Architecture Support for Countermeasures against Side-Channel Analysis and Fault Attack

Kiaei, Pantea

January 2019

The cryptographic algorithms are designed to be mathematically secure; however, side-channel analysis attacks go beyond mathematics by taking measurements of the device’s electrical activity to reveal the secret data of a cipher. These attacks also go hand in hand with fault analysis techniques to disclose the secret key used in cryptographic ciphers with even fewer measurements. This is of practical concern due to the ubiquity of embedded systems that allow physical access to the adversary such as smart cards, ATMs, etc.. Researchers through the years have come up with techniques to block physical attacks to the hardware or make such attacks less likely to succeed. Most of the conducted research consider one or the other of side-channel analysis and fault injection attacks whereas, in a real setting, the adversary can simultaneously take advantage of both to retrieve the secret data with less effort. Furthermore, very little work considers a software implementation of these ciphers although, with the availability of small and affordable or free microarchitectures, and flexibility and simplicity of software implementations, it is at times more practical to have a software implementation of ciphers instead of dedicated hardware chips. In this project, we come up with a modular presentation, suitable for software implementation of ciphers, to allow having simultaneous resistance against side-channel and fault analysis attacks. We also present an extension at the microarchitecture level to make our proposed countermeasures more intact and efficient. / M.S. / Ciphers are algorithms designed by mathematicians. They protect data by encrypting them. In one of the main categories of these ciphers, called symmetric-key ciphers, a secret key is used to both encrypt and decrypt the data. Once the secret key of a cipher is retrieved, anyone can find the decoded data and thereby access the original data. Cryptographers traditionally sought to design ciphers in such a way that no adversary could reveal the secret key by finding holes in the algorithm. However, this has been shown insufficient for a specific implementation of a cryptographic algorithm to be considered as “unbreakable” since the physical properties of the implementation, can help an adversary find the secret key and break the encryption. Analyzing these physical properties can be either active; by making controlled changes in the normal progress of its execution, or passive; by merely measuring the physical properties during normal execution. Designers try to take these analyses into account when implementing a cryptographic function and so, in this project, we aim to present architectural support for a combination of some of the countermeasures.

Side-channel attacks

Fault attacks

Custom-instruction extensions

Bitslicing

Software countermeasures

On the Resistance of RSA Countermeasures at Algorithmic, Arithmetic and Hardware Levels Against Chosen-Message, Correlation and Single-Execution Side-Channel Attacks / Sur la résistance de contre-mesures RSA aux niveaux algorithmique, l'arithmétique et de matériel contre les attaques par canaux cachées par message choisi, de corrélation et de simple exécution

Perin, Guilherme

28 May 2014

De nos jours, les concepteurs de dispositifs cryptographiques doivent non seulement mettre en œuvre des algorithmes robustes, mais ils doivent également s'assurer qu'il n'y ait pas de fuites d'informations à travers plusieurs canaux latéraux lors de l'exécution d'un algorithme. En effet, si ce n'est pas le cas, les implémentations cryptographiques, tant symétriques qu'asymétriques, seront vulnérables aux attaques par canaux auxiliaires. Pour les algorithmes à clé publique tels que le RSA, l'opération principale que doit être rendue robuste est l'exponentiation modulaire sur un anneau fini. Les principales solutions (contremesures) permettant de rendre robuste l'exponentiation modulaire à ces attaques par canaux auxiliaires sont basées sur la randomisation des données traitées. La randomisation de l'exposant et celle des messages sont en effet des techniques particulièrement efficaces pour contrecarrer les attaques par collision et par analyse des corrélations verticales. Toutefois, ces solutions éculées montrent leurs limites par rapport aux attaques dites horizontales qui n'exploitent qu'une exponentiation. Dans ce contexte, ce document relate le travail de conception, tant matériel que logiciel, d'un chiffreur RSA basé sur les systèmes modulaires de représentation des nombres (RNS). Ce chiffreur incorpore différentes contremesures définies à divers niveaux d'abstraction. L'évaluation de sa robustesse aux attaques par canaux cachés tant horizontales que verticales a démontré sa pertinence. / Not only designers of cryptographic devices have to implement the algorithmsefficiently, they also have to ensure that sensible information that leaks throughseveral side-channels (time, temperature, power consumption, electromagneticemanations, etc.) during the execution of an algorithm, remains unexploitedby an attacker. If not sufficiently protected, both symmetric and asymmetriccryptographic implementations are vulnerable to these so-called side-channelattacks (SCA). For public-key algorithms such as RSA, the main operation to bearmoured consists of a multi-digit exponentiation over a finite ring.Countermeasures to defeat most of side-channel attacks onexponentiations are based on randomization of processed data. The exponentand the message blinding are particular techniques to thwartsimple, collisions, differential and correlation analyses. Attacks based ona single (trace) execution of exponentiations, like horizontal correlationanalysis and profiled template attacks, have shown to be efficient againstmost of popular countermeasures.This work proposes a hardware and software implementations of RSA based on Residue Number System (RNS). Different countermeasures are implemented on different abstraction levels. Then, chosen-message and correlation attacks, based on both multi-trace and single-trace attacks are applied to evaluate the robustness of adopted countermeasures. Finally, we propose an improved single-execution attack based on unsupervised learning and multi-resolution analysis using the wavelet transform.

Microélectronique

Sécurité

Attaques par canaux cachés

Protections matérielles

Protections logicielles

Microelectronics

Security

Side Channel Attacks

Hardware Countermeasures

Software Countermeasures