Slide 1

Slide 2 A paper by: Paul Kocher, Joshua Jaffe, and Benjamin Jun Presentation by: Michelle Dickson Slide 3 Power Analysis Introduction Simple Power Analysis (SPA) Theory Experimental Results Prevention Differential Power Analysis (DPA) Theory Experimental Results Prevention Comments Slide 4 Introduction About the paper Written by Paul Kocher, Joshua Jaffe, and Benjamin Jun of Cryptography Research, Inc in 1998 This was the first introduction of power analysis based side channel attacks on cryptographic systems All analysis and experimentation was performed on a DES implementation Slide 5 Introduction Power Analysis Power Analysis is a form of side channel attack in which operation and key material can be exposed through the measurement of a cryptographic devices power consumption To measure a circuits power consumption A small resistor (e.g. 50) is placed in series with the power or ground input An oscilloscope or other sampling device captures voltage drop across the resistor Data is transferred to a PC for analysis Slide 6 Simple Power Analysis Theory This technique directly interprets power consumption measurements to expose information about an encryptor/decryptor A trace refers to a set of power consumption measurements taken across a cryptographic operation Higher resolution traces reveal more information about the circuits operation Claim SPA traces can reveal the sequence of instructions and can therefore be used to break cryptographic implementations in which execution path depends on the data being processed Slide 7 Simple Power Analysis Experimental Results The figure below clearly shows the 16 rounds of a DES operation Slide 8 Simple Power Analysis Experimental Results A more detailed view shows small variations between the rounds 28-bit DES key registers C & D are rotated once in round 2 and twice in round 3 Discernable features typically caused by conditional jumps based on key bits and computational intermediates Slide 9 Simple Power Analysis Experimental Results An even higher resolution view shows details of a single clock cycle Comparison of trace through two regions shows visible variations between clock cycles caused by different processor instructions Upper trace shows where a jump instruction is performed Lower trace shows where a jump instruction is not performed Slide 10 Simple Power Analysis Motivation for Prevention Because SPA can reveal the sequence of instructions executed, it can be used to break cryptographic implementations in which the execution path depends on the data being processed, such as DES key schedule computations DES permutations Comparisons Multipliers Exponentiators Prevention Techniques Avoid procedures that use secret intermediates or keys for conditional branching operations Creative coding, performance penalty Implement hard-wired symmetric cryptographic algorithms in hardware Small power consumption variations Slide 11 Differential Power Analysis Theory In addition to large-scale power variations addressed by SPA, there are effects correlated to the specific data values that are being manipulated Using statistical functions tailored to the target algorithm, these much smaller variations can be detected Slide 12 Differential Power Analysis Detailed Theory A DPA selection function, D(C,b,Ks), computes the value of bit 0 b < 32 of the DES intermediate L at the beginning of the 16 th round C is ciphertext Ks is the 6 key bits entering the S box corresponding to bit b To implement, an attacker Observes m encryption operations Captures m traces, each with k samples Records m ciphertext values Slide 13 Differential Power Analysis Detailed Theory Using the observation, the attacker computes a k-sample differential trace [1..k] by finding the difference between the average of the traces for which D(C,b,Ks) is one and the average of the traces for which D(C,b,Ks) is zero For each sample, the differential trace [j] is the average over the measured ciphertexts of the effect caused by the selector function D(C,b,Ks) on the power consumption measurement at the sample point If Ks is incorrect, the probability that D will yield the correct bit b is , so the trace components and D are uncorrelated. The result is that [j] approaches zero for large m. If Ks is correct, the computed value for D will equal the actual value of the target bit b with probability 1, making the selection function correlated to the bit. The result will be spikes in the differential trace where D is correlated to the value being processed. Slide 14 Differential Power Analysis Claim The correct Ks can be identified from the spikes in the differential trace. Four values of b correspond to each S box, providing confirmation of key block guesses. Finding all 8 key block guesses yields the entire 48-bit round subkey. The remaining 8 key bits can be found by trial-and-error or by analyzing an additional round. Slide 15 Differential Power Analysis Experimental Results The figure shows 4 traces prepared using known plaintexts entering a DES encryption function The top trace is power reference Next trace is a correct key block guess Last two traces are incorrect key block guesses m = 1000 samples Slide 16 Differential Power Analysis Experimental Results A more detailed view shows the average effect of a single bit on detailed power consumption measurements Reference power consumption trace is on top Standard deviation of power consumption measurements is next Differential trace is last m = 10,000 Slide 17 Differential Power Analysis Prevention Reduce signal sizes (still vulnerable to attacker with infinite samples) Constant execution path code Choose operations that leak less information in their power consumption Balance hamming weights and state transitions Physically shielding the device Introduce noise into power consumption measurements Randomize execution timing and order Design cryptosystems with realistic assumptions about the underlying hardware Nonlinear key update procedures can be employed to ensure that power traces cannot be correlated between transactions Hashing Aggressive use of exponent and modulus multiplication processes Prevent attacker from gathering large numbers of samples Slide 18 Comments Pros Innovative concepts, given the timeframe of the paper The authors successfully demonstrate that power analysis attacks are a real security vulnerability that must be considered in new designs and fielded devices Cons The authors claim that the attacks are (or can be) effective even if nothing is known about the encryption implementation; however, no evidence of this is presented Likely due to the pioneering nature of the paper, it lacked the level of detail I would have desired Discussion of how to come up with a selection function? Quantitative comparisons for hardware vs. software implementations? Demonstration of performance improvement for suggested prevention methods? Slide 19 Questions? Contact information: Michelle Dickson michelle.k.dickson@lmco.com mkdickso@iastate.edu michelle.k.dickson@lmco.com mkdickso@iastate.edu