Introduction to Power Analysis
Benedikt Gierlichs
Katholieke Universiteit Leuven – COSIC
benedikt.gierlichs@esat.kuleuven.be
ECRYPT II Summer School: Design and Security of Cryptographic Algorithms and Devices
Albena, Bulgaria, 31 May 2011

Agenda
• Measuring power consumption
• Power analysis (exploration of power traces)
• Power analysis attacks (revealing secrets)
• Differential power analysis attacks: overview
• Practical problems
• Summary

Albena, 31.05.2011 ECRYPT II Summer School - Benedikt Gierlichs 2
Benedikt Gierlichs, K.U.Leuven - COSIC
Measuring power consumption
• Not average power over time, not peak power
• Instantaneous power over time
  – Trace or curve, many samples
  (figure: power trace plotted against time)
• Typical setup:
  – Target device (the crypto implementation under test)
  – Clock and power supply
  – Measurement circuit
  – Digital oscilloscope
  – PC to control it all and to store the curves

Measuring power consumption (2)
• Logic: constant supply voltage, supply current varies
• Predominant technology: CMOS
  – Low static power consumption
  – Relatively high dynamic power consumption
  – Power consumption depends on input
• CMOS inverter (0-1 transitions of input and output):
    Input     Output    Current
    0 → 0     1 → 1     Low
    0 → 1     1 → 0     Discharge
    1 → 0     0 → 1     Charge
    1 → 1     0 → 0     Low
Measuring power consumption (3)
• Oscilloscope can only measure voltage
  – Generate voltage signal proportional to current
  (figure: resistor R in the supply line carrying current i, voltage U measured over R)
• Measure in VDD or GND line
  – Resistor (Ohm's law: U = R × i), measure U over resistor
  – Current probe: current → field → voltage
  – Dedicated measurement circuits [Tektronix]
• Measure 'global' E or H field of the device
  – Field intensity proportional to power consumption
  – Field orientation depends on current direction [Rohde&Schwarz]

Power analysis
• What can we see looking at a curve?
• Information in:
  – Repetitive patterns: typically coarse, structure of algorithm and implementation (e.g. loops)
  – Time: what happens when, program flow
  – Amplitude: what happens at a given moment in time, data flow
    • the same operation, executed with different operand values, consumes more or less power
• Examples: trace inspection
Power analysis (2)
(figure: power trace, quantized voltage against time)
• Unprotected software implementation of AES-128 on 8-bit µC
  – Ten rounds, last round shorter, without MixColumns

Power analysis (3)
(figure: power trace, quantized voltage against time)
• Unprotected software implementation of AES-128 on 8-bit µC
  – Two rounds, four AES building blocks look different
Power analysis (4)
(figure: power trace, quantized voltage against time)
• Few clock cycles on 8-bit µC
  – Capacitive charge and discharge effect visible in every clock cycle
  – Loading and unloading capacitors in the circuit
    • wires, input/output capacitances, parasitic capacitances, etc.
  – Amplitude depends on operation and operand value(s)

Power analysis (5)
• RSA signature generation with CRT
(figure: power trace, quantized voltage against time)
From power analysis to power analysis attacks
• If sequence of patterns, timing or amplitude depends on secret values, power analysis attacks can possibly reveal the secrets [JO05]
• Taxonomy: attacks categorized according to approach, requirements, adversarial power, etc.
• Categories and criteria not 100% clear, definitions vary, transitions are smooth

Power analysis attacks [KJJ99]
• Simple power analysis (SPA) attacks
• Internal collision attacks
• Differential power analysis (DPA) attacks
• Orthogonal: ad-hoc (non-profiled) versus profiled
  – Non-profiled: little prior knowledge about how the device leaks, relies on assumptions
  – Profiled: more or less precise profiling of the leakage behaviour, typically training of a classifier (curve → key(-related information))
Simple power analysis attacks
• Anything but simple (except in examples ☺)
• Visual inspection of few traces, worst/best case: single shot
• Often exploitation of direct key dependencies, input and output data need not be known (but they are useful for verification)
• Require: expertise, experience, detailed knowledge about target device and implementation
• Examples: patterns, amplitude, timing

Simple power analysis attacks (2)
• Patterns (many-cycle sequences) show, e.g.:
  – Symmetric crypto algorithms:
    • Number of rounds (resp. key length), loops
    • Memory accesses (sometimes higher power consumption)
  – Asymmetric crypto algorithms:
    • Key (if badly implemented, e.g. RSA / ECC)
    • Key length
    • Implementation details (e.g. RSA with CRT)
• Search for repetitive patterns

RSA decryption, M = C^d mod N, with d = d_{n-1} d_{n-2} ... d_0:
    x = C
    for j = n-2 down to 0
        x = x² mod N
        if d_j == 1 then
            x = x·C mod N        ← conditional operation
        end if
    end for
    return M = x
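As an added illustration (not part of the slides), the square-and-multiply loop above is written out in Python and instrumented to record the sequence of squarings (S) and multiplications (M), which is exactly the "repetitive pattern" a pattern-level SPA sees. The loop starts at j = n-2 because x is initialised to C, i.e. the leading bit d_{n-1} is taken as 1. Beside it is a Montgomery ladder, a regular exponentiation that performs one multiplication and one squaring per exponent bit whatever its value, and a self-check that reports whether an exponentiation routine's operation sequence changes with the exponent. The base, exponent and modulus (C = 4, d = 13, N = 497) are constructed toy values, not from the slides.

```python
# Added example (not from the slides): operation-sequence view of the slide's
# exponentiation versus a regular (Montgomery ladder) exponentiation.
# C = 4, d = 13, N = 497 below are constructed toy values.

def square_and_multiply(c: int, d: int, n: int):
    """Left-to-right binary exponentiation as on the slide. d must be > 0 so
    that its leading bit is 1 and x can start as c. Returns (c^d mod n, ops)."""
    ops = []
    x = c
    for j in range(d.bit_length() - 2, -1, -1):   # j = n-2 down to 0
        x = x * x % n
        ops.append("S")
        if (d >> j) & 1:                          # conditional multiply, only when d_j == 1
            x = x * c % n
            ops.append("M")
    return x, ops


def montgomery_ladder(c: int, d: int, n: int):
    """Regular exponentiation: every iteration performs one multiplication and
    one squaring, so the recorded operation sequence does not depend on d.
    (The branch still selects which register is written; see the note below.)"""
    ops = []
    r0, r1 = 1, c
    for j in range(d.bit_length() - 1, -1, -1):
        if (d >> j) & 1:
            r0 = r0 * r1 % n
            r1 = r1 * r1 % n
        else:
            r1 = r0 * r1 % n
            r0 = r0 * r0 % n
        ops.append("M")
        ops.append("S")
    return r0, ops


def sequence_depends_on_exponent(exp_fn, c: int, n: int, bit_len: int) -> bool:
    """Self-check for an implementer: run exp_fn for every exponent of the given
    bit length and report whether the operation sequence varies with it."""
    seqs = {tuple(exp_fn(c, d, n)[1]) for d in range(1 << (bit_len - 1), 1 << bit_len)}
    return len(seqs) > 1


if __name__ == "__main__":
    for fn in (square_and_multiply, montgomery_ladder):
        result, ops = fn(4, 13, 497)
        print(fn.__name__, result, "".join(ops),
              "sequence depends on d:", sequence_depends_on_exponent(fn, 4, 497, 4))
```

With d = 13 = 1101b the slide's algorithm produces the sequence S M S S M, from which the bits after the leading one (1, 0, 1) can be read off directly; the ladder always produces M S M S M S M S. The ladder removes the pattern leak discussed on this slide but not every leak: which register is updated still depends on the key bit, so amplitude or address-dependent leakage remains a concern for the later slides.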
Simple power analysis attacks (3)
• Example: RSA exponentiation M = C^d mod N
• Crypto coprocessor optimized for squaring [courtesy: C. Clavier]
(figure: power trace of the exponentiation)

Simple power analysis attacks (4)
• Amplitude in a cycle can show:
  – Exact operand values (extreme case)
  – Often: Hamming weight or Hamming distance of operand(s)
    • Can greatly reduce key space
  – Operation being executed (software, microcontroller)
    • Reverse engineering of implementation details
    • Reverse engineering of e.g. proprietary algorithms (SCARE attacks)
• Typically requires a classifier, device profiling
Simple power analysis attacks (5)
• Example: a MOV instruction with different operand values
• Power consumption varies with Hamming weight of operand
(figure: quantized voltage against time for different operand values)
• Suppose we have a 'dictionary' that translates power consumption values into Hamming weights
• Example: SPA attack on the AES key schedule [M02]
  – Extract HWs of round keys, generate list of suitable round keys
  – Requires 1 plaintext/ciphertext pair to check remaining candidate keys

Simple power analysis attacks (6)
• Timing, e.g. when an operation is executed, can show:
  – Data-dependent branches in software implementations
  – If branch condition does not only depend on key but on intermediate result, one also needs to know input (output)
• Example: a bad implementation of AES MixColumns
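The following added Python example (not from the slides) ties together the CMOS inverter table, the "amplitude depends on operand value" observation and the Hamming-weight 'dictionary' from the MOV slide. It simulates one sample per clock cycle for a register under the two usual leakage models (Hamming distance between consecutive values, and Hamming weight, which is the distance to a bus precharged to zero), then builds a dictionary by profiling every operand value and averaging per Hamming-weight class, and classifies a new sample by the nearest class mean. The noise level, profiling counts and the precharge-to-zero assumption are constructed; the MOV slide only states that the consumption varies with the operand's Hamming weight.

```python
# Added example (not from the slides): simulated leakage under the Hamming-
# distance and Hamming-weight models, and a profiled 'dictionary' that maps
# a measured sample back to a Hamming weight.  All numbers are constructed.
import random
from statistics import mean


def hamming_weight(x: int) -> int:
    return bin(x & 0xFF).count("1")


def hamming_distance(a: int, b: int) -> int:
    return hamming_weight(a ^ b)


def cmos_inverter_current(old_in: int, new_in: int) -> str:
    """The inverter table from the slides: input 0->1 drives the output 1->0
    (output node discharges), input 1->0 drives it 0->1 (node charges)."""
    if old_in == new_in:
        return "Low"
    return "Discharge" if new_in == 1 else "Charge"


def simulate_trace(values, model="hd", sigma=0.0, rng=None, initial=0x00):
    """One sample per clock cycle for a register loaded with `values`.
    'hd': dynamic power proportional to the number of toggling bits,
          HD(previous value, current value).
    'hw': the bus is assumed precharged to 0 before each load, so the
          toggling bits are HD(0, current) = HW(current).
    Gaussian noise with standard deviation `sigma` is added to each sample."""
    rng = rng or random.Random(0)
    trace, prev = [], initial
    for v in values:
        leak = hamming_distance(prev, v) if model == "hd" else hamming_weight(v)
        trace.append(leak + rng.gauss(0.0, sigma))
        prev = v
    return trace


def build_dictionary(n_per_value=20, sigma=0.3, rng=None):
    """Profiling step: measure every 8-bit operand value n_per_value times
    under the HW model and average the samples per Hamming-weight class.
    Returns {hamming weight: mean sample}, the 'dictionary' of the slide."""
    rng = rng or random.Random(1)
    samples = {h: [] for h in range(9)}
    for v in range(256):
        for s in simulate_trace([v] * n_per_value, model="hw", sigma=sigma, rng=rng):
            samples[hamming_weight(v)].append(s)
    return {h: mean(s) for h, s in samples.items()}


def classify_hw(sample: float, dictionary: dict) -> int:
    """Translate one measured sample into the Hamming-weight class whose
    profiled mean is closest (nearest-mean classifier)."""
    return min(dictionary, key=lambda h: abs(dictionary[h] - sample))


if __name__ == "__main__":
    print("hd model:", simulate_trace([0xA5, 0xA5, 0x00], model="hd"))
    print("hw model:", simulate_trace([0xA5, 0xA5, 0x00], model="hw"))
    d = build_dictionary()
    print("dictionary:", {h: round(m, 2) for h, m in d.items()})
    noisy = simulate_trace([0x0F], model="hw", sigma=0.3, rng=random.Random(7))[0]
    print("sample", round(noisy, 2), "-> HW", classify_hw(noisy, d))
```

The two model calls on [0xA5, 0xA5, 0x00] show the difference that matters for a defender: under the HD model the second cycle leaks nothing because the register value does not change, under the HW model every load of 0xA5 leaks 4. The dictionary quality depends on how many profiling traces each class gets; classes 0 and 8 are populated by a single operand value each, so they are the noisiest entries.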
SPA on a bad implementation of AES MixColumns
• Per output byte a couple of XORs and multiplication by 2 [DR98]
  – Multiplication is in Rijndael's Galois field
  – Modular reduction necessary
• A naive implementation on 8-bit processor: compute {02}a:
  – Multiply by 2 (e.g. left shift)
  – Conditionally (e.g. is carry set?) perform the reduction (XOR {1B})
• Execution time depends on MSB of a

SPA on a bad implementation of AES MixColumns (2)
• a = SubBytes() of XOR of some plaintext byte i and key byte j
• Compute 256×256 table T
  – T[i][j] = 1 if MSB of SubBytes(i XOR j) equals 1, else T[i][j] = 0
• Encrypt a few random plaintexts and determine for each of them if {02}a takes more (1) or less (0) time
• Compare values with table T to identify column j and thus key byte j
• Repeat for b, c and d, then target next MixColumns()
  – Attack has to be performed in the correct 'temporal' order to take previously introduced delays into account
  – Alternative: chosen plaintexts with all but one byte fixed; compare [KQ99]
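As an added example (not from the slides), here is the naive {02}·a from the slide, shift followed by a carry-dependent reduction, next to a branch-free version that always computes the reduction and masks it in or out. Both are wired into a MixColumns column transform, and a self-check confirms that the naive version's cost varies with the MSB of a while the branch-free one is flat. The cycle counts are a constructed cost model (one cycle for the shift, one more for the reduction) rather than measurements of any particular 8-bit core; the MixColumns test column and its result are the standard FIPS-197 example.

```python
# Added example (not from the slides): branching versus branch-free xtime
# ({02} multiplication in Rijndael's field) with a constructed cycle-count model.

def xtime_naive(a: int):
    """Shift, then reduce only if the carry (the old MSB) is set.
    Returns (value, cycles); the conditional reduction costs one extra cycle.
    This is the data-dependent branch the slide describes."""
    cycles = 1
    a <<= 1
    if a & 0x100:              # carry set: reduce modulo x^8 + x^4 + x^3 + x + 1
        a ^= 0x11B             # clears the carry bit and XORs {1B}
        cycles += 1
    return a, cycles


def xtime_ct(a: int):
    """Branch-free: mask is 0xFF when the MSB of a is set, 0x00 otherwise, so
    the reduction is always computed and the cost does not depend on a."""
    mask = -(a >> 7) & 0xFF
    return ((a << 1) & 0xFF) ^ (0x1B & mask), 2


def mix_column(col, xtime=xtime_ct):
    """AES MixColumns on one 4-byte column [DR98]:
    {02}x = xtime(x) and {03}x = xtime(x) XOR x."""
    a0, a1, a2, a3 = col

    def two(x):
        return xtime(x)[0]

    def three(x):
        return xtime(x)[0] ^ x

    return [two(a0) ^ three(a1) ^ a2 ^ a3,
            a0 ^ two(a1) ^ three(a2) ^ a3,
            a0 ^ a1 ^ two(a2) ^ three(a3),
            three(a0) ^ a1 ^ a2 ^ two(a3)]


def timing_reveals_msb(xtime) -> bool:
    """Implementer's self-check for the leak on the slide: does the cost of
    xtime(a) differ between operands with MSB clear and MSB set?"""
    costs = {xtime(a)[1] for a in range(256)}
    return len(costs) > 1


if __name__ == "__main__":
    col = [0xDB, 0x13, 0x53, 0x45]          # FIPS-197 MixColumns example column
    print("naive :", [hex(b) for b in mix_column(col, xtime_naive)])
    print("ct    :", [hex(b) for b in mix_column(col, xtime_ct)])
    for fn in (xtime_naive, xtime_ct):
        print(fn.__name__, "cycles for a=0x13 / 0xDB:",
              fn(0x13)[1], fn(0xDB)[1], "| timing reveals MSB:", timing_reveals_msb(fn))
```

Both variants produce the same field elements and the same column (8E 4D A1 BC for DB 13 53 45), but only the naive one spends an extra cycle exactly when the MSB of the operand is set, which is the bit the table T on the slide is built from. On the 8-bit target the branch-free form maps to a shift, a sign-extension of the carry into a mask, and an AND/XOR; Python itself makes no constant-time guarantees, so the example demonstrates the structure, not a measurement.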