Lecture Notes in Computer Science 7275 CommencedPublicationin1973 FoundingandFormerSeriesEditors: GerhardGoos,JurisHartmanis,andJanvanLeeuwen EditorialBoard DavidHutchison LancasterUniversity,UK TakeoKanade CarnegieMellonUniversity,Pittsburgh,PA,USA JosefKittler UniversityofSurrey,Guildford,UK JonM.Kleinberg CornellUniversity,Ithaca,NY,USA AlfredKobsa UniversityofCalifornia,Irvine,CA,USA FriedemannMattern ETHZurich,Switzerland JohnC.Mitchell StanfordUniversity,CA,USA MoniNaor WeizmannInstituteofScience,Rehovot,Israel OscarNierstrasz UniversityofBern,Switzerland C.PanduRangan IndianInstituteofTechnology,Madras,India BernhardSteffen TUDortmundUniversity,Germany MadhuSudan MicrosoftResearch,Cambridge,MA,USA DemetriTerzopoulos UniversityofCalifornia,LosAngeles,CA,USA DougTygar UniversityofCalifornia,Berkeley,CA,USA GerhardWeikum MaxPlanckInstituteforInformatics,Saarbruecken,Germany Werner Schindler Sorin A. Huss (Eds.) Constructive Side-Channel Analysis and Secure Design Third International Workshop, COSADE 2012 Darmstadt, Germany, May 3-4, 2012 Proceedings 1 3 VolumeEditors WernerSchindler BundesamtfürSicherheitinderInformationstechnik(BSI) GodesbergerAllee185–189 53175Bonn,Germany E-mail:[email protected] SorinA.Huss TechnischeUniversitätDarmstadt Hochschulstr.10 64289Darmstadt,Germany E-mail:[email protected] ISSN0302-9743 e-ISSN1611-3349 ISBN978-3-642-29911-7 e-ISBN978-3-642-29912-4 DOI10.1007/978-3-642-29912-4 SpringerHeidelbergDordrechtLondonNewYork LibraryofCongressControlNumber:2012936495 CRSubjectClassification(1998):E.3,D.4.6,K.6.5,C.2,J.1,G.2.1 LNCSSublibrary:SL4–SecurityandCryptology ©Springer-VerlagBerlinHeidelberg2012 Thisworkissubjecttocopyright.Allrightsarereserved,whetherthewholeorpartofthematerialis concerned,specificallytherightsoftranslation,reprinting,re-useofillustrations,recitation,broadcasting, reproductiononmicrofilmsorinanyotherway,andstorageindatabanks.Duplicationofthispublication orpartsthereofispermittedonlyundertheprovisionsoftheGermanCopyrightLawofSeptember9,1965, initscurrentversion,andpermissionforusemustalwaysbeobtainedfromSpringer.Violationsareliable toprosecutionundertheGermanCopyrightLaw. Theuseofgeneraldescriptivenames,registerednames,trademarks,etc.inthispublicationdoesnotimply, evenintheabsenceofaspecificstatement,thatsuchnamesareexemptfromtherelevantprotectivelaws andregulationsandthereforefreeforgeneraluse. Typesetting:Camera-readybyauthor,dataconversionbyScientificPublishingServices,Chennai,India Printedonacid-freepaper SpringerispartofSpringerScience+BusinessMedia(www.springer.com) Preface COSADE 2012, the Third Workshop on Constructive Side-Channel Analysis and Secure Design, was held in Darmstadt, Germany, during May 3–4, 2012. COSADE 2012 was supported by CASED and its partners TU Darmstadt and FraunhoferSITaswellasbytheGermanFederalOfficeforInformationSecurity (Bundesamt fu¨r Sicherheit in der Informationstechnik, BSI). Forresearchersandexpertsfromacademia,industryandgovernmentwhoare interested in attacks on cryptographic implementations and/or secure design, COSADE workshops present a great opportunity to meet and enjoy intensive discussions. Theprogramprovidesplentyoftimeforinformationexchangeonthefurther developmentofexistingandfortheestablishmentofnewscientificcollaborations. This year 49 papers from several areas such as side-channel analysis, fault analysis, secure design, and architectures were submitted. Each paper was as- signedtothreereviewers.Thedecisionprocesswasverychallengingandresulted intheselectionof16interestingpapers.Theircarefullyrevisedversionsarecon- tained in the conference proceedings. The Program Committee consisted of 33 members from 12 countries. The members were carefully selected to represent both academia and industry, as well as to include high-profile experts with researchrelevant to COSADE 2012. TheProgramCommitteewassupportedby48externalreviewers.Wearedeeply grateful to the members of the Program Committee as well as to the external reviewers for their dedication and hard work. Besides 16 contributed presentations, two highly relevant invited talks were held. Mathias Wagner considered “700+ Attacks Published on Smart Cards: The Need for a Systematic Counter Strategy,” while Viktor Fischer gave “A Close Look at Security in Random Number Generators Design.” The workshop program included special sessions. The presentation “Using Multi-Area Diode Lasers and Developing EM FI Tools” considered fault injection attacks. More- over,theoutcomeofDPAcontestv3waspresentedatCOSADE2012,andDPA contest v4 was announced. COSADE 2012 also had a Work in Progress session where cutting-edge re- searchresults were presented.These contributions are notcontainedin this vol- ume since the submission deadline expired after the editorial deadline of these proceedings. WearealsoverygratefultoAnnelieHeuser,MichaelKasper,MarcSt¨ottinger and Michael Zohner for the local organization. Finally, we would like to pro- foundly thank and give our regards to all the authors who submitted their pa- pers to this workshop, and entrusted us with a fair and objective evaluation of their work. We appreciate their creativity, hard work, and interesting results. March 2012 Werner Schindler Sorin A. Huss Third International Workshop on Constructive Side-Channel Analysis and Secure Design Darmstadt, Germany, May 3–4, 2012 General Chairs and Program Chairs Werner Schindler Bundesamt fu¨r Sicherheit in der Informationstechnik (BSI), Germany Sorin A. Huss Integrated Circuits and Systems Lab (ICS), TechnischeUniversita¨tDarmstadt,Germany Local Organizers Annelie Heuser Technische Universita¨t Darmstadt, Germany Michael Kasper Fraunhofer SIT, Germany Marc Sto¨ttinger Technische Universita¨t Darmstadt, Germany Michael Zohner Technische Universita¨t Darmstadt, Germany Program Committee Onur Aciimez Samsung Electronics, USA Guido Bertoni ST Microelectronics, Italy Stanislav Bulygin TU Darmstadt, Germany Ray Cheung City University of Hong Kong, Hong Kong Jean-Luc Danger T´el´ecomParisTech,France Markus Dichtl Siemens AG, Germany Viktor Fischer Universit´e de Saint-Etienne, France Ernst-Gu¨nter Giessmann T-Systems International GmbH, Germany Tim Gu¨neysu Ruhr-Universita¨t Bochum, Germany Lars Hoffmann Giesecke & Devrient GmbH, Germany Naofumi Homma Tohoku University, Japan Marc Joye Technicolor, France Jens-Peter Kaps George Mason University, USA C¸etin Kaya Koc¸ University of California Santa Barbara, USA and Istanbul S¸ehir University, Turkey Arjen Lenstra EPFL, Switzerland Pierre-Yvan Liardet ST Microelectronics, France Stefan Mangard Infineon Technologies AG, Germany Sandra Marcello Thales, France David Naccache ENS Paris,France VIII Constructive Side-Channel Analysis and SecureDesign Elisabeth Oswald Universitiy of Bristol, UK Emmanuel Prouff Oberthur Technologies, France Anand Rajan Intel Corporation,USA Steffen Reith Hochschule RheinMain, Germany Akashi Satoh RCIS, Japan Patrick Schaumont Virginia Tech, Blacksburg, USA Abdulhadi Shoufan Khalifa University Abu-Dhabi, UAE Sergei Skorobogatov University of Cambridge, UK Georg Sigl Technische Universita¨t Mu¨nchen, Germany Francoi¸s-Xavier Standaert Universit´e Catholique de Louvain, Belgium Lionel Torres LIRMM, University of Montpellier 2, France Ingrid Verbauwhede Katholieke Universiteit Leuven, Belgium Marc Witteman Riscure, The Netherlands Michael Waidner Fraunhofer SIT, Germany External Reviewers Michel Agoyan Bernhard Jungk Mathieu Renauld Joppe Bos Markus Kasper Vladimir Rozic Lilian Boussuet Michael Kasper Fabrizio de Santis Pierre-Louis Cayrel Toshihiro Katashita Laurent Sauvage Guillaume Duc St´ephanie Kerckhof Hermann Seuscheck Junfeng Fan Chong Hee Kim Marc Sto¨ttinger Lubos Gaspar Jiangtao Li Daehyun Strobel Benedikt Gierlichs Marcel Medwed Mostafa Taha Christophe Giraud Filippo Melzani Junko Takahashi Sylvain Guilley Oliver Mischke Michael Tunstall Yu-Ichi Hayashi Amir Moradi Rajesh Velegalati Stefan Heyse Abdelaziz Moulay Markus Wamser Matthias Hiller Nadia El Mrabet Michael Weiss Phillipe Hoogvorst Jean Nicolai Carolyn Withnall Gabriel Hospodar David Oswald Meiyuan Zhao Dimitar Jetchev Gilles Piret Michael Zohner Table of Contents Practical Side-Channel Analysis Exploiting the Difference of Side-Channel Leakages................... 1 Michael Hutter, Mario Kirschbaum, Thomas Plos, J¨orn-Marc Schmidt, and Stefan Mangard Attacking an AES-Enabled NFC Tag: Implications from Design to a Real-World Scenario.............................................. 17 Thomas Korak, Thomas Plos, and Michael Hutter Invited Talk I 700+ Attacks Published on Smart Cards: The Need for a Systematic Counter Strategy ................................................ 33 Mathias Wagner Secure Design An Interleaved EPE-Immune PA-DPL Structure for Resisting Concentrated EM Side Channel Attacks on FPGA Implementation..... 39 Wei He, Eduardo de la Torre, and Teresa Riesgo An Architectural Countermeasure against Power Analysis Attacks for FSR-Based Stream Ciphers ....................................... 54 Shohreh Sharif Mansouri and Elena Dubrova Conversion of Security Proofs from One Leakage Model to Another: A New Issue..................................................... 69 Jean-S´ebastien Coron, Christophe Giraud, Emmanuel Prouff, Soline Renner, Matthieu Rivain, and Praveen Kumar Vadnala Side-Channel Attacks on RSA Attacking Exponent Blinding in RSA without CRT .................. 82 Sven Bauer A New Scan Attack on RSA in Presence of Industrial Countermeasures................................................. 89 Jean Da Rolt, Amitabh Das, Giorgio Di Natale, Marie-Lise Flottes, Bruno Rouzeyre, and Ingrid Verbauwhede RSA Key Generation: New Attacks ................................ 105 Camille Vuillaume, Takashi Endo, and Paul Wooderson X Table of Contents Fault Attacks A Fault Attack on the LED Block Cipher ........................... 120 Philipp Jovanovic, Martin Kreuzer, and Ilia Polian Differential Fault Analysis of Full LBlock ........................... 135 Liang Zhao, Takashi Nishide, and Kouichi Sakurai Contactless Electromagnetic Active Attack on Ring Oscillator Based True Random Number Generator .................................. 151 Pierre Bayon, Lilian Bossuet, Alain Aubert, Viktor Fischer, Franc¸ois Poucheret, Bruno Robisson, and Philippe Maurine Invited Talk II A Closer Look at Security in Random Number Generators Design...... 167 Viktor Fischer Side-Channel Attacks on ECC Same Values Power Analysis Using Special Points on Elliptic Curves ... 183 C´edric Murdica, Sylvain Guilley, Jean-Luc Danger, Philippe Hoogvorst, and David Naccache The Schindler-Itoh-attack in Case of Partial Information Leakage ...... 199 Alexander Kru¨ger Different Methods in Side-Channel Analysis Butterfly-Attack on Skein’s Modular Addition ....................... 215 Michael Zohner, Michael Kasper, and Marc Sto¨ttinger MDASCA: An Enhanced Algebraic Side-Channel Attack for Error Tolerance and New Leakage Model Exploitation ..................... 231 Xinjie Zhao, Fan Zhang, Shize Guo, Tao Wang, Zhijie Shi, Huiying Liu, and Keke Ji Intelligent Machine Homicide: Breaking Cryptographic Devices Using Support Vector Machines ......................................... 249 Annelie Heuser and Michael Zohner Author Index.................................................. 265 Exploiting the Difference of Side-Channel Leakages Michael Hutter1, Mario Kirschbaum1, Thomas Plos1, J¨orn-Marc Schmidt1, and Stefan Mangard2 1 Institutefor Applied Information Processing and Communications (IAIK), Graz Universityof Technology, Inffeldgasse 16a, 8010 Graz, Austria {mhutter,mkirschbaum,tplos,jschmidt}@iaik.tugraz.at 2 Infineon Technologies AG, Am Campeon 1-12, 85579 Neubiberg, Germany [email protected] Abstract. In this paper, we propose a setup that improves the perfor- mance of implementation attacks by exploiting the difference of side- channelleakages.Themainideaofoursetupistousetwocryptographic devicesandtomeasurethedifferenceoftheirphysicalleakages,e.g.,their power consumption. This increases the signal-to-noise ratio of the mea- surement and reduces the number of needed power-consumption traces inordertosucceedanattack.Thesetupcanefficientlybeapplied(butis notlimited)inscenarioswheretwosynchronousdevicesareavailablefor analysis. By applying template-based attacks, only a few power traces are required to successfully identify weak but data-dependent leakage differences. Inordertoquantify theefficiency of ourproposed setup,we performed practical experiments by designing three evaluation boards that assemble different cryptographic implementations. The results of ourinvestigationsshowthattheneedednumberoftracescanbereduced up to 90%. Keywords: Side-ChannelAttacks,PowerAnalysis,MeasurementSetup, DPA,SPA. 1 Introduction Side-channel attacks are among the most powerful attacks performed on cryp- tographicimplementations. They exploitsecretinformationthat physicallyleak outofadevice.Typicalsidechannelsarethepowerconsumption[11,12],theelec- tromagneticemanation[1],ortheexecutiontimeofcryptographicalgorithms[10]. The efficiency oreventhe successofanattackis largelydeterminedby the used measurementequipment.Thebettertheequipment,thelessnoiseandthehigher the side-channel leakage exploitation will be. Especially when countermeasure- enabled devices are analyzed, the setup is vital in order to limit the needed number of power-trace acquisitions to succeed an attack. In this paper, we present a setup that improves the efficiency of side-channel attacks by measuring the difference of two side-channel leakages. Our setup is W.SchindlerandS.A.Huss(Eds.):COSADE2012,LNCS7275,pp.1–16,2012. (cid:2)c Springer-VerlagBerlinHeidelberg2012 2 M. Hutteret al. basedonthe idea to use two cryptographicdevices (insteadofone)andto mea- surethedifferenceoftheirphysicalcharacteristics(e.g.,thepowerconsumption). If both modules perform the same cryptographic operation, their physical char- acteristicsarethesamesothatthedifferenceofbothside-channelmeasurements becomestheoreticallyzero.However,ifonemoduleprocessesdifferentdatathan the other module, a difference in both measurements can be observed at loca- tions in time when data-dependent information is processed. The difference of bothsidechannelsthereforeprovidesonlydata-dependentsignalsandeliminates staticand(nondata-dependent)dynamicsignals(i.e.,noise).Hence,thequality ofthe measurementscanbesignificantlyimprovedwhichresultsinthefactthat less power traces have to be acquired in practice. Inordertoperformside-channelanalysisattacksusingoursetup, anattacker can choose from two possible attacking scenarios: (1) one device is fed with constantinput data while the seconddevice is fed with randomdata, or(2) one deviceisfedinawaysuchthatthetargetedintermediatevalueiscomplementary totheintermediatevalueoftheseconddevice.Forbothscenarios,wequantified theefficiencybyperformingpracticalexperiments.Wedesignedthreeevaluation boards where each board uses two devices (an AT89S8253 microcontroller, an ATmega128, and a custom 8051 ASIC design). In our experiments, we applied the Pearson Correlation coefficient and performed a classical Differential (or Correlationbased)PowerAnalysis(DPA)attack[11,12]onthedifferentialpower trace. Our best results increased the correlation coefficient for the AT89S8253 from 0.64 to 0.99 (55%), for the ATmega128 from 0.61 to 0.96 (57%), and for the custom 8051 ASIC from 0.11 to 0.22 (100%). Furthermore, we evaluated our method on countermeasure-enabled devices and performed attacks on an implementation that uses randomization techniques as well as a masked AES implementation. In this scenario, it shows that the setup reduces the number of needed traces up to 90%. The rest of this paper is organized as follows. In Section2, we discuss re- lated work. Section3 gives a brief overview on side-channel measurements and describes how to improve the signal-to-noise ratio. After that, we present the new measurementsetupandhighlightthe benefits. InSection4, wedescribethe measurementprocessin detail and introduce two different measurementscenar- ios. The three evaluation boards are presented in Section5. Section6 describes the performedattacks. Results aregivenin Section7 and Section8. Conclusions are drawn in Section9. 2 Related Work There exist several side-channel analysis (SCA) measurement boards as well as SCA simulation tools and evaluation setups. SCA measurement boards aim at providingacommonattackplatformthat easesthe comparisonofmeasurement results.Well-knownattackplatformsforSCAevaluationaretheINSTACboards from the Tamper-resistance Standardization Research Committee (TSRC) [13] and the SASEBO boards from the Research Center for Information Security