Template Attacks, Optimal Distinguishers & Perceived Information Metric
|
|
- Phyllis Patrick
- 5 years ago
- Views:
Transcription
1 Template Attacs, Optimal Distinguishers & Perceived Information Metric Cryptarchi June 29-30, 2015 Leuven Sylvain Guilley*, Annelie Heuser*, Olivier Rioul* and François-Xavier Standaert** *Telecom ParisTech, **UCL
2 Overview Introduction Motivation Notations Perceived Information Derivations Maximum a posteriori probability Maximum Lielihood Conclusion 2 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
3 Outlines Introduction Motivation Notations Perceived Information Derivations Maximum a posteriori probability Maximum Lielihood Conclusion 3 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
4 Motivation Consolidate state-of-the-art about optimal distinguishers with a deeper loo on the probability estimation 4 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
5 Motivation Consolidate state-of-the-art about optimal distinguishers with a deeper loo on the probability estimation Perceived Information (PI): information-theoretic metric quantifying the amount of leaage Show that PI is related to maximizing the success rate through the Maximum a posteriori probability (MAP) 4 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
6 Motivation Consolidate state-of-the-art about optimal distinguishers with a deeper loo on the probability estimation Perceived Information (PI): information-theoretic metric quantifying the amount of leaage Show that PI is related to maximizing the success rate through the Maximum a posteriori probability (MAP) Use the maximum lielihood (ML) to derive MIA and the (experimental) template attac in case of profiling 4 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
7 Motivation Profiling device Attacing device ˆP for an estimation offline P estimated online on-the-fly P exact probability 5 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
8 Motivation Profiling device Attacing device ˆP for an estimation offline P estimated online on-the-fly P exact probability 5 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
9
10 Notations secret ey deterministic but unnown m independent measurements x = (x 1,..., x m ) and independent and uniformly distributed inputs t = (t 1,..., t m ) leaage model y() = ϕ(f(, t)), where ϕ is a device specific leaage function and f maps the inputs to an intermediate algorithmic state x = y( ) + n with independent noise n 7 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
11 Perceived information Idea [Renauld et al., 2011] Metric quantifying degraded leaage models Testing models against each other, e.g., from the true distribution against estimations Generalization of mutual information 8 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
12 Perceived information Idea [Renauld et al., 2011] Metric quantifying degraded leaage models Testing models against each other, e.g., from the true distribution against estimations Generalization of mutual information Ideal case the distribution P is nown PI is MI MI(K; X, T ) = H(K) + P() t P(t) x P(x t, ) log 2 P( t, x) 8 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
13 Perceived information Profiled case the distribution P is nown test a profiled model ˆP against P P I(K; X, T ) = H(K) + P() t P(t) x P(x t, ) log ˆP( t, 2 x) 9 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
14 Profiled case Perceived information the distribution P is nown test a profiled model ˆP against P P I(K; X, T ) = H(K) + P() t P(t) x P(x t, ) log 2 ˆP( t, x) Real case the distribution P is unnown test a profiled model ˆP against an online estimated model P ˆ P I(K; X, T ) = H(K) + P() t P(t) x P(x t, ) log 2 ˆP( t, x) ( P estimated with non-parametric estimators, e.g. each x has P= 1 m ) 9 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
15 Outlines Introduction Motivation Notations Perceived Information Derivations Maximum a posteriori probability Maximum Lielihood Conclusion 10 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
16 MAP Maximum a posteriori probability The optimal distinguishing rule is given by the maximum a posteriori probability (MAP) rule D(x, t) = arg max P( x, t) 11 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
17 MAP Maximum a posteriori probability The optimal distinguishing rule is given by the maximum a posteriori probability (MAP) rule D(x, t) = arg max P( x, t) With the help of Bayes rule... P( x, t) = P(x, t) P() P(x t) = P(x, t) P() P()P(x t, ) 11 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
18 Relation between MAP and PI Profiling scenario Profiled model ˆP, model P estimated online on-the-fly 12 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
19 Relation between MAP and PI Profiling scenario Profiled model ˆP, model P estimated online on-the-fly ˆP( x, t) m i=1 ˆP( x i, t i ) 12 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
20 Relation between MAP and PI Profiling scenario Profiled model ˆP, model P estimated online on-the-fly ˆP( x, t) m i=1 ˆP( x i, t i ) We start by maximizing MAP: arg max ˆP( x, t) = arg max = arg max m ˆP( x i, t i ) 12 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015 i=1 ˆP( x, t) m P (x,t) where P (x, t) = P(x, t ) is the "counting" estimation (online) of x and t that depends on. Now taing the log 2 gives: = arg max P (x, t) log 2 ˆP( x, t) x,t x,t
21 Relation between MAP and PI (cont d) = arg max = arg max = arg max P (x, t) log 2 ˆP( x, t) x,t P(x, t ) log 2 ˆP( x, t) x,t P(t) P(x t, ) log 2 ˆP( x, t) x t 13 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
22 Relation between MAP and PI (cont d) = arg max = arg max = arg max P (x, t) log 2 ˆP( x, t) x,t P(x, t ) log 2 ˆP( x, t) x,t P(t) x t P(x t, ) log 2 ˆP( x, t) Taing the average over and adding H(K) gives ˆ P I(K; X, T ) = H(K) + P() t P(t) x P(x t, ) log 2 ˆP( x, t) 13 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
23 Relation between MAP and PI (cont d) PI MAP ˆ P I (real case) is the expectation of the MAP over the eys 14 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
24 Relation between MAP and PI (cont d) PI MAP ˆ P I (real case) is the expectation of the MAP over the eys Profiled case If we have an infinite number of traces to estimate P P then we recover PI(K;X,T) 14 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
25 Relation between MAP and PI (cont d) PI MAP ˆ P I (real case) is the expectation of the MAP over the eys Profiled case If we have an infinite number of traces to estimate P P then we recover PI(K;X,T) Ideal case If we have an infinite number of traces to estimate P P and ˆP P then we recover MI(K;X,T) 14 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
26 Assumptions for ML The leaage model follows the... Marov condition The leaage x depends on the secret ey only through the computed model y(). Thus, we have the Marov chain (, t) y = ϕ(f(t, )) x Related to the EIS [Schindler et al., 2005] assumption. Marov condition: invariance of conditional probabilities EIS assumption: invariance of images under different subeys 15 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
27 Maximum Lielihood Attac Maximum Lielihood Attac Assuming we have y() = ϕ(f(t, )) that follows the Marov condition, then the optimal distinguishing rule is given by the maximum lielihood (ML) rule D(x, t) = arg max P(x y) Proven and investigated in [Heuser et al., 2014] 16 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
28 Maximum Lielihood Attac Similarly, as in the previous derivation we have: m arg max P(x y) = arg max P(x i y i ) = arg max Taing the log 2 gives us: arg max i=1 P(x, y) log 2 P(x y) x,y x,y P(x y) m P(x,y) Now we add the cross entropy term that does not depend on a ey guess : x,y P(x, y) log 2 P(x). 17 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
29 Maximum Lielihood Attac This results into: arg max x,y P(x, y) log 2 P(y x) P(y) 18 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
30 Maximum Lielihood Attac This results into: arg max x,y P(x, y) log 2 P(y x) P(y) In practice... P is most liely not nown perfectly by the attacer So it is either estimated offline (leading to ˆP) Or it is estimated online on-the-fly" (leading to P) 18 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
31 Profiled Maximum Lielihood Attac If ˆP is estimated offline on a training device, we get ˆP(y x) arg max P(x, y) log 2 ˆP(y) Which is the template attac [Chari et al., 2002] x,y i.e. a distinguisher resulting from the MAP with A priori nowledge on the ey distribution & assumting the Marov condition 19 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
32 Profiled Maximum Lielihood Attac If ˆP is estimated offline on a training device, we get ˆP(y x) arg max P(x, y) log 2 ˆP(y) Which is the template attac [Chari et al., 2002] Non-Profiled x,y If P is estimated online on a the device under attac, we get arg max x,y P(x, y) log 2 P(y x) P(y) Which is the Mutual Information Analysis [Gierlichs et al., 2008] 19 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
33 Outlines Introduction Motivation Notations Perceived Information Derivations Maximum a posteriori probability Maximum Lielihood Conclusion 20 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
34 Conclusion Maximizing the PI = optimizing the MAP attacs (on average over the eys) ML is a alternative to MAP (no penalty if eys are uniform) Maximum lielihood attacs correspond to template attacs when probabilities are estimated offline (ˆP) MIA when probabilities are estimated online on-the-fly" ( P) All attacs wor by "testing" a model (estimated offline or online "on-the-fly") against fresh samples For profiled attacs, a (well estimated) more accurate model always help / for non-profiled ones, simpler (easier to estimate online on-the-fly") models can be better 21 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
35 Than you! Questions? 22 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
36 References I Chari, S., Rao, J. R., and Rohatgi, P. (2002). Template Attacs. In CHES, volume 2523 of LNCS, pages Springer. San Francisco Bay (Redwood City), USA. Gierlichs, B., Batina, L., Tuyls, P., and Preneel, B. (2008). Mutual information analysis. In CHES, 10th International Worshop, volume 5154 of Lecture Notes in Computer Science, pages Springer. Washington, D.C., USA. 23 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
37 References II Heuser, A., Rioul, O., and Guilley, S. (2014). Good Is Not Good Enough - Deriving Optimal Distinguishers from Communication Theory. In Batina, L. and Robshaw, M., editors, Cryptographic Hardware and Embedded Systems - CHES th International Worshop, Busan, South Korea, September 23-26, Proceedings, volume 8731 of Lecture Notes in Computer Science, pages Springer. 24 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
38 References III Renauld, M., Standaert, F.-X., Veyrat-Charvillon, N., Kamel, D., and Flandre, D. (2011). A Formal Study of Power Variability Issues and Side-Channel Attacs for Nanoscale Devices. In EUROCRYPT, volume 6632 of LNCS, pages Springer. Tallinn, Estonia. Schindler, W., Leme, K., and Paar, C. (2005). A Stochastic Model for Differential Side Channel Cryptanalysis. In LNCS, editor, CHES, volume 3659 of LNCS, pages Springer. Edinburgh, Scotland, UK. 25 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
Defining Perceived Information based on Shannon s Communication Theory
Defining Perceived Information based on Shannon s Communication Theory Cryptarchi 2016 June 21-24, 2016 La Grande Motte, France Eloi de Chérisey, Sylvain Guilley, & Olivier Rioul Télécom ParisTech, Université
More informationTemplate Attacks with Partial Profiles and Dirichlet Priors: Application to Timing Attacks June 18, 2016
Template Attacks with Partial Profiles and Dirichlet Priors: Application to Timing Attacks June 18, 2016 Eloi de Chérisey, Sylvain Guilley, Darshana Jayasinghe and Olivier Rioul Contents Introduction Motivations
More informationEfficient 2nd-order Power Analysis on Masked Devices Utilizing Multiple Leakage
Efficient 2nd-order Power Analysis on Mased Devices Utilizing Multiple Leaage Liwei Zhang, A. Adam Ding, Yunsi Fei and Pei Luo Email: zhang.liw@husy.neu.edu, a.ding@neu.edu, yfei@ece.neu.edu, silenceluo@gmail.com
More informationLess is More. Dimensionality Reduction from a Theoretical Perspective. CHES 2015 Saint-Malo, France Sept 13-16
Less is More Dimensionality Reduction from a Theoretical Perspective CHES 2015 Saint-Malo, France Sept 13-16 Nicolas Bruneau, Sylvain Guilley, Annelie Heuser, Damien Marion, and Olivier Rioul About us...
More informationA Theoretical Study of Kolmogorov-Smirnov Distinguishers Side-Channel Analysis vs Differential Cryptanalysis
A Theoretical Study of Kolmogorov-Smirnov Distinguishers Side-Channel Analysis vs Differential Cryptanalysis COSADE 2014 Annelie Heuser, Olivier Rioul, Sylvain Guilley 1 Problem statement The distinguishing
More informationTemplate Attacks with Partial Profiles and Dirichlet Priors: Application to Timing Attacks
Template Attacks with Partial Profiles and Dirichlet Priors: Application to Timing Attacks Eloi de Chérisey, Sylvain Guilley,2, Olivier Rioul, and Darshana Jayasinghe Télécom ParisTech, LTCI, CNRS, Université
More informationBack to Massey: Impressively fast, scalable and tight security evaluation tools
Bac to Massey: Impressively fast, scalable and tight security evaluation tools Marios O. Choudary and P. G. Popescu University Politehnica of Bucharest marios.choudary@cs.pub.ro,pgpopescu@yahoo.com Abstract.
More informationLecture 8: Bayesian Estimation of Parameters in State Space Models
in State Space Models March 30, 2016 Contents 1 Bayesian estimation of parameters in state space models 2 Computational methods for parameter estimation 3 Practical parameter estimation in state space
More informationImproving Side-Channel Analysis with Optimal Pre-Processing
Improving Side-Channel Analysis with Optimal Pre-Processing David Oswald and Christof Paar Horst Görtz Institute for IT Security Ruhr-University Bochum, Germany {david.oswald, christof.paar}@rub.de Abstract.
More informationAn Exploration of the Kolmogorov-Smirnov Test as Competitor to Mutual Information Analysis
An Exploration of the Kolmogorov-Smirnov Test as Competitor to Mutual Information Analysis Carolyn Whitnall, Elisabeth Oswald, and Luke Mather University of Bristol, Department of Computer Science, Merchant
More informationAuthor's personal copy
DOI 0.007/s3389-07-070-9 SPECIAL SECTION ON PROOFS 06 Optimal side-channel attacks for multivariate leakages and multiple models Nicolas Bruneau, Sylvain Guilley,3 Annelie Heuser Damien Marion,3 Olivier
More informationAn Exploration of the Kolmogorov-Smirnov Test as a Competitor to Mutual Information Analysis
An Exploration of the Kolmogorov-Smirnov Test as a Competitor to Mutual Information Analysis Carolyn Whitnall, Elisabeth Oswald, and Luke Mather University of Bristol, Department of Computer Science, Merchant
More informationSide-channel Analysis of Lightweight Ciphers: Does Lightweight Equal Easy?
Side-channel Analysis of Lightweight Ciphers: Does Lightweight Equal Easy? Annelie Heuser 1, Stjepan Picek 2, Sylvain Guilley 3, and Nele Mentens 2 1 IRISA/CNRS, Rennes, France 2 KU Leuven, ESAT/COSIC
More informationSystematic Construction and Comprehensive Evaluation of Kolmogorov-Smirnov Test Based Side-Channel Distinguishers
Systematic Construction and Comprehensive Evaluation of Kolmogorov-Smirnov Test Based Side-Channel Distinguishers Hui Zhao, Yongbin Zhou,,François-Xavier Standaert 2, and Hailong Zhang State Key Laboratory
More informationModule 1. Introduction to Digital Communications and Information Theory. Version 2 ECE IIT, Kharagpur
Module ntroduction to Digital Communications and nformation Theory Lesson 3 nformation Theoretic Approach to Digital Communications After reading this lesson, you will learn about Scope of nformation Theory
More informationLDA-Based Clustering as a Side-Channel Distinguisher
LDA-Based Clustering as a Side-Channel Distinguisher Rauf Mahmudlu 1,2, Valentina Banciu 1, Lejla Batina 2, and Ileana Buhan 1 1 Riscure BV, Delftechpark 49, 2628 XJ Delft, The Netherlands lastname@riscure.com
More informationPartition vs. Comparison Side-Channel Distinguishers
Partition vs. Comparison Side-Channel Distinguishers An Empirical Evaluation of Statistical Tests for Univariate Side-Channel Attacks against Two Unprotected CMOS Devices François-Xavier Standaert, Benedikt
More informationUsing Subspace-Based Template Attacks to Compare and Combine Power and Electromagnetic Information Leakages
Using Subspace-Based Template Attacks to Compare and Combine Power and Electromagnetic Information Leakages F.-X. Standaert 1 C. Archambeau 2 1 UCL Crypto Group, Université catholique de Louvain, 2 Centre
More informationAn Exploration of the Kolmogorov-Smirnov Test as a Competitor to Mutual Information Analysis
An Exploration of the Kolmogorov-Smirnov Test as a Competitor to Mutual Information Analysis Carolyn Whitnall, Elisabeth Oswald, and Luke Mather University of Bristol, Department of Computer Science, Merchant
More informationMachine Learning Lecture Notes
Machine Learning Lecture Notes Predrag Radivojac January 25, 205 Basic Principles of Parameter Estimation In probabilistic modeling, we are typically presented with a set of observations and the objective
More informationGeneric Side-Channel Distinguishers: Improvements and Limitations
Generic Side-Channel Distinguishers: Improvements and Limitations Nicolas Veyrat-Charvillon, François-Xavier Standaert UCL Crypto Group, Université catholique de Louvain. Place du Levant 3, B-1348, Louvain-la-Neuve,
More informationLecture 4: Probabilistic Learning. Estimation Theory. Classification with Probability Distributions
DD2431 Autumn, 2014 1 2 3 Classification with Probability Distributions Estimation Theory Classification in the last lecture we assumed we new: P(y) Prior P(x y) Lielihood x2 x features y {ω 1,..., ω K
More informationNICV: Normalized Inter-Class Variance for Detection of Side-Channel Leakage
NICV: Normalized Inter-Class Variance for Detection of Side-Channel Leakage Shivam Bhasin 1 Jean-Luc Danger 1,2 Sylvain Guilley 1,2 Zakaria Najm 1 1 Institut MINES-TELECOM, TELECOM ParisTech, Department
More informationTiming attacks on OpenSSL and mbedtls
1/60 Timing attacks on OpenSSL and mbedtls Sylvain GUILLEY sylvain.guilley@telecom-paristech.fr sylvain.guilley@secure-ic.com Thursday September 15, 2016 Addr: QualSec cryptography and computer security
More informationMutual Information Coefficient Analysis
Mutual Information Coefficient Analysis Yanis Linge 1,2, Cécile Dumas 1, and Sophie Lambert-Lacroix 2 1 CEA-LETI/MINATEC, 17 rue des Martyrs, 38054 Grenoble Cedex 9, France yanis.linge@emse.fr,cecile.dumas@cea.fr
More informationStart Simple and then Refine: Bias-Variance Decomposition as a Diagnosis Tool for Leakage Profiling
IEEE TRANSACTIONS ON COMPUTERS, VOL.?, NO.?,?? 1 Start Simple and then Refine: Bias-Variance Decomposition as a Diagnosis Tool for Leakage Profiling Liran Lerman, Nikita Veshchikov, Olivier Markowitch,
More informationMaking Masking Security Proofs Concrete
Making Masking Security Proofs Concrete Or How to Evaluate the Security of any Leaking Device Extended Version Alexandre Duc 1, Sebastian Faust 1,2, François-Xavier Standaert 3 1 HEIG-VD, Lausanne, Switzerland
More informationTemplate Attacks vs. Machine Learning Revisited
Template Attacks vs. Machine Learning Revisited (and the Curse of Dimensionality in Side-Channel Analysis) Liran Lerman 1, Romain Poussier 2, Gianluca Bontempi 1, Olivier Markowitch 1 and François-Xavier
More informationMulti-Variate High-Order Attacks of Shuffled Tables Recomputation
Multi-Variate High-Order Attacks of Shuffled Tables Recomputation Nicolas BRUNEAU,2, Sylvain GUILLEY,3, Zakaria NAJM, Yannick TEGLIA 2, TELECOM-ParisTech, Crypto Group, Paris, FRANCE 2 STMicroelectronics,
More informationGeneric Side-Channel Distinguishers: Improvements and Limitations
Generic Side-Channel Distinguishers: Improvements and Limitations Nicolas Veyrat-Charvillon, François-Xavier Standaert UCL Crypto Group, Université catholique de Louvain. Place du Levant 3, B-1348, Louvain-la-Neuve,
More informationThe bias variance decomposition in profiled attacks
DOI 10.1007/s13389-015-0106-1 REGULAR PAPER The bias variance decomposition in profiled attacks Liran Lerman 1,2 Gianluca Bontempi 2 Olivier Markowitch 1 Received: 9 July 2014 / Accepted: 13 June 2015
More informationEase of Side-Channel Attacks on AES-192/256 by Targeting Extreme Keys
Ease of Side-Channel Attacks on AES-192/256 by Targeting Extreme Keys Antoine Wurcker eshard, France, antoine.wurcker@eshard.com Abstract. Concerning the side-channel attacks on Advanced Encryption Standard,
More informationGood is Not Good Enough
Good is Not Good Enough Deriving Optimal Distinguishers from Communication Theory Annelie Heuser 1, Olivier Rioul 1, and Sylvain Guilley 1,2 1 Télécom ParisTech, Institut Mines-Télécom, CNRS LTCI Department
More informationAffine Masking against Higher-Order Side Channel Analysis
Affine Masking against Higher-Order Side Channel Analysis Guillaume Fumaroli 1, Ange Martinelli 1, Emmanuel Prouff 2, and Matthieu Rivain 3 1 Thales Communications {guillaume.fumaroli, jean.martinelli}@fr.thalesgroup.com
More informationChannel Equalization for Side Channel Attacks
Channel Equalization for Side Channel Attacks Colin O Flynn and Zhizhang (David) Chen Dalhousie University, Halifax, Canada {coflynn, z.chen}@dal.ca Revised: July 10, 2014 Abstract. This paper introduces
More informationSide-Channel Leakage Evaluation and Detection Based on Communication Theory
Side-Channel Leakage Evaluation and Detection Based on Communication Theory Wei Yang, Yuchen Cao, Ke Ma, and Hailong Zhang University of Chinese Academy of Sciences, Beijing, China generalyzy@gmail.com
More informationA New Framework for Constraint-Based Probabilistic Template Side Channel Attacks
A New Framework for Constraint-Based Probabilistic Template Side Channel Attacks Yossef Oren 1, Ofir Weisse 2, Avishai Wool 3 yos@cs.columbia.edu, ofirweisse@gmail.com, yash@eng.tau.ac.il 1 Network Security
More informationMutual Information Analysis: a Comprehensive Study
Mutual Information Analysis: a Comprehensive Study Lejla Batina 1,2, Benedikt Gierlichs 1, Emmanuel Prouff 3, Matthieu Rivain 4, François-Xavier Standaert 5 and Nicolas Veyrat-Charvillon 5 1 K.U.Leuven,
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationSIDE Channel Analysis (SCA in short) exploits information. Statistical Analysis of Second Order Differential Power Analysis
1 Statistical Analysis of Second Order Differential Power Analysis Emmanuel Prouff 1, Matthieu Rivain and Régis Bévan 3 Abstract Second Order Differential Power Analysis O- DPA is a powerful side channel
More informationMutual Information Analysis: a Comprehensive Study
J. Cryptol. (2011) 24: 269 291 DOI: 10.1007/s00145-010-9084-8 Mutual Information Analysis: a Comprehensive Study Lejla Batina ESAT/SCD-COSIC and IBBT, K.U.Leuven, Kasteelpark Arenberg 10, 3001 Leuven-Heverlee,
More informationPower Analysis of Hardware Implementations Protected with Secret Sharing
Power Analysis of Hardware Implementations Protected with Secret Sharing Guido Bertoni, Joan Daemen, Nicolas Debande, Thanh-Ha Le, Michaël Peeters and Gilles Van Assche, STMicroelectronics, Morpho, TELECOM
More informationA Statistics-based Fundamental Model for Side-channel Attack Analysis
A Statistics-based Fundamental Model for Side-channel Attack Analysis Yunsi Fei, A. Adam Ding, Jian Lao, and Liwei Zhang 1 Yunsi Fei Department of Electrical and Computer Engineering Northeastern University,
More informationEntropy Reduction for the Correlation-Enhanced Power Analysis Collision Attack
Entropy Reduction for the Correlation-Enhanced Power Analysis Collision Attack Andreas Wiemers, Dominik Klein Bundesamt für Sicherheit in der Informationstechnik (BSI) {firstname.lastname}@bsi.bund.de
More informationBasic concepts in estimation
Basic concepts in estimation Random and nonrandom parameters Definitions of estimates ML Maimum Lielihood MAP Maimum A Posteriori LS Least Squares MMS Minimum Mean square rror Measures of quality of estimates
More informationPARAMETER ESTIMATION AND ORDER SELECTION FOR LINEAR REGRESSION PROBLEMS. Yngve Selén and Erik G. Larsson
PARAMETER ESTIMATION AND ORDER SELECTION FOR LINEAR REGRESSION PROBLEMS Yngve Selén and Eri G Larsson Dept of Information Technology Uppsala University, PO Box 337 SE-71 Uppsala, Sweden email: yngveselen@ituuse
More informationLinear Regression Side Channel Attack Applied on Constant XOR
Linear Regression Side Channel Attack Applied on Constant XOR Shan Fu ab, Zongyue Wang c, Fanxing Wei b, Guoai Xu a, An Wang d a National Engineering Laboratory of Mobile Internet Security, Beijing University
More informationPattern Recognition and Machine Learning. Learning and Evaluation of Pattern Recognition Processes
Pattern Recognition and Machine Learning James L. Crowley ENSIMAG 3 - MMIS Fall Semester 2016 Lesson 1 5 October 2016 Learning and Evaluation of Pattern Recognition Processes Outline Notation...2 1. The
More informationMulti-target DPA attacks: Pushing DPA beyond the limits of a desktop computer
Multi-target DPA attacks: Pushing DPA beyond the limits of a desktop computer Luke Mather, Elisabeth Oswald, and Carolyn Whitnall Department of Computer Science, University of Bristol, Merchant Venturers
More informationLess is More Dimensionality Reduction from a Theoretical Perspective
Less is More Dimensionality Reduction from a Theoretical Perspective Nicolas Bruneau,, Sylvain Guilley,3, Annelie Heuser, Damien Marion,3, and Olivier Rioul,4 Telecom ParisTech, Institut Mines-Télécom,
More informationSome Concepts of Probability (Review) Volker Tresp Summer 2018
Some Concepts of Probability (Review) Volker Tresp Summer 2018 1 Definition There are different way to define what a probability stands for Mathematically, the most rigorous definition is based on Kolmogorov
More informationExtended Object and Group Tracking with Elliptic Random Hypersurface Models
Extended Object and Group Tracing with Elliptic Random Hypersurface Models Marcus Baum Benjamin Noac and Uwe D. Hanebec Intelligent Sensor-Actuator-Systems Laboratory ISAS Institute for Anthropomatics
More informationEstimating Gaussian Mixture Densities with EM A Tutorial
Estimating Gaussian Mixture Densities with EM A Tutorial Carlo Tomasi Due University Expectation Maximization (EM) [4, 3, 6] is a numerical algorithm for the maximization of functions of several variables
More informationHow to Estimate the Success Rate of Higher-Order Side-Channel Attacks
How to Estimate the Success Rate of Higher-Order Side-Channel Attacks Victor Lomné 1, Emmanuel Prouff 1, Matthieu Rivain 2, Thomas Roche 1, and Adrian Thillard 1,3 1 ANSSI firstname.name@ssi.gouv.fr 2
More informationFormal Verification of Side-Channel Countermeasures
Formal Verification of Side-Channel Countermeasures Sonia Belaïd June 5th 2018 1 / 35 1 Side-Channel Attacks 2 Masking 3 Formal Tools Verification of Masked Implementations at Fixed Order Verification
More information10-701/15-781, Machine Learning: Homework 4
10-701/15-781, Machine Learning: Homewor 4 Aarti Singh Carnegie Mellon University ˆ The assignment is due at 10:30 am beginning of class on Mon, Nov 15, 2010. ˆ Separate you answers into five parts, one
More informationImproved Collision-Correlation Power Analysis on First Order Protected AES
Improved Collision-Correlation Power Analysis on First Order Protected AES Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent Verneuil To cite this version: Christophe Clavier,
More informationMutual Information Analysis
Mutual Information Analysis A Universal Differential Side-Channel Attack Benedikt Gierlichs 1, Lejla Batina 1, and Pim Tuyls 1,2 1 K.U. Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee,
More informationMasking the GLP Lattice-Based Signature Scheme at any Order
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin
More informationCS293 Report Side Channel Attack with Machine Learning
000 001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050
More informationF denotes cumulative density. denotes probability density function; (.)
BAYESIAN ANALYSIS: FOREWORDS Notation. System means the real thing and a model is an assumed mathematical form for the system.. he probability model class M contains the set of the all admissible models
More informationMultiple-Differential Side-Channel Collision Attacks on AES
Multiple-Differential Side-Channel Collision Attacks on AES Andrey Bogdanov Horst Görtz Institute for IT Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de www.crypto.rub.de Abstract. In
More informationFormal Verification of Masked Implementations
Formal Verification of Masked Implementations Sonia Belaïd Benjamin Grégoire CHES 2018 - Tutorial September 9th 2018 1 / 47 1 Side-Channel Attacks and Masking 2 Formal Tools for Verification at Fixed Order
More informationThe myth of generic DPA... and the magic of learning
The myth of generic DPA... and the magic of learning Carolyn Whitnall 1, Elisabeth Oswald 1, and François-Xavier Standaert 2 1 University of Bristol, Department of Computer Science, Merchant Venturers
More informationA Unified Framework for the Analysis of Side-Channel Key Recovery Attacks
A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks François-Xavier Standaert 1, Tal G. Malkin 2, Moti Yung 2,3 1 UCL Crypto Group, Université Catholique de Louvain. 2 Dept. of Computer
More informationEfficient Template Attacks Based on Probabilistic Multi-class Support Vector Machines
Efficient Template Attacks Based on Probabilistic Multi-class Support Vector Machines Timo Bartkewitz and Kerstin Lemke-Rust Department of Computer Science, Bonn-Rhine-Sieg University of Applied Sciences,
More informationAlgebraic Side-Channel Attacks
Algebraic Side-Channel Attacks Mathieu Renauld, François-Xavier Standaert UCL Crypto Group, Université catholique de Louvain, B-1348 Louvain-la-Neuve. e-mails: mathieu.renauld,fstandae@uclouvain.be Abstract.
More informationOn the Practical Security of a Leakage Resilient Masking Scheme
On the Practical Security of a Leakage Resilient Masking Scheme T. Roche thomas.roche@ssi.gouv.fr Joint work with E. Prouff and M. Rivain French Network and Information Security Agency (ANSSI) CryptoExperts
More informationDifferential Power Analysis Attacks Based on the Multiple Correlation Coefficient Xiaoke Tang1,a, Jie Gan1,b, Jiachao Chen2,c, Junrong Liu3,d
4th International Conference on Sensors, Measurement and Intelligent Materials (ICSMIM 2015) Differential Power Analysis Attacks Based on the Multiple Correlation Coefficient Xiaoke Tang1,a, Jie Gan1,b,
More informationRandom Active Shield FDTC 2012, Leuven, Belgium.
Random Active Shield FDTC 2012, Leuven, Belgium. Sébastien BRIAIS 1, Jean-Michel CIORANESCO 2,3, Jean-Luc DANGER 1,4, Sylvain GUILLEY 1,4, David NACCACHE 3,5 and Thibault PORTEBOEUF 1. 1 Secure-IC S.A.S.,
More information4: Parameter Estimation in Fully Observed BNs
10-708: Probabilistic Graphical Models 10-708, Spring 2015 4: Parameter Estimation in Fully Observed BNs Lecturer: Eric P. Xing Scribes: Purvasha Charavarti, Natalie Klein, Dipan Pal 1 Learning Graphical
More informationHidden Markov Models
Hidden Markov Models CI/CI(CS) UE, SS 2015 Christian Knoll Signal Processing and Speech Communication Laboratory Graz University of Technology June 23, 2015 CI/CI(CS) SS 2015 June 23, 2015 Slide 1/26 Content
More informationMultiple-Differential Side-Channel Collision Attacks on AES
Multiple-Differential Side-Channel Collision Attacks on AES Andrey Bogdanov Horst Görtz Institute for IT Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de, www.crypto.rub.de Abstract. In
More informationSoft Analytical Side-Channel Attacks
Soft Analytical Side-Channel Attacks Nicolas Veyrat-Charvillon, Benoît Gérard 2, François-Xavier Standaert 3. IRISA-CAIRN, Campus ENSSAT, 2235 Lannion, France. 2 DGA Maîtrise de l Information, 35998 Rennes,
More informationManifold Learning Towards Masking Implementations: A First Study
Manifold Learning Towards Masking Implementations: A First Study Changhai Ou, Degang Sun, Zhu Wang, Xinping Zhou and Wei Cheng Institute of Information Engineering, Chinese Academy of Sciences 2 School
More informationLecture 3: Pattern Classification
EE E6820: Speech & Audio Processing & Recognition Lecture 3: Pattern Classification 1 2 3 4 5 The problem of classification Linear and nonlinear classifiers Probabilistic classification Gaussians, mixtures
More informationDPA-Resistance without routing constraints?
Introduction Attack strategy Experimental results Conclusion Introduction Attack strategy Experimental results Conclusion Outline DPA-Resistance without routing constraints? A cautionary note about MDPL
More informationThe PAC Learning Framework -II
The PAC Learning Framework -II Prof. Dan A. Simovici UMB 1 / 1 Outline 1 Finite Hypothesis Space - The Inconsistent Case 2 Deterministic versus stochastic scenario 3 Bayes Error and Noise 2 / 1 Outline
More informationEfficient Conversion Method from Arithmetic to Boolean Masking in Constrained Devices
Efficient Conversion Method from Arithmetic to Boolean Masing in Constrained Devices Yoo-Seung Won 1 and Dong-Gu Han 1,2 1 Department of Financial Information Security, Koomin University, Seoul, Korea
More informationProtecting AES with Shamir s Secret Sharing Scheme
Protecting AES with Shamir s Secret Sharing Scheme Louis Goubin 1 and Ange Martinelli 1,2 1 Versailles Saint-Quentin-en-Yvelines University Louis.Goubin@prism.uvsq.fr 2 Thales Communications jean.martinelli@fr.thalesgroup.com
More informationChannel Probing in Communication Systems: Myopic Policies Are Not Always Optimal
Channel Probing in Communication Systems: Myopic Policies Are Not Always Optimal Matthew Johnston, Eytan Modiano Laboratory for Information and Decision Systems Massachusetts Institute of Technology Cambridge,
More informationAlgebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model
Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model Yossef Oren 1, Mathieu Renauld 2, François-Xavier Standaert 2, Avishai Wool 1 1 Cryptography and Network Security Lab, School of Electrical
More informationEnhancing the Signal to Noise Ratio
Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline
More informationRevisiting a Masked Lookup-Table Compression Scheme
Revisiting a Masked Lookup-Table Compression Scheme Srinivas Vivek University of Bristol, UK sv.venkatesh@bristol.ac.uk Abstract. Lookup-table based side-channel countermeasure is the prime choice for
More informationNaïve Bayes classification
Naïve Bayes classification 1 Probability theory Random variable: a variable whose possible values are numerical outcomes of a random phenomenon. Examples: A person s height, the outcome of a coin toss
More informationThe Method of Types and Its Application to Information Hiding
The Method of Types and Its Application to Information Hiding Pierre Moulin University of Illinois at Urbana-Champaign www.ifp.uiuc.edu/ moulin/talks/eusipco05-slides.pdf EUSIPCO Antalya, September 7,
More informationChapter 2 The Naïve Bayes Model in the Context of Word Sense Disambiguation
Chapter 2 The Naïve Bayes Model in the Context of Word Sense Disambiguation Abstract This chapter discusses the Naïve Bayes model strictly in the context of word sense disambiguation. The theoretical model
More informationSide-Channel Attacks on Threshold Implementations using a Glitch Algebra
Side-Channel Attacks on Threshold Implementations using a Glitch Algebra Serge Vaudenay EPFL CH-1015 Lausanne, Switzerland http://lasec.epfl.ch Abstract. Threshold implementations allow to implement circuits
More informationAlgebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model
Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model Yossef Oren 1, Mathieu Renauld 2, François-Xavier Standaert 2, Avishai Wool 1 1 Cryptography and Network Security Lab, School of Electrical
More informationIntro. ANN & Fuzzy Systems. Lecture 15. Pattern Classification (I): Statistical Formulation
Lecture 15. Pattern Classification (I): Statistical Formulation Outline Statistical Pattern Recognition Maximum Posterior Probability (MAP) Classifier Maximum Likelihood (ML) Classifier K-Nearest Neighbor
More informationAdvanced Machine Learning
Advanced Machine Learning Nonparametric Bayesian Models --Learning/Reasoning in Open Possible Worlds Eric Xing Lecture 7, August 4, 2009 Reading: Eric Xing Eric Xing @ CMU, 2006-2009 Clustering Eric Xing
More informationLecture 4: State Estimation in Hidden Markov Models (cont.)
EE378A Statistical Signal Processing Lecture 4-04/13/2017 Lecture 4: State Estimation in Hidden Markov Models (cont.) Lecturer: Tsachy Weissman Scribe: David Wugofski In this lecture we build on previous
More informationHow to Certify the Leakage of a Chip?
How to Certify the Leakage of a Chip? François Durvaux, François-Xavier Standaert, Nicolas Veyrat-Charvillon UCL Crypto Group, Université catholique de Louvain. Place du Levant 3, B-1348, Louvain-la-Neuve,
More informationStatistical learning. Chapter 20, Sections 1 3 1
Statistical learning Chapter 20, Sections 1 3 Chapter 20, Sections 1 3 1 Outline Bayesian learning Maximum a posteriori and maximum likelihood learning Bayes net learning ML parameter learning with complete
More informationA Novel Use of Kernel Discriminant Analysis as a Higher-Order Side-Channel Distinguisher
A Novel Use of Kernel Discriminant Analysis as a Higher-Order Side-Channel Distinguisher Xinping Zhou 1,2,, Carolyn Whitnall 3, Elisabeth Oswald 3, Degang Sun 1,2, and Zhu Wang 1,2 1 Institute of Information
More informationInformation Theoretical Analysis of Digital Watermarking. Multimedia Security
Information Theoretical Analysis of Digital Watermaring Multimedia Security Definitions: X : the output of a source with alphabet X W : a message in a discrete alphabet W={1,2,,M} Assumption : X is a discrete
More informationAlgebraic Methods in Side-Channel Collision Attacks and Practical Collision Detection
Algebraic Methods in Side-Channel Collision Attacks and Practical Collision Detection Andrey Bogdanov 1, Ilya Kizhvatov 2, and Andrey Pyshkin 3 1 Horst Görtz Institute for Information Security Ruhr-University
More informationPolynomial direct sum masking to protect against both SCA and FIA
Polynomial direct sum masking to protect against both SCA and FIA Claude Carlet, Abderrahman Daif, Sylvain Guilley, Cédric Tavernier November 27, 2017 Abstract Side Channel Attacks (SCA) and Fault Injection
More informationOn the Optimality of Correlation Power Attack on Embedded Cryptographic Systems
On the Optimality of Correlation Power Attack on Embedded Cryptographic Systems Youssef Souissi 1, Nicolas Debande 1,2,SamiMekki 1, Sylvain Guilley 1, Ali Maalaoui 3, and Jean-Luc Danger 1 1 TELECOM ParisTech,
More informationOn the Use of Masking to Defeat Power-Analysis Attacks
1/32 On the Use of Masking to Defeat Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd Outline Power-Analysis Attacks Masking Countermeasure Leakage Models Security
More information