Revealing AES Encryption Device Key on 328P Microcontrollers with Differential Power Analysis

ABSTRACT


INTRODUCTION
The increasing number of complex systems in computer applications increases the need for a secure data exchange inside them. Those applications use the internet as the media for the private exchange of information or data. Cryptology is a science about data safety. The use of the cryptographic application is increasing over the year. This increasing number is followed by the need for data movement in the internet, among mobile systems, andamong the Internet of Things (IoT). The improvement of cryptographic functionsis not limited to the confidentiality and the concealment of information by unauthorized parties. Cryptographic functions advance itself in becoming the instrument for verifying the authenticity, integrity, and digital signature of a data or information. The advancement in cryptographic functions is considered as an interesting research object whether from the application side, the strength, or the technique of attacking the said cryptographic application on hardware or software.
In the past, the attack on a cryptographic system is viewed only theoretically. A conventional cryptanalyst generally uses linear, differential, and brute force technique to analyze and obtain the vulnerabilities of an encryption algorithm [1], [2]. The cryptanalyst represents the cryptographic algorithm as a mathematical object.
The attacking technique of cryptography on hardware or embedded platform is a very interesting topic and very important matter to be researched especially in this modern day. According to statistics in 2018, the number of IoT devices or pervasive hardware computing is projected to hit as high as 75. 4  problem with the error model is that IoT is a new object so that the security of such objects is not much considered in the design phase. IoT products that are available now, such as a microprocessor or microcontroller with embedded software, are very vulnerable to become an attack surface. IoT is very dependent on the development of a microcontroller unit (MCU) technology. MCU with low power and cost will be massively used especially as the main component in IoT devices. These MCUs contain a flash memory that carries a relatively-sized program (at least 64 kB). But, the shortfall of the usage of MCU is that there is no special peripheral such as true random number generator (TRNGs) or cryptographic coprocessors that is needed to improve the security. By that reason, we see a need of an examination on the vulnerabilities and the points of attacks of the MCU devices which will be used on the IoT devices. However, in fact, when a cryptographic algorithm implemented in hardware will produce high performance, it can be mass produced and low costly [1], [2], [3]. Common forms of cryptographic devices are universal serial bus (USB) tokens, smart card [4], chips, field programmable gate array FPGA [5], [6], and micro-controllers [7]. These cryptographic devices have small dimensions and low power consumption. However, unnoticed by IC cryptanalyst and IC designers, cryptographic devices are more vulnerable and easily accessible by physical attack techniques [8]. So, the underlying assumption of classical cryptanalysis is no longer possible to be adapted.
The existence of a side channel attack (SCA) attacks on the security of cryptographic devices needs in-depth research. Some concrete characteristic leaks are occurring. Some side channel information, such as time [9] [10], sound [11], electromagnetic fields [12] and power consumption [13] can be used by an adversary to obtain the masterkey stored in the device. These leaks are unavoidable, and it is easy for an attacker to measure the value of such side information such as a probe and a high-frequency oscilloscope. Side channel analysis is an innovative new research area and very different from the classical cryptanalysis approach. Therefore, now, it not only focuses on the security of cryptographic algorithms but also on the security of the whole system that is a cryptographic device that implements a cryptographic algorithm [13].
This attacking technique has shown the overall result of simple power analysis (SPA) and DPA [14]. The result produced from DPA revealed correct 48 bit from 64 bit of the overall key (75%). The SPA and DPA have proved that both of them can recover 75% of the secret key and the rest could be obtained by using bruteforce. The second technique has been proposed in many articles that is by using the correlation factor between the traces and the hamming weight of the processed data [15], [16]. In some previous research, subkey and a secret key of AES and data encryption standard (DES) have been recovered by using a quite large number of traces [17][18][19]. Previous DPA attacking pattern used a large quantity of traces (>1000 traces) to get 75% correct bit of the master key. There are some improvements from the previous attacking model by calculating the correlation coefficient of the trace and the hamming weight of the processed data. However, when calculating the correlation coefficient, the attack must have the capability to fully control the value of the plaintext that is to be encrypted by the cryptographic device [20], [21]. The DPA flowis is shown in Figure 1. Unlike traditional cryptanalysis, SCA targets physical cryptographic system implementation. Power analysis attacks are one type of SCA that exploit power information changes. Power analysis attacks can be launched with simple equipment and attacks in a short time. Power analysis is a potent and useful attack against the actual implementation of the cryptographic algorithm on the hardware. From the various sources of the side channel information mentioned earlier, such as time measurement, electromagnetic radiation, error message; information derived from power consumption may be the most difficult matter to be controlled by the cryptographic designer. All calculations performed by encryption devices operate on zero and one logic gates. The process of computing encryption and decryption will lead to changes in power form and more specifically the logic gate. Attacker encryption devices can monitor power differences and get useful side channel information in key space searches. (DPA), introduced by Kocher et al. is a statistical approach to monitorsuch power signals.
Specific DPA attack forms against encryption devices running DES algorithms are contained in their DPA study [19]. Based on the results of the study, it was confirmed that DPA attacks are very potent and can even be used to monitor thedifference of every single bit of transistors in encryption devices. The paper will show how this attack can be used against the AES encryption algorithm and what factors cause the vulnerability to occur.
The purpose of this research is to investigate SCA and to develop a DPA based attack on an MCU target that applies AES-128. In this article, readers will be introduced to the idea of SCA in searching for the key. Next, we will introduce the power analysis technique with DPA-DoM (difference of means) on an MCU. The least significant bit (LSB) model of intermediate value is introduced as a partial means in executing DPA. Finally, we made some conclusions about thersefindings and comments about some future worksbased on the research results. One topic regarding the future works is about finding the best approach in mitigating DPA attack on an MCU.

RESEARCH METHOD
This section introduces the performed and lab setup for DPA attacks in this research. Figure 2 as shown the research steps used in this paper. The research steps used in this paperwas done by setting them in a systematic meansfor reviewing the SCA technique on an encryption device. The test will make a DPA attack on an AES encryption device by using a laboratory-testing environment. The environment itself is shown in Figure 3. The expected main result of this research is to recover the secret key after the encryption process is finished. More comprehensively, the design step ofencryption device will produce an AES128 device that runs on an ATMEGA328P microcontroller. After the encryption device is obtained, the method of measurement is designed by making a circuit with a series resistor on the V ground . The next step is to generate the clock by sending ciphertext to the encryption device previously obtained. The last part of the second test is to do a DPA attack so the characteristics and the model can be obtained and be further analyzed. Table 1 lists the main components and setting for the testing. To run and simulate this attack technique we build the device under test (DUT). The system's design architecture is shown in Figure 3. This DUT environmentisconsisted ofat least three connected components: AES crypto processor, a personal computer (PC), and digital sampling oscilloscope (DSO). The crypto processor is the DUT from which side channel information would be harvested by the DSO, creating a traces curve. The PC collects the traces and The differential power analysis attack was used in this study is a difference of means approach (DoM) was proposed by Kocher at 1999 [19]. However, the Kocher publication implements the attack on a DES algorithm that is located in an FPGA. In this research, we focused on a DPA attack on an AES encryption device. Specifically, the device is an AES encryption system implemented in a microcontroller device. The basic idea of DPA is to make one hypothesis one by one bit of the whole key bits. Next, we select a function known as function selection. The selection function gets the input value of the key guess k g , where k g = (k g1 , k g2 , ..... k g255 ).
This technique will divide several curves of traces (encryption device measurement result) into two sets S δ ≡ m i (t) |L k 0 ,i = 0 and S ψ ≡ m i (t) |L k 0 , I =1 , and the traces are adjusted to the leakage values of hypothetical keys L k 0 ,i . The adversarywill focus on one LSB bit (a least significant bit) L k 0 ,i =∈ {0,1} then the output of the bit determines where the position of the traces curve is placed. Laying the traces done by looking at if LSB = 0 will be placed on set 0 ( L k 0 ,i = 0)or otherwise set 1 (L k 0 ,i = 1) [18], [22]. Furthermore, both sets of traces are mutually reduced or to obtain the difference between the two curves calculated. In the correct hypothetical key that is k 0 = k, then the true predictive value will be separated from the shape of the whole curve. At the technical end of this attack produces a peak on the differential trace curve and the point in time when the targeted operation is calculated ∆k 0 (t). In other hypotheses the k 0 , k curve traces will look flat. The correct k g values can be identified by looking at the different peaks on the curves of the table (DoM traces). Formally, DoM calculations are indicated by: In this paper, DPA attack techniques use the DPA AES128 bit attack. The number of traces data is 500 curve traces with information about the plaintext and the resulting cipher-text. The stages in carrying out the DPA attack on this report are to observe the first round of the AES-128 encryption protocol. The DPA attacks targetis outbreak from AddRoundKey and SubBytes on AES round operations. The key value used in the first round is denoted as K, andthe value of n of each byte will be denoted by Kn. The plaintext used on each trace is denoted as Xi,n. Therefore, the mathematical model of the first round observation can be: From the equation, the value of X i ,n is a known variable: one byte of plain-text. K n is the secret key constants. The S variable is the default value of the AES substitution table. While the output of the S function is I ( i,n) an unknown variable whose value depends on a 1-byte secret key and a known variable such as plaintext, use of tough tests can crack AES passwords easily if found the value of a key guess is correct. More specifically K n is an 8-bit value, so at least 256 tests will be performed to confirm the correct K n value. In the 16 bytes of K n that make up all AES-128 keys can be found only by splitting for each byte separately. The flowchart DPA-DOM on AES as shown in Figure 4.

RESULTS AND DISCUSSION
MCUs vulnerability with DPA attack is proved in this work. In our test, we have succeeded in designing an attacking environment that runs on an ATMEGA328P microcontrolleras shown in Figure 5. The DPA technique needs an input of some power trace and public data such as the ciphertext to carry the recovering key algorithm. The researchers made a correlation between secret key, public data, and measurement traces to recover the secret key. The calculation is made for every key guess. If the key guess is correct, it will be shownin the form of a graph similar to the one in Figure 6.

Figure 5. AES DUT and Traces
DPA is a practical way of testing whether the value of the Kn guessing process is closer to the truth. The Kn candidate is used with the equation above to obtain the value I(i,n) for each X(i,n) trace. A selection function can be made based on the process of calculating the value I(i,n). In this study, the one-bit value of I(i,n) (LSB) is used as the output of the selection function. Each trace is searching the value of one bit LSB then divided into two groups based on the output of the selection function. The average difference between each subset is then observed. If the output value of the S-boxes estimated by the selection function has a small correlation value for the traces, the DPA technique will show the spikes of the traces average indicating that the guess value of Kn is true. For every wrong Kn, the prediction of I(i,n) values would not be related to the data being processed by the target device. Figure 6 shows the distribution of key guessing for the the16 th state. It is visible that the key guesses index number 61 has a significant difference in data distribution compared to key guess index number 50 to 60. The large difference is assumed as the correct key guess. The test result shows that the attack has succeeded in recovering the whole 128-bit key (100% key recovery). The attacking simulation test is done by using 1,050 traces and takes 16 minutes of execution. The key can be directly recovered because of the AES algorithm vulnerability in initial AddRoundKeyoperation, which is, basically, an XOR operation of plaintext and masterkey. The result produced the key used, and the key guesses from the simulation correspond the sequence of the simulated states (43 126 21   The same analysis can be repeated for all 16-byte states (n = 0,..., 15) in obtaining all of 128-bit AES cipher keys from the encryption device. The value of the success of this attack is shown in Figure 7. The xaxis shows the number of traces and the y-axis indicates the key obtained.  Table 2 represent the attack succeeds in an overall 128-bit key (100% key acquisition). Testing of attack simulation used 500 traces and ittook 120 seconds. The key can be directly obtained because of the weakness of the AES algorithm found in the initial AddRoundKey operation which is basically the XOR plaintext operation against the master key directly. Execution time 120 seconds 3.
Some missing key bits 0bits

CONCLUDING REMARKS
The implementation of an AES encryption system in anMCU has a high vulnerability to the master key of the AES encryption device itself. A DPA attack is a statistical attack based on the power usage analysis required by the encryption device. We already get the main problem of this power-based attack. After analysing the DPA on the DUT, we obtained an attack surface on the AES encryption device. The main susceptibility of AES128 lies in a predictable power estimation value after the SubBytes function in each round. We have succeeded demonstrating it by using a minimum trace and timenamely, only 500 traces and it took 120 seconds. The main vulnerability of AES to DPA is in the first roundof attack (after SBOX operation). The vulnerability is when the XOR of plaintext and the master key followed by a non-linear substitution of SubBytes function (SBOX). The attacker can easily make the empirical computation in determining the intermediate value. This value is essential in recovering the secret key. We believe that this vulnerability can be solvedby hiding and masking the intermediate value. As Figure 8 shows, we could obtain the intermediate value modelled as haming weight (8 bit) for every message. In future research, we will try to randomize the intermediate value by using information fusion [23][24][25][26][27][28][29][30][31] and constant weight encoding [27], [32] approach. Those approaches could deceive attackers in recovering AES encryption device's secret key. We proposed that method called as cognitive-masking. Cognitive-masking is built on the most significant power usage analysis affecting a single message encryption process. Cognitive-masking is a concept developed from information fusion. The concept of information fusion is to combine two information quickly and accurately to get the best value of masking decisions.