Smart-Card Security under the Threat of Power Analysis Attacks Robert Sloan, U. Illinois Chicago Joint work with Tom Messerges and Ezzy Dabbish, Motorola Labs
Old Puzzle/Joke • Employee daily takes 1 brick in wheelbarrow to his car at quitting time. • Bricks are very cheap. • Why is he doing this? • Side channel...
Summary/Outline of Presentation • Review of Basic Concepts • Power analysis attacks • Smartcards • Review of Previous Power Analysis Work • Our Research • Initial results attacking smartcards • Modeling and strengthening DPA attacks • Power analysis attacks against public-key cryptosystems • A drop about countermeasures
Cryptography Review • Uses: Authentication, secrecy, integrity, nonrepudiation • Implementations: • Rotor machines: Hagelin, Enigma • Computers, special chips, smartcards
Modern Cryptography Review • Public algorithms • Security depends on secret key • Two main varieties (used for many things): • Public-key cryptography • Symmetric-key cryptography
Two kinds of Attacks • Traditional Mathematical Attacks • Algorithm modeled as ideal mathematical object • Attack would typically generalize • Attacks mostly theoretical rather than operational • Implementation Attacks • Physical implementation is attacked • Vulnerabilities are difficult to control • Attacks are often operational—historically used to crack ciphers • Attack strategies are specific and do not generalize
Power Analysis Attacks • Kocher et al., June 1998: Measure instantaneous power consumption of a device while it runs a cryptographic algorithm. • Power consumption differs when operating on logical ones vs. logical zeroes.
Smart Card Overview (1) • A smartcard is • credit-card size plastic with an embedded microprocessor (and memory) • “secure” against malicious tampering and monitoring
Smartcard Overview (2) • Typical smartcard at time of our research: • 8-bit CPU, 384 bytes RAM, 3–5 MHz clock rate • Upcoming: • 32-bit RISC CPU, 4 Kbytes RAM, 50 MHz clock
Smartcard Applications • Loyalty, financial, healthcare, government • Identification, electronic money, computer access • Access to physical items (e.g., buildings, cell phones)
Cryptography on smartcards • Symmetric: DES, 3DES, AES • Public-key: RSA, El-Gamal, Elliptic Curves • Physically secure storage device: • Passwords or keys • Personal Information • All sometimes susceptible to leakage attacks
Previous work • P. Kocher et al., June 1998. White paper, announcing new “Differential Power Attack (DPA)”, a statistical analysis of power consumption and stating “all commercially available” smartcards examined vulnerable. • Very sketchy high-level idea of how to do DPA attack against DES on smartcard.
Goals of our research • Establish ability to monitor and analyze power consumption information • Examine the leaked information and determine the extent of the problem • Study and implement newly announced DPA • Document DPA against DES on smartcard
Simple Power Analysis • (E.g., Kocher 1998) Attacker directly uses power consumption to learn bits of the secret key. Waveforms are visually examined. • Big features like rounds of DES, square vs. multiply in RSA exponentiation, and small features, like a bit value. • Relatively easy to defend against.
Experiment 1: SPA • Power trace of a load instruction on an HC05-based smartcard. • Hope: the voltage consumed will track the number of bit transitions, revealing Hamming weight. • Averaged 500 runs to reduce noise.
Cracking DES w/Hamming Leak • Proposition: If the attacker knows the Hamming weight of each of the k n-bit words of the secret key, then the brute-force search space is reduced from 2^(kn) to a much smaller one. DES example: 2^56 keys reduced to 2^40 (n = 8, k = 7).
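The following is an added worked example, not from the slides, that makes the proposition concrete: a key whose k n-bit words have known Hamming weights h_1..h_k can only be one of C(n, h_1) × ... × C(n, h_k) candidates, and averaging that count over uniformly random keys gives the 2^40 figure quoted for DES (k = 7 key bytes of n = 8 bits, parity bits ignored as on the slide). The functions are assumptions of this example; the DES numbers are the slide's.

```python
from math import comb, log2


def keys_consistent_with_weights(weights, n=8):
    """Number of keys whose k n-bit words have exactly the leaked Hamming
    weights: the product of binomial(n, h_i). This is what a brute-force
    search still has to cover once the weights are known."""
    total = 1
    for h in weights:
        total *= comb(n, h)
    return total


def average_consistent_keys(k=7, n=8):
    """Average of keys_consistent_with_weights over uniformly random keys.
    Each word contributes E[binomial(n, H)] = sum_h binomial(n, h)^2 / 2^n,
    and the k words are independent, so the average is that value to the k."""
    per_word = sum(comb(n, h) ** 2 for h in range(n + 1)) / 2 ** n
    return per_word ** k


def reduction_in_bits(k=7, n=8):
    """(log2 of the search space before the leak, log2 of it after)."""
    return k * n, log2(average_consistent_keys(k, n))


if __name__ == "__main__":
    before, after = reduction_in_bits()
    print(f"DES: 2^{before} keys -> about 2^{after:.1f} on average")
    # Least helpful leak for the attacker: every key byte has weight 4.
    print("all weights 4:", keys_consistent_with_weights([4] * 7))
```

The average works out to about 2^39.6, i.e., the slide's 2^40; the single worst case for the attacker (all seven bytes of weight 4) is 70^7, about 2^42.9, still far below 2^56, which is why a Hamming-weight leak alone is a serious loss of key entropy.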
New SPA attack on DES • (Half of) key is in C register and rotated on each round in deterministic way. • If we know when to measure the Hamming weights of the rotated key, we can solve set of equations to get entire key. • Similar algorithms with bigger keys (e.g., triple DES) also vulnerable to this attack.
Differential Power Analysis Definition: Differential Power Analysis (DPA): Attacker uses statistical techniques to detect tiny differences in power consumption and from them extract the bits of the secret key. The attacker doesn't need to know as many implementation details as for SPA.
DPA: Basic Idea • Attacker runs N encryptions on N randomly chosen plaintext inputs (PTI_i, 1 ≤ i ≤ N). • Collects discrete-time power signal S_i(n): a sampled version of the power consumption during the portion of the algorithm being attacked. • Also collects the ciphertext output CTO_i. • Partitions the S_i(n) by a 0-1 function D.
Partition/Selection • Function D(C, KI) depends on key information KI and ciphertext C. • D is some bit that the software must compute, e.g., D(C, KI) = C1 ⊕ SBOX1(C6 ⊕ K16). • Computed by software in round 16 of DES: • C1 = 1 bit of CTO_i that is XORed with SBOX #1's output; SBOX #1's input is K16 (6 bits of the round-16 subkey) XORed with C6 (6 bits of CTO_i).
Summary of initial results • (Messerges) designed and implemented power analysis equipment • Discovered that Hamming weight (or distance) information is leaking • Implemented and documented Kocher et al.’s DPA attack on an actual smartcard running DES. (N = 1,300, time ≈ 1 hour, equipment cost < $10K.)
Strengthening DPA attacks • Goal: Come up with stronger attack: use fewer signals to crack. • Idea: Filter noise from DPA bias signal • Math model first, then experimentally confirm!
Testing multiple-bit DPA • Ran 1-, 4-, and 8-bit DPA attacks, for 1 bit of SBOX output, all 4 bits of SBOX output, and 2 SBOX outputs. • Also tried partitioning S_0 from S_1 based on the 8 bits used as the address for the SBOX lookup. • HC05-based smartcard, N = 1,000
Tradeoff on number of signals • As the number of bits d used in a multiple-bit DPA attack goes up, the signal gets stronger, so fewer signals are needed. • But only those signals where the D function outputs d 0's or d 1's can be used; the rest are thrown away, i.e., only 2/2^d of them are usable. • For the same SNR as 1-bit DPA: N_d = 2^(d-1) N / d^2.
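As an added example (not from the slides or from the Motorola Labs work), here is a small leakage-evaluation harness for the partitioning described on the last few slides: synthetic single-sample "traces" are generated from a constructed Hamming-weight model of the S-box #1 output, the multi-bit DPA bias signal is computed for all 64 six-bit subkey guesses keeping only the traces whose predicted output bits are all 0 or all 1 (the 2/2^d usable fraction), and the same run is repeated against a device that XORs a fresh random mask into the S-box output, previewing the data-masking countermeasure listed at the end of the deck. The S-box table is the standard DES S1; the C1 ciphertext bit of the slide's D function is omitted because it is known to the attacker and only flips the partition labels. Function names, the trace model and its parameters are assumptions of this example.

```python
import random

# Standard DES S-box 1: row = outer two input bits, column = middle four.
SBOX1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox1(x):
    """4-bit S-box 1 output for a 6-bit input x (bit 5 is the first DES input bit)."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return SBOX1[row][col]


def hamming_weight(v):
    return bin(v).count("1")


def simulate_traces(key, n_traces, masked=False, sigma=1.0, seed=1):
    """Constructed leakage model, not real measurements: each trace is one sample
    taken where the S-box output is handled, equal to its Hamming weight plus
    Gaussian noise. With masked=True the device XORs a fresh random 4-bit mask
    into the output first, so the handled value is independent of the key."""
    rng = random.Random(seed)
    traces = []
    for _ in range(n_traces):
        c6 = rng.randrange(64)            # the 6 ciphertext bits feeding S-box 1
        out = sbox1(c6 ^ key)             # true S-box output inside the device
        if masked:
            out ^= rng.randrange(16)      # Boolean mask refreshed per execution
        traces.append((c6, hamming_weight(out) + rng.gauss(0.0, sigma)))
    return traces


def aggregate(traces):
    """Sum and count of samples per 6-bit input, so a guess costs 64 lookups."""
    sums, counts = [0.0] * 64, [0] * 64
    for c6, sample in traces:
        sums[c6] += sample
        counts[c6] += 1
    return sums, counts


def multibit_dpa_bias(sums, counts, guess, d_mask=0xF):
    """Multi-bit DPA bias for one subkey guess: predict the output bits selected
    by d_mask, keep only inputs where they are all 1 or all 0, and subtract the
    mean sample of the all-0 partition from that of the all-1 partition."""
    s1 = n1 = s0 = n0 = 0.0
    for c6 in range(64):
        if counts[c6] == 0:
            continue
        bits = sbox1(c6 ^ guess) & d_mask
        if bits == d_mask:
            s1 += sums[c6]
            n1 += counts[c6]
        elif bits == 0:
            s0 += sums[c6]
            n0 += counts[c6]
    if n0 == 0 or n1 == 0:
        return 0.0
    return s1 / n1 - s0 / n0


def rank_subkeys(traces, d_mask=0xF):
    """All 64 six-bit subkey guesses ordered by bias signal, strongest first."""
    sums, counts = aggregate(traces)
    scored = [(g, multibit_dpa_bias(sums, counts, g, d_mask)) for g in range(64)]
    return sorted(scored, key=lambda gb: gb[1], reverse=True)


if __name__ == "__main__":
    key = 0b101101
    for masked in (False, True):
        best, bias = rank_subkeys(simulate_traces(key, 20000, masked=masked))[0]
        print(f"masked={masked}: top guess {best:06b} (true {key:06b}), bias {bias:+.2f}")
```

With d_mask = 0xF (the "all 4 bits of SBOX output" run from the slide) the correct guess shows a bias of about 4 in the unmasked model, because its all-1 partition is exactly the traces where the device handled weight-4 values and its all-0 partition the weight-0 ones; every wrong guess mixes the two and scores strictly lower. Once the output is masked, every partition averages a weight of 2 regardless of the guess, and the largest bias over all 64 guesses is just noise. Setting d_mask to a single bit reproduces the 1-bit variant, which uses all traces but yields a bias of only about 1.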
Attacking Modular Exponentiation • Modular exponentiation is at heart of two-key, public-key cryptosystems • Square-and-multiply in RSA; analogous double-and-add in Elliptic Curve • Our Goal: Model, devise attacks, and implement attacks!
First Attempt: Just Correlation • Ran a simple correlation experiment: correlate the power signal from one multiply operation with the entire exponentiation's power signal. • Averaged 5,000 exponentiations with the same input value. • Revealed timing but not which operation was performed.
SEMD Attack • Single-Exponent Multiple-Data attack • Needs smartcard willing to do arbitrary number of exponentiations with both its secret key and supplied known key. E.g., supporting ISO 7816 “internal authenticate” and “external authenticate” commands. • Compare the two signals.
SEMD Attack (2) • Comparing the two signals hard, because square-and-multiply causes widely varying signal. • So average many trials and subtract one average from the other. • Parts of signals that are independent of exponent bits should have about same average so about 0 difference.
MESD Attack • Multiple-Exponent Single-Data (MESD) Attack: Requires that the smartcard will exponentiate a constant value (not necessarily known to the attacker) with exponents chosen by the attacker. • Goal is to get better SNR than the SEMD attack. • Learns bits one at a time.
MESD Attack Algorithm • Collect S_M[j] for raising M to the secret exponent e. • Set e_g = 0. • For i = n-1 down to 0: • Collect S_0[j] with the guess that the i-th bit of e_g is 0. • Collect S_1[j] with the guess that the i-th bit of e_g is 1. • Calculate 2 DPA bias signals: D_0[j] = S_M[j] - S_0[j] and D_1[j] = S_M[j] - S_1[j]. • Update the i-th bit of e_g to DPA's answer.
ZEMD Attack • Zero-Exponent, Multiple-Data (ZEMD) attack: Similar to MESD, but different assumptions. • Does not require adversary to know any exponents. • Instead, must know particular exponentiation algorithm being used (only a few common ones).
ZEMD attack (2) • Learn the secret exponent one bit at a time. • Choose many arbitrary values M and simulate i steps of the exponentiation, guessing the i-th bit is 1. • Create the DPA bias signal by comparing to the first i steps of the smartcard's run on M, based on the Hamming weight of the answer.
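The attacks on the last several slides all hinge on exponentiation doing one square, and a multiply only when the exponent bit is 1. The following added example (not from the slides) records the operation sequence of textbook left-to-right square-and-multiply, reads the exponent back from that sequence, which is the pattern an SPA waveform exposes, and contrasts it with a Montgomery ladder, a regular exponentiation that does the same two operations for every bit. The ladder and all function names are assumptions of this example, not something the slides propose; note that it only removes the operation-sequence difference, while the SEMD/MESD/ZEMD bias signals depend on the data values being processed, which a regular sequence alone does not hide.

```python
def square_and_multiply(base, exponent, modulus, log):
    """Left-to-right binary exponentiation. Every modular operation it performs
    is appended to log as 'S' (square) or 'M' (multiply), so log is the
    operation pattern a power trace of this routine would show."""
    result = 1
    for bit in bin(exponent)[2:]:
        result = result * result % modulus
        log.append("S")
        if bit == "1":
            result = result * base % modulus
            log.append("M")
    return result


def montgomery_ladder(base, exponent, modulus, log):
    """Regular exponentiation (assumed countermeasure, not from the slides):
    one multiply and one square per bit whatever the bit value, so the
    operation sequence depends only on the exponent length."""
    r0, r1 = 1, base % modulus            # invariant: r1 == r0 * base
    for bit in bin(exponent)[2:]:
        if bit == "1":
            r0 = r0 * r1 % modulus
            r1 = r1 * r1 % modulus
        else:
            r1 = r0 * r1 % modulus
            r0 = r0 * r0 % modulus
        log.extend(["M", "S"])
    return r0


def exponent_from_operations(log):
    """Read the exponent back from a square-and-multiply operation sequence:
    each 'S' opens a new bit (provisionally 0); an 'M' right after it sets it."""
    bits = []
    for op in log:
        if op == "S":
            bits.append("0")
        elif op == "M" and bits:
            bits[-1] = "1"
    return int("".join(bits), 2) if bits else 0


if __name__ == "__main__":
    base, modulus = 7, 101
    for e in (0b1011, 0b1101):
        sm_log, ladder_log = [], []
        square_and_multiply(base, e, modulus, sm_log)
        montgomery_ladder(base, e, modulus, ladder_log)
        print(f"e={e:04b}: square-and-multiply {''.join(sm_log)} "
              f"-> recovered {exponent_from_operations(sm_log):04b}; "
              f"ladder {''.join(ladder_log)}")
```

For two exponents of equal length the square-and-multiply logs differ and each one yields its exponent, whereas the ladder logs are identical, which is exactly the property SPA needs to be absent.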
Countermeasures for Power Analysis Attacks • Software Countermeasures • Time randomization: add random delays • Permuted execution • Data Masking Techniques • Hardware Countermeasures • Noise generation, power signal filtering, novel circuit designs • But must consume some energy to process data