
frequency domain. This allows a time-invariant analysis of side-channel leakage across the whole signal spectrum. This analysis is also referred to as Differential Frequency Analysis (DFA) [72]. DFA reduces the effect of misalignment, or time shifts, between traces. The frequency analysis may reveal loops and other repeating structures in an algorithm. It is mainly used to detect the region of interest in real power traces.

In Chapter 3 we describe the evaluation framework used in this Ph.D. thesis. We consider an expert attacker with deep knowledge of the implementation. Therefore, we use perfectly aligned traces obtained from the execution of the encryption algorithm, ignoring any other code executed on the target device. This information could be obtained by the attacker using DFA.

2.3 SCA in FSR-based Ciphers

This Ph.D. thesis focuses on countermeasures that protect FSR-based algorithms against SCA. This section provides an overview of existing FSR-based algorithms and of the attacks that have been applied to them. Some countermeasures that have been suggested and applied to protect these implementations are also presented. Both the attacks and the countermeasures are concrete cases of those presented in Sections 2.1 and 2.2.

FSR-based encryption algorithms combine FSR structures, which generate pseudorandom sequences, with the input data that needs to be secured and a key known by transmitter and receiver, to generate a ciphertext. Section 1.4 provides an introduction to these algorithms. They can be classified in two groups according to the relation between the input data and the FSR structure: “a priori” and “a posteriori”. DSCA requires knowledge of some data that is operated with the unknown secret, in order to make hypotheses on the possible intermediate values that result from operating the known value with all possible values of the secret data. The “a priori” implementations provide this information, as the input data is manipulated in the FSR. On the other hand, “a posteriori” algorithms obtain a value from the pseudorandom sequence generator and combine it with the input data. The keystream is computed independently of the plaintext to be encrypted and the input data is not involved in the FSR, so it is not possible to apply DSCA to these algorithms.

However, several FSR-based algorithms require frequent resynchronization of the FSR state, to prevent synchronization loss between sender and receiver. In this case, the state is frequently reinitialized with the same secret key and a different IV. These are FSR-based stream encryption algorithms; it is the case of GSM using A5/1 or Bluetooth using E0. DSCA attacks are applied to this initialization phase in “a posteriori” algorithms to obtain the secret key used for synchronization. The same approach was first applied to RC4, the stream cipher used in the WEP and WPA protocols of IEEE 802.11, which is not an FSR-based algorithm.

The state registers of an FSR between two consecutive cycles differ only in the newly calculated bit. In hardware implementations, the power consumed by the FSR depends on the number of bit toggles of the state registers. Cycles with the same power consumption correspond to the same number of toggles. Two consecutive cycles always have a similar number of toggles. Whether the power consumption is the same or not provides information about the newly calculated bit and the output bit.

In [39] this property is exploited theoretically in an n-bit LFSR using the Berlekamp-Massey algorithm [120] with only n power traces. In [104] the authors propose using parallel FSRs to avoid this information leakage, as well as using dual-rail logic. When using parallel FSRs, they recommend not using clock-controlled generators, as the absence of an operation can be detected by analyzing the power consumption. Another recommendation is to avoid bit-wise key loading, which exposes each key bit individually, preferring parallel key loading.

A5/1 is the stream cipher used in the GSM cellular telephone standard to provide privacy in wireless communications; it was reverse engineered in [35]. It is an irregularly clocked combination of 3 LFSRs in an “a priori” implementation. E0 is the stream cipher used in Bluetooth, the wireless technology standard for exchanging data over short distances, as described in the Bluetooth Specification [161]. It is an “a posteriori” algorithm that generates a sequence of pseudorandom numbers that are combined with a shrinking generator.

In [105] theoretical DPA attacks on A5/1 and E0 are presented. In both cases, the authors identify an intermediate value that manipulates key-dependent operands. In [188] practical CPA attacks were performed on A5/1 and E0 using a simulator, following the methodology described in [105].

In [47] the A3/8 algorithm of GSM is reverse engineered using SCARE.

eSTREAM is a project of the EU ECRYPT network to identify new stream ciphers suitable for widespread adoption. The results of the project include four software implementations and three hardware candidates, including Trivium and Grain.

Grain includes an LFSR, an NLFSR and several combinational logic blocks. It has an initialization phase and a clocking phase, controlled by a switch named δ. Trivium includes three connected FSRs. The bit shifted into each FSR is a non-linear combination of register values from the three. In the initialization phase, one of the FSRs starts with a fixed pattern while the key and IV are shifted into the other two. In [70] DSCA is performed on both algorithms using chosen initial values.

KeeLoq is a block cipher built on an NLFSR, used in many RKE systems in the automotive sector and in parking facilities. It was conceived as a hardware-oriented cipher, although a software implementation is provided by Microchip and is widely used in industry. Both hardware and software implementations have been targets of SCA.

After the first cryptanalysis of the cipher in [30], more analytical attacks were proposed [57, 91], revealing mathematical weaknesses of the cipher.

In [65] the first SCA applied to KeeLoq is published. The authors obtain the secret key from hardware and software implementations by applying CPA. The target intermediate value is the value of the state at round 6.

In [97], an SPA is performed by characterizing the time needed by a software implementation to complete a round for different input bits and key values. The method described in [97] can break a KeeLoq software implementation with only one measured trace.


In Chapter 3 we describe the evaluation framework used in this Ph.D. thesis. We evaluate KeeLoq implementations, as KeeLoq has been attacked with different SCA on real devices and is widely used. In Section 3.1 we describe the algorithm and the attacks in more detail.

2.3.1 Countermeasures on FSR-based Algorithms

For hardware implementations, using secured logic is the most frequently suggested countermeasure since SABL was recommended in [151] for stream ciphers. This logic has been improved with other dual-rail logic technologies for ASICs and FPGAs. Dual-rail logic gates have lower power variations, but an overhead in power consumption and area compared to standard digital cells.

In [39] the authors propose implementing a complementary LFSR, whose registers toggle when the original ones do not and vice versa, so that the total number of toggles per cycle is constant. The countermeasure requires balancing gate delays and clock paths to avoid skews. It is the same concept as secured logic gates, but more complicated to implement correctly.
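The toggle-count leakage described above and the complementary-register countermeasure of [39], as an added simulation that is not code from the thesis: a Fibonacci LFSR is clocked, the Hamming distance between consecutive states stands in for the power consumption, and the difference between consecutive toggle counts is checked against the relation (new_t xor new_t+1) - (out_t xor out_t+1) that follows from the shift structure. The 16-bit register and its taps are a constructed example, not a cipher from the page.

```python
# Leakage model of an n-bit LFSR: the number of state bits that toggle per clock
# cycle. Bit 0 is the output bit; the feedback bit enters at the high end.

def lfsr_step(state, taps):
    """One Fibonacci LFSR clock. The feedback bit is the XOR of the tapped bits."""
    fb = 0
    for t in taps:
        fb ^= state[t]
    return state[1:] + [fb]

def toggles(prev, cur):
    """Hamming distance between two consecutive states: the dominant CMOS leakage."""
    return sum(a != b for a, b in zip(prev, cur))

def run(state, taps, cycles):
    """Clock the LFSR and return per-cycle toggle counts, output bits and new bits."""
    counts, outs, fbs = [], [], []
    for _ in range(cycles):
        nxt = lfsr_step(state, taps)
        counts.append(toggles(state, nxt))
        outs.append(state[0])     # bit shifted out in this cycle
        fbs.append(nxt[-1])       # newly calculated bit
        state = nxt
    return counts, outs, fbs

def leak_delta(outs, fbs, t):
    """Difference counts[t+1] - counts[t] predicted from the new and output bits:
    only the bit leaving the register and the bit entering it change the count."""
    return (fbs[t] ^ fbs[t + 1]) - (outs[t] ^ outs[t + 1])

def run_complementary(state, taps, cycles):
    """Same LFSR plus a complementary register that toggles exactly when the
    original bit does not, as proposed in [39]: total toggles per cycle is n."""
    counts = []
    for _ in range(cycles):
        nxt = lfsr_step(state, taps)
        d = toggles(state, nxt)
        counts.append(d + (len(state) - d))
        state = nxt
    return counts

if __name__ == "__main__":
    seed, taps = [1] + [0] * 15, [0, 2, 3, 5]       # constructed 16-bit example
    counts, outs, fbs = run(seed, taps, 40)
    print("toggles per cycle:", counts)
    print("all deltas explained by new/output bits:",
          all(counts[t + 1] - counts[t] == leak_delta(outs, fbs, t) for t in range(39)))
    print("with complementary register:", run_complementary(seed, taps, 40))
```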

In [117], the authors also propose a countermeasure using standard cells. The basic concept is to predict the power consumption of the FSR online. The switching activity is the main cause of FSR power consumption, and the switching activity of an n-bit FSR is typically in a small range around n/2. They measure the switching activity and divide the possible values into three groups. For each group, a different power supply level is applied to the circuit, homogenizing the power consumption. This countermeasure is intended to make the attack harder, not to prevent it.

In [118], the authors propose an alternative method to modify the switching activity, which is complementary to the previous countermeasure. A fault injected in one register does not propagate until its value reaches an output register. If it is corrected before the value reaches an output register, the faulty value does not affect the global output, although it does affect the switching activity. Pairs of fault-injecting/fault-correcting elements, known as “modification points”, are inserted between output registers and operate intermittently and synchronously. A first-order DPA or MIA on a protected Grain implementation is not possible. More complex attacks, assuming knowledge of the (randomly picked) masks, show the feasibility of the attack with 10^5 traces, depending on the selected mask. Changing the mask (the set of operative “modification points”) between executions would avoid this weakness.

For software countermeasures, in [151] the authors recommend the use of random delays and masking mechanisms, where possible. In order to facilitate masking countermeasures, it is recommended to keep the number of different operations as small as possible, avoiding, when feasible, operations that require switching between different types of masking.

In [97], the authors evaluate a deployed software implementation of KeeLoq with random delays inserted by means of interrupts. In order to reduce the effect of the countermeasure, they perform profiling on a similar device, running the same implementation, that was not the target of the attack. When performing the SPA, they include in the preprocessing phase a correlation with the pattern of the dummy instructions. The samples corresponding to the dummy instructions are successfully detected and removed, and the key is obtained from just one trace.

In this Ph.D. thesis we propose a set of countermeasures at different levels that introduce randomness by using different implementations of the encryption algorithm. Our proposals include duplication of the algorithm, dummy execution of rounds, and automatic time delay insertion using compiler optimizations.