Abstract: Cryptanalysis is the science which evaluates the security of a cryptosystem and detects its weaknesses and flaws. Initially confined to the black-box model, where only the input and output data were considered, cryptanalysis is now broadened to the security evaluation of the physical implementation of a cryptosystem. The implementation attacks which compose physical cryptanalysis are divided into fault attacks, exploiting the effect of disruption of the normal functioning of the device, and side-channel attacks, exploiting the dependency between the instructions and data (including key bits) processed by a device and its physical characteristics (e.g. execution time, power consumption, electromagnetic (EM) radiations). In the scope of this thesis, we particularly focus on the latter attacks. “Every computation leaks information” and lowering the physical leakages of an implementation is indeed a complex task both from cryptographic and engineering viewpoints, especially when performance and cost enter the equation. The development of adequate countermeasures necessitates a thorough knowledge of the various vulnerabilities that the microcontroller induces. Although generic side-channel attacks such as Differential Power Analysis (DPA) can generally retrieve the key with weak assumptions on a cryptographic implementation, we show in this thesis that the focus on specific components and properties from the architecture of the target device may allow an adversary to yield better success in a key recovery and sometimes to thwart DPA countermeasures. First, we elaborate on attacks which deduce the cache activity of a device from single side-channel traces and algebraically exploit this information to recover the key. We propose different attacks against embedded software implementations of the Advanced Encryption Standard (AES) in the chosenand known-plaintext scenarios and make them tolerant to environments where high noise or a partially preloaded cache would normally introduce errors in the key recovery. Second, we discuss the failure of standard DPA against the modular addition and propose a practical and generic approach to circumvent it. Third, we show that microarchitectural leakages and fault inductions can be exploited in a constructive way when induced by hardware Trojans implemented on general-purpose microprocessors. Such Trojans can either provide an adversary with a backdoor access to the trojanized device executing an arbitrary cryptographic software or serve to protect the Intellectual Property (IP) of the chip designer through digital watermarking. The last part concerns divide and conquer side-channel attacks such as DPA. Testing different combinations of key chunk candidates turns out to be very complex when the individual chunk recoveries are bounded in measurement complexity or performed in noisy environments. We address the so-called key enumeration problem with an efficient sorting method.
Publication Year: 2013
Publication Date: 2013-02-05
Language: en
Type: article
Access and Citation
AI Researcher Chatbot
Get quick answers to your questions about the article from our AI researcher chatbot