Differential Power Analysis Attack on Smart Card 2002. 10. 8. ICE615 Network Security 20022122 Hwasun Chang Index 1. Introduction 2. Simple Power Analysis 3. DPA Overview 4. DPA Procedure for DES 5. DPA Result Example 6. Other Power Attacks 7. DPA Countermeasures 8. Future Works Reference 2 1. Introduction - Attack techniques for cryptographic algorithms Algorithm in isolation Differential Cryptoanalysis, Linear Cryptoanalysis Side channel attacks 3 2. Simple Power Analysis Interpret power consumption measurement What is learned: device’s operation, key material Base: power consumption variance of uP instructions DES operation by smart card 4 3. DPA Overview Introduced by P. Kocher and colleagues More powerful and more difficult to prevent than SPA Base: semiconductor logic ← transistor ← different power consumption for different state (0 or 1) Data collection phase and data analysis phase Procedure 1. Gather many power consumption curves 2. Assume a key value 3. Divide data into two groups(0 and 1 for chosen bit) 4. Calculate mean value curve of each group 5. Correct key assumption → not negligible difference 5 4. DPA Procedure for DES 1. Make power consumption measurement of about 1000 2. 3. 4. 5. 6. 7. 8. 9. DES operations, 100000 data points / curve, (Plaintexti, Curvei) Assume a key for a S-box of first round Calculate first S-box first bit output for each plaintext using the assumed key Divide the measurement into 2 groups (output 0 and 1) Calculate the average curve of each group Calculate the difference of two curves Assumed correct key → spikes in the differential curve Repeat 2-7 for other S-boxes Exhaustive search for 8 bits of key 6 5. DPA Result Example Average Power Consumption Power Consumption Differential Curve With Correct Key Guess Power Consumption Differential Curve With Incorrect Key Guess Power Consumption Differential Curve With Incorrect Key Guess 7 6. Other Power Attacks 1. Binary power analysis (by ABDM) 2. Direct power anlaysis (by ABDM) 3. Higer-order DPA (by Kocher) : combine one or more samples within a single power trace 8 7. DPA Countermeasures (1) By Adi Shamir Two capacitors as the power isolation element Disadvantage: difficulty in manufacturing 9 7. DPA Countermeasures (2) By S. Almanei Another processor working on parallel with the actual processor Disadvantage: increase in production cost, more memory and power 10 7. DPA Countermeasures (3) By Hardware • Random register renaming - MMS • 1-of-n encoded circuits - Moore By Software for Symmetric Algorithm • Replacing each intermediate variable depending on input or output by k variables - GP, Willich • Masking before processing, unmasking after processing – ITT, CG, • Transformed S-box and masking – AG By Software for Asymmetric Algorithm • Transforming the curve in ECC - JT • Using the Jacobi Form in ECC - LS 11 8. Future Works More study • Higher Order DPA • Software Countermeasure for Symmetric Algorithm Mount DPA on Commercial Smart Cards Make an idea • Software countermeasure • For symmetric algorithm • Efficient and Easy to Implement 12 References 1. 2. 3. 4. 5. 6. Paul Kocher, Joshua Jaffe, and Benjamin Jun, “Differential Power Analysis”, Advances in Cryptology – CRYPTO ’99, LNCS 1666, Aug. 1999, pp. 388397 Kouichi Itoh, Masahiko Takenaka, and Naoya Torii, “DPA Countermeasure Based on the Masking Method”, ICICS 2001, LNCS 2288, 2002, pp. 440-456 Louis Goubin, Jacques Patarin, “DES and Differential Power Analysis”, Proceedings of Workshop on Cryptographic Hardware and Embedded Systems, Aug. 1999, pp. 158-172 Jean-Sebastien Coron, Louis Goubin, “On Boolean and Arithmetic Masking against Differential Power Analysis”, CHES 2000, LNCS 1965, 2000, pp. 231-237 Mehdi-Laurent Akkar, Christophe Giraud, “An Implementation of DES and AES, Secure against Some Attacks”, CHES 2001, LNCS 2162, 2001, pp. 309-318 D. May, H.L. Muller, and N.P. Smart, “Random Register Renaming to Foil DPA”, CHES 2001, LNCS 2162, 2001, pp. 28-38 13 References S. Almanei, “Protecting Smart Cards from Power Analysis Attacks”, http://islab.oregonstate.edu/koc/ece679cahd/s2002/almanei.pdf, May. 2002 8. Adi Shamir, “Protecting Smart Cards from Passive Power Analysis with Detached Power Supplies”, CHES 2000, LNCS 1965, 2000, pp. 71-77 9. P. Y. Liardet, N. P. Smart, “Preventing SPA/DPA in ECC Systems Using the Jacobi Form”, CHES 2001, LNCS 2162, 2001, pp. 391-401 10. Marc Joye, Christophe Tymen, “Protections against Differential Analysis for Elliptic Curve Cryptography”, CHES 2001, LNCS 2162, 2001, pp. 377-390 7. 14 Q&A Thank you! 15