Research paper : Secure implementation of cryptographic modules (A. Satoh et al.) −92− Synthesiology - English edition Vol.3 No.1 (2010)

The simplest and most basic SPA countermeasure for the RSA scheme is to insert a dummy multiplication after the squaring operation for every '0' bit in the secret-key bit pattern, so that the sequence of squarings and multiplications no longer depends on the key. However, other attack methods that use input-data manipulation to distinguish such a dummy multiplication have been proposed. We are exploring the effectiveness of various attack methods and countermeasures through experiments with the SASEBO, and are also attempting to find and develop new attack methods and countermeasures.

4.4 Differential power analysis on an AES cipher circuit

This section explains the AES algorithm, the standard symmetric-key cipher most widely used today, and demonstrates the Differential Power Analysis (DPA)[22] attack, which processes a multitude of power traces. AES encrypts a 128-bit data block with a 128-, 192- or 256-bit key. Figure 7 illustrates the encryption algorithm with a 128-bit key. The 128-bit data block is arranged into a 4 × 4 array of bytes and processed in 10 rounds. Each round function consists of four transforms, SubBytes, ShiftRows, MixColumns and AddRoundKey, except that the last round omits MixColumns. A simple key scheduler iteratively transforms the 128-bit secret key into ten 128-bit round keys, one for each round. In AddRoundKey, the round key is combined with the data block by exclusive OR (XOR). SubBytes is a collection of 16 S-boxes, each performing a byte-wise non-linear transform on one byte of the 4 × 4 array. ShiftRows cyclically shifts each row of the 4 × 4 array by a row-dependent number of bytes. MixColumns applies a 4-byte linear transform to each of the four columns.

A typical circuit implementation of AES employs a loop architecture that reuses one round-function circuit ten times. Figure 8 shows the power traces measured for the AES circuits implemented on the cryptographic LSI and the FPGA mounted on the SASEBO-R and SASEBO-G, respectively; the sawtooth-shaped peaks correspond to the individual rounds. Unlike SPA on the RSA scheme, where the secret-key bit sequence appears on the power trace as a geometric pattern, the AES key cannot be read off in that way: all 128 key bits are XORed at once, and the contribution of each bit to the power trace is too small to read. DPA, by contrast, is a key extraction scheme that applies statistical processing to thousands or tens of thousands of power traces. It builds a set of power models, each based on a different hypothesis for a part of the key, computes the correlation between each model and the power traces acquired for different input data, and selects as the most probable partial key the hypothesis whose power model correlates most strongly with the measured data. Because SubBytes is a byte-oriented transform, ShiftRows moves whole bytes along byte boundaries, and AddRoundKey is a bit-wise XOR, every byte of the last round (which skips MixColumns) is processed independently of the other bytes. The 128-bit key can therefore be analyzed one byte at a time. Since an eight-bit value has only 256 possible values (0 to 255), estimating an eight-bit partial key requires building and examining just 256 power models, and the whole 128-bit key is recovered with only 16 such analyses. During the analysis of one 8-bit part of the key, the power consumption due to the operations on the other 120 bits behaves as noise. Note, however, that since a cryptographic circuit behaves like a random number generator, the power consumption of the unrelated parts is uncorrelated with the part under analysis; the influence of these random noise components can therefore be reduced by statistical processing of a large number of power traces.

Figure 9 is a screen shot of the power analysis attack evaluation tool for AES circuits that we developed. In this instance it is performing CPA (Correlation Power Analysis)[25] on the intermediate-value register, with a power model based on the hypothesis that the power consumption is proportional to the number of transitioning bits (Hamming distance) in the last round. The lower half of the

Fig. 7 The AES encryption algorithm. (Plaintext, secret key, key scheduler, 10 rounds, ciphertext; ShiftRows: no shift, 1B, 2B and 3B right circular shift.)
Fig. 8 Power traces for AES circuit. (a) ASIC (b) FPGA
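As an added example (not code from the paper or from the SASEBO tools), the following Python simulates the byte-wise CPA described above: constructed power samples for the last-round register update follow the Hamming-distance model, the switching of the other 15 state bytes is included as noise, and the correct key byte is recovered as the one of 256 hypotheses whose model correlates best with the samples. It targets a row-0 byte, which ShiftRows does not move; the key byte, trace count and noise level are constructed values.

```python
"""Simulated CPA on the AES last round with a Hamming-distance model (constructed example)."""
import random

def _gf_mul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _build_sbox():  # AES S-box from its definition: GF(2^8) inverse, then affine map
    sbox = [0] * 256
    for x in range(256):
        s = t = 0 if x == 0 else next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        for _ in range(4):  # s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
            t = ((t << 1) | (t >> 7)) & 0xFF
            s ^= t
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]
HW = [bin(v).count("1") for v in range(256)]  # Hamming-weight table

def hd_model(c, guess):
    """Bits flipped when a row-0 register byte (no ShiftRows displacement) goes from
    the round-9 value InvSubBytes(c ^ guess) to the ciphertext byte c."""
    return HW[INV_SBOX[c ^ guess] ^ c]

def simulate_traces(key_byte, n, noise=1.0, seed=1):
    """Constructed traces: one sample per encryption at the last-round register update."""
    rng, out = random.Random(seed), []
    for _ in range(n):
        c = rng.randrange(256)
        others = sum(HW[rng.randrange(256)] for _ in range(15))  # other 15 bytes: noise
        out.append((c, hd_model(c, key_byte) + others + rng.gauss(0, noise)))
    return out

def pearson(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)
    return cov / var ** 0.5 if var else 0.0

def cpa_scores(traces):
    """Correlation of each of the 256 candidate power models with the samples."""
    power = [p for _, p in traces]
    return [pearson([hd_model(c, g) for c, _ in traces], power) for g in range(256)]

def recover_key_byte(traces):
    """Key guess whose model correlates best; the other 255 scores are the ghost peaks."""
    return max(range(256), key=cpa_scores(traces).__getitem__)
```

Plotting `cpa_scores` against the guess value reproduces the single-peak picture the text describes, and repeating the run with fewer traces shows the peak sinking into the noise floor of the other 255 hypotheses.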