DPA : Attaques et Contre-mesures (DPA: Attacks and Counter-Measures)

Shivam BHASIN, Taoufik CHOUTA, Guillaume DUC, Jean-Luc DANGER, Aziz EL AABID, Florent FLAMENT, Philippe HOOGVORST, Tarik GRABA, Sylvain GUILLEY, Houssem MAGHRÉBI, Olivier MEYNARD, Maxime NASSAR, Renaud PACALET, Laurent SAUVAGE, Nidhal SELMANE and Youssef SOUISSI.

Institut TELECOM / TELECOM-ParisTech, CNRS – LTCI (UMR 5141), SECURE.

GDR SoC-SiP, 14:00 – 14:45, AMPHI SAPHIR, TELECOM ParisTech, PARIS.

S. Guilley, < [email protected] >, "DPA attacks & counter-measures", SECURE, slide 1/42.


Presentation Outline

1 Context
2 Side-Channel Attacks: Side-Channels; Side-Channel Acquisitions; Attack Algorithms
3 Counter-Measures to SCAs: Protocol Level; Register Transfer Level; Netlist Level
4 Attacks on Counter-Measures: Attack on Information Masking; Attack on Information Hiding
5 Conclusions and Perspectives: Conclusions; Perspectives


Adversary’s goal

Secret extraction.

Protection

Conceal the secrets in a device (ASIC) ... or in the bitstream of an FPGA.

Representativity of the study

Most problems come down to this. Example: fetching data from an encrypted memory
⇒ decrypt the memory,
⇒ attack the CPU,
⇒ use side-channel attacks (SCA), for instance.


There are other applications of SCA

SCARE (Side-Channel Analysis for Reverse Engineering): recovering a secret, proprietary cryptographic algorithm.
Test (virtual oscilloscope).
Subliminal channel for IP watermarking.


Typical side-channels

[Figure: the attacked circuit, observed through three channels: time (TA), power and electromagnetic emanation (EMA), on which SPA, DPA, templates, etc. are run.]

Timing Attacks [5].
Power Analysis Attacks [6].
Electro-magnetic Attacks [1].


Are SCAs intrusive?

Side-Channel Attacks (SCA) versus Fault Injection Attacks (FIA):
SCA: passive;
FIA: active.

But what about the experimental setup?

Package                      Non-intrusive        Intrusive
Deportable IC (smartcard)    Timing, power, EM    —
Soldered IC or BGA (FPGA)    Timing, EM           Power

The know-how in measurements is capital. → The 3rd version (2010–2011) of the DPA contest (http://www.dpacontest.org/) will have an acquisition competition, based on SASEBO GII.


ALTERA Excalibur evaluation board “customized for DPA”


Parallax ALTERA Stratix board “customized for DPA” [3]

[Photo of the board, annotated: pads and board supply (5.0 V), core supply (1.5 V), serial port, side-channel measurement point, FPGA.]


XCV800 home-made board suitable for global EMA

[Photos: antenna; acquisition setup.]

Pictures are courtesy of ESAT, Katholieke Universiteit Leuven, Belgium (Elke De Mulder [7]).


In-house ALTERA Stratix “as is” suitable for local EMA [9, 8]


XILINX Virtex-5 evaluation board “customized for EMA”

[Photo: XC5VLX50 evaluation board, showing the FPGA chip, the metallic cover and the FF324 (182 pins) socket.]


ALTERA Stratix with chemical preparation for EMA


Modus operandi

Information known/unknown by the attacker:
Known: observations O;
Known: (usually) either the plaintext or the ciphertext;
Unknown: the encryption key (case of symmetric encryption).

Strategy: divide-and-conquer

Partition observations according to a sensitive variable S that:
depends on the secret K;
depends on not too many bits of K, since the attack is an exhaustive search over them;
is computable from the plaintext / ciphertext.

Therefore:
attacks target the first or the last round (in general);
MixColumns in AES is hard to invert ⇒ attack the last round.


Use the traces O to distinguish the correct partitioning from wrong ones

Distinguishers use a model

M(S) is the physical syndrome related to the manipulation of the secret S. It is called the leakage model.

Examples of distinguishers

|E(O | M(S) = 0) − E(O | M(S) = 1)| : DoM (difference of means)
E_S( (O|M(S) − E O|M(S)) · (M(S) − E M(S)) ) : covariance
ρ_s(O | S = s ; M(s)) : CPA (correlation power analysis)
E_s H(O | M(S) = M(s)) or I(O ; M(S)) : MIA (mutual information analysis)


Models M(S) (classification by [10])

Partition-based:

If unprotected (s₋₁ denotes the previous value of the register holding s):
M(s) = |s|; Hamming weight; bus cleared in SW.
M(s) = |s ⊕ R|; Hamming weight; bus precharged in SW.
M(s) = |s ⊕ s₋₁|; Hamming distance; typical of HW.
M(s) = δ·|s · s̄₋₁| + (1 − δ)·|s̄ · s₋₁|; idem, but with the 0→1 and 1→0 transitions weighted differently, for near-field EMA.

If protected:
M(s) = s. Warning: 2^n values! Difficult to be more inventive if the countermeasure is sound... but we’ll see.

Comparison-based (profiled attacks):
M(S) = E(O | S); templates.
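The following is an added example, not code from the slides or from the authors. It takes the Hamming-weight leakage model of the models slide above and the DoM and CPA distinguishers of the preceding slide, and runs them on constructed synthetic traces of a 4-bit S-box lookup (PRESENT's public S-box is used only as a bijection). The value of the simulated key nibble, the noise level NOISE_SIGMA and the trace count are assumptions of the example; the point it shows is the divide-and-conquer step itself: with a model that matches the physical leakage, the correct partitioning stands out from the 15 wrong ones, which is exactly what a leakage evaluation of an unprotected implementation checks.

```python
"""Added example (not the slides' code): leakage models and the DoM / CPA
distinguishers evaluated on CONSTRUCTED synthetic traces.

The simulated device looks up a 4-bit S-box on x XOR k and leaks the Hamming
weight (HW) of the result plus Gaussian noise. For each hypothesis k' the
distinguishers are computed against the model M = HW(S(x XOR k')); the
correct partitioning is the one whose score stands out.
SECRET_KEY, NOISE_SIGMA and TRACES_PER_INPUT are assumptions of this example.
"""
import random
from statistics import mean, pstdev

# PRESENT's 4-bit S-box, used here only as a public bijective S-box.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SECRET_KEY = 0xA        # assumed: the nibble the simulated device uses
NOISE_SIGMA = 0.5       # assumed: measurement noise, in HW units
TRACES_PER_INPUT = 32   # 16 inputs x 32 = 512 traces


def hamming_weight(v):
    """Model M(s) = |s| of the models slide (bus cleared between uses)."""
    return bin(v).count("1")


def simulate_traces(key=SECRET_KEY, sigma=NOISE_SIGMA,
                    per_input=TRACES_PER_INPUT, seed=1):
    """Constructed observations O = HW(S(x ^ key)) + N(0, sigma)."""
    rng = random.Random(seed)
    xs, obs = [], []
    for _ in range(per_input):
        for x in range(16):               # balanced: every input equally often
            xs.append(x)
            obs.append(hamming_weight(SBOX[x ^ key]) + rng.gauss(0.0, sigma))
    return xs, obs


def dom(xs, obs, k, bit=0):
    """DoM: |E(O | M(S)=0) - E(O | M(S)=1)|, partitioning on one S-box output bit."""
    grp = {0: [], 1: []}
    for x, o in zip(xs, obs):
        grp[(SBOX[x ^ k] >> bit) & 1].append(o)
    return abs(mean(grp[0]) - mean(grp[1]))


def pearson(a, b):
    """Pearson correlation coefficient of two equal-length sequences."""
    ma, mb = mean(a), mean(b)
    cov = sum((u - ma) * (v - mb) for u, v in zip(a, b)) / len(a)
    return cov / (pstdev(a) * pstdev(b))


def cpa(xs, obs, k, model=hamming_weight):
    """CPA: correlation rho between O and the model M(S(x ^ k))."""
    return pearson([model(SBOX[x ^ k]) for x in xs], obs)


def rank_hypotheses(xs, obs, distinguisher):
    """Score all 16 hypotheses; return (best, scores). Larger |score| = better partitioning."""
    scores = {k: distinguisher(xs, obs, k) for k in range(16)}
    return max(scores, key=lambda k: abs(scores[k])), scores


if __name__ == "__main__":
    xs, obs = simulate_traces()
    for name, d in (("DoM", dom), ("CPA", cpa)):
        best, scores = rank_hypotheses(xs, obs, d)
        runner_up = max(abs(v) for k, v in scores.items() if k != best)
        print(f"{name}: best hypothesis 0x{best:X}, score={scores[best]:.3f}, "
              f"next best |score|={runner_up:.3f}")
```

Swapping `hamming_weight` for a Hamming-distance model (previous register value XOR new value) in `simulate_traces` and `cpa` is a one-line change each; with a model that does not match the simulated leakage, the margin between the correct hypothesis and the runner-up shrinks, which is the point the next slides make about choosing the model.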


Various leakage models for DES (iterative architecture)

[Figure: the DES Feistel structure with 32-bit halves. Left: attack on the first round, registers L0, R0 (t = 0) and L1, R1 (t = 1), Feistel function f keyed by K1, with the positions of models A, B, C and D marked. Right: attack on the last round, registers L15, R15 (t = 15) and L16, R16 (t = 16), Feistel function f keyed by K16, with models A, B, C and D marked.]

Caption: black = known values; red = unknown sensitive values.


Finding the best leakage models is not obvious

[Figure: four surface plots of the success rate (0 to 1) against the number of traces for the online attack (0 to 4000) and the number of traces for profiling: success rate for model A, for model B, for model C and for model D.]

So, shall we conclude the Hamming distance (HD)— model D — is the ultimate model for HW?

[Figure: average power trace (voltage in mV versus time in clock periods, −8 to 16); the covariance result on the same scale as the average power trace; and the covariance result zoomed (0 to 3 mV).]

SecMat v1 [ASIC]:
Typical trace: 92 mV
Typical DPA: 3.0 mV
⇒ Side-channel leakage: 3.3 %
See [4].

Combined attacks!

1 Various distinguishers for a same partitioning;
2 One distinguisher can be evaluated on various partitionings;
3 The diversity can also come from the multiplicity of timing samples usually garnered during an acquisition campaign;
4 It can also arise from multi-modal acquisitions;
5 There can be situations where the most suitable partitioning can evolve from sample to sample in a side-channel capture.


Targeted strategies

Protocol-level:
Most wanted since provable.

Register-Transfer Level:
Masking. Easiest to implement; Boolean or algorithmic.
Encrypted leakage.
Glitch-full circuits.

Netlist or implementation level:
Hiding (= DPL, Dual-rail with Precharge Logic).

Degenerated counter-measures / “make difficult” strategies:
DPL w/o precharge.
Noise generator, dummy instructions, varying clock, etc.

⇒ And as for attacks, countermeasures can be combined.

Protocol level: if ≈ 1 bit is leaked per 100 encryptions...

[Figure: Alice and Bob both start from k0. After 100× AES / AES⁻¹ under k0, each side computes k1 = hash(k0); after 100× under k1, k2 = hash(k1); and so on, so that no key is ever used for more than 100 encryptions.]
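As an added example of the key-refresh protocol sketched on the slide above (this is not the authors' code), the two endpoints below each hold k0 and replace their key by hash(k_i) after a fixed number of encryptions, so the number of observations an adversary can collect under any one key is bounded by REFRESH_EVERY. Two assumptions are made: the Python standard library has no AES, so a keyed-pad XOR built from HMAC-SHA256 stands in for AES / AES⁻¹ (it is a placeholder, not a cipher), and an (epoch, counter) tag travels with each ciphertext so that the peer can detect when the two key schedules drift apart.

```python
"""Added example (not the slides' code) of the protocol-level counter-measure:
both parties refresh the key after REFRESH_EVERY encryptions, k_{i+1} = hash(k_i),
so no key is ever used for more than REFRESH_EVERY operations.

Assumptions: the stdlib has no AES, so a keyed-pad XOR built from HMAC-SHA256
stands in for AES/AES^-1; an (epoch, counter) tag carried with each ciphertext
keeps the two endpoints in lock-step.
"""
import hashlib
import hmac

REFRESH_EVERY = 100          # encryptions per key: the "100x" of the slide


def next_key(key: bytes) -> bytes:
    """k_{i+1} = hash(k_i). One-way: learning k_{i+1} reveals nothing about k_i."""
    return hashlib.sha256(b"key-refresh|" + key).digest()


def toy_block_cipher(key: bytes, counter: int, block: bytes) -> bytes:
    """Stand-in for AES_k (constructed, not a real cipher): XOR with HMAC(k, counter).
    XOR is an involution, so the same call decrypts."""
    pad = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(b ^ p for b, p in zip(block, pad[:len(block)]))


class Endpoint:
    """Alice or Bob: holds k_i, its index i (epoch) and the uses spent on it."""

    def __init__(self, k0: bytes, refresh_every: int = REFRESH_EVERY):
        self.key, self.epoch, self.uses = k0, 0, 0
        self.refresh_every = refresh_every

    def _advance(self) -> None:
        self.uses += 1
        if self.uses == self.refresh_every:        # budget for k_i exhausted
            self.key = next_key(self.key)
            self.epoch, self.uses = self.epoch + 1, 0

    def encrypt(self, block: bytes):
        tag = (self.epoch, self.uses)               # which k_i / counter was used
        ct = toy_block_cipher(self.key, self.uses, block)
        self._advance()
        return tag, ct

    def decrypt(self, tag, ct: bytes) -> bytes:
        if tag != (self.epoch, self.uses):
            raise ValueError(f"out of sync: peer at {tag}, we are at {(self.epoch, self.uses)}")
        pt = toy_block_cipher(self.key, self.uses, ct)
        self._advance()
        return pt


def run_session(k0: bytes, n_messages: int, refresh_every: int = REFRESH_EVERY):
    """Alice sends n_messages blocks to Bob. Returns (final epoch, uses per epoch)."""
    alice, bob = Endpoint(k0, refresh_every), Endpoint(k0, refresh_every)
    uses_per_epoch = {}
    for i in range(n_messages):
        msg = f"msg{i:05d}".encode().ljust(16, b"\0")      # constructed 16-byte block
        tag, ct = alice.encrypt(msg)
        if bob.decrypt(tag, ct) != msg:
            raise RuntimeError("round trip failed")
        uses_per_epoch[tag[0]] = uses_per_epoch.get(tag[0], 0) + 1
    return alice.epoch, uses_per_epoch


if __name__ == "__main__":
    epoch, per_epoch = run_session(b"\x11" * 16, 250)
    print(f"final key index k{epoch}, encryptions per key: {per_epoch}")
```

The forward hash chain bounds exposure per key, which is what the slide is after; it does not by itself give forward secrecy (a leaked k_i yields every later key), so in a real protocol the refresh function would also be fed fresh entropy or a counter known only to the two parties.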


Masking

Principle

Every variable s, potentially sensitive, is represented as shares {s0, s1, ..., s_{n−1}}.
To reconstruct s, all the s_i are required.
Example: n = 2, s := s0 ⊕ s1.

Leakage resistant since variables are never used in the clear;
Attractive, but works fine only for registers;
Efforts are made to protect the combinational logic as well.


Encrypted Leakage

[Figure: two implementations of y = DES(x, kc) with a masked DES and masked DFFs, both observed through the side-channel (EMA, power). Left: an FPGA loaded from an encrypted bitstream, with the keys ki and kc. Right: a tamper-proof ASIC with a personalization NVM holding ki and kc (Trusted Platform Module).]


Glitch-full circuits

[Figure: DES implementations. (a) Sequential: 64-bit input → IP → LR and CD registers, round logic and key schedule with 3→1 and 4→1 MUXes → FP → output; the 56-bit key enters through PC1∘FP and LS, with the 8×1 parity bits dropped. (b) Purely combinatorial logic: rounds 1, 2, ..., 15, 16 unrolled, each with its round logic and key schedule, in the “normal” and “IP” representations, variants (1) and (2).]


[Figure: (a) average ± standard deviation [mV] versus time [ns], 0 to 1000 ns, with rounds #1 to #8 visible, each lasting about 11 ns; (b) average ± standard deviation [mV] versus time [ns], 0 to 200 ns, all 16 rounds within about 35 ns, with features shorter than 1 ns and longer than 2 ns annotated.]

(a) Sequential iterative DES encryption signature, with the average variation margin, for statistics collected on 10k measurements.

(b) Average combinatorial DES encryption signature, with the average variation margin, for statistics collected on 100k measurements.


Hiding: Placement and Routing of Xilinx WDDL+ Netlists.

P&R tools “naturally” separate true and false paths. Example with the AES substitution box SUBBYTES with and without placement constraints (2 × 2 LUT4 per slice).

[Figure: unconstrained placement versus constrained placement.]


[Figure: one round of the masked DES. The message goes through IP and is held as left/right masked data (Li, Ri) together with left/right masks (MLi, MRi); the Feistel function f applies E, the round key ki, the masked S-box S′ (which outputs S(x ⊕ kc) ⊕ m′ from the masked input xm and the mask m) and P; FP yields the ciphertext.]


Attacks on masking (1/2)

[Figure: histograms of the observation O (0 to 4) conditioned on L = 0, 1, 2, 3, 4, for the correct key (i.e. physical L) and for an incorrect key (i.e. random L).]

p(L=0)=1/16, p(L=1)=4/16, p(L=2)=6/16, p(L=3)=4/16, p(L=4)=1/16

Correct key: H(O|L=0)=0, H(O|L=1)=0, H(O|L=2)=0, H(O|L=3)=0, H(O|L=4)=0 ⇒ H(O|L)=0 bit
Incorrect key: H(O|L=0)=2.03, H(O|L=1)=2.03, H(O|L=2)=2.03, H(O|L=3)=2.03, H(O|L=4)=2.03 ⇒ H(O|L)=2.03 bit


Attacks on masking (2/2)

[Figure: histograms of the observation O (0 to 8) conditioned on L = 0, 1, 2, 3, 4, for the correct key (i.e. physical L) and for an incorrect key (i.e. random L).]

p(L=0)=1/16, p(L=1)=4/16, p(L=2)=6/16, p(L=3)=4/16, p(L=4)=1/16

Correct key: H(O|L=0)=2.03, H(O|L=1)=1.81, H(O|L=2)=1.5, H(O|L=3)=1, H(O|L=4)=0 ⇒ H(O|L)=1.39 bit
Incorrect key: H(O|L=0)=2.54, H(O|L=1)=2.54, H(O|L=2)=2.54, H(O|L=3)=2.54, H(O|L=4)=2.54 ⇒ H(O|L)=2.54 bit
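The conditional-entropy figures on the two "Attacks on masking" slides above, and the two-share representation of the earlier Masking slide (n = 2, s = s0 ⊕ s1), can be recomputed exactly by enumerating every (value, mask) pair. The block below is an added example, not the slides' own code. Its assumptions are that the noise-free observation is O = HW(s) for the unprotected case and O = HW(s0) + HW(s1) for the masked case (the 0..8 axis of the second slide is read that way here), that the attacker's prediction is L = HW(s), and that a wrong key makes L independent of O (the slides' "random L"), so that H(O | L = l) collapses to H(O). It reproduces 0 / 2.03 bit for the unprotected nibble and 1.39 / 2.54 bit for the masked one, which makes the leakage-metric view of masking concrete: first-order Boolean masking lowers the information in the Hamming-weight sum but, under this model, does not remove it.

```python
"""Added example (not the slides' code): the leakage metric H(O | L) of the
"Attacks on masking" slides recomputed by exhaustive enumeration, with the
two-share Boolean masking of the Masking slide (n = 2, s = s0 XOR s1).

Assumptions: O = HW(s) unmasked and O = HW(s0) + HW(s1) masked (noise-free);
L = HW(s) is the attacker's prediction; under a wrong key L is independent
of O, so every H(O | L = l) equals H(O).
"""
from collections import Counter, defaultdict
from math import log2


def hw(v: int) -> int:
    return bin(v).count("1")


def split_shares(s: int, m: int):
    """Masking slide with n = 2: represent s as {s0, s1} with s = s0 XOR s1."""
    return s ^ m, m


def recombine(s0: int, s1: int) -> int:
    return s0 ^ s1


def entropy_bits(counts: Counter) -> float:
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values() if c)


def observation_by_leakage(masked: bool):
    """Enumerate all (s, m) for a 4-bit nibble: map L = HW(s) -> histogram of O."""
    hist = defaultdict(Counter)
    for s in range(16):
        for m in range(16):                        # m: uniform 4-bit mask
            if masked:
                s0, s1 = split_shares(s, m)
                assert recombine(s0, s1) == s      # all shares needed to rebuild s
                o = hw(s0) + hw(s1)                # the device touches both shares
            else:
                o = hw(s)                          # the device touches s in the clear
            hist[hw(s)][o] += 1
    return hist


def conditional_entropy(masked: bool, correct_key: bool):
    """Return ({l: H(O|L=l)}, H(O|L)) in bits, with H(O|L) = sum_l p(l) H(O|L=l)."""
    hist = observation_by_leakage(masked)
    total = sum(sum(c.values()) for c in hist.values())
    if correct_key:
        per_l = {l: entropy_bits(c) for l, c in hist.items()}
    else:
        marginal = Counter()                       # wrong key: O|L=l has the law of O
        for c in hist.values():
            marginal.update(c)
        per_l = {l: entropy_bits(marginal) for l in hist}
    overall = sum(sum(hist[l].values()) / total * per_l[l] for l in hist)
    return per_l, overall


def leakage_table():
    """The four H(O|L) figures of the two slides, rounded to two decimals."""
    return {(impl, key): round(conditional_entropy(impl == "masked", key == "correct")[1], 2)
            for impl in ("unmasked", "masked") for key in ("correct", "wrong")}


if __name__ == "__main__":
    for (impl, key), h in leakage_table().items():
        print(f"{impl:9s} {key:8s} H(O|L) = {h:.2f} bit")
```

Because the enumeration is exhaustive the numbers are exact, so the same routine serves as a sanity check for any other observation model one wants to plug into `observation_by_leakage` (for example a Hamming-distance model, or the protected-case models listed on the next models slide).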


Models M(S) (classification by [10])

Partition-based:

If unprotected (s₋₁ denotes the previous value of the register holding s):
M(s) = |s|; Hamming weight; bus cleared in SW.
M(s) = |s ⊕ R|; Hamming weight; bus precharged in SW.
M(s) = |s ⊕ s₋₁|; Hamming distance; typical of HW.
M(s) = Σ_i δ·(s · s̄₋₁)_i + (1 − δ)·(s̄ · s₋₁)_i; idem, but with the 0→1 and 1→0 transitions weighted differently, for near-field EMA.

If protected:
M(s) = s. WARNING: 2^n values! Difficult to be more inventive if the countermeasure is sound...
M(S) = S1 + S2; zero-offset.
M(S) = (S1, S2); multi-variate MIA (MMIA [2]).

Comparison-based (profiled attacks):
M(S) = E(O | S); templates.


Attacks on DPL

[Figure: mutual information versus sample index (0 to 1200), for AES−WDDL−no−EE and AES−WDDL−EE; the precharge and evaluation phases of round 9 and round 10 are marked, with the sensitive and the not sensitive intervals distinguished.]


Formal practice-oriented framework [11]

Attack metric;
Leakage metric;
Reduction function.


Counter-Measures are still ad hoc

1 Multiplicative masking of AES (M.-L. Akkar and Ch. Giraud, CHES 2001)
  → Zero Attack (Jovan Dj. Golic, Christophe Tymen, CHES 2002)
2 Provably secure S-box implementation based on FFT (E. Prouff et al., CHES 2006)
  → Bias of the mask attack (S. Coron, CHES 2008)
3 MDPL (Th. Popp and S. Mangard, CHES 2005)
  → Folding attack (P. Schaumont and K. Tiri, CHES 2007), Subset attack (E. de Mulder et al., WIFS 2009)
4 DRSL (Z. Chen and Y. Zhou, CHES 2006)
  → Glitch on precharge (M. Nassar, DATE 2009)


Call for Further Research ⇒ Open Issues

Need for formal proofs of security

Can be at protocol level (work in progress).

Could also be at implementation level (new research area).

Devise countermeasures globally ...

... taking into account all possible weaknesses:

Observation.

Perturbation.

Manipulation.


40/42


References

[1] Karine Gandolfi, Christophe Mourtel, and Francis Olivier. Electromagnetic Analysis: Concrete Results. In CHES, volume 2162 of LNCS, pages 251–261. Springer, May 14-16 2001. Paris, France.

[2] Benedikt Gierlichs, Lejla Batina, Bart Preneel, and Ingrid Verbauwhede. Revisiting Higher-Order DPA Attacks: Multivariate Mutual Information Analysis. In CT-RSA, volume 5985 of LNCS, pages 221–234. Springer, March 1-5 2010. San Francisco, CA, USA.

[3] Sylvain Guilley, Laurent Sauvage, Jean-Luc Danger, Tarik Graba, and Yves Mathieu. Evaluation of Power-Constant Dual-Rail Logic as a Protection of Cryptographic Applications in FPGAs. In SSIRI, pages 16–23, Yokohama, Japan, July 2008. IEEE Computer Society. DOI: 10.1109/SSIRI.2008.31, http://hal.archives-ouvertes.fr/hal-00259153/en/.

[4] Sylvain Guilley, Laurent Sauvage, Jean-Luc Danger, Nidhal Selmane, and Renaud Pacalet. Silicon-level solutions to counteract passive and active attacks. In FDTC, 5th Workshop on Fault Detection and Tolerance in Cryptography, IEEE-CS, pages 3–17, Washington DC, USA, August 2008. (Up-to-date version on HAL: http://hal.archives-ouvertes.fr/hal-00311431/en/).

[5] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In Proceedings of CRYPTO'96, volume 1109 of LNCS, pages 104–113. Springer-Verlag, 1996. (http://www.cryptography.com/timingattack/paper.html).

[6] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential Power Analysis. In Proceedings of CRYPTO'99, volume 1666 of LNCS, pages 388–397. Springer-Verlag, 1999.


41/42


[7] Elke De Mulder, Pieter Buysschaert, Sıddıka Berna Ors, Peter Delmotte, Bart Preneel, Guy Vandenbosch, and Ingrid Verbauwhede. Electromagnetic Analysis Attack on an FPGA Implementation of an Elliptic Curve Cryptosystem. In IEEE International Conference on Computer as a tool (EUROCON, http://www.eurocon2005.org.yu/EUROCON), pages 1879–1882, November 2005. Belgrade, Serbia & Montenegro.

[8] Laurent Sauvage, Sylvain Guilley, Jean-Luc Danger, Yves Mathieu, and Maxime Nassar. Successful Attack on an FPGA-based Automatically Placed and Routed WDDL+ Crypto Processor. In DATE, track A4 (Secure embedded implementations), April 20–24 2009. Nice, France. Electronic version: http://hal.archives-ouvertes.fr/hal-00325417/en/.

[9] Laurent Sauvage, Sylvain Guilley, and Yves Mathieu. ElectroMagnetic Radiations of FPGAs: High Spatial Resolution Cartography and Attack of a Cryptographic Module. ACM Trans. Reconfigurable Technol. Syst., 2(1):1–24, March 2009. Full text in http://hal.archives-ouvertes.fr/hal-00319164/en/.

[10] Francois-Xavier Standaert, Benedikt Gierlichs, and Ingrid Verbauwhede. Partition vs. Comparison Side-Channel Distinguishers: An Empirical Evaluation of Statistical Tests for Univariate Side-Channel Attacks against Two Unprotected CMOS Devices. In ICISC, volume 5461 of LNCS, pages 253–267. Springer, December 3-5 2008. Seoul, Korea.

[11] Francois-Xavier Standaert, Tal Malkin, and Moti Yung. A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks. In EUROCRYPT, volume 5479 of Lecture Notes in Computer Science, pages 443–461. Springer, April 26-30 2009. Cologne, Germany.


42/42