
Technische Universität München

Chair of Security in Information Technology (Lehrstuhl für Sicherheit in der Informationstechnik) at the Faculty of Electrical Engineering and Information Technology

Impact of Localized Electromagnetic Field Measurements on Implementations of Asymmetric Cryptography

Johann Heyszl

Complete reprint of the dissertation approved by the Faculty of Electrical Engineering and Information Technology of the Technische Universität München for the award of the academic degree of Doktor-Ingenieur (Dr.-Ing.).

Chair of the committee: Univ.-Prof. Dr.-Ing. Ulf Schlichtmann

Examiners of the dissertation:

1. Univ.-Prof. Dr.-Ing. Georg Sigl

2. Univ.-Prof. Dr.-Ing. Christof Paar, Ruhr-Universität Bochum

The dissertation was submitted to the Technische Universität München on 23 January 2013 and accepted by the Faculty of Electrical Engineering and Information Technology on 16 July 2013.

Abstract

Implementations of cryptographic algorithms are threatened by side-channel analysis, which denotes the recovery of secret keys through observations of, e.g., the current consumption of a device during cryptographic operations.

In this thesis, I investigate the use of high-resolution electromagnetic field measurements for side-channel analysis. Contrary to previous contributions about precise electromagnetic field measurements in side-channel analysis, I specifically concentrate on localized aspects of such measurements, which means that the measurements are restricted to a certain spatial extent. Previous publications either conclude that localized measurements of electromagnetic fields are impossible, or show unconvincing, coarse localizations without dedicated exploitation of such localized measurements. In this thesis, I improve the current state of research by investigating the feasibility, quality and dedicated use of localized electromagnetic field measurements.

In a first effort, I performed an extensive study about the strengths and limitations of such measurements. For this, I designed a test setup including a tailored hardware design configured into a depackaged Field Programmable Gate Array (FPGA) and used state-of-the-art high-resolution magnetic field measurement equipment. The measurements are processed in several different ways using statistical analysis to extract the relevant information. From this, I am able to clearly demonstrate the feasibility and quality of localized measurements, which yields two main results impacting implementations of cryptographic algorithms. First, the side-channel signal quality can be significantly improved at eligible measurement positions, and second, dedicated side-channel attacks become possible. Additionally, I derive important conclusions about the measurement setup and the processing of such traces in side-channel scenarios. Measurements from the frontside of an integrated circuit die using a magnetic sensor coil in the horizontal plane lead to the highest signal-to-noise ratios. High sampling rates are required and no trace compression should be applied. Finally, localized electromagnetic field measurements suffer from fewer parasitics than current consumption measurements using a resistor in the ground or supply voltage path.


After establishing the feasibility of localized measurements, I continue to describe how such localized measurements can be used to extract dedicated location-based side-channel information leakage from certain cryptographic algorithms. In integrated circuits, logic is located at different distances to a high-precision measurement probe. The location of the side-channel leakage allows one to recover information about the secret during a cryptographic computation if the different locations are used in a way that depends on secret information. I describe how popular exponentiation algorithms, which are used, e.g., in elliptic curve cryptography, fall into this category and exhibit location-based side-channel leakage. Attacks based on localized measurements are possible even if countermeasures such as exponent blinding are included or protocols restrict adversaries to single observations. To demonstrate this, I use an FPGA-based hardware implementation of an elliptic curve scalar point multiplication algorithm for a practical evaluation. Profiling of the leakage of the device using multiple measurements leads to an eligible measurement position. A profiled template attack exploiting a single localized measurement is able to recover the scalar almost entirely. I suggest a countermeasure which randomizes storage locations and demonstrate how it prevents the described attack.

As an improvement, I present a non-profiled side-channel attack to exploit location-based side-channel leakage of exponentiation algorithms. This attack applies well-researched unsupervised cluster classification algorithms to recover the secret scalar and does not require profiling and, hence, no generation of templates. This clustering-based attack can be used to exploit arbitrary single-execution side-channel leakage. In this way I extend previous work by Walter who, in contrast, used an individual algorithm. I practically demonstrate a successful and complete recovery of the scalar from the previous setup, which includes the FPGA-based elliptic curve cryptography implementation and a localized measurement at an eligible position.

The success probability of such single-execution attacks depends on the quality of the side-channel measurements. It follows directly from the localization property that different measurement positions lead to different observed side-channel information. A concurrent measurement of side-channel leakage at different positions during a single execution leads to more recovered information. The combination of measurements has already been described for other side-channel attacks. I improve the clustering-based side-channel attack on exponentiations by combining multiple simultaneous measurements.

During a practical study, I use a regular array of measurement positions on the surface of the FPGA from the previous evaluation. The case study shows that three measurements of the same execution from different positions lead to a full recovery of the secret scalar, even though the positions are chosen without prior profiling of the spatial leakage distribution. Hence, no prior profiling to find the best measurement position is necessary. Instead, multiple measurement probes and a combination of measurements are sufficient. This is a significant threat and might equally apply to other implementations.
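The clustering-based recovery of the previous paragraphs, the gain from joining several probe positions, and the randomized-storage countermeasure, as a constructed simulation added here (not the thesis's own code or measurement data; the probe separations, the noise level and the 2-means implementation are assumptions):

```python
"""Constructed model of location-based single-execution leakage: in each ladder
iteration the register that is written depends on the secret bit d_i, and EM
probes at different positions see that choice with a position-dependent signal
difference. Added example with constructed parameters, not the thesis's code."""
import math
import random

# Constructed: signal difference per probe between "register 0 written" and
# "register 1 written", in units of the noise standard deviation.
PROBE_SEPARATION = [2.5, 2.2, 2.0]

def simulate_trace(bits, rng, randomize_storage=False):
    """Return one feature vector (one sample per probe) per ladder iteration."""
    samples = []
    for d in bits:
        # Countermeasure: a fresh random bit per iteration decides which physical
        # register holds which value, so the written location no longer follows d.
        used = d ^ rng.randrange(2) if randomize_storage else d
        samples.append([used * sep + rng.gauss(0.0, 1.0) for sep in PROBE_SEPARATION])
    return samples

def kmeans2(points, max_iter=100):
    """Lloyd's 2-means clustering; centroids start at the farthest pair of points."""
    cents = list(max(((p, q) for p in points for q in points),
                     key=lambda pq: math.dist(*pq)))
    labels = [0] * len(points)
    for _ in range(max_iter):
        new = [0 if math.dist(p, cents[0]) <= math.dist(p, cents[1]) else 1
               for p in points]
        if new == labels:
            break
        labels = new
        for k in (0, 1):
            members = [p for p, lab in zip(points, labels) if lab == k]
            if members:  # keep the old centroid if a cluster ran empty
                cents[k] = [sum(col) / len(members) for col in zip(*members)]
    return labels

def bit_error_rate(labels, bits):
    """Cluster numbering is arbitrary, so both label-to-bit mappings are tried."""
    mismatch = sum(lab != b for lab, b in zip(labels, bits)) / len(bits)
    return min(mismatch, 1.0 - mismatch)

def select_probes(trace, probe_idx):
    return [[s[i] for i in probe_idx] for s in trace]

def run_case_study(n_bits=160, seed=1):
    """BER for one probe, for all probes joined, and with randomized storage."""
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(n_bits)]
    trace = simulate_trace(bits, rng)
    protected = simulate_trace(bits, rng, randomize_storage=True)
    return {
        "single_probe_ber": bit_error_rate(kmeans2(select_probes(trace, [0])), bits),
        "joint_probes_ber": bit_error_rate(kmeans2(trace), bits),
        "randomized_storage_ber": bit_error_rate(kmeans2(protected), bits),
    }
```

With randomized storage the clusters still exist, but they follow the random swap bit rather than the scalar, so the BER stays near one half.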

To summarize, I contribute results regarding the strengths and limitations of high-resolution EM measurements for side-channel analysis and describe how location-based single-execution information leakage of cryptographic algorithms can be exploited in dedicated attacks on implementations of asymmetric cryptography. Furthermore, I introduce unsupervised cluster classification algorithms as an attack to exploit such single-execution leakage and as a means to combine simultaneous measurements in such attacks.

Kurzfassung (German abstract)

I sincerely appreciate the past years of supervision and promotion by my dissertation adviser Prof. Dr.-Ing. Georg Sigl. I would like to thank my second examiner Prof. Dr.-Ing. Christof Paar.

I would also like to thank my highly appreciated colleagues from Fraunhofer AISEC, Technische Universität München and Infineon Technologies AG for collaboration on scientific publications, support and opportunities. Especially so, I would like to thank Dr. techn. Stefan Mangard for his valuable scientific supervision and guidance, Dr. rer. nat. Frederic Stumpf for supervising my scientific work from the very beginning, Dr.-Ing. Andreas Ibing for introducing me to the field of pattern classification, Benedikt Heinz, Dominik Merli and Fabrizio De Santis for discussions, collaboration on publications and support, Gerald Holweg, Walter Kargl and Prof. Dr. rer. nat. Claudia Eckert for giving me opportunities, Dr. rer. nat. Guido Stromberg and Günter Hofer for encouraging me to pursue a doctorate, and Robert Hesselbarth as well as Konstantin Böttinger for proof-reading my dissertation.

CPA: Correlation-based Power Analysis
DCA: Differential Cluster Analysis
DFA: Differential Fault Attack
DLP: Discrete Logarithm Problem
DPA: Differential Power Analysis
DSA: Digital Signature Algorithm
ECC: Elliptic Curve Cryptography
ECDLP: Elliptic Curve Discrete Logarithm Problem
ECSM: Elliptic Curve Scalar Multiplication
ITMIA: Itoh-Tsujii Multiplicative Inverse Algorithm
LDA: Linear Discriminant Analysis
MIA: Mutual Information Analysis
PCA: Principal Component Analysis
RSA: Rivest Shamir Adleman
SNR: Signal-to-Noise Ratio
SPA: Simple Power Analysis

7.1 FPGA die surface area as dashed rectangle with regular grid of marked measurement positions (dashed circles around dot) and measurement position from previous Chap. 6 as green cross (p. 128)

7.2 BER after clustering for individual measurements at different positions (p. 129)

7.3 FPGA die surface area as dashed rectangle with marked and numbered measurement positions (p. 130)

7.4 SNR after unsupervised clustering of incrementally joint measurements (p. 131)

7.5 SNR gain in cluster separation through joint measurements (p. 132)

7.6 BER after unsupervised classification of incrementally joint measurements (p. 133)

List of Tables

4.1 Passive attacks and countermeasures for ECSMs according to Fan et al. [FGDM+10] (p. 77)

4.2 Active attacks and countermeasures for ECSMs according to Fan et al. [FGDM+10] (p. 78)

4.3 EC processing unit hardware configuration features. Influence on computation time in clock cycles and implementation complexity in Flip-Flops (FFs) and four-input Look-Up Tables (LUTs) compared to the basic functionality version as a reference (p. 89)

List of Algorithms

1 López-Dahab elliptic curve scalar multiplication algorithm [LD99a] using the Montgomery powering ladder [Mon87, JY03] (p. 83)

2 Main loop of an pseudo-algorithm. Computation sequence and timing are uniform while register usage depends on secret d (p. 95)

3 Countermeasure for Alg. 1 (p. 108)

4 Unsupervised k-means clustering algorithm [DHS01] (p. 118)

Introduction

The need for information security in daily life is increasing continuously. We rely on electronic information systems for monetary transactions, identification, communication and many other purposes. We buy goods via internet portals, access our bank accounts to authorize transactions via the internet, and perform daily payments using electronic bank cards or credit cards. We use electronic passports, which are more secure against counterfeiting, and use electronic car keys and building access tokens. We communicate using mobile handsets and voice over IP. In all such applications, information security is crucial and is established through information security engineering and, ultimately, cryptography.

Information security denotes, among other properties, the confidentiality, integrity and availability of information. In most of the mentioned applications, the communication channels, or devices, are accessible to people who should not be able to access our personal information, either constantly or during a certain time. This personal information may be our bank account number, authorization codes, or identification information which could be of value to opponents. In the case of communication over the internet, for instance, a third party could eavesdrop at every single routing node on a connection between two communicating parties.

Cryptography, or more specifically, cryptographic algorithms are used to ensure confidentiality as well as integrity of information. Early cryptographic algorithms date back to ancient times. The Caesar cipher [PHS03] is a simple substitution cipher where the letters in the alphabet are substituted. It could provide confidentiality against simple adversaries from ancient times, when a message was carried by a herald over long distances and interception had to be expected. A long history of improvements, cryptanalysis and defeats of cryptographic algorithms followed. Decades of research in cryptography during the late 20th century led to a selection of algorithms which are cryptanalytically secure. But this is not the end of the story.

Cryptanalytic security was exclusively important until the 90s, when side-channel analysis, or, more generally, physical cryptanalysis emerged as a major threat. Physical cryptanalysis refers to analyzing and breaking cryptographic security by using physical or implementation aspects of secure devices. This emerged because devices which are used for information security started to be increasingly embedded, pervasive and, thus, accessible.

Think of electronic passports, credit cards, and mobile phones for instance where it is obvious that such devices may get into the hands of adversaries.
