on the power of power analyses · dpa oracles study of the power leakage on asics & fpgas...
TRANSCRIPT
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
On the Power of Power Analyses
Sylvain GUILLEY, Laurent SAUVAGE, Florent FLAMENT, MaximeNASSAR, Nidhal SELMANE, Jean-Luc DANGER, Philippe
HOOGVORST, Tarik GRABA, Yves MATHIEU & Renaud PACALET< [email protected]>
Institut TELECOM / TELECOM-ParisTechCNRS – LTCI (UMR 5141)
SECURE
ALI (ENSTA) and SALSA (LIP6/INRIA) seminarFriday March 6th, 2009, 11:00–12:00, LIP6, room 847.
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
1
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
Presentation Outline
1 Introduction
2 AttacksDPA OraclesStudy of the Power Leakage on ASICs & FPGAs
3 Counter-MeasuresInformation HiddingInformation MaskingEncrypted Leakage
4 New Applications of DPAOn-line Test of PCB or ASICsSCA for Reverse-Engineering: SCARE
5 Conclusions & PerspectivesThe DPA ContestEveSoC: an eavesdropping SoC
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
2
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
Trusted Objects Security Market Segmentation
Large markets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . lo-end devices
RFID tags, smart dust
SIM, Pay-TV, Bank (EMV), national-ID, E-Passport,healthcare, public transportation
TPM, DRM and other ad hoc digital media usage limitationtechniques
Access control, login, biometry
Small markets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . hi-end devices
VPN, encrypting USB dongles, secured PCs
Government and military PDA, firewalls, IDS
State cryptography for embassies and warfare commandment
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
3
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
Market Demand versus Available Products
Large markets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . lo-end devices
Application Specific Integrated Circuits = ASICs.
Small markets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . hi-end devices
Field Programmable Gates Array = FPGAs.
Current trend for more FPGAs
Low-power models. e.g. ACTEL Igloo
Computing-intensive models. e.g. ATMEL AT40K
Embedded FPGAs are also an envisionned products addressingthe “performance” versus “flexibility” trade-off.
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
4
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
“Trusted Computing” Context: Side-Channel Attacks
The Problematic
Cryptographic algorithms have traditionally been studied towithstand theoretical attacks;
However, when these algorithms are implemented onembedded devices such as smartcards, many other specificattacks become possible (like SCA = Side-Channel Attacks).
TA
Attacked circuit
EMA
SPA, DPA, CPA, templates . . .
time
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
5
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
“Trusted Computing” Context: Fault Attacks
The Problematic
Faulty results allow an attacker to gain information about thesecrets;
The rationale is that the knowledge of both c = AES(k , m)
and c* = AES*(k , m) makes it possible to discard some
values of k when the error (identified by “*”) occurspreferencially in one of the latest rounds.
Typology of fault errors
Non-invasive: power or clock perburbation [10,6]
Semi-invasive: depackaging required ⇒ laser attacks possible
Invasive: complete reverse-engineering possible
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
6
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
DPA OraclesStudy of the Power Leakage on ASICs & FPGAs
Presentation Outline
1 Introduction
2 AttacksDPA OraclesStudy of the Power Leakage on ASICs & FPGAs
3 Counter-MeasuresInformation HiddingInformation MaskingEncrypted Leakage
4 New Applications of DPAOn-line Test of PCB or ASICsSCA for Reverse-Engineering: SCARE
5 Conclusions & PerspectivesThe DPA ContestEveSoC: an eavesdropping SoC
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
7
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
DPA OraclesStudy of the Power Leakage on ASICs & FPGAs
Power & Electro-Magnetic Traces Analysis
CMOS gate dissipation model
conducted dissipation ⇒ power side-channelradiated dissipation ⇒ electro-magnetic side-channel
no change ⇒ no dissipationchange ⇒ dissipation
Hence the law: dissipation = f (activity).
CMOS circuits dissipation model
Power = Σi∈nets ξ↑i i(t − 1) · i(t) + ξ↓i i(t − 1) · i(t)
Referred to as the Hamming Distance model, since ξ↑i ≈ ξ↓i .
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
8
Sample Encryptions With Hamming Distance Classes [1/3]
-40
-20
0
20
40
60
80
100
0 5000 10000 15000 20000
Avera
ge tra
ce [m
V]
Time
Hamming distance 24Hamming distance 28Hamming distance 32Hamming distance 36Hamming distance 40
Sample Encryptions With Hamming Distance Classes [2/3]
-8
-6
-4
-2
0
2
4
6
8
0 5000 10000 15000 20000
Avera
ge tra
ce [m
V]
Time
Hamming distance 24Hamming distance 28Hamming distance 32Hamming distance 36Hamming distance 40
Sample Encryptions With Hamming Distance Classes [3/3]
-8
-6
-4
-2
0
2
4
6
8
14000 14500 15000 15500 16000 16500
Avera
ge tra
ce [m
V]
Time
Hamming distance 24Hamming distance 28Hamming distance 32Hamming distance 36Hamming distance 40
DPAdiff, DPAcov and CPA Oracles
Amongst the many oracles that have been proposed, we focus onthree of them, noted:
1 DPAdiff: Differential Power Analysis (difference of means),
2 DPAcov: Differential Power Analysis (covariance) and
3 CPA: Correlation Power Analysis,
defined in equations (1), (2) and (3).
DPAdiff
The idea behind the DPAdiff is to exhibit an asymptotic differencebetween the behaviors.The “difference of means” criterion introduced by Paul Kocher is:
DPAdiff.=
1
m0
∑
i/Di=0
Ti −1
m1
∑
i/Di=1
Ti , (1)
where m0 and m1 denote the number of traces for each decision.More specifically,
m0.= #{i ∈ [0, m[/Di = 0} and, symmetrically,
m1.=
∑m−1i=0 Di , with the following complementation property
m0 + m1 = m.
DPAcov
A seemingly different approach consists in computing a covariancebetween the m traces and their associated decision functions. TheDPA covariance estimator is:
DPAcov.=
1
m
∑
i
Ti × Di −1
m
∑
i
Ti ×1
m
∑
i
Di . (2)
It extracts the contribution of Di : only the net i is selected out ofthe whole netlist j [5].
DPAdiff versus DPAcov
The two definitions of the DPA actually coincide, as far as thedecision function is balanced:
Proof.
Assuming that m0 = m1 = m/2,
DPAcov =1
m
∑
i
Ti ×
(
Di −1
2
)
=1
2m
∑
i
Ti × (−1)Di
Covariance withthe characterfunction of D.
=1
4DPAdiff .
Mono-bit versus Multi-bit DPA
Vectorial Decision Function D
D ∈ {0, 1}n
Dominant practice: assumebits are indiscernible
Hence partition tracesaccording to |D| ∈ [0, n]
Several philosophies:1 Thomas S.
MESSERGES [9]: pruneall but |D| = 0 or n, andcontinue a la mono-bit
2 Eric BRIER [2]: weightthe partitions with |D|
3 Thanh-Ha LE [8,7]:weight the partitions with(−1,−2, 0,+2,+1)
0
500
1000
1500
2000
2500
1 2 3 4 5 6 7 8
# tra
ces to b
reak the p
art
ial key
DES S-Box
Mono-bit: (-1, +1)4 bits: (-2, -1, 0, +1, +2)
CPA
By definition [2], CPA is a normalization of the DPA. It is definedas a correlation coefficient, estimated by:
CPA.=
DPAcov
σT · σD∈ [−1, +1] , (3)
where σX is the standard deviation of the random variable X , forwhich an unbiased empirical estimator is√
1m−1
∑m−1i=0
(
Xi −1m
∑m−1j=0 Xj
)2.
DPAcov versus CPA (1/2)
DPAcov after 1k traces
-0.4
-0.2
0
0.2
0.4
0.6
0.8
1
1.2
3224168
Diffe
rence o
f p
ote
ntia
l [m
V]
Time [clock cycles]
Correctpeaks
Noisy peak(@ clock 38)
DPA differential trace
Averaging over 1k traces
CPA after 1k traces
-30
-20
-10
0
10
20
30
3224168C
orr
ela
tion f
acto
r [-
10
0%
:+1
00
%]
Time [clock cycles]
Correctpeaks
CPA differential traceEstimation over 1k traces
DPAcov versus CPA (2/2)
DPAcov after 10k traces
-0.4
-0.2
0
0.2
0.4
0.6
0.8
1
1.2
3224168
Diffe
rence o
f p
ote
ntia
l [m
V]
Time [clock cycles]
Correctpeaks
Noisy peak(@ clock 38)has vanished
DPA differential trace
Averaging over 10k traces
CPA after 10k traces
-30
-20
-10
0
10
20
30
3224168C
orr
ela
tion f
acto
r [-
10
0%
:+1
00
%]
Time [clock cycles]
Correctpeaks
CPA differential traceEstimation over 10k traces
Comparison between SecMat v{1,3}[ASIC] &SecMat v3[FPGA] in terms of power leakage
1 SecMat v1[ASIC]:
Dedicated power supply for the DES moduleNo clock tree (non-fatal bug)
2 SecMat v3[ASIC]:
Shared power supply between all modulesClock tree OK
3 SecMat v3[FPGA]:
SecMat v3[ASIC] VHDL code synthesized in an Altera StratixEPS1S25Global power supply10,157 logic elements and 286,720 RAM bits for the whole SoCDES alone is 1,125 logic elements (LuT4)
NEW! The power traces acquired from those three circuits areavailable for download from http://www.dpacontest.org/.
SecMat v1[ASIC] – covariance with |LR[0] ⊕ LR[1]|
-20
0
20
40
60
80
-8 0 8 16
Vo
lta
ge
[m
V]
Time [clock periods]
Average power trace
-20
0
20
40
60
80
-8 0 8 16
Vo
lta
ge
[m
V]
Time [clock periods]
Covariance result (same scale as the average power trace)
SecMat v1[ASIC]:
Typical trace: 92 mV
Typical DPA: 3.0 mV
⇒ Side-channel leakage:3.3 %
-0.5
0
0.5
1
1.5
2
2.5
3
-8 0 8 16
Vo
ltage [
mV
]
Time [clock periods]
Covariance result (zoomed)
SecMat v3[ASIC] – covariance with |LR[0] ⊕ LR[1]|
0
5
10
15
20
25
30
35
40
0 8 16 24
Vo
lta
ge
[m
V]
Time [clock periods]
Average power trace
0
5
10
15
20
25
30
35
40
0 8 16 24
Vo
lta
ge
[m
V]
Time [clock periods]
Covariance result (same scale as the average power trace)
SecMat v3[ASIC]:
Typical trace: 38 mV
Typical DPA: 0.6 mV
⇒ Side-channel leakage:1.5 %
0
0.1
0.2
0.3
0.4
0.5
0.6
0 8 16 24
Vo
ltage [
mV
]
Time [clock periods]
Covariance result (zoomed)
SecMat v3[FPGA] – covariance with |LR[0] ⊕ LR[1]|
-15
-10
-5
0
5
10
15
20
0 8 16 24 32
Vo
lta
ge
[m
V]
Time [clock periods]
Average power trace
-15
-10
-5
0
5
10
15
20
0 8 16 24 32
Vo
lta
ge
[m
V]
Time [clock periods]
Covariance result (same scale as the average power trace)
SecMat v3[FPGA]:
Typical trace: 19 mV
Typical DPA: 0.19 mV
⇒ Side-channel leakage:1.0 %
64/(2, 125 × 1 + (10, 157 −2, 125) × 0.5) ≈ 1 % ⇒ OK
0
0.05
0.1
0.15
0.2
0 8 16 24 32
Voltage [
mV
]
Time [clock periods]
Covariance result (zoomed)
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
Information HiddingInformation MaskingEncrypted Leakage
Presentation Outline
1 Introduction
2 AttacksDPA OraclesStudy of the Power Leakage on ASICs & FPGAs
3 Counter-MeasuresInformation HiddingInformation MaskingEncrypted Leakage
4 New Applications of DPAOn-line Test of PCB or ASICsSCA for Reverse-Engineering: SCARE
5 Conclusions & PerspectivesThe DPA ContestEveSoC: an eavesdropping SoC
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
24
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
Information HiddingInformation MaskingEncrypted Leakage
Vulnerabilities in Unprotected CryptographicImplementations
SCA Roots
0 → 0 and 1 → 1 transitions do not consume energy,whereas
0 → 1 and 1 → 0 transitions does consume energy.
Combined with statistical tools (covariance, correlation, etc), thisenables devastating side-channel attacks (SCAs).
Types of Counter-Measures: Make the energy dissipation . . .
1 . . . constant: Possible at the gate-level.
2 . . . random: Many flaws at 2+ orders.
3 . . . encrypted: Adaptation of a masking scheme.
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
25
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
Information HiddingInformation MaskingEncrypted Leakage
Power-Constant Algorithms: WDDL [11]
SCA Roots
0 → 0 and 1 → 1 transitions do not consume energy,whereas
0 → 1 and 1 → 0 transitions does consume energy.
Combined with statistical tools (covariance, correlation, etc), thisenables devastating side-channel attacks (SCAs).
WDDL Counter-Measure against SCAs
Each data is represented as a couple (True, False),
Every computation starts with a pre-(dis)-charge to (0, 0),
This way, every evaluation yields a constant dissipation:(0, 0) → {(0, 1), (1, 0)}∗ is a constant dissipation process.
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
26
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
Information HiddingInformation MaskingEncrypted Leakage
Secure Triple-Track Logic [1] (Optimized for FPGAs)
Example of the AND STTL gate
C
C
CBVV
A1
B1
Y1
A0
B0
AV
Y0
YV
Mapping in LuT4s
Example of the first block: Y1.= A1 · B1 · V + Y1 · (A1 · B1 + V ).
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
27
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
Information HiddingInformation MaskingEncrypted Leakage
Placement and Routing of Altera WDDL+ Netlists [4]
Fine-grain pairwiseplacement:
Placement in LAB isdumped at X, Y & N
levels.
Reordering of cellswithin the LAB to havepairwise couplesadjacent (N and N+1).
0.646ns
0.671ns
0.653ns
0.658ns
N=0
N=1
N=2
N=3
N=4
N=5
N=6
N=7
N=8
N=9
LAB (X+1, Y)LAB (X, Y)
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
28
Early Evaluation in WDDL Illustrated
WDDL example andvulnerability:
A1
B1
C1
D1
Y1
A0
B0
C0
D0
Y0
|1
|2‘True’ half
&1
&2‘False’ half
-50
0
50
100
150
3002001000
Insta
nt pow
er
[µW
]
Time [ps]
-50
0
50
100
150
3002001000
Insta
nt pow
er
[µW
]
Time [ps]
B1:
A1:
C1:
A0:
B0:
C0:
D1:
D0:
Y1:
Y0:
B1:
A1:
C1:
A0:
B0:
C0:
D1:
D0:
Y1:
Y0:
SDF Simulation on Altera [3]
⇒ DES sbox #3
0
20
40
60
80
100
0 2 4 6 8 10
Bin
co
un
t [%
]
Delay [ns]
wire_c3b6_truewire_3c49_false
The 64 evaluation dates.
SecMat v1[ASIC] —Simulation of WDDL with 1 ns Early Evaluation
-1.5
-1
-0.5
0
0.5
1
1.5
2
2.5
3
-8 0 8 16
Vo
lta
ge
[m
V]
Time [clock periods]
SecMat v1[ASIC] (@ 20 Gsample/s)
EarlyLate
Early-Late
-1.5
-1
-0.5
0
0.5
1
1.5
2
2.5
3
-2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12V
olta
ge
[m
V]
Time [nanoseconds]
SecMat v1[ASIC] (@ 20 Gsample/s)
EarlyLate
Early-Late
SecMat v3[ASIC] —Simulation of WDDL with 1 ns Early Evaluation
-0.2
-0.1
0
0.1
0.2
0.3
0.4
0.5
0.6
0 8 16 24
Vo
lta
ge
[m
V]
Time [clock periods]
SecMat v3[ASIC] (@ 5 Gsample/s)
EarlyLate
Early-Late
-0.2
-0.1
0
0.1
0.2
0.3
0.4
0.5
0.6
-2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12V
olta
ge
[m
V]
Time [nanoseconds]
SecMat v3[ASIC] (@ 5 Gsample/s)
EarlyLate
Early-Late
SecMat v3[FPGA] —Simulation of WDDL with 1 ns Early Evaluation
-0.1
-0.05
0
0.05
0.1
0.15
0.2
0 8 16 24 32
Vo
lta
ge
[m
V]
Time [clock periods]
SecMat v3[FPGA] (@ 10 Gsample/s)
EarlyLate
Early-Late
-0.1
-0.05
0
0.05
0.1
0.15
0.2
-2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12V
olta
ge
[m
V]
Time [nanoseconds]
SecMat v3[FPGA] (@ 10 Gsample/s)
EarlyLate
Early-Late
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
Information HiddingInformation MaskingEncrypted Leakage
Masking the Registers Against First-Order DPA
Rationale (state-of-the-art)
Let x be a sensitive variable, that discloses a secret if leaked.
Let’s protect x by splitting it into two shares (x ⊕ m, m).
Thus the arithmetic sum A = |x ⊕ m| + |m| is leaked insteadof the compromising |x | (if the leak is linear).
Now, the averaged value of A for a uniformly distributed maskm ∈ {0, 1}n is:
A.=
1
2n
∑
m=0
A =1
2n
2n−1∑
m=0
|x ⊕ m| + |m|
=1
2n
∑
|m| + |m| = 2 × n/2 = n ,
which is independent of x .
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
34
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
Information HiddingInformation MaskingEncrypted Leakage
Second-Order DPA Flow of Binary Masking
Statistics of A
The second order statistics of A depends on x .
There are n + 1 possible distributions, depending on the valueof |x |:
1
0876543210
|Delta(x
)| =
0
1
0876543210
|Delta(x
)| =
1
1
0876543210
|Delta(x
)| =
2
1
0876543210
|Delta(x
)| =
3
1
0876543210
|Delta(x
)| =
4
An attack, qualified of “zero-offset”, is able to exploit thisdata-dependent variance (2nd order dispersion).
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
35
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
Information HiddingInformation MaskingEncrypted Leakage
Three Solutions to Reduce or Cancel the 2nd- andHigher-Order Biases
Claim Activity Leaked
#0 A = |x ⊕ m| + |m|#1 A = |x ⊕ m| + |B(m)|#2 A = |x ⊕ m| + |m1| + |m2|, with m = m1 θ m2
#3 A = |x ⊕ m| + |m1| + |m2|, with |m2| constant
Patent pending
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
36
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
Information HiddingInformation MaskingEncrypted Leakage
Rationale
y = DES(x, kc)
Masked DFF
ki
x
Encrypted bitstream
Masked DESkb
kc
Side-channel:EMA, power
FPGA Three keys
1 kc : crypto-graphic
2 ki : imple-mentation
3 kb:bitstream
Patent pending
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
37
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
Information HiddingInformation MaskingEncrypted Leakage
Realization: Re-using a Security Paradigm
Theorem
Constant masking ⇒ leakage encrypted by Vernam
(if the registers are targeted with a first-order attack).
Unconditional Security
Use of a constant secret mask ki (protected by the bitstreamkey kb)
It happens that the leakage is exactly kc ⊕ ki .
Knowing kc ⊕ ki discloses 0 bit of information on kc (Vernam).
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
38
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
Information HiddingInformation MaskingEncrypted Leakage
How to Have the Leakages Encrypted [1/2]
Leftmasked
data (Li)
Leftmask(MLi)
FP
Rightmask(MRi)
Rightmasked
data (Ri)
Ciphertext
Message ki
IPIP
m′
S(x) ⊕ m′
P
P
S’
S E
E
kc
m
xm
Feistel function f
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
39
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
Information HiddingInformation MaskingEncrypted Leakage
How to Have the Leakages Encrypted [2/2]
Leftmask(MLi)
Rightmask(MRi)
ki
IP
m
S’m′
P
S(x) ⊕ m′
E
Leftmasked
data (Li)
FP
Rightmasked
data (Ri)
Ciphertext
Message
IP
P S E
kc
xm
Feistel function f
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
40
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
On-line Test of PCB or ASICsSCA for Reverse-Engineering: SCARE
Presentation Outline
1 Introduction
2 AttacksDPA OraclesStudy of the Power Leakage on ASICs & FPGAs
3 Counter-MeasuresInformation HiddingInformation MaskingEncrypted Leakage
4 New Applications of DPAOn-line Test of PCB or ASICsSCA for Reverse-Engineering: SCARE
5 Conclusions & PerspectivesThe DPA ContestEveSoC: an eavesdropping SoC
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
41
-250
-200
-150
-100
-50
0
50
100
150
200
250
0 5 10 15 20 25 30 35 40
Po
we
r (m
V)
Time (ns)
0 transition1 transition
2 transitions3 transitions4 transitions5 transitions6 transitions7 transitions8 transitions
-0.3
-0.2
-0.1
0
0.1
0.2
0.3
0 5 10 15 20 25 30 35 40
Po
we
r [µ
V]
Time [ns]
Signatures comparison of rump_out_7 bit on two sane implementations
rump_out_7 referencerump_out_7 sane
noise level
-0.3
-0.2
-0.1
0
0.1
0.2
0.3
0 5 10 15 20 25 30 35 40
Po
we
r [µ
V]
Time [ns]
Signatures comparison of rng_out_2 bit between rump bit0 stuck and reference implementation
rng_out_2 referencerng_out_2 rump bit0 stuck
noise level
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
On-line Test of PCB or ASICsSCA for Reverse-Engineering: SCARE
Sequential SCARE
Sequential SCARE consists insolving:arg maxS
∑
x (−1)S0(x)⊕S(x).Under this form, it appearsclearly that DPA is a particularcase of SCARE, where thepossible Sboxes to retrieve canbe written S = τk ◦ S0. Thespace to explore for finding amaximum is of size:
|k | = 2n, in the case of theDPA, to be contrasted with
|S | = 22ntwo-input Boolean
functions.
-0.0001
-5e-05
0
5e-05
0.0001
0.00015
0.0002
0 5000 10000 15000 20000
"secmatv1_2006_04_0809_hamming_dist_scare_WAVE_1.csv1bit_output_inversed" u 0:9"" u 0:11
The correct function is 9 (seepeaks at dates 5 228, 5 739 and6 360), and the best concurrentfunction a (see peak at date5 132).
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
47
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
The DPA ContestEveSoC: an eavesdropping SoC
Presentation Outline
1 Introduction
2 AttacksDPA OraclesStudy of the Power Leakage on ASICs & FPGAs
3 Counter-MeasuresInformation HiddingInformation MaskingEncrypted Leakage
4 New Applications of DPAOn-line Test of PCB or ASICsSCA for Reverse-Engineering: SCARE
5 Conclusions & PerspectivesThe DPA ContestEveSoC: an eavesdropping SoC
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
48
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
The DPA ContestEveSoC: an eavesdropping SoC
Secure-IC: Innovation is at the Core of the Strategy
Secure-IC products http://www.Secure-IC.com/
1 High performance cryptographic IPs robust againstside-channel attacks (SCA) and faults injection (FI) forFPGAs or ASICs.
2 Generic CAD tools for SCA resistant circuits.
3 Evaluation of electronic circuit’s robustness against SCA andFI.
4 Development of custom applications or circuits to secureembedded systems.
5 Embedded systems securization Consulting.
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
49
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
The DPA ContestEveSoC: an eavesdropping SoC
The DPA Contest: http://www.DPAcontest.org/
0
500
1000
1500
2000
2500
Sep 1
st 09
Aug 1
st 09
Jul 1st 09
Jun 1
st 09
May 1
st 09
Apr
1st 09
Mar
1st 09
Feb 1
st 09
Jan 1
st 09
Dec 1
st 08
Nov 1
st 08
Oct 1st 08
Sep 1
st 08
Aug 1
2th
08
160
140
120
100
80
60
40
20
0
Num
ber
of tr
aces to b
reak D
ES
SV
N r
evis
ion for
the s
ubm
issio
n
SVN revision for the submissionNumber of traces to break DES
Best attack at this date
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
50
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
The DPA ContestEveSoC: an eavesdropping SoC
A “System-on-Chip” Suitable for CryptoCore in SASEBO
CryptoCore (Cryptographic Hardware Project —Computer Structures Laboratory, Tohoku University,Japan).
SECURE
SecMat: a fully-fledged System-on-Chip enablingseemless CryptoCore programmation in SASEBOgreen/blue: portable VHDL; programmable in C.
distributed in GPL under brand name EveSoC.
SASEBO (Side-channel Attack Standard EvaluationBoard).
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
51
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
The DPA ContestEveSoC: an eavesdropping SoC
References[1] Evaluation on FPGA of Triple Rail Logic Robustness against DPA and DEMA.
In DATE, track A4 (Secure embedded implementations), April 20–24 2009.Nice, France.
[2] Eric Brier, Christophe Clavier, and Francis Olivier.Correlation Power Analysis with a Leakage Model.Proc. of CHES’04, 3156:16–29, August 11–13 2004.ISSN: 0302-9743; ISBN: 3-540-22666-4; DOI: 10.1007/b99451; Cambridge, MA, USA.
[3] Sylvain Guilley, Sumanta Chaudhuri, Laurent Sauvage, Tarik Graba, Jean-Luc Danger, Philippe Hoogvorst,Ving-Nga Vong, and Maxime Nassar.Shall we trust WDDL?In Future of Trust in Computing, volume 2, Berlin, Germany, jun 2008.
[4] Sylvain Guilley, Sumanta Chaudhuri, Laurent Sauvage, Tarik Graba, Jean-Luc Danger, Philippe Hoogvorst,Vinh-Nga Vong, and Maxime Nassar.Place-and-Route Impact on the Security of DPL Designs in FPGAs.In HOST, pages 29–35. IEEE Computer Society, 2008.June 9, Anaheim, USA. ISBN = 978-1-4244-2401-6.
[5] Sylvain Guilley, Philippe Hoogvorst, Renaud Pacalet, and Johannes Schmidt.Improving Side-Channel Attacks by Exploiting Substitution Boxes Properties.In BFCA – http: // www. liafa. jussieu. fr/ bfca/ , pages 1–25, 2007.May 02–04, Paris, France.
[6] Farouk Khelil, Mohamed Hamdi, Sylvain Guilley, Jean-Luc Danger, and Nidhal Selmane.Fault Attack on AES FPGA Encryption Platform.In NTMS, pages 1–5, Tangier, Morocco, nov 2008.
[7] Thanh-Ha Le, Cecile Canovas, and Jessy Clediere.An overview of side channel analysis attacks.
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
52
IntroductionAttacks
Counter-MeasuresNew Applications of DPA
Conclusions & Perspectives
The DPA ContestEveSoC: an eavesdropping SoC
In ASIACCS, pages 33–43, 2008.
[8] Thanh-Ha Le, Jessy Clediere, Cecile Canovas, Bruno Robisson, Christine Serviere, and Jean-Louis Lacoume.A Proposition for Correlation Power Analysis Enhancement.In CHES, volume 4249 of LNCS, pages 174–186. Springer, 2006.Yokohama, Japan.
[9] Thomas S. Messerges, Ezzy A. Dabbish, and Robert H. Sloan.Investigations of Power Analysis Attacks on Smartcards.In USENIX — Smartcard’99, pages 151–162, May 10–11 1999.Chicago, Illinois, USA (Online PDF).
[10] Nidhal Selmane, Sylvain Guilley, and Jean-Luc Danger.Setup Time Violation Attacks on AES.In EDCC, The seventh European Dependable Computing Conference, pages 91–96, Kaunas, Lithuania, may2008.ISBN: 978-0-7695-3138-0, DOI: 10.1109/EDCC-7.2008.11.
[11] K. Tiri and I. Verbauwhede.A Logic Level Design Methodology for a Secure DPA Resistant ASIC or FPGA Implementation.In DATE’04, pages 246–251, February 2004.Paris, France.
Sylvain GUILLEY < [email protected] > On the Power of Power AnalysesSECURE
53