1 / 29

Lecture 3: Power Analysis

Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Guest Lecturer: Yossi Oren. Lecture 3: Power Analysis. Required Reading. http://www.dpabook.org http://www.springerlink.com/content/g01q1k. Fundamentals. Fundamentals. AES Circuit Design Statistics

neola
Download Presentation

Lecture 3: Power Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Information Security – Theory vs. Reality 0368-4474-01, Winter 2011Guest Lecturer: Yossi Oren Lecture 3: Power Analysis

  2. Required Reading http://www.dpabook.org http://www.springerlink.com/content/g01q1k

  3. Fundamentals

  4. Fundamentals • AES • Circuit Design • Statistics • Introduction to Power Analysis

  5. The AES Cipher AES Plaintext Ciphertext Key

  6. The AES Cipher (2) Source: http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

  7. The AES Cipher (3) void RijndaelEncrypt( u8 input[16], u8 output[16] ) { […] for (r=1; r<=9; r++) { ByteSub(state); ShiftRow(state); MixColumn(state); KeyAdd(state, roundKeys, r); } […] Source: http://users.ece.utexas.edu/~gerstl/ee382v-ics_f09/soc/tutorials/System_C_Code_Examples_2/date04_examples/cosimulate/sw_only/

  8. Statistics 101 ⇐ Low Variance High ⇒ Variance ⇐ Low Correlation High ⇒ Correlation

  9. Side Channel Attacks Radiation Heat EM Sound Crypto Device Plaintext Ciphertext Bad Inputs Errors Key Timing Power Vibration

  10. Theory of power analysis • Power consumption is variable • Power consumption depends on instruction • Power consumption depends on data

  11. Power Consumption is Variable? Vdd P1 C1 a q q C2 N1 Power consumption A GND • The power consumption of a CMOS gate depends on the data: q: 0->0 virtually no power cons. q: 1->1 virtually no power cons. q: 0->1 high power cons. (proportional to C2) q: 1->0 high power cons. (proportional to C1)

  12. Power Consumption is Variable! Source: DPA Book

  13. Power Depends on Instruction Source: DPA Book

  14. Power Depends on Data Source: DPA Book

  15. Q&A (Fundamentals) • AES • Circuit Design • Statistics

  16. Correlation Power Analysis (CPA)

  17. Correlation Power Analysis • Simple Power Analysis • Warm-upCorrelation Power Analysis • Full Correlation Power Analysis

  18. Power Analysis Attack Scenario • Plaintexts and ciphertexts may be chosen, known or unknown Crypto Device Plaintexts Ciphertexts Key Power

  19. Theory of power analysis • Power consumption is variable • Power consumption depends on instruction • Power consumption depends on data

  20. Simple Power Analysis (SPA) • Pros: • Small amount of traces • Cons: • Detailed reverse engineering • Long manual part

  21. Differential Power Analysis (DPA) • Use statistical properties of traces to recover key • Pros: • Very limited reverse engineering • Harder to confuse • Cons: • Large amount of traces • Two main types of DPA: • Difference of means (traditional DPA) • Correlation power analysis (CPA)

  22. CPA Basics • We want to discover the correct key value (ck) and when it is used (ct) • Idea: • On the correct time, the power consumption of all traces is correlated with the correct key • On other times and other keys the traces should show low correlation

  23. Warm-up CPA • Assume plaintext and correct key are known but correct time is unknown • Form hypothesis and test it • Good hypothesis: • Depends on known plaintext • Depends on small amount of key bits • Non-linear – sensitive to small changes • Maps to power consumption using a model

  24. Warm-up CPA in Numbers • 1000 traces, each consisting of 1 million points • Each trace uses a different known plaintext – 1000 plaintexts • 1 known key • Hypothesis is vector of 1000hypothetical power values • Output of warm-up CPA: vector of 1 million correlation values with peak at ct

  25. Warm-up CPA in Pictures

  26. Full CPA • Plaintext is known, but correct key and correct time unknown • Idea: run warm-up CPA many times in parallel • Create many competing hypotheses

  27. Full CPA in Numbers • 1000 traces, each consisting of 1 million points • Each trace uses a different known plaintext – 1000 plaintexts • Key is unknown – 256 guesses for first byte • Hypothesis is matrix of 1000X256hypothetical power values • Output of full CPA: matrix of 1,000,000X256 correlation values with peak at (ck,ct)

  28. Full CPA in Pictures

  29. Q&A (CPA) • Simple Power Analysis • Warm-up Correlation Power Analysis • Full Correlation Power Analysis

More Related