Key Update Countermeasure for Correlation-Based Side-Channel Attacks Yutian Gui, Suyash Mohan Tamore, Ali Shuja Siddiqui & Fareena Saqib Journal of Hardware and Systems Security ISSN 2509-3428 J Hardw Syst Secur DOI 10.1007/s41635-020-00094-x 1 23 Your article is protected by copyright and all rights are held exclusively by Springer Nature Switzerland AG. This e-offprint is for personal use only and shall not be self- archived in electronic repositories. If you wish to self-archive your article, please use the accepted manuscript version for posting on your own website. You may further deposit the accepted manuscript version in any repository, provided it is only made publicly available 12 months after official publication or later and provided acknowledgement is given to the original source of publication and a link is inserted to the published article on Springer's website. The link must be accompanied by the following text: "The final publication is available at link.springer.com”. 1 23 Author's personal copy Journal of Hardware and Systems Security https://doi.org/10.1007/s41635-020-00094-x Key Update Countermeasure for Correlation-Based Side-Channel Attacks Yutian Gui1 · Suyash Mohan Tamore1 · Ali Shuja Siddiqui1 · Fareena Saqib1 Received: 14 January 2020 / Accepted: 13 April 2020 © Springer Nature Switzerland AG 2020 Abstract Side-channel analysis is a non-invasive form of attack that reveals the secret key of the cryptographic circuit by analyzing the leaked physical information. The traditional brute-force and cryptanalysis attacks target the weakness in the encryption algorithm, whereas side-channel attacks use statistical models such as differential analysis and correlation analysis on the leaked information gained from the cryptographic device during the run-time. As a non-invasive and passive attack, the side-channel attack brings a lot of difficulties for detection and defense. In this work, we propose a key update scheme as a countermeasure for power and electromagnetic analysis-based attacks on the cryptographic device. The proposed countermeasure utilizes a secure coprocessor to provide secure key generation and storage in a trusted environment. The experimental results show that the proposed key update scheme can mitigate side-channel attacks significantly. Keywords Hardware security · Side-channel attack · Correlation power analysis · Electromagnetic analysis · Trusted Platform Module 1 Introduction external leaked information, such as power consumption, electromagnetic radiation, and time delay. Besides, the side- The side-channel attacks can steal the secret key used in channel attack is passive which has become a critical threat the encryption engine [1]. During execution, the leakage to the security of cryptographic chips and devices. of physical information (a.k.a. side-channel) is inevitable To mitigate the risk of side-channel attacks, countermea- and can be utilized to reveal the information based on the sures such as message hiding [2] and masking technique fundamental principle that there is a correlation between the [3, 4] are presented in the literature. The objective of such side-channel leakage and the internal state of the processing techniques is to increase the time required to reveal the device, which is related to the secret information. In contrast secret key thereby protect cryptographic implementations to invasive attacks which require direct access to the internal from different side-channel attacks. components in the chip, the side-channel attack exploits In this work, we propose a key update scheme with the integration of a secure coprocessor on the hardware- based implementation of the Advanced Encryption Standard (AES) to increase the resilience to different side-channel Yutian Gui attacks. [email protected] Contributions This paper makes the following contribu- Suyash Mohan Tamore tions: [email protected] 1. We have applied the correlation power analysis (CPA) Ali Shuja Siddiqui [email protected] attack and the correlation electromagnetic analysis (CEMA) attack on hardware-based AES-128 and Fareena Saqib revealed the secret key successfully to show the [email protected] effectiveness of side-channel attacks. 2. We present a flexible key update scheme and prove 1 The University of North Carolina at Charlotte, that the proposed scheme makes the design resilient to Charlotte, NC 28223, USA side-channel attacks by experiments. Author's personal copy J Hardw Syst Secur 3. We integrate the Trusted Platform Module (TPM) chip supports three key lengths (128, 192, and 256) to meet with the FPGA fabric to generate and store secret keys different requirements of security strength, using 10, 12, in a secure environment for protecting the keys used for and 14 rounds of transformations respectively. AES is encryption. widely used in many areas, such as communication and data storage. In this paper, AES-128 is used as the target for exploring the resilience to side-channel attacks and the Paper organization The paper is organized as follows. effectiveness of proposed countermeasures. Section 2 introduces related work, and Section 3 describes Figure 1 shows the encryption process of AES-128. the attack model. Section 4 explains the proposed coun- Firstly, the key is expanded to a unique pseudo-random termeasure. The experimental setup and the result are key for each round. There are four operations in the AES presented in Sections 5 and 6. The security analysis is fur- algorithm that adds to confusion and diffusion to make the nished in Sections 7 and 8 discusses limitations. Finally, algorithm resilient to linear and differential cryptanalysis: conclusions are drawn in Section 9. – SubBytes: Byte-by-byte substitution with a 16x16 lookup table name S-box. 2 Related Works – ShiftRows: A cyclic shifting in each row by a certain offset. 2.1 AES Encryption – MixColumns: A mix-up of the bytes in each column separately. AES is a US National Institute of Standards and Technology – AddRoundkey: Add the round key to the output of the (NIST) standard for symmetric encryption [5]. AES previous step. Fig. 1 AES-128 encryption process Author's personal copy JHardwSystSecur In AES encryption, each round performs all four steps attack on a smart card chip implementing DES encryption. except the last round which only performs SubBytes, Bu et al. [12] modify the EM attack to decrease the number ShiftRows, and AddRoundKey operations. of total traces required to extract key information using a pre-processing technique which reduces noise levels. 2.2 Side-Channel Attack Countermeasures for side-channel attacks are classified as hiding technique and masking technique that eliminate or The side-channel attack (SCA) targets physical leaked reduce the correlation of side-channel and the bit switches. information. The device during execution leaks physical The hiding technique aims at reducing the signal-to-noise information, which can be used for revealing the internal ratio (SNR) for leaked information [13] which can be real- operation processed on the device thereby stealing the ized by randomization or equalization. Madlener et al. [14] secret non-invasively, including power consumption [6, 7], apply shuffling techniques to GF(2n) and propose a ran- electromagnetic radiation [7, 8], time delay [1, 9], and domized multiplication scheme by rescheduling algorithm. temperature [10]. In [15], Huss et al. propose a new countermeasure based on Power consumption side-channel information can be the nature of reconfiguration of FPGA for SCA mitigation. used for attacking the encryption engine during computing The physical architecture of the implementation is reconfig- extensive operations that produce power transients for urable so that the dynamic power variation is randomized each encryption round. The power consumption of a along with the change of data path. For equalization tech- device depends on the processed data and the executed niques, the core idea is to achieve equal power consumption instructions. The power analysis collects the real-time at each moment for SCA mitigation. By using dual-rail power consumption of encryption and builds different pre-charge logic [16], the glitch will be remove; therefore, mathematical models to find the correlation between the the dynamic power consumption is equalized to a constant variation of power and hardware operations on the victim value. This technique is also applied in sense amplifier- device thereby reveal the secret key. There are several power based logic (SABL) [17] and wave dynamic differential analysis attacks, including: logic (WDDL) [18]. Applying key update scheme on cryptographic imple- – Simple power analysis (SPA): A power analysis me- mentation has also been explored by existing works. Instead thod which extracts the secret key by looking at of relying on one, [19] demonstrates a security model that the variation of power consumption directly. SPA is switches the secret key randomly to increase the leakage inefficient when the noise is huge or on the hardware- resiliency. However, the proposed framework is imple- based implementation because of its parallel nature mented on the software level and the strength of resilience [6]. is not provided. In [20], Medwed et al. propose a re-keying – Differential power analysis (DPA): An advanced power scheme that uses a key derivation function to generate ran- analysis which uses statistical analysis to reduce the dom session keys for every block of the message to prevent noise and find the correlation between the power the DPA attack. To meet the demand for multi-party com- consumption and the key information even the power munication, this scheme is modified in [21] which presents variation is very small [6]. a multi-party key generation process for all the nodes in the – Correlation power analysis (CPA): A more efficient network. In [22], Xi et al. replace the arithmetic key update attack which uses hamming weight to build the model function with a strong physically unclonable function (PUF) and Pearson coefficient to evaluate the correlation to provide the resilience to power analysis. between the hypothetical model and the actual power In contrast to hiding techniques, masking techniques consumption.