DPA Presentation

Post on 03-Dec-2015


Differential Power Analysis attacks on AES

Kevin Meritt

Agenda

• Side Channel Attacks

o Background

• Power Analysis Attacks

o Background

o Overview

o SPA – Simple Power Analysis

o AES

o DPA – Differential Power Analysis

o CPA – Correlation Power Analysis

Side Channel Attacks

• Exploits information obtained from the physical implementation of a cryptosystem

o power consumption, electromagnetic radiation, timing variations

• If side channel data is related to operations involving secret information, that information is vulnerable to attack

• May be used to break cryptosystems with no known weaknesses against attacks at the algorithmic or theoretical level, such as linear and differential cryptanalysis

• Some attacks may require deeper understanding of the cryptosystem's underlying architecture, while others may treat it as a black box

• Analysis of instantaneous power consumption will be the focus of this presentation

Side Channel Information

Indirect outputs from block cipher implementation [1]

Power Analysis Attacks

• Power Analysis Attacks are a type of Side Channel Attack in which an attacker measures the power consumption of a cryptographic device during normal execution

• An attempt is then made to uncover a relationship between the instantaneous power consumption and secret key information

• Statistical methods for power analysis attacks published by Paul Kocher in 1999

• Original research focused on vulnerability of DES-based smart cards, leading to the development of DPA-resistant devices

o Not simply a theoretical attack

o Successful attacks mounted on existing devices to reveal secret key information, creating a serious risk to security

o Enables the creation of duplicate cards, fraudulent payments, identity theft, etc.

Power Analysis Attack Basic Steps

• Identify

o Determine a relationship between secret key information and instantaneous power consumption

o Determine the required inputs to the system, the output values to be measured, and when to capture them

• Extract

o Develop method of extracting the state of the relationship information

o Collection of measurements called traces can be made in a non-invasive manner while a system performs a cryptographic operation

• Evaluate

o Use extracted information to determine all or part of the secret key information

Simple Power Analysis

• Attacker directly observes power trace waveform to identify large, noticeable features and mark regions of interest

o Block cipher rounds, individual operations, instructions, etc.

o Timing differences

o Conditional branches

o Example: RSA implementations may be broken by identifying differences between squaring and multiplication operations

• SPA is relatively easy to deter

o Avoid conditional execution that depends on secret information

o High frequency, low power operation

o Parallelization may obscure individual operations

SPA Attack on RSA implementation

RSA Conditional Branch

Power Trace for Advanced Encryption Standard

10 rounds of AES-128

Differential Power Analysis (DPA)

• Uses statistical methods to find small variations that may be overshadowed by noise or measurement errors

• Exploits information obtained from the physical implementation of a cryptosystem

Differential Power Analysis Attack

• Selection function D(C, b, Ks) computes value of target bit b, given ciphertext C and key guess Ks

• Collect m power traces of k samples each, T1:m[1:k] and corresponding ciphertext values C1:m

• Sort data into two groups:

o D(C, b, Ks) = 0

o D(C, b, Ks) = 1

• If the key guess Ks is correct, the average power trace for D(C, b, Ks) = 1 will be slightly higher at the point of correlation and the average trace for D(C, b, Ks) = 0 will be slightly lower

• If the key guess Ks is incorrect, D(C, b, Ks) will equal the correct bit value with probability P = ½, yielding average traces that are approximately equal

“Difference of means” DPA Attack

• The differential trace ΔD[j] is computed as the difference between the two average traces

o For an incorrect key guess Ks the ΔD should approach zero

o For a correct key guess Ks the ΔD should approach the target bit's power contribution at the correlated sample(s)

Advanced Encryption Standard

AES Round Transformations[5]

Differential Power Analysis on AES

• Select intermediate bit to analyze

o Target the S-box in final round

• Since SubBytes operates on each byte independently

o XORed with final round key value

• Collect power traces and corresponding ciphertext values

• Compute intermediate value

o Ciphertext value is known

o Make a guess for key byte

• Partition power traces into 2 sets

o One set where computed bit is “1” and another where bit is “0”

• Compute average of each set

• Compute the difference between the averages

o If the average depends on the selected bit, and the bit “leaks”, then a correlation will be seen

• Repeat for other 255 key byte guesses using same power measurements

DPA Evaluation Process

DPA with correct Key guess

DPA Evaluation Process (cont’d)

DPA with incorrect Key guess

Correlation Power Analysis on AES

• Extension of DPA where a model of the power consumption is created for use in the analysis phase of an attack

• Model needs to approximate the power consumption of the target cryptographic device during an encryption operation.

• The resulting power predicted by the model will then be correlated to the actual measured power consumption using a key hypothesis.

• The highest peak of the correlation plot gives the correct key hypothesis

Power Models

• Hamming weight model – assumes amount of power consumed is proportional to the number of bits that are logic '1' during an operation

o The greater the number of bits that are set, the larger the amount of power consumed

• Hamming distance – assumes the number of logic transitions during a cryptographic operation is proportional to power consumption

o If a bit is static during an operation, then it is assumed that it will not contribute to the power.

o Assume that '0' to '1' and '1' to '0' transitions consume the same amount of power.

CPA using Pearson’s Correlation Coefficient

• ρ reflects the degree of linear relationship between two variables X and Y

• covariance – measure of how much 2 random variables change together

• coefficient value ranges from +1 to -1

o +1 indicates that there is a perfect positive linear relationship

o -1 indicates there is a perfect negative linear relationship

o 0 indicates there is no linear relationship

Pearson’s Sample Correlation Coefficient

• For a series of n measurements of X and Y, Pearson correlation can be estimated by the sample correlation coefficient rxy

• x-bar and y-bar – sample means of x and y

• sx and sy – sample standard deviations of x and y

• xi – measured power samples

• yi – calculated power values from Hamming distance model

• If a correlation occurs then there will be a spike in the graph for the correct key byte value

Correlation Power Analysis on AES

• Identify sensitive data register for attack

o Target the register in data path prior to SubBytes transformation

• Use Hamming distance power model

o Data transition of 8-bit register

• Collect power traces and corresponding ciphertext values

• Make a guess for key byte

• Compute Hamming distance of data transition for each ciphertext value

• Partition power traces into groups associated with calculated Hamming values

• Use Pearson's sample correlation coefficient equation to determine the correlation between the power and the sensitive data

o If a correlation occurs then there will be a spike in the graph for the correct key byte value

• Repeat for other 255 key byte guesses using same power measurements

CPA Attack

Typical AES Hardware implementation

AES CPA Correlation

Showing correct key byte guess of 160
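Added example (not part of the original slides): a simulation of the two evaluation procedures described above, difference-of-means DPA and Pearson-based CPA, run on constructed traces. Assumptions: each trace is reduced to a single sample that leaks the Hamming weight of one final-round S-box input byte plus Gaussian noise (the Hamming weight model from the Power Models slide, not the Hamming distance register model), and all function names are illustrative.

```python
import random

def aes_inv_sbox():
    """Derive the AES inverse S-box from the S-box definition in FIPS 197."""
    def mul(a, b):                      # multiply in GF(2^8) mod x^8+x^4+x^3+x+1
        r = 0
        while b:
            if b & 1:
                r ^= a
            a = (a << 1) ^ (0x11B if a & 0x80 else 0)
            b >>= 1
        return r
    inv = [0] * 256
    for x in range(256):
        y = next((v for v in range(1, 256) if mul(x, v) == 1), 0)
        s = y ^ 0x63
        for i in range(1, 5):           # affine map: XOR of four left rotations
            s ^= ((y << i) | (y >> (8 - i))) & 0xFF
        inv[s] = x                      # S[x] = s, so InvS[s] = x
    return inv

INV = aes_inv_sbox()
hw = lambda v: bin(v).count("1")        # Hamming weight of a byte

def simulate(key, m, noise=0.5, seed=1):
    """Constructed data: one sample per trace = HW(S-box input) + noise."""
    rng = random.Random(seed)
    cts = [rng.randrange(256) for _ in range(m)]
    return cts, [hw(INV[c ^ key]) + rng.gauss(0, noise) for c in cts]

def dpa_delta(cts, power, guess, bit=0):
    """Difference of means for selection function D = bit of INV[C ^ guess]."""
    groups = ([], [])
    for c, p in zip(cts, power):
        groups[(INV[c ^ guess] >> bit) & 1].append(p)
    if not groups[0] or not groups[1]:  # too few traces to form both sets
        return 0.0
    return sum(groups[1]) / len(groups[1]) - sum(groups[0]) / len(groups[0])

def cpa_r(cts, power, guess):
    """Pearson sample correlation between measured power and the HW model."""
    y = [hw(INV[c ^ guess]) for c in cts]
    mx, my = sum(power) / len(power), sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(power, y))
    sxx = sum((a - mx) ** 2 for a in power)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / (sxx * syy) ** 0.5

def best_guess(score, cts, power):
    """Score all 256 key-byte hypotheses on the same traces; keep the peak."""
    return max(range(256), key=lambda g: score(cts, power, g))
```

With a few thousand constructed traces, `dpa_delta` for the correct key byte sits near 1 (the target bit's contribution) while wrong guesses stay close to zero, and `cpa_r` shows the same separation as a correlation peak.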

References

[1] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” Proceedings of CRYPTO '99, Lecture Notes in Computer Science, vol. 1666, Springer, pp. 388–397, 1999.

[2] F.-X. Standaert, “Introduction to Side-Channel Attacks,” in Secure Integrated Circuits and Systems, pp. 27–44, Springer, 2009.

[3] W. Hnath, J. Pettengill, “Differential Power Analysis Side-Channel Attacks in Cryptography,” Major Qualifying Project, Worcester Polytechnic Institute, April 2010.

[4] S. Shah, R. Velegalati, J. Kaps, D. Hwang, “Investigation of DPA Resistance of Block RAMs in Cryptographic Implementations on FPGAs,” International Conference on Reconfigurable Computing and FPGAs (ReConFig) 2010, pp. 274–279, Dec. 2010.

[5] National Institute of Standards and Technology (NIST) of U.S. Department of Commerce, “FIPS 197: Advanced Encryption Standard,” Nov. 2001.