DPA: Attacks and Counter-measures

Shivam BHASIN, Taoufik CHOUTA, Guillaume DUC, Jean-Luc DANGER,
Aziz EL AABID, Florent FLAMENT, Philippe HOOGVORST,
Tarik GRABA, Sylvain GUILLEY, Houssem MAGHR’EBI,
Olivier MEYNARD, Maxime NASSAR, Renaud PACALET,
Laurent SAUVAGE, Nidhal SELMANE and Youssef SOUISSI.
Institut TELECOM / TELECOM-ParisTech
CNRS – LTCI (UMR 5141)
SECURE
GDR SoC-SiP
14:00 – 14:45
AMPHI SAPHIR, TELECOM ParisTech, PARIS.
S. Guilley, < [email protected] >
DPA attacks & counter-measures
SECURE
1/42
Presentation Outline
1 Context
2 Side-Channel Attacks
    Side-Channels
    Side-Channels Acquisitions
    Attack Algorithms
3 Counter-Measures to SCAs
    Protocol-Level
    Register Transfer Level
    Netlist Level
4 Attacks on Counter-Measures
    Attack on Information Masking
    Attack on Information Hiding
5 Conclusions and Perspectives
    Conclusions
    Perspectives
Adversary's goal: secrets extraction.

Protection: conceal the secrets in a device (ASIC) ... or in the bitstream of an FPGA.

Representativity of the study: most problems come down to this... Example: fetching data from an encrypted memory
  ⇒ decrypt the memory,
  ⇒ attack the CPU,
  ⇒ use side-channel attacks (SCA), for instance.
There are other applications of SCA
  SCARE: reverse engineering of secret cryptography.
  Test (virtual oscilloscope).
  Subliminal channel for IP watermarking.
Typical side-channels
Figure: the attacked circuit leaks through three channels:
  Time → Timing Attacks (TA) [5];
  Power → Power Analysis Attacks [6]: SPA, DPA, templates, etc.;
  Electro-magnetic → Electromagnetic Attacks (EMA) [1].
Are SCAs intrusive?
Side-Channel Attacks (SCA) versus Fault Injection Attacks (FIA):
  SCA: passive;
  FIA: active.
But what about the experimental setup?
                                  Non-intrusive         Intrusive
  Deportable IC (smartcard)       Timing, power, EM     —
  Soldered IC or BGA (FPGA)       Timing, EM            Power
Measurement know-how is crucial.
→ The 3rd version (2010–2011) of the DPA contest (http://www.dpacontest.org/) will have an acquisition competition, based on SASEBO GII.
ALTERA Excalibur evaluation board “customized for DPA”
Parallax ALTERA Stratix board “customized for DPA” [3]
Figure labels: serial port; pads and board supply (5.0 V); FPGA core supply (1.5 V); side-channel measurement.
XCV800 home-made board suitable for global EMA
Figure labels: antenna; acquisition setup.
Pictures are courtesy of ESAT, Katholieke Universiteit Leuven, Belgium (Elke De Mulder [7]).
In-house ALTERA Stratix “as is” suitable for local EMA [9, 8]
XILINX Virtex-5 evaluation board “customized for EMA”
Figure labels: XC5VLX50 evaluation board; FF324 (182 pins) socket; FPGA chip; metallic cover.
ALTERA Stratix with chemical preparation for EMA
Modus operandi
Information known/unknown by the attacker:
  Known: the observations O;
  Known: (usually) either the plaintext or the ciphertext;
  Unknown: the encryption key (case of symmetric encryption).
Strategy: divide-and-conquer. Partition the observations according to a sensitive variable S that:
  depends on the secret K,
  involves not too many bits of K, since the attack is an exhaustive search over those bits,
  is computable from the plaintext / ciphertext.
Therefore:
  attacks target the first or the last round (in general);
  MixColumns in AES is hard to invert ⇒ attack the last round.
Use the traces O to distinguish the correct partitioning from the wrong ones.
Distinguishers use a model: M(S) is the physical syndrome related to the manipulation of the secret S. It is called the leakage model.
Examples of distinguishers:
  DoM (difference of means): $|E(O \mid M(S)=0) - E(O \mid M(S)=1)|$
  Covariance: $E_S\big((O \mid M(S) - E(O \mid M(S)))\,(M(S) - E(M(S)))\big)$
  CPA: $\rho_s(O \mid S=s;\ M(s))$
  MIA: $E_s\, H(O \mid M(S)=M(s))$ or $I(O;\, M(S))$
Models M(S) (classification by [10])
Partition-based:
  If unprotected:
    $M(s) = |s|$: Hamming weight; bus cleared in SW;
    $M(s) = |s \oplus R|$: Hamming weight; bus precharged in SW;
    $M(s) = |s \oplus s_{-1}|$: Hamming distance; typical of HW;
    $M(s) = |s \cdot s_{-1}| + (1-\delta)\,|s \cdot s_{-1}|$: idem, but in near-field EMA.
  If protected:
    $M(s) = s$. Warning: $2^n$ values!
    Difficult to be more inventive if the countermeasure is sound... but we'll see.
Comparison-based (profiled attacks):
  $M(S) = E(O \mid S)$: templates.
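The divide-and-conquer procedure of the "Modus operandi" slide, the DoM and CPA distinguishers, and the Hamming-weight model M(s) = |s| of the unprotected case, put together in one simulation. This is an added example, not code from the slides or from the authors' tools: the traces are constructed (one sample per encryption, HW of the S-box output plus Gaussian noise), the key byte 0x2B is a constructed secret, and the target is the first-round AES S-box output S = SubBytes(p ⊕ k), which an attacker can compute from the plaintext byte p. An evaluator uses exactly this kind of model to estimate how many traces a given leakage level would need before measuring anything.

```python
"""First-order DPA/CPA rehearsal on an unprotected AES S-box lookup.

Added example, not taken from the slides or from the authors' tools.  The
traces are synthetic: one sample per encryption, generated with the
Hamming-weight leakage model M(s) = |s| of an unprotected datapath plus
Gaussian noise (a constructed leakage, not a measurement).  For each of the
256 guesses k of one key byte, the sensitive variable is S = SubBytes(p ^ k)
(first AES round, computable from the plaintext byte p); DoM and CPA then
score every guess and the true key should rank first.
"""
import math
import random


def _gf_mul(a, b):
    """Multiplication in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox():
    """AES S-box from its definition: GF(2^8) inverse followed by the affine map."""
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        s, v = inv, inv
        for _ in range(4):                   # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            v = ((v << 1) | (v >> 7)) & 0xFF
            s ^= v
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
HW = [bin(v).count("1") for v in range(256)]  # Hamming-weight lookup table


def simulate_traces(n, key_byte, sigma, seed=1):
    """Constructed leakage: O = HW(SubBytes(p ^ key_byte)) + N(0, sigma^2)."""
    rng = random.Random(seed)
    plaintexts = [rng.randrange(256) for _ in range(n)]
    traces = [HW[SBOX[p ^ key_byte]] + rng.gauss(0.0, sigma) for p in plaintexts]
    return plaintexts, traces


def dom(plaintexts, traces, guess, bit=0):
    """Difference of Means (Kocher's DPA): partition the traces on one bit of S."""
    ones = [o for p, o in zip(plaintexts, traces) if (SBOX[p ^ guess] >> bit) & 1]
    zeros = [o for p, o in zip(plaintexts, traces) if not (SBOX[p ^ guess] >> bit) & 1]
    if not ones or not zeros:
        return 0.0
    return abs(sum(ones) / len(ones) - sum(zeros) / len(zeros))


def cpa(plaintexts, traces, guess):
    """Correlation Power Analysis: |Pearson correlation| between HW(S) and the traces."""
    model = [HW[SBOX[p ^ guess]] for p in plaintexts]
    n = len(traces)
    mean_m, mean_t = sum(model) / n, sum(traces) / n
    cov = sum((m - mean_m) * (t - mean_t) for m, t in zip(model, traces))
    var_m = sum((m - mean_m) ** 2 for m in model)
    var_t = sum((t - mean_t) ** 2 for t in traces)
    if var_m == 0 or var_t == 0:
        return 0.0
    return abs(cov / math.sqrt(var_m * var_t))


def rank_keys(plaintexts, traces, distinguisher):
    """Score all 256 guesses; returns (guesses sorted best first, scores)."""
    scores = {k: distinguisher(plaintexts, traces, k) for k in range(256)}
    return sorted(scores, key=scores.get, reverse=True), scores


def key_rank(plaintexts, traces, distinguisher, true_key):
    """Position of the true key byte in the ranking (0 means it is recovered)."""
    ranking, _ = rank_keys(plaintexts, traces, distinguisher)
    return ranking.index(true_key)


if __name__ == "__main__":
    TRUE_KEY = 0x2B          # constructed secret key byte
    p, o = simulate_traces(2000, TRUE_KEY, sigma=1.0)
    for name, d in (("DoM", dom), ("CPA", cpa)):
        ranking, scores = rank_keys(p, o, d)
        print(f"{name}: best guess 0x{ranking[0]:02X} (score {scores[ranking[0]]:.3f}), "
              f"true key rank {ranking.index(TRUE_KEY)}")
```

Raising `sigma` or lowering the trace count in `simulate_traces` shows the point of the "Finding the best leakage models is not obvious" slide from the other side: the same distinguisher with a wrong model (try ranking with `bit=7` in `dom`, or a Hamming-distance model against these HW traces) needs many more traces before the true key separates from the ghost peaks.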
Various leakage models for DES (iterative architecture)
Figure: one Feistel round of DES with its 32-bit halves. Attack on the first round (t = 0 → t = 1): (L0, R0) → (L1, R1) through the Feistel function f and the subkey K1. Attack on the last round (t = 15 → t = 16): (L15, R15) → (L16, R16) through f and K16. Models A, B, C and D mark the points of the datapath taken as the sensitive variable.
Caption: black = known values; red = unknown sensitive values.
Finding the best leakage models is not obvious
Figure: four plots (one per model A, B, C, D) of the success rate, from 0 to 1, as a function of the number of traces used for profiling (up to 4000) and the number of traces used for the online attack.
So, shall we conclude the Hamming distance (HD) — model D — is the ultimate model for HW?
Figure: average power trace and covariance result (same scale as the average power trace; voltage in mV versus time in clock periods, from −8 to 16), and the covariance result zoomed.
SecMat v1 [ASIC]: typical trace: 92 mV; typical DPA: 3.0 mV ⇒ side-channel leakage: 3.3 %. See [4].
Combined attacks!
  1 Various distinguishers for the same partitioning;
  2 One distinguisher can be evaluated on various partitionings;
  3 The diversity can also come from the multiplicity of time samples usually gathered during an acquisition campaign;
  4 It can also arise from multi-modal acquisitions;
  5 There can be situations where the most suitable partitioning evolves from sample to sample in a side-channel capture.
Targeted strategies
Protocol-level: most wanted, since provable.
Register-Transfer Level:
  Masking: easiest to implement; Boolean or algorithmic;
  Encrypted leakage;
  Glitch-full circuits.
Netlist or implementation level:
  Hiding (= DPL, Dual-rail with Precharge Logic).
Degenerated counter-measures / “make it difficult” strategies:
  DPL w/o precharge;
  Noise generator, dummy instructions, varying clock, etc.
⇒ And as for attacks, countermeasures can be combined.
Protocol level: if ≈ 1 bit is leaked per 100 encryptions...
Figure: Alice and Bob start from a shared key k0. Alice encrypts with AES_{k0} and Bob decrypts with AES^{-1}_{k0} for 100 encryptions; then each side derives k1 = hash(k0). They continue with AES_{k1} / AES^{-1}_{k1} for another 100 encryptions, then derive k2 = hash(k1), and so on.
Masking
Principle: every potentially sensitive variable s is represented as shares {s0, s1, ..., s_{n−1}}; to reconstruct s, all the s_i are required. Example: n = 2, s = s0 ⊕ s1.
  Leakage resistant, since variables are never manipulated in the clear;
  Attractive, but works well only for registers;
  Efforts have been made to protect the combinational logic as well.
Encrypted Leakage
Figure: two deployments of a masked DES. One is an FPGA loaded with an encrypted bitstream: masked DES with masked DFFs, keys kb and kc. The other is a tamper-proof ASIC acting as a Trusted Platform Module: key ki stored in NVM (personalization), masked DES with masked DFFs, key kc. In both cases the side-channel (EMA, power) is observed while the device computes y = DES(x, kc).
Glitch-full circuits
Figure: two DES architectures. (a) Sequential iterative DES: 8-bit input, FP, 64-bit datapath, PC1∘FP, IP, LS, parity bits, 3→1 and 4→1 multiplexers, IF, LR and CD (56-bit) registers; the round logic and key schedule are iterated for rounds 1 to 16. (b) Purely combinatorial DES: rounds 1 to 16 unrolled, each with its own round logic and key schedule; 8-bit output. The datapath is drawn in (1) “normal” and (2) “IP” representation.
Figure: (a) sequential iterative DES encryption signature, with the average variation margin (average ± standard deviation [mV] versus time [ns], 0 to 1000 ns), for statistics collected on 10k measurements; all 16 rounds are visible. (b) Average combinatorial DES encryption signature, with the average variation margin (0 to 200 ns), for statistics collected on 100k measurements; rounds #1 to #8 are annotated, with timing marks of 11 ns, 35 ns, <1 ns and >2 ns.
Hiding: Placement and Routing of Xilinx WDDL+ Netlists
P&R tools “naturally” separate true and false paths.
Example with the AES substitution box SubBytes, with and without placement constraints (2 × 2 LUT4 per slice).
Figure: unconstrained placement versus constrained placement.
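Why the placement of the true and false paths matters for hiding, as an added toy model that is not part of the slides and not the authors' WDDL+ netlist or Xilinx flow. It models plain dual-rail precharge logic: each signal a travels on two wires (a_t, a_f) = (a, ¬a), every clock cycle precharges both wires to 0 and then evaluates, so exactly one wire per signal rises. The energy model is constructed (energy = Σ capacitance × 0→1 transitions, with made-up capacitances); with equal capacitances on the two rails the energy is data-independent, and with the unequal capacitances that an unconstrained placement produces the same gates leak the data again.

```python
"""Dual-rail with Precharge Logic (WDDL-style) toggle-count model.

Added example, not from the slides.  Each bit a is encoded on two wires
(a_t, a_f) = (a, not a).  A cycle has a precharge phase driving every wire to
0, then an evaluation phase raising exactly one wire per signal.  WDDL builds
its gates from positive functions only: the true rail of AND computes
a_t AND b_t, its false rail computes a_f OR b_f (the dual), so no glitch is
possible and each evaluation costs one 0->1 transition per signal.  The
energy model is constructed: energy = sum over wires of capacitance * toggles.
"""
from itertools import product


def encode(bit):
    """Dual-rail encoding of one bit: (true rail, false rail)."""
    return (bit, 1 - bit)


def wddl_and(a, b):
    """WDDL AND: true rail = a_t AND b_t, false rail = a_f OR b_f."""
    return (a[0] & b[0], a[1] | b[1])


def wddl_or(a, b):
    """WDDL OR: true rail = a_t OR b_t, false rail = a_f AND b_f."""
    return (a[0] | b[0], a[1] & b[1])


WIRES = ["a_t", "a_f", "b_t", "b_f", "p_t", "p_f", "q_t", "q_f", "z_t", "z_f"]


def evaluate_cycle(a_bit, b_bit, caps):
    """One precharge/evaluate cycle of z = a XOR b = (a AND !b) OR (!a AND b).

    caps maps wire name -> capacitance (constructed values).  Returns the
    evaluation-phase energy (0->1 transitions from the all-zero precharge
    state, weighted by capacitance) and the decoded output bit.
    """
    a, b = encode(a_bit), encode(b_bit)
    not_a, not_b = (a[1], a[0]), (b[1], b[0])   # NOT is a wire swap in dual-rail
    p = wddl_and(a, not_b)
    q = wddl_and(not_a, b)
    z = wddl_or(p, q)
    wires = dict(zip(WIRES, [a[0], a[1], b[0], b[1], p[0], p[1], q[0], q[1], z[0], z[1]]))
    # precharge drove every wire to 0, so a wire at 1 after evaluation toggled once
    energy = sum(caps[w] * v for w, v in wires.items())
    assert (z[0], z[1]) in ((0, 1), (1, 0))     # output is a valid dual-rail value
    return energy, z[0]


def energy_profile(caps):
    """Energy for each of the four input pairs of the XOR cell."""
    return {(a, b): evaluate_cycle(a, b, caps)[0] for a, b in product((0, 1), repeat=2)}


def leakage(caps):
    """Data-dependent spread of the energy: 0 means the cell hides its inputs."""
    energies = energy_profile(caps).values()
    return max(energies) - min(energies)


# constructed capacitances: balanced routing, and false rails 40 % longer than true rails
BALANCED = {w: 1.0 for w in WIRES}
UNBALANCED = {w: (1.0 if w.endswith("_t") else 1.4) for w in WIRES}

if __name__ == "__main__":
    for name, caps in (("balanced", BALANCED), ("unbalanced", UNBALANCED)):
        print(name, energy_profile(caps), "leakage =", round(leakage(caps), 3))
```

With balanced capacitances every input pair costs five transitions (one per signal a, b, p, q, z), so the energy is constant; with the false rails heavier, inputs (0, 0) raise five false rails and (1, 1) only three, and the energy orders the inputs by their Hamming weight, which is the leakage that the placement constraints on the slide are meant to remove.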
Attack on information masking: masked DES datapath
Figure: message → IP → left and right masked data (Li, Ri) together with their masks (MLi, MRi). In the Feistel function f, the expansion E is applied to both the masked data and the mask, the round key ki is added (kc for the attacked round), and a masked S-box S′ outputs S(x ⊕ kc) ⊕ m′ from the masked input xm and the masks m, m′; the result goes through the permutation P, then FP → ciphertext.
Attacks on masking (1/2)
Unprotected implementation: the observation O is the Hamming weight of the sensitive value, whose leakage L takes the values 0..4 with prior p(L = 0) = 1/16, p(L = 1) = 4/16, p(L = 2) = 6/16, p(L = 3) = 4/16, p(L = 4) = 1/16.
  Correct key (i.e. physical L): the histogram of O|L = l is a single bar at l, so H(O|L = l) = 0 for l = 0..4 ⇒ H(O|L) = 0 bit.
  Incorrect key (i.e. random L): O|L = l has the same spread over 0..4 for every l, with H(O|L = l) = 2.03 ⇒ H(O|L) = 2.03 bit.
Attacks on masking (2/2)
Masked implementation: the observation O (values 0..8) combines the leakage of the two shares; same prior on L.
  Correct key (i.e. physical L): H(O|L = 0) = 2.03, H(O|L = 1) = 1.81, H(O|L = 2) = 1.5, H(O|L = 3) = 1, H(O|L = 4) = 0 ⇒ H(O|L) = 1.39 bit.
  Incorrect key (i.e. random L): H(O|L = l) = 2.54 for every l ⇒ H(O|L) = 2.54 bit.
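The conditional entropies on the two "Attacks on masking" slides, and the n = 2 Boolean masking s = s0 ⊕ s1 of the masking slide, recomputed exactly. This is an added example, not code from the slides: it assumes a 4-bit sensitive value s (the slides' prior 1/16, 4/16, 6/16, 4/16, 1/16 on L = HW(s)), a noiseless Hamming-weight leakage, and, for the masked case, an observation that sums the leakage of both shares, O = HW(s ⊕ m) + HW(m) with the mask m uniform, which is the "zero-offset" combination M(S) = S1 + S2 of the models slide. A correct key prediction gives L = HW(s); a wrong one gives an L unrelated to the data.

```python
"""Conditional-entropy (MIA-style) view of first-order Boolean masking.

Added example, not from the slides.  A 4-bit sensitive value s leaks through
its Hamming weight.  The attacker predicts L = HW(s) (correct key) or an
unrelated L (wrong key) and computes H(O | L) of the observation O.
Unprotected: O = HW(s).  Masked with n = 2 shares, s = s0 XOR s1, s1 = m
uniform: O = HW(s XOR m) + HW(m) (zero-offset combination of both shares).
Everything is enumerated exactly over the 16 values of s (and of m).
"""
import math
from collections import Counter

NIBBLES = range(16)


def hw(x):
    return bin(x).count("1")


def entropy(counter):
    """Shannon entropy in bits of a distribution given as value -> count."""
    total = sum(counter.values())
    return -sum(c / total * math.log2(c / total) for c in counter.values() if c)


def observations(s, masked):
    """Constructed noiseless leakage: every O value the device can show for s."""
    if masked:
        return [hw(s ^ m) + hw(m) for m in NIBBLES]   # one O per value of the mask m
    return [hw(s)]


def conditional_entropy(masked, correct_key):
    """H(O | L) for L the attacker's prediction of HW(s).

    correct_key=True: L = HW(s) of the value actually processed, so the
    partition is the physical one.  correct_key=False: the prediction is
    unrelated to the data, so O|L=l is the marginal of O for every l.
    Returns (H(O|L), {l: H(O|L=l)}).
    """
    per_l, prior = {}, {}
    for l in range(5):
        s_values = [s for s in NIBBLES if hw(s) == l]
        prior[l] = len(s_values) / 16                     # 1/16, 4/16, 6/16, 4/16, 1/16
        if correct_key:
            obs = [o for s in s_values for o in observations(s, masked)]
        else:
            obs = [o for s in NIBBLES for o in observations(s, masked)]
        per_l[l] = entropy(Counter(obs))
    return sum(prior[l] * per_l[l] for l in range(5)), per_l


def distinguishing_margin(masked):
    """H(O|L) for the wrong key minus H(O|L) for the correct key (> 0: key recoverable)."""
    return conditional_entropy(masked, False)[0] - conditional_entropy(masked, True)[0]


if __name__ == "__main__":
    for masked in (False, True):
        for correct in (True, False):
            h, per_l = conditional_entropy(masked, correct)
            label = f"{'masked' if masked else 'unprotected'}, {'correct' if correct else 'wrong'} key"
            print(f"{label}: H(O|L) = {h:.2f} bit,", {l: round(v, 2) for l, v in per_l.items()})
        print(f"  margin = {distinguishing_margin(masked):.2f} bit")
```

Masking raises the correct-key conditional entropy from 0 to 1.39 bit, but the wrong-key value is 2.54 bit, so the two hypotheses are still separated once the two shares' leakages are combined; that gap is what the zero-offset and MMIA models of the next slide exploit.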
Models M(S) (classification by [10])
Partition-based:
  If unprotected:
    $M(s) = |s|$: Hamming weight; bus cleared in SW;
    $M(s) = |s \oplus R|$: Hamming weight; bus precharged in SW;
    $M(s) = |s \oplus s_{-1}|$: Hamming distance; typical of HW;
    $M(s) = |s \cdot s_{-1}| + (1-\delta)\,|s \cdot s_{-1}|$: idem, but in near-field EMA.
  If protected:
    $M(s) = s$. WARNING: $2^n$ values!
    Difficult to be more inventive if the countermeasure is sound...
    $M(S) = S_1 + S_2$: zero-offset;
    $M(S) = (S_1, S_2)$: multi-variate MIA (MMIA [2]).
Comparison-based (profiled attacks):
  $M(S) = E(O \mid S)$: templates.
Attacks on DPL
Figure: mutual information (from −0.01 to 0.06) versus sample index (0 to 1200) for AES-WDDL-no-EE and AES-WDDL-EE, over round 9 and round 10 with their precharge and evaluation phases; the sensitive and not sensitive intervals are marked.
Formal practice-oriented framework [11]:
  attack metric;
  leakage metric;
  reduction function.
Counter-Measures are still ad hoc (each countermeasure, then the attack that broke it)
  1 Multiplicative masking of AES (M.-L. Akkar and Ch. Giraud, CHES 2001) → Zero Attack (Jovan Dj. Golic, Christophe Tymen, CHES 2002)
  2 Provably secure S-Box implementation based on FFT (E. Prouff et al., CHES 2006) → Bias of the mask attack (S. Coron, CHES 2008)
  3 MDPL (Th. Popp and S. Mangard, CHES 2005) → Folding attack (P. Schaumont and K. Tiri, CHES 2007), Subset attack (E. De Mulder et al., WIFS 2009)
  4 DRSL (Z. Chen and Y. Zhou, CHES 2006) → Glitch on precharge (M. Nassar, DATE 2009)
Call for Further Research ⇒ Open Issues
Need for formal proofs of security:
  can be at protocol level (work in progress);
  could also be at implementation level (new research area).
Devise countermeasures globally ... taking into account all possible weaknesses:
  observation;
  perturbation;
  manipulation.
[1] Karine Gandolfi, Christophe Mourtel, and Francis Olivier. Electromagnetic Analysis: Concrete Results. In CHES, volume 2162 of LNCS, pages 251–261. Springer, May 14–16 2001. Paris, France.
[2] Benedikt Gierlichs, Lejla Batina, Bart Preneel, and Ingrid Verbauwhede. Revisiting Higher-Order DPA Attacks: Multivariate Mutual Information Analysis. In CT-RSA, volume 5985 of LNCS, pages 221–234. Springer, March 1–5 2010. San Francisco, CA, USA.
[3] Sylvain Guilley, Laurent Sauvage, Jean-Luc Danger, Tarik Graba, and Yves Mathieu. Evaluation of Power-Constant Dual-Rail Logic as a Protection of Cryptographic Applications in FPGAs. In SSIRI, pages 16–23, Yokohama, Japan, July 2008. IEEE Computer Society. DOI: 10.1109/SSIRI.2008.31, http://hal.archives-ouvertes.fr/hal-00259153/en/.
[4] Sylvain Guilley, Laurent Sauvage, Jean-Luc Danger, Nidhal Selmane, and Renaud Pacalet. Silicon-level solutions to counteract passive and active attacks. In FDTC, 5th Workshop on Fault Detection and Tolerance in Cryptography, IEEE-CS, pages 3–17, Washington DC, USA, August 2008. (Up-to-date version on HAL: http://hal.archives-ouvertes.fr/hal-00311431/en/.)
[5] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In Proceedings of CRYPTO’96, volume 1109 of LNCS, pages 104–113. Springer-Verlag, 1996. (http://www.cryptography.com/timingattack/paper.html)
[6] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential Power Analysis. In Proceedings of CRYPTO’99, volume 1666 of LNCS, pages 388–397. Springer-Verlag, 1999.
[7] Elke De Mulder, Pieter Buysschaert, Sıddıka Berna Örs, Peter Delmotte, Bart Preneel, Guy Vandenbosch, and Ingrid Verbauwhede. Electromagnetic Analysis Attack on an FPGA Implementation of an Elliptic Curve Cryptosystem. In IEEE International Conference on Computer as a tool (EUROCON, http://www.eurocon2005.org.yu/EUROCON), pages 1879–1882, November 2005. Belgrade, Serbia & Montenegro.
[8] Laurent Sauvage, Sylvain Guilley, Jean-Luc Danger, Yves Mathieu, and Maxime Nassar. Successful Attack on an FPGA-based Automatically Placed and Routed WDDL+ Crypto Processor. In DATE, track A4 (Secure embedded implementations), April 20–24 2009. Nice, France. Electronic version: http://hal.archives-ouvertes.fr/hal-00325417/en/.
[9] Laurent Sauvage, Sylvain Guilley, and Yves Mathieu. ElectroMagnetic Radiations of FPGAs: High Spatial Resolution Cartography and Attack of a Cryptographic Module. ACM Trans. Reconfigurable Technol. Syst., 2(1):1–24, March 2009. Full text: http://hal.archives-ouvertes.fr/hal-00319164/en/.
[10] François-Xavier Standaert, Benedikt Gierlichs, and Ingrid Verbauwhede. Partition vs. Comparison Side-Channel Distinguishers: An Empirical Evaluation of Statistical Tests for Univariate Side-Channel Attacks against Two Unprotected CMOS Devices. In ICISC, volume 5461 of LNCS, pages 253–267. Springer, December 3–5 2008. Seoul, Korea.
[11] François-Xavier Standaert, Tal Malkin, and Moti Yung. A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks. In EUROCRYPT, volume 5479 of Lecture Notes in Computer Science, pages 443–461. Springer, April 26–30 2009. Cologne, Germany.