
Publication


Featured research published by Mario Kirschbaum.


cryptographic hardware and embedded systems | 2010

Algebraic side-channel analysis in the presence of errors

Yossef Oren; Mario Kirschbaum; Thomas Popp; Avishai Wool

Measurement errors make power analysis attacks difficult to mount when only a single power trace is available: the statistical methods that make DPA attacks so successful are not applicable, since they require many (typically thousands of) traces. Recently it was suggested by [18] to use algebraic methods for the single-trace scenario, converting the key recovery problem into a Boolean satisfiability (SAT) problem and then using a SAT solver. However, this approach is extremely sensitive to noise (tolerating an error rate of well under 1% at most), and the question of its practicality remained open. In this work we show how a single-trace side-channel analysis problem can be transformed into a pseudo-Boolean optimization (PBOPT) problem, which takes errors into consideration. The PBOPT instance can then be solved using a suitable optimization problem solver. The PBOPT syntax provides a more expressive input specification, which allows a very natural representation of measurement errors. Most importantly, we show that using our approach we are able to mount successful and efficient single-trace attacks even in the presence of realistic error rates of 10%-20%. We call our new attack methodology Tolerant Algebraic Side-Channel Analysis (TASCA). We show practical attacks on two real ciphers: Keeloq and AES.
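As an added illustration of the SAT-versus-PBOPT point (written for this page, not taken from the paper or its tools), the following Python toy models one trace of a 16-bit-key cipher that leaks the Hamming weight of every S-box input and output, injects two measurement errors, and compares exact matching with cost-minimising matching. The cipher, S-box, key, plaintext and error positions are all constructed, and brute force over the 16-bit key space stands in for the SAT/PBOPT solver.

```python
"""Toy tolerant algebraic side-channel analysis (TASCA-style).

Constructed illustration written for this page, not the paper's code.
A toy cipher with a 16-bit key leaks the Hamming weight (HW) of every S-box
input and output in ONE trace. Exact (SAT-style) matching demands that every
leak agree with the model, so a single measurement error rejects the true
key; the tolerant variant scores keys by the number of violated leak
constraints and keeps those within an error budget, which is the role the
PBOPT solver plays in the paper. Brute force stands in for the solver here
and is only feasible because the key is 16 bits.
"""
import random

ROUNDS = 6
_rng = random.Random(1)
SBOX = list(range(256))          # constructed S-box: fixed pseudo-random permutation
_rng.shuffle(SBOX)


def hw(x: int) -> int:
    """Hamming weight."""
    return bin(x).count("1")


def encrypt_with_leaks(plaintext: int, key: int):
    """Toy cipher: ROUNDS rounds of state = SBOX[state ^ round_key], with the
    round key alternating between the two key bytes. Returns (ciphertext,
    leaks); leaks is the HW of every S-box input and output, i.e. what a
    noise-free single trace reveals under a Hamming-weight leakage model."""
    round_keys = [(key >> 8) & 0xFF, key & 0xFF]
    state = plaintext & 0xFF
    leaks = []
    for r in range(ROUNDS):
        sbox_in = state ^ round_keys[r % 2]
        state = SBOX[sbox_in]
        leaks.extend((hw(sbox_in), hw(state)))
    return state, leaks


def inject_errors(leaks, positions):
    """Constructed measurement errors: each chosen leak is off by one."""
    noisy = list(leaks)
    for p in positions:
        noisy[p] = noisy[p] + 1 if noisy[p] < 8 else noisy[p] - 1
    return noisy


def score_keys(plaintext: int, observed, budget: int) -> dict:
    """Score every 16-bit key by the number of leak constraints it violates
    and return {key: cost} for keys within the error budget. budget=0 is the
    exact (SAT) formulation; budget>0 is the tolerant (PBOPT) formulation,
    where a real solver would minimise the cost instead of enumerating keys."""
    surviving = {}
    for k in range(1 << 16):
        model = encrypt_with_leaks(plaintext, k)[1]
        cost = sum(1 for m, o in zip(model, observed) if m != o)
        if cost <= budget:
            surviving[k] = cost
    return surviving


def demo(key=0xBEEF, plaintext=0x3C, error_positions=(1, 7)):
    """Attack one trace, clean and with two of its twelve leaks wrong (~17%)."""
    _, clean = encrypt_with_leaks(plaintext, key)
    noisy = inject_errors(clean, error_positions)
    exact_clean = score_keys(plaintext, clean, budget=0)
    exact_noisy = score_keys(plaintext, noisy, budget=0)
    tolerant = score_keys(plaintext, noisy, budget=len(error_positions))
    return {
        "key_in_exact_clean": key in exact_clean,
        "key_in_exact_noisy": key in exact_noisy,      # False: SAT rejects the true key
        "true_key_cost": tolerant.get(key),           # equals the number of injected errors
        "tolerant_min_cost": min(tolerant.values()),
        "tolerant_candidates": len(tolerant),
    }


if __name__ == "__main__":
    print(demo())
```

With two of twelve leaks wrong (an error rate inside the paper's 10%-20% band), the exact formulation no longer admits the true key, while the tolerant formulation keeps it at cost 2 alongside any other key that violates at most two constraints. A real PBOPT solver returns such minimum-cost assignments directly and scales to full-size keys, which the enumeration here does not.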


IEEE Transactions on Very Large Scale Integration Systems | 2012

Masked Dual-Rail Precharge Logic Encounters State-of-the-Art Power Analysis Methods

Amir Moradi; Mario Kirschbaum; Thomas Eisenbarth; Christof Paar

The latest evaluation of the state-of-the-art iMDPL logic style has shown small information leakage compared to its predecessor MDPL. Concurrently, new advanced power analysis attacks specifically targeting iMDPL have been proposed. Up to now, these attacks have been purely theoretical and have not been applied to an implementation. We present a comprehensive analysis of iMDPL, backed by real measurements collected from a 180 nm iMDPL prototype chip. We thoroughly study the extent of the remaining information leakage of iMDPL by applying all relevant attacks. Our investigation shows the vulnerability of the target device, a standalone AES core, to several of the advanced attack methods. In comparison to conventional power analysis attacks, the advanced attacks need fewer power measurements to obtain meaningful results. With the help of logic-level simulations, routing imbalances between complementary mask trees are identified as a major source of leakage.


smart card research and advanced application conference | 2010

Side-Channel leakage across borders

Jörn-Marc Schmidt; Thomas Plos; Mario Kirschbaum; Michael Hutter; Christoph Herbst

More and more embedded devices store sensitive information that is protected by means of cryptography. The confidentiality of this data is threatened by information leakage via side channels like the power consumption or the electromagnetic radiation. In this paper, we show that the side-channel leakage in the power consumption is not limited to the power-supply lines and that any input/output (I/O) pin can carry secret information. The amount of leakage depends on the design and on the state of the I/O pin. All devices that we examined leaked secret information through their I/O pins. This implies that any I/O pin that is accessible to an adversary could be a security hole. Moreover, we demonstrate that the leakage is prevented neither by transmitter/receiver circuits as they are used in serial interfaces, nor by a galvanic isolation of a chip and its output signals via optocouplers. An adversary that is able to manipulate, for example, the pins of a PC's I/O port can attack any device that is connected to this port without being detected from the outside.


annual computer security applications conference | 2010

SCA-resistant embedded processors: the next generation

Stefan Tillich; Mario Kirschbaum; Alexander Szekely

Resistance against side-channel analysis (SCA) attacks is an important requirement for many secure embedded systems. Microprocessors and microcontrollers which include suitable countermeasures can be a vital building block for such systems. In this paper, we present a detailed concept for building embedded processors with SCA countermeasures. Our concept is based on ideas for the secure implementation of cryptographic instruction set extensions. On the one hand, it draws from known SCA countermeasures like DPA-resistant logic styles. On the other hand, our protection scheme is geared towards use in modern embedded applications like PDAs and smart phones. It supports multitasking and a separation of secure system software and (potentially insecure) user applications. Furthermore, our concept affords support for a wide range of cryptographic algorithms. Based on this concept, embedded processor cores with support for a selected set of cryptographic algorithms can be built using a fully automated design flow.


international workshop constructive side-channel analysis and secure design | 2012

Exploiting the difference of side-channel leakages

Michael Hutter; Mario Kirschbaum; Thomas Plos; Jörn-Marc Schmidt; Stefan Mangard

In this paper, we propose a setup that improves the performance of implementation attacks by exploiting the difference of side-channel leakages. The main idea of our setup is to use two cryptographic devices and to measure the difference of their physical leakages, e.g., their power consumption. This increases the signal-to-noise ratio of the measurement and reduces the number of power-consumption traces needed for an attack to succeed. The setup is most efficiently applied (but is not limited to) in scenarios where two synchronous devices are available for analysis. By applying template-based attacks, only a few power traces are required to successfully identify weak but data-dependent leakage differences. In order to quantify the efficiency of our proposed setup, we performed practical experiments by designing three evaluation boards that carry different cryptographic implementations. The results of our investigations show that the number of needed traces can be reduced by up to 90%.
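Added simulation, not the paper's setup or code, of why a differential measurement raises the signal-to-noise ratio: two devices run in lockstep, one processing attacker-chosen data and one a fixed reference value, and the noise that both channels share cancels in the difference. The noise magnitudes, the reference value and the leakage model (Hamming weight of an 8-bit intermediate) are assumptions made for the example.

```python
"""Constructed simulation of the two-device differential measurement.

Written for this page, not the paper's code. Devices A and B run the same
operation in lockstep; A processes attacker-chosen data, B a fixed reference
value. A trace point is HW(intermediate) + common-mode noise that both
channels share (supply ripple, environment, probe pickup) + independent
noise per device. Measuring A alone keeps the common-mode noise; measuring
A - B cancels it at the price of doubling the independent noise, so the
signal-to-noise ratio var(signal)/var(noise) of the difference trace is far
higher and a CPA needs fewer traces. The noise magnitudes are assumptions.
"""
import math
import random
import statistics


def hw(x: int) -> int:
    return bin(x).count("1")


def simulate(n_traces=600, sigma_common=2.0, sigma_indep=0.2, seed=1234):
    """Return (snr_single, snr_difference) for one leaking 8-bit intermediate.
    Device B always processes 0x00, so A - B still carries A's data-dependent
    signal."""
    rng = random.Random(seed)
    ref = hw(0x00)
    signal, single, diff = [], [], []
    for _ in range(n_traces):
        v = rng.randrange(256)
        common = rng.gauss(0, sigma_common)          # shared by both channels
        leak_a = hw(v) + common + rng.gauss(0, sigma_indep)
        leak_b = ref + common + rng.gauss(0, sigma_indep)
        signal.append(hw(v))
        single.append(leak_a)                        # single-ended measurement of A
        diff.append(leak_a - leak_b)                 # differential measurement
    var_signal = statistics.variance(signal)
    noise_single = [m - s for m, s in zip(single, signal)]
    noise_diff = [m - (s - ref) for m, s in zip(diff, signal)]
    return (var_signal / statistics.variance(noise_single),
            var_signal / statistics.variance(noise_diff))


def model_correlation(snr: float) -> float:
    """Correlation a CPA with an exact Hamming-weight model can reach at a
    given SNR: rho = sqrt(SNR / (1 + SNR)). The number of traces a CPA needs
    grows roughly with 1 / rho^2, which is where the trace reduction comes from."""
    return math.sqrt(snr / (1.0 + snr))


if __name__ == "__main__":
    s, d = simulate()
    print(f"SNR single-ended: {s:.2f} (rho {model_correlation(s):.2f}); "
          f"SNR differential: {d:.2f} (rho {model_correlation(d):.2f})")
```

The simulation isolates only the common-mode cancellation. In the setup described above the second device also processes data and the small data-dependent leakage differences are picked out with templates, which this example does not model; and if the two devices are not synchronous, the subtraction no longer aligns the leaking operations and the benefit disappears.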


radio frequency identification security and privacy issues | 2013

Analyzing Side-Channel Leakage of RFID-Suitable Lightweight ECC Hardware

Erich Wenger; Thomas Korak; Mario Kirschbaum

Using RFID tags for security critical applications requires the integration of cryptographic primitives, e.g., Elliptic Curve Cryptography (ECC). It is especially important to consider that, due to their fields of application, RFID tags are easily accessible for practical side-channel attacks. In this paper, we investigate a practical attack scenario on a randomized ECC hardware implementation suitable for RFID tags. This implementation uses a Montgomery Ladder, Randomized Projective Coordinates (RPC), and a digit-serial hardware multiplier. By using different analysis techniques, we are able to recover the secret scalar while using only a single power trace. One attack correlates two consecutive Montgomery ladder rounds, while another attack directly recovers intermediate operands processed within the digit-serial multiplier. All attacks are verified using a simulated ASIC model and an FPGA implementation.
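Added illustration, not the paper's attack implementation, of why two consecutive Montgomery ladder rounds can be correlated in a single trace: the register that gets doubled in a round is selected by the scalar bit and was written in the previous round. Assumptions made for the example: affine secp256k1 arithmetic stands in for the digit-serial projective implementation, leakage is the noise-free Hamming weight of each byte of the x-coordinate, and any coordinate randomisation is applied once before the ladder so register contents persist across rounds.

```python
"""Constructed single-trace attack on Montgomery-ladder register reuse.

Illustration written for this page, not the paper's attack code. In each
ladder round the point that gets doubled is the register R_b selected by the
scalar bit b, and that register was written in the previous round. A single
trace therefore contains, round by round, the leakage of the doubling operand
and, one round earlier, the leakage of both candidate registers; matching
the two recovers b. Assumptions: affine secp256k1 arithmetic stands in for
the paper's digit-serial projective implementation, leakage is the
noise-free Hamming weight of each byte of the x-coordinate, and any
coordinate randomisation is applied once before the ladder so that register
contents persist from one round to the next.
"""
P = 2**256 - 2**32 - 977          # secp256k1 field prime, curve y^2 = x^3 + 7
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
G = (GX, GY)


def on_curve(pt) -> bool:
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def add(p1, p2):
    """Affine addition (doubling when p1 == p2). No point-at-infinity
    handling: the ladder below never hits it for scalars with a leading 1."""
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def leak(pt):
    """Leakage model: Hamming weight of every byte of the x-coordinate."""
    return tuple(bin(b).count("1") for b in pt[0].to_bytes(32, "big"))


def ladder_with_trace(k: int, base=G):
    """Montgomery ladder for k*base. Returns the result and the trace:
    per round (leak of doubling operand, leak of R0 written, leak of R1
    written); round 0 holds the initial register contents."""
    bits = bin(k)[3:]                   # strip '0b' and the leading 1 bit
    r0, r1 = base, add(base, base)
    trace = [(None, leak(r0), leak(r1))]
    for b in bits:
        if b == "0":
            operand = r0                # R0 is doubled, R1 = R0 + R1
            r1 = add(r0, r1)
            r0 = add(r0, r0)
        else:
            operand = r1                # R1 is doubled, R0 = R0 + R1
            r0 = add(r0, r1)
            r1 = add(r1, r1)
        trace.append((leak(operand), leak(r0), leak(r1)))
    return r0, trace


def recover_scalar(trace) -> str:
    """Attacker: the doubling operand of round i must match R0 or R1 as
    written in round i-1; which one it matches is the scalar bit."""
    bits = ["1"]
    for i in range(1, len(trace)):
        operand, (_, prev_r0, prev_r1) = trace[i][0], trace[i - 1]
        if operand == prev_r0 and operand != prev_r1:
            bits.append("0")
        elif operand == prev_r1 and operand != prev_r0:
            bits.append("1")
        else:
            bits.append("?")            # leakage collision: undecidable from this round alone
    return "".join(bits)


def demo(k=0xDEADBEEFCAFEF00D):
    """Returns (recovered bits match the scalar, k*G)."""
    result, trace = ladder_with_trace(k)
    return recover_scalar(trace) == bin(k)[2:], result


if __name__ == "__main__":
    print(demo()[0])
```

The noise-free model makes the match exact; on a real trace the comparison becomes a correlation between the two leakage segments, and a collision of the two register leakages (the "?" branch) has to be resolved from other rounds. The countermeasure implied by the example is to re-randomise the projective representation at every round, so that nothing written in round i-1 is recognisable when it is read in round i.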


availability, reliability and security | 2013

On Secure Multi-party Computation in Bandwidth-Limited Smart-Meter Systems

Mario Kirschbaum; Thomas Plos; Jörn-Marc Schmidt

The emergence of decentralized energy production pushes the deployment of smart-grid solutions. While the availability of fine-grained consumption data via smart-meter measurements provides several advantages for energy providers (e.g., grid automation, accurate forecasts), it also raises concerns about the privacy of the users. In this paper we present an efficient and privacy-aware communication protocol for future smart-grid solutions. The protocol is based on secure multi-party computation (SMC) and allows deriving the aggregated consumption data of a group of smart meters without disclosing the consumption data of individual smart meters. Moreover, by using a special initialization phase the communication effort is significantly reduced compared to classical SMC-based approaches. For aggregating the consumption data of 100 smart meters, our proposed protocol requires less than one second when assuming a communication bandwidth of 100 kbit/s.
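Added illustration, not the paper's protocol, of how a one-time initialisation phase can cut the per-round communication of privacy-preserving aggregation: every pair of meters shares a seed once, and afterwards each meter sends a single masked value per round whose masks cancel only in the group total. The trusted setup that distributes the seeds, HMAC-SHA256 as the PRF, the 64-bit modulus and the sample readings are all assumptions of this example.

```python
"""Constructed privacy-preserving aggregation with pairwise cancelling masks.

Illustrative scheme written for this page, not the paper's protocol. A
one-time initialisation phase gives every pair of meters (i, j) a shared
seed; afterwards each round costs one message per meter. In round t, meter i
sends x_i + sum_{j>i} PRF(s_ij, t) - sum_{j<i} PRF(s_ji, t) mod M. The masks
cancel only over the whole group, so the aggregator learns the sum and
nothing about an individual reading unless all other meters collude.
Assumed: a trusted setup distributes the pairwise seeds; HMAC-SHA256 is the PRF.
"""
import hashlib
import hmac
import secrets

MOD = 2**64          # reports live in Z_MOD; real readings are far smaller


def prf(seed: bytes, round_no: int) -> int:
    """Per-round mask share derived from a pairwise seed."""
    tag = hmac.new(seed, round_no.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "big")


def initialise(n: int) -> dict:
    """Initialisation phase (run once): one shared seed per unordered pair."""
    return {(i, j): secrets.token_bytes(32)
            for i in range(n) for j in range(i + 1, n)}


def masked_report(i: int, reading: int, round_no: int, seeds: dict, n: int) -> int:
    """What meter i transmits in round `round_no`: one 64-bit value."""
    mask = 0
    for j in range(n):
        if j == i:
            continue
        share = prf(seeds[(min(i, j), max(i, j))], round_no)
        mask += share if i < j else -share      # partner j applies the opposite sign
    return (reading + mask) % MOD


def aggregate(reports) -> int:
    """Aggregator: the pairwise masks cancel, leaving the sum of readings."""
    return sum(reports) % MOD


def demo(readings=(1530, 870, 2210, 405, 990), round_no=1):
    """One round for a small group of meters; returns (aggregate, reports)."""
    n = len(readings)
    seeds = initialise(n)
    reports = [masked_report(i, x, round_no, seeds, n)
               for i, x in enumerate(readings)]
    return aggregate(reports), reports


if __name__ == "__main__":
    total, reports = demo()
    print("aggregate:", total, "reports:", reports)
```

Two caveats a deployment has to handle that the toy does not: a meter that fails to report leaves its mask shares uncancelled and spoils that round's total until the others reveal the missing shares, and the aggregator learns a single meter's reading if every other meter in the group colludes with it. On the bandwidth side, 100 meters sending 64-bit reports put 6,400 bits on the line per round, well under a tenth of a second at 100 kbit/s; that arithmetic describes this toy scheme, not the paper's measurement.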


Secure Smart Embedded Devices, Platforms and Applications | 2014

Hardware and VLSI Designs

Mario Kirschbaum; Thomas Plos

Efficient and secure hardware implementations have become a very popular topic during the last decades. In this chapter, we discuss the fundamental design approaches to successfully implement integrated circuits (ICs) as well as testing methods and optimization techniques to achieve an adequate solution for various application scenarios. A major topic handled in this chapter is security in the context of hardware implementations. We elaborate on the characteristics of modern CMOS circuits with regard to side-channel attacks and we discuss possible countermeasure approaches against such attacks. Furthermore, we describe a comprehensive practical example of combining cryptographic instruction set extensions with hardware countermeasures on a modern 32-bit processor platform. In the last section of this chapter, we discuss the advantages and drawbacks of implementing test structures in digital circuits with regard to unintentionally opening security holes, as well as the intentional introduction of malicious hardware structures, also called hardware Trojans.


cryptographic hardware and embedded systems | 2007

Evaluation of the Masked Logic Style MDPL on a Prototype Chip

Thomas Popp; Mario Kirschbaum; Thomas Zefferer; Stefan Mangard


IACR Cryptology ePrint Archive | 2009

High-Speed Hardware Implementations of BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein

Stefan Tillich; Martin Feldhofer; Mario Kirschbaum; Thomas Plos; Jörn-Marc Schmidt; Alexander Szekely

Collaboration

Top co-authors of Mario Kirschbaum (all at Graz University of Technology):

Thomas Plos
Jörn-Marc Schmidt
Alexander Szekely
Stefan Tillich
Thomas Popp
Martin Feldhofer
Michael Hutter
Christoph Herbst
Erich Wenger