Figure 1 - uploaded by Fernando Gehm Moraes
A DPA attack platform. Because of its widespread use, the DES algorithm is used to explain a DPA attack. DES executes in 16 steps, called rounds. In each round, a transformation F is performed on 32 bits. This F function uses eight nonlinear transformations from 6 bits to 4 bits; each of these transformations is called an S-Box. First, a number of measurements (1000 samples, for instance) must be taken from the first (or the last) round of the DES computation. The 1000 curves are then stored, and an average curve (AC) is calculated. Secondly, the first output bit (b) of the attacked S-box is observed. This bit b depends only on 6 bits of the secret key. Then, the attacker can make an

Source publication
Conference Paper
This work addresses the information leakage problem concerning cryptographic circuits. Physical implementations of cryptographic algorithms may leak some side-channel information, such as electromagnetic emanations, temperature, computing time, and power consumption. With this information, an attacker can retrieve the data that is being computed...

Context in source publication

Context 1
... attacks use statistical techniques to determine secret keys from complex, noisy power consumption measurements [4]. For a typical attack, an adversary repeatedly samples the target device's power consumption through each of several thousand cryptographic computations with the same key. These power traces can be collected with high-speed analog-to-digital converters, using digital storage oscilloscopes. Figure 1 illustrates this method. First, a number of measurements (1000 samples, for instance) must be taken from the first (or the last) round of the DES computation. The 1000 curves are then stored, and an average curve (AC) is ...
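The procedure described in the figure caption and in Context 1 (collect curves, partition them by the predicted S-box output bit b, compare the two average curves for every subkey guess), as an added worked example that is not part of the paper or the figure: a seeded Python simulation over constructed traces, of the kind an implementer runs to check how quickly a single leaking bit exposes a 6-bit subkey under a given leakage model. Assumptions: the S-box input is modelled as six plaintext-derived bits XORed with the six subkey bits, b is the most significant output bit of DES S1, and each constructed trace is bit b plus Gaussian noise at one sample index (no real measurements are involved).

```python
import random
# Standard DES S-box S1 (rows indexed by the outer two bits of the 6-bit input).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox1(x):
    """S1 lookup on a 6-bit input: outer bits select the row, inner four the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    return S1[row][(x >> 1) & 0xF]

def selection_bit(x, key6):
    """The caption's bit b: first (assumed: most significant) S1 output bit, with the
    S-box input modelled as the 6 plaintext-derived bits XORed with 6 subkey bits."""
    return (sbox1(x ^ key6) >> 3) & 1

def simulate_traces(key6, n, rng, samples=20, leak_at=7, sigma=0.5):
    """Constructed leakage model, not measured data: one sample carries bit b plus
    Gaussian noise, every other sample is noise only."""
    traces = []
    for _ in range(n):
        x = rng.randrange(64)
        t = [rng.gauss(0.0, sigma) for _ in range(samples)]
        t[leak_at] += selection_bit(x, key6)
        traces.append((x, t))
    return traces

def dpa(traces):
    """Difference-of-means DPA: for each of the 64 subkey guesses, split the curves by
    the predicted bit b, subtract the two average curves, and score the guess by the
    largest peak of that difference curve. Only the true subkey sorts the traces right."""
    samples = len(traces[0][1])
    scores = {}
    for guess in range(64):
        sums, counts = [[0.0] * samples, [0.0] * samples], [0, 0]
        for x, t in traces:
            b = selection_bit(x, guess)
            counts[b] += 1
            for i, v in enumerate(t):
                sums[b][i] += v
        diff = [sums[1][i] / counts[1] - sums[0][i] / counts[0] for i in range(samples)]
        scores[guess] = max(abs(d) for d in diff)
    return max(scores, key=scores.get), scores

def run_demo(key6=0b101101, n=1000, seed=2024):
    """Seeded end-to-end run (1000 constructed curves): recovered subkey and its peak height."""
    key, scores = dpa(simulate_traces(key6, n, random.Random(seed)))
    return key, scores[key]
```

Calling run_demo() returns the planted subkey 0b101101 with a peak close to 1.0 at the leaking sample, while every wrong guess yields a markedly lower peak; raising sigma or lowering n shows how many curves a given noise level requires.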

Similar publications

Conference Paper
We present experimental results proving that a Time-Reversal Electromagnetic Chamber makes it possible to study the susceptibility of a device to external radiated interference. The technique proposed here is based on the generation of wavefronts focusing on an arbitrary position in space, leading to a spatial resolution of half a wavelength. By monitoring...

Citations

... For example, if the FPGA is used to encrypt written data to a hard disk drive, the attacker could build a system that does not cipher data. Another threat is fault injection into the bitstream [11]. Even without knowledge of the architecture, small modifications can seriously modify the system. ...
... In this way, the power consumption would differ for each type of S-Box implementation. • Random noise addition - A lot of countermeasures have been proposed, from clock randomization, power consumption randomization, or compensation [11] to tamper detection. However, longer differential power analysis generally leads to recovery of the secret key. ...
Chapter
Security has become, over the last several years, a major issue in the domain of embedded systems. Fine-grain reconfigurable architectures like FPGAs provide many interesting features that make them an efficient target for embedded systems when security is an important concern. In this chapter we propose an overview of some existing attacks, a classification of attackers and the different levels of security as promoted by the FIPS 140-2 standard. We identify the main vulnerabilities of FPGAs to tackle the security requirements based on the security pyramid concept. We propose a presentation of some existing countermeasures at the different levels of the security pyramid to guarantee a defense-in-depth approach.
... ; for i to 8 do extQ[i] := (α1 + vetM1[1]*(α2 + vetM1[2]*(α3 + vetM1[3]*(α4 + vetM1[4]*(α5 + vetM1[5]*(α6 + vetM1[6]*(α7 + vetM1[7]*α8))))))) mod vetM2[i] end do; return [seq(extQ[i], i = 1.
Conversion of the numbers to be multiplied from decimal to RNS in both bases Beta1 and Beta2
> xRNS1 := convDECtoRNS(X,mBase1);
> yRNS1 := convDECtoRNS(Y,mBase1);
> xRNS2 := convDECtoRNS(X,mBase2);
> yRNS2 := convDECtoRNS(Y,mBase2);
xRNS1 := [97,96,94,92,88,86,82,80]
yRNS1 := [28,28,28,28,28,28,28,28]
xRNS2 := [76,74,68,62,58,52,46,44]
yRNS2 := [28,28,28,28,28,28,28,28]
[90,101,135,110,102,102,139,39]
Compute the modular inverses needed for the base extensions in MRS
> vetInvBase1 := geraImMRS(mBase1);
> vetInvBase2 := geraImMRS(mBase2);
vetInvBase1 := [128,87,53,76,101,19,17,65,33,17,125,51,9,66,114,52,131,31,34,23,100,12,69,119,18,107,24,72]
vetInvBase2 := [75,98,128,102,36,173,164,26,95,73,55,147,6,27,50,54,122,98,125,121,123,10,144,164,168,149,113,90]
225, [97,96,94,92,88,86,82,80], [76,74,68,62,58,52,46,44]
28, [28,28,28,28,28,28,28,28], [28,28,28,28,28,28,28,28]
sRNS1 := [28,108,12,49,135,45,8,65]
sRNS2 := [42,109,20,106,121,72,35,146]
sExpected := 6300
sFinal1 := 6300
sFinal2 := 6300
We need this value in both bases
> mFin1 := convDECtoRNS(mFinal,mBase1);
> mFin2 := convDECtoRNS(mFinal,mBase2); ...
Article
This work addresses the theme of reconfigurable architectures for cryptographic applications, emphasizing the robustness issue. Some mathematical background is reviewed, and some side-channel attacks are studied, especially the DPA and SPA attacks. To counteract these attacks, an architectural countermeasure is shown. A new parallel reconfigurable architecture is proposed to implement the Leak Resistant Arithmetic. This new architecture outperforms most state-of-the-art circuits for modular exponentiation, but the main feature of this architecture is its robustness against DPA attacks.
Article
Introduction
Embedded systems and their security issues
Security of the system and its data
Secured hardware architectures for embedded systems
Conclusion
Bibliography
Article
Side-channel attacks are one of the major concerns for security-enabled applications as they make use of information leaked by the physical implementation of the underlying cryptographic algorithm. Hence, reducing the side-channel leakage of the circuits realizing the cryptographic primitives is amongst the main goals of circuit designers. In this paper, we present a novel circuit concept, which decouples the main power supply from an internal power supply that is used to drive a single logic gate. The decoupling is done with the help of buffering capacitances integrated into the semiconductor. We also introduce—compared to the previously known schemes—an improved decoupling circuit which reduces the crosstalk from the internal to the external power supply. The result of a practical side-channel evaluation on a prototype chip fabricated in a 150 nm CMOS technology shows the high potential of our proposed technique to reduce side-channel leakage.