Side-Channel Analysis of the Xilinx Zynq UltraScale+ Encryption Engine

The Xilinx Zynq UltraScale+ (ZU+) is a powerful and flexible System-on- Chip (SoC) computing platform for next generation applications such as autonomous driving or industrial Internet-of-Things (IoT) based on 16 nm production technology. The devices are equipped with a secure boot mechanism in order to provide confidentiality, integrity, and authenticity of the configuration files that are loaded during power-up. This includes a dedicated encryption engine which features a protocol-based countermeasure against passive Side-Channel Attacks (SCAs) called key rolling. The mechanism ensures that the same key is used only for a certain number of data blocks that has to be defined by the user. However, a suitable choice for the key rolling parameter depends on the power leakage behavior of the chip and is not published by the manufacturer. To close this gap, this paper presents the first publicly known side-channel analysis of the ZU+ encryption unit. We conduct a black-box reverse engineering of the internal hardware architecture of the encryption engine using Electromagnetic (EM) measurements from a decoupling capacitor of the power supply. Then, we illustrate a sophisticated methodology that involves the first five rounds of an AES encryption to attack the 256-bit secret key. We apply the elaborated attack strategy using several new Deep Learning (DL)-based evaluation methods for cryptographic implementations. Even though we are unable to recover all bytes of the secret key, the experimental results still allow us to provide concrete recommendations for the key rolling parameter under realistic conditions. This eventually helps to configure the secure boot mechanism of the ZU+ and similar devices appropriately.

Download Full-text

Plaintext: A Missing Feature for Enhancing the Power of Deep Learning in Side-Channel Analysis?

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2020.i4.49-85 ◽

2020 ◽

pp. 49-85

Author(s):

Anh-Tuan Hoang ◽

Neil Hanley ◽

Maire O’Neill

Keyword(s):

Neural Networks ◽

Deep Learning ◽

Large Body ◽

Side Channel ◽

Secret Key ◽

Side Channel Analysis ◽

Filter Kernel ◽

Secret Keys ◽

Channel Analysis ◽

Template Attacks

Deep learning (DL) has proven to be very effective for image recognition tasks, with a large body of research on various model architectures for object classification. Straight-forward application of DL to side-channel analysis (SCA) has already shown promising success, with experimentation on open-source variable key datasets showing that secret keys can be revealed with 100s traces even in the presence of countermeasures. This paper aims to further improve the application of DL for SCA, by enhancing the power of DL when targeting the secret key of cryptographic algorithms when protected with SCA countermeasures. We propose a new model, CNN-based model with Plaintext feature extension (CNNP) together with multiple convolutional filter kernel sizes and structures with deeper and narrower neural networks, which has empirically proven its effectiveness by outperforming reference profiling attack methods such as template attacks (TAs), convolutional neural networks (CNNs) and multilayer perceptron (MLP) models. Our model generates state-of-the art results when attacking the ASCAD variable-key database, which has a restricted number of training traces per key, recovering the key within 40 attack traces in comparison with order of 100s traces required by straightforward machine learning (ML) application. During the profiling stage an attacker needs no additional knowledge on the implementation, such as the masking scheme or random mask values, only the ability to record the power consumption or electromagnetic field traces, plaintext/ciphertext and the key. Additionally, no heuristic pre-processing is required in order to break the high-order masking countermeasures of the target implementation.

Download Full-text

Countermeasures against physical security attacks on ICs utilizing on-chip wideband ADCs

Japanese Journal of Applied Physics ◽

10.35848/1347-4065/ac4823 ◽

2022 ◽

Author(s):

Takuji Miki ◽

Makoto Nagata

Keyword(s):

Active Fault ◽

Fault Injection ◽

Side Channel ◽

Security Attacks ◽

Input Buffer ◽

Analog To Digital ◽

Side Channel Analysis ◽

Measurement Results ◽

Channel Analysis ◽

On Chip

Abstract Cryptographic ICs on edge devices for internet-of-things (IoT) applications are exposed to an adversary and threatened by malicious side channel analysis. On-chip analog monitoring by sensor circuits embedded inside the chips is one of the possible countermeasures against such attacks. An on-chip monitor circuit consisting of a successive approximation register (SAR) analog-to-digital converter (ADC) and an input buffer acquires a wideband signal, which enables to detects an irregular noise due to an active fault injection and a passive side channel leakage analysis. In this paper, several countermeasures against security attacks utilizing wideband on-chip monitors are reviewed. Each technique is implemented on a prototype chip, and the measurement results prove they can effectively detect and diagnose the security attacks.

Download Full-text

A novel side-channel analysis for physical-domain security in cyber-physical systems

International Journal of Distributed Sensor Networks ◽

10.1177/1550147719867866 ◽

2019 ◽

Vol 15 (8) ◽

pp. 155014771986786 ◽

Cited By ~ 1

Author(s):

Min Wang ◽

Kama Huang ◽

Yi Wang ◽

Zhen Wu ◽

Zhibo Du

Keyword(s):

Information Leakage ◽

Cyber Physical Systems ◽

Cyber Attacks ◽

Side Channel ◽

Learning Technology ◽

Physical Domain ◽

Secret Key ◽

Side Channel Analysis ◽

Physical Systems ◽

Channel Analysis

Security of cyber-physical systems against cyber attacks is an important yet challenging problem. Cyber-physical systems are prone to information leakage from the physical domain. The analog emissions, such as magnetic and power, can turn into side channel revealing valuable data, even the crypto key of the system. Template attack is a popular type of side-channel analysis using machine learning technology. Malicious attackers can use template attack to profile the analog emission, then recover the secret key of the system. But conventional template attack requires that the adversary has access to an identical experiment device that he can program to his choice. This study proposes a novel side-channel analysis for physical-domain security in cyber-physical systems. Our contributions are the following three points: (1) Major peak region method for finding points of interests correctly is proposed. (2) A method for establishing templates on the basis of those points of interest still without requiring knowledge of the key is proposed. Several techniques are proposed to improve the quality of the templates as well. (3) A method for choosing attacking traces is proposed to significantly improve the attacking efficiency. Our experiments on three devices show that the proposed method is significantly more effective than conventional template attack. By doing so, we will highlight the importance of performing similar analysis during design time to secure the cyber-physical system.

Download Full-text

Make Some Noise. Unleashing the Power of Convolutional Neural Networks for Profiled Side-channel Analysis

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2019.i3.148-179 ◽

2019 ◽

pp. 148-179 ◽

Cited By ~ 4

Author(s):

Jaehun Kim ◽

Stjepan Picek ◽

Annelie Heuser ◽

Shivam Bhasin ◽

Alan Hanjalic

Keyword(s):

Neural Network ◽

Neural Networks ◽

Convolutional Neural Network ◽

Convolutional Neural Networks ◽

High Performance ◽

Artificial Noise ◽

Side Channel ◽

Secret Key ◽

Side Channel Analysis ◽

Channel Analysis

Profiled side-channel analysis based on deep learning, and more precisely Convolutional Neural Networks, is a paradigm showing significant potential. The results, although scarce for now, suggest that such techniques are even able to break cryptographic implementations protected with countermeasures. In this paper, we start by proposing a new Convolutional Neural Network instance able to reach high performance for a number of considered datasets. We compare our neural network with the one designed for a particular dataset with masking countermeasure and we show that both are good designs but also that neither can be considered as a superior to the other one.Next, we address how the addition of artificial noise to the input signal can be actually beneficial to the performance of the neural network. Such noise addition is equivalent to the regularization term in the objective function. By using this technique, we are able to reduce the number of measurements needed to reveal the secret key by orders of magnitude for both neural networks. Our new convolutional neural network instance with added noise is able to break the implementation protected with the random delay countermeasure by using only 3 traces in the attack phase. To further strengthen our experimental results, we investigate the performance with a varying number of training samples, noise levels, and epochs. Our findings show that adding noise is beneficial throughout all training set sizes and epochs.

Download Full-text

SITM: See-In-The-Middle Side-Channel Assisted Middle Round Differential Cryptanalysis on SPN Block Ciphers

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2020.i1.95-122 ◽

2019 ◽

pp. 95-122

Author(s):

Shivam Bhasin ◽

Jakub Breier ◽

Xiaolu Hou ◽

Dirmanto Jap ◽

Romain Poussier ◽

...

Keyword(s):

Block Cipher ◽

State Of The Art ◽

Block Ciphers ◽

Differential Cryptanalysis ◽

Side Channel ◽

Secret Key ◽

Side Channel Analysis ◽

Cryptographic Algorithms ◽

Channel Analysis ◽

Symmetric Block

Side-channel analysis constitutes a powerful attack vector against cryptographic implementations. Techniques such as power and electromagnetic side-channel analysis have been extensively studied to provide an efficient way to recover the secret key used in cryptographic algorithms. To protect against such attacks, countermeasure designers have developed protection methods, such as masking and hiding, to make the attacks harder. However, due to significant overheads, these protections are sometimes deployed only at the beginning and the end of encryption, which are the main targets for side-channel attacks.In this paper, we present a methodology for side-channel assisted differential cryptanalysis attack to target middle rounds of block cipher implementations. Such method presents a powerful attack vector against designs that normally only protect the beginning and end rounds of ciphers. We generalize the attack to SPN based ciphers and calculate the effort the attacker needs to recover the secret key. We provide experimental results on 8-bit and 32-bit microcontrollers. We provide case studies on state-of-the-art symmetric block ciphers, such as AES, SKINNY, and PRESENT. Furthermore, we show how to attack shuffling-protected implementations.

Download Full-text

Balance power leakage to fight against side-channel analysis at gate level in FPGAs

2015 IEEE 26th International Conference on Application-specific Systems, Architectures and Processors (ASAP) ◽

10.1109/asap.2015.7245724 ◽

2015 ◽

Cited By ~ 2

Author(s):

Xin Fang ◽

Pei Luo ◽

Yunsi Fei ◽

Miriam Leeser

Keyword(s):

Side Channel ◽

Side Channel Analysis ◽

Channel Analysis ◽

Power Leakage

Download Full-text

Key Bit-Dependent Side-Channel Attacks on Protected Binary Scalar Multiplication †

Applied Sciences ◽

10.3390/app8112168 ◽

2018 ◽

Vol 8 (11) ◽

pp. 2168 ◽

Cited By ~ 2

Author(s):

Bo-Yeon Sim ◽

Junki Kang ◽

Dong-Guk Han

Keyword(s):

Success Rate ◽

Electromagnetic Emission ◽

Scalar Multiplication ◽

Statistical Characteristics ◽

Side Channel ◽

Secret Key ◽

Side Channel Analysis ◽

Software Implementations ◽

Channel Analysis ◽

Single Trace

Binary scalar multiplication, which is the main operation of elliptic curve cryptography, is vulnerable to side-channel analysis. It is especially vulnerable to side-channel analysis using power consumption and electromagnetic emission patterns. Thus, various countermeasures have been reported. However, they focused on eliminating patterns of conditional branches, statistical characteristics according to intermediate values, or data inter-relationships. Even though secret scalar bits are directly loaded during the check phase, countermeasures for this phase have not been considered. Therefore, in this paper, we show that there is side-channel leakage associated with secret scalar bit values. We experimented with hardware and software implementations, and experiments were focused on the Montgomery–López–Dahab ladder algorithm protected by scalar randomization in hardware implementations. We show that we could extract secret key bits with a 100% success rate using a single trace. Moreover, our attack did not require sophisticated preprocessing and could defeat existing countermeasures using a single trace. We focused on the key bit identification functions of mbedTLS and OpenSSL in software implementations. The success rate was over 94%, so brute-force attacks could still be able to recover the whole secret scalar bits. We propose a countermeasure and demonstrate experimentally that it can be effectively applied.

Download Full-text

Electromagnetic and Power Side-Channel Analysis: Advanced Attacks and Low-Overhead Generic Countermeasures through White-Box Approach

Cryptography ◽

10.3390/cryptography4040030 ◽

2020 ◽

Vol 4 (4) ◽

pp. 30

Author(s):

Debayan Das ◽

Shreyas Sen

Keyword(s):

Deep Learning ◽

State Of The Art ◽

Side Channel ◽

Secret Key ◽

Embedded Devices ◽

Side Channel Analysis ◽

Root Cause ◽

Channel Analysis ◽

Metal Layers ◽

A Current

Electromagnetic and power side-channel analysis (SCA) provides attackers a prominent tool to extract the secret key from the cryptographic engine. In this article, we present our cross-device deep learning (DL)-based side-channel attack (X-DeepSCA) which reduces the time to attack on embedded devices, thereby increasing the threat surface significantly. Consequently, with the knowledge of such advanced attacks, we performed a ground-up white-box analysis of the crypto IC to root-cause the source of the electromagnetic (EM) side-channel leakage. Equipped with the understanding that the higher-level metals significantly contribute to the EM leakage, we present STELLAR, which proposes to route the crypto core within the lower metals and then embed it within a current-domain signature attenuation (CDSA) hardware to ensure that the critical correlated signature gets suppressed before it reaches the top-level metal layers. CDSA-AES256 with local lower metal routing was fabricated in a TSMC 65 nm process and evaluated against different profiled and non-profiled attacks, showing protection beyond 1B encryptions, compared to ∼10K for the unprotected AES. Overall, the presented countermeasure achieved a 100× improvement over the state-of-the-art countermeasures available, with comparable power/area overheads and without any performance degradation. Moreover, it is a generic countermeasure and can be used to protect any crypto cores while preserving the legacy of the existing implementations.

Download Full-text