Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Guest Lecturer: Yossi Oren 1.

Published byNestor Ginyard Modified over 9 years ago

Similar presentations

Presentation on theme: "Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Guest Lecturer: Yossi Oren 1."— Presentation transcript:

1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Guest Lecturer: Yossi Oren 1

2 http://www.dpabook.org http://www.springerlink.com/content/g01q1k 2

3 3

4  AES  Circuit Design  Statistics  Introduction to Power Analysis 4

5 PlaintextCiphertext Key AES 5

6 Source: http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html 6

7 7

8 ⇐ Low Variance High ⇒ Variance ⇐ Low Correlation High ⇒ Correlation 8

9 Power Vibration Timing Sound Heat EM PlaintextCiphertext Radiation Crypto Device Key Bad InputsErrors 9

10  Power consumption is variable  Power consumption depends on instruction  Power consumption depends on data 10

11 q Power consumption V dd GND a q A P1 C1 C2 N1  The power consumption of a CMOS gate depends on the data: q: 0->0 virtually no power cons. q: 1->1 virtually no power cons. q: 0->1 high power cons. (proportional to C2) q: 1->0 high power cons. (proportional to C1)

12 Source: DPA Book 12

13 Source: DPA Book 13

14 Source: DPA Book 14

15 AES Circuit Design Statistics 15

16 16

17  Simple Power Analysis  Warm-up Correlation Power Analysis  Full Correlation Power Analysis 17

18  Plaintexts and ciphertexts may be chosen, known or unknown Power PlaintextsCiphertexts Crypto Device Key 18

19  Power consumption is variable  Power consumption depends on instruction  Power consumption depends on data 19

20  Pros:  Small amount of traces  Cons:  Detailed reverse engineering  Long manual part 20

21  Use statistical properties of traces to recover key  Pros:  Very limited reverse engineering  Harder to confuse  Cons:  Large amount of traces  Two main types of DPA:  Difference of means (traditional DPA)  Correlation power analysis (CPA) 21

22  We want to discover the correct key value (c k ) and when it is used (c t )  Idea:  On the correct time, the power consumption of all traces is correlated with the correct key  On other times and other keys the traces should show low correlation 22

23  Assume plaintext and correct key are known but correct time is unknown  Form hypothesis and test it  Good hypothesis:  Depends on known plaintext  Depends on small amount of key bits  Non-linear – sensitive to small changes  Maps to power consumption using a model 23

24  1000 traces, each consisting of 1 million points  Each trace uses a different known plaintext – 1000 plaintexts  1 known key  Hypothesis is vector of 1000 hypothetical power values  Output of warm-up CPA: vector of 1 million correlation values with peak at c t 24

25 25

26  Plaintext is known, but correct key and correct time unknown  Idea: run warm-up CPA many times in parallel  Create many competing hypotheses 26

27  1000 traces, each consisting of 1 million points  Each trace uses a different known plaintext – 1000 plaintexts  Key is unknown – 256 guesses for first byte  Hypothesis is matrix of 1000X256 hypothetical power values  Output of full CPA: matrix of 1,000,000X256 correlation values with peak at (c k,c t ) 27

28 28

29 Simple Power Analysis Warm-up Correlation Power Analysis Full Correlation Power Analysis 29

Download ppt "Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Guest Lecturer: Yossi Oren 1."

Similar presentations

SADC Course in Statistics Modelling ideas in general – an appreciation (Session 20)

SADC Course in Statistics Modelling ideas in general – an appreciation (Session 20)
Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
The Mechanical Cryptographer (Tolerant Algebraic Side-Channel Attacks using pseudo-Boolean Solvers) 1.

The Mechanical Cryptographer (Tolerant Algebraic Side-Channel Attacks using pseudo-Boolean Solvers) 1.
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.

Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.
Statistical Tools Flavor Side-Channel Collision Attacks

Statistical Tools Flavor Side-Channel Collision Attacks
1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.

1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Differential Power Analysis of Smartcards How secure is your private information? Author: Ryan Junee Supervisor: Matt Barrie.

Differential Power Analysis of Smartcards How secure is your private information? Author: Ryan Junee Supervisor: Matt Barrie.
Practical Template-Algebraic Side Channel Attacks with Extremely Low Data Complexity 1.

Practical Template-Algebraic Side Channel Attacks with Extremely Low Data Complexity 1.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.

Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.
State-variable method, standard-form state equations Seo Yeon Youn [Mathematical Circuit Theory and Analysis]

State-variable method, standard-form state equations Seo Yeon Youn [Mathematical Circuit Theory and Analysis]
Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.

Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.

1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
FEAL FEAL 1.

FEAL FEAL 1.
Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.

Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.
Statistics 350 Lecture 16. Today Last Day: Introduction to Multiple Linear Regression Model Today: More Chapter 6.

Statistics 350 Lecture 16. Today Last Day: Introduction to Multiple Linear Regression Model Today: More Chapter 6.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.

Similar presentations

Ads by Google