SPA and DPA attacks
Pascal Paillier, Gemplus ARSC/STD/CRY

Feb 25, 2016


Page 1: SPA and DPA attacks

SPA and DPA attacks

Pascal Paillier

Gemplus ARSC/STD/CRY

Page 2: SPA and DPA attacks

Outline
• Side Channel Cryptanalysis
• SPA – Simple Power Analysis
• DPA – Differential Power Analysis
  – Acquisition procedure
  – Selection & prediction
  – Differential operator and curves
  – Reverse engineering using the DPA indicator
• Attacking a Secret Key algorithm with DPA
  – Typical target
  – Hypothesis testing (guesses management)

Page 3: SPA and DPA attacks

Which are Side Channel Attacks
1. Differential Fault Analysis (DFA)
  – Biham-Shamir (1997)
2. Timing Attacks
  – Kocher (1996)
3. Simple Power Analysis (SPA)
  – Kocher, Jaffe, Jun (1998)
4. Differential Power Analysis (DPA)
  – Kocher, Jaffe, Jun (1998)

Page 4: SPA and DPA attacks

Side Channels

• Kocher et al., June 1998: Measure instantaneous power consumption of a device while it runs a cryptographic algorithm
• Different power consumption when operating on logical ones vs. logical zeroes.

Page 5: SPA and DPA attacks

Systems under Threat

Implementations of Cryptographic Algorithms
• On smart cards
• On general/specific purpose hardware
• On software

Page 6: SPA and DPA attacks

Power Attacks
• Published on the web by Paul KOCHER (1998)
  – Big noise in the cryptographic community
  – Big fear in the smart card industry!
• Power Attacks are powerful and generic
  – Statistical & signal processing
  – Known random messages
  – Targeting a known algorithm
  – Running on a single smart card
• Attack performed in 2 steps
  – Acquisition phase: on-line with the smart card
  – Analysis phase: off-line on a PC (hypothesis testing)

Page 7: SPA and DPA attacks

What is a Power Analysis Attack?
Side-channel attacks exploit correlation between secret parameters and variations in timing, power consumption, and other emanations from cryptographic devices to reveal secret keys

[Figure: measurement setup. Labels: Power Supply, R, Cryptographic Device, Current or Power Measurement, Attacker's Point]

Page 8: SPA and DPA attacks

Information Leakage

Page 9: SPA and DPA attacks

Acquisition procedure

[Figure: Input data (messages Mi) → Algorithm → Output (sign/cipher Si), with Power Consumption Curves Ci (or other side channel leakage like EM radiation)]

Play the algorithm N times (100 < N < 100000)

Page 10: SPA and DPA attacks

Acquisition procedure

[Figure: Monitoring equipment for iterated acquisitions. Labels: Main PC (runs Acquisition software), Server (stores files and runs Treatment software), Card reader, Card extension, GCR, Oscilloscope, Protection box, R. Links: command emission, arm scope, retrieve file, file transfer, current waveform acquisition, scope trigger on IO]

Page 11: SPA and DPA attacks

POWER MEASUREMENT SETUP

• Oscilloscope

• Carefully choose resistors-capacitors

• Reduce noise

• Collect power traces

FREQUENCY AND SUPPLY VOLTAGE: UNDER THE CONTROL OF THE ATTACKER

Page 12: SPA and DPA attacks

Acquisition procedure
After data collection, what is available?
– N plain and/or cipher random texts

00 B688EE57BB63E03E
01 185D04D77509F36F
02 C031A0392DC881E6
…

– N corresponding power consumption waveforms

Page 13: SPA and DPA attacks

What an Attacker Knows

• Precise power measurements
• Which algorithm is computed
• Ciphertexts and plaintexts
• Any additional information

Page 14: SPA and DPA attacks

Simple Power Analysis

• (E.g., Kocher 1998) Attacker directly uses power consumption to learn bits of secret key. Wave forms visually examined.
• Big features like rounds of DES, square vs. multiply in RSA exponentiation, and small features, like bit value.
• Relatively easy to defend against.

Page 15: SPA and DPA attacks

Simple Power Analysis
• Simple attack, needs a few seconds
• Direct observation of a system's power consumption
• Can gain very useful information

Page 16: SPA and DPA attacks

How SPA Works

Key = 101011

Double-and-Add Algorithm:
[Figure: power trace annotated with key bits 0 1 0 1 1]

With “Dummy” Operations:
[Figure: power trace annotated with key bits 0 1 0 1 1]
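The slide's two traces can be reproduced as operation sequences. This is an added example, not code from the presentation: the function names are hypothetical, the "point" is a plain integer so that doubling and adding are ordinary arithmetic, and each operation is logged as D (double) or A (add) in place of a measured power trace.

```python
# Added illustration of the slide's Key = 101011 example (names are assumptions).

def double_and_add(k, p):
    """Left-to-right double-and-add; returns (k*p, operation trace)."""
    r, trace = p, []                 # leading 1 bit: start from p
    for b in bin(k)[3:]:             # remaining key bits, here 0 1 0 1 1
        r = r + r
        trace.append("D")
        if b == "1":                 # the add happens only for a 1 bit
            r = r + p
            trace.append("A")
    return r, "".join(trace)

def double_and_add_always(k, p):
    """Same result, but an add is executed for every bit (dummy when bit = 0)."""
    r, trace = p, []
    for b in bin(k)[3:]:
        r = r + r
        trace.append("D")
        t = r + p                    # always performed
        trace.append("A")
        # Model only: a real implementation needs a constant-time select here.
        r = t if b == "1" else r
    return r, "".join(trace)

def bits_from_trace(trace):
    """Bits a visual reading of the trace yields: 'DA' -> 1, lone 'D' -> 0."""
    out, i = [], 0
    while i < len(trace):
        if trace[i:i + 2] == "DA":
            out.append("1")
            i += 2
        else:
            out.append("0")
            i += 1
    return "".join(out)

if __name__ == "__main__":
    for name, fn in (("double-and-add", double_and_add),
                     ("with dummy operations", double_and_add_always)):
        for key in (0b101011, 0b100000):
            result, trace = fn(key, 7)
            print(f"{name:22} key={key:06b} trace={trace:10} "
                  f"read-off={bits_from_trace(trace)} result={result}")
```

With dummy operations the trace is the same for every key of the same length, so the read-off no longer depends on the key bits.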

Page 17: SPA and DPA attacks

SPA result Example
• Interpret power consumption measurement
• What is learned: device’s operation, key material
• Base: power consumption variance of µP instructions
• DES operation by smart card

Page 18: SPA and DPA attacks

Selection & prediction

Assume the data are processed by a known deterministic function f (transfer, permutation...)

Knowing the data, one can recompute off line its image through f

[Figure: Mi → f → Si = f[Mi]]

Now select a single bit among S bits (in S buffer)

One can predict the true story of its variations

i   Message            bit
0   B688EE57BB63E03E   1
1   185D04D77509F36F   0
2   C031A0392DC881E6   1
…
for i = 0, N-1

Page 19: SPA and DPA attacks

DPA operator & curve
Partition the data and related curves into two packs according to selected bit

[Figure: Mi → f → bit(Si) = 0 or bit(Si) = 1]

… and assign -1 to pack 0 and +1 to pack 1

0   B688EE57BB63E03E   1   +1
1   185D04D77509F36F   0   -1
2   C031A0392DC881E6   1   +1
…
for i = 0, N-1

Sum the signed consumption curves and normalise <=> Difference of averages (N0 + N1 = N)

$\mathrm{DPA} = \frac{\sum C_1}{N_1} - \frac{\sum C_0}{N_0}$

Page 20: SPA and DPA attacks

DPA operator & curve

DPA curve construction

[Figure: DPA curve construction. Labels: messages M0, M1, ..., MN (B688EE..., 185D04D..., C031A0...), selection bit, packs 0 and 1, average, difference (-), DPA curve]

Page 21: SPA and DPA attacks

DPA Result Example

[Figure: four traces. Average Power Consumption; Power Consumption Differential Curve With Correct Key Guess; Power Consumption Differential Curve With Incorrect Key Guess (two panels)]

Page 22: SPA and DPA attacks

DPA operator & curve
Spikes explanation: Hamming Weight of the bit’s byte

Average = E[HW0] = 0 + 3.5
Average = E[HW1] = 1 + 3.5

Difference of averages = E[HW1] - E[HW0] = 1

1 0 0 1 1 0 1
0 1 1 0 1 0 0
1 0 1 1 1 1 1
...

Contrast (peak height) proportional to N^(1/2) (evaluation criterion)

If prediction was wrong: selection bit would be random
E[HW0] = E[HW1] = 4 => difference of averages = 0

0 1 0 0 1 0 1 1
0 1 1 0 1 0 1 0
1 1 0 0 1 0 0 0
...

[Figure: selection bit column for messages 0, 1, 2, ...]
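The two expectations on this slide can be checked numerically. The following is an added example, not part of the presentation: it assumes a single-sample "curve" whose value is the Hamming weight of a uniformly random byte plus Gaussian noise, and all function names, the noise level and the seed are assumptions.

```python
# Added illustration: difference of averages under a Hamming-weight leakage model.
import random

def hw(x):
    """Hamming weight of an integer."""
    return bin(x).count("1")

def exact_pack_means(bit):
    """Average HW over all 256 byte values, split by the selected bit."""
    packs = {0: [], 1: []}
    for v in range(256):
        packs[(v >> bit) & 1].append(hw(v))
    return tuple(sum(p) / len(p) for p in (packs[0], packs[1]))

def dpa_difference(samples, selection_bits):
    """Mean of pack 1 minus mean of pack 0 (the slide's difference of averages)."""
    pack1 = [s for s, b in zip(samples, selection_bits) if b == 1]
    pack0 = [s for s, b in zip(samples, selection_bits) if b == 0]
    return sum(pack1) / len(pack1) - sum(pack0) / len(pack0)

def simulate(n, bit=0, noise=1.0, seed=1):
    """Return (difference with the true selection bit, difference with a random bit)."""
    rng = random.Random(seed)
    data = [rng.randrange(256) for _ in range(n)]             # constructed bytes
    samples = [hw(v) + rng.gauss(0.0, noise) for v in data]   # constructed leakage
    right = [(v >> bit) & 1 for v in data]        # prediction matches the data
    wrong = [rng.randrange(2) for _ in data]      # prediction unrelated to the data
    return dpa_difference(samples, right), dpa_difference(samples, wrong)

if __name__ == "__main__":
    print("exact pack means (pack 0, pack 1):", exact_pack_means(0))
    for n in (100, 1600, 25600):
        right, wrong = simulate(n)
        print(f"N={n:6d}  correct selection: {right:+.3f}  random selection: {wrong:+.3f}")
```

The residual for the random selection shrinks roughly as 1/N^(1/2) while the correct one stays near 1, which is the N^(1/2) contrast the slide uses as an evaluation criterion.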

Page 23: SPA and DPA attacks

Reverse engineering using DPA
• Use DPA to locate when predictable things occur
• Example: locate an algo trace by targeting its output (ciphertext transfer to RAM, ciphertext is given)

[Figure: DPA curves and consumption curve]

Page 24: SPA and DPA attacks

CONCLUSIONS
DPA vs. SPA

• Low amount of experiments

• Faster to launch

• Not many implementation details

• Noise is not so important

• Attacks even small features

Page 25: SPA and DPA attacks

REFERENCES
1. Paul Kocher, Joshua Jaffe, and Benjamin Jun, “Differential Power Analysis”, Advances in Cryptology – CRYPTO ’99, LNCS 1666, Aug. 1999, pp. 388-397

2. Kouichi Itoh, Masahiko Takenaka, and Naoya Torii, “DPA Countermeasure Based on the Masking Method”, ICICS 2001, LNCS 2288, 2002, pp. 440-456

3. Louis Goubin, Jacques Patarin, “DES and Differential Power Analysis”, Proceedings of Workshop on Cryptographic Hardware and Embedded Systems, Aug. 1999, pp. 158-172

4. Jean-Sebastien Coron, Louis Goubin, “On Boolean and Arithmetic Masking against Differential Power Analysis”, CHES 2000, LNCS 1965, 2000, pp. 231-237

5. Mehdi-Laurent Akkar, Christophe Giraud, “An Implementation of DES and AES, Secure against Some Attacks”, CHES 2001, LNCS 2162, 2001, pp. 309-318

6. D. May, H.L. Muller, and N.P. Smart, “Random Register Renaming to Foil DPA”, CHES 2001, LNCS 2162, 2001, pp. 28-38

Page 26: SPA and DPA attacks

REFERENCES
7. S. Almanei, “Protecting Smart Cards from Power Analysis Attacks”, http://islab.oregonstate.edu/koc/ece679cahd/s2002/almanei.pdf, May 2002

8. Adi Shamir, “Protecting Smart Cards from Passive Power Analysis with Detached Power Supplies”, CHES 2000, LNCS 1965, 2000, pp. 71-77

9. P. Y. Liardet, N. P. Smart, “Preventing SPA/DPA in ECC Systems Using the Jacobi Form”, CHES 2001, LNCS 2162, 2001, pp. 391-401

10. Jean-Sebastien Coron, “Resistance Against Differential Power Analysis for Elliptic Curve Cryptosystems”, in Ç.K. Koç and C. Paar, Eds., Cryptographic Hardware and Embedded Systems, vol. 1717 of Lecture Notes in Computer Science, pp. 292–302, Springer-Verlag, 1999

11. Marc Joye and Christophe Tymen, “Protections against differential analysis for elliptic curve cryptography: An algebraic approach”, in Ç.K. Koç, D. Naccache, and C. Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2001, volume 2162 of Lecture Notes in Computer Science, pages 377–390, Springer-Verlag, 2001