Publication


Featured research published by Yannick Teglia.


cryptographic hardware and embedded systems | 2004

Leak Resistant Arithmetic

Jean-Claude Bajard; Laurent Imbert; Pierre-Yvan Liardet; Yannick Teglia

In this paper we show how the usage of Residue Number Systems (RNS) can easily be turned into a natural defense against many side-channel attacks (SCA). We introduce a Leak Resistant Arithmetic (LRA), and present its capacities to defeat timing, power (SPA, DPA) and electromagnetic (EMA) attacks.


security of information and networks | 2010

Improving first order differential power attacks through digital signal processing

Alessandro Barenghi; Gerardo Pelosi; Yannick Teglia

Side-channel attacks pose a critical threat to the deployment of secure embedded systems. Differential-power analysis is a technique relying on measuring the power consumption of a device while it computes a cryptographic primitive, and extracting the secret information from it exploiting the knowledge of the operations involving the key. There is no open literature describing how to properly employ Digital Signal Processing (DSP) techniques in order to improve the effectiveness of the attacks. This paper presents a pre-processing technique based on DSP, reducing the number of traces needed to perform an attack by an order of magnitude with respect to the results obtained with raw datasets, and puts it into practical use attacking a commercial 32-bit software implementation of AES running on a Cortex-M3 CPU. The main contribution of this paper is proposing a leakage model for software implemented cryptographic primitives and an effective framework to extract it.


international conference information security theory and practice | 2011

Information leakage discovery techniques to enhance secure chip design

Alessandro Barenghi; Gerardo Pelosi; Yannick Teglia

Side channel attacks analyzing both power consumption and electromagnetic (EM) radiations are a well known threat to the security of devices dealing with sensitive data. Whilst it is well known that the EM emissions of a chip represent an information leakage stronger than the overall dynamic power consumption, the actual relation between the emissions and the computations is still a subject under exploration. It is important for the chip designer to be able to distinguish which portions of the measured EM emissions are actually correlated with the sensitive information. Our technique obtains a detailed profile of the information leakage, identifying which harmonic components carry the largest part of it on the measured signals. It may be successfully integrated in a design workflow as a post-testing feedback from the prototype chip, in the form of additional constraints aimed at reducing the local wires congestion up to a point where the emissions are no longer sufficient to conduct an attack. The analysis allows the design of ad-hoc countermeasures (shields and/or EM jammers), which do not require architectural changes to the chip. We provide a validation of the proposed technique on a commercial grade ARM Cortex-M3 based System on Chip (SoC), executing a software implementation of AES-128. The proposed approach is more efficient than a search of the whole frequency spectrum, allowing to conduct a deeper analysis with the same timing constraints.


Journal of Cryptographic Engineering | 2014

A model of the leakage in the frequency domain and its application to CPA and DPA

Sébastien Tiran; Sébastien Ordas; Yannick Teglia; Michel Agoyan; Philippe Maurine

This paper introduces a leakage model in the frequency domain to enhance the efficiency of side channel attacks of CMOS circuits. While usual techniques are focused on noise removal around clock harmonics, we show that the actual leakage is not necessarily located in those expected bandwidths as experimentally observed by Mateos and Gebotys (A new correlation frequency analysis of the side channel, p 4, 2010). We start by building a theoretical modeling of power consumption and electromagnetic emanations before deriving from it a criterion to guide standard attacks. This criterion is then validated on real experiments, both on FPGA and ASIC, showing an impressive increase of the yield of SCA.


international conference on cryptology in india | 2010

Random Euclidean Addition Chain Generation and Its Application to Point Multiplication

Fabien Herbaut; Pierre-Yvan Liardet; Nicolas Méloni; Yannick Teglia; Pascal Véron

Efficiency and security are the two main objectives of every elliptic curve scalar multiplication implementation. Many schemes have been proposed in order to speed up or secure its computation, usually thanks to efficient scalar representation [30,10,24], faster point operation formulae [8,25,13] or new curve shapes [2]. As an alternative to those general methods, authors have suggested to use scalar belonging to some subset with good computational properties [15,14,36,41,42], leading to faster but usually cryptographically weaker systems. In this paper, we use a similar approach. We propose to modify the key generation process using a small Euclidean addition chain c instead of a scalar k. This allows us to use a previous scheme, secure against side channel attacks, but whose efficiency relies on the computation of small chains computing the scalar. We propose two different ways to generate short Euclidean addition chains and give a first theoretical analysis of the size and distribution of the obtained keys. We also propose a new scheme in the context of fixed base point scalar multiplication.


international conference on move to meaningful internet systems | 2006

Reverse engineering of embedded software using syntactic pattern recognition

Mike Fournigault; Pierre-Yvan Liardet; Yannick Teglia; Alain Trémeau; Frédérique Robert-Inacio

When a secure component executes sensitive operations, the information carried by the power consumption can be used to recover secret information. Many different techniques have been developed to recover this secret, but only few of them focus on the recovering of the executed code itself. Indeed, the code knowledge acquired through this step of Simple Power Analysis (SPA) can help to identify implementation weaknesses and to improve further kinds of attacks. In this paper we present a new approach improving the SPA based on a pattern recognition methodology, that can be used to automatically identify the processed instructions that leak through power consumption. We firstly process a geometrical classification with chosen instructions to enable the automatic identification of any sequence of instructions. Such an analysis is used to reverse general purpose code executions of a recent secure component.


international workshop constructive side-channel analysis and secure design | 2014

On Adaptive Bandwidth Selection for Efficient MIA

Mathieu Carbone; Sébastien Tiran; Sébastien Ordas; Michel Agoyan; Yannick Teglia; Gilles R. Ducharme; Philippe Maurine

Recently, a generic DPA attack using the mutual information index as the side channel distinguisher has been introduced. Mutual Information Analysis’s (MIA) main interest is its claimed genericity. However, it requires the estimation of various probability density functions (PDF), which is a task that involves the complicated problem of selecting tuning parameters. This problem could be the cause of the lower efficiency of MIA that has been reported. In this paper, we introduce an approach that selects the tuning parameters with the goal of optimizing the performance of MIA. Our approach differs from previous works in that it maximizes the ability of MIA to discriminate one key among all guesses rather than optimizing the accuracy of PDF estimates. Application of this approach to various leakage traces confirms the soundness of our proposal.


Journal of Cryptographic Engineering | 2017

Mutual information analysis: higher-order statistical moments, efficiency and efficacy

Mathieu Carbone; Yannick Teglia; Gilles R. Ducharme; Philippe Maurine

The wide attention given to the mutual information analysis (MIA) is often connected to its statistical genericity, denoted flexibility in this paper. Indeed, MIA is expected to lead to successful key recoveries with no reliance on a priori knowledge about the implementation (impacted by the error modeling made by the attacker, and with as minimum assumptions as possible about the leakage distribution, i.e. able to exploit information lying in any statistical moment and to detect all types of functional dependencies), up to the error modeling which impacts its efficiency (and even its effectiveness). However, emphasis is put on the powerful generality of the concept behind the MIA, as well as on the significance of adequate probability density functions (PDF) estimation which seriously impacts its performance. By contrast to its theoretical advantages, MIA suffers from underperformance in practice limiting its usage. Considering that this underperformance could be explained by suboptimal estimation procedures, we studied in-depth MIA by analyzing the link between the setting of tuning parameters involved in the commonly used nonparametric density estimation, namely kernel density estimation, with respect to three criteria: the statistical moment where the leakage prevails, MIA’s efficiency and its flexibility according to the classical Hamming weight model. The goal of this paper was, therefore, to cast some interesting light on the field of PDF estimation issues in MIA for which much work has been devoted to finding improved estimators having their pros and cons, while little attempt has been made to identify whether existing classical methods can be practically improved or not according to the degree of freedom offered by hyperparameters (when available). We show that some ‘optimal’ estimation procedures following a problem-based approach rather than the systemic use of heuristics following an accuracy-based approach can make MIA more efficient and flexible and a practical guideline for tuning the hyperparameters involved in MIA should be designed. The results of this analysis allowed us to define a guideline based on a detailed comparison of MIA’s results across various simulations and real-world datasets (including publicly available ones such as DPA contest V2 and V4.1).


Intelligent Decision Technologies | 2016

Taking into account indirect jumps or calls in continuous control-flow checking

Lydie Terras; Yannick Teglia; Michel Agoyan; Régis Leveugle

Control-flow checking (CFC) is one of the main approaches to monitor the behavior of a microprocessor-based system without specific assumptions on error models (e.g., single bit flips). Many approaches have been proposed and evaluated, but none takes explicitly into account the possibility of indirect jumps or calls for which destination addresses are not hard-coded. This paper discusses first the need for an approach taking care of such sequence breaks. Then an approach is proposed to enhance current control-flow checking schemes.


high performance embedded architectures and compilers | 2015

Interest of MIA in frequency domain

Mathieu Carbone; Yannick Teglia; Philippe Maurine; Gilles R. Ducharme

Mutual Information Analysis (MIA) has a main advantage over Pearson's correlation analysis (CPA): its ability to detect any kind of leakage within traces. However, it remains rarely used and less popular than CPA, probably because of two reasons. The first one is related to the appropriate choice of hyperparameters involved in MIA, choice that determines its efficiency and genericity. The second one is surely the high computational burden associated to MIA. The interests of applying MIA in the frequency domain rather than in the time domain are discussed. It is shown that MIA running into the frequency domain is really effective and fast when combined with the use of an accurate frequency leakage model.
