Real-World Snapshots vs. Theory: Questioning the t-Probing Security Model

Due to its sound theoretical basis and practical efficiency, masking has become the most prominent countermeasure for protecting cryptographic implementations against physical side-channel attacks (SCAs). The core idea of masking is to randomly split every sensitive intermediate variable during computation into at least t+1 shares, where t denotes the maximum number of shares that an adversary may observe without learning any sensitive information. In other words, the adversary is assumed to be bounded either by the number of probes it possesses (e.g., microprobe needles) or by the order of the statistical analysis it can carry out in higher-order SCA attacks (e.g., differential power analysis). Such bounded models are used to prove the SCA security of the corresponding implementations. Consequently, it is believed that, given a sufficiently large number of shares, the vast majority of known SCA attacks are mitigated. In this work, we present a novel laser-assisted SCA technique, called Laser Logic State Imaging (LLSI), which offers an unlimited number of contactless probes and therefore violates the assumption underlying the probing security model. This technique enables us to take snapshots of hardware implementations, i.e., to extract the logical state of all registers at any arbitrary clock cycle with a single measurement. To validate this, we mount our attack on masked AES hardware implementations and practically demonstrate the extraction of the full-length key in two different scenarios. First, we assume that the location of the registers (key and/or state) is known, and hence their content can be read directly from a single snapshot. Second, we consider an implementation with unknown register locations, where we make use of multiple snapshots and a SAT solver to reveal the secrets.
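The following is an added illustration, not code from the paper: it models Boolean masking of a secret bit into t+1 shares and checks empirically that any t probed shares are distributed identically for both secret values, while reading all t+1 registers at once (the snapshot the abstract describes) recovers the secret deterministically. The seeded `random.Random` is assumed only for reproducibility; a real masked implementation draws its shares from a cryptographic RNG.

```python
"""Boolean masking with t+1 shares: t probes learn nothing, a full snapshot learns all."""
import random
from collections import Counter
from itertools import combinations


def mask_bit(s: int, t: int, rng: random.Random) -> list:
    """Split secret bit s into t+1 shares: t fresh random bits plus a final
    share chosen so that the XOR of all shares equals s."""
    shares = [rng.getrandbits(1) for _ in range(t)]
    shares.append(s ^ (sum(shares) % 2))
    return shares


def unmask(shares) -> int:
    """Recombine every share: what a snapshot of all registers provides."""
    acc = 0
    for b in shares:
        acc ^= b
    return acc


def roundtrip(s: int, t: int, seed: int) -> int:
    """Mask then snapshot-recover; constructed helper for a self-check."""
    return unmask(mask_bit(s, t, random.Random(seed)))


def observed_distribution(s, t, positions, rng, trials=4000) -> dict:
    """Empirical distribution of the share values seen at the probed positions."""
    counts = Counter()
    for _ in range(trials):
        sh = mask_bit(s, t, rng)
        counts[tuple(sh[i] for i in positions)] += 1
    return {k: v / trials for k, v in counts.items()}


def max_distinguishing_gap(t, positions, seed=1) -> float:
    """Largest difference between the probe-view distributions for s=0 and s=1.
    Close to 0: the probes reveal nothing; clearly above 0: they leak s."""
    rng = random.Random(seed)
    d0 = observed_distribution(0, t, positions, rng)
    d1 = observed_distribution(1, t, positions, rng)
    return max(abs(d0.get(k, 0.0) - d1.get(k, 0.0)) for k in set(d0) | set(d1))


def probing_experiment(t=2, seed=1) -> dict:
    """Worst-case gap over every probe set of size 1..t+1 for a t-th order masking."""
    n = t + 1
    return {k: max(max_distinguishing_gap(t, pos, seed) for pos in combinations(range(n), k))
            for k in range(1, n + 1)}
```

For t=2 the gap stays near zero for one or two probes and jumps to about 0.25 once all three shares are observed, which is exactly the boundary a single-measurement snapshot crosses.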
