Side Channel Leakage Exploitation, Mitigation and Detection of Emerging Cryptosystems

Chen, Cong

26 March 2018

With the emerging computing technologies and applications in the past decades, cryptography is facing tremendous challenges in its position of guarding our digital world. The advent of quantum computers is potentially going to cease the dominance of RSA and other public key algorithms based on hard problems of factorization and discrete logarithm. In order to protect the Internet at post-quantum era, great efforts have been dedicated to the design of RSA substitutions. One of them is code- based McEliece public key schemes which are immune to quantum attacks. Meanwhile, new infrastructures like Internet of Things are bringing the world enormous benefits but, due to the resource-constrained nature, require compact and still reliable cryptographic solutions. Motivated by this, many lightweight cryptographic algorithms are introduced. Nevertheless, side channel attack is still a practical threat for implementations of these new algorithms if no countermeasures are employed. In the past decades two major categories of side channel countermeasures, namely masking and hiding, have been studied to mitigate the threat of such attacks. As a masking countermeasure, Threshold Implementation becomes popular in recent years. It is sound in providing provable side channel resistance for hardware-based cryptosystems but meanwhile it also incurs significant overheads which need further optimization for constrained applications. Masking, especially for higher order masking schemes, requires low signal-to-noise ratio to be effective which can be achieved by applying hiding countermeasures. In order to evaluate side channel resistance of countermeasures, several tools have been introduced. Due to its simplicity, TVLA is being accepted by academy and industry as a one-size-fit-all leakage detection methodolgy that can be used by non-experts. However, its effectiveness can be negatively impacted by environmental factors such as temperature variations. Thus, a robust and simple evaluation method is desired. In this dissertation, we first show how differential power analysis can efficiently exploit the power consumption of a McEliece implementation to recover the private key. Then, we apply Threshold Implementation scheme in order to protect from the proposed attack. This is, to the best of our knowledge, the first time of applying Threshold Implementation in a public key cryptosystem. Next, we investigate the reduction of shares in Threshold Implementation so as to bring down its overhead for constrained applications. Our study shows that Threshold Implementation using only two shares reduces the overheads while still provides reliable first-order resistance but in the meantime it also leaks a strong second-order leakage. We also propose a hiding countermeasure, namely balanced encoding scheme based on the idea of Dual- Rail Pre-charge logic style in hardwares. We show that it is effective to mitigate the leakage and can be combined with masking schemes to achieve better resistance. Finally, we study paired t-test versus Welch's t-test in the original TVLA and show its robustness against environmental noises. We also found that using moving average in computing t statistics can detect higher-order leakage faster.

post-quantum crypto

t-test

Threshold Implementations

Side channel attack

On the Applicability of a Cache Side-Channel Attack on ECDSA Signatures : The Flush+Reload attack on the point multiplication in ECDSA signature generation process

Josyula, Sai Prashanth

January 2015

Context. Digital counterparts of handwritten signatures are known as Digital Signatures. The Elliptic Curve Digital Signature Algorithm (ECDSA) is an Elliptic Curve Cryptography (ECC) primitive, which is used for generating and verifying digital signatures. The attacks that target an implementation of a cryptosystem are known as side-channel attacks. The Flush+Reload attack is a cache side-channel attack that relies on cache hits/misses to recover secret information from the target program execution. In elliptic curve cryptosystems, side-channel attacks are particularly targeted towards the point multiplication step. The Gallant-Lambert-Vanstone (GLV) method for point multiplication is a special method that speeds up the computation for elliptic curves with certain properties. Objectives. In this study, we investigate the applicability of the Flush+Reload attack on ECDSA signatures that employ the GLV method to protect point multiplication. Methods. We demonstrate the attack through an experiment using the curve secp256k1. We perform a pair of experiments to estimate both the applicability and the detection rate of the attack in capturing side-channel information. Results. Through our attack, we capture side-channel information about the decomposed GLV scalars. Conclusions. Based on an analysis of the results, we conclude that for certain implementation choices, the Flush+Reload attack is applicable on ECDSA signature generation process that employs the GLV method. The practitioner should be aware of the implementation choices which introduce vulnerabilities, and avoid the usage of such ECDSA implementations.

Digital signatures

Elliptic curve cryptography

GLV method

Side-channel attack

Side-Channel-Attack Resistant AES Design Based on Finite Field Construction Variation

Shvartsman, Phillip

29 August 2019

No description available.

Engineering

AES

cryptography

side channel attack

power analysis

finite field

A Model Extraction Attack on Deep Neural Networks Running on GPUs

O'Brien Weiss, Jonah G

09 August 2023

Deep Neural Networks (DNNs) have become ubiquitous due to their performance on prediction and classification problems. However, they face a variety of threats as their usage spreads. Model extraction attacks, which steal DNN models, endanger intellectual property, data privacy, and security. Previous research has shown that system-level side channels can be used to leak the architecture of a victim DNN, exacerbating these risks. We propose a novel DNN architecture extraction attack, called EZClone, which uses aggregate rather than time-series GPU profiles as a side-channel to predict DNN architecture. This approach is not only simpler, but also requires less adversary capability than earlier works. We investigate the effectiveness of EZClone under various scenarios including reduction of attack complexity, against pruned models, and across GPUs with varied resources. We find that EZClone correctly predicts DNN architectures for the entire set of PyTorch vision architectures with 100\% accuracy. No other work has shown this degree of architecture prediction accuracy with the same adversarial constraints or using aggregate side-channel information. Prior work has shown that, once a DNN has been successfully cloned, further attacks such as model evasion or model inversion can be accelerated significantly. Then, we evaluate several mitigation techniques against EZClone, showing that carefully inserted dummy computation reduces the success rate of the attack.

model extraction

adversarial machine learning

machine learning

side-channel attack

Side Channels in the Frequency Domain / Méthodes d'attaques avancées de systèmes cryptographiques par analyse des émissions EM

Tiran, Sébastien

11 December 2013

De nos jours, l'emploi de la cryptographie est largement répandu et les circuits intègrent des primitives cryptographiques pour répondre à des besoins d'identification, de confidentialité, ... dans de nombreux domaines comme la communication, la PayTV, ...La sécurisation de ces circuits est donc un enjeu majeur. Les attaques par canaux cachés consistent à espionner ces circuits par différents biais comme le temps de calcul, la consommation en courant ou les émanations électromagnétiques pour obtenir des informations sur les calculs effectués et retrouver des secrets comme les clefs de chiffrement. Ces attaques ont l'avantage d'être indétectables, peu couteuses et ont fait l'objet des nombreuses études. Dans le cadre des attaques par analyse de la consommation en courant ou des émanations électromagnétiques l'acquisition de bonnes courbes est un point crucial. Malgré la forte utilisation de techniques de prétraitement dans la littérature, personne n'a tenté d'établir un modèle de fuite dans le domaine fréquentiel. Les travaux effectués durant cette thèse se concentrent donc sur cet aspect avec pour intérêt d'améliorer l'efficacité des attaques. De plus, de nouvelles attaques dans le domaine fréquentiel sont proposées, sujet peu étudié malgré l'intérêt de pouvoir exploiter plus efficacement la fuite éparpillée dans le temps. / Nowadays, the use of cryptography is widely spread, and a lot of devices provide cryptographic functions to satisfy needs such as identification, confidentiality, ... in several fields like communication, PayTV, ...Security of these devices is thus a major issue.Side Channel Attacks consist in spying a circuit through different means like the computation time, power consumption or electromagnetic emissions to get information on the performed calculus and discover secrets such as the cipher keys.These attacks have the advantage to be cheap and undetectable, and have been studied a lot.In the context of attacks analysing the power consumption or the electromagnetic emissions, the acquisition of good traces is a crucial point.Despite the high use of preprocessing techniques in the literature, nobody has attempted to model the leakage in the frequency domain.The works performed during this thesis are focusing on this topic with the motivation of improving the efficiency of attacks.What's more, new frequency domain attacks are proposed, subject poorly studied despite the advantage of better exploiting the leakage spread in time.

Cryptographie

Em

Canaux cachés

Carte à puce

Cryptography

Em

Side channel Attack

Smartcard

CROSSTALK BASED SIDE CHANNEL ATTACKS IN FPGAs

Ramesh, Chethan

10 April 2020

As FPGA use becomes more diverse, the shared use of these devices becomes a security concern. Multi-tenant FPGAs that contain circuits from multiple independent sources or users will soon be prevalent in cloud and embedded computing environments. The recent discovery of a new attack vector using neighboring long wires in Xilinx SRAM FPGAs presents the possibility of covert information leakage from an unsuspecting user's circuit. The work makes two contributions that extend this finding. First, we rigorously evaluate several Intel SRAM FPGAs and confirm that long wire information leakage is also prevalent in these devices. Second, we present the first successful attack on an unsuspecting circuit in an FPGA using information passively obtained from neighboring long-lines. Information obtained from a single AES S-box input wire combined with analysis of encrypted output is used to rapidly expose an AES key. This attack is performed remotely without modifying the victim circuit, using electromagnetic probes or power measurements, or modifying the FPGA in any way. We show that our approach is effective for three different FPGA devices. Our results demonstrate that the attack can recover encryption keys from AES circuits running at 50MHz. Finally, we present results from the AES attack performed using a cloud FPGA in a Microsoft Project Catapult cluster. These experiments show the effect can be used to attack a remotely-accessed cloud FPGA.

FPGA security

crosstalk

Side channel attack

AES

Microsoft Catapult

Electrical and Computer Engineering

Differential Power Analysis In-Practice for Hardware Implementations of the Keccak Sponge Function

Graff, Nathaniel

01 June 2018

The Keccak Sponge Function is the winner of the National Institute of Standards and Technology (NIST) competition to develop the Secure Hash Algorithm-3 Standard (SHA-3). Prior work has developed reference implementations of the algorithm and described the structures necessary to harden the algorithm against power analysis attacks which can weaken the cryptographic properties of the hash algorithm. This work demonstrates the architectural changes to the reference implementation necessary to achieve the theoretical side channel-resistant structures, compare their efficiency and performance characteristics after synthesis and place-and-route when implementing them on Field Programmable Gate Arrays (FPGAs), publish the resulting implementations under the Massachusetts Institute of Technology (MIT) open source license, and show that the resulting implementations demonstrably harden the sponge function against power analysis attacks.

power analysis

hash function

VHDL

cryptography

side-channel attack

Side-Channel Analysis of AES Based on Deep Learning

Wang, Huanyu

January 2019

Side-channel attacks avoid complex analysis of cryptographic algorithms, instead they use side-channel signals captured from a software or a hardware implementation of the algorithm to recover its secret key. Recently, deep learning models, especially Convolutional Neural Networks (CNN), have been shown successful in assisting side-channel analysis. The attacker first trains a CNN model on a large set of power traces captured from a device with a known key. The trained model is then used to recover the unknown key from a few power traces captured from a victim device. However, previous work had three important limitations: (1) little attention is paid to the effects of training and testing on traces captured from different devices; (2) the effect of different power models on the attack’s efficiency has not been thoroughly evaluated; (3) it is believed that, in order to recover all bytes of a key, the CNN model must be trained as many times as the number of bytes in the key.This thesis aims to address these limitations. First, we show that it is easy to overestimate the attack’s efficiency if the CNN model is trained and tested on the same device. Second, we evaluate the effect of two common power models, identity and Hamming weight, on CNN-based side-channel attack’s efficiency. The results show that the identity power model is more effective under the same training conditions. Finally, we show that it is possible to recover all key bytes using the CNN model trained only once. / Sidokanalattacker undviker komplex analys av kryptografiska algoritmer, utan använder sig av sidokanalssignaler som tagits från en mjukvara eller en hårdvaruimplementering av algoritmen för att återställa sin hemliga nyckel. Nyligen har djupa inlärningsmodeller, särskilt konvolutionella neurala nätverk (CNN), visats framgångsrika för att bistå sidokanalanalys. Anfallaren tränar först en CNN-modell på en stor uppsättning strömspår som tagits från en enhet med en känd nyckel. Den utbildade modellen används sedan för att återställa den okända nyckeln från några kraftspår som fångats från en offeranordning. Tidigare arbete hade dock tre viktiga begränsningar: (1) Liten uppmärksamhet ägnas åt effekterna av träning och testning på spår som fångats från olika enheter; (2) Effekten av olika kraftmodeller på attackerens effektivitet har inte utvärderats noggrant. (3) man tror att CNN-modellen måste utbildas så många gånger som antalet byte i nyckeln för att återställa alla bitgrupper av en nyckel.Denna avhandling syftar till att hantera dessa begränsningar. Först visar vi att det är lätt att överskatta attackens effektivitet om CNN-modellen är utbildad och testad på samma enhet. För det andra utvärderar vi effekten av två gemensamma kraftmodeller, identitet och Hamming-vikt, på CNN-baserad sidokanalangrepps effektivitet. Resultaten visar att identitetsmaktmodellen är effektivare under samma träningsförhållanden. Slutligen visar vi att det är möjligt att återställa alla nyckelbyte med hjälp av CNN-modellen som utbildats en gång.

Side-Channel Attack

Deep Learning

Convolutional Neural Network

Computer and Information Sciences

Data- och informationsvetenskap

Deep-Learning Side-Channel Attacks on AES

Brisfors, Martin, Forsmark, Sebastian

January 2019

Nyligen har stora framsteg gjorts i att tillämpa djupinlärning på sidokanalat- tacker. Detta medför ett hot mot säkerheten för implementationer av kryp- tografiska algoritmer. Konceptuellt är tanken att övervaka ett chip medan det kör kryptering för informationsläckage av ett visst slag, t.ex. Energiförbrukning. Man använder då kunskap om den underliggande krypteringsalgoritmen för att träna en modell för att känna igen nyckeln som används för kryptering. Modellen appliceras sedan på mätningar som samlats in från ett chip under attack för att återskapa krypteringsnyckeln. Vi försökte förbättra modeller från ett tidigare arbete som kan finna en byte av en 16-bytes krypteringsnyckel för Advanced Advanced Standard (AES)-128 från över 250 mätningar. Vår modell kan finna en byte av nyckeln från en enda mätning. Vi har även tränat ytterligare modeller som kan finna inte bara en enda nyckelbyte, men hela nyckeln. Vi uppnådde detta genom att ställa in vissa parametrar för bättre modellprecision. Vi samlade vår egen tränings- data genom att fånga en stor mängd strömmätningar från ett Xmega 128D4 mikrokontrollerchip. Vi samlade också mätningar från ett annat chip - som vi inte tränade på - för att fungera som en opartisk referens för testning. När vi uppnådde förbättrad precision märkte vi också ett intressant fenomen: vissa labels var mycket enklare att identifiera än andra. Vi fann också en stor varians i modellprecision och undersökte dess orsak. / Recently, substantial progress has been made in applying deep learning to side channel attacks. This imposes a threat to the security of implementations of cryptographic algorithms. Conceptually, the idea is to monitor a chip while it’s running encryption for information leakage of a certain kind, e.g. power consumption. One then uses knowledge of the underlying encryption algorithm to train a model to recognize the key used for encryption. The model is then applied to traces gathered from a victim chip in order to recover the encryption key.We sought to improve upon models from previous work that can recover one byte of the 16-byte encryption key of Advanced Encryption Standard (AES)-128 from over 250 traces. Our model can recover one byte of the key from a single trace. We also trained additional models that can recover not only a single keybyte, but the entire key. We accomplished this by tuning certain parameters for better model accuracy. We gathered our own training data by capturing a large amount of power traces from an Xmega 128D4 microcontroller chip. We also gathered traces from a second chip - that we did not train on - to serve as an unbiased set for testing. Upon achieving improved accuracy we also noticed an interesting phenomenon: certain labels were much easier to identify than others. We also found large variance in model accuracy and investigated its cause.

AES

Machine Learning

Side Channel Attack

Encryption

AES

maskinlarning

sidokanalattack

kryptering

Computer and Information Sciences

Data- och informationsvetenskap

Determining the Optimal Frequencies for a Duplicated Randomized Clock SCA Countermeasure / Att bestämma optimala frekvenser för en duplicerad och randomiserad clocka för att motverka SCA

Klasson Landin, Gabriel, Julborg, Truls

January 2023

Side-channel attacks pose significant challenges to the security of embedded systems, often allowing attackers to circumvent encryption algorithms in minutes compared to the trillions of years required for brute-force attacks. To mitigate these vulnerabilities, various countermeasures have been developed. This study focuses on two specific countermeasures: randomization of the encryption algorithm’s clock and the incorporation of a dummy core to disguise power traces. The objective of this research is to identify the optimal frequencies that yield the highest level of randomness when these two countermeasures are combined. By investigating the interplay between clock randomization and the presence of dummy cores, we aim to enhance the overall security of embedded systems. The insights gained from this study will contribute to the development of more robust countermeasures against side-channel attacks, bolstering the protection of sensitive information and systems. To achieve this, we conduct simulations and perform side-channel attacks on an FPGA to establish the relationship between frequencies and the resulting protection. We break the encryption on a non-duplicated circuit and note the least amount of measured power traces necessary and the timing overhead. We do this for all sets of frequencies considered which gives a good indication of which sets of frequencies give good protection. By comparing the frequencies generated with those from the duplicated circuit we use similar conclusions to prove whether a frequency set is secure or not. Based on our results we argue that having one frequency lower than half of the base frequency and the other frequencies being close but not higher than the base gives the highest security compared to the timing overhead measured. / Sido-kanal attacker utgör betydande utmaningar för säkerheten hos integrerade system och möjliggör ofta för angripare att kringgå krypteringsalgoritmer på minuter jämfört med de miljarder år som krävs för brute-force attacker. För att minska dessa sårbarheter har olika motåtgärder utvecklats. Denna studie fokuserar på två specifika motåtgärder: slumpmässig anpassning av krypteringsalgoritmens klocka och användningen av en dummykärna för att maskera strömsignaler. Syftet med denna forskning är att identifiera optimala frekvenser som ger högsta grad av slumpmässighet när dessa två motåtgärder kombineras. Genom att undersöka samverkan mellan slumpmässig anpassning av klockan och närvaron av dummykärnor strävar vi efter att förbättra den övergripande säkerheten hos integrerade system. De insikter som erhålls från denna studie kommer att bidra till utvecklingen av mer robusta motåtgärder mot sido-kanals attacker och stärka skyddet av känsliga system och information. För att uppnå detta genomför vi simuleringar och utför sido-kanals attacker på en FPGA för att etablera sambandet mellan frekvenser och det resulterande skyddet. Vi knäcker krypteringen på en icke-duplicerad krets och noterar den minsta mängden mätta strömsignaler som krävs samt tids fördröjning. Vi gör detta för alla uppsättningar av frekvenser som övervägs, vilket ger en god indikation på vilka frekvensuppsättningar som ger ett bra skydd. Genom att jämföra de genererade frekvenserna med dem från den duplicerade kretsen drar vi slutsatser för att bevisa om en frekvensuppsättning är säker eller inte. Baserat på våra resultat argumenterar vi för att ha en frekvens som är lägre än hälften av basfrekvensen och att de andra frekvenserna är nära men inte högre ger högsta säkerhet jämfört med den uppmätta tids fördröjningen.

Side channel attack

Cryptography

Correlation power analysis

Chipwhisperer

Frequency

Hardware security

Computer and Information Sciences

Data- och informationsvetenskap