
UCL Crypto Group, Microelectronics Laboratory. Introduction to Side-Channel Attacks - June 2009

Introduction to Side-Channel Attacks

F.-X. Standaert

UCL Crypto Group, Université catholique de Louvain

BCRYPT Course on Embedded Security, June 2009


Outline

◮ Introduction

◮ Basics of Side-Channel Attacks
  ◮ Origin of the leakages
  ◮ Measurement setups
  ◮ SPA, DPA

◮ Exemplary attack against the DES

◮ Improved attacks

◮ Countermeasures

◮ Further readings


Cryptographic devices


Attacks against cryptographic devices

◮ Classical (or Black box) cryptanalysis: only uses the cryptographic primitive's inputs and outputs, e.g. the plaintexts, ciphertexts for block ciphers

◮ Physical attacks: additionally take advantage of physical specificities in the implementations

  ◮ Probing attacks
  ◮ Side-channel attacks
  ◮ Fault insertion attacks
  ◮ . . .


Physical attacks


Classification of physical attacks

◮ According to the type of attack

  Active vs. Passive
  Ex: fault insertion vs. timing attack

  Invasive vs. Non invasive
  Ex: probing … EMA … power analysis

  Side-channel attacks

◮ According to the strength of the adversary: common criteria, FIPS 140-2, IBM taxonomy, . . .


Side-channel attacks

◮ Take advantage of physical leakages such as timing information (1996), power consumption (1998), electromagnetic radiation (2001), cache hits/misses (2005), branch predictions (2006), . . .

◮ Continuous problem: there is a “certain” amount of information that is leaked ⇒ difficult to model

◮ By contrast probing and fault attacks are discrete problems: a wire can/cannot be read, a fault can/cannot be inserted ⇒ easier to model


Origin of the leakages

◮ Dynamic power consumption in CMOS devices

[Figure: CMOS circuit schematics; labels: C_L, V_DD, Gnd, R_meas]

$$P_{dyn} = C_L V_{DD}^2 P_{0 \to 1} f$$

◮ $P_{0 \to 1}$ ⇒ data dependent physical leakage

◮ But ⇏ $P_{dyn}$ is the only source of information


Origin of the leakages

◮ EM radiation in CMOS devices

$$d\vec{B} = \frac{\mu I \, d\vec{l} \times \hat{r}}{4 \pi r^2}$$

◮ Data dependent current intensity
  ◮ As for the power consumption

◮ Field orientation depends on the current direction


Measurement setups

◮ Target device: smart card ASIC, FPGA, . . .

◮ Measurement circuit: resistor inserted in supply circuit, small antenna (hand made coil), . . .

◮ Digital oscilloscope (1 Gsample/s)


Measurement setups


SPA

◮ Operation dependent leakage variations

◮ Example: AES encryption, 10 rounds

◮ Not an attack in itself for block ciphers
  ◮ Preliminary step before other attacks

◮ May be very powerful (e.g. public key cryptography)


DPA

◮ Data dependent leakage variations

[Figure: voltage vs. time traces for 8, 6, 4, 2 and 0 transitions]

◮ e.g. CMOS: power consumption dependent on the number of bit switches within the target device


Exemplary attack against the DES

◮ The Data Encryption Standard

◮ FPGA implementation, loop architecture

[Figure: (a) DES: L0, R0, then Li, Ri with round function f and round key Ki; (b) f function: Ri, Expansion, Ki, S-boxes S0 to S7, Permutation]


Exemplary attack against the DES

1. Input selection: random plaintexts

2. Internal values derivation

3. Leakage modeling (Hamming weights)

Internal values (one row per Ri, one column per key candidate Key[0…5]):

Ri \ Key[0…5]    0    1    2    3
0                5   12    7    2
1                9    0   12    6
2               14    4    1   13
3                7    5    5    8
4                3   10   15    1

Corresponding Hamming weights:

Ri \ Key[0…5]    0    1    2    3
0                2    2    3    1
1                2    0    2    2
2                3    1    1    3
3                3    2    2    1
4                2    2    4    1

[Figure: f function (Ri, Expansion, Ki, S0 to S7, Permutation) annotated with: 6 known bits, 6 key bits, 6 bits guessed, 4 bits guessed]


Exemplary attack against the DES

4. Leakage measurement

5. Leakage reduction (select representative samples)

P    R(L)
0    1.675
1    1.432
2    1.221
3    1.498
4    1.937

[Figure: leakage vs. time trace]


Exemplary attack against the DES

◮ In practice, power consumption vs. EM radiation

[Figure: two plots over time samples (0 to 400): power consumption and EM radiation]


Exemplary attack against the DES

6. Statistical test
  ◮ e.g. correlation coefficient

Key[0…5]    0        1        2        3
corr        -0.09    0.05     0.32     -0.11

$$\mathrm{corr}(M, L) = \frac{\sum_{m \in M, l \in L} (m - \bar{M})(l - \bar{L})}{\sqrt{\sum_{m \in M} (m - \bar{M})^2 \cdot \sum_{l \in L} (l - \bar{L})^2}}$$

[Figure: correlation (-1 to 1) vs. number of measurement queries (0 to 200), with the correct key candidate marked]
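
Steps 1 to 6 above, run end to end on simulated leakage (an added example, not part of the original slides). It assumes the leakage is the Hamming weight of the output of the first DES S-box (S1 in the standard) plus Gaussian noise; the secret 6 key bits, noise level, trace count and seed are constructed values.

```python
import math
import random

# First DES S-box (S1 in the standard): 6 input bits, 4 output bits.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(x):
    """Outer bits (b5, b0) select the row, the inner four bits the column."""
    return S1[((x >> 4) & 2) | (x & 1)][(x >> 1) & 0xF]

def hw(v):
    return bin(v).count("1")

def corr(m, l):
    """corr(M, L) as on the slide: Pearson correlation of predictions and leakages."""
    mm, ml = sum(m) / len(m), sum(l) / len(l)
    num = sum((a - mm) * (b - ml) for a, b in zip(m, l))
    den = math.sqrt(sum((a - mm) ** 2 for a in m) * sum((b - ml) ** 2 for b in l))
    return num / den

def simulate(secret, n, sigma, rng):
    """Steps 1, 4, 5: random 6-bit inputs and one reduced sample R(L) per query."""
    inputs = [rng.randrange(64) for _ in range(n)]
    leaks = [hw(sbox(x ^ secret)) + rng.gauss(0, sigma) for x in inputs]
    return inputs, leaks

def cpa(inputs, leaks):
    """Steps 2, 3, 6: per key guess, predict HW(S-box output) and correlate."""
    return [corr([hw(sbox(x ^ k)) for x in inputs], leaks) for k in range(64)]

def run(secret=0x2B, n=1000, sigma=0.5, seed=2009):
    # secret, n, sigma and seed are constructed values for this simulation
    rng = random.Random(seed)
    scores = cpa(*simulate(secret, n, sigma, rng))
    best = max(range(64), key=scores.__getitem__)
    return best, scores

if __name__ == "__main__":
    best, scores = run()
    print(f"best key guess {best:#04x}, corr {scores[best]:.2f}")
```

Raising sigma or lowering n in run() shows how the number of measurement queries needed grows with the noise, which is what the noise-addition and hiding countermeasures later in the deck aim for.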


Improved attacks

◮ Improved measurement setups
◮ Adaptive selection of the inputs
◮ Pre-processing of the traces (e.g. averaging, filtering)
◮ Improved leakage models by profiling, characterization
◮ Exploitation of multiple samples, multivariate statistics
  ◮ Higher-order attacks
  ◮ Template attacks
◮ Different statistical tests
  ◮ Difference of mean
  ◮ Correlation analysis
  ◮ Bayesian classification
◮ Combine different channels (e.g. power, EM)


Improved attacks

◮ Example: univariate template attack
  ◮ Optimal statistical test
  ◮ Profiled leakage model
  ◮ Most powerful type of attack
  ◮ ≠ multivariate

◮ Mainly identical to the previous attack
  ◮ Only 3 steps vary...


Improved attacks

0. Preparation of the leakage model
  ◮ Assume Gaussian noise:

$$\mathcal{N}(R(l_i) \,|\, \mu_s^i, \sigma_s^i) = \frac{1}{\sigma_s^i \sqrt{2\pi}} \exp\left(-\frac{(R(l_i) - \mu_s^i)^2}{2 (\sigma_s^i)^2}\right)$$

  ◮ Estimate the means $\mu_s^i$'s and variances $\sigma_s^i$'s for each key class $s$ from $N_t$ leakage traces

3. Leakage modeling: use $\Pr[R(l_i) | s^*] = \mathcal{N}(R(l_i) \,|\, \mu_{s^*}^i, \sigma_{s^*}^i)$
  ◮ In place of Hamming weights


Improved attacks

6. Statistical test: $L(s^*) = \Pr[s^* | R(l_q)]$

[Figure: likelihood (0 to 1) vs. number of measurement queries (0 to 80), with the correct key candidate marked]
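
The three template steps above (0, 3 and 6) on simulated leakage, as an added example that is not from the original slides. The 4-bit S-box, the per-bit leakage weights, the noise level and the choice of the S-box output value as the class s are constructed assumptions; the leakage is deliberately not a pure Hamming weight, which is the case profiling is meant to capture.

```python
import math
import random

SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # assumed 4-bit S-box
WEIGHTS = [1.0, 0.8, 1.3, 0.6]  # constructed per-bit leakage, not a pure Hamming weight
SIGMA = 0.5                     # constructed noise standard deviation

def leak(v, rng):
    """Constructed device model: weighted bit sum plus Gaussian noise."""
    return sum(w for i, w in enumerate(WEIGHTS) if v >> i & 1) + rng.gauss(0, SIGMA)

def profile(n_t, rng):
    """Step 0: estimate (mu_s, sigma_s) per class s from n_t profiling traces."""
    samples = {s: [] for s in range(16)}
    for _ in range(n_t):
        s = rng.randrange(16)
        samples[s].append(leak(s, rng))
    templates = {}
    for s, xs in samples.items():
        mu = sum(xs) / len(xs)
        var = sum((x - mu) ** 2 for x in xs) / (len(xs) - 1)
        templates[s] = (mu, math.sqrt(var))
    return templates

def log_gauss(x, mu, sigma):
    """log N(x | mu, sigma); logs avoid underflow when many queries are combined."""
    return -math.log(sigma * math.sqrt(2 * math.pi)) - (x - mu) ** 2 / (2 * sigma ** 2)

def attack(templates, secret, q, rng):
    """Steps 3 and 6: sum log Pr[R(l_i)|s*] over q queries, normalise to Pr[s*|R(l_q)]."""
    score = [0.0] * 16
    for _ in range(q):
        p = rng.randrange(16)
        r = leak(SBOX[p ^ secret], rng)
        for k in range(16):
            score[k] += log_gauss(r, *templates[SBOX[p ^ k]])
    top = max(score)
    post = [math.exp(s - top) for s in score]
    total = sum(post)
    return [x / total for x in post]

def run(secret=0xA, n_t=3200, q=80, seed=2009):
    # secret, n_t, q and seed are constructed values for this simulation
    rng = random.Random(seed)
    return attack(profile(n_t, rng), secret, q, rng)

if __name__ == "__main__":
    print([round(x, 3) for x in run()])
```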


Countermeasures

◮ Never perfect (only make the attack harder)
◮ Physical level
  ◮ Shields, conforming glues, PUFs, detectors
  ◮ Detachable power supplies
◮ Technological level
  ◮ Dynamic and differential logic styles
  ◮ Noise addition
◮ Algorithmic level
  ◮ Time randomization, encryption of the buses
  ◮ Hiding, masking
◮ Protocol level (e.g. key updates)
◮ vs. implementation cost!


Countermeasure 1: masking

◮ Goal: have data-independent leakage

◮ How: by “randomizing” the computation

◮ e.g. block cipher S-box

[Figure: masked S-box. Blocks S and S' with inputs p, k and mask m; labels S(p ⊕ k ⊕ m) = S(p ⊕ k) ⊕ q and q]


Countermeasure 1: masking

◮ R1(L) ⊥⊥ k, R2(L) ⊥⊥ k

[Figure: leakage vs. time, with two marked samples R1(L) and R2(L) for the computations S(p ⊕ k) ⊕ q and S'(p,k,m) = q]

◮ But ∃f such that f (R1(L), R2(L)) ∝ k

  ◮ Univariate → bivariate
  ◮ The rest of the attack remains unchanged
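
What this slide states, checked on simulated traces (an added example, not from the original slides): each sample alone shows no correlation with any key guess, while the centered product of the two samples, one possible f, does. The 4-bit S-box, the Hamming-weight leakage of S(p ⊕ k) ⊕ q and of q, and the noise level are assumptions.

```python
import random
from statistics import fmean, pstdev

SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # assumed 4-bit S-box

def hw(v):
    return bin(v).count("1")

def corr(x, y):
    mx, my = fmean(x), fmean(y)
    return fmean((a - mx) * (b - my) for a, b in zip(x, y)) / (pstdev(x) * pstdev(y))

def masked_traces(secret, n, sigma, rng):
    """Per query: R1 leaks the masked output S(p^k)^q, R2 leaks the fresh mask q."""
    rows = []
    for _ in range(n):
        p, q = rng.randrange(16), rng.randrange(16)
        r1 = hw(SBOX[p ^ secret] ^ q) + rng.gauss(0, sigma)
        r2 = hw(q) + rng.gauss(0, sigma)
        rows.append((p, r1, r2))
    return rows

def evaluate(rows):
    """Return (largest |corr| of any single sample, per-key corr of f(R1, R2))."""
    ps = [p for p, _, _ in rows]
    r1 = [a for _, a, _ in rows]
    r2 = [b for _, _, b in rows]
    m1, m2 = fmean(r1), fmean(r2)
    combined = [(a - m1) * (b - m2) for a, b in zip(r1, r2)]  # f = centered product
    first, second = 0.0, []
    for k in range(16):
        model = [hw(SBOX[p ^ k]) for p in ps]
        first = max(first, abs(corr(model, r1)), abs(corr(model, r2)))
        second.append(corr(model, combined))
    return first, second

def run(secret=0x7, n=5000, sigma=0.5, seed=2009):
    # secret, n, sigma and seed are constructed values for this simulation
    rng = random.Random(seed)
    first, second = evaluate(masked_traces(secret, n, sigma, rng))
    best = min(range(16), key=second.__getitem__)  # the product correlates negatively
    return first, best, second[secret]

if __name__ == "__main__":
    first, best, rho = run()
    print(f"max univariate |corr| {first:.3f}, bivariate guess {best:#x}, corr {rho:.2f}")
```

The bivariate correlation is weaker than the unmasked one at the same noise level, so the combined test needs more traces than the univariate test would on an unmasked device: the countermeasure raises the cost of the evaluation without removing the dependence.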


Countermeasure 2: hiding

◮ Goal: have data-independent leakage

◮ How: by forcing constant leakage

◮ e.g. dual rail precharged logic WDDL

[Figure: CMOS S-box (input p ⊕ k, output S(p ⊕ k)) next to a WDDL S-box with two input rails and two output rails]


Countermeasure 2: hiding

◮ Hamming weight/distance models seem meaningless

◮ But ∃ data dependent leakage variations

◮ ∃ f such that R(L) ∝ f (p, k)

◮ An efficient attack may require to
  ◮ Change the leakage model
    ◮ But possibly involves a ≠ adversarial context
  ◮ Use device-independent attacks


Countermeasures: cost


Summary

◮ Practical attacks (against real world devices)

◮ Usually ad hoc attacks: statistics, leakage model, ...

◮ Usually ad hoc (and expensive) countermeasures

◮ Can be sophisticated, combined with other (classical, computational) cryptanalytic techniques

◮ Main issue: how to formally analyze the security of a leaking cryptographic implementation?


Further readings

◮ Recent results on side-channel attacks can be found in the proceedings of the CHES conference: http://www.sigmod.org/dblp/db/conf/ches/index.html

◮ e.g. correlation attacks, template attacks, collision attacks, masking schemes, higher-order attacks . . .


Thanks