### A Unified Metric for Quantifying Information Leakage of Cryptographic Devices under Power Analysis Attacks

Liwei Zhang, A. Adam Ding, Yunsi Fei, and Pei Luo
November 2015
Asiacrypt 2015 -- 21st Annual International Conference on the Theory and Application of Cryptology and Information Security
Abstract:
To design effective countermeasures for cryptosystems against side-channel power analysis attacks, the evaluation of the system leakage has to be lightweight and oftentimes at an early stage, such as on the cryptographic algorithm or source code. When real implementations and power leakage measurements are not available, security evaluation has to be through metrics for the information leakage of algorithms. In this work, we propose such a general and unified metric, information leakage amount - ILA. ILA has several distinct advantages over existing metrics. It unifies the measure of information leakage to various attacks: first-order and higher-order DPA and CPA attacks. It works on algorithms with no mask protection or perfect/imperfect masking countermeasure. It is explicitly connected to the success rates of attacks, the ultimate security metric on physical implementations. Therefore, we believe ILA is an accurate indicator of the side-channel security level of the physical system, and can be used during the countermeasure design stage effectively and efficiently for choosing the best countermeasure.

### Side-Channel Power Analysis of a GPU AES Implementation

Chao Luo, Yunsi Fei, Pei Luo, Saoni Mukherjee, David Kaeli
October 2015
The 33rd IEEE International Conference on Computer Design
Abstract:
Graphics Processing Units (GPUs) have been used to run a range of cryptographic algorithms. The main reason to choose a GPU is to accelerate the encryption/decryption speed. Since GPUs are mainly used for graphics rendering, and only recently have they become a fully-programmable parallel computing device, there has been little attention paid to their vulnerability to side-channel attacks. In this paper we present a study of side-channel vulnerability on a state-of-the-art graphics processor. To the best of our knowledge, this is the first work that attempts to extract the secret key of a block cipher implemented to run on a GPU. We present a side-channel power analysis methodology to extract all of the last round key bytes of a CUDA AES (Advanced Encryption Standard) implementation run on an NVIDIA TESLA GPU. We describe how we capture power traces and evaluate the power consumption of a GPU. We then construct an appropriate power model for the GPU. We propose effective methods to sample and process the GPU power traces so that we can recover the secret key of AES. Our results show that parallel computing hardware systems such as a GPU are highly vulnerable targets to power-based side-channel attacks, and need to be hardened against side-channel threats.

### Leakage Evaluation on Power Balance Countermeasure Against Side-Channel Attack on FPGAs

Xin Fang, Pei Luo, Yunsi Fei, and Miriam Leeser
September 2015
2015 IEEE High Performance Extreme Computing Conference (HPEC '15)
Abstract:
Leakages through side-channels have been utilized by attackers to recover secret information in embedded cryptographic systems, and various countermeasures have been devised to mitigate these leakages. In hardware systems, examples of such countermeasures include power balance circuits and masked gates. Power balance technologies such as wave dynamic differential logic (WDDL) aim to balance the power by introducing differential logic. However, the early evaluation effect, which can take advantage of the possibly different arrival times for a pair of differential input signals, hampers the strength of the power balance countermeasure. In this paper, we provide a method to further balance the power of differential signals by manipulating the lower level primitives on a Field Programmable Gate Array (FPGA). We use AES as an example in this work to demonstrate the amount of leakage for different implementations. Results show that our method not only efficiently mitigates the side-channel leakages but also saves FPGA logic block resources and dynamic power consumption.

### Towards Secure Cryptographic Software Implementation Against Side-Channel Power Analysis Attacks

Pei Luo, Liwei Zhang, Yunsi Fei, A. Adam Ding
July 2015
The 26th IEEE International Conference on Application-specific Systems, Architectures and Processors 2015 -- ASAP2015
Abstract:
Side-channel attacks have been a real threat against many critical embedded systems that rely on cryptographic algorithms as their security engines. The algorithm-level countermeasure, random masking, incurs large execution delay and resource overhead. The other countermeasure, operation shuffling or permutation, can mitigate side-channel leakage effectively with minimal overhead. In this paper, we propose to fully utilize the independence among operations in cryptographic algorithms and randomize their execution order. We design a tool to automatically detect such independence between statements at the source code level and devise an algorithm for automatic operation shuffling. We test our algorithm on AES and the new SHA3 standard, Keccak, and results show that the shuffling method can reduce the side-channel leakage significantly, and the tool can be utilized to guide automatic secure cryptographic software implementations against differential power analysis attacks.

### Balance Power Leakage to Fight Against Side-Channel Analysis at Gate Level in FPGAs

Xin Fang, Pei Luo, Yunsi Fei, Miriam Leeser
July 2015
The 26th IEEE International Conference on Application-specific Systems, Architectures and Processors 2015 -- ASAP2015
Abstract:
Leakage through side-channels has been utilized by attackers to recover secret information in embedded cryptographic systems, and various countermeasures have been devised to mitigate this leakage. In hardware systems, examples of such countermeasures include power balance circuits and masked gates. Power balance technologies such as wave dynamic differential logic (WDDL) aim to balance the power by introducing differential logic. However, the early evaluation effect, which can take advantage of the possibly different arrival times for a pair of differential input signals, hampers the strength of the power balance countermeasure. In this paper, we provide a method to further balance the power of differential signals by manipulating the lower level primitives on a Field Programmable Gate Array (FPGA). We use AES as an example in this work to demonstrate the amount of leakage for different implementations. Results show that our method not only efficiently mitigates the side-channel leakage but also saves FPGA logic block resources and dynamic power consumption.

### Side-Channel Analysis of MAC-Keccak Hardware Implementations

Pei Luo, Yunsi Fei, A. Adam Ding, Xin Fang, David R. Kaeli, Miriam Leeser
June 2015
Hardware and Architectural Support for Security and Privacy (HASP) 2015
Abstract:
As Keccak has been selected as the new SHA-3 standard, Message Authentication Code (MAC) (MAC-Keccak) using a secret key will be widely used for integrity checking and authenticity assurance. Recent work has shown the feasibility of side-channel attacks against software implementations of MAC-Keccak to retrieve the key, with the security assessment of hardware implementations remaining an open problem. In this paper, we present a comprehensive and practical side-channel analysis of a hardware implementation of MAC-Keccak on FPGA. Different from previous work, we propose a new attack method targeting the first round output of MAC-Keccak rather than the linear operation $\theta$ only. The results on sampled power traces show that the unprotected hardware implementation of MAC-Keccak is vulnerable to side-channel attacks, and attacking the nonlinear operation of MAC-Keccak is very effective. We further discuss countermeasures against side-channel analysis on hardware MAC-Keccak. Finally, we discuss the impact of the key length on side-channel analysis and compare the attack complexity between MAC-Keccak and other cryptographic algorithms.

### Efficient 2nd-order Power Analysis on Masked Devices Utilizing Multiple Leakage

Liwei Zhang, A. Adam Ding, Yunsi Fei, Pei Luo
May 2015
2015 IEEE Int. Symposium on Hardware-Oriented Security and Trust (HOST)
Abstract:
A common effective countermeasure against side-channel attacks at the algorithm level is random masking. A second-order attack can break first-order masked devices by utilizing power values at two time points. However, normally 2nd-order attacks require the exact temporal locations of the two leakage points. Without profiling, the attacker may only have an educated guessing window of size $n_w$ for each potential leakage point. An attack with exhaustive search over combinations of the two leakage points will lead to computational complexity of $\mathcal{O}(n_w^2)$. Waddle and Wagner introduced an FFT-based attack with a complexity of $\mathcal{O}(n_w\log(n_w))$ in CHES 2004. Belgarric et al. used time-frequency conversion tools based on FFT to propose five preprocessing techniques. We improve upon these attacks by preprocessing power traces with FFT and IFFT to find multiple candidate leakage point pairs, and combine the attacks at multiple candidate pairs into one single attack. We derive the theoretical conditions for two combination attacks to be successful. The resulting attack retains computational complexity of $\mathcal{O}(n_w\log(n_w))$ and is applied on two data sets, one set of power measurements on an FPGA implementation of masked AES scheme and the other set of measurements from DPA Contest V4 for a software implementation of masked AES. The two attacks improve over the previous FFT-based attacks, particularly when the window size $n_w$ is large. Each of the two attacks works better respectively on the software and hardware implementations, confirming the theoretical conditions.