dpa presentation
Differential Power Analysis attacks on AES
Kevin Meritt
Agenda
• Side Channel Attacks
o Background
• Power Analysis Attacks
o Background
o Overview
o SPA – Simple Power Analysis
o AES
o DPA – Differential Power Analysis
o CPA – Correlation Power Analysis
Side Channel Attacks
• Exploits information obtained from the physical implementation of a cryptosystem
o power consumption, electromagnetic radiation, timing variations
• If side channel data is related to operations involving secret information, that information is vulnerable to attack
• May be used to break cryptosystems with no known weaknesses against attacks at the algorithmic or theoretical level, such as linear and differential cryptanalysis
• Some attacks may require deeper understanding of the cryptosystem's underlying architecture, while others may treat it as a black box
• Analysis of instantaneous power consumption will be the focus of this presentation
Side Channel Information
Indirect outputs from block cipher implementation [1]
Power Analysis Attacks
• Power Analysis Attacks are a type of Side Channel Attack in which an attacker measures the power consumption of a cryptographic device during normal execution
• An attempt is then made to uncover a relationship between the instantaneous power consumption and secret key information
• Statistical methods for power analysis attacks published by Paul Kocher in 1999
• Original research focused on vulnerability of DES-based smart cards, leading to the development of DPA-resistant devices
o Not simply a theoretical attack
o Successful attacks mounted on existing devices to reveal secret key information, creating a serious risk to security
o Enables the creation of duplicate cards, fraudulent payments, identity theft, etc.
Power Analysis Attack Basic Steps
• Identify
o Determine a relationship between secret key information and instantaneous power consumption
o Determine the required inputs to the system, the output values to be measured, and when to capture them
• Extract
o Develop method of extracting the state of the relationship information
o Collection of measurements called traces can be made in a non-invasive manner while a system performs a cryptographic operation
• Evaluate
o Use extracted information to determine all or part of the secret key information
Simple Power Analysis
• Attacker directly observes power trace waveform to identify large, noticeable features and mark regions of interest
o Block cipher rounds, individual operations, instructions, etc.
o Timing differences
o Conditional branches
o Example: RSA implementations may be broken by identifying differences between squaring and multiplication operations
• SPA is relatively easy to deter
o Avoid conditional execution that depends on secret information
o High frequency, low power operation
o Parallelization may obscure individual operations
SPA Attack on RSA implementation
RSA Conditional Branch
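The key-dependent branch behind the RSA example, next to a Montgomery ladder whose operation sequence does not depend on the exponent. This is an added illustration, not code from the presentation; the function names, the toy modulus in the tests and the S/M operation log that stands in for a power trace are assumptions.

```python
def modexp_branchy(base, exp, mod, ops):
    """Left-to-right square-and-multiply: the multiply runs only for 1 bits."""
    r = 1
    for bit in bin(exp)[2:]:
        r = r * r % mod
        ops.append("S")
        if bit == "1":                      # branch on a secret exponent bit
            r = r * base % mod
            ops.append("M")
    return r

def exponent_from_ops(ops):
    """Read the exponent back from the operation log: S = 0, S then M = 1."""
    bits = []
    for op in ops:
        if op == "S":
            bits.append("0")
        else:
            bits[-1] = "1"
    return int("".join(bits), 2)

def modexp_ladder(base, exp, mod, ops):
    """Montgomery ladder: one multiply and one square per bit, whatever its value."""
    r = [1, base % mod]                     # invariant: r[1] == r[0] * base
    for bit in bin(exp)[2:]:
        b = int(bit)
        prod = r[0] * r[1] % mod
        sq = r[b] * r[b] % mod
        ops += ["M", "S"]                   # same two operations for 0 and 1
        r[b], r[1 - b] = sq, prod
    return r[0]
```

The ladder only equalizes the operation sequence that SPA reads; Python integers are not constant-time, so it shows the structure of the countermeasure rather than a hardened implementation.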
Power Trace for Advanced Encryption Standard
10 rounds of AES-128
Differential Power Analysis (DPA)
• Uses statistical methods to find small variations that may be overshadowed by noise or measurement errors
• Exploits information obtained from the physical implementation of a cryptosystem
Differential Power Analysis Attack
• Selection function D(C, b, Ks) computes value of target bit b, given ciphertext C and key guess Ks
• Collect m power traces of k samples each, T1:m[1:k] and corresponding ciphertext values C1:m
• Sort data into two groups:
o D(C, b, Ks) = 0
o D(C, b, Ks) = 1
• If the key guess Ks is correct, the average power trace for D(C, b, Ks) = 1 will be slightly higher at the point of correlation and the average trace for D(C, b, Ks) = 0 will be slightly lower
• If the key guess Ks is incorrect, D(C, b, Ks) will equal the correct bit value with probability P = ½, yielding average traces that are approximately equal
“Difference of means” DPA Attack
• The differential trace ΔD[j] is computed as the difference between the two average traces
o For an incorrect key guess Ks the ΔD should approach zero
o For a correct key guess Ks the ΔD should approach the target bit's power contribution at the correlated sample(s)
Advanced Encryption Standard
AES Round Transformations[5]
Differential Power Analysis on AES
• Select intermediate bit to analyze
o Target the S-box in final round
• Since SubBytes operates on each byte independently
o XORed with final round key value
• Collect power traces and corresponding ciphertext values
• Compute intermediate value
o Ciphertext value is known
o Make a guess for key byte
• Partition power traces into 2 sets
o One set where computed bit is “1” and another where bit is “0”
• Compute average of each set
• Compute the difference between the averages
o If the average depends on the selected bit, and the bit “leaks”, then a correlation will be seen
• Repeat for other 255 key byte guesses using same power measurements
DPA Evaluation Process
DPA with correct Key guess
DPA Evaluation Process (cont’d)
DPA with incorrect Key guess
Correlation Power Analysis on AES
• Extension of DPA where a model of the power consumption is created for use in the analysis phase of an attack
• Model needs to approximate the power consumption of the target cryptographic device during an encryption operation.
• The resulting power predicted by the model will then be correlated to the actual measured power consumption using a key hypothesis.
• The highest peak of the correlation plot gives the correct key hypothesis
Power Models
• Hamming weight model – assumes amount of power consumed is proportional to the number of bits that are logic '1' during an operation
o The greater the number of bits that are set, the larger the amount of power consumed
• Hamming distance – assumes the number of logic transitions during a cryptographic operation is proportional to power consumption
o If a bit is static during an operation, then it is assumed that it will not contribute to the power.
o Assume that '0' to '1' and '1' to '0' transitions consume the same amount of power.
CPA using Pearson’s Correlation Coefficient
• ρ reflects the degree of linear relationship between two variables X and Y
• covariance – measure of how much 2 random variables change together
• coefficient value ranges from +1 to -1
o +1 indicates that there is a perfect positive linear relationship
o -1 indicates there is a perfect negative linear relationship
o 0 indicates there is no linear relationship
Pearson’s Sample Correlation Coefficient
• For a series of n measurements of X and Y, Pearson correlation can be estimated by the sample correlation coefficient rxy
• x-bar and y-bar – sample means of x and y
• sx and sy – sample standard deviations of x and y
• xi – measured power samples
• yi – calculated power values from Hamming distance model
• If a correlation occurs then there will be a spike in the graph for the correct key byte value
Correlation Power Analysis on AES
• Identify sensitive data register for attack
o Target the register in data path prior to SubBytes transformation
• Use Hamming distance power model
o Data transition of 8-bit register
• Collect power traces and corresponding ciphertext values
• Make a guess for key byte
• Compute Hamming distance of data transition for each ciphertext value
• Partition power traces into groups associated with calculated Hamming values
• Use Pearson's sample correlation coefficient equation to determine the correlation between the power and the sensitive data
o If a correlation occurs then there will be a spike in the graph for the correct key byte value
• Repeat for other 255 key byte guesses using same power measurements
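The difference-of-means DPA steps and the CPA steps listed in this presentation, run against simulated traces as a leakage check. This is an added example, not code from the presentation. Assumptions: each trace is reduced to one sample at the final-round register update, the leakage is the Hamming distance of that update plus Gaussian noise, ShiftRows is ignored so a single ciphertext byte is treated on its own, the selection function D is "the chosen register bit toggles", and all function names are illustrative.

```python
import random

def aes_inv_sbox():
    """Inverse AES S-box (FIPS 197), generated rather than typed as a table."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    inv, p, q = [0] * 256, 1, 1          # S(0) = 0x63, so inv[0x63] stays 0
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1                                            # q /= 3 (p*q == 1)
        q ^= q << 2
        q ^= q << 4
        q = (q & 0xFF) ^ (0x09 if q & 0x80 else 0)
        inv[q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63] = p
        if p == 1:
            return inv

INV = aes_inv_sbox()
hw = lambda v: bin(v).count("1")         # Hamming weight

def model(c, ks):  # final-round register: INV[c ^ ks] is overwritten by c
    return INV[c ^ ks] ^ c               # bits that toggle under key guess ks

def simulate(key_byte, m=2000, noise=1.0, seed=1):
    """Constructed traces: (ciphertext byte, one power sample) per encryption."""
    rng = random.Random(seed)
    cts = [rng.randrange(256) for _ in range(m)]
    return [(c, hw(model(c, key_byte)) + rng.gauss(0, noise)) for c in cts]

def dpa(traces, bit=0):
    """Difference of means per key guess; D = 1 when register bit `bit` toggles."""
    diffs = []
    for ks in range(256):
        groups = ([], [])
        for c, p in traces:
            groups[(model(c, ks) >> bit) & 1].append(p)
        diffs.append(sum(groups[1]) / len(groups[1]) - sum(groups[0]) / len(groups[0]))
    return diffs

def cpa(traces):
    """Pearson r per key guess (x: measured power, y: Hamming-distance model)."""
    n, xs = len(traces), [p for _, p in traces]
    xbar = sum(xs) / n
    sxx = sum((x - xbar) ** 2 for x in xs)
    rs = []
    for ks in range(256):
        ys = [hw(model(c, ks)) for c, _ in traces]
        ybar = sum(ys) / n
        sxy = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
        rs.append(sxy / (sxx * sum((y - ybar) ** 2 for y in ys)) ** 0.5)
    return max(range(256), key=rs.__getitem__), rs
```

Single-bit difference of means treats the other seven register bits as noise, so for the same simulated traces the CPA peak separates from the wrong guesses more clearly than the DPA differential does.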
CPA Attack
Typical AES Hardware implementation
AES CPA Correlation
Showing correct key byte guess of 160
References
[1] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” Proceedings of CRYPTO '99, Lecture Notes in Computer Science, vol. 1666, Springer, pp. 388–397, 1999.
[2] F.-X. Standaert, “Introduction to Side-Channel Attacks,” in Secure Integrated Circuits and Systems, pp. 27–44, Springer, 2009.
[3] W. Hnath, J. Pettengill, “Differential Power Analysis Side-Channel Attacks in Cryptography,” Major Qualifying Project, Worcester Polytechnic Institute, April 2010.
[4] S. Shah, R. Velegalati, J. Kaps, D. Hwang, “Investigation of DPA Resistance of Block RAMs in Cryptographic Implementations on FPGAs,” International Conference on Reconfigurable Computing and FPGAs (ReConFig) 2010, pp. 274–279, Dec. 2010.
[5] National Institute of Standards and Technology (NIST) of U.S. Department of Commerce, “FIPS 197: Advanced Encryption Standard,” Nov. 2001.