TSRC and Side Channel Security Requirement
Shinichi Kawamura
September 2005, JSA/INSTAC/Tamper-resistance Standardization Research Committee

Presentation transcript:

Slide 1: TSRC and Side Channel Security Requirement
September 2005, JSA/INSTAC/Tamper-resistance Standardization Research Committee
Shinichi Kawamura, Tamper-resistance Standardization Research Committee (TSRC), Toshiba Corporation
Japanese Standards Association (JSA), Information Technology Research and Standardization Center (INSTAC)

Slide 2: Members of TSRC WG1
- Tsutomu Matsumoto (Chair, Yokohama National University)
- Shinichi Kawamura (Secretary, Toshiba Corp.)
- Koichi Fujisaki (Toshiba Corp.)
- Naoya Torii (Fujitsu Laboratories Ltd.)
- Shuichi Ishida (Hitachi, Ltd.)
- Yukiyasu Tsunoo (NEC Corp.)
- Minoru Saeki (Mitsubishi Electric Corp.)
- Atsuhiro Yamagishi (IPA)

Slide 3: Overview
1. Introduction
   – Relationship among the Committees
   – The Goal and Plan
2. Systematic Study of Tamper-resistance
   – Difficulties of Systematic Study
   – Side Channel Attacks
   – Attack vs. Target Matrix
3. Development of Specification of Platforms to Evaluate Security of Embedded Software and FPGA Configuration Data Against Side Channel Attacks
   – INSTAC-8 (8-bit CPU)
   – INSTAC-32 (32-bit CPU and FPGA)
4. Study of Methods to Describe Security Requirements of Cryptographic Module with Respect to Side Channel Attacks
   – Attack vs. Countermeasure
   – Requirement focusing on attacks
   – Requirement focusing on countermeasures
   – Requirement focusing on metrics

Slide 4: Part 1. Introduction
- Relationship among the Committees
- The Goal and Plan

Slide 5: Organizational Structure 1
Diagram labels:
- Ministry of Economy, Trade and Industry
- Bureau of Industrial Technology Environment
- Standardization Section
- Japanese Standardization Association
- Information Technology Research and Standardization Center (INSTAC)
- Tamper-resistance Standardization Research Committee (TSRC)
- Research Team
- WG1 (Technical Committee)

Slide 6: Purpose of Establishment
Establishing the foundations of secure implementation of information technologies from the point of view of standardization, by carrying out the following study and research items:
1. Systematic study of various tampering techniques
2. Developing a method to describe requirements for tamper-resistance
3. Contributing to international standardization with respect to tamper-resistance

Slide 7: Plan
FY2003:
   – Established in September 2003
   – Decide direction and start building platforms for experiments
FY2004:
   – Study tamper-resistance deeply, based on theoretical and experimental analysis
   – Discuss how to describe requirements for tamper-resistance
FY2005:
   – Make a proposal on tamper-resistance

Slide 8: TSRC Vision
Diagram labels: Attacks; Countermeasure; Module; Methodology & Metrics; Vendor; Attacker; Tester; User; Security; Reliability; Academia & Industry; Standard platform; Research literature; State of the art; Part 2; Part 3; Part 4.

Slide 9: Part 2. Systematic Study of Tamper-resistance
- Difficulties of Systematic Study
- Side Channel Attacks
- Attack vs. Target Matrix

Slide 10: Difficulties in Studying Tamper-resistance
- Not all attack methods and countermeasures can be discussed openly
- Development of tamper-resistant techniques requires a physical target module
- Only a few papers have discussed evaluation methods for tamper-resistance
- Systematic study is a challenge to overcome these difficulties
- TSRC has been focusing on Side Channel Attacks due to their urgency, timeliness, and limitation of resources

Slide 11: Examples of Tampering Techniques
Categories shown: Invasive Analysis; Non-invasive Analysis; Side Channel Attacks.
- Probing: a technique to probe signals after exposing the surface of chips and removing the protective coating
- Fault-based Analysis: a technique to derive internal confidential information using the difference between normal output and faulty output caused artificially
- Timing Analysis: a technique to estimate confidential information by analyzing processing time
- Power Analysis: a technique to estimate confidential information by observing power consumption

Slide 12: Survey of Literatures: Attack vs. Target 1
Matrix of attack categories (rows) against target ciphers (columns); the cells hold literature reference numbers.
Column groups: Symmetric Ciphers; Asymmetric Ciphers; Digital Signature; Elliptic Curve
Columns: DES; Triple-DES; AES; RSA; Diffie-Hellman; DSS; Elliptic Curve Cryptosystem; EC-DSA
Standards row: FIPS46-3; FIPS81; FIPS197; FIPS
Rows (category of attacks), with the reference numbers as they appear in the row:
- Invasive Attack, Invasive Analysis: 2 2
- Fault Attack, Fault Analysis: 7, , 6, 8, 40, 49
- Timing Attack: 16, 18, 37, 39, 44, 48, 91, 92, , 88
- Cache Attack: 77, 81,
- Power Analysis, Simple Power Analysis: 21, 22, , 44, 47, 48, , 53, 60, 102, 205
- Power Analysis, Differential Power Analysis: 21, 22, 23, 27 25, 26, 30, 33, , 37, 45, 95 50, 51, 53, 56, 63,
- correlation power analysis: 201
- Hybrids
- Multi-channel Attack: 101
- collision attack: 203
- Template Attacks: 14

Slide 13: Survey of Literatures: Attack vs. Target 2
- The matrix has blank cells, which should be examined to see whether attacks in other cells could be applied to them
- Besides completing the matrix, the essence of each attack should be extracted and categorized
- The ultimate goal of this work would be to make a comprehensive map or dictionary of side channel attacks

Slide 14: Part 3. Development of Specification of Platforms to Evaluate Security of Embedded Software and FPGA Configuration Data Against Side Channel Attacks
- INSTAC-8 (8-bit CPU)
- INSTAC-32 (32-bit CPU and FPGA)

Slide 15: Needs for Standard Evaluation Platform
- Development of tamper-resistant techniques requires a physical target module.
- Although many papers have reported experimental results, the specification of the target module is not necessarily clear.
- It is quite rare for a vendor to publish attack results against their own cryptographic module. It is also rare for a researcher to report attack results against the cryptographic module of a particular vendor, because such reports would not be constructive.
- The lack of a standard platform seems to hinder the development of tamper-resistance technology.
- It will change the situation if there is a standard platform whose specification is publicly available and non-proprietary.

Slide 16: Standard Evaluation Platform
- INSTAC-8 is a specification with an 8-bit CPU. Its target is a low-end embedded system.
- We are also developing another specification, INSTAC-32, for a 32-bit CPU and FPGA. Its target is a middle to high-end system as well as semi-hardware implementation.
- It is not the purpose of INSTAC-8 and -32 to emulate a particular cryptographic module. Rather, the goal is to provide a platform where anyone can compare the data of side channel attacks. Therefore, we made the specification as simple as possible.

Slide 17: The specification outline of INSTAC-8
CPU: Zilog Z80 (CMOS technology) 8MHz
Memory: 256KB SRAM/32KB EEPROM
Peripheral IC: 16Bit Programmable Counter
Communicate Port: RS232C
Clock: Built-in Crystal Oscillator
Supply Voltage: +5.0V
Board Size: 18cm * 15cm / 2 layer
Number of layers: 2
Board Material: FR-4 (Glass board material epoxy resin)

Slide 18: An INSTAC-8 Compliant Evaluation Platform

Slide 19: Environment of Experiment

Slide 20: Voltage Waveform at DES Operation
Figure: voltage against time, DES Round 15 and Round 16.
In order to investigate whether a repetition of the F function can be checked from a voltage waveform using the INSTAC-8, we acquired a voltage waveform at the time of DES execution. There are repetitions of DES round 15 and round 16 in the voltage waveform.

Slide 21: Result of DPA for DES (without countermeasure)
Figure: correlation against time. Correlation of reference data and power consumption (3000 samples).
- Figure callout: this reference data has the largest correlation value.
- The difference in color expresses the difference in reference data.
- All reference data (64 patterns) are in this graph.
- Attack point is L15 bit0.

Slide 22: INSTAC-32 (Specification)
CPU: Freescale MPC852T 100MHz (PowerPC)
Memory: 8MB SDRAM; 512KB Flash Memory; 8MB Flash Memory*2
FPGA: Xilinx Virtex II XC2V1000-5FG456C (for Cryptographic Function); Xilinx Spartan II 100 (for I/O Controller)
Communication Port: 10/100Base-TX Ethernet; RS232C
Clock: Built-in Crystal Oscillator
Supply Voltage: +3.3V
Board Size: 30 cm * 20 cm
Number of layers: 6
Board Material: FR-4

Slide 23: INSTAC-32 (Appearance)

Slide 24: Some Results Reported
- K. Fujisaki, et al. ISEC2004-No.55, 2004
   – Proposal of INSTAC-8 and self-evaluation
- H. Miyake, et al. SCIS2005, January 2005
   – DPA evaluation on INSTAC-8
- Y. Takahashi, et al. ISEC2004-No.114, March 2005
   – EM analysis on INSTAC-8
- K. Fujisaki, et al. ISEC2005-No.19, July 2005
   – Proposal of INSTAC-32 and self-evaluation
- Y. Tsunoo, et al. This conference, Sept
   – Analysis report on INSTAC-8
Notes) ISEC: IEICE Tech. Rep. on Information Security (Bi-monthly); SCIS: Symp. on Cryptography and Information Security (Annual)

Slide 25: Lessons Learned from INSTAC-8 and -32
- The present specification is not detailed enough to make boards supplied by different manufacturers have the same properties
- Standardization of measurement conditions is necessary
- A stable supply route should be established
- A more user-friendly interface and manuals should be provided
- Feedback from users should be reflected in the latest version

Slide 26: Part 4. Study of Methods to Describe Security Requirements of Cryptographic Module with Respect to Side Channel Attacks
- Attack vs. Countermeasure
- Requirement focusing on attacks
- Requirement focusing on countermeasures
- Requirement focusing on metrics

Slide 27: Attack vs. Countermeasure
Diagram labels: Cryptographic Module; Core of Cryptographic Module; Countermeasures; Attack.

Slide 28: Approach Focusing on Attacks
Diagram labels: Cryptographic Module; Core of Cryptographic Module; Timing Attack; SPA; DPA; EMA; Fault-based Attack; Other attacks.
- Concrete attacks are the focus: a natural approach
- An appropriate list of attacks is necessary
- Adapting to emerging attacks is an issue, since more attacks seem still to come
Example: “Cryptographic module is required to be resistant to Timing Attack”

Slide 29: Approach Focusing on Countermeasures
Diagram labels: Cryptographic Module; Core of Cryptographic Module; Data Masking; Randomized Timing; Other Measures; Timing Attack; SPA; DPA; EMA; Fault-based Attack; Other attacks.
- The countermeasure to prevent attacks is specified
- An appropriate list of countermeasures is necessary
- Adapting to emerging attacks is an issue, since more attacks seem still to come
- Vendors would not like to explicitly describe countermeasures, because they are sometimes vendor know-how
Example: “Cryptographic module is required to implement Data Masking” or “Documentation shall specify countermeasures employed”

Slide 30: Approach Focusing on Metrics
Diagram labels: Cryptographic Module; Core of Cryptographic Module; Countermeasures; Test Method 1; Test Method 2; Other Test Methods; Metric 1; Metric 2; Metric x.
- Ideal approach, if appropriate metrics and test methods are defined
- Searching for appropriate metrics is a big issue: intensive research is required
- Good metrics may cover some emerging attacks
Example: “Cryptographic module is required to have metric A within a given range B with a given test method C”
Presently, A, B, and C are not established.

Slide 31: Attack based Approach as Metric based Approach
Diagram labels: Cryptographic Module; Timing Attack; SPA; DPA; EMA; Fault-based Attack; Other attacks; Data Masking; Randomized Timing; Other Measures; Metric I; Metric II.
The first candidate for the metrics is whether the attack is successful or not.

Slide 32: Relationship among three approaches
- Attack based and countermeasure based approaches are conventional. But even in these cases, it would be very convenient if objective metrics were provided, because such metrics would be evidence for the evaluation.
- Thus, the metric based approach is not exclusive of the other approaches, but rather complementary to them.
- The problem is that no metrics have been specified so far.
- It is our expectation that such metrics will be found if we limit the attack categories to side channel attacks.

Slide 33: Candidate for Metrics Development Steps
1. Investigate the attack methods
2. Determine the physical quantity to measure
3. Determine the conditions for measurement
4. Determine how to process the measured quantity
   – Screening, alignment, and filtering to reduce noise
   – Main procedure to derive the metric for evaluation
     Auto- or cross-correlation and differences between different conditions are candidates
     Selection or integration of metrics should be considered
5. Scoring
   – A judgment standard for mapping the metrics to some score is necessary
   – A function to integrate plural scores into a total score is necessary
6. Optimization of total testing cost
   – Sampling tests should be employed
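
An added example, not part of the original slides: steps 2 to 5 applied to simulated power traces, in the “metric A within range B with test method C” form from slide 30, comparing an unprotected device with one using data masking. The trace model, the choice of maximum absolute correlation as the metric, the z/sqrt(n) threshold, and all function names are assumptions made for illustration.

```python
import math
import random

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)

def simulate_traces(n, masked, rng, samples=40, leak_at=17):
    """Constructed, already-aligned power traces (step 2: quantity = power).

    Each trace is Gaussian noise; at sample `leak_at` the device adds power
    proportional to the value it actually handles: the intermediate bit
    itself, or (with data masking) the bit XOR a fresh random mask.
    """
    bits, traces = [], []
    for _ in range(n):
        bit = rng.getrandbits(1)
        handled = bit ^ rng.getrandbits(1) if masked else bit
        trace = [rng.gauss(0.0, 1.0) for _ in range(samples)]
        trace[leak_at] += float(handled)
        bits.append(bit)
        traces.append(trace)
    return bits, traces

def leakage_metric(bits, traces):
    """Metric A (step 4): max over time of |corr(intermediate bit, power)|."""
    return max(abs(pearson(bits, [t[i] for t in traces]))
               for i in range(len(traces[0])))

def score(metric, n, z=5.0):
    """Range B (step 5): pass if the metric stays below z / sqrt(n), i.e.
    within z standard deviations of what pure noise gives for n traces."""
    return "pass" if metric < z / math.sqrt(n) else "fail"

def evaluate(masked, n=3000, seed=2005):
    """Test method C (step 3): n traces, fixed seed for repeatability."""
    rng = random.Random(seed)
    bits, traces = simulate_traces(n, masked, rng)
    metric = leakage_metric(bits, traces)
    return metric, score(metric, n)

if __name__ == "__main__":
    for masked in (False, True):
        metric, verdict = evaluate(masked)
        label = "data masking" if masked else "no countermeasure"
        print(f"{label:18s} metric={metric:.3f} verdict={verdict}")
```

A pass here covers only first-order leakage of the one intermediate bit tested under this trace model; it says nothing about other intermediates or other attack categories.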

Slide 34: Summary
- TSRC has been focusing on Side Channel Attacks by
   – Studying literatures and categorizing them
   – Developing standard platform of evaluation
   – Proposing metrics based approach and possible steps for metrics development
- Comments and suggestions for TSRC’s approach are welcome

Slide 35: Thank you for your attention!