A Stochastic Model for Differential Side Channel Cryptanalysis

Transcription

1 A Stochastic Model for Differential Side Channel Cryptanalysis Werner Schindler 1, Kerstin Lemke 2, Christof Paar 2 1 Bundesamt für Sicherheit in der Informationstechnik (BSI) Bonn, Germany 2 Horst Görtz Institute Ruhr University Bochum Bochum, Germany Edinburgh, August 30, 2005

2 Outline Introduction A new stochastic approach Fundamental ideas and benefits Experimental results Comparison with other attacks Generalizations Conclusion W. Schindler August 30, 2005 Slide 2

3 Comparison with other Techniques Method DPA/DEMA Template Attack New Stochastic Approach Profiling Step (Training Device) no yes yes (..., but can be skipped) Key Extraction Step (Target Device) yes yes yes W. Schindler August 30, 2005 Slide 3

4 Our new approach combines engineer s insight (Which properties / features of the physical device have (significant) impact on the side-channel signal? (qualitative assessment)) with efficient stochastic methods (exploiting this information in an optimal way) Profiling: much more efficient than template attacks Key Extraction: The efficiency is determined by the engineer s skills limited by the efficiency of template attacks W. Schindler August 30, 2005 Slide 4

5 The Stochastic Model target algorithm: block cipher (no masking) x {0,1} p (known) part or the plaintext or ciphertext k {0,1} s subkey t time I t (x,k) = h t (x,k) + R t Random variable (depends on x and k) deterministic part (depends on x and k) Random variable E(R t ) = 0 quantifies the randomness of the side-channel signal at time t Noise W. Schindler August 30, 2005 Slide 5

6 Profiling, Step 1: Approximating the Deterministic Part Task: Estimate the function h t for all t { t 1,t 2,,t m } (measurement times) Naïve Approach: Estimate h t (x,k) = E (I t (x,k)) independently for each (x,k) {0,1} p {0,1} s Drawback: Giantic number of measurements W. Schindler August 30, 2005 Slide 6

7 More favourable procedure (I) The unknown function h t is interpreted as an element in a real vector space F. Approximate h t by its orthogonal projection h* t onto a suitably chosen low-dimensional vector subspace F u;t h t F u;t. h t * geometric visualization W. Schindler August 30, 2005 Slide 7

8 More favourable procedure (II) The subspace is spanned by known functions g jt : {0,1} p {0,1} s IR Select functions g 0t,,g (u-1)t under consideration of the attacked device. The projection h* t is the best approximator of h t in F u;t (= nearest element of F u;t ). W. Schindler August 30, 2005 Slide 8

9 1 st Minimum Principle (I) Theorem: The image h* t of h t under the orthogonal projection meets a minimum property: For each subkey k and random plaintext X the expectation E ( ( I t (X,k) h (X,k) ) 2 ) attains its minimum on F u;t for h =h* t W. Schindler August 30, 2005 Slide 9

10 1 st Minimum Principle (II) Note: The image under the orthogonal projection, h* t F u;t, can be determined without the knowledge of h t! In other words: The estimation of h* t can completely be moved to the low-dimensional subspace F u;t. W. Schindler August 30, 2005 Slide 10

11 Example: AES (I) x 1, x 2,x 3,...,x 16 : Input (16 Byte) k 1, k 2,k 3,...,k 16 : Key (16 Byte) AddRoundKey() x 1 k 1,...,x 16 k 16 S S S S SubBytes() S(x 1 k 1 ),..., S(x 16 k 16 ) here: x, k { 0,1 } 8 h t (x,k) depends only on the sum x k fi It is sufficient to determine h t (x,k) for any single subkey k. W. Schindler August 30, 2005 Slide 11

12 Example: AES (II) Reasonable candidates for the functions g jt (x,k): g 0t (x,k) = 1 g jt (x,k) = j th bit of S(x k) for 1 j 8. interpreted as a real-valued function {0,1} 8 IR F 9;t = < g 0t,g 1t,,g 8t > vector subspace generated by g 0t,g 1t,,g 8t Note: dim(f 9;t ) = 9 while dim (F ) = 256 no information on h t W. Schindler August 30, 2005 Slide 12

13 Profiling, Step 1: Approximating the Deterministic Part Task: Estimate the coefficients β* 0t,,β* (u-1)t of h* t with respect to the base g 0t,,g (u-1)t for each t { t 1,..., t m } measurement times Procedure: 1. perform N 1 measurements (i.e. observe N 1 encryptions) at the training device 2. calculate the least-square-estimator (requires no more than elementary linear algebra) W. Schindler August 30, 2005 Slide 13

14 Profiling, Step 2: Modelling the noise Assumption: The random vector (R t1,, R tm ) is multi-variate normally distributed with covariance matrix C h t1,,h tm and C yield the conditional density f (. x,k) for (I t1 (x,k),, I tm (x,k)). Profiling, Step 2: Perform N 2 further measurements (i.e., observe N 2 further encryptions at the times t 1,, t m ) ~ ~ Determine estimators C and f (. x,k) for C and f (. x,k) W. Schindler August 30, 2005 Slide 14

15 Key Extraction: Maximum Likelihood Method The adversary performs N 3 measurements at the target device substitutes the measured data into the estimated ~ densities f (. x,k) for each subkey k decides for that subkey k that maximizes this term (maximum-likelihood principle) details: paper W. Schindler August 30, 2005 Slide 15

16 Key Extraction: Minimum Principle Alternative key extraction strategy: based on a 2 nd minimum property Properties: Key extraction efficiency: smaller than for the maximum-likelihood method Profiling: saves Step 2 (modelling the noise) details: paper W. Schindler August 30, 2005 Slide 16

17 Experimental Results (I) Power analysis at an unprotected AES implementation on an ATM163 microcontroller x 1, x 2,x 3,...,x 16 : Input (16 Byte) k 1, k 2,k 3,...,k 16 : Key (16 Byte) AddRoundKey() x 1 k 1,...,x 16 k 16 S S S S SubBytes() S(x 1 k 1 ),..., S(x 16 k 16 ) W. Schindler August 30, 2005 Slide 17

18 Experimental Results (II) coefficient ß 3,t in F 9;t coefficient ß 7,t in F 9;t Time t W. Schindler August 30, 2005 Slide 18

19 Empirical probabilities for the correctness of the rank 1-candidate For all instants t we used the vector subspace F 9;t = F 9 := < 1, j th bit of S(x k) for 1 j 8 > N 3 DPA Minimum Principle (N 1 =2000) Maximum-likelihood (N 1 =1000) (HW model) m=7 m=21 m=7(n 2 =1000) m=21(n 2 =5000) % % % % % % % % % % % % % % % % % % % % % % % % % % % % % > % W. Schindler August 30, 2005 Slide 19

20 Impact of Different Subspaces F 2;t = F 2 := < 1, HW (S(x k)) > F 10;t = F 10 := < F 9, most significant 2 nd order monomial > F 16;t = F 16 := < F 9, all consecutive 2 nd order monomials > Key Extraction: Minimum Principle N 3 N 1 = 2000 N 1 = 5000 F 2 F 9 F 10 F 16 F 9 F % % % % % % N 1 is too small W. Schindler August 30, 2005 Slide 20

21 Example AES No. of profiling series (exploiting symmetry): template attack: 256 new stochastic method: 1-2 W. Schindler August 30, 2005 Slide 21

22 Generalizations and Remarks Our approach can be generalized in a natural way to masking to multi-channel attacks (details: paper). Profiling: usually: known test key. also works with unknown test keys (additional computations) may completely be skipped (reduces the efficiency at key extraction) W. Schindler August 30, 2005 Slide 22

23 Conclusion We introduced a new methodology for differential side-channel attacks that combines engineer s insight with stochastic methods enables to determine those properties that have significant impact on the side-channel signal enables efficient assessment of the risk potential of a side-channel attack profiling: much more efficient than for template attacks key extraction efficiency: determined by the suitability of the chosen vector subspace F u;t W. Schindler August 30, 2005 Slide 23

24 Contact Werner Schindler Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany Kerstin Lemke Horst Görtz Institute Ruhr University Bochum, Germany Christof Paar Horst Görtz Institute Ruhr University Bochum, Germany W. Schindler August 30, 2005 Slide 24