Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Guest Lecturer: Yossi Oren 1.

Similar presentations


Presentation on theme: "Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Guest Lecturer: Yossi Oren 1."— Presentation transcript:

1 Information Security – Theory vs. Reality , Winter 2011 Guest Lecturer: Yossi Oren 1

2 2

3 3

4  AES  Circuit Design  Statistics  Introduction to Power Analysis 4

5 PlaintextCiphertext Key AES 5

6 Source: 6

7 7

8 ⇐ Low Variance High ⇒ Variance ⇐ Low Correlation High ⇒ Correlation 8

9 Power Vibration Timing Sound Heat EM PlaintextCiphertext Radiation Crypto Device Key Bad InputsErrors 9

10  Power consumption is variable  Power consumption depends on instruction  Power consumption depends on data 10

11 q Power consumption V dd GND a q A P1 C1 C2 N1  The power consumption of a CMOS gate depends on the data: q: 0->0 virtually no power cons. q: 1->1 virtually no power cons. q: 0->1 high power cons. (proportional to C2) q: 1->0 high power cons. (proportional to C1)

12 Source: DPA Book 12

13 Source: DPA Book 13

14 Source: DPA Book 14

15 AES Circuit Design Statistics 15

16 16

17  Simple Power Analysis  Warm-up Correlation Power Analysis  Full Correlation Power Analysis 17

18  Plaintexts and ciphertexts may be chosen, known or unknown Power PlaintextsCiphertexts Crypto Device Key 18

19  Power consumption is variable  Power consumption depends on instruction  Power consumption depends on data 19

20  Pros:  Small amount of traces  Cons:  Detailed reverse engineering  Long manual part 20

21  Use statistical properties of traces to recover key  Pros:  Very limited reverse engineering  Harder to confuse  Cons:  Large amount of traces  Two main types of DPA:  Difference of means (traditional DPA)  Correlation power analysis (CPA) 21

22  We want to discover the correct key value (c k ) and when it is used (c t )  Idea:  On the correct time, the power consumption of all traces is correlated with the correct key  On other times and other keys the traces should show low correlation 22

23  Assume plaintext and correct key are known but correct time is unknown  Form hypothesis and test it  Good hypothesis:  Depends on known plaintext  Depends on small amount of key bits  Non-linear – sensitive to small changes  Maps to power consumption using a model 23

24  1000 traces, each consisting of 1 million points  Each trace uses a different known plaintext – 1000 plaintexts  1 known key  Hypothesis is vector of 1000 hypothetical power values  Output of warm-up CPA: vector of 1 million correlation values with peak at c t 24

25 25

26  Plaintext is known, but correct key and correct time unknown  Idea: run warm-up CPA many times in parallel  Create many competing hypotheses 26

27  1000 traces, each consisting of 1 million points  Each trace uses a different known plaintext – 1000 plaintexts  Key is unknown – 256 guesses for first byte  Hypothesis is matrix of 1000X256 hypothetical power values  Output of full CPA: matrix of 1,000,000X256 correlation values with peak at (c k,c t ) 27

28 28

29 Simple Power Analysis Warm-up Correlation Power Analysis Full Correlation Power Analysis 29


Download ppt "Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Guest Lecturer: Yossi Oren 1."

Similar presentations


Ads by Google