Evaluating Side-Channel Vulnerabilities

How to determine whether side-channel countermeasures are effective with Test Vector Leakage Assessment.


By Bart Stevens and Gary Kenworthy

In a book chapter titled “Security of Crypto IP Core: Issues and Countermeasures,” authors Debapriya Basu Roy and Debdeep Mukhopadhyay recently explored various side-channel vulnerabilities that can be exploited by an attacker.

“An adversary can observe the power consumption, timing performance, electromagnetic radiation or even acoustic behavior of [a] circuit,” writes Roy and Mukhopadhyay. “[A] leak of the internal state of the circuit threatens compromise of sensitive information and defeats the very purpose of a cryptosystem.”

According to the authors, Test Vector Leakage Assessment (TVLA) is an efficient method of testing for side-channel vulnerabilities.

“[TVLA testing] provides yes-no answers to the question whether the device is side channel secure or not,” the two explain. “This testing method is fast and can be used in high speed commercial testing of crypto-chips.”

Understanding the basics of TVLA
Rather than mounting a time-consuming attack to recover secret key information, TVLA instead seeks to detect and analyze leakage directly in a device under test. For its core statistical test, TVLA specifies and compares two subsets (A&B) of collected traces, with the subsets selected according to known sensitive intermediate bits. Differences will be immediately apparent between subsets A and B if the algorithm implementation not properly protected. This core statistical test employs Welch’s t-test for evaluating the significance of the “difference of means.”

The specific test vectors are standardized to focus on common leakage modes for a particular algorithm. For example, TVLA testing for the AES algorithm targets S-box outputs, round output, XOR of round input and output, and the values of 1st and 2nd byte of round output.

Another mode of TVLA testing is the non-specific leakage test. This method looks for differences in the collected traces between operations on fixed vs. varying data. This is a powerful technique that can amplify leakages and identify vulnerabilities even when specific attacks that might exploit that leakage have not been discovered yet.

When gauging the level of side-channel resistance, testers may also want to follow TVLA assessment with a key extraction attack to verify the real-world significance of said leakage. The leakage profile identified by TVLA will greatly simplify the key extraction attack.

DPAWS: A TVLA testing platform
Because side-channel attacks are so effective, even well-planned resistance strategies may still leak sensitive information. Therefore, it is critical to verify the actual performance of side-channel countermeasures. The Rambus DPA workstation (DPAWS), for example, is a powerful tool for testing and evaluating the results of hardware or software implementations.

More specifically, the TVLA-capable Rambus DPA Workstation Platform (DPAWS) measures a range of side-channel leakages across a wide spectrum of devices and platforms including smart phones, tablets, POS terminals, CPUs, TVs, set-top boxes, FPGAs, smart cards and NFC tech. DPAWS also provides users with a highly-intuitive UI paired with enhanced data visualization that creates an integrated, project-centric analytic environment specifically designed to optimize the efficiency of side-channel analysis.

Both flexible and scalable, DPAWS supports multiple side-channel sensors, device protocols and form factors, with out-of-the-box support for SASEBO and additional third-party hardware. Moreover, DPAWS easily integrates with a wide range of industry tools including Matlab, Python and other scripting languages. In addition, the Rambus DPA Workstation supports cipher coverage across many standard algorithms (AES, RSA, ECC, DES and SHA), large dataset handling, as well as high-speed collection and analysis of billions of traces. Source code is also available to facilitate increased flexibility.

Rambus DPAWS comprises a custom-configured workstation with an oscilloscope; a DPAD FPGA testing platform; a smart card test fixture; support for PCI high-speed sampling cards; a signal amplifier; EM probes, filters and a power supply. On the software and firmware side, DPAWS includes a device interface and data collection environment; signal processing; hypothesis and prediction generation; as well as optimized DPA analysis utilities and tools.

Side-channel attacks conducted against electronic systems are relatively simple and inexpensive to execute. An attacker does not need to know specific implementation details of the cryptographic device to perform these attacks and extract keys. As all physical electronic systems routinely leak information, effective side-channel countermeasures such as Rambus’ DPA Resistant Hardware Cores (DPARC) or DPA Software Library (DPASL) should be implemented at the design stage to ensure protection of sensitive keys and data. After the implementation of hardware or software countermeasures, systems should be carefully evaluated with a Test Vector Leakage Assessment (TVLA) platform such as the Rambus DPA Workstation (DPAWS) to confirm the cessation of sensitive side-channel leakage.

Gary Kenworthy is a senior principal engineer at Rambus Cryptography Research.

Leave a Reply