A Formal Study of Power Variability Issues and Side-Channel Attacks for Nanoscale Devices
Mathieu Renauld, François-Xavier Standaert, Nicolas Veyrat-Charvillon, Dina Kamel, Denis Flandre. May 2011
UCL Crypto Group, Microelectronics Laboratory. Cryptopuces - May 2011

Outline
◮ Introduction
◮ Scaling trends - variability
◮ Motivation
◮ Framework - MI
◮ Perceived Information
◮ Template + variability
◮ Results
◮ Conclusion

Electronic devices are everywhere... and may contain sensitive data.
◮ RFID tags
◮ Sensor networks
◮ Smartcards

Introduction
[Figure: classical cryptanalysis. Adversary and cryptographic algorithm, labels K, P, C.]
[Figure: side-channel cryptanalysis. Adversary, cryptographic algorithm (labels K, P, C), its implementation and the physical leakage.]

Block ciphers

Example of attacks
Numerous side-channel attacks.
◮ Non-profiled attacks: DPA, CPA, ...
◮ Profiled attacks: template attacks, stochastic models, ...
Divide-and-conquer strategy.
[Figure: labels P, k, ⊕, x, S, y, L]

Example of attack: template attack
Univariate template attack.
1. Profiling phase.
◮ Measurements on a training device. The attacker determines the plaintexts and keys.
◮ Assumption: Gaussian noise.
◮ Building templates $\mathcal{N}(l \mid \hat{\mu}_x, \hat{\sigma}_x^2)$ (= pdf).
[Figure: template, labels $\hat{\mu}_x$ and $\hat{\sigma}_x$]

Example of attack: template attack
2. Attack phase.
◮ Measurements on the target device ⇒ $\{p_i, l_i\}$.
◮ Compute $\Pr[k^* \mid l, p]$ $\forall k^*$.
◮ Choose $\tilde{k}$ such that $\tilde{k} = \arg\max_{k^*} \Pr[k^* \mid l, p]$.
[Figure: labels $l_1$, $l_2$]
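
The two phases above, as an added example (not code from the presentation): a univariate Gaussian template attack run end to end against a simulated device, the way an evaluator would exercise it. The PRESENT 4-bit S-box, the Hamming-weight-plus-noise leakage function and all function names are assumptions made for the simulation.

```python
import math
import random

# PRESENT 4-bit S-box, standing in for the S-box S of the slide (assumption)
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def leak(x, rng, sigma=1.0):
    """Simulated device (assumption): Hamming weight of S(x) plus Gaussian noise."""
    return bin(SBOX[x]).count("1") + rng.gauss(0.0, sigma)

def profile(rng, n_per_class=500):
    """Profiling phase: estimate (mu_x, sigma_x^2) for every S-box input x."""
    templates = []
    for x in range(16):
        samples = [leak(x, rng) for _ in range(n_per_class)]
        mu = sum(samples) / n_per_class
        var = sum((s - mu) ** 2 for s in samples) / (n_per_class - 1)
        templates.append((mu, var))
    return templates

def log_pdf(l, mu, var):
    return -0.5 * math.log(2 * math.pi * var) - (l - mu) ** 2 / (2 * var)

def attack(templates, traces):
    """Attack phase: Pr[k*|l,p] for each candidate k* (uniform prior), and the argmax."""
    scores = [sum(log_pdf(l, *templates[p ^ k]) for p, l in traces) for k in range(16)]
    top = max(scores)                      # subtract the maximum before exponentiating
    weights = [math.exp(s - top) for s in scores]
    total = sum(weights)
    posterior = [w / total for w in weights]
    return max(range(16), key=posterior.__getitem__), posterior

def run(true_key, n_traces, seed=2011):
    """Profile on the simulated training device, then attack traces {p_i, l_i}."""
    rng = random.Random(seed)
    templates = profile(rng)
    plaintexts = [rng.randrange(16) for _ in range(n_traces)]
    traces = [(p, leak(p ^ true_key, rng)) for p in plaintexts]
    return attack(templates, traces)
```

Here the training device and the target device share one leakage function, which is the classical assumption the following slides question.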

Motivation
General trend in electronics: scaling down the circuit size.
◮ Logic styles are more difficult to balance
◮ Non-linearity increases
◮ Variability

Motivation
Classical assumption:
[Figure: chip production unit, user, adversary; label "Attack!"]
With variability:
[Figure: chip production unit, user, adversary; label "???"]

Background: framework
How do we fairly evaluate the security of an implementation?
Example: Adversary A breaks implementation $I_1$ in 10 power traces and breaks implementation $I_2$ in 10,000 power traces. Is $I_2$ 1000 times more secure than $I_1$, or is A not adapted to break $I_2$?

Background: framework
F.-X. Standaert, T.G. Malkin and M. Yung presented "A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks" at Eurocrypt 2009.
Concept: separating the evaluation of the implementation from the evaluation of the adversary.
◮ Implementation → information theoretic metric (MI).
◮ Adversary → security metric (success rate according to the number of traces).

Background: framework
Information theoretic metric MI(X; L): how much the uncertainty on X is reduced by knowing L.
$$\begin{aligned}
\mathrm{MI}(X;L) &= \mathrm{H}[X] - \mathrm{H}[X|L] \\
&= \mathrm{H}[X] - \sum_{l\in\mathcal{L}} \Pr[l] \sum_{x\in\mathcal{X}} \Pr[x|l] \log_2 \Pr[x|l] \\
&= \mathrm{H}[X] - \sum_{l\in\mathcal{L}} \sum_{x\in\mathcal{X}} \Pr[l]\Pr[x|l] \log_2 \Pr[x|l]
\end{aligned}$$
Bayes: $\Pr[x|l]\Pr[l] = \Pr[l|x]\Pr[x]$
$$\begin{aligned}
&= \mathrm{H}[X] - \sum_{l\in\mathcal{L}} \sum_{x\in\mathcal{X}} \Pr[x]\Pr[l|x] \log_2 \Pr[x|l] \\
&= \mathrm{H}[X] - \sum_{x\in\mathcal{X}} \Pr[x] \sum_{l\in\mathcal{L}} \Pr[l|x] \log_2 \Pr[x|l]
\end{aligned}$$

Perceived information
$$\mathrm{MI}(X;L) = \mathrm{H}[X] - \sum_{x\in\mathcal{X}} \Pr[x] \sum_{l\in\mathcal{L}} \Pr_{chip}[l|x] \log_2 \hat{\Pr}_{model}[x|l]$$
Interpretation:
◮ $\Pr_{chip}[l|x]$ are the pdf from the actual chip.
◮ $\hat{\Pr}_{model}[x|l]$ are the estimated pdf from the adversary's model.
Are those pdf the same?

Perceived information - AES Sbox in 65 nm
Perfect profiling phase: $\hat{\Pr}_{model} = \Pr_{chip}$
$$\mathrm{MI}(X;L) = \mathrm{H}[X] - \sum_{x\in\mathcal{X}} \Pr[x] \sum_{l\in\mathcal{L}} \Pr_{chip}[l|x] \log_2 \hat{\Pr}_{model}[x|l]$$
Mutual information = IT metric.

Perceived information - AES Sbox in 65 nm
◮ Bounded profiling phase
◮ Variability
◮ Simpler model
$\hat{\Pr}_{model} \neq \Pr_{chip}$
$$\mathrm{PI}(X;L) = \mathrm{H}[X] - \sum_{x\in\mathcal{X}} \Pr[x] \sum_{l\in\mathcal{L}} \Pr_{chip}[l|x] \log_2 \hat{\Pr}_{model}[x|l]$$
Perceived information = informal measure.

Templates in presence of variability
In 65nm: impossible to produce 2 exactly identical chips.
→ profiling on a different chip.
[Figure: labels $\mu_{chip1,x}$, $\sigma_{chip1,x}$, $\mu_{chip2,x}$, $\sigma_{chip2,x}$]
→ profiling on several chips.
[Figure: labels $\sigma_{chip1,x}$ and $\mu_{chip1,x}$ to $\mu_{chip5,x}$]
[Figure: labels $\hat{\mu}_{model,x}$, $\hat{\sigma}_{model,x}$]
[Figure: labels $\hat{\mu}_{model,x}$, $\sqrt{\hat{\sigma}^2_{model,x} + \hat{\sigma}^2_{noise,x}}$]

Results
[Figure: perceived information]

Results
[Figure: data complexity]

Model soundness
Model soundness: the asymptotic success rate of a Bayesian adversary exploiting it in order to recover a target value is 1.
Here: target value = transition.
$$\begin{aligned}
\hat{H}_{s,s^*} &= -\sum_{l\in\mathcal{L}} \Pr_{chip}[l|s] \log_2 \hat{\Pr}_{model}[s^*|l], \\
&= \begin{pmatrix}
\hat{h}_{1,1} & \hat{h}_{1,2} & \dots & \hat{h}_{1,|\mathcal{S}|} \\
\hat{h}_{2,1} & \hat{h}_{2,2} & \dots & \hat{h}_{2,|\mathcal{S}|} \\
\dots & \dots & \dots & \dots \\
\hat{h}_{|\mathcal{S}|,1} & \hat{h}_{|\mathcal{S}|,2} & \dots & \hat{h}_{|\mathcal{S}|,|\mathcal{S}|}
\end{pmatrix}
\end{aligned}$$

Model soundness
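
An added example (not from the presentation) that evaluates the perceived information and the entropy matrix for three adversary models against one target chip: the chip's own pdfs, templates from a single other chip, and templates pooled over several chips with the inter-chip variance added to the noise variance. All means and the noise level are constructed values; the soundness test is the diagonal-minimum criterion of the framework paper cited earlier, which the slide does not spell out, and PI is computed as H[X] minus the mean diagonal entry, each entry carrying the leading minus sign of its definition.

```python
import math
import statistics

SIGMA_NOISE = 0.1              # constructed measurement-noise std
TARGET = [0.0, 0.4, 0.8, 1.2]  # constructed mean leakage per x on the target chip
PROFILING = [[0.1, 0.8, 0.5, 1.2], [-0.1, 0.3, 0.9, 1.3],  # constructed means of
             [0.0, 0.2, 1.0, 1.1], [0.0, 0.5, 0.6, 1.2]]   # four profiling chips

def log_pdf(l, mu, var):
    return -0.5 * math.log(2 * math.pi * var) - (l - mu) ** 2 / (2 * var)

def entropy_matrix(chip, model, lo=-1.0, hi=2.2, step=0.002):
    """h[s][t] = -sum_l Pr_chip[l|s] log2 Pr_model[t|l], midpoint integration over l."""
    n = len(chip)
    h = [[0.0] * n for _ in range(n)]
    for i in range(round((hi - lo) / step)):
        l = lo + (i + 0.5) * step
        logs = [log_pdf(l, mu, var) for mu, var in model]
        top = max(logs)        # log-sum-exp keeps narrow templates finite
        norm = top + math.log(sum(math.exp(v - top) for v in logs))
        for s, (mu, var) in enumerate(chip):
            w = math.exp(log_pdf(l, mu, var)) * step   # Pr_chip[l|s] dl
            for t in range(n):
                h[s][t] -= w * (logs[t] - norm) / math.log(2)
    return h

def perceived_information(h):
    """Uniform X: H[X] minus the mean of the diagonal of the entropy matrix."""
    return math.log2(len(h)) - sum(h[s][s] for s in range(len(h))) / len(h)

def is_sound(h):
    """True when the smallest entry of every row lies on the diagonal."""
    return all(min(range(len(r)), key=r.__getitem__) == s for s, r in enumerate(h))

def pooled_templates(chips, noise_var):
    """Mean of the chips' means; variance = inter-chip variance + noise variance."""
    return [(statistics.mean(col), statistics.variance(col) + noise_var)
            for col in zip(*chips)]

def compare():
    """Return {model name: (PI in bits, sound?)} for the constructed target chip."""
    nv = SIGMA_NOISE ** 2
    chip = [(m, nv) for m in TARGET]
    models = {"perfect": chip, "single_chip": [(m, nv) for m in PROFILING[0]],
              "pooled": pooled_templates(PROFILING, nv)}
    mats = {name: entropy_matrix(chip, m) for name, m in models.items()}
    return {name: (perceived_information(h), is_sound(h)) for name, h in mats.items()}
```

With these constructed values the single-chip model gives a negative PI and fails the soundness test, while the pooled model stays sound at a PI below the MI of the perfect model.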

Results
[Figure: success rate for non-profiled attacks]

Conclusions
◮ Important to take variability into account.
◮ Perceived information is a useful informal metric when the adversary is not optimal.
◮ HW leakage model is not always relevant.