Power analysis attacks

Top PDF Power analysis attacks:

E.Kesavulu Reddy Cryptosystem to Resistance against Simple Power Analysis Attacks in Mobile Devices

Power analysis attacks use the fact that the instantaneous power consumption of a hardware device is related to the instantaneous computed instructions and the manipulated data. The attacker could measure the power consumption during the execution of a cryptographic algorithm, store the waveform using a digital oscilloscope and process the information to learn the secret key. Kocher et al., in [4], first introduced this type of attack on smart cards performing the DES operation. Then Messerges et al. [10] augmented Kocher’s work by providing further analysis and detailed examples of actual attacks they mounted on smart cards. In general, SPA attacks are those based on retrieving valuable information about the secret key from a single leaked information power consumption or electromagnetic emanation trace. On the other hand, DPA attacks generally include all attacks that require more than one such trace along with some statistical analysis tools to extract the implicit information from those traces.

First Experimental Result of Power Analysis Attacks on a FPGA Implementation of LEA

LEA is a 128-bit lightweight block cipher introduced in WISA 2013. However, the authors investigated security evaluation of LEA on a theoretical basis only. LEA can be implemented in various platforms having throughput and a small size. We first investigated its security strength against power analysis attacks on a hardware implementation. Our results showed that LEA implementation remains vulnerable to power analysis attacks. According to our research, this is the first experimental result of an LEA hardware implementation. Based on our results, implementing LEA with countermeasures is essential. For a future study, we plan to investigate other types of platforms and compare performance between countermeasure and non-countermeasure implementations.

Towards Secure Cryptographic Software Implementation Against Side-Channel Power Analysis Attacks

Compared to masking, shuffling does not require modifications of the algorithm. It is an algorithm-agnostic implementation and can possibly be automated for any cryptographic algorithms. What’s more, it can be easily implemented after other countermeasures as an add-on protection for cryptographic systems. However, manual implementation of shuffling still requires knowledge of the specific algorithm and may not fully exploit the independence between operations in complex algorithms. Recent works [9], [10], [11], [12], [13] indicate a nascent trend towards automating the application of countermeasures to increase the security of the systems against power analysis attacks. They have focused on masking AES, including automatic instruction sensitivity quantification and local random precharging [9], a general code morphing engine design with alternative code segments that mitigate power leakage [10], compiler assisted masking implementation [11], and automatic security evaluation and verification [12], [13]. However, to the best of our knowledge, there is no automation work for operation shuffling/permutation yet.

An Inside Job: Remote Power Analysis Attacks on FPGAs

Cryptographic devices often deal with secret information as well as privacy of the users. So-called Side-Channel Analysis (SCA) attacks target the implementation of cryptographic schemes and are independent of their mathematical security. For example, [3] exploits the response time of an RSA implementation to retrieve the used secret key. Introduction of Differential Power Analysis (DPA) attacks [16] resulted in extensive research in refining attacks and developing countermeasures. Although timing attacks might even work over the Internet, power analysis attacks are thought to require physical access to the device, i.e., to connect an oscilloscope to measure the power consumption or the electromagnetic emanation in the near proximity. Yet, in the following, we prove this assumption to be wrong. This falls well within the line what has been seen for fault attacks. Before Rowhammer [14], fault attacks were thought to require some sort of physical access to induce a fault into the target. Instead, the attack can lead to pure-software based privilege escalation from an underprivileged user. Furthermore, it can be introduced remotely as well, even at a very high abstraction level [11].

Power Analysis Attacks against IEEE 802.15.4 Nodes

In practical scenarios the ability to capture a node, perform the attack, and return the node all within a short window reduces the risk of detection. The approach of [7] requires an attacker to passively wait for a transmission to record power traces. While passively waiting is a reasonable approach for the 2060 traces required by [7] to break a software AES implementation, this could entail an unreasonably long wait period for the thousands of traces typically required to break hardware AES peripherals [8]. Our work allows an attacker to rapidly force the operation to occur, and collecting 20 000 traces can be accomplished in 1560 minutes (depends on network stack and how much other traffic node must process).

Methodologies for power analysis attacks on hardware implementations of AES

Since any capacitance is impeding high frequency components of the signal, it makes sense to consider what frequency range of signals are valuable for power analysis. It is not easy to determine an exact range of frequencies of interest. The architecture of the Cyclone III FPGA masks this information. The maximum frequency of the instantaneous power consumption is related to the fastest rise time of the hardware interconnects of the FPGA. This information isn’t publicly available from Altera for competitive reasons. Further complicating matters is the fact that exact implementation is determined by the Quartus II Fitter. Therefore, the final implementation is a combination of Logic Elements placed in certain locations with different length interconnects between them.

Mitigating Differential Power Analysis Attacks on AES using NeuroMemristive Hardware

The simplest form of power attacks is Simple Power analysis (SPA). SPA directly analyzes the power consumption of a single execution of a cryptographic operation. The details of encryption algorithms such as DES and AES are fully exposed to the public so an attacker always knows the steps in the algorithm. Oftentimes these implementations are open-sourced as in the case of the popular program OpenSSL [46]. For example, precise current traces of an algorithm can be extracted and show if a branch in code was taken or not taken. This means algorithms where the execution path is data dependent can be easily broken with SPA. However, in most cases the small variation in power consumption is not enough to discover the exact instruction path in hardware implementations. Countermeasures against SPA are also quite simple, the implementation should avoid using branches that depend on keys. This approach can incur significant penalties [29].

Power analysis attacks on the SHA-3 candidate Grøstl

Compared to physical power extraction, circuit simulation significantly reduces the complexity of mounting a power analysis attack, and provides quicker feedback during the implementation and study of a cryptographic device. This ultimately reduces the cost of iterative testing and experimentation. The attacks evaluated as part of this research were performed on simulated trace data, building off of a design and simulation flow established in a previous research project that focused on attacking an ASIC implementation of the AES block cipher [10]. The existing methodology was altered to significantly reduce the time required to compile, simulate, and extract the power traces without sacrificing the quality of the results.

Remote Inter-Chip Power Analysis Side-Channel Attacks at Board-Level

Abstract—The current practice in board-level integration is to incorporate chips and components from numerous vendors. A fully trusted supply chain for all used components and chipsets is an important, yet extremely difficult to achieve, prerequisite to validate a complete board-level system for safe and secure operation. An increasing risk is that most chips nowadays run software or firmware, typically updated throughout the system lifetime, making it practically impossible to validate the full system at every given point in the manufacturing, integration and operational life cycle. This risk is elevated in devices that run 3rd party firmware. In this paper we show that an FPGA used as a common accelerator in various boards can be reprogrammed by software to introduce a sensor, suitable as a remote power analysis side-channel attack vector at the board-level. We show successful power analysis attacks from one FPGA on the board to another chip implementing RSA and AES cryptographic modules. Since the sensor is only mapped through firmware, this threat is very hard to detect, because data can be exfiltrated without requiring inter-chip communication between victim and attacker. Our results also prove the potential vulnerability in which any untrusted chip on the board can launch such attacks on the remaining system.

Static Power Side-Channel Analysis - An Investigation of Measurement Factors

In this paper we try to close the gap between theoretical considerations regarding the influence of measurement factors on the feasibility of static power analysis attacks and their practical verification on actual hardware. We answer the question whether an adversary can physically force a device to leak more information by controlling specific operating parameters and provide informative numbers in this regard based on more than two months of non-stop measurements. In particular we have acquired 19 distinct sets with a cardinality of at least 5 million measurements per set in a controlled environment, each for a different temperature-voltage-combination (-20 to 90 °C, 1.62 to 1.98 V), which took roughly 2.7 days for each set. Afterwards, for the most effective temperature-voltage-combination (90 °C and 1.98 V), we recorded another 8 sets of traces for different lengths of the measurement interval. Our results show very clearly that, in this case study, increasing the temperature exponentially increases the signal, that increasing the supply voltage only marginally increases the signal and finally that increasing the measurement interval exponentially decreases the noise. Additionally, it becomes obvious that all three measurement factors can effectively be combined to lower the number of measurements that are required for a successful key recovery to a minimum. Control over these parameters – in theory – allows to eliminate any source of noise except for the algorithmic noise, which highly depends on the particular implementation as well as the concrete attack scenario and will always be present in power measurements [40]. Setup-wise we have built upon [27], but (1) improved the construction of the DC amplifier to obtain stable results at extreme temperatures, (2) built a custom low-pass filter, and (3) employed a simple post-processing technique. All these modifications have been verified to be useful in diminishing

Side-channel Power Analysis of Different Protection Schemes Against Fault Attacks on AES

Abstract. A protection circuit can be added into cryptographic systems to detect both soft errors and injected faults required by Differential Fault Analysis (DFA) attacks. While such protection can improve the reliability of the target devices significantly and counteract DFA, they will also incur extra power consumption and other resource overhead. In this paper, we analyze the side-channel power leakage of AES protection methods against fault attacks and quantify the amount. We implement six different schemes and launch correlation power analysis attacks on them. The results show that the protection circuits have all increased the power leakage and therefore make the system more vulnerable to power analysis attacks. We further compare different protection schemes in terms of power consumption, area, fault coverage, and side-channel leakage. Our results demonstrate trade-offs among multiple design metrics, and suggest that reliability, security, and costs have to be all considered together in the design phase of cryptographic systems.

Side-Channel Security Analysis of Ultra-Low-Power FRAM-based MCUs

Abstract. By shrinking the technology and reducing the energy requirements of integrated circuits, producing ultra-low-power devices has practically become possible. Texas Instruments as a pioneer in developing FRAM-based products announced a couple of different microcontroller (MCU) families based on the low-power and fast Ferroelectric RAM technology. Such MCUs come with embedded cryptographic module(s) as well as the assertion that – due to the underlying ultra-low-power technology – mounting successful side-channel analysis (SCA) attacks has become very difficult. In this work we practically evaluate this claimed hardness by means of state-of-the-art power analysis attacks. The leakage sources and corresponding attacks are presented in order to give an overview on the potential risks of making use of such platforms in security-related applications. In short, we partially confirm the given assertion. Some modules, e.g., the embedded cryptographic accelerator, can still be attacked but with slightly immoderate effort. On the contrary, the other leakage sources are easily exploitable leading to straightforward attacks being able to recover the secrets.

New Single-Trace Side-Channel Attacks on a Specific Class of Elgamal Cryptosystem

includes power consumption, electromagnetic radiation, system run times, acoustic and etc. which are correlated with the secret values during data processing. Power-analysis attacks are a powerful type of side-channel attack originally described by Kocher. This class of attacks has been applied successfully against the implementations of popular public-key cryptosystems RSA and Elgamal (13) which make use of exponentiation algorithms. The primary side-channel attacks against modular exponentiation algorithms rely on certain physical phenomena, which allows one to distinguish between multiplication and squaring operations (12). Messerges et al. proposed three types of power-analysis attacks against RSA with multiple random plaintexts (14). To mitigate these attacks, the implementations of modular exponentiation utilize a same sequence of instructions for multiplication and squaring operations, which makes it challenging to differentiate between these two operations for random input messages in practice (11). In response, various methods have been proposed that use the leak of sensitive information during the decryption process of chosen messages (18; 20; 16). In particular, several chosen-message attacks have been applied on public key encryption in (1; 2; 6; 8; 7; 9; 10; 11; 15; 19).

SURVEY OF SIDE CHANNEL ATTACKS ON ECC

zeros) thus |Y | = 3, or Y = “01” (i.e. the realization of the random variable Y consists of a zero and a one digit) thus |Y | = 2. Then the attacker’s goal is to calculate and exploit the conditional probability For many different realizations x of X and y and Y. Equation 1 is the mathematical definition for the conditional probability. Enhancing Simple Power-Analysis Attacks on Elliptic Curve Cryptosystems, It is an important observation that the calculation of the right hand side of (1) requires the knowledge of the probability to be in a specific state of the point multiplication algorithm (the terminology used here will be explained in the next section). This is because in order to calculate the probabilities P(X = x), one has to calculate the sum of the probabilities of all possible sequences of digits that lead to the pattern x. Since such a sequence can basically start from any state of the algorithm, the probabilities are dependent on the probability of the starting-state.

Security and Privacy Challenges in Cyber Physical Systems

Countermeasures. One good solution to avoid these attacks is to propose efficient and low power cryptographic implementations for the encryption algorithms [26]. To disturb DPA and RPA/ZPA, Binary Expansion algorithm that has random initial point is used [27]. The work in [28] suggested to use message masking prior exponentiation with a random value (r) to prevent MESD and ZESD and use exponent masking to prevent SEMD. The exponentiation can be masked by the addition of random multiple of Φ(N)= (p – 1)(q – 1). i.e., ê = e+ Φ(N). The computation of modular exponentiation proceeds from the random starting point towards the MSB using the right-to-left binary exponentiation algorithm, returns to the starting point and then moves towards the LSB using the left-to-right binary exponentiation algorithm [29]. The authors in [30] presented a randomized window-scanning RSA scheme resistant to power analysis attacks, specifically to the CPA that uses different inputs to the same algorithm and analyze the power consumption traces. Even if the attacker was able to recover the bits, it will be difficult to put those key bits in the correct order.

Analysis of power exchanges in Romania

The coupling model market power exchanges (PXS - power exchanges) allocates the available transmission capacity default in spot power exchange transactions. EU policy is the solution to achieve the single market in energy. Overall, average prices in the competitive market area reduced by coupling demonstrated CWE regions - France, Germany, the Netherlands and Belgium (price coupling) and Scandinavia (coupling volume). In Central Europe - Eastern (CEE), Hungary managed coupling Czech and Slovak markets and in parallel, coupling conducts Poland and Romania.

Analysis of Attacks and Challenges in VANET

Liability Identification: Users of vehicles are liable for their deliberate or accidental actions that disrupt the operation of other nodes, or the transportation system. Several attacks are known which will be classified depending on the layer the attacker uses. At the physical layer and link layers the attacker will disturb the system either by jamming or overloading the channel with messages. Flooding false messages or rebroadcasting a recent message is also an attainable attack.

SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography

As a consequence, most countermeasures against fault attacks do not focus on such attacks, but on attacks exploiting changes of intermediate values and usually try to detect such a change (detection-based), or to destroy the exploitable information if a fault happens (infective countermeasures). Such countermeasures implicitly assume that the release of “fault-free” ciphertexts in the presence of a fault-inducing attacker does not reveal any exploitable information. In this work, we show that this assumption is not valid and we present novel fault attacks that work in the presence of detection-based and infective countermeasures. The attacks exploit the fact that intermediate values leading to “fault-free” ciphertexts show a non-uniform distribution, while they should be distributed uniformly. The presented attacks are entirely practical and are demonstrated to work for software implementations of AES and for a hardware co-processor. These practical attacks rely on fault induction by means of clock glitches and hence, are achieved using only low-cost equipment. This is feasible because our attack is very robust under noisy fault induction attempts and does not require the attacker to model or profile the exact fault effect. We target two types of countermeasures as examples: simple time redundancy with comparison and several infective countermeasures. However, our attacks can be applied to a wider range of countermeasures and are not restricted to these two countermeasures. Keywords: fault attack · infective countermeasure · fault detection · countermeasure · statistical ineffective fault attack · SIFA

Improved Study of Side-Channel Attacks Using Recurrent Neural Networks

Side-channel attacks are alarming for this world because every walk of our lives depends on the usage of technology and sharing information to it. Nowadays, our information is preserved in the cloud, and we have no idea about the security of this information. We all want our information to be private and safe. Manufacturers of electronic devices come forward to make their products secure from side-channel attacks. Security experts and cryptologists are trying to come up with a solution to prevent these types of attacks on cryptographic implementations or devices to protect an individual's private information from leaking or being abused. This field of research is not only of academic interest but also manufacturers of cryptographic devices demand it, because there have been many examples of attacks on real-world cryptographic devices such as the bit-stream encryption in Xilinx FPGAs [1], the KeeLoq remote entry system [2], the YubiKey multi-factor authentication token [3], Mifare DESFire contactless payment cards [4], etc. These attacks made the manufacturers of these cryptographic devices and security experts aware of them.

Prevention of battery life depletion from Wireless Ad-Hoc Sensor Networks using Signal Strength

In the elongation attacks, an adversary constructs artificially extended routes, potentially traversing every node in the network. This is done to increase packet path lengths, causing packets to be processed by a number of nodes that is independent of hop count along the shortest path between the adversary and packet destination. A malicious insider has a number of ways to induce topology change. For instance, it can falsely claim that a link is down or can even claim a new link to a non-existing node.