Professional Documents
Culture Documents
mécanismes cryptographiques
Adrian THILLARD
UPMC, 2019
Paris, France
1/ 1
Part I
Introduction
Outline
Outline
Statistical Tools
Implementation
AES Adversary
Channel
Secrets
Side Channel
Chip Model
Optionnal
Outline
A brief History
1956 : MI5 breaks the encryption system used by the Egyptian Embassy
at London.
Encryption system: machine with rotors from Hagelin family.
Peter Wright suggests to put a microphone in the cipher room.
The sound produced by the machine when the 7 rotors are
initialized indeed gives information on its initial state, then enabling
to get the key and to decipher.
prologue
I 1996: Timing Attacks.
I 1998: Power Analysis.
I 1998: Get the smart card industry aware.
,→ countermeasures implementations.
I 1998: CRI Starts writing patents on countermeasures.
tale
I 2004: Set of patents ready ,→ CRI asks VISA to pay fees
I 2004-2009: court battle
I Sept. 2009: CRI/VISA agreement ,→ VISA agrees to pay
I 2009-20xx: MasterCard, NXP, Infineon, etc. agree to pay
epilogue: in 2020 patents will start to fall...
prologue
I 1996: Timing Attacks.
I 1998: Power Analysis.
I 1998: Get the smart card industry aware.
,→ countermeasures implementations.
I 1998: CRI Starts writing patents on countermeasures.
tale
I 2004: Set of patents ready ,→ CRI asks VISA to pay fees
I 2004-2009: court battle
I Sept. 2009: CRI/VISA agreement ,→ VISA agrees to pay
I 2009-20xx: MasterCard, NXP, Infineon, etc. agree to pay
epilogue: in 2020 patents will start to fall...
prologue
I 1996: Timing Attacks.
I 1998: Power Analysis.
I 1998: Get the smart card industry aware.
,→ countermeasures implementations.
I 1998: CRI Starts writing patents on countermeasures.
tale
I 2004: Set of patents ready ,→ CRI asks VISA to pay fees
I 2004-2009: court battle
I Sept. 2009: CRI/VISA agreement ,→ VISA agrees to pay
I 2009-20xx: MasterCard, NXP, Infineon, etc. agree to pay
epilogue: in 2020 patents will start to fall...
prologue
I 1996: Timing Attacks.
I 1998: Power Analysis.
I 1998: Get the smart card industry aware.
,→ countermeasures implementations.
I 1998: CRI Starts writing patents on countermeasures.
tale
I 2004: Set of patents ready ,→ CRI asks VISA to pay fees
I 2004-2009: court battle
I Sept. 2009: CRI/VISA agreement ,→ VISA agrees to pay
I 2009-20xx: MasterCard, NXP, Infineon, etc. agree to pay
epilogue: in 2020 patents will start to fall...
prologue
I 1996: Timing Attacks.
I 1998: Power Analysis.
I 1998: Get the smart card industry aware.
,→ countermeasures implementations.
I 1998: CRI Starts writing patents on countermeasures.
tale
I 2004: Set of patents ready ,→ CRI asks VISA to pay fees
I 2004-2009: court battle
I Sept. 2009: CRI/VISA agreement ,→ VISA agrees to pay
I 2009-20xx: MasterCard, NXP, Infineon, etc. agree to pay
epilogue: in 2020 patents will start to fall...
prologue
I 1996: Timing Attacks.
I 1998: Power Analysis.
I 1998: Get the smart card industry aware.
,→ countermeasures implementations.
I 1998: CRI Starts writing patents on countermeasures.
tale
I 2004: Set of patents ready ,→ CRI asks VISA to pay fees
I 2004-2009: court battle
I Sept. 2009: CRI/VISA agreement ,→ VISA agrees to pay
I 2009-20xx: MasterCard, NXP, Infineon, etc. agree to pay
epilogue: in 2020 patents will start to fall...
Outline
Practical Issues
Side Channel Analysis: Measurement Setup
Practical Issues
Side Channel Analysis: Measurement Step in details.
1 Which kind of measure (power consumption, electromagnetic
emanations, timing, temperature)?
Practical Issues
Side Channel Analysis: Find points of interest.
Practical Issues
Side Channel Analysis: Find points of interest.
Practical Issues
Side Channel Analysis: Find points of interest.
Outline
Statistics
set of techniques for extracting useful information from data.
References
Fundamentals of Probability and Statistics For Engineers, by
T.T. Song.
Introduction to probability theory and its applications, by W.
Feller.
Mathematical Statistics, by Jun Shao.
pX (x) = Pr(X = x)
Mean X
E [X ] = xPr(X = x)
x
Variance
X X
V [X ] = x 2 Pr(X = x) − ( xPr(X = x))2
x x
Notion of Entropy
Entropy
X
H(X ) = − Pr(X = xi ) log(Pr(X = xi ))
i
Conditional Entropy
X Pr(Y = yj )
H(X | Y ) = Pr(X = xi and Y = yj ) log
Pr(X = xi and Y = yj )
i,j
Mutual Information
MI(X , Y ) = H(Y ) − H(Y | X )
= H(X ) − H(X | Y )
Normal distribution
Normal distribution
Linear Correlation
cov(X ,Y )
Linear correlation between X and Y : ρ(X , Y ) = √ .
Var(X )Var(Y )
It also called Pearson Coefficient.
ρ(X , Y ) = ρ(Y , X ) and ρ(X , Y ) ∈ [−1, 1].
ρ(X , Y ) = 1 implies that X and Y are dependent.
Linear Correlation
cov(X ,Y )
Linear correlation between X and Y : ρ(X , Y ) = √ .
Var(X )Var(Y )
It also called Pearson Coefficient.
ρ(X , Y ) = ρ(Y , X ) and ρ(X , Y ) ∈ [−1, 1].
ρ(X , Y ) = 1 implies that X and Y are dependent.
Part II
Timing
Outline
2 Timing attacks
Timing attack
PIN verification
PIN verification
PIN verification
AES: details
MixColumns
Based on a Permutation/Substitution b1,0 b1,1 b1,2 b1,3
network. Each round is composed of: b2,0 b2,1 b2,2 b2,3
I A byte substitution (SubBytes). b3,0 b3,1 b3,2 b3,3
I A shifting of the bytes (ShiftRows)
ShiftRows
I A matrix product (MixColumns).
I A bitwise addition with the round
key (AddRoundKey).
AES
SubBytes
S-BOX
AES
ShiftRows
AES
MixColumns
AES
AddRoundKey
c
c0,0 0,1 b0,2 c0,3 k0,0 k0,1 k0,2 k0,3 c0,1 ⊕ k0,1 a0
0,3
Mixcolumns Implementation
Implementation method
Logtable
Quickest?
K = 2924BE 84E 16CD6AE 529049F 1F 1BBE 9EB
P = 00555555555555555555555555555555
P = 07555555555555555555555555555555
P = 00555555555555555555555555555555
P = 07555555555555555555555555555555
Conclusion
Part III
Outline
Outline
First Example
Modular exponentiation
RSA algorithm
Mathematical level
RSA primitive
Let p, q be two prime numbers and let N = pq.
Let e, d ∈ Zφ(N) be such that ed = 1 mod φ(N).
Public key PK = (N, e) modulus N, public exponent e
Private key SK = (N, d) private exponent d
Encryption Decryption
c = me mod N m = c d mod N
Signature Verification
?
s = md mod N m = s e mod N
RSA algorithm
Algorithmic level, e.g. Square-and-Multiply
Observation :
i=n
X
d= di 2i = d0 + 2(d1 + 2(d2 + . . . + 2(dn−1 + 2(dn ))) . . .)
i=0
RSA algorithm
Algorithmic level, e.g. Square-and-Multiply
AES algorithm
Algorithmic level, e.g. 8-bit Software Implementation
ByteSub S S S S S S S S S S S S S S S S
Shift Row
MixColumns
AES algorithm
Algorithmic level, e.g. 8-bit Software Implementation
ByteSub S S S S S S S S S S S S S S S S
Shift Row
MixColumns
AES algorithm
Algorithmic level, e.g. 8-bit Software Implementation
ByteSub S S S S S S S S S S S S S S S S
Shift Row
MixColumns
AES algorithm
Algorithmic level, e.g. 8-bit Software Implementation
ByteSub S S S S S S S S S S S S S S S S
Shift Row
MixColumns
AES algorithm
Algorithmic level, e.g. 8-bit Software Implementation
ByteSub S S S S S S S S S S S S S S S S
Shift Row
MixColumns
AES algorithm
Algorithmic level, e.g. 8-bit Software Implementation
ByteSub S S S S S S S S S S S S S S S S
Shift Row
MixColumns
AES algorithm
Algorithmic level, e.g. 8-bit Software Implementation
ByteSub S S S S S S S S S S S S S S S S
Shift Row
MixColumns
AES algorithm
Algorithmic level, e.g. 8-bit Software Implementation
ByteSub S S S S S S S S S S S S S S S S
Shift Row
MixColumns
AES algorithm
Algorithmic level, e.g. 8-bit Software Implementation
ByteSub S S S S S S S S S S S S S S S S
Shift Row
MixColumns
AES algorithm
Algorithmic level, e.g. Hardware Implementation
ByteSub S S S S S S S S S S S S S S S S
Shift Row
MixColumns
AES algorithm
Algorithmic level, e.g. Hardware Implementation
ByteSub S S S S S S S S S S S S S S S S
Shift Row
MixColumns
AES algorithm
Algorithmic level, e.g. Hardware Implementation
ByteSub S S S S S SS S S S S S S S SS S S
Shift Row
MixColumns
Quick Recap
Sensitive Variables
Outline
Leakage Function
The link b/w side-channel traces and sensitive variables
http://hackaday.io/project/956/log/
10108-aes256-is-not-enough-breaking-a-bootloader
Leakage Function
The link b/w side-channel traces and sensitive variables
http://hackaday.io/project/956/log/
10108-aes256-is-not-enough-breaking-a-bootloader
L[?] = `(Sbox(P ⊕ K ))
A. Thillard Sécurité des implémentations
Sensitive Variables
Sensitive Variables, Leakage Function and Model Inference Leakage Functions
Model Inference
Leakage Function
The link b/w side-channel traces and sensitive variables
http://hackaday.io/project/956/log/
10108-aes256-is-not-enough-breaking-a-bootloader
L[i] = `(Sbox(P ⊕ K ))
A. Thillard Sécurité des implémentations
Sensitive Variables
Sensitive Variables, Leakage Function and Model Inference Leakage Functions
Model Inference
Leakage Function
A simple case: Unprotected Square-and-Multiply Algorithm
Leakage Function
Formalism
Leakage Function
Formalism
ti
Si
Li = `i (Si , · · · )
Leakage Function
Formalism
ti
Bi
Si Li = `i (Si , Bi , · · · )
Bi follows an unknown distri-
bution law BSi .
A. Thillard Sécurité des implémentations
Sensitive Variables
Sensitive Variables, Leakage Function and Model Inference Leakage Functions
Model Inference
Leakage Function
Formalism
ti
Bi
Leakage Function
Only Computation Leaks Assumption MicaliReyzin2004
Li = `i (V , Bi )
Leakage Function
Only Computation Leaks Assumption MicaliReyzin2004
Li = `i (V , Bi )
Leakage Function
Independent additive Gaussian Noise Assumption
Li = ϕi (V ) + Bi
with Bi ←- N (µi , σi ).
ϕ() denotes the deterministic part of `()
Quick Recap
Leakage Functions
Quick Recap
Leakage Functions
Outline
Z = S(M + k) Assumption
z1 z2 z3 z4 z5 z6 z7 z8
circuit
register ? ? ? ? ? ? ? ?
Z = O(M + k) Assumption
z1 z2 z3 z4 z5 z6 z7 z8
circuit
register 0 0 0 0 0 0 0 0 0 Precharge
Z = O(M + k) Assumption
z1 z2 z3 z4 z5 z6 z7 z8
circuit
register z?1 z?2 z?3 z?4 z?5 z?6 z?7 z?8 0 Precharge
Linear Regression
energy ε1 ε2 ε3 ε4 ε5 ε6 ε7 ε8 the εi ’s are indep.
Z = O(M + k) Assumption
z1 z2 z3 z4 z5 z6 z7 z8
circuit
register 0 Precharge
z?1 z?2 z?3 z?4 z?5 z?6 z?7 z?8
Linear Regression
energy ε1 ε2 ε3 ε4 ε5 ε6 ε7 ε8 the εi ’s are indep.
Model Inference
Through Side-Channel Observations
Pr [L = x] ∼ pdf L (x)
Model Inference
Through Side-Channel Observations
Pr [L = x] ∼ pdf L (x)
Model Inference
Through Side-Channel Observations
Pr [L = x] ∼ pdf L (x)
Model Inference
Through Side-Channel Observations
Pr [L = x] ∼ pdf L (x)
Model Inference
Through Side-Channel Observations
Ms = E [Ls ]
Model Inference
Through Side-Channel Observations: Examples on real SCA traces
−35
−40
50 100 150 200 250
1st SBox Input Value
Univariate Mean Repartition −− Correlation Peak
−15
Side−Channel Mean
−20
−25
50 100 150 200 250
1st SBox Output Value
Hamming Weight −− Theoretical
8
6
HW(X)
0
50 100 150 200 250
X
A. Thillard Sécurité des implémentations
Sensitive Variables
Sensitive Variables, Leakage Function and Model Inference Leakage Functions
Model Inference
Model Inference
Through Side-Channel Observations
Model Inference
Linear Regression
Model Inference
Through Side-Channel Observations: Examples on real SCA traces
1
0.4
0.3
0.5
0.2
0
0.1
0
−0.5
−0.1
−1
−0.2
0.5 1 1.5 2 2.5 3 3.5 4 4.5 0.5 1 1.5 2 2.5 3 3.5 4 4.5
Model Inference
Through Side-Channel Observations
Quick Recap
Leakage Functions and Leakage Model
L ←- ϕ(V ) + N (µ, σ)
Hypothesis
Hypothesis
For each key candidate k̂, evaluate {predi }i = {m(vi = f (pi , k̂))}i .
For each key candidate k̂, estimate a statistical distance between
{`pi }i and {predi }i .
Output the closest key candidate k̂.
A. Thillard Sécurité des implémentations
Sensitive Variables
Sensitive Variables, Leakage Function and Model Inference Leakage Functions
Model Inference
Hypothesis
For each key candidate k̂, evaluate {predi }i = {m(vi = f (pi , k̂))}i .
For each key candidate k̂, estimate a statistical distance between
{`pi }i and {predi }i .
Output the closest key candidate k̂.
A. Thillard Sécurité des implémentations
Distinguishers
Part IV
Distinguishers
Outline
4 Distinguishers
Perfect Leakage Model
Partly Known Leakage Model
Distinguishers
Introduction
Distinguishers
Introduction
Outline
4 Distinguishers
Perfect Leakage Model
Partly Known Leakage Model
Maximum likelihood
Optimal... when the model is perfectly known
Hypothesis
We have, for any value v = f (p, k) taken by the sensitive variable
Pr[Lp = x | K = k]
Maximum likelihood
Optimal... when the model is perfectly known
In practice:
P
the log-likelihood is used: i≤n log(F (`pi | k)).
the leakage is often assumed to follow a multivariate gaussian
distribution:
1 1
F (`p | k) = p exp − (`p − µv ) · Σ−1v · (`p − µv )T
,
(2π)t/2 det(Σv ) 2
where v = f (p, k) and (µv , Σv ) are respectively the mean vector
and covariance matrix of dimension t.
A. Thillard Sécurité des implémentations
Perfect Leakage Model
Distinguishers
Partly Known Leakage Model
Maximum likelihood
Optimal... when the model is perfectly known
In practice:
P
the log-likelihood is used: i≤n log(F (`pi | k)).
the leakage is often assumed to follow a multivariate gaussian
distribution:
1 1
F (`p | k) = p exp − (`p − µv ) · Σ−1v · (`p − µv )T
,
(2π)t/2 det(Σv ) 2
where v = f (p, k) and (µv , Σv ) are respectively the mean vector
and covariance matrix of dimension t.
A. Thillard Sécurité des implémentations
Perfect Leakage Model
Distinguishers
Partly Known Leakage Model
Maximum likelihood
Optimal... when the model is perfectly known
Remarks
This approach works even when intermediate variables are
secret-only.
F (` | k) for all k ∈ K must be known.
Outline
4 Distinguishers
Perfect Leakage Model
Partly Known Leakage Model
For instance
The leakage model comes from the study of the
technology/design.
The leakage model comes from a linear regression leakage
inference.
Quick Recap
Distinguishers
In practice:
Difference of Means and Correlation are still the most
common distinguishers.
Techniques based on model inference are rising as the attacker
model becomes more and more realistic.
Part V
Side-Channel Attacks
Outline
5 Side-Channel Attacks
Simple Attacks
Advanced Attacks
Side-Channel Attacks
Introduction
Outline
5 Side-Channel Attacks
Simple Attacks
Advanced Attacks
Outline
5 Side-Channel Attacks
Simple Attacks
Advanced Attacks
Collisions-Based attacks:
SchrammWollingerPaar2003, MoradiMischkeEisenbarth2010,
Moradi2012.
I Good alternative when no leakage information is provided.
Kolmogorov-Smirnov Based attacks:
WhitnallOswaldMather2011.
I Good alternative to the MIA.
PPA, EPA, VPA, etc: other attacks exist but are often very ad
hoc ones with no clear advantage to the ”classical” ones.
Evaluation
AVA_VAN.1-2
AVA_VAN.1-2
AVA_VAN.3
AVA_VAN.1-2
AVA_VAN.3
AVA_VAN.4
AVA_VAN.1-2
AVA_VAN.3
AVA_VAN.4
AVA_VAN.5
AVA_VAN.1-2
AVA_VAN.3
AVA_VAN.4
AVA_VAN.5
TOTAL = 15 points !
Vulnérabilité potentielle
Réalisation de l’attaque
dans l’environnement d’exploitation prévue