Statistical Tools Flavor Side-Channel Collision Attacks


Statistical Tools Flavor Side-Channel Collision Attacks
17 April 2012
Amir Moradi, Embedded Security Group, Ruhr University Bochum, Germany

Outline
Side-Channel Attacks (SCA)
Collision SCA
Challenges: problems and our solution
What is new in this paper
Some experimental results
EUROCRYPT 2012 | Cambridge | 17 April 2012 | Amir Moradi

What is the story?
SCA (implementation attacks): recovering the key of crypto devices
How? Build a hypothetical model of the power consumption and compare the model with the side-channel leakage (power)
[Figure: an Sbox fed with p ⊕ k; for every key hypothesis k = 00, 01, …, ff the modelled Sbox outputs for the plaintexts 12, 3d, 78, …, f9, ab are correlated with the measured power values, and one hypothesis stands out with the highest correlation]

Side-Channel Collision
When the circuit uses a module (Sbox) more than once (e.g., in a round), two invocations with the same Sbox input show the same leakage
Once a collision is found, the colliding inputs relate the two key bytes (known as the linear collision attack)
False-positive collision detections: a couple of heuristic and systematic ways to handle them
[Figure: one Sbox used twice, with inputs p1 ⊕ k1 and p2 ⊕ k2; the power traces of the two invocations for plaintexts p1 = 12, 3d, 78, …, f9, ab and p2 = 45, 9a, cf, …, 04, 17, e2 are compared to detect a collision]

Our Solution at CHES 2010 (Correlation-Enhanced)
[Figure: for each of the two Sbox instances (inputs p1 ⊕ k1 and p2 ⊕ k2) the measured power values are averaged per input byte value, giving one average vector per instance indexed by p = 00, 01, 02, …, fd, fe, ff; the average vector of the second instance is permuted for each candidate key difference and correlated with that of the first; the resulting correlations per candidate (e.g. 0.230, 0.408, …, 0.839, 0.312) are highest for the correct key difference]

Problems
Having a countermeasure (secret sharing) with computations on all shares at the same time (Threshold Implementation):
a univariate leakage
a MIA might be applicable
a CE collision might NOT (averaging...)
How about higher-order statistical moments? Variance, skewness, kurtosis

Solution (applying higher-order moments)
[Figure: the same construction as the correlation-enhanced attack, but for each input byte value p = 00, 01, 02, …, fd, fe, ff the variance σ² of the power values (e.g. 1.70, 2.05, 0.70, …, 3.12, 1.96, 1.79) replaces the average; the variance vectors of the two Sbox instances are correlated for every candidate key difference (correlations e.g. 0.305, 0.412, …, 0.780, 0.309)]

Solution (applying higher-order moments)
[Figure: the same procedure with the skewness γ of the power values per input byte value in place of the variance]

General Form (no specific moment)
[Figure: for each input byte value p = 00, 01, 02, …, fd, fe, ff the probability density function (pdf) of the power values is estimated for each Sbox instance; the pdfs of the two instances are compared for every candidate key difference with the Jeffreys divergence (values e.g. 0.104, 0.094, …, 0.006, 0.143), the lowest divergence indicating the key difference]
Jeffreys divergence between two pdfs p and q: $J(p, q) = \sum_x \left(p(x) - q(x)\right) \log \frac{p(x)}{q(x)}$
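The correlation-enhanced collision attack and its variance- and pdf-based variants from the preceding slides, as an added constructed simulation that is not code from the paper or the talk: two PRESENT Sbox instances leak Hamming weight plus noise, optionally as a first-order secret-shared output whose mean carries no information, and the key difference k1 ⊕ k2 is recovered from per-input averages, variances, or histograms compared by Jeffreys divergence. The Sbox, keys, noise level and leakage model are assumptions; the point for an evaluator is to see which statistic still separates the key difference once averaging no longer does.

```python
import numpy as np

# PRESENT 4-bit Sbox, the cipher behind the slides' threshold-implementation results.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
HW = [bin(x).count("1") for x in range(16)]
STATS = {"mean": np.mean, "var": np.var}

def simulate(rng, n, key, masked, noise=0.5):
    """Constructed toy leakage of one Sbox instance: Hamming weight + Gaussian noise.
    masked=True models a first-order secret-shared output (y ^ m, m) with a fresh random
    mask m: HW(y ^ m) + HW(m) has mean 4 for every y but variance 4 - HW(y)."""
    p = rng.integers(0, 16, n)
    y = np.array([SBOX[v ^ key] for v in p])
    if masked:
        m = rng.integers(0, 16, n)
        leak = np.array([HW[a ^ b] + HW[b] for a, b in zip(y, m)], dtype=float)
    else:
        leak = np.array([HW[v] for v in y], dtype=float)
    return p, leak + rng.normal(0.0, noise, n)

def jeffreys(h1, h2, eps=1e-9):
    """Symmetric Kullback-Leibler (Jeffreys) divergence between two histograms."""
    a, b = h1 + eps, h2 + eps
    return float(np.sum((a - b) * np.log(a / b)))

def collision_attack(p1, l1, p2, l2, moment):
    """S(p1 ^ k1) == S(p2 ^ k2) whenever p2 == p1 ^ (k1 ^ k2), so the per-input profile of
    instance 2 is a permuted copy of that of instance 1. Correlate mean/variance profiles
    (highest wins) or compare histograms by Jeffreys divergence (lowest wins); return delta."""
    if moment == "pdf":
        bins = np.linspace(min(l1.min(), l2.min()), max(l1.max(), l2.max()), 33)
        hist = lambda l, p, v: np.histogram(l[p == v], bins, density=True)[0]
        score = [sum(jeffreys(hist(l1, p1, x), hist(l2, p2, x ^ d)) for x in range(16))
                 for d in range(16)]
        return int(np.argmin(score))
    a = np.array([STATS[moment](l1[p1 == v]) for v in range(16)])
    b = np.array([STATS[moment](l2[p2 == v]) for v in range(16)])
    score = [np.corrcoef(a, b[np.arange(16) ^ d])[0, 1] for d in range(16)]
    return int(np.argmax(score))

def run(masked, moment, k1=0x3, k2=0xA, n=20000, seed=1):
    rng = np.random.default_rng(seed)  # assumed keys k1, k2; the attack should return k1 ^ k2
    p1, l1 = simulate(rng, n, k1, masked)
    p2, l2 = simulate(rng, n, k2, masked)
    return collision_attack(p1, l1, p2, l2, moment)

if __name__ == "__main__":
    for masked, moment in [(False, "mean"), (True, "mean"), (True, "var"), (True, "pdf")]:
        print(f"masked={masked!s:5} {moment:4} -> delta={run(masked, moment):#x} (true 0x9)")
```

On the masked instance the mean-based run has no usable peak and returns an arbitrary candidate, while the variance- and pdf-based runs recover 0x9.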

Practical Issues
Higher statistical moments: lower estimation accuracy, so more traces (measurements) are required
Estimating the pdf by e.g. a histogram reduces the accuracy as well; more traces (measurements) are required
Jeffreys divergence: based on the Kullback-Leibler divergence, but symmetric
Experimental Platforms
Virtex II-pro FPGA (SASEBO)
Atmel µC (smartcard)

Experimental Results (PRESENT TI): threshold implementation from J. Cryptology 24(2) [result plots not in transcript]

Experimental Results (PRESENT TI) [four result panels: Average, Variance, Skewness, pdf]

Experimental Results (AES TI): threshold implementation from EUROCRYPT 2011 [result plots not in transcript]

Experimental Results (AES TI) [four result panels: Average, Variance, Skewness, pdf]

Experimental Results (masked software)
Time to move toward the multivariate case:
joint pdfs can be estimated
joint statistical moments can also be estimated
the same as doing a preprocessing step (by multiplication) prior to a univariate attack

Thanks! Any questions?
amir.moradi@rub.de
Embedded Security Group, Ruhr University Bochum, Germany

Measurement Speed? (Threshold)
The speed of the measurement depends on the length of each trace; in this case, 2000 points, 100M traces in 11 hours!
The PC sends a small number of bytes (~20) over UART; the Control FPGA communicates with the Target FPGA, sending/receiving ~10K plaintexts/ciphertexts while the oscilloscope measures

Experimental Results (masked software) [result plots not in transcript]