SPA and DPA attacks
Pascal Paillier
Gemplus ARSC/STD/CRY

Outline
Side Channel Cryptanalysis
SPA – Simple Power Analysis
DPA – Differential Power Analysis
– Acquisition procedure
– Selection & prediction
– Differential operator and curves
– Reverse engineering using the DPA indicator
Attacking a Secret Key algorithm with DPA
– Typical target
– Hypothesis testing (guesses management)

Which are Side Channel Attacks
1. Differential Fault Analysis (DFA)
– Biham-Shamir (1997)
2. Timing Attacks
– Kocher (1996)
3. Simple Power Analysis (SPA)
– Kocher, Jaffe, Jun (1998)
4. Differential Power Analysis (DPA)
– Kocher, Jaffe, Jun (1998)

Side Channels
Kocher et al., June 1998: Measure instantaneous power consumption of a device while it runs a cryptographic algorithm
Different power consumption when operating on logical ones vs. logical zeroes.

Systems under Threat
Implementations of Cryptographic Algorithms
– On smart cards
– On general/specific purpose hardware
– On software

Power Attacks
Published on the web by Paul KOCHER (1998)
– Big noise in the cryptographic community
– Big fear in the smart card industry!
Power Attacks are powerful and generic
– Statistical & signal processing
– Known random messages
– Targeting a known algorithm
– Running on a single smart card
Attack performed in 2 steps
– Acquisition phase: on-line with the smart card
– Analysis phase: off-line on a PC (hypothesis testing)

What is a Power Analysis Attack?
Side-channel attacks exploit correlation between secret parameters and variations in timing, power consumption, and other emanations from cryptographic devices to reveal secret keys
[Figure: measurement setup with labels Cryptographic Device, Power Supply, R, Current or Power Measurement, Attacker’s Point]

Information Leakage

Acquisition procedure
Input data (messages Mi)
Algorithm Output (sign/cipher Si)
Power Consumption Curves Ci (or other side channel leakage like EM radiation)
Play the algorithm N times (100 < N < 100000)

Acquisition procedure
[Figure: monitoring equipment for iterated acquisitions. Labels: Main PC runs Acquisition software; Server stores files and runs Treatment software; Card reader; Card extension GCR; Oscilloscope; Protection box; R; command emission; Arm scope; Scope trigger on IO; Current waveform acquisition; file transfer; retrieve file]

POWER MEASUREMENT SETUP
• Oscilloscope
• Carefully choose resistors-capacitors
• Reduce noise
• Collect power traces
FREQUENCY AND SUPPLY VOLTAGE: UNDER THE CONTROL OF THE ATTACKER

Acquisition procedure
After data collection, what is available?
– N plain and/or cipher random texts

| i | Text |
|---|---|
| 00 | B688EE57BB63E03E |
| 01 | 185D04D77509F36F |
| 02 | C031A0392DC881E6 |
| … | … |

– N corresponding power consumption waveforms

What an Attacker Knows
– Precise power measurements
– Which algorithm is computed
– Ciphertexts and plaintexts
– Any additional information

Simple Power Analysis
(E.g., Kocher 1998) Attacker directly uses power consumption to learn bits of secret key. Wave forms visually examined.
Big features like rounds of DES, square vs. multiply in RSA exponentiation, and small features, like bit value.
Relatively easy to defend against.

Simple Power Analysis
– Simple attack, needs a few seconds
– Direct observation of a system’s power consumption
– Can gain very useful information

How SPA Works
Key = 101011
Double-and-Add Algorithm: Power Trace = [figure: trace annotated with bits 0 1 0 1 1]
With “Dummy” Operations: Power Trace = [figure: trace annotated with bits 0 1 0 1 1]
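
The slide's two traces can be reproduced as operation sequences. The following is an added example, not part of the original slides: it runs double-and-add with and without dummy additions on the slide's key 101011 and shows that only the first variant has an operation sequence that depends on the key. The modulus, base and function names are assumptions chosen for illustration, and the additive group of integers modulo n stands in for the real group.

```python
MODULUS = 1_000_003  # constructed toy modulus (assumption, not from the slides)
BASE = 7             # constructed base element (assumption)

def double_and_add(key_bits, base=BASE, n=MODULUS):
    """Left-to-right double-and-add; returns (k*base mod n, operation list)."""
    acc, ops = 0, []
    for bit in key_bits:
        acc = (2 * acc) % n
        ops.append("D")
        if bit == "1":               # the addition happens only for 1 bits
            acc = (acc + base) % n
            ops.append("A")
    return acc, ops

def double_and_add_always(key_bits, base=BASE, n=MODULUS):
    """Same result, but an addition is computed for every bit (dummy on 0)."""
    acc, ops = 0, []
    for bit in key_bits:
        acc = (2 * acc) % n
        ops.append("D")
        added = (acc + base) % n     # always computed
        ops.append("A")
        # Keep or discard the sum. Real code needs a branch-free select here;
        # a Python conditional only models the operation count.
        acc = added if bit == "1" else acc
    return acc, ops

def bits_readable_from(ops):
    """What the D/A pattern alone reveals: 'D A' reads as 1, lone 'D' as 0."""
    bits, i = [], 0
    while i < len(ops):
        if i + 1 < len(ops) and ops[i + 1] == "A":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return "".join(bits)

if __name__ == "__main__":
    for fn in (double_and_add, double_and_add_always):
        value, ops = fn("101011")
        print(fn.__name__, value, "".join(ops), bits_readable_from(ops))
```

With dummy operations the pattern is the same for every key of the same length, so the readable string no longer carries the key.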

SPA result Example
– Interpret power consumption measurement
– What is learned: device’s operation, key material
– Base: power consumption variance of µP instructions
– DES operation by smart card

Selection & prediction
Assume the data are processed by a known deterministic function f (transfer, permutation...)
Knowing the data, one can recompute off line its image through f
Si = f[Mi]
Now select a single bit among S bits (in S buffer)
One can predict the true story of its variations

| i | Message | bit |
|---|---|---|
| 0 | B688EE57BB63E03E | 1 |
| 1 | 185D04D77509F36F | 0 |
| 2 | C031A0392DC881E6 | 1 |
| … | … | … |

for i = 0, N-1

DPA operator & curve
Partition the data and related curves into two packs according to selected bit
Mi → f → bit(Si) = 0 or bit(Si) = 1
… and assign -1 to pack 0 and +1 to pack 1

| i | Message | bit | |
|---|---|---|---|
| 0 | B688EE57BB63E03E | 1 | +1 |
| 1 | 185D04D77509F36F | 0 | -1 |
| 2 | C031A0392DC881E6 | 1 | +1 |
| … | … | … | … |

for i = 0, N-1
Sum the signed consumption curves and normalise <=> Difference of averages (N0 + N1 = N)

$$\mathrm{DPA} = \frac{\sum C_1}{N_1} - \frac{\sum C_0}{N_0}$$

DPA operator & curve
DPA curve construction
[Figure: DPA curve construction. Messages M0, M1, ..., MN (B688EE..., 185D04D..., C031A0...) are sorted by selection bit (0 or 1), each pack is averaged, and the two averages are subtracted to give the DPA curve]

DPA Result Example
[Figure panels: Average Power Consumption; Power Consumption Differential Curve With Correct Key Guess; Power Consumption Differential Curve With Incorrect Key Guess; Power Consumption Differential Curve With Incorrect Key Guess]

DPA operator & curve
Spikes explanation: Hamming Weight of the bit’s byte
Average = E[HW0] = 0 + 3.5
Average = E[HW1] = 1 + 3.5
E[HW1] - E[HW0] = 1
[Figure: sample bytes written out bit by bit for messages 0, 1, 2, ..., with the selection bit column marked]
Contrast (peak height) proportional to $N^{1/2}$ (evaluation criterion)
If prediction was wrong: selection bit would be random
E[HW0] = E[HW1] = 4 => E[HW1] - E[HW0] = 0
[Figure: sample bytes written out bit by bit for messages 0, 1, 2, ..., with a selection bit unrelated to the bytes]
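
The Hamming weight argument and the difference of averages can be checked on a model. The following is an added example, not part of the original slides: it enumerates all byte values to confirm the 3.5 and 4.5 pack averages, then applies the DPA operator to constructed curves (Gaussian noise plus the Hamming weight of a random byte at one sample) with a correct and an unrelated selection bit. The noise level, curve length, leak position and all names are assumptions.

```python
import random

def hw(x):
    """Hamming weight of a byte."""
    return bin(x).count("1")

def exact_pack_means(bit=0):
    """E[HW] of pack 0 and pack 1 over all 256 byte values, split on one bit."""
    p0 = [hw(b) for b in range(256) if not (b >> bit) & 1]
    p1 = [hw(b) for b in range(256) if (b >> bit) & 1]
    return sum(p0) / len(p0), sum(p1) / len(p1)

def dpa_operator(curves, selection_bits):
    """Difference of averages per sample: mean(pack 1) - mean(pack 0)."""
    pack1 = [c for c, b in zip(curves, selection_bits) if b == 1]
    pack0 = [c for c, b in zip(curves, selection_bits) if b == 0]
    if not pack0 or not pack1:
        raise ValueError("both packs must be non-empty")
    def mean(pack, t):
        return sum(c[t] for c in pack) / len(pack)
    return [mean(pack1, t) - mean(pack0, t) for t in range(len(curves[0]))]

def simulate(n, leak_at=5, length=10, noise=2.0, seed=1):
    """Constructed curves: Gaussian noise, plus HW(byte) at sample leak_at."""
    rng = random.Random(seed)
    data = [rng.randrange(256) for _ in range(n)]
    curves = []
    for byte in data:
        curve = [rng.gauss(0, noise) for _ in range(length)]
        curve[leak_at] += hw(byte)
        curves.append(curve)
    return data, curves

def experiment(n=4000):
    """DPA curves for a correct and an unrelated prediction of bit 0."""
    data, curves = simulate(n)
    right = [b & 1 for b in data]              # bit really carried by the byte
    rng = random.Random(2)
    wrong = [rng.randrange(2) for _ in data]   # bit unrelated to the byte
    return dpa_operator(curves, right), dpa_operator(curves, wrong)

if __name__ == "__main__":
    print(exact_pack_means())
    good, bad = experiment()
    print([round(v, 2) for v in good])
    print([round(v, 2) for v in bad])
```

The correct prediction gives a peak close to 1 at the leaking sample and values near 0 elsewhere; the unrelated prediction stays near 0 at every sample.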

Reverse engineering using DPA
Use DPA to locate when predictable things occur
Example: locate an algo trace by targeting its output (ciphertext transfer to RAM, ciphertext is given)
[Figure: DPA curves shown against the consumption curve]

CONCLUSIONS
DPA vs. SPA
• Low amount of experiments
• Faster to launch
• Not many implementation details
• Noise is not so important
• Attacks even small features

REFERENCES
1. Paul Kocher, Joshua Jaffe, and Benjamin Jun, “Differential Power Analysis”, Advances in Cryptology – CRYPTO ’99, LNCS 1666, Aug. 1999, pp. 388-397
2. Kouichi Itoh, Masahiko Takenaka, and Naoya Torii, “DPA Countermeasure Based on the Masking Method”, ICICS 2001, LNCS 2288, 2002, pp. 440-456
3. Louis Goubin, Jacques Patarin, “DES and Differential Power Analysis”, Proceedings of Workshop on Cryptographic Hardware and Embedded Systems, Aug. 1999, pp. 158-172
4. Jean-Sebastien Coron, Louis Goubin, “On Boolean and Arithmetic Masking against Differential Power Analysis”, CHES 2000, LNCS 1965, 2000, pp. 231-237
5. Mehdi-Laurent Akkar, Christophe Giraud, “An Implementation of DES and AES, Secure against Some Attacks”, CHES 2001, LNCS 2162, 2001, pp. 309-318
6. D. May, H.L. Muller, and N.P. Smart, “Random Register Renaming to Foil DPA”, CHES 2001, LNCS 2162, 2001, pp. 28-38
7. S. Almanei, “Protecting Smart Cards from Power Analysis Attacks”, http://islab.oregonstate.edu/koc/ece679cahd/s2002/almanei.pdf, May 2002
8. Adi Shamir, “Protecting Smart Cards from Passive Power Analysis with Detached Power Supplies”, CHES 2000, LNCS 1965, 2000, pp. 71-77
9. P. Y. Liardet, N. P. Smart, “Preventing SPA/DPA in ECC Systems Using the Jacobi Form”, CHES 2001, LNCS 2162, 2001, pp. 391-401
10. Jean-Sebastien Coron, “Resistance Against Differential Power Analysis for Elliptic Curve Cryptosystems”, in Ç.K. Koç and C. Paar, Eds., Cryptographic Hardware and Embedded Systems, vol. 1717 of Lecture Notes in Computer Science, pp. 292–302, Springer-Verlag, 1999
11. Marc Joye and Christophe Tymen, “Protections against differential analysis for elliptic curve cryptography: An algebraic approach”, in Ç.K. Koç, D. Naccache, and C. Paar, Eds., Cryptographic Hardware and Embedded Systems – CHES 2001, vol. 2162 of Lecture Notes in Computer Science, pp. 377–390, Springer-Verlag, 2001