CRYPTACUS_2018_paper_32.pdf


INESC-ID, IST, Universidade de Lisboa, Lisboa, Portugal, ricardo.macas@tecnico.ulisboa.pt

INESC-ID, IST, Universidade de Lisboa, Lisboa, Portugal, ricardo.chaves@inesc-id.pt

INESC-ID, IST, Universidade de Lisboa, Lisboa, Portugal, goncalo.tavares@tecnico.ulisboa.pt

Abstract—The security of electronic devices is paramount to our information society. Side-channel attacks enable a potential attacker to stealthily compromise the devices by exploiting their emanations, such as the electromagnetic (EM) radiation, resulting from the operation of the device. The objective of this article is to compare different attack methodologies empirically with respect to their signal processing techniques, in particular, trace filtering and a newly-proposed technique named correlation filtering. A methodology of analysis is defined for consistent and repeatable results. Finally, evaluations of the effects of different signal processing techniques were conducted in attacks against a smartcard implementation of the AES cipher, where the correlation filtering technique was found to successfully improve the attack performance in randomized trials.

1. Introduction

The information society is ever more pervasive in our lives: it permeates into all aspects of society, replacing older technology with connected, intelligent devices. More and more devices are made smart, especially the ever more popular Internet of Things (IoT) movement, consisting of existing devices such as door locks that are made intelligent with networking functionality. Even if such devices employ secure algorithms, side-channel attacks may still be able to exploit their physical implementation, by taking advantage of information leaked by the emanations resulting from their operation.

Electronic systems developed in the 21st century use complementary metal-oxide semiconductor transistor cells (CMOS), desirable for producing devices with low idle power consumption. CMOS cells implement a logic gate by having a complementary pull-up and pull-down network that alternate in insulating the path between the power source and the ground, only briefly consuming power during transitions when, momentarily, both networks conduct. At that moment, a small current flows through the circuit, which in turn leads to power consumption and the emanation of electromagnetic (EM) radiation [1]. Naturally, this implies that the emanation is data-dependent. Since the aforementioned physical process leads to both the power consumption and the EM emanation, similar techniques can be used for both, and EM attacks are generally regarded as a particular instance of power attacks [2].

In general, taking into account some model $h$, the leakage signal $L(t)$ can be described as a sum of the contributions of all the gates $g$ in the circuit processing values at instant $t$, affected by some normally-distributed additive noise $N$ [3]:

$$L(t) = \sum_{g} h(g, t) + N(t). \tag{1}$$

There are several attack techniques that attempt to extract the most information from the available signals, such as Correlation Attacks [4] and Template Attacks [5]. These techniques focus on specific calculations being executed in the target device that enable the attacker to effectively guess the key. However, this means that the signals are affected by intrinsic electronic noise caused by unrelated calculations that are not pertinent to the attack and that ultimately hinder its performance. Then, the usage of signal processing techniques, such as frequency filtering, to facilitate the attack by rejecting unwanted noise sources is a compelling strategy.

A brief description of this document’s structure follows. Section 2 presents a brief introduction of the existing attack methods, followed by Section 3, which describes the proposed metrics to evaluate the performance of the attacks. Section 4 addresses the hardware and software used and their setup and configuration. An overview of the findings follows in Section 5. Finally, Future Work is presented in Section 6 and the Conclusions of the authors in Section 7.

2. State of the art

A differential power attack proceeds by taking a working hypothesis over a small part of the key and, using the same plaintexts as the physical device, it computes the intermediate calculations of the cipher state. From the intermediate values, it models the expected power consumption for those operations and contrasts them with the observed signals from the physical device. If the differences in the expected power follow the actual power consumption, there’s evidence that the partial key hypothesis is correct.

This process requires several time-aligned recordings of the power consumption, called traces, and the usage of a statistical test to quantify their agreement with the hypotheses. This is called the distinguisher, because it is the metric that allows the attack to distinguish the correct secret from the remaining (rejected) hypotheses.

Correlation attacks

An example of a differential power attack is the Correlation Attack, first introduced by Eric Brier et al. [4]. It uses the aforementioned framework for differential power attacks, where the distinguisher is the estimator of the Pearson correlation coefficient, which will indicate a linear dependency between the power hypotheses for each trace $h_i$ and the power consumption $T_i$ observed at some given time instant $t_0$:

$$r(t_0) = \frac{\sum_{i=1}^{M} (h_i - \bar{h}) \cdot (T_i[t_0] - \bar{T}[t_0])}{\sqrt{\sum_{i=1}^{M} (h_i - \bar{h})^2 \cdot (T_i[t_0] - \bar{T}[t_0])^2}} \tag{2}$$

where the means are indicated by a bar.

Depending on the device architecture and the experimental setup, the leakage may correlate inversely with the power model. To maximize the information extracted from the attack, the absolute value of the correlation is used instead, which is highest whether the model is directly or inversely correlated [6].

Should the $t_0$ intermediate value calculation time not be known precisely, the correlation can be calculated for several time samples across the traces and the best (highest) absolute correlation $|r|$ is recorded out of all the time samples and partial keys considered. In a sense, a correlation trace $r[t]$ is created which indicates the correlation over time for a given key.

3. Methodology of evaluation

The uncertainty associated with the signal variability and the statistical tools used means that two attacks using signals captured in identical conditions do not necessarily have the same results. Accordingly, each attack strategy is then tried several times for a total of $N$ partial attacks, on a random sample taken from a pool of traces collected in the same session, and the metrics are presented with their average across attacks to partial keys, $m$, and an error term $e$, the standard error, in the form $m \pm e$.

Differential attacks return a distinguisher score for every candidate partial key tested. If these scores are sorted in increasing order, their position in the candidate list indicates their relative rank amid themselves. As such, every candidate has a score and position pair $(d_i, p_i)$. The pair that corresponds to the correct secret key is denoted by a star, as $(d^\star, p^\star)$.

Success rate (SR). The sample success rate is calculated as the ratio of the $N$ partial attacks, run under the same conditions, that determined the correct candidate:

$$SR = \tilde{P}(p^\star = 1) = \frac{\#\text{Attacks}_{p^\star = 1}}{N}. \tag{3}$$

Note that the success rate is an estimate of the probability $\tilde{P}$ of having the correct value of the subkey as the best candidate [7]. The success rate concept can be generalized to having the correct key in the first $n$ hypotheses (instead of just being the first) by computing the corresponding ratio.

Average correct position. After collecting $N$ partial attacks run under the same conditions, one may estimate what is the mean position of the correct partial key in the candidate list. The expected correct position is then defined as the product of each position $i$, times the probability of the correct subkey occupying such position, or mathematically,

$$E(p^\star) = \sum_{i} i \cdot P(p^\star = i). \tag{4}$$

Standaert et al. [7] named this metric guessing entropy.

The estimator of the expected correct position can be mathematically expressed as the average correct position $\tilde{E}(p^\star)$, computed as

$$\tilde{E}(p^\star) = \frac{\sum_{j}^{N} p_{(\star, j)}}{N}, \tag{5}$$

where $j$ represents each attack out of $N$ attacks to partial keys.

4. Experimental setup

Correlation attacks were carried out against a smartcard powered by the Atmel AVR ATMega163 micro-controller, programmed with the AES 128-bit cipher. The attack used the SAKURA-W [8] platform to enable the communication between the computer and the smartcard. The platform, and in turn the smartcard placed in it, was powered by a laboratory bench power supply to provide a stable and isolated power source.

In order to avoid capturing the electronic emanations from nearby components, a custom-built smartcard extender was developed at the laboratory that enabled the smartcard to operate outside of the slot with its surface exposed. The smallest magnetic field probe of the Beehive Electronics 100 Series EMC probe set was used to capture the EM signal, amplified by the Beehive Electronics 150A EMC probe amplifier, and digitized by a PicoScope 6404D computer oscilloscope. To enable the time-aligned capture of the traces, a trigger signal function is programmed to the smartcard that switches an auxiliary pin when the ciphering algorithm starts.

Figure 1. Diagram of the smartcard extender. A smartcard was placed in the extended slot, and the cutout reveals the surface under which the microprocessor resides, exposed for probe access.

In order to find the optimal probe position, a manual systematic analysis of the smartcard’s surface was carried out. While performing ciphering operations, the magnetic probe was placed directly on top of the chip area and the different signals that could be found along the surface were identified, along with their positions. Several sample attacks were carried out for the signals captured at each of these positions, and the final position chosen for the probe was the one that completed the attacks with the least amount of traces.

The correlation attack was chosen to perform the side-channel attacks to the AES 128-bit cipher, using a Hamming Weights model. The intermediate calculation targeted is the result of the SBOX operation in the first round. Each byte of the result is the sum of a key byte and plaintext byte, transformed by the SBOX. Since every byte is independent, targeting each of the 16 bytes individually is the simplest way to effectively divide the partial keys.

5. Results

A pool of 5 500 EM traces was continuously acquired in a single session with a sampling rate of 1.25 GHz. The probe was placed at the position previously determined as optimal, and the plaintext input to the smartcard was randomly generated and subsequently saved along with the corresponding captured traces.

From this pool, a fixed number of traces was randomly drawn by the computer to carry out each trial of the correlation attack. In total, 50 trials were completed in order to characterize the performance of the attack when constrained to that number of traces, using the proposed metrics. This corresponds to 16 · 50 = 800 attacks to every partial key. The process was then repeated for other sizes of the attacked trace set, in order to evaluate the progression of the attack performance as the set of traces increases. This serves as the baseline for contrasting with any improvement from additional signal processing or changes in the experimental setup, as laid out in Table 1.

Table 1. Extract of the baseline results in electromagnetic correlation attacks to the first round of AES, for 50 trials.

| Traces | SR | $E(p^\star)$ |
|---|---|---|
| 800 traces | 0.08 ± 0.01 | 91.45 ± 2.67 |
| 1 500 traces | 0.25 ± 0.02 | 28.11 ± 1.57 |
| 2 000 traces | 0.57 ± 0.02 | 8.36 ± 0.75 |
| 3 000 traces | 0.92 ± 0.01 | 1.26 ± 0.06 |
| 5 000 traces | 1.00 ± 0.00 | 1.00 ± 0.00 |

In particular, the correlation filtering technique was tested. It is based on the observation that, for high sampling rates, the instant when the targeted intermediate calculation is executed spans a significant number of time samples. Often, the correlation may spuriously peak in a time sample for a wrong key, due to noise, leading to an incorrect result. By low-pass filtering the correlation trace $|r(t)|$ for each partial key candidate, the correlations of the neighbouring time samples are taken into account to remove spurious correlation peaks. In essence, instead of selecting specific points of interest in time, the correlation filtering technique exploits time redundancy of points with similar information, in order to exclude wrong candidates.

The attacker can determine the optimal cut-off frequency for this filter using a clone device in their possession, by processing the correlation traces with decreasing cut-off frequencies until they no longer improve the result. A subjective visual evaluation of the filtered correlation trace may suffice to determine a non-optimal cut-off frequency.

For this experiment, the filters were generated using MATLAB’s fir1 function, with a Hamming window and 2400 taps. The average out of the 50 trials was taken for the position of the correct partial key, illustrated in Figure 2. The optimal −6 dB cut-off frequency was determined to be 16.25 MHz, corresponding to the minimum of the average correct position.

Figure 2. Determination of optimal low pass cut-off frequency via minima of the average correct position metric.

To evaluate the additional performance gained by applying this technique, the same process was applied as described previously for the baseline. Several trials were conducted, constrained to an increasing number of traces. Figure 3 shows the comparison between the success rate curves of the baseline and the correlation filtered attack. The technique displays a consistent improvement in the success rate when controlling for number of traces, and converges in approximately half the number of traces to a unitary success rate.

Figure 3. Success rate curves for the baseline attack and the attack with correlation filtering.

The technique presented consists in filtering after the correlation is calculated, but one may ask if simply filtering the original traces leads to the same results. In fact, this hypothesis was tested by following an identical procedure as described before, and the optimal cut-off frequency for conventional trace filtering was determined to be 15.625 MHz, which is very similar to the one determined for correlation filtering. Table 2 shows the metrics for 800 traces, where it is clear that correlation filtering improves the results over trace filtering with an additional 0.02 increase in success rate and an improved average position with smaller standard error, indicating additional consistency.

Table 2. Comparison of electromagnetic attacks results using different signal processing techniques.

| Experiment | SR (% improv.) | $E(p^\star)$ (% improv.) |
|---|---|---|
| 800 traces, Baseline | 0.08 ± 0.01 | 91.45 ± 2.67 |
| 800 traces, Traces Filtered, $f_c$ (−6 dB): 15.625 MHz | 0.86 ± 0.01 (975.0%) | 1.74 ± 0.12 (98.1%) |
| 800 traces, Correlation Filtered, $f_c$ (−6 dB): 16.25 MHz | 0.88 ± 0.01 (1000.0%) | 1.34 ± 0.05 (98.5%) |

6. Future work

In the setup used, the probe position was derived using a manual systematic scan of the surface of the smartcard; however, an automated scan with computer-assisted positioning would enable an attacker to profile the locations of the smartcard where the leakage is optimal. The usage of novel magnetic imaging sensors (to acquire emanations of multiple locations simultaneously), signal processing techniques (to isolate the signal of interest while reducing noise) and multi-channel attacks is an interesting avenue of exploration to improve the existing results for side-channel attacks.

7. Conclusion

In summary, the proposed evaluation methodology successfully allowed the direct comparison of different attacks using a detailed framework. In general, applying signal processing techniques to electromagnetic attacks leads to significant improvements characterized by faster convergence to the correct candidate and better success rates. This work introduced the correlation filtering technique, which was shown to improve the success of the electromagnetic attacks for all metrics tested by exploiting the time redundancy of high-sampling rate acquisition after calculation of the correlation.

Acknowledgments

The authors would like to thank the laboratory colleague Ruben Afonso for assisting with the design and construction of the smartcard extender. This work was supported by national funds through Fundação para a Ciência e a Tecnologia (FCT) with reference UID/CEC/50021/2013.

References

[1] F.-X. Standaert, “Introduction to side-channel attacks,” in Secure Integrated Circuits and Systems. Springer, 2010, pp. 27–42.

[2] J. R. Rao and P. Rohatgi, “Empowering side-channel attacks,” Cryptology ePrint Archive, Report 2001/037, 2001. [Online]. Available: http://eprint.iacr.org/2001/037

[3] M. Aigner and E. Oswald, “Power analysis tutorial,” Institute for Applied Information Processing and Communication, Graz, Austria, Tech. Rep., 2000.

[4] E. Brier, C. Clavier, and F. Olivier, Correlation Power Analysis with a Leakage Model. Berlin, Heidelberg: Springer Berlin Heidelberg, 2004, pp. 16–29.

[5] S. Chari, J. R. Rao, and P. Rohatgi, “Template attacks,” in Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems, ser. CHES ’02. London, UK: Springer-Verlag, 2003, pp. 13–28. [Online]. Available: http://dl.acm.org/citation.cfm?id=648255.752740

[6] S. Mangard, E. Oswald, and T. Popp, Power analysis attacks: Revealing the secrets of smart cards. Springer Science & Business Media, 2008, vol. 31.

[7] F.-X. Standaert, T. Malkin, and M. Yung, “A unified framework for the analysis of side-channel key recovery attacks,” in Eurocrypt, vol. 5479. Springer, 2009, pp. 443–461.

[8] M. Matsubayashi and A. Satoh, “Side-channel Attack user reference architecture board SAKURA-W for security evaluation of IC card,” in 2015 IEEE 4th Global Conference on Consumer Electronics (GCCE), 2015, pp. 565–569.
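The correlation filtering step of Section 5, scored with the success rate and average correct position of Section 3, as an added example (not the authors' code). The |r[t]| traces are constructed rather than measured, and the 21-tap Hamming-windowed sinc filter with a cut-off of 0.05 cycles/sample is an assumed toy stand-in for the paper's 2400-tap fir1 design.

```python
import math
import random

def hamming_lowpass(taps, fc):
    """Hamming-windowed sinc low-pass, unit DC gain; fc in cycles/sample."""
    mid = (taps - 1) / 2
    h = []
    for n in range(taps):
        x = 2 * fc * (n - mid)
        sinc = 1.0 if x == 0 else math.sin(math.pi * x) / (math.pi * x)
        window = 0.54 - 0.46 * math.cos(2 * math.pi * n / (taps - 1))
        h.append(2 * fc * sinc * window)
    gain = sum(h)
    return [c / gain for c in h]

def smooth(trace, h):
    """Filter one |r[t]| trace (same length, zero padding at the edges)."""
    half = len(h) // 2
    return [sum(c * trace[t + k - half] for k, c in enumerate(h)
                if 0 <= t + k - half < len(trace)) for t in range(len(trace))]

def position(corr, correct):
    """Position p* (1 = best) of the correct candidate, ranked by peak |r|."""
    peaks = [max(trace) for trace in corr]
    return 1 + sum(p > peaks[correct] for p in peaks)

def metrics(positions):
    """Success rate (eq. 3), average correct position (eq. 5), standard error."""
    n = len(positions)
    mean = sum(positions) / n
    var = sum((p - mean) ** 2 for p in positions) / (n - 1)
    return sum(p == 1 for p in positions) / n, mean, math.sqrt(var / n)

def constructed_trial(n_spikes, rng, cands=256, length=100, correct=0x2B):
    """Constructed |r[t]|: 30-sample bump for the correct key, 1-sample spikes for wrong ones."""
    corr = [[rng.uniform(0, 0.03) for _ in range(length)] for _ in range(cands)]
    for t in range(40, 70):
        corr[correct][t] += 0.10
    for c in rng.sample([c for c in range(cands) if c != correct], n_spikes):
        corr[c][rng.randrange(length)] += 0.15
    return corr, correct

def compare(spikes=(0, 1, 3, 0, 2, 5, 1, 0), taps=21, fc=0.05):
    """Metrics over the constructed trials, before and after filtering."""
    rng, h = random.Random(1), hamming_lowpass(taps, fc)
    raw, filtered = [], []
    for n_spikes in spikes:
        corr, correct = constructed_trial(n_spikes, rng)
        raw.append(position(corr, correct))
        filtered.append(position([smooth(tr, h) for tr in corr], correct))
    return metrics(raw), metrics(filtered)

if __name__ == "__main__":
    print("raw: %s\nfiltered: %s" % compare())
```

On this constructed data the raw ranking gives SR = 0.375 with an average correct position of 2.5, while the filtered ranking places the correct candidate first in every trial, because a one-sample spike is spread across the filter taps and a leak spanning more samples than the filter length is not.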
