Side-channel based Collision Attacks, Theory to Practice

SLIDE 1

Side-channel based Collision Attacks, Theory to Practice

3. December 2010

Amir Moradi

Embedded Security Group, Ruhr University Bochum, Germany

SLIDE 2

Embedded Security Group

Outline

  • Classical side‐channel attacks
  • What is a side‐channel based collision attack?
  • Implementation platforms and problems
  • A newly introduced side‐channel based correlation collision attack
  • Some hints when implementing

WAC 2010 | Singapore | 3. December 2010

SLIDE 3

Classical Side‐Channel Attacks

  • Collecting the side‐channel leakage

– Using an oscilloscope for power analysis attacks and an electromagnetic probe for electromagnetic analysis attacks

– Using a timer for timing attacks

SLIDE 4

Classical Side‐Channel Attacks

  • Define the hypothetical power model

– In differential power analysis
– In correlation power analysis

  • Define the distinguisher

– In mutual information analysis

  • Examine the relation between the (hypothetical) model and the real measurements using statistical tools

– difference of means
– correlation coefficient
– entropy

SLIDE 5

What is a Side‐Channel Based Collision Attack?

  • Avoids any model to predict the power consumption

– Independent of the leakage type

  • Examines the similarity of the measurements for different processed values

– When a collision is found, a relation between parts of the secret is revealed

SLIDE 6

Side‐Channel Based Collision Attack [example 1]

  • Implementation platform: a micro‐controller
  • Target algorithm: the AES encryption
  • Strategy of the attack: looking at the similar power consumption traces for different Sbox outputs
  • Sbox(P1+K1) = Sbox(P2+K2) => P1+K1 = P2+K2 => K1+K2 = C

SLIDE 7

Side‐Channel Based Collision Attack [example 1]

  • Presence of countermeasures

– Masking: wait till a collision may occur on both masks and Sbox outputs; depends strongly on the masking order
– Shuffling: extending the search area to consider all clock cycles may lead to false positive results
– Masking and Shuffling: efficiency of the attack is drastically reduced!

SLIDE 8

Side‐Channel Based Collision Attack [example 2]

  • Implementation platform: an FPGA/ASIC
  • Target algorithm: the AES encryption
  • Strategy of the attack: cannot be decided without knowing the architecture

SLIDE 9

An Overview of the Architecture

[figure: block diagram of the architecture]

SLIDE 10

How do the power traces look like?

  • 8‐bit architecture
  • 32‐bit architecture

[figure: example power traces for both architectures]

SLIDE 11

Side‐Channel Based Collision Attack [example 2]

  • Implementation platform: an FPGA/ASIC
  • Target algorithm: the AES encryption
  • Strategy of the attack:

– 8‐bit architecture: roughly the same as the μC case
– 32‐bit architecture: not easy because of the low probability of collision

  • The attack does not work efficiently

– Switching noise is added in comparison to the μC
– Power consumption depends also on the last processed values

  • Worse situation in the presence of countermeasures

SLIDE 12

What can we do?

[Usually a DPA/CPA using HD/HW model works + MIA]

  • Before developing an attack

– First, averaging based on plaintext bytes (32‐bit arch.)

    • 256 mean traces for each plaintext byte
    • Variance over mean traces (each plaintext byte separately)

SLIDE 13

Designing an Attack

  • Supposing we know a key byte, we get mean traces for the corresponding Sbox input byte
  • For another plaintext byte (unknown key), we get mean traces
  • How are these mean traces related to each other?

SLIDE 14

Designing an Attack

  • The mean traces for the unknown key bytes can be generated for each key byte hypothesis
  • The correct key byte can be found by comparing the mean traces at each time instance

– Correlation helps here!

  • Correlation of two sets of mean traces based on the key hypothesis (is almost 1 for the right key, due to equal power consumption)

SLIDE 15

Extending the Attack

  • If the first key byte (for the first mean traces) is not known, what we recover is the linear difference between two key bytes: k1+k2, because of AddRoundKey of AES

– The same attack shown on the μC, but using all possible collisions!
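The recipe of slides 12 to 15 (256 mean traces per plaintext byte position, then correlation of two sets of mean traces under a hypothesis for the linear key difference) and the collision relation of slide 6 are worked through below in a self-contained simulation. This is an added illustration for evaluating how much a shared S-box instance leaks; it is not code from the talk or from the Embedded Security Group. Everything about the traces is an assumption of the illustration: one S-box instance processes the 16 AddRoundKey output bytes in 16 consecutive cycles, one sample per cycle, and each sample is an arbitrary unknown characteristic `f` of the S-box output plus Gaussian noise. The AES S-box is computed from its definition, the secret key is the FIPS-197 example key (constructed input), and the function names are this example's own.

```python
"""Simulated correlation-enhanced collision attack on a shared AES S-box instance.

Added illustration (not the slides' own code). A toy leakage model stands in for
oscilloscope traces; the analysis side follows the slides: mean traces per
plaintext byte value, then correlation under a key-difference hypothesis.
"""
import random


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _gf_inv(a):
    """Multiplicative inverse in GF(2^8) via a^254; 0 maps to 0 as in AES."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = _gf_mul(r, base)
        base = _gf_mul(base, base)
        e >>= 1
    return r if a else 0


def _sbox_entry(x):
    """AES S-box entry: field inverse followed by the affine transform."""
    inv = _gf_inv(x)
    s = inv
    for i in range(1, 5):  # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63


SBOX = [_sbox_entry(x) for x in range(256)]

# Constructed secret key (the FIPS-197 example key), used only to generate traces.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def simulate_traces(n_traces, key=KEY, sigma=0.5, seed=1):
    """Toy traces: sample j of a trace is f(Sbox(p[j] ^ key[j])) + noise, where f is
    an arbitrary per-instance characteristic (assumption). The attack never uses f,
    which is the model-independence the slides stress."""
    rng = random.Random(seed)
    f = [rng.random() for _ in range(256)]
    plaintexts, traces = [], []
    for _ in range(n_traces):
        p = bytes(rng.randrange(256) for _ in range(16))
        t = [f[SBOX[p[j] ^ key[j]]] + rng.gauss(0.0, sigma) for j in range(16)]
        plaintexts.append(p)
        traces.append(t)
    return plaintexts, traces


def mean_traces(plaintexts, traces, j):
    """256 mean values for byte position j, one per plaintext byte value
    (the 'averaging based on plaintext bytes' step of slide 12)."""
    acc, cnt = [0.0] * 256, [0] * 256
    for p, t in zip(plaintexts, traces):
        acc[p[j]] += t[j]
        cnt[p[j]] += 1
    return [acc[v] / cnt[v] if cnt[v] else 0.0 for v in range(256)]


def pearson(xs, ys):
    """Pearson correlation coefficient of two equally long sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0


def recover_key_difference(m_i, m_j):
    """Return (delta, rho) maximising corr(m_i[v], m_j[v ^ delta]) over v.
    m_i[v] ~ f(S(v ^ k_i)) and m_j[v ^ delta] ~ f(S(v ^ delta ^ k_j)) agree for every
    v exactly when delta = k_i ^ k_j, so only the right hypothesis correlates ~1."""
    best, best_rho = 0, -2.0
    for delta in range(256):
        rho = pearson(m_i, [m_j[v ^ delta] for v in range(256)])
        if rho > best_rho:
            best, best_rho = delta, rho
    return best, best_rho


def collision_attack(plaintexts, traces):
    """Recover the 15 linear relations k_0 ^ k_j (j = 1..15). The absolute key is
    then one of 2^8 candidates, the count slide 17 gives for the 8-bit case."""
    m0 = mean_traces(plaintexts, traces, 0)
    return [recover_key_difference(m0, mean_traces(plaintexts, traces, j))[0]
            for j in range(1, 16)]


if __name__ == "__main__":
    pts, trs = simulate_traces(20000)
    deltas = collision_attack(pts, trs)
    truth = [KEY[0] ^ KEY[j] for j in range(1, 16)]
    print("recovered differences:", [hex(d) for d in deltas])
    print("all 15 relations correct:", deltas == truth)
```

Replacing `f` by a Hamming-weight or any other table leaves the result unchanged, which is the point of slide 5: no power model is predicted, only the equality of leakage for equal S-box inputs is exploited. An evaluator can reuse the same loop on real mean traces (vectors over time instead of scalars) by taking the maximum of the correlation over the time instances of the S-box cycle.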

SLIDE 16

Why does it work?

  • There are four instances of the S‐box in the 32‐bit arch.

– The power consumption characteristics of the same instance of the S‐box are used in the mean traces
– The power consumption of an instance of the S‐box is compared to itself in different clock cycles

  • What happens for a larger architecture?

– The same netlist for the S‐boxes, even the same placement and routing, but process variations still exist

  • Small differences in the power consumption characteristics of different instances of the S‐box

– The same instances of the S‐box should be compared

SLIDE 17

The gain of the attack

  • Relation between key bytes

– 8‐bit arch. → 15 relations, 2^8 candidates for the 128‐bit key
– 32‐bit arch. → 12 relations, 2^32 candidates for the 128‐bit key

  • How to get the correct key?

– A pair of plain‐/ciphertext
– Continue the attack on the second round of the AES for each key candidate

SLIDE 18

How about Shuffling?

  • Shuffling is done on the order of Sbox runs
  • Using combing [what’s combing?]

SLIDE 19

How about Masking?

  • Looking into the literature
  • Smallest masked AES S‐box by Canright and Batina
  • 1st order leakage is obvious because of glitches

SLIDE 20

Results when masking is implemented

[figure: attack results on the masked implementation]

SLIDE 21

Masking combined with Shuffling?

  • Using combing

SLIDE 22

First Hints

  • The attack works when an instance of the Sbox is shared for a computation of a round
  • Try to avoid Sbox [hardware] sharing

– going through round‐based implementation

    • 128‐bit architectures
    • even unrolled architectures

SLIDE 23

Results on 128‐bit arch. [unmasked]

  • Not achieved for all key bytes

– because of the difference between the netlists of different instances of the Sbox

SLIDE 24

How about unrolled implementations?

  • two rounds per clock cycle
  • three rounds per clock cycle

SLIDE 25

Second Hints

  • The attack still works on some key bytes even on unrolled implementations
  • To avoid such an attack it is recommended to use different netlists for different instances of the Sbox

– the result will avoid similarity of the power consumption of different instances of the Sbox

  • The world still is not enough

– at the end of the day, a statistical tool, e.g., MIA, will recover the secret!

SLIDE 26

Thanks! Any questions?

Thanks to my colleagues: Oliver Mischke, Thomas Eisenbarth

Embedded Security Group, Ruhr University Bochum, Germany