Introduction to Side Channel Analysis. Elisabeth Oswald University of Bristol

Similar documents
Elliptic Curve Cryptography and Security of Embedded Devices

How to Evaluate Side-Channel Leakages

DPA-Resistance without routing constraints?

Side-channel attacks on PKC and countermeasures with contributions from PhD students

Comparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d

First-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure

Information Security Theory vs. Reality

Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi

Random Delay Insertion: Effective Countermeasure against DPA on FPGAs

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Efficient Application of Countermeasures for Elliptic Curve Cryptography

Differential Power Analysis Attacks Based on the Multiple Correlation Coefficient Xiaoke Tang1,a, Jie Gan1,b, Jiachao Chen2,c, Junrong Liu3,d

A DPA attack on RSA in CRT mode

Correlation Power Analysis. Chujiao Ma

Investigations of Power Analysis Attacks on Smartcards *

Provably Secure Higher-Order Masking of AES

Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl

Start Simple and then Refine: Bias-Variance Decomposition as a Diagnosis Tool for Leakage Profiling

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer

Masking and Dual-rail Logic Don't Add Up

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

Improving DPA by Peak Distribution Analysis

Intro to Physical Side Channel Attacks

Linear Regression Side Channel Attack Applied on Constant XOR

Branch Prediction based attacks using Hardware performance Counters IIT Kharagpur

Affine Masking against Higher-Order Side Channel Analysis

Leakage Resilient Cryptography in Practice

Hardware Security Side channel attacks

Summary. Secured Arithmetic Operators for Cryptography. Introduction. Terminology

Multiple-Differential Side-Channel Collision Attacks on AES

Side-channel analysis in code-based cryptography

Algebraic Methods in Side-Channel Collision Attacks and Practical Collision Detection

A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks

DIFFERENTIAL FAULT ANALYSIS ATTACK RESISTANT ARCHITECTURES FOR THE ADVANCED ENCRYPTION STANDARD *

Systematic Construction and Comprehensive Evaluation of Kolmogorov-Smirnov Test Based Side-Channel Distinguishers

Channel Equalization for Side Channel Attacks

Differential Fault Analysis of AES using a Single Multiple-Byte Fault

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Provable Security against Side-Channel Attacks

Multi-target DPA attacks: Pushing DPA beyond the limits of a desktop computer

Symmetric Crypto Systems

Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks

Formal Verification of Side-Channel Countermeasures

Symmetric Crypto Systems

Lightweight Cryptography Meets Threshold Implementation: A Case Study for Simon

My traces learn what you did in the dark: recovering secret signals without key guesses

Fault Attacks Against Lattice-Based Signatures

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

DTIS Review of Fault Injection Mechanisms and Consequences on Countermeasures Design. Bruno Robisson Jean-Baptiste Rigaud Assia Tria

On the Use of Masking to Defeat Power-Analysis Attacks

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys

On the Practical Security of a Leakage Resilient Masking Scheme

Inner Product Masking Revisited

Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations

Power Analysis to ECC Using Differential Power between Multiplication and Squaring

Efficient, portable template attacks

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers

On the Masking Countermeasure and Higher-Order Power Analysis Attacks

Several Masked Implementations of the Boyar-Peralta AES S-Box

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Protecting AES with Shamir s Secret Sharing Scheme

CS293 Report Side Channel Attack with Machine Learning

Design of Low Power Optimized MixColumn/Inverse MixColumn Architecture for AES

Side Channel Analysis and Protection for McEliece Implementations

How to Estimate the Success Rate of Higher-Order Side-Channel Attacks

Power Consumption Analysis. Arithmetic Level Countermeasures for ECC Coprocessor. Arithmetic Operators for Cryptography.

Comprehensive Evaluation of AES Dual Ciphers as a Side-Channel Countermeasure

SIDE Channel Analysis (SCA in short) exploits information. Statistical Analysis of Second Order Differential Power Analysis

Algebraic Side-Channel Collision Attacks on AES

A Collision-Attack on AES Combining Side Channel- and Differential-Attack

Remote Timing Attacks are Practical

Quantum Wireless Sensor Networks

Improved Collision-Correlation Power Analysis on First Order Protected AES

Statistical Analysis for Access-Driven Cache Attacks Against AES

Leakage Resilient ElGamal Encryption

LS-Designs. Bitslice Encryption for Efficient Masked Software Implementations

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

The Curse of Class Imbalance and Conflicting Metrics with Machine Learning for Side-channel Evaluations

Algorithmic Number Theory and Public-key Cryptography

Differential Cache Trace Attack Against CLEFIA

Side-Channel Analysis on Blinded Regular Scalar Multiplications

Templates as Master Keys

Square Always Exponentiation

Consolidating Inner Product Masking

Making Masking Security Proofs Concrete

Success through confidence: Evaluating the effectiveness of a side-channel attack.

A Stochastic Model for Differential Side Channel Cryptanalysis

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Sliding-Window Correlation Attacks Against Encryption Devices with an Unstable Clock

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Multiple-Differential Side-Channel Collision Attacks on AES

Electromagnetic Side Channels of an FPGA Implementation of AES

Exponent Blinding Does not Always Lift (Partial) SPA Resistance to Higher-Level Security

A Five-Round Algebraic Property of the Advanced Encryption Standard

A Statistics-based Fundamental Model for Side-channel Attack Analysis

A New Framework for Constraint-Based Probabilistic Template Side Channel Attacks

Institutionen för systemteknik

Mutual Information Analysis

Efficient randomized regular modular exponentiation using combined Montgomery and Barrett multiplications

PARITY BASED FAULT DETECTION TECHNIQUES FOR S-BOX/ INV S-BOX ADVANCED ENCRYPTION SYSTEM

Transcription:

Introduction to Side Channel Analysis Elisabeth Oswald University of Bristol

Outline Part 1: SCA overview & leakage Part 2: SCA attacks & exploiting leakage and very briefly Part 3: Countermeasures Part 4: Current research Please do ask questions as & when they arise

Types of attacks Measure some physical characteristics like power consumption, electromagnetic emanation, timing Device (Smart Card, phone,..) Crypto (AES, RSA-OAEP, ECC, ) Implementation of Algorithm (Software + Hardware) Dismantle Induce Error (Laser, Voltage, Electromagnetic Pulse, )

Types of attacks in a nutshell Non-Invasive Attacks Device attacked as is, only accessible interfaces exploited, relatively inexpensive Semi-Invasive Attacks Device is depackaged but no direct electrical contact is made to the chip surface, more expensive Invasive Attacks No limits what is done with the device Passive Attacks The device is operated largely or even entirely within its specification Side-channel attacks: timing attacks, power + EM attacks, cache trace Read out memory of device without probing or using the normal read-out circuits Probing depackaged devices but only observe data signals Active Attacks The device, its inputs, and/or its environment are manipulated in order to make the device behave abnormally Insert fault in device without depackaging: clock glitches, power glitches, or by changing the temperature Induce faults in depackaged devices with e.g. X-rays, electromagnetic fields, or light Depackaged devices are manipulated by probing, laser beams, focused ion beams

Security is hard in practice! Crypto devices ought to protect keys from being revealed/extracted Cryptographers have been very good in proving algorithms secure in theory Engineers have learned how to deal with the practical mess Real life often gets in the way Limited computing power Limited memory Limited time

Outline Part 1: SCA overview & leakage Focus on power analysis Part 2: SCA attacks & exploiting leakage Part 3: Countermeasures Part 4: Current research Please do ask questions as & when they arise

Power Analysis Attacks Power consumption of cryptographic device depends on instructions and data. V dd q Data q a q CMOS Inverter A GND Power consumption

(Simple) Power analysis Use snapshot of power consumption Single or few power traces Analyse patterns within one trace Patterns correspond to secret key

Differential power analysis Attacker requires many power traces Fixed key, varying data Analyse patterns/differences across different traces (but at same point in time) t t K=0 D=1 K=0 D=2 K=0 D=3 t

SPA and DPA exploit leakage Global leakage per time index Power analysis, EM analysis Local leakage per time index EM analysis, timing derived via EM Global leakage Timing, cache trace, timing derived via power consumption Amount of leakage does depend on side channel!

Does leakage behaviour change? Of course: it depends on e.g. power consumption which depends on parameters such as supply voltage, clock frequency, but also which parts of a device are accessed, scheduling of processes, etc.

How can we measure leakage? Theoretical issues Average entropy vs. min entropy Univariate vs. multivariate Practical issues Which configuration of device? (parallel processing, pipelining, interrupts, etc.) Multivariate: points of interest?

Outline Part 1: SCA overview & leakage Part 2: SCA attacks & exploiting leakage Part 3: Countermeasures Part 4: Current research Please do ask questions as & when they arise

SCA attack types Disclaimer: there are no universally accepted definitions/descriptions for any of the concepts I will mention SPA, template based SPA, collision attacks DPA, template based DPA, univariate, multivariate

SPA-type attacks SPA attacks exploit key-dependent differences that occur within a trace. Use only very few power traces. k = 31 Some SPA attacks can be extremely successful Unprotected multiplications or scalar multiplications (ECC) can be trivially broken Simple timing analysis can be shockingly successful Just think of all the implementations of PIN/password comparisons implemented efficiently (i.e. check item by item with stop as soon as mismatch is detected) Obstacles in practice Often need to know how implementation work Profiling required for template-based SPA attacks k = 21 difference

DPA-type attacks Data Device under Attack (Key) Data Model of the Device under Attack Key Hypothesis Real power consumption Statistical Analysis Hypothetical power consumption Decision about Key Hypothesis

DPA: Measuring real power consumption (1/5) Cryptographic device (device under attack) Measurement circuit, probe Oscilloscope/PC Challenge is not to induce too much noise Maybe more art than science

DPA: key hypothesis (2/5) Key guess in model is typically small Example: AES State Mixes key with message bit-wise Uses key byte-wise AES round State' s 0,0 s 0,1 s 0,2 s 0,3 s 1,0 s 1,1 s 1,2 s 1,3 SubBytes ( ) s' 0,0 s' 0,1 s' 0,2 s' 0,3 s' 1,0 s' 1,1 s' 1,2 s' 1,3 s 2,0 s 2,1 Ss 2,2 i,j s 2,3 SBox S' i,j s 3,0 s 3,1 s 3,2 s 3,3 s 3,0 s 3,1 s 3,2 s 3,3 3 s 2,0 s 2,1 s 2,2 s 2,3 2 S 2,2 s' 2,0 s' 2,1 s' 2,2 s' 2,3 s' 3,0 s' 3,1 s' 3,2 s' 3,3 s 0,0 s 0,1 s 0,2 s 0,3 0 s' 0,0 s' 0,1 s' 0,2 s' ShiftRows ( ) 0,3 s 1,0 s 1,1 s 1,2 s 1,3 1 s' 1,0 s' 1,1 s' 1,2 s' 1,3 S 2,0 S 2,1 S 2,2 S 2,3 s' 2,0 S 2,3 s' 2,1 Ss' 2,2 2,0 s' 2,3 S 2,1 S 0,2 s0,0 s0,1 s0,2 s0,3 S 1,2 s1,0 s1,1 s1,2 s1,3 S 2,2 s2,0 s2,1 s2,2 s2,3 s3,0 s3,1 s3,2 s3,3 S 3,2 Rotate left MixColumns ( ) (`03 x 3 + `01 x 2 + `01 x + `02 ) mod (x 4 + 1) s' 3,0 s' 3,1 s' 3,2 s' 3,3 S' 0,2 s'0,0 s'0,1 s'0,2 s'0,3 S' 1,2 s'1,0 s'1,1 s'1,2 s'1,3 S' 2,2 s'2,0 s'2,1 s'2,2 s'2,3 s'3,0 s'3,1 s'3,2 s'3,3 S' 3,2 s0,0 s0,1 s0,2 s0,3 s 1,0 s 1,1 s 1,2 s 1,3 s2,0 s2,1 s2,2 s2,3 s 3,0 s 3,1 s 3,2 s 3,3 SubBytes ( ) ShiftRows ( ) MixColumns ( ) AddRoundKey( ) s'0,0 s'0,1 s'0,2 s'0,3 s' r,c s' 1,0 s' 1,1 10010110 s' 1,2 s' 1,3 Byte s'2,0 s'2,1 s'2,2 s'2,3 s' 3,0 s' 3,1 s' 3,2 s' 3,3 s0,0 s0,1 s0,2 s0,3 s 1,0 s 1,1 s 1,2 s 1,3 s 2,0 s 2,1 s 2,2 s 2,3 AddRoundKey ( ) k0,0 k0,1 k0,2 k0,3 AddRoundKey ( ) k 1,0 k 1,1 k 1,2 k 1,3 k 2,0 k 2,1 k 2,2 k 2,3 s'0,0 s'0,1 s'0,2 s'0,3 s' 1,0 s' 1,1 s' 1,2 s' 1,3 s' 2,0 s' 2,1 s' 2,2 s' 2,3 Si,j ki,j S'i,j s 3,0 s 3,1 s 3,2 s 3,3 k 3,0 k 3,1 k 3,2 k 3,3 s' 3,0 s' 3,1 s' 3,2 s' 3,3

DPA: model (3/5) Model of device Implement cryptographic algorithm (similar architecture if possible) Calculate intermediate value using key guess Map intermediate value to hypothetical power consumption value

DPA: Three popular statistical tests (4/5) arg max s* ( *), M s ρ L Correlation analysis using Pearson s correlation coefficient. arg max s* p( M s* L) Bayesian analysis using normal distribution to determine probability. arg max E( L s* M s* = 0 ) E( L M s* = 1 M hypothetical leakage, determined from model L physical leakage, measured from device ) Distance of means test.

DPA: evaluation/key ranking (5/5) 1 d 1 d 2 d q k 1 k 2 k K Algorithm 3 V 1,1 V 1,2 V 1,K V 2,1 V 2,2 V 2,K V q,1 V q,2 2 Power model Traces l 1,1 l 1,2 l 1,T l 2,1 l 2,2 l 2,T V q,k 4 m 1,1 m 1,2 m 1,K m 2,1 m 2,2 m 2,K l q,1 l Dq,2 l q,t m q,1 m q,2 m q,k Statistics 5 r 1,1 r 1,2 r 1,T r 2,1 r 2,2 r 2,T r K,1 r K,2 r K,T

Effectiveness of DPA attacks: using ρ 2 8z 1 α / 2 We know the relationship n = 3 + 2 1+ ρ between the ρ and n ln 1 ρ A simple device (power model) allows attacker to determine ρ= ρ ck,ct via simulation or computation Previous slides: 8-bit microcontroller showing HW leakage, bit-model ρ ck,ct = ρ(m ck, l ct )=ρ(lsb(v ck ),HW(v ck ))=0.35 n 220 traces Disadvantage: works in specific scenarios only

Effectiveness of DPA attacks: success rate (SR) Ranking of key hypothesis Succ A (q)=sr correct key is ranked top in sr attack runs using q queries Generic measure

Does it matter which statistics to use? All 3 previously mentioned statistics are equally effective (in standard DPA attacks using mean-free data) Correlation: arg Bayes: E( L M s* s* max ρ( L, M ) = arg max s* 2 s* 2 s* s* E(( M ) ) E( M ) s* s* E( L M ) arg max p( M L) = arg max s* 2 s* s* E(( M ) ) )

Relationship between information and correlation Assuming we have Gaussian leakages and models which are close enough to Gaussian, this implies a direct relationship between correlation (i.e. how well does an attack work) and leakage In all other cases this relationship is NOT that simple

Experiments: Entropy (3/3) Practical evidence for Thm.4: Holds even for HW and Binary power models!

Other attacks: e. g. multivariate stuff, aka template attacks Characterisation Phase Determine interesting points, build templates: A template consists of the pair (m,c) that defines a multivariate normal distribution. Analysis Phase Match the templates to the given trace(s). The template that fits best, indicates the correct key.

Other attacks: e.g. second-order DPA (on masked implementations) Pre-processing prepares traces for DPA step. Targeted intermediate values occur in (P K) M Different clock cycles The same clock cycle The same clock cycle but power consumption characteristic allows exploiting leakage directly (L(S(P K) M)-L(P K M) S -box S(P K) M Then DPA attack on pre-processed traces using suitable hypothesis HW(S(P K) P K)

Outline Part 1: SCA overview & leakage Part 2: SCA attacks & exploiting leakage Part 3: Countermeasures Part 4: Current research Please do ask questions as & when they arise

Countermeasures Intermediate values correspond to values processed in the device Power consumption of device can be related to processed values Intermediate values as predicted by attacker Masking Intermediate values as processed by device Hiding Power consumption of device Goal of any countermeasure: Make power consumption independent of intermediate values!

Masking: concealing intermediate values by random values Each intermediate value v is concealed by a random value m which is called the mask m generated at random and independent from v m is not known to the attacker m is generated anew for each new encryption run v m = v m Power consumption characteristics of device are not changed! Can be used to protect existing devices, logic styles

Hiding: modifying relationship between interm. values and power consumption Power consumption of device is independent of processed data if Device consumes random amounts of power in each clock cycle Device consumes equal amounts of power in each clock cycle Power consumption characteristics of a device are changed Same intermediate values are processed

Countermeasures: Protocol level First patents by Kocher: key update mechanism First academic contribution: PhD thesis of Borst Today: plenty of works that define leakage resilient schemes based on the key update idea

Outline Part 1: SCA overview & leakage Part 2: SCA attacks & exploiting leakage Part 3: Countermeasures Part 4: Current research Please do ask questions as & when they arise

Current research Practitioner community: seems to be caught up with details -> find variation of attack X on implementation Y Do not look at system holistically Theory community: seem to only focus on high-level protocols -> can prove scheme X secure in model Y Do not pay any attention to practice (i.e. does model Y make sense, can scheme X be implemented)

Current research Fundamental questions still unanswered How do we measure leakage (univariate, multivariate, configuration of device, statistical method, etc.) How does leakage translate into SR of attacks How can high-level ideas be mapped on secure implementations (SCA aware compilers, design flow?)

Want more? Check out on IACR eprint One for all Leakage resilient cryptography The DPA book Visit: www.dpabook.org OpenSCA toolbox Follow links from http://www.cs.bris.ac.uk/home/eoswald/opensca.html

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback