DPA ATTACKS SECURITY (Differential Power Analysis)
Presented by Piyush Mittal (211CS2281), Information Security, Computer Science and Engineering Department
National Institute of Technology, Rourkela, 01/24/13
Overview
Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. There exist methods for analyzing power consumption measurements to find secret keys from devices.
Introduction to Power Analysis
Most modern cryptographic devices are implemented using semiconductor logic gates, which are constructed out of transistors. Electrons flow across the silicon substrate when charge is applied to (or removed from) a transistor's gate, consuming power and producing electromagnetic radiation.
Simple Power Analysis (SPA)
SPA is a technique that involves directly interpreting power consumption measurements collected during cryptographic operations. SPA can yield information about a device's operation as well as key material. A trace refers to a set of power consumption measurements taken across a cryptographic operation. For example, a 1 millisecond operation sampled at 5 MHz yields a trace containing 5000 points.
Figure 1 shows an SPA trace from a typical smart card as it performs a DES operation. Note that the 16 DES rounds are clearly visible.
Figure 1: SPA trace showing an entire DES operation.
Figure 2 is a more detailed view of the same trace showing the second and third rounds of a DES encryption operation. Many details of the DES operation are now visible. For example, the 28-bit DES key registers C and D are rotated once in round 2 (left arrow) and twice in round 3 (right arrows). In Figure 2, small variations between the rounds can just be perceived.
Figure 2: SPA trace showing DES rounds 2 and 3.
Figure 3 shows even higher resolution views of the trace, showing power consumption through two regions, each of seven clock cycles at 3.5714 MHz. The visible variations between clock cycles result primarily from differences in the power consumption of different microprocessor instructions. The upper trace in Figure 3 shows the execution path through an SPA feature where a jump instruction is performed, and the lower trace shows a case where the jump is not taken. The point of divergence is at clock cycle 6 and is clearly visible.
Figure 3: SPA trace showing individual clock cycles.
Differential Power Analysis (DPA) of DES
In addition to large-scale power variations due to the instruction sequence, there are effects correlated to data values being manipulated. These variations tend to be smaller and are sometimes overshadowed by measurement errors and other noise. But even in such cases, it is still often possible to break the system using statistical functions tailored to the target algorithm.
Example: The DPA selection function D(C, b, Ks) is defined as computing the value of bit 0 ≤ b ≤ 32 of the DES intermediate L at the beginning of the 16th round for ciphertext C, where the 6 key bits entering the S box corresponding to bit b are represented by 0 ≤ Ks ≤ 2^6. To implement the DPA attack, an attacker first observes m encryption operations and captures power traces T1..m[1..k] containing k samples each. In addition, the attacker records the ciphertexts C1..m. No knowledge of the plaintext is required.
DPA analysis uses power consumption measurements to determine whether a key block guess Ks is correct. The attacker computes a k-sample differential trace ∆D[1..k] by finding the difference between the average of the traces for which D(C, b, Ks) is one and the average of the traces for which D(C, b, Ks) is zero. Thus ∆D[j] is the average over C1..m of the effect due to the value represented by the selection function D on the power consumption measurements at point j.
If Ks is incorrect, the bit computed using D will differ from the actual target bit for about half of the ciphertexts Ci. The selection function D(C, b, Ks) is thus effectively uncorrelated to what was actually computed by the target device.
If Ks is correct, however, the computed value for D(C, b, Ks) will equal the actual value of target bit b with probability 1. The selection function is thus correlated to the value of the bit manipulated in the 16th round.
• The correct value of Ks can be identified from the spikes in its differential trace.
• Four values of b correspond to each S box, providing confirmation of key block guesses. Finding all eight Ks yields the entire 48-bit round subkey. The remaining 8 key bits can be found easily using exhaustive search.
Figure 4 shows four traces prepared using known plaintexts entering a DES encryption function on a smart card. On top is the reference power trace showing the average power consumption during DES operations. Below are three differential traces, where the first was produced using a correct guess for Ks. The lower two traces were produced using incorrect values for Ks.
Figure 4: DPA traces, one correct and two incorrect, with power reference.
Preventing DPA
A first approach is to reduce signal sizes, such as by using constant execution path code and choosing operations that leak less information in their power consumption. A second approach involves introducing noise into power consumption measurements. Like signal size reductions, adding noise increases the number of samples required for an attack, possibly to an infeasibly large number. In addition, execution timing and order can be randomized.
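The differential trace ∆D from the DPA slides and the added-noise countermeasure above can be tried on simulated traces; this is an added example, not code from the presentation. It assumes a constructed leakage model (one unit of power per set S-box output bit at the sample points in LEAK, plus Gaussian noise), feeds six bits x directly into DES S-box S1 instead of the full round-16 computation, and scores guesses at the known leak points; K, LEAK, simulate, differential and rank_guesses are names made up here.

```python
import random

# DES S-box S1 (4 rows x 16 columns); everything else below is constructed.
S1 = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
      0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
      4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
      15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]
K = 16                  # samples per trace (k in the text)
LEAK = (3, 6, 9, 12)    # assumed sample index where output bit b leaks

def sbox(v):
    row = ((v >> 4) & 2) | (v & 1)          # outer two bits pick the row
    return S1[16 * row + ((v >> 1) & 15)]   # middle four bits pick the column
def D(x, b, ks):
    """Selection function: predicted output bit b for key-block guess ks."""
    return (sbox(x ^ ks) >> b) & 1

def simulate(m, sigma, key, seed=1):
    """m constructed traces: Gaussian noise plus 1 unit where a set bit leaks."""
    rng = random.Random(seed)
    xs = [rng.randrange(64) for _ in range(m)]
    traces = []
    for x in xs:
        t = [rng.gauss(0.0, sigma) for _ in range(K)]
        for b, j in enumerate(LEAK):
            t[j] += D(x, b, key)
        traces.append(t)
    return xs, traces

def differential(xs, traces, b, ks):
    """Delta_D[j]: mean of traces with D = 1 minus mean of traces with D = 0."""
    sums, n = [[0.0] * K, [0.0] * K], [0, 0]
    for x, t in zip(xs, traces):
        d = D(x, b, ks)
        n[d] += 1
        for j in range(K):
            sums[d][j] += t[j]
    return [sums[1][j] / n[1] - sums[0][j] / n[0] for j in range(K)]

def rank_guesses(xs, traces):
    """Order all 64 guesses by summed |Delta_D| at the four leak points."""
    score = {ks: sum(abs(differential(xs, traces, b, ks)[LEAK[b]])
                     for b in range(4)) for ks in range(64)}
    return sorted(score, key=score.get, reverse=True), score

if __name__ == "__main__":
    for sigma in (0.5, 30.0):   # 30.0 models the added-noise countermeasure
        order, score = rank_guesses(*simulate(1000, sigma, key=0x2B))
        print(sigma, hex(order[0]), "rank of true key:", order.index(0x2B))
```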
CONCLUSIONS AND FUTURE WORKS
Power analysis techniques are of great concern because a very large number of vulnerable products are deployed. The attacks are easy to implement and have a very low cost per device. Because DPA automatically locates correlated regions in a device's power consumption, the attack can be automated and little or no information about the target implementation is required. DPA highlights the need for people who design algorithms, protocols, software, and hardware to work closely together when producing security products.
Any Suggestions?
For more information please visit www.piyushmittal.in