
On the Power of Power Analyses


  1. On the Power of Power Analyses
     Sylvain GUILLEY, Laurent SAUVAGE, Florent FLAMENT, Maxime NASSAR, Nidhal SELMANE, Jean-Luc DANGER, Philippe HOOGVORST, Tarik GRABA, Yves MATHIEU & Renaud PACALET <sylvain.guilley@TELECOM-ParisTech.fr>
     Institut TELECOM / TELECOM-ParisTech, CNRS – LTCI (UMR 5141)
     SECURE
     ALI (ENSTA) and SALSA (LIP6/INRIA) seminar, Friday March 6th, 2009, 11:00–12:00, LIP6, room 847.

  2. Presentation Outline
     1. Introduction
     2. Attacks: DPA Oracles; Study of the Power Leakage on ASICs & FPGAs
     3. Counter-Measures: Information Hiding; Information Masking; Encrypted Leakage
     4. New Applications of DPA: On-line Test of PCB or ASICs; SCA for Reverse-Engineering: SCARE
     5. Conclusions & Perspectives: The DPA Contest; EveSoC: an eavesdropping SoC

  3. Trusted Objects Security Market Segmentation
     Large markets (lo-end devices):
     - RFID tags, smart dust
     - SIM, Pay-TV, Bank (EMV), national-ID, E-Passport, healthcare, public transportation
     - TPM, DRM and other ad hoc digital media usage limitation techniques
     - Access control, login, biometry
     Small markets (hi-end devices):
     - VPN, encrypting USB dongles, secured PCs
     - Government and military PDA, firewalls, IDS
     - State cryptography for embassies and warfare command

  4. Market Demand versus Available Products
     Large markets (lo-end devices): Application Specific Integrated Circuits = ASICs.
     Small markets (hi-end devices): Field Programmable Gate Arrays = FPGAs.
     Current trend for more FPGAs:
     - Low-power models, e.g. ACTEL Igloo
     - Computing-intensive models, e.g. ATMEL AT40K
     Embedded FPGAs are also an envisioned product addressing the “performance” versus “flexibility” trade-off.

  5. “Trusted Computing” Context: Side-Channel Attacks
     The Problematic:
     - Cryptographic algorithms have traditionally been studied to withstand theoretical attacks;
     - However, when these algorithms are implemented on embedded devices such as smartcards, many other specific attacks become possible (like SCA = Side-Channel Attacks).
     [Figure: attacked circuit and its side channels: EMA; SPA, DPA, CPA, templates, ...; TA (time).]

  6. “Trusted Computing” Context: Fault Attacks
     The Problematic:
     - Faulty results allow an attacker to gain information about the secrets;
     - The rationale is that the knowledge of both $c = \mathrm{AES}(k, m)$ and $c^* = \mathrm{AES}^*(k, m)$ makes it possible to discard some values of $k$ when the error (identified by “*”) occurs preferentially in one of the last rounds.
     Typology of fault errors:
     - Non-invasive: power or clock perturbation [10,6]
     - Semi-invasive: depackaging required ⇒ laser attacks possible
     - Invasive: complete reverse-engineering possible

  8. Power & Electro-Magnetic Traces Analysis
     CMOS gate dissipation model:
     - conducted dissipation ⇒ power side-channel
     - radiated dissipation ⇒ electro-magnetic side-channel
     - no change ⇒ no dissipation
     - change ⇒ dissipation
     Hence the law: dissipation = f(activity).
     CMOS circuits dissipation model:
     $$\text{Power} = \sum_{i \in \text{nets}} \xi_i^{\uparrow} \cdot \overline{i(t-1)} \cdot i(t) + \xi_i^{\downarrow} \cdot i(t-1) \cdot \overline{i(t)}$$
     Referred to as the Hamming Distance model, since $\xi_i^{\uparrow} \approx \xi_i^{\downarrow}$.

  9. Sample Encryptions With Hamming Distance Classes [1/3]
     [Figure: average trace [mV] versus time (0 to 20000), one curve per Hamming distance class: 24, 28, 32, 36, 40.]

  10. Sample Encryptions With Hamming Distance Classes [2/3]
     [Figure: average trace [mV] (-8 to 8) versus time (0 to 20000), one curve per Hamming distance class: 24, 28, 32, 36, 40.]

  11. Sample Encryptions With Hamming Distance Classes [3/3]
     [Figure: average trace [mV] (-8 to 8) versus time (14000 to 16500), one curve per Hamming distance class: 24, 28, 32, 36, 40.]

  12. $\mathrm{DPA}_{\mathrm{diff}}$, $\mathrm{DPA}_{\mathrm{cov}}$ and CPA Oracles
     Amongst the many oracles that have been proposed, we focus on three of them, noted:
     1. $\mathrm{DPA}_{\mathrm{diff}}$: Differential Power Analysis (difference of means),
     2. $\mathrm{DPA}_{\mathrm{cov}}$: Differential Power Analysis (covariance) and
     3. CPA: Correlation Power Analysis,
     defined in equations (1), (2) and (3).

  13. $\mathrm{DPA}_{\mathrm{diff}}$
     The idea behind the $\mathrm{DPA}_{\mathrm{diff}}$ is to exhibit an asymptotic difference between the behaviors. The “difference of means” criterion introduced by Paul Kocher is:
     $$\mathrm{DPA}_{\mathrm{diff}} \doteq \frac{1}{m_0} \sum_{i / D_i = 0} T_i - \frac{1}{m_1} \sum_{i / D_i = 1} T_i, \qquad (1)$$
     where $m_0$ and $m_1$ denote the number of traces for each decision. More specifically, $m_0 \doteq \#\{ i \in [0, m[ \; / \; D_i = 0 \}$ and, symmetrically, $m_1 \doteq \sum_{i=0}^{m-1} D_i$, with the following complementation property: $m_0 + m_1 = m$.

  14. $\mathrm{DPA}_{\mathrm{cov}}$
     A seemingly different approach consists in computing a covariance between the $m$ traces and their associated decision functions. The DPA covariance estimator is:
     $$\mathrm{DPA}_{\mathrm{cov}} \doteq \frac{1}{m} \sum_i T_i \times D_i - \frac{1}{m} \sum_i T_i \times \frac{1}{m} \sum_i D_i. \qquad (2)$$
     It extracts the contribution of $D_i$: only the net $i$ is selected out of the whole netlist $j$ [5].

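  15. $\mathrm{DPA}_{\mathrm{diff}}$ versus $\mathrm{DPA}_{\mathrm{cov}}$
     The two definitions of the DPA actually coincide, as long as the decision function is balanced.
     Proof. Assuming that $m_0 = m_1 = m/2$,
     $$\mathrm{DPA}_{\mathrm{cov}} = \frac{1}{m} \sum_i T_i \times \left( D_i - \frac{1}{2} \right)$$
     $$= \frac{1}{2m} \sum_i T_i \times (-1)^{D_i} \quad \text{(covariance with the character function of } D\text{)}$$
     $$= \frac{1}{4} \, \mathrm{DPA}_{\mathrm{diff}}.$$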

  16. Mono-bit versus Multi-bit DPA
     Vectorial Decision Function $D$: $D \in \{0, 1\}^n$
     Mono-bit: (-1, +1)
     4 bits: (-2, -1, 0, +1, +2)
     Dominant practice: assume the partial key bits are indiscernible. Hence partition traces according to $|D| \in [0, n]$.
     Several philosophies:
     1. Thomas S. MESSERGES [9]: prune all but $|D| = 0$ or $n$, and continue à la mono-bit
     2. Éric BRIER [2]: weight the partitions with $|D|$
     3. Thanh-Ha LE [8,7]: weight the partitions with (−1, −2, 0, +2, +1)
     [Figure: # traces to break (0 to 2500) per DES S-Box (1 to 8).]

  17. CPA
     By definition [2], CPA is a normalization of the DPA. It is defined as a correlation coefficient, estimated by:
     $$\mathrm{CPA} \doteq \frac{\mathrm{DPA}_{\mathrm{cov}}}{\sigma_T \cdot \sigma_D} \in [-1, +1], \qquad (3)$$
     where $\sigma_X$ is the standard deviation of the random variable $X$, for which an unbiased empirical estimator is
     $$\sqrt{ \frac{1}{m-1} \sum_{i=0}^{m-1} \left( X_i - \frac{1}{m} \sum_{j=0}^{m-1} X_j \right)^2 }.$$
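
An added example (not from the slides): the three oracles of equations (1) to (3) computed on constructed single-sample traces, as one would do to assess how much a modelled net leaks against each key-nibble guess. The PRESENT 4-bit S-box, the leakage model (one targeted net plus Gaussian noise) and all function names are assumptions of this example; with the subtraction order of (1), the covariance and the difference of means come out with opposite signs on a balanced partition.

```python
import random
from statistics import mean, stdev

# PRESENT cipher 4-bit S-box, used here only as a small stand-in target (assumption).
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]
BIT = 1  # S-box output bit (the "net") selected by the decision function

def decision(p, guess):
    """Mono-bit decision function D_i for plaintext nibble p under a key guess."""
    return (SBOX[p ^ guess] >> BIT) & 1

def simulate(key, m=1600, noise=1.0, seed=2009):
    """Constructed one-sample traces: the targeted net plus Gaussian noise
    standing in for the rest of the netlist (simplifying assumption)."""
    rng = random.Random(seed)
    plains = [i % 16 for i in range(m)]  # balanced inputs, so m0 = m1 = m/2
    traces = [decision(p, key) + rng.gauss(0, noise) for p in plains]
    return plains, traces

def dpa_diff(T, D):
    """Equation (1): mean of traces with D_i = 0 minus mean of those with D_i = 1."""
    return (mean(t for t, d in zip(T, D) if d == 0)
            - mean(t for t, d in zip(T, D) if d == 1))

def dpa_cov(T, D):
    """Equation (2): empirical covariance of traces and decisions."""
    return mean(t * d for t, d in zip(T, D)) - mean(T) * mean(D)

def cpa(T, D):
    """Equation (3): DPA_cov normalised by the unbiased standard deviations."""
    return dpa_cov(T, D) / (stdev(T) * stdev(D))

def rank_guesses(plains, T, oracle):
    """Score all 16 key-nibble guesses; return (guesses by decreasing |score|, scores)."""
    scores = {g: oracle(T, [decision(p, g) for p in plains]) for g in range(16)}
    return sorted(scores, key=lambda g: -abs(scores[g])), scores

if __name__ == "__main__":
    plains, T = simulate(key=0xB)
    for oracle in (dpa_diff, dpa_cov, cpa):
        order, scores = rank_guesses(plains, T, oracle)
        print(f"{oracle.__name__:8s} best guess {order[0]:#x} score {scores[order[0]]:+.3f}")
```

All three oracles rank the guesses identically here because the partition is balanced for every guess, so they differ only by a constant factor.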

  18. $\mathrm{DPA}_{\mathrm{cov}}$ versus CPA (1/2)
     [Figure, two panels. "DPA cov after 1k traces": DPA differential trace, averaging over 1k traces, difference of potential [mV] versus time [clock cycles]. "CPA after 1k traces": CPA differential trace, estimation over 1k traces, correlation factor [-100%:+100%] versus time [clock cycles]. Annotations: correct peaks; noisy peak (@ clock 38).]

  19. $\mathrm{DPA}_{\mathrm{cov}}$ versus CPA (2/2)
     [Figure, two panels. "DPA cov after 10k traces": DPA differential trace, averaging over 10k traces, difference of potential [mV] versus time [clock cycles]. "CPA after 10k traces": CPA differential trace, estimation over 10k traces, correlation factor [-100%:+100%] versus time [clock cycles]. Annotations: correct peaks; noisy peak (@ clock 38) has vanished.]
