correlation power analysis of aes-256 on atmega328p pdf · cpa on one round of aes encryption 12 96...
TRANSCRIPT
Correlation Power Analysis of AES-256 on ATmega328P
1
游世群 JPChen 許遠哲
Outlines• SCA/DPA/CPA
• Hardware Implementation
• Demo Video
• CPA Implementation on AES Rounds
• Countermeasures
• Conclusion
2
hidden in an encryption algorithm.
Hardware
key
Side-Channel Analysis
Plaintext Ciphertext
• There is a key
• We need a hardware to implement this system.
• This hardware may leak information about the key.
• By analyzing the leakages, we can rebuild the key.
3
Encryption Algorithm
Differential Power AnalysisCompare two power traces from two different encryptions:
Differential Power Analysis (DPA) • By analyzing the difference
between traces from different encryptions.
• Use statistical tools to recover the key.
4
• AES is a block cipher.
• 1 byte as a unit.
• Plaintexts, Round Keys, Ciphertexts and Intermediate values can be regarded as 16 independent bytes.
Divide and Conquer12 43 F5 6877 26 54 87A3 B3 7E FF9B 4A AF E8
A Block of AES
Search Space: reduced from to
5
Power Consumption in Register
0x000 0 0 0 0 0 0 0
0xc31 1 0 0 0 0 1 1
4 bits change
A register.
Assume that each bit changes costs the same value b, the overall power consumption y will be:
y = a + HD(0x00, 0xc3)·b + N
Hamming Distance of these 2 hex-numbers
6
0x000 0 0 0 0 0 0 0
Power Consumption in Register0x6d
0 1 1 0 1 1 0 1
0xc31 1 0 0 0 0 1 1
0 1 1 0 1 1 0 1
1 1 0 0 0 0 1 1
• Hamming Distance model: y = a + HD(0x6c, 0xc3)·b + N
0xc31 1 0 0 0 0 1 1
• Hamming Weight model: y = a + HW(0xc3)·b + N
7
Leakages from AES
T0: y0 = a + H( f5(p0,k) )·b + NT1: y1 = a + H( f5(p1,k) )·b + NT2: y2 = a + H( f5(p2,k) )·b + N
⋮︙
Tn: yn = a + H( f5(pn,k) )·b + N
y = a + HD(0x00, 0xc3)·b + N
8
Leakages from AES
T0: y0 = a + H( f5(p0,k) )·b + NT1: y1 = a + H( f5(p1,k) )·b + NT2: y2 = a + H( f5(p2,k) )·b + N
⋮︙
Tn: yn = a + H( f5(pn,k) )·b + N
k: key pi : known plaintext fi : the i-th Intermediate value function H: Hamming Distance or Hamming Weight
9
Correlation Power AnalysisT0: y0 = a + H( f5(p0,k) )·b + NT1: y1 = a + H( f5(p1,k) )·b + NT2: y2 = a + H( f5(p2,k) )·b + N
⋮︙
Tn: yn = a + H( f5(pn,k) )·b + N
If our key guessing is right, Cor(y, x) will be significant.If it is wrong, Cor(y, x) will be close to 0.
Pearson Correlation Coefficient:
10
Outlines• SCA/DPA/CPA
• Hardware Implementation
• Demo Video
• CPA Implementation on AES Rounds
• Countermeasures
• Conclusion
11
ATMega328P
https://www.arduino.cc/en/Main/ArduinoBoardUno
12
ChipWhispererChipWhisperer board 1. control FPGA 2. OpenADC
MultiTarget board 1. micro controller 2. card socket 3. FPGA
13
Hardware Implementation
14
Outlines• SCA/DPA/CPA
• Hardware Implementation
• Demo Video
• CPA Implementation on AES Rounds
• Countermeasures
• Conclusion
15
Demo Video
16
3a cd 58 34 26 59 74 95 17 98 8a 73 44 77 52 54 73 45 f7 ee ec bb ae 67 98 87 07 45 00 37 42 66
Demo Video
17
3a cd 58 34 26 59 74 95 17 98 8a 73 44 77 52 54 73 45 f7 ee ec bb ae 67 98 87 07 45 00 37 42 66
Outlines• SCA/DPA/CPA
• Hardware Implementation
• Demo Video
• CPA Implementation on AES Rounds
• Countermeasures
• Conclusion
18
CPA on One Round of AES Encryption
12 43 F5 6877 26 54 87A3 B3 7E FF9B 4A AF E8
Known Input00010203
FF⋮
Key Guess
12 00
Choose a byte
Choose a key guessing
19
5A 0C 6C FC67 BE AF 6042 FF C3 516E 23 0A A9
12
96
CPA on One Round of AES Encryption
⨁ 00
45⋮
5A
5A
Input N
20
6E
BE
C990
CPA on One Round of AES Encryption
129645
5Asubstitution box
⋮
S-box
compute their Hamming Weight
425
6⋮
intermediate values X
⋮
power leakages Y
Compute their correlation coefficient of every point
• If there are any points with a significant Correlation Coefficient value, the guessing key might be correct.
11001001
21
⋮
CPA on One Round of AES Encryption
12 43 F5 6877 26 54 87A3 B3 7E FF9B 4A AF E8
Known Input00010203
FF⋮
Key Guess
01
Repeat 16 times for each bytes!
00
02
7B
FF
Choose another key
We should try every key
There will be a guess key with a significantcorrelation coefficient
22
Compare AES-256 with AES-128Similarities: • Block size is 128 bits, so as Round Key size.
Differences: • 256-bit Master Key. • 14 rounds while 10 rounds in AES-128.
k0: the first half (128 bits) of master key.k1: the second half (128 bits) of master key.
23
2b 28 ab 09 a0 88 23 2a f2 7a 59 73 3d 47 1e 6d
7e ae f7 cf fa 54 a3 6c c2 96 35 59 80 16 23 7a
15 de 15 4f fe 2c 39 76 95 b9 80 f6 47 fe 7e 88
16 a6 88 3c 17 b1 39 05 f2 43 7a 7f 7d 3e 44 3b
Key Schedule of AES-128
2b 28 ab 09 11 7a 44 4a f6 de 75 7c 01 7b 3f 75
7e ae f7 cf 02 93 8f 93 03 ad 5a 95 28 bb 34 a7
15 de 15 4f 4e 0c ee 13 51 83 96 d9 7b 77 99 8a
16 a6 88 3c f6 be 27 86 c0 66 ee d2 43 fd da 5c
Key Schedule of AES-256
First Round is enough
Needs 2 Rounds
2b 28 ab 09
7e ae f7 cf
15 de 15 4f
16 a6 88 3c
2b 28 ab 09 11 7a 44 4a
7e ae f7 cf 02 93 8f 93
15 de 15 4f 4e 0c ee 13
16 a6 88 3c f6 be 27 86
24
Compare AES-256 with AES-128
45 67 2A C478 CF AE 7ABE 87 69 93FF 0B 00 2C
12 43 F5 6877 26 54 87A3 B3 7E FF9B 4A AF E8
45 67 2A C478 CF AE 7ABE 87 69 93FF 0B 00 2C
Plaintexts
Compute the Intermediate Values
X
traces
Y
CPA
Attacks on AES-128
25
Compare AES-256 with AES-12845 67 2A C4
78 C A 7BE 8 6 9FF 0 0 2
12 43 F5 68
77 265487A3 B 7 F9B 4 A E
45 67 2A C4
78 CF AE 7A
BE 87 69 93
FF 0B 00 2C
This round key is the first-half key Use it to compute the input of the next round
45 67 2A C4
78 C A 7BE 8 6 9FF 0 0 2
12 43 F5 68
77 265487A3 B 7 F9B 4 A E
45 67 2A C4
78 CF AE 7A
BE 87 69 93
FF 0B 00 2C
33 26 EE 6432 CF AE 7A6C 87 69 93C3 0B 00 2C
22 43 C3 6854 26 54 87EA B3 7E FF89 4A AF E8
76 28 9A 530C EF B3 4A56 54 00 967E C0 EE 2C
X
traces
Y
1 Round Encryption ResultsThis round key is the second-half key
26
Resynchronization and Alignment
• The variables we concern change vertically.
• Those horizontal shifts could be disturbances.27
Resynchronization and Alignment• Use some special pattern to align.
Call this special signal h[n]28
Resynchronization and Alignment• Method 1: Sum of Absolute Difference (SAD).
• If two N-points signals are similar, SAD will be small.
• Align the traces by minimizing the SAD.
29
Resynchronization and Alignment• Method 2: Correlation based method.
• If two N-points signals are similar, correlation coefficient will near to 1.
• Align the traces by maximizing the correlation coefficient.
30
Resynchronization and Alignment
Before resynchronization
After resynchronization
31
Outlines• SCA/DPA/CPA
• Hardware Implementation
• Demo Video
• CPA Implementation on AES Rounds
• Countermeasures
• Conclusion
32
CHES 2016 CTF
http://www.chesworkshop.org/ches2016/start.php
• Shuffling:
related to byte 0
35
Countermeasure (1)
related to byte 0
For trace 1:
related to byte 0
For trace 2:
36
• Adding Dummy:
byte 0 byte 1 byte 2 byte 3 byte 4 byte 5 byte 6
37
Countermeasure (2)
byte 0
byte 0 byte 1 byte 2 byte 3 byte 4
byte 1 byte 2 byte 3
Trace 1
Trace 2
38
Countermeasure (2)
Outlines• SCA/DPA/CPA
• Hardware Implementation
• Demo Video
• CPA Implementation on AES Rounds
• Countermeasures
• Conclusion
39
Conclusion• With more statistical techniques applied, SCA is more
powerful than ever.
40
• Encryption systems could be insecure without any protections from SCA.
• SCA protections should be taken into account when using microcontrollers like ATmega328P and their applications in IoT.
Reference• S.Mangard et al. Power Analysis Attacks.• Colin O’flynn ChipWhisperer.
http://www.newae.com/sidechannel/cwdocs/ • CHES CTF 2016
https://ctf.newae.com • Papers from CHES, Eurocrypt, Crypto and Asiacrypt• Arduino
https://www.arduino.cc • Atmel
http://www.atmel.com
41