Security of Embedded Systems

Uploaded by

wourayaya93
Security of Embedded Systems

Ibrahima DIOP,
Cryptologist and Smartcards Security Specialist
@STMicroelectronics, Rousset (France)
Global Objective

Raise awareness of Security of Embedded Systems


Objectives

• Present Vulnerabilities of Embedded Systems


• Overview of Classical Physical Attacks
• Classical Side channel
• Fault Attacks
• Reverse Engineering
• Present Advanced Side channel Attacks
• Horizontal Attacks on Asymmetric Crypto Algorithms
• Deep Learning based Side Channel Attacks
• Study the different countermeasures of physical Attacks
Agenda

1 Context
2 General Intro
3 Classical Side Channel Attacks
4 Advanced Side Channel Attacks
5 Countermeasures
6 Faults Attacks
7 Invasive Attacks
Context
Embedded Systems are Everywhere…

Smart Cards Key Players

Source: https://www.marketsandmarkets.com/Market-Reports/smart-card-285.html
Smart Cards Market

Source: https://www.marketsandmarkets.com/Market-Reports/smart-card-285.html
Smart Card Architecture
Smart Cards
Integrated Circuit Architecture
• Processor:
• 8, 16 or 32 bits
• CISC or RISC
• Harvard or Von Neumann

• ROM: Read Only Memory


• RAM: Random Access Memory
• EEPROM: Electrically Erasable Programmable Read Only Memory
• Flash: NOR or NAND – close to EEPROM
• RNG: Random Number Generator
• Coprocessors for:
• TDES, AES
• CRC, HASH
• Long Integer Arithmetic (RSA, ECDH, ECDSA)

• In/Out IPs
• MPU/MMU: Memory Management Unit
• Security sensors
Standard Crypto Algorithms in Products
• Symmetric
• DES/TDES: NIST recommendation now TDES for 240 use of same key
• AES 128-192-256
• SM4,…

• Hash Functions
• SHA-1, SHA-256
• RIPEMD 160
• SHA-3: KECCAK
• HMAC Functions
• SM3

• Asymmetric
• CRT-RSA – RSA SFM (≥ 2048 bit)
• DSA / ECDSA (i.e. GF-P256)
• DH / ECDH
• OBKG, Kgen
• SM2

And also …
• DRNG, example: AES-CTR based i.e. NIST SP800-90
• Stream Ciphers
• Lightweight crypto
• Post Quantum Cryptography
Smart Card Manufacturing
Product Conception Phases

[Figure: product conception flow. Labels: Integrated Circuit Design/Dev, OS Definition/Dev, CRYPTO Development, Applications Development, Tests, Production Preparation, Securing, Manufacturing (photomasks, wafer), Pre-personalization, Initialization, Personalization, Tests, Final Product]
Different Phases
From User to End-Of-Life cycles

• Release into circulation: order processing
• Fleet management: updates (data modifications), replacements, thefts, blocking requests, losses
• End of life: deactivation, functional wear, breakage
Classical Target of Hackers
• Payment
• Passports/Government IDs
• Trusted computing
• Brand protection: Printer cartridges, batteries
• IP protection: Source code, netlists, …
• Digital rights management (DRM)
• Transportation
• Car Immobilizers
• Hardware hacking

→ Many scenarios, where the attacker is in possession or vicinity of the device.


• Attacker can be a regular user!
Some Historical Examples of Physical Attacks on Embedded Systems
Historical Example
Tempest
• Earliest techniques: 1943
• Used for spying
• Protection via shielding
Historical Example
Pay-TV
• Early 2000s
• Pirated cards bricked via remote firmware update
• Inserted infinite loop, otherwise unchanged
• Solution: Glitching! Increment IP, but no jump
• ‘’Unloopy’’ device
Historical Example
Microsoft XBox I
• XBox360 reset hack
• Voltage glitching on reset line
• Execute untrusted code (modified firmware)
Historical Example
Mifare Classic
• Contactless card (RFID) with Non-Volatile Memory and specific authentication algorithm (which is secret) for Access protection
• Used for Access control and ticketing (London Subway)
• Henryk Plötz and Karsten Nohl show in [1] how to recover the algorithm using invasive attack

[1] http://events.ccc.de/congress/2007/Fahrplan/events/2378.en.html
Recent Example: A side Journey to Titan

• By Victor Lomne and Thomas Roche (NinjaLab)


• Side-channel attack on the Google Titan Security Key
• Two-factor authentication token device
• With NXP A7005 as Secure element

• Breaking NXP's P5x ECDSA implementation


• Allows, e.g., cloning of the device
But Also…

• Meltdown
• Spectre
• ROCA
• Rowhammer
• TPM Fails
• ….
Physical Attacks Categories
Physical Attacks
Categorization
• Behavior of the attacker
• Active: Actively alter the functionality
• Passive: Only observes certain physical properties

• Degree of invasiveness
• Non-invasive: Device is not altered physically
• Semi-invasive: De-packaging, no electrical contact to internal signals
• Invasive: No limits
Basic Idea of Active Attack

• Goal: Manipulate the device in order to compromise its security

• Changing the general behavior of the device


• Activation of test mode
• Deactivation of countermeasures or sensors
• Change of program code (e.g. skip PIN check, ...)
• ...

• Faults in a cryptographic algorithm


• Device calculates one or more faulty ciphertexts and the actual ciphertext
• Design properties of the algorithm are then used to reveal the key
Basic Idea of Passive Attacks

• Goal: Observe physical properties of a device to compromise its security


• Any computation influences physical properties
• Computations depend on secret

• Problematic for cryptographic implementations


• Attacker knows what algorithm is used, e.g., AES
• Attacks can be tailored to specific algorithms, so they become more effective
Physical Attacks Categories

Category | Active (Fault Attacks) | Passive (SCA)
Non-Invasive | Temperature, Under/Overvolting, ... | Timing/Power Analysis, ...
Semi-Invasive | Laser/Radiation Attacks, ... | EM Attacks, Optical Inspection, ...
Invasive | Circuit modifications, ... | Probing, ...


Physical Attacks

• Attack paths are similar for all categories

• Different side-channels, but same exploitation techniques


• Differences mainly in laboratory setup
• Actual analysis very similar

• Different fault injection techniques, but same exploitation


• Different techniques can have different physical effects
• Once there is a fault, it doesn't matter how it was injected
Power Analysis Basic
CMOS Circuit

• Complementary Metal Oxide Semiconductor
• High noise immunity
• Low power consumption
• Main reason for low power consumption:
• Only switching draws power (kind of)
• Different instructions and different data cause different switching activity
• CMOS instantaneous power consumption depends on
• Instruction/operation (code) executed
• Data that is being processed

Input | Output | Current
0 → 0 | 1 → 1 | Low
0 → 1 | 1 → 0 | Discharge
1 → 0 | 0 → 1 | Charge
1 → 1 | 0 → 0 | Low

Power consumption depends on activity of CMOS devices


Common Power/Leakage Models

• Leakage models mostly considered in literature and practice


• Hamming weight: power consumption = HW(data)
• HW(x) is the amount of x's bits that are set to 1
• Example: Register is set to 0, then load new value, only 1 bit switches
• Often used for microcontrollers

• Hamming distance: HD(reference_state, data)=HW(reference_state XOR data)


• Example: Register is set to x, then updates to y
• Requires knowledge/guessing of 2 values
• Often used for hardware implementations (ASIC, FPGA)

• Single bit or multi-bit


• Direct value (Identity)
Introduction

Introduction
Cryptography: DES, RSA, AES, ECC

Symmetric Cryptography
AES (Advanced Encryption Standard): Standard for Theoretical Security

• Government
• Bank
• Mobile security (3G), WIFI
• And most secure applications in the world
• AES with secret key of 128 bits
• 149k billion years to crack the AES cryptosystem

Introduction
Cryptography: DES, RSA, AES, ECC

Asymmetric Cryptography
RSA/ECC: Standard for Theoretical Security

• Government
• Bank, ID, Crypto wallet (bitcoin), Signature,…
• Mobile security, Brand Protection
• And most secure applications in the world
• RSA 3072 bits, ECC 256 bits
• Based on big number theory & Factorization problem
• Today only numbers of 768 bits can be factorized
• 50 million years to crack RSA/ECC cryptosystems
Side Channel

Theoretical Security

Power Consumption

Embedded → exposed to adversaries in a hostile environment; full physical access, no time constraints
• Remark: the adversary might be a legitimate user!

[Figure: Power consumption of a register with respect to the Hamming weight]

Side Channel
• Power Consumption
• Electro-Magnetic Radiation
• Time
• Acoustic
• Temperature
SCA Materials
• Acquisition Bench Setup

[Figure: Power consumption of some crypto algorithm]
[Figure: Schematic representation of Side-channel Setup]

EM Bench
[Figure: EM probe on IC]
Power Consumption

• What can we see looking at a curve?


• Information in:
• Repetitive patterns: typically coarse, structure of algorithm and implementation (e.g. loops)

• Time: what happens when, program flow

• Amplitude: what happens at a given moment in time, data flow


• The same operation, executed with different operand values, consumes more or less power
Example of Power Consumption Trace
[Figure: power consumption trace]

Zoom inside Power Consumption Trace
[Figure: zoomed power consumption trace]

What is this?
Zooming you identify loop of multiplications → RSA exponentiation

These ones?
Triple DES
From Visual Inspection to Side Channel Attacks
Timing Attack and Simple Power Analysis

• 1996 – P. Kocher first publication at Crypto conference
• Exploited timing analysis to recover the secret key used in RSA exponentiation thanks to several executions timing measurements

• 1998 – P. Kocher, J. Jaffe and B. Jun – SPA on RSA.
• Published on the CRI website.

Side-channel History

• 1999 – P. Kocher, J. Jaffe and B. Jun – first DPA publication on DES


• Paper: Differential Power Analysis. Crypto 1999.
• 1999 – T.S. Messerges, E.A. Dabbish and R.H Sloan – DPA on RSA
• Power Analysis of Modular Exponentiation in Smartcards. CHES 1999.
• 2000 – T.S Messerges – Second Order Power Analysis
• Using Second-Order Power Analysis to Attack DPA Resistant Software. CHES 2000.
• 2003 – E. Brier, C. Clavier and F. Olivier: CPA
• Correlation Power Analysis with a Leakage Model CHES 2004 (IACR 2003).

• 2008 – B. Gierlichs, L. Batina, P. Tuyls and B. Preneel: MIA


• Mutual Information Analysis. CHES 2008

• 2010 – A. Moradi, O. Mischke, and T. Eisenbarth: Collision Correlation on AES


• Correlation-Enhanced Power Analysis Collision Attack. CHES 2010

Types of SCA

• Timing Attack
• Simple Power Analysis
• Differential Power Analysis
• Correlation Power Analysis
• Mutual Information Analysis, …
• Template Attack
• Machine Learning based Attack
• Deep Learning based Attack
Timing Attack
SCA
Use Case

• Timing Attack on Password Verification


• It consists in retrieving sensitive information based on the duration of the verification.
• Depending on the value of the correct user Password, the code will execute more loops

• Test random PIN, measure time T


• Change first PIN digit, measure time T’
• If T == T’ both digit guesses are wrong
• If T > T’ the first digit guess was correct
• If T < T’ the new digit guess is correct

• Average 5 (worst case 10) attempts per digit


• Average 20 (worst case 40) attempts per PIN
• … but recall that only 3 attempts are allowed
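The early-exit comparison described above next to a hardened form, as an added example that is not part of the original slides. The loop counter stands in for execution time (on a real card the fixed-time loop would be written in C or assembly), and `PIN_LEN`, the sample PIN and the class name are assumptions made for the illustration.

```python
PIN_LEN = 4

def verify_early_exit(stored, candidate):
    """Vulnerable check: the loop stops at the first wrong digit.
    Returns (match, loop_iterations); the iteration count stands in for time."""
    loops = 0
    for s, c in zip(stored, candidate):
        loops += 1
        if s != c:
            return False, loops
    return True, loops

def verify_fixed_time(stored, candidate):
    """Hardened check: every digit is always compared and the differences
    are OR-ed together, so the iteration count does not depend on the PIN."""
    loops, diff = 0, 0
    for s, c in zip(stored, candidate):
        loops += 1
        diff |= ord(s) ^ ord(c)
    return diff == 0, loops

def loop_profile(verify, stored):
    """Loop counts for candidates whose first k digits are right (k = 0..PIN_LEN)."""
    profile = []
    for k in range(PIN_LEN + 1):
        wrong_tail = "".join(str((int(d) + 1) % 10) for d in stored[k:])
        profile.append(verify(stored, stored[:k] + wrong_tail)[1])
    return profile

class PinVerifier:
    """PIN check with the retry limit from the slide (3 attempts).
    The counter is decremented before the comparison runs, so a measured or
    interrupted comparison still costs one attempt."""
    def __init__(self, pin, max_tries=3):
        self._pin, self._max, self.tries_left = pin, max_tries, max_tries

    def verify(self, candidate):
        if self.tries_left == 0 or len(candidate) != PIN_LEN:
            return False
        self.tries_left -= 1
        ok, _ = verify_fixed_time(self._pin, candidate)
        if ok:
            self.tries_left = self._max
        return ok

if __name__ == "__main__":
    pin = "4831"  # constructed sample PIN
    print("early exit:", loop_profile(verify_early_exit, pin))
    print("fixed time:", loop_profile(verify_fixed_time, pin))
```

The early-exit profile grows with the number of correct leading digits, which is exactly the T versus T' difference the slide relies on; the fixed-time profile is flat.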
Simple Power/EM Analysis
Simple Power Analysis

• If sequence of patterns, timing or amplitude depends on secret values, power analysis attacks can possibly reveal the secrets

• Taxonomy: attacks categorized according to approach, requirements, adversarial power, etc.

• Categories and criteria not 100% clear, definitions vary, transitions are smooth

Simple Power Analysis
• Anything but simple (except in examples ;) )

• Visual inspection of a few traces, worst/best case: single shot

• Often exploits direct key dependencies


• Input/output need not be known, but useful for verification

• Requires: expertise, experience, detailed knowledge about target device and implementation

• Examples in following slides: patterns, amplitude, timing


Simple Power Analysis

• Patterns (over many-cycle sequences) show, e.g.:

• Symmetric crypto algorithms


• Number of rounds (resp. key length), loops
• Memory accesses (sometimes higher power consumption)

• Asymmetric crypto algorithms


• Key length
• Implementation details (e.g. RSA with CRT)
• Key (if careless implementation, e.g. RSA/ECC)
Simple Power Analysis

• Example of SPA based on Patterns

Unprotected software implementation of AES-128 on 8-bit μC


• Ten rounds, last round shorter, without MixColumns
Simple Power Analysis

• Example of SPA based on Patterns

Unprotected software implementation of AES-128 on 8-bit μC


• Two rounds, four AES building blocks look different
Simple Power Analysis

• Timing, e.g. when an operation is executed, can show:


• Data-dependent branches in software implementations
• Execution of additional operations

• Example: bad implementation of AES MixColumns

• Multiplications by 02 in GF(2^8):
• Shift one bit to the left
• If carry occurs, XOR the result with 1B
Simple Power Analysis

• Timing
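The data-dependent multiplication by 02 from the MixColumns example, beside a version with a fixed operation sequence (added example, not from the original slides). The `stats` counter is an assumption that models the extra operation a trace would show; the column values are the well-known MixColumns test vector.

```python
def xtime_branchy(x, stats):
    """Slide's 'bad' multiplication by 02 in GF(2^8): the XOR with 1B only
    runs when the shift carries out, so execution time depends on the data."""
    r = (x << 1) & 0xFF
    if x & 0x80:
        r ^= 0x1B
        stats["extra_xor"] += 1
    return r

def xtime_regular(x, stats):
    """Same result with a fixed operation sequence: the reduction constant is
    selected with a mask derived from the top bit instead of a branch."""
    mask = -(x >> 7) & 0xFF          # 0x00 or 0xFF
    return ((x << 1) & 0xFF) ^ (0x1B & mask)

def mix_column(col, xtime):
    """AES MixColumns on one 4-byte column; returns (output, extra XOR count)."""
    stats = {"extra_xor": 0}
    t = [xtime(a, stats) for a in col]            # 02 * a_i
    out = [t[i] ^ (t[(i + 1) % 4] ^ col[(i + 1) % 4])   # 02*a_i ^ 03*a_(i+1)
           ^ col[(i + 2) % 4] ^ col[(i + 3) % 4]
           for i in range(4)]
    return out, stats["extra_xor"]

if __name__ == "__main__":
    column = [0xDB, 0x13, 0x53, 0x45]             # standard MixColumns test vector
    print(mix_column(column, xtime_branchy))
    print(mix_column(column, xtime_regular))
```

With the branchy version the number of extra XORs equals the number of state bytes whose top bit is set, so the duration of MixColumns leaks one bit per byte of the intermediate state.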
Simple Power Analysis

• Amplitude of a certain cycle can show:

• Exact operand values (extreme case)

• Often: Hamming weight or Hamming distance of operand(s)

• Operation being executed in software scenarios


• Reverse-engineering of implementation details, and e.g. proprietary algorithms
Simple Power Analysis
• Example: Load from Memory instruction (LD)
• Power consumption depends on HW of the read value
HW = 8

HW = 0

• Suppose we have a 'dictionary' that translates power consumption values into HW


• Example: SPA attack on the AES key schedule
• Extract HWs of round keys, generate list of suitable round keys
• Requires 1 plaintext/ciphertext pair to check remaining candidate keys
Practice Time…

Remember RSA

Implementing RSA (and ECC)

• CRT RSA: modular exponentiation M^d mod n is replaced by two exponentiations of half size.

• As the complexity of this operation is in O(ℓ^3) (with ℓ the bit-length of n) a half size exponentiation is 8 times faster.

• The CRT-RSA is then theoretically about 4 times faster than the non-CRT exponentiation.

• In practice, the efficiency gain will be closer to 3 than 4 due to the reduction and the recombination operations.

• Most of the chip manufacturers include an arithmetic long integer accelerator, also called public key coprocessor, to compute modular multiplication operations more efficiently.

• Depending on the manufacturer, the choice of the modular arithmetic can vary (i.e., Montgomery, Barrett, Quisquater).

• It enables efficient implementations of RSA, CRT-RSA, DSA, DH schemes.

• This coprocessor is also useful to implement efficient elliptic curves operations in ECDSA or ECDH schemes.
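Modular Exponentiation
Target

$$m^d \bmod N = \underbrace{m \times m \times \cdots \times m}_{d \text{ times}} \bmod N = \prod_{i=0}^{k-1} \left(m^{2^i}\right)^{d_i} \bmod N$$

$$m^d \bmod N = \left(\left(\cdots\left(\left(m^{d_{n-1}}\right)^2 \times m^{d_{n-2}}\right)^2 \cdots \times m^{d_i}\right)^2 \cdots \times m^{d_1}\right)^2 \times m^{d_0} \bmod N$$

$$d = \sum_{i=0}^{n-1} 2^i \cdot d_i$$

• Target of the attacks
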
Classical Exponentiation
Square and Multiply

Left-to-right Square-and-Multiply Exponentiation Right-to-Left Square-and-Multiply Exponentiation
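The left-to-right algorithm named above with an operation log, next to a regular Montgomery ladder (added example, not from the original slides; the ladder is a countermeasure chosen here for illustration, and the toy modulus and exponents are constructed values). The log records only operation types, which is what the repeating patterns in a power trace expose.

```python
def square_and_multiply(m, d, n, ops):
    """Left-to-right square-and-multiply. Every exponent bit costs a square
    ('S'); a multiply ('M') is added only for 1 bits."""
    r = 1
    for bit in bin(d)[2:]:
        r = r * r % n
        ops.append("S")
        if bit == "1":
            r = r * m % n
            ops.append("M")
    return r

def montgomery_ladder(m, d, n, ops):
    """Regular alternative: one multiply and one square per bit, whatever its value."""
    r0, r1 = 1, m % n
    for bit in bin(d)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r0, r1 = r0 * r0 % n, r0 * r1 % n
        ops += ["M", "S"]
    return r0

def exponent_visible_in(ops):
    """Read an S/M operation log the way a trace is read by eye: each 'S'
    opens a new bit, a following 'M' marks it as 1."""
    bits = []
    for op in ops:
        if op == "S":
            bits.append("0")
        elif bits:
            bits[-1] = "1"
    return int("".join(bits), 2) if bits else 0

if __name__ == "__main__":
    n, m, d = 3233, 65, 2753          # constructed toy RSA values (61 * 53)
    naive, ladder = [], []
    square_and_multiply(m, d, n, naive)
    montgomery_ladder(m, d, n, ladder)
    print("".join(naive), exponent_visible_in(naive) == d)
    print("".join(ladder), exponent_visible_in(ladder) == d)
```

The naive log decodes back to d, while the ladder log is identical for every exponent of the same bit length.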

Modular Arithmetic Methods
• The implementation of long integer efficient modular squaring and multiplication operations is of crucial importance for product makers.
• Heavy constraints lie on these operations, especially in the context of embedded devices.

• Several methods can be found in the literature. For instance, some common ones are the following:
• Montgomery method
• Barrett method
• Quisquater method
• Brickell method
• Sedlak method
• Scholar method (Knuth)

• In practice the Montgomery and Barrett methods are the most efficient and most commonly used in most of the products.

• Barrett, P. (1986). Implementing the Rivest Shamir and Adleman public key encryption algorithm on a standard digital signal processor. In Advances in Cryptology - CRYPTO '86, Santa Barbara, California, USA, 1986, Proceedings, pages 311-323.

• Brickell, E. F. (1982). A fast modular multiplication algorithm with application to two key cryptography. In Advances in Cryptology: Proceedings of CRYPTO '82, Santa Barbara, California, USA, August 23-25, 1982, pages 51-60.

• Knuth, D. E. (1997). The Art of Computer Programming, Volume 2 (3rd Ed.): Seminumerical Algorithms. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA.

• Montgomery, P. L. (1985). Modular multiplication without trial division. Mathematics of computation, 44(170):519-521.

• Quisquater, J.-J. (1992). Encoding system according to the so-called RSA method, by means of a microcontroller and arrangement implementing this system. US Patent 5,166,978.

• Sedlak, H. (1987). The RSA cryptography processor. In Advances in Cryptology - EUROCRYPT '87, Workshop on the Theory and Application of Cryptographic Techniques, Amsterdam, The Netherlands, April 13-15, 1987, Proceedings, pages 95-105.

Demo on SSCA on RSA challenge

• See demo on RSA SSTIC challenge 2019

[Figures: without clustering / with clustering]

https://scikit-learn.org/stable/modules/clustering.html
Differential Power Attacks (DPA)
Differential Side-Channel Analysis

• Run traces collection for cryptographic algorithm
• Run E_K (encryption) of N plaintexts P_0 .. P_{N-1}, store related side-channel traces C_0 .. C_{N-1}.

C_0 = E_K(P_0) … C_{N-1} = E_K(P_{N-1})

Side-Channel Analysis

[Figure: Plaintext0/Ciphertext0, Plaintext1/Ciphertext1, Plaintext2/Ciphertext2, Plaintext3/Ciphertext3, …, PlaintextN-1/CiphertextN-1]

Differential Side-Channel Analysis

• Apply Divide-and-Conquer method on the operations and involved key-bits
• Guess λ bit of key chunk: for instance, 6-bit for TDES SBoxes, 8-bit for AES SubByte
• Break down the problem = full key recovery to sub-problem = recover key per bit-chunk involved in sub operations
• Define the computation targeted
• Selection function = KeyAddition Substitution …. In first or last rounds

Selection Function
Key Byte 0

[Figure sequence: for each of the n plaintexts and each of the 256 guesses (Guess 0 … Guess 255) of key byte K0, the selection function output SubBytes(P0 ⊕ guess) is computed and stored]
• Guess 00: Plaintext 0 → 0x1C, Plaintext 1 → 0x8A, …, Plaintext n-1 → 0x73
• Guess 01: Plaintext 0 → 0xAB, Plaintext 1 → 0x12, …, Plaintext n-1 → 0xF1
• Guess FF: 0x23, 0x9D, …, 0x87

Selection Function
• One table of 256 × n values per key byte, for the 16 key bytes (Key byte 0 … Key byte 15)
Now use a distinguisher …

[Figure: simulated data from guesses (n plaintexts × 256 guesses) compared with measurement data (n traces)]

Differential Side-Channel Analysis
DPA for Differential Power Analysis

[Figure sequence: for one guess, each of the n traces is assigned to Set G0 or Set G1 according to the model]
• Model: Monobit, Msb(0)
• 0x1C → Partitioning 0 (Set G0)
• 0x8A → Partitioning 1 (Set G1)
• 0x73 → Partitioning 0 (Set G0)

Differential Side-Channel Analysis
DPA for Differential Power Analysis

[Figure: traces of the "Bit 0 Set" and of the "Bit 1 Set"]

Side-Channel Analysis

[Figure: average traces of the "Bit 0 Set" and of the "Bit 1 Set"]

Side-Channel Analysis

• Wrong assumption

,
• Good assumption

,
Differential Side-Channel Analysis
Not always efficient technique

[Figure: Correct Guess vs. Wrong Guess]

Here DPA is not efficient with this number of traces !!!

HOW CAN WE IMPROVE?
Correlation Analysis
the first break event …

Correlation Power Analysis

• Bravais-Pearson Correlation Factor can be used to measure the statistical dependency between two sets of data
• Linear Regression
• Remember we have the following two sets: we want to evaluate if they are “close”
• Simulated data from guesses
• Measurement data

Correlation Power Analysis

• If two variables (data sets) are linearly related → the correlation coefficient will be high

• If the two data sets are not linearly related → the correlation coefficient will be low.

• Most cases have shown Linear leakage model in Hamming weight is efficient
• Model: W = a × HW(data) + b + noise

Now use Correlation Analysis

[Figure sequence: the measurement data C (n traces) is correlated with each column W_k of the simulated data (n plaintexts × 256 guesses): Correlation(W_0, C), Correlation(W_1, C), …, Correlation(W_K, C), …, Correlation(W_255, C)]

Correlation Attack Result

Correlation Power Analysis

• We can use information from all bits contrarily to DPA – no information loss
• All operand and values can be used with
• Mono-bit attacks
• Hamming weight attack
• Value itself to be correlated

• This model is linear in the HW or HD


• But it is close to the real behaviour of a circuit
• Indeed, the Hamming distance measures the number of bit flips between a state i and the next state i+1
• Example: writing in a register R0
• R0 = a
• R0 ← R0 ⊕ K
• R0 = b, bit flips: a ⊕ b ⊕ K

• Requires about 10 times fewer traces than DPA; no “ghost” peaks

Tools

• Distinguisher
• Statistical tool used to compare simulated set (from guess) and real traces set (from DUT)
• DPA, CPA, SNR, NICV, MIA, ANOVA …

• Discriminant:
• Function to apply to sort the distinguisher resulting scores

Time to practice ?
CPA demonstrations on DES and AES

• DPA vs CPA on XMEGA AES Traces

• DSCA on DES DPA contest V1

• DSCA on AES DPA contest V2

Profiled Side Channel Attacks
Types of SCA

• Timing Attack
• Simple Power Analysis
• Differential Power Analysis
• Correlation Power Analysis
• Mutual Information Analysis, …
• Template Attack
• Machine Learning based Attack
• Deep Learning based Attack
Template Attack

• Objective: recover the secret key of a cryptographic algorithm from the power consumption of hardware or software encryptions
• Basic assumption: the power consumption of a computation at a given instant depends on the value of the computation's result
• Attack based on a power consumption model
• As with DPA and CPA, the attack targets a particular point in time during execution
• Unlike DPA and CPA, this attack requires being able to change the key between two executions
Template Attack

• The principle of this attack is to build a consumption “profile” of the device as a function of the key value
• Once the profile is built, the key value can be recovered from measurements by checking which profile best matches the observed values
• Two-phase attack:
• Acquisition phase: building the profiles; requires many traces with a key that varies and is known
• Exploitation phase: the key is fixed and unknown, the goal of the attack is to recover it; this phase requires few traces
Template Attack
First phase
• Record many traces (on the order of 100 000) with known, varying key and plaintext
• Choose a few points of interest (typically 5), corresponding to the instants that maximise the inter-trace variance
• Classify the traces according to a criterion, which can be for example (for an attack on one key byte):
• The output value of the first SBox
• The Hamming weight of the output value of the first SBox
• For each value of the criterion, reconstruct the multivariate normal distribution whose parameters are those obtained empirically
• The number N of dimensions is the number of points of interest
• The parameters of the distribution are the mean vector μ of size N and the covariance matrix Σ between the dimensions (of size N × N)
SCA Countermeasure
Categories of Countermeasures

• Desynchronize
• Hardware de-synchronization: jitter, clock and frequency jitters, random delays
• Shuffling
• One amongst N techniques

• Protocol
• Paddings
• Session keys,
• Fresh re-keying
• Unknown input and/or output (partially): CTR mode, payment ATC

• De-correlate
• Hardware techniques to balance consumption (dual rail)
• Masking techniques

Desynchronization

• [Figure] Synchronized curves vs. desynchronized curves
• [Figure] Synchronized curves vs. desynchronized curves with Random Delay Insertion
• [Figure] Synchronized curves vs. desynchronized curves with Clock-Jitters
One among N countermeasure(s)

[Figure: rows of AES executions, with some DES executions interleaved]

• Same input message with fake keys
• Different (random fake input) messages for correct key: key is manipulated more (!!)

Attacking one among N countermeasure(s)?

[Figure: rows of AES executions, with some DES executions interleaved]

• Same input message with random fake keys
• What attack do you recommend? Ghost peaks?

Cipher texts attacks are more efficient

Masking Techniques

• Data Masking with random values


• The idea
• Ai ⊕ K = Bi can be attacked with DPA.

• Use a random X and replace by
• Ai ⊕ X = Ci
• Ci ⊕ K = Di
• Di → … → Ei
• Ei ⊕ X = Bi
• The bit-flips and IC power consumption change at each execution
• Several countermeasures based on this principle published
• Can be Boolean (TDES, AES) and/or arithmetic masking (HMAC)
AES first operations

[Figure: P0 P1 … P14 P15 ⊕ K0 K1 … K14 K15 → SubBytes → A0 A1 … A14 A15]
AES

[Figure: P0 P1 … P14 P15 ⊕ R R … R R ⊕ K0 K1 … K14 K15 → SubBytes → A0 ⊕ ?, A1 ⊕ ?, …, A14 ⊕ ?, A15 ⊕ ?]

• Select random mask R
• SR, MixColumn are linear, easy to mask and unmask
• F(A ⊕ R) = F(A) ⊕ F(R)
• SubBytes is not linear, more complex operation
• SubBytes(A ⊕ R) ≠ SubBytes(A) ⊕ SubBytes(R)

How to protect the SubBytes?

AES

[Figure: P0 P1 … P14 P15 ⊕ R R … R R ⊕ K0 K1 … K14 K15 → SubBytes* → A0 ⊕ R, A1 ⊕ R, …, A14 ⊕ R, A15 ⊕ R → ShiftRow → MixColumn (repeat on all rounds) → B0 ⊕ R, B1 ⊕ R, …, B14 ⊕ R, B15 ⊕ R → then unmask!]

• for value from 0 to 255
SubByte_Masked[value ⊕ R] = SubByte[value] ⊕ R
More …

• Can be done similarly on T table implementation of AES


• Bigger tables require more memory
• Faster
High-order Attacks
Second (Higher) Order Attacks

Find two instants on the trace where:

• i1: the mask R is manipulated
• i2: target data D masked with R is manipulated

R ⊕ (D ⊕ R) = D

HW(R) ⊕ HW(D ⊕ R) ≠ HW(D)

HW(R) ⊕ HW(D ⊕ R) ≈ HW(D)

[Figure: trace with i1: R and i2: D ⊕ R marked]
Reminder on Second order attacks

• 2nd Order Attack Principle:


- Find two instants i1 and i2 on the trace(s) where the mask R is manipulated
- Combine those two instants i1 and i2 to remove the mask influence
- Perform classical 1st order attack

• Method 1: Combine i1 and i2 with Absolute Difference :


• T* = abs(i1 – i2)
• Correlation (T*, guesses)

• Method 2: Combine i1 and i2 with Normalised (Centered) Product


- E1 the mean of i1 and E2 the mean of i2
- T* = (i1 - E1)*(i2 - E2)
- Correlate (T*, selection_function_values)
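A leakage assessment on simulated traces that ties together the CPA model W = a × HW(data) + b + noise, the masked SubBytes table and the centered-product combining of Method 2 (added example, not from the original slides or notebooks). The trace counts, noise level, key byte 0x2B and all function names are assumptions chosen for the illustration.

```python
import random

def aes_sbox():
    """Build the AES S-box (inverse in GF(2^8), then the affine map)."""
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p = p * 3
        q = (q ^ (q << 1)) & 0xFF                                # q = q / 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                       # 0 has no inverse
    return sbox

SBOX = aes_sbox()
HW = [bin(v).count("1") for v in range(256)]

def masked_sbox(r):
    """Table recomputation from the slide: SubByte_Masked[v ^ R] = SubByte[v] ^ R."""
    table = [0] * 256
    for v in range(256):
        table[v ^ r] = SBOX[v] ^ r
    return table

def leak(value, rng, a=1.0, b=0.0, sigma=0.5):
    """Leakage model from the CPA slide: W = a * HW(data) + b + noise."""
    return a * HW[value] + b + rng.gauss(0.0, sigma)

def simulate_unmasked(secret, n, rng):
    """One leaking sample per trace: the first-round SubBytes output."""
    pts = [rng.randrange(256) for _ in range(n)]
    return pts, [leak(SBOX[p ^ secret], rng) for p in pts]

def simulate_masked(secret, n, rng):
    """Two samples per trace: i1 handles R, i2 handles SubBytes output ^ R."""
    pts, i1, i2 = [], [], []
    for _ in range(n):
        p, r = rng.randrange(256), rng.randrange(256)
        out = masked_sbox(r)[(p ^ r) ^ secret]    # equals SBOX[p ^ secret] ^ r
        pts.append(p)
        i1.append(leak(r, rng))
        i2.append(leak(out, rng))
    return pts, i1, i2

def cpa(pts, samples):
    """|Pearson correlation| of the samples with HW(SBOX[p ^ guess]), per guess."""
    n = len(samples)
    mean_s = sum(samples) / n
    cs = [s - mean_s for s in samples]
    var_s = sum(c * c for c in cs)
    scores = []
    for guess in range(256):
        h = [HW[SBOX[p ^ guess]] for p in pts]
        mean_h = sum(h) / n
        cov = sum((x - mean_h) * c for x, c in zip(h, cs))
        var_h = sum((x - mean_h) ** 2 for x in h)
        scores.append(abs(cov) / (var_h * var_s) ** 0.5)
    return scores

def centered_product(i1, i2):
    """Method 2 from the slide: T* = (i1 - E1) * (i2 - E2)."""
    e1, e2 = sum(i1) / len(i1), sum(i2) / len(i2)
    return [(x - e1) * (y - e2) for x, y in zip(i1, i2)]

def assess(secret=0x2B, seed=1):
    """Compare first-order leakage with and without masking, then second order."""
    rng = random.Random(seed)
    best = lambda s: max(range(256), key=s.__getitem__)
    pts, tr = simulate_unmasked(secret, 300, rng)
    plain = cpa(pts, tr)
    pts, i1, i2 = simulate_masked(secret, 2000, rng)
    first = cpa(pts, i2)
    second = cpa(pts, centered_product(i1, i2))
    return {"unmasked_best": best(plain), "unmasked_peak": max(plain),
            "masked_first_order_peak": max(first),
            "masked_second_order_best": best(second),
            "masked_second_order_peak": max(second)}

if __name__ == "__main__":
    for name, value in assess().items():
        print(name, value)
```

In this simulation the unmasked sample singles out the key byte with a few hundred traces, the masked sample alone shows no usable first-order correlation, and the combined samples do again with more traces, which is why first-order masking is evaluated against second-order analysis.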
More second order attacks

• Can be difficult to locate R


• Combine SubBytes(P0⊕R) with SubBytes(P1⊕R)
• Requires 2^16 guesses instead of 2^8
• Combine Round-1-SubBytes(P0⊕R) with Round-10-SubBytes(P0⊕R)
• Requires 2^16 guesses instead of 2^8

• …
Second Order Attack Demonstration

• See notebook demonstration on second order attack.

Deep Learning Based Side Channel Attack
Profiled SCA
Target
• AES (Advanced Encryption Standard) Algorithm

[Figure: AES Power Consumption]

Target: Input/Output of the initial SubBytes of an AES

Profiled SCA
Target
• AES 128 bits First Round SubBytes

S-BOX ()

Profiled SCA
Example
• Template Attack

[Figure: Training/Building Phase, Attack/Matching Phase]

Profiled SCA
Example
• Example of Template Attack Result on 128 Bits AES

The whole key is recovered with around 400 tests

[Figure: Key Recovery]
Countermeasures against Side Channel Attack
SCA
Countermeasures
• Masking Data

S-BOX () S-BOX [( )]

random value

The leakage is no longer related to the values actually processed

SCA
Countermeasures
• Jittering
• Add dead cycles at random
• Shuffling Desynchronization
• Operations are executed in random order
• Dummy operations insertion

Curves of AES without countermeasure | Curves of AES with Jittering + Shuffling + Dummy
SCA

Countermeasures
• Limit of Template Attack

Attack is successful without CM | Attack fails with CM

Deep Learning SCA

Template SCA

S-BOX ()
S-BOX [() ( )]

Leakage model not adapted
is unknown

Environmental CM render curves more difficult to process (Features extraction)
Deep Learning SCA

Template SCA

DL SCA

Neural Network
Deep Learning SCA
• What model architecture to use?
• We are going to use a Convolutional Network architecture
• Little or no invariance to shifting, scaling, and other forms of distortion
• Detect the features independently of their position.
Deep Learning SCA
• How do I find a suitable model?
• Suitable DL-SCA models are hard to find by hand, so it is best to use hyperparameter tuning to find the right model automatically.
• Training thousands of models using Keras Tuner or HyperOpt/Hyperas and GPUs

Example of models proposed in the literature of DL-SCA
Deep Learning SCA
• Training Phase
Features Labels S-BOX ()

S = 43

S = 145

S = 228

S = 5
Deep Learning SCA
• How do I recover the key?
• Leverage all model predictions on many traces to carry out probabilistic attacks

• Probabilistic attack: Summing traces
Deep Learning SCA
• Example of Result

Before (result of Template Attack) After (result with Deep Learning)

Deep Learning SCA
• DL-SCA vs Classical SCA

Only DL-SCA has allowed the secret key to be recovered
Back to Countermeasure
How to improve resistance

• Diversify the masks


• One random mask per byte on linear operations
• Change mask at each round
• Easy to handle for ShiftRow and MixColumn
• One random byte per SubByte operation in the round
• Requires 16 masked new SubBytes
• Add Shuffling: random order execution
• Mainly on SubBytes operations
• Add one AES among N countermeasure
• Implement SubBytes differently
• Can perform inversion in GF(16) instead of GF(256)
• Smaller table, more masks, more permutations
• Implement the inversion in GF(256) and mask the operation with a combination of multiplicative (additive and
Boolean masking)
• It will make the second order attack theoretically possible but more complex to perform in practice
Obscurity

• Not Kerckhoffs’s principle:


• “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.”
• Shannon
• “one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them”
• Can help against side-channel if added on top of standard crypto algorithm

AES Key K

H
• Not a “recommended” countermeasure
Infective Computation

• Add integrity or MAC


• If the check is not correct, execute anyway, but with a fake key instead of the correct one
• Make the attacker lose time on fake data
• The attacker must not detect that the key is fake (i.e., that you detected him)
Multiplicative Masking Technique

• Several countermeasures (publication) involve multiplicative masking

• Boolean mask is now multiplicative


• Inversion gives:

• Not sensitive to high order attacks

• Sensitive to ZERO VALUE attacks


dth order resistant implementations

• Split the data D and key K to be protected into d+1 random shares to protect the
product against dth-order side-channel attacks.

• The principle is the following:


• Generate d random values r1, …, rd
• Generate d random values s1, …, sd
• Compute r0 = D ⊕ r1 ⊕ … ⊕ rd
• Compute s0 = K ⊕ s1 ⊕ … ⊕ sd

• D ⊕ K = (r0 ⊕ s0) ⊕ (r1 ⊕ s1) ⊕ … ⊕ (rd ⊕ sd)


dth order resistant implementations

• ISW (Ishai – Sahai – Wagner) scheme


• Y. Ishai, A. Sahai, and D. Wagner. Private Circuits: Securing Hardware against Probing Attacks. In D. Boneh, editor, Advances in Cryptology – CRYPTO 2003.
• AND and NOT gates circuit

• M. Rivain and E. Prouff


• Provably Secure Higher-Order Masking of AES. CHES 2010

• L. Goubin and A. Martinelli


• Protecting AES with Shamir’s Secret Sharing Scheme. CHES 2011.
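
The d+1 share splitting from the previous slide together with the AND and NOT gates of the ISW scheme, as an added Python example (not code from the slides or from the cited papers). It works bitwise on bytes, all function names are assumptions, and it shows the share arithmetic only: Python gives no control over instruction order or timing.

```python
import secrets
from functools import reduce

def share(value, d):
    """Split a byte into d+1 Boolean shares: r0 = value ^ r1 ^ ... ^ rd."""
    rest = [secrets.randbits(8) for _ in range(d)]
    return [reduce(lambda a, b: a ^ b, rest, value)] + rest

def unshare(shares):
    """Recombine shares (done only at the very end of the computation)."""
    return reduce(lambda a, b: a ^ b, shares, 0)

def masked_xor(a, b):
    """Linear operation: share i of a is combined only with share i of b."""
    return [x ^ y for x, y in zip(a, b)]

def masked_not(a):
    """NOT gate: complementing a single share complements the shared value."""
    return [a[0] ^ 0xFF] + a[1:]

def masked_and(a, b):
    """ISW AND gate on d+1 shares, using d(d+1)/2 fresh random bytes."""
    n = len(a)
    c = [a[i] & b[i] for i in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r_ij = secrets.randbits(8)
            # Bracketing matters: the fresh random is added first, so no
            # intermediate equals a_i&b_j ^ a_j&b_i without a mask.
            r_ji = (r_ij ^ (a[i] & b[j])) ^ (a[j] & b[i])
            c[i] ^= r_ij
            c[j] ^= r_ji
    return c

def self_check(d, rounds=200):
    """Check every gate against the unmasked operation on random inputs."""
    for _ in range(rounds):
        data, key = secrets.randbits(8), secrets.randbits(8)
        sd, sk = share(data, d), share(key, d)
        ok = (len(sd) == d + 1
              and unshare(masked_xor(sd, sk)) == data ^ key
              and unshare(masked_and(sd, sk)) == data & key
              and unshare(masked_not(sd)) == data ^ 0xFF)
        if not ok:
            return False
    return True
```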
Fresh Rekeying

• Provide side-channel resistance by


• limiting the side-channel attacks paths as different keys are used in the computations.
• Re-Keying can be done externally via the protocol or internally.
• We focus here on internal Re-Keying.

• designing a function g to re-key a block cipher f


• with a master and constant values with a random nonce r.
• Then each encryption of a plaintext block is performed with a fresh key k* such that the ciphertext is c = f_k*(p).
• It can also be decided to relax the model and to use a fresh key
• for a given number w of plaintext block encryptions
• ensuring the number L is small enough to protect the TOE from profiled and non-profiled attacks.

• Make use of functions more resistant to side-channel than others …


Tree Key
Real Example in Secure Boot
Side Channel Methodology

[Figure: cycle of steps: Tests Plan, Measure, Observe, Collect, Align, Characterize, Attack, Analyse and decide]
Side Channel Attacks Methodology
Step 1: Tests Plan

• Evaluation mode
• Knowledge on the product is given for the evaluation
• Information given: source code, IC design, cryptographic operations and IPs, etc.

• Vulnerability Analysis
• Identify potential attacks if information is available

• Test Plan
• Define tests based on the Vulnerability Analysis if it was performed.
Side Channel Attacks Methodology
Step 2: Measurement

• Measurement set-up
• Setup the measurement
• Select probe, location
• Sampling rate,
• EM (preferably often)
• Triggering

• Identify the operation you are targeting

• Find the best signal for the targeted operation
• Cartography can help
Side Channel Attacks Methodology
Step 3: Locate / Process with Few traces Observation

• What is the knowledge you can get to locate and identify?

• Observe the trace


• What can you identify?
• Seeing the algorithm rounds? rounds operation?

• Chosen input
• Depending on the leakage model of the device for the targeted operation, fixing a certain number of bytes to a
constant (i.e., 0) can make specific patterns appear in the trace, which helps to locate the area of interest or even
to recover the secret.

• Signal Processing
• Apply signal processing techniques to observe potential loops and better identify the operations related to the
computations
• Investigate which signal processing will be most helpful for aligning the traces once collected
Side Channel Attacks Methodology
Step 4: Collect traces

• Define setup
• Sampling to use
• Define Area to collect in the computation for the chosen attack path
(first or last rounds for example)
• Setup for trace collection

• Run the traces collection


• Collect traces and store
• 100K? 1M? 10M?
• Efficient equipment required (up to 1M per day)

Side Channel Attacks Methodology
Step 5: Align

• Alignment
• Identify which signal processing techniques to combine to align traces
• Run the alignment(s)

• Critical Path
• Alignment can determine the success or failure of the attacks
• Major part of the global effort

Example: observe then align

• See observation notebook on aligned and not aligned traces

Side Channel Attacks Methodology
Step 5: Characterize
• What is the knowledge you can get to characterize?

• Input – Output
• Knowing the computation input and/or output (plaintext or ciphertext) can help
• Perform SCA tests on input to locate the beginning of the targeted operation in the trace(s)
• Perform SCA tests on output to locate the end of the targeted operation in the trace(s)
• Require a first traces collection to be done

• Chosen input → TVLA (Test Vector Leakage Assessment), i.e., T-test …


• You can select specific values as input to gain more knowledge on the operations and find leakage points (T-test)
• Fixing a certain number of bytes to a constant (i.e., 0) can reduce the algorithmic noise from one operation on the
targeted one
• Depending on the leakage model of the device for the targeted operation, fixing a certain number of bytes to a
constant (i.e., 0) can make specific patterns appear in the trace, which helps to locate the area of interest or even to
recover the secret.
Side Channel Attacks Methodology
Step 6: Characterize

• What is the knowledge you can get to characterize?

• Key Knowledge → Leakage Detection on Data Computation with Key Knowledge


• Knowing the key means you can characterize your implementation (at each step, each round)
• You can test whether each intermediate value of the computation correlates with the trace
• Answer: YES, there is leakage in the implementation → might lead to an exploitable attack
• Answer: NO, there is no obvious leakage in the implementation

• Chosen Key → Leakage Detection on Key Manipulation with Key Knowledge


• Knowing the key allows the key schedule to be characterized (T-test, reverse with varying keys)
• Can be used to build templates on the key manipulation

• Characterization results provide a first test conclusion.
Side Channel Attacks Methodology
Step 7: Attack

No characterization knowledge

• Run the attacks
• Test different leakage models
• Test related attack paths
• Test all selection functions
• Log results
• Observe results
• Can use thresholds to sort the results at a first stage
• Score value higher than a threshold
• Ratio between the best score and the next highest ones

With characterization knowledge

• Use characterization results to run appropriate attacks (model, selection functions..)
• Log results
• Observe coherency of results with characterization
Side Channel Attacks Methodology
Step 8: Analyse and Decide

• Conclude on testing and evaluation

• Or relaunch different tests if there is a plan.

Welch t-test

• Most used test is the Student t-test

• Requires that the evaluator can send chosen messages


• Using random and fixed plaintext sets
• Variance based test
• Identify 1st order leakages

• Can be turned to higher order leakages detection
Welch t-test

• T-test examines the leakage of the Device Under Test (DUT) independent of its
underlying architecture.
• Gives a level of confidence to conclude that the DUT has an exploitable leakage or not.
• However, it provides no information
• about the easiness/hardness of an attack which can exploit the leakage,
• nor about an appropriate intermediate value and the hypothetical model.

• Can easily and rapidly report that the DUT fails to provide the desired security level:
• e.g., due to a mistake in the design engineering
• or a flaw in the countermeasure.

• T-test analysis requires acquiring two sets of traces:


• Set A provides random data
• Set B provides fixed or semi-fixed data
• The targeted data could be any of the algorithm inputs (plaintext, key, mask ...).

• [GJJR] G. Goodwill, B. Jun, J. Jaffe, P. Rohatgi - A testing methodology for side-channel resistance validation. https://csrc.nist.gov/csrc/media/events/non-invasive-attack-testing-workshop/documents/08_goodwill.pdf

• [SM15] Tobias Schneider and Amir Moradi. Leakage Assessment Methodology - a clear roadmap for side-channel evaluations. CHES-2015 - https://eprint.iacr.org/2015/207.pdf

• [BCDJKKLMRS] G. Becker, J. Cooper, E. De Mulder, G. Goodwill, J. Jaffe, G. Kenworthy, T. Kouzminov, A. Leiserson, M. Marson, P. Rohatgi and S. Saab. Test Vector Leakage Assessment (TVLA) methodology in practice
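
A fixed-vs-random Welch t-test as described above, run on an unprotected and on a masked target, as an added Python example (not from the slides or the cited papers). The 4-sample traces are constructed (Hamming weight plus Gaussian noise); the 4.5 bound on |t| is the one commonly used with TVLA, and the key byte and all names are assumptions. The second-order variant applies a centered product before the same test.

```python
import random

THRESHOLD = 4.5  # |t| bound commonly used with TVLA (assumption, not on the slide)

def hw(x):
    return bin(x).count("1")

def mean_var(xs):
    n = len(xs)
    m = sum(xs) / n
    return m, sum((x - m) ** 2 for x in xs) / (n - 1)

def welch_t(set_a, set_b):
    """Welch's t statistic at every sample index of two trace sets."""
    t_values = []
    for col_a, col_b in zip(zip(*set_a), zip(*set_b)):
        (ma, va), (mb, vb) = mean_var(col_a), mean_var(col_b)
        t_values.append((ma - mb) / (va / len(col_a) + vb / len(col_b)) ** 0.5)
    return t_values

def acquire(n, key, masked, fixed, rng, noise=1.0):
    """Constructed traces standing in for DUT measurements (4 samples each).
    Sample 1 leaks HW(R) when masked, sample 2 leaks HW(P ^ K ^ R)."""
    traces = []
    for _ in range(n):
        p = rng.randrange(256) if fixed is None else fixed
        r = rng.randrange(256) if masked else 0
        leak = [0, hw(r), hw(p ^ key ^ r), 0]
        traces.append([v + rng.gauss(0, noise) for v in leak])
    return traces

def centered_product(traces, i, j):
    """Second-order preprocessing: combine samples i and j of each trace."""
    mi = sum(t[i] for t in traces) / len(traces)
    mj = sum(t[j] for t in traces) / len(traces)
    return [[(t[i] - mi) * (t[j] - mj)] for t in traces]

def leaking_samples(set_a, set_b):
    return [k for k, t in enumerate(welch_t(set_a, set_b)) if abs(t) > THRESHOLD]

def assess(masked, n=2000, key=0x7E, seed=3):
    """Return (first-order leaking samples, second-order leaking samples)."""
    rng = random.Random(seed)
    set_a = acquire(n, key, masked, None, rng)   # Set A: random data
    set_b = acquire(n, key, masked, 0x00, rng)   # Set B: fixed data
    first = leaking_samples(set_a, set_b)
    second = leaking_samples(centered_product(set_a, 1, 2),
                             centered_product(set_b, 1, 2))
    return first, second

if __name__ == "__main__":
    print("unprotected:", assess(masked=False))
    print("masked     :", assess(masked=True))
```

The fixed input is chosen so that its intermediate does not sit at the mean of the random set (here HW(0x00 ⊕ 0x7E) = 6 against a mean of 4); with a fixed value of Hamming weight 4, a first-order fixed-vs-random test would see no difference even on the unprotected target.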

t test

Example of t-test on AES

• See demo notebook on AES

Example of leakage analysis with reverse on AES

• See demo notebook
Attack and Remaining Key Entropy

• How to evaluate the results of a side-channel attack


• Do we really need the full key to be recovered?
• Remaining entropy is the right cursor!
• https://eprint.iacr.org/2014/920.pdf
Back to the past…
Past: 90’s (before Kocher)

(Designing) A Security Product

Invasive Attacks and Countermeasures

Reverse Engineering

• Accessing the circuit


• Remove plastic or open with a knife or cutter

• Use chemical products to remove (destroy) epoxy (resin) with nitric acid and acetone …
→ We can now observe the chip and analyze it using microscope(s)
• Reconnect the circuit on another “package”
• In order to use it again we reconnect the IO pins, clock pins, VCC pads, etc.
• We can then analyze the IC while it is running, using several tools
Reverse Engineering
Reverse the IC Layout

• Re-assemble metal layers


• Integrated Circuit = SUM of metal layers interconnected with each other

• Using an optical microscope we can observe and take a picture of each metal layer
• We start at the highest (upper) layer
• We chemically remove this layer with fluoric acid or a plasma machine
• We iterate until we reach the lowest layer (metal 1)
Reverse Engineering
Reverse the Layout

View of top metal | View of 1 metal lower after removal of top metals

• We can then reconstitute the whole IC structure


• This operation is very complex and time consuming
• In real life it is faster to focus on an area of interest with a precise attack path
Reverse Engineering
Read Memories Content

• Extract (read) the non-volatile memories content (data, code).


• RAM, EEPROM, FLASH: difficult but possible
• ROM:
• Easier
• Related to the kind of memory (diffused or not)
• Requires different techniques
• Depends on the technology node:
• 90nm, 65nm
• 28nm (!)
• 7nm is the current best techno
Read/Modify bits with Probing

• Require a probe station

Read/Modify bits with Probing
• We position one or more probes on a circuit area to ‘’read’’ or ‘’change/flip’’ a value (bits):
• For instance, the bit lines in a data bus, or code bus

• For instance, you can read a key value transferred on a bus to a memory or register
• You change the key bits ..
• Etc.
Modify the Circuit
Focused Ion Beam (FIB)

• FIB (Focused Ion Beam) stations are most often used to analyze (and
“debug”) failures in circuits

• FIB can
• “remove” metal, and modify connections
• add metal and then create new connections

• Then an ATTACKER can


• Access “hidden” signals at lower metal levels
• Modify the circuit (behavior)

• Very expensive .. But low cost for renting !


Modify the Circuit
Focused Ion Beam (FIB)
Cross Sections

• Very powerful tool


• Can defeat product security
• Expensive
• Can be rented
• Usage to be monitored
Countermeasures
Vs.
Invasive Attacks

IC Reverse Engineering
Countermeasures

• Make design more complex


• Embed sensitive lines in lower levels
• Use thinner technologies (< 65 nm)
• Make the structure more compact (i.e., Glue logic)

• Glue Logic
• Makes the IP and block localization difficult for the attacker

IP easy to locate | IP more difficult to locate
Reverse Engineering on Memories
Countermeasures

• Use memory technology more difficult to reverse

• Apply Scrambling / Permutations on data (addresses)


• Apply a secret permutation to the data bits to make bit reassembly difficult once the memory has been reversed
• Can be software or hardware dedicated IPs

• Hardware Data Encryption


• Data in memory are never in plain
• Encrypted with a cryptographic algorithm
• Must be very efficient as applied for each READ/WRITE access in memory
• Decryption for each memory read
• Encryption for each memory write
• Same for registers, etc.
• Difficult to design such algorithms (not a XOR with a hardcoded key please)
• Mandatory for serious products

• Software Encryption
• Is recommended to be added at software level for (very) sensitive assets
Probing Countermeasures

• Passive Shield (insufficient)


• Full metal level on the top of the IC to “forbid” the access

• Active Shield/Mesh (efficient)


• Full metal on top of the shield
• Embed active lines interconnected
• Touch or Cut a line and you will be detected by the shield sensors connected to the active lines

• Be a Clever Designer
• place sensitive buses, registers (data or configuration) in areas that are difficult to reach with a probe

• Integrity Check on data flow


• Will detect a probe modification on data as integrity will not be coherent

• Memories/Buses/Registers Encryption
FIB Countermeasures

• Active Shield/Mesh (efficient)
• Full metal on top of the shield
• Embed active lines interconnected
• Touch or Cut a line and you will be detected by the shield sensors connected to the active lines

• Be a Clever Designer
• place sensitive buses, registers (data or configuration) in areas that are difficult to reach with a probe

• Difficult
• With more and more effort, FIB can defeat most of the protections
• Matter of time and money and techno used
© STMicroelectronics - All rights reserved.