Current Flattening in Software and Hardware for Security Applications
Radu Muresan, CODES+ISSS'04, September 8-10, 2004, Stockholm, Sweden


1 Radu Muresan, CODES+ISSS'04, September 8-10, 2004, Stockholm, Sweden
Current Flattening in Software and Hardware for Security Applications
Authors: R. Muresan, C. Gebotys
Presentation By: Radu Muresan

2 Outline
• Introduction
• Power analysis attacks (PAAs)
  Definitions, examples, countermeasures
• Current flattening technique
  Definition, methodology, implementations
  Current flattening as a countermeasure against PAAs
• Results and conclusions

3 Introduction
• Embedded systems are increasingly used in security applications
• The software and the hardware components must be secure against all threats
• Current flattening is a potential countermeasure against PAAs
[Figure: cryptosystem block diagram. Labels: Key Generation, ke, kd, Key Channel, Plaintext, Encryption, Ciphertext, Message Channel, Decryption. Secret-key cryptosystem: ke = kd. Public-key cryptosystem: ke ≠ kd.]

4 What is a Power Analysis Attack?
• Side-channel attacks exploit correlation between secret parameters and variations in timing, power consumption, and other emanations from cryptographic devices to reveal secret keys
[Figure: measurement setup. Labels: Cryptographic Device, R, Current or Power Measurement, Power Supply, Attacker's Point.]

5 Example, DPA Attack on a Scalar Multiplication Algorithm for EC Protocols
• DPA uses correlation between power consumption and specific key-dependent bits
• $kP$, scalar multiplication
  Double-and-add approach, binary $k_{(2)} = (k_{n-1}, \ldots, k_0)$
• $kP_1, kP_2, \ldots, kP_n \Rightarrow C_i(t)$ = power
• $k_{n-1} = 1$; after the first iteration $\Rightarrow Q[0] = 2P_i$
• Second iteration
  If $k_{n-2} = 1 \Rightarrow Q[1] = 4P$
  If $k_{n-2} = 0 \Rightarrow Q[1] = 5P$
• g(t)= i=1,...,k|si=1 - i=1,...,k|si=0

6 Example, DPA Attack on a Scalar Multiplication Algorithm for EC Protocols
• A peak is observed when $4P_i$ are computed by the card
• No peak is observed when $4P_i$ are never computed by the card
[Figure: Simulated correlation function between the points $4P_i$ and power consumption $C_i(t)$ when $k_{n-2} = 0$.]

7 Countermeasures Against PAAs
• Against timing attacks
  Equalizing; Randomizing; Blinding
• Against simple power analysis attacks
  Avoiding; Creating; Symmetric
• Against differential power analysis attacks
  Randomization; Blinding
  Hardware: non-deterministic techniques
• Against all PAAs
  Proposed: current flattening technique

8 What is Current Flattening?
• Current flattening targets a flat (emission free) current consumption measured at an attacker's point of a cryptographic device
[Figure labels: Cryptographic Device; Attacker's Point; Current Flattening (internal); External Current Filtering Devices]

9 Behind Current Flattening
• Current consumption in a processor is a function of:
  The hardware architecture
  The instruction type
  The instruction sequencing
  Data manipulated
[Figure: Examples of current dynamics]

10 Software Method
• Program execution is composed of two types of cycles
  charging; discharging
• Code transformations are generated for classes of instructions
  Current measurements used for determining code transformations
Example:
Class    | FLATTEN0 [ALU Units] | FLATTENi [ALU Units]
ALU      | 1                    | 1
NOP      | 0                    | 0
CONTROL  | 4                    | 3

11 Hardware Method
• Pipeline current flattening module

12 Hardware Method
• Feedback current module

13 Does Current Flattening Protect Against PAAs?
• The software method does not protect against DPA, because the program-to-data dependencies are not covered
• The hardware method has the potential to cover all PAAs
  Supports real-time current adjustment at the clock frequency
  Covers both current-to-data and current-to-instruction dependencies
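A toy model of the slide 13 comparison, added here as an example and not taken from the presentation or the paper: software padding that is fixed per instruction slot versus a feedback module that cancels most of every deviation from a set point. All currents, the padding step, the loop gain and the three-slot trace are constructed values, and g(t) is assumed to be the standard difference-of-means DPA statistic.

```python
import random
from statistics import mean

# All values below are constructed for illustration, not measurements from the slides.
INSTR_MA = [40.0, 55.0, 30.0]   # nominal current of three instruction slots, mA
LEAK_MA = 2.0                   # extra current in slot 1 when the data bit is 1
STEP_MA = 8.0                   # granularity of one software padding unit
TARGET_MA, GAIN = 60.0, 0.95    # feedback set point and fraction of deviation cancelled

def software_flatten(trace):
    """Pad each slot by a fixed amount chosen per instruction, independent of data."""
    top = max(INSTR_MA)
    return [s + STEP_MA * ((top - c) // STEP_MA) for s, c in zip(trace, INSTR_MA)]

def hardware_flatten(trace):
    """Feedback module: every sample is pulled toward the set point in real time."""
    return [TARGET_MA + (s - TARGET_MA) * (1.0 - GAIN) for s in trace]

def capture(n, flatten=None, seed=2004):
    rng = random.Random(seed)   # same seed for every mode, so traces are comparable
    traces, bits = [], []
    for _ in range(n):
        bit = rng.getrandbits(1)
        raw = [c + rng.gauss(0.0, 0.5) for c in INSTR_MA]
        raw[1] += LEAK_MA * bit              # the data-dependent slot
        traces.append(flatten(raw) if flatten else raw)
        bits.append(bit)
    return traces, bits

def pk_pk(traces):              # peak-to-peak of the averaged trace, mA
    avg = [mean(col) for col in zip(*traces)]
    return max(avg) - min(avg)

def dpa_peak(traces, bits):
    """max over t of |g(t)|, g(t) = mean(C_i(t) | s_i=1) - mean(C_i(t) | s_i=0)."""
    ones = [t for t, b in zip(traces, bits) if b]
    zeros = [t for t, b in zip(traces, bits) if not b]
    return max(abs(mean(a) - mean(b)) for a, b in zip(zip(*ones), zip(*zeros)))

def evaluate(n=2000):
    modes = {"none": None, "software": software_flatten, "hardware": hardware_flatten}
    out = {}
    for name, fn in modes.items():
        traces, bits = capture(n, fn)
        out[name] = (round(pk_pk(traces), 2), round(dpa_peak(traces, bits), 3))
    return out                  # mode -> (pk-pk mA, max |g(t)| mA)

if __name__ == "__main__":
    print(evaluate())
```

In this model the software padding leaves max |g(t)| unchanged because the padding is the same for every data value, while the feedback loop scales both the peak-to-peak variation and the DPA peak by 1 - GAIN.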

14 Results of Software Flattening
• The experiments used the polymulNIST.asm implementation of an EC scalar multiplication (kP), where:
  P is a fixed point on a known elliptic curve
  k is a secret key
• Target processor: Motorola SC140 DSP
  Real current measurements

15 Results of Software Flattening
• Pk-Pk current variation reduced by 70 to 78%
• Energy consumption increased by 71 to 74%
• Execution time increased by up to 135%
Data analysis for software flattening:
Version | Start Time [μs] | End Time [μs] | Energy Prog. [μJ] | Mean [mA] | S [mA] | Pk-Pk [mA]
M1      | 25              | 681           | 209.9             | 0.168     | 18.85  | 67.7
M2      | 25              | 1569          | 363.2             | 0.124     | 1.60   | 20.3
M4      | 25              | 1545          | 359.9             | 0.125     | 1.91   | 16.8
M7      | 25              | 1569          | 365.5             | 0.125     | 1.98   | 14.3

16 Results of Hardware Flattening
• Instantaneous current simulation for polymul.asm
  polymul.asm is a subroutine of polymulNIST.asm
  polymul.asm is a target of PAAs
• Target system
  Motorola SC140 DSP plus the Feedback Current Module
  Current simulation and real current measurement

17 Results of Hardware Flattening
• Pk-Pk current variation reduced by 94 to 97%
• Energy consumption increased by up to 16%
• Execution time increased by up to 29%
Data analysis for hardware flattening:
Waveform | Run Time [μs] | Energy [μJ] | Max [mA] | S [mA] | Pk-Pk [mA]
blue     | 21.3          | 6.04        | 167.7    | 2.47   | 22.4
red      | 21.3          | 6.14        | 168.5    | 1.87   | 19.2
mag.     | 23.7          | 6.47        | 144.0    | 0.38   | 1.2
black    | 27.5          | 7.01        | 134.0    | 0.13   | 0.6

18 Conclusions
• The paper presented the mechanisms of the internal current flattening technique (ICF)
• ICF controls power consumption and current variation
  Countermeasure against PAAs
• Limitations
  Increased execution time and energy consumption

19 Future Work
• Investigate an ASIC implementation of the PAAR architecture
• Methods to improve the performance and energy consumption of implementations using ICF

20 References Used for the Presentation
• Slides 3 and 4
  W. Mao, "Modern Cryptography", Prentice Hall, 2004
  O. Kommerling, M. G. Kuhn, "Design principles for tamper-resistant smartcard processors", In Workshop on Smartcard Technology, 1999
• Slides 5, 6 and 7
  J-S. Coron, "Resistance against DPA for elliptic curve cryptosystems", CHES'99
  P. Kocher, et al., "Differential power analysis", In CRYPTO'99
• Slide 9
  R. Muresan, C. Gebotys, "Instantaneous current modeling in a complex VLIW processor core", In ACM TECS, 2004

21 THANK YOU! Questions?

