September 27, 2017, anysilicon

There are many techniques available for hackers to gain access to a system and obtain secret keys or other proprietary information– from invasive methods, such as microprobing, to non-invasive methods, such as cryptoanalysis. However, one of the easiest and most effective ways to extract the contents of a chip is through a side-channel attack using power analysis.

Power analysis is a low-cost and effective way to extract the contents of a chip or smartcard without physically de-processing the part. With power analysis, the variation in power consumption of a device is used to determine the contents of the device. There are two types of power analysis: differential power analysis (DPA) and simple power analysis (SPA).

__SPA__

Simple power analysis is a method of side-channel attack that examines a chip’s current consumption over a period of time. Since different operations will exhibit different power profiles, one can determine what type of function is being performed at a given time. For example, one can distinguish a multiplication function from an addition function, since multiplication consumes more current than addition. Also, when reading data from a memory, the ratio of 1’s vs. 0’s will be reflected in the power profile.

Figure 1: Simplified diagram of SPA

With a standard oscilloscope, one can capture the resulting current signature and from it deduce the type of operation. Shown below is an SPA trace showing an entire Data Encryption Standard (DES) operation.

Figure 2: SPA trace showing a DES operation.

(From: Intro to Differential Power Analysis^{1})

Or in an RSA decryption key, one can decipher the key based on the fact that each ‘1’ bit appears as a taller bump, while a ‘0’ bit appears as a shorter bump.

Figure 3: SPA leaks from an RSA implementation.

(From: Intro to Differential Power Analysis^{1})

SPA is useful when data-dependent features in the power traces are apparent. It may not be practical if there is significant noise in the system. In which case, DPA would be more advantageous.

__DPA__

Differential power analysis is a statistical method for analyzing power consumption to identify data-dependent correlations. This approach takes multiple traces of two sets of data, then computes the difference of the average of these traces. If the difference is close to zero, then the two sets are not correlated. If the sets are correlated, then the difference will be a non-zero number. Given enough traces, even tiny correlations can be seen, regardless of how much noise is in the system, since the noise will effectively cancel out during the averaging.

Here is a typical DPA result showing the average of two sets of traces (A and B) on the first two lines. The difference of these two sets is shown on the third line. The fourth line shows the same trace magnified by a factor of 15. This shows that there is statistical correlation between the two sets. If there was no correlation, the difference would be zero, or close to zero.

Figure 4: Typical DPA result. This example shows correlation.

(From: Intro to Differential Power Analysis^{1})

To see how this can be used, take for example, the Advanced Encryption Standard (AES). This encryption algorithm displaced DES and has been adopted by the U.S. government, and worldwide, as the standard for securing Top Secret information. The equation for the encrypted data is given by:

Where *S* is a look-up table and ⊕ is the XOR of a known input X_{n} and the encryption key K_{n}. To determine the value for K_{n}, we make several guesses for the value of K_{n}. The first set of traces falls into the set where the LSB of the output is ‘0’; the second set of traces falls into the set where the LSB of the output is ‘1’. The difference of the average of the two sets is then examined. Here, we have a trace showing the results of five different K_{n} values, where the correct key corresponds to the third trace.

Figure 5: DPA result for different key values.

(From: Intro to Differential Power Analysis^{1})

Normally, the encryption key is a 128-bit value. In order to test every single value, it would take 2^{128} attempts, or 3.4028 x 10^{38}, which is pretty much impossible to do. However, the 128-bit AES key can be broken into 16 bytes, where each byte can be solved individually. Testing each byte requires only 2^{8}, or 256 attempts, which means it would only take 16 x 256 or 4,096 attempts to be able to decipher the entire encryption key.

__Countermeasures__

Side-channel attacks, such as DPA and SPA, are dangerous because they allow hackers to circumvent conventional hardware and software security measures. DPA can accomplish in minutes or days what cryptoanalysis and other brute force methods cannot. Also, since they are non-invasive, they do not leave a trace, allowing for attackers to steal confidential information without being detected. Therefore, measures must be taken to prevent such attacks.

It is relatively simple to prevent SPA. One can inject noise into the system by performing random operations to obscure the real operation. Also, the design should use consistent execution paths and avoid conditional branches.

Preventing DPA is more challenging. There have been numerous published attacks using DPA throughout the years. One method is to decrease the signal to noise ratio– the lower the ratio, the greater the number of traces needed to perform an attack. Temporal noise can be injected into the design by varying clocks, adding random wait states, random data or dummy operations. An example of this implementation is Kilopass’ Secretcode™ memory. When reading the contents of the memory, random data is injected into the bus so as to obscure the output data.

Another method is to balance the amount of power used for a given data value or operation. This can be achieved with complementary circuitry or using constant weight code. Balancing the power consumption would reduce the amplitude of the differential trace. Again, the Secretcode memory from Kilopass demonstrates an example of this. The contents of the memory are stored and read in complementary fashion — for each bit, there is a corresponding bit-bar. Therefore, when the contents of the memory are read out, there is always an equal number of 1’s and 0’s.

The most effective and least difficult way to prevent side-channel attacks is to design protocol that will limit the number of transactions that can be performed with a given key, similar to a password timeout. For example, a key can be used only 1,000 times before it is destroyed or replaced with a new key. This would eliminate most attempts at DPA, since DPA requires a statistically significant number of data points in order for it to work.

Power analysis is a powerful tool for side-channel attacks into a system. However, with some forethought and the right countermeasures, one can prevent such attacks.

__References__

^{1 }“Introduction to Differential Power Analysis,”Journal of Cryptographic Engineering, April 2011, Volume 1, Issue 1 Paul Kocher, Joshua Jaffe, Benjamin Jun, Pankaj Rohatgi

^{2 }“Differential Power Analysis,”Advances in Cryptology – CRYPTO ‘99 Paul Kocher, Joshua Jaffe, and Benjamin Jun

^{3} “Introduction to Side-Channel Power Analysis,” www.chipwhisperer.io Colin O’Flynn

This is a guest post by Lee Sun — Kilopass Technology