Hardware Security Side channel attacks

Size: px

Start display at page:

Download "Hardware Security Side channel attacks"

Benjamin Flowers
5 years ago
Views:

1 Hardware Security Side channel attacks R. Pacalet May 24, 2018

2 Introduction Outline Timing attacks P. Kocher Optimizations Conclusion Power attacks Introduction Simple Power Analysis (SPA) Differential Power Analysis (DPA) Wrap up on DPA Exercises on DPA Conclusion 2/52 Institut Mines-Telecom R. Pacalet May 24, 2018

3 Introduction 3/52 Institut Mines-Telecom R. Pacalet May 24, 2018

4 Hardware leaks information Eventually, security is always implemented in hardware Electronic devices consume power, take time to compute and emit electromagnetic radiations (not mentioning temperature, noise... ) These side-channels are usually correlated with the processing In security applications the side-channels can be used to retrieve embedded secrets A few hundreds of power traces can be sufficient to retrieve a secret key from a theoretically unbreakable system Unlike in quantum cryptography the information leakage is usually undetectable True for time Almost true for power 4/52 Institut Mines-Telecom R. Pacalet May 24, 2018

Kocher power-attacks DES, AES, etc. (SPA, DPA). Successful against smart cards, FPGAs,.

5 A bit of history 1956: MI5 against Egyptian Embassy in London (click-sound of the Hagelin enciphering machine) 1996: P. Kocher time-attacks RSA, DH, DSS (applied with success in 2003 against OpenSSL 0.9.6) 1999: P. Kocher power-attacks DES, AES, etc. (SPA, DPA). Successful against smart cards, FPGAs, : New attacks (SEMA, DEMA, TPA). Importance of hardware security increases (CHES) 5/52 Institut Mines-Telecom R. Pacalet May 24, 2018

6 A bit of history 1956: MI5 against Egyptian Embassy in London (click-sound of the Hagelin enciphering machine) 1996: P. Kocher time-attacks RSA, DH, DSS (applied with success in 2003 against OpenSSL 0.9.6) 1999: P. Kocher power-attacks DES, AES, etc. (SPA, DPA). Successful against smart cards, FPGAs, : New attacks (SEMA, DEMA, TPA). Importance of hardware security increases (CHES) 5/52 Institut Mines-Telecom R. Pacalet May 24, 2018

7 A bit of history 1956: MI5 against Egyptian Embassy in London (click-sound of the Hagelin enciphering machine) 1996: P. Kocher time-attacks RSA, DH, DSS (applied with success in 2003 against OpenSSL 0.9.6) 1999: P. Kocher power-attacks DES, AES, etc. (SPA, DPA). Successful against smart cards, FPGAs, : New attacks (SEMA, DEMA, TPA). Importance of hardware security increases (CHES) 5/52 Institut Mines-Telecom R. Pacalet May 24, 2018

8 A bit of history 1956: MI5 against Egyptian Embassy in London (click-sound of the Hagelin enciphering machine) 1996: P. Kocher time-attacks RSA, DH, DSS (applied with success in 2003 against OpenSSL 0.9.6) 1999: P. Kocher power-attacks DES, AES, etc. (SPA, DPA). Successful against smart cards, FPGAs, : New attacks (SEMA, DEMA, TPA). Importance of hardware security increases (CHES) 5/52 Institut Mines-Telecom R. Pacalet May 24, 2018

9 A bit of history 1956: MI5 against Egyptian Embassy in London (click-sound of the Hagelin enciphering machine) 1996: P. Kocher time-attacks RSA, DH, DSS (applied with success in 2003 against OpenSSL 0.9.6) 1999: P. Kocher power-attacks DES, AES, etc. (SPA, DPA). Successful against smart cards, FPGAs, : New attacks (SEMA, DEMA, TPA). Importance of hardware security increases (CHES) 5/52 Institut Mines-Telecom R. Pacalet May 24, 2018

10 A bit of history 1956: MI5 against Egyptian Embassy in London (click-sound of the Hagelin enciphering machine) 1996: P. Kocher time-attacks RSA, DH, DSS (applied with success in 2003 against OpenSSL 0.9.6) 1999: P. Kocher power-attacks DES, AES, etc. (SPA, DPA). Successful against smart cards, FPGAs, : New attacks (SEMA, DEMA, TPA). Importance of hardware security increases (CHES) 5/52 Institut Mines-Telecom R. Pacalet May 24, 2018

11 A bit of history 1956: MI5 against Egyptian Embassy in London (click-sound of the Hagelin enciphering machine) 1996: P. Kocher time-attacks RSA, DH, DSS (applied with success in 2003 against OpenSSL 0.9.6) 1999: P. Kocher power-attacks DES, AES, etc. (SPA, DPA). Successful against smart cards, FPGAs, : New attacks (SEMA, DEMA, TPA). Importance of hardware security increases (CHES) 5/52 Institut Mines-Telecom R. Pacalet May 24, 2018

12 A bit of history 1956: MI5 against Egyptian Embassy in London (click-sound of the Hagelin enciphering machine) 1996: P. Kocher time-attacks RSA, DH, DSS (applied with success in 2003 against OpenSSL 0.9.6) 1999: P. Kocher power-attacks DES, AES, etc. (SPA, DPA). Successful against smart cards, FPGAs, : New attacks (SEMA, DEMA, TPA). Importance of hardware security increases (CHES) 5/52 Institut Mines-Telecom R. Pacalet May 24, 2018

13 History repeats itself 2013, 18 th of December: Daniel Genkin (Technion and Tel Aviv University), Adi Shamir (Weizmann Institute of Science), Eran Tromer (Tel Aviv University) RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis. Target: a regular computer computing the GnuPG s current implementation of RSA. Vibrations of electronic components (capacitors and coils) in the voltage regulation circuit as they regulate the voltage accross large fluctuations in power consumption. 6/52 Institut Mines-Telecom R. Pacalet May 24, 2018

14 History repeats itself The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away. 7/52 Institut Mines-Telecom R. Pacalet May 24, 2018

15 History repeats itself The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away. 7/52 Institut Mines-Telecom R. Pacalet May 24, 2018

We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to

16 History repeats itself The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away. 7/52 Institut Mines-Telecom R. Pacalet May 24, 2018

History repeats itself http://www.cs.tau.ac.

17 History repeats itself (the RSA Paso Doble) 8/52 Institut Mines-Telecom R. Pacalet May 24, 2018

18 History repeats itself 9/52 Institut Mines-Telecom R. Pacalet May 24, 2018

History repeats itself https://meltdownattack.

cache hit, exactly on the page that was accessed during

19 History repeats itself Even if a memory location is only accessed during out-of-order execution, it remains cached. Iterating over the 256 pages of probe array shows one cache hit, exactly on the page that was accessed during the outof-order execution. 10/52 Institut Mines-Telecom R. Pacalet May 24, 2018

20 Timing attacks 11/52 Institut Mines-Telecom R. Pacalet May 24, 2018

21 Timing attacks / P. Kocher 12/52 Institut Mines-Telecom R. Pacalet May 24, 2018

22 History First published by Paul Kocher (CRYPTO 96) Implemented by Dhem, Quisquater, et al. (CARDIS 98) Used by Canvel, Hiltgen, Vaudenay, and Vuagnoux to attack OpenSSL (CRYPTO 03) 13/52 Institut Mines-Telecom R. Pacalet May 24, 2018

23 Example #1 Exponentiation M D D = d w 1 d w 2...d 2 d 1 d 0, w-bits exponent d w 1 : Most Significant Bit (MSB), d 0 : LSB D = d 0 +d 1 2+d d w 2 2 w 2 +d w 1 2 w 1 M D = M d 0+d 1 2+d d w 2 2 w 2 +d w 1 2 w 1 = M d 0 M d 1 2 M d M d w 2 2 w 2 M d w 1 2 w 1 ( ) 2 ( ) 4 ( ) 2 = M d 0 M d 1 M d 2... M d w 2 ( ) 2 w 2 M d w 1 w 1 ( ( ) 2 2 ( ) 2 = M d 0 M d 1 M 2) d... M d w 2 ( ) 2 w 2 M d w 1 w 1 ( ( ( ) ) = M d M d 1 M d 2 M d 3... M d w 2 M w 1) d /52 Institut Mines-Telecom R. Pacalet May 24, 2018

24 Example #1 Exponentiation, pseudo-code Multiplication and square algorithm Algorithm 1 Exponentiation 1: A(w) 1 2: for k w do loop from MSB to LSB of D 3: if d k = 1 then bit #k of D (#w 1 is MSB) 4: B(k) A(k +1) M Multiplication 5: else 6: B(k) A(k +1) 7: end if 8: A(k) B(k) 2 Square 9: end for 10: M D = B(0) 15/52 Institut Mines-Telecom R. Pacalet May 24, 2018

25 Example #1 Modular exponentiation, pseudo-code TA prone? Why? What can we expect from TA? Algorithm 2 Modular exponentiation (modexp) 1: A(w) 1 2: for k w do loop from MSB to LSB of D 3: if d k = 1 then bit #k of D (#w 1 is MSB) 4: B(k) (A(k +1) M) mod N Modular multiplication 5: else 6: B(k) A(k +1) 7: end if 8: A(k) B(k) 2 mod N Modular square 9: end for 10: M D = B(0) 16/52 Institut Mines-Telecom R. Pacalet May 24, 2018

26 Example #2 What if timing of modular product and square is data-dependant? What can we expect from TA? Algorithm 3 Modular exponentiation (modexp) 1: A(w) 1 2: for k w do loop from MSB to LSB of D 3: if d k = 1 then bit #k of D (#w 1 is MSB) 4: B(k) (A(k +1) M) mod N Modular multiplication 5: else 6: B(k) A(k +1) 7: end if 8: A(k) B(k) 2 mod N Modular square 9: end for 10: M D = B(0) 17/52 Institut Mines-Telecom R. Pacalet May 24, 2018

27 Example #2: P. Kocher attack A(w) 1 for k w 1...b +1 do... A(k) B(k) 2 mod N end for if d b = 1 then B(b) (A(b +1) M) mod N else B(b) A(b +1) end if A(b) B(b) 2 mod N for k b do... A(k) B(k) 2 mod N end for M D = B(0) Assume attacker measure total modexp time t[i] for large number n of different plaintexts M[i], 1 i n Assume attacker knows leading bits d w 1...d b+1 of D, w > b 0 (none if b = w 1) For each M[i], attacker can compute A(b +1)[i] (thanks to d w 1...d b+1 ) For each M[i], attacker measure or estimate time of (A(b +1)[i] M[i]) mod N Assume for some M[i], (A(b +1)[i] M[i]) mod N is extremely slow (fast) and attacker can distinguish slow, average and fast cases 18/52 Institut Mines-Telecom R. Pacalet May 24, 2018

28 Example #2: P. Kocher attack A(w) 1 for k w 1...b +1 do... A(k) B(k) 2 mod N end for if d b = 1 then B(b) (A(b +1) M) mod N else B(b) A(b +1) end if A(b) B(b) 2 mod N for k b do... A(k) B(k) 2 mod N end for M D = B(0) If t[i] large (slow) when (A(b +1)[i] M[i]) mod N slow bit d b probably 1 B(b)[i] (A(b + 1)[i] M[i]) mod N probably computed t Else d b probably 0 B(b)[i] (A(b + 1)[i] M[i]) mod N probably skipped t The larger the difference, the higher the attacker s confidence Do you understand difference with example #1? 18/52 Institut Mines-Telecom R. Pacalet May 24, 2018

29 Example #2: P. Kocher attack A(w) 1 for k w 1...b +1 do... A(k) B(k) 2 mod N end for if d b = 1 then B(b) (A(b +1) M) mod N else B(b) A(b +1) end if A(b) B(b) 2 mod N for k b do... A(k) B(k) 2 mod N end for M D = B(0) 1 i n, M[i]: plaintext #i T [i]: measured time for M[i] D T [i] = e[i] + k=w 1 k=0 t[i,k] e[i]: measurement error t[i,k]: time of iteration k of M[i] D Attacker knows T [i], not e[i] or t[i,k] Compute w 1 b first iterations M[i],N,d w 1...d b+1 known t m [i,b]: attacker s timing estimate for A(b +1)[i] M[i] mod N 18/52 Institut Mines-Telecom R. Pacalet May 24, 2018

30 Example #2: P. Kocher attack A(w) 1 for k w 1...b +1 do... A(k) B(k) 2 mod N end for if d b = 1 then B(b) (A(b +1) M) mod N else B(b) A(b +1) end if A(b) B(b) 2 mod N for k b do... A(k) B(k) 2 mod N end for M D = B(0) i I slow, j I slow, t m [i,b] > t m [j,b] I slow = n/10 i I fast, j I fast, t m [i,b] < t m [j,b] I fast = n/10 T slow = T fast = i I slow (T [i]) n/10 i I fast (T [i]) n/10 = T slow T fast 18/52 Institut Mines-Telecom R. Pacalet May 24, 2018

31 Example #2: P. Kocher attack A(w) 1 for k w 1...b +1 do... A(k) B(k) 2 mod N end for if d b = 1 then B(b) (A(b +1) M) mod N else B(b) A(b +1) end if A(b) B(b) 2 mod N for k b do... A(k) B(k) 2 mod N end for M D = B(0) > τ d b = 1 < τ d b = 0 τ: threshold Continue with next bit (b 1) until all bits of D known Attack targets one bit at a time Attack efficiency depends on: Number n of experiments Variability of t m [i,b] (data dependency) Noise e[i] I slow and I fast (10% in example) τ 18/52 Institut Mines-Telecom R. Pacalet May 24, 2018

32 P. Kocher attack on RSAREF Mult.: E(t mult ) s σ(t mult ) s Exp.: E(t exp ) s σ(t exp ) s 19/52 Institut Mines-Telecom R. Pacalet May 24, 2018

33 P. Kocher attack on RSAREF RSAREF (functional) reference software library 512 bits modular exponentiation, 256 bits exponent (to speed up experiments) With 250 timing measurements probability of correct decision at any step of attack: /52 Institut Mines-Telecom R. Pacalet May 24, 2018

34 P. Kocher attack on RSAREF RSAREF (functional) reference software library 512 bits modular exponentiation, 256 bits exponent (to speed up experiments) With 250 timing measurements probability of correct decision at any step of attack: /52 Institut Mines-Telecom R. Pacalet May 24, 2018

35 OpenSSL BN library Mult.: E(t mult ) cc σ(t mult ) 130 cc Exp.: E(t exp ) cc σ(t exp ) cc 20/52 Institut Mines-Telecom R. Pacalet May 24, 2018

36 Timing attacks / Optimizations 21/52 Institut Mines-Telecom R. Pacalet May 24, 2018

37 Optimizations A(w) 1 for k w 1...b +1 do... A(k) B(k) 2 mod N end for if d b = 1 then B(b) (A(b +1) M) mod N else B(b) A(b +1) end if A(b) B(b) 2 mod N for k b do... A(k) B(k) 2 mod N end for M D = B(0) Cross-check on modular square timing Once d b known, verification on t s [i,b] Attacker s timing estimate for B b [i] 2 mod N In average, if total time T [i] Large (small) when t s [i,b] large (small)? Yes: better confidence in decision No: doubt about decision 22/52 Institut Mines-Telecom R. Pacalet May 24, 2018

38 Optimizations A(w) 1 for k w 1...b +1 do... A(k) B(k) 2 mod N end for if d b = 1 then B(b) (A(b +1) M) mod N else B(b) A(b +1) end if A(b) B(b) 2 mod N for k b do... A(k) B(k) 2 mod N end for M D = B(0) Detect wrong decisions d b guessed incorrectly ( A(k b)[i], B(k b)[i]) (A(k b)[i],b(k b)[i]) Correlation with measured time not observable any more Attack improvement Keep list of decisions Keep likelihood T slow T fast Likelihood-driven back-tracking Hard decisions soft decisions Resembles channel decoding More memory and CPU usage Reduce number of experiments 22/52 Institut Mines-Telecom R. Pacalet May 24, 2018

39 Optimizations A(w) 1 for k w 1...b +1 do... A(k) B(k) 2 mod N end for if d b = 1 then B(b) (A(b +1) M) mod N else B(b) A(b +1) end if A(b) B(b) 2 mod N for k b do... A(k) B(k) 2 mod N end for M D = B(0) t[i,k]: timing of iteration k of M[i] D mod N t[i,k]: attacker s estimate Variance of timing residue U[i] = k=w 1 t[i,k] k=b+1 [i] = T [i] U[i] = e[i] + = e[i] + k=w 1 k=0 k=b k=0 t[i,k] t[i,k] + k=w 1 k=b+1 t[i,k] k=w 1 (t[i,k] t[i,k]) k=b+1 22/52 Institut Mines-Telecom R. Pacalet May 24, 2018

40 Optimizations A(w) 1 for k w 1...b +1 do... A(k) B(k) 2 mod N end for if d b = 1 then B(b) (A(b +1) M) mod N else B(b) A(b +1) end if A(b) B(b) 2 mod N for k b do... A(k) B(k) 2 mod N end for M D = B(0) If d w 1...d b+1 correct t[i,k > b] t[i,k > b] k=b k=w 1 [i] = e[i] + t[i,k] + (t[i,k] t[i,k]) k=0 k=b+1 e[i] + k=b k=0 t[i,k] ( ) k=b Var i ( ) Var i (e[i]) +Var i t[i,k] k=0 Var( ) when b Var(e) +(b +1) Var(t) 22/52 Institut Mines-Telecom R. Pacalet May 24, 2018

41 Optimizations A(w) 1 for k w 1...b +1 do... A(k) B(k) 2 mod N end for if d b = 1 then B(b) (A(b +1) M) mod N else B(b) A(b +1) end if A(b) B(b) 2 mod N for k b do... A(k) B(k) 2 mod N end for M D = B(0) If d w 1...d a+1 correct but d a...d b+1 wrong for some a b +1 t[i,k > a] t[i,k > a], t[i,a k > b] t[i,a k > b] k=b k=w 1 [i] = e[i] + t[i,k] + (t[i,k] t[i,k]) k=0 k=b+1 e[i] + e[i] + k=b k=0 k=a t[i,k] + t[i,k] k=a (t[i,k] t[i,k]) k=b+1 k=a t[i,k] k=0 k=b+1 Var( ) Var(e) +(a +1) Var(t) +(a b) Var(t) Var(e) +(2 a b +1) Var(t) Var( ) when b 22/52 Institut Mines-Telecom R. Pacalet May 24, 2018

42 Timing attacks / Conclusion 23/52 Institut Mines-Telecom R. Pacalet May 24, 2018

43 Wrap up on TA (1/2) Where does it come from? Time: processing data takes time How does it work? Acquisition phase Same secret Sufficient number of experiments with different input messages Build database of {input, time} pairs (works also with outputs, how?) Analysis phase (usually off-line) Attacker tries to retrieve part s of secret (e.g. 1 bit) Attacker builds timing models TM g (M) Of one part of computation with input M (e.g. 1 modmul) Under assumption that s = g Attacker estimates correlations between the TM g and the T TM g with best correlation g best candidate for s 24/52 Institut Mines-Telecom R. Pacalet May 24, 2018

44 Wrap up on TA (2/2) In our example where we attack one exponent bit at a time For each attacked bit b, 2 timing models: TM 0 (M[i]): modmul time in iteration b of M[i] D mod N if d b = 0 TM 1 (M[i]): modmul time in iteration b of M[i] D mod N if d b = 1 Note: TM 0 (M[i]) = 0 Correlation(TM 1,T ) > Correlation(TM 0,T ) b = 1 Correlation(TM 1,T ) < Correlation(TM 0,T ) b = 0 T slow T fast is an estimator of correlation between TM 1 and T Note: there are much better correlation estimators Pearson correlation coefficient Kolmogorov-Smirnov test,... Whatever the statistical tool, principle remains the same: TM g with best correlation g best candidate for s Analysis usually off-line But interactive, adaptive attacks also exist 25/52 Institut Mines-Telecom R. Pacalet May 24, 2018

45 Pearson correlation coefficient A better statistical tool than partitioning s: portion of the secret under attack n: number of time measurements T [i] (1 i n): time measurements M[i] (1 i n): input messages TM g (M[i]): attacker s timing model for M[i] and guess g on s PCC i (T,TM g ): estimator of correlation between T [i] and TM g (M[i]) g with highest PCC i (T,TM g ) best candidate for s 26/52 Institut Mines-Telecom R. Pacalet May 24, 2018

46 Exercise on timing attacks? Exercise #1: list the hypotheses for a timing attack to be practical 27/52 Institut Mines-Telecom R. Pacalet May 24, 2018

47 Homework Try to understand why DES deciphering is the same as DES enciphering with round keys in reverse order Imagine countermeasures, evaluate their cost and efficiency Study and understand P. Kocher paper and especially the blinding countermeasure he proposes (section 10) Prepare the first lab Read directions Look at provided software libraries Imagine what you will do, why and how Prepare questions 28/52 Institut Mines-Telecom R. Pacalet May 24, 2018

48 Questions? 29/52 Institut Mines-Telecom R. Pacalet May 24, 2018

49 Power attacks 30/52 Institut Mines-Telecom R. Pacalet May 24, 2018

50 Power attacks / Introduction 31/52 Institut Mines-Telecom R. Pacalet May 24, 2018

51 Power in CMOS logic (1/2) Power consumption and cell output transition are correlated S rising edge observed through R P spying resistor: I(VDD) I = I short +I L E: S: 32/52 Institut Mines-Telecom R. Pacalet May 24, 2018

52 Power in CMOS logic (2/2) Power consumption and cell output transition are correlated S falling edge observed through R P spying resistor: I(VDD) I = I short E: S: 33/52 Institut Mines-Telecom R. Pacalet May 24, 2018

53 Power analysis setup (1/2) Power supply Offline analysis Device under attack Recorded traces 34/52 Institut Mines-Telecom R. Pacalet May 24, 2018

54 Power analysis setup (2/2) 35/52 Institut Mines-Telecom R. Pacalet May 24, 2018

55 Power attacks / Simple Power Analysis (SPA) 36/52 Institut Mines-Telecom R. Pacalet May 24, 2018

56 Simple power analysis, example #1 The power trace of a naive DES hardware implementation leaks a lot of information CMOS structures consume power when switching Hamming distance of register transitions Hamming weights in some implementations Clock spikes 37/52 Institut Mines-Telecom R. Pacalet May 24, 2018

57 Simple power analysis, example #1 The power trace of a naive DES hardware implementation leaks a lot of information CMOS structures consume power when switching Hamming distance of register transitions Hamming weights in some implementations Clock spikes 37/52 Institut Mines-Telecom R. Pacalet May 24, 2018

Simple power analysis, example #1 The power trace of a naive DES hardware implementation leaks a lot of information CMOS structures consume power when

58 Simple power analysis, example #1 The power trace of a naive DES hardware implementation leaks a lot of information CMOS structures consume power when switching Hamming distance of register transitions Hamming weights in some implementations Clock spikes 37/52 Institut Mines-Telecom R. Pacalet May 24, 2018

59 Simple power analysis, example #2 Multiply by double and add algorithm Iterate on key bits from MSB to LSB C M K Algorithm 4 The double and add algorithm 1: A 1 1 2: for k 0,w 1 do 3: if K (k) = 1 then 4: B k A k 1 +M Add 5: else 6: B k A k 1 7: end if 8: A k B k 2 Double 9: end for 10: C = M K = B w 1 38/52 Institut Mines-Telecom R. Pacalet May 24, 2018

60 Exercise #2: SPA on DES key schedule Software implementation on a 8 bits CPU Left rotate by 1 position of 28-bits half-key Eight bits accumulator A One bit carry flag C C C 0 A[7..0] Rotate left (ROL) A[7..0] Shift right (LSR) mem[a+3] mem[a+2] mem[a+1] mem[a] 1: CLC; C 0 2: LDA a; A mem(a) 3: ROL; C A A C 4: STA a; mem(a) A 5: LDA a+1; ROL; STA a+1; 6: LDA a+2; ROL; STA a+2; 7: LDA a+3; ROL; STA a+3; 8: AND #$1F; A 000 A[4..0] 9: LSR; C A A[0] 0 A[7..1] 10: LSR; LSR; LSR; A 000 A[7..3] 11: ORA a; A Aormem(a) 12: STA a; 28 bits half-key 39/52 Institut Mines-Telecom R. Pacalet May 24, 2018

61 Power attacks / Differential Power Analysis (DPA) 40/52 Institut Mines-Telecom R. Pacalet May 24, 2018

62 P. Kocher attack on DES (1/2) Last round of DES R (known) + guess g on Key value L(g,R) N pairs of power traces and cipher texts T[i],C[i] Split traces in subsets that should exhibit a different power consumption: S 0 = {T[i] L(g,R[i])(j) = 0} S 1 = {T[i] L(g,R[i])(j) = 1} score(g) = E(S 0 ) E(S 1 ) 4 4 L 4 SBox 6 10 Ciphertext R Key 41/52 Institut Mines-Telecom R. Pacalet May 24, 2018

63 P. Kocher attack on DES (2/2) The larger the difference, the more likely the guess Hence the name Differential Power Analysis (DPA) 42/52 Institut Mines-Telecom R. Pacalet May 24, 2018

64 Power attacks / Wrap up on DPA 43/52 Institut Mines-Telecom R. Pacalet May 24, 2018

65 Wrap up on DPA (1/3)? Where does it come from? Power: computing requires energy Warning: ones do not consume more than zeros: CMOS logic has (almost) no static power consumption Transitions consume power (dynamic power consumption) Guesses on the previous and present value of a node can be cross-checked with the power trace 44/52 Institut Mines-Telecom R. Pacalet May 24, 2018

66 Wrap up on DPA (1/3)? Where does it come from? Power: computing requires energy Warning: ones do not consume more than zeros: CMOS logic has (almost) no static power consumption Transitions consume power (dynamic power consumption) Guesses on the previous and present value of a node can be cross-checked with the power trace 44/52 Institut Mines-Telecom R. Pacalet May 24, 2018

67 Wrap up on DPA (1/3)? Where does it come from? Power: computing requires energy Warning: ones do not consume more than zeros: CMOS logic has (almost) no static power consumption Transitions consume power (dynamic power consumption) Guesses on the previous and present value of a node can be cross-checked with the power trace 44/52 Institut Mines-Telecom R. Pacalet May 24, 2018

68 Wrap up on DPA (1/3)? Where does it come from? Power: computing requires energy Warning: ones do not consume more than zeros: CMOS logic has (almost) no static power consumption Transitions consume power (dynamic power consumption) Guesses on the previous and present value of a node can be cross-checked with the power trace 44/52 Institut Mines-Telecom R. Pacalet May 24, 2018

69 Wrap up on DPA (1/3)? Where does it come from? Power: computing requires energy Warning: ones do not consume more than zeros: CMOS logic has (almost) no static power consumption Transitions consume power (dynamic power consumption) Guesses on the previous and present value of a node can be cross-checked with the power trace 44/52 Institut Mines-Telecom R. Pacalet May 24, 2018

70 Wrap up on DPA (2/3)? How does it work? Two phases: Acquisition phase: same secret, different input messages, sufficient number of experiments => a database of input (output) messages, power trace pairs Analysis phase (usually off-line) Attacker builds power model PM of target implementation For a given input (output) message PM gives estimate of processing power (all of it or only a portion) PM depends on guess g on the secret key: there are as many PM g models as guesses g PM g model that best matches actual power traces is the one of most likely guess g for secret key 45/52 Institut Mines-Telecom R. Pacalet May 24, 2018

71 Wrap up on DPA (2/3)? How does it work? Two phases: Acquisition phase: same secret, different input messages, sufficient number of experiments => a database of input (output) messages, power trace pairs Analysis phase (usually off-line) Attacker builds power model PM of target implementation For a given input (output) message PM gives estimate of processing power (all of it or only a portion) PM depends on guess g on the secret key: there are as many PM g models as guesses g PM g model that best matches actual power traces is the one of most likely guess g for secret key 45/52 Institut Mines-Telecom R. Pacalet May 24, 2018

72 Wrap up on DPA (2/3)? How does it work? Two phases: Acquisition phase: same secret, different input messages, sufficient number of experiments => a database of input (output) messages, power trace pairs Analysis phase (usually off-line) Attacker builds power model PM of target implementation For a given input (output) message PM gives estimate of processing power (all of it or only a portion) PM depends on guess g on the secret key: there are as many PM g models as guesses g PM g model that best matches actual power traces is the one of most likely guess g for secret key 45/52 Institut Mines-Telecom R. Pacalet May 24, 2018

73 Wrap up on DPA (2/3)? How does it work? Two phases: Acquisition phase: same secret, different input messages, sufficient number of experiments => a database of input (output) messages, power trace pairs Analysis phase (usually off-line) Attacker builds power model PM of target implementation For a given input (output) message PM gives estimate of processing power (all of it or only a portion) PM depends on guess g on the secret key: there are as many PM g models as guesses g PM g model that best matches actual power traces is the one of most likely guess g for secret key 45/52 Institut Mines-Telecom R. Pacalet May 24, 2018

74 Wrap up on DPA (2/3)? How does it work? Two phases: Acquisition phase: same secret, different input messages, sufficient number of experiments => a database of input (output) messages, power trace pairs Analysis phase (usually off-line) Attacker builds power model PM of target implementation For a given input (output) message PM gives estimate of processing power (all of it or only a portion) PM depends on guess g on the secret key: there are as many PM g models as guesses g PM g model that best matches actual power traces is the one of most likely guess g for secret key 45/52 Institut Mines-Telecom R. Pacalet May 24, 2018

75 Wrap up on DPA (2/3)? How does it work? Two phases: Acquisition phase: same secret, different input messages, sufficient number of experiments => a database of input (output) messages, power trace pairs Analysis phase (usually off-line) Attacker builds power model PM of target implementation For a given input (output) message PM gives estimate of processing power (all of it or only a portion) PM depends on guess g on the secret key: there are as many PM g models as guesses g PM g model that best matches actual power traces is the one of most likely guess g for secret key 45/52 Institut Mines-Telecom R. Pacalet May 24, 2018

76 Wrap up on DPA (2/3)? How does it work? Two phases: Acquisition phase: same secret, different input messages, sufficient number of experiments => a database of input (output) messages, power trace pairs Analysis phase (usually off-line) Attacker builds power model PM of target implementation For a given input (output) message PM gives estimate of processing power (all of it or only a portion) PM depends on guess g on the secret key: there are as many PM g models as guesses g PM g model that best matches actual power traces is the one of most likely guess g for secret key 45/52 Institut Mines-Telecom R. Pacalet May 24, 2018

77 Wrap up on DPA (3/3) Guesses on the present value only can be cross-checked too if rising and falling transitions consume differently (I I = ɛ) and previous value is uncorrelated If the guess is 0 (1) then we had a falling (rising) transition with probability 1/2 and no transition with probability 1/2 On a large number of traces the average difference should be ɛ/2 Two types of attacks: Hamming distances between two successive states of a node or set of nodes Hamming weights of a node or set of nodes 46/52 Institut Mines-Telecom R. Pacalet May 24, 2018

78 Wrap up on DPA (3/3) Guesses on the present value only can be cross-checked too if rising and falling transitions consume differently (I I = ɛ) and previous value is uncorrelated If the guess is 0 (1) then we had a falling (rising) transition with probability 1/2 and no transition with probability 1/2 On a large number of traces the average difference should be ɛ/2 Two types of attacks: Hamming distances between two successive states of a node or set of nodes Hamming weights of a node or set of nodes 46/52 Institut Mines-Telecom R. Pacalet May 24, 2018

79 Wrap up on DPA (3/3) Guesses on the present value only can be cross-checked too if rising and falling transitions consume differently (I I = ɛ) and previous value is uncorrelated If the guess is 0 (1) then we had a falling (rising) transition with probability 1/2 and no transition with probability 1/2 On a large number of traces the average difference should be ɛ/2 Two types of attacks: Hamming distances between two successive states of a node or set of nodes Hamming weights of a node or set of nodes 46/52 Institut Mines-Telecom R. Pacalet May 24, 2018

80 Wrap up on DPA (3/3) Guesses on the present value only can be cross-checked too if rising and falling transitions consume differently (I I = ɛ) and previous value is uncorrelated If the guess is 0 (1) then we had a falling (rising) transition with probability 1/2 and no transition with probability 1/2 On a large number of traces the average difference should be ɛ/2 Two types of attacks: Hamming distances between two successive states of a node or set of nodes Hamming weights of a node or set of nodes 46/52 Institut Mines-Telecom R. Pacalet May 24, 2018

81 Wrap up on DPA (3/3) Guesses on the present value only can be cross-checked too if rising and falling transitions consume differently (I I = ɛ) and previous value is uncorrelated If the guess is 0 (1) then we had a falling (rising) transition with probability 1/2 and no transition with probability 1/2 On a large number of traces the average difference should be ɛ/2 Two types of attacks: Hamming distances between two successive states of a node or set of nodes Hamming weights of a node or set of nodes 46/52 Institut Mines-Telecom R. Pacalet May 24, 2018

82 Wrap up on DPA (3/3) Guesses on the present value only can be cross-checked too if rising and falling transitions consume differently (I I = ɛ) and previous value is uncorrelated If the guess is 0 (1) then we had a falling (rising) transition with probability 1/2 and no transition with probability 1/2 On a large number of traces the average difference should be ɛ/2 Two types of attacks: Hamming distances between two successive states of a node or set of nodes Hamming weights of a node or set of nodes 46/52 Institut Mines-Telecom R. Pacalet May 24, 2018

83 Power attacks / Exercises on DPA 47/52 Institut Mines-Telecom R. Pacalet May 24, 2018

84 Exercises on DPA (1/2)? Exercise #3: most efficient power model?? Hamming weight (based on current state only)? Hamming distance (based on previous and current states)? Exercise #4: differences with timing attacks?? Exercise #5: DPA easier than TA? Why?? Exercise #6: hypotheses? 48/52 Institut Mines-Telecom R. Pacalet May 24, 2018

85 Exercises on DPA (1/2)? Exercise #3: most efficient power model?? Hamming weight (based on current state only)? Hamming distance (based on previous and current states)? Exercise #4: differences with timing attacks?? Exercise #5: DPA easier than TA? Why?? Exercise #6: hypotheses? 48/52 Institut Mines-Telecom R. Pacalet May 24, 2018

86 Exercises on DPA (1/2)? Exercise #3: most efficient power model?? Hamming weight (based on current state only)? Hamming distance (based on previous and current states)? Exercise #4: differences with timing attacks?? Exercise #5: DPA easier than TA? Why?? Exercise #6: hypotheses? 48/52 Institut Mines-Telecom R. Pacalet May 24, 2018

87 Exercises on DPA (1/2)? Exercise #3: most efficient power model?? Hamming weight (based on current state only)? Hamming distance (based on previous and current states)? Exercise #4: differences with timing attacks?? Exercise #5: DPA easier than TA? Why?? Exercise #6: hypotheses? 48/52 Institut Mines-Telecom R. Pacalet May 24, 2018

88 Exercises on DPA (2/2)? Exercise #7: countermeasures?? Exercise #8: what if energy depends only on key?? Exercise #9: what if energy depends only on input messages?? Exercise #10: what if energy depends neither on key nor on input messages? 49/52 Institut Mines-Telecom R. Pacalet May 24, 2018

89 Exercises on DPA (2/2)? Exercise #7: countermeasures?? Exercise #8: what if energy depends only on key?? Exercise #9: what if energy depends only on input messages?? Exercise #10: what if energy depends neither on key nor on input messages? 49/52 Institut Mines-Telecom R. Pacalet May 24, 2018

90 Exercises on DPA (2/2)? Exercise #7: countermeasures?? Exercise #8: what if energy depends only on key?? Exercise #9: what if energy depends only on input messages?? Exercise #10: what if energy depends neither on key nor on input messages? 49/52 Institut Mines-Telecom R. Pacalet May 24, 2018

91 Exercises on DPA (2/2)? Exercise #7: countermeasures?? Exercise #8: what if energy depends only on key?? Exercise #9: what if energy depends only on input messages?? Exercise #10: what if energy depends neither on key nor on input messages? 49/52 Institut Mines-Telecom R. Pacalet May 24, 2018

92 Power attacks / Conclusion 50/52 Institut Mines-Telecom R. Pacalet May 24, 2018

93 Homework on Power Attacks Read and understand every detail of original paper by P. Kocher Imagine attack against hardware DES implementation, describe in deep details your algorithm: Ciphertexts are known L 0 R 0,...,L 15 R 15,R 16 L 16 values stored successively in same 64 bits register Attacker monitors current on power supply side Find way to blind DES 51/52 Institut Mines-Telecom R. Pacalet May 24, 2018

94 Questions? 52/52 Institut Mines-Telecom R. Pacalet May 24, 2018

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs