Side-channel based Collision Attacks, Theory to Practice
Amir Moradi
Embedded Security Group, Ruhr University Bochum, Germany
3. December 2010

Transcript of the slide deck (26 slides).

Page 1: Side-channel based Collision Attacks, Theory to Practice

Amir Moradi
Embedded Security Group, Ruhr University Bochum, Germany
3. December 2010

Page 2: Outline

- Classical side-channel attacks
- What is a side-channel based collision attack?
- Implementation platforms and problems
- A newly introduced side-channel based correlation collision attack
- Some hints when implementing

WAC 2010 | Singapore | 3. December 2010 | Amir Moradi

Page 3: Classical Side-Channel Attacks

- Collecting the side-channel leakage
  – Using an oscilloscope for power analysis attacks
    • and an electromagnetic probe for electromagnetic analysis attacks
  – Using a timer for timing attacks

Page 4: Classical Side-Channel Attacks

- Define the hypothetical power model
  – In differential power analysis
  – In correlation power analysis
- Define the distinguisher
  – In mutual information analysis
- Examine the relation between the (hypothetical) model and the real measurements using statistical tools
  – difference of means
  – correlation coefficient
  – entropy

Page 5: What is a Side-Channel Based Collision Attack?

- Avoids any model to predict the power consumption
  – Independent of the leakage type
- Examines the similarity of the measurements for different processed values
  – when a collision is found, a relation between parts of the secret is revealed

Page 6: Side-Channel Based Collision Attack [example 1]

- Implementation platform: a micro-controller
- Target algorithm: the AES encryption
- Strategy of the attack: looking at the similar power consumption traces for different Sbox outputs

  Sbox(P1+K1) = Sbox(P2+K2) => P1+K1 = P2+K2 => K1+K2 = C

Page 7: Side-Channel Based Collision Attack [example 1]

- Presence of countermeasures
  – Masking: wait till a collision may occur on both masks and Sbox outputs; depends strongly on the masking order
  – Shuffling: extending the search area to consider all clock cycles may lead to false positive results
  – Masking and Shuffling: efficiency of the attack is drastically reduced!

Page 8: Side-Channel Based Collision Attack [example 2]

- Implementation platform: an FPGA/ASIC
- Target algorithm: the AES encryption
- Strategy of the attack: cannot be decided without knowing the architecture

Page 9: An Overview of the Architecture

(figure: architecture overview)

Page 10: How do the power traces look like?

- 8-bit architecture (figure)
- 32-bit architecture (figure)

Page 11: Side-Channel Based Collision Attack [example 2]

- Implementation platform: an FPGA/ASIC
- Target algorithm: the AES encryption
- Strategy of the attack:
  – 8-bit architecture: roughly the same as the μC case
  – 32-bit architecture: not easy because of the low probability of collision
- The attack does not work efficiently in comparison to the μC
  – Switching noise is added
  – Power consumption depends also on the last processed values
- Worse situation in the presence of countermeasures

Page 12: What can we do? [Usually a DPA/CPA using HD/HW model works + MIA]

- Before developing an attack
  – First, averaging based on plaintext bytes (32-bit arch.)
    • 256 mean traces for each plaintext byte
    • Variance over mean traces (each plaintext byte separately)

Page 13: Designing an Attack

- Supposing we know a key byte, we get mean traces for the corresponding Sbox input byte
- For another plaintext byte (unknown key), we get mean traces
- How are these mean traces related to each other?

Page 14: Designing an Attack

- The mean traces for the unknown key bytes can be generated for each key byte hypothesis
- The correct key byte can be found by comparing the mean traces at each time instance
  – Correlation helps here!
    • Correlation of two sets of mean traces based on the key hypothesis (is almost 1 for the right key (due to equal power consumption))

Page 15: Extending the Attack

- If the first key byte (for the first mean traces) is not known, what we recover is the linear difference between two key bytes: k1+k2, because of AddRoundKey of AES
  – The same attack shown on the μC, but using all possible collisions!
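The correlation collision attack of the preceding slides (average the traces by plaintext byte, then correlate the two sets of 256 mean traces under every hypothesis for k1+k2) and the collision relation Sbox(P1+K1) = Sbox(P2+K2) => K1+K2 = C from example 1, as an added simulation that is not part of the talk: it builds the AES S-box from its definition, generates constructed single-sample "traces" from a Hamming-weight leakage that the attack itself never uses, and recovers k1 XOR k2 from the mean traces alone. The secret bytes, noise level and number of repetitions are assumptions chosen for the simulation.

```python
import random
def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a):
    """a^254 = a^-1 in GF(2^8); 0 maps to 0 as the S-box requires."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def sbox_entry(x):
    """AES S-box: field inverse, then affine map s = b ^ rot1(b) ^ ... ^ rot4(b) ^ 0x63."""
    b = s = gf_inv(x)
    for _ in range(4):
        b = ((b << 1) | (b >> 7)) & 0xFF
        s ^= b
    return s ^ 0x63
SBOX = [sbox_entry(x) for x in range(256)]

def leak(value, rng):
    """Constructed leakage (HW of the S-box output + noise); the attack never relies on it."""
    return bin(SBOX[value]).count("1") + rng.gauss(0, 2.0)

def mean_traces(key_byte, reps, rng):
    """Averaging step: one mean (single-sample) trace per plaintext byte value."""
    return [sum(leak(p ^ key_byte, rng) for _ in range(reps)) / reps for p in range(256)]

def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    return sxy / (sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y)) ** 0.5

def recover_key_difference(m1, m2):
    """Correlate m1 with m2 aligned by each hypothesis d of k1^k2; rho ~ 1 only at the right d,
    because Sbox(p^k1) == Sbox(p^d^k2) for every p exactly when d == k1^k2."""
    scores = [pearson(m1, [m2[p ^ d] for p in range(256)]) for d in range(256)]
    return max(enumerate(scores), key=lambda t: t[1])  # (best d, its correlation)

def demo(k1=0x2B, k2=0x7E, reps=50, seed=1):
    rng = random.Random(seed)  # constructed secret bytes, noise and seed (assumptions)
    return recover_key_difference(mean_traces(k1, reps, rng), mean_traces(k2, reps, rng))
```

Only the XOR difference k1^k2 comes out, exactly as the slide states; with both bytes unknown every one of the 256 absolute values of k1 remains consistent with the traces.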

Page 16: Why does it work?

- There are four instances of the S-box in the 32-bit arch.
  – The power consumption characteristics of the same instance of the S-box are used in the mean traces
  – Power consumption of an instance of the S-box is compared to itself in different clock cycles
- What happens for a larger architecture?
  – The same netlist for the S-boxes, even the same placement and routing, but still process variations exist
    • Small differences in the power consumption characteristics of different instances of the S-box
  – The same instances of the S-box should be compared

Page 17: The gain of the attack

- Relation between key bytes
  – 8-bit arch. → 15 relations, 2^8 candidates for the 128-bit key
  – 32-bit arch. → 12 relations, 2^32 candidates for the 128-bit key
- How to get the correct key?
  – A pair of plain-/ciphertext
  – Continue the attack on the second round of the AES for each key candidate

Page 18: How about Shuffling?

- Shuffling is done on the order of Sbox runs
- Using combing [what's combing?]

Page 19: How about Masking?

- Looking into the literature
- smallest masked AES S-box by Canright and Batina
- 1st order leakage is obvious because of glitches

Page 20: Results when masking is implemented

(figure: results)

Page 21: Masking combined with Shuffling?

- Using combing (figure)

Page 22: First Hints

- The attack works when an instance of the Sbox is shared for a computation of a round
- Try to avoid Sbox [hardware] sharing
  – going through round-based implementation
    • 128-bit architectures
    • even unrolled architectures

Page 23: Results on 128-bit arch. [unmasked]

- not achieved for all key bytes
  – because of differences between the netlists of different instances of the Sbox

Page 24: How about unrolled implementations?

- two rounds per clock cycle (figure)
- three rounds per clock cycle (figure)

Page 25: Second Hints

- The attack still works on some key bytes even on unrolled implementations
- To avoid such an attack it is recommended to use different netlists for different instances of the Sbox
  – the result will avoid similarity of the power consumption of different instances of the Sbox
- The world still is not enough
  – at the end of the day, a statistical tool, e.g., MIA, will recover the secret!

Page 26: Thanks! Any questions?

Thanks to my colleagues:
- Oliver Mischke
- Thomas Eisenbarth

Embedded Security Group, Ruhr University Bochum, Germany