A First Step Towards Automatic Application of Power Analysis Countermeasures

Ali Galip Bayrak (EPFL, Switzerland), and Francesco Regazzoni (UCL and Alari), Philip Brisk (UC Riverside, USA), François-Xavier Standaert (UCL, Belgium), Paolo Ienne (EPFL, Switzerland). June 7th, 2011


Page 1: A First Step Towards Automatic Application of Power Analysis Countermeasures

A First Step Towards Automatic Application of Power Analysis Countermeasures

Ali Galip Bayrak (EPFL, Switzerland)

and Francesco Regazzoni (UCL and Alari), Philip Brisk (UC Riverside, USA), François-Xavier Standaert (UCL, Belgium), Paolo Ienne (EPFL, Switzerland)

June 7th, 2011

Page 2: A First Step Towards Automatic Application of Power Analysis Countermeasures

Side-Channel Attacks

Plaintext (e.g., “Encrypt me”)

Secret Key (e.g., “I’m unknown”)

Cryptographic Algorithm

Ciphertext (e.g., “aB14t752s”)

Leakage (power consumption, EM radiation, timing, etc.)

Page 3: A First Step Towards Automatic Application of Power Analysis Countermeasures

Power Analysis Attacks

Page 4: A First Step Towards Automatic Application of Power Analysis Countermeasures

Motivation

ATTACK! VS COUNTERMEASURE!

PROBLEM: They are handled manually!!!

Software Implementation

Analyze the algorithm

Determine the weaknesses

Apply the countermeasure

Protected Implementation

Page 5: A First Step Towards Automatic Application of Power Analysis Countermeasures

Automatic Protection Flow

Page 6: A First Step Towards Automatic Application of Power Analysis Countermeasures

Step I: Information Leakage Analysis

Main point: Determine the leaking parts of the software!

[Plot: Normalized Mutual Information of Key and Leakage]

Page 7: A First Step Towards Automatic Application of Power Analysis Countermeasures

Step II: Transformation Target Identification

Main point: Determine the portions of the implementation that need to be protected!

Global Modifications: Protect all the nodes between two sensitive nodes. (Masking)

Local Modifications: Protect each sensitive instruction (peephole optimization). (Random Precharging, used here)

sbci r28,0xfd
ld r25,r28:r29
movw r18,r26
subi r18,0x4f
sbci r19,0xfd
movw r28,r18
ld r30,r28:r29

Page 8: A First Step Towards Automatic Application of Power Analysis Countermeasures

Step III: Code Transformation

Main point: Apply the given protection on the determined portions of the implementation!

Original code:

sbci r28,0xfd
ld r25,r28:r29
movw r18,r26
subi r18,0x4f
sbci r19,0xfd
movw r28,r18
ld r30,r28:r29

Transformed code:

sbci r28,0xfd
lds r25,rnd
mov r24,r25
ld r25,r28:r29
movw r18,r26
subi r18,0x4f

Page 9: A First Step Towards Automatic Application of Power Analysis Countermeasures

Experimental Results (Security)

ρ = 0.437

ρ = 0.048

Correlation values for unprotected and protected implementations are shown.

Number of necessary traces to mount a successful attack increases over 76 times.

• Advanced Encryption Standard (AES) is used.

• Traces are collected from a board with an 8-bit AVR MCU.

• A correlation-based DPA attack is used.
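
An added illustration, not taken from the slides or the authors' tool: a simulation of why random precharging lowers the correlation an evaluator measures between a sensitive value and the power leakage. It assumes a Hamming-distance leakage model with Gaussian noise; the function names, the noise level and the `residual` parameter are hypothetical, and its outputs are not the measured ρ values above.

```python
import random
import statistics


def hw(x):
    """Hamming weight of a byte."""
    return bin(x & 0xFF).count("1")


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def measured_rho(n_traces, precharge, residual=0.0, noise_sigma=2.0, seed=1):
    """Correlation between the evaluator's model HW(value) and simulated leakage.

    Assumed model: loading `value` into a register leaks the Hamming distance
    to the register's previous content, plus Gaussian noise. `residual`
    (hypothetical) is the weight of any leakage component that still depends
    directly on HW(value) because the precharge does not cover it.
    """
    rng = random.Random(seed)
    model, leakage = [], []
    for _ in range(n_traces):
        value = rng.randrange(256)        # sensitive byte loaded by `ld`
        rnd = rng.randrange(256)          # fresh random byte (`lds rX,rnd`)
        prev = rnd if precharge else 0x00  # unprotected: constant old content
        sample = hw(prev ^ value) + residual * hw(value)
        leakage.append(sample + rng.gauss(0.0, noise_sigma))
        model.append(hw(value))
    return pearson(model, leakage)


if __name__ == "__main__":
    n = 20000  # constructed trace count for the simulation
    print("unprotected      rho = %.3f" % measured_rho(n, precharge=False))
    print("precharged       rho = %.3f" % measured_rho(n, precharge=True))
    print("partial coverage rho = %.3f" % measured_rho(n, True, residual=0.2))
```

With a uniformly random previous value, HW(prev XOR value) is statistically independent of the value, so the correlation collapses toward zero; any leakage path the precharge misses keeps it measurably above zero.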


Page 10: A First Step Towards Automatic Application of Power Analysis Countermeasures

Experimental Results (Performance)

[Bar chart: # of clock cycles during the execution of three different implementations. Values shown: 1190, 2700, 4212. Labels shown: 64%, 100%]

Page 11: A First Step Towards Automatic Application of Power Analysis Countermeasures

Conclusions

AUTOMATIC PROTECTION

Software Implementation

Protected Implementation

Off-the-Shelf Compiler

AP

Security-Aware Compiler: security vs. performance vs. energy etc.