dpa bitslicing and masking at 1 ghz
play

DPA, Bitslicing and Masking at 1 GHz Josep Balasch, Benedikt - PowerPoint PPT Presentation

Jul 07, 2023 •248 likes •516 views

DPA, Bitslicing and Masking at 1 GHz Josep Balasch, Benedikt Gierlichs, Oscar Reparaz, and Ingrid Verbauwhede KU Leuven ESAT / COSIC (Belgium) CHES 2015 Saint-Malo, France 16 September 2015 CHES 2015 Motivation (I) Typical targets of side

  1. DPA, Bitslicing and Masking at 1 GHz Josep Balasch, Benedikt Gierlichs, Oscar Reparaz, and Ingrid Verbauwhede KU Leuven ESAT / COSIC (Belgium) CHES 2015 Saint-Malo, France 16 September 2015 CHES 2015

  2. Motivation (I) • Typical targets of side channel related publications Smart card, microcontrollers Cryptographic coprocessors • Good targets for side channel analysis o Not very complex, slow frequencies o Common evaluation platforms J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 2

  3. Motivation (II) • Paradigm shift: cryptography is moving to software in the main processor Mobile phones Internet of Things (IoT) source: http://www.cryptomathic.com source: http://www.engineering.com • Does the research on side channel analysis apply to more complex processors that operate at gigahertz frequency? J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 3

  4. Related work • Timing attacks o Leakage through caches, branches, HPC, etc. • No lookup tables with secret indexes • No branches on secret values • Not easy o NaCl cryptographic software library • Power or Electromagnetic attacks o Mostly SPA/SEMA on RSA or ECC • High clock frequency less important • Critical operations at much slower rate J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 4

  5. Research challenge Can we do DPA/DEMA on block ciphers running on high-end embedded processors? J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 5

  6. Platform • BeagleBone Black single board computer • Hardware: Texas Instruments Sitara SOC • DDR3 memory controller, 3D graphics, HDMI, … • USB, Ethernet • ARM Cortex-A8 processor • Apple Iphone4, Samsung Galaxy S, … • 32-bit processor • 13 stage pipeline • Dynamic branch prediction • L1 and L2 cache • Up to 1 GHz clock frequency • Software: Complete Linux distribution • OS image on embedded MMC • 102 processes incl. X, SSH, Apache2, etc. J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 6

  7. AES software implementation • Bitslicing o Describe algorithm as sequence of Boolean operations o Suitable for hardware: circuit description o But also for software: SIMD instructions Bitsliced representation J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 7

  8. AES software implementation • Bitslicing o Written in C language o Hardware gates  software macros J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 8

  9. Developing an attack • How to measure side channel leakage of ARM core? o Contactless power measurement (EM of decoupling capacitors) • Type of probe, position and orientation are important … while (1) { SLEEP DO_SOMETHING SLEEP } … Magnetic near field probe (30 MHz to 3 GHz) J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 9

  10. Developing an attack • How to keep antenna in good position? J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 10

  11. Developing an attack • Challenges: timing and triggering • Execute bitsliced AES and search for good trigger • Reduced sampling rate AES ? ? J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 11

  12. Developing an attack • More zoom AES J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 12

  13. Developing an attack • More, more zoom AES J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 13

  14. Developing an attack • Practical issues: o Trigger is quite stable, but measurements are desynchronized o Bad measurements  filtered out o Good measurements  aligned o Post-processing is costly! • 7x more time than measurement J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 14

  15. Attack on unprotected implementation • First order CPA, 10.000 measurements • Divide and conquer, attack byte-by-byte as usual • Predictions specific to bitsliced implementation 99% confidence o Hamming weight of 2 bits out of 32 interval for zero J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 15

  16. Research challenge • This attack is surprisingly easy • How can we protect our bitsliced software implementation? J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 16

  17. Masked bitsliced implementation • Apply (hardware) gate-level masking • Substitute 5 macros with secure versions o SXOR, SMOV, SROTL, SNOT: trivial o SAND : secure AND gate by Trichina • Fetch randomness from /dev/urandom J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 17

  18. Attack on protected implementation • First attack with masks equal zero (fetch from /dev/zero) o First order CPA should work • Code is different  traces are different o Find new pattern for alignment o Tune parameters for filtering out traces and alignment J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 18

  19. Attack on protected implementation • Second attack with random masks • What do we expect? o Masking in software is difficult o Processor is complex o This is our first attempt o We write C code • … probably not secure • Collect 2 million measurements, keep 1.2 million • Apply same attack as before J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 19

  20. Attack on protected implementation J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 20

  21. Attack on protected implementation • Result differs for different key bytes and register • Full key extraction possible with 1.2 million traces • Masked implementation is surprisingly resistant  • Second-order analysis • Combine all possible pairs of time samples o Absolute difference o Centered product • Apply same attack as before J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 21

  22. Attack on protected implementation • Attack with centered product combination did not work • Absolute difference combination o If we know already which time samples to combine • Real attack requires more effort J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 22

  23. Conclusion • Side channel analysis of complex & high-performance processor, operating at the gigahertz range, and running a complex OS. • We show that DPA / DEMA attacks can be mounted o Attacks are surprisingly easy o But triggering and alignment are difficult • We show that gate-level masking can be used to protect bitsliced software J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 23

  24. Thanks for your attention! QUESTIONS extended version: https://eprint.iacr.org/2015/727 J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 24

  25. • FFT shows main frequency component at 1 GHz J. Balasch, B. Gierlichs, O. Reparaz, I. Verbauwhede CHES 2015 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

614 views • 48 slides
Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on the spatial attribute type. Proposal part 2 Details of the masking attribute addition. Table 3-13 - S100_GF_SpatialAttributeType Role Name

558 views • 8 slides
Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan) 2017-09-29 1 quick intro to masking masking = countermeasure against DPA idea: secret sharing b = b 1 + b 2 individual shares tell you nothing

752 views • 45 slides
Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas Papagiannopoulos kostaspap88@gmail.com kpcrypto.net Radboud University Nijmegen Digital Security Department The Netherlands 1 Overview Masking,

785 views • 46 slides
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we

Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we

6/8/2017 Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we Quantify Masking Risk? co-founder and shareholder Qview Medical (Los Altos, CA) Nico Karssemeijer consultant, co-founder and

883 views • 18 slides
Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble Alpes in

Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble Alpes in

Understanding the Masking-Shadowing Function in Understanding the Masking-Shadowing Function in Microfacet-Based BRDFs 2014-09-01 Microfacet-Based BRDFs Eric Heitz Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble

808 views • 77 slides
Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth

Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth

Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth Oswald March, 2013 Michael Tunstall (University of Bristol) Masking Tables March, 2013 1 / 21 Introduction Differential Power Analysis exploits

249 views • 21 slides
Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th

Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th

Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th International Conference on Finite Fields and their Applications June 5, 2017 Violetta Weger Weight two Masking in the McEliece system Outline 1

1.31k views • 34 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on Square and Multiply and addition chains Method based on the tower field representation

824 views • 54 slides
Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin, E. Prouff and M. Quisquater FSE 2012 Washington DC, 21st March 2012 Higher-Order Masking Schemes for S-boxes Outline 1 Introduction 2

1.33k views • 98 slides
High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th September 2018 Outline Outline 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th

388 views • 35 slides
Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts Oberthur CHES 2010, Santa Barbara, Aug. 20 th CHES 2010 Provably Secure Higher-Order Masking of AES Outline 1 Introduction Higher-Order

1.1k views • 77 slides
Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso, Franois-Xavier Standaert Radbout University Nijmegen (The Netherlands), UCL (Belgium) EUROCRYPT 2018, Tel Aviv, Israel Motivation (side-channel security

775 views • 52 slides
Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Locky Strike: Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts, FortiGuard Lion Team September 1, 2017 1 Cryptowall 2 This one? 3 Prevalence: Global ransomware Global Ransomware IPS Hits - February

647 views • 49 slides
(ORF-RE) Program Round 9 Information Sessions March/April 2017 Ministry of Research, Innovation

(ORF-RE) Program Round 9 Information Sessions March/April 2017 Ministry of Research, Innovation

Ontario Research Fund Research Excellence (ORF-RE) Program Round 9 Information Sessions March/April 2017 Ministry of Research, Innovation and Science Presenter: Karla Morris, Senior Policy Advisor MRIS Contact:karla.morris@ontario.ca The

473 views • 20 slides
ECO 317 Economics of Uncertainty Lectures: Tu-Th 3.00-4.20, Avinash Dixit Precept: Fri

ECO 317 Economics of Uncertainty Lectures: Tu-Th 3.00-4.20, Avinash Dixit Precept: Fri

ECO 317 Economics of Uncertainty Lectures: Tu-Th 3.00-4.20, Avinash Dixit Precept: Fri 10.00-10.50, Andrei Rachkov All in Fisher Hall B-01 1 ECO 317 Fall 09 No.1 Thu. Sep. 17 RISK MARKETS Intrade: http://www.intrade.com

279 views • 8 slides
of predicate abstraction A. Cimatti, J. Dubrovin, T. Junttila, M. Roveri Fondazione Bruno

of predicate abstraction A. Cimatti, J. Dubrovin, T. Junttila, M. Roveri Fondazione Bruno

Structure-aware computation of predicate abstraction A. Cimatti, J. Dubrovin, T. Junttila, M. Roveri Fondazione Bruno Kessler, Trento, Italy Helsinki Institute of Technology, Finland Predicate abstraction: symbolic view Concrete state as

586 views • 24 slides
2015 Fourth Quarter Update February 3, 2016 Safe Harbor Statement Some of what well discuss

2015 Fourth Quarter Update February 3, 2016 Safe Harbor Statement Some of what well discuss

2015 Fourth Quarter Update February 3, 2016 Safe Harbor Statement Some of what well discuss today concerning future company performance will be forward-looking information within the meanings of the securities laws. Actual results may

452 views • 10 slides
Disclosures I have nothing to disclose Current Status of Organ Donation in Japan Shigeyoshi

Disclosures I have nothing to disclose Current Status of Organ Donation in Japan Shigeyoshi

9/30/2016 Disclosures I have nothing to disclose Current Status of Organ Donation in Japan Shigeyoshi Yamanaga, MD Chief of Renal Transplantation Program Department of Surgery, Japanese Red Cross Kumamoto Hospital Japanese Red Cross

734 views • 8 slides
Great & Growing Need Knowledge and Diabetes rates are much higher and rising more

Great & Growing Need Knowledge and Diabetes rates are much higher and rising more

9/29/2016 Great & Growing Need Knowledge and Diabetes rates are much higher and rising more Spirituality surrounding quickly Organ Donation in the Prevalence of end-stage renal disease is 3.5 times Native American higher compared

572 views • 8 slides
Probabilistic Logics and the Synthesis of Reliable Organisms from Unreliable Components John Z.

Probabilistic Logics and the Synthesis of Reliable Organisms from Unreliable Components John Z.

Probabilistic Logics and the Synthesis of Reliable Organisms from Unreliable Components John Z. Sun Massachusetts Institute of Technology September 21, 2011 Outline Automata Theory Error in Automata Controlling Error Extensions 2 / 19

600 views • 19 slides

More recommend