Differential Power Analysis attacks on AES

Kevin Meritt

Agenda

• Side Channel Attacks
    o Background
• Power Analysis Attacks
    o Background
    o Overview
    o SPA – Simple Power Analysis
    o AES
    o DPA – Differential Power Analysis
    o CPA – Correlation Power Analysis

Side Channel Attacks

• Exploits information obtained from the physical implementation of a cryptosystem
    o Power consumption, electromagnetic radiation, timing variations
• If side channel data is related to operations involving secret information, that information is vulnerable to attack
• May be used to break cryptosystems with no known weaknesses against attacks at the algorithmic or theoretical level, such as linear and differential cryptanalysis
• Some attacks may require a deeper understanding of the cryptosystem's underlying architecture, while others may treat it as a black box
• Analysis of instantaneous power consumption will be the focus of this presentation

Side Channel Information

Indirect outputs from implementation [1]

Power Analysis Attacks

• Power Analysis Attacks are a type of Side Channel Attack in which an attacker measures the power consumption of a cryptographic device during normal execution
• An attempt is then made to uncover a relationship between the instantaneous power consumption and secret key information
• Statistical methods for power analysis attacks were published by Paul Kocher in 1999
• Original research focused on the vulnerability of DES-based smart cards, leading to the development of DPA-resistant devices
    o Not simply a theoretical attack
    o Successful attacks have been mounted on existing devices to reveal secret key information, creating a serious risk to security
    o Enables the creation of duplicate cards, fraudulent payments, identity theft, etc.

Power Analysis Attack Basic Steps

• Identify
    o Determine a relationship between secret key information and instantaneous power consumption
    o Determine the required inputs to the system, the output values to be measured, and when to capture them
• Extract
    o Develop a method of extracting the state of the relationship information
    o Collections of measurements, called traces, can be made in a non-invasive manner while a system performs a cryptographic operation
• Evaluate
    o Use the extracted information to determine all or part of the secret key information

Simple Power Analysis

• The attacker directly observes the power trace waveform to identify large, noticeable features and mark regions of interest
    o Block cipher rounds, individual operations, instructions, etc.
    o Timing differences
    o Conditional branches
    o Example: RSA implementations may be broken by identifying differences between squaring and multiplication operations
• SPA is relatively easy to deter
    o Avoid conditional execution that depends on secret information
    o High frequency, low power operation
    o Parallelization may obscure individual operations

SPA Attack on RSA implementation

RSA Conditional Branch

Power Trace for Advanced Encryption Standard

10 rounds of AES-128

Differential Power Analysis (DPA)

• Uses statistical methods to find small variations that may be overshadowed by noise or measurement errors
• Exploits information obtained from the physical implementation of a cryptosystem

Differential Power Analysis Attack

• The selection function D(C, b, Ks) computes the value of target bit b, given ciphertext C and key guess Ks
• Collect m power traces of k samples each, T1:m[1:k], and the corresponding ciphertext values C1:m
• Sort the data into two groups:
    o D(C, b, Ks) = 0
    o D(C, b, Ks) = 1
• If the key guess Ks is correct, the average power trace for D(C, b, Ks) = 1 will be slightly higher at the point of correlation and the average trace for D(C, b, Ks) = 0 will be slightly lower
• If the key guess Ks is incorrect, D(C, b, Ks) will equal the correct bit value with probability P = ½, yielding average traces that are approximately equal

“Difference of means” DPA Attack

• The differential trace ΔD[j] is computed as the difference between the two average traces
    o For an incorrect key guess Ks, ΔD should approach zero
    o For a correct key guess Ks, ΔD should approach the target bit's power contribution at the correlated sample(s)

Advanced Encryption Standard

AES Round Transformations [5]

Differential Power Analysis on AES

• Select an intermediate bit to analyze
    o Target the S-box in the final round
• Since SubBytes operates on each byte independently, each key byte can be attacked on its own
    o The S-box output is XORed with the final round key value to produce the ciphertext byte
• Collect power traces and the corresponding ciphertext values
• Compute the intermediate value
    o The ciphertext value is known
    o Make a guess for the key byte
• Partition the power traces into 2 sets
    o One set where the computed bit is “1” and another where the bit is “0”
• Compute the average of each set
• Compute the difference between the averages
    o If the average depends on the selected bit, and the bit “leaks”, then a correlation will be seen
• Repeat for the other 255 key byte guesses using the same power measurements

DPA Evaluation Process

DPA with correct key guess

DPA Evaluation Process (cont’d)

DPA with incorrect key guess

Correlation Power Analysis on AES

• An extension of DPA in which a model of the power consumption is created for use in the analysis phase of an attack
• The model needs to approximate the power consumption of the target cryptographic device during an encryption operation
• The power predicted by the model is then correlated with the actual measured power consumption under each key hypothesis
• The highest peak of the correlation plot gives the correct key hypothesis

Power Models

• Hamming weight model – assumes the amount of power consumed is proportional to the number of bits that are logic '1' during an operation
    o The greater the number of bits that are set, the larger the amount of power consumed
• Hamming distance model – assumes the number of logic transitions during a cryptographic operation is proportional to the power consumption
    o If a bit is static during an operation, it is assumed not to contribute to the power
    o Assumes that '0' to '1' and '1' to '0' transitions consume the same amount of power

CPA using Pearson’s Correlation Coefficient

• ρ reflects the degree of linear relationship between two variables X and Y
• Covariance – a measure of how much two random variables change together
• The coefficient value ranges from +1 to -1
    o +1 indicates a perfect positive linear relationship
    o -1 indicates a perfect negative linear relationship
    o 0 indicates no linear relationship

Pearson’s Sample Correlation Coefficient

• For a series of n measurements of X and Y, the Pearson correlation can be estimated by the sample correlation coefficient rxy:
    rxy = (1 / (n – 1)) Σ ((xi – x̄) / sx) · ((yi – ȳ) / sy), summed over i = 1 … n
• x̄ and ȳ – sample means of x and y
• sx and sy – sample standard deviations of x and y
• xi – measured power samples
• yi – calculated power values from the Hamming distance model
• If a correlation occurs, there will be a spike in the graph for the correct key byte value

Correlation Power Analysis on AES

• Identify the sensitive data register for the attack
    o Target the register in the data path prior to the SubBytes transformation
• Use the Hamming distance power model
    o Data transition of an 8-bit register
• Collect power traces and the corresponding ciphertext values
• Make a guess for the key byte
• Compute the Hamming distance of the data transition for each ciphertext value
• Partition the power traces into groups associated with the calculated Hamming values
• Use Pearson’s sample correlation coefficient to determine the correlation between the power and the sensitive data
    o If a correlation occurs, there will be a spike in the graph for the correct key byte value
• Repeat for the other 255 key byte guesses using the same power measurements

CPA Attack
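As an added, runnable illustration of both the DPA steps and the CPA steps above (this is example code written for this page, not code from the slides or from any cited paper): a pure-Python simulation that builds the AES S-box, generates constructed traces from a device assumed to leak the Hamming weight of the byte entering the final-round S-box (the Hamming-distance model with a cleared register, a simplification), and then recovers the last-round key byte 160 with difference-of-means DPA and with Pearson-correlation CPA. The function names, trace layout, noise level and seed are assumptions.

```python
import random
def make_sbox():  # AES S-box: GF(2^8) inverse followed by the affine map (FIPS 197, section 5.1.1)
    sbox, p, q = [0] * 256, 1, 1
    while True:  # p runs through the powers of 3 and q through the powers of 3^-1, so p * q == 1
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3 in GF(2^8)
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF       # q /= 3 in GF(2^8)
        if q & 0x80: q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)        # q xor its four left rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF                   # fold rotated-out bits, add 0x63
        if p == 1: break
    sbox[0] = 0x63  # 0 has no inverse; only the affine constant remains
    return sbox
SBOX = make_sbox(); INV_SBOX = sorted(range(256), key=SBOX.__getitem__)  # inverse permutation
hw = lambda x: bin(x).count("1")  # Hamming weight of a byte
def simulate_traces(key_byte, m=1000, k=8, leak_sample=3, noise=1.0, seed=7):
    # Constructed traces (an assumption, not a capture): k Gaussian-noise samples per encryption,
    # and sample leak_sample also carries HW(InvSubBytes(C ^ K10)), the byte entering the last S-box.
    rng = random.Random(seed)
    cts = [rng.randrange(256) for _ in range(m)]  # one known ciphertext byte per trace
    traces = [[rng.gauss(0.0, noise) + (hw(INV_SBOX[c ^ key_byte]) if j == leak_sample else 0.0)
               for j in range(k)] for c in cts]
    return cts, traces

def dpa_guess(cts, traces, bit=0):
    # Difference of means: D(C, b, Ks) = bit b of InvSubBytes(C ^ Ks); largest peak in delta D wins
    k, best = len(traces[0]), (0.0, None)
    for ks in range(256):
        sums, counts = [[0.0] * k, [0.0] * k], [0, 0]
        for c, t in zip(cts, traces):
            g = (INV_SBOX[c ^ ks] >> bit) & 1
            counts[g] += 1; sums[g] = [s + v for s, v in zip(sums[g], t)]
        if 0 in counts: continue
        peak = max(abs(sums[1][j] / counts[1] - sums[0][j] / counts[0]) for j in range(k))
        if peak > best[0]: best = (peak, ks)
    return best[1]

def pearson(xs, ys):  # sample correlation coefficient r_xy, as defined on the slides
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx, syy = sum((x - mx) ** 2 for x in xs), sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0

def cpa_guess(cts, traces):
    # CPA: correlate every sample with the Hamming-weight prediction for each of the 256 guesses
    k, best = len(traces[0]), (0.0, None)
    for ks in range(256):
        model = [hw(INV_SBOX[c ^ ks]) for c in cts]
        r = max(abs(pearson([t[j] for t in traces], model)) for j in range(k))
        if r > best[0]: best = (r, ks)
    return best[1]
```

Raising `noise` or lowering `m` in `simulate_traces` shows how the number of traces needed grows as the leak is buried in noise, which is the reason the statistical methods are needed at all.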

Typical AES hardware implementation

AES CPA Correlation

Showing correct key byte guess of 160

References

[1] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” Proceedings of CRYPTO '99, Lecture Notes in Computer Science, vol. 1666, Springer, pp. 388–397, 1999.
[2] F.-X. Standaert, “Introduction to Side-Channel Attacks,” in Secure Integrated Circuits and Systems, Springer, pp. 27–44, 2009.
[3] W. Hnath and J. Pettengill, “Differential Power Analysis Side-Channel Attacks in ,” Major Qualifying Project, Worcester Polytechnic Institute, April 2010.
[4] S. Shah, R. Velegalati, J. Kaps, and D. Hwang, “Investigation of DPA Resistance of Block RAMs in Cryptographic Implementations on FPGAs,” International Conference on Reconfigurable Computing and FPGAs (ReConFig), pp. 274–279, Dec. 2010.
[5] National Institute of Standards and Technology (NIST), U.S. Department of Commerce, “FIPS 197: Advanced Encryption Standard,” Nov. 2001.