
EMSEC

Higher Order and Algebraic Side-Channel Attacks on Protected AES Implementations

Carina Böttcher

Master’s Thesis. September 22, 2013.

Chair for Embedded Security – Prof. Dr.-Ing. Christof Paar

Advisor: Dipl.-Ing. David Oswald


Abstract

Side-channel attacks have become an important topic of cryptographic research. Besides the well-known Differential Power Analysis (DPA) attacks, other approaches have been introduced, for example template attacks and algebraic side-channel attacks. All of these attacks exploit side-channel information in different ways. To protect implementations against this kind of analysis, numerous countermeasures have been proposed, which however can be attacked in turn. Not all attacks are feasible in the real world, because many of them require substantial computational power and expensive hardware.

In this thesis, two types of side-channel attacks are considered, namely algebraic side-channel attacks and second-order DPA attacks. First, a detailed introduction to the theoretical background of the different attacks is given. Cipher-specific details are explained using the example of AES, since it is one of the most widely used block ciphers. The implementation of the different attacks is described based on source code snippets. Additionally, two AES implementations are protected, one with a Boolean masking scheme and one with a combination of the masking scheme and shuffling. The implemented attacks are then used to analyse the countermeasures under real-world assumptions.

As a result of this thesis, the Boolean masking scheme is successfully attacked with a second-order DPA attack. Furthermore, it is shown that the computational effort required to attack the combination of Boolean masking and shuffling is too high for the computational power that was available in this thesis. Both implementations are also attacked using the algebraic side-channel attack. While the unprotected implementation can be broken in less than one minute, the Boolean masking scheme could not be broken in a reasonable time. All performed experiments are then analysed and compared with regard to their cost.

As the AES implementation protected by the combination of Boolean masking and shuffling could not be broken with any of the presented attacks, we finally conclude that it provides a suitable level of protection against side-channel attacks under the given conditions.


Declaration

I hereby declare that this submission is my own work and that, to the best of my knowledge and belief, it contains no material previously published or written by another person nor material which to a substantial extent has been accepted for the award of any other degree or diploma of the university or other institute of higher learning, except where due acknowledgment has been made in the text.

Declaration (German version)

I hereby declare that I have written the present thesis independently and have used no sources or aids other than those indicated, that all passages of the thesis taken verbatim or in substance from other sources have been marked as such, and that the thesis has not been submitted in the same or a similar form to any examination authority.

Carina Böttcher


Contents

1 Introduction (p. 1)
  1.1 Related Work (p. 1)
  1.2 Contribution (p. 2)
  1.3 Organisation of this Thesis (p. 2)
2 Advanced Encryption Standard (p. 3)
  2.1 Structure (p. 3)
  2.2 Key Schedule (p. 3)
  2.3 Suitability as Attack Target (p. 5)
3 Side-Channel Analysis (p. 7)
  3.1 Overview (p. 7)
  3.2 Power Analysis (p. 7)
    3.2.1 Differential Power Analysis (p. 7)
    3.2.2 First Order DPA (p. 8)
    3.2.3 Higher Order Differential Power Analysis (p. 9)
  3.3 Algebraic Side-Channel Attacks (p. 10)
    3.3.1 Offline Phase Step 1 (p. 10)
    3.3.2 Online Phase (p. 11)
    3.3.3 Offline Phase Step 2 (p. 12)
    3.3.4 Adaptation for Attacking a Protected Implementation (p. 12)
  3.4 Template Attacks (p. 12)
    3.4.1 Building Phase (p. 13)
    3.4.2 Matching Phase (p. 13)
  3.5 Physical Measurement Setup (p. 13)
  3.6 Countermeasures (p. 13)
    3.6.1 Masking (p. 14)
    3.6.2 Shuffling (p. 16)
4 Tools (p. 17)
  4.1 Target Platform (p. 17)
  4.2 Oscilloscope (p. 18)
  4.3 CycurDPA Workstation (p. 19)
  4.4 CryptoMiniSat - SAT Solver (p. 21)
5 Implementation (p. 23)
  5.1 Countermeasures (p. 23)
    5.1.1 Boolean Masking (p. 23)
    5.1.2 Shuffling (p. 24)
  5.2 HO-DPA Attack (p. 26)
    5.2.1 Preprocessing Step (p. 26)
    5.2.2 Analysis (p. 29)
  5.3 Algebraic Side-Channel Attack Plug-In (p. 31)
    5.3.1 Software Design (p. 31)
    5.3.2 GUI Design (p. 32)
    5.3.3 Implementation Details (p. 33)
    5.3.4 State Diagram (p. 42)
6 Security Analysis (p. 45)
  6.1 Measurement Setup (p. 45)
  6.2 Reference Experiment (p. 45)
  6.3 DPA Attacks on Protected AES Implementations (p. 47)
    6.3.1 Boolean Masking - First Order DPA (p. 47)
    6.3.2 Boolean Masking - Second Order DPA (p. 49)
    6.3.3 Boolean Masking with Shuffling - Second Order DPA (p. 50)
  6.4 ASCA Attacks (p. 51)
    6.4.1 Templates (p. 52)
    6.4.2 Unprotected AES (p. 52)
    6.4.3 Protected AES (p. 55)
7 Results (p. 59)
  7.1 Comparison (p. 59)
  7.2 Evaluation (p. 62)
8 Conclusion (p. 65)
  8.1 Summary (p. 65)
  8.2 Future Work (p. 65)
A Acronyms (p. 67)
B Hamming Weights of AES Round 1 - 3 (p. 69)
List of Figures (p. 71)
List of Tables (p. 73)
List of Listings (p. 75)
Bibliography (p. 77)


1 Introduction

After side-channel attacks were introduced in the late 90s by Kocher et al. [K+99], they have become a serious threat to embedded devices, and they have since become a major topic of cryptographic research. Side-channel attacks reveal completely different weaknesses in ciphers than mathematical attacks do. Even if the mathematical structure of a cipher is secure, weak points can be caused by its hardware or software implementation. These weaknesses can be exploited by analysing side channels like the power consumption or the electromagnetic radiation of a cryptographic device. Another approach, Algebraic Side-Channel Analysis (ASCA), builds on the algebraic attacks proposed in 2002 and combines the mathematical description of the cipher with physical leakage information. ASCA represents the cipher as a system of equations and adds the side-channel information to it. Although the system grows in size, the additional side-channel information makes it solvable in reasonable time, in contrast to the cipher's equations alone.

Since embedded devices often fulfil security- and safety-critical tasks, such attacks are a dangerous threat and need to be prevented. For that purpose, secure and verified countermeasures are necessary. Numerous researchers have proposed countermeasures, but in some cases corresponding attacks which overcome those protection mechanisms were presented after a short time. Not all of these attacks are feasible, and when protecting an implementation against real-world attacks, one has to trade off the cost of the countermeasures against the probability of a successful attack. Another point to be considered is the available computational power, which increases steadily and makes even more complex attacks possible, for example higher-order DPA attacks.

In this thesis, two types of side-channel attacks are studied in detail, namely ASCA and second-order DPA attacks. These attacks are used to analyse protected Advanced Encryption Standard (AES) implementations under real-world assumptions in order to evaluate the resulting improvement in security.

1.1 Related Work

Several research areas are relevant for this thesis. The idea of algebraic attacks in general was proposed in 2002 and then adapted to ASCA in [RS09]. The main achievement of ASCA was to exploit side-channel information in order to solve the system of equations which represents the cipher efficiently. In [RSVC09], Renauld et al. adapted ASCA to the AES and were able to successfully attack the cipher. This thesis partially uses the methods of that paper. [RSVC09] was improved by Mohamed et al. in [MSEMSBMZ+]. Both papers simulated the attack by calculating the Hamming weights (HW) of the intermediate values from the known key instead of extracting them from side-channel information. This was done in order to avoid the use of incorrect values. Additionally, template attacks are utilised to extract the HW of intermediate values. There are several papers dealing with template attacks; the attack implemented in this thesis is based on [MOP07].

The first proposal for power analysis was made in the late 90s by Kocher et al. in [K+99]. After a short time, the first countermeasures were proposed to protect implementations against DPA attacks. The implementation of the countermeasures and of the second-order DPA attack in this thesis are based on [MOP07], [JPS05], and [EPMRRB09]. In order to combine the traces, as a preprocessing step for the second-order DPA attack, we implemented the absolute-difference combining function which was presented in [Mes00].

1.2 Contribution

This thesis describes the implementation of two different side-channel attacks, a second-order DPA and an ASCA attack. Additionally, an AES implementation is protected using the Boolean masking countermeasure, which is also extended with shuffling. The protected AES implementations are attacked under real-world assumptions in order to evaluate the level of protection and the success rate of the tested attacks.

1.3 Organisation of this Thesis

This thesis is organised as follows. At first, an introduction to the theoretical background of side-channel analysis is given, which helps to understand the analysed attacks and countermeasures. In Chapter 2, the AES is briefly described as the target block cipher of this thesis. After that, side-channel attacks in general are explained in Chapter 3, followed by a detailed description of power analysis attacks, especially first- and second-order DPA attacks. Next, the second attack, ASCA, is introduced in detail. It is shown how block ciphers are translated into a system of low-degree Boolean equations, which is in turn translated into a Boolean satisfiability (SAT) problem. Additionally, template attacks are presented, as they are used to extract the side-channel information which is added to the equation system. The last part of Chapter 3 deals with the general measurement setup used to acquire and analyse the power consumption traces, and introduces the relevant countermeasures. After the theoretical background, Chapter 4 describes the tools and software used in this thesis: the target platform and the measurement equipment, a DPA workstation environment, and the SAT solver. Chapter 5 deals with the implementation of the presented countermeasures and side-channel attacks. The different steps of designing the software are explained in detail, and source-code snippets are used to clarify the functionality.

Next, the implemented countermeasures are analysed using the different attacks in Chapter 6, in order to evaluate the level of protection and the power of the attacks presented previously. The steps and results are summarised, compared, and evaluated in Chapter 7. Finally, Chapter 8 concludes this thesis and gives an outlook on future work.


2 Advanced Encryption Standard

This chapter gives the theoretical background on the cipher analysed in this thesis. As the AES is the algorithm which is analysed and attacked throughout this thesis, an overview of its structure is given; the AES is described in detail in [FIP]. The AES is a symmetric encryption algorithm and was selected as a standard by the National Institute of Standards and Technology (NIST) in October 2000 [N+00]. Today, the AES is the most commonly used symmetric block cipher.

2.1 Structure

AES is a Substitution-Permutation Network (SPN) with several rounds. The number of rounds depends on the key size, which is 128 bits (10 rounds), 192 bits (12 rounds), or 256 bits (14 rounds). This thesis focuses on the 128-bit version with 10 rounds. AES operates on 128-bit data blocks, called the state. Usually, the state is arranged as a 4 × 4 byte matrix, and during each round it is subject to four operations:

1. SubBytes is a non-linear substitution of each byte of the state using a substitution table called S-box,

2. ShiftRows is a cyclic shift operation which operates on each row of the state separately,

3. MixColumns is a linear mixing function which operates on each column of the state. It is skipped in the last round because it does not add any cryptographic strength at this point,

4. AddRoundKey calculates a bit-wise Exclusive OR (XOR) of the state and a round key which is generated by the key schedule of Section 2.2.

Independent of the number of rounds, there is a pre-round, which is sometimes referred to as key whitening [PP10]. This pre-round calculates a bitwise XOR of the first round key (which in fact is the secret key itself) and the plaintext. A high-level view of AES is shown in Figure 2.1.

2.2 Key Schedule

AES uses a key expansion in order to derive the subkeys used for the AddRoundKey operation. For AES-128, ten round keys are needed in addition to the key for the AddRoundKey operation in the pre-round. This first subkey equals the secret key and does not have to be computed. All subkeys are stored in 32-bit words W[i], where i = 0, ..., 43. The key schedule for 128-bit keys is presented in Figure 2.2. The computation of the first (most significant) word of each subkey involves the non-linear function g(), whereas the remaining words are calculated by a bitwise XOR of two previous words. The function g() consists of three steps. First, the input bytes are rotated left by one position and then substituted with the help of the Substitution Box (S-box). The most significant byte is then XORed with a round constant, which is given as $RC[i] = 2^{i-1}$ in the Galois field $GF(2^8)$.

Figure 2.1: Structure of the AES-128

Figure 2.2: Key schedule for the AES-128


2.3 Suitability as Attack Target

In 1949, Claude Shannon identified confusion as an important goal for encryption systems [Sha49]. It increases the complexity of the relationship between the key and the ciphertext. A common way to achieve confusion is substitution, as is the case in AES, which uses a substitution table in the SubBytes operation. This S-box was designed to be resistant to linear and differential cryptanalysis and consists of 256 fixed 8-bit values.

Although AES is a cryptographically strong algorithm, specific implementations can be attacked by side-channel attacks. This is caused by the fact that the intermediate values depend on both the secret key and the input, which makes the influence of the key detectable. Other block ciphers, for example the Data Encryption Standard (DES), can be attacked in the same way as the AES, but because the AES is today the most commonly used symmetric block cipher, it was selected as the target of this thesis.


3 Side-Channel Analysis

This chapter explains side-channel attacks in general and DPA attacks in particular. With regard to power analysis, the main focus is on first-order DPA, Higher Order Differential Power Analysis (HO-DPA) and ASCA. Additionally, the physical measurement setup is explained. As a last step, a detailed description of the implemented side-channel countermeasures is given.

3.1 Overview

Side-channel attacks in general deal with the extraction of secret data via side-channel leakage. The most common types of side channels are timing information, the power consumption, and electromagnetic radiation. Attacks which exploit sound or temperature are also possible.

Since the field of side-channel attacks has become very broad over the years, the main focus of this thesis is on "standard" power analysis attacks and on ASCA, which also utilises the power consumption of the target device.

3.2 Power Analysis

The power consumption of a cryptographic embedded device can be acquired during the execution of cryptographic calculations. The power consumption waveform of a single run is called a power trace or trace. Usually, one or more power traces are subject to a power analysis attack: an attacker evaluates the traces to gain secret information like cryptographic keys.

Because power analysis is non-invasive and does not need expensive equipment, it is a serious security threat for many widely deployed cryptographic devices like tamper-resistant black boxes or smart cards.

3.2.1 Differential Power Analysis

The most straightforward method of power analysis is Simple Power Analysis (SPA). SPA deals with the visual examination of traces over time in order to find noticeable points, for example peaks. One might be able to identify conditional branches depending on the secret key or to distinguish operations on a microcontroller.

A more powerful method is DPA, which deals with the statistical analysis of multiple traces. With DPA, it is possible to analyse traces even if they are not suitable for SPA, for example if there are no conditional branches.


In a DPA, the attacker tries to compute the degree of dependence between the power traces and some intermediate values. To this end, a key-dependent leakage model is used. Since there are many statistical tests and leakage models, only those used for the attacks performed in this thesis are explained in detail here.

Pearson’s Correlation Coefficient

Pearson's correlation coefficient, as presented in [RN88], is a statistical test used to quantify the linear relation between the measured power traces $\vec{t}_i = (t_{i,1}, t_{i,2}, \dots, t_{i,T})$ and the prediction values $h_{i,k}$, the hypothetical power consumption for key hypothesis $k$. Here $T$ denotes the number of sample points per measurement and $i$ indexes the run, from $0$ to $D-1$. The correlation coefficient is the covariance of the two quantities divided by the product of their standard deviations. Computed pointwise over the $T$ samples it is

$$\vec{\rho}_k(\vec{h}_k, \vec{t}) = \frac{\sum_{i=0}^{D-1} \left(\vec{t}_i - \vec{m}_{\vec{t}}\right)\left(h_{i,k} - m_{h_k}\right)}{\sqrt{\vec{\sigma}^2_{\vec{t}} \; \sigma^2_{h_k}}} \qquad (3.1)$$

with $\vec{m}_{\vec{t}} = \frac{1}{D}\sum_{i} \vec{t}_i$ the pointwise mean of the traces, $\vec{\sigma}^2_{\vec{t}} = \sum_{i} (\vec{t}_i - \vec{m}_{\vec{t}})^2$ the pointwise sum of squared deviations (the variance up to the factor $1/D$, which cancels between numerator and denominator), and $m_{h_k}$ and $\sigma^2_{h_k}$ the same quantities for the hypotheses. The resulting correlation coefficient lies between -1 and 1. A value near zero means the two quantities show no linear relationship, while 1 or -1 indicates a perfect positive or negative linear relationship.

Hypothetical Power Consumption Model

In order to avoid the time-consuming step of simulating the power consumption by a detailed analysis at the logic level, simplified models are usually used. The main advantage of these models is that little knowledge is necessary to calculate a hypothetical power consumption: an attacker only needs to know relative differences in the power consumption. To estimate the relation between the power consumption and the intermediate values, a suitable power model has to be found. There are numerous models which can fulfil this task [MOP07]; in this thesis, the HW power model is employed to map the intermediate values to their hypothetical power consumption. The HW power model assumes that the power consumption of a cryptographic device is proportional to the number of bits set in the currently processed data word. With the HW model, the hypothetical power consumption $h_{i,k}$ for the intermediate value $v_{i,k}$ is calculated as

$h_{i,k} = \mathrm{HW}(v_{i,k})$. (3.2)

3.2.2 First Order DPA

A first-order DPA attack targets only one intermediate value that depends on the secret key. In the case of AES, the best point of attack is the S-box. The hypothetical intermediate value has to be computed from known values, either plaintext or ciphertext, and a key hypothesis; the S-box output is such a value and, in addition, non-linear in the key. Since the correlation coefficient only detects linear relationships, an intermediate value that depends linearly on the key (such as the AddRoundKey output) makes similar key hypotheses produce similar correlation coefficients. To avoid this, it is desirable to correlate with a non-linear intermediate value, as is the case with the S-box output, which has a non-linear relation to its input. Two points within a full AES encryption or decryption are particularly vulnerable to side-channel attacks, namely the first S-box after the initial AddRoundKey operation or the last S-box in the last round of the AES. Depending on whether input or output values of the AES device are available, one of these points has to be chosen. For the first-order DPA attacks in this thesis, the first round is attacked given the AES input value, i.e., the plaintext. Thus, the hypothetical intermediate values are represented by the output of the first S-box:

$v_{i,k} = \mathrm{SBOX}[d_i \oplus k]$ (3.3)

where $d_i$ represents the known plaintext byte of run $i$, with $i$ from $0$ to $D-1$. Consequently, the hypothetical power consumption is calculated as

$h_{i,k} = \mathrm{HW}(\mathrm{SBOX}[d_i \oplus k])$. (3.4)

3.2.3 Higher Order Differential Power Analysis

As presented in Section 3.2.2, a first-order DPA targets only one intermediate value, while a HO-DPA attack exploits the joint leakage of several intermediate values [MOP07]. This thesis focuses on attacks which exploit two intermediate values and are therefore called second-order DPA attacks. The choice of the two intermediate values depends on the countermeasures protecting an algorithm; proposals for suitable intermediate values are presented in Section 3.6.

Usually, the leakage of the two intermediate values occurs in different operations of the algorithm, and thus a preprocessing of the power traces is necessary in order to combine the two values. This means that not only the acquired power traces have to be preprocessed, but also the hypothetical power consumption values have to be combined with a combining function. In this thesis, only symmetric preprocessing functions are used, and since only pairs of points $(t_x, t_y)$ with $x \neq y$ are considered, the length of a preprocessed trace of $l$ points is $(l-1) + (l-2) + \dots + 2 + 1 = \frac{l \cdot (l-1)}{2}$. There are different preprocessing functions. A common one is the absolute-difference combining function proposed in [Mes00]. This function calculates the absolute value of the difference of two points in time within the same trace as

$\mathrm{pre}(t_x, t_y) = |t_x - t_y|$. (3.5)

Since the cryptographic device used in this thesis leaks the HW, the absolute-difference preprocessing function is used for the second-order DPA attack. A detailed argument for why this is a suitable choice can be found in [MOP07, Section 10.3.2].


3.3 Algebraic Side-Channel Attacks

Typical side-channel attacks as presented in the previous section use a divide-and-conquer strategy in order to recover the secret key. Divide-and-conquer is a general technique in computer science: a problem is split into several smaller problems that are easier to solve, and after all small problems have been solved, the solutions are combined to obtain the solution of the original problem [DPV06]. This technique is transferred to common side-channel attacks by splitting the secret key into smaller pieces. Additionally, such attacks target only one intermediate value per trace, typically a non-linear value with weak diffusion, for example an S-box output in the first or last round of a block cipher. In order to identify the correct value unambiguously, one has to combine the leakage traces of several plaintexts.

In contrast, ASCA exploits several intermediate values of all cipher rounds within a single leakage trace and recovers the whole secret key at once [RS09]. The attack consists of two phases, the offline phase and the online phase, which are explained in detail in the following subsections.

3.3.1 Offline Phase Step 1

First, the targeted block cipher has to be transformed into a set of polynomial equations containing the key bits as variables. Recovering the key is then equivalent to solving the system of equations. It is straightforward to transform linear operations into equations. Since the calculation of round key 1 is one of the first operations in an AES encryption, the calculation of its Most Significant Bit (MSB) is used as a small example to explain the transformation. As shown in Figure 2.2, the MSB of round key 1 is part of the key word W[4], which is computed as

$W[4] = W[0] \oplus g(W[3])$. (3.6)

The function $g$ is known, so it can be inserted into the equation. Since each bit is described as a separate variable, the equation has to be expressed at bit level, which leads to

$b_{0,W[4]} = b_{0,W[0]} \oplus b_{0,S(V_{W3,1})} \oplus b_{0,RC[1]}$, (3.7)

with $b_0$ representing the first bit of each value and $V_{W3,1}$ representing the second byte of W[3], which the rotation in $g()$ moves to the first position. Since the formula for the round constant is publicly known, its values can also be substituted into the equation. The MSB of RC[1] is 0, so the corresponding term can simply be dropped, as an XOR with 0 has no impact on the result. This transformation has to be done analogously for the whole block cipher.

As shown above, transforming linear operations into equations is easy. In contrast, transforming non-linear operations like the S-box is a complex task, since high-degree polynomials increase the solving time significantly. Therefore, it is desirable to create low-degree equations. Biryukov and De Cannière have shown in [BC03] how S-boxes can be converted to such a system in a systematic manner; the appendix of [BC03] gives an example of how to build such a system. In the following, the number of variables for each part of the cipher and the total number of variables are presented, where each variable represents a bit.

Key Schedule: 1728 variables
  10 round keys + 1 pre-round key with 128 bit each → 11 · 128 = 1408 variables
  32 non-linear bits per round due to the S-box during the g function → 10 · 32 = 320 variables

Cipher: 6304 variables
  S-box input and output bits with 128 bit each in 10 rounds → 10 · 2 · 128 = 2560 variables
  The MixColumns step was implemented as recommended in the standard [FIP]. Each step is done four times in nine rounds: 9 · 4 · (8 + 32 + 32 + 32) = 3744 variables

Total: 8032 variables
  All variables during the key schedule and all variables in the cipher → 1728 + 6304 = 8032 variables

3.3.2 Online Phase

Since solving a big system of equations is generally hard, the main idea behind ASCA attacks is to add additional information which helps to solve the system. A heuristic choice for this information is to use any kind of physical leakage and recover information about intermediate operations. The choice of these intermediate operations heavily depends on the block cipher itself and its implementation. For the AES implementation used in this thesis, there are 84 potential intermediate values to target in rounds one to nine. Due to the missing MixColumns operation, there are only 32 values in the last round. Since the SubBytes operation is implemented as a 256-byte Lookup table (LUT), the S-box input and the S-box output bytes can be exploited, which leads to 32 leakages per round. The implementation of the MixColumns operation consists of four steps and uses four 256-byte LUTs and nine XOR operations as recommended in [FIP]. The first step is

Tmp = a0 ⊕ a1 ⊕ a2 ⊕ a3 (3.8)

which leads to one intermediate value. As there are four MixColumns operations per round, one can extract four potential intermediate values per round in this step. The next three steps each lead to 16 leakages per round. The second step contains four XOR operations and is calculated as

Tm0 = a0 ⊕ a1 (3.9)

Tm1 = a1 ⊕ a2 (3.10)

Tm2 = a2 ⊕ a3 (3.11)

Tm3 = a3 ⊕ a0. (3.12)


Then, the xtime() function is applied to each value Tmi. In the last step, the previously calculated values and the input values ai are combined to

a0 = a0 ⊕ xtime(Tm0) ⊕ Tmp (3.13)

a1 = a1 ⊕ xtime(Tm1) ⊕ Tmp (3.14)

a2 = a2 ⊕ xtime(Tm2) ⊕ Tmp (3.15)

a3 = a3 ⊕ xtime(Tm3) ⊕ Tmp. (3.16)

In total, an adversary can extract 32 S-box leakages in each round and 52 MixColumns leakages in nine rounds, which leads to a total of 10 · 32 + 9 · 52 = 788 leakages. Note that it is not always necessary and/or possible to extract all leakage values. The intermediate values can be extracted by a so-called template attack, which is explained in Section 3.4.
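The four-step MixColumns described above, written out as an added example in C (this is not code from the thesis or from CycurLIB): one column is transformed exactly along Equations (3.8) to (3.16), and every intermediate value the text counts as a potential leakage is recorded on the way, so the 13 values per column and the 788 leakage points per encryption can be checked against the page's own arithmetic. The FIPS-197 example column used in the self-test is a constructed input, not a measurement from the thesis.

```c
#include <stdint.h>
#include <stdio.h>

/* Intermediate values one MixColumns column exposes in the four-step implementation:
 * 1 (Tmp) + 4 (Tm_i) + 4 (xtime(Tm_i)) + 4 (updated a_i) = 13; four columns give 52 per round. */
#define LEAKS_PER_COLUMN 13

/* xtime(): multiplication by x in GF(2^8), reduced modulo x^8 + x^4 + x^3 + x + 1 */
uint8_t xtime(uint8_t a)
{
    return (uint8_t)((a << 1) ^ ((a & 0x80U) ? 0x1BU : 0x00U));
}

/* MixColumns on one column a[0..3] in place, following Equations (3.8) to (3.16).
 * Every intermediate is appended to leak[] (pass NULL to skip recording) in the
 * order it is computed; the return value is the number of recorded intermediates. */
int mix_column_leaky(uint8_t a[4], uint8_t *leak)
{
    uint8_t tmp, tm[4];
    int n = 0, i;
    tmp = a[0] ^ a[1] ^ a[2] ^ a[3];                 /* (3.8)  */
    if (leak) leak[n] = tmp;
    n++;
    for (i = 0; i < 4; i++) {                        /* (3.9) to (3.12) */
        tm[i] = a[i] ^ a[(i + 1) & 3];
        if (leak) leak[n] = tm[i];
        n++;
    }
    for (i = 0; i < 4; i++) {                        /* xtime() on each Tm_i */
        tm[i] = xtime(tm[i]);
        if (leak) leak[n] = tm[i];
        n++;
    }
    for (i = 0; i < 4; i++) {                        /* (3.13) to (3.16) */
        a[i] ^= tm[i] ^ tmp;
        if (leak) leak[n] = a[i];
        n++;
    }
    return n;
}

/* Hamming weight of a byte: the quantity a per-HW template actually recovers. */
int hamming_weight(uint8_t v)
{
    int c = 0;
    for (; v; v >>= 1) c += v & 1;
    return c;
}

/* Leakage points the text counts for one AES-128 encryption:
 * 32 S-box leakages in each of 10 rounds plus 4 * 13 MixColumns leakages in 9 rounds. */
int total_leakages(void)
{
    return 10 * 32 + 9 * 4 * LEAKS_PER_COLUMN;
}

/* Self-test on the FIPS-197 MixColumns example column {db,13,53,45} -> {8e,4d,a1,bc}
 * (a constructed check). Returns 1 if the output and the first intermediates match. */
int mixcolumns_selftest(void)
{
    uint8_t col[4] = { 0xdb, 0x13, 0x53, 0x45 };
    uint8_t leak[LEAKS_PER_COLUMN];
    int n = mix_column_leaky(col, leak);
    return n == LEAKS_PER_COLUMN
        && col[0] == 0x8e && col[1] == 0x4d && col[2] == 0xa1 && col[3] == 0xbc
        && leak[0] == 0xde          /* Tmp */
        && leak[1] == 0xc8          /* Tm0 = a0 ^ a1 */
        && leak[5] == 0x8b;         /* xtime(Tm0) */
}

int main(void)
{
    uint8_t col[4] = { 0xdb, 0x13, 0x53, 0x45 }, leak[LEAKS_PER_COLUMN];
    int i, n = mix_column_leaky(col, leak);
    for (i = 0; i < n; i++)
        printf("leak %2d: 0x%02x (HW %d)\n", i, leak[i], hamming_weight(leak[i]));
    printf("total leakage points per encryption: %d\n", total_leakages());
    return 0;
}
```

The leak array lists the values in the order the four steps compute them; a template attack as in Section 3.4 recovers only their Hamming weights, which is why the helper prints the HW next to each byte.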

3.3.3 Offline Phase Step 2

The second step of the offline phase is to combine the recovered side-channel information with the system of equations. Finally, the combined system has to be solved in order to obtain the secret key. In the literature, many solutions have been proposed for this purpose. We follow the solution presented in [CB06], which uses SAT solvers; therefore, the system of equations has to be converted to a SAT problem. Solving the problem with linearisation techniques [CP02] and Gröbner basis approaches [BPW05] is also possible. As mentioned, in order to solve the system of equations with a SAT solver, the system has to be translated into a set of clauses constituting a SAT problem. For detailed information on the format of the clauses see Section 4.4.

3.3.4 Adaptation for Attacking a Protected Implementation

For attacking a protected implementation of AES, the system of equations has to be adapted. The masks are also represented by variables and therefore have to be added to the system. Further details on the masking scheme can be found in Section 3.6. The adaptation of the system is described in Section 5.3.3.

3.4 Template Attacks

A different type of side-channel attack are the so-called template attacks. The main part of a template attack is to describe the recorded power traces by a multivariate normal distribution, which consists of a covariance matrix C and a mean vector m. The covariances cij = Cov(Xi, Xj) are stored in the covariance matrix C, while m contains the mean values for all points in the trace [MOP07]. The pair of these two values (m, C) is called a template, as it fully describes the multivariate normal distribution of a set of power traces. Now, the main idea of template attacks is to characterize a device by estimating templates for certain values processed on the device. Then, this characterisation can be used to extract corresponding values from a single side-channel trace by evaluating the probability density function for every template. It is important to note that the covariance matrix grows exponentially with the number of points in a trace. It is therefore common to look only at small parts of the traces. Template attacks consist of two phases, the building phase and the matching phase.

3.4.1 Building Phase

During the building phase, the characterisation is performed. First, one has to decide what kind of templates should be built. This heavily depends on the values an attacker wants to extract. It is for example possible to build templates for different pairs of data and key, or for intermediate values. As we want to supply the HW of different intermediate values to the system of equations, this thesis concentrates on templates for intermediate values. Since the covariance matrix grows exponentially with the number of considered points, the parts which contain the most information about the intermediate values have to be identified. As the ASCA requires only the Hamming weight of those intermediate values, it is sufficient to build nine templates per value, one for each possible HW.

3.4.2 Matching Phase

After the templates have been built, they have to be evaluated for a given side-channel trace by calculating the probability density function as

$$p(\vec{t}; (\vec{m}, C)_{d_i,k_j}) = \frac{\exp\left(-\frac{1}{2} \cdot (\vec{t} - \vec{m})' \cdot C^{-1} \cdot (\vec{t} - \vec{m})\right)}{\sqrt{(2 \cdot \pi)^T \cdot \det(C)}} \qquad (3.17)$$

The template with the highest probability indicates the most likely HW. When evaluating these probabilities, one has to be careful: in some cases, numerical problems might occur which affect the results.
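The building and matching phases as an added example in C (not the thesis's own template code): profiling traces are constructed from a simple linear leakage model (each point depends on the HW, plus bounded pseudo-noise from an LCG; the model and the choice of two points of interest are assumptions), nine templates are estimated from them, and a fresh trace is matched with the logarithm of Equation (3.17). Evaluating in the log domain, with a small self-contained logarithm routine, is this example's way around the numerical problems the text mentions; the exponential in (3.17) underflows to 0 long before its logarithm does.

```c
#include <stdio.h>

#define NPTS 2    /* points of interest kept per trace (assumption: two keeps C a 2x2 matrix) */
#define NHW  9    /* possible Hamming weights of a byte, 0..8 */
#define NTR  32   /* constructed profiling traces per Hamming weight */

typedef struct {
    double mean[NPTS];        /* mean vector m */
    double cov[NPTS][NPTS];   /* covariance matrix C */
} Template;

/* Reproducible pseudo-noise from an LCG with the glibc constants quoted in Chapter 5. */
static unsigned int lcg_state = 1U;
static double noise(void)
{
    lcg_state = 1103515245U * lcg_state + 12345U;
    return (((lcg_state >> 16) & 0x7fffU) / 32768.0 - 0.5) * 0.5;   /* uniform in [-0.25, 0.25) */
}

/* Constructed leakage model: both points depend linearly on the HW, plus noise. */
static void synth_trace(int hw, double out[NPTS])
{
    out[0] = 1.0 * hw + noise();
    out[1] = 0.5 * hw + noise();
}

/* Natural logarithm without libm: ln(x) = k*ln2 + 2*atanh((x'-1)/(x'+1)) with x' in [0.5, 1). */
double ln(double x)
{
    int k = 0, i;
    double y, y2, term, sum = 0.0;
    while (x >= 1.0) { x *= 0.5; k++; }
    while (x < 0.5)  { x *= 2.0; k--; }
    y = (x - 1.0) / (x + 1.0); y2 = y * y; term = y;
    for (i = 1; i < 60; i += 2) { sum += term / i; term *= y2; }
    return 2.0 * sum + k * 0.6931471805599453;
}

/* Building phase: estimate (m, C) from n traces that all belong to one HW class. */
static void build_template(double tr[][NPTS], int n, Template *t)
{
    int i, j, k;
    for (j = 0; j < NPTS; j++) {
        t->mean[j] = 0.0;
        for (i = 0; i < n; i++) t->mean[j] += tr[i][j];
        t->mean[j] /= n;
    }
    for (j = 0; j < NPTS; j++)
        for (k = 0; k < NPTS; k++) {
            double s = 0.0;
            for (i = 0; i < n; i++) s += (tr[i][j] - t->mean[j]) * (tr[i][k] - t->mean[k]);
            t->cov[j][k] = s / (n - 1);
        }
}

/* Matching phase: log of Equation (3.17) for the 2x2 case, C^-1 written out explicitly. */
static double log_density(const double t[NPTS], const Template *tp)
{
    double a = tp->cov[0][0], b = tp->cov[0][1], c = tp->cov[1][0], d = tp->cov[1][1];
    double det = a * d - b * c;
    double d0 = t[0] - tp->mean[0], d1 = t[1] - tp->mean[1];
    double maha = (d0 * (d * d0 - b * d1) + d1 * (a * d1 - c * d0)) / det;  /* (t-m)' C^-1 (t-m) */
    return -0.5 * maha - 0.5 * (NPTS * ln(2.0 * 3.14159265358979323846) + ln(det));
}

/* Returns the HW whose template gives the highest density for trace t. */
static int match_hw(const double t[NPTS], const Template tmpl[NHW])
{
    int hw, best = 0;
    double best_ll = log_density(t, &tmpl[0]);
    for (hw = 1; hw < NHW; hw++) {
        double ll = log_density(t, &tmpl[hw]);
        if (ll > best_ll) { best_ll = ll; best = hw; }
    }
    return best;
}

/* Builds the nine templates from constructed traces, then matches a fresh trace of true_hw. */
int classify_constructed(int true_hw)
{
    Template tmpl[NHW];
    double tr[NTR][NPTS], probe[NPTS];
    int hw, i;
    lcg_state = 1U;                                   /* deterministic run */
    for (hw = 0; hw < NHW; hw++) {
        for (i = 0; i < NTR; i++) synth_trace(hw, tr[i]);
        build_template(tr, NTR, &tmpl[hw]);
    }
    synth_trace(true_hw, probe);
    return match_hw(probe, tmpl);
}

/* 1 if every Hamming weight is recovered from its own fresh trace. */
int all_hw_recovered(void)
{
    int hw;
    for (hw = 0; hw < NHW; hw++)
        if (classify_constructed(hw) != hw) return 0;
    return 1;
}

int main(void)
{
    int hw;
    for (hw = 0; hw < NHW; hw++)
        printf("true HW %d -> matched HW %d\n", hw, classify_constructed(hw));
    return all_hw_recovered() ? 0 : 1;
}
```

With real traces the points of interest would be chosen first (for instance by the variance over the HW classes), and the ln(det) term is what makes templates with a tight covariance score higher than wide ones at the same distance.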

3.5 Physical Measurement Setup

This section describes the physical measurement setup used to record the power consumption of a device while it is calculating some cryptographic operation. In the following, the recording and the digitalisation are referred to as acquiring traces. A typical physical measurement setup for acquiring power traces is shown in Figure 3.1. The resistor R in the ground path allows to measure the power consumption via the voltage drop ∆V(t) = I(t) · R [Paa09]. In Figure 3.2, the physical measurement setup as used for this thesis is shown.

3.6 Countermeasures

In order to protect implementations against side-channel attacks, different countermeasures have been developed since these attacks were proposed. An effective countermeasure is to ensure that the device's power consumption does not contain any information on secret keys or other confidential data at all, which implies making the power consumption and the respective data independent of each other. Since this is not always possible, the main goal is to reduce these dependencies as much as possible.

Figure 3.1: Physical measurement setup for side-channel analysis

3.6.1 Masking

One approach to make the power consumption and the intermediate values independent from each other is to randomize these values during the processing. To achieve this, the processed intermediate values are combined with a random value m, which is called the mask. Since m has to be random, a Pseudo Random Number Generator (PRNG) is necessary in order to get numbers with sufficient statistical random characteristics. The development of PRNGs is discussed in several scientific papers and is therefore not the topic of this thesis. The resultant hidden value, called the masked intermediate value vm, is calculated as vm = f(v, m). As there are many different types of masking schemes, the masking function f() varies. It is usually defined according to the cryptographic algorithm running on the cryptographic device. After all cryptographic operations are finished, the mask has to be removed in order to obtain the correct ciphertext. The power consumption of the cryptographic device is now dependent on the masked values, but not on the intermediate values themselves. Since an attacker does not know the correct mask, he is not able to find dependencies. This holds only if the masked value vm is pairwise independent of the mask m and the intermediate value v. In order to reduce the memory usage and/or calculation time, masks are often reused for different intermediate values in practice. This leads to values which are not pairwise independent and can therefore be attacked by combining several intermediate values. The corresponding attack is presented in Section 3.2.3. One advantage of masking schemes is that they can be implemented at different levels, for example on the algorithm level, the architecture level, and the cell level. This thesis focuses on implementing masking schemes on the algorithm level.

Figure 3.2: Measurement setup used for this thesis

Boolean Masking

The simplest masking scheme is boolean masking, also called additive masking. The intermediate value is hidden by XORing it with a random mask, i.e. vm = v ⊕ m. Then, v can only be computed if vm and m are known. If none or only one value is known, v cannot be obtained. Therefore, boolean masking can be seen as a secret sharing scheme with two shares. Applying boolean masking to AES is straightforward because the cipher mainly consists of linear functions. With respect to XOR, linear functions satisfy f(x ⊕ m) = f(x) ⊕ f(m). For that reason, it is very easy to compute the changes to the mask during all linear functions within AES, i.e. AddRoundKey, ShiftRows, and MixColumns. Since SubBytes is a nonlinear function, accordingly SBox(x ⊕ m) ≠ SBox(x) ⊕ SBox(m). In order to mask this value, a new S-box has to be generated, which is computed as SBox′(x ⊕ m) = SBox(x) ⊕ m′. Each time a new mask is generated, a new S-box has to be computed. After all computations are done, the mask has to be removed in order to obtain the ciphertext. Suitable intermediate values for boolean masking are for instance the S-box input byte of the first AES encryption round and the corresponding S-box output byte. The combination of these two values fits if the input mask for the S-box equals the output mask, i.e. SBox′(x ⊕ m) = SBox(x) ⊕ m′ with m = m′. If the two masks are not equal (m ≠ m′), the S-box output bytes of the first encryption round of two adjacent key bytes are a good choice. This in fact results in a longer attack time because two key bytes are attacked simultaneously. In both cases, the two intermediate values are combined using the XOR. Computational time can be saved if the masks are reused for more than one block cipher run. This weakens the level of protection of this countermeasure, so the reuse interval should be selected with (extreme) care.

3.6.2 Shuffling

Shuffling is a countermeasure which tries to hide the dependencies between the power consumption of the target device and the intermediate values. An important characteristic of hiding countermeasures is that the calculated intermediate values are the same as in the unprotected implementation but are "made" to "look random" [MOP07]. In the case of shuffling, the operations are not executed in the specified order, but the sequence is randomly mixed. In the case of the AES, the following operations can be executed in a random order:

• SubBytes: During each round, 16 S-box look-ups need to be done. Since this is a byte-wise operation, it is independent of all other bytes and can be performed in a random order.

• MixColumns is a word-wise operation, which means that each word is processed independently of the other words. Therefore, the four words during one AES round can be calculated in a random order.

• At the end of each round, the AddRoundKey operation is executed. As is the case with the SubBytes operation, this is a byte-wise operation and can therefore be executed in a random order.

Since the presented masking scheme does not change the execution order during an AES run, it can be combined with the shuffling countermeasure, increasing the level of protection.


4 Tools

This chapter gives an overview of the tools and software used during this thesis. The target platform and the measurement equipment are described, as well as the CycurDPA workstation and the SAT solver used.

4.1 Target Platform

Figure 4.1: Escrypt Target Board v1.0

The target platform is an ATmega32 microcontroller on the ESCRYPT target board v1.0, which can be seen in Figure 4.1. The connection module is a pure software implementation running on the ATmega32. It communicates with the host PC via a Universal Asynchronous Receiver Transmitter (UART). The UART is configured by the connection module as follows:

• Baudrate: 115200

• Data bits: 8

• Stop bits: 1

• Parity: none

• Flow control: off


Port B of the ATmega32 is used for the trigger signals. The main trigger pin is defined as pin 2 on port B (PB2). It is set to 1 on system start and then changed to 0 right before the AES encryption starts (falling edge). After the first round (in the case of DPA) or after the fourth round (in the case of ASCA), the trigger is reset to logical 1 again (rising edge). Additionally, a second trigger signal was implemented in order to identify the different operations during the AES encryption. The pin used for this trigger is defined as pin 1 on port B (PB1). It is cleared on system start and set to 1 right before the first round. After SubBytes it is cleared again and set to 1 right before MixColumns. As a last operation, the AddRoundKey operation is identified with an identical sequence.

4.2 Oscilloscope

For acquiring the traces, a LeCroy WaveRunner 610Zi oscilloscope was used, connected to the host computer via Local Area Network (LAN). The oscilloscope is depicted in Figure 4.2. It provides the following key features [Lec]:

Figure 4.2: Lecroy WaveRunner 610Zi oscilloscope

• 1 GHz bandwidth

• 4 input channels

• 20 GS/s sample rate

Additionally, an active and two passive probes are used in order to connect the oscilloscope to the target board. The active probe is the AP033 active differential probe from LeCroy and was used to measure the power consumption. It has the following key features [Pro]:

• 500 MHz bandwidth


• 1:1 / 10:1 attenuation ratio

• 1x / 10x gain

• 10 MΩ input resistance

The passive probes are PP008 probes from LeCroy and were used to connect to both trigger signals. They have the following key features [Pas]:

• 500 MHz bandwidth

• 10:1 attenuation ratio

• 10 MΩ input resistance

Both probes are shown in Figure 4.3.

Figure 4.3: Active (a) and passive (b) probes used for this thesis

4.3 CycurDPA Workstation

As a working environment for the side-channel attacks, the CycurDPA Workstation [DPA] was used. The CycurDPA Workstation was designed by ESCRYPT [ESCa] and supports the typical work flow of a side-channel attack, which consists of acquiring side-channel data from a target device, pre-processing the traces and analysing them with different methods and tests. The current version of the workstation is based on [CB10]. The workstation framework is programmed in C++ using the Qt libraries and implements the work flow and the data management as the basic functionalities, as well as a plug-in structure which allows to integrate new functions. To add new functionality, four plug-in types are provided:

• Target plug-ins control the target device,

• Scope plug-ins control the measurement equipment, e.g. an oscilloscope,


• Filter plug-ins pre-process the measured traces and

• Analysis plug-ins analyse the measured traces or the pre-processed traces in a target-specific way.

Available Plug-ins

The following sections shortly describe the available plug-ins used during the analysis in this thesis.

LeCroy WaveRunner Oscilloscope Plug-in

As mentioned, the LeCroy WaveRunner 610Zi oscilloscope is used for the measurements. The corresponding scope plug-in manages the connection via LAN. Since the oscilloscope has numerous configuration options, the plug-in only offers the possibility to select the active channels and assign unique identifiers to them. These identifiers are important for the management of the data. All other configuration is done directly on the oscilloscope's controls.

Escrypt Target Board v1.0 Plug-in

The plug-in to communicate with the ATmega32 microcontroller establishes the connection from the host computer's serial port to the UART on the target platform. For this purpose, the plug-in uses the QextSerialPort extension for the Qt libraries. The plug-in was designed to be used with an AES-128 implementation and offers the possibility to set the plaintext and the key randomly or to a fixed user-defined value. To speed up the acquisition of the traces, a block mode was implemented for this thesis. The block mode allows to perform more than one encryption per run. This functionality can only be used if the oscilloscope is able to handle sequences of multiple encryption runs, which is the case for the LeCroy WaveRunner 610Zi oscilloscope.

Correlation Analysis Plug-in

This plug-in is used to attack the AES-128 according to the attack presented in Section 3.2.2. The plug-in can use the HW power model or the Hamming Distance (HD) power model in order to calculate the hypothetical power consumption and employs the correlation coefficient to analyse the traces (see also Section 3.2.1). The calculation itself is multi-threaded to improve the performance. After the attack has finished, the best candidate with the maximum correlation for each key byte can be displayed.

Trace Evaluation Plug-in

This plug-in plots the development of the correlation coefficients for all 256 key hypotheses over the number of used traces for a single point in time. This allows to estimate the number of traces required in order to get a significant result.


4.4 CryptoMiniSat - SAT Solver

In a SAT problem it is determined whether the variables of a boolean formula can be assigned values so that the whole formula evaluates to true. If such a solution can be found, the problem is called satisfiable. Otherwise it is called unsatisfiable. To evaluate the SAT problems in this thesis, the CryptoMiniSat SAT solver in version 2.9.4 [Soo] is used. It is based on the MiniSat SAT solver and uses the Davis-Putnam-Logemann-Loveland (DPLL) algorithm for solving instances of SAT; cf. [DP60] and [DLL62] for further information on the algorithm.

Format of SAT Expressions

In general, SAT solvers only accept the Conjunctive Normal Form (CNF). Additionally, CryptoMiniSat can deal with XOR functions, but this functionality was not used within this thesis in order to guarantee compatibility with other SAT solvers. This decision makes it easy to exchange the SAT solver later. The exact format is called DIMACS CNF. In a CNF expression, several clauses are connected with a conjunction (boolean AND), and each clause describes a disjunction (boolean OR) of a number of variables. A file in the DIMACS CNF format starts with one or more comment lines, which are marked with a c at the beginning. The problem itself starts with a p, followed by the specified format, the number of variables, and the number of clauses, where each value is separated by a space. The format should always be cnf. After the problem line, the description of the clauses follows. The unique variables are enumerated from 1 to n, where n represents the number of variables. A negation is represented by a minus sign. Again, the variables are separated by a space, and a 0 indicates the end of the clause. This results in one clause per line. In the following, an example DIMACS CNF file is presented.

c This is an example file

c The presented expression is: (A OR -B OR -C) AND (B OR -D) AND (A OR D OR E)

c The expression consists of 3 clauses

c The variables are represented be the following numbers:

c A = 1, B = 2, C = 3, D = 4, E = 5

p cnf 5 3

1 -2 3 0

2 -4 0

1 4 5 0

The SAT solver outputs the result on the console. The result is formatted similarly to the input file. At the beginning, some configuration- and calculation-specific values are printed as comments, i.e. each of these lines starts with a c. Then, a line starting with s follows. This line indicates whether the given SAT problem is satisfiable or not. If it is satisfiable, the corresponding results are printed on the following line, which starts with a v. On this last line, the result for each variable is printed. The whole equation is true if variables 1 and 2 are positive (= 1) and variables 3, 4 and 5 are negative (= 0). The result file of the small example presented above is:


c Outputting solution to console

c This is CryptoMiniSat May 8 2012

c compiled with non-gcc compiler

c Reading file ’sat_example.txt’

c -- header says num vars: 5

c -- header says num clauses: 3

[...]

c Memory used : 0.00 MB

c CPU time : 0.01 s

s SATISFIABLE

v 1 2 -3 -4 -5 0
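To make the file format and the solver behaviour concrete, here is an added example in C (not part of the thesis and not CryptoMiniSat code): a parser for the DIMACS CNF conventions described above, followed by a minimal DPLL search (unit propagation plus splitting on the lowest unassigned variable, true first). Run on a constructed copy of the example file it reproduces the model the solver printed, v 1 2 -3 -4 -5 0, because variables 3 to 5 are never constrained and are reported as false, just as CryptoMiniSat did. The fixed table sizes are assumptions that suit the toy instance; the real ASCA systems with thousands of variables need a proper solver.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXVARS    64
#define MAXCLAUSES 64
#define MAXLITS    8

typedef struct {
    int nvars, nclauses;
    int lit[MAXCLAUSES][MAXLITS];   /* literals in DIMACS notation: +v or -v */
    int len[MAXCLAUSES];
} Cnf;

/* Parse DIMACS CNF text: 'c' comment lines, one "p cnf <vars> <clauses>" line, then
 * clauses as space-separated integers terminated by 0. Returns 0 on success, -1 otherwise. */
int parse_dimacs(const char *text, Cnf *cnf)
{
    char line[256];
    memset(cnf, 0, sizeof *cnf);
    while (*text) {
        size_t n = strcspn(text, "\n");
        char *s, *end;
        long v;
        if (n >= sizeof line) return -1;
        memcpy(line, text, n);
        line[n] = '\0';
        text += n + (text[n] == '\n');
        if (line[0] == 'c' || line[0] == '\0') continue;
        if (line[0] == 'p') {
            int m;
            if (sscanf(line, "p cnf %d %d", &cnf->nvars, &m) != 2) return -1;
            if (cnf->nvars < 1 || cnf->nvars > MAXVARS || m > MAXCLAUSES) return -1;
            continue;
        }
        for (s = line; v = strtol(s, &end, 10), end != s; s = end) {
            int k = cnf->nclauses;
            if (k >= MAXCLAUSES) return -1;
            if (v == 0) { cnf->nclauses++; break; }        /* 0 closes the clause */
            if (v > cnf->nvars || -v > cnf->nvars || cnf->len[k] >= MAXLITS) return -1;
            cnf->lit[k][cnf->len[k]++] = (int)v;
        }
    }
    return 0;
}

/* 1 if clause k is satisfied under the partial assignment val[] (-1 = unassigned),
 * 0 if every literal is already false, -1 if still undecided. */
static int clause_status(const Cnf *c, int k, const int val[])
{
    int i, undecided = 0;
    for (i = 0; i < c->len[k]; i++) {
        int lit = c->lit[k][i], v = val[abs(lit)];
        if (v < 0) undecided = 1;
        else if ((lit > 0) == (v == 1)) return 1;
    }
    return undecided ? -1 : 0;
}

/* Plain DPLL: unit propagation, then split on the lowest unassigned variable (true first). */
static int dpll(const Cnf *c, int val[])
{
    int k, i, changed, saved[MAXVARS + 1];
    do {
        changed = 0;
        for (k = 0; k < c->nclauses; k++) {
            int st = clause_status(c, k, val), unassigned = 0, last = 0;
            if (st == 0) return 0;                         /* conflict */
            if (st == 1) continue;
            for (i = 0; i < c->len[k]; i++)
                if (val[abs(c->lit[k][i])] < 0) { unassigned++; last = c->lit[k][i]; }
            if (unassigned == 1) { val[abs(last)] = last > 0; changed = 1; }   /* unit clause */
        }
    } while (changed);
    for (k = 0; k < c->nclauses && clause_status(c, k, val) == 1; k++) ;
    if (k == c->nclauses) return 1;                        /* every clause satisfied */
    for (i = 1; i <= c->nvars && val[i] >= 0; i++) ;
    if (i > c->nvars) return 0;
    memcpy(saved, val, sizeof saved);
    val[i] = 1;
    if (dpll(c, val)) return 1;
    memcpy(val, saved, sizeof saved);
    val[i] = 0;
    if (dpll(c, val)) return 1;
    memcpy(val, saved, sizeof saved);
    return 0;
}

/* Solve DIMACS text. val[1..nvars] receives 1/0; variables the search never had to fix
 * are reported as 0. Returns 1 (satisfiable), 0 (unsatisfiable) or -1 (bad input). */
int solve_dimacs(const char *text, int val[MAXVARS + 1])
{
    Cnf cnf;
    int i, r;
    if (parse_dimacs(text, &cnf) != 0) return -1;
    for (i = 0; i <= MAXVARS; i++) val[i] = -1;
    r = dpll(&cnf, val);
    for (i = 1; i <= cnf.nvars; i++) if (val[i] < 0) val[i] = 0;
    return r;
}

int sat_result(const char *text)
{
    int val[MAXVARS + 1];
    return solve_dimacs(text, val);
}

/* The CNF file from the text (a constructed copy) must give the model the solver printed. */
int example_matches_solver_output(void)
{
    static const char EXAMPLE[] = "c This is an example file\np cnf 5 3\n1 -2 3 0\n2 -4 0\n1 4 5 0\n";
    static const int expected[6] = { 0, 1, 1, 0, 0, 0 };   /* v 1 2 -3 -4 -5 0 */
    int val[MAXVARS + 1], i;
    if (solve_dimacs(EXAMPLE, val) != 1) return 0;
    for (i = 1; i <= 5; i++) if (val[i] != expected[i]) return 0;
    return 1;
}
```

In an ASCA the recovered Hamming weights enter this format as extra clauses over the intermediate-value bits, which is what turns the otherwise hard system of Section 3.3.1 into a quickly solvable instance.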


5 Implementation

This chapter describes the implemented countermeasures and the plug-ins for the CycurDPA workstation environment. A detailed description of the functions and the source code is given. The implementation of the countermeasures is described first, followed by the implementation of the different attacks.

5.1 Countermeasures

This section gives details on the implementation of the countermeasures. The countermeasures were added to the already existing AES implementation which is part of the CycurLIB by ESCRYPT [escb]. Since the AES implementation is written in C, the countermeasures were implemented in C as well.

5.1.1 Boolean Masking

A boolean masking scheme according to [MOP07] is implemented. It uses three masks in total in order to mask the different operations. Two masks m and m' are single-byte values used to mask the S-box input and output. The third mask m1_m2_m3_m4 is a 4-byte value used to mask the columns of the state matrix row-wise during the MixColumns operation.

In the first step, before each encryption or decryption, the masks are generated randomly. For this purpose, a random seed for the PRNG is needed. The underlying target device allows to use uninitialised Static Random-Access Memory (SRAM) for the seed generation. The get_seed() function interprets the SRAM content as unsigned 8-bit integer values and generates the seed by calculating the XOR of several values.

#include <avr/io.h>          /* RAMEND: address of the last SRAM byte on the ATmega32 */

typedef unsigned char UINT8;

/* get random seed for PRNG */
UINT8 get_seed(void)
{
    UINT8 seed = 0;
    UINT8 *p = (UINT8 *)(RAMEND + 1);   /* one past the end of SRAM */
    extern UINT8 __heap_start;          /* first byte after .data/.bss (avr-libc linker symbol) */

    /* walk down through the uninitialised SRAM above the heap start and XOR all bytes */
    while (p >= &__heap_start + 1)
        seed ^= *(--p);

    return seed;
}

Listing 5.1: get_seed() function for ATMega32


After the seed is generated, the random values are calculated based on a Linear Congruential Generator (LCG). The parameters used are taken from the glibc [gnu] implementation.

/* Generate new random values. Constants are taken from glibc implementation. */
UINT32 randVal;
randVal = seed = 1103515245U * seed + 12345U;

Before each run, the new masks are generated and pre-calculations are done. This includes the calculation of the masked round keys, which are masked with m and (m1_m2_m3_m4)'. The latter is the 4-byte mask changed by the MixColumns operation. Additionally, the masked S-box and the correction mask, which is used to change the mask from the S-box output mask m' to the input mask m1_m2_m3_m4 for the MixColumns operation, are pre-calculated. Since the secret key is masked immediately, the key schedule is also protected by masking and cannot be attacked with an SPA attack.

During an AES round, the AddRoundKey operation changes the mask from the MixColumns mask (m1_m2_m3_m4)' used before to the S-box input mask m, which is necessary after the AddRoundKey operation. At the beginning of an encryption run, the plaintext has to be masked with the modified 4-byte mask such that the state is masked with m after the first AddRoundKey operation. Next, the masked S-box operation is performed, which changes the mask m to m', since the S-box was precomputed as Sboxm(x ⊕ m) = Sbox(x) ⊕ m′. For the MixColumns step, a remasking step is necessary in order to change the mask from the S-box output mask m' to the row-wise mask m1_m2_m3_m4. The mask used for the remasking step is precomputed as m′ ⊕ m1_m2_m3_m4. The following AddRoundKey operation again changes the mask (m1_m2_m3_m4)' to m, which allows to calculate an arbitrary number of masked rounds. For a better understanding, Figure 5.1 gives an overview over the masked AES encryption and how the masks change during the computation.
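The masked S-box precomputation that both Section 3.6.1 and this section rely on, as an added example in C (not the CycurLIB implementation): two fresh mask bytes are drawn from the glibc-constant LCG quoted above, the table SBox′(x ⊕ m) = SBox(x) ⊕ m′ is built from it, and a self-test confirms that a masked look-up followed by unmasking equals the plain S-box for all 256 inputs. The S-box itself is derived from its definition (inverse in GF(2^8) plus the affine map) instead of being copied as a table; taking the random byte from the upper half of the LCG state is my assumption, as is the seed value, which on the target would come from get_seed().

```c
#include <stdint.h>
#include <stdio.h>

typedef uint8_t  UINT8;
typedef uint32_t UINT32;

/* Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 */
static UINT8 gmul(UINT8 a, UINT8 b)
{
    UINT8 p = 0;
    while (b) {
        if (b & 1U) p ^= a;
        a = (UINT8)((a << 1) ^ ((a & 0x80U) ? 0x1BU : 0U));
        b >>= 1;
    }
    return p;
}

/* AES S-box from its definition: multiplicative inverse (0 maps to 0), then the affine map.
 * The inverse is found by brute force, which is fine for a one-off table build. */
UINT8 sbox_ref(UINT8 x)
{
    unsigned y;
    UINT8 inv = 0, s;
    int i;
    for (y = 1; x != 0 && y < 256; y++)
        if (gmul(x, (UINT8)y) == 1) { inv = (UINT8)y; break; }
    s = inv;
    for (i = 1; i <= 4; i++) s ^= (UINT8)((inv << i) | (inv >> (8 - i)));   /* rotations */
    return s ^ 0x63U;
}

/* LCG with the glibc constants shown above; on the target it would be seeded from get_seed(). */
static UINT32 prng_state = 1U;
static UINT8 next_random(void)
{
    prng_state = 1103515245U * prng_state + 12345U;
    return (UINT8)(prng_state >> 16);   /* assumption: take a byte from the upper half of the state */
}

/* Precompute SBox'(x ^ m) = SBox(x) ^ m_out for the current input mask m and output mask m_out. */
void build_masked_sbox(UINT8 masked[256], UINT8 m, UINT8 m_out)
{
    unsigned x;
    for (x = 0; x < 256; x++)
        masked[x ^ m] = sbox_ref((UINT8)x) ^ m_out;
}

/* Masked SubBytes on one byte: the device only ever handles x ^ m and SBox(x) ^ m_out. */
UINT8 masked_subbyte(const UINT8 masked[256], UINT8 x_masked)
{
    return masked[x_masked];
}

/* Witness for the non-linearity of the S-box: 1 if SBox(x ^ m) != SBox(x) ^ SBox(m). */
int sbox_breaks_xor_linearity(UINT8 x, UINT8 m)
{
    return sbox_ref(x ^ m) != (sbox_ref(x) ^ sbox_ref(m));
}

/* Draw fresh masks, build the masked table, and verify for all 256 inputs that
 * unmasking the looked-up value gives the plain S-box output. Returns 1 on success. */
int masked_sbox_selftest(UINT32 seed)
{
    UINT8 masked[256], m, m_out;
    unsigned x;
    prng_state = seed;
    m = next_random();
    m_out = next_random();
    build_masked_sbox(masked, m, m_out);
    for (x = 0; x < 256; x++) {
        UINT8 vm = (UINT8)x ^ m;                 /* masked S-box input  */
        UINT8 ym = masked_subbyte(masked, vm);   /* masked S-box output */
        if ((UINT8)(ym ^ m_out) != sbox_ref((UINT8)x)) return 0;
    }
    return 1;
}

int main(void)
{
    printf("SBox(0x53) = 0x%02x\n", sbox_ref(0x53));
    printf("masked S-box self-test: %s\n", masked_sbox_selftest(0x12345678U) ? "ok" : "FAILED");
    return 0;
}
```

The table build touches every SBox(x) unmasked, which is why it has to happen before the measured encryption and why the text counts it among the per-run pre-calculations rather than the round function.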

5.1.2 Shuffling

As presented in Section 3.6.2, three operations in the AES can be internally executed in a random order. These three operations are SubBytes, MixColumns and AddRoundKey. All operate on either independent bytes or words, which means that the calculation of the specific values can be mixed randomly within one operation.

Figure 5.1: High-level view on masked AES-128

The SubBytes operation consists of 16 byte-wise substitutions and can be performed in a random order. Two random values are needed, which are generated with the same PRNG as the mask values. Since the internal block structure is a state matrix, the calculation is done in two for-loops iterating over the columns and the bytes of the current column. Since the PRNG returns 8-bit values, only the two Least Significant Bits (LSBs) are used to indicate the current column/row. The random number is added to the loop iteration variable before the two LSBs are taken, to make sure that all four columns/rows are selected during the computation. The rows are selected according to the same principle. The two for-loops and the random selection of the columns and rows are shown in the following snippet:

UINT8 randomValues[2];
getRandomValues(randomValues, sizeof(randomValues));   /* two fresh PRNG bytes */

/* random column selection */
for (i = 0; i < 4U; i++) {
    randomCol = (i + randomValues[0]) & 0x3U;

    /* random row selection */
    for (j = 0; j < 4U; j++) {
        randomRow = (j + randomValues[1]) & 0x3U;

        /* do SBox and ShiftRows according to unprotected implementation
         * but replace fixed columns and rows by randomCol and randomRow */
        [...]
    }
}

The MixColumns operation is a word-wise operation, which means that the four words can be calculated in a random order. For that, another random number is needed in order to randomly select the current word. To ensure that all four words are selected, the corresponding variable is incremented by one after each word-wise MixColumns operation. Then, again only the two LSBs are selected by a bitwise AND with 0x3.


The internal functions of MixColumns are implemented according to the standard [FIP]. Therefore, the 32-bit word is internally split up into four 8-bit values which are processed independently of each other. Again, the two LSBs of a new random number determine the order in which the bytes are processed.

The last operation executed in a random order is the AddRoundKey operation, since it operates on 16 independent bytes. In the implementation used, the AES state is stored as an array containing four 32-bit values, which simulates the 4 x 4 state matrix. Therefore, the AddRoundKey operation is split up into only four XOR operations, each processing 32 bits. The procedure for this operation is similar to the procedure for the SubBytes operation presented previously. The corresponding pseudocode is:

UINT8 randomValue;
getRandomValues(&randomValue, sizeof(randomValue));   /* one fresh PRNG byte */

/* random column selection */
for (i = 0; i < 4U; i++) {
    randomCol = (i + randomValue) & 0x3U;
    State[randomCol] = State[randomCol] ^ currentRoundKey[randomCol];
}

First, a new random number is obtained. Then, the current column is selected. After that, the XOR with the current round key is calculated. During all these steps, the processed values are masked.
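The shuffled SubBytes and AddRoundKey loops above, as an added example in C that is not the CycurLIB code: the state is kept as four 32-bit column words as the text describes, the start index is offset by the random byte and wrapped with `& 0x3U`, and an exhaustive check over all 65536 pairs of random bytes confirms the property the countermeasure depends on, namely that every byte is processed exactly once and the result equals the unshuffled computation. The byte order inside a column word, the constructed start state and the stand-in byte substitution (any permutation serves to check ordering; it is not the AES S-box) are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t  UINT8;
typedef uint32_t UINT32;

/* AES state as four 32-bit column words, as in the implementation described above;
 * byte r of column c sits in bits 8r..8r+7 (assumption about the byte order). */
typedef struct { UINT32 col[4]; } State;

static UINT8 get_byte(const State *s, unsigned c, unsigned r) { return (UINT8)(s->col[c] >> (8 * r)); }
static void set_byte(State *s, unsigned c, unsigned r, UINT8 v)
{
    s->col[c] = (s->col[c] & ~(0xFFu << (8 * r))) | ((UINT32)v << (8 * r));
}

/* Stand-in for the S-box LUT: any byte permutation (assumption, not the AES S-box). */
static UINT8 toy_subst(UINT8 x) { return (UINT8)(x * 7u + 3u); }

/* Shuffled byte-wise operation: the two random bytes pick the starting column and row,
 * the loop counters walk on from there and '& 3' wraps around, so every one of the
 * 16 bytes is touched exactly once. visit[] records the order for inspection. */
void subbytes_shuffled(State *s, const UINT8 randomValues[2], unsigned visit[16])
{
    unsigned i, j, n = 0;
    for (i = 0; i < 4; i++) {
        unsigned randomCol = (i + randomValues[0]) & 0x3U;
        for (j = 0; j < 4; j++) {
            unsigned randomRow = (j + randomValues[1]) & 0x3U;
            visit[n++] = randomCol * 4 + randomRow;
            set_byte(s, randomCol, randomRow, toy_subst(get_byte(s, randomCol, randomRow)));
        }
    }
}

/* Shuffled AddRoundKey on the four column words; order[] records the column sequence. */
void add_round_key_shuffled(State *s, const UINT32 rk[4], UINT8 randomValue, unsigned order[4])
{
    unsigned i;
    for (i = 0; i < 4; i++) {
        unsigned randomCol = (i + randomValue) & 0x3U;
        order[i] = randomCol;
        s->col[randomCol] ^= rk[randomCol];
    }
}

/* Constructed start state: bytes 0x00..0x0f */
static const State START = { { 0x00010203u, 0x04050607u, 0x08090a0bu, 0x0c0d0e0fu } };

/* Exhaustive check over all random byte pairs: each byte visited once and the result
 * equals the unshuffled computation. Returns 1 if the shuffle is sound. */
int shuffle_is_sound(void)
{
    unsigned rv0, rv1, k;
    State ref = START;
    for (k = 0; k < 16; k++) set_byte(&ref, k / 4, k % 4, toy_subst(get_byte(&ref, k / 4, k % 4)));
    for (rv0 = 0; rv0 < 256; rv0++)
        for (rv1 = 0; rv1 < 256; rv1++) {
            State s = START;
            UINT8 rnd[2] = { (UINT8)rv0, (UINT8)rv1 };
            unsigned visit[16], seen[16] = { 0 };
            subbytes_shuffled(&s, rnd, visit);
            for (k = 0; k < 16; k++) seen[visit[k]]++;
            for (k = 0; k < 16; k++) if (seen[k] != 1) return 0;
            if (memcmp(&s, &ref, sizeof s) != 0) return 0;
        }
    return 1;
}

/* Column order AddRoundKey uses for one random value, packed as decimal digits
 * (e.g. randomValue 2 gives 2301). */
unsigned addroundkey_order(UINT8 randomValue)
{
    State s = START;
    UINT32 rk[4] = { 0xffffffffu, 0, 0, 0 };
    unsigned order[4], i, packed = 0;
    add_round_key_shuffled(&s, rk, randomValue, order);
    for (i = 0; i < 4; i++) packed = packed * 10 + order[i];
    return packed;
}

int main(void)
{
    printf("shuffle sound for all random pairs: %s\n", shuffle_is_sound() ? "yes" : "NO");
    printf("AddRoundKey column order for random byte 2: %u\n", addroundkey_order(2));
    return 0;
}
```

Only the two LSBs of each random byte matter, so there are just four distinct column orders and four row orders; that bounded randomness is what limits the protection shuffling alone offers and why the text combines it with masking.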

5.2 HO-DPA Attack

In order to determine whether the implemented countermeasures provide sufficient protection against higher-order DPA attacks, a second order DPA attack was implemented. This section describes the two corresponding CycurDPA workstation plug-ins, i.e. the filter plug-in (which pre-processes the traces) and the analysis plug-in. In order to load one of the plug-ins, a base experiment has to be selected in the main application. This experiment is the one which is filtered and attacked. The plug-in is then loaded by following the filter/analysis workflow of the CycurDPA workstation.

5.2.1 Preprocessing Step

A higher-order DPA attack consists of two steps. First, the traces have to be preprocessed. The best way to realize the preprocessing step is to use the filter plug-in structure of the CycurDPA workstation.

As explained in Section 3.2.3, a masking scheme can be defeated by analysing more than one sampled value within the same power consumption trace. In order to achieve this, the leakage signals have to be combined. Since the preprocessing step is realized as a filter plug-in, both the original traces and the processed traces are saved in different experiments. This means that the same data can be used for different preprocessing steps and analyses, which makes the results comparable.


Software Design

The following requirements are specified in order to clarify which functionality the filter plug-in should provide:

• It should be possible to select the type of traces to be preprocessed.

• The plug-in should support different trace representations (e.g. one-byte traces, two-byte traces etc.). For this thesis it was sufficient to support one-byte traces only. Nevertheless, the possibility to add support for other representations is provided.

• It is useful to specify a time range within the traces. If the attacker has detailed knowledge about the execution of the algorithm, this can reduce the calculation time and/or the memory usage.

• It should be possible to add different combining functions.

• For usability, a progress bar should be implemented.

GUI Design

The main class of the implemented filter plug-in is SndOrderFilter, with the corresponding Graphical User Interface (GUI) shown in Figure 5.2. The plug-in provides several configuration options. First, the trace type can be selected.

Figure 5.2: Filter plug-in GUI for second order DPA

Until now the plug-in only supports 1-byte values. Since some oscilloscopes provide 4-byte values, a radio button was added so that 4-byte support etc. can be added as well. Additionally, there are combining functions needing other representations, for example the product combining results in 2-byte traces. In order to speed up the pre-processing step, two ranges can be specified if the attacker has more detailed knowledge about the time range during which the two samples correlate. These two ranges are combined with each other, while the other points are skipped. If no ranges are specified, all points are combined with each other, which takes longer and needs more memory space compared to limited ranges.

The filter plug-in currently supports one combining function, although a second combining function is already prepared. Due to the radio button and the corresponding selections within the source code, other combining functions can easily be added.

Implementation Details

The implemented combining function is the absolute difference combining function according to [Mes00]. It calculates the absolute value of the difference of two points within the same trace. More detailed information can be found in Section 3.2.3, while our implementation is given in Listing 5.2.

// combining function: absolute difference
for(int i=0; i<numberOfTraces; i++)
{
    // Get trace
    [...]

    if(useRange)
    {
        from1 = traceRange1From;
        from2 = traceRange2From;
        to1 = traceRange1To;
        to2 = traceRange2To;
    }
    else
    {
        from1 = 0;
        from2 = 1;
        to1 = trace.length();
        to2 = trace.length();
    }

    //combine traces
    for(int j = from1; j < to1; ++j)
    {
        int8_t left = int8_t(trace[j]);
        for(int k = from2; k < to2; ++k)
        {
            int8_t right = int8_t(trace[k]);
            if(absDiff)
                sndOrderTrace.append(abs(left-right));
            //else
            //other combining functions may be added
            //
        }
    }
}

Listing 5.2: Absolute difference combining function

The plug-in uses all available traces. If fewer traces are to be used, the experiment has to be adapted in a previous step. After the current trace has been loaded, the boundaries for the loops are set. If ranges are specified, the boundaries are set to the corresponding range values; otherwise every pair of points is combined once.


5.2.2 Analysis

The next step of a second order DPA attack is the evaluation itself, which was implemented using the analysis plug-in structure of the CycurDPA workstation. A base experiment has to be selected to be attacked. After that, the analysis plug-in is loaded following the workflow of the CycurDPA workstation.

Software Design

For the analysis plug-in certain requirements were specified.

• It should be possible to select the trace type that is analysed.

• The plug-in should support different trace representations (e.g. one-byte traces, two-byte traces etc.). It is sufficient to support only one-byte traces for this thesis. Additionally, the possibility to easily add support for other representations is prepared.

• It might be useful to specify a key range if the attacker has some detailed knowledge about the key.

• It should be possible to add different power models.

• If some key bytes are already known, it should be possible to set specific key bytes to a fixed value, which makes it easier to attack the neighbouring key byte.

• For usability, a progress bar and a log window should be implemented.

GUI Design

The main class of the implemented analysis plug-in is called 2ndOrderAttack. The corresponding GUI is presented in Figure 5.3. The trace types and the trace representation are selected similarly to the preprocessing plug-in. Since the traces consist of many points, the analysis of two key bytes with the whole key space takes very long. If the attacker has additional information on the secret key or on some of its bytes, the analysis can be sped up. Depending on the knowledge, either the key space for the corresponding bytes can be limited or the neighbouring key byte can be set to a fixed value. This is useful since the power model is currently fixed to the HW of the output of two neighbouring bytes. Nevertheless, a selection opportunity for the power model is provided for future extensions.

Implementation Details

The internal structure of the analysis plug-in is based on the Correlation Analysis plug-in presented in Section 4.3, since both attacks are similar. The second order DPA plug-in copies the traces to one large file. Loading the data on the fly for several small experiments increased the analysis time significantly. The average calculation time for experiments using the single trace file was 1.5 times faster than for analyses using several files. The disadvantage of one large file is that the required HDD memory space is twice as large as for the original experiment. It was decided to accept a higher memory consumption for a shorter calculation time. Especially for the second order analyses, this was useful because the computation took several hours. Considering that only the usage of HDD memory (which is quite cheap) increases, this is a suitable trade-off. The increase in calculation time for loading the data on the fly can be explained with the time needed to open and load the small files. As the data is needed several times during one attack, this requires a lot of additional time.

Figure 5.3: 2nd Order Attack plug-in GUI

Since the calculations for the different key bytes are independent of each other, the attack can be split up into different threads. This significantly speeds up the analysis. The number of used threads is set according to the host computer. If more than two threads are available, one thread is reserved for other tasks. All threads apart from the reserved one are used for the calculation.

Due to the implemented masking scheme, it was suitable for this thesis to implement one hypothetical power model only, namely the XOR of the S-box outputs of two neighbouring bytes. Nevertheless, a selector is implemented to allow adding other power models in the future:


if (useHW)
{
    // HW of the XOR of the S-box outputs of two neighbouring bytes, k2 being the fixed neighbouring key byte
    hyp = getHW(getSboxValue(plaintextByte1 ^ (uint8_t) k) ^ getSboxValue(plaintextByte2 ^ k2));
}
//else
// implement other power model
//

The calculation of the correlation coefficient and the selection of the five best guesses are based on the first order DPA plug-in presented in Section 4.3. Hence, these steps are not described in detail here.
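The two steps described in this section, the absolute-difference combining of Listing 5.2 over two ranges and the correlation with the power model HW(S(p1 ^ k1) ^ S(p2 ^ k2)) with the neighbouring key byte k2 fixed, as an added Python example on constructed traces; it is not the thesis' plug-in code. The S-box is a constructed random bijection standing in for the AES S-box, the key bytes, trace layout and noise level are assumptions, and the run also shows that the same mask hides the S-box output at first order.

```python
# Added example (not code from the thesis or the CycurDPA plug-ins): evaluating a
# Boolean-masked S-box at first and second order on constructed traces.
import random
from math import sqrt

SBOX = list(range(256))
random.Random(7).shuffle(SBOX)          # constructed stand-in for the AES S-box


def hw(x):
    """Hamming weight of an integer."""
    return bin(x).count("1")


def make_traces(n, k1, k2, points, t1, t2, sigma, rng):
    """Constructed leakage: the S-box outputs of two neighbouring bytes share the
    output mask m, so point t1 leaks HW(S(p1^k1)^m) and point t2 leaks
    HW(S(p2^k2)^m); every point carries Gaussian noise with std sigma."""
    traces, inputs = [], []
    for _ in range(n):
        p1, p2, m = rng.randrange(256), rng.randrange(256), rng.randrange(256)
        trace = [rng.gauss(0.0, sigma) for _ in range(points)]
        trace[t1] += hw(SBOX[p1 ^ k1] ^ m)
        trace[t2] += hw(SBOX[p2 ^ k2] ^ m)
        traces.append(trace)
        inputs.append((p1, p2))
    return traces, inputs


def abs_diff_combine(trace, range1, range2):
    """Absolute-difference combining function (Listing 5.2): every point of
    range1 = (from1, to1) is combined with every point of range2 = (from2, to2)."""
    (from1, to1), (from2, to2) = range1, range2
    return [abs(trace[j] - trace[k])
            for j in range(from1, to1) for k in range(from2, to2)]


def pearson(xs, ys):
    """Pearson correlation coefficient of two equally long sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / sqrt(sxx * syy)


def first_order_scores(traces, inputs, point):
    """No combining: correlate HW(S(p1^k1)) with one raw point for every k1.
    With a uniform mask m the expected correlation is zero for every key."""
    column = [t[point] for t in traces]
    return [abs(pearson([hw(SBOX[p1 ^ k1]) for p1, _ in inputs], column))
            for k1 in range(256)]


def second_order_scores(traces, inputs, k2_fixed, range1, range2):
    """Preprocess every trace, then correlate HW(S(p1^k1) ^ S(p2^k2)) for every
    k1 with every combined point. Returns the largest |correlation| per k1."""
    combined = [abs_diff_combine(t, range1, range2) for t in traces]
    columns = [[c[i] for c in combined] for i in range(len(combined[0]))]
    scores = []
    for k1 in range(256):
        hyp = [hw(SBOX[p1 ^ k1] ^ SBOX[p2 ^ k2_fixed]) for p1, p2 in inputs]
        scores.append(max(abs(pearson(hyp, col)) for col in columns))
    return scores


def evaluate_masking(n=1500, seed=1):
    """Constructed run: the mask defeats the first-order analysis, but combining
    the two leaking points lets the correct k1 stand out."""
    rng = random.Random(seed)
    k1, k2 = 0x2B, 0x7E                    # constructed key bytes
    traces, inputs = make_traces(n, k1, k2, points=6, t1=1, t2=4,
                                 sigma=0.3, rng=rng)
    # ranges as the plug-in's range option allows when the time windows of the
    # two S-box lookups are known: points 0..1 and points 3..4
    second = second_order_scores(traces, inputs, k2, range1=(0, 2), range2=(3, 5))
    first = first_order_scores(traces, inputs, point=1)
    best = max(range(256), key=lambda k: second[k])
    wrong = max(s for k, s in enumerate(second) if k != k1)
    return {"best_k1": best, "true_k1": k1, "second_order_true": second[k1],
            "second_order_best_wrong": wrong, "first_order_true": first[k1]}


if __name__ == "__main__":
    print(evaluate_masking())
```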

5.3 Algebraic Side-Channel Attack Plug-In

As a second attack, the algebraic side-channel attack as introduced in Section 3.3 was implemented. This section describes the corresponding CycurDPA workstation plug-in and the development process. In order to load the plug-in, a base experiment has to be selected in the main application. This experiment is the one for which the attack is performed. The plug-in is loaded by following the analysis workflow of the CycurDPA workstation.

5.3.1 Software Design

First, the functions of the plug-in are specified with the following minimal requirements:

• The plug-in should be able to generate a SAT problem.

• In order to generate a satisfiable SAT problem, intermediate values have to be extracted. Therefore, it should be possible to load or build templates.

• For building templates, it is necessary to specify the number of Points of Interest (POIs) which are used to generate the template.

• Additionally, it should be possible to select the intermediate values for which a template is built.

• It should be possible to match the templates with the base experiment and add the extracted values to the SAT problem.

• The generated SAT problem should be solved.

To increase the usability, optional requirements were specified which are not relevant for the main tasks of the plug-in but provide additional features.

• It is helpful to display some information about the selected base experiment. Especially the plaintext and the ciphertext are important values as they are used as input values for the SAT problem.


• As there are different algorithms and techniques to transform the S-box into a system of boolean equations, it should be loaded from a file. This makes it possible to use different S-box representations.

• It is helpful to start the SAT solver from the plug-in in order to avoid the appearance of a second (external) program.

• There are reasons for simulating an attack, e.g. in order to test a new S-box representation.

• To show which template is used for an attack, it is helpful to display the currently loaded template.

• In order to optimize the template, it is helpful to specify a minimal difference between the selected POIs.

• Additionally, it is useful to specify a range of points for different intermediate values. This helps to increase the quality of the templates.

• To show what the plug-in is currently doing and the progress of the calculations, a log window and a progress bar are needed.

5.3.2 GUI Design

Based on the requirements previously presented, the GUI was designed with the main focus on clear arrangement and usability. As shown in Figure 5.4, the dialogue consists of four different parts, which are explained in the following.

The first part is marked with the headline Information and displays all relevant information about the base experiment. Especially the plaintext and ciphertext are interesting values since they are used as input for the system of equations. If the key is known, it is also displayed, which helps to check the result of the SAT solver.

The second part provides different settings for the ASCA attack. Besides the possibility to specify paths for the S-box file, the used SAT solver and the SAT problem, the attack can either be simulated or the intermediate values can be extracted by matching the templates with the base experiment. If Simulate Attack is checked, no templates are matched with the base experiment and the corresponding GUI elements are disabled.

The third part deals with the configuration for the templates. On the one hand, previously acquired templates can be loaded. The user has the possibility to either load one single template or all available templates. On the other hand, new templates can be built. Therefore, the user has to specify the experiment which should be used for characterizing the target device and the specific trace type. Additionally, the number of POIs and the difference between them has to be specified. The button Select Intermediate Values opens a new dialogue presented in Figure 5.5. The design of this dialogue is based on the ASCAtoCNF tool by Mathieu Renauld¹ because it was found that this presentation is a user-friendly possibility to select the intermediate values. The user can select the intermediate values for which a template should be built by simply clicking on the corresponding button. If the colour is green, a template for this value will be built. In contrast to the dialogue by Renauld, the possibility to specify a range is implemented as well. Note that the POIs in a trace contain the most information about the intermediate value. Therefore, the range where the intermediate value is processed can be specified. If Load existing Templates is checked, all GUI elements which are necessary for building a template are disabled and vice versa.

¹ http://www.ecrypt.eu.org/tools/ascatocnf, last seen on 16.05.2013

Figure 5.4: Algebraic Attack Plug-in GUI

The last part of the plug-in GUI provides a log window and a progress bar. Additionally, the user has the possibility to cancel the current step and to close the plug-in.

5.3.3 Implementation Details

This section gives some detailed information on the implementation of the different steps of the ASCA attack.


Figure 5.5: Dialogue to select intermediate values

Transforming the S-box

An ASCA consists of three steps, the first and second offline phases and the online phase, which do not have to be processed in a strict order. The first offline phase deals with the transformation of the cipher into a system of polynomial equations. For the linear part of the cipher this step is done shortly before translating the equations into a SAT problem. The non-linear part of the cipher, i.e. the S-box, is transformed in a previous step with the help of the open source mathematics software tool SAGE [sag] and stored in a text file. The file-based representation of the S-box was chosen in order to allow the usage of different S-box transformation algorithms and to compare them easily. Therefore, the plug-in allows specifying the path to the S-box file to be used.

The following SAGE commands are used to transform the S-box into boolean equations in CNF:

Sr = mq.SR(10, 4, 4, 8, allow_zero_inversions=True)
S = Sr.sbox()
cnf = S.cnf()

Listing 5.3: SAGE commands to transform the S-box


The first line initialises a small-scale variant of the AES with the following conditions: the first input parameter indicates the number of rounds, in this case 10 rounds. The second and third input parameters describe the dimension of the state array matrix, which has 4 rows and 4 columns. The fourth input parameter specifies the degree of the underlying finite extension field, which is 8 in the case of the regular AES. On the second line, the S-box object for the initialised AES is constructed, and on the third line it is translated into an alternative polynomial representation, namely CNF.

With the commands described above, random S-boxes can be transformed into polynomial representation in CNF as well. Instead of defining the AES S-box, one can define one's own S-box by filling S = mq.SBox() with random values. The following commands are later used to transform a masked S-box to CNF.

sr = mq.SBox([195, 187, ...])
sr.cnf()

Listing 5.4: SAGE commands to transform a random S-box

After the algebraic attack plug-in has been loaded, the user can specify a file which contains a valid S-box representation. This file is loaded during the transformation of the linear system of equations to CNF. In order to use another S-box file, the variables have to be denoted as 1 to 16, where the variables 1 to 8 represent the input and 9 to 16 the output bits. In order to obtain DIMACS CNF, which is required by the SAT solver, each line of the S-box file has to contain one clause with an arbitrary number of variables. Again, negative variables are marked with a minus sign. Each clause describes a disjunction of several variables. The clauses are connected with a conjunction.

Transforming the Linear Part of the AES

As presented in Section 3.3.1, it is straightforward to transform the linear part of the AES into low degree boolean equations. This section deals with transforming the linear part of an unprotected AES into a system of equations. Transforming the protected AES is nearly the same. Therefore, only the differences are described in a later section.

The equations are stored as a sparse matrix M, which has the advantage that this kind of matrix can be stored efficiently. Since many entries are equal to zero, only the positions of the non-zero entries are stored. The matrix M is implemented with the help of a vector which itself contains vectors. This has the big advantage that the matrix can grow dynamically. For the unprotected algorithm, the system of equations has 6432 rows and 8033 columns at maximum, where the rows represent the equations and the columns represent each variable. Additionally, a vector Msize is added which holds the number of variables for each equation. This makes it easy to track the size of the columns of the sparse matrix. M[r][i] holds the specific entries (namely the variables from 0 to r) that describe the corresponding equation, while i goes from 0 to Msize[r]. Due to the algebraic structure of AES, all variables are combined using the bitwise XOR function, which makes it unnecessary to store any mathematical operations.


First, the variables have to be assigned to the values during an AES run. Since the SAT solver operates in an ascending order, the secret key is assigned to variables 1 to 128. This makes it easier to read out the key after the SAT problem is solved. According to their occurrence in the block cipher and in the used implementation, the variables are assigned to the intermediate values as presented in Table 5.1. It is not necessary to assign the last key addition step, because the result of this step is equal to the ciphertext. If the ciphertext is known, its value can be added to the equation for the last round key. The plaintext is treated similarly. If it is known, it is added to the equation for the first AddRoundKey operation. If it is unknown, this addition is skipped.

Variables      Values
1 - 128        Secret Key
129 - 1408     round key 1 - 10
1409 - 1728    S-box for round key 1 - 10
1729 - 1856    AddRoundKey, round 0
1857 - 1984    S-box output, round 1
1985 - 2016    MixColumns step 1, round 1
2017 - 2144    MixColumns step 2, round 1
2145 - 2272    MixColumns step 3, round 1
2273 - 2400    MixColumns step 4, round 1
2401 - 2528    AddRoundKey, round 1
2529 - 3200    round 2
3201 - 3872    round 3
3873 - 4544    round 4
4545 - 5216    round 5
5217 - 5888    round 6
5889 - 6560    round 7
6561 - 7232    round 8
7233 - 7904    round 9
7905 - 8032    S-box, round 10

Table 5.1: Assignment of variables to intermediate values

The following source code implements the example presented in Section 3.3.1, i.e., the calculation of the MSB of round key 1.

int equCnt = 0; //counts the equations
[...]
for(int r = 0; r<rounds; ++r)
{
    /* the first 32 bit of each key schedule round contain
       nonlinear elements (sbox) and are therefore separated */
    for(int i = 0; i<32; ++i)
    {
        /* RC is known, add to equation */
        if(i<8)
        {
            equations->set(equCnt, 0, rcTemp[i]); //rcon
        }
        equations->set(equCnt, 1+(rounds+1)*128+r*32+i, 1); // S[r]
        equations->set(equCnt, 1+r*128+i, 1); // round key r
        equations->set(equCnt, 1+(r+1)*128+i, 1); // round key r+1
        equCnt++;
    }
}

As a reminder, the MSB of round key 1 is calculated as b0,W[4] = b0,W[0] ⊕ b0,S(VW 3,1) ⊕ b0,RC[1], with b0 representing the first bit of each value. Since the SAT solver needs the equations in DIMACS CNF format, the equations are equated to 0. This leads to the fact that the MSB of round key 0 XOR round key 1 XOR SBox(round key 0) is equal to 0. When the for loop is evaluated for the first bit, which means for i=0, r=0 and equCnt=0, we get the following equation:

/* rcTemp = 0b00000001 */
equations->set(0, 0, rcTemp[0]); //rcTemp[0] = 0
equations->set(0, 1409, 1); // SBox for round key 1
equations->set(0, 1, 1); // round key 0 = secret key
equations->set(0, 129, 1); // round key 1
// equation 0 --> 0 = 1 XOR 129 XOR 1409

Transforming the rest of the AES into the system of boolean equations is done according to the procedure described above. Only the nonlinear parts, meaning the S-box equations, are skipped and added from the specified S-box file before generating the SAT problem.

Adaptations for the Masked AES

In order to analyse a protected implementation of the AES, the system of equations has to be adapted. The masks are also part of the different equations and therefore have to be added as variables. This means that the number of predefined variables rises from 8032 to 9680, since 48 random bits were used as masks in the applied masking scheme: two 8-bit values for the input and output mask of the S-box step and four 8-bit values to mask the MixColumns operation. The remaining variables are added to simplify the remasking step after the ShiftRows operation and for the last round key word, which has to be remasked for the S-box operation in the g() function. The assignment of intermediate values to variables presented in Table 5.1 now has to be extended with the variables shown in Table 5.2.

Adding the masks is straightforward. The following source code shows the remasking step after the ShiftRows operation as an example.

//remask after shift rows
for(int r=0; r<rounds; r++)
{
    for(int i=0; i<128; ++i)
    {
        equations->set(equCnt, 1+nvar_key+nvar_allrounds+48+320+r*128+i, 1); //remasked value
        equations->set(equCnt, 1+nvar_key+r*nvar_round+128+aesPtr->ShiftRows(i), 1); //shift value
        //remove m' from sbox
        equations->set(equCnt, 1+nvar_key+nvar_allrounds+8+(i%8), 1);
        //add M14 for MC step
        equations->set(equCnt, 1+nvar_key+nvar_allrounds+2*8+(i%32), 1);
        equCnt++;
    }
}

Variables      Values
8033 - 8040    mask m
8041 - 8048    mask m'
8049 - 8080    mask m1_m2_m3_m4
8081 - 8400    10 · 32 bit for remasking the last word of the round key
8401 - 9552    9 · 128 bit for remasking after ShiftRows operation
9553 - 9680    masked secret key

Table 5.2: Assignment of additional variables

Since the SAT problem could not be solved while attacking a masked implementation, a new S-box file was generated for testing purposes. This file describes an S-box which is already masked and satisfies SBox′(x ⊕ m) = SBox(x) ⊕ m′. This is done to eliminate potential mistakes in the S-box equations. The used masks are generated with the implemented PRNG and then used to mask the AES S-box and translate it to equations in CNF with the help of SAGE.

Building and Matching the Templates

In order to solve the system of equations, it is necessary to add additional information. As presented in Section 3.3, the HW of intermediate values can be extracted from side-channel information with the help of template attacks. The template attack is integrated into the ASCA plug-in in order to avoid the usage of two different analysis plug-ins. The attack was implemented according to the description in [MOP07].

Before the analysis begins, the user has to select an experiment from which the templates should be built. Additionally, the number of POIs and the difference between these points has to be specified. Since the power consumption depends on the value that is being processed, a range selection is implemented which speeds up the analysis.

During the template building phase, the traces are sorted by their HW for the attacked intermediate value as a first step. To this end, an AES encryption was implemented. Since the key and the plaintexts are known in the building phase, the intermediate values can simply be calculated and their HW determined. After the traces are sorted, the corresponding mean traces are calculated.

for(int i=0; i<numTotalTraces; i++)
{
    aesPtr->setRunValues(rV.input, rV.output, rV.key);
    aesPtr->encrypt();
    // leak holds the attacked intermediate value of this run
    // (its retrieval from the encryption is not shown here)

    //hamming weight for leakage value
    uint8_t hw = getHammingWeight(leak);

    //increase counter for hamming weight
    numTracesHW[hw] += 1;

    //calculate mean of traces
    for(int t = rangeFrom; t<=rangeTo; ++t)
    {
        double power = trace.at(t);
        mean[hw][t] += power;
    }
} //end for all traces

for(int i=0; i<numHW; ++i)
{
    if(numTracesHW[i] != 0)
    {
        for(int j=rangeFrom; j<=rangeTo; ++j)
        {
            mean[i][j] = mean[i][j] / (double)numTracesHW[i];
        }
    }
}

In order to find the POIs, the difference of means is calculated with the help of the mean traces. The points with the highest difference are the most relevant points and are stored in a vector. The mean trace of this new vector is part of the multivariate normal distribution. The covariance matrix is calculated as well in order to complete the template.

During the matching phase, the pre-built templates are used to evaluate one single trace using the maximum-likelihood decision rule. This rule computes the probability density function to indicate how likely the corresponding template fits the given trace.

The results for the nine possible Hamming weights are ordered in descending order and presented in a dialogue. This dialogue allows selecting the best results of all attacked intermediate values at once, or the user can manually select the Hamming weights. A manual selection might be necessary if numerical problems occurred during the computation. The dialogue is shown in Figure 5.6. The user has to select the results, otherwise the system of equations cannot be generated.

Generating the SAT problem

After the AES has been transformed to a system of XOR equations, it has to be translated into a SAT solver problem. This step is based on the Java code from Mathieu Renauld which is used by the ASCAtoCNF tool [asc] and which is also used by other researchers (for example, [MSEMSBMZ+]). Bard et al. presented efficient methods to convert a system of equations to a SAT problem in their paper [BCJ07], which is also the basis for Renauld's code.

Figure 5.6: Matching results dialog

Due to the structure of AES, only XOR operations have to be translated into CNF. This is a very challenging part since the number of new clauses grows exponentially with the number of variables in the corresponding equation [RS09]. Therefore it is proposed to insert dummy variables into the equations in order to limit the number of clauses. The number of terms for the new equation is arbitrary, but Renauld et al. obtained satisfying results by limiting the size to four. Therefore this number is also used in our implementation. Reducing each equation to only four terms is done in the following way [BCJ07]:

$$x_1 \oplus x_2 \oplus x_3 \oplus \dots \oplus x_l = 0 \tag{5.1}$$

is equivalent to

$$\begin{aligned}
x_1 \oplus x_2 \oplus x_3 \oplus y_1 &= 0 \\
y_1 \oplus x_4 \oplus x_5 \oplus y_2 &= 0 \\
&\;\vdots \\
y_n\,(\oplus\, x_{l-2}) \oplus x_{l-1} \oplus x_l &= 0
\end{aligned} \tag{5.2}$$

Depending on whether $l$ is even or odd, the last equation has four or three terms, respectively. By limiting the number of terms per equation to four, the exponential growth can be traded off against $\lceil n/2 \rceil - 1$ smaller equations and the same amount of dummy variables.

The translation is done with the help of a LUT. This LUT consists of the positive and negative value 1 and is used as a factor to give a value its sign. Each XOR operation with $x$ variables can be described in a normal form with the help of $2^{x-1}$ equation parts (clauses). The table is used to translate equations with a different number of variables. A maximum of four variables is supported as the number of variables per equation is limited to four. If the equation consists of more than four variables, it is split up as presented before. The base for the LUT is the CNF representation of a four term XOR equation:

$$\begin{aligned}
a \oplus b \oplus c \oplus d = {} & (a \lor b \lor c \lor d) \land (a \lor b \lor \bar{c} \lor \bar{d}) \land \\
& (a \lor \bar{b} \lor c \lor \bar{d}) \land (a \lor \bar{b} \lor \bar{c} \lor d) \land \\
& (\bar{a} \lor b \lor c \lor \bar{d}) \land (\bar{a} \lor b \lor \bar{c} \lor d) \land \\
& (\bar{a} \lor \bar{b} \lor c \lor d) \land (\bar{a} \lor \bar{b} \lor \bar{c} \lor \bar{d})
\end{aligned} \tag{5.3}$$

After the equations have been translated and added to the SAT problem, the S-box clauses are added using the same procedure. For this purpose, they are read from the specified file and translated to the DIMACS CNF format with the help of limiting the number of variables per equation and the LUT.

As the last step, the extracted side-channel information is added to the new system. An additional file is used which describes all possible HW in CNF format. To transform a known leakage value to CNF format, one simply has to load the corresponding set of equations and replace the predefined variables by the variables which describe the intermediate value. The following listing presents the CNF representation of all possible 8-bit values with Hamming weight 0.

-1
-2
-3
-4
-5
-6
-7
-8

In the typical notation, the corresponding equation looks like this: $\bar{1} \land \bar{2} \land \bar{3} \land \bar{4} \land \bar{5} \land \bar{6} \land \bar{7} \land \bar{8}$. Table 5.3 presents the different HW and the number of equations needed to fully describe them.

Hamming Weight    Number of Equations
0                 8
1                 29
2                 64
3                 98
4                 112
5                 98
6                 64
7                 29
8                 8

Table 5.3: Hamming weights in CNF format

After each part of the system has been translated, the complete SAT problem is written to a simple .txt file which is then used as the input for the SAT solver.
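The translation steps described in this section, i.e. splitting long XOR equations with dummy variables (equations 5.1 and 5.2), the parity-based sign LUT (equation 5.3) and the Hamming-weight constraints of Table 5.3, as an added Python example; it is neither the thesis' plug-in code nor Renauld's ASCAtoCNF tool. The variable numbering follows the DIMACS convention used above, and the small instance built by leakage_constrained_xor() is constructed.

```python
# Added example (not code from the thesis or the ASCAtoCNF tool): XOR equations
# and Hamming-weight leakage translated to DIMACS CNF as described in the text.
from itertools import combinations, product


def split_xor(variables, next_dummy):
    """Rewrite x1 ^ ... ^ xl = 0 (equation 5.1) as a chain of equations with at
    most four terms (equation 5.2), introducing dummy variables y_i numbered
    from next_dummy upward. Returns (equations, next free variable number)."""
    equations, rest = [], list(variables)
    while len(rest) > 4:
        y = next_dummy
        next_dummy += 1
        equations.append(rest[:3] + [y])   # e.g. x1 ^ x2 ^ x3 ^ y1 = 0
        rest = [y] + rest[3:]              # y1 carries the parity onward
    equations.append(rest)                 # last equation has 4 or 3 terms
    return equations, next_dummy


def xor_to_cnf(variables, rhs=0):
    """Clauses for x1 ^ ... ^ xk = rhs (k <= 4). A clause whose negated literals
    form the set N forbids exactly the assignment 'N set, rest clear', whose
    parity is |N| mod 2; keeping the clauses with |N| mod 2 != rhs therefore
    excludes every assignment of the wrong parity. This yields the 2^(k-1)
    clauses of equation 5.3, i.e. the sign LUT of the text."""
    clauses = []
    for signs in product((1, -1), repeat=len(variables)):
        if signs.count(-1) % 2 != rhs:
            clauses.append([s * v for s, v in zip(signs, variables)])
    return clauses


def hw_to_cnf(variables, weight):
    """Clauses for 'the bits on variables have Hamming weight exactly weight'.
    'At least weight' holds iff every (n - weight + 1)-subset contains a 1,
    'at most weight' iff every (weight + 1)-subset contains a 0. For an 8-bit
    value the clause counts are those of Table 5.3 (8, 29, 64, 98, 112, ...)."""
    n = len(variables)
    clauses = []
    if weight > 0:
        clauses += [list(sub) for sub in combinations(variables, n - weight + 1)]
    if weight < n:
        clauses += [[-v for v in sub] for sub in combinations(variables, weight + 1)]
    return clauses


def to_dimacs(clauses, num_vars):
    """DIMACS CNF text: header line, then one clause per line terminated by 0."""
    lines = ["p cnf %d %d" % (num_vars, len(clauses))]
    lines += [" ".join(str(lit) for lit in clause) + " 0" for clause in clauses]
    return "\n".join(lines) + "\n"


def models(clauses, num_vars):
    """Exhaustive model enumeration for small instances, used to check an
    encoding; returns satisfying assignments as bit tuples (index = var - 1)."""
    found = []
    for bits in product((0, 1), repeat=num_vars):
        if all(any((bits[abs(lit) - 1] == 1) == (lit > 0) for lit in clause)
               for clause in clauses):
            found.append(bits)
    return found


def leakage_constrained_xor(n=8, weight=1, rhs=1):
    """Constructed instance: an n-term XOR equation with right-hand side rhs,
    plus the side-channel information 'these n bits have Hamming weight weight'.
    Returns (clauses, number of variables including the dummies)."""
    variables = list(range(1, n + 1))
    equations, next_var = split_xor(variables, n + 1)
    clauses = []
    for idx, eq in enumerate(equations):
        # only the last equation of the chain carries the constant term
        clauses += xor_to_cnf(eq, rhs if idx == len(equations) - 1 else 0)
    clauses += hw_to_cnf(variables, weight)
    return clauses, next_var - 1


if __name__ == "__main__":
    cl, nv = leakage_constrained_xor()
    print(to_dimacs(cl, nv))
    print(len(models(cl, nv)), "models")
```

With weight 1 and rhs 1 the instance has exactly eight models (one per set bit), while rhs 0 contradicts the odd Hamming weight and the formula becomes unsatisfiable, which is the kind of consistency check the text describes for the "s" status line of the solver output.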


Solving the SAT Problem

The last step of an ASCA attack is to solve the SAT problem. The user has two different possibilities. If he only generated a SAT problem, he can start a suitable SAT solver manually. The other possibility is to generate and solve the system in one step. This is done by starting the selected SAT solver with the help of the QProcess class which is provided by the Qt libraries.

QProcess *satProcess = new QProcess();   // child process that runs the external SAT solver
QStringList list;
list << pathSATFile;                      // the DIMACS CNF file is the solver's only argument
// append the solver's standard output to the result file so it can be parsed afterwards
satProcess->setStandardOutputFile(pathResultFile, QIODevice::Append);
satProcess->start("\"" + pathSATSolver + "\"", list);
// wait without a timeout: the default waitForFinished() gives up after 30 s,
// which would let the result file be parsed before a longer-running solver is done
satProcess->waitForFinished(-1);

The output is redirected to a .txt file, which makes it easier to parse the file for the correct key value. Additionally, the output can directly be stored as a result by the CycurDPA workstation. After the SAT solver has finished, the created file is parsed, checking for a line starting with s. This line indicates the status of the problem and can either be SATISFIABLE or UNSATISFIABLE. If the problem could not be solved, a QMessageBox is opened to inform the user. Otherwise the solutions for the first 128 variables are read out, as they contain the key. Again, a QMessageBox appears which presents the extracted key, and the SAT problem file together with the extracted key is then stored in the data management system of the CycurDPA workstation.

5.3.4 State Diagram

The attack itself can be described by a finite number of states. The behaviour of the system is presented in Figure 5.7.

Figure 5.7: ASCA plug-in state diagram

In this figure, the user has two possibilities after the plug-in is loaded. Either new templates can be acquired or old ones can be loaded. After that, the templates are matched to the acquired power traces. When this step is done, one generates a SAT problem that is then solved. Again, two ways are possible. If both steps are combined, which means that the SAT problem is generated and solved in one step, the specified SAT solver (CryptoMiniSat) is used. In contrast, the user can choose to generate only the problem and solve it in a different way, e.g. by using another SAT solver.


6 Security Analysis

In this chapter, different security analyses using the previously presented attacks and countermeasures are described. The steps and the results are described to make the attacks comparable. The following key, which is the key used for the examples in the AES standard [FIP], is used as a reference key during the different analyses.

Reference Key = 0x 2B 7E 15 16 28 AE D2 A6 AB F7 15 88 09 CF 4F 3C

6.1 Measurement Setup

This section describes the measurement setup used to acquire the power consumption traces. As shown in Figure 3.2, the active differential probe of the oscilloscope is directly connected to the shunt resistor, which has a value of 3.3 Ω. The passive probe instead is connected to pin 2 of port B. For the ASCA preprocessing step, a second passive probe was added to the setup and connected to pin 1 of port B.

All experiments were performed on a desktop PC with a Pentium Dual-Core CPU E6700 (3.20 GHz) and 4 GB RAM. Additionally, an external Universal Serial Bus (USB) hard drive with 1 TB storage capacity was connected to the host PC via USB 2.0 to store the traces. The target device communicates with the host PC via a virtual COM port. The oscilloscope was connected to the host PC via LAN.

6.2 Reference Experiment

In order to compare the presented higher order attacks and ASCA, a reference experiment is needed. For this purpose, an unprotected AES implementation was analysed with a first order DPA as presented in Section 3.2.2.

The first order DPA in this experiment focused on the first round of AES, so it was not necessary to acquire more than the power consumption of the first round. This was achieved with the trigger signal set to 0 (falling edge) before the first round and set to 1 right after the round computation has finished. The part of the first AES round for a single trace can be seen in Figure 6.1. The yellow trace corresponds to the measured voltage, while the light blue graph shows the trigger signal. The three main operations of the AES, namely SubBytes combined with ShiftRows, MixColumns and AddRoundKey, can be recognized (for clarity they are separated here by the red lines). First the SubBytes operation combined with the ShiftRows operation is seen. This pattern is followed by four larger patterns which correspond to each invocation of the MixColumns operation. At the end the pattern for the AddRoundKey operation is shown. For this reference experiment, the reference key was used and the plaintexts were chosen randomly. A total of 5,000 traces were acquired with a sample rate of 500 MS/s, each trace consisting of 86,000 sample points. This leads to approximately 410 MB of data in total.

Figure 6.1: Single power consumption trace for unprotected AES implementation (x-axis: sample index, 0 to 9 × 10^4; y-axis: −60 to 80)

The reference experiment was analysed with the CPA plug-in presented in Section 4.3. The HW was used as the power model. As a result, we are able to guess all key bytes correctly in 35 minutes using 5,000 traces. Table 6.1 shows the five best guesses for each key byte. The correct values are marked in green.

Key byte   0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15
1st guess  2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c
2nd guess  de 8b 2b e3 dd 5b 27 53 5e 02 e0 7d fc f1 ba 03
3rd guess  20 f7 e0 28 5d 90 75 98 0c 6e 2b 83 7c 3a e8 c9
4th guess  df d9 b2 63 23 fe ec ad 5b c9 2a fd 36 46 70 c8
5th guess  14 c6 60 1d 16 5e d9 99 de 5e 57 b7 70 68 09 49

Table 6.1: Five best guesses for CPA on unprotected AES

The corresponding correlation coefficients are presented in Figure 6.2 together with a graphical presentation of these values. It is shown that all correct guesses can be clearly identified, as their correlation coefficient is much higher than the coefficients of wrong key guesses.

This attack was also successful with fewer than 5,000 acquired traces. When the number of traces was reduced to only 500, all key bytes were still guessed correctly. In order to get a better idea of how many traces are needed for a successful attack, the traces were evaluated with the Trace Evaluation plug-in described in Section 4.3. It was found that a minimum of 80 traces is needed in order to extract all key bytes correctly. The graph for key byte 0 is presented in Figure 6.3.


Figure 6.2: CPA results on unprotected AES

6.3 DPA Attacks on Protected AES implementations

In this section, different DPAs on protected AES implementations are presented. The boolean masking scheme with a mask reuse interval of 1 and 5 is examined, as well as in combination with shuffling of operations.

6.3.1 Boolean Masking - First Order DPA

As introduced in the previous Section 6.2, an unprotected AES implementation can be broken with first order DPA. In order to protect the implementation, the boolean masking scheme was implemented and analysed. The mask was changed after every encryption, which is a mask reuse interval of 1.

First, the protected implementation was attacked with the same first order attack used for the unprotected AES implementation. To get a comparable result, the configuration was kept identical to the reference experiment, which means that 5,000 traces were acquired with 86,000 points each. The sample rate was again set to 500 MS/s. Then the data was analysed with CPA. Analysing all key bytes took approximately 35 minutes, so the costs for time and memory are the same for both experiments since the attack and the amount of data are the same. With this attack configuration no key byte was guessed correctly. This means that 5,000 traces are not enough to successfully attack a masked implementation. As presented in Figure 6.4, there was no significant difference between the correlation coefficients of the best five results. In general, the values are very low compared to the results of the unprotected implementation.

Figure 6.3: Corr. coeff. vs. number of traces for key byte 0 of an unprotected AES implementation

Since the costs of this attack, in terms of the memory usage and the short calculation time, are low, the results do not imply a sufficient protection against first order DPA attacks. Thus, the result is verified by repeating the same experiment with 50,000 traces. This leads to approximately 4 GB of data in total. First the raw traces were directly analysed, which means that no compression technique was used. Analysing one key byte takes approximately four hours and no key byte is revealed correctly. Because the calculation time increased significantly, the traces were compressed in a next step by finding the maximum of each 5 points. Compressing the traces reduces the total amount of data to approximately 820 MB. Analysing the compressed traces takes approximately 1:30 h in total and it was still impossible to guess any key byte correctly. Hence, we state that boolean masking with a mask reuse interval of 1 offers a suitable protection against first order side-channel attacks using approximately 50,000 traces.

In order to quantify the impact of the reuse interval on the protection level, the experiment was repeated with a mask reuse interval of 5. In total 20,000 traces were recorded, but this time the sampling rate was reduced to only 250 MS/s in order to compress the data. As each trace consists of 43,000 points, this leads to approximately 820 MB of data in total. The analysis took about 2 hours and we were able to guess all key bytes correctly. Figure 6.5 shows the correlation coefficients of the five best guesses for each key byte. The correlation coefficient values are lower compared to the values for the unprotected implementation. Nevertheless, the correct key bytes can be clearly identified, as their correlation coefficient is significantly higher than the coefficients of wrong guesses. Only for key bytes 13 and 14 the difference between the five best values was very small, which makes it harder to identify the correct key byte value. Since this only affects two key bytes, the correct value can be revealed by a brute force attack if those two key bytes are guessed wrong. Furthermore, it is likely that analysing more traces leads to more significant results.


Figure 6.4: CPA results for the protected AES

When attempting to explain why the countermeasure can be broken when the mask is reused, two ideas come to mind. On the one hand, the information leakage might be too strong for the given target device. One indication of this is that the correlation coefficients for the correct key guesses are very low compared to the ones from the unprotected implementation. This shows that the masks make the intermediate values mostly independent of the power consumption, but since the masks are reused, this effect is only achieved to a certain extent.

On the other hand, the pseudo random numbers might be of poor quality. In order to test this idea, another experiment was done to analyse the masks’ distribution. We used the implemented PRNG to generate 200,000 pseudorandom values. The distribution of these values was evaluated and is shown in Figure 6.6. As can be seen, the distribution is very even, so a weak point due to the pseudorandom values can likely be excluded.
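The thesis does not detail how the distribution in Figure 6.6 was evaluated. The following Python code is an added check of my own (not from the thesis): it tallies a byte histogram and computes the chi-square statistic against the uniform distribution. The three sample streams are constructed, since the thesis PRNG's output is not reproduced here: a seeded stdlib generator as the "even" case, a counter modulo 128 as a biased case, and a plain counter, which shows that a perfectly flat histogram says nothing about predictability.

```python
import random


def byte_histogram(values):
    """Count how often each of the 256 byte values occurs."""
    counts = [0] * 256
    for v in values:
        counts[v & 0xFF] += 1
    return counts


def chi_square_uniform(counts):
    """Chi-square statistic of the histogram against a uniform distribution.
    For 256 bins (255 degrees of freedom) a genuinely uniform stream gives
    values around 255; a strongly biased stream gives far larger values."""
    total = sum(counts)
    expected = total / len(counts)
    return sum((c - expected) ** 2 / expected for c in counts)


def histogram_spread(counts):
    """Smallest and largest bin; the gap shows how even the histogram is."""
    return min(counts), max(counts)


def evaluate(values):
    counts = byte_histogram(values)
    return {"chi_square": chi_square_uniform(counts), "spread": histogram_spread(counts)}


# Constructed sample streams (not the output of the thesis PRNG)
_rng = random.Random(2013)
EVEN_STREAM = [_rng.randrange(256) for _ in range(200_000)]   # looks even, like Figure 6.6
BIASED_STREAM = [i % 128 for i in range(25_600)]              # upper half of the values never occurs
COUNTER_STREAM = [i % 256 for i in range(25_600)]             # flat histogram, but fully predictable


if __name__ == "__main__":
    for name, stream in [("even", EVEN_STREAM), ("biased", BIASED_STREAM), ("counter", COUNTER_STREAM)]:
        print(name, evaluate(stream))
```

The counter stream has a chi-square value of exactly 0 although it would be the worst possible mask source: an even histogram rules out the biased-generator explanation considered above, but it cannot certify that the masks are unpredictable.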

6.3.2 Boolean Masking - Second Order DPA

Next, an AES implementation protected by the boolean masking scheme was attacked with a second order DPA attack. For this attack a mask reuse interval of 1 was chosen. Since the countermeasure with a mask reuse interval of 5 can be broken with a first order DPA, this case was not further analysed. As the second order DPA attack requires a preprocessing step, which increases the amount of data, new traces were recorded with a lower sampling rate. Therefore, a sampling rate of 100 MS/s was used. The first AES round then consists of approximately 20,000 points in time. Acquiring 3,000 power traces leads to 123 MB of data in total. In this scenario the attacker has no further information about the time range when an operation is processed, which implies that all points of the power trace have to be combined. If the traces were combined without any compression, this would lead to almost 560 GB of data in total. Thus the traces were preprocessed in order to keep the amount of data low. For this, the traces are compressed by finding the maximum value of each 5 points. Using the absolute difference combining function to combine the compressed traces leads to approximately 23 GB of data in total in about 30 minutes.

Figure 6.5: CPA results on protected AES with a mask reuse interval of 5
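To make the data volumes above checkable, the following Python code is an added example of mine (not the CycurDPA plug-in's code). It implements the two preprocessing steps described, max-of-5 compression and absolute-difference combining of all point pairs, and computes the resulting storage. The sample width of 1 byte per point is an assumption; under it the 410 MB, 820 MB, 560 GB and 23 GB figures of this chapter are reproduced within rounding when MB and GB are read as MiB and GiB. The short trace in the usage part is constructed.

```python
def compress_max(trace, window=5):
    """Compression used in the thesis: keep the maximum of each `window` points."""
    return [max(trace[i:i + window]) for i in range(0, len(trace), window)]


def abs_diff_combine(trace):
    """Second-order combining function: |t_i - t_j| for every pair i < j.
    The output has n(n-1)/2 values, which is why the data grows so fast."""
    n = len(trace)
    return [abs(trace[i] - trace[j]) for i in range(n) for j in range(i + 1, n)]


def combined_points(points):
    """Number of pairwise combinations of `points` samples."""
    return points * (points - 1) // 2


def raw_size_mib(points, traces, sample_bytes=1):
    """Storage of the uncombined traces in MiB (sample_bytes=1 is an assumption)."""
    return points * traces * sample_bytes / 2**20


def combined_size_gib(points, traces, sample_bytes=1):
    """Storage of the pairwise-combined traces in GiB."""
    return combined_points(points) * traces * sample_bytes / 2**30


if __name__ == "__main__":
    trace = [1, 4, 2, 0, 3, 9, 1, 1, 1, 1, 7]          # constructed 11-point trace
    small = compress_max(trace)                          # [4, 9, 7]
    print(small, abs_diff_combine(small))                # [5, 3, 2]
    print(round(raw_size_mib(86_000, 5_000)))            # reference experiment: about 410 MiB
    print(round(raw_size_mib(86_000 // 5, 50_000)))      # compressed 50,000 traces: about 820 MiB
    print(round(combined_size_gib(20_000, 3_000)))       # combining without compression: about 559 GiB
    print(round(combined_size_gib(20_000 // 5, 3_000)))  # combining after max-of-5: about 22 GiB
```

Compression before combining pays off quadratically: dividing the points by 5 divides the combined volume by roughly 25, which is the step from almost 560 GB down to about 23 GB.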

Analysing one value for one key byte takes approximately 5 minutes on the used PC. Since the implemented attack plug-in attacks two key bytes at the same time, the number of possible key byte combinations is 256² = 65536. This leads to an overall calculation time of about 220 days for checking the whole key space for only one key byte. It is therefore not feasible to run this analysis on a standard PC as used for this thesis in a practical scenario. Thus, it is assumed that the last key byte was recovered previously and could be successfully revealed. The CycurDPA workstation offers the possibility to set the directly following key byte to a fixed value. This means that it is feasible to attack the key bytes backwards. If the 16th key byte has been revealed, the 15th key byte is attacked. According to this scheme all other key bytes can then be extracted in a reasonable time using a normal PC.

With this attack, all key bytes were guessed correctly under the specified assumption. The corresponding correlation coefficients were still significantly lower than for the unprotected implementation, but the correct value can be clearly identified. Figure 6.7 shows the corresponding correlation coefficients for the first six key bytes.

6.3.3 Boolean Masking with Shuffling - Second Order DPA

As presented in Section 6.3.2, an AES implementation protected by a boolean masking scheme can be broken with a second order DPA, although the costs for this attack are very high. In order to increase the resistance against DPA attacks, shuffling was added to protect the implementation. For the masking countermeasure again a mask reuse interval of 1 is chosen for a good comparison to the last experiment.

Figure 6.6: Histogram of 200,000 pseudo random values

In order to keep the attack costs at the same level as for the previous experiment, again 3,000 power traces were recorded with 20,000 points each. This leads to 123 MB of data in total. After compressing the data and combining the traces using the absolute difference method, this results in 23 GB of data. Since the preprocessed traces are again very large, the calculation time was similar to the previous experiment. Again, it was assumed that the last key byte is either known or was revealed in another attack in order to reduce the possible key byte values to 256 for each neighbouring key byte pair. Analysing one key byte takes about 20 hours. The second order DPA attack was not able to guess any key bytes correctly. The correlation coefficients of the first six key bytes and their graphical presentation are shown in Figure 6.8.

Boolean masking in combination with shuffling leads to a protection against those attacks with fewer than 3,000 traces. It is assumed that the countermeasures can be broken if more traces are analysed, but due to the high costs of this attack considering memory and calculation time it was not feasible to repeat the analysis with more traces. Additionally, note that the memory requirements grow exponentially, which makes the costs grow exponentially, too.

6.4 ASCA Attacks

As presented in Section 3.3, another kind of side-channel attack exploits algebraic techniques. These attacks are practically tested in this section.

In order to attack an implementation with an ASCA attack, two sets of traces are needed. The first set is used to characterise the device to build the templates. Since the templates can be reused for all attacks on the used target device, the building step is described in a separate section.

Figure 6.7: Second order DPA results on protected AES

6.4.1 Templates

The ASCA uses side-channel information for the whole AES. In order to reduce the amount of data, our experiments focused on the first four rounds.

A trigger signal is used in order to mark the time instant of the first four rounds. The trigger is set to 0 (falling edge) before the first round and reset to 1 right after the fourth round. A total of 10,000 traces with 184,570 points each were recorded. This leads to approximately 1.71 GB of data. Since the templates consist of operation-dependent POIs, the plug-in allows to specify a range for the corresponding operation. To identify this range, a second trigger signal was implemented, which indicates the different operations within each round. The time instant of the first four AES rounds for a single trace (light blue signal) and the corresponding function trigger signal (pink signal) can be identified in Figure 6.9.

With the help of the second trigger signal, the corresponding ranges were identified and are given in Table 6.2. The first AddRoundKey operation is done in a pre-encryption step for the used implementation, but since the resulting value is also processed in the first SubBytes operation, the corresponding HWs can be revealed.

In due consideration of numerical problems for estimating the covariance matrix, the templates were built with 30 to 33 POIs and two to five points difference. With the specified range, building one template took about five to ten minutes.

6.4.2 Unprotected AES

At first the unprotected implementation of the AES was analysed. Therefore the pre-built templates are matched with a second set of traces in order to extract the Hamming weights of the intermediate values. This set is directly used in order to reveal the secret key. Theoretically, it is sufficient to acquire only one single trace, but due to noise it turned out to be useful to acquire several traces with the same plaintext and calculate a mean trace. For this purpose, a total of 100 traces were recorded with 184,567 points each. The fixed plaintext used was the one from the AES standard, 0x 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34.

Figure 6.8: Second order DPA results on protected AES with shuffling

The matching results are analysed in order to extract the correct HWs. In most cases, the correct value was clearly identified and its probability was significantly higher than for other values. If no HW could be assigned or if the probabilities show an unclear behaviour (which might occur due to numerical problems), the corresponding intermediate value was simply skipped. In Figure 6.10, the probabilities of the three best guesses for the S-box output of the first round are shown. Since the plaintext and the secret key are known for this thesis, the correct values could be identified. For the given example, all correct HW values have the highest probability and are therefore revealed correctly. In order to simulate a realistic attack, some values were skipped nevertheless. If for example the sixth output byte is considered, the difference between the best (and in this case correct) guess and the second best guess is significantly high. Therefore, one can assume that the extracted HW is correct. In contrast to that, the difference between those two values is insignificant for byte 15. Thus, an adversary cannot be sure if the extracted HW is correct. In this case, the intermediate value is skipped and not added to the system of equations.

For some matchings, numerical problems occurred due to the covariance matrix. Nevertheless, in some cases the correct HW value could be extracted. Figure 6.11 shows all nine HW probabilities for the eighth S-box output byte of the third round. One can see that there are numerical problems, since the highest probability is greater than 1, namely 19.53 · 10^26, which is undefined in this case. A closer look at the second and third best probability reveals that there is a significant difference between them (3.54 · 10^-23 and 3.48 · 10^-25). Therefore, the second best value is added to the system. In order to attack an unprotected implementation where the plaintext and ciphertext are known, we needed approximately 70 correct intermediate values to solve the system in less than one minute.

Figure 6.9: Single power consumption trace for unprotected AES implementation, 1st to 4th round (x-axis: sample index, 0 to 3.5 × 10^5; y-axis: −60 to 120)

Round   Operation     Range
1       SubBytes      1,400 - 17,186
1       MixColumns    17,186 - 41,247
1       AddRoundKey   41,247 - 46,976
2       SubBytes      46,976 - 63,399
2       MixColumns    63,399 - 87,332
2       AddRoundKey   87,332 - 93,189
3       SubBytes      93,189 - 109,357
3       MixColumns    109,357 - 133,418
3       AddRoundKey   133,418 - 139,019
4       SubBytes      139,019 - 155,060
4       MixColumns    155,060 - 179,248
4       AddRoundKey   179,248 - 184,213

Table 6.2: Operations in the first 4 AES rounds
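The selection rule applied in this section (skip an intermediate value whose best probability is not clearly ahead, treat a "probability" above 1 as a numerical artefact and fall back to the remaining candidates) can be written down as a function. The following Python code is an added example of mine, not the plug-in's code. The ratio of 10 between best and second best that counts as "significant" is an assumption, and the positions of the three probabilities from Figure 6.11 within the 9-entry vector are constructed, since the figure's HW axis is not reproduced in the text.

```python
def choose_hamming_weight(probabilities, min_ratio=10.0):
    """Pick the HW (index 0..8) to add to the SAT problem, or None to skip it.

    probabilities: template-matching probability per Hamming weight.
    Entries outside [0, 1] are numerically broken (covariance problems)
    and are discarded; the best remaining candidate is accepted only if
    it exceeds the runner-up by at least `min_ratio` (assumed threshold).
    """
    usable = [hw for hw, p in enumerate(probabilities) if 0.0 <= p <= 1.0]
    ranked = sorted(usable, key=lambda hw: probabilities[hw], reverse=True)
    if not ranked:
        return None
    if len(ranked) == 1:
        return ranked[0]
    best, second = probabilities[ranked[0]], probabilities[ranked[1]]
    if best == 0.0:
        return None                     # nothing matched at all
    if second == 0.0 or best / second >= min_ratio:
        return ranked[0]
    return None                         # too close to call: leave the value out


# Constructed probability vectors (HW positions chosen for illustration)
# Figure 6.11 case: a broken best value of 19.53e26, then 3.54e-23 and 3.48e-25
FIGURE_6_11 = [0.0, 0.0, 0.0, 3.54e-23, 19.53e26, 3.48e-25, 0.0, 0.0, 0.0]
CLEAR_CASE = [0.0, 0.01, 0.9, 0.05, 0.0, 0.0, 0.0, 0.0, 0.0]     # clear margin, like byte 6
AMBIGUOUS_CASE = [0.0, 0.0, 0.45, 0.4, 0.1, 0.0, 0.0, 0.0, 0.0]  # small margin, like byte 15


if __name__ == "__main__":
    for name, vec in [("figure 6.11", FIGURE_6_11), ("clear", CLEAR_CASE), ("ambiguous", AMBIGUOUS_CASE)]:
        print(name, choose_hamming_weight(vec))
```

Leaving a doubtful value out costs only one of the roughly 70 intermediate values needed, whereas adding a wrong HW makes the whole system unsatisfiable, which is why the rule errs on the side of skipping.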

Following the guidelines presented above, the HWs of 68 intermediate values were extracted successfully and added to the system of equations. After generating the SAT problem, it was solved by the CryptoMiniSat solver in about 20 seconds. The following extract shows parts of the corresponding SAT solver output file.

[...]
c CPU time : 16.99 s
s SATISFIABLE
v -1 -2 3 -4 5 -6 7 8 -9 10 11 12 13 14 15 -16 -17 -18 -19 20 -21 22 -23 24 -25 -26 -27 28 -29 30
31 -32 -33 -34 35 -36 37 -38 -39 -40 41 -42 43 -44 45 46 47 -48 49 50 -51 52 -53 -54 55 -56
57 -58 59 -60 -61 62 63 -64 65 -66 67 -68 69 -70 71 72 73 74 75 76 -77 78 79 80 -81 -82 -83
84 -85 86 -87 88 89 -90 -91 -92 93 -94 -95 -96 -97 -98 -99 -100 101 -102 -103 104 105 106
-107 -108 109 110 111 112 -113 114 -115 -116 117 118 119 120 -121 -122 123 124 125 126 -127
-128 [...]

Figure 6.10: Three best HW guesses for S-box in first round

Figure 6.11: Best HW guesses for 8th output byte of third S-box round

As shown in Figure 6.12 (which presents the evaluated result of the SAT solver), the secret key was successfully revealed.
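The parsing described in Section 5.3.3 (find the line starting with s, then read the first 128 variables of the model) can be checked against this output. The following Python code is an added example of mine, not the plug-in's code: it reads a DIMACS-style result, collects the literals of the v lines and packs variables 1 to 128 into the 16 key bytes. The embedded solver output is the excerpt above, with its wrapped continuation lines re-prefixed with "v" as the solver prints them and the [...] elisions dropped. The bit order is an assumption (variable 1 is the most significant bit of key byte 0); it is the order under which this output decodes to the reference key of this chapter.

```python
# Solver output from the listing above (CryptoMiniSat, DIMACS result format);
# the wrapped continuation lines are given the "v " prefix the solver prints.
SOLVER_OUTPUT = """\
c CPU time : 16.99 s
s SATISFIABLE
v -1 -2 3 -4 5 -6 7 8 -9 10 11 12 13 14 15 -16 -17 -18 -19 20 -21 22 -23 24 -25 -26 -27 28 -29 30
v 31 -32 -33 -34 35 -36 37 -38 -39 -40 41 -42 43 -44 45 46 47 -48 49 50 -51 52 -53 -54 55 -56
v 57 -58 59 -60 -61 62 63 -64 65 -66 67 -68 69 -70 71 72 73 74 75 76 -77 78 79 80 -81 -82 -83
v 84 -85 86 -87 88 89 -90 -91 -92 93 -94 -95 -96 -97 -98 -99 -100 101 -102 -103 104 105 106
v -107 -108 109 110 111 112 -113 114 -115 -116 117 118 119 120 -121 -122 123 124 125 126 -127
v -128
"""

# Reference key of Chapter 6 (AES standard example key)
REFERENCE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def parse_dimacs_result(text):
    """Return (status, literals) from a DIMACS-style solver output.
    The 's' line carries SATISFIABLE/UNSATISFIABLE, the 'v' lines carry the
    model terminated by a literal 0, and 'c' comment lines are ignored."""
    status, literals = None, []
    for line in text.splitlines():
        if line.startswith("s "):
            status = line[2:].strip()
        elif line.startswith("v "):
            for tok in line[2:].split():
                lit = int(tok)
                if lit == 0:            # end-of-model marker
                    return status, literals
                literals.append(lit)
    return status, literals


def key_from_literals(literals, key_bits=128):
    """Pack the values of variables 1..key_bits into bytes, MSB first
    (assumption: variable 1 is the top bit of key byte 0)."""
    value = {abs(lit): lit > 0 for lit in literals}
    missing = [v for v in range(1, key_bits + 1) if v not in value]
    if missing:
        raise ValueError(f"model does not assign key variables {missing[:4]}...")
    out = bytearray()
    for start in range(1, key_bits + 1, 8):
        byte = 0
        for v in range(start, start + 8):
            byte = (byte << 1) | int(value[v])
        out.append(byte)
    return bytes(out)


def extract_key(text):
    """None if the problem was not SATISFIABLE, otherwise the 16 key bytes."""
    status, literals = parse_dimacs_result(text)
    if status != "SATISFIABLE":
        return None
    return key_from_literals(literals)


if __name__ == "__main__":
    key = extract_key(SOLVER_OUTPUT)
    print(key.hex(), key == REFERENCE_KEY)   # 2b7e151628aed2a6abf7158809cf4f3c True
```

The function refuses a model that does not assign all 128 key variables rather than padding them, so a truncated result file is reported instead of being turned into a wrong key.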

6.4.3 Protected AES

As presented in the previous section, an unprotected AES implementation can be broken with the ASCA attack. In order to find out if the boolean masking scheme offers sufficient protection against this type of attack, the protected implementation of AES is analysed. Since shuffling randomly mixes the processing of the different intermediate values, we cannot find out which HW belongs to which intermediate value. As the needed side-channel information for an ASCA attack cannot be extracted, this countermeasure was not analysed.


Figure 6.12: Extracted Key by ASCA Attack on unprotected AES

In order to analyse the masking countermeasure, the pre-built templates were reused, so only one new set of traces was needed. The mask reuse interval was set to 100 in order to acquire 100 traces with the same plaintext and the same mask. These traces were used to calculate a mean trace and reduce the noise. The traces again had 184,567 points each and the fixed plaintext 0x 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34 was used. Additionally, the masks were returned from the target device to the host PC in order to check the revealed HWs. The following masks were generated by the implemented PRNG and then used as fixed values for all 100 traces:

• S-box input mask m: 0xA6

• S-box output mask m’ : 0xE7

• MixColumns mask m1m2m3m4: 0x8F7B6E94

Additionally, an already masked S-box was generated with SAGE in order to exclude errors within the S-box equations, since errors there are the hardest to find.

After matching the mean trace with the previously built templates, 96 intermediatevalues were added to the system. Unfortunately, the generated SAT problem was notsolvable. Even with 150 intermediate values the system could not be solved. To find thereason, the following approaches were tested:


Simulating the Intermediate Values

At first, the intermediate values that are added to the system of equations were calculated. This ensures that all HWs are correct, so errors caused by wrongly extracted values can be excluded. Up to 3.5 full rounds of intermediate values were added to the system, but it was still unsatisfiable. As a last step, a system with 5 full rounds of intermediate values was generated and analysed with the SAT solver. After 2.5 days the experiment was cancelled because there was still no result.

Assuming That All Masks Are 0

Another approach is to assume that all masks are zero. This was done by using the unmasked S-box file and by adding the HWs to the system as for the unprotected implementation. The system of equations still contains the equations corresponding to the masks, because their values were not added to the SAT problem. Nevertheless, the problem was solved by the SAT solver in about 40 seconds. This leads to the assumption that there are no mistakes in the system of equations and that the problem has to do with the random mask values.

Adding the Mask Values to the System

In order to verify the assumption that the system of equations is correct, the whole attack was simulated. This means that the masks were added as known values to the system as well as all intermediate values. Again, the SAT solver was able to solve the system in less than a minute. This shows that the adaptations we made in order to describe a masked AES by a system of boolean equations were correct.

The presented experiments lead to the assumption that the implemented masking scheme offers a suitable protection against ASCA. Nevertheless, the result was unexpected, since in theory this attack should be possible. The adapted system of equations has only 48 additional unknown variables and should therefore be solvable if an appropriate number of intermediate values is added. In [RSVC09] Renauld et al. observed similar problems while attacking this specific masking scheme. They are able to solve only 20% of their instances in less than 24 hours.


7 Results

This chapter summarises and compares the results of the different security analyses presented in this thesis. As the main values for comparison, the attack time and the memory usage are considered. Additionally, the implemented countermeasures, i.e. boolean masking and shuffling, are evaluated. The countermeasures are compared with respect to their additional costs, for example, necessary pre-computations and the number of random values. These costs are called security costs in the following.

7.1 Comparison

Before the protected AES implementations were attacked, an unprotected AES was analysed to have reference values for evaluating the different attacks and countermeasures. The implementation was attacked with a first order DPA using Pearson’s correlation coefficient as the statistical test. At first 5,000 traces were recorded with 86,000 points each. This leads to a memory size of approximately 410 MB. The attack took about 35 minutes and was able to reveal all key bytes correctly. It was found that the attack was successful with only 80 traces, which leads to a minimum of approximately 6.6 MB memory costs and a calculation time of less than one minute. Attacking an unprotected AES implementation with a first order DPA attack is very easy compared to attacking protected implementations, and the costs for this attack are very low. Table 7.1 summarises the costs for a CPA attack on an unprotected AES implementation.

Attack             Memory Costs   Calculation Costs   Security Costs
CPA, unprotected   410 MB         0:35 h              -
                   6.6 MB         <0:01 h             -

Table 7.1: Attack costs for CPA on unprotected AES

As a next step, AES was protected with the boolean masking scheme. This countermeasure comes with additional costs concerning execution time and six random 8-bit values for the masks per encryption. Additionally, the masked S-box has to be recomputed each time. The first experiment was repeated with the active countermeasure in order to check the protection level of the countermeasure. The attack was not successful with 5,000 traces, so the costs were increased by analysing 50,000 traces, which leads to approximately 4 GB of data in total. Analysing this data took four hours per key byte, which leads to an overall analysing time of 64 hours. Even with ten times more traces, no key byte was guessed correctly. Since the calculation time increases significantly, the traces were compressed by finding the maximum of each five points. 820 MB of data were analysed in 1:20 h. Again, no key byte could be revealed. Table 7.2 summarises the costs for a CPA on an implementation protected by the boolean masking scheme (with a mask reuse interval of 1). The security costs for the boolean masking scheme are high. Since the attack costs increase rapidly, one can say that this countermeasure offers a suitable protection against first order DPA attacks.

Attack                         | Memory costs | Calculation costs | Security costs
CPA, unprotected               | 410 MB       | 0:35 h            | -
                               | 6.6 MB       | <0:01 h           | -
CPA, boolean masking, reuse=1  | 410 MB       | 0:35 h            | 6 PRN · 5000 = 30,000 PRN, 5000 new S-boxes
                               | 4 GB         | 64:00 h           | 6 PRN · 50,000 = 300,000 PRN, 50,000 new S-boxes
                               | 820 MB       | 1:20 h            | 6 PRN · 50,000 = 300,000 PRN, 50,000 new S-boxes
CPA, boolean masking, reuse=5  | 820 MB       | 2:00 h            | 6 PRN · 20,000/5 = 24,000 PRN, 4000 new S-boxes

Table 7.2: Attack costs for CPA on protected AES

In order to reduce the additional cost for random values and S-box remasking, we tried to reuse the masking values for five encryption runs. 20,000 traces with 43,000 points each were analysed, which yields a memory usage of 820 MB. After two hours of calculation time all key bytes were guessed correctly. Therefore, we state that this masking scheme offers a suitable protection against first order DPA attacks if the masking values are not reused. Trying to save random numbers and to reduce the execution time of the block cipher by reusing the masking values leads to a significant reduction in security and is not recommended.

As a next step, the boolean masking scheme with a mask reuse interval of 1 was further analysed with a second order DPA. Since the amount of data grows exponentially in the preprocessing step, we tried to reduce the number and size of the traces. 3000 traces were acquired with 20,000 measurement points each. After compression and combining the points with the absolute difference function, approximately 23 GB of data were analysed. As we did not have the computational power to test all 2^16 possible combinations for the first key byte pair, it was assumed that one key byte is already known. Finally, all remaining key bytes were successfully revealed in 300 hours (12.5 days). This attack is very expensive, but if one key byte is known or if the adversary has more computational power, it is feasible. Table 7.3 shows the costs for a first order and a second order DPA on AES protected by the boolean masking scheme (with a mask reuse interval of 1). One can see that the attack costs rise significantly until the protection can be broken. Nevertheless, the second order DPA is still feasible.
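The two effects described above, a first order CPA failing on a freshly masked S-box output while absolute difference combining of two samples lets the second order attack succeed, and the growth of the combined data with the number of points per trace, as an added simulation that is not part of the thesis or its plug-ins. The leakage model (noisy Hamming weight of the mask and of the masked S-box output, one sample each), the noise level, the seed and the storage estimate's compression factor and sample width are constructed assumptions; the key byte 0x2B is the first byte of the appendix B key.

```python
import random

# --- AES S-box computed on the fly (GF(2^8) inverse followed by the affine map) ---
def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r & 0xFF

def _gf_inv(a):
    """Multiplicative inverse as a^254; 0 maps to 0 as in AES."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = _gf_mul(r, base)
        base = _gf_mul(base, base)
        e >>= 1
    return r

def _sbox_entry(x):
    b = _gf_inv(x)
    s = 0x63
    for _ in range(5):                      # b ^ rotl(b,1) ^ ... ^ rotl(b,4) ^ 0x63
        s ^= b
        b = ((b << 1) | (b >> 7)) & 0xFF
    return s

SBOX = [_sbox_entry(x) for x in range(256)]
HW = [bin(x).count("1") for x in range(256)]

def simulate_masked_traces(key_byte, n_traces, sigma, rng):
    """Constructed leakage of a boolean-masked S-box lookup with a fresh mask per
    run (reuse interval 1): sample t0 leaks HW(mask), t1 leaks HW(S(p ^ k) ^ mask)."""
    plaintexts, traces = [], []
    for _ in range(n_traces):
        p, m = rng.randrange(256), rng.randrange(256)
        t0 = HW[m] + rng.gauss(0, sigma)
        t1 = HW[SBOX[p ^ key_byte] ^ m] + rng.gauss(0, sigma)
        plaintexts.append(p)
        traces.append((t0, t1))
    return plaintexts, traces

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5

def cpa(plaintexts, samples):
    """|Pearson correlation| per key guess, HW(S(p ^ k)) as the power model."""
    return [abs(pearson([HW[SBOX[p ^ k]] for p in plaintexts], samples))
            for k in range(256)]

def first_order_attack(plaintexts, traces):
    """CPA on the masked S-box output sample alone: the mask decorrelates it."""
    corrs = cpa(plaintexts, [t1 for _, t1 in traces])
    best = max(range(256), key=corrs.__getitem__)
    return best, corrs[best]

def second_order_attack(plaintexts, traces):
    """Absolute difference combining |t1 - t0| of the two samples, then CPA."""
    corrs = cpa(plaintexts, [abs(t1 - t0) for t0, t1 in traces])
    best = max(range(256), key=corrs.__getitem__)
    return best, corrs[best]

def combined_size_bytes(n_traces, n_points, compression=5, bytes_per_sample=1):
    """Storage for all pairwise point combinations after compressing each trace by
    the given factor: n_traces * C(n_points // compression, 2) samples."""
    n = n_points // compression
    return n_traces * (n * (n - 1) // 2) * bytes_per_sample

def run_demo(key_byte=0x2B, n_traces=3000, sigma=0.5, seed=2013):
    """Both attacks on one constructed trace set; returns (guess, |corr|) per attack."""
    pts, tr = simulate_masked_traces(key_byte, n_traces, sigma, random.Random(seed))
    return first_order_attack(pts, tr), second_order_attack(pts, tr)

if __name__ == "__main__":
    print("first / second order:", run_demo())
    print("bytes after combining 3000 x 20,000-point traces:", combined_size_bytes(3000, 20000))
```

With 3000 traces of 20,000 points, compressed by five and stored as one byte per combined sample, the estimate comes out at about 24 GB, in line with the roughly 23 GB reported above.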

Attack                                      | Memory costs | Calculation costs | Additional costs
CPA, boolean masking                        | 410 MB       | 0:35 h            | 6 PRN · 5000 = 30,000 PRN, 5000 new S-boxes
                                            | 4 GB         | 64:00 h           | 6 PRN · 50,000 = 300,000 PRN, 50,000 new S-boxes
                                            | 820 MB       | 1:20 h            | 6 PRN · 50,000 = 300,000 PRN, 50,000 new S-boxes
2nd order DPA, boolean masking              | 23 GB        | 300 h             | 6 PRN · 3000 = 18,000 PRN, 3000 new S-boxes
2nd order DPA, boolean masking + shuffling  | 23 GB        | 300 h             | 6 PRN · 3000 + 5 · 3000 = 33,000 PRN, 3000 new S-boxes

Table 7.3: Attack costs for 1st order DPA and 2nd order DPA on protected AES

Since the implemented boolean masking scheme can still be broken with a second order DPA, the protection was extended by shuffling and the analyses were repeated. The cost was the same, which means that approximately 23 GB of data had to be analysed after the preprocessing step. Again it was assumed that one key byte is already known. The analysis time did not change, because the assumptions and the amount of data were the same. After 12.5 days, all remaining key bytes were tested and no value was guessed correctly. As this attack already has a high cost with respect to memory usage and especially calculation time, the number of traces was not increased, but it is assumed that the combination of masking and shuffling can also be broken with an adequate number of traces. Nevertheless, the combined countermeasures cannot be broken by a second order DPA attack under the given conditions. Therefore, the countermeasure offers a suitable protection against side-channel attacks.

The second method used to analyse the AES implementations was an ASCA. At first, the unprotected AES implementation was analysed. In order to characterise the power consumption of the target device, 10,000 traces were recorded with 184,570 points each. This resulted in approximately 1.71 GB of data. All possible intermediate values of the first two rounds and the S-box input and output of the third round were described as a template. Building the 200 templates took about 40 hours.

In order to analyse the implementation, a second set of traces was measured. This results in a total of approximately 17 MB of data. The traces were matched with the previously built templates, which took about 1:30 minutes. The 68 HWs were added to the system of equations, which was then solved in less than one minute. It was found that the unprotected version of AES is vulnerable to ASCA attacks. Comparing only the attack steps of both methods, the first order DPA and the ASCA had a similar cost. With both attacks, the secret key was revealed in less than one minute. The only difference is the memory usage, as the DPA attack needs at least 6.6 MB of data while the ASCA attack would be successful with only 0.17 MB of data. In order to improve the results in the matching phase, 17 MB were analysed. The main difference between both attacks concerning their costs is the preprocessing step, which is necessary in order to be able to extract the HWs of the intermediate values. If corresponding templates already exist, both attacks cost nearly the same. Otherwise the costs for the ASCA attack increase by 1.71 GB of data and 40 hours of computation time for the template building phase. Nevertheless, there might be scenarios where a DPA cannot succeed, for example, if the secret key is changed after a certain number of encryption runs. In such a case, the ASCA is a suitable alternative.

Next, the implementation protected by the boolean masking scheme was analysed. The costs for this attack did not change, since the templates could be reused and one trace was still sufficient in order to match the templates. To reduce the noise, 100 traces were acquired. After the matching phase the HWs of 96 intermediate values were added to the system of equations; however, the SAT problem could not be solved in a reasonable time. Increasing the number of HWs did not help to solve the problem. We initially assumed that the ASCA would be a suitable method to break the masking countermeasure, but it seems that the scheme offers a suitable protection against ASCA.

Table 7.4 compares the different ASCAs and their costs. Once the templates have been built, the attacks have a very low complexity. One trace is enough to extract the HWs and to attack an unprotected implementation in less than one minute. Compared to a second order DPA attack on the boolean masking scheme, the ASCA is cheap with regard to memory usage. After 60 hours the SAT solver was cancelled because we assumed that the problem is not solvable in reasonable time.

Attack                 | Memory costs | Calculation costs | Security costs
ASCA, building step    | 1.71 GB      | 40:00 h           | -
ASCA, unprotected      | 17 MB        | <0:01 h           | -
ASCA, boolean masking  | 17 MB        | > 60:00 h         | 6 PRN

Table 7.4: Attack costs for ASCA attacks

The combination of boolean masking and shuffling as protection was not analysed with the algebraic side-channel analysis, as ASCA is not suitable in this case. The processed intermediate value is hidden because of the random execution order caused by the shuffling. This means that the HWs can be extracted, but it is not possible to assign them to the correct intermediate values. Since a single incorrect value would cause the SAT solver to fail, guessing is no option at this point.

7.2 Evaluation

The presented results were all outcomes of practical attacks, with the assumptions kept as close to a real-world attack as possible. In general, it was assumed that the plaintext and the ciphertext of all encryption runs are known for every experiment. This is a typical black box scenario, which is common when attacking cryptographic implementations. Additionally, for the second order DPA attack it was assumed that one key byte is known. Nevertheless, with greater computational power the known value can easily be revealed with the presented attack. The assumption was only made to save computational time in order to be able to compare different attacks. For the ASCA only the intermediate values were used for which the HW could be clearly assigned. If the HW was correctly extracted by the template attack but the assignment was not significant, the intermediate value was skipped in order to simulate an attack.

It was found that an unprotected AES implementation can be attacked by both first order DPA and ASCA. Even the boolean masking scheme can be broken in a reasonable time with a second order DPA. Although we were not able to successfully attack the masking scheme with an ASCA attack under realistic conditions, it can possibly be broken, as can be seen for example in [RSVC09].

After adding shuffling to the masking scheme, no key byte could be revealed correctly. As the intermediate values are processed in a random order, an ASCA attack is not realisable. We assume that the combination can be broken with a suitable number of traces with a second order DPA attack. Since the costs are too high when considering the equipment used for this thesis, it was not feasible to analyse more traces.

Therefore, we state that the combination of boolean masking and shuffling offers a suitable protection against both second order DPA and ASCA under the given conditions.


8 Conclusion

This chapter summarises the results of this thesis. Furthermore, ideas for future work are proposed.

8.1 Summary

In this thesis, two different side-channel attacks against various implementations of the AES were presented. The first attack group is DPA (Section 3.2), which exploits the first encryption round. An unprotected implementation of AES was analysed to obtain reference values, which were used to evaluate the second order attack and the protection level of the implemented countermeasures (Section 6.2). After that, the boolean masking scheme was implemented in order to protect the AES implementation against first order side-channel attacks. Since the first order DPA was not successful (Section 6.3.1), a second order DPA was used to break the protected implementation (Section 6.3.2). In order to increase the protection level, the boolean masking scheme was extended with shuffling. Repeating the second order DPA attack showed that the combination of both countermeasures cannot be broken under the given conditions (Section 6.3.3).

The second group of side-channel attacks is ASCA (Section 3.3). The implementations of AES were analysed with ASCA. While the unprotected implementation was broken in less than a minute, we were not able to successfully attack the protected implementation. The shuffling countermeasure was not analysed, since the random execution order prevents the extraction of the correct HWs for the intermediate values. As the AES implementation protected by the combination of boolean masking and shuffling could not be broken with any of the presented attacks, we state that it provides a suitable protection level against side-channel attacks under the given conditions. Finally, the different attacks were compared with respect to their costs in Chapter 7.

8.2 Future Work

There are several interesting ideas to improve the attacks that were presented in this thesis. Some of them are presented below. These methods might lead to better results or reveal other attack vectors.

In the preprocessing step for the second order DPA attack, the absolute difference combining function was used for this thesis. There are other combining functions, for example, the product combining and the improved product combining [EPMRRB09]. One could compare the different combining functions under the given conditions.


Other points for future work exist for the implemented ASCA attack. The template building phase is implemented as a single-threaded task and could be improved to use multi-threading. This would speed up the preprocessing step.

Another improvement would be an automatic error detection for the matching phase. Currently, the extracted HWs are selected manually. If the correct values could be identified automatically, this would simplify the attack.

Another improvement of this step would be to restrict the HW range instead of assigning a concrete Hamming weight to the intermediate value.

This means that if it is clear that an intermediate value corresponds to a HW of either 2 or 3, it might be possible to state that it corresponds to a HW lower than 4. This means that five HWs (namely 4, 5, 6, 7, and 8) are definitely excluded from the system. The intermediate value does not have to be skipped but can be described in more detail.
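The proposed HW range restriction, as an added illustration that is not part of the thesis's ASCA plug-in: one 8-bit intermediate value is represented by eight SAT variables, a concrete HW or a HW range is encoded as CNF clauses, and a brute-force check confirms which byte values each clause set still permits. The variable numbering and the naive subset-enumerating cardinality encoding are this example's own choices.

```python
from itertools import combinations

def at_most_k(bits, k):
    """Clauses forbidding any k+1 of the bit variables from being true at once."""
    return [[-v for v in sub] for sub in combinations(bits, k + 1)]

def at_least_k(bits, k):
    """Clauses forcing at least k true bits: every group of n-k+1 variables
    must contain a true one."""
    n = len(bits)
    return [list(sub) for sub in combinations(bits, n - k + 1)]

def hw_exact(bits, k):
    """HW(value) == k: the concrete assignment the thesis uses today."""
    return at_least_k(bits, k) + at_most_k(bits, k)

def hw_range(bits, lo, hi):
    """lo <= HW(value) <= hi, the proposed restriction (HW < 4 is lo=0, hi=3)."""
    return at_least_k(bits, lo) + at_most_k(bits, hi)

def satisfied(clauses, assignment):
    """assignment maps variable number -> bool; a clause holds if any literal holds."""
    return all(any(assignment[abs(lit)] == (lit > 0) for lit in clause)
               for clause in clauses)

def permitted_values(clauses, bits):
    """Brute force over all byte values; bit i of the value is variable bits[i]."""
    out = []
    for value in range(1 << len(bits)):
        assignment = {v: bool((value >> i) & 1) for i, v in enumerate(bits)}
        if satisfied(clauses, assignment):
            out.append(value)
    return out

def to_dimacs(clauses, n_vars):
    """DIMACS CNF text as consumed by SAT solvers such as CryptoMiniSat."""
    lines = [f"p cnf {n_vars} {len(clauses)}"]
    lines += [" ".join(str(lit) for lit in clause) + " 0" for clause in clauses]
    return "\n".join(lines)

# Constructed: variables 1..8 stand for the bits of one intermediate value.
BITS = [1, 2, 3, 4, 5, 6, 7, 8]

if __name__ == "__main__":
    print(len(permitted_values(hw_exact(BITS, 2), BITS)), "byte values have HW = 2")
    print(len(permitted_values(hw_range(BITS, 0, 3), BITS)), "byte values have HW < 4")
    print(to_dimacs(hw_range(BITS, 2, 3), 8))
```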

Furthermore, an automatic error correction technique could be implemented. The generated SAT problem automatically fails if only one intermediate value has the wrong HW. To prevent such a failure, it would be useful to correct the errors on-the-fly.


A Acronyms

AES Advanced Encryption Standard

ASCA Algebraic Side-Channel Analysis

CNF Conjunctive Normal Form

DES Data Encryption Standard

DPA Differential Power Analysis

DPLL Davis-Putnam-Logemann-Loveland

GUI Graphical User Interface

HD Hamming Distance

HO-DPA Higher Order Differential Power Analysis

HW Hamming Weight

LAN Local Area Network

LCG Linear Congruential Generator

LSB Least Significant Bit

LUT Lookup Table

MSB Most Significant Bit

NIST National Institute of Standards and Technology

POI Points of Interest

PRNG Pseudo Random Number Generator

SAT Satisfiability (Problem)

S-box Substitution Box

SPA Simple Power Analysis

SPN Substitution-Permutation Network

SRAM Static Random-Access Memory

UART Universal Asynchronous Receiver Transmitter

USB Universal Serial Bus

XOR Exclusive OR


B Hamming Weights of AES Round 1 - 3

This section gives the HWs of the first three AES rounds for the given run values.

Plaintext: 0x 32 43 F6 A8 88 5A 30 8D 31 31 98 A2 E0 37 07 34

Key: 0x 2B 7E 15 16 28 AE D2 A6 AB F7 15 88 09 CF 4F 3C

Figure B.1: Hamming weights of AES encryption


List of Figures

2.1 Structure of the AES-128 (p. 4)
2.2 Key schedule for the AES-128 (p. 4)

3.1 Physical measurement setup for side-channel analysis (p. 14)
3.2 Measurement setup used for this thesis (p. 15)

4.1 Escrypt Target Board v1.0 (p. 17)
4.2 Lecroy WaveRunner 610Zi oscilloscope (p. 18)
4.3 Active (a) and passive (b) probes used for this thesis (p. 19)

5.1 High-level view on masked AES-128 (p. 25)
5.2 Filter plug-in GUI for second order DPA (p. 27)
5.3 2nd Order Attack plug-in GUI (p. 30)
5.4 Algebraic Attack Plug-in GUI (p. 33)
5.5 Dialogue to select intermediate values (p. 34)
5.6 Matching results dialog (p. 40)
5.7 ASCA plug-in state diagram (p. 42)

6.1 Single power consumption trace for unprotected AES implementation (p. 46)
6.2 CPA results on unprotected AES (p. 47)
6.3 Corr. coeff. vs. number of traces for key byte 0 of an unprotected AES implementation (p. 48)
6.4 CPA results for the protected AES (p. 49)
6.5 CPA results on protected AES with a mask reuse interval of 5 (p. 50)
6.6 Histogram of 200,000 pseudo random values (p. 51)
6.7 Second order DPA results on protected AES (p. 52)
6.8 Second order DPA results on protected AES with shuffling (p. 53)
6.9 Single power consumption trace for unprotected AES implementation, 1st to 4th round (p. 54)
6.10 Three best HW guesses for S-box in first round (p. 55)
6.11 Best HW guesses for 8th output byte of third S-box round (p. 55)
6.12 Extracted Key by ASCA Attack on unprotected AES (p. 56)

B.1 Hamming weights of AES encryption (p. 69)


List of Tables

5.1 Assignment of variables to intermediate values (p. 36)
5.2 Assignment of additional variables (p. 38)
5.3 Hamming weights in CNF format (p. 41)

6.1 Five best guesses for CPA on unprotected AES (p. 46)
6.2 Operations in the first 4 AES rounds (p. 54)

7.1 Attack costs for CPA on unprotected AES (p. 59)
7.2 Attack costs for CPA on protected AES (p. 60)
7.3 Attack costs for 1st order DPA and 2nd order DPA on protected AES (p. 61)
7.4 Attack costs for ASCA attacks (p. 62)


List of Listings

5.1 get_seed() function for ATMega32 (p. 23)
5.2 Absolute difference combining function (p. 28)
5.3 SAGE commands to transform the S-box (p. 34)
5.4 SAGE commands to transform a random S-box (p. 35)


Bibliography

[asc] Ascatocnf tool. http://www.ecrypt.eu.org/tools/ascatocnf, last seen on 16.05.2013.

[BC03] Alex Biryukov and Christophe De Canniere. Block ciphers and systems of quadratic equations. In Fast Software Encryption, 10th International Workshop, FSE 2003, Lund, Sweden, February 24-26, 2003, Revised Papers, volume 2887 of Lecture Notes in Computer Science, pages 274–289. Springer, 2003.

[BCJ07] Gregory V. Bard, Nicolas T. Courtois, and Chris Jefferson. Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers. Cryptology ePrint Archive, Report 2007/024, 2007.

[BPW05] Johannes Buchmann, Andrei Pychkine, and Ralf-Philipp Weinmann. Block ciphers sensitive to Gröbner basis attacks, 2005.

[CB06] Nicolas T. Courtois and Gregory V. Bard. Algebraic cryptanalysis of the Data Encryption Standard. Cryptology ePrint Archive, Report 2006/402, 2006. http://eprint.iacr.org/.

[CB10] Carina Boettcher. Design and Development of a Database-based Side-Channel Workstation. 2010.

[CP02] Nicolas T. Courtois and Josef Pieprzyk. Cryptanalysis of block ciphers with overdefined systems of equations. pages 267–287. Springer, 2002.

[DLL62] Martin Davis, George Logemann, and Donald Loveland. A machine program for theorem-proving. Communications of the ACM, 5:394–397, 1962.

[DP60] Martin Davis and Hilary Putnam. A computing procedure for quantification theory. JACM, 7:201–215, 1960.

[DPA] Escrypt CycurDPA workstation. https://www.escrypt.com/products/cycurdpa/overview, last seen on 16.05.2013.

[DPV06] S. Dasgupta, C.H. Papadimitriou, and U.V. Vazirani. Algorithms. McGraw-Hill Higher Education, 2006.


[EPMRRB09] Emmanuel Prouff, Matthieu Rivain, and Regis Bevan. Statistical Analysis of Second Order Differential Power Analysis. IEEE Transactions on Computers, 58(6):799–811, 2009.

[ESCa] Escrypt. https://www.escrypt.com.

[escb] Escrypt GmbH - Embedded Security. http://www.escrypt.com, last seen on 16.05.2013.

[FIP] Advanced Encryption Standard (AES).

[gnu] GNU glibc implementation. http://www.gnu.org/software/libc/, last seen on 16.05.2013.

[JPS05] M. Joye, P. Paillier, and B. Schoenmakers. On Second Order Differential Power Analysis. CHES, pages 293–308, 2005.

[K+99] Paul Kocher et al. Differential Power Analysis. In Advances in Cryptology - CRYPTO'99, 1999.

[Lec] Lecroy WaveRunner 610Zi technical details. http://teledynelecroy.com/oscilloscope/oscilloscopemodel.aspx?modelid=4781&capid=102&mid=504, last seen on 16.05.2013.

[Mes00] Thomas Messerges. Using Second-Order Power Analysis to Attack DPA Resistant Software. In CHES 2000 - Lecture Notes in Computer Science, pages 238–251. Springer, 2000.

[MOP07] Stefan Mangard, Elisabeth Oswald, and Thomas Popp. Power Analysis Attacks: Revealing the Secrets of Smart-Cards. Springer Verlag, 2007.

[MSEMSBMZ+] Mohamed Saied Emem Mohamed, Stanislav Bulygin, Michael Zohner, Annelie Heuser, and Michael Walter. Improved Algebraic Side-Channel Attack on AES.

[N+00] James Nechvatal et al. Report on the Development of the Advanced Encryption Standard (AES). Technical report, National Institute of Standards and Technology, October 2000.

[Paa09] Christof Paar. Implementation of Cryptographic Schemes 1. Technical report, 2009.

[Pas] Lecroy passive probe technical details. http://teledynelecroy.com/options/default.aspx?categoryid=3&groupid=4, last seen on 16.05.2013.

[PP10] Christof Paar and Jan Pelzl. Understanding Cryptography. Springer, 2010.


[Pro] Lecroy active probe technical details. http://teledynelecroy.com/options/productdetails.aspx?modelid=26&categoryid=3&groupid=213&capid=102&mid=508, last seen on 16.05.2013.

[RN88] Joseph Lee Rodgers and W. Alan Nicewander. Thirteen Ways to Look at the Correlation Coefficient. The American Statistician, 42:59–66, 1988.

[RS09] M. Renauld and F.-X. Standaert. Algebraic Side-Channel Attacks. (179), 2009.

[RSVC09] Mathieu Renauld, François-Xavier Standaert, and Nicolas Veyrat-Charvillon. Algebraic Side-Channel Attacks on the AES: Why Time also Matters in DPA. In Workshop on Cryptographic Hardware and Embedded Systems (CHES 2009), volume 5747 of Lecture Notes in Computer Science, pages 97–111. Springer, September 2009.

[sag] Sage. http://www.sagemath.org/, last seen on 16.05.2013.

[Sha49] Claude E. Shannon. Communication Theory of Secrecy Systems. Bell System Technical Journal, 28:656–715, 1949.

[Soo] Mate Soos. CryptoMiniSat. http://www.msoos.org/wordpress/wp-content/uploads/2010/08/cryptominisat-2.5.1.pdf.