
A First Step Towards Automatic Application of Power Analysis Countermeasures

Ali Galip Bayrak (EPFL, Switzerland), June 7th, 2011, and Francesco Regazzoni (UCL and Alari), Philip Brisk (UC Riverside, USA), François-Xavier Standaert (UCL, Belgium), Paolo Ienne (EPFL, Switzerland).





Presentation Transcript


  1. A First Step Towards Automatic Application of Power Analysis Countermeasures. Ali Galip Bayrak (EPFL, Switzerland), June 7th, 2011, and Francesco Regazzoni (UCL and Alari), Philip Brisk (UC Riverside, USA), François-Xavier Standaert (UCL, Belgium), Paolo Ienne (EPFL, Switzerland)

  2. Side-Channel Attacks
     [Diagram: Cryptographic Algorithm]
     • Plaintext (e.g., “Encrypt me”)
     • Secret Key (e.g., “I’m unknown”)
     • Ciphertext (e.g., “aB14t752s”)
     • Leakage (power consumption, EM radiation, timing etc.)

  3. Power Analysis Attacks

  4. Motivation
     ATTACK! vs. COUNTERMEASURE!
     Software Implementation, Protected Implementation:
     • Analyze the algorithm
     • Determine the weaknesses
     • Apply the countermeasure
     PROBLEM: They are handled manually!!!

  5. Automatic Protection Flow

  6. Step I: Information Leakage Analysis
     [Figure: Normalized Mutual Information of Key and Leakage]
     Main point: Determine the leaking parts of the software!

  7. Step II: Transformation Target Identification
     • Local Modifications: Protect each sensitive instruction (peephole optimization). Example: Random Precharging (used here).
     • Global Modifications: Protect all the nodes between two sensitive nodes. Example: Masking.
     Code:
         sbci r28,0xfd
         ld   r25,r28:r29
         movw r18,r26
         subi r18,0x4f
         sbci r19,0xfd
         movw r28,r18
         ld   r30,r28:r29
     Main point: Determine the portions of the implementation that need to be protected!

  8. Step III: Code Transformation
     Transformed code:
         sbci r28,0xfd
         lds  r25,rnd
         mov  r24,r25
         ld   r25,r28:r29
         …
         movw r18,r26
         subi r18,0x4f
     Original code (as in Step II):
         sbci r28,0xfd
         ld   r25,r28:r29
         movw r18,r26
         subi r18,0x4f
         sbci r19,0xfd
         movw r28,r18
         ld   r30,r28:r29
         …
     Main point: Apply the given protection on the determined portions of the implementation!

  9. Experimental Results (Security)
     • Advanced Encryption Standard (AES) is used.
     • Traces are collected from a board with an 8-bit AVR MCU.
     • A correlation-based DPA attack is used.
     ρ = 0.437, ρ = 0.048: correlation values for unprotected and protected implementations are shown.
     The number of traces necessary to mount a successful attack increases over 76 times.

  10. Experimental Results (Performance)
     [Figure: # of clock cycles during the execution of three different implementations: 4212 (100%), 2700 (64%), 1190]

  11. Conclusions
     AUTOMATIC PROTECTION: Software Implementation, Protected Implementation.
     Off-the-Shelf Compiler, AP, Security-Aware Compiler.
     Security vs. performance vs. energy etc.
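As an added illustration of slides 8 and 9 (not code from the presentation or its authors), the following simulation shows why random precharging lowers the correlation ρ that a known-key evaluation measures on a register load. It assumes a Hamming-distance leakage model with Gaussian noise, a constructed lookup table and key byte, and a register that holds 0x00 before the unprotected load; the resulting values are simulated and are not the measured 0.437 and 0.048.

```python
import random

def hw(x):
    """Hamming weight of a byte."""
    return bin(x).count("1")

def pearson(xs, ys):
    """Sample Pearson correlation coefficient (the rho of slide 9)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5

def known_key_correlation(precharge, n_traces=5000, noise_sd=1.0, seed=2011):
    """Correlate the evaluator's model HW(value) with the simulated leakage of
    one register load, with or without random precharging of the register."""
    rng = random.Random(seed)
    table = list(range(256))
    rng.shuffle(table)            # constructed stand-in for a lookup table
    key = 0x3C                    # constructed key byte, known to the evaluator
    model, leakage = [], []
    for _ in range(n_traces):
        value = table[rng.randrange(256) ^ key]   # byte fetched by the `ld`
        # Assumed leakage: Hamming distance between old and new register value.
        # Unprotected: the register held a fixed value (0x00 assumed here).
        # Precharged: `lds r25,rnd` put a fresh random byte there first.
        old = rng.randrange(256) if precharge else 0x00
        leakage.append(hw(old ^ value) + rng.gauss(0.0, noise_sd))
        model.append(hw(value))
    return pearson(model, leakage)

if __name__ == "__main__":
    print("unprotected rho: %.3f" % known_key_correlation(False))
    print("precharged  rho: %.3f" % known_key_correlation(True))
```

Because the precharged byte is uniform and independent of the loaded value, the Hamming distance between them carries no information about the value, so the correlation with the evaluator's model collapses towards zero.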
