power analysis attacks
TRANSCRIPT
Power Analysis AttacksEngineering 9877
Lee StewartMarch 2015
2
Background Simple Power Analysis (SPA) Attacks Differential Power Analysis (DPA) Attacks Stages of a DPA Attack Example Countermeasures References
Outline
3
Side-channel attack - hardware cryptanalytic techniques which exploits the physical behavior of an IC to extract secrets implied in cryptographic operations. [4]◦ Timing◦ Power consumption◦ Electromagnetic emission [3]
Background
4
Power Analysis Attack – technique which involves examining the power consumed by a device running public-key cryptographic algorithms over time. [3]
Background
5
A technique that involves directly interpreting power consumption measurements (i.e. traces) collected during cryptographic operations. [2]
Simple Power Analysis Attack
6
A statistical method for analyzing sets of measurements to identify data-dependent correlations. [2]
Differential Power Analysis Attack
7
Device instrumentation◦ Smart card: R in series with ground line◦ FPGA: R in series with Vcc [2]
Stages of DPA Attack
8
Measurement◦ Power traces are recorded while device performs
cryptographic operations and stored on a PC. Signal processing (optional)
◦ Isolate/highlight signal and reduce noise. Prediction and selection function
generation◦ Used to assign traces to subsets◦ Typically based on an educated guess as to a possible
value for one or more intermediates within a cryptographic calculation.
◦ Selection function is single bit (0/1) or multi-bit. [2]
Stages of DPA Attack
9
Averaging ◦ the averages of the input trace subsets defined
by the selection function outputs. Evaluation
◦ Large peaks in the trace = correct guess◦ Small peaks = incorrect guess [2]
Stages of DPA Attack
10
Moradi, Barenghi, Kasper, and Paar used DPA to extract the secret key of a triple DES bitstream encryption from a Virtex-II Pro XC2CP7 FPGA
Time: 3 minutes Traces: 25,000 [5]
Example
11
Leakage reduction◦ Factor k decrease in SNR = k2 increase in number
of traces Balancing
◦ Make power less dependent on data/operations [2] Masking – conceal x with mask m
◦ Boolean mask: ◦ Arithmetic mask:
[1]
Countermeasures
12
[1] Danger, J. L., Guilley, S., Barthe, L., Benoit, P. (2011). Countermeasures against physical attacks in FPGAs. Security trends for FPGAS (pp. 73-100) Springer. [2] Kocher, P., Jaffe, J., Jun, B., & Rohatgi, P. (2011). Introduction to differential power analysis. Journal of Cryptographic Engineering, 1(1), 5-27. [3] Li, H., Wu, K., Xu, G., Yuan, H., & Luo, P. (2011). Simple power analysis attacks using chosen message against ECC hardware implementations. Paper presented at the Internet Security (WorldCIS), 2011 World Congress on, 68-72. [4] Lomne, V., Dehaboui, A., Maurine, P., Torres, L., & Robert, M. (2011). Side channel attacks. Security trends for FPGAS (pp. 47-72) Springer. [5] Moradi, A., Barenghi, A., Kasper, T., & Paar, C. (2011). On the vulnerability of FPGA bitstream encryption against power analysis attacks: Extracting keys from xilinx virtex-II FPGAs. Paper presented at the Proceedings of the 18th ACM Conference on Computer and Communications Security, 111-124. mobile devices. Paper presented at the Proceedings of the World Congress on Engineering, 1
References
13
Thank YouQuestions?