Download presentation

Presentation is loading. Please wait.

Published byNestor Ginyard Modified over 2 years ago

1
Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Guest Lecturer: Yossi Oren 1

2
http://www.dpabook.org http://www.springerlink.com/content/g01q1k 2

3
3

4
AES Circuit Design Statistics Introduction to Power Analysis 4

5
PlaintextCiphertext Key AES 5

6
Source: http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html 6

7
7

8
⇐ Low Variance High ⇒ Variance ⇐ Low Correlation High ⇒ Correlation 8

9
Power Vibration Timing Sound Heat EM PlaintextCiphertext Radiation Crypto Device Key Bad InputsErrors 9

10
Power consumption is variable Power consumption depends on instruction Power consumption depends on data 10

11
q Power consumption V dd GND a q A P1 C1 C2 N1 The power consumption of a CMOS gate depends on the data: q: 0->0 virtually no power cons. q: 1->1 virtually no power cons. q: 0->1 high power cons. (proportional to C2) q: 1->0 high power cons. (proportional to C1)

12
Source: DPA Book 12

13
Source: DPA Book 13

14
Source: DPA Book 14

15
AES Circuit Design Statistics 15

16
16

17
Simple Power Analysis Warm-up Correlation Power Analysis Full Correlation Power Analysis 17

18
Plaintexts and ciphertexts may be chosen, known or unknown Power PlaintextsCiphertexts Crypto Device Key 18

19
Power consumption is variable Power consumption depends on instruction Power consumption depends on data 19

20
Pros: Small amount of traces Cons: Detailed reverse engineering Long manual part 20

21
Use statistical properties of traces to recover key Pros: Very limited reverse engineering Harder to confuse Cons: Large amount of traces Two main types of DPA: Difference of means (traditional DPA) Correlation power analysis (CPA) 21

22
We want to discover the correct key value (c k ) and when it is used (c t ) Idea: On the correct time, the power consumption of all traces is correlated with the correct key On other times and other keys the traces should show low correlation 22

23
Assume plaintext and correct key are known but correct time is unknown Form hypothesis and test it Good hypothesis: Depends on known plaintext Depends on small amount of key bits Non-linear – sensitive to small changes Maps to power consumption using a model 23

24
1000 traces, each consisting of 1 million points Each trace uses a different known plaintext – 1000 plaintexts 1 known key Hypothesis is vector of 1000 hypothetical power values Output of warm-up CPA: vector of 1 million correlation values with peak at c t 24

25
25

26
Plaintext is known, but correct key and correct time unknown Idea: run warm-up CPA many times in parallel Create many competing hypotheses 26

27
1000 traces, each consisting of 1 million points Each trace uses a different known plaintext – 1000 plaintexts Key is unknown – 256 guesses for first byte Hypothesis is matrix of 1000X256 hypothetical power values Output of full CPA: matrix of 1,000,000X256 correlation values with peak at (c k,c t ) 27

28
28

29
Simple Power Analysis Warm-up Correlation Power Analysis Full Correlation Power Analysis 29

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google