DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Overview of the 2008-2009 ‘DPA contest’

Sylvain GUILLEY, Laurent SAUVAGE, Florent FLAMENT,Maxime NASSAR, Nidhal SELMANE, Jean-Luc DANGER,

Tarik GRABA, Yves MATHIEU & Renaud PACALET.< contact@DPAcontest.org>

Institut TELECOM / TELECOM-ParisTechCNRS – LTCI (UMR 5141)

SECURE

CHES’09, September 7th, 2009,Lausanne, Switzerland.

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

1/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Presentation Outline

1 DPA Contest: What is it?

2 Summary of the Worldwide InvolvementWeb AudienceParticipation Statistics

3 Best Attacks

4 Official Declaration of the 2008–2009 DPA contest Winner

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

2/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Presentation Outline

1 DPA Contest: What is it?

2 Summary of the Worldwide InvolvementWeb AudienceParticipation Statistics

3 Best Attacks

4 Official Declaration of the 2008–2009 DPA contest Winner

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

3/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

What is this http://www.DPAcontest.org/?

It is a key recover attack contest

80k+ side-channel measurements (traces) are freelyavailable worldwide from a PostGreSQL database.

They have been measured on a real circuit, but are somehowideal, hence suitable for academic studies:

Clock signal is stable.Traces synchronization is perfect.Power curves concern the DES crypto-processor alone.Measurement bandwidth is 5 GHz, and sampling rate is20 Gsample/s.Vertical resolution is 12.0 effective bits.

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

4/24

RAM64(for AES)

4×

ROM2k

AES

CPU

DES2

(for DES)

DES1

RAM2563×

(for CPU)

SDES

RAM32k

Purpose Characterization and attack on the symmetric encryptionalgorithms DES (fips46-3) and AES (fips197)

Programmation C language, configuration via an RS232 or a USB port

Chip’s size 4.0 mm2, 2.0 million transistors

Power domains 5: pads (3.3 V), core + DES1 + DES2 + SDES (1.2 V)

Technology STMicroelectronics 130 nanometer low-leakage (high Vt)with 6 layers of metal process, founded at Crolles, FRANCE

Fabrication CMP run S12C5 1 (13/01/2005) with the help of ST/AST

More information online: http://cmp.imag.fr/aboutus/gallery/details.php?id_circ=63&y=2005.

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Motivation + Ethics

Advantages

Makes it possible for a laboratory w/o measurementfacilities to experiment security evaluation algorithms.

Allows a fair comparison of known attacks and tricks.

Stimulates the research for better power attacks.

Ethics

Such a contest on a commercial product would endanger allits users.

Thus only a public research group can safely share measuresfrom an home-made academic circuit.

Open source = danger?No = possibility to improve on top of others’ ideas!

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

6/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Example with the reference code

Demonstration of the contest simplicity:

> svn co https://svn.comelec.enst.fr/dpacontest/

> cd code/reference/

> python main.py

# Table: secmatv1_2006_04_0809

# Stability threshold: 100

# Iteration threshold: 1800

#

# Columns: Iteration Stability Subkey0 ... Subkey7

1

2

3

...

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

7/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Reference Attack: Difference-of-Means [P. Kocher, 1998]

-20

0

20

40

60

80

-8 0 8 16

Voltage [m

V]

Time [clock periods]

Average power trace

-0.5

0

0.5

1

1.5

2

2.5

3

-8 0 8 16V

oltage [m

V]

Time [clock periods]

Covariance result (zoomed)

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

8/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Rules

A valid attack shall:

Recover the correct key with a stability of additional 100traces usage.

Consist in source code, committed into an SVN repository.

The hall of fame is based on:

An eligibility that is verifiable on a peer-review basis.

Objective: use as few traces as possible.

The date of the commit, which must belong to:[Aug 12th 2008, Aug 30th 2009].

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

9/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Web AudienceParticipation Statistics

Presentation Outline

1 DPA Contest: What is it?

2 Summary of the Worldwide InvolvementWeb AudienceParticipation Statistics

3 Best Attacks

4 Official Declaration of the 2008–2009 DPA contest Winner

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

10/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Web AudienceParticipation Statistics

Two Kinds of Involvements

Internet

SVN(code)

SQL(curves)

Download Contribute&

Observers: download the tracesand/or the attack source code.

Key figure: 4,355 visits.

Players: upload attack source code.

Key figure: 44 submissions.

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

11/24

DPA Contest Popularity Indicators

DPA Contest Map: 45 countries / territories

Riscure

GERMANY

Karlsruhe U.

NETHERLANDS

Toshiba

Tohoku U.

Mitsubishi

SOUTH KOREA

TELECOM ParisTech

LIRMM

3iL, Limoges U.

JAPAN

Korea U., CIST

FRANCE

BELGIUM

KUL

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Web AudienceParticipation Statistics

Hall of Fame Split in Four Categories

1 Order-independent: the attacks have been carried out onvarious significant sets of traces, ordered in a random way.

2 Chosen plaintext order: where the traces order is computedby an algorithm that is explicited in the attack source code.

3 Fixed order: that models an attack at known albeit notchosen plaintext or ciphertext. The order is either

that of the database without the SORT BY clause, orthat of the ZIP archive, orlexicographical (corresponding to acquisition order).

4 Custom order: left at the discretion of the attacker . . . ofcourse, an explanation of the sorting strategy is preferred.

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

14/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Web AudienceParticipation Statistics

Events for each category

0

500

1000

1500

2000

2500

Au

g 1

2th

08

Se

p 1

st

08

Oct

1st

08

No

v 1

st

08

De

c 1

st

08

Ja

n 1

st

09

Fe

b 1

st

09

Ma

r 1

st

09

Ap

r 1

st

09

Ma

y 1

st

09

Ju

n 1

st

09

Ju

l 1

st

09

Au

g 1

st

09

Se

p 1

st

09

0

20

40

60

80

100

120

140

160

180

200

220

240

260

Nu

mb

er

of

tra

ce

s t

o b

rea

k D

ES

SV

N r

evis

ion

fo

r th

e s

ub

mis

sio

n

SVN revision for the submission# traces to break DES (category 1)# traces to break DES (category 3)# traces to break DES (category 4)

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

15/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Web AudienceParticipation Statistics

Category # Attacks Best attack

#1 17 141.42 traces, by Christophe Clavierof 3iL & U. of Limoges, FRANCE.

#2 0 No submission /.

#3 17 120 traces, by Daisuke Suzuki & Mi-noru Saeki of Mitsubishi, JAPAN.

#4 10 107 traces, by Hideo Shimizu ofToshiba, JAPAN.

Total 44 −→ winner chosen as the best sub-

mission in category #1.

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

16/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Presentation Outline

1 DPA Contest: What is it?

2 Summary of the Worldwide InvolvementWeb AudienceParticipation Statistics

3 Best Attacks

4 Official Declaration of the 2008–2009 DPA contest Winner

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

17/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Campaign Characteristics

Unprotected and little noisy traces.

Excellent linear and temporally localized leakage.

Hence:

The dominant strategy has been model-based attacks:

Differential Power Analysis orCorrelation Power Analysis,

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

18/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Overview of the State-of-the-Art Advance [1/4]

New attacks are based on one or more of these techniques:

Pre-filtering the traces (window filters, or cropping):

Victor LOMNE from LIRMM was the first to attack the lastround and to select a good temporal window

Choice of which round to attack:

Daisuke SUZUKI from Mitsubishi dual round attack byBS-CPA

Number of key bits attacked simultaneously:

Eloi SANFELIX from Riscure attacked two sboxessimultaneously

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

19/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Overview of the State-of-the-Art Advance [2/4]

New attacks are based on one or more of these techniques:

Number of unknown bits making up the selection function:

Most attacks were multi-bit, and Daisuke SUZUKI proposedan improved power modelAntonio SOBREIRA from Universitat Karlsruhe performed aclassical CPA considering the left side of the message register

Statistical test to distinguish the correct guess fromerroneous ones:

Benedikt GIERLICHS from KUL implemented a t-test;Yongdae KIM from Tohoku University tested Pearson, Kendalland Spearman correlations

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

20/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Overview of the State-of-the-Art Advance [3/4]

New attacks are based on one or more of these techniques:

Taking advantage of the knowledge of the already brokensboxes to improve the correlation of hard to break sboxes:

Hideo SHIMIZU from Toshiba coined the Built-in determinedSub-key Correlation Power Analysis (BS-CPA), described inhttp://eprint.iacr.org/2009/161.

Cooperation between hypotheses:

Renaud PACALET from TELECOM ParisTech finds the bestkey candidates by optimization algorithm based on the theoryintroduced by Xiaofei Huang

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

21/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Overview of the State-of-the-Art Advance [4/4]

New attacks are based on one or more of these techniques:

On-line model estimation:

Christophe CLAVIER estimated on-line a multi-variate linearmodel

Stochastic model attack:

contributed by Yongdae KIM from Tohoku university

Multi-DPA:

Jung HAE-IL from Korea University combined multi-bit DPAof Thomas MESSERGES and Regis BEVAN

Combined attacks:

e.g. BS-CPA on 2-sboxes by Laurent SAUVAGE, fromTELECOM ParisTech

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

22/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

Presentation Outline

1 DPA Contest: What is it?

2 Summary of the Worldwide InvolvementWeb AudienceParticipation Statistics

3 Best Attacks

4 Official Declaration of the 2008–2009 DPA contest Winner

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

23/24

DPA Contest: What is it?Summary of the Worldwide Involvement

Best AttacksOfficial Declaration of the 2008–2009 DPA contest Winner

2008–2009 Winner Congratulations!

Winner identity

Name Prof. Christophe CLAVIERAffiliation #1 Institut d’Ingenierie Informatique de Limoges

(3iL), 42 rue Sainte Anne, 87 000 Limoges.Affiliation #2 Universite de Limoges – Laboratoire XLIM,

83 rue d’Isle, 87 000 Limoges, FRANCE.

Winning attack

Attack algorithm Maximum likelihood method with a bi-variate known model

Number of traces 141.42 traces as an average success rate,estimated with 100 attacks

SVN tag Revision 197, 2009 August 18th

Sylvain GUILLEY < sylvain.guilley@TELECOM-ParisTech.fr > Overview of the ‘DPA Contest’SECURE

24/24