Advanced side-channel attacks: DPA & Countermeasures
Lejla Batina
Digital Security Group, Institute for Computing and Information Sciences (ICIS)
Radboud University Nijmegen, The Netherlands
Hardware Security, May 26, 2014, Zagreb, Croatia
Security often fails in practice
Security disasters: keys stolen from smart devices
⇒ Rather obfuscation than actual protection
⇒ User’s security and privacy at stake
⇒ No clear strategy for certification
Secret-key safety is Achilles’ heel of modern cryptography
“Remote keyless entry system for cars and buildings is hacked” - a few minutes to extract keys (Daewoo, Fiat, GM, Honda, Toyota, Volvo, VW, etc.) [EK+08]
Outline
• Recap: power analysis foundations
• Differential Power Analysis (DPA)
  – Principles
  – Power models
  – SCA Distinguishers
• Other side-channels
• Countermeasures
• Recent directions in SCA research
Intro to Static CMOS
• Most popular circuit style!
• Power consumed when an output signal switches is much higher (than when no switch happens)
  – 0->0: static (low)
  – 0->1: static + dynamic (high)
  – 1->0: static + dynamic (high)
  – 1->1: static (low)
=> Dynamic power consumption is the dominant factor in the total power consumption and it is data dependent!
“We don’t understand electricity. We use it.” - Maya Angelou
What does it mean?
• A power analysis attack exploits the fact that the instantaneous power consumption depends on the data and instructions being processed
• The more circuits change their state, the more power is dissipated
• Simple model for power consumption:
$$P(t) = \sum_{g} f(g,t) + N(t)$$
where $f(g,t)$ is the power consumption of gate $g$ at the time $t$
Leakage models
• Transition = Hamming distance model
  – Counts number of 0->1 and 1->0 transitions
  – Assuming same power consumed for both, ignores static power consumption
  – Typically for register outputs in ASICs
  – HD(v0, v1) = HW(v0 xor v1)
  – Requires knowledge of preceding or succeeding vi
• Hamming weight model
  – Typical for pre-charged busses
• Weighted Hamming weight/distance model
• Signed Hamming distance (0->1 neq 1->0)
• Dedicated models for combinational circuits
Fact 2: Power consumption is data dependent
Differential Power Analysis (DPA)
DES algorithm, standardized in 1977
J. L. Massey: Design and Analysis of Block Ciphers
The f function
J. L. Massey: Design and Analysis of Block Ciphers
Classical 1-bit DPA on DES using DoM
• Obtain n measurements: e.g. 1000 plaintexts $x_i$, power traces $p_i(t)$
• S-box (DES impl.): 6 bits of plaintext, 6 bits of key, 4 output bits
• Focus: $\mathrm{LSB}(\mathrm{SBox}(x_i \otimes k))$
• For each key guess $k' \in \{0, \ldots, 63\}$:
  – Calculate: $\mathrm{LSB}(\mathrm{SBox}(x_i \otimes k'))$
  – LSB = 0: collect measurements, compute Mean0
  – LSB = 1: collect measurements, compute Mean1
  – Mean0 – Mean1
• 1000 measurements * time window t * 64 key guesses
• Maximum difference = best key guess! [Kocher et al.]
DPA steps - summary
1. Collect measurements, known plaintext/ciphertext, key guesses
2. Decide on power consumption model
3. Predictions on power dissipation, use partition or comparison => side-channel distinguisher
4. Find the correct key by statistical means
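
The 1-bit DoM procedure on the DES S-box, following the four summary steps and run on constructed traces; this is an added example, not code from the original slides. It assumes the slide's ⊗ denotes the XOR key mixing of DES, uses DES S-box S1, and a simulated leak (one unit of power at a single sample when the targeted bit is 1, Gaussian noise everywhere); all function names are illustrative.

```python
import random

# DES S-box S1: row = outer two input bits, column = middle four bits.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def select_bit(x, k):
    """Selection function LSB(SBox(x XOR k)) for 6-bit x and k."""
    v = x ^ k
    row = ((v >> 4) & 2) | (v & 1)
    col = (v >> 1) & 0xF
    return S1[row][col] & 1


def simulate_traces(key, n=1000, samples=16, leak_at=9, sigma=0.3, seed=2014):
    """Constructed data: Gaussian noise at every sample, plus one unit of
    power at sample `leak_at` whenever the targeted bit is 1."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n):
        x = rng.randrange(64)
        trace = [rng.gauss(0.0, sigma) for _ in range(samples)]
        trace[leak_at] += select_bit(x, key)
        plaintexts.append(x)
        traces.append(trace)
    return plaintexts, traces


def difference_of_means(plaintexts, traces, guess):
    """Partition traces by the predicted bit; return Mean0 - Mean1 per sample."""
    width = len(traces[0])
    sums = [[0.0] * width, [0.0] * width]
    counts = [0, 0]
    for x, trace in zip(plaintexts, traces):
        bit = select_bit(x, guess)
        counts[bit] += 1
        acc = sums[bit]
        for t, p in enumerate(trace):
            acc[t] += p
    if 0 in counts:  # degenerate partition: no evidence for this guess
        return [0.0] * width
    return [sums[0][t] / counts[0] - sums[1][t] / counts[1] for t in range(width)]


def rank_key_guesses(plaintexts, traces):
    """Return (peak |Mean0 - Mean1|, sample index, guess), best guess first."""
    ranking = []
    for guess in range(64):
        diff = difference_of_means(plaintexts, traces, guess)
        t = max(range(len(diff)), key=lambda i: abs(diff[i]))
        ranking.append((abs(diff[t]), t, guess))
    return sorted(ranking, reverse=True)


if __name__ == "__main__":
    xs, ps = simulate_traces(key=0b101101)
    for peak, t, guess in rank_key_guesses(xs, ps)[:3]:
        print(f"guess {guess:2d}: peak {peak:.3f} at sample {t}")
```

The sample index of the peak also shows where in the time window the targeted bit is handled, which is the point an evaluator checks again after a countermeasure is added.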
DPA Result Example
average power consumption
• Δ with correct key guess
• Δ with incorrect key guess
• Δ with another incorrect key guess
[source Kocher, Jaffe and Jun, Differential Power Analysis]
Correlation-based DPA = CPA
[Diagram: the input drives both the real device (real key, real side-channel, real output) and a model of the side-channel (key hypothesis, hypothetical output); statistical analysis then answers: hypothesis correct?]
[Brier et al.]
Side-channel distinguishers: Pearson correlation coefficient
$$r = \frac{\sum_{i=1}^{n}(X_i - \bar{X})(Y_i - \bar{Y})}{\sqrt{\sum_{i=1}^{n}(X_i - \bar{X})^2}\,\sqrt{\sum_{i=1}^{n}(Y_i - \bar{Y})^2}}, \qquad -1 \le r \le 1$$
Others: distance of means (DoM) test, t-test, variance, mutual information, …
CPA Example: AES, software
• Take highest correlation value achieved by each key hypothesis (0...255)
• The correct key leads to the highest value
[Figure: power trace; correct key; 2nd best key; 64 keys]
Practical attacks: platforms
• In the beginning mainly in-house made set-ups
• Attacks on actual products:
  – 2008: products employing KeeLoq: Remote Keyless Entry (RKE) systems (chip embedded in RFID transponders) [EK+08]
  – 2009-2011: real-world contactless payment applications based on MIFARE Classic cards, MIFARE DESFire cards (public transport etc.) [KK+09, KS+10]
  – 2012: Atmel CryptoMemory devices (used for printers, gaming, laundromats, parkings etc.) [BG+09]
  – 2013: system 3060 manufactured and marketed by SimonsVoss (wireless door openers)
Practical attacks: algorithms & distinguishers
• All algorithms: secret-key, public-key, stream ciphers, MACs, proprietary algorithms, …
• Side-channel distinguishers:
  – Used as the selection function but also to assist other attacks e.g. to find “interesting points” in time
  – DoM with single-bit or multi-bit, Pearson correlation coefficient, Student’s t-test, Principal Component Analysis (PCA), variance-based, Mutual Information Analysis (MIA), etc.
• Advanced attacks:
  – Template attacks, known since 2002
  – Stochastic models
  – PCA-based techniques
Template attacks [CRR02]
• Consist of 2 phases:
  – Characterization or Building templates
  – Template matching or Key recovery
• Assumption that the same device (as the one under attack) is available
• Find templates for certain sequences of instructions
• Obtaining a template for every pair of data and key
• Maximum-likelihood rule finds the right key
Power consumption of smartcard µC
Other side-channels
EM – side-channel
• Known for a long time as a source of side-channel leakage
• First publications came in 2001 [QS01] and [GMO01]
• EM field is proportional to current - Maxwell
• EM probe could be used to pick up the leakage:
  – a small magnetic coil is used allowing precise positioning
• The near field distance is often more convenient
• However, EMA is usually more difficult than PA – the issue of antenna positioning, the shape of antenna etc.
DEMA – spectrum information
Also possible for contactless smartcards
Countermeasures
Countermeasures
Purpose: destroy the link between intermediate values and power consumption
– Masking
  • A random mask concealing every intermediate value
  • Can be on all levels (arithmetic -> gate level)
– Hiding
  • Making power consumption independent of the intermediate values and of the operations
  • Special logic styles, randomizing in time domain, lowering SNR ratio
Software Countermeasures
• Time randomization: the operations are randomly shifted in time
  – use of NOP
  – adding random delays
  – use of dummy variables and instructions (sequence scrambling)
• Register renaming and nondeterministic processor
  – Processor selects an instruction and a memory access randomly
• Permuted execution
  – rearranged instructions e.g. S-boxes
• Masking techniques
Hardware countermeasures
• Noise generation
  – HW noise generator requires the use of RNG
  – total power is increased (problem for handheld devices)
• De-synchronization
  – introducing some fake clock cycles during the computation or using a weak jitter
• Power signal filtering
  – ex.: RLC filter (R-resistor, C-capacitor, L-inductor) smoothing the power consumption signal by removing high frequency components
  – use active components (transistors) in order to keep power consumption relatively constant - problem for mobile phones
  – detached power supplies - Shamir
• Novel circuit designs
  – special logic styles (using constant amount of power)
Masking
• Random masks used to hide the correlation between the power consumption and the secret data
• Two types of masking
  – Boolean masking - use ⊕, e.g. $x' = x \oplus r_x$
  – Arithmetic masking - use addition and subtraction modulo $2^w$ (where w is the digit size), e.g. $x' = (x - r_x) \bmod 2^w$
  – The conversion from one type to another
• Costs for an example platform
  – Software e.g. 32-bit ARM processor: cycle count - factor 1.96; RAM - 6.27, ROM - 1.36 [Mes00]
  – Hardware, ASIC: overhead for masking triples the size of the S-box, from 234 gates (NAND equivalents) to 700 gates [CB08]
Masking AES
• A masking function: $f(x,m) = x * m$
  – * additive or multiplicative masking
• AES includes all linear transformations except S-boxes: $S(x) = A \times x^{-1} + b$
  – $S(x+m) = S(x) + m' \neq S(x) + S(m)$
• several solutions:
  – Re-computation of masked S-box s.t. Masked $S(x+m) = S(x) + m$
  – Multiplicative masking
  – Masking in tower fields
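
Added example (not from the original slides) tying the Pearson/CPA slides to the masking slides: the same correlation distinguisher is applied to constructed Hamming-weight leakage of an AES S-box output, first unprotected and then with a recomputed Boolean-masked S-box table. The leakage model, noise level, key byte and all function names are assumptions for illustration.

```python
import random

def build_aes_sbox():
    """AES S-box from its definition S(x) = A * x^-1 + b over GF(2^8)."""
    def gf_mul(a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            a = ((a << 1) ^ 0x11B) if a & 0x80 else a << 1
            b >>= 1
        return r
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = 0x63  # the constant b
        for rot in range(5):  # A * inv = inv ^ rotl(inv, 1) ^ ... ^ rotl(inv, 4)
            s ^= ((inv << rot) | (inv >> (8 - rot))) & 0xFF
        box.append(s)
    return box

SBOX = build_aes_sbox()
HW = [bin(v).count("1") for v in range(256)]

def masked_sbox_table(m_in, m_out):
    """Recomputed table T with T[x ^ m_in] = S(x) ^ m_out for every x."""
    return [SBOX[u ^ m_in] ^ m_out for u in range(256)]

def pearson(xs, ys):
    """Pearson correlation coefficient r, as in the formula on the slide."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0

def simulate_leakage(key, masked, n=1000, sigma=1.0, seed=2014):
    """Constructed one-sample traces: HW of the S-box output the device
    actually handles, plus Gaussian noise."""
    rng = random.Random(seed)
    plaintexts, leaks = [], []
    for _ in range(n):
        p = rng.randrange(256)
        if masked:
            m_in, m_out = rng.randrange(256), rng.randrange(256)  # fresh per run
            value = masked_sbox_table(m_in, m_out)[(p ^ m_in) ^ key]
        else:
            value = SBOX[p ^ key]
        plaintexts.append(p)
        leaks.append(HW[value] + rng.gauss(0.0, sigma))
    return plaintexts, leaks

def cpa(plaintexts, leaks):
    """Highest |r| over key hypotheses 0..255, returned as (|r|, hypothesis)."""
    return max(
        (abs(pearson([HW[SBOX[p ^ g]] for p in plaintexts], leaks)), g)
        for g in range(256)
    )

if __name__ == "__main__":
    for masked in (False, True):
        r, guess = cpa(*simulate_leakage(0x2B, masked))
        print(f"masked={masked}: best hypothesis 0x{guess:02x}, |r|={r:.3f}")
```

With a fresh output mask per execution the first-order correlation drops to the noise floor in this model; glitches and other effects of a real circuit are not modelled here.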
Issues with masking
• A TRNG is required
• Masked implementations leak due to glitches
• masked logic gate switches its output sometimes more than once per clock cycle [MPG05]
• Glitches in CMOS circuits are data dependent => impact on dynamic power consumption
• Special schemes were designed to resist the leakage due to glitches
• Masking public-key algorithms
  – Many algorithmic/arithmetic options
Hardware countermeasures
• Dynamic and differential logic (pre-charged dual rail)
• Duplicate logic
• Bits are encoded as pairs, e.g. 0 = (1,0) and 1 = (0,1)
• Circuit is pre-charged, e.g. to all zero (0,0)
• Each DRP gate toggles exactly once per evaluation
  – The number of bit flips is constant and data independent
CMOS vs. WDDL (Tiri, Verbauwhede 2004)
[Figure: STD CELL (insecure) vs. WDDL (secure)]
Doesn’t work for small devices!
Conclusions and open problems
• Physical access allows many attack paths
• Trade-offs between assumptions and computational complexity
• Requires knowledge in many different areas
• Future directions:
  – Combining SCA with theoretical cryptanalysis
  – SCA with reverse engineering
References and further reading (1/3)
• [AK96] R. Anderson and M. Kuhn. “Tamper resistance – a cautionary note”. USENIX 1996, http://www.cl.cam.ac.uk/~rja14/tamper.html
• [Koc96] P. Kocher. “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems”. CRYPTO 1996.
• [RS01] T. Romer and J.-P. Seifert. “Information Leakage Attacks against Smart Card Implementations of the Elliptic Curve Digital Signature Algorithm”. E-smart 2001.
• [SW12] Skorobogatov and Woods. “Breakthrough silicon scanning discovers backdoor in military chip”. CHES 2012, http://www.cl.cam.ac.uk/~sps32/ches2012-backdoor.pdf
• [EK+08] T. Eisenbarth et al. “On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme”. CRYPTO 2008.
• [KK+09] M. Kasper et al. “Breaking KeeLoq in a Flash: On Extracting Keys at Lightning Speed”. AFRICACRYPT 2009.
References and further reading (2/3)
• [KS+10] T. Kasper et al. “All You Can Eat or Breaking a Real-World Contactless Payment System”. Financial Cryptography 2010.
• [BG+12] J. Balasch et al. “Power Analysis of Atmel CryptoMemory - Recovering Keys from Secure EEPROMs”. CT-RSA 2012.
• [KJJ99] P. Kocher, J. Jaffe, B. Jun. “Differential Power Analysis”. CRYPTO 1999.
• [QS01] J.-J. Quisquater and D. Samyde. “ElectroMagnetic Analysis (EMA): Measures and Counter-Measures for Smart Cards”. E-smart 2001.
• [GMO01] K. Gandolfi et al. “Electromagnetic Analysis: Concrete Results”. CHES 2001.
• [BK+09] J. Brouchier et al. “Temperature Attacks”. IEEE Security & Privacy 7(2): 79-82 (2009).
• [SN+13] A. Schlösser et al. “Simple photonic emission analysis of AES”. J. Cryptographic Engineering 3(1): 3-15 (2013).
References and further reading (3/3)
• [OS+13] D. Oswald et al. “When Reverse-Engineering Meets Side-Channel Analysis - Digital Lockpicking in Practice”. SAC 2013.
• [CRR02] Chari, Rao and Rohatgi. “Template attacks”. CHES 2002.
• [Mes00] T. S. Messerges. “Securing the AES Finalists Against Power Analysis Attacks”. FSE 2000.
• [CB08] D. Canright, L. Batina. “A Very Compact "Perfectly Masked" S-Box for AES”. ACNS 2008.
• [MPG05] Stefan Mangard, Thomas Popp, Berndt M. Gammel. “Side-Channel Leakage of Masked CMOS Gates”. CT-RSA 2005.
Questions?