that Correlation-based on ElectroMagnetic Analysis (CEMA) on a hardware-based high-performance AES module is possible from a distance as far as 50 cm.
Far Correlation-based EMA with a Precharacterized Leakage Model Olivier Meynard1,2 , Sylvain Guilley1 , Jean-Luc Danger1 and Laurent Sauvage1
1 Institut
TELECOM, TELECOM ParisTech, CNRS LTCI, 46 rue Barrault 75 634 Paris, France. 2 DGA CELAR, La roche Marguerite, 35 170 Bruz, France.
Abstract—Electromagnetic analysis is an important class of attacks against cryptographic devices. In this article, we prove that Correlation-based on ElectroMagnetic Analysis (CEMA) on a hardware-based high-performance AES module is possible from a distance as far as 50 cm. First we show that the signal-to-noise ratio (SNR) tends to a non-zero limit when moving the antenna away from the cryptographic device. An analysis of the leakage structure shows that the Hamming distance model, although suitable for small distances gets more and more distorted when the antenna is displaced far from the device. As we cannot devise any physical model that would predict the observations, we instead pre-characterized it using a first order templates construction. With this model, we enhanced the CEMA by a factor up to ten. Therefore, we conclude that EMA at large distance is feasible with our amplification strategy coupled to an innovative training phase aiming at precharacterizing accurate coefficients of a parametric weighted distance leakage model.
Keywords: Side-Channel Attacks (SCA), ElectroMagnetic Analysis (EMA), Correlation EMA (CEMA), Leakage model. Template estimation. I. I NTRODUCTION Nowadays cryptographic components are widely used to secure digital transactions and exchanges. Although the faith in cryptographic algorithms is increasing and the design of mathematical cryptographic algorithms remains definitively robust, their hardware implementation are still vulnerable to physical attacks. In 1996, Kocher introduced the exploitation of side channels to break a cryptosystem. Side Channel Analysis (SCA) is a threat for cryptosystems as they disclose unintentionally some information about the internal process and the sensitive data. Secret data can be possibly reconstructed by eavesdropping through different side channels such as timingpower [4] or electromagnetic (EM) emanations.The EM radiation is an important source of leakage because it can be conducted at distance without tampering with the power supplies when the circuit under analysis is soldered on a printed circuit board (PCB). Gandolfi et al. in [3] observed the feasibility of EMA (ElectroMagnetic Attack) and compared them with power analysis attacks in favor of the former. Moreover, Agrawal et al. demonstrate in [1] that an EM probe can yield multiple EM signals via demodulation of different carriers in nearfield. Mangard showed in [5] that EM near-field attacks can be conducted with a simple hand-made coil. He also presents
978-3-9810801-6-2/DATE10 © 2010 EDAA
attacks in far-field against software implementation on an 8-bit micro-controller. On the contrary, in our work, we aim at mounting a successful Correlation Power Analysis (CPA [2]) and retrieve cryptographic elements. Additionally, we study a high-performance hardware implementation of the Advanced Encryption Standard (AES). This means that all operations are done in parallel, at the rate of one AES round per clock cycle. Thus, the number of bit transition during every clock cycle is multiplied (128 for the message and another 128 for the key state). Hence a much larger algorithmic noise than any software implementation. The rest of the paper is organized as follows. The section II presents the device used for our experiments and our overall methodology for SNR estimation. The section III applies the methodology experimentally and confirms that CEMA is possible at a large distance if the radiations are sufficiently and relevantly amplified. The section III describes a method to assess the number of traces to retrieve the key. Then we analyse the leakage model, show how distorted it can be, and characterize it. With this prior knowledge, we enhance the attack at 50 cm, that requires only one tenth of the traces previously needed to succeed an attack using a naive model. II. T EST B ENCH AND SNR I NDICATOR A. The Test Bench The device whose EM emanations are studied is cadenced by a clock running at 24 MHz. The material is placed on a plastic table that limits the reflection of EM radiation and avoids the conducted radiation. A plastic rod is placed perpendicularly to the board and is considered as a vertical axis to move the antenna by steps of 5 cm, as shown in the figure 1. For each position of the antenna, by steps of 5 cm, we performed the same encryption and stored in a database the set of measurements. We take care of keeping far away the supply power from the chip board, in order to avoid any coupling between the radiated waves and the power supply. We record the emanations on the side with the decoupling capacitors, because the signal on this part of the board has the best quality.
0.15
5cm 10cm 15cm 20cm 25cm
EMA probe 0.1
50 cm
Magnitude
0.05
0
-0.05
-0.1
PCB under attack FPGA on other side
-0.15
-0.2 1000
1100
1200
1300
1400
1500
Time
Figure 2. distances.
Figure 1.
EM measurement test bench with its antenna on a plastic rod.
B. The Cryptographic Implementation of AES The targeted device is an Field Programmable Gate Array (FPGA) Virtex II by Xilinx. It embeds one AES Rijndael supporting 128-bit keys. The attacked chip has no countermeasure against EMA.Moreover a trigger signal is output, each time an encryption is beginning. this helps avoid synchronisation problems. C. Leakage Indicator w.r.t. the Measurement Noise Like Mangard in [6], we assume that the EM radiation Ecapt of a device captured at the time tc by the antenna can be written as: Eleakage +N , Ecapt,tc = di where Eleakage corresponds to the useful part of the EM radiations caused by the attacked intermediate result and N is the environmental noise. In our case, we introduce an other parameter: the distance between the EM sensor and the FPGA. where i corresponds to the attenuation law (typically, i = 2 or 3) [8]. We use the SNR defined as E
SNR =
V ar( leakage ) di . V ar(N )
As a rule of thumb, the greater the SNR, the fewer number of traces to crack the secret [7]. As a cautionary notice, we mention that in general, a variance does not necessarily contain an information. For instance, if the variance was caused by a random number generator (RNG), it would not convey any single bit of information about the secrets. But given that we study a device without RNG, we can be assured that some information is present when there is a non-zero variance. The relationship between the variance and the informational contents of the signal is further analysed in Sec. IV.
Quasi-homothetic downscale of the raw curves at different
III. E XPERIMENTS AND M EASUREMENTS A. SNR Estimation with Chosen Plaintexts In order to estimate the SNR, we take advantage of the fact that we are able to choose the plaintexts and the key. This allows to forge chosen plaintexts that activate only one substitution box (sbox). More precisely, we recorded the EM dissipation of each sbox for all 256 inputs, while keeping the others at 0x00, repeating for each distance d ∈ {0, 5, 10, 15, 20, 25} cm. We averaged these measurements by 4 096 in a view to reduce the noise due to the other bits activity and to the environmental noise. To complete the characterization, it remains to determine the index tc of the sample, that corresponds to the moment when the data are manipulated. B. Measurement of the Activity as a Function of the Distance d Firstly we check that for different distances, the curves for the same plaintext are scaled down, according to an inverse power law. as illustrated in figure 2. On one hand, we notice, as expected, that the useful signal decreases following 1/di law of attenuation, plotted in figure. 3, and the noise reaches a limit when the distance increases: it stabilizes at 402 µV2 for d ≥ 5 . . . 25 cm. Indeed, the closer we get to the electronic board, the more the noise level increases, because we capture the perturbations from the board components in addition to the ambient noise. To confirm these observations, we have performed an attack on the AES, when the antenna was placed much further away, at 50 cm from the FPGA board. In practice, the signal was amplified of 60 dB and averaged by a factor of 4096. The attack needs 51,519 measurements to break the sbox #1, whereas only 1,000 are required at d = 0 cm. The correlation curve is represented in figure. 4. The correlation does not clearly stand out. We assume that the attack requires so many traces to fully disclose the key because the Hamming model is not holding anymore at this large distance. In the next section IV, we propose a method to build an improved model based on the construction of 256 templates.
-1260
Leakage
Estimated leakage magnitude
STD (Leakage) in µV
14 12 10 8 6 4 2 0 10 15 Distance in cm
240 220 200 180 160 140 120 100 80 60 40
20
-1320 -1340 -1360 -1380 -1400
25
Hamming Distance Model at 0 cm 0
1
-1800
Noise
Estimated leakage magnitude
STD (Noise) in µV
5
2
3 4 5 Hamming Distance
6
7
8
7
8
Hamming Distance Model at 15 cm
-1850 -1900 -1950 -2000 -2050
0
5
10 15 Distance in cm
20
25
Standard deviation of the signal and of the environmental noise. 0.03
0.02 0.015 0.01 0.005 0 -0.005 -0.01 -0.015 -0.02 0
500
1000
1500
2000
2500
3000
Sample
Figure 4.
0
Figure 5.
1
2
3 4 5 Hamming Distance
6
Hamming distance at 0 cm and at 15 cm.
confirmed at d = 0 cm, as attested by figure. 5, at 15 cm, the model is chaotic and not consistent with an identical amount of dissipation per bit making up the analyzed byte.
Sbox #1 attack
0.025
Correlation
-1300
-1420 0
Figure 3.
-1280
CEMA on sbox #1 at a distance d = 50 cm.
IV. ACCURATE S TUDY OF THE L EAKAGE M ODEL AT D ISTANCE It has already been noticed in the literature that the Hamming distance is not the best model in the case of very near-field analyses. For example, authors in [9] proves that under some circumstances, an ASIC can have a transitiondependent leakage. In this section, we show that the Hamming distance model is adequate for intermediate distance fields EM analyses, but that it distorts seriously in far-field analyses. We show that the success rate of an attack at high distance can be improved by selecting an adapted model. In our methodology, the model is pre-characterized by the statistical analysis of emanations for a known key. A. Methodology and First Observation In near-field the leakage obeys a Hamming distance model: it is an affine function of the number of bit transitions between two consecutive states. On one hand, the Hamming distance is
B. Deterioration of the Hamming distance Leakage Model at d = 50 cm We provide in this section a study about the leakage model at 50 cm from the chip board. We target the last round of the AES, and we intend to characterize the leakage of sbox #0. However, this sbox is left untouched by the ShiftRows operation on the last round of the encryption. Therefore, the set of the possible transitions is reduced to only #{x ⊕ SubBytes(x), for x ∈ [0x00, 0xff]} = 162 values out of the 256 expected1 Consequently we find that we have only 7 values for the Hamming distance available out of the 9 expected. Therefore we target the next sbox, namely sbox #1, which exercises all the 256 transitions. We search the index tc of the maximal correlation, that corresponds to the moment when the data are stored in the register on the last round. We compute for this index the average and the variance for the 256 possible Hamming distances, the key and the message being known. This pre-characterized leakage model is shown in figure 6. We observe that the standard deviation is almost independent of the byte distances. Therefore, most of the model information is contained in the mean leakage value. As a consequence, we adopt a tabulated leakage model consisting in a look-up to the corresponding estimated averages. C. Results and Discussion After this characterization, we launched a correlation attack on sbox #1 with the newly obtained model. The attack is 1 The reason for the reduction of transitions is that x 7→ x⊕SubBytes(x) is not necessarily bijective, even if SubBytes is.
0.08
900
0.06
880 Leakage value
0.04 Correlation
860 840
0 -0.02
820 linear regression
800
0 1 2 3 4 5 6 7 8 Hamming distance between two consecutive values of sbox #1 Leakage standard deviation at tc
0.02
-0.04 Sbox #1 attack with pre-characterized model
-0.06 0
500
1000
1500
2000
2500
3000
Sample
250
Figure 7. Correlation obtained on sbox #1 at 50 cm with the pre-characterized model.
200 150 100 50 0 0
Figure 6.
50 100 150 200 250 Distance between two consecutive values of sbox #1
Pre-characterized leakage model at 50 cm for the Sbox #1.
three regions: in near-field, the switching distance is the most suited, as initially observed in the article [9]; in mediumdistance (d ∈ [0, 5] cm), the Hamming model is adequate; in long-distance (d > 5 cm), the model becomes less relevant. Lastly we prove that an attack using weights determined by an off-line training allows to reduce the number of measurements to retrieve the key by a factor up to ten. VI. ACKNOWLEDGMENTS
Distance 0 cm 5 cm 25 cm 50 cm
CPA 183 2944 4869 47900
sbox #1 Pre-ch. CPA 146 401 916 5003
CPA 844 1751 3801 21035
sbox #5 Pre-ch. CPA 169 117 1269 8168
Table I R ESULTS CPA vs P RE - CHARACTERIZED MODEL .
considerably enhanced: the key byte entering this sbox is disclosed with as few as 5 003 traces. The correlation curve for the correct key guess is shown in figure. 7. The peak at t = tc is clearly visible, especially when contrasted with the correlation curve obtained with a classical CEMA in figure. 4. These experiments confirm that the leakage model based on the Hamming distance model is not optimal at distance (Refer to Tab. I for attacks figures). V. C ONCLUSIONS AND P ERSPECTIVES This paper reports the first systematic study of CEMA as a function of the distance. Our investigations have revealed that two steps in the attacks are critical: the adequate signal amplification and the relevance of the leakage model. First of all, with a simple indicator we are able to trace the SNR curve decreasing slowly with the distance. Hence an attack at 50 cm is possible provided the signal is amplified sufficiently. Second, we discover that the leakage model distorts more and more with the distance. Therefore, we show that the leakage models change according to thresholds. We identify
This work are funded by the French defense ministry. The authors would like to thank Denis R´eal for these advises. R EFERENCES [1] Dakshi Agrawal, Josyula R. Rao, and Pankaj Rohatgi. Multi-channel Attacks. In Burton S. Kaliski Jr., Cetin Kaya Ko, and Christof Paar, editors, Cryptographic Hardware and Embedded Systems - CHES, volume 2779 of LNCS, pages 2–16. Springer, 2003. ´ [2] Eric Brier, Christophe Clavier, and Francis Olivier. Correlation Power Analysis with a Leakage Model. In CHES, volume 3156 of LNCS, pages 16–29. Springer, August 11–13 2004. Cambridge, MA, USA. [3] Karine Gandolfi, Christophe Mourtel, and Francis Olivier. Electromagnetic Analysis: Concrete Results. In C¸etin Kaya Koc¸, David Naccache, and Christof Paar, editors, Cryptographic Hardware and Embedded Systems - CHES 2001, volume 2162 of LNCS, pages 251–261. Springer, 2001. [4] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential Power Analysis. In Proceedings of CRYPTO’99, volume 1666 of LNCS, pages 388–397. Springer-Verlag, 1999. (PDF). [5] Stefan Mangard. Exploiting Radiated Emissions – EM Attacks on Cryptographic ICs. In Lackner Ostermann, editor, Proceedings of Austrochip 2003, pages 13 – 16, 2003. [6] Stefan Mangard. Hardware Countermeasures against DPA – A Statistical Analysis of Their Effectiveness. In CT-RSA, volume 2964 of Lecture Notes in Computer Science, pages 222–235. Springer, 2004. San Francisco, CA, USA. [7] Stefan Mangard, Elisabeth Oswald, and Thomas Popp. Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer, December 2006. ISBN 0-387-30857-1, http://www.dpabook.org/. ´ [8] Eric Peeters. Towards Security Limits of Embedded Hardware Devices: from Practice to Theory. PhD thesis, Universit´e catholique de Louvain, November 2006. ´ [9] Eric Peeters, Franc¸ois-Xavier Standaert, and Jean-Jacques Quisquater. Power and electromagnetic analysis: Improved model, consequences and comparisons. Integration, The VLSI Journal, special issue on “Embedded Cryptographic Hardware”, 40:52–60, January 2007. DOI: 10.1016/j.vlsi.2005.12.013.
