50
Lejla Batina Digital Security Group, Ins5tute for Compu5ng and Informa5on Sciences (iCIS) Radboud University, The Netherlands Implementaon aacks and counrmeasures Summer school on realworld crypto and privacy, June 1, 2015 Solaris, Croa5a

Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

  • Upload
    others

  • View
    7

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

Lejla Batina

Digital  Security  Group,    Ins5tute  for  Compu5ng  and  Informa5on  Sciences  (iCIS)  

Radboud  University,  The  Netherlands    

 

Implementation attacks and countermeasures

Summer  school  on  real-­‐world  crypto  and  privacy,    June  1,  2015  Solaris,  Croa5a  

Page 2: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

OUTLINE  

•  Implementa5on  of  security  vs  secure  implementa5ons  •  Side-­‐channel  analysis  basics  •  Power  analysis  aKacks  •  EM  analysis  •  Countermeasures  •  Fault  analysis  •  SCA  on  PKC  •  Recent  and  future  challenges      •  Conclusions  

 

2

Page 3: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

EMBEDDED  CRYPTOGRAPHIC  DEVICES  

Embedded security: -  resource limitation -  physical accessibility

3

Page 4: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

THE  GOALS  OF  THE  ATTACKERS  

•  Secret  keys/data  • Unauthorized  access  •  IP/piracy  •  (Loca5on)  privacy  •  (Theore5cal)  cryptanalysis  [RS01]  • Reverse  engineering  •  Finding  backdoors  in  chips  [SW12]  • …  

4

Page 5: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

PHYSICAL  SECURITY  BEFORE  

•  Tempest  –  known  since  early  1960s  that  computers  generate  EM  radia5on  that  leaks  info  about  the  data  being  processed  

•  In  1965,  MI5:  microphone  near  the  rotor-­‐cipher  machine  used  by  the  Egyp5an  Embassy  the  click-­‐sound  the  machine  produced  was  analyzed  to  deduce  the  core  posi5on  of  the  machines  rotors  

•  1979:  effect  of  cosmic  rays  on  memories  (NASA  &  Boeing)  •  First  academic  publica5ons  on  SCA  by  Paul  Kocher:  1996  (5ming)  and  1999  (power)  

•  Faults  -­‐  Bellcore  aKack  in  1997  by  Boneh,  DeMillo  and  Lipton  

5

Page 6: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

PHYSICAL  SECURITY  TODAY  

•  As  a  research  area  took  off  in  the  late  90’s    •  CHES  workshop  since  1999  • Many  successful  aKacks  published  on  various  placorms  and  real  products  e.g.  KeeLoq  [EK+08],  CryptoMemory  [BG+12],  Simon  Voss  (2013)  

•  Security  evalua5on  labs  e.g.  Riscure  

6

Page 7: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

CONCEPTS  OF  SIDE-­‐CHANNEL  LEAKAGE  

•  Side-­‐channel  leakage  is  based  on  (non-­‐inten5onal)  physical  informa5on  that  enables  new  kind  of  aKack  

•  Closely  5ed  to  implementa5ons  •  Oken,  opDmizaDons  enable  leakages  o  Cache:  faster  memory  access  o  Special  tricks  to  boost  performance  o  Square  vs  mul5ply  (for  PK)    

7

Page 8: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

SIDE-­CHANNEL ATTACKS BASICS

8

Page 9: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

SIDE-­‐CHANNEL  LEAKAGE  

•  Timing,  Power,  EM,  Sound,  Temperature,  Light,  …  •  Observe  physical  quan55es  in  the  device's  vicinity  and  use  this  informa5on  for  secret  data  (key)  recovery  

Input Output

Leakages

Key

9

Page 10: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

LEAKAGE  IS  OFTEN  EXPLOITABLE  

1.  Due  to  the  (dependency  of  leakages  on)  sequences  of  instruc5ons  executed  

2.  Due  to  the  data  (also  sensi5ve!)  being  processed  in  pieces    

 

10

Page 11: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

ATTACK  CATEGORIES  

11

Side-­‐channel  aKacks   Fault  aKacks  

Microprobing  

Page 12: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

ATTACKERS  CAPABILITIES  

•  “Simple”  aKacks:  one  or  a  few  measurements  -­‐        visual  inspec5on  

•  Differen5al  aKacks:  mul5ple  (some5mes  millions  of)  measurements  - Use  of  sta5s5cs,  signal  processing,  etc.  

•  Higher  order  aKacks:  n-­‐th  order  is  using  n  different  samples  

•  Combining  two  or  more  side-­‐channels  •  Combining  side-­‐channel  aKacks  with  theore5cal  cryptanalysis  

12

Page 13: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

IMPLEMENTATION  ATTACKS  -­‐  EQUIPMENT  

!

13

Page 14: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

POWER ANALYSIS ATTACKS

14

Page 15: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

SIMPLE  POWER  ANALYSIS  (SPA)  

•  Based  on  one  or  a  few  measurements  •  Mostly  discovery  of  data-­‐(in)dependent  but  instruc5on-­‐dependent  proper5es  e.g.  -  Symmetric:  

– Number  of  rounds  (resp.  key  length)  – Memory  accesses  (usually  higher  power  consump5on)  

-  Asymmetric:  – The  key  (if  badly  implemented,  e.g.  RSA  /  ECC)  – Key  length  –  Implementa5on  details:  for  example  RSA  w/wo  CRT  

•  Search  for  repe55ve  paKerns  

conditional operation

15

Page 16: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

EXAMPLE  

time axis

16

This is a power consumption trace of …

Page 17: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

LEARNING  FROM  SPA–  DES  EXAMPLE  

17

Page 18: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

DIFFERENTIAL  POWER  ANALYSIS  (DPA)  

Model of side-channel Real key

Sub-key hypothesis Real side-channel

Input

Real output Hypothetical output

Statistical analysis

Hypothesis correct?

18

01101….

HW(S-box)

Page 19: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

Ins$tute  for  Compu$ng  and  Informa$on  Sciences  Radboud  University  Nijmegen,  The  Netherlands  

*[email protected]    8www.cs.ru.nl/B.Ege  

   

power trace

correlation trace – correct key

correlation trace – 2nd best key

correlation traces – all keys

Page 20: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

LEAKAGE  MODELS  •  Transi5on  =  Hamming  distance  model    - Counts  number  of  0-­‐>1  and  1-­‐>0  transi5ons    - Assuming  same  power  consumed  for  both,  ignores  sta5c  power  consump5on    

- Typically  for  register  outputs  in  ASIC’s  - HD(v0, v1)=HW(v0  xor  v1)  - Requires  knowledge  of  preceding  or  succeeding  vi

•  Hamming  weight  model  - Typical  for  pre-­‐charged  busses  

• Weighted  Hamming  weight/distance  model  •  Signed  Hamming  distance  (0-­‐>1  neq  1-­‐>0)  •  Dedicated  models  for  combina5onal  circuits  

20

Page 21: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

SIDE-­CHANNEL ATTACKS:COUNTERMEASURES

21

Page 22: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

SIDE-CHANNEL ATTACKS COUNTERMEASURES

Countermeasures

Algorithmic

Masking

LUT Mask

Circuit Mask

Intrinsic Resistance

Hardware-assisted

Random Disarrangement

Random Delay

Async Logic

SNR Reduction

Special Logic

Filtering

22

Page 23: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

SOFTWARE  COUNTERMEASURES  

•  Time  randomiza5on:  the  opera5ons  are  randomly  shiked  in  5me  - use  of  NOP  opera5ons  - add  random  delays  - use  of  dummy  variables  and  instruc5ons  (sequence  scrambling)  

- data  balancing  (a  data  element  is  represented  redundantly  to  make  H.w.  constant)  

•  Permuted  execu5on  -  rearranged  instruc5ons  e.g.  S-­‐boxes  

• Masking  techniques  

23

Page 24: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

HARDWARE  COUNTERMEASURES  •  Noise  genera5on  - HW  noise  generator  requires  the  use  of  RNG  -  total  power  is  increased  (problem  for  handheld  devices)  

•  Power  signal  filtering  - ex.:  RLC  filter  (R-­‐resistor,  C-­‐capacitor,  L-­‐inductor)  smoothing  the  pow.  cons.  signal  by  removing  high  frequency  components  

- one  should  use  ac5ve  comp.  (transistors)  in  order  to  keep  power  cons.  rela5vely  constant  -­‐  problem  for  mob.  phones  

•  Novel  circuit  designs  - special  logic  styles  

24

Page 25: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

THE  IMPACT  OF  NOISE  

Raw Traces

Correlation Trace

25

Page 26: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

PREPROCESSING  

Pre-Processed Traces

Correlation Trace

26

Page 27: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

EM SIDE CHANNELS

27

Page 28: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

EM  HISTORY  

•  Compromising  emana5ons  discovered  many  years  ago  –  TEMPEST    

•  Not  exclusive  to  crypto  devices  –  e.g.  vulnerability  to  EM  analysis  was  found  in  some  vo5ng  machines  in  2006  in  The  Netherlands:          

•  Van  Eck  in  1985:  video  display  units  generate  EM  that  can  be  reconstructed  up  to  1  km    

•  Markus  Kuhn.  Compromising  emana5ons:  eavesdropping  risks  of  computer  displays  

hKp://www.cl.cam.ac.uk/techreports/UCAM-­‐CL-­‐TR-­‐577.pdf  

 

28

Page 29: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

EM  AS  SIDE-­‐CHANNEL  

•  Each  current-­‐carrying  component  produces  EM  field  •  EM  is  a  3-­‐dim  vector  field  as  a  func5on  of  5me  •  Probe  can  act  as  a  coil:  -  a  small  magne5c  coil  is  used  allowing  precise  posi5oning  

•  SEMA  and  DEMA    •  Focusing  also  on  frequency  analysis  •  Usually  more  difficult  than  PA  –  the  issue  of  antenna  posi5oning,  etc.  

• More  leakage  available:  locally-­‐based  leakage

29

Page 30: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

CLASSICAL  VS  SIDE-­‐CHANNEL  CRYPTANALYSIS  

•  Knowledge:  - Input/output  pairs  - Input/output  pairs  +  some  leakage  

•  Applicability  - Generally  applicable  - Limited  to  certain  implementa5on      Combining  both  could  be  beneficial  when  access  to  side-­‐channel  info  is  restricted!  

30

Page 31: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

EM  COUNTERMEASURES  

•  Faraday  cage  - A  Faraday  Cage  (shield)  can  be  described  as  an  enclosure  created  by  conduc5ng  materials  that  blocks  external  electric  fields  (both  sta5c  and  non-­‐sta5c)  

•  Design  for  low  power  =>  reducing  EM  signals  •  Asynchronous  design  •  Dual  rail  logic  

31

Page 32: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

ADVANCED ATTACKS

32

Page 33: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

TEMPLATE  ATTACKS  [CRR02]  

•  Strongest  form  of  SC  aKacks  in  an  informa5on  theore5c  sense  •  Assump5on  that  the  same  device  (as  the  one  under  aKack)  is  available  

•  Precisely  modeling  noise  instead  of  elimina5ng  it  –  similarly  to  techniques  in  signal  detec5on  and  es5ma5on  

•  Suitable  when  only  a  few  samples  or  measurements  are  available  i.e.  adversary  has  to  work  with  far  fewer  signals  -  Stream  ciphers  -  Fast  hardware  crypto  modules  -  EM  measurements    

•  Consist  of  2  phases:  -  Characteriza5on  or  profiling  phase  (building  templates)  -  Template  matching  or  Key  recovery  

33

Page 34: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

TEMPLATE  ATTACKS:  ASSUMPTIONS  

•  Strong  assump5ons  on  adversary  •  Find  templates  for  certain  sequences  of  instruc5ons  or  execute  the  same  code  for  different  values  of  key  bits:  -  Templates  consist  of  the  mean  signal  and  noise  probability  distribu5on  (noise  characteriza5on)  for  that  par5cular  case  

-  Templates  are  created  for  all  sub-­‐key  values  (e.g.  bytes)  consis5ng  of  a  vector  of  means  and  the  noise  covariance  matrix  

• Maximum-­‐likelihood  rule  finds  the  right  key  

34

Page 35: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

HIGHER-­‐ORDER  DPA:  THE  IDEA  

•  As  men5oned  in  the  original  DPA  paper:    “Of  par5cular  importance  are  high-­‐order  DPA  func5ons  that  combine  mul5ple  samples  from  within  a  trace.”    •  2nd  order  DPA  aKack:  Messerges  in  2000  [Mes00b]  

35

W1 (PTI){A: Result = PTI xor SecretKey…return CTO}

W2 (PTI){B: RandomMask = rand()mPTI = PTI xor RandomMaskC: Result = mPTI xor SecretKey…return CTO}

1st  order  DPA  applies   2nd  order  DPA  applies  

Page 36: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

FAULT ANALYSIS

36

Page 37: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

HISTORY  •  1978:  one  of  the  first  examples  fault  injec5on  was  uninten5onal,  discovered  by  May  and  Woods  (radioac5ve  par5cles)  

•  1979:  effect  of  cosmic  rays  on  memories  (NASA  &  Boeing)  •  1992:  use  of  laser  beam  to  charge  par5cles  on  microprocessors,  discovered  by  Habing  

•  1997:  1st  academic  pub.  by  Boneh,  DeMillo,  and  Lipton  showing  what’s  possible  with  a  single  fault  [BDL97]  

•  1997:  differen5al  fault  analysis  on  secret-­‐key  cryptosystems  by  Biham  and  Shamir  [BS97]  

•  2002:  1st  pub.  implemen5ng  Bellcore  aKack  [AB+12]  •  2003:  1st  FDTC  workshop  

37

Page 38: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

ATTACKER GOALS  

•  Insert  computa5onal  fault  - Null  key  - Wrong  crypto  result  (Differen5al  Fault  Analysis  -­‐  DFA)  

•  Change  sokware  decision  - Force  approval  of  false  PIN  - Reverse  life  cycle  state  - Enforce  access  rights  

•  …  

38

Page 39: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

COUNTERMEASURES    Generic  

•  Correctness  check:  encrypt  twice  •  Random  delays:  limits  the  precision  •  Masking:  -  Linear  secret  sharing  complicates  probing  wires  of  the  device    -  Adversary  cannot  predict  the  effect  of  the  injected  fault    

 Hardware  •  Supply  voltage,  frequency  detectors  •  Ac5ve  shields  •  Redundancy:  duplica5on  of  hardware  blocks  •  Dual  rail  implementa5ons  •  (m-­‐of-­‐n)  encoding:  each  bit  is  represented  by  n  wires,  from  which  exactly  m  carry  a  1    

  39

Page 40: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

SIDE-­CHANNEL ANALYSIS ON PKC

40

Page 41: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

INSECURE  RSA  IMPLEMENTATION  

RSA modular exponentiation In: message m,key e(l bits)

Output: me mod n

A = 1

for j = l – 1 to 0

A = A2 mod n /* square */

if (bit j of k) is 1 then A = A x m mod n /* multiply */

Return A

j < 0

Loop Init

bit j of k = 1?

A = A x m

j = j - 1

Return A A = A2

Side-Channel

41

Page 42: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

•  What  is  the  private  RSA  exponent?  

[courtesy: C. Clavier]

Simple  Power  Analysis  (RSA)  

42

Page 43: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

SIMPLE  POWER  ANALYSIS  (RSA)  

[courtesy: C. Clavier] 43

Page 44: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

PROTECTING  RSA  FROM  SPA  

Input: N, m and e. Output: c = me mod N. 1.  Let e = [et, et-1, …, e1, e0]2; 2.  c := 1; 3.  For i:=t downto 0 do 4.  c:= c2 mod N; 5.  if ei ==1 then 6.  c:=cm mod N;

Return c.

Left-to-right binary method Input: N, m and e. Output: c = me mod N. 1.  Let e = [1, et-1, …, e1, e0]2; 2.  R[0] := m; R[1] = m2 mod

N; 3.  For i:=t-1 downto 0 do 4.  R[1-ei] := R[0]R[1] mod N; 5.  R[ei] := R[ei]R[ei] mod N;

Return R[0].

Montgomery Powering Ladder

44

Page 45: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

PROTECTING  RSA  FROM  DPA  -­‐  RANDOMIZATION  

Input: N, m and e. Output: c = me mod N. 1.  r = Random(); //r <N 2.  ms := rm; 3.  v= ms

e mod N; 4.  u:= re mod N; 5.  c:=v/u mod N;

Return c.

Randomized m

Input: N, m, φ(N) and d. Output: s = md mod N. 1.  r = Random(); 2.  d’=d+r φ(N) ; 3.  s:= md’ mod N;

Return s.

Randomized d

45

Page 46: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

PROTECTING  ECC  FROM  DPA  -­‐  RANDOMIZATION  

Input: k, P. Output: Q = kP. 1.  r = Random(); //r <

order(P) 2.  k’ := k + r *order(P); 3.  Q= k’ P; // [order(P)] P = O.

Return Q.

Randomized scalar Base point blinding Input: k, P. Output: Q = kP. precomputed: R, S=kR. 1.  T := P + R; 2.  Q’ = k T; 3.  Q = Q’ – S 4.  r = Random(); //r < 232

5.  R = rR, S = rS; //update R, S

Return Q.

46

Page 47: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

SCA:  RECENT  DEVELOPMENTS  

•  Theory  - Metrics  for  side-­‐channel  analysis  - Leakage  resilient  crypto  

•  Theory  and  Prac5ce  - More  advances  in  aKacks:  algorithm  specific  (combined  with  cryptanalysis)  

- SCA  and  faults  combined  - Machine  learning  methods  for  analysis  - New  countermeasures  - New  models  

47

Page 48: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

CONCLUSIONS  AND  OPEN  PROBLEMS  

• Physical  access  allows  many  aKack  paths  •  Trade-­‐offs  between  assump5ons  and  computa5onal  complexity  

• Requires  knowledge  in  many  different  areas  • Combining  SCA  with  theore5cal  cryptanalysis  •  “Cheap”  and  effec5ve  countermeasures  are  s5ll  to  be  found  

48

Page 49: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

THANK YOU FOR YOUR ATTENTION

Page 50: Implementa on a acks and coun rmeasures attacks.pdf• Secretkeys/data • Unauthorized’access’ ... Masking LUT Mask Circuit Mask Intrinsic Resistance Hardware-assisted Random

REFERENCES  •  [KJJ99]  P.  Kocher,  J.  Jaffe,  B.  Jun.  “Differen5al  Power  Analysis”.  CRYPTO  1999.  •  [QS01]  J.  -­‐J.  Quisquater  and  D.  Samyde.  “ElectroMagne5c  Analysis  (EMA):  Measures  and  Counter-­‐

Measures  for  Smart  Cards”mart  2001.  •  [GMO01]  K.  Gandolfi  et  al.  “Electromagne5c  Analysis:  Concrete  Results”.  CHES’01.  •  [Koc96]  P.  Kocher.  “Timing  AKacks  on  Implementa5ons  of  Diffie-­‐Hellman,  RSA,  DSS,  and  Other  

Systems”.  CRYPTO  1996  •  [RS01]  T.  Romer  and  J.-­‐P.  Seifert.  “Informa5on  Leakage  AKacks  against  Smart  Card  

Implementa5ons  of  the  Ellip5c  Curve  Digital  Signature  Algorithm”.  E=Smart  2001  •  [CRR03]  Chari,  Rao  and  Rohatgi.  Template  aKacks.  CHES  2002.    •  [AA+02]  Dakshi  Agrawal,  Bruce  Archambeault,  Josyula  R.  Rao,  and  Pankaj  Rohatgi.  The  EM  Side-­‐

channel(s).  CHES  2002.  •  [Mess00b]  T.  S.  Messerges:  Using  Second-­‐Order  Power  Analysis  to  AKack  DPA  Resistant  

Sokware.  CHES  2000.  •  [Cor99]  Jean-­‐Sébas5en  Coron:  Resistance  against  Differen5al  Power  Analysis  for  Ellip5c  Curve  

Cryptosystems.  CHES  1999.  •  [BG+12]  J.  Balasch  et  al.  “Power  Analysis  of  Atmel  CryptoMemory  -­‐  Recovering  Keys  from  Secure  

EEPROMs.”  CT-­‐RSA  2012.  •  [EK+08]  T.  Eisenbarth  et  al.  “On  the  Power  of  Power  Analysis  in  the  Real  World:  A  Complete  

Break  of  the  KeeLoqCode  Hopping  Scheme”,  CRYPTO  2008.  

50