Lecture 3: Power Analysis
description
Transcript of Lecture 3: Power Analysis
![Page 1: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/1.jpg)
1
Lecture 3: Power Analysis
Information Security – Theory vs. Reality
0368-4474-01, Winter 2011
Guest Lecturer: Yossi Oren
![Page 2: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/2.jpg)
2
Required Reading
http://www.dpabook.orghttp://www.springerlink.com/content/g01q1k
![Page 3: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/3.jpg)
3
Fundamentals
![Page 4: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/4.jpg)
4
Fundamentals
AES Circuit Design Statistics Introduction to Power Analysis
![Page 5: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/5.jpg)
5
The AES Cipher
Plaintext Ciphertext
Key
AES
![Page 6: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/6.jpg)
6
The AES Cipher (2)
Source: http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html
![Page 7: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/7.jpg)
7
The AES Cipher (3)void RijndaelEncrypt( u8 input[16], u8 output[16] )
{[…] for (r=1; r<=9; r++) { ByteSub(state); ShiftRow(state); MixColumn(state); KeyAdd(state, roundKeys, r); }[…]
Source: http://users.ece.utexas.edu/~gerstl/ee382v-ics_f09/soc/tutorials/System_C_Code_Examples_2/date04_examples/cosimulate/sw_only/
![Page 8: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/8.jpg)
8
Statistics 101
⇐ Low Variance
High ⇒ Variance
⇐ Low Correlati
on
High ⇒ Correlati
on
![Page 9: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/9.jpg)
9
PowerVib
ratio n
Timing
Soun
dHeatEM
Side Channel Attacks
Plaintext Ciphertext
Radiation
Crypto Device
KeyBad Inputs Errors
![Page 10: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/10.jpg)
10
Theory of power analysis
Power consumption is variable Power consumption depends on
instruction Power consumption depends on
data
![Page 11: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/11.jpg)
q
Power consumption
Vdd
GND
a q
A
P1C1
C2N1
The power consumption of a CMOS gate depends on the data:
q: 0->0 virtually no power cons.q: 1->1 virtually no power cons.
q: 0->1 high power cons. (proportional to C2) q: 1->0 high power cons. (proportional to C1)
Power Consumption is Variable?
![Page 12: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/12.jpg)
12
Power Consumption is Variable!
Source: DPA Book
![Page 13: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/13.jpg)
13
Power Depends on Instruction
Source: DPA Book
![Page 14: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/14.jpg)
14
Power Depends on Data
Source: DPA Book
![Page 15: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/15.jpg)
15
Q&A (Fundamentals)
•AES•Circuit Design•Statistics
![Page 16: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/16.jpg)
16
Correlation Power Analysis (CPA)
![Page 17: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/17.jpg)
17
Correlation Power Analysis Simple Power Analysis Warm-up Correlation Power Analysis Full Correlation Power Analysis
![Page 18: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/18.jpg)
18
Power Analysis Attack Scenario Plaintexts and ciphertexts may be
chosen, known or unknown
Power
Plaintexts CiphertextsCrypto Device
Key
![Page 19: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/19.jpg)
19
Theory of power analysis
Power consumption is variable Power consumption depends on
instruction Power consumption depends on
data
![Page 20: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/20.jpg)
20
Simple Power Analysis (SPA)
Pros: Small amount of traces
Cons: Detailed reverse engineering Long manual part
![Page 21: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/21.jpg)
21
Differential Power Analysis (DPA) Use statistical properties of traces to
recover key Pros:
Very limited reverse engineering Harder to confuse
Cons: Large amount of traces
Two main types of DPA: Difference of means (traditional DPA) Correlation power analysis (CPA)
![Page 22: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/22.jpg)
22
CPA Basics
We want to discover the correct key value (ck) and when it is used (ct)
Idea: On the correct time, the power
consumption of all traces is correlated with the correct key
On other times and other keys the traces should show low correlation
![Page 23: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/23.jpg)
23
Warm-up CPA
Assume plaintext and correct key are known but correct time is unknown
Form hypothesis and test it Good hypothesis:
Depends on known plaintext Depends on small amount of key bits Non-linear – sensitive to small
changes Maps to power consumption using a
model
![Page 24: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/24.jpg)
24
Warm-up CPA in Numbers1000 traces, each consisting of 1
million points Each trace uses a different known
plaintext – 1000 plaintexts1 known key Hypothesis is vector of 1000
hypothetical power values Output of warm-up CPA: vector of 1
million correlation values with peak at ct
![Page 25: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/25.jpg)
25
Warm-up CPA in Pictures
![Page 26: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/26.jpg)
26
Full CPA
Plaintext is known, but correct key and correct time unknown
Idea: run warm-up CPA many times in parallel
Create many competing hypotheses
![Page 27: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/27.jpg)
27
Full CPA in Numbers
1000 traces, each consisting of 1 million points
Each trace uses a different known plaintext – 1000 plaintexts
Key is unknown – 256 guesses for first byte
Hypothesis is matrix of 1000X256 hypothetical power values
Output of full CPA: matrix of 1,000,000X256 correlation values with peak at (ck,ct)
![Page 28: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/28.jpg)
28
Full CPA in Pictures
![Page 29: Lecture 3: Power Analysis](https://reader036.fdocuments.in/reader036/viewer/2022062302/5681641a550346895dd5d3de/html5/thumbnails/29.jpg)
29
Q&A (CPA)
•Simple Power Analysis•Warm-up Correlation Power Analysis•Full Correlation Power Analysis