Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi Wednesday, September 16 th, 015
Motivation Security Evaluation
Motivation Security Evaluation 3
Motivation Security Evaluation 4
Motivation Security Evaluation Does the chip leak information? Problem: Evaluation is not trivial. 5
Motivation Security Evaluation Does the chip leak information? Problem: Evaluation is not trivial. Non-Invasive Attack Testing Workshop, 011 Goal: Establish testing methodology capable of robustly assessing the physical vulnerability of cryptographic devices. 6
Motivation Attack-based Testing Perform state-of-the-art attacks on the device under test (DUT) Attacks Types: DPA CPA MIA Intermediate Values: Sbox In Sbox Out Sbox In/Out Leakage Models: HW HD Bit 7
Motivation Attack-based Testing Perform state-of-the-art attacks on the device under test (DUT) Attacks Types: DPA CPA MIA Intermediate Values: Sbox In Sbox Out Sbox In/Out Leakage Models: HW HD Bit Problems: High computational complexity Requires lot of expertise Does not cover all possible attack vectors 8
Motivation Testing based on t-test Tries to detect any type of leakage at a certain order Proposed by CRI at NIST workshop Advantages: Independent of architecture Independent of attack model Fast & simple Versatile 9
Motivation Testing based on t-test Tries to detect any type of leakage at a certain order Proposed by CRI at NIST workshop Advantages: Independent of architecture Independent of attack model Fast & simple Versatile Problems: No information about hardness of attack Possible false positives if no care about evaluation setup 10
Contribution 1. Explain statistical background in a (hopefully) more understandable way. More detailed discussion of higher-order testing 3. Hints how to design fast & correct measurement setup 4. Optimization of analysis phase 11
Statistical Background t-test 1
Statistical Background t-test 13
Statistical Background t-test Sample Q 0 Sample Q 1 14
Statistical Background t-test Sample Q 0 Sample Q 1 Null Hypothesis: Two population means are equal. 15
Statistical Background t-test Sample Q 0 Sample Q 1 16
Statistical Background t-test Sample Q 0 Sample Q 1 Sample mean: Sample variance: Sample size: μ 0 s 0 n 0 μ 1 s 1 n 1 17
Statistical Background t-test Sample Q 0 Sample Q 1 Sample mean: Sample variance: Sample size: μ 0 s 0 n 0 μ 1 s 1 n 1 Degree of freedom v = s 0 n 0 s 0 n 0 + s 1 n 1 s 1 n 1 n 0 1 + n 1 1 t = μ 0 μ 1 s 0 n 0 + s 1 n 1 t-test statistic 18
Statistical Background t-test t v Estimate the probability to accept null hypothesis with Student s t distribution: f t, v = Γ v + 1 πv Γ v 1 + t v v+1 Compute: p = t f t, v dt 19
Statistical Background t-test t v Estimate the probability to accept null hypothesis with Student s t distribution: f t, v = Γ v + 1 πv Γ v 1 + t v v+1 Compute: p = t f t, v dt Small p values give evidence to reject the null hypothesis 0
Statistical Background t-test For testing usually only the t-value is estimated Compared to a threshold of t > 4.5 p = F 4.5, v > 1000 < 0.00001 Confidence of > 0.99999 to reject the null hypothesis 1
Testing Methodology Specific t-test Non-Specific t-test
Testing Methodology Specific t-test Measurements T i With Associated Data D i Specific t-test: Key is known to enable correct partitioning Test is conducted at each sample point separately (univariate) If corresponding t-test exceeds threshold DPA probable 3
Testing Methodology Specific t-test target bit D i = 0 Measurements T i With Associated Data D i Q 0 Specific t-test: Key is known to enable correct partitioning Test is conducted at each sample point separately (univariate) If corresponding t-test exceeds threshold DPA probable 4
Testing Methodology Specific t-test target bit D i = 0 Measurements T i With Associated Data D i target bit D i = 1 Q 0 Q 1 Specific t-test: Key is known to enable correct partitioning Test is conducted at each sample point separately (univariate) If corresponding t-test exceeds threshold DPA probable 5
Testing Methodology Non-Specific t-test Non-Specific t-test: fixed vs. random t-test Avoids being dependent on any intermediate value/model Detected leakage of single test is not always exploitable Semi-fixed vs. random t-test useful in certain cases 6
Testing Methodology Non-Specific t-test Non-Specific t-test: fixed vs. random t-test Avoids being dependent on any intermediate value/model Detected leakage of single test is not always exploitable Semi-fixed vs. random t-test useful in certain cases Measurements T j With Fixed Associated Data D Q 0 7
Testing Methodology Non-Specific t-test Non-Specific t-test: fixed vs. random t-test Avoids being dependent on any intermediate value/model Detected leakage of single test is not always exploitable Semi-fixed vs. random t-test useful in certain cases Measurements T j With Fixed Associated Data D Measurements T i With Random Associated Data D i Q 0 Q 1 8
Higher-Order Testing Multivariate Univariate 9
Higher-Order Testing Multivariate Multivariate: Sensitive variable is shared: S = S 1 S Shares are processed at different time instances (SW) Leakages at different time instances need to be combined first 30
Higher-Order Testing Multivariate Multivariate: S 1 Sensitive variable is shared: S = S 1 S Shares are processed at different time instances (SW) Leakages at different time instances need to be combined first 31
Higher-Order Testing Multivariate Multivariate: S 1 S Sensitive variable is shared: S = S 1 S Shares are processed at different time instances (SW) Leakages at different time instances need to be combined first 3
Higher-Order Testing Multivariate Multivariate: S 1 S Sensitive variable is shared: S = S 1 S Shares are processed at different time instances (SW) Leakages at different time instances need to be combined first Centered Product: x = x 1 μ 1 x μ 33
Higher-Order Testing Univariate Univariate: S 1 S Shares are processed in parallel (HW) Leakages at the same time instance need to be combined first 34
Higher-Order Testing Univariate Univariate: S 1 S Shares are processed in parallel (HW) Leakages at the same time instance need to be combined first Variance: x = x μ In some cases: x = x μ s d In general: x = x μ d 35
Correct Measurement Setup Case Study: Microcontroller Case Study: FPGA 36
Correct Measurement Setup PC Control Plaintext Ciphertext Target Pitfalls: Order of fixed and random inputs should be random as well Communication between Control and Target should be masked (if possible) Measure Oscilloscope Trigger 37
Correct Measurement Setup PC Control Plaintext Ciphertext Target Pitfalls: Order of fixed and random inputs should be random as well Communication between Control and Target should be masked (if possible) Measure Oscilloscope Trigger 38
Correct Measurement CS: Microcontroller AES with masking & shuffling (DPA contest v4.) No shared communication First-order test 39
Correct Measurement CS: Microcontroller AES with masking & shuffling (DPA contest v4.) No shared communication First-order test Leakage associated to unmasked plaintext 40
Correct Measurement CS: Microcontroller Detectable first order leakage 41
Correct Measurement CS: FPGA First Order Second Order A note on the security of Higher-Order Threshold Implementations Oscar Reparaz, eprint Report 015/001 4
Correct Measurement CS: FPGA First Order Second Order A note on the security of Higher-Order Threshold Implementations Oscar Reparaz, eprint Report 015/001 43
Correct Measurement CS: FPGA First Order Second Order Fifth Order Second Order (bivariate) A note on the security of Higher-Order Threshold Implementations Oscar Reparaz, eprint Report 015/001 44
Efficient Computation Classical Approach Incremental Multivariate Parallelization 45
Efficient Computation Classical Approach Time Measurement Phase T 0 46
Efficient Computation Classical Approach Time Measurement Phase T 0 T 1 47
Efficient Computation Classical Approach Time Measurement Phase T 0 T 1 T T n 1 48
Efficient Computation Classical Approach Time Measurement Phase Analysis Phase T 0 T 1 T t-test T n 1 49
Efficient Computation Classical Approach Time Measurement Phase Analysis Phase T 0 T 1 T t-test Result T n 1 50
Efficient Computation Classical Approach t-test t = μ 0 μ 1 s 0 n 0 + s 1 n 1 Reminder: μ = E T Requires estimation of: μ 0, s 0 μ 1, s 1 s = E T μ 51
Efficient Computation Classical Approach t-test t = μ 0 μ 1 s 0 n 0 + s 1 n 1 Reminder: μ = E T Requires estimation of: μ 0, s 0 μ 1, s 1 s = E T μ T 0 T 1 T n 1 5
Efficient Computation Classical Approach t-test t = μ 0 μ 1 s 0 n 0 + s 1 n 1 Reminder: μ = E T Requires estimation of: μ 0, s 0 μ 1, s 1 s = E T μ Pass 1 T 0 T 1 μ = E T T n 1 53
Efficient Computation Classical Approach t-test t = μ 0 μ 1 s 0 n 0 + s 1 n 1 Reminder: μ = E T Requires estimation of: μ 0, s 0 μ 1, s 1 s = E T μ Pass 1 Pass T 0 T 1 μ = E T s = E T μ T n 1 54
Efficient Computation Classical Approach t-test t = μ 0 μ 1 s 0 n 0 + s 1 n 1 Reminder: μ = E T Requires estimation of: μ 0, s 0 μ 1, s 1 s = E T μ Pass 1 Pass Pass 3 T 0 T 1 μ = E T s = E T μ Required for certain higher-order tests T n 1 55
Efficient Computation Classical Approach Problems: 1) Measurement phase need to be completed ) All measurements need to be stored 3) Traces need to be loaded multiple times Solution: Incremental Computation 56
Efficient Computation Incremental Idea: Update intermediate values for each new trace T 0 57
Efficient Computation Incremental Idea: Update intermediate values for each new trace T 0 μ, s 58
Efficient Computation Incremental Idea: Update intermediate values for each new trace T 0 T 1 μ, s μ, s 59
Efficient Computation Incremental Idea: Update intermediate values for each new trace T 0 T 1 T n 1 μ, s μ, s μ, s μ, s Higher-order tests require the computation of additional values 60
Efficient Computation Incremental Idea: Update intermediate values for each new trace T 0 T 1 T n 1 μ, s μ, s μ, s μ, s Higher-order tests require the computation of additional values Advantages: 1) Can be run in parallel to measurement phase ) Does not require that all measurements are stored 3) Loads each trace only once 61
Efficient Computation Incremental Problem: Computation of intermediate values 6
Efficient Computation Incremental Problem: Computation of intermediate values Approach 1: Use raw moments d th -order raw moment: M d = E T d Given: M 1 M Compute: μ = M 1 s = M M 1 63
Efficient Computation Incremental Problem: Computation of intermediate values Approach 1: Use raw moments d th -order raw moment: M d = E T d Given: M 1 M Compute: μ = M 1 s = M M 1 Higher-order test require additional moments Example: Univariate 1 st -5 th order tests require M 1 M 10 64
Efficient Computation Incremental T 0 T 1 T n 1 M 1 M 10 M 1 M 10 M 1 M 10 M 1 M 10 65
Efficient Computation Incremental T 0 T 1 T n 1 M 1 M 10 M 1 M 10 M 1 M 10 M 1 M 10 t-test Result 66
Efficient Computation Incremental T 0 T 1 T n 1 M 1 M 10 M 1 M 10 M 1 M 10 M 1 M 10 t-test t-test Result Result 67
Efficient Computation Incremental T 0 T 1 T n 1 M 1 M 10 M 1 M 10 M 1 M 10 M 1 M 10 Easy to find update formulas for: M d = n 1 i=0 Ti d n Problem: Numerical unstable for large number of traces t-test Result 68
Efficient Computation Incremental T 0 T 1 T n 1 M 1 M 10 M 1 M 10 M 1 M 10 M 1 M 10 Easy to find update formulas for: M d = n 1 i=0 Ti d n Problem: Numerical unstable for large number of traces Example: Computation of variance based on simulations (100M traces ) with N 100,5 t-test Result Method Order 1 Order Order 3 Order 4 Order 5 3-Pass 5.08399 158.18874 15.00039 96.0834 947.553 Raw 5.08399 158.1413 14.498-1160.83799-193918.83401 69
Efficient Computation Incremental Approach : Use central moments (and M 1 ) d th -order central moment: CM d = E (T μ) d Given: M 1 CM Compute: μ = M 1 s = CM 70
Efficient Computation Incremental Approach : Use central moments (and M 1 ) d th -order central moment: CM d = E (T μ) d Given: M 1 CM Compute: μ = M 1 s = CM Not that easy to find update formulas for: CM d = n 1 i=0 Ti μ d n Multivariate tests require adjusted formulas 71
Efficient Computation Incremental Incremental formulas for tests at arbitrary orders can be found in the paper. Comparison to the raw moments approach: Slightly higher computational effort Less numerical problems, higher accuracy Method Order 1 Order Order 3 Order 4 Order 5 3-Pass 5.08399 158.18874 15.00039 96.0834 947.553 Raw 5.08399 158.1413 14.498-1160.83799-193918.83401 Ours 5.08399 158.18874 15.00039 96.0834 947.553 7
Efficient Computation Parallelization Trace n t n,0 t n,1 t n, t n,3 t n,4 Trace n+1 t n+1,0 t n+1,1 t n+1, t n+1,3 t n+1,4 73
Efficient Computation Parallelization Trace n t n,0 t n,1 t n, t n,3 t n,4 Trace n+1 t n+1,0 t n+1,1 t n+1, t n+1,3 t n+1,4 Thread 0 Thread 1 Thread Thread 3 Thread 4 74
Efficient Computation Parallelization Trace n t n,0 t n,1 t n, t n,3 t n,4 Trace n+1 t n+1,0 t n+1,1 t n+1, t n+1,3 t n+1,4 Thread 0 Thread 1 Thread Thread 3 Thread 4 Trace n t n,0 t n,1 t n, t n,3 t n,4 Thread 0 Trace n+1 t n+1,0 t n+1,1 t n+1, t n+1,3 t n+1,4 Thread 1 75
Efficient Computation Parallelization Trace n Thread 0 Thread t n,0 t n,1 t n, t n,3 t n,4 Trace n+1 t n+1,0 t n+1,1 t n+1, t n+1,3 t n+1,4 Thread 1 Thread 3 Example: 1 st -5 th order t-test 100,000,000 traces (each with 3,000 sample points) 9h on x Intel Xeon X5670 CPUs @.93 GHz (4 hyper-threading cores) 76
Conclusion Recommendations Summary Future Work 77
Conclusion Recommendations Fixed vs. random: DUT with masking countermeasure With masked communication Semi-fixed vs. random: DUT with hiding countermeasure Without masked communication Specific t-test: DUT with no countermeasures Failed in former non-specific tests Identify suitable intermediate values for key recovery 78
Conclusion Summary Testing based on the t-test is simple and fast Has become popular in recent years Things to consider: Correct measurement phase is critical Analysis phase can be strongly optimized Higher-order testing easily possible Additional important aspects: Alignment and signal processing is necessary Finding of points of interest 79
Conclusion Future Work Incremental computing for other attacks/evaluation techniques Robust and One-Pass Parallel Computation of Correlation-Based Attacks at Arbitrary Order Tobias Schneider, Amir Moradi, Tim Güneysu, eprint Report 015/571 CPA MCP-DPA MCC-DPA 80
Thanks for Listening! Any Questions? 81