SECURE DPA : Attaques et Contre-mesures Shivam BHASIN, Taoufik CHOUTA, Guillaume DUC, Jean-Luc DANGER, Aziz EL AABID, Florent FLAMENT, Philippe HOOGVORST, Tarik GRABA, Sylvain GUILLEY, Houssem MAGHR EBI, Olivier MEYNARD, Maxime NASSAR, Renaud PACALET, Laurent SAUVAGE, Nidhal SELMANE and Youssef SOUISSI. Institut TELECOM / TELECOM-ParisTech CNRS LTCI (UMR 5141) SECURE GDR SoC-SiP 14:00 14:45 AMPHI SAPHIR, TELECOM ParisTech, PARIS. 1/42
Presentation Outline 1 2 Side-Channels Side-Channels Acquisitions Attack Algorithms 3 Protocol-Level Register Transfer Level Netlist Level 4 Attack on Information Masking Attack on Information Hiding 5 Conclusions Perspectives 2/42
Presentation Outline 1 2 Side-Channels Side-Channels Acquisitions Attack Algorithms 3 Protocol-Level Register Transfer Level Netlist Level 4 Attack on Information Masking Attack on Information Hiding 5 Conclusions Perspectives 3/42
SECURE Adversary s goal Secrets extraction. Protection Conceal the secrets in a device (ASIC)...... or in the bitstream of an FPGA. Representativity of the study Most problems come down to this... Example: Fetching a data in an encrypted memory decrypt the memory, attack the CPU, use side-channel attacks = SCA (for instance). 4/42
SECURE There are other applications of SCA SCARE: secret cryptography. Test (virtual oscilloscope). Subliminal channel for IPs watermarking. 5/42
Presentation Outline 1 2 Side-Channels Side-Channels Acquisitions Attack Algorithms 3 Protocol-Level Register Transfer Level Netlist Level 4 Attack on Information Masking Attack on Information Hiding 5 Conclusions Perspectives Side-Channels Side-Channels Acquisitions Attack Algorithms 6/42
Typical side-channels Side-Channels Side-Channels Acquisitions Attack Algorithms EMA SPA, DPA, templates, etc. Timing Attacks [5]. TA Attacked circuit Time Power Analysis Attacks [6]. Electro-magnetic Attacks [1]. 7/42
Are SCAs intrusive? Side-Channels Side-Channels Acquisitions Attack Algorithms (SCA) versus Fault Injection Attacks (FIA) SCA: passive FIA: active But what about the experimental setup? Non-intrusive Intrusive Deportable IC (smartcard) Timing, power, EM Soldered IC or BGA (FPGA) Timing, EM power The know-how in measurements is capital. The 3rd version (2010 2011) of the DPA contest (http://www.dpacontest.org/) will have an acquisition competition, based on SASEBO GII. 8/42
Side-Channels Side-Channels Acquisitions Attack Algorithms ALTERA Excalibur evaluation board customized for DPA 9/42
Side-Channels Side-Channels Acquisitions Attack Algorithms Parallax ALTERA Stratix board customized for DPA [3] Serial port Pads and board supply (5.0 V) FPGA Side-channel measurement Core supply (1.5 V) 10/42
Side-Channels Side-Channels Acquisitions Attack Algorithms XCV800 home-made board suitable for global EMA Antenna Acquisition setup Pictures are courtesy of ESAT, Katholieke Universiteit Leuven, Belgium, (Elke De Mulder [7]). 11/42
Side-Channels Side-Channels Acquisitions Attack Algorithms In-house ALTERA Stratix as is suitable for local EMA [9,8] 12/42
Side-Channels Side-Channels Acquisitions Attack Algorithms XILINX Virtex-5 evaluation board customized for EMA Metallic cover FPGA chip FF324 (18 2 pins) socket XC5VLX50 evaluation board 13/42
Side-Channels Side-Channels Acquisitions Attack Algorithms ALTERA Stratix with chemical preparation for EMA 14/42
Modus operandi Side-Channels Side-Channels Acquisitions Attack Algorithms Information known/unknown by the attacker Known: Observations O; Known: (usually) either the plaintext or the ciphertext. Unknown: the encryption key (case of symmetric encryption). Strategy: divide-and-conquer Partition observations according to a sensitive variable S: depends on the secret K, not too many bits of K, since attack = exhaustive search, is computable from the plaintext / ciphertext. Therefore: attacks target the first or the last round (in general), MixColumns in AES hard to invert attack the last round. 15/42
Side-Channels Side-Channels Acquisitions Attack Algorithms Use the traces O to distinguishing between the correct partitioning from wrong ones Distinguishers use a model M(S) is the physical syndrome related to the manipulation of the secret S. It is called the leakage model. Examples of distinguishers E(O M(S) = 0) E(O M(S) = 1) :...DoM E S ((O M(S) EO M(S))(M(S) EM(S))):... Covariance ρ s (O S = s; M(s)):...CPA E s H (O M(S) = M(s)) or I(O; M(S)):...MIA 16/42
Side-Channels Side-Channels Acquisitions Attack Algorithms Models M(S) (classification by [10]) Partition-based: If unprotected: M(s) = s ; Hamming weight; Bus cleared in SW M(s) = s R ; Hamming weight; Bus precharged in SW M(s) = s s 1 ; Hamming distance; typical of HW M(s) = s s 1 + (1 δ) s s 1 ; Idem, but in near-field EMA If protected: M(s) = s. Warning: 2 n values! Difficult to be more inventive if the countermeasure is sound... but we ll see Comparison-based: M(S) = E(O S); (profiled attacks) templates 17/42
Side-Channels Side-Channels Acquisitions Attack Algorithms Various leakage models for DES (iterative architecture) Attack on the first round of DES Attack on the last round of DES 32 32 32 32 t = 0 L0 R0 L15 R15 t = 15 model C K1 model A K16 model A Feistel function: f model D model D Feistel function: f model B model B model C t = 1 L1 R1 L16 R16 t = 16 32 32 32 32 Caption: black = known values; red = unknown sensitive values 18/42
Side-Channels Side-Channels Acquisitions Attack Algorithms Finding the best leakage models is not obvious 1 0.8 Success rate 0.6 0.4 0.2 0 1 0.8 1 0.6 0.8 0.4 Success rate 0.6 0.2 0.4 0 0.2 0 0.6 0.5 0.4 0.3 0.2 0.1 0 600 500 3500 4000 400 0 500 300 0 500 2000 25003000 1000 1500 200 Traces for profiling 1000 1500 Traces for profiling 2000 2000 2500 3000 100 2500 Traces for online attack 3000 3500 4000 0 Traces for online attack 3500 4000 0 50010001500 Success rate for model A. Success rate for model B. 1 0.8 Success rate 0.6 0.4 0.2 0 0.9 0.8 0.7 1 0.6 0.5 0.8 0.4 Success rate 0.6 0.3 0.2 0.4 0.1 0 0.2 0 1 0.8 0.6 0.4 0.2 0 3500 4000 3500 4000 0 500 1000 1500 2000 2000 25003000 Traces for profiling 0 500 1000 1500 2000 2000 25003000 Traces for profiling 2500 Traces for online attack 3000 3500 4000 0 50010001500 2500 Traces for online attack 3000 3500 4000 0 50010001500 Success rate for model C. Success rate for model D. 19/42
So, shall we conclude the Hamming distance (HD) model D is the ultimate model for HW? Average power trace Covariance result (same scale as the average power trace) 80 80 60 60 Voltage [mv] 40 20 Voltage [mv] 40 20 0 0-20 -20-8 0 8 16 Time [clock periods] -8 0 8 16 Time [clock periods] SecMat v1[asic]: Typical trace: 92 mv Typical DPA: 3.0 mv Side-channel leakage: 3.3 % See [4] Voltage [mv] Covariance result (zoomed) 3 2.5 2 1.5 1 0.5 0-0.5-8 0 8 16 Time [clock periods]
Combined attacks! Side-Channels Side-Channels Acquisitions Attack Algorithms 1 Various distinguishers for a same partitioning; 2 One distinguisher can be evaluated on various partitionings; 3 The diversity can also come from the multiplicity of timing samples usually garnered during an acquisition campaign; 4 It can also arise from multi-modal acquisitions; 5 There can be situations where the most suitable partitioning can evolve from sample to sample in a side-channel capture. 21/42
Presentation Outline 1 2 Side-Channels Side-Channels Acquisitions Attack Algorithms 3 Protocol-Level Register Transfer Level Netlist Level 4 Attack on Information Masking Attack on Information Hiding 5 Conclusions Perspectives Protocol-Level Register Transfer Level Netlist Level 22/42
Protocol-Level Register Transfer Level Netlist Level Targeted strategies Protocol-level: Most wanted since provable Register-Transfer Level: Masking. Easiest to implement; Boolean or algorithmic. Encrypted leakage Glitch-full circuits Netlist or implementation level: Hiding (= DPL, Dual-rail with Precharge Logic) Degenerated counter-measures / Make difficult strategies DPL w/o precharge Noise generator, Dummy instructions, Varying clock, etc. And as for attacks, countermeasures can be combined. 23/42
Protocol level: Protocol-Level Register Transfer Level Netlist Level if 1 bit is leaked per 100 encryptions... Alice: AES k0 Bob: AES 1 k 0 100 k 0 k 0 hash hash k 1 AES k1 k 1 AES 1 k 1 100 k 1 k 1 hash hash k 2 k 2 24/42
Masking Protocol-Level Register Transfer Level Netlist Level Principle Every variable s, potentially sensible, is represented as a share {s 0, s 1,, s n 1 } To reconstruct s, all the s i are required. Example: n = 2, s. = s 0 s 1. Leakage resistant since variables are never used plain; Attractive but works only fine for registers. Efforts done to protect also the combinational logic. 25/42
Encrypted Leakage Protocol-Level Register Transfer Level Netlist Level FPGA x ASIC (tamper-proof) x Encrypted bitstream kb kc Masked DES Masked DFF Side-channel: EMA, power Trusted Platform Module Masked DES Masked DFF kc Side-channel: EMA, power ki personalization NVM ki y = DES(x, kc) y = DES(x, kc) 26/42
Glitch-full circuits Protocol-Level Register Transfer Level Netlist Level (a) (b) input 8 FP FP 64 IP 0 1 2 0 1 2 3 3 1 MUX 4 1 MUX PC1 FP 8 1 Parity bits LS 0 1 2 3 1 MUX IF LR CD 56 output 8 Round 1: Round 2:... Round 15: Round 16: Round logic Round logic Key schedule Key schedule......... Round logic Round logic Key schedule Key schedule purely combinatorial logic (1) (2) Normal IP representation 27/42
Glitch-full circuits Protocol-Level Register Transfer Level Netlist Level (a) (b) input 8 FP FP 64 IP 0 1 2 0 1 2 3 3 1 MUX 4 1 MUX PC1 FP 8 1 Parity bits LS 0 1 2 3 1 MUX IF LR CD 56 output 8 Round 1: Round 2:... Round 15: Round 16: Round logic Round logic Key schedule Key schedule......... Round logic Round logic Key schedule Key schedule purely combinatorial logic (1) (2) Normal IP representation 27/42
Protocol-Level Register Transfer Level Netlist Level (a) (b) Average +/- standard deviation [mv] 35 30 25 20 15 10 5 Round #1 0 0 200 400 600 800 1000 Time [ns] (a) (b) Round #2 Round #3 Round #4 11 ns Round #5 Round #6 Round #7 Round #8... Average +/- standard deviation [mv] 220 200 180 160 140 120 100 80 60 40 20 35 ns <1 ns >2 ns All 16 rounds 0 0 50 100 150 200 Time [ns] Sequential iterative DES encryption signature, with the average variation margin, for statistics collected on 10k measurements. Average combinatorial DES encryption signature, with the average variation margin, for statistics collected on 100k measurements. 28/42
Protocol-Level Register Transfer Level Netlist Level Hiding: Placement and Routing of Xilinx WDDL+ Netlists. P&R tools naturally separate true and false paths Example with AES substitution box SUBBYTES with and without placement constraints (2 2 LuT4 per slice) Unconstrained placement Constrained placement 29/42
Presentation Outline 1 2 Side-Channels Side-Channels Acquisitions Attack Algorithms 3 Protocol-Level Register Transfer Level Netlist Level 4 Attack on Information Masking Attack on Information Hiding 5 Conclusions Perspectives Attack on Information Masking Attack on Information Hiding 30/42
Attack on Information Masking Attack on Information Hiding Message ki IP IP Left masked data (Li) Left mask (MLi) Feistel function f m m P S E S(x kc) xm P m S E Right mask (MRi) Right masked data (Ri) kc FP Ciphertext 31/42
Attack on Information Masking Attack on Information Hiding Message ki IP IP Left masked data (Li) Left mask (MLi) Feistel function f Right mask (MRi) Right masked data (Ri) P m S m E P S(x kc) m S xm E kc FP Ciphertext 32/42
Attack on Information Masking Attack on Information Hiding Attacks on masking (1/2) p(l=0)=1/16 p(l=1)=4/16 p(l=2)=6/16 p(l=3)=4/16 p(l=4)=1/16 Correct key (i.e. physical L) O L=0 O L=1 O L=2 O L=3 O L=4 0 1 2 3 4 0 1 2 3 4 0 1 2 3 4 0 1 2 3 4 0 1 2 3 4 H(O L=0)=0 H(O L=1)=0 H(O L=3)=0 H(O L=3)=0 H(O L=4)=0 H(O L)=0 bit Incorrect key (i.e. random L) O L=0 0 1 2 3 4 O L=1 0 1 2 3 4 O L=2 0 1 2 3 4 O L=3 0 1 2 3 4 O L=4 0 1 2 3 4 H(O L=0)=2.03 H(O L=1)=2.03 H(O L=2)=2.03 H(O L=3)=2.03 H(O L=4)=2.03 H(O L)=2.03 bit 33/42
Attack on Information Masking Attack on Information Hiding Attacks on masking (2/2) p(l=0)=1/16 p(l=1)=4/16 p(l=2)=6/16 p(l=3)=4/16 p(l=4)=1/16 O L=0 O L=1 O L=2 O L=3 O L=4 Correct key (i.e. physical L) 0 2 4 6 8 0 2 4 6 8 0 2 4 6 8 0 2 4 6 8 0 2 4 6 8 H(O L=0)=2.03 H(O L=1)=1.81 H(O L=3)=1.5 H(O L=3)=1 H(O L=4)=0 H(O L)=1.39 bit Incorrect key (i.e. random L) O L=0 0 2 4 6 8 O L=1 0 2 4 6 8 O L=2 0 2 4 6 8 O L=3 0 2 4 6 8 O L=4 0 2 4 6 8 H(O L=0)=2.54 H(O L=1)=2.54 H(O L=2)=2.54 H(O L=3)=2.54 H(O L=4)=2.54 H(O L)=2.54 bit 34/42
Attack on Information Masking Attack on Information Hiding Models M(S) (classification by [10]) Partition-based: If unprotected: M(s) = s ; Hamming weight; Bus cleared in SW M(s) = s R ; Hamming weight; Bus precharged in SW M(s) = s s 1 ; Hamming distance; typical of HW M(s) = i s s 1 + (1 δ)s s 1 ; Idem, but in near-field EMA If protected: M(s) = s. WARNING: 2 n values! Difficult to be more inventive if the countermeasure is sound... M(S) = S 1 + S 2 ; Zero-offset M(S) = (S 1,S 2 ) ; Multi-variate MIA (MMIA [2]) Comparison-based: M(S) = E(O S); (profiled attacks) templates 35/42
Attacks on DPL Attack on Information Masking Attack on Information Hiding 0.06 0.05 AES WDDL no EE AES WDDL EE Evaluation Round 9 MUTUAL INFORMATION 0.04 0.03 0.02 0.01 Precharge Round 9 Evaluation Round 10 Precharge Round 10 0 sensitive not sensitive 0.01 0 200 400 600 800 1000 1200 SAMPLES 36/42
Presentation Outline 1 2 Side-Channels Side-Channels Acquisitions Attack Algorithms 3 Protocol-Level Register Transfer Level Netlist Level 4 Attack on Information Masking Attack on Information Hiding 5 Conclusions Perspectives Conclusions Perspectives 37/42
Conclusions Perspectives Formal practice-oriented framework [11] Attacks metric Leakage metric Reduction function 38/42
Conclusions Perspectives Counter-Measures are still ad hoc 1 Multiplicative masking of AES (M.-L. Akkar and Ch. Giraud, CHES 2001) Zero Attack (Jovan Dj. Golic, Christophe Tymen, CHES 2002) 2 Provable secure S-Box implementation based on FFT (E. Prouff et al, CHES 2006) Bias of the mask attack (S. Coron, CHES 2008) 3 MDPL (Th. Popp and S. Mangard, CHES 2005) Folding attack (P. Schaumont and K. Tiri, CHES 2007), Subset attack (E. de Mulder et al, WIFS 2009) 4 DRSL (Z. Chen and Y. Zhou, CHES 2006) Glitch on precharge (M. Nassar, DATE 2009) 39/42
Call for Further Researches Conclusions Perspectives Open Issues Need for formal proofs of security Can be at protocol level (work in progress). Could also be at implementation level (new research area). Devise countermeasures globally...... taking into account all possible weaknesses: Observation. Perturbation. Manipulation. 40/42
Conclusions Perspectives [1] Karine Gandolfi, Christophe Mourtel, and Francis Olivier. Electromagnetic Analysis: Concrete Results. In CHES, volume 2162 of LNCS, pages 251 261. Springer, May 14-16 2001. Paris, France. [2] Benedikt Gierlichs, Lejla Batina, Bart Preneel, and Ingrid Verbauwhede. Revisiting Higher-Order DPA Attacks: Multivariate Mutual Information Analysis. In CT-RSA, volume 5985 of LNCS, pages 221 234. Springer, March 1-5 2010. San Francisco, CA, USA. [3] Sylvain Guilley, Laurent Sauvage, Jean-Luc Danger, Tarik Graba, and Yves Mathieu. Evaluation of Power-Constant Dual-Rail Logic as a Protection of Cryptographic Applications in FPGAs. In SSIRI, pages 16 23, Yokohama, Japan, jul 2008. IEEE Computer Society. DOI: 10.1109/SSIRI.2008.31, http://hal.archives-ouvertes.fr/hal-00259153/en/. [4] Sylvain Guilley, Laurent Sauvage, Jean-Luc Danger, Nidhal Selmane, and Renaud Pacalet. Silicon-level solutions to counteract passive and active attacks. In FDTC, 5th Workshop on Fault Detection and Tolerance in Cryptography, IEEE-CS, pages 3 17, Washington DC, USA, aug 2008. (Up-to-date version on http://hal.archives-ouvertes.fr/hal: http://hal.archives-ouvertes.fr/hal-00311431/en/). [5] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In Proceedings of CRYPTO 96, volume 1109 of LNCS, pages 104 113. Springer-Verlag, 1996. (http://www.cryptography.com/timingattack/paper.htmlpdf). [6] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential Power Analysis. In Proceedings of CRYPTO 99, volume 1666 of LNCS, pages 388 397. Springer-Verlag, 1999. (PDF). 41/42
Conclusions Perspectives [7] Elke De Mulder, Pieter Buysschaert, Sıddıka Berna Örs, Peter Delmotte, Bart Preneel, Guy Vandenbosch, and Ingrid Verbauwhede. Electromagnetic Analysis Attack on an FPGA Implementation of an Elliptic Curve Cryptosystem. In IEEE International Conference on Computer as a tool (http://www.eurocon2005.org.yu/eurocon), pages 1879 1882, November 2005. Belgrade, Serbia & Montenegro. [8] Laurent Sauvage, Sylvain Guilley, Jean-Luc Danger, Yves Mathieu, and Maxime Nassar. Successful Attack on an FPGA-based Automatically Placed and Routed WDDL+ Crypto Processor. In DATE, track A4 (Secure embedded implementations), April 20 24 2009. Nice, France. Electronic version: http://hal.archives-ouvertes.fr/hal-00325417/en/. [9] Laurent Sauvage, Sylvain Guilley, and Yves Mathieu. ElectroMagnetic Radiations of FPGAs: High Spatial Resolution Cartography and Attack of a Cryptographic Module. ACM Trans. Reconfigurable Technol. Syst., 2(1):1 24, March 2009. Full text inhttp://hal.archives-ouvertes.fr/hal-00319164/en/. [10] François-Xavier Standaert, Benedikt Gierlichs, and Ingrid Verbauwhede. Partition vs. Comparison Side-Channel Distinguishers: An Empirical Evaluation of Statistical Tests for Univariate against Two Unprotected CMOS Devices. In ICISC, volume 5461 of LNCS, pages 253 267. Springer, December 3-5 2008. Seoul, Korea. [11] François-Xavier Standaert, Tal Malkin, and Moti Yung. A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks. In EUROCRYPT, volume 5479 of Lecture Notes in Computer Science, pages 443 461. Springer, April 26-30 2009. Cologne, Germany. 42/42