SPA and DPA attacks. Pascal Paillier, Gemplus ARSC/STD/CRY. Outline: Side Channel Cryptanalysis; SPA – Simple Power Analysis; DPA – Differential Power Analysis; Acquisition procedure; Selection & prediction; Differential operator and curves; Reverse engineering using the DPA indicator
Outline
• Side Channel Cryptanalysis
• SPA – Simple Power Analysis
• DPA – Differential Power Analysis
  • Acquisition procedure
  • Selection & prediction
  • Differential operator and curves
  • Reverse engineering using the DPA indicator
• Attacking a Secret Key algorithm with DPA
  • Typical target
  • Hypothesis testing (guesses management)
Which are Side Channel Attacks
1. Differential Fault Analysis (DFA)
  • Biham-Shamir (1997)
2. Timing Attacks
  • Kocher (1996)
3. Simple Power Analysis (SPA)
  • Kocher, Jaffe, Jun (1998)
4. Differential Power Analysis (DPA)
  • Kocher, Jaffe, Jun (1998)
Side Channels
• Kocher et al., June 1998: Measure instantaneous power consumption of a device while it runs a cryptographic algorithm
• Different power consumption when operating on logical ones vs. logical zeroes.
Systems under Threat
• Implementations of Cryptographic Algorithms
  • On smart cards
  • On general/specific purpose hardware
  • On software
Power Attacks
• Published on the web by Paul KOCHER (1998)
• Big noise in the cryptographic community
• Big fear in the smart card industry!
• Power Attacks are powerful and generic
• Statistical & signal processing
• Known random messages
• Targeting a known algorithm
• Running on a single smart card
• Attack performed in 2 steps
  • Acquisition phase: on-line with the smart card
  • Analysis phase: off-line on a PC (hypothesis testing)
What is a Power Analysis Attack?
[Figure: Power Supply; Current or Power Measurement; R; Attacker's Point; Cryptographic Device]
• Side-channel attacks exploit correlation between secret parameters and variations in timing, power consumption, and other emanations from cryptographic devices to reveal secret keys
Acquisition procedure
• Play the algorithm N times (100 < N < 100000)
[Figure: Algorithm, with input data (messages Mi), output (sign/cipher Si), and power consumption curves Ci (or other side channel leakage like EM radiation)]
Acquisition procedure
• Monitoring equipment for iterated acquisitions
POWER MEASUREMENT SETUP
• Oscilloscope
• Carefully choose resistors-capacitors
• Reduce noise
• Collect power traces
FREQUENCY AND SUPPLY VOLTAGE: UNDER THE CONTROL OF THE ATTACKER
Acquisition procedure
• After data collection, what is available?
• N plain and/or cipher random texts
  00 B688EE57BB63E03E
  01 185D04D77509F36F
  02 C031A0392DC881E6
  …
• N corresponding power consumption waveforms
What an Attacker Knows
• Precise power measurements
• Which algorithm is computed
• Ciphertexts and plaintexts
• Any additional information
Simple Power Analysis
• (E.g., Kocher 1998) Attacker directly uses power consumption to learn bits of secret key. Waveforms visually examined.
• Big features like rounds of DES, square vs. multiply in RSA exponentiation, and small features, like bit value.
• Relatively easy to defend against.
Simple Power Analysis
• Simple attack, needs a few seconds
• Direct observation of a system's power consumption
• Can gain very useful information
How SPA Works
Key = 101011
• Double-and-Add Algorithm: Power Trace = [Figure: power trace annotated with bits 0 1 0 1 1]
• With “Dummy” Operations: Power Trace = [Figure: power trace annotated with bits 0 1 0 1 1]
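The two cases on this slide, as an added Python illustration that is not part of the original slides: plain double-and-add beside the variant with dummy additions, each returning the sequence of operations an observer could tell apart in a trace. The toy group (integers mod N), the values P = 5 and N = 1009, and all function names are assumptions made for the example.

```python
# Added illustration: toy group = integers mod N, so "k*P" is ordinary modular
# multiplication. "D"/"A" stand for the double/add shapes visible in a trace.

def double_and_add(key_bits, p, n):
    """Left-to-right double-and-add; the add runs only when the key bit is 1."""
    q, ops = p, []                      # leading key bit (assumed "1") loads P
    for bit in key_bits[1:]:
        q = (2 * q) % n
        ops.append("D")
        if bit == "1":
            q = (q + p) % n
            ops.append("A")
    return q, "".join(ops)

def double_and_add_always(key_bits, p, n):
    """Same result, but a (possibly dummy) add follows every double."""
    q, ops = p, []
    for bit in key_bits[1:]:
        q = (2 * q) % n
        ops.append("D")
        t = (q + p) % n                 # always computed
        ops.append("A")
        q = t if bit == "1" else q      # dummy result dropped when bit is 0
    return q, "".join(ops)

def bits_visible_in(ops):
    """Key bits implied by the D/A pattern: D then A reads 1, a lone D reads 0."""
    bits, i = [], 0
    while i < len(ops):
        if ops[i + 1:i + 2] == "A":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return "".join(bits)

if __name__ == "__main__":
    KEY, P, N = "101011", 5, 1009       # key from the slide; P and N are constructed
    for fn in (double_and_add, double_and_add_always):
        result, ops = fn(KEY, P, N)
        print(fn.__name__, result, ops, bits_visible_in(ops))
```

The plain version exposes 01011, the slide's key after its leading 1, while the dummy-operation version produces the same D/A pattern for every key of that length. In a real implementation the final selection between `t` and `q` must itself be branch-free, otherwise it becomes the new leak.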
SPA result Example
• Interpret power consumption measurement
• What is learned: device’s operation, key material
• Base: power consumption variance of µP instructions
• DES operation by smart card
Selection & prediction
[Figure: Mi → f → Si = f [Mi]]
• Assume the data are processed by a known deterministic function f (transfer, permutation...)
• Knowing the data, one can recompute off line its image through f
• Now select a single bit among S bits (in S buffer)
• One can predict the true story of its variations
  i  Message           bit
  0  B688EE57BB63E03E  1
  1  185D04D77509F36F  0
  2  C031A0392DC881E6  1
  …  for i = 0, N-1
DPA operator & curve
[Figure: Mi → f, split into bit (Si) = 0 and bit (Si) = 1]
• Partition the data and related curves into two packs according to selected bit
• … and assign -1 to pack 0 and +1 to pack 1
  i  Message           bit  sign
  0  B688EE57BB63E03E  1    +1
  1  185D04D77509F36F  0    -1
  2  C031A0392DC881E6  1    +1
  …  for i = 0, N-1
• Sum the signed consumption curves and normalise
• <=> Difference of averages (N0 + N1 = N)
DPA operator & curve
• DPA curve construction
[Figure: curves for messages M0, M1, …, MN (B688EE..., 185D04D..., C031A0...), their selection bits, and the average giving the DPA curve]
DPA Result Example
[Figure panels:]
• Average Power Consumption
• Power Consumption Differential Curve With Correct Key Guess
• Power Consumption Differential Curve With Incorrect Key Guess
• Power Consumption Differential Curve With Incorrect Key Guess
DPA operator & curve
[Figure: selection bit column beside the bits of the data bytes that contain it]
• Spikes explanation: Hamming Weight of the bit’s byte
  Average = E[HW0] = 0 + 3.5
  Average = E[HW1] = 1 + 3.5
  D = E[HW1] - E[HW0] = 1
• Contrast (peak height) proportional to N^(1/2) (evaluation criterion)
• If prediction was wrong: selection bit would be random
  E[HW0] = E[HW1] = 4 => D = 0
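The difference-of-averages operator and the Hamming-weight spike explanation above, as an added Python simulation that is not part of the original slides. The traces are constructed (Gaussian noise plus the Hamming weight of one data byte at a single time sample), f is assumed to be a plain byte transfer, and all names and parameters are assumptions.

```python
import random

def hamming_weight(x):
    return bin(x).count("1")

def simulate_traces(data, leak_at, n_samples, noise, rng):
    """Constructed curves: noise everywhere, plus HW(byte) at sample leak_at."""
    traces = []
    for byte in data:
        t = [rng.gauss(0.0, noise) for _ in range(n_samples)]
        t[leak_at] += hamming_weight(byte)
        traces.append(t)
    return traces

def dpa_curve(traces, selection_bits):
    """Average of pack 1 minus average of pack 0, for every time sample."""
    n_samples = len(traces[0])
    sums = {0: [0.0] * n_samples, 1: [0.0] * n_samples}
    counts = {0: 0, 1: 0}
    for trace, bit in zip(traces, selection_bits):
        counts[bit] += 1
        acc = sums[bit]
        for j, v in enumerate(trace):
            acc[j] += v
    return [sums[1][j] / counts[1] - sums[0][j] / counts[0]
            for j in range(n_samples)]

def run_demo(n=4000, n_samples=20, leak_at=7, noise=1.0, seed=1):
    rng = random.Random(seed)
    data = [rng.randrange(256) for _ in range(n)]      # known random bytes
    traces = simulate_traces(data, leak_at, n_samples, noise, rng)
    predicted = [byte & 1 for byte in data]            # correct prediction of bit 0
    unrelated = [rng.randrange(2) for _ in data]       # wrong prediction: random bit
    return dpa_curve(traces, predicted), dpa_curve(traces, unrelated)

if __name__ == "__main__":
    good, bad = run_demo()
    peak = max(range(len(good)), key=lambda j: abs(good[j]))
    print("correct prediction: peak %.2f at sample %d" % (good[peak], peak))
    print("wrong prediction:   max |D| = %.2f" % max(abs(v) for v in bad))
```

With the correct selection bit the curve shows a single spike of height close to 1 at the sample where the byte is handled, matching D = E[HW1] - E[HW0] = 1; with an unrelated selection bit the curve stays near 0 everywhere.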
Reverse engineering using DPA
[Figure: Consumption curve; DPA curves]
• Use DPA to locate when predictable things occur
• Example: locate an algo trace by targeting its output (ciphertext transfer to RAM, ciphertext is given)
CONCLUSIONS
DPA vs. SPA
• Not many implementation details
• Noise is not so important
• Attacks even small features
• Low amount of experiments
• Faster to launch
REFERENCES
• Paul Kocher, Joshua Jaffe, and Benjamin Jun, “Differential Power Analysis”, Advances in Cryptology – CRYPTO ’99, LNCS 1666, Aug. 1999, pp. 388-397
• Kouichi Itoh, Masahiko Takenaka, and Naoya Torii, “DPA Countermeasure Based on the Masking Method”, ICICS 2001, LNCS 2288, 2002, pp. 440-456
• Louis Goubin, Jacques Patarin, “DES and Differential Power Analysis”, Proceedings of Workshop on Cryptographic Hardware and Embedded Systems, Aug. 1999, pp. 158-172
• Jean-Sebastien Coron, Louis Goubin, “On Boolean and Arithmetic Masking against Differential Power Analysis”, CHES 2000, LNCS 1965, 2000, pp. 231-237
• Mehdi-Laurent Akkar, Christophe Giraud, “An Implementation of DES and AES, Secure against Some Attacks”, CHES 2001, LNCS 2162, 2001, pp. 309-318
• D. May, H.L. Muller, and N.P. Smart, “Random Register Renaming to Foil DPA”, CHES 2001, LNCS 2162, 2001, pp. 28-38
• S. Almanei, “Protecting Smart Cards from Power Analysis Attacks”, http://islab.oregonstate.edu/koc/ece679cahd/s2002/almanei.pdf, May 2002
• Adi Shamir, “Protecting Smart Cards from Passive Power Analysis with Detached Power Supplies”, CHES 2000, LNCS 1965, 2000, pp. 71-77
• P. Y. Liardet, N. P. Smart, “Preventing SPA/DPA in ECC Systems Using the Jacobi Form”, CHES 2001, LNCS 2162, 2001, pp. 391-401
• Jean-Sebastien Coron, “Resistance Against Differential Power Analysis for Elliptic Curve Cryptosystems”, in Ç.K. Koç and C. Paar, Eds., Cryptographic Hardware and Embedded Systems, LNCS 1717, Springer-Verlag, 1999, pp. 292-302
• Marc Joye and Christophe Tymen, “Protections against differential analysis for elliptic curve cryptography: An algebraic approach”, in Ç.K. Koç, D. Naccache, and C. Paar, Eds., Cryptographic Hardware and Embedded Systems – CHES 2001, LNCS 2162, Springer-Verlag, 2001, pp. 377-390