Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Mechanical Cryptographer (Tolerant Algebraic Side-Channel Attacks using pseudo-Boolean Solvers) 1.

Published byGrady Brunson Modified over 9 years ago

Similar presentations

Presentation on theme: "The Mechanical Cryptographer (Tolerant Algebraic Side-Channel Attacks using pseudo-Boolean Solvers) 1."— Presentation transcript:

1 The Mechanical Cryptographer (Tolerant Algebraic Side-Channel Attacks using pseudo-Boolean Solvers) 1

2 Why is this so hard? 2 AES Plaintext Ciphertext Key

3 So why are block ciphers secure? The ciphertext is a function of the plaintext and the key The plaintext is a function of the ciphertext and the key The key is a function of the plaintext and the ciphertext Where’s the catch? 3 AES P C K

4 So why are block ciphers secure? The ciphertext is an efficiently representable function of the plaintext and the key The key cannot be efficiently represented as a function of the plaintext and the ciphertext Inefficiently representable functions take either a huge space or a long time to evaluate 4

5 5 Solver Set of m logical statements over n variables x 1, …,x n Satisfying assignment (or proof of unsatisfiability)

6 Cryptanalysis with Solvers Idea: Use solvers to perform cryptanalysis [MM ‘00]: – Given a description of a crypto algorithm and a set of plaintext and ciphertext pairs, find the cryptographic key Result: Modern crypto is strong enough to resist solvers 6 Massacci and Marraro, Journal of Automated Reasoning 2000

7 From Cryptanalysis to Power Analysis Cryptanalysis: Given a description of a cryptographic algorithm and a set of plaintext and ciphertext pairs, find the cryptographic key 7 AES Plaintext Ciphertext Key

8 8 AES Plaintext Ciphertext Key Power Trace AES Device

9 From Cryptanalysis to Power Analysis Power Analysis: Given a description of a crypto device, plaintexts, ciphertexts and a set of power traces, find the cryptographic key 9 AES Plaintext Ciphertext Key Power Trace AES Device

10 Theory of power analysis Power consumption is variable Different instructions ⇒ different power consumption Different data ⇒ different power consumption Analysing power consumption ⇒ learn about instructions and data 10 Reverse Engineering Key Recovery

11 Power Consumption is Variable? Photo credit: Sergey Peterman, http://sergeypeterman.com/en/portfolio/objects.html

12 Side-Channel Analysis with Solvers Idea: Use solvers to perform side-channel analysis [PRR+ ’07 & RSV-C‘09] Result: key can be recovered from side channel data if there are no errors in the side-channel trace but… 12 Potlapally, Raghunathan, Ravi, Jha, Lee IEEE Trans. VLSI 2007 Renauld, Standaert, Veyrat-Charvillon CHES 2009

13 The Harsh Reality of Power Analysis Measurement Noise V dd GND a A P1 C1 C2 N1 Switching Noise Electronic Noise Output Power Trace

14 The Information-Robustness Tradeoff 14

15 Measurement Space 15 Precise measurement Actual measurement

16 The Harsh Reality of Power Analysis The side channel traces have errors Equation set with errors causes unsatisfiability Compensating for errors causes intractability 16

17 From solvers to optimizers Basic idea: Some mistakes are more expensive than others In our context: Given a description of a crypto device, plaintexts, ciphertexts and a set of power traces, find the cryptographic key that minimizes the estimated error Solver Set of m logical statements over n variables x 1, …,x n Satisfying assignment Optimizer Goal function Optimal

18 Measurement Space 18 Point is #680 most probable out of 65,536

19 Pseudo-Boolean Optimizers Linear PBOPT: (all coefficients are signed integers) Non-linear PBOPT allows NL constraints 19

20 Sample OPB Instance 20 min: x1 +3 x2 + x3 ; x1 +2 x2 + x3 >= 2 ; min: x1 +3 x2 + x3 ; x1 +2 x2 + x3 >= 2 ;

21 PBOPT is Great for Side-Channels The variables (=flipflops) are pseudo-Boolean The constraints(=measurements) are integers NL notation rich enough to represent arbitrary functions (such as XORs) 21 NOR: -out + ~x 1 ~x 2 = 0 XOR: -out + x 1 + x 2 -2 x 1 x 2 = 0 Keeloq NLF: -~out +x 1 x 5 -x 5 -x 1 x 3 -x 2 x 3 -x 4 +x 2 x 5 +x 3 x 4 +x 4 x 5 +x 1 x 2 x 3 +x 1 x 2 x 4 -2x 1 x 2 x 5 +x 1 x 3 x 5 -x 1 x 4 x 5 = -1 NOR: -out + ~x 1 ~x 2 = 0 XOR: -out + x 1 + x 2 -2 x 1 x 2 = 0 Keeloq NLF: -~out +x 1 x 5 -x 5 -x 1 x 3 -x 2 x 3 -x 4 +x 2 x 5 +x 3 x 4 +x 4 x 5 +x 1 x 2 x 3 +x 1 x 2 x 4 -2x 1 x 2 x 5 +x 1 x 3 x 5 -x 1 x 4 x 5 = -1

22 PBOPT has a good goal function Max product of aposteriori probabilities becomes min sum of log probabilities: 22 min: +6 x_is_00 +10 x_is_01 +24 x_is_02 +24 x_is_03; +1 ˜ x_is_00 +1 ˜ x0 ˜ x1 ˜ x2 ˜ x3 ˜ x4 ˜ x5 ˜ x6 ˜ x7 = 1; +1 ˜ x_is_01 +1 x0 ˜ x1 ˜ x2 ˜ x3 ˜ x4 ˜ x5 ˜ x6 ˜ x7 = 1; +1 ˜ x_is_02 +1 ˜ x0 x1 ˜ x2 ˜ x3 ˜ x4 ˜ x5 ˜ x6 ˜ x7 = 1; +1 ˜ x_is_03 +1 x0 x1 ˜ x2 ˜ x3 ˜ x4 ˜ x5 ˜ x6 ˜ x7 = 1; +1 x_is_00 +1 x_is_01 +1 x_is_02 +1 x_is_03 = 1; min: +6 x_is_00 +10 x_is_01 +24 x_is_02 +24 x_is_03; +1 ˜ x_is_00 +1 ˜ x0 ˜ x1 ˜ x2 ˜ x3 ˜ x4 ˜ x5 ˜ x6 ˜ x7 = 1; +1 ˜ x_is_01 +1 x0 ˜ x1 ˜ x2 ˜ x3 ˜ x4 ˜ x5 ˜ x6 ˜ x7 = 1; +1 ˜ x_is_02 +1 ˜ x0 x1 ˜ x2 ˜ x3 ˜ x4 ˜ x5 ˜ x6 ˜ x7 = 1; +1 ˜ x_is_03 +1 x0 x1 ˜ x2 ˜ x3 ˜ x4 ˜ x5 ˜ x6 ˜ x7 = 1; +1 x_is_00 +1 x_is_01 +1 x_is_02 +1 x_is_03 = 1;

23 The TASCA Workflow 23 DUT Secret Key Optimizer Aposteriori Probs. Traces Decoder Power Model Reverse Eng.

24 An Attack on AES Solver: SCIP Cryptosystem: AES-128 on 8-bit platform Number of measurements: 100 Noise SNR: approx. 10dB Median solving time: 342 seconds Key recovery success rate: 100% 24

25 Conclusions Using optimizers, crypto devices can be attacked with very low data complexity Any leak can be used, as long as a “soft decoder” exists for it This calls into question the security of previously “safe” devices 25

26 Future Work Investigate different decoders Investigate different leakage models Establish limits for data/computation tradeoffs for successful key extraction 26

27 Thank you! http://iss.oy.ne.ro/Template-TASCA 27

Download ppt "The Mechanical Cryptographer (Tolerant Algebraic Side-Channel Attacks using pseudo-Boolean Solvers) 1."

Similar presentations

CLASSICAL ENCRYPTION TECHNIQUES

CLASSICAL ENCRYPTION TECHNIQUES
1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between.

1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between.
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Evaluation and Validation

Evaluation and Validation
Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.

Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.
Symmetric Encryption Prof. Ravi Sandhu.

Symmetric Encryption Prof. Ravi Sandhu.
Numeric Integration Methods Jim Van Verth Red Storm Entertainment

Numeric Integration Methods Jim Van Verth Red Storm Entertainment
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
Chapter 1 Image Slides Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Chapter 1 Image Slides Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Analysis of Algorithms

Analysis of Algorithms
Iterative Equalization and Decoding

Iterative Equalization and Decoding
February 21, 2002 Simplex Method Continued

February 21, 2002 Simplex Method Continued
1 15.053 Thursday, March 7 Duality 2 – The dual problem, in general – illustrating duality with 2-person 0-sum game theory Handouts: Lecture Notes.

Thursday, March 7 Duality 2 – The dual problem, in general – illustrating duality with 2-person 0-sum game theory Handouts: Lecture Notes.
1 15.053 Tuesday, March 5 Duality – The art of obtaining bounds – weak and strong duality Handouts: Lecture Notes.

Tuesday, March 5 Duality – The art of obtaining bounds – weak and strong duality Handouts: Lecture Notes.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
My Alphabet Book abcdefghijklm nopqrstuvwxyz.

My Alphabet Book abcdefghijklm nopqrstuvwxyz.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.

FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
Cryptography encryption authentication digital signatures

Cryptography encryption authentication digital signatures

Similar presentations

Ads by Google