Re: Power analysis of AES candidates
Eli Brandt writes:

> If so, doubling the cap size halves the cutoff frequency (right?), halving the leaked power. Integrating runs gives signal voltage linear in n and noise voltage sqrt(n); voltage ratio is sqrt; power ratio is linear. So leaked-signal power is Theta( (attacker's number of runs) / (capacitor size) ). No asymptotic edge either way; attacker wins against bounded cap size. /handwave

I don't quite understand your handwave analysis: if we use supercapacitors we can power the embedded unit for hours straight. A typical encryption round completes in milliseconds at best; I don't see how microsecond spike demands can ever leak out regardless of whether we measure till the Big Crunch or the day after tomorrow. Apart from such crude-but-effective countermeasures we haven't even begun tackling lunatic fringe stuff like reversible computation.
Re: Power analysis of AES candidates
Andreas Bogk wrote on 1999-09-15 00:04 UTC:

> The usual setup for DPA involves a 10 Ohm resistor which sits in the power supply and measuring the voltage across that resistor. The countermeasure we're talking about is an on-chip capacitor that smoothes the power consumption, or a power supply inside a tamper-resistant package such as the Dallas iButton, which essentially serves the same purpose.

The battery in the Dallas iButton is *NOT* there to power CPU operations. This battery acts only to provide the around 1 nA data retention current needed by the SRAM to keep its data reliably when external power is removed. As soon as external power is supplied, the internal Li battery is disconnected by the CPU power supply management system.

The iButton does however have a power supply buffer capacitor on board. Its primary function is to maintain power in communications mode. The iButton can operate in two modes: communication and calculation. In communication mode, only a large shift register is operated that is connected to the serial port. Power is drawn from the interface pull-up resistor during the transmitted 1 bits. While a 0 bit is transmitted, the shift register draws its energy from the internal capacitor. In calculating mode, the interface shorts the pull-up resistor, such that the iButton CPU is now directly connected to the full power supply, but it can't communicate any more.

By the way, one rather simple yet effective power analysis countermeasure is described in

  http://www.cl.cam.ac.uk/~mgk25/sc99-tamper.pdf
  http://www.cl.cam.ac.uk/~mgk25/sc99-tamper-slides.pdf

Adding a random bit stream generator into the internal clock line that switches between genuine CPU cycles and realistic dummy loads at a clock-cycle level can help to add sufficient amounts of timing variation to make DPA infeasible. While software-based random-delay loops can usually be rather easily spotted with single-shot cross-correlation techniques and therefore be compensated by the power analyser before applying the usual algorithms, the time intervals between two clock cycles do not usually provide enough information to reliably resynchronize externally with the program flow.

Another approach is to use asynchronous processors, which do not depend on an external clock at all, and whose power consumption spectrum tends to smooth itself out very nicely. Designing attacks and defenses against asynchronous smartcard processors promises to become a highly interesting area of work. (By the way, if you are seriously interested in working in this field, we have just received a substantial grant to develop invasive and non-invasive attacks on upcoming asynchronous high-security smartcard CPU technologies, and we will be offering very soon 2-3 research PhD student and post-doc positions for people with a strong interest in microelectronics, tamper resistance, digital signal processing and hardware security. Contact me for details if you are interested. http://www.cl.cam.ac.uk/Research/Security/tamper/)

At typical smartcard frequencies, the information leaking in the power signal is spread across the entire HF and VHF band. It does not seem to be too practical to place sufficiently good passive RC or LC filters onto a chip given the current CMOS processes commonly used for 8-bit microcontrollers. Another approach is to add a broadband OpAmp that implements a current regulator. Make the CPU draw a constant current and dissipate any power not needed by the CPU temporarily in an on-chip resistor. This works nicely for low frequencies, but is also rather difficult to do with normal CMOS processes in the VHF bands.

It would be possible to add such an opamp as a separate second chip, but many customers are not likely to pay two dollars more for the entire smartcard just for power-analysis protection. The challenge is to get a really cheap countermeasure.

Markus

-- 
Markus G. Kuhn, Computer Laboratory, University of Cambridge, UK
Email: mkuhn at acm.org, WWW: http://www.cl.cam.ac.uk/~mgk25/
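The random clock-gating countermeasure above can be evaluated numerically. The following simulation is an added illustration, not code from this thread or from the Cambridge paper, and all of its numbers (window length, position of the sensitive cycle, leak amplitude, noise level) are constructed. It models a clocked core that is sampled once per clock cycle, and compares the averaged trace of a plain core against one where a random bit stream precedes each genuine cycle with a dummy cycle with some probability, so that the sensitive cycle's position jitters by a binomial number of samples from run to run:

```python
import math
import random

# Constructed model of a clocked 8-bit smartcard CPU as seen by a power analyser:
# one sample per external clock cycle. The numbers are illustrative, not measured.
CYCLES = 400           # cycles in the recorded window
SENSITIVE_CYCLE = 200  # cycle in which the key-dependent switching happens
LEAK = 1.0             # extra power drawn in that cycle, arbitrary units
NOISE = 2.0            # per-cycle measurement noise (std), same units


def trace(rng, dummy_prob):
    """One power trace.

    With dummy_prob == 0 this is an ordinary clocked core: the leak sits at the same
    sample in every run, and a software random-delay loop would only shift the whole
    trace by a block, which is what single-shot cross-correlation undoes. With
    dummy_prob > 0, the random bit stream on the internal clock line precedes each
    genuine cycle with a dummy cycle of realistic-looking load with that probability,
    so the leak's sample index is 200 + Binomial(201, dummy_prob) and differs per run.
    """
    out = []
    for cycle in range(CYCLES):
        if dummy_prob > 0 and rng.random() < dummy_prob:
            out.append(rng.gauss(0.0, NOISE))       # dummy cycle, indistinguishable load
        value = rng.gauss(0.0, NOISE)
        if cycle == SENSITIVE_CYCLE:
            value += LEAK
        out.append(value)
    return out[:CYCLES]                              # the analyser records a fixed window


def averaged_trace(n_runs, dummy_prob, seed=7):
    """Sample-wise mean of n_runs traces, the basic averaging step of a DPA."""
    rng = random.Random(seed)
    acc = [0.0] * CYCLES
    for _ in range(n_runs):
        for k, v in enumerate(trace(rng, dummy_prob)):
            acc[k] += v
    return [a / n_runs for a in acc]


def peak(avg):
    """(sample index, value) of the largest averaged sample."""
    k = max(range(len(avg)), key=avg.__getitem__)
    return k, avg[k]


def expected_peak_fraction(dummy_prob, cycles_before=SENSITIVE_CYCLE + 1):
    """Largest share of runs in which the leak lands on one fixed sample.

    That is the modal probability of Binomial(cycles_before, dummy_prob); the averaged
    leak peak is at most LEAK times this, and it shrinks as the jitter spreads over
    roughly sqrt(cycles_before * p * (1 - p)) samples. With no dummies it is 1.
    """
    if dummy_prob == 0:
        return 1.0
    n, p = cycles_before, dummy_prob
    k = math.floor((n + 1) * p)  # mode of the binomial distribution
    return math.comb(n, k) * p ** k * (1 - p) ** (n - k)


if __name__ == "__main__":
    for p in (0.0, 0.1, 0.3):
        k, v = peak(averaged_trace(500, p))
        print(f"dummy_prob={p}: averaged peak {v:.3f} at sample {k}, "
              f"bound LEAK*{expected_peak_fraction(p):.3f}, "
              f"noise floor ~{NOISE / math.sqrt(500):.3f}")
```

With no dummies, 500 runs pull the leak cleanly out of a noise floor of 2/sqrt(500); with a 30% insertion probability the leak is smeared over about 6.5 samples, its averaged peak is bounded by roughly 6% of its size and is no longer distinguishable from the averaged noise. The bound from `expected_peak_fraction` is the quantity a designer would use to pick the insertion probability for a given distance between reset and the sensitive operation.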
Re: Power analysis of AES candidates
Eugene Leitl wrote:

> I don't quite understand your handwave analysis: if we use supercapacitors we can power the embedded unit for hours straight.

Okay, so you charge and then disconnect from the power source to execute. I got the impression we were talking about using the cap as you would in a power supply.

-- 
Eli Brandt | [EMAIL PROTECTED] | http://www.cs.cmu.edu/~eli/
Re: Power analysis of AES candidates
At 1:35 PM -0700 9/14/99, John Gilmore wrote:

> At 10:32 AM -0700 9/13/99, Eugene Leitl wrote:
>> Why don't you just erase flash when a pressure change (hull breach) is detected. Using double-walled hull, to look for shortcuts. You can also couple this to light detection, and whatnot.
>
> Arnold Reinhold said:
>> in several places) that would monitor on-chip supply voltage and keep the program from executing sensitive code for some period if dV/dt were too high. If the cap or Li battery were disconnected, the
>
> What are you guys talking about? Differential power analysis doesn't require any physical attack, nor does it deal with voltage variations. (You are probably thinking of Shamir's fault-injection attacks.) Differential power analysis measures the current consumption of the part as it operates, completely outside the device.

OK, a recap of where we are:

A suggestion was made that a large capacitor or Lithium battery be used to reduce the power fluctuations that DPA depends on. That was countered by pointing out that an attacker could physically disconnect the battery or cap (maybe x-ray the package, find the relatively fat connection and drill it out). Mr. Leitl suggested pressure and light sensors to detect the drilling, which I find dubious, even if each smart card has a different pressure. I suggested that a simple on-chip circuit could inform the on-board CPU that a disconnect may have occurred. This circuit would measure fluctuations in the supply voltage. Mr. Ohm has demonstrated that current variations usually imply voltage variations. Mr. Brandt now questions whether a cap can be large enough to defeat DPA, since the attacker can increase the number of runs and the required N varies linearly with C. I would like to point out that using one or more RC stages changes the equation considerably, and, in the extreme, the CPU could be powered entirely by a capacitor or battery during the sensitive computations, with all connection to the outside temporarily broken.

Arnold Reinhold
Re: Power analysis of AES candidates
At 10:32 AM -0700 9/13/99, Eugene Leitl wrote:

> Why don't you just erase flash when a pressure change (hull breach) is detected. Using double-walled hull, to look for shortcuts. You can also couple this to light detection, and whatnot.
>
> Andreas Bogk writes:
>> Russell Nelson [EMAIL PROTECTED] writes:
>>>> There's some question about how hard it will be to design hardware that will be DPA-resistant for different algorithms.
>>>
>>> Big on-chip caps. Lithium batteries. Tamper-resistant housings.
>
> [...]

A sophisticated attacker could measure the pressure in each compartment and work in a pressurized, darkened room.

One thought I had is to include a circuit on chip (perhaps duplicated in several places) that would monitor on-chip supply voltage and keep the program from executing sensitive code for some period if dV/dt were too high. If the cap or Li battery were disconnected, the circuit would see continuous fluctuations and shut the processor down. An accidental power glitch would only cause a short delay in execution. If an attacker can get to the chip and disable these power monitor circuits, he can probably also put a logic analyzer on the memory lines and extract the key that way.

Arnold Reinhold
Re: Power analysis of AES candidates
John Gilmore writes:

> What are you guys talking about? Differential power analysis doesn't require any physical attack, nor does it deal with voltage variations. (You are probably thinking of Shamir's fault-injection

You can't do differential power analysis if you supply power photonically to an encapsulated unit. Power dissipated gets averaged out over time so you can't just monitor the temperature.

> attacks.) Differential power analysis measures the current consumption of the part as it operates, completely outside the device.

1) A self-contained, sealed unit is immune to this.
2) What prevents us from measuring the power and filling out lacunae a la resistance heating? The unit would then show constant dissipation regardless of which computation it performs.

> It uses statistical techniques to confirm or reject hypotheses about the key values being operated on in the final rounds of encryption algorithms. Paul Kocher's team has developed some countermeasures, see the end of the technical discussion linked from: http://www.cryptography.com/dpa/index.html
>
> John
Re: Power analysis of AES candidates
At 01:35 PM 9/14/99 -0700, John Gilmore wrote:

> What are you guys talking about? Differential power analysis doesn't

The power analysis thread mutated into a tamper-react thread without changing the Subject line.

> At 10:32 AM -0700 9/13/99, Eugene Leitl wrote:
>> Why don't you just erase flash when a pressure change (hull breach) is
>
> Arnold Reinhold said:
>> in several places) that would monitor on-chip supply voltage
Re: Power analysis of AES candidates
Andreas Bogk wrote:

> The usual setup for DPA involves a 10 Ohm resistor which sits in the power supply and measuring the voltage across that resistor. The countermeasure we're talking about is an on-chip capacitor that smoothes the power consumption, [...]

Has this been analyzed? It's got to take the high-frequency information the attacker's looking for so far below the thermal noise floor that it can't be recovered by averaging multiple runs.

I do DSP, not EE, but I'd think this smoothing capacitor would effect a one-pole lowpass filter. If so, doubling the cap size halves the cutoff frequency (right?), halving the leaked power. Integrating runs gives signal voltage linear in n and noise voltage sqrt(n); voltage ratio is sqrt; power ratio is linear. So leaked-signal power is Theta( (attacker's number of runs) / (capacitor size) ). No asymptotic edge either way; attacker wins against bounded cap size.

/handwave

-- 
Eli Brandt | [EMAIL PROTECTED] | http://www.cs.cmu.edu/~eli/
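Eli's handwave can be checked with a small model. The simulation below is an added illustration, not code from the thread, and its parameters (a 1 GS/s sample clock, 1 mV of measurement noise, a 1 pC switching event, the capacitor values) are constructed rather than measured from any device. It keeps the thread's 10 Ohm sense resistor, treats the on-chip capacitor as the one-pole RC smoothing Eli assumes, and then averages noisy runs to see how the matched-filter signal-to-noise ratio scales with the number of runs and with C:

```python
import math
import random

# Constructed model parameters for the thread's DPA setup: a 10 ohm sense resistor
# in series with the supply, a smoothing capacitor on the chip side of it, and a
# scope sampling the resistor voltage. None of these values come from a real device.
DT = 1e-9          # scope sample period, seconds (1 GS/s)
R_SENSE = 10.0     # ohms, the series resistor from the thread
SIGMA = 1e-3       # volts, per-sample measurement noise (constructed)
Q_LEAK = 1e-12     # coulombs drawn from the cap by one key-dependent switching event (constructed)
N_SAMPLES = 2048   # samples recorded per run


def leak_template(cap_farads, q=Q_LEAK, n_samples=N_SAMPLES):
    """Voltage the event leaves across the sense resistor after one-pole RC smoothing.

    The spike is supplied by the capacitor, which then recharges through R_SENSE:
    the recharge current is (q / (R C)) * exp(-t / RC), so the resistor voltage peaks
    at q / C and decays with time constant tau = R C. Doubling C halves the peak and
    doubles tau, so the template's energy (sum of squares) roughly halves: that is
    Eli's 'halving the leaked power'.
    """
    tau = R_SENSE * cap_farads
    return [(q / cap_farads) * math.exp(-k * DT / tau) for k in range(n_samples)]


def template_energy(cap_farads):
    return sum(v * v for v in leak_template(cap_farads))


def analytic_snr(n_runs, cap_farads, sigma=SIGMA):
    """Matched-filter SNR (a power ratio) after averaging n_runs traces.

    Averaging leaves the signal unchanged and divides the noise variance by n_runs,
    so SNR = n_runs * E_signal / sigma^2: linear in runs, about 1/C in capacitor size.
    """
    return n_runs * template_energy(cap_farads) / sigma ** 2


def runs_for_snr(target_snr, cap_farads, sigma=SIGMA):
    """Runs the analyser needs to reach target_snr; this scales linearly with C."""
    return math.ceil(target_snr * sigma ** 2 / template_energy(cap_farads))


def averaged_trace(n_runs, cap_farads, seed=1):
    """Average of n_runs noisy traces; the per-run leak is far below the noise floor."""
    rng = random.Random(seed)
    template = leak_template(cap_farads)
    acc = [0.0] * len(template)
    for _ in range(n_runs):
        for k, s in enumerate(template):
            acc[k] += s + rng.gauss(0.0, SIGMA)
    return [a / n_runs for a in acc]


def empirical_snr(n_runs, cap_farads, seed=1):
    """Correlate the averaged trace with the template and square the normalised result.

    Under noise alone the correlation statistic has standard deviation
    sigma * sqrt(E_signal / n_runs); dividing by that and squaring gives an estimate
    that lands near analytic_snr for the same parameters.
    """
    template = leak_template(cap_farads)
    avg = averaged_trace(n_runs, cap_farads, seed)
    stat = sum(a * s for a, s in zip(avg, template))
    noise_std = SIGMA * math.sqrt(template_energy(cap_farads) / n_runs)
    return (stat / noise_std) ** 2


if __name__ == "__main__":
    for cap in (1e-8, 2e-8, 4e-8):
        print(f"C = {cap:.0e} F: peak per run {Q_LEAK / cap * 1e3:.3f} mV "
              f"(noise {SIGMA * 1e3:.1f} mV), runs for SNR 10: {runs_for_snr(10, cap)}")
    print("SNR after 200 runs at 10 nF: analytic %.1f, simulated %.1f"
          % (analytic_snr(200, 1e-8), empirical_snr(200, 1e-8)))
```

Doubling `n_runs` exactly doubles the analytic SNR, doubling the capacitor cuts it by a factor of about two, and `runs_for_snr` doubles with C, which is the Theta(runs / C) relation in Eli's message: a passive single-pole filter buys the defender a constant factor in traces, not an asymptotic one. Where the single-pole assumption fails, so does the conclusion; the model has no counterpart to the multi-stage filtering or the fully disconnected supply raised elsewhere in this thread.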
Re: Power analysis of AES candidates
At 02:58 PM 9/14/99 -0700, Eugene Leitl wrote:

> You can't do differential power analysis if you supply power photonically to an encapsulated unit.

Interesting. Such supplies have been proposed for medical gear, where you need absolute isolation. Intense light, reflector, Si cells. A few cm of air. Baroque and inefficient, yes.
Re: Power analysis of AES candidates
-----BEGIN PGP SIGNED MESSAGE-----

[ To: Perry's Crypto List ## Date: 08/30/99 ## Subject: Re: Power analysis of AES candidates ]

> From: "William Whyte" [EMAIL PROTECTED]
> To: "Cryptography@C2. Net" [EMAIL PROTECTED]
> Subject: Power analysis of AES candidates
> Date: Wed, 11 Aug 1999 19:53:39 +0100

[ Discussion of vulnerability to power analysis of the finalists, claiming Serpent and Twofish to be the most resistant. ]

These results look a little odd to me. On conventional hardware, every cipher I have heard of is vulnerable to DPA. (Essentially, that means do lots of encryptions under one unknown key, guess part of the key that would reveal some internal state, and look for power measurements correlated to that internal state taken during those encryptions.) A few people have worked on clever ways to resist DPA, especially Cryptography Research (Paul Kocher's company), which holds patents on some of them. I think several smartcard companies had considered less sophisticated power-consumption attacks and designed defenses to them before that. (I know *I* had considered much less sophisticated attacks, but not DPA, before hearing about Paul's work.)

There's some question about how hard it will be to design hardware that will be DPA-resistant for different algorithms. My impression (but I am not a circuit designer or anything, so take it with a grain of salt) is that it's going to be easier to secure simpler hardware designs than more complex ones. This probably means Rijndael and Serpent are the easiest to secure (XORs, table lookups, and bit permutations only), while Twofish is somewhere in the middle (we use 32-bit adds) and MARS and RC6 are somewhat harder to secure (because they use multiplications and data-dependent rotations, as well as 32-bit adds). It's important to emphasize that all the AES candidates are susceptible to DPA if they're implemented on normal hardware. DES (with nothing but XORs, table-lookups, and bit permutations) in normal hardware is very easy to attack.

> Cheers,
> William

- --John Kelsey, [EMAIL PROTECTED] / [EMAIL PROTECTED]
NEW PGP print = 5D91 6F57 2646 83F9 6D7F 9C87 886D 88AF

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.5.3i for non-commercial use http://www.pgpi.com

iQCVAwUBN8raKSZv+/Ry/LrBAQHNlgP/Z0cyYXBLqah/yH/1+wJQHwIULukYJiz/
z3e3WrtiVdromkONuXV/KA2RTM9sk1Do1V4yUKcqypht5JErSW5ITkKCgrbEvRs8
O8zzZiNZ/uWGk31TkerkdGFyi+TS05QrMuupj5PYR1D7UkNyb5GV5F9GuEmCFYpr
ZEV+O8F8x5k=
=LVJk
-----END PGP SIGNATURE-----
Re: Power analysis of AES candidates
John Kelsey writes:

> There's some question about how hard it will be to design hardware that will be DPA-resistant for different algorithms.

Big on-chip caps. Lithium batteries. Tamper-resistant housings. That's what Dallas Semiconductor uses for its 1-Wire devices, including the famous Java ring. It works to protect data, but not algorithms, because once you extract the algorithm, you've got it. With data, you have only to make extraction more expensive than the data is worth.

You could also superglue the chip to something very hard, so that you can't probe the chip without getting the cover off, and if you try, you destroy the chip trying.

-- 
-russ nelson [EMAIL PROTECTED] http://russnelson.com
Crynwr sells support for free software | PGPok                 | Government schools are so
521 Pleasant Valley Rd.                | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213                 | +1 315 268 9201 FAX   | can outdo them. Homeschool!