Transmission gate based dual rail logic for differential power analysis resistant circuits

Cryptographic devices with hardware implementation of the algorithms are increasingly being used in various applications. As a consequence, there is an increased need for security against the attacks on the cryptographic system. Among various attack techniques, side channel attacks pose a significant threat to the hardware implementation. Power analysis attacks are a type of side channel attack where the power leakage from the underlying hardware is used to eavesdrop on the hardware operation. Wave pipelined differential and dynamic logic (WDDL) has been found to be an effective countermeasure to power analysis. This thesis studies the use of transmission gate based WDDL implementation for the differential and dynamic logic. Although WDDL is an effective defense against power analysis, the number of gates needed for the design of a secure implementation is double the number of gates used for non-secure operations. In this thesis we propose transmission gate based structures for implementation of wave pipelined dynamic and differential logic to minimize the overhead of this defense against power analysis attacks. A transmission gate WDDL design methodology is presented, and the design and analysis of a secure multiplier is given. The adder structures are compared in terms of security effectiveness and silicon area overhead for three cases: unsecured logic implementation, standard gate WDDL, and transmission gate WDDL. In simulation, the transmission gate WDDL design is seen to have similar power consumption results compared to the standard gate WDDL; however, the transmission gate based circuit uses 10-50% fewer gates compared to the static WDDL

On the security of embedded systems against side-channel attacks

Side-Channel Analysis (SCA) represents a serious threat to the security of millions of smart devices that form part of the so-called Internet of Things (IoT). On the other hand, perform the "right- fitting" cryptographic code for the IoT is a highly challenging task due to the reduced resource constraints of must of the IoT devices and the variety of cryptographic algorithms on disposal. An important criterion to assess the suitability of a light-weight cipher implementation, with respect to the SCA point of view, is the amount of energy leakage available to an adversary. In this thesis, the efficiency of a selected function that is commonly used in AES implementations in the perspective of Correlation Power Analysis (CPA) attacks are analyzed, leading to focus on the very common situation where the exact time of the sensitive processing is drowned in a large number of leakage points. In the particular case of statistical attacks, much of the existing literature essentially develop the theory under the assumption that the exact sensitive time is known and cannot be directly applied when the latter assumption is relaxed, being such a particular aspect for the simple Differential Power Analysis (DPA) in contrast with the CPA. To deal with this issue, an improvement that makes the statistical attack a real alternative compared with the simple DPA has been proposed. For the power consumption model (Hamming Weight model), and by rewriting the simple DPA attacks in terms of correlation coefficients between Boolean functions. Exhibiting properties of S-boxes relied on CPA attacks and showing that these properties are opposite to the non-linearity criterion and to the propagation criterion assumed for the former DPA. In order to achieve this goal, the study has been illustrated by various attack experiments performed on several copies implementations of the light-weight AES chipper in a well-known micro-controller educative platform within an 8-bit processor architecture deployed on a 350 nanometers CMOS technology. The Side-channel attacks presented in this work have been set in ideal conditions to capture the full complexity of an attack performed in real-world conditions, showing that certain implementation aspects can influence the leakage levels. On the other side, practical improvements are proposed for specific contexts by exploring the relationship between the non-linearity of the studied selection function and the measured leakages, with the only pretension to bridge the gap between the theory and the practice. The results point to new enlightenment on the resilience of basic operations executed by common light-weight ciphers implementations against CPA attacks

Exploitation of Unintentional Information Leakage from Integrated Circuits

Unintentional electromagnetic emissions are used to recognize or verify the identity of a unique integrated circuit (IC) based on fabrication process-induced variations in a manner analogous to biometric human identification. The effectiveness of the technique is demonstrated through an extensive empirical study, with results presented indicating correct device identification success rates of greater than 99:5%, and average verification equal error rates (EERs) of less than 0:05% for 40 near-identical devices. The proposed approach is suitable for security applications involving commodity commercial ICs, with substantial cost and scalability advantages over existing approaches. A systematic leakage mapping methodology is also proposed to comprehensively assess the information leakage of arbitrary block cipher implementations, and to quantitatively bound an arbitrary implementation\u27s resistance to the general class of differential side channel analysis techniques. The framework is demonstrated using the well-known Hamming Weight and Hamming Distance leakage models, and approach\u27s effectiveness is demonstrated through the empirical assessment of two typical unprotected implementations of the Advanced Encryption Standard. The assessment results are empirically validated against correlation-based differential power and electromagnetic analysis attacks

Side Channel Leakage Analysis - Detection, Exploitation and Quantification

Nearly twenty years ago the discovery of side channel attacks has warned the world that security is more than just a mathematical problem. Serious considerations need to be placed on the implementation and its physical media. Nowadays the ever-growing ubiquitous computing calls for in-pace development of security solutions. Although the physical security has attracted increasing public attention, side channel security remains as a problem that is far from being completely solved. An important problem is how much expertise is required by a side channel adversary. The essential interest is to explore whether detailed knowledge about implementation and leakage model are indispensable for a successful side channel attack. If such knowledge is not a prerequisite, attacks can be mounted by even inexperienced adversaries. Hence the threat from physical observables may be underestimated. Another urgent problem is how to secure a cryptographic system in the exposure of unavoidable leakage. Although many countermeasures have been developed, their effectiveness pends empirical verification and the side channel security needs to be evaluated systematically. The research in this dissertation focuses on two topics, leakage-model independent side channel analysis and security evaluation, which are described from three perspectives: leakage detection, exploitation and quantification. To free side channel analysis from the complicated procedure of leakage modeling, an observation to observation comparison approach is proposed. Several attacks presented in this work follow this approach. They exhibit efficient leakage detection and exploitation under various leakage models and implementations. More importantly, this achievement no longer relies on or even requires precise leakage modeling. For the security evaluation, a weak maximum likelihood approach is proposed. It provides a quantification of the loss of full key security due to the presence of side channel leakage. A constructive algorithm is developed following this approach. The algorithm can be used by security lab to measure the leakage resilience. It can also be used by a side channel adversary to determine whether limited side channel information suffices the full key recovery at affordable expense

From Improved Leakage Detection to the Detection of Points of Interests in Leakage Traces

Leakage detection usually refers to the task of identifying data-dependent information in side-channel measurements, independent of whether this information can be exploited. Detecting Points-Of-Interest (POIs) in leakage traces is a complementary task that is a necessary first step in most side-channel attacks, where the adversary wants to turn this information into (e.g.) a key recovery. In this paper, we discuss the differences between these tasks, by investigating a popular solution to leakage detection based on a t-test, and an alternative method exploiting Pearson\u27s correlation coefficient. We first show that the simpler t-test has better sampling complexity, and that its gain over the correlation-based test can be predicted by looking at the Signal-to-Noise Ratio (SNR) of the leakage partitions used in these tests. This implies that the sampling complexity of both tests relates more to their implicit leakage assumptions than to the actual statistics exploited. We also put forward that this gain comes at the cost of some intuition loss regarding the localization of the exploitable leakage samples in the traces, and their informativeness. Next, and more importantly, we highlight that our reasoning based on the SNR allows defining an improved t-test with significantly faster detection speed (with approximately 5 times less measurements in our experiments), which is therefore highly relevant for evaluation laboratories. We finally conclude that whereas t-tests are the method of choice for leakage detection only, correlation-based tests exploiting larger partitions are preferable for detecting POIs. We confirm this intuition by improving automated tools for the detection of POIs in the leakage measurements of a masked implementation, in a black box manner and without key knowledge, thanks to a correlation-based leakage detection test

Countermeasure implementation and effectiveness analysis for AES resistance against side channel attacks

Side Channel Analysis (SCA) is composed of a bunch of techniques employed to extract secret information from hardware operations through statistical analyses of execution data. For instance, the secret key of a crypto-algorithmic implementation could be targeted and its value could be retrieved. The data is obtained by measuring the power consumption or electromagnetic radiation of a device while performing an operation due to the linear relationship between the currents flowing through the circuitry during the execution of chip operations. Side channel is one of the most widely used attack methods in cryptanalysis. In order to avoid such attacks, the algorithmic implementations can be protected from side channel leakage with the use of different countermeasures. These countermeasures can be built on either software or hardware. The objective is to reduce, or even completely eliminate, the leakage of the device related to confidential data. Generally speaking, there are two main approaches to do so. The first aims to reduce the side channel observability, while the second intends to undermine the predictability of the data. This project focuses on designing and implementing different countermeasures that protect cryptographic implementations from side channel attacks, and test and analyze them afterwards. The countermeasures will be implemented in software and then tested though Correlation Power Analysis in a hardware device. The Advanced Encryption Standard (AES) algorithm will be used as a base structure, in order to improve its cryptographic security with the different countermeasures designed. However, the election of AES does not reduce the scope of this project since the implemented countermeasures could be applied to other cryptographic algorithms as well

LeakyOhm: Secret Bits Extraction using Impedance Analysis

The threats of physical side-channel attacks and their countermeasures have been widely researched. Most physical side-channel attacks rely on the unavoidable influence of computation or storage on current consumption or voltage drop on a chip. Such data-dependent influence can be exploited by, for instance, power or electromagnetic analysis. In this work, we introduce a novel non-invasive physical side-channel attack, which exploits the data-dependent changes in the impedance of the chip. Our attack relies on the fact that the temporarily stored contents in registers alter the physical characteristics of the circuit, which results in changes in the die's impedance. To sense such impedance variations, we deploy a well-known RF/microwave method called scattering parameter analysis, in which we inject sine wave signals with high frequencies into the system's power distribution network (PDN) and measure the echo of the signals. We demonstrate that according to the content bits and physical location of a register, the reflected signal is modulated differently at various frequency points enabling the simultaneous and independent probing of individual registers. Such side-channel leakage challenges the $t$-probing security model assumption used in masking, which is a prominent side-channel countermeasure. To validate our claims, we mount non-profiled and profiled impedance analysis attacks on hardware implementations of unprotected and high-order masked AES. We show that in the case of the profiled attack, only a single trace is required to recover the secret key. Finally, we discuss how a specific class of hiding countermeasures might be effective against impedance leakage

Evaluation of the Single Keybit Template Attack

Side Channel leakage is a serious threat to secure devices. Cryptographic information extraction is possible after examining any one of the various side channels, including electromagnetic. This work contributes a new method to achieve such a purpose. The Single Keybit Template Attack (SKTA) is introduced as a means to extract encryption keys from embedded processors and other integrated circuit devices performing DES encryptions by passively monitoring and exploiting unintentional RF emissions. Key extraction is accomplished by creating two templates for each bit value of the key based on instantaneous amplitude responses as a device executes DES operations. The resultant templates are input to a Maximum Likelihood processor for subsequent template discrimination with RF emissions captured from a target device. Plaintext and ciphertext are not necessary for SKTA to function. Using 8-bit microcontroller devices and experimentally collected side channel signals, key extraction is possible after examination of approximately 300 RF emission traces. After consideration of SKTA\u27s capabilities, embedded processors using DES to process sensitive data warrants reconsideration