Information Security – Theory vs. Reality, 0368-4474-01, Winter 2011. Guest Lecturer: Yossi Oren. Lecture 3: Power Analysis. Required Reading: http://www.dpabook.org, http://www.springerlink.com/content/g01q1k
1
Lecture 3: Power Analysis
Information Security – Theory vs. Reality
0368-4474-01, Winter 2011
Guest Lecturer: Yossi Oren
2
Required Reading
http://www.dpabook.org
http://www.springerlink.com/content/g01q1k
3
Fundamentals
4
Fundamentals
• AES
• Circuit Design
• Statistics
• Introduction to Power Analysis
5
The AES Cipher
[Diagram: AES block with Plaintext, Key and Ciphertext]
6
The AES Cipher (2)
Source: http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html
7
The AES Cipher (3)
void RijndaelEncrypt( u8 input[16], u8 output[16] )
{
  […]
  for (r=1; r<=9; r++)
  {
    ByteSub(state);
    ShiftRow(state);
    MixColumn(state);
    KeyAdd(state, roundKeys, r);
  }
  […]
Source: http://users.ece.utexas.edu/~gerstl/ee382v-ics_f09/soc/tutorials/System_C_Code_Examples_2/date04_examples/cosimulate/sw_only/
8
Statistics 101
⇐ Low Variance
High Variance ⇒
⇐ Low Correlation
High Correlation ⇒
9
Side Channel Attacks
[Diagram: Crypto Device holding a Key, with Plaintext in and Ciphertext out. Side channels shown: Power, Vibration, Timing, Sound, Heat, EM Radiation. Also labelled: Bad Inputs, Errors]
10
Theory of power analysis
Power consumption is variable
Power consumption depends on instruction
Power consumption depends on data
Power Consumption is Variable?
[Figure: CMOS gate circuit; labels: Vdd, GND, a, q, P1, N1, C1, C2, power consumption]
The power consumption of a CMOS gate depends on the data:
q: 0->0 virtually no power cons.
q: 1->1 virtually no power cons.
q: 0->1 high power cons. (proportional to C2)
q: 1->0 high power cons. (proportional to C1)
12
Power Consumption is Variable!
Source: DPA Book
13
Power Depends on Instruction
Source: DPA Book
14
Power Depends on Data
Source: DPA Book
15
Q&A (Fundamentals)
• AES
• Circuit Design
• Statistics
16
Correlation Power Analysis (CPA)
17
Correlation Power Analysis
• Simple Power Analysis
• Warm-up Correlation Power Analysis
• Full Correlation Power Analysis
18
Power Analysis Attack Scenario
Plaintexts and ciphertexts may be chosen, known or unknown
[Diagram: Crypto Device holding a Key, with Plaintexts, Ciphertexts and Power]
19
Theory of power analysis
Power consumption is variable
Power consumption depends on instruction
Power consumption depends on data
20
Simple Power Analysis (SPA)
Pros:
  Small amount of traces
Cons:
  Detailed reverse engineering
  Long manual part
21
Differential Power Analysis (DPA)
Use statistical properties of traces to recover key
Pros:
  Very limited reverse engineering
  Harder to confuse
Cons:
  Large amount of traces
Two main types of DPA:
  Difference of means (traditional DPA)
  Correlation power analysis (CPA)
22
CPA Basics
We want to discover the correct key value (ck) and when it is used (ct)
Idea:
  At the correct time, the power consumption of all traces is correlated with the correct key
  At other times and for other keys the traces should show low correlation
23
Warm-up CPA
Assume plaintext and correct key are known but correct time is unknown
Form hypothesis and test it
Good hypothesis:
  Depends on known plaintext
  Depends on small amount of key bits
  Non-linear – sensitive to small changes
  Maps to power consumption using a model
24
Warm-up CPA in Numbers
1000 traces, each consisting of 1 million points
Each trace uses a different known plaintext – 1000 plaintexts
1 known key
Hypothesis is vector of 1000 hypothetical power values
Output of warm-up CPA: vector of 1 million correlation values with peak at ct
25
Warm-up CPA in Pictures
26
Full CPA
Plaintext is known, but correct key and correct time unknown
Idea: run warm-up CPA many times in parallel
Create many competing hypotheses
27
Full CPA in Numbers
1000 traces, each consisting of 1 million points
Each trace uses a different known plaintext – 1000 plaintexts
Key is unknown – 256 guesses for first byte
Hypothesis is matrix of 1000X256 hypothetical power values
Output of full CPA: matrix of 1,000,000X256 correlation values with peak at (ck,ct)
28
Full CPA in Pictures
29
Q&A (CPA)
• Simple Power Analysis
• Warm-up Correlation Power Analysis
• Full Correlation Power Analysis