the chip mia and the table
play

The Chip, Mia and the Table Lejla Batina March 4, 2020 Institute - PowerPoint PPT Presentation

Nov 01, 2023 •223 likes •884 views

The Chip, Mia and the Table Lejla Batina March 4, 2020 Institute for Computing and Information Sciences Radboud University High-Tech Women in Science and Technology March 4, 2020, Darmstadt 1 The Chip, Mia and the Table 2 Opening So,

  1. The Chip, Mia and the Table Lejla Batina March 4, 2020 Institute for Computing and Information Sciences Radboud University High-Tech Women in Science and Technology March 4, 2020, Darmstadt 1

  2. The Chip, Mia and the Table 2

  3. Opening “So, you want to be a cryptographer”, Bruce Schneier’s newsletter, Oct. 1999 3

  4. Crypto devices 4

  5. Critical infrastructure, human SCADA systems, IoT devices 5

  6. Side-channel attacks 6

  7. Using physical leakages 7

  8. Using physical leakages ◮ Recovering secrets through timing, power consumption, EM 7

  9. Using physical leakages ◮ Recovering secrets through timing, power consumption, EM ◮ Often, optimizations enable leakages 7

  10. Relevance September 3, 2019 8

  11. Relevance October 3, 2019 September 3, 2019 8

  12. Relevance November 13, 2019 October 3, 2019 September 3, 2019 8

  13. Relevance November 13, 2019 October 3, 2019 September 3, 2019 December 12, 2019 8

  14. The chip

  15. An RSA crypto chip of Pijnenburg Securealink cca year 2000 The chip featured: ◮ Modular exponentiator for RSA (2 units, up to 2048 bit) ◮ Symmetric crypto: (3)DES, SAFER ◮ Hashing: MD5, SHA1 and RIPEMD ◮ True Random Number Generator 9

  16. ECC RFID chip 2007 10

  17. ECC RFID chip: Results ◮ Several protocols were designed for different RFID applications ◮ ECC co-processor that can compute: • ECC scalar multiplications • finite field operations ◮ Schnorr protocol: one scalar multiplication • 14K gates, 79K cycles • 30 µ Watt@500 KHz and performance of 158 msec • energy of 4.8 µ Joule 11

  18. MIA

  19. Information theoretic approach to side-channel analysis Started cca 2006 ◮ MIA was proposed as a new SCA distinguisher ◮ started a new line of research into information theoretic view to side-channel analysis 12

  20. MIA and the chip: Location-based leakage

  21. Motivation ◮ Registers, memory and other storage units exhibit identifiable and data-related leakage 13

  22. Motivation ◮ Registers, memory and other storage units exhibit identifiable and data-related leakage when accessed ◮ Exploit dependence between the secret key and the location of the activated component 13

  23. Motivation ◮ Registers, memory and other storage units exhibit identifiable and data-related leakage when accessed ◮ Exploit dependence between the secret key and the location of the activated component Algorithm 3: Montgomery ladder Input: P , k = ( k x − 1 , k x − 2 , ..., k 0 ) 2 Output: Q = k · P R 0 ← P R 1 ← 2 · P for i = x − 2 downto 0 do b = 1 − k i R b = R 0 + R 1 R k i = 2 · R k i end for return R 0 13

  24. Previous work ◮ Sugawara et al. considered so-called “geometric” leakage in an ASIC 14

  25. Previous work ◮ Sugawara et al. considered so-called “geometric” leakage in an ASIC ◮ Heyszl et al. recovered the secret scalar by exploiting the spatial dependencies of the double-and-add-always algorithm for ECC on FPGA 14

  26. Previous work ◮ Sugawara et al. considered so-called “geometric” leakage in an ASIC ◮ Heyszl et al. recovered the secret scalar by exploiting the spatial dependencies of the double-and-add-always algorithm for ECC on FPGA ◮ Schlosser et al. use photonic side-channel to recover the exact SRAM location accessed during the activation of an AES S-box lookup table 14

  27. Previous work ◮ Sugawara et al. considered so-called “geometric” leakage in an ASIC ◮ Heyszl et al. recovered the secret scalar by exploiting the spatial dependencies of the double-and-add-always algorithm for ECC on FPGA ◮ Schlosser et al. use photonic side-channel to recover the exact SRAM location accessed during the activation of an AES S-box lookup table ◮ Algorithmic countermeasures such as register renaming were considered 14

  28. Previous work ◮ Sugawara et al. considered so-called “geometric” leakage in an ASIC ◮ Heyszl et al. recovered the secret scalar by exploiting the spatial dependencies of the double-and-add-always algorithm for ECC on FPGA ◮ Schlosser et al. use photonic side-channel to recover the exact SRAM location accessed during the activation of an AES S-box lookup table ◮ Algorithmic countermeasures such as register renaming were considered ◮ Literature sometimes referred to those as address attacks 14

  29. Previous work ◮ Sugawara et al. considered so-called “geometric” leakage in an ASIC ◮ Heyszl et al. recovered the secret scalar by exploiting the spatial dependencies of the double-and-add-always algorithm for ECC on FPGA ◮ Schlosser et al. use photonic side-channel to recover the exact SRAM location accessed during the activation of an AES S-box lookup table ◮ Algorithmic countermeasures such as register renaming were considered ◮ Literature sometimes referred to those as address attacks 14

  30. Location-based leakage revisited ◮ Distinguishing the activity of small regions 15

  31. Location-based leakage revisited ◮ Distinguishing the activity of small regions ◮ Exploiting the spatial dependencies of crypto algorithms 15

  32. Location-based leakage revisited ◮ Distinguishing the activity of small regions ◮ Exploiting the spatial dependencies of crypto algorithms ◮ Forward Neural Networks classifiers exploiting location-based side-channel on the SRAM of a ARM Cortex-M4 15

  33. Location-based leakage revisited ◮ Distinguishing the activity of small regions ◮ Exploiting the spatial dependencies of crypto algorithms ◮ Forward Neural Networks classifiers exploiting location-based side-channel on the SRAM of a ARM Cortex-M4 ◮ 2 SRAM regions of 128 bytes each can be distinguished with 100% success rate and 256 SRAM byte-regions with 32% success rate 15

  34. Adversarial model ◮ Implementation of a key-dependent crypto operation using certain storage components in a deterministic way e.g. a lookup-table (AES LUT) 16

  35. Adversarial model ◮ Implementation of a key-dependent crypto operation using certain storage components in a deterministic way e.g. a lookup-table (AES LUT) ◮ Location leakage is caused by switching circuitry and is observable via EM emissions on the die surface 16

  36. Adversarial model ◮ Implementation of a key-dependent crypto operation using certain storage components in a deterministic way e.g. a lookup-table (AES LUT) ◮ Location leakage is caused by switching circuitry and is observable via EM emissions on the die surface ◮ Adversary aims to infer which part of the table is active 16

  37. Adversarial model ◮ Implementation of a key-dependent crypto operation using certain storage components in a deterministic way e.g. a lookup-table (AES LUT) ◮ Location leakage is caused by switching circuitry and is observable via EM emissions on the die surface ◮ Adversary aims to infer which part of the table is active ◮ Adversary uncovers the location information leading to key recovery 16

  38. Experimental setup Figure: Modified Pinata ARM STM32F417IG device. Figure: Decapsulated Pinata with Langer microprobe on top. 17

  39. Setup details ◮ Decapsulated Piñata with ARM Cortex-M4 in 90 nm technology ◮ ICR HH 100-27 Langer microprobe d = 100 µ m ◮ Rectangular grid of 300 × 300 measurement spots ◮ Sampling rate of 1 Gs/sec resulting in 170 k samples ◮ Near-field probe with positioning accuracy of 50 µ m Figure: ARM Cortex-M4 after removal of the plastic layer. ◮ Sequential accesses to a cont. region of 16 KBytes in the SRAM using ARM assembly 18

  40. Experiment Figure: Distinguishing two 8 KByte regions of the SRAM. Yellow region = stronger Figure: Red rectangle shows the location leakage from class 1, blue = stronger from where the highest differences were class 2. observed. 19

  41. Parameters Parameter Description Unit Our example ≤ 6 mm 2 (whole chip) u 2 S chip surface area u 2 0 . 03 mm 2 O probe area G scan grid dimension – 300 A component areas vector with 1D entries – P component positions vector with 2D entries – 20

  42. Location Leakage Model Figure: Vectors p 1 , p 2 show the position of two components whose areas ( a 1 , a 2 ) are solid black-line rectangles. 21

  43. Information theoretic analysis Perceived information metric � � PI ( L ; R ) = H [ R ] − H true , model [ L | R ] = H [ R ]+ Pr [ r ] · Pr true [ l | r ] · log 2 Pr model [ r | l ] d l r ∈R l ∈L g 2 Pr model [ l | r ] 1 where Pr model [ r | l ] = r ∗ ∈R Pr model [ l | r ∗ ] , Pr true [ l | r ] = n test , n test test set size � (1) 22

  44. Experiment 1: Grid partitioning and dimension Figure: Effect of 256-byte LUT partitioning Figure: Effect of grid dim. g = 100 , 40 and to 2, 8 and 16 regions. ǫ = 20. ǫ = { 6 mm 2 , 0 . 03 mm 2 , 100 , 92 µ m 2 , random } { 6 mm 2 , 0 . 03 mm 2 , g , 92 µ m 2 , random } . 23

  45. Experiment 2: Technology scaling and algorithmic noise Figure: Feature size of 180 nm , 120 nm , Figure: Alg. noise using 10 90 nm and word area a = noise-generating words. Parameters ǫ = 368 µ m 2 , 163 µ m 2 , 92 µ m 2 . Parameters { 6 mm 2 , 0 . 03 mm 2 , 40 , 92 µ m 2 , random } , ǫ = { 6 mm 2 , 0 . 03 mm 2 , 40 , a , random } , 2 x 2 x 128 bytes, 250 meas. per spot for 400k 128 bytes, 250 meas. per spot for 400k traces. traces. 24

Recommend

Who are the Chip Doctors ? Since 1991 The Chip Doctors, LLC have been providing assistance to the

Who are the Chip Doctors ? Since 1991 The Chip Doctors, LLC have been providing assistance to the

M easure, A nalyze , C orrective action, and S ustainability In Search of Chip Quality & Financial Return for Biomass Products Confidential: Proprietary information that is Patented and Trade Marked by The Chip Doctors, LLC and Fiber-M, Inc.

1.2k views • 46 slides
Exploring Chip to Chip Photonic Networks Philip Watts Computer Laboratory University of Cambridge

Exploring Chip to Chip Photonic Networks Philip Watts Computer Laboratory University of Cambridge

Exploring Chip to Chip Photonic Networks Philip Watts Computer Laboratory University of Cambridge Acknowledgement: Royal Commission for the Exhibition of 1851 Exploring Chip to Chip Photonics p g p p Bandwidth improvements in

90 views • 8 slides
The Parallella Computer and the Epiphany Chip William Tracy 2016 Table of Contents Introduction

The Parallella Computer and the Epiphany Chip William Tracy 2016 Table of Contents Introduction

The Parallella Computer and the Epiphany Chip William Tracy 2016 Table of Contents Introduction The Kickstarter The Epiphany The Parallella Key Definitions Adapteva: The company behind the Epiphany and the Parallella Key Definitions

788 views • 44 slides
7 On-Chip Interconnection Networks Chip Multiprocessors (ACS MPhil) Robert Mullins

7 On-Chip Interconnection Networks Chip Multiprocessors (ACS MPhil) Robert Mullins

7 On-Chip Interconnection Networks Chip Multiprocessors (ACS MPhil) Robert Mullins Introduction Vast transistor budgets, but .... Poor interconnect scaling Pressure to decentralise designs Need to manage complexity and power

960 views • 63 slides
Methods for Analyzing ChIP-Seq data Introduction to the ChIP-Seq server at SIB Lausanne Public

Methods for Analyzing ChIP-Seq data Introduction to the ChIP-Seq server at SIB Lausanne Public

Methods for Analyzing ChIP-Seq data Introduction to the ChIP-Seq server at SIB Lausanne Public ChIP-seq data: the bioinformatics event of the year 2007: Large data sets have become available: Barski et al. (2007): human CD4+ cell lines histone

396 views • 8 slides
Columbia University Chip-Scale Interconnection Networks Chip multi-processors create need

Columbia University Chip-Scale Interconnection Networks Chip multi-processors create need

Hybrid On-chip Data Networks Gilbert Hendry Keren Bergman Lightwave Research Lab Columbia University Chip-Scale Interconnection Networks Chip multi-processors create need for high performance interconnects Performance bottleneck of

742 views • 46 slides
Calibration des Microroc (II) Alex, Cyril, Giom, Jean, Max 09 Mai 2011, Annecy 1 Reminder 2

Calibration des Microroc (II) Alex, Cyril, Giom, Jean, Max 09 Mai 2011, Annecy 1 Reminder 2

Reminder Comparison single chip & ASU chip Chip to chip variations Outlook Calibration des Microroc (II) Alex, Cyril, Giom, Jean, Max 09 Mai 2011, Annecy 1 Reminder 2 Comparison single chip & ASU chip 3 Chip to chip variations 4

454 views • 7 slides
SoC Design Lecture 10: On-Chip Interconnection Networks Lecture 10: On Chip Interconnection

SoC Design Lecture 10: On-Chip Interconnection Networks Lecture 10: On Chip Interconnection

SoC Design Lecture 10: On-Chip Interconnection Networks Lecture 10: On Chip Interconnection Networks Shaahin Hessabi Department of Computer Engineering g g Sharif University of Technology Signal Transmission on SoC We focus on global wires

800 views • 66 slides
Assisted Discovery of On-Chip Debug Interfaces Joe Grand (@joegrand) Introduction On-chip

Assisted Discovery of On-Chip Debug Interfaces Joe Grand (@joegrand) Introduction On-chip

Assisted Discovery of On-Chip Debug Interfaces Joe Grand (@joegrand) Introduction On-chip debug interfaces are a well-known attack vector - Used as a stepping stone to further an attack - Can provide chip-level control of a target

766 views • 35 slides
2015 CHIP Progress 2015 CHIP Overview In May-August 2015, Ottawa County developed its first

2015 CHIP Progress 2015 CHIP Overview In May-August 2015, Ottawa County developed its first

2015 CHIP Progress 2015 CHIP Overview In May-August 2015, Ottawa County developed its first Community Health Improvement Plan (CHIP) The most prevalent health issues according to the 2014 CHNA included: Access to Health Care

628 views • 40 slides
Final Assembly Chip Core Your final project chip consists of a core The Chip Core is

Final Assembly Chip Core Your final project chip consists of a core The Chip Core is

Final Assembly Chip Core Your final project chip consists of a core The Chip Core is everything that is inside and a pad ring the Pad Ring Core is the guts Try to floorplan your core so that its as small a rectangle as

230 views • 11 slides
Study Of Chip Breaker El-Sherbeeny, PhD 2014 Project-Group 6 TYPES ES OF F CHI HIP a)

Study Of Chip Breaker El-Sherbeeny, PhD 2014 Project-Group 6 TYPES ES OF F CHI HIP a)

Study Of Chip Breaker El-Sherbeeny, PhD 2014 Project-Group 6 TYPES ES OF F CHI HIP a) Continuous Chip b) Built-Up Edge Chip c) Serrated Chip d) Discontinuous Chip El-Sherbeeny, PhD 2014 Project-Group 6 I this project will

393 views • 11 slides
Chip and Chip and PIN PIN is B is Brok oken en Steven J. Murdoch, Saar Drimer, Ross Anderson,

Chip and Chip and PIN PIN is B is Brok oken en Steven J. Murdoch, Saar Drimer, Ross Anderson,

Chip and Chip and PIN PIN is B is Brok oken en Steven J. Murdoch, Saar Drimer, Ross Anderson, Mike Bond University of Cambridge S&P 2010 Presented by: Yi Zhang September 1 2016 EMV Card As of early 2008, there were 730 million

142 views • 12 slides
ChIP-seq data analysis 04-05-12 Outlook Friday 04-05-12: Next-generation sequencing

ChIP-seq data analysis 04-05-12 Outlook Friday 04-05-12: Next-generation sequencing

ChIP-seq data analysis 04-05-12 Outlook Friday 04-05-12: Next-generation sequencing ChIP-seq experimental design ChIP-seq data analysis: Mapping of sequenced reads to a reference geneome Peak calling

692 views • 43 slides
Pinal County July 13 th , 2016 Presentation by Chip Bourgeault & Jay Taranto Tax

Pinal County July 13 th , 2016 Presentation by Chip Bourgeault & Jay Taranto Tax

Pinal County July 13 th , 2016 Presentation by Chip Bourgeault & Jay Taranto Tax Management Associates, Inc. TABLE OF CONTENTS Audit Program Background and Statistics 1. Estimated Program Revenues 2. Audit Program Methodology 3.

460 views • 21 slides
CHA, CHIP, HTWC and you! PHAC presentation Erin Jolly, MPH, Senior Program Coordinator, CHIP

CHA, CHIP, HTWC and you! PHAC presentation Erin Jolly, MPH, Senior Program Coordinator, CHIP

January 14, 2020 CHA, CHIP, HTWC and you! PHAC presentation Erin Jolly, MPH, Senior Program Coordinator, CHIP coordinator Eva Hawes, MPH, CHES, Translational Research and Policy Analyst, CHA lead Healthy People, Thriving Communities Plan for

942 views • 50 slides
NEU TABLE By HAY Neu Table is a small table designed by HAY with a round or a square tabletop.

NEU TABLE By HAY Neu Table is a small table designed by HAY with a round or a square tabletop.

NEU TABLE By HAY Neu Table is a small table designed by HAY with a round or a square tabletop. Neu Table fjts a wide variety of indoor and outdoor environments, including offjces, cafs, restaurants, gardens, terraces and balconies. Neu Table

422 views • 10 slides
2016 Performance-Related Accountability Requirement 5.2.4 Monitoring and Revising the CHIP

2016 Performance-Related Accountability Requirement 5.2.4 Monitoring and Revising the CHIP

6/30/2016 2016 Performance-Related Accountability Requirement 5.2.4 Monitoring and Revising the CHIP Section 4: Walkthrough of Optional MDH Templates Relevant documents: CHIP Annual Report Template, CHIP Monitoring Spreadsheet, Checklist

522 views • 17 slides
Ahoy mateys! Its Camp TRaining Day! Eat, get to know those at your table & follow along

Ahoy mateys! Its Camp TRaining Day! Eat, get to know those at your table & follow along

Ahoy mateys! Its Camp TRaining Day! Eat, get to know those at your table & follow along in your workbooks. Ship out -- not Chip out! At camp we will explore how to think, trust and connect with ourselves, others and God!

743 views • 38 slides
PCI/PII Awareness Training Ben Jordan Security Specialist Credit Card Security: Chip Cards

PCI/PII Awareness Training Ben Jordan Security Specialist Credit Card Security: Chip Cards

PCI/PII Awareness Training Ben Jordan Security Specialist Credit Card Security: Chip Cards The chip contains a cryptographic key for authentication Downfall Online transactions do not require any authentication from the chip Chip

772 views • 29 slides
5 Chip Multiprocessors (II) Chip Multiprocessors (ACS MPhil) Robert Mullins Overview

5 Chip Multiprocessors (II) Chip Multiprocessors (ACS MPhil) Robert Mullins Overview

5 Chip Multiprocessors (II) Chip Multiprocessors (ACS MPhil) Robert Mullins Overview Synchronization hardware primitives Cache Coherency Issues Coherence misses Cache coherence and interconnects Directory-based

693 views • 52 slides
VASA: Single-chip MPEG-2 422P@HL CODEC LSI with Multi-chip Configuration for Large Scale

VASA: Single-chip MPEG-2 422P@HL CODEC LSI with Multi-chip Configuration for Large Scale

VASA: Single-chip MPEG-2 422P@HL CODEC LSI with Multi-chip Configuration for Large Scale Processing beyond HDTV Level J. Naganuma , H. Iwasaki, K. Nitta, K. Nakamura, T. Yoshitome, M. Ogura, Y. Nakajima, Y. Tashiro, T. Onishi, M. Ikeda, and M.

436 views • 19 slides
Chip Seal ROAD FUTURE: TOWN OF STAR VALLEY RANCH Presentation Goals Chip Seal Class 101 (4

Chip Seal ROAD FUTURE: TOWN OF STAR VALLEY RANCH Presentation Goals Chip Seal Class 101 (4

Chip Seal ROAD FUTURE: TOWN OF STAR VALLEY RANCH Presentation Goals Chip Seal Class 101 (4 questions) What is It? How is it Different from Asphalt? Why Use it? How is Chip Seal Placed? Review Silver Creek Township TSVR

661 views • 33 slides
Ahlstrom The global source for fiber-based materials Blue Chip Seminar, September 7, 2006 CEO,

Ahlstrom The global source for fiber-based materials Blue Chip Seminar, September 7, 2006 CEO,

1 Ahlstrom The global source for fiber-based materials Blue Chip Seminar, September 7, 2006 CEO, Jukka Moisio 2 Table of contents Ahlstrom in brief Profitable growth through organic investments and acquisitions. Divestment of

706 views • 25 slides

More recommend