Power Analysis – an overview Agenda Analysis Measurements Benedikt Gierlichs KU Leuven – COSIC, Belgium benedikt.gierlichs@esat.kuleuven.be Pre-processing Attacks Summer School on Evaluation Design and security of cryptographic algorithms and devices for real-world applications Countermeasures Šibenik, Croatia , 5 June 2014 Šibenik, 05.06.2014 Summer School on Design and Security - Benedikt Gierlichs 2 Measuring power consumption Measuring power consumption (2) • Not average power over time, not peak power • Logic: constant supply voltage, supply current varies • Instantaneous power over time • Predominant technology: CMOS – Trace or curve, many samples – Low static power consumption Time – Relatively high dynamic power consumption Central computer – Power consumption depends on input • Typical setup: • CMOS inverter: Input Output Current 0 -1 0 0 1 1 Low tra n s itio n 0 1 1 0 Discharge Oscilloscope 1 0 0 1 Charge Clock generator 1 1 0 0 Low Power supply Probes Device under attack Šibenik, 05.06.2014 Summer School on Design and Security - Benedikt Gierlichs 3 Šibenik, 05.06.2014 Summer School on Design and Security - Benedikt Gierlichs 4 Benedikt Gierlichs, KU Leuven - COSIC
Measuring power consumption (3) Measuring power consumption (4) • Oscilloscope can only measure voltage • Contactless (passive RFID) i – Generate voltage signal, proportional to current – Public transport ticket, access control, etc. U R – Electronic passport, contactless credit card, etc. • Measure in VDD or GND line • Harvest energy from field supplied by – Resistor (Ohm's law: U = R x i), measure U over resistor – Current probe: current field voltage reader – Dedicated measurement circuits – No immediate access to power lines [gemsecuritysystem.com] [Tektronix] • Would require "opening" the device, tamper evidence • Measure 'global' E or H field of the device • Measure how much power RFID took from field – Field intensity proportional to power consumption – Best with analogue processing – Field orientation depends on current direction [KOP09, KOP11, OP11] [Rohde&Schwarz] Šibenik, 05.06.2014 Summer School on Design and Security - Benedikt Gierlichs 5 Šibenik, 05.06.2014 Summer School on Design and Security - Benedikt Gierlichs 6 Measuring power consumption (5) Power analysis attacks • What matters? • If power consumption "patterns" depend on secret values, [JO05] power analysis attacks can possibly reveal the secrets • Simple power analysis (SPA) attacks • Noise: will typically increase number of measurements [KJJ99] • Differential power analysis (DPA) attacks required (see countermeasures later) – Intrinsic, ambient, quantization, countermeasures, etc. • Internal collision attacks • Bandwidth • Algebraic side channel attacks [RSV09] – How much is enough? Is sampling rate limiting factor? Probes etc. • Orthogonal: non-profiled (ad-hoc) versus profiled • Sampling rate – Non-profiled: little prior knowledge about how the device leaks and • Trigger point noise distribution, relies on assumptions – Profiled: profiling of the leakage behaviour and noise distribution, – Stable trigger point simplifies many attacks typically training of a classifier; machine learning; feature selection Šibenik, 05.06.2014 Summer School on Design and Security - Benedikt Gierlichs 7 Šibenik, 05.06.2014 Summer School on Design and Security - Benedikt Gierlichs 8 Benedikt Gierlichs, KU Leuven - COSIC
Simple power analysis attacks Simple power analysis attacks (2) • Anything but simple (except in examples ) • Patterns (many-cycle sequences) show, e.g.: – Symmetric crypto algorithms: • Visual inspection of few traces, worst/best case: single shot • Number of rounds (resp. key length), loops • Memory accesses (sometimes higher power consumption) • Often exploitation of direct key dependencies, input and RSA sign, S = M d mod N output data need not be known (but they are useful for – Asymmetric crypto algorithms: with d =d n-1 d n-2 ...d 0 verification) • Key (if badly implemented, e.g. RSA / ECC) • Key length x = 1 • Require: expertise, experience, detailed knowledge about for j = n-1 to 0 • Implementation details (e.g. RSA with CRT) x = x² mod N conditional target device and implementation if d j == 1 then operation • Search for repetitive patterns x = xM mod N • Example: patterns end if end for return S = x Šibenik, 05.06.2014 Summer School on Design and Security - Benedikt Gierlichs 9 Šibenik, 05.06.2014 Summer School on Design and Security - Benedikt Gierlichs 10 Simple power analysis attacks (3) Internal collision attacks • Example: RSA exponentiation S = M d mod N • Collision: a key-dependent intermediate • Crypto coprocessor optimized for squaring result takes the same value for two different inputs: f(input1,key) = f(input2,key) • Detection: – Collision not visible in output, hence internal collision – If a collision occurs, the curves corresponding to the two inputs should be 'similar' at time/points where collision is expected – Statistical methods detect this, e.g. least-squares test, correlation • Exploitation: relatively simple cryptanalysis – Exploit occurrence and absence of collisions – Possibly adaptively chosen inputs [courtesy: C. Clavier] [SWP03] (DES) and [SLFP04] (AES) Šibenik, 05.06.2014 Summer School on Design and Security - Benedikt Gierlichs 11 Šibenik, 05.06.2014 Summer School on Design and Security - Benedikt Gierlichs 12 Benedikt Gierlichs, KU Leuven - COSIC
Internal collision attacks (2) Internal collision attacks (3) • Collision persists: for short up to long interval • Example for public-key crypto: ECC – Single intermediate result, long sequence of intermediate results – ECC scalar multiplication kP usually works on the binary expansion of k (k n-1 , k n-2 ,...,k 1 ,k 0 ) – Typically: the longer, the easier to detect – A sequence of point doublings and point additions – One needs to know where to look for collision • The doubling attack – To find out what happened in iteration i, test which values are • Extensions: collisions in two or more different intermediate computed in iteration i+1 results, one or multiple traces – First trace: input P – f 1 (input 1 ,key) = f 2 (input 1 ,key) with f 1 ≠ f 2 • Iteration 1: P 2P or P 3P depending on k n-2 – f 1 (input 1 ,key) = f 2 (input 2 ,key) with input 1 ≠ input 2 • Iteration 2: the doubling computes 2·2P or 2·3P – ... – Second trace: input 2P ? – Requires shifting the traces before comparison • Iteration 1: the doubling computes 2·2P • Compare that to doubling in iteration 2 of P trace [FV03] Šibenik, 05.06.2014 Summer School on Design and Security - Benedikt Gierlichs 13 Šibenik, 05.06.2014 Summer School on Design and Security - Benedikt Gierlichs 14 Differential power analysis attacks Differential power analysis attacks (2) • Recall: divide and conquer principle • Differential attacks use statistics to exploit the data- – Block ciphers: strength from a sequence of many 'weak' steps dependent variations of the power consumption – Intermediate results often depend only on a few key bits – Recover the secret in several small chunks • ~50 to millions of measurements – Problem: no access to weak intermediate results • Input or output of implementation need to be known (typically) • Recall CMOS: power consumption of an operation varies with • Require little knowledge about target device and the operand value(s) intermediate results 'leak' implementation (but extra knowledge helps!) • Variation relatively small, not directly observable – Statistics detect weak signals • Weak adversary + strong attack = highly relevant Šibenik, 05.06.2014 Summer School on Design and Security - Benedikt Gierlichs 15 Šibenik, 05.06.2014 Summer School on Design and Security - Benedikt Gierlichs 16 Benedikt Gierlichs, KU Leuven - COSIC
Recommend
More recommend
