Publication


Featured research published by Stefan Mangard.


international conference on the theory and application of cryptology and information security | 2010

The World Is Not Enough: Another Look on Second-Order DPA

François-Xavier Standaert; Nicolas Veyrat-Charvillon; Elisabeth Oswald; Benedikt Gierlichs; Markus Kasper; Stefan Mangard

In a recent work, Mangard et al. showed that under certain assumptions, the (so-called) standard univariate side-channel attacks using a distance-of-means test, correlation analysis and Gaussian templates are essentially equivalent. In this paper, we show that in the context of multivariate attacks against masked implementations, this conclusion does not hold anymore. While a single distinguisher can be used to compare the susceptibility of different unprotected devices to first-order DPA, understanding second-order attacks requires carefully investigating the information leakages and the adversaries exploiting these leakages, separately. Using a framework put forward by Standaert et al. at Eurocrypt 2009, we provide the first analysis that explores these two topics in the case of a masked implementation exhibiting a Hamming weight leakage model. Our results lead to refined intuitions regarding the efficiency of various practically-relevant distinguishers. Further, we also investigate the case of second- and third-order masking (i.e. using three and four shares to represent one value). This evaluation confirms that higher-order masking only leads to significant security improvements if the secret sharing is combined with a sufficient amount of noise. Eventually, we show that an information theoretic analysis allows determining this necessary noise level, for different masking schemes and target security levels, with high accuracy and smaller data complexity than previous methods.


cryptographic hardware and embedded systems | 2007

Evaluation of the Masked Logic Style MDPL on a Prototype Chip

Thomas Popp; Mario Kirschbaum; Thomas Zefferer; Stefan Mangard

MDPL has been proposed as a masked logic style that counteracts DPA attacks. Recently, it has been shown that the so-called early propagation effect might reduce the security of this logic style significantly. In the light of these findings, a 0.13 μm prototype chip that includes the implementation of an 8051-compatible microcontroller in MDPL has been analyzed. Attacks on the measured power traces of this implementation show a severe DPA leakage. In this paper, the results of a detailed analysis of the reasons for this leakage are presented. Furthermore, a proposal is made on how to improve MDPL with respect to the identified problems.


the cryptographers track at the rsa conference | 2012

Localized electromagnetic analysis of cryptographic implementations

Johann Heyszl; Stefan Mangard; Benedikt Heinz; Frederic Stumpf; Georg Sigl

High resolution inductive probes enable precise measurements of the electromagnetic field of small regions on integrated circuits. These precise measurements allow one to distinguish the activity of registers on the circuit that are located at different distances to the probe. This location-dependent information can be exploited in side-channel analyses of cryptographic implementations. In particular, cryptographic algorithms where the usage of registers depends on secret information are affected by side-channel attacks using localized electromagnetic analysis. Binary exponentiation algorithms which are used in public key cryptography are typical examples of such algorithms. This article introduces the concept of localized electromagnetic analysis in general. Furthermore, we present a case study where we employ a template attack on an FPGA implementation of the elliptic curve scalar multiplication to prove that location-dependent leakage can be successfully exploited. Conventional countermeasures against side-channel attacks are ineffective against location-dependent side-channel leakage. As an effective general countermeasure, we promote that the assignment of registers to physical locations should be repeatedly randomized during execution.


IEEE Design & Test of Computers | 2007

Power Analysis Attacks and Countermeasures

Thomas Popp; Elisabeth Oswald; Stefan Mangard

This article focuses on power analysis attacks because they have received by far the most attention in recent years. They are powerful and can be executed relatively easily. This article provides an introduction to these attacks and discusses countermeasures against them. In particular, we focus on countermeasures that can be implemented at the cell level. This article presents an overview of power analysis attacks, which are based on the measurement of the power consumed by cryptographic ICs, and countermeasures against them.


cryptographic hardware and embedded systems | 2007

Power and EM Attacks on Passive 13.56 MHz RFID Devices

Michael Hutter; Stefan Mangard; Martin Feldhofer

During the last years, more and more security applications have been developed that are based on passive 13.56 MHz RFID devices. Among the most prominent applications are electronic passports and contactless payment systems. This article discusses the effectiveness of power and EM attacks on this kind of device. It provides an overview of different measurement setups and it presents concrete results of power and EM attacks on two RFID prototype devices. The first device performs AES encryptions in software, while the second one performs AES encryptions in hardware. Both devices have been successfully attacked with less than 1 000 EM traces. These results emphasize the need to include countermeasures into RFID devices.


the cryptographers track at the rsa conference | 2009

Practical Attacks on Masked Hardware

Thomas Popp; Mario Kirschbaum; Stefan Mangard

In this paper we analyze recently introduced questions for masked logic styles in general and for one such logic style called MDPL in particular. The DPA resistance of MDPL suffers significantly from a problem called early propagation, which denotes a data-dependent time of evaluation of logic cells depending on input signal-delay differences. Experiments on a prototype chip show that in case of specific MDPL modules like the analyzed AES coprocessor, early propagation does not unconditionally break the DPA resistance of MDPL. Investigations indicate that this might be due to the regular structure of the particular MDPL circuit, which is assumed to cause only relatively small signal delay differences. Furthermore, in this article it is shown that the recently proposed, so-called PDF-attack could not be turned into a successful practical attack in our environment. Finally, the recently raised question whether MDPL has special requirements in terms of the generation of random mask bits or not is discussed theoretically.


international workshop constructive side-channel analysis and secure design | 2012

Exploiting the difference of side-channel leakages

Michael Hutter; Mario Kirschbaum; Thomas Plos; Jörn-Marc Schmidt; Stefan Mangard

In this paper, we propose a setup that improves the performance of implementation attacks by exploiting the difference of side-channel leakages. The main idea of our setup is to use two cryptographic devices and to measure the difference of their physical leakages, e.g., their power consumption. This increases the signal-to-noise ratio of the measurement and reduces the number of needed power-consumption traces in order to succeed in an attack. The setup can efficiently be applied (but is not limited) in scenarios where two synchronous devices are available for analysis. By applying template-based attacks, only a few power traces are required to successfully identify weak but data-dependent leakage differences. In order to quantify the efficiency of our proposed setup, we performed practical experiments by designing three evaluation boards that assemble different cryptographic implementations. The results of our investigations show that the needed number of traces can be reduced up to 90%.


design, automation, and test in europe | 2011

Arithmetic logic units with high error detection rates to counteract fault attacks

Stefan Mangard

Modern security-aware embedded systems need protection against fault attacks. These attacks rely on intentionally induced faults. Such intentional faults have not only a different origin, but also a different nature than errors that fault-tolerant systems usually have to face. For instance, an adversary who attacks the circuit with two lasers can potentially induce two errors at different positions. Such errors can not only defeat simple double modular redundancy schemes, but as we show, also naive schemes based on any linear code over GF(2). In this article, we describe arithmetic logic units (ALUs) which provide high error detection rates even in the presence of such errors. The contribution in this article is threefold. First, we show that the minimum weight of an undetected error is no longer defined by the code distance when certain arithmetic and logic operations are applied to the codewords. As a result, additional hardware is needed to preserve the minimum error weight for a given code. Second, we show that for multi-residue codes, these delicate operations are rare in typical smart card applications. This allows for an efficient time-area trade-off for checking the codewords and thus to significantly reduce the hardware costs for such a protected ALU. Third, we implement the proposed architectures and study the influence of the register file and a multiplier on the area and on the critical path.


Journal of Electronic Testing | 2010

Berndt Gammel; Stefan Mangard

In this work we investigate the problem of simultaneous privacy and integrity protection in cryptographic circuits. We consider a white-box scenario with a powerful, yet limited attacker. A concise metric for the level of probing and fault security is introduced, which is directly related to the capabilities of a realistic attacker. In order to investigate the interrelation of probing and fault security we introduce a common mathematical framework based on the formalism of information and coding theory. The framework unifies the known linear masking schemes. We prove a central theorem about the properties of linear codes which leads to optimal secret sharing schemes. These schemes provide the lower bound for the number of masks needed to counteract an attacker with a given strength. The new formalism reveals an intriguing duality principle between the problems of probing and fault security, and provides a unified view on privacy and integrity protection using error detecting codes. Finally, we introduce a new class of linear tamper-resistant codes. These are eligible to preserve security against an attacker mounting simultaneous probing and fault attacks.


international conference on progress in cryptology | 2013

Fabrizio De Santis; Michael Kasper; Stefan Mangard; Georg Sigl; Oliver Stein; Marc Stöttinger

The design and the security verification of side-channel resistant cryptographic hardware often represent an iterative process. This process essentially consists of a detection phase (

Collaboration

Top co-authors of Stefan Mangard:

Thomas Popp, Graz University of Technology

Mario Kirschbaum, Graz University of Technology

François-Xavier Standaert, Université catholique de Louvain