DPA CONTEST 08/09 A SIMPLE IMPROVEMENT OF CLASSICAL CORRELATION POWER ANALYSIS ATTACK ON DES

Transcription

1 DPA CONTEST 08/09 A SIMPLE IMPROVEMENT OF CLASSICAL CORRELATION POWER ANALYSIS ATTACK ON DES, Fakultät für Informatik Antonio Almeida Prof. Dejan Lazich Karlsruhe, 9 th June 2010 KIT Universität des Landes Baden-Württemberg und nationales Großforschungszentrum in der Helmholtz-Gemeinschaft

2 DPA CONTEST ORGANIZATION August 2008 to August 30 th 2009 We began our participation in the contest: middle July 2009 Results debriefed at CHES2009, during a special session on September 7 th Organizers: Cryptographic Algorithm: Simple DES

3 GOALS Make it possible for researchers to objectively compare their different power attack algorithms on DES Construct a software in any programming language implementing an attack algorithm on a given set of power consumption traces Results/Ranking published on a Hall of Fame

4 DES Hardware Implementation message key Only one register everything else is combinatorial Just one round per clock period

5 Traces Experimental setup for traces acquisition

6 Database Entry DES Trace/file content Data Given entries 4 GByte Plaintext Secret Key Ciphertext Acquisition Date Filename Secret Key should not be used in the algorithm!!

7 Accessing the Data Remote ENST query answer Local download

8 Trace at encryption an example Measurements: points Preprocessing 16 DES Rounds Final processing

9 Trace with 16 DES rounds at encryption

10 CONTEST RULES Number of traces, N T,needed to guess the key Stability of the key algorithm continuously keeps the same guessed key when accumulating more traces Fixed threshold: 100 traces with the same key i.e. if the algorithm finds a certain key and keeps it for at least 100 traces, we consider that it has definitely found the key. Thus, the number of traces needed to find the key including the 100 stable traces is the mark given to an algorithm if the key found is the correct one min N T =101 Brute force should not be allowed for more than 8 bits of key #SBOXES 8 x = 56 bit key

11 CONTEST RULES evolution How to order the traces? 1st Proposal: Fixed Order Database entries accessed in a fixed order/database order given by the Contest Organizers NOT FAIR: this order influences the result; it does not strictly reflects the quality of the attack algorithm 2nd Proposal: Custom Order Database entries accessed in a chosen order defined by the contestant NOT FAIR: same reason as before; the contestant may look for a specific order instead of improving the quality of the algorithm

12 CONTEST RULES evolution 3rd and valid Proposal - Representative Order Database entries randomly accessed N T being the average on 1000 attacks FAIR: Order does NOT influence the result Critics about DPA Contest rules: Francois-Xavier Standaert, Philippe Bulens, Giacomo de Meulenaer, Nicolas ( 2008/517 Veyrat-Charvillon, Improving the Rules of the DPA Contest (eprint

13 DPA Reference Implementation ( 1998 ) Paul Kocher et al., Differential Power Analysis ciphertext Method originally proposed in the 16 th round Key hypothesis tested bit on output of SBOX Partition D=1 Partition D=0 differential trace power trace selection function/distinguisher current consumption proportional to 1 0 and 0 1 bit transitions

14 DPA Reference Implementation PLAINTEXT KEY

15 power DPA Reference Implementation Implemented in the 1 st round msg, trace peak subkey 1 4 des_breaker while key_stable < 100 () getnewtrace () processnewtrace () get_key numbertraces++ # subkeys subkey length/sbox input 8 x 6 = 48 bits last 8 bits with full search 1 4 des_breake sbox_breaker r sbox=1 des_break sbox_breaker er des_break sbox_breaker er des_break sbox_breaker er... sbox=2 sbox=3 sbox=4 sbox=8 des_breake r sbox_breaker skey=1 () D key=1 skey=2 key=1 skey=3 skey=64 key=1... () D () D () D... skey=1 () D key=1 skey=2 key=1 skey=3 skey=64 key=1... () D () D () D ( Distinguisher ) DPA selection function

16 Trace DES rounds hours calculating... 3 minutes and... ready

17 CPA Reference Implementation E. Brier, C. Clavier, F. Olivier, Correlation Power Analysis with a Leakage Model ( 2004 ) Idea: data leakage through the power side-channel depends on the number of bit transitions in a register during a clock cycle, at a given time Power trace i, for a reference state R Linear correlation factor message Number of traces Hamming distance between the previous and current state of the register

18 corr CPA Reference Implementation Implemented in the 1 st round msg, trace peak subkey 1 4 des_breaker while key_stable < 100 () getnewtrace () processnewtrace () get_key numbertraces++ # subkeys subkey length/sbox input 8 x 6 = 48 bits last 8 bits with full search 1 4 des_breake sbox_breaker r sbox=1 des_break sbox_breaker er des_break sbox_breaker er des_break sbox_breaker er... sbox=2 sbox=3 sbox=4 sbox=8 des_breake r sbox_breaker skey=1 () D key=1 skey=2 key=1 skey=3 skey=64 key=1... () D () D () D... skey=1 () D key=1 skey=2 key=1 skey=3 skey=64 key=1... () D () D () D ( Distinguisher ) selection function

19 CPA Reference Implementation PLAINTEXT KEY

20 CPA Reference Implementation PLAINTEXT KEY What about the left side?

21 A Simple Improvement of CPA by ( CPA-LS ) considering the left side Motivation Left-side is also responsible for current consumption, as it contributes with bit transitions If not taken into account, it will act as noise in the calculations, decreasing the SNR SNR and key stability are strongly related We should consider the influence of the left side when calculating the correlation coefficient in order to obtain key stability faster

22 Results Implementation Comparision #output bits considered in each SBOX 1-bit CPA 1-bit DPA 4-Bit CPA 4-Bit DPA 4-Bit CPA-LS traces traces traces traces traces 163 traces improvement with just one extra line of code!

23 USE OF PREVIOUS SUBKEY ESTIMATIONS IN THE NEXT SUBKEY ESTIMATION Problem: In the DPA calculations for a certain subkey/sbox, the other subkeys/sboxes interfere destructively, decreasing the SNR Solution: Consider the influence of each SBOX in the other SBOXES... SBOX1 SBOX2 SBOX3 SBOX4 SBOX5 SBOX6 SBOX7 SBOX8 SBOX8 However, some SBOXES are more stable than others

24 USE OF PREVIOUS SUBKEY ESTIMATIONS IN THE NEXT SUBKEY ESTIMATION Which SBOX permutation is the best one? SBOX1 SBOX2 SBOX3 SBOX4 SBOX5 SBOX6 SBOX7 SBOX8 8! = possibilities

25 USE OF PREVIOUS SUBKEY ESTIMATIONS IN THE NEXT SUBKEY ESTIMATION Problem: Find strategy to construct best SBOX permutation (Which SBOXES are more stable?) We tried a few strategies to find best permutation on the fly but... we lacked time to find a good one + sideleftconsideringcpa We believe that previoussubkeyestimations would considerably improve most of the results

26 Results Final standings Pos Author Method # traces 1 C. Limoges. Uni Clavier Maximum Likelihood 1 141,42 2 C. Limoges. Uni Clavier Maximum Likelihood 2 145,06 3 C. Clavier Limoges. Uni Maximum Likelihood 3 152,42 4 Montpellier. Lab Lomne BS-enhanced CPA Mitsubishi Saeki&Suzuki Dual round BS-CPA UniTohoku Kim. Y stochastic model attack 230,78 7. CorpToshiba Shimizu CPA with build-up technique 234,38 8 ParisTelecom Pacalet. R COP CPA 252,83 9. CorpToshiba Shimizu Alledged Max. Likelihood 253,73 10 ParisTelecom Pacalet. R COP CPA 265,

27 Results Final standings 13 KA. Uni Lazich&Almeida LS CPA 367, CorpToshiba Shimizu Classical DPA 371, CorpToshiba Shimizu Classical CPA 388,99 16 ParisTelecom Sauvage. L BS-CPA on 2-sboxes 149,00??? 17 Reference Implementation 4-bit DPA 485,35 18 Reference Implementation 4-bit CPA 530,45 19 Reference Implementation 1-bit DPA 1250,18 20 Reference Implementation 1-bit CPA 1435,

28 QUESTIONS?