Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi

Transcription

1 Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi Wednesday, September 16 th, 015

2 Motivation Security Evaluation

3 Motivation Security Evaluation 3

4 Motivation Security Evaluation 4

5 Motivation Security Evaluation Does the chip leak information? Problem: Evaluation is not trivial. 5

6 Motivation Security Evaluation Does the chip leak information? Problem: Evaluation is not trivial. Non-Invasive Attack Testing Workshop, 011 Goal: Establish testing methodology capable of robustly assessing the physical vulnerability of cryptographic devices. 6

7 Motivation Attack-based Testing Perform state-of-the-art attacks on the device under test (DUT) Attacks Types: DPA CPA MIA Intermediate Values: Sbox In Sbox Out Sbox In/Out Leakage Models: HW HD Bit 7

8 Motivation Attack-based Testing Perform state-of-the-art attacks on the device under test (DUT) Attacks Types: DPA CPA MIA Intermediate Values: Sbox In Sbox Out Sbox In/Out Leakage Models: HW HD Bit Problems: High computational complexity Requires lot of expertise Does not cover all possible attack vectors 8

9 Motivation Testing based on t-test Tries to detect any type of leakage at a certain order Proposed by CRI at NIST workshop Advantages: Independent of architecture Independent of attack model Fast & simple Versatile 9

10 Motivation Testing based on t-test Tries to detect any type of leakage at a certain order Proposed by CRI at NIST workshop Advantages: Independent of architecture Independent of attack model Fast & simple Versatile Problems: No information about hardness of attack Possible false positives if no care about evaluation setup 10

11 Contribution 1. Explain statistical background in a (hopefully) more understandable way. More detailed discussion of higher-order testing 3. Hints how to design fast & correct measurement setup 4. Optimization of analysis phase 11

12 Statistical Background t-test 1

13 Statistical Background t-test 13

14 Statistical Background t-test Sample Q 0 Sample Q 1 14

15 Statistical Background t-test Sample Q 0 Sample Q 1 Null Hypothesis: Two population means are equal. 15

16 Statistical Background t-test Sample Q 0 Sample Q 1 16

17 Statistical Background t-test Sample Q 0 Sample Q 1 Sample mean: Sample variance: Sample size: μ 0 s 0 n 0 μ 1 s 1 n 1 17

18 Statistical Background t-test Sample Q 0 Sample Q 1 Sample mean: Sample variance: Sample size: μ 0 s 0 n 0 μ 1 s 1 n 1 Degree of freedom v = s 0 n 0 s 0 n 0 + s 1 n 1 s 1 n 1 n n 1 1 t = μ 0 μ 1 s 0 n 0 + s 1 n 1 t-test statistic 18

19 Statistical Background t-test t v Estimate the probability to accept null hypothesis with Student s t distribution: f t, v = Γ v + 1 πv Γ v 1 + t v v+1 Compute: p = t f t, v dt 19

20 Statistical Background t-test t v Estimate the probability to accept null hypothesis with Student s t distribution: f t, v = Γ v + 1 πv Γ v 1 + t v v+1 Compute: p = t f t, v dt Small p values give evidence to reject the null hypothesis 0

21 Statistical Background t-test For testing usually only the t-value is estimated Compared to a threshold of t > 4.5 p = F 4.5, v > 1000 < Confidence of > to reject the null hypothesis 1

22 Testing Methodology Specific t-test Non-Specific t-test

23 Testing Methodology Specific t-test Measurements T i With Associated Data D i Specific t-test: Key is known to enable correct partitioning Test is conducted at each sample point separately (univariate) If corresponding t-test exceeds threshold DPA probable 3

24 Testing Methodology Specific t-test target bit D i = 0 Measurements T i With Associated Data D i Q 0 Specific t-test: Key is known to enable correct partitioning Test is conducted at each sample point separately (univariate) If corresponding t-test exceeds threshold DPA probable 4

25 Testing Methodology Specific t-test target bit D i = 0 Measurements T i With Associated Data D i target bit D i = 1 Q 0 Q 1 Specific t-test: Key is known to enable correct partitioning Test is conducted at each sample point separately (univariate) If corresponding t-test exceeds threshold DPA probable 5

26 Testing Methodology Non-Specific t-test Non-Specific t-test: fixed vs. random t-test Avoids being dependent on any intermediate value/model Detected leakage of single test is not always exploitable Semi-fixed vs. random t-test useful in certain cases 6

27 Testing Methodology Non-Specific t-test Non-Specific t-test: fixed vs. random t-test Avoids being dependent on any intermediate value/model Detected leakage of single test is not always exploitable Semi-fixed vs. random t-test useful in certain cases Measurements T j With Fixed Associated Data D Q 0 7

28 Testing Methodology Non-Specific t-test Non-Specific t-test: fixed vs. random t-test Avoids being dependent on any intermediate value/model Detected leakage of single test is not always exploitable Semi-fixed vs. random t-test useful in certain cases Measurements T j With Fixed Associated Data D Measurements T i With Random Associated Data D i Q 0 Q 1 8

29 Higher-Order Testing Multivariate Univariate 9

30 Higher-Order Testing Multivariate Multivariate: Sensitive variable is shared: S = S 1 S Shares are processed at different time instances (SW) Leakages at different time instances need to be combined first 30

31 Higher-Order Testing Multivariate Multivariate: S 1 Sensitive variable is shared: S = S 1 S Shares are processed at different time instances (SW) Leakages at different time instances need to be combined first 31

32 Higher-Order Testing Multivariate Multivariate: S 1 S Sensitive variable is shared: S = S 1 S Shares are processed at different time instances (SW) Leakages at different time instances need to be combined first 3

33 Higher-Order Testing Multivariate Multivariate: S 1 S Sensitive variable is shared: S = S 1 S Shares are processed at different time instances (SW) Leakages at different time instances need to be combined first Centered Product: x = x 1 μ 1 x μ 33

34 Higher-Order Testing Univariate Univariate: S 1 S Shares are processed in parallel (HW) Leakages at the same time instance need to be combined first 34

35 Higher-Order Testing Univariate Univariate: S 1 S Shares are processed in parallel (HW) Leakages at the same time instance need to be combined first Variance: x = x μ In some cases: x = x μ s d In general: x = x μ d 35

36 Correct Measurement Setup Case Study: Microcontroller Case Study: FPGA 36

37 Correct Measurement Setup PC Control Plaintext Ciphertext Target Pitfalls: Order of fixed and random inputs should be random as well Communication between Control and Target should be masked (if possible) Measure Oscilloscope Trigger 37

38 Correct Measurement Setup PC Control Plaintext Ciphertext Target Pitfalls: Order of fixed and random inputs should be random as well Communication between Control and Target should be masked (if possible) Measure Oscilloscope Trigger 38

39 Correct Measurement CS: Microcontroller AES with masking & shuffling (DPA contest v4.) No shared communication First-order test 39

40 Correct Measurement CS: Microcontroller AES with masking & shuffling (DPA contest v4.) No shared communication First-order test Leakage associated to unmasked plaintext 40

41 Correct Measurement CS: Microcontroller Detectable first order leakage 41

42 Correct Measurement CS: FPGA First Order Second Order A note on the security of Higher-Order Threshold Implementations Oscar Reparaz, eprint Report 015/001 4

43 Correct Measurement CS: FPGA First Order Second Order A note on the security of Higher-Order Threshold Implementations Oscar Reparaz, eprint Report 015/001 43

44 Correct Measurement CS: FPGA First Order Second Order Fifth Order Second Order (bivariate) A note on the security of Higher-Order Threshold Implementations Oscar Reparaz, eprint Report 015/001 44

45 Efficient Computation Classical Approach Incremental Multivariate Parallelization 45

46 Efficient Computation Classical Approach Time Measurement Phase T 0 46

47 Efficient Computation Classical Approach Time Measurement Phase T 0 T 1 47

48 Efficient Computation Classical Approach Time Measurement Phase T 0 T 1 T T n 1 48

49 Efficient Computation Classical Approach Time Measurement Phase Analysis Phase T 0 T 1 T t-test T n 1 49

50 Efficient Computation Classical Approach Time Measurement Phase Analysis Phase T 0 T 1 T t-test Result T n 1 50

51 Efficient Computation Classical Approach t-test t = μ 0 μ 1 s 0 n 0 + s 1 n 1 Reminder: μ = E T Requires estimation of: μ 0, s 0 μ 1, s 1 s = E T μ 51

52 Efficient Computation Classical Approach t-test t = μ 0 μ 1 s 0 n 0 + s 1 n 1 Reminder: μ = E T Requires estimation of: μ 0, s 0 μ 1, s 1 s = E T μ T 0 T 1 T n 1 5

53 Efficient Computation Classical Approach t-test t = μ 0 μ 1 s 0 n 0 + s 1 n 1 Reminder: μ = E T Requires estimation of: μ 0, s 0 μ 1, s 1 s = E T μ Pass 1 T 0 T 1 μ = E T T n 1 53

54 Efficient Computation Classical Approach t-test t = μ 0 μ 1 s 0 n 0 + s 1 n 1 Reminder: μ = E T Requires estimation of: μ 0, s 0 μ 1, s 1 s = E T μ Pass 1 Pass T 0 T 1 μ = E T s = E T μ T n 1 54

55 Efficient Computation Classical Approach t-test t = μ 0 μ 1 s 0 n 0 + s 1 n 1 Reminder: μ = E T Requires estimation of: μ 0, s 0 μ 1, s 1 s = E T μ Pass 1 Pass Pass 3 T 0 T 1 μ = E T s = E T μ Required for certain higher-order tests T n 1 55

56 Efficient Computation Classical Approach Problems: 1) Measurement phase need to be completed ) All measurements need to be stored 3) Traces need to be loaded multiple times Solution: Incremental Computation 56

57 Efficient Computation Incremental Idea: Update intermediate values for each new trace T 0 57

58 Efficient Computation Incremental Idea: Update intermediate values for each new trace T 0 μ, s 58

59 Efficient Computation Incremental Idea: Update intermediate values for each new trace T 0 T 1 μ, s μ, s 59

60 Efficient Computation Incremental Idea: Update intermediate values for each new trace T 0 T 1 T n 1 μ, s μ, s μ, s μ, s Higher-order tests require the computation of additional values 60

61 Efficient Computation Incremental Idea: Update intermediate values for each new trace T 0 T 1 T n 1 μ, s μ, s μ, s μ, s Higher-order tests require the computation of additional values Advantages: 1) Can be run in parallel to measurement phase ) Does not require that all measurements are stored 3) Loads each trace only once 61

62 Efficient Computation Incremental Problem: Computation of intermediate values 6

63 Efficient Computation Incremental Problem: Computation of intermediate values Approach 1: Use raw moments d th -order raw moment: M d = E T d Given: M 1 M Compute: μ = M 1 s = M M 1 63

64 Efficient Computation Incremental Problem: Computation of intermediate values Approach 1: Use raw moments d th -order raw moment: M d = E T d Given: M 1 M Compute: μ = M 1 s = M M 1 Higher-order test require additional moments Example: Univariate 1 st -5 th order tests require M 1 M 10 64

65 Efficient Computation Incremental T 0 T 1 T n 1 M 1 M 10 M 1 M 10 M 1 M 10 M 1 M 10 65

66 Efficient Computation Incremental T 0 T 1 T n 1 M 1 M 10 M 1 M 10 M 1 M 10 M 1 M 10 t-test Result 66

67 Efficient Computation Incremental T 0 T 1 T n 1 M 1 M 10 M 1 M 10 M 1 M 10 M 1 M 10 t-test t-test Result Result 67

68 Efficient Computation Incremental T 0 T 1 T n 1 M 1 M 10 M 1 M 10 M 1 M 10 M 1 M 10 Easy to find update formulas for: M d = n 1 i=0 Ti d n Problem: Numerical unstable for large number of traces t-test Result 68

69 Efficient Computation Incremental T 0 T 1 T n 1 M 1 M 10 M 1 M 10 M 1 M 10 M 1 M 10 Easy to find update formulas for: M d = n 1 i=0 Ti d n Problem: Numerical unstable for large number of traces Example: Computation of variance based on simulations (100M traces ) with N 100,5 t-test Result Method Order 1 Order Order 3 Order 4 Order 5 3-Pass Raw

70 Efficient Computation Incremental Approach : Use central moments (and M 1 ) d th -order central moment: CM d = E (T μ) d Given: M 1 CM Compute: μ = M 1 s = CM 70

71 Efficient Computation Incremental Approach : Use central moments (and M 1 ) d th -order central moment: CM d = E (T μ) d Given: M 1 CM Compute: μ = M 1 s = CM Not that easy to find update formulas for: CM d = n 1 i=0 Ti μ d n Multivariate tests require adjusted formulas 71

72 Efficient Computation Incremental Incremental formulas for tests at arbitrary orders can be found in the paper. Comparison to the raw moments approach: Slightly higher computational effort Less numerical problems, higher accuracy Method Order 1 Order Order 3 Order 4 Order 5 3-Pass Raw Ours

73 Efficient Computation Parallelization Trace n t n,0 t n,1 t n, t n,3 t n,4 Trace n+1 t n+1,0 t n+1,1 t n+1, t n+1,3 t n+1,4 73

74 Efficient Computation Parallelization Trace n t n,0 t n,1 t n, t n,3 t n,4 Trace n+1 t n+1,0 t n+1,1 t n+1, t n+1,3 t n+1,4 Thread 0 Thread 1 Thread Thread 3 Thread 4 74

75 Efficient Computation Parallelization Trace n t n,0 t n,1 t n, t n,3 t n,4 Trace n+1 t n+1,0 t n+1,1 t n+1, t n+1,3 t n+1,4 Thread 0 Thread 1 Thread Thread 3 Thread 4 Trace n t n,0 t n,1 t n, t n,3 t n,4 Thread 0 Trace n+1 t n+1,0 t n+1,1 t n+1, t n+1,3 t n+1,4 Thread 1 75

76 Efficient Computation Parallelization Trace n Thread 0 Thread t n,0 t n,1 t n, t n,3 t n,4 Trace n+1 t n+1,0 t n+1,1 t n+1, t n+1,3 t n+1,4 Thread 1 Thread 3 Example: 1 st -5 th order t-test 100,000,000 traces (each with 3,000 sample points) 9h on x Intel Xeon X5670 GHz (4 hyper-threading cores) 76

77 Conclusion Recommendations Summary Future Work 77

78 Conclusion Recommendations Fixed vs. random: DUT with masking countermeasure With masked communication Semi-fixed vs. random: DUT with hiding countermeasure Without masked communication Specific t-test: DUT with no countermeasures Failed in former non-specific tests Identify suitable intermediate values for key recovery 78

79 Conclusion Summary Testing based on the t-test is simple and fast Has become popular in recent years Things to consider: Correct measurement phase is critical Analysis phase can be strongly optimized Higher-order testing easily possible Additional important aspects: Alignment and signal processing is necessary Finding of points of interest 79

80 Conclusion Future Work Incremental computing for other attacks/evaluation techniques Robust and One-Pass Parallel Computation of Correlation-Based Attacks at Arbitrary Order Tobias Schneider, Amir Moradi, Tim Güneysu, eprint Report 015/571 CPA MCP-DPA MCC-DPA 80

81 Thanks for Listening! Any Questions? 81