Template Attacks, Optimal Distinguishers & Perceived Information Metric

Size: px

Start display at page:

Download "Template Attacks, Optimal Distinguishers & Perceived Information Metric"

Phyllis Patrick
5 years ago
Views:

1 Template Attacs, Optimal Distinguishers & Perceived Information Metric Cryptarchi June 29-30, 2015 Leuven Sylvain Guilley*, Annelie Heuser*, Olivier Rioul* and François-Xavier Standaert** *Telecom ParisTech, **UCL

2 Overview Introduction Motivation Notations Perceived Information Derivations Maximum a posteriori probability Maximum Lielihood Conclusion 2 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

3 Outlines Introduction Motivation Notations Perceived Information Derivations Maximum a posteriori probability Maximum Lielihood Conclusion 3 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

4 Motivation Consolidate state-of-the-art about optimal distinguishers with a deeper loo on the probability estimation 4 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

5 Motivation Consolidate state-of-the-art about optimal distinguishers with a deeper loo on the probability estimation Perceived Information (PI): information-theoretic metric quantifying the amount of leaage Show that PI is related to maximizing the success rate through the Maximum a posteriori probability (MAP) 4 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

6 Motivation Consolidate state-of-the-art about optimal distinguishers with a deeper loo on the probability estimation Perceived Information (PI): information-theoretic metric quantifying the amount of leaage Show that PI is related to maximizing the success rate through the Maximum a posteriori probability (MAP) Use the maximum lielihood (ML) to derive MIA and the (experimental) template attac in case of profiling 4 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

7 Motivation Profiling device Attacing device ˆP for an estimation offline P estimated online on-the-fly P exact probability 5 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

8 Motivation Profiling device Attacing device ˆP for an estimation offline P estimated online on-the-fly P exact probability 5 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

10 Notations secret ey deterministic but unnown m independent measurements x = (x 1,..., x m ) and independent and uniformly distributed inputs t = (t 1,..., t m ) leaage model y() = ϕ(f(, t)), where ϕ is a device specific leaage function and f maps the inputs to an intermediate algorithmic state x = y( ) + n with independent noise n 7 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

11 Perceived information Idea [Renauld et al., 2011] Metric quantifying degraded leaage models Testing models against each other, e.g., from the true distribution against estimations Generalization of mutual information 8 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

12 Perceived information Idea [Renauld et al., 2011] Metric quantifying degraded leaage models Testing models against each other, e.g., from the true distribution against estimations Generalization of mutual information Ideal case the distribution P is nown PI is MI MI(K; X, T ) = H(K) + P() t P(t) x P(x t, ) log 2 P( t, x) 8 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

13 Perceived information Profiled case the distribution P is nown test a profiled model ˆP against P P I(K; X, T ) = H(K) + P() t P(t) x P(x t, ) log ˆP( t, 2 x) 9 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

14 Profiled case Perceived information the distribution P is nown test a profiled model ˆP against P P I(K; X, T ) = H(K) + P() t P(t) x P(x t, ) log 2 ˆP( t, x) Real case the distribution P is unnown test a profiled model ˆP against an online estimated model P ˆ P I(K; X, T ) = H(K) + P() t P(t) x P(x t, ) log 2 ˆP( t, x) ( P estimated with non-parametric estimators, e.g. each x has P= 1 m ) 9 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

15 Outlines Introduction Motivation Notations Perceived Information Derivations Maximum a posteriori probability Maximum Lielihood Conclusion 10 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

16 MAP Maximum a posteriori probability The optimal distinguishing rule is given by the maximum a posteriori probability (MAP) rule D(x, t) = arg max P( x, t) 11 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

17 MAP Maximum a posteriori probability The optimal distinguishing rule is given by the maximum a posteriori probability (MAP) rule D(x, t) = arg max P( x, t) With the help of Bayes rule... P( x, t) = P(x, t) P() P(x t) = P(x, t) P() P()P(x t, ) 11 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

18 Relation between MAP and PI Profiling scenario Profiled model ˆP, model P estimated online on-the-fly 12 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

19 Relation between MAP and PI Profiling scenario Profiled model ˆP, model P estimated online on-the-fly ˆP( x, t) m i=1 ˆP( x i, t i ) 12 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

20 Relation between MAP and PI Profiling scenario Profiled model ˆP, model P estimated online on-the-fly ˆP( x, t) m i=1 ˆP( x i, t i ) We start by maximizing MAP: arg max ˆP( x, t) = arg max = arg max m ˆP( x i, t i ) 12 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015 i=1 ˆP( x, t) m P (x,t) where P (x, t) = P(x, t ) is the "counting" estimation (online) of x and t that depends on. Now taing the log 2 gives: = arg max P (x, t) log 2 ˆP( x, t) x,t x,t

21 Relation between MAP and PI (cont d) = arg max = arg max = arg max P (x, t) log 2 ˆP( x, t) x,t P(x, t ) log 2 ˆP( x, t) x,t P(t) P(x t, ) log 2 ˆP( x, t) x t 13 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

22 Relation between MAP and PI (cont d) = arg max = arg max = arg max P (x, t) log 2 ˆP( x, t) x,t P(x, t ) log 2 ˆP( x, t) x,t P(t) x t P(x t, ) log 2 ˆP( x, t) Taing the average over and adding H(K) gives ˆ P I(K; X, T ) = H(K) + P() t P(t) x P(x t, ) log 2 ˆP( x, t) 13 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

23 Relation between MAP and PI (cont d) PI MAP ˆ P I (real case) is the expectation of the MAP over the eys 14 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

24 Relation between MAP and PI (cont d) PI MAP ˆ P I (real case) is the expectation of the MAP over the eys Profiled case If we have an infinite number of traces to estimate P P then we recover PI(K;X,T) 14 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

25 Relation between MAP and PI (cont d) PI MAP ˆ P I (real case) is the expectation of the MAP over the eys Profiled case If we have an infinite number of traces to estimate P P then we recover PI(K;X,T) Ideal case If we have an infinite number of traces to estimate P P and ˆP P then we recover MI(K;X,T) 14 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

26 Assumptions for ML The leaage model follows the... Marov condition The leaage x depends on the secret ey only through the computed model y(). Thus, we have the Marov chain (, t) y = ϕ(f(t, )) x Related to the EIS [Schindler et al., 2005] assumption. Marov condition: invariance of conditional probabilities EIS assumption: invariance of images under different subeys 15 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

27 Maximum Lielihood Attac Maximum Lielihood Attac Assuming we have y() = ϕ(f(t, )) that follows the Marov condition, then the optimal distinguishing rule is given by the maximum lielihood (ML) rule D(x, t) = arg max P(x y) Proven and investigated in [Heuser et al., 2014] 16 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

28 Maximum Lielihood Attac Similarly, as in the previous derivation we have: m arg max P(x y) = arg max P(x i y i ) = arg max Taing the log 2 gives us: arg max i=1 P(x, y) log 2 P(x y) x,y x,y P(x y) m P(x,y) Now we add the cross entropy term that does not depend on a ey guess : x,y P(x, y) log 2 P(x). 17 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

29 Maximum Lielihood Attac This results into: arg max x,y P(x, y) log 2 P(y x) P(y) 18 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

30 Maximum Lielihood Attac This results into: arg max x,y P(x, y) log 2 P(y x) P(y) In practice... P is most liely not nown perfectly by the attacer So it is either estimated offline (leading to ˆP) Or it is estimated online on-the-fly" (leading to P) 18 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

31 Profiled Maximum Lielihood Attac If ˆP is estimated offline on a training device, we get ˆP(y x) arg max P(x, y) log 2 ˆP(y) Which is the template attac [Chari et al., 2002] x,y i.e. a distinguisher resulting from the MAP with A priori nowledge on the ey distribution & assumting the Marov condition 19 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

32 Profiled Maximum Lielihood Attac If ˆP is estimated offline on a training device, we get ˆP(y x) arg max P(x, y) log 2 ˆP(y) Which is the template attac [Chari et al., 2002] Non-Profiled x,y If P is estimated online on a the device under attac, we get arg max x,y P(x, y) log 2 P(y x) P(y) Which is the Mutual Information Analysis [Gierlichs et al., 2008] 19 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

33 Outlines Introduction Motivation Notations Perceived Information Derivations Maximum a posteriori probability Maximum Lielihood Conclusion 20 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

34 Conclusion Maximizing the PI = optimizing the MAP attacs (on average over the eys) ML is a alternative to MAP (no penalty if eys are uniform) Maximum lielihood attacs correspond to template attacs when probabilities are estimated offline (ˆP) MIA when probabilities are estimated online on-the-fly" ( P) All attacs wor by "testing" a model (estimated offline or online "on-the-fly") against fresh samples For profiled attacs, a (well estimated) more accurate model always help / for non-profiled ones, simpler (easier to estimate online on-the-fly") models can be better 21 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

35 Than you! Questions? 22 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

36 References I Chari, S., Rao, J. R., and Rohatgi, P. (2002). Template Attacs. In CHES, volume 2523 of LNCS, pages Springer. San Francisco Bay (Redwood City), USA. Gierlichs, B., Batina, L., Tuyls, P., and Preneel, B. (2008). Mutual information analysis. In CHES, 10th International Worshop, volume 5154 of Lecture Notes in Computer Science, pages Springer. Washington, D.C., USA. 23 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

37 References II Heuser, A., Rioul, O., and Guilley, S. (2014). Good Is Not Good Enough - Deriving Optimal Distinguishers from Communication Theory. In Batina, L. and Robshaw, M., editors, Cryptographic Hardware and Embedded Systems - CHES th International Worshop, Busan, South Korea, September 23-26, Proceedings, volume 8731 of Lecture Notes in Computer Science, pages Springer. 24 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

38 References III Renauld, M., Standaert, F.-X., Veyrat-Charvillon, N., Kamel, D., and Flandre, D. (2011). A Formal Study of Power Variability Issues and Side-Channel Attacs for Nanoscale Devices. In EUROCRYPT, volume 6632 of LNCS, pages Springer. Tallinn, Estonia. Schindler, W., Leme, K., and Paar, C. (2005). A Stochastic Model for Differential Side Channel Cryptanalysis. In LNCS, editor, CHES, volume 3659 of LNCS, pages Springer. Edinburgh, Scotland, UK. 25 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015

Defining Perceived Information based on Shannon s Communication Theory

Defining Perceived Information based on Shannon s Communication Theory Cryptarchi 2016 June 21-24, 2016 La Grande Motte, France Eloi de Chérisey, Sylvain Guilley, & Olivier Rioul Télécom ParisTech, Université