Side channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut

Transcription

1 Side channel attack: Power Analysis Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut

2 Conventional Cryptanalysis Conventional cryptanalysis considers crypto systems as mathematical objects Assumptions: Knows the details of the cryptographic algorithm Tries to find out secret keys from the inputs and outputs Does not consider the weakness in hardware implementations

3 Implementation of crypto algorithms Implementation of a strong algorithm is not necessarily secure Defective computation Information leak Timing Power Electromagnetic

4 Side Channel Attacks Side channel attacks exploit information from hardware Is easy to carry out Does not require expensive equipment 4

5 Side channel attacks Key Plaintext Cipher Side Channel Attack Ciphertext

6 Power analysis Non-invasively extract information from the power consumption of a cryptographic hardware device. Common power analysis attacks SPA: Simple Power Analysis Different operations consume different power Effective if operations are dependent on key bits DPA: Differential Power Analysis Different data consume different power even if the operations are the same CPA: Correlation Power Analysis More advanced than DPA

7 Example: DES Power Trace Kocher et al. 1999

8 DPA Exploits the relationship between power consumption and the operations or data using advanced statistical methods Goal Secret keys used by cryptographic device AES as target Widely used cipher Applicable to other systems

9 Example of DPA on 1-bit operations Assumption: M K = Y M can be controlled by the attacker K is unknown Generating 0 and 1 consumes different amount of energy Attack: Set M = 0, do the operation and measure the power (P0) Set M = 1, do the operation and measure the power (P1) Guess a value of K, and check it with power traces If K = 0, then Y is 0 in P0 and 1 in P1. If K = 1, then Y is 1 in P0 and 0 in P1.

10 Attacking table lookups (1) Mem[M K] = Y Similar assumptions M and K have multiple bits M can be controlled by the attacker K is unknown Y is the table lookup results (value loaded from the memory) Select one bit in Yt

11 Attacking table lookups (2) Generate a set of input so the table lookups are uniformly distributed over all entries M0,, Mn Feed the input to the device and measure the power consumption P0,, Pn For each possible value of K Place the power traces into two sets, according to Yt S0: if Yt = 0 and S1: if Yt = 1 Compute the average of power traces in each set Compute the differences of the averages Find the largest differences

12 DPA Process Identify the target operation Select power model, target, selection function, a set of inputs Measurement/Data collection Setup for instrumentation Feed the selected inputs to the device Data analysis Signal processing For each value of the key related to the targeted state Generate the value of the targeted state from the guess Place power traces into subsets according to the selection function Compare the differences between averaged power traces from subsets Evaluation

13 Summary of AES Operations Round operations: Substitute bytes Shift rows Mix columns Add round key

14 Attacking the S-Box (or Table Lookup) Plaintext Key xor Table Key xor If a plaintext byte is known, as well as a first-round table lookup, a key byte is learned Table Table Key xor Ciphertext The same is true for cipher text bytes and final round table lookups

15 Selection Function Prediction about some aspect of the computation that varies in a key-dependant manner Used to assign traces to subsets based on the prediction. Real leaks can be complicated 0-1 vs. 1-0 transition Hamming weight/distance model Word-oriented leaks FPGA writing byte differences

16 Selection Function Target of attack is information of round key Known key analysis Chosen message analysis Non-binary and multi-bit function improve efficiency of attacks Binary and single-bit function can be used without requiring additional assumptions

17 Hamming Distance Model Assumption: power consumption mainly due to switching activity. Let x and x be two consecutive intermediate values of AES. Let t be the time at which x switches into x. Then the power consumption of the device at this time is proportional to DH(x, x )=WH(x XOR x ) Where WH denote the Hamming weight

18 Hamming Weight SubBytes S in (?) SBox 16 Sin(?) C(?) 0 no transition 1 yes transition ShiftRow Key guess S out C(i:i+1) ShiftRow C(?) DPA output:

19 Setup Unknown secret key device measurement Input analysis A Selection Function D = SBOX (K for an intermediate g m) value subkey guess

20 Instrumentation High-speed analog to digital conversion system Accurate enough to detect small fluctuations Important factor in selecting a scope: Deep memory Trigger flexibility Signal to noise ratio Rapid trigger re-arming time and fast transfer rate

21 Data Collection Capture traces from target device Clean measurements are not required for DPA attacks 4000 traces from a smart card while performing AES-128 Different plaintext, same key 8-bit A/D converter

22 Signal Processing Improves efficiency of the DPA process and outcome (Optional) Remove alignment errors Isolate features Highlight signals Reduce noise

23 Categorize Power Traces Collect the power traces of N encryption operations Use the same secret key, but different plaintexts Usually1,000+ traces are used Try all possible values of K 16 For each guess, place the N power traces into two sets S 0, S 1 according to the selection function S0 = { S ij D(.,.,.) = S1 = { S ij D(.,.,.) = 0} 1}

24 Compute the average power and differences Calculate the average power for each set A 0 [j] for S 0, A 1 [j] for S 1 : 1 A0[ j] = S0 1 A1 [ j] = S 1 S S 0 + S 1 =N, S i is the total number of the power traces in the set S i The discrete time DPA bias signal T[j] is calculated: ij S S 0 ij S S 1 ij S D[ j] = A0 [ j] A1 [ j] ij

25 Distribution of power consumption If our calculation is wrong: Gaussian Distribution Mix everything together Mean 120 unit Standard deviation Least significant bit is 1: M = Sd = 10.7 Least significant bit is 0: M = Sd = 9.7

26 DPA Process If key block guess is correct, spike where D correlates with values being processed. Confirm the Ks is correct, then guess the rest of the key blocks. Power consumption data Correct Ks guess Incorrect Ks guesses

27 Correct guess If the guessed key-related value is correct, power traces are placed in subsets correctly according to selection function and spike occurs

28 Comparison I i,n = S[X i,n xor K n ] Use the LSB of Ii to check 256 guesses

29 Evaluation Analyze test results to determine most likely candidate key guesses Large peaks for correct key guess The final three steps (prediction, averaging, and evaluation) are often iterated. Find 1 st round key, then begin attack on 2 nd round key.

30 DPA Prevention Methods: Reduce signal size (Cost and size increase) Leakage reduction Noise introduction Obfuscation Incorporating randomness Protocol level countermeasures Balancing Blinding and masking Risk reduced but not eliminated.

31 Summary Algorithms that are mathematically strong may be vulnerable to power analysis attacks Potential victims: RFID, smartcard FPGA, SoCs ASIC HSM, mobile phone Product have DPA countermeasure implemented if it have the DPA security logo:

32 DPA Contest Objective comparison of attack algorithms. Metrics used for evaluation: Partial success rate Partial guessing entropy Global success rate Execution time Memory footprint

33 Project 4: DPA Contest Selection function: Hamming Weight DPA attack on AES-128 Ciphertext Power traces Recover keys for 10 th round Substitute byte (Sbox) given Key expansion master key

34 DPA Process Identify the target operation Select power model, target, selection function, a set of inputs Measurement/Data collection Setup for instrumentation Feed the selected inputs to the device Data analysis Signal processing For each value of the key related to the targeted state Generate the value of the targeted state from the guess Place power traces into subsets according to the selection function Compare the differences between averaged power traces from subsets Evaluation

35 Categorize For each power trace/ciphertext, what is the power consumption (Hamming Weight model) for each key guess? 1-bit DPA on each bit of an Sbox (categorize into 0 and 1)

36 10 th Round of AES Round operations: Substitute bytes e6a636e30c85f35e980f3546a04daff7 Shift rows round key e6 a6 36 e3 0c 85 f3 5e 98 0f a0 4d af f7

37 DPA Ciphertext HW Power trace e6a636e30c85f35e980f3546a04daff e9f7a9d7d2387d7ee8c7c5235c354dd

38 Multi-bit DPA Looks at all bits for an Sbox instead of each individual ones. Single-bit DPA: Average difference for 256 key guess of each bit of Sbox Multi-bit DPA (more accurate): Average difference for 256 key guess of the Sbox Key guess with biggest power variation is correct guess.

39 References P. Kocher, J. Jaffe, and B. Jun, Differential power analysis, Proceedings of CRYPTO'99, vol. 1666, pp , August Kong, J.; Aciicmez, O.; Seifert, J.-P.; Huiyang Zhou;, "Hardware-software integrated approaches to defend against software cache-based side channel attacks," High Performance Computer Architecture, HPCA IEEE 15th International Symposium on, vol., no., pp , Feb URL: isnumber= Kocher, Jaffe, Jun. Introduction to Differential Power Analysis and Related Attacks. Power Analysis. Wikipedia.