact, the situation is much worse. An attackercould potentially do much better by combining infor-mation leakages from multiple EM channels and/orthe power channel. Developing countermeasures forsuch attacks requires a methodology to assess the netinformation leakage from all the EM signals (and thepower signal) realistically available to an adversary.Dealing with multiple channels and assessing their netinformation leakage is quite complex and sometimescounter–intuitive and is outside the scope of this paper.The interested reader can find more about our work onthese aspects of the EM side–channel(s) in [2].

3 Template Attacks

Most of the devastating side–channel attacks re-ported in the literature can be classified as either Sim-ple Power Analysis (SPA) or Differential Power Anal-ysis (DPA) [13]. In SPA, the key can be extractedfrom a single (or few) sample(s) due to substantialleakages when executing key–dependent code. For in-stance, if the implementation contains key–dependent

branching, the side-channel will usually reveal whichbranches were executed, hence yielding the key. SPAis also possible on implementations which use instruc-tions for which sensitive information is clearly vis-ible over and above the noise inherent in the side-channel. For example, if an instruction conditionallysets a carry bit, there could be enough leakage in theside–channel to disclose the value of this bit. Whenthere is no key-dependent branching and low leakageinstructions are used, SPA is not possible and statis-tical techniques such as DPA are needed. DPA relieson the statistical analysis of a large number of side–channel samples of the cryptographic operation, in-voked with the same secret key and possibly differ-ing data. Intuitively, with a large number of samples,the random noise component can be substantially re-duced by averaging, and the smaller leakage signalsextracted. To date, all side-channel attacks, even thoseusing EM emanations, are variants of the basic tech-niques of SPA and DPA.

In [5], we showed that SPA/DPA-based techniquesare sub-optimal since they do not exploit all the infor-mation available in each side–channel sample. Con-sequently, some implementations believed to be im-mune to side–channel attacks simply because the ad-versary is limited to one or at most a few compromis-ing samples, can in reality be broken using templateattacks which extract more information from the sam-ples. Many such implementations are found in appli-cations where higher-level protocols limit the numberof samples an adversary can collect. Such situationsalso arise naturally in the case of many stream ciphers.

Consider an implementation of the stream cipherRC4. While there are cryptanalytic results highlight-ing minor statistical weaknesses, there are no majorstatistical biases that can be easily exploited by side–channel attacks. To our knowledge, no successfulside–channel attack on a reasonably designed2 RC4

2IEEE 802.11 uses RC4 in a protocol which reuses significantportions of the secret key, thus making implementations vulnera-ble to DPA and indeed to cryptographic attacks

26


implementation has been reported. In a well designedsystem, the RC4 cipher will always be initialized witha fresh secret key. Initializing the 256-byte internalstate of RC4 using the secret key is simple enough tobe implemented using low leakage instructions, in akey–independent manner. Thus, simple attacks suchas SPA are unlikely. After initialization, the only se-cret is the internal state. However, this state evolvesvery rapidly as the cipher outputs more bytes. Thisrapidly evolving secret state is outside the controlof the adversary. This provides inherent immunityagainst statistical attacks such as DPA, since the ad-versary cannot freeze the active part of the state tocollect multiple samples.

For RC4, the best that an adversary can hope foris to obtain a single sample of the side–channel leak-age during the key initialization phase. As mentionedabove, a good implementation of RC4 will not be vul-nerable to SPA on such a sample. We verified this factby coding an implementation of RC4 on a smart card.However, the same implementation is easily brokenwith a single sample using the template attack tech-nique. The template attack technique can theoreticallyextract all possible information available in each sam-ple and is hence the strongest form of side–channelattack possible in an information theoretic sense.

Template attacks require the adversary to possessa programmable device identical to the device beingattacked. While such an assumption is limiting, it ispractical in many cases and has been used before inother side–channel attacks [8, 14]. In the followingsubsection, we outline the theoretical underpinningsof the template attack and describe some heuristics formaking the attacks practical.

3.1 Template Attack Technique

Assume we have a device performing one of K pos-sible operation sequences: For example, these couldbe the executions of the same code for K different val-ues of some key bits. An adversary who gets a sample

S of the side–channel during this operation wishes toidentify which of the K operation sequences is beingexecuted or to significantly reduce the set of of possi-bilities. We call this the sample classification problem.

In signal processing, it is customary to model theobserved sample as a combination of an intrinsic sig-nal component generated by the operation and a noisecomponent which is intrinsically generated or ambi-ent. Whereas the signal component is the same for re-peated invocations of the operation, the noise compo-nent is best modeled as a random sample drawn froma noise probability distribution. This distribution de-pends on several factors such as the type of operationbeing performed and the physical operating environ-ment. It is well known [19] that the optimal approachfor solving the sample classification problem is to usethe maximum likelihood approach, i.e., the best guessis to pick the operation such that the probability of theobserved noise component in S is maximized. Com-puting this probability requires the adversary to pre-cisely model both the intrinsic signal and the noiseprobability distribution for each of the K operations.We refer to such models for intrinsic signals and noiseprobability distributions as templates. Once each ofthe K templates for the different operations are avail-able, the sample classification problem can be solved.

Translating this theoretical technique into an attackpresents several practical problems. The first problemis to obtain templates without complete and detailedphysical specifications of the device to be attacked oreven full access to it. We get around this problem byusing an experimental device, identical to one to beattacked, to build the templates that are needed. Whileno two devices are truly identical, devices which comefrom the same hardware revision are similar enoughfor this technique to work.

The second problem is that it is difficult to esti-mate the noise probability distribution, since the noiseis a real valued function of time, and even band-limited noise needs to be modeled as a T -dimensional

27


vector of reals in a certain range.3 Even assumingsmoothness properties, estimating the probability den-sity function over this huge domain becomes infea-sible when T is large. Luckily, modeling the noiseof physical systems is a well-studied problem in Sig-nal Detection and Estimation Theory [19] and we canuse any of the several accurate and computationallyfeasible noise models that are available. For exam-ple, for our RC4 attack, we found that the Multivari-ate Gaussian Noise model is sufficient, whereas sim-pler models based on univariate statistics gave poor re-sults. Most of the effort in estimating the multivariateGaussian noise distribution goes towards computingthe pairwise noise correlations for the T points, whichrequires around O(T2) work.

The third problem is that, in cryptographic settings,the key–finding problem does not directly translateinto a sample classification problem since the valueof K, the entire key space, is huge. Clearly, building atemplate for each possible cryptographic key is infea-sible. The solution is to meld the basic sample clas-sification approach with details of the cryptographicoperation being attacked. The result is a process ofiterative classification of signals from the signal pro-cessing viewpoint and an extend-and-prune strategyfrom the perspective of searching the key space. Theadversary uses the experimental device to identify asmall prefix S0 of the sample S, depending only ona few unknown key bits K0. Using the experimentaldevice, he builds templates for S0 with each possiblevalue for K0. Using these templates, he classifies S0,i.e., prunes the set of possibilities for the values of K0

being used in S0 to a very small number. Then, inthe next iteration, a longer prefix S1 of S involvingadditional key bits K1 is considered. Each remainingpossible value of K0 is then extended by all possiblevalues of K1, and templates are constructed for thesekey values using the longer prefix. Again, the sampleS is used to prune the set of possible values for both

3T is the number of sampling points or, more exactly, the num-ber of points used for sample classification

K0 and K1. This process is repeated with longer andlonger prefixes of S until all the key bits are coveredand a manageable size set of possibilities for the en-tire key remains. The actual key can then be identifiedfrom this set by testing with known input/outputs.

The success of this strategy critically depends onhow effectively the pruning process reduces the com-binatorial explosion in the extension process. In gen-eral, the extent of information leakage from an im-plementation on a particular device inherently placestheoretical bounds on the success of the template at-tack; the best an adversary can do is to approach thistheoretical bound by building extremely accurate tem-plates. In the particular case of cryptographic algo-rithms implemented on CMOS devices, the chancesof success are likely to be quite good due to the twinproperties of contamination and diffusion. Contami-nation refers to key–dependent leakages which can beobserved over multiple cycles in a section of computa-tion. In CMOS devices, direct manipulation of the keybits makes them part of the device state and these stateleakages can persist for several cycles. Additionally,other variables affected by the key, such as key depen-dent table indices and values, cause further contam-ination at other cycles. The extent of contaminationdetermines the level of success in pruning candidatesfor fresh key bits introduced in the expansion phase.However, if two keys are almost the same, even withcontamination, pruning at this stage may not be ableto eliminate one of them. Diffusion is the well-knowncryptographic property wherein small differences inkey bits are increasingly magnified in subsequent por-tions of the computation. Even when certain candi-dates for key bits are not eliminated due to contamina-tion effects, diffusion will ensure that closely spacedkeys will be pruned rapidly at later stages.

28


0.01 0.02 0.03 0.04 0.05 0.06 0.07 0.08 0.09 0.10

−1000

−500

0

200

TIME (ms)

AM

PLI

TU

DE

Figure 6: Power sample during first five iterations ofRC4 state initialization loop.

3.2 Template attack on RC4

We describe how template attacks can be used onour implementation of RC4. RC4 operates on a 256-byte state table T to generate a pseudo-random streamof bytes that is then XOR’ed with the plaintext. TableT is initially fixed, and first, a variable length key (1 to256 bytes) is used to update T using the pseudo codebelow:

i1 = i2 = 0;for (ctr = 0; ctr < 256; ctr++) {i2 = (key[i1] + T[ctr] + i2) % 256;swap_byte(&T[ctr], &T[i2]);i1 = (i1 + 1) % key_data_len;

}

A portion of the corresponding power side–channelis shown in Figure 6. The observable structural repeti-tion is exactly five successive iterations of the loop.We first verified that simple side-channel analysistechniques do not work on our implementation. Fig-ure 7 is based on side channel samples from the RC4

key initialization phase: The upper trace is the differ-ence between two single power samples when the keysare the same, the lower trace when they are different.Contrary to expectation, the first case shows larger dif-ferences. This ambiguity exists even when one looksat differences of averages of up to five invocations, asshown in Figure 8. Clear and consistent differencesemerge only when one considers averages of severaltens of samples. Therefore, it would appear that sucha carefully coded RC4 implementation cannot be at-tacked using SPA using the single available sample.

0 500 1000 1500 2000 2500 3000−80

−60

−40

−20

0

20

40

0 500 1000 1500 2000 2500 3000−30

−20

−10

0

10

20

30

40

Figure 7: Differences of power samples: upper figureshows sample difference for same key, lower showsdifference for two different keys.

RC4 is, however, an ideal candidate for template at-tacks. It is evident from inspecting the code snippetabove that the key byte used in each iteration causessubstantial contamination. The loading of the keybyte, the computation of index i2 and the use of i2in swapping the bytes of the state table T all contam-inate the side–channel at different cycles. Averagingover a large number of samples makes the extent ofthis contamination easily visible by highlighting sig-nificant and widespread differences for two different

29


0 500 1000 1500 2000 2500 3000−100

−50

0

50

100

0 500 1000 1500 2000 2500 3000−60

−40

−20

0

20

40

Figure 8: Differences of averages of 5 power samples:Upper figure is for the same key and the lower is fortwo different keys.

values of the key byte. Further, the use of i2 and thestate in subsequent iterations, and the fact that RC4is a well-designed stream cipher, quickly propagatessmall key differences to cause diffusion. Thus, one ex-pects that templates corresponding to different choicesof key bytes are very different and can be used to effi-ciently and effectively classify a single sample.

We have obtained very good results in using tem-plate attacks to break this implementation of RC4 [5].Inspecting the averaged RC4 side–channel samplesusing several different keys, we identified 42 points inthe side–channel sample in each iteration where sig-nificant differences appeared. These are the placeswhere the key has good contamination and thus thesepoints are well suited to classify keys. Our first at-tempt used statistical models that treated these 42points independently, i.e, we only looked at meansand standard deviations of the samples at each of thepoints. Although encouraging results were obtainedfor distinguishing between pairs of key bytes whichwere very different (error close to 0%), there were un-acceptably high classification errors (as much as 35%)

for pairs of keys with only a few bit differences. Thusthis approach was deemed unsuitable for an extend-and-prune attack due to high errors which would resultin large number of potential candidates being retained.

Next, we used the Multivariate Gaussian Noisemodel. For our experiment, we used 10 choices forthe first key byte. These were carefully chosen to bevery close and therefore yielded poor results with uni-variate statistics. For each of the 10 values of the keybyte, we took 2000 samples of the side–channel. Weused the same 42 points of interest as in the univari-ate experiment. The templates consisted of the meansand the noise covariance at these points. We usedthe templates and the maximum likelihood estimatorto classify each of these 20000 samples. Our exper-iments showed that the multivariate Gaussian noisemodel was able to correctly identify the right key byteout of the ten possibilities with an average classifica-tion success probability of 99.3% and worst case suc-cess probability of 98.1% (sample chosen randomlyamong 2000 samples with same key byte). Since the10 key bytes were carefully chosen to reflect the worstcase, these results can be extrapolated to the case of256 different values of the key byte. Even if we pes-simistically assume for each key byte there are 50−60bytes which are close, we would get an average classi-fication error of 5 − 6% while classifying all possiblevalues of that byte.

With the multivariate approach, we can extractsmall sized keys, even by using the drastic pruningstrategy of retaining only one possibility for the keybyte at each iteration. If the key is small, we needto run this process only for a few iterations and theoverall error, bounded by the sum of the errors in eachiteration, will still be small. For example, we can dobetter than 50% (total error = 8×6%) for about 8 bytesof key material.

With a little more effort, much better results can beobtained. We could keep more candidates at the end ofeach pruning stage and significantly reduce the proba-

30


bility of error. For example, with a slight modificationof the maximum likelihood method, we can keep atmost 1.3 hypotheses (on an average) for the key byteand have a 98.67% guarantee that the correct byte isretained. Using this approach independently for eachiteration, for an n-byte key, we can reduce the num-ber of possibilities down to (1.3)n while retaining thecorrect key with probability at least (100 − 1.33n)%.Thus, we are able to substantially reduce the 8n bits ofentropy in the key to about 0.38n. The results of an ac-tual template attack will be better than these estimatessince the templates will built for longer and longerprefixes of the computation and not independently foreach iteration. Due to the diffusion property of theRC4 key initialization algorithm, candidates havingincorrect values for the initial key bytes are likely tobe eliminated at later stages of the process. Thus thefinal number of candidates will be substantially lowerthan (1.3)n.

References

[1] D. Agrawal, B. Archambeault, J. R. Rao and P.Rohatgi. The EM Side Channel(s). Proceedingsof CHES 2002, Springer, Lecture Notes in Com-puter Science 2523, B. Kaliski, C. K. Koc, C.Paar (Eds.), pages 29–45.

[2] D. Agrawal, B. Archambeault, J. R. Raoand P. Rohatgi. The EM Side Channel(s):Attacks and Assessment Methodologies. Seehttp://www.research.ibm.com/intsec/emf-paper.ps.

[3] A. V. Borovik and C. D. Walter. A Side Chan-nel Attack on Montgomery Multiplication, pri-vate technical report, Datacard platform seven,July ’99.

[4] S. Chari, C. S. Jutla, J. R. Rao and P. Rohatgi.Towards Sound Countermeasures to Counter-act Power–Analysis Attacks. Proceedings of

CRYPTO ’99, Springer, Lecture Notes in Com-puter Science 1666, M.J. Wiener (Ed.), pages398–412.

[5] S. Chari, J. R. Rao and P. Rohatgi. TemplateAttacks. Proceedings of CHES 2002, Springer,Lecture Notes in Computer Science 2523, B.Kaliski, C. K. Koc, C. Paar (Eds.), pages 13–28.

[6] J.-F. Dhem, F. Koeune, P.-A. Lerox, P. Mestr’e,J.-J. Quisquater and J.-L. Willems. A PracticalImplementation of the Timing Attack. Proceed-ings of CARDIS ’98, Springer, Lecture Notesin Computer Science 1820, J.-J Quisquater, B.Schneier (Eds.), pages 167–182.

[7] Dynamic Sciences International Inc. Seehttp://www.dynamic-sciences.com/r1550.html.

[8] P. N. Fahn and P. J, Pearson. IPA: A New Classof Power Attacks. Proceedings of CHES ’99,Springer, Lecture Notes in Computer Science1717, C. K. Koc, C. Paar (Eds.), pages 173–186.

[9] L. Goubin and J. Patarin. DES and DifferentialPower Analysis (The “Duplication” Method).Proceedings of CHES ’99, Proceedings of CHES’99, Springer, Lecture Notes in Computer Sci-ence 1717, C. K. Koc, C. Paar (Eds.), pages 158–172.

[10] NSA TEMPEST Documents. Seehttp://cryptome.org/nsa-tempest.htm.

[11] K. Gandolfi, C. Mourtel and F. Olivier. Electro-magnetic Attacks: Concrete Results. Proceed-ings of CHES 2001, Springer, Lecture Notes inComputer Science 2162, C. K. Koc, D. Nac-cache, C. Paar (Eds.), pages 251–261.

[12] P. Kocher. Timing Attacks on Implementationsof Diffie-Hellman, RSA, DSS and Other Sys-tems. Proceedings of CRYPTO ’96, Springer,Lecture Notes in Computer Science 1109, N.Koblitz (Ed.), pages 104–113.

31


[13] P. Kocher, J. Jaffe and B. Jun. DifferentialPower Analysis: Leaking Secrets. Proceedingsof CRYPTO ’99, Springer, Lecture Notes inComputer Science 1666, M.J. Wiener (Ed.), pp388–397.

[14] T.S. Messerges, E.A. Dabbish, and R.H. Sloan.Power Analysis Attacks of Modular Exponenti-ation in Smart Cards. Proceedings of CHES ’99,Springer, Lecture Notes in Computer Science1717, C. K. Koc, C. Paar (Eds.), pages 144–157.

[15] P. L. Montgomery. Modular multiplication with-out trial division, Mathematics of Computation,44 (1985), no 170, pages 519–521.

[16] J.-J. Quisquater and D. Samyde. ElectroMag-netic Analysis (EMA): Measures and Counter-Measures for Smart Cards. Proceedings of E-smart 2001, Springer, Lecture Notes in Com-puter Science 2140, I. Attali, T. P. Jensen (Eds.),pages200-210.

[17] W. Schindler, A Timing Attack against RSAwith Chinese Remainder Theorem. Proceedingsof CHES 2000, Springer, Lecture Notes in Com-puter Science 1965, C. K, Koc, C. Paar (Eds.),pages 109–124.

[18] The complete unofficial TEM-PEST web page. Available athttp://www.eskimo.com/ joelm/tempest.html.

[19] H. L. Van Trees. Detection, Estimation, andModulation Theory, Part I. John Wiley & Sons.New York. 1968.

[20] C. D. Walter and S. Thompson. DistinguishingExponent Digits by Observing Modular Subtrac-tions. Proceedings of CT-RSA 2001, Springer,Lecture Notes in Computer Science 2020, D.Naccache (Ed.), pages 192–207.

32

A B O U T R S A L A B O R A T O R I E S

An academic environment within a commercial organization,RSA Laboratories is the research center of RSA Security Inc.,the company founded by the inventors of the RSA public-keycryptosystem. Through its research program, standards develop-ment, and educational activities, RSA Laboratories providesstate-of-the-art expertise in cryptography and security technol-ogy for the benefit of RSA Security and its customers.

Please see www.rsasecurity.com/rsalabs for more information.

N E W S L E T T E R A V A I L A B I L I T Y A N D

C O N T A C T I N F O R M A T I O N

CryptoBytes is a free publication and all issues, both currentand previous, are available at www.rsasecurity.com/rsalabs/cryptobytes. While print copies may occasionally be distributed,publication is primarily electronic.

For more information, please contact:

[email protected].

©2003 RSA Security Inc. All rights reserved.

RSA and RSA Security are registered trademarks of RSA Security Inc. All other trademarks are the

property of their respective owners.

CRYPTOBYTES VOLUME 6, NO. 1, 2003
