Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Guest Lecturer: Yossi Oren 1.

Presentation transcript:

Information Security – Theory vs. Reality , Winter 2011 Guest Lecturer: Yossi Oren 1


- AES
- Circuit Design
- Statistics
- Introduction to Power Analysis

[Diagram labels: Plaintext, Key, AES, Ciphertext]


[Figure labels: Low Variance ⇐ ⇒ High Variance; Low Correlation ⇐ ⇒ High Correlation]

[Diagram labels: Crypto Device, Key, Plaintext, Ciphertext, Bad Inputs, Errors, Power, Vibration, Timing, Sound, Heat, EM Radiation]

- Power consumption is variable
- Power consumption depends on instruction
- Power consumption depends on data

[Circuit diagram labels: Vdd, GND, a, q, A, P1, N1, C1, C2, power consumption]

- The power consumption of a CMOS gate depends on the data:
  - q: 0->0 virtually no power consumption
  - q: 1->1 virtually no power consumption
  - q: 0->1 high power consumption (proportional to C2)
  - q: 1->0 high power consumption (proportional to C1)

[Figures on slides 12 to 14. Source: DPA Book]

- AES
- Circuit Design
- Statistics


- Simple Power Analysis
- Warm-up Correlation Power Analysis
- Full Correlation Power Analysis

- Plaintexts and ciphertexts may be chosen, known or unknown

[Diagram labels: Crypto Device, Key, Plaintexts, Ciphertexts, Power]

- Power consumption is variable
- Power consumption depends on instruction
- Power consumption depends on data

- Pros:
  - Small number of traces
- Cons:
  - Detailed reverse engineering
  - Long manual part

- Use statistical properties of traces to recover the key
- Pros:
  - Very limited reverse engineering
  - Harder to confuse
- Cons:
  - Large number of traces
- Two main types of DPA:
  - Difference of means (traditional DPA)
  - Correlation power analysis (CPA)

- We want to discover the correct key value (c_k) and when it is used (c_t)
- Idea:
  - At the correct time, the power consumption of all traces is correlated with the correct key
  - At other times and for other keys, the traces should show low correlation

- Assume plaintext and correct key are known but correct time is unknown
- Form a hypothesis and test it
- Good hypothesis:
  - Depends on known plaintext
  - Depends on a small number of key bits
  - Non-linear – sensitive to small changes
  - Maps to power consumption using a model

- 1000 traces, each consisting of 1 million points
- Each trace uses a different known plaintext – 1000 plaintexts
- 1 known key
- Hypothesis is a vector of 1000 hypothetical power values
- Output of warm-up CPA: vector of 1 million correlation values with peak at c_t


- Plaintext is known, but correct key and correct time are unknown
- Idea: run warm-up CPA many times in parallel
- Create many competing hypotheses

- 1000 traces, each consisting of 1 million points
- Each trace uses a different known plaintext – 1000 plaintexts
- Key is unknown – 256 guesses for first byte
- Hypothesis is a matrix of 1000 × 256 hypothetical power values
- Output of full CPA: matrix of 1,000,000 × 256 correlation values with peak at (c_k, c_t)
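The warm-up and full CPA computations from the two slides above, run on simulated traces as an added example (not code from the lecture). It assumes a Hamming-weight power model applied to the AES S-box output of plaintext XOR key byte, scales the trace set down to 150 traces of 20 points, and all function names are hypothetical.

```python
import random

def _gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(x):
    """AES S-box: multiplicative inverse followed by the affine map."""
    inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
    s = inv ^ 0x63
    for sh in range(1, 5):
        s ^= ((inv << sh) | (inv >> (8 - sh))) & 0xFF
    return s

SBOX = [_sbox_entry(x) for x in range(256)]
HW = [bin(v).count("1") for v in range(256)]   # assumed power model

def simulate_traces(key_byte, n_traces, n_points, leak_time, seed=1):
    """Constructed data: unit Gaussian noise plus HW leakage at one sample."""
    rng = random.Random(seed)
    plaintexts = [rng.randrange(256) for _ in range(n_traces)]
    traces = [[rng.gauss(0, 1) for _ in range(n_points)] for _ in plaintexts]
    for p, t in zip(plaintexts, traces):
        t[leak_time] += HW[SBOX[p ^ key_byte]]
    return plaintexts, traces

def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var = sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y)
    return cov / var ** 0.5 if var else 0.0

def warmup_cpa(plaintexts, traces, key_byte):
    """One hypothesis vector correlated with every time sample."""
    hyp = [HW[SBOX[p ^ key_byte]] for p in plaintexts]
    return [pearson(hyp, column) for column in zip(*traces)]

def full_cpa(plaintexts, traces):
    """256 competing hypotheses; returns (c_k, c_t) at the correlation peak."""
    peak = max((abs(r), k, t) for k in range(256)
               for t, r in enumerate(warmup_cpa(plaintexts, traces, k)))
    return peak[1], peak[2]

if __name__ == "__main__":
    pts, trs = simulate_traces(key_byte=0x3C, n_traces=150, n_points=20, leak_time=7)
    print(full_cpa(pts, trs))
```

The same `warmup_cpa` routine doubles as a leakage check during evaluation: with the key known, a clear peak at any time sample shows where the implementation's power draw depends on the processed data.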


- Simple Power Analysis
- Warm-up Correlation Power Analysis
- Full Correlation Power Analysis