
Showing papers on "Power analysis published in 2002"


Journal ArticleDOI
TL;DR: In this paper, the authors examined the noise characteristics of the power signals and developed an approach to model the signal-to-noise ratio (SNR) using a multiple-bit attack.
Abstract: This paper examines how monitoring power consumption signals might breach smart-card security. Both simple power analysis and differential power analysis attacks are investigated. The theory behind these attacks is reviewed. Then, we concentrate on showing how power analysis theory can be applied to attack an actual smart card. We examine the noise characteristics of the power signals and develop an approach to model the signal-to-noise ratio (SNR). We show how this SNR can be significantly improved using a multiple-bit attack. Experimental results against a smart-card implementation of the Data Encryption Standard demonstrate the effectiveness of our multiple-bit attack. Potential countermeasures to these attacks are also discussed.

1,554 citations


Book ChapterDOI
13 Aug 2002
TL;DR: A technology to block a new class of optical fault-induction attacks on secure microcontrollers and smartcards, whereby a logical 1 or 0 is not encoded by a high or low voltage on a single line, but by (HL) or (LH) on a pair of lines.
Abstract: We describe a new class of attacks on secure microcontrollers and smartcards. Illumination of a target transistor causes it to conduct, thereby inducing a transient fault. Such attacks are practical; they do not even require expensive laser equipment. We have carried them out using a flashgun bought second-hand from a camera store for $30 and with an $8 laser pointer. As an illustration of the power of this attack, we developed techniques to set or reset any individual bit of SRAM in a microcontroller. Unless suitable countermeasures are taken, optical probing may also be used to induce errors in cryptographic computations or protocols, and to disrupt the processor's control flow. It thus provides a powerful extension of existing glitching and fault analysis techniques. This vulnerability may pose a big problem for the industry, similar to those resulting from probing attacks in the mid-1990s and power analysis attacks in the late 1990s. We have therefore developed a technology to block these attacks. We use self-timed dual-rail circuit design techniques whereby a logical 1 or 0 is not encoded by a high or low voltage on a single line, but by (HL) or (LH) on a pair of lines. The combination (HH) signals an alarm, which will typically reset the processor. Circuits can be designed so that single-transistor failures do not lead to security failure. This technology may also make power analysis attacks very much harder too.

828 citations


Book ChapterDOI
13 Aug 2002
TL;DR: It is shown that not only can EM emanations be used to attack cryptographic devices where the power side-channel is unavailable, they can even be used to break power analysis countermeasures.
Abstract: We present results of a systematic investigation of leakage of compromising information via electromagnetic (EM) emanations from CMOS devices. These emanations are shown to consist of a multiplicity of signals, each leaking somewhat different information about the underlying computation. We show that not only can EM emanations be used to attack cryptographic devices where the power side-channel is unavailable, they can even be used to break power analysis countermeasures.

778 citations


Book ChapterDOI
13 Aug 2002
TL;DR: It is shown that the multiplicative masking method can be modified so as to provide resistance to differential power analysis of nonideal but controllable security level, at the expense of increased computational complexity.
Abstract: The recently proposed multiplicative masking countermeasure against power analysis attacks on AES is interesting as it does not require the costly recomputation and RAM storage of S-boxes for every run of AES. This is important for applications where the available space is very limited such as the smart card applications. Unfortunately, it is here shown that this method is in fact inherently vulnerable to differential power analysis. However, it is also shown that the multiplicative masking method can be modified so as to provide resistance to differential power analysis of nonideal but controllable security level, at the expense of increased computational complexity. Other possible random masking methods are also discussed.

304 citations


Book ChapterDOI
28 Nov 2002
TL;DR: In this article, a simple power analysis (SPA) attack on implementations of the AES key expansion is presented, which reveals the secret key of AES software implementations on smart cards by exploiting the fact that the power consumption of most smart-card processors leaks information during the key expansion.
Abstract: This article presents a simple power-analysis (SPA) attack on implementations of the AES key expansion. The attack reveals the secret key of AES software implementations on smart cards by exploiting the fact that the power consumption of most smart-card processors leaks information during the AES key expansion. The presented attack efficiently utilizes this information leakage to substantially reduce the key space that needs to be considered in a brute-force search for the secret key. The details of the attack are described on the basis of smart cards that leak the Hamming weight of intermediate results occurring during the AES key expansion.

189 citations


Book ChapterDOI
13 Aug 2002
TL;DR: This paper proposes an alternative DPA using the addresses of registers of elliptic curve based cryptosystems (ECC) implemented on smart cards that works against scalar exponentiations even if the implementation is resistant against the data-based DPA.
Abstract: The differential power analysis (DPA) is a powerful attack against the implementation of cryptographic schemes on mobile devices. This paper proposes an alternative DPA using the addresses of registers of elliptic curve based cryptosystems (ECC) implemented on smart cards. We call the analysis the address-bit DPA in this paper. The analysis was originally investigated by Messerges, Dabbish and Sloan; however, it was thought to be of no effect if the intermediate data are randomized. We extend the analysis and show how the extended analysis works against scalar exponentiations even if the implementation is resistant against the data-based DPA. We show experimental results of our analysis of cryptographic schemes OK-ECDH and OK-ECDSA, which are candidates of the CRYPTREC project in Japan, and evidence of their weakness.

107 citations


Book ChapterDOI
12 Feb 2002
TL;DR: An adaptive chosen-ciphertext attack on a smart card implementation of the RSA decryption algorithm in the presence of side-channel information leakage is described, and the findings can be used to eventually improve future implementations of fast RSA decryption.
Abstract: We describe an adaptive chosen-ciphertext attack on a smart card implementation of the RSA decryption algorithm in the presence of side-channel information leakage. We studied the information leakage through power consumption variation. Simple power analysis (SPA) of the smart card that is widely used for secure Internet banking, Web access and remote access to corporate networks, revealed macro characteristics caused by improper implementation of Chinese remaindering. The findings can be used to eventually improve future implementations of fast RSA decryption.

88 citations


Book ChapterDOI
13 Aug 2002
TL;DR: A DPA attack that uses byte-wise hypotheses on the remainder after the modular reduction with one of the primes, named MRED ("Modular Reduction on Equidistant Data"), is presented; multiplicative message blinding can protect the reduction modulo a secret prime against MRED.
Abstract: Published DPA attack scenarios against the RSA implementation exploit the possibility of predicting intermediate data during a straightforward square-multiply exponentiation algorithm. An implementation of RSA using CRT (Chinese Remainder Theorem) prevents the pre-calculation of intermediate results during the exponentiation algorithm by an attacker. In this paper, we present a DPA attack that uses byte-wise hypotheses on the remainder after the modular reduction with one of the primes. Instead of using random input data this attack uses k series of input data with an equidistant step distance of 1, 256, 256^2, ..., 256^k. The basic assumption of this DPA attack named MRED ("Modular Reduction on Equidistant Data") is that the distance of the input data equals the distance of the intermediate data after the modular reduction at least for a subgroup of single measurements. A function F_k that is composed of the k DPA results is used for the approximation of a multiple of the prime. Finally the gcd gives the prime. The number of DPA calculations increases linearly with the number of bytes of the prime to be attacked. MRED is demonstrated using simulated measurement data. The practical efficiency is assessed. If the applicability of this attack is limited due to padding formats in RSA signature applications, the least significant bytes of the remainder after the modular reduction step can still be revealed. Multiplicative message blinding can protect the reduction modulo a secret prime against MRED.

84 citations


Book ChapterDOI
13 Aug 2002
TL;DR: A study of software counter measures against side channel attacks for elliptic curve cryptosystems is presented, and two new counter measures are introduced, namely, homogeneous group operations and a non-deterministic method of point exponentiation with precomputations.
Abstract: Many software implementations of public key cryptosystems have been concerned with efficiency. The advent of side channel attacks, such as timing and power analysis attacks, force us to reconsider the strategy of implementation of group arithmetic. This paper presents a study of software counter measures against side channel attacks for elliptic curve cryptosystems. We introduce two new counter measures. The first is a new implementation technique, namely, homogeneous group operations, which has the property that addition and doubling on elliptic curves cannot be distinguished from side channel analysis. Being inexpensive time-wise, this technique is an alternative to a well-known Montgomery ladder. The second is a non-deterministic method of point exponentiation with precomputations. Although requiring rather large ROM, it provides an effective resistance against high-order power analysis attacks for the price of index re-computations and ROM accesses. An experimental implementation of NIST-recommended elliptic curves over binary fields with a balanced suite of counter measures built in to the group arithmetic is presented, and the penalty paid is analyzed. The results of the implementation in C on an AMD Duron 600 MHz running Linux are included in the paper.

68 citations


Book ChapterDOI
13 Aug 2002
TL;DR: Exploration of power attack resistance is presented, using a statistical approach for identifying regions of the power trace which pose a possible security threat, and a new metric supporting small timing shifts and complex processor architectures is presented.
Abstract: With the popularity of wireless communication devices a growing new important dimension of embedded systems design is that of security. This paper presents exploration of power attack resistance, using a statistical approach for identifying regions of the power trace which pose a possible security threat. Unlike previous power analysis research, a new metric supporting small timing shifts and complex processor architectures is presented. This research helps to identify how to create secure implementations of software. Elliptic curve point multiplications using the Weierstrass curve and Jacobi form over 192-bit prime fields were implemented and analyzed. Over 60 real measured power traces of elliptic curve point multiplications running at 100MHz on a DSP VLIW processor core were analyzed. Modification of power traces through software design was performed to maximize resistance to power attacks in addition to improving energy dissipation and performance by 44% with a 31% increase in code size. This research is important for industry since efficient yet secure cryptography is crucial for wireless communication embedded system devices and future IP enabled smart cards.

62 citations


Proceedings ArticleDOI
17 Jul 2002
TL;DR: This work describes the addition of a specialised processor pipeline stage which increases the level of potential non-determinism and hence guards against the revelation of secret information in differential power analysis.
Abstract: Differential power analysis (DPA) has become a real-world threat to the security of cryptographic hardware devices such as smart-cards. By using cheap and readily available equipment, attacks can easily compromise algorithms running on these devices in a non-invasive manner. Adding non-determinism to the execution of cryptographic algorithms has been proposed as a defence against these attacks. One way of achieving this non-determinism is to introduce random additional operations to the algorithm which produce noise in the power profile of the device. We describe the addition of a specialised processor pipeline stage which increases the level of potential non-determinism and hence guards against the revelation of secret information.

Book ChapterDOI
30 Sep 2002
TL;DR: This paper shows Moller's countermeasure is vulnerable to a second-order differential power analysis attack, and compares the original method and improved countermeasure in terms of the computational intractability and the computational cost of the scalar multiplication.
Abstract: Moller proposed a countermeasure using window method against side channel attacks. However, its immunity to side channel attacks is still controversial. In this paper, we show Moller's countermeasure is vulnerable to a second-order differential power analysis attack. A side channel attack is an attack that takes advantage of information leaked during execution of a cryptographic procedure. An nth-order differential power analysis attack is the side channel attack which uses n different leaked data that correspond to n different intermediate values during the execution. Our proposed attack against Moller's countermeasure finds out the use of same elliptic points, and restricts candidates of the secret scalar value. In these circumstances, the attack completely detects the scalar value using Baby-Step-Giant-Step method as a direct-computational attack. For a 160-bit scalar value, the proposed attack restricts the number of candidates of the scalar to a 45-bit integer, and the direct-computational attack can actually detect the scalar value. Besides, we improve Moller's countermeasure to prevent the proposed attack. We compare the original method and improved countermeasure in terms of the computational intractability and the computational cost of the scalar multiplication.

Journal ArticleDOI
18 Jul 2002-Nature
TL;DR: In this paper, Erica Klarreich finds out how quantum cryptography made it from the lab to the marketplace, as practical products emerge from the weird world of quantum mechanics.
Abstract: Practical products are about to emerge from the weird world of quantum mechanics. Erica Klarreich finds out how quantum cryptography made it from the lab to the marketplace

Journal Article
TL;DR: In this paper, a simulated annealing attack on Pointcheval's Permuted Perceptron Problem (PPP) identification scheme is presented, in which fault injection and timing analysis are interpreted against the analysis technique itself; all recommended sizes of the PPP schemes are shown to be unsafe.
Abstract: Attacks on cryptosystem implementations (e.g. security fault injection, timing analysis and differential power analysis) are amongst the most exciting developments in cryptanalysis of the past decade. Altering the internal state of a cryptosystem or profiling the system's computational dynamics can be used to gain a huge amount of information. This paper shows how fault injection and timing analysis can be interpreted for a simulated annealing attack on Pointcheval's Permuted Perceptron Problem (PPP) identification schemes. The work is unusual in that it concerns fault injection and timing analysis on an analysis technique. All recommended sizes of the PPP schemes are shown to be unsafe.

Book ChapterDOI
02 May 2002
TL;DR: This paper shows how fault injection and timing analysis can be interpreted for a simulated annealing attack on Pointcheval's Permuted Perceptron Problem (PPP) identification schemes.
Abstract: Attacks on cryptosystem implementations (e.g. security fault injection, timing analysis and differential power analysis) are amongst the most exciting developments in cryptanalysis of the past decade. Altering the internal state of a cryptosystem or profiling the system's computational dynamics can be used to gain a huge amount of information. This paper shows how fault injection and timing analysis can be interpreted for a simulated annealing attack on Pointcheval's Permuted Perceptron Problem (PPP) identification schemes. The work is unusual in that it concerns fault injection and timing analysis on an analysis technique. All recommended sizes of the PPP schemes are shown to be unsafe.

Patent
03 May 2002
TL;DR: A coding device for implementing a cryptographic encryption and/or access authorization includes a data processing unit, decoupling unit, a power supply interface, a main clock supply unit, and a power profile generator.
Abstract: A coding device for implementing a cryptographic encryption and/or access authorization includes a data processing unit, a decoupling unit, a power supply interface, a main clock supply unit, and a power profile generator generating a power profile and superimposing it on a power profile of the data processing unit to prevent an attack by correlation analysis of the power profile.

01 Jan 2002
TL;DR: It is proved that there exists a one-to-one correspondence between power trace and XTR operation sequence and it is shown how simple power analysis attack helps reduce the search space for two input exponents.
Abstract: A security analysis of XTR exponentiation algorithms against simple power analysis attack is presented. Under very reasonable assumptions, we prove that there exists a one-to-one correspondence between power trace and XTR operation sequence. With this result and our observations on the behavior of the simultaneous XTR double exponentiation, we show how simple power analysis attack helps reduce the search space for two input exponents. Our experimental results show that it takes U^1.25 tries for determining both exponents where U = max(a, b) and a, b are the input exponents. Moreover we show that it takes U^0.625 tries for an adversary until he/she correctly finds the secret key used in two XTR single exponentiation algorithms presented in [16]. We also point out a calculation error in [14] and discuss the effectiveness of the Markov method in the attack described here.

Book ChapterDOI
14 Oct 2002
TL;DR: It is shown that implementing addition in cryptographic devices must be done very carefully as it might leak secret keys used for encryption, and the simple key schedule of certain algorithms combined with the usage of addition might be a serious danger.
Abstract: It is believed that masking is an effective countermeasure against power analysis attacks: before a certain operation involving a key is performed in a cryptographic chip, the input to this operation is combined with a random value. This has to prevent leaking information since the input to the operation is random. We show that this belief might be wrong. We present a Hamming weight attack on an addition operation. It works with random inputs to the addition circuit, hence masking even helps in the case when we cannot control the plaintext. It can be applied to any round of the encryption. Even with moderate accuracy of measuring power consumption it determines explicitly subkey bits. The attack combines the classical power analysis (over Hamming weight) with the strategy of the saturation attack performed using a random sample. We conclude that implementing addition in cryptographic devices must be done very carefully as it might leak secret keys used for encryption. In particular, the simple key schedule of certain algorithms (such as IDEA and Twofish) combined with the usage of addition might be a serious danger.

Book ChapterDOI
01 Jan 2002
TL;DR: The presented methodologies have been implemented in the SYMTA tool suite which has been applied in a variety of experiments including path analysis, cache analysis and architecture modeling.
Abstract: The presented methodologies have been implemented in the SYMTA tool suite which has been applied in a variety of experiments including path analysis, cache analysis and architecture modeling. Experiments with the single tools as well as overall process-level analysis of running time, power consumption and communicated data intervals are presented in this chapter. The first part focuses on general behavioral interval analysis before detailed software power analysis results are presented in the second part.

Book ChapterDOI
15 May 2002
TL;DR: In this paper, a complete methodology to estimate power consumption at the C level for off-the-shelf processors is introduced, which relies on Functional-Level Power Analysis and results in a power model of the processor that describes the consumption variations relative to algorithmic and configuration parameters.
Abstract: A complete methodology to estimate power consumption at the C level for off-the-shelf processors is introduced. It relies on the Functional-Level Power Analysis, which results in a power model of the processor that describes the consumption variations relative to algorithmic and configuration parameters. Some parameters can be predicted directly from the C algorithm with simple assumptions on the compilation. Maximum and minimum bounds for power consumption are obtained, together with a very accurate estimation; for the TI C6x, a maximum error of 6% against measurements is obtained for classical digital signal processing algorithms. Estimation results are summarized on a consumption map; the designer can compare the algorithm consumption, and its variations, with the application constraints.

Patent
25 Apr 2002
TL;DR: In this article, a method for encrypting an elliptic curve to prevent a power analysis attack is provided to reduce the calculation amount of an existing power analysis method, simplify a structure of a circuit, and prevent the power analysis attacks by performing an encryption method using a selected binary code and an arbitrary point on an elliptical curve.
Abstract: PURPOSE: A method for encrypting an elliptic curve to prevent a power analysis attack is provided to reduce the calculation amount of an existing power analysis method, simplify a structure of a circuit, and prevent the power analysis attack by performing an encryption method using a selected binary code and an arbitrary point on an elliptic curve. CONSTITUTION: A random number generation process is performed to generate r as a random number(403). A predetermined binary code c is generated from plural binary codes having the same value as a secret key d(404). The predetermined binary code c is selected according to a value of the random number r. A calculation process for cP is performed by using the selected binary code c and an arbitrary point P on an elliptic curve(405-409).

Proceedings ArticleDOI
12 Aug 2002
TL;DR: This paper proposes two techniques for improving the accuracy of gate-level power analysis for system-on-a-chip (SoC) with real-time constraints.
Abstract: This paper proposes two techniques for improving the accuracy of gate-level power analysis for system-on-a-chip (SoC): (1) the creation of custom wire load models for clock nets; and (2) the use of layout information (actual net capacitance and input signal transition time). The analysis time is reduced to less than one three-hundredth of the transistor-level power analysis time. The error is within 5% of that of a real chip (the same level as in transistor-level power analysis) if technique (2) is used. The analytical error between technique (1) and (2) is within 1%.

Journal ArticleDOI
TL;DR: The objective of the present work is to explore cryptographic techniques with the goal of raising the cost (in terms of time and money) of carrying out the EEPROM modification attack by class I attackers, at least to a point where it is as prohibitive as the cost of purchasing more expensive equipment.
Abstract: In 1997, Anderson and Kuhn described an attack against tamper-resistant devices wherein a secret key stored in EEPROM is compromised using a simple and low-cost attack. The attack consists of setting bits in the EEPROM using low-cost probes and observing the effect on the output of the device. These attacks are extremely general, as they apply to virtually any cryptosystem. The objective of the present work is to explore cryptographic techniques with the goal of raising the cost (in terms of time and money) of carrying out the EEPROM modification attack by class I attackers, at least to a point where it is as prohibitive as the cost of purchasing more expensive equipment. We propose the m-permutation protection scheme in which the key will be encoded in a special way and burned into the EEPROM of the device. To attack the scheme, the attacker needs to be able to solve for K in the equation KP, in which P's are unknown. It is observed that the m-permutation protection scheme does not distribute the key K uniformly. However, analysis shows that or are already good enough practically to provide strong security if the encoding is done properly, and that may not give significant improvement to the security of the scheme. Copyright © 2002 John Wiley & Sons, Ltd.

Journal ArticleDOI
TL;DR: An empirical algorithm applied to logic level power analysis in deep submicron VLSI designs is introduced and a new method for representing state-dependent power models is introduced to reduce the complexity of power modeling and to improve the performance of power analysis.
Abstract: An empirical algorithm applied to logic level power analysis in deep submicron VLSI designs is introduced in the paper. The method explores a static analysis strategy using unit functions to represent signal transitions. It can be extended to the use of a Register Transfer Level (RTL) power analysis after RTL codes are translated to Boolean equations. A new method for representing state-dependent power models is also introduced in the paper to reduce the complexity of power modeling and to improve the performance of power analysis. The modeling method supports not only the empirical power analysis, but also general simulation-based power analysis methods.


Book ChapterDOI
25 Aug 2002
TL;DR: A new method to integrate low power analysis into high-level synthesis that allows the determination of dedicated turn-on and turn-off mechanism and the optimisation of power consumption is simultaneously improved with the design delay.
Abstract: This paper describes a new method to integrate low power analysis into high-level synthesis. We addressed especially a specific analysis technique within the scheduling task of high-level synthesis. The analysis technique allows the determination of dedicated turn-on and turn-off mechanism. Therefore, the optimisation of power consumption is simultaneously improved with the design delay.

Posted Content
TL;DR: This paper contains a new side channel attack on a plaintext encrypted by EME-OAEP PKCS#1 v.2.1 and a general idea of fault-based attacks on the RSA-KEM scheme, and presents two particular attacks as examples.
Abstract: This paper contains three parts. In the first part we present a new side channel attack on plaintext encrypted by EME-OAEP PKCS#1 v.2.1. In contrast with Manger's attack, we attack that part of the plaintext which is shielded by the OAEP method. In the second part we show that Bleichenbacher's and Manger's attacks on the RSA encryption schemes PKCS#1 v.1.5 and EME-OAEP PKCS#1 v.2.1 can be converted to an attack on the RSA signature scheme with any message encoding (not only PKCS). This is a new threat for those implementations of PKI in which the roles of signature and encryption keys are not strictly separated. This situation is often encountered in the SSL protocol used to secure access to web servers. In the third part we deploy a general idea of fault-based attacks on the RSA-KEM scheme and present two particular attacks as examples. The result is the private key instead of the plaintext as with attacks on PKCS#1 v.1.5 and v.2.1. These attacks should highlight the fact that the RSA-KEM scheme is not an entirely universal solution to problems of RSAES-OAEP implementation and that even here the manner of implementation is significant. Category / Keywords: public-key cryptography / side channel attack, confirmation oracle, RSA-KEM, RSAES-OAEP, PKCS#1 v.1.5, PKCS#1 v.2.1, Bleichenbacher's attack, Manger's attack, power analysis, fault analysis.