PB173 Domain specific development: side-channel analysis
Course organization
Łukasz Chmielewski chmiel@fi.muni.cz, Consultation: A406 Friday 9:00-11:00

PB173 Org. & Introduction

Course info
• First seminar of this type
• Practical focus (hands-on):
  1. Learning what side-channel analysis is
  2. Working with ready tools and libraries
  3. Implementing your own tooling/scripts
• Style of seminars is usually:
  – small intro at the beginning of every seminar with materials and tasks
  – individual (Step 1-2)/team work (Step 3)
• Discussion:
  – ask (me) when stuck (within the seminar),
  – IS discussion group if everybody might be interested

Course info cont’d
• Today is different, lecture called: “Introduction to side-channel analysis”
• Look at one trace set (if we do not manage to do it today, look at it at home and give me an answer at the next seminar)
• We have to start somewhere

Seminars overview (12 seminars)
• First 1-3/4 seminars: “Introduction to side-channel analysis”:
  – Lecture
  – Inspecting Traces
  – Exercises with ChipWhisperer Acquisition
  – Implementing CPA and DPA
  – Inspecting More Traces
• Seminar 4/5 – choosing project topic and the team
  – Which kind of side-channel tool would you like to implement?
• Seminar 5/6-12 – implementing tooling
• Seminars 11-12 – utilization

Project
• Second part of the semester
  – 3 people, 5 teams
• Implementing on your own or using existing tools (+10 points)
  – Present your tool script and its usefulness (+2 points)
• For your code:
  – Github repository + individual commits
• Trace sets:
  – From me or
  – Find on your own
• Possible Topics:
  – Trace Alignment
  – Manual Analysis of Traces: displaying, zooming, etc.
  – Implementing Classical Attacks: Differential/Correlation Power Analysis, Mutual Information Analysis, etc.
  – Filtering techniques: bandpass filters, etc.
  – Compression Techniques: windowed compression, frequency-based compression
  – More difficult, dimension reductions: Linear Regression and Principal Component Analysis
  – …

Assignments
• Homeworks/assignments
  – 10 points maximum
  – 10 assignments (100 points)
    • There will be some extra points
  – 65 % required (i.e. 65 points or 50 points)
  – Submit files into is.muni.cz:
    • code + write-ups (word, pdf, or txt with markups)
  – Points for your HW within one week in is.muni.cz
  – Deadline: usually until the next seminar (approx. 1 week)
  – plagiarism is strictly forbidden:
    • The source of the copied code must be cited

Colloquium
• To get the colloquium
  – You must be present at seminars (2 absences OK)
  – You must be active at seminars (+2 points given by me at the end)
  – You must submit and get:
    • 50%: 7 points in total (projects + presentation + activity = 14 points)

People
• Main contact: Łukasz Chmielewski (CRoCS@FI MU)
  – Office hours (consultation): Friday 9:00-11:00, A406
  – chmiel@fi.muni.cz
  – https://keybase.io/grasshoppper

Exercise: SPA on RSA

RSA
• Two primes $p$ and $q$
• $N = pq$
• $\varphi(N) = (p-1)(q-1)$
• $e = 3, 5, 7, 17, 257, 65537 \rightarrow \gcd(e, \varphi(N)) = 1$
• $d = e^{-1} \bmod \varphi(N)$
• Encryption / Verification: $c = m^e \bmod N$
• Decryption / Signature: $m = c^d \bmod N$
Modular Exponentiation: [diagram: ModExp() with exponent e / d, input c/m, output m/c]

RSA Exponentiation (1)

    ModExp(c){
      A = 1
      for (i = n-1; i ≥ 0; i--)
        A = A^2 mod N
        if (d_i == 1)
          A = A*c mod N
        end if
      end for
      return A = c^d mod N
    }

    d = (101)_2 = 5
    A = 1
    d_2 = 1:  A = A^2 mod N = 1
              A = A*c mod N = c
    d_1 = 0:  A = A^2 mod N = c^2
    d_0 = 1:  A = A^2 mod N = c^4
              A = A*c mod N = c^5

Simple Power Analysis on RSA
1996.

    ModExp(c){
      A = 1
      for (i = n-1; i ≥ 0; i--)
        A = A^2 mod N
        if (d_i == 1)
          A = A*c mod N
        end if
      end for
      return A = c^d mod N
    }

[Figure: power trace captured with a probe, annotated with the squares (S) and multiplies (M) and the exponent bits read off from them: 1 0 1 0 0 0 1 0 0 1 0]

“By carefully measuring the amount of time required to perform private key operations, attackers may be able to find […] RSA keys.”

Simple Power Analysis on RSA
[Figure: the same ModExp(c) code beside a probe trace with one S pattern and one M pattern marked]
This SPA matching does not always need to look this way! One pattern might correspond to multiple operations, etc.

RSA Exponentiation (2)

    ModExp(c){
      A = c
      j = -1
      for (i = n-1; i ≥ 0; i--)
        if (d_i == 1):
          j = i
          break
        end if
      end for
      if j == -1:
        return 1
      end if
      …
      for (i = j-1; i ≥ 0; i--)
        A = A^2 mod N
        if (d_i == 1):
          A = A*c mod N
        end if
      end for
      return A = c^d mod N
    }

    d = (0101)_2 = 5
    j-1 = 1
    A = c
    d_1 = 0:  A = A^2 mod N = c^2
    d_0 = 1:  A = A^2 mod N = c^4
              A = A*c mod N = c^5

Exercise
• RSA_unprotected.trs
• visualize.py
  – python3
  – Install matplotlib (e.g., pip)
  – Install trsfile (available on pip)
  – Feel free to modify the code and ask me questions about that.
• Three different traces
  – Tell me the first 20 most significant bits of each exponent.
• Take your time, good luck!
  – I will give some hints during the exercise ☺

Exercise
• SPA with operation leakage

Exercise
• Try to zoom in and find the RSA exponentiation and then get the exponent!

Exercise
• How does the visualization script work?

Homework
• TODOs before the next seminar:
  – Install ChipWhisperer: https://chipwhisperer.readthedocs.io/en/latest/linux-install.html
  – Read the website in general.
    I am using CW in a Linux VM under Windows, but do as you prefer ☺
• Watch
  – “PV204 Security technologies: Trust, trusted element, usage scenarios, side-channel attacks”
  – I will provide you with a link in a separate email in the coming days.

Reading
• For interested people
• Side-Channel Analysis – blue book:
  – http://dpabook.iaik.tugraz.at/
  – The book is available at the uni.
  – Look online
• The Hardware Hacking Handbook:
  – https://nostarch.com/hardwarehacking
  – I have an epub version.

Questions
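
The S/M reading from the "Simple Power Analysis on RSA" slides, applied to both ModExp variants, as an added Python example that is not part of the course material or of visualize.py. The function names and the toy values N, c, d are assumptions constructed for illustration; the operation sequence is simulated rather than measured, so it shows why variant (2) hides its top 1 bit and leading zeros while variant (1) shows every bit.

```python
# Added example (not course code): simulated operation leakage of both ModExp variants.
# N, c, d below are constructed toy values, far too small for real RSA.

def modexp_v1(c, d, N, n):
    """RSA Exponentiation (1): process all n bits of d, starting from A = 1."""
    A, ops = 1, []
    for i in range(n - 1, -1, -1):
        A = (A * A) % N
        ops.append("S")
        if (d >> i) & 1:
            A = (A * c) % N
            ops.append("M")
    return A, "".join(ops)

def modexp_v2(c, d, N, n):
    """RSA Exponentiation (2): skip leading zero bits, start from A = c."""
    j = next((i for i in range(n - 1, -1, -1) if (d >> i) & 1), -1)
    if j == -1:
        return 1 % N, ""
    A, ops = c % N, []
    for i in range(j - 1, -1, -1):
        A = (A * A) % N
        ops.append("S")
        if (d >> i) & 1:
            A = (A * c) % N
            ops.append("M")
    return A, "".join(ops)

def bits_from_ops(ops, implicit_top_bit=False):
    """Decode an S/M sequence: 'S' followed by 'M' is a 1 bit, a lone 'S' is a 0 bit."""
    bits = "1" if implicit_top_bit else ""   # variant (2) never shows its top 1 bit
    k = 0
    while k < len(ops):
        if ops[k] != "S":
            raise ValueError(f"expected 'S' at position {k}, got {ops[k]!r}")
        is_one = k + 1 < len(ops) and ops[k + 1] == "M"
        bits += "1" if is_one else "0"
        k += 2 if is_one else 1
    return bits

if __name__ == "__main__":
    N, c, d = 3233, 65, 2753             # constructed: N = 61 * 53, d = 0b101011000001
    for name, fn, implicit in (("(1)", modexp_v1, False), ("(2)", modexp_v2, True)):
        A, ops = fn(c, d, N, 16)
        assert A == pow(c, d, N)
        print(name, ops, "->", bits_from_ops(ops, implicit))
```

On a real trace the S and M labels come from matching patterns by eye or by script, and as the slide notes, one pattern may cover several operations, so the decoding step is only as good as that labelling.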