DPA : Attaques et Contre-mesures
Shivam BHASIN, Taoufik CHOUTA, Guillaume DUC, Jean-Luc DANGER,
Aziz EL AABID, Florent FLAMENT, Philippe HOOGVORST,
Tarik GRABA, Sylvain GUILLEY, Houssem MAGHR’EBI,
Olivier MEYNARD, Maxime NASSAR, Renaud PACALET,
Laurent SAUVAGE, Nidhal SELMANE and Youssef SOUISSI.
Institut TELECOM
/
TELECOM-ParisTech
CNRS
–
LTCI (UMR 5141)
SECURE
GDR SoC-SiP
14:00 – 14:45
AMPHI SAPHIR,
TELECOM ParisTech
,
PARIS
.
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 1/42
Presentation Outline
1
Context
2
Side-Channel Attacks
Side-Channels
Side-Channels Acquisitions
Attack Algorithms
3
Counter-Measures to SCAs
Protocol-Level
Register Transfer Level
Netlist Level
4
Attacks on Counter-Measures
Attack on Information Masking
Attack on Information Hiding
5
Conclusions and Perspectives
Conclusions
Perspectives
Presentation Outline
1
Context
2
Side-Channel Attacks
Side-Channels
Side-Channels Acquisitions
Attack Algorithms
3
Counter-Measures to SCAs
Protocol-Level
Register Transfer Level
Netlist Level
4
Attacks on Counter-Measures
Attack on Information Masking
Attack on Information Hiding
5
Conclusions and Perspectives
Conclusions
Perspectives
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 3/42
Adversary’s goal
Secrets extraction.
Protection
Conceal the secrets in a device (ASIC) ...
... or in the bitstream of an FPGA.
Representativity of the study
Most problems come down to this...
Example:
Fetching a data in an encrypted memory
⇒
decrypt the memory,
⇒
attack the CPU,
There are other applications of SCA
SCARE: secret cryptography.
Test (virtual oscilloscope).
Subliminal channel for IPs watermarking.
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 5/42
Presentation Outline
1
Context
2
Side-Channel Attacks
Side-Channels
Side-Channels Acquisitions
Attack Algorithms
3
Counter-Measures to SCAs
Protocol-Level
Register Transfer Level
Netlist Level
4
Attacks on Counter-Measures
Attack on Information Masking
Attack on Information Hiding
5
Conclusions and Perspectives
Conclusions
Perspectives
Typical side-channels
TA
Attacked circuit
EMA
SPA, DPA, templates,etc.
Time
Timing
Attacks [
5
].
Power Analysis
Attacks [
6
].
Electro-magnetic
Attacks [
1
].
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 7/42
Are SCAs intrusive?
Side-Channel Attacks (SCA)
versus
Fault Injection Attacks (FIA)
SCA: passive
FIA: active
But what about the experimental setup?
Non-intrusive
Intrusive
Deportable IC
(smartcard)
Timing, power, EM
—
Soldered IC or BGA
(FPGA)
Timing, EM
power
The know-how in measurements is capital
.
→
The 3rd version (2010–2011) of the DPA contest
(
http://www.dpacontest.org/
) will have an acquisition
competition, based on SASEBO GII.
ALTERA Excalibur evaluation board “customized for DPA”
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 9/42
Parallax ALTERA Stratix board “customized for DPA” [
3
]
Pads and
board
supply
(5.0 V)Core
supply
(1.5 V)Serial
port
Side-channel measurement
FPGA
XCV800 home-made board suitable for
global
EMA
Antenna
Acquisition setup
Pictures are courtesy of ESAT, Katholieke Universiteit Leuven,
Belgium, (Elke De Mulder [
7
]).
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 11/42
In-house ALTERA Stratix “as is” suitable for
local
XILINX Virtex-5 evaluation board “customized for EMA”
FPGA
chip
Metallic
cover
FF324 (18
2
pins) socket
XC5VLX50 evaluation board
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 13/42
Modus operandi
Information known/unknown by the attacker
Known: Observations
O
;
Known: (usually) either the plaintext or the ciphertext.
Unknown: the encryption key (case of symmetric encryption).
Strategy: divide-and-conquer
Partition
observations according to a
sensitive
variable
S
:
depends on the secret
K
,
not too many bits of
K
, since attack = exhaustive search,
is computable from the plaintext / ciphertext.
Therefore:
attacks target the first or the last round (in general),
MixColumns
in AES hard to invert
⇒
attack the last round.
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECUREUse the traces
O
to distinguishing between the
correct
partitioning from
wrong
ones
Distinguishers use a model
M
(
S
) is the
physical syndrome
related to the
manipulation
of the secret
S
. It is called the
leakage model
.
Examples of distinguishers
|
E
(
O
|
M
(
S
) = 0)
−
E
(
O
|
M
(
S
) = 1)
|
: . . . DoM
E
S
((
O
|
M
(
S
)
−
E
O
|
M
(
S
))(
M
(
S
)
−
E
M
(
S
))): . . . Covariance
ρ
s
(
O
|
S
=
s
;
M
(
s
)): . . . CPA
Models
M
(
S
)
(classification by [
10
])
Partition-based:
If unprotected:
M
(
s
) =
|
s
|
;
Hamming weight; Bus cleared in SW
M
(
s
) =
|
s
⊕
R
|
;
Hamming weight; Bus precharged in SW
M
(
s
) =
|
s
⊕
s
−
1
|
;
Hamming distance; typical of HW
M
(
s
) =
|
s
·
s
−
1
|
+ (1
−
δ
)
|
s
·
s
−
1
|
; Idem, but in near-field EMA
If protected:
M
(
s
) =
s
.
Warning
: 2
n
values!
Difficult to be more inventive if the countermeasure is sound...
but we’ll see
,
Comparison-based:
(profiled attacks)
M
(
S
) =
E
(
O
|
S
);
templates
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 17/42
Various leakage models for DES (iterative architecture)
L1
L0
R0
R1
Feistel
function:
f
t
= 1
32
model B
model C
t
= 0
32
32
model A
model D
K1
32
L16
R15
Feistel
function:
f
L15
R16
model D
32
model B
32
model A
K16
32
32
model C
t
= 16
t
= 15
Attack on the first round of DES
Attack on the last round of DES
Finding the best leakage models is not obvious
0 0.2 0.4 0.6 0.8 1 0 500 1000 1500 2000 2500 3000 3500 4000 0 100 200 300 400 500 600 0 0.2 0.4 0.6 0.8 1 Success rateTraces for online attack
Traces for profiling Success rate 0 0.1 0.2 0.3 0.4 0.5 0.6 0 500 1000 1500 2000 2500 3000 3500 4000 0 500 1000 1500 2000 2500 3000 3500 4000 0 0.2 0.4 0.6 0.8 1 Success rate
Traces for online attack
Traces for profiling Success rate
Success rate for model A.
Success rate for model B.
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 0 500 1000 1500 2000 2500 3000 3500 4000 0 500 1000 1500 2000 2500 3000 3500 4000 0 0.2 0.4 0.6 0.8 1 Success rate
Traces for online attack
Traces for profiling Success rate 0 0.2 0.4 0.6 0.8 1 0 500 1000 1500 2000 2500 3000 3500 4000 0 500 1000 1500 2000 2500 3000 3500 4000 0 0.2 0.4 0.6 0.8 1 Success rate
Traces for online attack
Traces for profiling Success rate
Success rate for model C.
Success rate for model D.
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 19/42
-20 0 20 40 60 80 -8 0 8 16 Voltage [mV]
Time [clock periods] Average power trace
-20 0 20 40 60 80 -8 0 8 16 Voltage [mV]
Time [clock periods]
Covariance result (same scale as the average power trace)
SecMat v1[ASIC]
:
Typical trace: 92 mV
Typical DPA: 3.0 mV
⇒
Side-channel leakage:
3.3 %
See [
4
]
-0.5 0 0.5 1 1.5 2 2.5 3 -8 0 8 16 Voltage [mV]Time [clock periods] Covariance result (zoomed)
Combined attacks!
1
Various distinguishers for a same partitioning;
2
One distinguisher can be evaluated on various partitionings;
3The diversity can also come from the multiplicity of timing
samples usually garnered during an acquisition campaign;
4
It can also arise from multi-modal acquisitions;
5
There can be situations where the most suitable partitioning
can evolve from sample to sample in a side-channel capture.
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 21/42
Presentation Outline
1
Context
2
Side-Channel Attacks
Side-Channels
Side-Channels Acquisitions
Attack Algorithms
3
Counter-Measures to SCAs
Protocol-Level
Register Transfer Level
Netlist Level
4
Attacks on Counter-Measures
Attack on Information Masking
Attack on Information Hiding
5
Conclusions and Perspectives
Conclusions
Perspectives
Targeted strategies
Protocol-level:
Most wanted since provable
Register-Transfer Level:
Masking. Easiest to implement; Boolean or algorithmic.
Encrypted leakage
Glitch-full circuits
Netlist or implementation level:
Hiding (= DPL, Dual-rail with Precharge Logic)
Degenerated counter-measures / “Make difficult” strategies
DPL w/o precharge
Noise generator, Dummy instructions, Varying clock,
etc.
⇒
And as for attacks, countermeasures can be combined.
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 23/42
Protocol level:
if
≈
1 bit is leaked per 100 encryptions...
AES
−1 k0hash
hash
AES
k0k
0k
0k
1k
1100
×
AES
−1 k1hash
hash
AES
k1k
1k
1k
2k
2100
×
Alice:
Bob:
Masking
Principle
Every variable
s
, potentially sensible, is represented as a share
{
s
0
,
s
1
,
· · ·
,
s
n
−
1
}
To reconstruct
s
, all the
s
i
are required.
Example:
n
= 2,
s
=
.
s
0
⊕
s
1
.
Leakage resistant since variables are never used plain;
Attractive but works only fine for registers.
Efforts done to protect also the combinational logic.
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 25/42
Encrypted Leakage
y= DES(x,kc) Masked DFF ki x Encrypted bitstream Masked DES kb kc Side-channel: EMA, power FPGA y= DES(x,kc) Masked DFF x Masked DES Side-channel: EMA, power ASIC (tamper-proof) personalization NVM k i kcGlitch-full circuits
(a)
(b)
IP FP 1 2 0 0 1 2 3 FP 8 in p u t LS PC1◦FP 0 1 2 ou tp u t 8 64 56 Parity bits 8×1 ... ... ... “Normal” “IP” representation p u re ly co m b in a to ri a l lo g ic IF 3→1 MUX LR CD Key schedule Key schedule Round logic 3→1 MUX 4→1 MUX Round logic Key schedule Round logic Round logic Key schedule Round 2: Round 15: Round 16: ... Round 1: (1) (2)S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 27/42
Glitch-full circuits
(a)
(b)
IP FP 1 2 0 0 1 2 3 FP 8 in p u t LS PC1◦FP 0 1 2 ou tp u t 8 64 56 Parity bits 8×1 “Normal” “IP” representation p u re ly co m b in a to ri a l lo g ic ... ... ... IF 3→1 MUX LR CD Key schedule Key schedule Round logic 3→1 MUX 4→1 MUX Round logic Key schedule Round logic Round logic Key schedule ... Round 1: Round 2: Round 15: Round 16: (1) (2)(a)
(b)
0 5 10 15 20 25 30 35 0 200 400 600 800 1000Average +/- standard deviation [mV]
Time [ns]
Round #1 Round #2 Round #3 Round #4 Round #5 Round #6 Round #7 Round #8 ... 11 ns 0 20 40 60 80 100 120 140 160 180 200 220 0 50 100 150 200
Average +/- standard deviation [mV]
Time [ns] 35 ns
All 16 rounds
<1 ns >2 ns
(a)
Sequential iterative DES encryption signature, with the
average variation margin, for statistics collected on 10k
measurements.
(b)
Average combinatorial DES encryption signature, with
the average variation margin, for statistics collected on
100k measurements.
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 28/42
Hiding: Placement and Routing of Xilinx WDDL+ Netlists.
P&R tools “naturally” separate true and false paths
Example with AES substitution box SUBBYTES with and
without placement constraints (2
×
2 LuT4 per slice)
Presentation Outline
1
Context
2
Side-Channel Attacks
Side-Channels
Side-Channels Acquisitions
Attack Algorithms
3
Counter-Measures to SCAs
Protocol-Level
Register Transfer Level
Netlist Level
4
Attacks on Counter-Measures
Attack on Information Masking
Attack on Information Hiding
5
Conclusions and Perspectives
Conclusions
Perspectives
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 30/42
Left mask (M Li) Right mask (M Ri) ki IP m S’ m′ P S(x⊕kc) ⊕m′ E Left masked data (Li) FP Right masked data (Ri) Ciphertext Message IP P S E kc xm Feistel functionf
Left masked data (Li) Left mask (M Li) FP Right mask (M Ri) Right masked data (Ri) Ciphertext Message ki IP IP m′ S(x⊕kc) P P S’ S E E kc m xm Feistel functionf ⊕m′
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 32/42
Attacks on masking
(1/2)
0 1 2 3 4 O|L= 0 0 1 2 3 4 0 1 2 3 4 0 1 2 3 4 0 1 2 3 4 0 1 2 3 4 p(L= 0) = 1/16 p(L= 1) = 4/16 p(L= 2) = 6/16 p(L= 3) = 4/16 p(L= 4) = 1/16 H(O|L= 0) = 0 H(O|L= 1) = 0 H(O|L= 3) = 0 H(O|L= 3) = 0 H(O|L= 4) = 0 ⇒H(O|L) = 0 bit H(O|L= 0) = 2.03H(O|L= 1) = 2.03 H(O|L= 2) = 2.03 H(O|L= 3) = 2.03H(O|L= 4) = 2.03 ⇒H(O|L) = 2.03 bit In co rr ect key (i .e. ra n d om L ) 0 1 2 3 4 O|L= 4 0 1 2 3 4 O|L= 2 0 1 2 3 4 O|L= 1 0 1 2 3 4 O|L= 3 C or rect key (i .e. p h y si ca l L ) O|L= 0 O|L= 1 O|L= 2 O|L= 3 O|L= 4Attacks on masking
(2/2)
0 2 4 6 8 O|L= 0 0 2 4 6 8 O|L= 1 0 2 4 6 8 O|L= 4 0 2 4 6 8 O|L= 2 0 2 4 6 8 O|L= 3 C or rect key (i .e. p h y si ca l L ) 0 2 4 6 8 O|L= 0 0 2 4 6 8 O|L= 1 0 2 4 6 8 O|L= 2 0 2 4 6 8 O|L= 3 0 2 4 6 8 O|L= 4 p(L= 0) = 1/16 p(L= 1) = 4/16 p(L= 2) = 6/16 p(L= 3) = 4/16 p(L= 4) = 1/16 H(O|L= 0) = 2.03 H(O|L= 1) = 1.81 H(O|L= 3) = 1.5 H(O|L= 3) = 1 H(O|L= 4) = 0 ⇒H(O|L) = 1.39 bit H(O|L= 0) = 2.54H(O|L= 1) = 2.54 H(O|L= 2) = 2.54 H(O|L= 3) = 2.54H(O|L= 4) = 2.54 ⇒H(O|L) = 2.54 bit In co rr ect key (i .e. ra n d om L )S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 34/42
Models
M
(
S
)
(classification by [
10
])
Partition-based:
If unprotected:
M
(
s
) =
|
s
|
;
Hamming weight; Bus cleared in SW
M
(
s
) =
|
s
⊕
R
|
;
Hamming weight; Bus precharged in SW
M
(
s
) =
|
s
⊕
s
−
1
|
;
Hamming distance; typical of HW
M
(
s
) =
P
i
s
·
s
−
1
+ (1
−
δ
)
s
·
s
−
1
; Idem, but in near-field EMA
If protected:
M
(
s
) =
s
. WARNING: 2
n
values!
Difficult to be more inventive if the countermeasure is sound...
M
(
S
) =
S
1
+
S
2
;
Zero-offset
M
(
S
) = (
S
1
,
S
2
)
;
Multi-variate MIA (MMIA [
2
])
Comparison-based:
(profiled attacks)
Attacks on DPL
0 200 400 600 800 1000 1200 −0.01 0 0.01 0.02 0.03 0.04 0.05 0.06SAMPLES
MUTUAL INFORMATION
AES−WDDL−no−EE AES−WDDL−EEEv
al
u
at
io
n
Pr
ec
h
ar
ge
R
ou
n
d
9
R
ou
n
d
9
Ev
al
u
at
io
n
R
ou
n
d
10
Pr
ec
h
ar
ge
R
ou
n
d
10
sensitive not sensitive
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 36/42
Presentation Outline
1
Context
2
Side-Channel Attacks
Side-Channels
Side-Channels Acquisitions
Attack Algorithms
3
Counter-Measures to SCAs
Protocol-Level
Register Transfer Level
Netlist Level
4
Attacks on Counter-Measures
Attack on Information Masking
Attack on Information Hiding
5
Conclusions and Perspectives
Conclusions
Perspectives
Formal practice-oriented framework [
11
]
Attacks metric
Leakage metric
Reduction function
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 38/42
Counter-Measures are still
ad hoc
1
Multiplicative masking of AES (M.-L. Akkar and Ch. Giraud,
CHES 2001)
Zero Attack (Jovan Dj. Golic, Christophe Tymen, CHES 2002)
2Provable secure S-Box implementation based on FFT (E.
Prouff et al, CHES 2006)
Bias of the mask attack (S. Coron, CHES 2008)
3MDPL (Th. Popp and S. Mangard, CHES 2005)
Folding attack (P. Schaumont and K. Tiri, CHES 2007),
Subset attack (E. de Mulder et al, WIFS 2009)
4
DRSL (Z. Chen and Y. Zhou, CHES 2006)
Glitch on precharge (M. Nassar, DATE 2009)
Call for Further Researches
⇒
Open Issues
Need for formal proofs of security
Can be at protocol level (
work in progress
).
Could also be at implementation level (
new research area
).
Devise countermeasures globally ...
... taking into account all possible weaknesses:
Observation.
Perturbation.
Manipulation.
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 40/42
[1] Karine Gandolfi, Christophe Mourtel, and Francis Olivier.
Electromagnetic Analysis: Concrete Results.
InCHES, volume 2162 ofLNCS, pages 251–261. Springer, May 14-16 2001. Paris, France.
[2] Benedikt Gierlichs, Lejla Batina, Bart Preneel, and Ingrid Verbauwhede.
Revisiting Higher-Order DPA Attacks: Multivariate Mutual Information Analysis.
InCT-RSA, volume 5985 ofLNCS, pages 221–234. Springer, March 1-5 2010. San Francisco, CA, USA.
[3] Sylvain Guilley, Laurent Sauvage, Jean-Luc Danger, Tarik Graba, and Yves Mathieu.
Evaluation of Power-Constant Dual-Rail Logic as a Protection of Cryptographic Applications in FPGAs.
InSSIRI, pages 16–23, Yokohama, Japan, jul 2008. IEEE Computer Society. DOI: 10.1109/SSIRI.2008.31,http://hal.archives-ouvertes.fr/hal-00259153/en/.
[4] Sylvain Guilley, Laurent Sauvage, Jean-Luc Danger, Nidhal Selmane, and Renaud Pacalet.
Silicon-level solutions to counteract passive and active attacks.
InFDTC, 5th Workshop on Fault Detection and Tolerance in Cryptography, IEEE-CS, pages 3–17, Washington DC, USA, aug 2008.
(Up-to-date version onhttp://hal.archives-ouvertes.fr/HAL:
http://hal.archives-ouvertes.fr/hal-00311431/en/).
[5] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun.
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems.
InProceedings of CRYPTO’96, volume 1109 ofLNCS, pages 104–113. Springer-Verlag, 1996. (http://www.cryptography.com/timingattack/paper.htmlPDF).
[6] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun.
Differential Power Analysis.
InProceedings of CRYPTO’99, volume 1666 ofLNCS, pages 388–397. Springer-Verlag, 1999. (PDF).
[7] Elke De Mulder, Pieter Buysschaert, Sıddıka Berna ¨Ors, Peter Delmotte, Bart Preneel, Guy Vandenbosch, and Ingrid Verbauwhede.
Electromagnetic Analysis Attack on an FPGA Implementation of an Elliptic Curve Cryptosystem.
InIEEE International Conference on Computer as a tool (http: // www. eurocon2005. org. yu/EUROCON), pages 1879–1882, November 2005.
Belgrade, Serbia & Montenegro.
[8] Laurent Sauvage, Sylvain Guilley, Jean-Luc Danger, Yves Mathieu, and Maxime Nassar.
Successful Attack on an FPGA-based Automatically Placed and Routed WDDL+ Crypto Processor.
InDATE, track A4 (Secure embedded implementations), April 20–24 2009.
Nice, France. Electronic version:http://hal.archives-ouvertes.fr/hal-00325417/en/.
[9] Laurent Sauvage, Sylvain Guilley, and Yves Mathieu.
ElectroMagnetic Radiations of FPGAs: High Spatial Resolution Cartography and Attack of a Cryptographic Module.
ACM Trans. Reconfigurable Technol. Syst., 2(1):1–24, March 2009.
Full text in
http://hal.archives-ouvertes.fr/hal-00319164/en/
.[10] Fran¸cois-Xavier Standaert, Benedikt Gierlichs, and Ingrid Verbauwhede.
Partition vs. Comparison Side-Channel Distinguishers: An Empirical Evaluation of Statistical Tests for Univariate Side-Channel Attacks against Two Unprotected CMOS Devices.
InICISC, volume 5461 ofLNCS, pages 253–267. Springer, December 3-5 2008. Seoul, Korea.
[11] Fran¸cois-Xavier Standaert, Tal Malkin, and Moti Yung.
A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks.
InEUROCRYPT, volume 5479 ofLecture Notes in Computer Science, pages 443–461. Springer, April 26-30 2009.
Cologne, Germany.
S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 42/42