DPA : Attaques et Contre-mesures

(1)

DPA : Attaques et Contre-mesures

Shivam BHASIN, Taoufik CHOUTA, Guillaume DUC, Jean-Luc DANGER,

Aziz EL AABID, Florent FLAMENT, Philippe HOOGVORST,

Tarik GRABA, Sylvain GUILLEY, Houssem MAGHR’EBI,

Olivier MEYNARD, Maxime NASSAR, Renaud PACALET,

Laurent SAUVAGE, Nidhal SELMANE and Youssef SOUISSI.

Institut TELECOM

/

TELECOM-ParisTech

CNRS

–

LTCI (UMR 5141)

SECURE

GDR SoC-SiP

14:00 – 14:45

AMPHI SAPHIR,

TELECOM ParisTech

,

PARIS

.

S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE 1/42

(2)

Presentation Outline

1

Context

2

Side-Channel Attacks

Side-Channels

Side-Channels Acquisitions

Attack Algorithms

3

Counter-Measures to SCAs

Protocol-Level

Register Transfer Level

Netlist Level

4

Attacks on Counter-Measures

Attack on Information Masking

Attack on Information Hiding

5

Conclusions and Perspectives

Conclusions

Perspectives

(3)

1

Context

2

Side-Channels

Attack Algorithms

3

Counter-Measures to SCAs

Protocol-Level

Netlist Level

4

5

Conclusions

Perspectives

(4)

Adversary’s goal

Secrets extraction.

Protection

Conceal the secrets in a device (ASIC) ...

... or in the bitstream of an FPGA.

Representativity of the study

Most problems come down to this...

Example:

Fetching a data in an encrypted memory

⇒

decrypt the memory,

⇒

attack the CPU,

(5)

There are other applications of SCA

SCARE: secret cryptography.

Test (virtual oscilloscope).

Subliminal channel for IPs watermarking.

(6)

1

Context

2

Side-Channels

Attack Algorithms

3

Protocol-Level

Netlist Level

4

5

Conclusions

Perspectives

(7)

Typical side-channels

TA

Attacked circuit

EMA

SPA, DPA, templates,etc.

Time

Timing

Attacks [

5

].

Power Analysis

Attacks [

6

].

Electro-magnetic

Attacks [

1

].

(8)

Are SCAs intrusive?

Side-Channel Attacks (SCA)

versus

Fault Injection Attacks (FIA)

SCA: passive

FIA: active

But what about the experimental setup?

Non-intrusive

Intrusive

Deportable IC

(smartcard)

Timing, power, EM

—

Soldered IC or BGA

(FPGA)

Timing, EM

power

The know-how in measurements is capital

.

→

The 3rd version (2010–2011) of the DPA contest

(

http://www.dpacontest.org/

) will have an acquisition

competition, based on SASEBO GII.

(9)

ALTERA Excalibur evaluation board “customized for DPA”

(10)

Parallax ALTERA Stratix board “customized for DPA” [

3

]

Pads and

board

supply

(5.0 V)

Core

supply

(1.5 V)

Serial

port

Side-channel measurement

FPGA

(11)

XCV800 home-made board suitable for

global

EMA

Antenna

Acquisition setup

Pictures are courtesy of ESAT, Katholieke Universiteit Leuven,

Belgium, (Elke De Mulder [

7

]).

(12)

In-house ALTERA Stratix “as is” suitable for

local

(13)

XILINX Virtex-5 evaluation board “customized for EMA”

FPGA

chip

Metallic

cover

FF324 (18

2

pins) socket

XC5VLX50 evaluation board

(14)

(15)

Modus operandi

Information known/unknown by the attacker

Known: Observations

O

;

Known: (usually) either the plaintext or the ciphertext.

Unknown: the encryption key (case of symmetric encryption).

Strategy: divide-and-conquer

Partition

observations according to a

sensitive

variable

S

:

depends on the secret

K

,

not too many bits of

K

, since attack = exhaustive search,

is computable from the plaintext / ciphertext.

Therefore:

attacks target the first or the last round (in general),

MixColumns

in AES hard to invert

⇒

attack the last round.

S. Guilley,<sylvain.guilley@TELECOM-ParisTech.fr> DPA attacks & counter-measures SECURE

(16)

Use the traces

O

to distinguishing between the

correct

partitioning from

wrong

ones

Distinguishers use a model

M

(

S

) is the

physical syndrome

related to the

manipulation

of the secret

S

. It is called the

leakage model

.

Examples of distinguishers

|

E

(

O

|

M

(

S

) = 0)

−

E

(

O

|

M

(

S

) = 1)

|

: . . . DoM

E

S

((

O

|

M

(

S

)

−

E

O

|

M

(

S

))(

M

(

S

)

−

E

M

(

S

))): . . . Covariance

ρ

s

(

O

|

S

=

s

;

M

(

s

)): . . . CPA

(17)

Models

M

(

S

)

(classification by [

10

])

Partition-based:

If unprotected:

M

(

s

) =

|

s

|

;

Hamming weight; Bus cleared in SW

M

(

s

) =

|

s

⊕

R

|

;

Hamming weight; Bus precharged in SW

M

(

s

) =

|

s

⊕

s

−

1

|

;

Hamming distance; typical of HW

M

(

s

) =

|

s

·

s

−

1

|

+ (1

−

δ

)

|

s

·

s

−

1

|

; Idem, but in near-field EMA

If protected:

M

(

s

) =

s

.

Warning

: 2

n

values!

Difficult to be more inventive if the countermeasure is sound...

but we’ll see

,

Comparison-based:

(profiled attacks)

M

(

S

) =

E

(

O

|

S

);

templates

(18)

Various leakage models for DES (iterative architecture)

L1

L0

R0

R1

Feistel

function:

f

t

= 1

32

model B

model C

t

= 0

32

model A

model D

K1

32

L16

R15

Feistel

function:

f

L15

R16

model D

32

model B

32

model A

K16

32

model C

t

= 16

t

= 15

Attack on the first round of DES

Attack on the last round of DES

(19)

Finding the best leakage models is not obvious

0 0.2 0.4 0.6 0.8 1 0 500 1000 1500 2000 2500 3000 3500 4000 0 100 200 300 400 500 600 0 0.2 0.4 0.6 0.8 1 Success rate

Traces for online attack

Traces for profiling Success rate 0 0.1 0.2 0.3 0.4 0.5 0.6 0 500 1000 1500 2000 2500 3000 3500 4000 0 500 1000 1500 2000 2500 3000 3500 4000 0 0.2 0.4 0.6 0.8 1 Success rate

Traces for profiling Success rate

Success rate for model A.

Success rate for model B.

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 0 500 1000 1500 2000 2500 3000 3500 4000 0 500 1000 1500 2000 2500 3000 3500 4000 0 0.2 0.4 0.6 0.8 1 Success rate

Traces for profiling Success rate 0 0.2 0.4 0.6 0.8 1 0 500 1000 1500 2000 2500 3000 3500 4000 0 500 1000 1500 2000 2500 3000 3500 4000 0 0.2 0.4 0.6 0.8 1 Success rate

Traces for profiling Success rate

Success rate for model C.

Success rate for model D.

(20)

-20 0 20 40 60 80 -8 0 8 16 Voltage [mV]

Time [clock periods] Average power trace

-20 0 20 40 60 80 -8 0 8 16 Voltage [mV]

Time [clock periods]

Covariance result (same scale as the average power trace)

SecMat v1[ASIC]

:

Typical trace: 92 mV

Typical DPA: 3.0 mV

⇒

Side-channel leakage:

3.3 %

See [

4

]

-0.5 0 0.5 1 1.5 2 2.5 3 -8 0 8 16 Voltage [mV]

Time [clock periods] Covariance result (zoomed)

(21)

Combined attacks!

1

Various distinguishers for a same partitioning;

2

One distinguisher can be evaluated on various partitionings;

3

The diversity can also come from the multiplicity of timing

samples usually garnered during an acquisition campaign;

4

It can also arise from multi-modal acquisitions;

5

There can be situations where the most suitable partitioning

can evolve from sample to sample in a side-channel capture.

(22)

Presentation Outline

1

Context

2

Side-Channels

Attack Algorithms

3

Protocol-Level

Netlist Level

4

5

Conclusions

Perspectives

(23)

Targeted strategies

Protocol-level:

Most wanted since provable

Register-Transfer Level:

Masking. Easiest to implement; Boolean or algorithmic.

Encrypted leakage

Glitch-full circuits

Netlist or implementation level:

Hiding (= DPL, Dual-rail with Precharge Logic)

Degenerated counter-measures / “Make difficult” strategies

DPL w/o precharge

Noise generator, Dummy instructions, Varying clock,

etc.

⇒

And as for attacks, countermeasures can be combined.

(24)

Protocol level:

if

≈

1 bit is leaked per 100 encryptions...

AES

−1 k0

hash

AES

k0

k

0

k

0

k

1

k

1

100

×

AES

−1 k1

hash

AES

k1

k

1

k

1

k

2

k

2

100

×

Alice:

Bob:

(25)

Masking

Principle

Every variable

s

, potentially sensible, is represented as a share

{

s

0

,

s

1

,

· · ·

,

s

n

−

1

}

To reconstruct

s

, all the

s

i

are required.

Example:

n

= 2,

s

=

.

s

0

⊕

s

1

.

Leakage resistant since variables are never used plain;

Attractive but works only fine for registers.

Efforts done to protect also the combinational logic.

(26)

Encrypted Leakage

y= DES(x,kc) Masked DFF ki x Encrypted bitstream Masked DES kb kc Side-channel: EMA, power FPGA y= DES(x,kc) Masked DFF x Masked DES Side-channel: EMA, power ASIC (tamper-proof) personalization NVM k i kc

(27)

(a)

(b)

IP FP 1 2 0 0 1 2 3 FP 8 in p u t LS PC1◦FP 0 1 2 ou tp u t 8 64 56 Parity bits 8×1 ... ... ... “Normal” “IP” representation p u re ly co m b in a to ri a l lo g ic IF 3→1 MUX LR CD Key schedule Key schedule Round logic 3→1 MUX 4→1 MUX Round logic Key schedule Round logic Round logic Key schedule Round 2: Round 15: Round 16: ... Round 1: (1) (2)

(28)

(a)

(b)

IP FP 1 2 0 0 1 2 3 FP 8 in p u t LS PC1◦FP 0 1 2 ou tp u t 8 64 56 Parity bits 8×1 “Normal” “IP” representation p u re ly co m b in a to ri a l lo g ic ... ... ... IF 3→1 MUX LR CD Key schedule Key schedule Round logic 3→1 MUX 4→1 MUX Round logic Key schedule Round logic Round logic Key schedule ... Round 1: Round 2: Round 15: Round 16: (1) (2)

(29)

(a)

(b)

0 5 10 15 20 25 30 35 0 200 400 600 800 1000

Average +/- standard deviation [mV]

Time [ns]

Round #1 Round #2 Round #3 Round #4 Round #5 Round #6 Round #7 Round #8 ... 11 ns 0 20 40 60 80 100 120 140 160 180 200 220 0 50 100 150 200

Average +/- standard deviation [mV]

Time [ns] 35 ns

All 16 rounds

<1 ns >2 ns

(a)

Sequential iterative DES encryption signature, with the

average variation margin, for statistics collected on 10k

measurements.

(b)

Average combinatorial DES encryption signature, with

the average variation margin, for statistics collected on

100k measurements.

(30)

Hiding: Placement and Routing of Xilinx WDDL+ Netlists.

P&R tools “naturally” separate true and false paths

Example with AES substitution box SUBBYTES with and

without placement constraints (2

×

2 LuT4 per slice)

(31)

1

Context

2

Side-Channels

Attack Algorithms

3

Protocol-Level

Register Transfer Level

Netlist Level

4

5

Conclusions

Perspectives

(32)

Left mask (M Li) Right mask (M Ri) ki IP m S’ m′ P S(x⊕kc) ⊕m′ E Left masked data (Li) FP Right masked data (Ri) Ciphertext Message IP P S E kc xm Feistel functionf

(33)

Left masked data (Li) Left mask (M Li) FP Right mask (M Ri) Right masked data (Ri) Ciphertext Message ki IP IP m′ S(x⊕kc) P P S’ S E E kc m xm Feistel functionf ⊕m′

(34)

Attacks on masking

(1/2)

0 1 2 3 4 O|L= 0 0 1 2 3 4 0 1 2 3 4 0 1 2 3 4 0 1 2 3 4 0 1 2 3 4 p(L= 0) = 1/16 p(L= 1) = 4/16 p(L= 2) = 6/16 p(L= 3) = 4/16 p(L= 4) = 1/16 H(O|L= 0) = 0 H(O|L= 1) = 0 H(O|L= 3) = 0 H(O|L= 3) = 0 H(O|L= 4) = 0 ⇒H(O|L) = 0 bit H(O|L= 0) = 2.03H(O|L= 1) = 2.03 H(O|L= 2) = 2.03 H(O|L= 3) = 2.03H(O|L= 4) = 2.03 ⇒H(O|L) = 2.03 bit In co rr ect key (i .e. ra n d om L ) 0 1 2 3 4 O|L= 4 0 1 2 3 4 O|L= 2 0 1 2 3 4 O|L= 1 0 1 2 3 4 O|L= 3 C or rect key (i .e. p h y si ca l L ) O|L= 0 O|L= 1 O|L= 2 O|L= 3 O|L= 4

(35)

Attacks on masking

(2/2)

0 2 4 6 8 O|L= 0 0 2 4 6 8 O|L= 1 0 2 4 6 8 O|L= 4 0 2 4 6 8 O|L= 2 0 2 4 6 8 O|L= 3 C or rect key (i .e. p h y si ca l L ) 0 2 4 6 8 O|L= 0 0 2 4 6 8 O|L= 1 0 2 4 6 8 O|L= 2 0 2 4 6 8 O|L= 3 0 2 4 6 8 O|L= 4 p(L= 0) = 1/16 p(L= 1) = 4/16 p(L= 2) = 6/16 p(L= 3) = 4/16 p(L= 4) = 1/16 H(O|L= 0) = 2.03 H(O|L= 1) = 1.81 H(O|L= 3) = 1.5 H(O|L= 3) = 1 H(O|L= 4) = 0 ⇒H(O|L) = 1.39 bit H(O|L= 0) = 2.54H(O|L= 1) = 2.54 H(O|L= 2) = 2.54 H(O|L= 3) = 2.54H(O|L= 4) = 2.54 ⇒H(O|L) = 2.54 bit In co rr ect key (i .e. ra n d om L )

(36)

Models

M

(

S

)

(classification by [

10

])

Partition-based:

If unprotected:

M

(

s

) =

|

s

|

;

Hamming weight; Bus cleared in SW

M

(

s

) =

|

s

⊕

R

|

;

Hamming weight; Bus precharged in SW

M

(

s

) =

|

s

⊕

s

−

1

|

;

Hamming distance; typical of HW

M

(

s

) =

P

i

s

·

s

−

1

+ (1

−

δ

)

s

·

s

−

1

; Idem, but in near-field EMA

If protected:

M

(

s

) =

s

. WARNING: 2

n

values!

Difficult to be more inventive if the countermeasure is sound...

M

(

S

) =

S

1

+

S

2

;

Zero-offset

M

(

S

) = (

S

1

,

S

2

)

;

Multi-variate MIA (MMIA [

2

])

Comparison-based:

(profiled attacks)

(37)

Attacks on DPL

0 200 400 600 800 1000 1200 −0.01 0 0.01 0.02 0.03 0.04 0.05 0.06

SAMPLES

MUTUAL INFORMATION

AES−WDDL−no−EE AES−WDDL−EE

Ev

al

u

at

io

n

Pr

ec

h

ar

ge

R

ou

n

d

9

R

ou

n

d

9

Ev

al

u

at

io

n

R

ou

n

d

10

Pr

ec

h

ar

ge

R

ou

n

d

10

sensitive not sensitive

(38)

Presentation Outline

1

Context

2

Side-Channels

Attack Algorithms

3

Protocol-Level

Netlist Level

4

5

Conclusions

Perspectives

(39)

Formal practice-oriented framework [

11

]

Attacks metric

Leakage metric

Reduction function

(40)

Counter-Measures are still

ad hoc

1

Multiplicative masking of AES (M.-L. Akkar and Ch. Giraud,

CHES 2001)

Zero Attack (Jovan Dj. Golic, Christophe Tymen, CHES 2002)

2

Provable secure S-Box implementation based on FFT (E.

Prouff et al, CHES 2006)

Bias of the mask attack (S. Coron, CHES 2008)

3

MDPL (Th. Popp and S. Mangard, CHES 2005)

Folding attack (P. Schaumont and K. Tiri, CHES 2007),

Subset attack (E. de Mulder et al, WIFS 2009)

4

DRSL (Z. Chen and Y. Zhou, CHES 2006)

Glitch on precharge (M. Nassar, DATE 2009)

(41)

Call for Further Researches

⇒

Open Issues

Need for formal proofs of security

Can be at protocol level (

work in progress

).

Could also be at implementation level (

new research area

).

Devise countermeasures globally ...

... taking into account all possible weaknesses:

Observation.

Perturbation.

Manipulation.

(42)

[1] Karine Gandolfi, Christophe Mourtel, and Francis Olivier.

Electromagnetic Analysis: Concrete Results.

InCHES, volume 2162 ofLNCS, pages 251–261. Springer, May 14-16 2001. Paris, France.

[2] Benedikt Gierlichs, Lejla Batina, Bart Preneel, and Ingrid Verbauwhede.

Revisiting Higher-Order DPA Attacks: Multivariate Mutual Information Analysis.

InCT-RSA, volume 5985 ofLNCS, pages 221–234. Springer, March 1-5 2010. San Francisco, CA, USA.

[3] Sylvain Guilley, Laurent Sauvage, Jean-Luc Danger, Tarik Graba, and Yves Mathieu.

Evaluation of Power-Constant Dual-Rail Logic as a Protection of Cryptographic Applications in FPGAs.

InSSIRI, pages 16–23, Yokohama, Japan, jul 2008. IEEE Computer Society. DOI: 10.1109/SSIRI.2008.31,http://hal.archives-ouvertes.fr/hal-00259153/en/.

[4] Sylvain Guilley, Laurent Sauvage, Jean-Luc Danger, Nidhal Selmane, and Renaud Pacalet.

Silicon-level solutions to counteract passive and active attacks.

InFDTC, 5th Workshop on Fault Detection and Tolerance in Cryptography, IEEE-CS, pages 3–17, Washington DC, USA, aug 2008.

(Up-to-date version onhttp://hal.archives-ouvertes.fr/HAL:

http://hal.archives-ouvertes.fr/hal-00311431/en/).

[5] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun.

Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems.

InProceedings of CRYPTO’96, volume 1109 ofLNCS, pages 104–113. Springer-Verlag, 1996. (http://www.cryptography.com/timingattack/paper.htmlPDF).

[6] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun.

Differential Power Analysis.

InProceedings of CRYPTO’99, volume 1666 ofLNCS, pages 388–397. Springer-Verlag, 1999. (PDF).

(43)

[7] Elke De Mulder, Pieter Buysschaert, Sıddıka Berna ¨Ors, Peter Delmotte, Bart Preneel, Guy Vandenbosch, and Ingrid Verbauwhede.

Electromagnetic Analysis Attack on an FPGA Implementation of an Elliptic Curve Cryptosystem.

InIEEE International Conference on Computer as a tool (http: // www. eurocon2005. org. yu/EUROCON), pages 1879–1882, November 2005.

Belgrade, Serbia & Montenegro.

[8] Laurent Sauvage, Sylvain Guilley, Jean-Luc Danger, Yves Mathieu, and Maxime Nassar.

Successful Attack on an FPGA-based Automatically Placed and Routed WDDL+ Crypto Processor.

InDATE, track A4 (Secure embedded implementations), April 20–24 2009.

Nice, France. Electronic version:http://hal.archives-ouvertes.fr/hal-00325417/en/.

[9] Laurent Sauvage, Sylvain Guilley, and Yves Mathieu.

ElectroMagnetic Radiations of FPGAs: High Spatial Resolution Cartography and Attack of a Cryptographic Module.

ACM Trans. Reconfigurable Technol. Syst., 2(1):1–24, March 2009.

Full text in

http://hal.archives-ouvertes.fr/hal-00319164/en/

.

[10] Fran¸cois-Xavier Standaert, Benedikt Gierlichs, and Ingrid Verbauwhede.

Partition vs. Comparison Side-Channel Distinguishers: An Empirical Evaluation of Statistical Tests for Univariate Side-Channel Attacks against Two Unprotected CMOS Devices.

InICISC, volume 5461 ofLNCS, pages 253–267. Springer, December 3-5 2008. Seoul, Korea.

[11] Fran¸cois-Xavier Standaert, Tal Malkin, and Moti Yung.

A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks.

InEUROCRYPT, volume 5479 ofLecture Notes in Computer Science, pages 443–461. Springer, April 26-30 2009.

Cologne, Germany.

Institut TELECOM

TELECOM-ParisTech

CNRS

LTCI (UMR 5141)

SECURE

(http://www.dpacontest.org/

http://hal.archives-ouvertes.fr/hal-00259153/en/.

http://hal.archives-ouvertes.fr/H

http://hal.archives-ouvertes.fr/hal-00311431/en/)

(http://www.cryptography.com/timingattack/paper.html

(PDF

(