On the Power of Power Analyses (Sylvain GUILLEY, Laurent SAUVAGE, et al.): PowerPoint PPT Presentation

SLIDE 1

Introduction Attacks Counter-Measures New Applications of DPA Conclusions & Perspectives

On the Power of Power Analyses

Sylvain GUILLEY, Laurent SAUVAGE, Florent FLAMENT, Maxime NASSAR, Nidhal SELMANE, Jean-Luc DANGER, Philippe HOOGVORST, Tarik GRABA, Yves MATHIEU & Renaud PACALET < sylvain.guilley@TELECOM-ParisTech.fr >

Institut TELECOM / TELECOM-ParisTech CNRS – LTCI (UMR 5141)

SECURE

ALI (ENSTA) and SALSA (LIP6/INRIA) seminar Friday March 6th, 2009, 11:00–12:00, LIP6, room 847.

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > On the Power of Power Analyses


SLIDE 2

Presentation Outline

1 Introduction

2 Attacks
- DPA Oracles
- Study of the Power Leakage on ASICs & FPGAs

3 Counter-Measures
- Information Hiding
- Information Masking
- Encrypted Leakage

4 New Applications of DPA
- On-line Test of PCB or ASICs
- SCA for Reverse-Engineering: SCARE

5 Conclusions & Perspectives
- The DPA Contest
- EveSoC: an eavesdropping SoC


SLIDE 3

Trusted Objects Security Market Segmentation

Large markets . . . lo-end devices:
- RFID tags, smart dust
- SIM, Pay-TV, Bank (EMV), national-ID, E-Passport, healthcare, public transportation
- TPM, DRM and other ad hoc digital media usage limitation techniques
- Access control, login, biometry

Small markets . . . hi-end devices:
- VPN, encrypting USB dongles, secured PCs
- Government and military PDA, firewalls, IDS
- State cryptography for embassies and warfare commandment


SLIDE 4

Market Demand versus Available Products

Large markets . . . lo-end devices: Application Specific Integrated Circuits = ASICs.
Small markets . . . hi-end devices: Field Programmable Gate Arrays = FPGAs.

Current trend for more FPGAs:
- Low-power models, e.g. ACTEL Igloo
- Computing-intensive models, e.g. ATMEL AT40K
- Embedded FPGAs are also an envisioned product addressing the “performance” versus “flexibility” trade-off.


SLIDE 5

“Trusted Computing” Context: Side-Channel Attacks

The Problematic: cryptographic algorithms have traditionally been studied to withstand theoretical attacks; however, when these algorithms are implemented on embedded devices such as smartcards, many other specific attacks become possible (like SCA = Side-Channel Attacks).

[Figure: the attacked circuit and its side channels observed over time: TA, EMA, and power (SPA, DPA, CPA, templates . . .).]


SLIDE 6

“Trusted Computing” Context: Fault Attacks

The Problematic: faulty results allow an attacker to gain information about the secrets; the rationale is that the knowledge of both c = AES(k, m) and c* = AES*(k, m) makes it possible to discard some values of k when the error (identified by “*”) occurs preferentially in one of the latest rounds.

Typology of fault errors:
- Non-invasive: power or clock perturbation [10,6]
- Semi-invasive: depackaging required ⇒ laser attacks possible
- Invasive: complete reverse-engineering possible


SLIDE 7

Presentation Outline (repeated from slide 2)


SLIDE 8

Power & Electro-Magnetic Traces Analysis

CMOS gate dissipation model:
- conducted dissipation ⇒ power side-channel
- radiated dissipation ⇒ electro-magnetic side-channel
- no change ⇒ no dissipation; change ⇒ dissipation

Hence the law: dissipation = f(activity).

CMOS circuits dissipation model:

$$\text{Power} = \sum_{i \in \text{nets}} \xi_i^{\uparrow} \cdot \overline{i(t-1)} \cdot i(t) + \xi_i^{\downarrow} \cdot i(t-1) \cdot \overline{i(t)}$$

Referred to as the Hamming Distance model, since $\xi_i^{\uparrow} \approx \xi_i^{\downarrow}$.


SLIDE 9

Sample Encryptions With Hamming Distance Classes [1/3]

[Figure: average trace [mV] versus time (0 to 20000 samples), one curve per Hamming distance class: 24, 28, 32, 36 and 40.]

SLIDE 10

Sample Encryptions With Hamming Distance Classes [2/3]

[Figure: average trace [mV] versus time (0 to 20000 samples), zoomed to the ±8 mV range, one curve per Hamming distance class: 24, 28, 32, 36 and 40.]

SLIDE 11

Sample Encryptions With Hamming Distance Classes [3/3]

[Figure: average trace [mV] versus time, zoomed to samples 14000 to 16500, one curve per Hamming distance class: 24, 28, 32, 36 and 40.]

SLIDE 12

DPAdiff, DPAcov and CPA Oracles

Amongst the many oracles that have been proposed, we focus on three of them, noted:

1 DPAdiff: Differential Power Analysis (difference of means),
2 DPAcov: Differential Power Analysis (covariance) and
3 CPA: Correlation Power Analysis,

defined in equations (1), (2) and (3).

SLIDE 13

DPAdiff

The idea behind the DPAdiff is to exhibit an asymptotic difference between the behaviors. The “difference of means” criterion introduced by Paul Kocher is:

$$\text{DPA}_{\text{diff}} \doteq \frac{1}{m_0} \sum_{i / D_i = 0} T_i - \frac{1}{m_1} \sum_{i / D_i = 1} T_i, \quad (1)$$

where $m_0$ and $m_1$ denote the number of traces for each decision. More specifically, $m_0 \doteq \#\{i \in [0, m[ \,/\, D_i = 0\}$ and, symmetrically, $m_1 \doteq \sum_{i=0}^{m-1} D_i$, with the following complementation property:

$$m_0 + m_1 = m.$$

SLIDE 14

DPAcov

A seemingly different approach consists in computing a covariance between the m traces and their associated decision functions. The DPA covariance estimator is:

$$\text{DPA}_{\text{cov}} \doteq \frac{1}{m} \sum_i T_i \times D_i - \frac{1}{m} \sum_i T_i \times \frac{1}{m} \sum_i D_i. \quad (2)$$

It extracts the contribution of $D_i$: only the net i is selected out of the whole netlist j [5].

SLIDE 15

DPAdiff versus DPAcov

The two definitions of the DPA actually coincide, as far as the decision function is balanced.

Proof. Assuming that $m_0 = m_1 = m/2$,

$$\text{DPA}_{\text{cov}} = \frac{1}{m} \sum_i T_i \times \left( D_i - \frac{1}{2} \right) = \underbrace{\frac{1}{2m} \sum_i T_i \times (-1)^{D_i}}_{\text{Covariance with the character function of } D} = \frac{1}{4}\, \text{DPA}_{\text{diff}}.$$

SLIDE 16

Mono-bit versus Multi-bit DPA

Vectorial Decision Function D: D ∈ {0, 1}^n. Dominant practice: assume bits are indiscernible, hence partition traces according to |D| ∈ [0, n]. Several philosophies:

1 Thomas S. MESSERGES [9]: prune all but |D| = 0 or n, and continue à la mono-bit
2 Éric BRIER [2]: weight the partitions with |D|
3 Thanh-Ha LE [8,7]: weight the partitions with (−1, −2, 0, +2, +1)

[Figure: number of traces needed to break the partial key of a DES S-Box (500 to 2500 traces, S-Boxes 1 to 8), mono-bit weighting (−1, +1) versus 4-bit weighting (−2, −1, 0, +1, +2).]

SLIDE 17

CPA

By definition [2], CPA is a normalization of the DPA. It is defined as a correlation coefficient, estimated by:

$$\text{CPA} \doteq \frac{\text{DPA}_{\text{cov}}}{\sigma_T \cdot \sigma_D} \in [-1, +1], \quad (3)$$

where $\sigma_X$ is the standard deviation of the random variable X, for which an unbiased empirical estimator is

$$\sqrt{\frac{1}{m-1} \sum_{i=0}^{m-1} \left( X_i - \frac{1}{m} \sum_{j=0}^{m-1} X_j \right)^2}.$$
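As an added example (not the slides' own code), the following Python draws traces from the Hamming-distance dissipation model of slide 8 and scores them with DPAdiff, DPAcov and CPA as defined in (1), (2) and (3), checking on the way the slide-15 identity between the two DPAs. The register width, the mono-bit decision function, the trace count and the noise level are constructed assumptions.

```python
"""Added example, not the slides' own code: traces drawn from the
Hamming-distance dissipation model (xi_up == xi_down) are scored with the
three oracles DPAdiff (1), DPAcov (2) and CPA (3); with a balanced decision
function DPAcov and DPAdiff/4 coincide up to sign (slide 15)."""
import random
from statistics import mean, stdev


def hamming_distance(a, b):
    """Number of nets toggling when a register goes from value a to b."""
    return bin(a ^ b).count("1")


def simulate_traces(m, n_bits=8, xi=1.0, noise=0.5, seed=1):
    """Constructed sample: one trace point per encryption, equal to xi per
    toggled bit plus Gaussian noise. Bit 0 is forced to toggle on exactly
    every other trace so that the mono-bit decision function below is
    balanced (m0 == m1), the hypothesis of the slide-15 proof."""
    rng = random.Random(seed)
    traces, prev, cur = [], [], []
    for i in range(m):
        r0 = rng.getrandbits(n_bits)
        r1 = (rng.getrandbits(n_bits) & ~1) | ((r0 ^ i) & 1)
        traces.append(xi * hamming_distance(r0, r1) + rng.gauss(0.0, noise))
        prev.append(r0)
        cur.append(r1)
    return traces, prev, cur


def decision_bit0(prev, cur):
    """Mono-bit decision: D_i = 1 iff bit 0 of the register toggled."""
    return [(a ^ b) & 1 for a, b in zip(prev, cur)]


def dpa_diff(T, D):
    """Eq. (1): mean of the D = 0 class minus mean of the D = 1 class."""
    class0 = [t for t, d in zip(T, D) if d == 0]
    class1 = [t for t, d in zip(T, D) if d == 1]
    return mean(class0) - mean(class1)


def dpa_cov(T, D):
    """Eq. (2): (1/m) sum T_i D_i - (1/m) sum T_i * (1/m) sum D_i."""
    m = len(T)
    return sum(t * d for t, d in zip(T, D)) / m - (sum(T) / m) * (sum(D) / m)


def cpa(T, D):
    """Eq. (3): DPAcov normalised by the unbiased standard deviations."""
    return dpa_cov(T, D) / (stdev(T) * stdev(D))


def run(m=2000):
    """Score the correct decision function and an unrelated one, as a
    mis-keyed hypothesis would be; the latter should correlate with nothing."""
    T, prev, cur = simulate_traces(m)
    good = decision_bit0(prev, cur)
    rng = random.Random(99)
    wrong = [rng.getrandbits(1) for _ in range(m)]
    return {
        "diff": dpa_diff(T, good),
        "cov": dpa_cov(T, good),
        "cpa_correct": cpa(T, good),
        "cpa_wrong": cpa(T, wrong),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name:12s} {value:+.4f}")
```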

SLIDE 18

DPAcov versus CPA (1/2)

DPAcov after 1k traces:
[Figure: DPA differential trace, difference of potential [mV] versus time [clock cycles], averaging over 1k traces; the correct peaks are visible together with a noisy peak (@ clock 38).]

CPA after 1k traces:
[Figure: CPA differential trace, correlation factor [−100%:+100%] versus time [clock cycles], estimation over 1k traces; the correct peaks are visible.]

SLIDE 19

DPAcov versus CPA (2/2)

DPAcov after 10k traces:
[Figure: DPA differential trace, difference of potential [mV] versus time [clock cycles], averaging over 10k traces; the correct peaks remain and the noisy peak (@ clock 38) has vanished.]

CPA after 10k traces:
[Figure: CPA differential trace, correlation factor [−100%:+100%] versus time [clock cycles], estimation over 10k traces; the correct peaks are visible.]

SLIDE 20

Comparison between SecMat v{1,3}[ASIC] & SecMat v3[FPGA] in terms of power leakage

1 SecMat v1[ASIC]:
- Dedicated power supply for the DES module
- No clock tree (non-fatal bug)

2 SecMat v3[ASIC]:
- Shared power supply between all modules
- Clock tree OK

3 SecMat v3[FPGA]:
- SecMat v3[ASIC] VHDL code synthesized in an Altera Stratix EPS1S25
- Global power supply
- 10,157 logic elements and 286,720 RAM bits for the whole SoC
- DES alone is 1,125 logic elements (LuT4)

NEW! The power traces acquired from those three circuits are available for download from http://www.dpacontest.org/.

SLIDE 21

SecMat v1[ASIC] – covariance with |LR[0] ⊕ LR[1]|

[Figure: average power trace and covariance result (same scale as the average power trace), voltage [mV] versus time [clock periods], followed by the covariance result zoomed.]

SecMat v1[ASIC]: typical trace: 92 mV; typical DPA: 3.0 mV ⇒ side-channel leakage: 3.3 %.

SLIDE 22

SecMat v3[ASIC] – covariance with |LR[0] ⊕ LR[1]|

[Figure: average power trace and covariance result (same scale as the average power trace), voltage [mV] versus time [clock periods], followed by the covariance result zoomed.]

SecMat v3[ASIC]: typical trace: 38 mV; typical DPA: 0.6 mV ⇒ side-channel leakage: 1.5 %.

SLIDE 23

SecMat v3[FPGA] – covariance with |LR[0] ⊕ LR[1]|

[Figure: average power trace and covariance result (same scale as the average power trace), voltage [mV] versus time [clock periods], followed by the covariance result zoomed.]

SecMat v3[FPGA]: typical trace: 19 mV; typical DPA: 0.19 mV ⇒ side-channel leakage: 1.0 %.
Cross-check: 64/(2,125 × 1 + (10,157 − 2,125) × 0.5) ≈ 1 % ⇒ OK.

SLIDE 24

Presentation Outline (repeated from slide 2)


SLIDE 25

Vulnerabilities in Unprotected Cryptographic Implementations

SCA Roots: 0 → 0 and 1 → 1 transitions do not consume energy, whereas 0 → 1 and 1 → 0 transitions do consume energy. Combined with statistical tools (covariance, correlation, etc.), this enables devastating side-channel attacks (SCAs).

Types of Counter-Measures: make the energy dissipation . . .

1 . . . constant: possible at the gate-level.
2 . . . random: many flaws at 2+ orders.
3 . . . encrypted: adaptation of a masking scheme.


SLIDE 26

Power-Constant Algorithms: WDDL [11]

SCA Roots: as recalled on slide 25.

WDDL Counter-Measure against SCAs:
- Each data is represented as a couple (True, False),
- Every computation starts with a pre-(dis)-charge to (0, 0),
- This way, every evaluation yields a constant dissipation: (0, 0) → {(0, 1), (1, 0)}* is a constant dissipation process.


SLIDE 27

Secure Triple-Track Logic [1] (Optimized for FPGAs)

Example of the AND STTL gate

[Figure: STTL AND gate schematic with clock C, input rails A1, A0, AV and B1, B0, BV, signal V, and output rails Y1, Y0, YV.]

Mapping in LuT4s. Example of the first block: Y1 ≐ A1 · B1 · V + Y1 · (A1 · B1 + V).


SLIDE 28

Placement and Routing of Altera WDDL+ Netlists [4]

Fine-grain pairwise placement:
- Placement in LAB is dumped at X, Y & N levels.
- Reordering of cells within the LAB to have pairwise couples adjacent (N and N+1).

[Figure: two LABs, (X, Y) and (X+1, Y), with cells N=0 to N=9, annotated with the delays 0.646 ns, 0.671 ns, 0.653 ns and 0.658 ns.]


SLIDE 29

DES eight substitution boxes

SLIDE 30

Early Evaluation in WDDL Illustrated

WDDL example and vulnerability:

[Figure: a WDDL netlist with inputs A, B, C, D and output Y, split into a ‘True’ half (gates |1, |2) and a ‘False’ half (gates &1, &2), with the instant power [µW] versus time [ps] and the waveforms of A1, B1, C1, D1, Y1, A0, B0, C0, D0, Y0.]

SDF Simulation on Altera [3] ⇒ DES sbox #3:

[Figure: bin count [%] versus delay [ns] for wire_c3b6_true and wire_3c49_false: the 64 evaluation dates.]

SLIDE 31

SecMat v1[ASIC] — Simulation of WDDL with 1 ns Early Evaluation

[Figure: SecMat v1[ASIC] (@ 20 Gsample/s): Early, Late and Early−Late voltage [mV] traces, plotted against time in clock periods (8, 16) and zoomed against time in nanoseconds (1 to 12).]

SLIDE 32

SecMat v3[ASIC] — Simulation of WDDL with 1 ns Early Evaluation

[Figure: SecMat v3[ASIC] (@ 5 Gsample/s): Early, Late and Early−Late voltage [mV] traces, plotted against time in clock periods (8, 16, 24) and zoomed against time in nanoseconds (1 to 12).]

SLIDE 33

SecMat v3[FPGA] — Simulation of WDDL with 1 ns Early Evaluation

[Figure: SecMat v3[FPGA] (@ 10 Gsample/s): Early, Late and Early−Late voltage [mV] traces, plotted against time in clock periods (8, 16, 24, 32) and zoomed against time in nanoseconds (1 to 12).]

SLIDE 34

Masking the Registers Against First-Order DPA

Rationale (state-of-the-art): Let x be a sensitive variable, that discloses a secret if leaked. Let’s protect x by splitting it into two shares (x ⊕ m, m). Thus the arithmetic sum A = |x ⊕ m| + |m| is leaked instead of the compromising |x| (if the leak is linear).

Now, the averaged value of A for a uniformly distributed mask m ∈ {0, 1}^n is:

$$\bar{A} \doteq \frac{1}{2^n} \sum_{m=0}^{2^n-1} A = \frac{1}{2^n} \sum_{m=0}^{2^n-1} \left( |x \oplus m| + |m| \right) = \frac{1}{2^n} \sum_{m} \left( |m| + |m| \right) = 2 \times n/2 = n,$$

which is independent of x.


SLIDE 35

Second-Order DPA Flow of Binary Masking

Statistics of A: the second-order statistics of A depend on x. There are n + 1 possible distributions, depending on the value of |x|:

[Figure: histograms of A for |Delta(x)| = 0, 1, 2, 3 and 4.]

An attack, qualified as “zero-offset”, is able to exploit this data-dependent variance (2nd order dispersion).
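As an added example (not from the slides), the following Python enumerates A = |x ⊕ m| + |m| over all masks to check the x-independent mean of slide 34 and to tabulate the |x|-dependent variance behind the n + 1 distributions of slide 35; it also states the closed form var(A) = n − |x|, which goes beyond the slides' figure. The share width n is a constructed parameter.

```python
"""Added example, not the slides' own code: statistics of the masked
activity A = |x xor m| + |m| over a uniform n-bit mask m. The mean is n for
every x (first-order DPA sees nothing); the variance is n - |x|, which is
the data-dependent second-order dispersion a zero-offset attack exploits."""


def hw(v):
    """Hamming weight |v|."""
    return bin(v).count("1")


def masked_activities(x, n):
    """All 2^n values taken by A = |x xor m| + |m| as the n-bit mask m varies."""
    return [hw(x ^ m) + hw(m) for m in range(1 << n)]


def mean_and_variance(values):
    mu = sum(values) / len(values)
    return mu, sum((v - mu) ** 2 for v in values) / len(values)


def statistics_by_hw(n):
    """The n+1 distributions of slide 35, summarised as {|x|: (mean, var)}.
    Every x of the same weight must yield the same pair; this is checked."""
    out = {}
    for x in range(1 << n):
        stats = mean_and_variance(masked_activities(x, n))
        w = hw(x)
        if w in out and out[w] != stats:
            raise ValueError(f"distribution of A depends on more than |x| at x={x}")
        out[w] = stats
    return out


def closed_form(n, w):
    """Bits of x equal to 1 contribute m_i + (1 - m_i) = 1 to A whatever the
    mask; bits equal to 0 contribute 2 m_i. Hence A = w + 2 B with
    B ~ Binomial(n - w, 1/2): mean w + (n - w) = n, variance 4 (n - w)/4."""
    return float(n), float(n - w)


if __name__ == "__main__":
    for w, (mu, var) in sorted(statistics_by_hw(4).items()):
        print(f"|x| = {w}: mean(A) = {mu}, var(A) = {var}")
```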


SLIDE 36

Three Solutions to Reduce or Cancel the 2nd- and Higher-Order Biases

Claim   Activity Leaked
#0      A = |x ⊕ m| + |m|
#1      A = |x ⊕ m| + |B(m)|
#2      A = |x ⊕ m| + |m1| + |m2|, with m = m1 θ m2
#3      A = |x ⊕ m| + |m1| + |m2|, with |m2| constant

Patent pending.


SLIDE 37

Rationale

[Figure: masked DES in an FPGA computing y = DES(x, kc): masked DFFs keyed by ki, an encrypted bitstream keyed by kb, and the side-channel (EMA, power) observed from outside.]

Three keys:
1 kc: cryptographic
2 ki: implementation
3 kb: bitstream

Patent pending.


SLIDE 38

Realization: Re-using a Security Paradigm

Theorem: Constant masking ⇒ leakage encrypted by Vernam (if the registers are targeted with a first-order attack).

Unconditional Security:
- Use of a constant secret mask ki (protected by the bitstream key kb).
- It happens that the leakage is exactly kc ⊕ ki.
- Knowing kc ⊕ ki discloses 0 bit of information on kc (Vernam).


SLIDE 39

How to Have the Leakages Encrypted [1/2]

[Figure: masked DES datapath, Message to Ciphertext through IP and FP: left and right masked data (Li, Ri), left and right masks (MLi, MRi) derived from ki, and the Feistel function f with E, S, S’, P, the round key kc, the mask m, the masked input xm and the masked S-box output S(x) ⊕ m′.]

SLIDE 40

How to Have the Leakages Encrypted [2/2]

[Figure: the same masked DES datapath with the mask path (MLi, MRi, ki, m, m′, S’) drawn apart from the data path (Li, Ri, IP, FP, E, S, P, kc, xm) within the Feistel function f.]

SLIDE 41

Presentation Outline (repeated from slide 2)


SLIDE 42

(no text on this slide)

SLIDE 43

[Figure: power (mV) versus time (ns), one curve per number of transitions, from 0 to 8 transitions.]

SLIDE 44

[Figure: on-line test setup: RAMP and PRNG blocks ([1:7]), a Fault Generator inside the FPGA, data_out[7:0], and a sensor.]

SLIDE 45

[Figure: signatures comparison of the rump_out_7 bit on two sane implementations (rump_out_7 reference versus rump_out_7 sane) against the noise level; power [µV] versus time [ns].]

SLIDE 46

[Figure: signatures comparison of the rng_out_2 bit between the implementation with rump bit0 stuck and the reference implementation, against the noise level; power [µV] versus time [ns].]

SLIDE 47

Sequential SCARE

Sequential SCARE consists in solving:

$$\arg\max_S \sum_x (-1)^{S_0(x) \oplus S(x)}.$$

Under this form, it appears clearly that DPA is a particular case of SCARE, where the possible S-boxes to retrieve can be written $S = \tau_k \circ S_0$. The space to explore for finding a maximum is of size $|k| = 2^n$ in the case of the DPA, to be contrasted with $|S| = 2^{2^n}$ two-input Boolean functions.

[Figure: SCARE result traces (gnuplot columns 9 and 11 of secmatv1_2006_04_0809_hamming_dist_scare_WAVE_1.csv1bit_output_inversed), amplitude up to 0.0002 versus time from 0 to 20000.]

The correct function is 9 (see peaks at dates 5 228, 5 739 and 6 360), and the best concurrent function a (see peak at date 5 132).
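As an added example (not the slides' code), this Python applies the SCARE criterion above in its noiseless form, where the sign (−1)^{S0(x)} is read from a constructed 3-input truth table instead of being estimated from traces, and contrasts the DPA candidate set S = τ_k ∘ S0 with the full space of single-output Boolean functions. S0, N and k_true are constructed assumptions.

```python
"""Added example, not from the slides: the SCARE criterion
argmax_S sum_x (-1)^(S0(x) xor S(x)) on a constructed 3-input, 1-output S0,
comparing the DPA special case (2^n translated candidates) with the full
SCARE space of 2^(2^n) truth tables."""
from itertools import product

N = 3                                   # input width, constructed toy size
S0 = (0, 0, 0, 1, 0, 1, 1, 1)           # constructed reference: majority(x)


def score(s_ref, s_cand):
    """sum_x (-1)^(s_ref(x) xor s_cand(x)) = 2^n - 2 * (#disagreements);
    it reaches 2^n exactly when the two truth tables coincide."""
    return sum(1 if a == b else -1 for a, b in zip(s_ref, s_cand))


def translate(s, k):
    """tau_k o S0: truth table of x -> S0(x xor k), i.e. a key addition
    in front of a known S-box (the DPA situation)."""
    return tuple(s[x ^ k] for x in range(len(s)))


def dpa_candidates(s0):
    """DPA explores |k| = 2^n translations of the known S0."""
    return {k: translate(s0, k) for k in range(1 << N)}


def scare_candidates():
    """SCARE explores |S| = 2^(2^n) truth tables (256 for n = 3)."""
    return {s: s for s in product((0, 1), repeat=1 << N)}


def best(cands, s_obs):
    """argmax of the criterion over a {label: truth table} dictionary."""
    return max(cands, key=lambda label: score(s_obs, cands[label]))


def demo(k_true=5):
    """Constructed device: it implements S0 behind an unknown key k_true.
    Returns (recovered key, recovered table, |k|, |S|)."""
    s_obs = translate(S0, k_true)
    dpa, scare = dpa_candidates(S0), scare_candidates()
    return best(dpa, s_obs), best(scare, s_obs), len(dpa), len(scare)


if __name__ == "__main__":
    k, s, nk, ns = demo()
    print(f"DPA: key {k} among {nk} candidates; SCARE: {s} among {ns}")
```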


SLIDE 48

Presentation Outline (repeated from slide 2)


SLIDE 49

Secure-IC: Innovation is at the Core of the Strategy

Secure-IC products http://www.Secure-IC.com/

1 High performance cryptographic IPs robust against side-channel attacks (SCA) and faults injection (FI) for FPGAs or ASICs.
2 Generic CAD tools for SCA resistant circuits.
3 Evaluation of electronic circuit’s robustness against SCA and FI.
4 Development of custom applications or circuits to secure embedded systems.
5 Embedded systems securization consulting.


SLIDE 50

The DPA Contest: http://www.DPAcontest.org/

[Figure: DPA Contest progress from Aug 12th 2008 to Sep 1st 2009: number of traces to break DES (500 to 2500) and SVN revision of the submission (20 to 160), marking the best attack at each date.]


SLIDE 51

A “System-on-Chip” Suitable for CryptoCore in SASEBO

CryptoCore (Cryptographic Hardware Project, Computer Structures Laboratory, Tohoku University, Japan).

SecMat: a fully-fledged System-on-Chip enabling seamless CryptoCore programming in SASEBO (green/blue): portable VHDL; programmable in C; distributed in GPL under the brand name EveSoC. SASEBO (Side-channel Attack Standard Evaluation Board).


SLIDE 52

References

[1] Evaluation on FPGA of Triple Rail Logic Robustness against DPA and DEMA. In DATE, track A4 (Secure embedded implementations), April 20–24 2009. Nice, France.
[2] Éric Brier, Christophe Clavier, and Francis Olivier. Correlation Power Analysis with a Leakage Model. Proc. of CHES’04, 3156:16–29, August 11–13 2004. ISSN: 0302-9743; ISBN: 3-540-22666-4; DOI: 10.1007/b99451; Cambridge, MA, USA.
[3] Sylvain Guilley, Sumanta Chaudhuri, Laurent Sauvage, Tarik Graba, Jean-Luc Danger, Philippe Hoogvorst, Vinh-Nga Vong, and Maxime Nassar. Shall we trust WDDL? In Future of Trust in Computing, volume 2, Berlin, Germany, June 2008.
[4] Sylvain Guilley, Sumanta Chaudhuri, Laurent Sauvage, Tarik Graba, Jean-Luc Danger, Philippe Hoogvorst, Vinh-Nga Vong, and Maxime Nassar. Place-and-Route Impact on the Security of DPL Designs in FPGAs. In HOST, pages 29–35. IEEE Computer Society, 2008. June 9, Anaheim, USA. ISBN 978-1-4244-2401-6.
[5] Sylvain Guilley, Philippe Hoogvorst, Renaud Pacalet, and Johannes Schmidt. Improving Side-Channel Attacks by Exploiting Substitution Boxes Properties. In BFCA (http://www.liafa.jussieu.fr/bfca/), pages 1–25, 2007. May 02–04, Paris, France.
[6] Farouk Khelil, Mohamed Hamdi, Sylvain Guilley, Jean-Luc Danger, and Nidhal Selmane. Fault Attack on AES FPGA Encryption Platform. In NTMS, pages 1–5, Tangier, Morocco, November 2008.
[7] Thanh-Ha Le, Cécile Canovas, and Jessy Clédière. An overview of side channel analysis attacks. In ASIACCS, pages 33–43, 2008.
[8] Thanh-Ha Le, Jessy Clédière, Cécile Canovas, Bruno Robisson, Christine Servière, and Jean-Louis Lacoume. A Proposition for Correlation Power Analysis Enhancement. In CHES, volume 4249 of LNCS, pages 174–186. Springer, 2006. Yokohama, Japan.
[9] Thomas S. Messerges, Ezzy A. Dabbish, and Robert H. Sloan. Investigations of Power Analysis Attacks on Smartcards. In USENIX Smartcard’99, pages 151–162, May 10–11 1999. Chicago, Illinois, USA (Online PDF).
[10] Nidhal Selmane, Sylvain Guilley, and Jean-Luc Danger. Setup Time Violation Attacks on AES. In EDCC, The seventh European Dependable Computing Conference, pages 91–96, Kaunas, Lithuania, May 2008. ISBN: 978-0-7695-3138-0, DOI: 10.1109/EDCC-7.2008.11.
[11] K. Tiri and I. Verbauwhede. A Logic Level Design Methodology for a Secure DPA Resistant ASIC or FPGA Implementation. In DATE’04, pages 246–251, February 2004. Paris, France.