ON THE IMPORTANCE OF CONSIDERING PHYSICAL ATTACKS WHEN IMPLEMENTING LIGHTWEIGHT CRYPTOGRAPHY

Alexandre Adomnicai (1,6), Benjamin Lac (2,6), Anne Canteaut (5), Jacques J.A. Fournier (3), Laurent Masson (1), Renaud Sirdey (4), Assia Tria (2)

(1) Trusted Objects, Rousset, France
(2) CEA-Tech, Gardanne, France
(3) CEA-Leti, Grenoble, France
(4) CEA-List, Saclay, France
(5) Inria, Paris, France
(6) ENSM-SE, Gardanne, France

Lightweight Cryptography Workshop 2016, NIST, October 17-18 2016

Table of Contents

1. Trusted Objects
2. PRIDE
3. CEMA
4. DFA
5. Costs analysis
6. Countermeasures
7. Conclusions & Perspectives

About Trusted Objects

⊲ Trusted Objects is an independent company founded by experienced managers and backed up by a network of industry experts and private investors.
⊲ Trusted Objects' mission is to deliver
  ◦ Products: Embedded secure firmware IPs for IoT applications.
  ◦ Solutions: Secure Element solution, in partnership with secure hardware provider.
  ◦ Services: Security assessment & recommendations, life cycle management, personalization, ...

TO136 Secure Element

⊲ A secure element (SE) is a tamper-resistant hardware platform, capable of securely hosting applications and storing confidential and cryptographic data.
⊲ An SE can be used in addition to a host micro-controller (µC), i.e. the cryptographic computations are delegated to the SE via a bus, but it can also be used as a main secure µC to handle both application and communication.
⊲ The TO136 secure element is built from our firmware and a secure hardware, and communicates through an I2C bus.
⊲ To date, our solution is made from 'traditional cryptography' such as
  ◦ Elliptic Curve Cryptography (ECDSA, ECDH, ECIES, ...)
  ◦ AES, SHA2, HMAC, ...

PRIDE block cipher 1/2

⊲ PRIDE is an iterative 64-bit block cipher composed of 20 rounds and introduced at CRYPTO 2014 by Albrecht et al. [1].
⊲ We focused on PRIDE because nowadays, it is one of the most efficient lightweight block ciphers when looking at software implementations [2].
⊲ As PRIDE is a simple FX-construction [4], it uses a 128-bit key $k = k_0 \| k_1$ where $k_0$ is used for pre- and post-whitening while $k_1$ is used to produce subkeys $f_r(k_1)$ where

$$f_r(k_1) = k_{1_0} \,\|\, g_r^{(0)}(k_{1_1}) \,\|\, k_{1_2} \,\|\, g_r^{(1)}(k_{1_3}) \,\|\, k_{1_4} \,\|\, g_r^{(2)}(k_{1_5}) \,\|\, k_{1_6} \,\|\, g_r^{(3)}(k_{1_7})$$

for each round $r$, with $g_r^{(i)}(x) = (x + C_i r) \bmod 256$, where the $C_i$ are constants.

PRIDE block cipher 2/2

⊲ Our implementation can be outlined as follows

[Diagram: the message M is XORed with $P(k_0)$, then with $f_1(k_1)$ and passed through R, then XORed with $f_2(k_1)$ and passed through R, and so on up to $f_{19}(k_1)$ and R; the state is then XORed with $f_{20}(k_1)$, passed through R′ and XORed with $P(k_0)$ to give the ciphertext C.]

with $R = L\text{-layer} \circ S\text{-layer}$ and $R' = S\text{-layer}$, where $S\text{-layer} = P \circ S \circ P^{-1}$.
⊲ The design of PRIDE is close to LS-design ciphers. Each round consists of a round key addition, an S-box layer and an L-box layer (except for the final round, which omits the last operation). Hence, a round R can be schematized as follows

Simple Electromagnetic Analysis 1/2

⊲ We have implemented PRIDE in C language on a chip embedding a Cortex-M3 µC.
⊲ Our attacks were performed using a fixed key $k = k_0 \| k_1$ where k0 = 0xa371b246f90cf582 and k1 = 0xe417d148e239ca5d.
⊲ A simple electromagnetic analysis (SEMA) on the whole execution of PRIDE was first performed in order to identify our attack targets.

[Figure: Electromagnetic emanations during a PRIDE execution (voltage in V against time in µs)]

Simple Electromagnetic Analysis 2/2

⊲ At first, it was not obvious how to distinguish each operation within a round.
⊲ Then, we took a look at the last round, which allowed us to determine the different patterns due to the absence of the L-layer.

[Figure: Electromagnetic emanations of the first two rounds of PRIDE block cipher (voltage in V against time in µs; annotated regions: $k_0$ pre-whitening, $f_1(k_1)$ addition, S-layer, L-layer)]

Correlation Electromagnetic Analysis: General principle

⊲ The principle is to make the attack in two stages
  ◦ recovering $P(k_0)$
  ◦ recovering $f_{20}(k_1)$
⊲ We chose to focus on the last round because in the first one, $P(k_0)$ and $f_{20}(k_1)$ are added successively to the state.
⊲ The leakage model was based on the Hamming weight (HW) of the manipulated data.
⊲ In the case of PRIDE, contrary to some other block ciphers such as AES where each byte passes through the S-box independently, each byte depends on several others during the S-layer operation.
⊲ We chose to attack the key addition layer where each byte could be treated independently.

PRIDE S-box formulation on a nibble $a \| b \| c \| d$:

$$A = c \oplus (a \,\&\, b)$$
$$B = d \oplus (b \,\&\, c)$$
$$C = a \oplus (A \,\&\, B)$$
$$D = b \oplus (B \,\&\, C)$$

Correlation Electromagnetic Analysis: Experimentation

⊲ PRIDE was executed for 1000 random plaintexts. The traces matrix is denoted

$$T = \begin{pmatrix} T_0 \\ \vdots \\ T_{6499} \end{pmatrix} = \begin{pmatrix} t_{0,0} & \cdots & t_{0,999} \\ \vdots & \ddots & \vdots \\ t_{6499,0} & \cdots & t_{6499,999} \end{pmatrix}$$

⊲ Then, we computed the estimation matrices in order to recover each byte $P(k_0)_i$ for $0 \le i \le 7$

$$E^i = \begin{pmatrix} E^i_0 \\ \vdots \\ E^i_{255} \end{pmatrix} = \begin{pmatrix} e^i_{0,0} & \cdots & e^i_{0,999} \\ \vdots & \ddots & \vdots \\ e^i_{255,0} & \cdots & e^i_{255,999} \end{pmatrix}$$

where $e^i_{H_K,j} = HW(C_{j,i} \oplus H_K)$.
⊲ Finally, we computed the correlation coefficients matrices $P^i$ from $E^i$ and $T'$, where $T' \subset T$ denotes the traces points corresponding to the last S-layer.

$$P^i = \begin{pmatrix} P^i_0 \\ \vdots \\ P^i_{n-1} \end{pmatrix} = \begin{pmatrix} \rho^i_{0,0} & \cdots & \rho^i_{0,255} \\ \vdots & \ddots & \vdots \\ \rho^i_{n-1,0} & \cdots & \rho^i_{n-1,255} \end{pmatrix}$$

where $\rho^i_{t,H_K} = \mathrm{Corr}(T'_t, E^i_{H_K})$.

Correlation Electromagnetic Analysis: Experimentation

⊲ A symmetry about the x-axis appears because the key hypotheses are simply XORed with the ciphertexts.
⊲ The two's complement $\overline{H_K}$ of each key byte hypothesis $H_K$ leads to a symmetric relation regarding the estimation matrix, i.e. $\forall i\ \forall j,\ e^i_{\overline{H_K},j} = 8 - e^i_{H_K,j}$.
⊲ We can differentiate 8 correlation classes where each one corresponds to a set of key byte hypotheses $S_d$ where the Hamming distance between the real key byte and each element equals $d$ (i.e. $\forall H_K \in S_d,\ HD(H_K, K) = d$).

[Figure: Key recovery of $P(k_0)_0$ with 256-bit key hypotheses (correlation coefficient against points; curves for the good key byte hypothesis $K$, for $H_K$ such that $HD(H_K, K) = 1$ to $7$, and for the twos-complement of $K$)]
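
The experiment on the two slides above, run on simulated data as an added example (not the authors' code): it builds the estimation rows, the correlation matrix, and shows the exact sign flip for the bitwise-complemented hypothesis and the grouping by Hamming distance, which is the leakage a countermeasure on the key addition has to remove. Assumptions: a single ciphertext byte, a constructed key byte 0x5A, Hamming-weight leakage with Gaussian noise at one of four trace points, and hypothetical function names.

```python
import math
import random

def hw(x):
    return bin(x).count("1")

def centered(v):
    m = sum(v) / len(v)
    return [x - m for x in v]

def corr(a, b):
    """Pearson correlation of two already-centered vectors."""
    num = sum(x * y for x, y in zip(a, b))
    return num / math.sqrt(sum(x * x for x in a) * sum(y * y for y in b))

def simulate(key_byte, n_traces=1000, n_points=4, leak_at=2, sigma=1.0, seed=2016):
    """Constructed data: ciphertext bytes C_j and a points-by-traces matrix T'."""
    rng = random.Random(seed)
    cts = [rng.randrange(256) for _ in range(n_traces)]
    traces = [[rng.gauss(0, sigma) + (hw(c ^ key_byte) if t == leak_at else 0)
               for c in cts] for t in range(n_points)]
    return cts, traces

def cema(cts, traces):
    """Return rho[t][H_K] = Corr(T'_t, E_{H_K}) with e_{H_K,j} = HW(C_j xor H_K)."""
    est = [centered([hw(c ^ hk) for c in cts]) for hk in range(256)]
    return [[corr(row, e) for e in est] for row in map(centered, traces)]

def best_hypothesis(rho):
    # Signed maximum: the complemented byte scores exactly -rho, so |rho| would tie.
    return max(range(256), key=lambda hk: max(r[hk] for r in rho))

def class_means(rho_row, key_byte):
    """Mean correlation per Hamming distance between H_K and the real key byte."""
    buckets = {}
    for hk, r in enumerate(rho_row):
        buckets.setdefault(hw(hk ^ key_byte), []).append(r)
    return [sum(v) / len(v) for _, v in sorted(buckets.items())]

KEY = 0x5A  # constructed key byte, not a value from the slides
CTS, TRACES = simulate(KEY)
RHO = cema(CTS, TRACES)

if __name__ == "__main__":
    print(hex(best_hypothesis(RHO)), [round(m, 2) for m in class_means(RHO[2], KEY)])
```

Raising `sigma` or lowering `n_traces` shows how quickly the distance classes merge, which is a simple way to reason about how much noise or masking a protected implementation needs.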