1 Information Security – Theory vs. Reality 0368-4474, Winter 2015-2016 Lecture 3: Power analysis, correlation power analysis Lecturer: Eran Tromer.

Slides:



Advertisements
Similar presentations
“Advanced Encryption Standard” & “Modes of Operation”
Advertisements

Information Security – Theory vs. Reality , Winter 2011 Guest Lecturer: Yossi Oren 1.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
White-Box Cryptography
Differential Power Analysis of Smartcards How secure is your private information? Author: Ryan Junee Supervisor: Matt Barrie.
Practical Template-Algebraic Side Channel Attacks with Extremely Low Data Complexity 1.
Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.
Cryptography and Network Security Chapter 3
Block Ciphers and the Data Encryption Standard
Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.
Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Full AES key extraction in 65 milliseconds using cache attacks
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.
Cryptanalysis through Cache Address Leakage Eran Tromer Adi Shamir Dag Arne Osvik.
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers.
Chapter 3 – Block Ciphers and the Data Encryption Standard Jen-Chang Liu, 2004 Adopted from lecture slides by Lawrie Brown.
ICS 454: Principles of Cryptography
Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 5 Wenbing Zhao Department of Electrical and Computer Engineering.
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
Lecture 23 Symmetric Encryption
Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.
Lecture 10: Robust fitting CS4670: Computer Vision Noah Snavely.
Computer Security CS 426 Lecture 3
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Cryptanalysis. The Speaker  Chuck Easttom  
History and Background Part 1: Basic Concepts and Monoalphabetic Substitution CSCI 5857: Encoding and Encryption.
Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on “A Tutorial on Linear and Differential Cryptanalysis” by Howard Heys.] Modern block ciphers.
Template attacks Suresh Chari, Josyula R. Rao, Pankaj Rohatgi IBM Research.
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference.
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
1 Lect. 10 : Cryptanalysis. 2 Block Cipher – Attack Scenarios  Attacks on encryption schemes  Ciphertext only attack: only ciphertexts are given  Known.
H.M.Gamaarachchi (E/10/102) P.B.H.B.B.Ganegoda (E/10/104)
Module 3 – Cryptography Cryptography basics Ciphers Symmetric Key Algorithms Public Key Algorithms Message Digests Digital Signatures.
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 6: Striving for Confusion Structures.
Cryptography Team Presentation 2
Feb 17, 2003Mårten Trolin1 Previous lecture Practical things about the course. Example of cryptosystem — substitution cipher. Symmetric vs. asymmetric.
“Implementation of a RC5 block cipher algorithm and implementing an attack on it” Cryptography Team Presentation 1.
Exploiting Cache-Timing in AES: Attacks and Countermeasures Ivo Pooters March 17, 2008 Seminar Information Security Technology.
A paper by: Paul Kocher, Joshua Jaffe, and Benjamin Jun Presentation by: Michelle Dickson.
Lecture 23 Symmetric Encryption
Cache Attacks and Countermeasures:
The RC5 Encryption Algorithm: Two Years On Lisa Yin RC5 Encryption –Ron Rivest, December 1994 –Fast Block Cipher –Software and Hardware Implementations.
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer.
Lecture7 –More on Attacks Rice ELEC 528/ COMP 538 Farinaz Koushanfar Spring 2009.
Block Ciphers and the Data Encryption Standard. Modern Block Ciphers  One of the most widely used types of cryptographic algorithms  Used in symmetric.
Lecture 3 Page 1 CS 236 Online Introduction to Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
CST 312 Pablo Breuer. A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length Typically a block size of 64 or.
Click to edit Present’s Name Three Attacks, Many Process Variations and One Expansive Countermeasure International Workshop on Cybersecurity Darshana Jayasinghe,
@Yuan Xue CS 285 Network Security Block Cipher Principle Fall 2012 Yuan Xue.
Computer Security By Rubel Biswas. Introduction History Terms & Definitions Symmetric and Asymmetric Attacks on Cryptosystems Outline.
Yossi Oren, yos strudel bgu.ac.il, yossioren System Security Engineering course, Dec
Attacks on Public Key Encryption Algorithms
Xin Fang, Pei Luo, Yunsi Fei, and Miriam Leeser
Cryptography after DES
Cryptography This week we are going to use OpenSSL
Unknown Input Attacks in the Parallel Setting Improving the Security of the CHES 2012 Leakage Resilient PRF Marcel Medwed François-Xavier Standaert Ventzislav.
Unit 2 “Implementation of a RC5 block cipher algorithm and implementing an attack on it”
ICS 454: Principles of Cryptography
ADVANCED ENCRYPTION STANDARDADVANCED ENCRYPTION STANDARD
Presentation Outline Introduction to Side Channel Attacks
Cryptography Lecture 16.
Florida State University
ICS 555: Block Ciphers & DES Sultan Almuhammadi.
Presentation transcript:

1 Information Security – Theory vs. Reality , Winter Lecture 3: Power analysis, correlation power analysis Lecturer: Eran Tromer

2 Power Analysis Simple Power Analysis Correlation Power Analysis Differential Power Analysis

3 Power analysis Power analysis: measure device’s power consumption.

The AES Cipher PlaintextCiphertext Key AES 4

AES symmetric cipher: Lookup-based implementation char p[16], k[16]; // plaintext and key int32 Col[4]; // intermediate state const int32 T0[256],T1[256],T2[256],T3[256]; // lookup tables... /* Round 1 */ Col[0]  T0[p[ 0]  k[ 0]]  T1[p[ 5]  k[ 5]]  T2[p[10]  k[10]]  T3[p[15]  k[15]]; Col[1]  T0[p[ 4]  k[ 4]]  T1[p[ 9]  k[ 9]]  T2[p[14]  k[14]]  T3[p[ 3]  k[ 3]]; Col[2]  T0[p[ 8]  k[ 8]]  T1[p[13]  k[13]]  T2[p[ 2]  k[ 2]]  T3[p[ 7]  k[ 7]]; Col[3]  T0[p[12]  k[12]]  T1[p[ 1]  k[ 1]]  T2[p[ 6]  k[ 6]]  T3[p[11]  k[11]];...

AES symmetric cipher: “Algebraic” implementation Source: 6

AES symmetric cipher: “Algebraic” implementation in code 7

Theory of power analysis  Power consumption is variable  Power consumption depends on instruction  Power consumption depends on data 8

q Power consumption V dd GND a q A P1 C1 C2 N1  The power consumption of a CMOS gate depends on the data: q: 0->0 almost no power consumption q: 1->1 almost no power consumption q: 0->1 high power consumption (proportional to C2) q: 1->0 high power consumption (proportional to C1) Data-dependent power consumption: gate capacitance

Data-dependent power consumption: wire capacitance Source: DPA Book 10 Capacitance of last cells in this inverter, outgoing wire, and first cells in next gate

Power Depends on Instruction, Locally Source: DPA Book 11

Power Depends on Instruction, Locally Source: DPA Book 12

Power Depends on Instruction, Globally 13 Example: AES [Joye Olivier 2011]

Power Depends on Data Source: DPA Book 14

Power Analysis  Simple Power Analysis  Differential Power Analysis  Warm-up Correlation Power Analysis  Full Correlation Power Analysis 15

Power Analysis Attack Scenario  Plaintexts and ciphertexts may be chosen, known or unknown Power PlaintextsCiphertexts Crypto Device Key 16

Theory of power analysis  Power consumption is variable  Power consumption depends on instruction  Power consumption depends on data 17

Simple Power Analysis (SPA)  Pros:  Single trace (or average of a few) may suffice  Cons:  Detailed reverse engineering  Long manual part  Hard to handle bad signal-to-noise ratio, especially for small events, (e.g., AES) 18 Example: square-and-multiply RSA exponentiation.

Differential Power Analysis (DPA)  Use statistical properties of traces to recover key  Pros:  Very limited reverse engineering  Harder to confuse  Cons:  Large amount of traces  Two main types of DPA:  Difference of means (traditional DPA)  Correlation power analysis (CPA) 19

Mean, variance, correlation ⇐ Low Variance High ⇒ Variance ⇐ Low Correlation High ⇒ Correlation 20

CPA Basics  We want to discover the correct key value (c k ) and when it is used (c t )  Idea:  On the correct time, the power consumption of all traces is correlated with the correct key  On other times and other keys the traces should show low correlation 21

Warm-up CPA  22

Warm-up CPA in Numbers  1000 traces, each consisting of 1 million points  Each trace uses a different known plaintext – 1000 plaintexts  1 known key  Hypothesis is vector of 1000 hypothetical power values  Output of warm-up CPA: vector of 1 million correlation values with peak at c t 23

Warm-up CPA in Pictures 24

Full CPA  Plaintext is known, but correct key and correct time unknown  Idea: run warm-up CPA many times in parallel  Create many competing hypotheses 25

Full CPA in Numbers  1000 traces, each consisting of 1 million points  Each trace uses a different known plaintext – 1000 plaintexts  Key is unknown – 256 guesses for first byte  Hypothesis is matrix of 1000X256 hypothetical power values  Output of full CPA: matrix of 1,000,000X256 correlation values with peak at (c k,c t ) 26

Full CPA in Pictures 27

Full attack  Acquire traces  For every key fragment and corresponding hypothesis function:  Compute matrix of hypotheses  Compute correlation (score) matrix  Find maximum in correlation matrix and deduce value of key fragment 28

Discussion: effects and tradeoffs of parameters  Number of traces  Trace length  Number of hypotheses (i.e., number of relevant key bits affecting the hidden state being modeled) 29

Assumptions/complications/mitigation ASSUMPTIONS/BOTTLENECKS  Alignment (shifts, fragmentation)  Handling algorithmically (e.g., cross correlation, string alignment)  Physical synchronization via triggering  Data size: #traces, trace length  Assuming fixed over all traces:  Key  Computation progress and flow  Measurement quality  Physical access, noise, transmission  Equipment cost  Expertise MITIGATIONS  Timing  Unstable clock  Randomize control/instruction flow  Insert random/key/plaintext- dependent delays  Change protocol to roll keys often  Add power noise mm Example: probing an “decoupling capacitor” (SMD 0402) close to the microcontroller chip. [O’Flynn 2013]

Further Reading

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.