CHAPTER - 1
1.1 INTRODUCTION
Power analysis attacks have attracted significant attention within the cryptographic community. So far, they have been successfully applied to different kinds of (unprotected) implementations of symmetric and public-key encryption schemes. Although less general than classical cryptanalysis (because they target one specific implementation), power analysis attacks usually present a very serious threat to practical cryptosystems implemented on various platforms. Among the different countermeasures proposed to protect an implementation from such attacks, one of the most popular is the Boolean masking method. In this proposal, the cryptographic algorithm is modified in such a way that the intermediate data never appears as such, but is always "masked" with random Boolean vectors. Masking has been successfully applied to smart card implementations of the DES and the AES Rijndael. However, recent works have shown that power analysis attacks are also practical against ASIC and FPGA implementations of cryptographic algorithms. A practical problem is therefore to protect these devices.
In this context, one important concern is the implementation cost of the countermeasure. In particular, the protected algorithms usually have much higher memory requirements than the unmasked ones. For this reason, it is often assumed that masking is not a practical solution for the protection of hardware implementations. On the contrary, it is demonstrated in this project that FPGA implementations of the DES offer very simple and interesting opportunities to implement the Boolean masking method. In practice, the secure cryptographic design is based on the use of the large embedded memories available inside certain recent FPGAs. As the efficiency of the proposal depends highly on the size of the substitution tables used in the encryption algorithm, it is particularly well suited to the DES (and, for example, could not be applied as such to the AES Rijndael). Therefore, the resulting protected DES implementation only requires a moderate additional hardware cost. It is observed that, like most present countermeasures against side-channel attacks, masking does not provide perfect security and only makes the attack more difficult.
1.2 POWER ANALYSIS
In cryptography, power analysis is a form of side-channel attack in which the attacker studies the power consumption of a cryptographic hardware device (such as a smart card, a tamperproof "black box", a microchip, etc.). It can yield information about what the device is doing, including keys and other secrets.
Since increasingly confidential data are being exchanged electronically, ever greater importance is attached to the protection of the data. Where cryptosystems are used in real applications, attacks have to be taken into account. Hardware and software implementations themselves present a vast field of attacks. Side-channel attacks exploit information that leaks from a cryptographic device. One of these new attacks in particular has attracted much attention since it was announced. This method is called Differential Power Analysis (DPA) and was presented in 1998 by Cryptography Research. DPA uses the information that naturally leaks from a cryptographic hardware device, namely the power consumption. A less powerful variant, Simple Power Analysis (SPA), was also announced by Cryptography Research. What does a DPA attack require? First, an attacker must be able to precisely measure the power consumption. Second, the attacker needs to know which algorithm is computed, and third, the attacker needs the plaintext or ciphertext. The strategy of the attacker is to make a large number of measurements and then divide them, with the aid of some oracle, into two or more different sets. Then statistical methods are used to verify the oracle: if and only if the oracle was right, noticeable peaks appear in the statistics.
1.2.1 Differential Power Analysis
Differential Power Analysis is an extension of power analysis that can allow an attacker to compute the intermediate values of data blocks and key blocks by statistically analyzing data collected from multiple cryptographic operations.
1.2.2 Basics (Simple Power Analysis)
Examining graphs of the current drawn by a device against time can often show exactly what the device is doing at a given point. For example, on a graph of a smart card performing a DES encryption, the sixteen rounds can be seen clearly.
The currents passing through a device are usually small, but standard digital oscilloscope equipment is precise and accurate enough to measure data-induced variations. It is reasonable for a cryptosystem designer to assume that an adversary will have access to such equipment.
Power analysis does not seek to find weaknesses in algorithms or protocols so much as in their implementations. It provides a way to "see inside" otherwise 'tamperproof' hardware. For example, DES's key schedule involves rotating 28-bit key registers. In order to save time, most implementations simply check the least significant bit to see if it is a 1. If so, they divide the register by two and prepend the 1 at the left end. Power analysis can show the difference between a register with a 1 and a register with a 0 at the end when this happens. This can leak information about key material. DES's permutations, usually clumsily implemented in software, reveal even more information through conditional branches.
1.3 Differential Power analysis
Differential Power Analysis (DPA) is a side-channel attack which involves statistically analyzing power consumption measurements from a cryptosystem. The attack exploits biases in the varying power consumption of microprocessors or other hardware while performing operations using secret keys. DPA attacks have signal processing and error correction properties which can extract secrets from measurements which contain too much noise to be analyzed using simple power analysis. Using DPA, an adversary can obtain secret keys by analyzing power consumption measurements from multiple cryptographic operations performed by a vulnerable smart card or other device.
1.4 Preventing simple and differential power analysis attacks
Simple power analysis can most easily distinguish conditional branches in the execution of the cryptographic program, since a device does different things (requiring different power) depending on which conditional branch is executed. For this reason, care should be taken to ensure that there are no differences (from a power perspective) between the conditional branches within cryptographic software implementations. All rotations, permutations and logic operations (such as XOR) should take the same time and draw equivalent power, no matter what the input.
There are, however, some algorithms with inherently significant branching; to eliminate information leakage from these, software engineers may have to be very creative. This creative engineering may cause a performance reduction (typically in speed), and will almost always require greater development effort, which must be weighed against the possibility of power analysis. An alternative, in some cases, is to use a hardwired hardware cryptographic device, whose power consumption varies very little due to its construction. However, in the case of smart cards for example, it is not always possible to replace software implementations with hardware implementations.
Differential power analysis is more difficult to prevent, since even small biases in the power consumption can lead to exploitable weaknesses. Some countermeasure strategies involve algorithmic modifications such that the cryptographic operations occur on data that is related to the actual value by some mathematical relationship that survives the cryptographic operation. This is called blinding, and usually implies an algorithm that is based on number theory, such as factoring or discrete logarithms.
1.5 Power Analysis Foundations
Almost every digital circuit built today is based on Complementary Metal Oxide Semiconductor (CMOS) technology. Therefore it is necessary to understand the power consumption characteristics of this technology. If a CMOS gate changes its state, this change can be measured at the Vdd (or Vss) pin. The more circuits change their state, the more power is dissipated. In a synchronous design, gates are clocked, which means that all gates change their state at the same time. The power dissipated by the circuit can be monitored by using a small resistor Rm in series between Vdd (or Vss) and the true source (or ground). The two most essential parts of the power consumption during a change of state are the dynamic charge or discharge current (approx. 85%) and the dynamic short-circuit current (approx. 15%). This is sketched on the example of an inverter, shown in Figure 1.1. The output of each gate has a capacitive load, consisting of the parasitic capacitance of the connected wires and of the gates of the following stages. An input transition results in an output transition, which discharges or charges this parasitic capacitance, causing a current flow to Vdd (or Vss). This current is the dynamic charge or discharge current. By measuring the current flow on Vdd we can detect whether the output changed from 0 to 1 or not.
Figure 1.1 Inverter
1.6 Differential Power Analysis of DES
In the DES the round subkey is split into eight blocks, one for every S-box. Therefore we specify one target S-box for which we list all possible (= 2^6) input values. We will refer to such an input value as a subkey block. As assumed above we know the ciphertext, and so we can calculate the value of some of the bits in L15 for every possible subkey block. We select one of these bits as our target bit. The value of the target bit is our selection function D. If D = 1 the corresponding power measurement is put in sample set S1; if D = 0 it is classified into S0. This procedure is repeated for many measurements, so at the end we have, for every ciphertext and all subkey blocks, a classification of the corresponding measurement. Let n denote the number of ciphertexts, i.e. measurements. Then we can write all our classifications in a 2^6 x n matrix, so that every row represents a possible key for the target S-box, and every column represents the classification of one ciphertext (measurement).
For the DPA attack, go through all rows and build the two sample sets S0 and S1. Then compute the (point-wise) mean of the samples in each set, M0 and M1, and compute their difference. For the correct subkey block there must be a peak in the trace of the difference.
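The difference-of-means procedure just described, run on constructed traces rather than real measurements, as an added example that is not part of the report: it models a single DES S-box lookup with the Hamming-weight leakage of Section 1.7 and compares the unprotected lookup against one protected by the Boolean masking of Section 1.1, so the same statistic serves as a check that the countermeasure removes the first-order leak. The subkey value 0x2B, the noise level and the trace count are assumptions.

```python
import random

# DES S-box S1, standard table (4 rows x 16 columns).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox1(x6):
    """Standard DES S1 lookup: row from the outer two bits, column from the middle four."""
    row = (((x6 >> 5) & 1) << 1) | (x6 & 1)
    col = (x6 >> 1) & 0xF
    return S1[row][col]

def hw(v):
    """Hamming weight: the leakage model of Section 1.7 (power ~ number of 1s)."""
    return bin(v).count("1")

def simulate_traces(n, subkey, masked, rng, noise=1.0):
    """Constructed traces: one sample per S-box lookup, HW of the value the
    hardware actually handles plus Gaussian noise. Unmasked: HW(S1(x ^ k)).
    Masked (Section 1.1): the output is XORed with a fresh random 4-bit mask,
    so the sample is HW(S1(x ^ k) ^ m) and no longer depends on k."""
    inputs, traces = [], []
    for _ in range(n):
        x = rng.randrange(64)
        y = sbox1(x ^ subkey)
        if masked:
            y ^= rng.randrange(16)
        inputs.append(x)
        traces.append(hw(y) + rng.gauss(0, noise))
    return inputs, traces

def dpa_dom(inputs, traces):
    """Difference-of-means statistic of Section 1.6 for all 2^6 subkey guesses.
    Each predicted S-box output bit serves as selection function D: traces go
    to S1 (D=1) or S0 (D=0), and |M1 - M0| is summed over the four bits."""
    scores = []
    for guess in range(64):
        preds = [sbox1(x ^ guess) for x in inputs]
        total = 0.0
        for bit in range(4):
            s0 = [t for p, t in zip(preds, traces) if not (p >> bit) & 1]
            s1 = [t for p, t in zip(preds, traces) if (p >> bit) & 1]
            if s0 and s1:
                total += abs(sum(s1) / len(s1) - sum(s0) / len(s0))
        scores.append(total)
    return scores

def evaluate(masked, subkey=0x2B, n=5000, seed=7):
    """Simulate n traces for one (assumed) 6-bit subkey and run the attack.
    Returns (best guess, its score); the correct key stands out only if the
    first-order leakage survives the countermeasure."""
    rng = random.Random(seed)
    inputs, traces = simulate_traces(n, subkey, masked, rng)
    scores = dpa_dom(inputs, traces)
    best = max(range(64), key=lambda k: scores[k])
    return best, scores[best]

if __name__ == "__main__":
    print("unmasked:", evaluate(False))  # correct guess 0x2B, score near 4
    print("masked:  ", evaluate(True))   # no guess stands out, score near 0
```

With the mask drawn uniformly, HW(y ^ m) has the same distribution for every y, so the masked scores are all noise; a non-zero peak here would indicate a mask reuse or an unmasked intermediate.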
1.7 ROM DESIGN AND EVALUATION AGAINST POWER ANALYSIS ATTACK
1.7.1 Power Simulation on an 8 x 8 ROM
The ROM with 3-bit input and 8-bit output is shown in Figure 1.2. It consists of two main components: a 3-to-8 decoder and a memory array. The decoder is made up of eight 3-input AND gates, each driven by a minterm of the 3 input signals. The memory array is an array of pull-down N-type transistors, located at intersections of a horizontal address line and a vertical data line. The Hamming weight (the number of "1"s) of the ROM content is increased one by one.
Figure 1.2 8 x 8 ROM
For each Hamming weight, the locations of the "1"s (N-type transistors) are randomly distributed and power simulations are run around 10 times. The power consumption leaks the Hamming weight, since the average power increases linearly with it.
1.7.2 Inserting randomness into the ROM
There are two degrees of freedom which cause power consumption variation for a given Hamming weight:
i. Duty cycle of the address lines
ii. N-type transistor distribution
The duty cycles of the address lines are not identical to each other, due to inverter delays in the address decoder. When one address line is selected and the N-type transistors on it are turned on, the power dissipation caused by the short-circuit current is approximately proportional to the duty cycle of the selected address line. As a result, the power consumption differs when the locations of the N-type transistors change between different address lines.
The power consumption variation caused by the duty-cycle differences can be exploited to mask the linearity between the power and the Hamming weight. One may consider increasing the duty-cycle differences between address lines, but the influence would be slight, since the differences between some duty cycles are very small. Moreover, it increases the risk of a timing analysis attack, which in turn cancels the improvement in power information leakage.
An alternative is to modify the N-type transistor distribution by using extra dummy bit lines, i.e. to spread the N-type transistor distribution over a larger ROM, whose circuit is shown in Figure 1.3.
Figure 1.3 8 x 8 ROM with extra bit lines, for random insertion
1.7.3 Dual-rail ROM design
It is observed that a dual-rail ROM design may be a better countermeasure. Dual-rail refers to an encoding system in which the two-bit value "01" stands for logic-0 and "10" for logic-1. The dual-rail ROM has twice the number of bit lines, which in pairs represent logic words. With this encoding technique, a constant number (half the number of bit lines) of N-type transistors is turned on no matter which address line is selected.
Figure 1.4 shows a dual-rail 8 x 8 ROM example which has 16 bit lines to output 8-bit words. A power simulation is run on it similar to that of its bundled-data version, but increasing the number of logic-1 bits instead of the number of "1"s (N-type transistors), which is constantly equal to half of the total number of intersections of address lines and bit lines.
Figure 1.4 Dual-rail 8 x 8 ROM, 16 bit lines representing an 8-bit word
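A small model of the conducting-transistor count per read for the bundled-data ROM of Section 1.7.1 and the dual-rail ROM of Section 1.7.3, added here as an example and not taken from the report; the ROM content and the "one conducting transistor per stored 1" count are constructed assumptions following the text.

```python
def dual_rail_encode(word, width=8):
    """Map each data bit to a 2-bit code: logic-0 -> '01', logic-1 -> '10'.
    Returns the 2*width-bit pattern stored on the dual-rail bit lines."""
    code = 0
    for i in range(width):
        bit = (word >> i) & 1
        pair = 0b10 if bit else 0b01
        code |= pair << (2 * i)
    return code

def transistors_on(pattern):
    """N-type pull-down transistors turned on when this address line is
    selected: one per '1' stored on the line (the model of Section 1.7.1)."""
    return bin(pattern).count("1")

def leakage_spread(rom_words, encode=None):
    """Spread (max - min) of the per-address transistor count over the ROM.
    A spread of 0 means the count, and with it the modelled power, does not
    depend on which word is read."""
    counts = [transistors_on(encode(w) if encode else w) for w in rom_words]
    return max(counts) - min(counts)

# Constructed 8 x 8 ROM content: eight 8-bit words with Hamming weights 0..7,
# the same "increase the Hamming weight one by one" sweep as Section 1.7.1.
ROM = [0x00, 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3F, 0x7F]

if __name__ == "__main__":
    print("bundled-data spread:", leakage_spread(ROM))
    print("dual-rail spread:   ", leakage_spread(ROM, dual_rail_encode))
```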
1.8 RANDOM NUMBER GENERATOR
1.8.1 INTRODUCTION
The need for random numbers in cryptographic processes is ubiquitous. Initialization vectors, block padding, challenges, nonces and, of course, keys are some of the cryptographic objects for which a string of unpredictable bits is required. Often the same Random Number Generator (RNG) supplies bits for all of the above uses in a cryptographic system. Many of the bits generated by the RNG are transmitted in the clear, and thus a passive attacker has ample opportunity to analyze the output of the RNG and can leverage any weaknesses found there.
The random number generator (RNG) is an important cryptographic primitive widely used for one-time pads, key generation and authentication protocols. The security of such systems relies on the assumption that future values in the random number sequence cannot be predicted from the observed sequence. There are two types of random number generators commonly used for cryptographic applications. The true random number generator (TRNG) derives its output from a physical noise source, whereas a pseudorandom number generator (PRNG) expands a relatively short key (possibly from a TRNG) into a long sequence of seemingly random bits based on a deterministic algorithm. A cryptographically secure random bit generator (CSRBG) is one which produces sequences for which there is no polynomial-time algorithm which, on input of the first l bits of the output sequence s, can predict the (l+1)-st bit of s with a probability significantly greater than 1/2.
Field programmable gate array (FPGA) devices have been successfully used for the implementation of cryptographic hardware, some examples being the Data Encryption Standard (DES), Advanced Encryption Standard (AES) candidate finalists, IDEA and RSA cryptography. In these and other implementations, FPGAs had advantages in performance, design time, power consumption, flexibility, cost or area over comparable microprocessor and very large scale integration (VLSI) based systems.
These designs are intended for integration with other FPGA-based cryptographic hardware to produce embedded cryptosystems on a single FPGA. Apart from achieving a higher level of integration, keeping the critical random number generation operations internal to the device achieves better security, since these data do not need to be passed to the FPGA via the pins.
In many applications, highly secure random numbers are required only at very low
bit rates, perhaps to generate a single key for the lifetime of the application. An example
is public key cryptography where, once a key pair is generated, the same key is used for
subsequent applications. The TRNG and PRNG reported in this paper are designed for
low bit rate applications and both are able to generate highly secure random numbers
while occupying minimal resources. They are particularly suitable for applications where
integration of the RNG and other cryptographic algorithms on the same FPGA is
required.
Given the importance of random number generation, surprisingly few hardware implementations of TRNGs have been reported. There are three commonly used techniques, namely oscillator sampling, direct amplification and discrete-time chaos. In the oscillator sampling approach, period variation (i.e. oscillator jitter) in a low-frequency clock of low quality factor (Q) is exploited by using it to sample a high-frequency clock. The direct amplification technique digitizes thermal or shot noise, using an amplifier and a comparator. Finally, chaotic systems can be used to produce TRNGs.
1.9 Kinds of Random Number Generators
RNGs can be separated into two general categories:
1.9.1 Pseudo Random Number Generators (PRNGs):
These generators are algorithms, which are initialized with an externally
generated sequence and produce a much longer sequence that appears to be random.
After being initialized with a seed value the internal state of the generator completely
determines the next bit to be generated. Given the same seed value a PRNG will always
produce the same sequence.
1.9.2 True Random Number Generators (TRNGs):
These generators base their output entirely on an underlying random physical process. Unlike their deterministic cousins, there is no internal state kept in the generator, and the output is based only on the physical process and not on any previously produced bits. Often the raw bits generated by the physical source are biased (the probability of a '1' is not 0.5), and thus some bias reduction is necessary.
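One standard bias-reduction step, the von Neumann corrector, applied to a constructed biased bit source as an added example (the report does not name a particular method; the choice of corrector and the bias value 0.8 are assumptions, and the source is a stand-in for a physical noise source).

```python
import random

def von_neumann(bits):
    """Pair up consecutive raw bits; emit 0 for (0,1), 1 for (1,0), and drop
    (0,0) and (1,1). For independent bits with any fixed bias p the output is
    unbiased, because P(0,1) = P(1,0) = p(1-p)."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out

def bias(bits):
    """Fraction of ones; 0.5 means unbiased."""
    return sum(bits) / len(bits) if bits else 0.0

def expected_yield(p_one):
    """Output bits per raw input bit: each pair (two raw bits) yields one
    output bit with probability 2p(1-p), i.e. p(1-p) per raw bit."""
    return p_one * (1.0 - p_one)

def biased_source(n, p_one, seed=0):
    """Constructed stand-in for a raw noise source: independent bits with
    P(1) = p_one. A real TRNG would also have to be checked for correlation,
    which this corrector does not remove."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

if __name__ == "__main__":
    raw = biased_source(100000, 0.8, seed=3)
    out = von_neumann(raw)
    print("raw bias:", round(bias(raw), 3), "corrected bias:", round(bias(out), 3))
    print("yield:", len(out) / len(raw), "expected:", expected_yield(0.8))
```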
CHAPTER – 2
CRYPTOGRAPHY
Cryptography is the study of mathematical techniques related to aspects of information
security such as confidentiality, data integrity, entity authentication, and origin authentication.
2.1 Basic terminology and concepts
Cryptanalysis is the study of mathematical techniques for attempting to defeat cryptographic techniques and, more generally, information security services.
A cryptanalyst is someone who engages in cryptanalysis.
Cryptology is the study of cryptography and cryptanalysis.
A cryptosystem is a general term referring to a set of cryptographic primitives used to provide information security services. Most often the term is used in conjunction with primitives providing confidentiality, i.e. encryption.
Cryptography is the art and science of conveying a message from source to destination on a secure basis. There are two kinds of cryptosystems: symmetric and asymmetric. Symmetric cryptosystems use the same key (the secret key) to encrypt and decrypt a message, and asymmetric cryptosystems use one key (the public key) to encrypt a message and a different key (the private key) to decrypt it. Asymmetric cryptosystems are also called public key cryptosystems.
2.2 Need for security
Steps involved in secured communication:
1. Design an algorithm for performing the security-related transformation such that the opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Specify the protocol to be used by the two principals that make use of the security algorithm.
2.3 Threats in communication
2.3.1 Information access threat:
Modification of the data without the knowledge of the sender, followed by transmission of the modified data.
2.3.2 Service threat:
Exploitation of flaws in the services available on a computer to inhibit their use by legitimate users.
2.3.3 Types of intruders
Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
Misfeasor: A legitimate user who accesses data, programs or resources for which such access is not authorized.
2.4 SYMMETRIC CIPHER MODEL
Symmetric encryption, also referred to as conventional encryption or single-key encryption, was the only type of encryption in use prior to the development of public-key encryption. The most widely used symmetric cipher is TDES.
Plaintext: This is the original intelligible message or data that is fed into the algorithm as
input.
Encryption algorithm: The encryption algorithm performs various substitutions and
transformations on the plaintext.
Secret key: The secret key is also input to the encryption algorithm. The key is a value
independent of the plaintext. The algorithm will produce a different output depending on
the specific key being used at the time. The exact substitutions and transformations