side channel analysis countermeasures
play

Side Channel Analysis & Countermeasures Begl Bilgin 27 Dec. - PowerPoint PPT Presentation

Sep 14, 2022 •268 likes •1.45k views

Side Channel Analysis & Countermeasures Begl Bilgin 27 Dec. 2014 - IAM Alumni Meeting Adversary Models 2 Adversary Models 2 Adversary Models Black-box Gray-box White-box 3 Adversary Models Black-box Gray-box White-box Key

  1. Differential Power Analysis key 1 =00 pt S(pt 1 ⊕ key 1 )&1 1234… 1 abcd… 0 8aef… 0 0354... 1 7791… 1 c80d… 0 7e9e... 1 11 [courtesy: B.Gierlichs]

  2. Differential Power Analysis key 1 =00 pt S(pt 1 ⊕ key 1 )&1 1234… 1 abcd… 0 8aef… 0 0354... 1 7791… 1 c80d… 0 7e9e... 1 11 [courtesy: B.Gierlichs]

  3. Differential Power Analysis key 1 =00 pt S(pt 1 ⊕ key 1 )&1 1234… 1 abcd… 0 8aef… 0 0354... 1 7791… 1 c80d… 0 7e9e... 1 Take means 11 [courtesy: B.Gierlichs]

  4. Differential Power Analysis key 1 =00 pt S(pt 1 ⊕ key 1 )&1 1234… 1 abcd… 0 8aef… 0 0354... 1 7791… 1 c80d… 0 7e9e... 1 Take means Take difference 11 [courtesy: B.Gierlichs]

  5. Differential Power Analysis pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... 12 [courtesy: B.Gierlichs]

  6. Differential Power Analysis key 1 =2b pt S(pt 1 ⊕ key 1 )&1 1234… 0 abcd… 1 8aef… 0 0354... 0 7791… 0 c80d… 1 7e9e... 1 12 [courtesy: B.Gierlichs]

  7. Differential Power Analysis key 1 =2b pt S(pt 1 ⊕ key 1 )&1 1234… 0 abcd… 1 8aef… 0 0354... 0 7791… 0 c80d… 1 7e9e... 1 12 [courtesy: B.Gierlichs]

  8. Differential Power Analysis key 1 =2b pt S(pt 1 ⊕ key 1 )&1 1234… 0 abcd… 1 8aef… 0 0354... 0 7791… 0 c80d… 1 7e9e... 1 Take means 12 [courtesy: B.Gierlichs]

  9. Differential Power Analysis key 1 =2b pt S(pt 1 ⊕ key 1 )&1 1234… 0 abcd… 1 8aef… 0 0354... 0 7791… 0 c80d… 1 7e9e... 1 Take means Take difference 12 [courtesy: B.Gierlichs]

  10. Differential Power Analysis key 1 =2b pt S(pt 1 ⊕ key 1 )&1 1234… 0 abcd… 1 8aef… 0 0354... 0 7791… 0 c80d… 1 7e9e... 1 Take means Take difference 12 [courtesy: B.Gierlichs]

  11. Differential Power Analysis key 1 =2b pt S(pt 1 ⊕ key 1 )&1 1234… 0 abcd… 1 s n a e M f 8aef… 0 o e c n e r e f f i 0354... 0 D 7791… 0 c80d… 1 7e9e... 1 Take means Take difference 12 [courtesy: B.Gierlichs]

  12. Differential Power Analysis Correlation Power Analysis pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... 13

  13. Differential Power Analysis Correlation Power Analysis key 1 =00 pt S(pt 1 ⊕ key 1 ) 1234… 82 abcd… 62 8aef… 7e 0354... 7b 7791… f6 c80d… e8 7e9e... f3 13

  14. Differential Power Analysis Correlation Power Analysis key 1 =00 pt S(pt 1 ⊕ key 1 ) 1234… 82 abcd… 62 8aef… 7e 0354... 7b 7791… f6 c80d… e8 7e9e... f3 Corr. 13

  15. Differential Power Analysis Correlation Power Analysis key 1 =00 pt S(pt 1 ⊕ key 1 ) 1234… 82 abcd… 62 8aef… 7e 0354... 7b 7791… f6 c80d… e8 7e9e... f3 Corr. 13

  16. Differential Power Analysis Correlation Power Analysis key 1 =00 pt S(pt 1 ⊕ key 1 ) 1234… 82 abcd… 62 8aef… 7e 0354... 7b 7791… f6 c80d… e8 7e9e... f3 Corr. 13

  17. Differential Power Analysis Correlation Power Analysis key 1 =00 pt S(pt 1 ⊕ key 1 ) 1234… 82 abcd… 62 8aef… 7e 0354... 7b 7791… f6 c80d… e8 7e9e... f3 13

  18. Differential Power Analysis Correlation Power Analysis key 1 =00 key 1 =2b pt S(pt 1 ⊕ key 1 ) S(pt 1 ⊕ key 1 ) 1234… 82 12 abcd… 62 cd 8aef… 7e 32 0354... 7b 34 7791… f6 4a c80d… e8 11 7e9e... f3 fc 13

  19. Differential Power Analysis Correlation Power Analysis key 1 =00 key 1 =2b pt S(pt 1 ⊕ key 1 ) S(pt 1 ⊕ key 1 ) 1234… HW(82) HW(12) abcd… HW(62) HW(cd) 8aef… HW(7e) HW(32) 0354... HW(7b) HW(34) 7791… HW(f6) HW(4a) c80d… HW(e8) HW(11) 7e9e... HW(f3) HW(fc) 13

  20. Differential Power Analysis Correlation Power Analysis key 1 =00 key 1 =2b pt S(pt 1 ⊕ key 1 ) S(pt 1 ⊕ key 1 ) 1234… HW(82) HW(12) abcd… HW(62) HW(cd) 8aef… HW(7e) HW(32) 0354... HW(7b) HW(34) 7791… HW(f6) HW(4a) c80d… HW(e8) HW(11) 7e9e... HW(f3) HW(fc) Better leakage model → better attack 13

  21. Differential Power Analysis (Notes & Assumptions) 14

  22. Differential Power Analysis (Notes & Assumptions) • Knowledge about the algorithm 14

  23. Differential Power Analysis (Notes & Assumptions) • Knowledge about the algorithm • Timing of the intermediate value computation 14

  24. Differential Power Analysis (Notes & Assumptions) • Knowledge about the algorithm • Timing of the intermediate value computation • Perfectly aligned traces 14

  25. Differential Power Analysis (Notes & Assumptions) • Knowledge about the algorithm • Timing of the intermediate value computation • Perfectly aligned traces • No countermeasures 14

  26. Differential Power Analysis (Notes & Assumptions) • Knowledge about the algorithm • Timing of the intermediate value computation • Perfectly aligned traces • No countermeasures • # of traces increase with noise 14

  27. Countermeasures Against DPA 15

  28. Countermeasures 16

  29. Countermeasures • Limit number of encryptions per key 16

  30. Countermeasures • Limit number of encryptions per key - Distribution of key is difficult 16

  31. Countermeasures • Limit number of encryptions per key - Distribution of key is difficult - Leakage resilient algorithms 16

  32. Countermeasures • Limit number of encryptions per key - Distribution of key is difficult - Leakage resilient algorithms - Performance drop 16

  33. Countermeasures • Limit number of encryptions per key - Distribution of key is difficult - Leakage resilient algorithms - Performance drop • Decrease Signal-to-Noise Ratio (SNR) 16

  34. Countermeasures • Limit number of encryptions per key - Distribution of key is difficult - Leakage resilient algorithms - Performance drop • Decrease Signal-to-Noise Ratio (SNR) - Decreasing signal (~constant power imp., special cells) 16

  35. Countermeasures • Limit number of encryptions per key - Distribution of key is difficult - Leakage resilient algorithms - Performance drop • Decrease Signal-to-Noise Ratio (SNR) - Decreasing signal (~constant power imp., special cells) - Increasing noise (dummy operations, shuffling) 16

  36. Countermeasures • Limit number of encryptions per key - Distribution of key is difficult - Leakage resilient algorithms - Performance drop • Decrease Signal-to-Noise Ratio (SNR) - Decreasing signal (~constant power imp., special cells) - Increasing noise (dummy operations, shuffling) • Breaking the correlation 16

  37. Countermeasures • Limit number of encryptions per key - Distribution of key is difficult - Leakage resilient algorithms - Performance drop • Decrease Signal-to-Noise Ratio (SNR) - Decreasing signal (~constant power imp., special cells) - Increasing noise (dummy operations, shuffling) • Breaking the correlation - Masking 16

  38. Boolean Masking S (x ,y ,z , ... ) (a ,b ,c , ... ) 17

  39. Boolean Masking 18

  40. Boolean Masking (x 1 ,y 1 ,z 1 , ... ) 18

  41. Boolean Masking (x 1 ,y 1 ,z 1 , ... ) ⊕ (x 2 ,y 2 ,z 2 , ... ) = (x, y, z , ... ) 18

  42. Boolean Masking S 1 (x 1 ,y 1 ,z 1 , ... ) (a 1 ,b 1 ,c 1 , ... ) ⊕ ⊕ S 2 (x 2 ,y 2 ,z 2 , ... ) (a 2 ,b 2 ,c 2 , ... ) = (x, y, z , ... ) 18

  43. Boolean Masking S 1 (x 1 ,y 1 ,z 1 , ... ) (a 1 ,b 1 ,c 1 , ... ) ⊕ ⊕ S 2 (x 2 ,y 2 ,z 2 , ... ) (a 2 ,b 2 ,c 2 , ... ) = = (x, y, z , ... ) (a, b, c , ... ) 18

  44. Boolean Masking S 1 (x 1 ,y 1 ,z 1 , ... ) (a 1 ,b 1 ,c 1 , ... ) ⊕ ⊕ S 2 (x 2 ,y 2 ,z 2 , ... ) (a 2 ,b 2 ,c 2 , ... ) = = (x, y, z , ... ) (a, b, c , ... ) Random input/output shares ➡ Random intermediate values 18

  45. Boolean Masking S 1 (x 1 ,y 1 ,z 1 , ... ) (a 1 ,b 1 ,c 1 , ... ) ⊕ ⊕ S 2 (x 2 ,y 2 ,z 2 , ... ) (a 2 ,b 2 ,c 2 , ... ) = = (x, y, z , ... ) (a, b, c , ... ) Random input/output shares ➡ Random intermediate values unshared shares mean var 0,0=0 0 0 1,5 1,5 1,5 1,5 1,1=3 0,1=1 1 1 1,5 1,5 0.5 0.5 1,0=2 18

  46. Boolean Masking S 1 (x 1 ,y 1 ,z 1 , ... ) (a 1 ,b 1 ,c 1 , ... ) ⊕ ⊕ S 2 (x 2 ,y 2 ,z 2 , ... ) (a 2 ,b 2 ,c 2 , ... ) = = (x, y, z , ... ) (a, b, c , ... ) Random input/output shares ➡ Random intermediate values unshared shares mean var 0,0=0 0 0 1,5 1,5 1,5 1,5 1,1=3 0,1=1 1 1 1,5 1,5 0.5 0.5 1,0=2 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference Mangard et. al, "Power Analysis Attacks, Revealing the Secrets of Smart Cards", Springer, 2009 Power analysis attacks are effective because the

479 views • 19 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat DC

Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat DC

Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat DC February 21, 2008 Black Hat USA 2007 Agenda Advances in Embedded Systems Security From USB stick to game console Current

673 views • 42 slides
Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Plaintext: A Missing Feature for Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of side-channel countermeasures Anh-Tuan Hoang, Neil Hanley and Mire ONeill CHES 2020 14-18 September 2020 Outline

620 views • 21 slides
Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat

Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat

Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat Europe 2008 Black Hat Europe 2008 Agenda Advances in Embedded Systems Security From USB stick to game console Current attacks

653 views • 42 slides
Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet nadia.el-mrabet@emse.fr Mines St Etienne WRACH2019, April 17, 2019 Side channel attacks Physical counter measures Algorithmic counter measures Arithmetical

900 views • 36 slides
Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations

Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations

Introduction Countermeasures Dissection Information Extraction Attack Results Closed Source Evaluation Conclusion Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations Olivier Bronchain Fran

2.22k views • 189 slides
Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures

Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures

Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures Dahmun Goudarzi, Matthieu Rivain, Srinivas Vivek, and Damien Vergnaud Background 2 Secure Software S-box Implementations Higher-Order

636 views • 25 slides
HOST SCA Countermeasures II ECE 525 Introduction We propose a technique called Side-channel

HOST SCA Countermeasures II ECE 525 Introduction We propose a technique called Side-channel

HOST SCA Countermeasures II ECE 525 Introduction We propose a technique called Side-channel Power Resistance for Encryption Algo- rithms using Dynamic Partial Reconfiguration or SPREAD As a countermeasure to DPA, CPA and other types of

689 views • 10 slides
Towards the Automatic Applications of Side Channel Countermeasures Francesco Regazzoni Francesco

Towards the Automatic Applications of Side Channel Countermeasures Francesco Regazzoni Francesco

Towards the Automatic Applications of Side Channel Countermeasures Francesco Regazzoni Francesco Regazzoni 23 October 2015, Chia, Italy P. 1 Contents 1 Motivations 2 DPA Resistant Synthesis 3 DPA Resistant Place and Route 4 DPA

1.01k views • 55 slides
Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic constant-time Gilles Barthe Benjamin Grgoire Vincent Laporte CSF18, 2018-07-12 Vincent Laporte et alii Provably secure compilation of

501 views • 25 slides
Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA

Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA

Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA August 2, 2007 Black Hat USA 2007 Agenda Advances in Embedded Systems Security From USB stick to game console Current attacks

533 views • 41 slides
Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com

Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com

Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com Outline Motivation & general mechanisms Side-channel countermeasures Fault countermeasures Conclusions 2 Design and Security of

549 views • 40 slides
Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

2.22k views • 188 slides
Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with Stjepan Picek, Sylvain Guilley, Alan Jovic, Shivam Bhasin, Tania Richmond, Karlo Knezevic In this talk Short recap on side-channel analysis

4.52k views • 56 slides
OXIDE: THE ESSENCE OF RUST Aaron J. Weiss Northeastern University Rusts rich type system

OXIDE: THE ESSENCE OF RUST Aaron J. Weiss Northeastern University Rusts rich type system

OXIDE: THE ESSENCE OF RUST Aaron J. Weiss Northeastern University Rusts rich type system and ownership model guarantee memory-safety and thread-safety enabling you to eliminate many classes of bugs at compile-time. the

1.27k views • 89 slides
456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between

456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between

In this module we would review a typical gate first, poly-Si gate CMOS process flow. 456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between individual devices in a CMSO chip. Typical process details and the

381 views • 8 slides
Current Capabilities of Material Test Reactors (MTRs) Frances Marshall, Danas Ridikas

Current Capabilities of Material Test Reactors (MTRs) Frances Marshall, Danas Ridikas

Current Capabilities of Material Test Reactors (MTRs) Frances Marshall, Danas Ridikas (F.Marshall@iaea.org) Research Reactor Section International Atomic Energy Agency November 2017 Outline Research Reactor Types Research Reactor

666 views • 32 slides
Overcoming Communication 1 0.5 Problems in the Anticoagulation Service at CHFT By Harry Crank

Overcoming Communication 1 0.5 Problems in the Anticoagulation Service at CHFT By Harry Crank

Overcoming Communication 1 0.5 Problems in the Anticoagulation Service at CHFT By Harry Crank Administrator 3 5 Brief overview of our Service 4600+ patients 2 x BMS (1 full-time & 1 part-time), 1 x Specialist Nurse, 1 x

630 views • 22 slides
SRF R&D status Fumio Furuta CLASSE, Cornell University May 30, 2014 Outline Muon

SRF R&D status Fumio Furuta CLASSE, Cornell University May 30, 2014 Outline Muon

SRF R&D status Fumio Furuta CLASSE, Cornell University May 30, 2014 Outline Muon activities at Cornell Nb-Cu clad cavity 500MHz Nb/Cu cavity at Cornell Next R&D items Summary F. Furuta, May 30 2014 MAP 2014

450 views • 23 slides
Coefficients in Binary Systems Binar Mass Diffsivities in Gases* Table J.l System T,K D ABP,

Coefficients in Binary Systems Binar Mass Diffsivities in Gases* Table J.l System T,K D ABP,

D'aprs Welty et al. 2001 Appendix J Mass- Transfer Diffusion Coefficients in Binary Systems Binar Mass Diffsivities in Gases* Table J.l System T,K D ABP, cm2 atms D ABP, m2 Pals Ai Amonia 273 0.198 2.006 Anline 298 0.0726 0.735

453 views • 8 slides
Implemen'ng Differen'al Privacy & Side-channel a8acks CompSci

Implemen'ng Differen'al Privacy & Side-channel a8acks CompSci

Implemen'ng Differen'al Privacy & Side-channel a8acks CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 17 : 590.03 Fall 13 1 Outline

482 views • 45 slides
Channel University of Toulouse Institut de Recherche en Informatique de Toulouse Razvan Stanica,

Channel University of Toulouse Institut de Recherche en Informatique de Toulouse Razvan Stanica,

Enhancements of IEEE 802.11p Protocol for Access Control on a VANET Control Channel University of Toulouse Institut de Recherche en Informatique de Toulouse Razvan Stanica, Emmanuel Chaput, Andr-Luc Beylot IEEE International Conference on

360 views • 25 slides

More recommend