# Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Guest Lecturer: Yossi Oren 1.

## Presentation on theme: "Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Guest Lecturer: Yossi Oren 1."— Presentation transcript:

Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Guest Lecturer: Yossi Oren 1

3

 AES  Circuit Design  Statistics  Introduction to Power Analysis 4

PlaintextCiphertext Key AES 5

7

⇐ Low Variance High ⇒ Variance ⇐ Low Correlation High ⇒ Correlation 8

Power Vibration Timing Sound Heat EM PlaintextCiphertext Radiation Crypto Device Key Bad InputsErrors 9

 Power consumption is variable  Power consumption depends on instruction  Power consumption depends on data 10

q Power consumption V dd GND a q A P1 C1 C2 N1  The power consumption of a CMOS gate depends on the data: q: 0->0 virtually no power cons. q: 1->1 virtually no power cons. q: 0->1 high power cons. (proportional to C2) q: 1->0 high power cons. (proportional to C1)

Source: DPA Book 12

Source: DPA Book 13

Source: DPA Book 14

AES Circuit Design Statistics 15

16

 Simple Power Analysis  Warm-up Correlation Power Analysis  Full Correlation Power Analysis 17

 Plaintexts and ciphertexts may be chosen, known or unknown Power PlaintextsCiphertexts Crypto Device Key 18

 Power consumption is variable  Power consumption depends on instruction  Power consumption depends on data 19

 Pros:  Small amount of traces  Cons:  Detailed reverse engineering  Long manual part 20

 Use statistical properties of traces to recover key  Pros:  Very limited reverse engineering  Harder to confuse  Cons:  Large amount of traces  Two main types of DPA:  Difference of means (traditional DPA)  Correlation power analysis (CPA) 21

 We want to discover the correct key value (c k ) and when it is used (c t )  Idea:  On the correct time, the power consumption of all traces is correlated with the correct key  On other times and other keys the traces should show low correlation 22

 Assume plaintext and correct key are known but correct time is unknown  Form hypothesis and test it  Good hypothesis:  Depends on known plaintext  Depends on small amount of key bits  Non-linear – sensitive to small changes  Maps to power consumption using a model 23

 1000 traces, each consisting of 1 million points  Each trace uses a different known plaintext – 1000 plaintexts  1 known key  Hypothesis is vector of 1000 hypothetical power values  Output of warm-up CPA: vector of 1 million correlation values with peak at c t 24

25

 Plaintext is known, but correct key and correct time unknown  Idea: run warm-up CPA many times in parallel  Create many competing hypotheses 26

 1000 traces, each consisting of 1 million points  Each trace uses a different known plaintext – 1000 plaintexts  Key is unknown – 256 guesses for first byte  Hypothesis is matrix of 1000X256 hypothetical power values  Output of full CPA: matrix of 1,000,000X256 correlation values with peak at (c k,c t ) 27

28

Simple Power Analysis Warm-up Correlation Power Analysis Full Correlation Power Analysis 29

Download ppt "Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Guest Lecturer: Yossi Oren 1."

Similar presentations