Embed Size (px)
Citation preview
Side Channel Analysis of AVR XMEGA
Ilya Kizhvatov
CHES 2009 Rump Session
AVR XMEGA
8-bit RISC µC with the AVR corereleased by Atmel in 2008awarded product of the year by ElectronicProducts Magazine
promising set of features4-channel DMAinter-peripheral event systemADC/DAC, EBI, SPI, TWI, PDI, WDT, IRCOM, AWeX, . . .advanced clocking options (PLL, DFLL)low power consumption
symmetric crypto engines: DES, AESavailable over-the-counter for <10 USD apieceapplications: sensors, ZigBee, wireless encryption, networkingreported use by [Rhode et al. CARDIS’08], [Eisenbarth et al.CHES’09]
1 / 4
AVR XMEGA8-bit RISC µC with the AVR core
released by Atmel in 2008awarded product of the year by ElectronicProducts Magazine
promising set of features4-channel DMAinter-peripheral event systemADC/DAC, EBI, SPI, TWI, PDI, WDT, IRCOM, AWeX, . . .advanced clocking options (PLL, DFLL)low power consumption
symmetric crypto engines: DES, AESavailable over-the-counter for <10 USD apieceapplications: sensors, ZigBee, wireless encryption, networkingreported use by [Rhode et al. CARDIS’08], [Eisenbarth et al.CHES’09]
1 / 4
AVR XMEGA8-bit RISC µC with the AVR corereleased by Atmel in 2008
awarded product of the year by ElectronicProducts Magazine
promising set of features4-channel DMAinter-peripheral event systemADC/DAC, EBI, SPI, TWI, PDI, WDT, IRCOM, AWeX, . . .advanced clocking options (PLL, DFLL)low power consumption
symmetric crypto engines: DES, AESavailable over-the-counter for <10 USD apieceapplications: sensors, ZigBee, wireless encryption, networkingreported use by [Rhode et al. CARDIS’08], [Eisenbarth et al.CHES’09]
1 / 4
AVR XMEGA8-bit RISC µC with the AVR corereleased by Atmel in 2008awarded product of the year by ElectronicProducts Magazine
promising set of features4-channel DMAinter-peripheral event systemADC/DAC, EBI, SPI, TWI, PDI, WDT, IRCOM, AWeX, . . .advanced clocking options (PLL, DFLL)low power consumption
symmetric crypto engines: DES, AESavailable over-the-counter for <10 USD apieceapplications: sensors, ZigBee, wireless encryption, networkingreported use by [Rhode et al. CARDIS’08], [Eisenbarth et al.CHES’09]
1 / 4
AVR XMEGA8-bit RISC µC with the AVR corereleased by Atmel in 2008awarded product of the year by ElectronicProducts Magazine
promising set of features4-channel DMAinter-peripheral event systemADC/DAC, EBI, SPI, TWI, PDI, WDT, IRCOM, AWeX, . . .advanced clocking options (PLL, DFLL)low power consumption
symmetric crypto engines: DES, AESavailable over-the-counter for <10 USD apieceapplications: sensors, ZigBee, wireless encryption, networkingreported use by [Rhode et al. CARDIS’08], [Eisenbarth et al.CHES’09]
1 / 4
AVR XMEGA8-bit RISC µC with the AVR corereleased by Atmel in 2008awarded product of the year by ElectronicProducts Magazine
promising set of features4-channel DMAinter-peripheral event systemADC/DAC, EBI, SPI, TWI, PDI, WDT, IRCOM, AWeX, . . .advanced clocking options (PLL, DFLL)low power consumption
symmetric crypto engines: DES, AES
available over-the-counter for <10 USD apieceapplications: sensors, ZigBee, wireless encryption, networkingreported use by [Rhode et al. CARDIS’08], [Eisenbarth et al.CHES’09]
1 / 4
AVR XMEGA8-bit RISC µC with the AVR corereleased by Atmel in 2008awarded product of the year by ElectronicProducts Magazine
promising set of features4-channel DMAinter-peripheral event systemADC/DAC, EBI, SPI, TWI, PDI, WDT, IRCOM, AWeX, . . .advanced clocking options (PLL, DFLL)low power consumption
symmetric crypto engines: DES, AESavailable over-the-counter for <10 USD apiece
applications: sensors, ZigBee, wireless encryption, networkingreported use by [Rhode et al. CARDIS’08], [Eisenbarth et al.CHES’09]
1 / 4
AVR XMEGA8-bit RISC µC with the AVR corereleased by Atmel in 2008awarded product of the year by ElectronicProducts Magazine
promising set of features4-channel DMAinter-peripheral event systemADC/DAC, EBI, SPI, TWI, PDI, WDT, IRCOM, AWeX, . . .advanced clocking options (PLL, DFLL)low power consumption
symmetric crypto engines: DES, AESavailable over-the-counter for <10 USD apieceapplications: sensors, ZigBee, wireless encryption, networking
reported use by [Rhode et al. CARDIS’08], [Eisenbarth et al.CHES’09]
1 / 4
AVR XMEGA8-bit RISC µC with the AVR corereleased by Atmel in 2008awarded product of the year by ElectronicProducts Magazine
promising set of features4-channel DMAinter-peripheral event systemADC/DAC, EBI, SPI, TWI, PDI, WDT, IRCOM, AWeX, . . .advanced clocking options (PLL, DFLL)low power consumption
symmetric crypto engines: DES, AESavailable over-the-counter for <10 USD apieceapplications: sensors, ZigBee, wireless encryption, networkingreported use by [Rhode et al. CARDIS’08], [Eisenbarth et al.CHES’09]
1 / 4
XMEGA Crypto Engines
DES Instructionperforms single DES roundfull DES in 17 clock cycles
AES Peripheral
AES-128 in 375 clock cycles (vs. 3-4K cycles in software)around 10 Mbps bandwidth at maximum clock speedDMA transfer triggering, support for CBC mode
What about resistance to implementation attacks?
no single word about countermeasures in the datasheet oranywhere else
2 / 4
XMEGA Crypto Engines
DES Instructionperforms single DES roundfull DES in 17 clock cycles
AES Peripheral
AES-128 in 375 clock cycles (vs. 3-4K cycles in software)around 10 Mbps bandwidth at maximum clock speedDMA transfer triggering, support for CBC mode
What about resistance to implementation attacks?
no single word about countermeasures in the datasheet oranywhere else
2 / 4
Side-Channel Attack on XMEGA AES Engine
0 10 20 30 40 50 60 70 80−0.2
−0.1
0
0.1
0.2
Clock cycle
ρ
0 1000 2000 3000 4000 5000 6000 7000 8000 9000 10000−0.2
−0.1
0
0.1
0.2
0.3
N
ρ
3 / 4
Side-Channel Attack on XMEGA AES Engine
Attack detailsCPA in HD leakage model3000 power traces for full128-bit key recovery100 MS/s sampling ratesetup cost ≈ $1000reveals that implementationis not parallel
0 10 20 30 40 50 60 70 80−0.2
−0.1
0
0.1
0.2
Clock cycle
ρ
0 1000 2000 3000 4000 5000 6000 7000 8000 9000 10000−0.2
−0.1
0
0.1
0.2
0.3
N
ρ
3 / 4
Take care when using XMEGA crypto features
http://cryptolux.org/Implementation_attacks
4 / 4
![Atmel AVR XMEGA C Manual - Microchip Technology · 2017. 5. 5. · XMEGA C [MANUAL] 3 Atmel-8465H-AVR-XMEGA C-12/2014 Atmel-8465H-AVR-XMEGA C-Datasheet_12/2014 2. Overview The AVR](https://img.pdfslide.net/doc/110x75/6111be10dc2737184a43a022/atmel-avr-xmega-c-manual-microchip-technology-2017-5-5-xmega-c-manual-3.jpg)
![Atmel AVR XMEGA E Manual - caxapa.rucaxapa.ru/thumbs/406112/...16-bit-AVR-Microcontro.pdf · XMEGA E [MANUAL] 2 42005A–AVR–04/2013 1. About the manual This document contains in-depth](https://img.pdfslide.net/doc/110x75/5ae0c0d27f8b9a8f298e9565/atmel-avr-xmega-e-manual-e-manual-2-42005aavr042013-1-about-the-manual.jpg)
![8/16-bit Atmel AVR XMEGA Microcontrollers E5 [DATASHEET] 5 Atmel-8153H–AVR-ATxmega8E5-ATxmega16E5-ATxmega32E5_Datasheet–07/2014 4. Overview The Atmel AVR XMEGA is a family of low](https://img.pdfslide.net/doc/110x75/5ea9d1ba0c5ca912136930b1/816-bit-atmel-avr-xmega-microcontrollers-e5-datasheet-5-atmel-8153haavr-atxmega8e5-atxmega16e5-atxmega32e5datasheeta072014.jpg)
![8/16-bit Atmel AVR XMEGA Microcontrollers - caxapa.rucaxapa.ru/thumbs/406112/...16-bit-AVR-Microcontrol.pdf · XMEGA E5 [DATASHEET] 4 8153B–AVR–04/2013 4. Overview The Atmel AVR](https://img.pdfslide.net/doc/110x75/5ae0c0d27f8b9a8f298e956c/816-bit-atmel-avr-xmega-microcontrollers-e5-datasheet-4-8153bavr042013.jpg)
![Atmel AVR XMEGA B Manual - Microchip Technologyww1.microchip.com/...8-and-16-bit-AVR-Microcontrollers-XMEGA-B_M… · XMEGA B MANUAL. XMEGA B [MANUAL] 2 Atmel-8291C-AVR-XMEGA B -09/2014](https://img.pdfslide.net/doc/110x75/5b76f9aa7f8b9ade6f8c05a8/atmel-avr-xmega-b-manual-microchip-xmega-b-manual-xmega-b-manual-2-atmel-8291c-avr-xmega.jpg)
