SPA and DPA attacks
Pascal Paillier
Gemplus ARSC/STD/CRY

Outline
Side Channel Cryptanalysis
SPA – Simple Power Analysis
DPA – Differential Power Analysis
– Acquisition procedure
– Selection & prediction
– Differential operator and curves
– Reverse engineering using the DPA indicator
Attacking a Secret Key algorithm with DPA
– Typical target
– Hypothesis testing (guesses management)

Which are Side Channel Attacks
1. Differential Fault Analysis (DFA)
– Biham-Shamir (1997)
2. Timing Attacks
– Kocher (1996)
3. Simple Power Analysis (SPA)
– Kocher, Jaffe, Jun (1998)
4. Differential Power Analysis (DPA)
– Kocher, Jaffe, Jun (1998)

Side Channels
Kocher et al., June 1998: Measure instantaneous power consumption of a device while it runs a cryptographic algorithm
Different power consumption when operating on logical ones vs. logical zeroes.

Systems under Threat
Implementations of Cryptographic Algorithms
On smart cards
On general/specific purpose hardware
On software

Power Attacks
Published on the web by Paul KOCHER (1998)
– Big noise in the cryptographic community
– Big fear in the smart card industry!
Power Attacks are powerful and generic
– Statistical & signal processing
– Known random messages
– Targeting a known algorithm
– Running on a single smart card
Attack performed in 2 steps
– Acquisition phase: on-line with the smart card
– Analysis phase: off-line on a PC (hypothesis testing)

What is a Power Analysis Attack?
Side-channel attacks exploit correlation between secret parameters and variations in timing, power consumption, and other emanations from cryptographic devices to reveal secret keys
[Figure: Information Leakage. Labels: Cryptographic Device, Power Supply, R, Current or Power Measurement, Attacker's Point]

Acquisition procedure
[Figure labels: Input data (messages Mi); Algorithm; Output (sign/cipher Si); Power Consumption Curves Ci (or other side channel leakage like EM radiation)]
Play the algorithm N times (100 < N < 100000)

Acquisition procedure
[Figure: Monitoring equipment for iterated acquisitions. Labels: Main PC runs Acquisition software; Server stores files and runs Treatment software; Card reader; Card extension; GCR; Oscilloscope; file transfer; command emission; Arm scope; retrieve file; Current waveform acquisition; Scope trigger on IO; Protection box; R]

POWER MEASUREMENT SETUP
• Oscilloscope
• Carefully choose resistors-capacitors
• Reduce noise
• Collect power traces
FREQUENCY AND SUPPLY VOLTAGE: UNDER THE CONTROL OF THE ATTACKER

Acquisition procedure
After data collection, what is available?
– N plain and/or cipher random texts
00 B688EE57BB63E03E
01 185D04D77509F36F
02 C031A0392DC881E6
…
– N corresponding power consumption waveforms

What an Attacker Knows
Precise power measurements
Which algorithm is computed
Ciphertexts and plaintexts
Any additional information

Simple Power Analysis
(E.g., Kocher 1998) Attacker directly uses power consumption to learn bits of secret key. Wave forms visually examined.
Big features like rounds of DES, square vs. multiply in RSA exponentiation, and small features, like bit value.
Relatively easy to defend against.

Simple Power Analysis
Simple attack, needs a few seconds
Direct observation of a system's power consumption
Can gain very useful information

How SPA Works
Key = 101011
Double-and-Add Algorithm:
[Figure: power trace, annotated with the bits 0 1 0 1 1]
With "Dummy" Operations:
[Figure: power trace, annotated with the bits 0 1 0 1 1]
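
The contrast between the two traces on this slide can be modelled as operation sequences. The following is an added example, not code from the original slides: it runs double-and-add and the dummy-operation variant on the slide's key 101011 in a toy additive group (the base value 7 and modulus 1009 are constructed), and shows what the operation pattern alone reveals in each case.

```python
def double_and_add(k, p, n):
    """Left-to-right double-and-add computing k*p in the toy group (Z_n, +)."""
    acc, ops = p % n, []
    for b in bin(k)[3:]:                  # key bits after the leading 1
        acc = (2 * acc) % n
        ops.append("D")
        if b == "1":                      # key-dependent branch: the SPA leak
            acc = (acc + p) % n
            ops.append("A")
    return acc, ops


def double_and_add_always(k, p, n):
    """Same result, but an add is executed for every bit (dummy when bit is 0)."""
    acc, ops = p % n, []
    for b in bin(k)[3:]:
        acc = (2 * acc) % n
        ops.append("D")
        added = (acc + p) % n             # always executed
        ops.append("A")
        acc = added if b == "1" else acc  # dummy result dropped for a 0 bit
    return acc, ops


def bits_visible_in(ops):
    """Bits an observer reads off the operation pattern: D,A -> 1; lone D -> 0."""
    bits, i = [], 0
    while i < len(ops):
        if i + 1 < len(ops) and ops[i + 1] == "A":
            bits.append(1)
            i += 2
        else:
            bits.append(0)
            i += 1
    return bits


if __name__ == "__main__":
    key, p, n = 0b101011, 7, 1009         # key from the slide; p and n are constructed
    for fn in (double_and_add, double_and_add_always):
        result, ops = fn(key, p, n)
        print(fn.__name__, result, "".join(ops), bits_visible_in(ops))
```

This models only the sequence of operations; the Python conditional that selects the result stands in for a selection that real firmware must also perform without a data-dependent branch.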

SPA result Example
Interpret power consumption measurement
What is learned: device's operation, key material
Base: power consumption variance of µP instructions
[Figure: DES operation by smart card]

Selection & prediction
Assume the data are processed by a known deterministic function f (transfer, permutation...)
Knowing the data, one can recompute off line its image through f
$S_i = f[M_i]$
Now select a single bit among S bits (in S buffer)
One can predict the true story of its variations

i   Message            bit
0   B688EE57BB63E03E   1
1   185D04D77509F36F   0
2   C031A0392DC881E6   1
…   for i = 0, N-1

DPA operator & curve
Partition the data and related curves into two packs according to selected bit
– bit (Si) = 0
– bit (Si) = 1
… and assign -1 to pack 0 and +1 to pack 1

i   Message            bit   sign
0   B688EE57BB63E03E   1     +1
1   185D04D77509F36F   0     -1
2   C031A0392DC881E6   1     +1
…   for i = 0, N-1

Sum the signed consumption curves and normalise <=> Difference of averages ($N_0 + N_1 = N$)
$\mathrm{DPA} = \frac{\sum C_1}{N_1} - \frac{\sum C_0}{N_0}$

DPA operator & curve
[Figure: DPA curve construction. Labels: messages M0, M1, …, MN (B688EE..., 185D04D..., C031A0...); Selection bit; Average; DPA curve]

DPA Result Example
[Figure panels: Average Power Consumption; Power Consumption Differential Curve With Correct Key Guess; Power Consumption Differential Curve With Incorrect Key Guess; Power Consumption Differential Curve With Incorrect Key Guess]

DPA operator & curve
Spikes explanation: Hamming Weight of the bit's byte
Average = E[HW0] = 0 + 3.5
Average = E[HW1] = 1 + 3.5
= E[HW1] - E[HW0] = 1
Contrast (peak height) proportional to $N^{1/2}$ (evaluation criterion)
If prediction was wrong: selection bit would be random
E[HW0] = E[HW1] = 4 => = 0
[Figure: rows of byte bits sorted by selection bit, for the correct and the wrong prediction]
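
The difference-of-averages operator and the Hamming-weight explanation above can be checked on simulated curves. The following is an added example, not part of the original slides: the function f, the Gaussian noise, the curve length and the position of the leaking sample are all constructed assumptions, and no key is involved, only the known function f.

```python
import random


def f(m):
    # Constructed stand-in for the known deterministic function f (a byte bijection).
    return (m * 167 + 13) & 0xFF


def hw(x):
    return bin(x).count("1")


def acquire(n, t_len, t_leak, rng):
    """Simulate N acquisitions: messages M_i and consumption curves C_i."""
    msgs, curves = [], []
    for _ in range(n):
        m = rng.randrange(256)
        c = [rng.gauss(0.0, 1.0) for _ in range(t_len)]  # measurement noise
        c[t_leak] += hw(f(m))          # S_i = f[M_i] leaks its Hamming weight
        msgs.append(m)
        curves.append(c)
    return msgs, curves


def dpa_curve(curves, bits):
    """Average of pack 1 minus average of pack 0, sample by sample."""
    t_len = len(curves[0])
    sums = {0: [0.0] * t_len, 1: [0.0] * t_len}
    counts = {0: 0, 1: 0}
    for c, b in zip(curves, bits):
        counts[b] += 1
        for t, v in enumerate(c):
            sums[b][t] += v
    return [sums[1][t] / counts[1] - sums[0][t] / counts[0] for t in range(t_len)]


def demo(n=5000, t_len=40, t_leak=17, bit=3, seed=1):
    rng = random.Random(seed)
    msgs, curves = acquire(n, t_len, t_leak, rng)
    good = [(f(m) >> bit) & 1 for m in msgs]   # correct prediction of the bit
    bad = [rng.randrange(2) for _ in msgs]     # wrong prediction: random bit
    d_good, d_bad = dpa_curve(curves, good), dpa_curve(curves, bad)
    peak_t = max(range(t_len), key=lambda t: abs(d_good[t]))
    return peak_t, d_good[peak_t], max(abs(v) for v in d_bad)


if __name__ == "__main__":
    print(demo())
```

With the correct prediction the curve peaks near 1 at the sample where S_i is handled and stays near 0 elsewhere; with the random selection bit it stays near 0 everywhere, which is how the indicator locates predictable data in a trace.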

Reverse engineering using DPA
Use DPA to locate when predictable things occur
Example: locate an algo trace by targeting its output (ciphertext transfer to RAM, ciphertext is given)
[Figure: DPA curves; Consumption curve]

CONCLUSIONS
DPA vs. SPA
• Low amount of experiments
• Faster to launch
• Not many implementation details
• Noise is not so important
• Attacks even small features

REFERENCES
1. Paul Kocher, Joshua Jaffe, and Benjamin Jun, “Differential Power Analysis”, Advances in Cryptology – CRYPTO ’99, LNCS 1666, Aug. 1999, pp. 388-397
2. Kouichi Itoh, Masahiko Takenaka, and Naoya Torii, “DPA Countermeasure Based on the Masking Method”, ICICS 2001, LNCS 2288, 2002, pp. 440-456
3. Louis Goubin, Jacques Patarin, “DES and Differential Power Analysis”, Proceedings of Workshop on Cryptographic Hardware and Embedded Systems, Aug. 1999, pp. 158-172
4. Jean-Sebastien Coron, Louis Goubin, “On Boolean and Arithmetic Masking against Differential Power Analysis”, CHES 2000, LNCS 1965, 2000, pp. 231-237
5. Mehdi-Laurent Akkar, Christophe Giraud, “An Implementation of DES and AES, Secure against Some Attacks”, CHES 2001, LNCS 2162, 2001, pp. 309-318
6. D. May, H.L. Muller, and N.P. Smart, “Random Register Renaming to Foil DPA”, CHES 2001, LNCS 2162, 2001, pp. 28-38
7. S. Almanei, “Protecting Smart Cards from Power Analysis Attacks”, http://islab.oregonstate.edu/koc/ece679cahd/s2002/almanei.pdf, May 2002
8. Adi Shamir, “Protecting Smart Cards from Passive Power Analysis with Detached Power Supplies”, CHES 2000, LNCS 1965, 2000, pp. 71-77
9. P. Y. Liardet, N. P. Smart, “Preventing SPA/DPA in ECC Systems Using the Jacobi Form”, CHES 2001, LNCS 2162, 2001, pp. 391-401
10. Jean-Sebastien Coron, “Resistance Against Differential Power Analysis for Elliptic Curve Cryptosystems”, in Ç.K. Koç and C. Paar, Eds., Cryptographic Hardware and Embedded Systems, LNCS 1717, Springer-Verlag, 1999, pp. 292-302
11. Marc Joye and Christophe Tymen, “Protections against differential analysis for elliptic curve cryptography: An algebraic approach”, in Ç.K. Koç, D. Naccache, and C. Paar, Eds., Cryptographic Hardware and Embedded Systems – CHES 2001, LNCS 2162, Springer-Verlag, 2001, pp. 377-390