differential power analysis dpa with key ranking and
play

Differential Power Analysis (DPA) With Key Ranking and Enumeration - PowerPoint PPT Presentation

Jan 21, 2024 •443 likes •913 views

Differential Power Analysis (DPA) With Key Ranking and Enumeration Martijn Stam COINS Winterschool in Finse, May 2019 The Rise of Side-Channels The Ideal World 2 Modern Cryptology From Katz and Lindells Classic Textbook Three Principles

  1. Differential Power Analysis (DPA) With Key Ranking and Enumeration Martijn Stam COINS Winterschool in Finse, May 2019

  2. The Rise of Side-Channels The Ideal World 2 Modern Cryptology From Katz and Lindell’s Classic Textbook Three Principles 1 Formal Definitions: “giving a clear description of what threats are in scope and what security guarantees are desired” 2 Precise Assumptions: “that are simpler to state, since [they] are easier to study and (potentially) refute” 3 Proofs of Security: “that a construction satisfies a definition under certain specified assumptions”

  3. The Rise of Side-Channels The Ideal World 3 FDH-RSA Cryptosystem Black-box perspective of chosen-message attacks S ← H ( M ) d mod N ( N , d , e ) ← $ Kg M S ❆ N , e M , ˆ ˆ S � � S e mod N = H ( ˆ Adv euf - cma ˆ M ) , ˆ M fresh FDH − RSA ( ❆ ) = Pr

  4. The Rise of Side-Channels The Real World 4 The Rise of Side-Channels Paul Kocher’s Revolution https://www.paulkocher.com/ 1996 Timing Attacks 1999 Simple and Differential Power Analysis (DPA) (w. Joshua Jaffe & Benjamin Jun) 2016 https://www.youtube.com/ watch?v=6lt7ExN6Kw4 Power Analysis Measuring power consumption over time allows (relatively) easy recovery of secret keys

  5. The Rise of Side-Channels The Real World 5 SPA: Simple Power Analysis A Simple Attack Against Unprotected RSA What is SPA SPA exploits data-dependent differences in power consumption of a single operation to recover secret information. S ← H ( m ) d mod N Simple Attack s ← 1 , x ← H ( m ) Assume you can tell multiplications while d > 0 and squarings apart. if d odd then So you observe something like s ← s · x mod N SMSSMSSM x ← x 2 mod N Corresponds to exponent d ← ⌊ d / 2 ⌋ ( 10101 ) 2 = 21

  6. The Rise of Side-Channels The Real World 6 DPA: Differential Power Analysis The workhorse of side-channel attacks What is DPA DPA exploits data-dependent correlation in power consumption over multiple, related operations to recover secret information. Power of DPA Any unprotected implementation will eventually be susceptible. Countermeasures All implementations will need protection against side channels.

  7. The Rise of Side-Channels The Real World 7 Power Analysis Attacks Stefan Mangard, Elisabeth Oswald, and Thomas Popp’s Classic Revealing the Secrets of Smart Cards “first comprehensive treatment of power analysis attacks and countermeasures” Aimed at the practitioner From 2007 ⇒ no modern ideas and theory

  8. Outline 1 How Differential Power Attacks Work Our Setting A Typical Pipeline for Key Recovery Profiled Attack Example Key Enumeration and Ranking 2 Enumeration Ranking Conclusion 3 Want to Learn More?

  9. How Differential Power Attacks Work Our Setting 9 Modern Cryptology Black-box Blockciphers What is a Blockcipher A blockcipher E is family of keyed permutations E : { 0 , 1 } k × { 0 , 1 } n → { 0 , 1 } n where k is the key length and n the block length Blockcipher Usage Use a mode-of-operation like GCM to create an encryption scheme GCM security proof assumes the blockcipher E is a “PRP” So E is treated as a black box What happens if you can see it “work”?

  10. How Differential Power Attacks Work Our Setting 10 Modern Cryptology AES-128 Round function f C ← M × C S 0 4 8 12 1 5 9 13 x x x x 2 6 10 14 x x AK SB SR MC 3 7 11 15 x x w i − 1 x i y i z i w i Design k = 128, n = 128, where 128 = 16 × 8 (16 bytes) 10 rounds of whitened SP network Non-linearity comes from bytewise S-boxes Images: TikZ for Cryptographers, Jérémy Jean, www.iacr.org/authors/tikz/

  11. How Differential Power Attacks Work Our Setting 11 SCALE: A Resource by Dan Page https://github.com/danpage/scale Side-Channel Attack Lab. Exercises Provides a suite of material related to side-channel (and fault) attacks that is low-cost, accessible, relevant, coherent, and effective. SCALE Data Sets 1 Four platforms: an Atmel atmega328p (an AVR) plus three NXP ARM Cortex-M processors 2 Implementation uses an 8-bit datapath and look-up tables for the S-box and xtime operations (but code not known) 3 2 × 1000 traces of AES-128 each (known vs. unknown key) 4 Traces acquired using a Picoscope 2206B, using triggers for alignment

  12. How Differential Power Attacks Work Our Setting 12 Plotting a Trace SCALE’s AES-128 on an Atmel 0.4 0.2 0.0 0.2 0.4 0 20000 40000 60000 80000 100000 120000 A full trace k = 2B7E151628AED2A6ABF7158809CF4F3C Total of 132 , 292 points You can see a pattern repeating roughly 10 times

  13. How Differential Power Attacks Work Our Setting 13 Finding the Rounds Using crosscorrelation 1200 1000 800 600 400 200 0 0 50000 100000 150000 200000 250000 Crosscorrelation of a trace Compares how well shifs of the trace match the original � c i = a j a i + j j Leads to round duration of 12421

  14. How Differential Power Attacks Work Our Setting 13 Finding the Rounds Using crosscorrelation 0.3 0.2 0.1 0.2 0.0 0.1 0.1 0.2 0.0 0.3 0.4 0.1 0.5 0 2000 4000 6000 8000 10000 12000 0 2000 4000 6000 8000 10000 12000 Plotting the Rounds Jointly Left Rounds 1 and 2 superimposed Round 1 is building up power Right Rounds 5 and 6 superimposed Peaks and jittery areas match well

  15. How Differential Power Attacks Work Our Setting 14 Plotting a Trace SCALE’s AES-128 on an Atmel 0.3 0.2 0.1 0.0 0.1 26000 28000 30000 32000 34000 36000 38000 3rd round close up 1 Some peaks, some jitter 2 Hard to really discern much of interest...

  16. How Differential Power Attacks Work Our Setting 15 Signal versus Noise What determines the power consumption? 0.3 0.2 0.1 0.0 0.1 26000 28000 30000 32000 34000 36000 38000 Engineer’s Perspective (MOP, Ch. 4) P total = P op + P data + P el . noise + P const P op d.o. the operation P el . noise electrical noise P data d.o. the data P const constant base

  17. How Differential Power Attacks Work Our Setting 15 Signal versus Noise What determines the power consumption? 0.3 0.2 0.1 0.0 0.1 26000 28000 30000 32000 34000 36000 38000 Engineer’s Perspective (MOP, Ch. 4) P op + P data = P exp + P sw . noise P op d.o. the operation P exp exploitable signal P data d.o. the data P sw . noise switching noise

  18. How Differential Power Attacks Work Our Setting 15 Signal versus Noise What determines the power consumption? 0.3 0.2 0.1 0.0 0.1 26000 28000 30000 32000 34000 36000 38000 Engineer’s Perspective (MOP, Ch. 4) P total = P exp + P sw . noise + P el . noise + P const P exp exploitable signal P el . noise electrical noise P const constant base P sw . noise switching noise

  19. How Differential Power Attacks Work Our Setting 15 Signal versus Noise What determines the power consumption? 0.3 0.2 0.1 0.0 0.1 26000 28000 30000 32000 34000 36000 38000 Theoretician’s Perspective P total = f ( data ) + N ( 0 , σ ) f ( data ) mainly models P exp , function f incorporates P op and P const σ depends on P sw . noise and P el . noise

  20. How Differential Power Attacks Work Our Setting 15 Signal versus Noise What determines the power consumption? 0.3 0.2 0.1 0.0 0.1 26000 28000 30000 32000 34000 36000 38000 Some Caveats 1 Which operations are performed on which registers can be relevant 2 Looking at multiple points might lead to multivariate dependencies 3 Sometimes noise levels ( σ ) are data-dependent 4 The function f and noise level σ are unknown

  21. How Differential Power Attacks Work Our Setting 15 Signal versus Noise What determines the power consumption? 0.008 0.4 0.007 0.006 0.2 0.005 0.0 0.004 0.003 0.2 0.002 0.001 0.4 0.000 0 20000 40000 60000 80000 100000 120000 0 20000 40000 60000 80000 100000 120000 Atmel AES, Based on 1000 traces Assuming no branches in the execution Left Pointwise sample mean: P const + P op Right Pointwise sample variance: P data + P el . noise Both P exp and P sw . noise depend on your target...

  22. How Differential Power Attacks Work Our Setting 16 Signal versus Noise Intermediate values and target selection Round function f C ← M × C 0 4 8 12 S 1 5 9 13 x x x x 2 6 10 14 x x AK SB SR MC 3 7 11 15 x x w i − 1 x i y i z i w i The Locality of Leakage Intermediate value : 0.3 the (few) byte(s) involved in a 0.2 specific operation 0.1 0.0 Locality assumption: 0.1 leakage primarily depends on the 26000 28000 30000 32000 34000 36000 38000 intermediate value operated upon

  23. How Differential Power Attacks Work Our Setting 16 Signal versus Noise Intermediate values and target selection Round function f C ← M × C 0 4 8 12 S 1 5 9 13 x x x x 2 6 10 14 x x AK SB SR MC 3 7 11 15 x x w i − 1 x i y i z i w i The Locality of Leakage Intermediate value : Target intermediate the (few) byte(s) involved in a value captured by specific operation P exp Locality assumption: The “rest” leakage primarily depends on the contributes to intermediate value operated upon P sw . noise

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

February 2008 Differential Expression, Power, Exploratory Analysis Mauro Delorenzi Bioinformatics

February 2008 Differential Expression, Power, Exploratory Analysis Mauro Delorenzi Bioinformatics

February 2008 Differential Expression, Power, Exploratory Analysis Mauro Delorenzi Bioinformatics Core Facility (BCF) NCCR molecular oncology Swiss Institute of Bioinformatics (SIB) <Mauro.Delorenzi@isb-sib.ch> () February 10, 2008 2 /

1.15k views • 77 slides
Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics Fast Software Encryption, March 19-21, 2012 1 / 28 Differential propagation analysis of Keccak Outline

409 views • 36 slides
Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010 May 03-06, 2010, Stellenbosch, South Africa Differential Fault Analysis of HC-128 Outline Fault analysis

374 views • 24 slides
GPU-ENABLED DIFFERENTIAL DEPENDENCY NETWORK ANALYSIS OF LARGE DATASETS Gil Speyer May 9, 2017

GPU-ENABLED DIFFERENTIAL DEPENDENCY NETWORK ANALYSIS OF LARGE DATASETS Gil Speyer May 9, 2017

GPU-ENABLED DIFFERENTIAL DEPENDENCY NETWORK ANALYSIS OF LARGE DATASETS Gil Speyer May 9, 2017 Nvidia GTC S7254 Transcriptomic Data Personome.com Biological Pathways Nature.org Differential expression analysis Class labels C1 C2

414 views • 30 slides
6.1 Power series solutions of DEs (and review) a lesson for MATH F302 Differential Equations Ed

6.1 Power series solutions of DEs (and review) a lesson for MATH F302 Differential Equations Ed

6.1 Power series solutions of DEs (and review) a lesson for MATH F302 Differential Equations Ed Bueler, Dept. of Mathematics and Statistics, UAF March 4, 2019 for textbook: D. Zill, A First Course in Differential Equations with Modeling

306 views • 17 slides
A TOOL FOR RANKING ARGUMENTS THROUGH VOTING-GAMES POWER INDEXES Stefano Bistarelli, Francesco

A TOOL FOR RANKING ARGUMENTS THROUGH VOTING-GAMES POWER INDEXES Stefano Bistarelli, Francesco

A TOOL FOR RANKING ARGUMENTS THROUGH VOTING-GAMES POWER INDEXES Stefano Bistarelli, Francesco Faloci, Francesco Santini and Carlo Taticchi INDEX Argumentation Theory Argumentation Semantics Power Indexes Definitions SV-based

415 views • 22 slides
Ranking of manipulated images in a large set using Error Level Analysis Daan Wagenaar &

Ranking of manipulated images in a large set using Error Level Analysis Daan Wagenaar &

12-02-12 Ranking of manipulated images in a large set using Error Level Analysis Daan Wagenaar & Jeffrey Bosma University of Amsterdam In cooperation with the Netherlands Forensic Institute Ranking of manipulated images in a large set

668 views • 32 slides
Hi-C Differential Analysis: A new method using tree representation based on Contiguity

Hi-C Differential Analysis: A new method using tree representation based on Contiguity

Pratical case and Data State of the art Differential Analysis method based on CCHAC Conclusion Hi-C Differential Analysis: A new method using tree representation based on Contiguity Constrained Hierarchical Agglomerative Clustering (CCHAC)

644 views • 28 slides
Ranking climate change adaptation options through multi-criteria analysis Karianne de Bruin

Ranking climate change adaptation options through multi-criteria analysis Karianne de Bruin

20/01/2014 Ranking climate change adaptation options through multi-criteria analysis Karianne de Bruin Senior Research Fellow CICERO NZCCRI Seminar Series Wednesday 4 th December 2013 Multi criteria analysis Cost benefit analysis

517 views • 19 slides
Confirming Differential Gene Expression in Honeybee flight muscles RNA seq analysis

Confirming Differential Gene Expression in Honeybee flight muscles RNA seq analysis

Confirming Differential Gene Expression in Honeybee flight muscles RNA seq analysis From raw RNAseq data to transcriptome and differential expression analysis. Software for analysis TopHat alignment TopHat alignment in IGV

468 views • 11 slides
Unlocking the Power of Continuity in Single Cell RNA - Seq : Differential Gene Expression Along

Unlocking the Power of Continuity in Single Cell RNA - Seq : Differential Gene Expression Along

Unlocking the Power of Continuity in Single Cell RNA - Seq : Differential Gene Expression Along Developmental Trajectories Hector Roux de Bzieux Talk given at the Statistics Group in Biostatistics and Genomics Seminar on Sandrine Dudoit

549 views • 42 slides
Online Submodular Set Cover, Ranking, and Repeated Active Learning Online Ranking: At each round,

Online Submodular Set Cover, Ranking, and Repeated Active Learning Online Ranking: At each round,

Online Submodular Set Cover, Ranking, and Repeated Active Learning Online Ranking: At each round, the learner produces an ordered list of items, then suffers loss or receives reward. Example: search result ranking Display ranked results Get

162 views • 4 slides
Ranking candidate genes from Ranking candidate genes from perturbation experiments Niko

Ranking candidate genes from Ranking candidate genes from perturbation experiments Niko

Ranking candidate genes from Ranking candidate genes from perturbation experiments Niko Beerenwinkel Gene ranking Goal: Identify (or prioritize) genes that affect readout, i.e., are involved in biological process of interest i l d i bi

433 views • 19 slides
Tutorial: TF-Ranking for sparse features Tutorial: TF-Ranking for sparse features This tutorial

Tutorial: TF-Ranking for sparse features Tutorial: TF-Ranking for sparse features This tutorial

Tutorial: TF-Ranking for sparse features Tutorial: TF-Ranking for sparse features This tutorial is an end-to-end walkthrough of training a TensorFlow Ranking (TF-Ranking) neural network model which incorporates sparse textual features.

257 views • 24 slides
Mobile Data Collection and Analysis with Local Differential Privacy - Part 1 Ninghui Li (Purdue

Mobile Data Collection and Analysis with Local Differential Privacy - Part 1 Ninghui Li (Purdue

Mobile Data Collection and Analysis with Local Differential Privacy - Part 1 Ninghui Li (Purdue University) 1 Outline Motivation of Differential Privacy and Local Differential Privacy (LDP) Frequency Oracles in LDP Tradeoff between

821 views • 53 slides
Easy and Hard Outline Constraint Ranking in OT The Constraint Ranking problem Making fast

Easy and Hard Outline Constraint Ranking in OT The Constraint Ranking problem Making fast

Easy and Hard Outline Constraint Ranking in OT The Constraint Ranking problem Making fast ranking faster Jason Eisner Extension: Considering all competitors U. of Rochester How hard is OT generation? Making slow ranking

288 views • 6 slides
Automatic Search for Linear Trails of the SPECK Family Yuan Yao 1 , 2 Bin Zhang 2 Wenling Wu 2 1

Automatic Search for Linear Trails of the SPECK Family Yuan Yao 1 , 2 Bin Zhang 2 Wenling Wu 2 1

Introduction Linear Cryptanalysis Against SPECK An Implementation of Wallns Algorithm Summary Automatic Search for Linear Trails of the SPECK Family Yuan Yao 1 , 2 Bin Zhang 2 Wenling Wu 2 1 TCA Laboratory, Institute of Software, Chinese

531 views • 41 slides
Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006

Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006

Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006 References Bull & Innovatron Patents 2 Fault I njection Equipment: Laser 3 Bull & Innovatron Patents Fault I njection Equipment: CLI O

423 views • 39 slides
Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

DFT 2013 Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max Dutertre Assia Tria Outline Introduction State-of-the-art of the Round Reduction Analysis Theory of our attacks and the realizations

591 views • 14 slides
Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University

Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University

Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University of Electro-Communications liyang@ice.uec.ac.jp Toshinori Fukunaga, Junko Takahashi NTT Information Sharing Platform Laboratories 19 Aug 2010 CHES

2.17k views • 28 slides
A Cost Benefit Analysis of Faster Transmission System Protection Schemes and Ground Grid Design

A Cost Benefit Analysis of Faster Transmission System Protection Schemes and Ground Grid Design

A Cost Benefit Analysis of Faster Transmission System Protection Schemes and Ground Grid Design Brian Ehsani SEPTEMBER 5 - 7, 2018 Agenda Example System And Clearing Times Ground Grid Design Cost Analysis Additional Conclusions

909 views • 32 slides
Trapping Webster New Collegiate Dictionary: trap vb 1b: to place in a restricted position

Trapping Webster New Collegiate Dictionary: trap vb 1b: to place in a restricted position

Trapping Webster New Collegiate Dictionary: trap vb 1b: to place in a restricted position Petroleum Geology AES/TA 3820 General Considerations Trapping is the mechanism by which migration of oil and gas is stopped such that an accumulation of

550 views • 37 slides
Todays speakers Nicolas Jimenez, President and CEO Kelly Aimers, FCIA, ACAS, Director of

Todays speakers Nicolas Jimenez, President and CEO Kelly Aimers, FCIA, ACAS, Director of

9/4/2018 ICBCs 2018 Basic Insurance Rate Design Application Streamlined Review Process Presentation September 4, 2018 Todays speakers Nicolas Jimenez, President and CEO Kelly Aimers, FCIA, ACAS, Director of Pricing and

392 views • 37 slides
2Q18 Earnings Presentation August 7, 2018 N Y S E : D N R w w w. d e n b u r y. c o m Agenda

2Q18 Earnings Presentation August 7, 2018 N Y S E : D N R w w w. d e n b u r y. c o m Agenda

2Q18 Earnings Presentation August 7, 2018 N Y S E : D N R w w w. d e n b u r y. c o m Agenda Introduction John Mayer, Director of Investor Relations Overview and Operational Update Chris Kendall, President & Chief Executive

364 views • 22 slides

More recommend