Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi

Similar documents
How to Evaluate Side-Channel Leakages

Introduction to Side Channel Analysis. Elisabeth Oswald University of Bristol

Random Delay Insertion: Effective Countermeasure against DPA on FPGAs

Side Channel Analysis and Protection for McEliece Implementations

DPA-Resistance without routing constraints?

Information Security Theory vs. Reality

Correlation Power Analysis. Chujiao Ma

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys

On the Use of Masking to Defeat Power-Analysis Attacks

Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA)

Channel Equalization for Side Channel Attacks

Comparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d

Differential Power Analysis Attacks Based on the Multiple Correlation Coefficient Xiaoke Tang1,a, Jie Gan1,b, Jiachao Chen2,c, Junrong Liu3,d

Masking and Dual-rail Logic Don't Add Up

Several Masked Implementations of the Boyar-Peralta AES S-Box

Start Simple and then Refine: Bias-Variance Decomposition as a Diagnosis Tool for Leakage Profiling

Towards Sound and Optimal Leakage Detection Procedure

A Theoretical Study of Kolmogorov-Smirnov Distinguishers Side-Channel Analysis vs Differential Cryptanalysis

Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations

Comprehensive Evaluation of AES Dual Ciphers as a Side-Channel Countermeasure

A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks

First-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure

Lightweight Cryptography Meets Threshold Implementation: A Case Study for Simon

Side-channel attacks on PKC and countermeasures with contributions from PhD students

Intro to Physical Side Channel Attacks

High-Resolution EM Attacks Against Leakage-Resilient PRFs Explained

Statistical Analysis for Access-Driven Cache Attacks Against AES

Algebraic Methods in Side-Channel Collision Attacks and Practical Collision Detection

Systematic Construction and Comprehensive Evaluation of Kolmogorov-Smirnov Test Based Side-Channel Distinguishers

Sliding-Window Correlation Attacks Against Encryption Devices with an Unstable Clock

Making Masking Security Proofs Concrete

Partition vs. Comparison Side-Channel Distinguishers

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers

A DPA attack on RSA in CRT mode

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers

Practical CCA2-Secure and Masked Ring-LWE Implementation

Amortizing Randomness Complexity in Private Circuits

Branch Prediction based attacks using Hardware performance Counters IIT Kharagpur

Success through confidence: Evaluating the effectiveness of a side-channel attack.

Mutual Information Analysis: a Comprehensive Study

Masking the GLP Lattice-Based Signature Scheme at Any Order

Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes

My traces learn what you did in the dark: recovering secret signals without key guesses

CS293 Report Side Channel Attack with Machine Learning

SNR to Success Rate: Reaching the Limit of Non-Profiling DPA

Full Collision Attack: Pushing the Limits of Exhaustible Key Spaces

The Curse of Class Imbalance and Conflicting Metrics with Machine Learning for Side-channel Evaluations

Generic Side-Channel Distinguishers: Improvements and Limitations

Masking AES with d + 1 Shares in Hardware

Side-channel analysis in code-based cryptography

Mutual Information Analysis: a Comprehensive Study

Block Ciphers and Side Channel Protection

Analysis of cryptographic hash functions

Consolidating Masking Schemes

Collision-Correlation Attack against some 1 st -order Boolean Masking Schemes in the Context of Secure Devices

Rejection regions for the bivariate case

Investigations of Power Analysis Attacks on Smartcards *

Side-Channel Leakage in Masked Circuits Caused by Higher-Order Circuit Effects

Exponent Blinding Does not Always Lift (Partial) SPA Resistance to Higher-Level Security

Formal Verification of Side-Channel Countermeasures

Mutual Information Coefficient Analysis

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Elliptic Curve Cryptography and Security of Embedded Devices

Affine Masking against Higher-Order Side Channel Analysis

Consolidating Security Notions in Hardware Masking

LAB 2. HYPOTHESIS TESTING IN THE BIOLOGICAL SCIENCES- Part 2

Consolidating Inner Product Masking

Multiple-Differential Side-Channel Collision Attacks on AES

NICV: Normalized Inter-Class Variance for Detection of Side-Channel Leakage

A Statistics-based Fundamental Model for Side-channel Attack Analysis

DIFFERENTIAL POWER ANALYSIS MODEL AND SOME RESULTS

Lecture 13: Sequential Circuits, FSM

Linear Cryptanalysis of Reduced-Round Speck

Side-Channel Analysis on Blinded Regular Scalar Multiplications

Differential Power Analysis of a McEliece Cryptosystem

Practical Free-Start Collision Attacks on 76-step SHA-1

Computers and Mathematics with Applications

Hardware Security Side channel attacks

Garbled Circuits for Leakage-Resilience: Hardware Implementation and Evaluation of One-Time Programs

* Tuesday 17 January :30-16:30 (2 hours) Recored on ESSE3 General introduction to the course.

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Review: General Approach to Hypothesis Testing. 1. Define the research question and formulate the appropriate null and alternative hypotheses.

A Stochastic Model for Differential Side Channel Cryptanalysis

How to Estimate the Success Rate of Higher-Order Side-Channel Attacks

Algebraic Side-Channel Attacks

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking

Multi-target DPA attacks: Pushing DPA beyond the limits of a desktop computer

Linear Regression Side Channel Attack Applied on Constant XOR

Masking the GLP Lattice-Based Signature Scheme at any Order

EC2001 Econometrics 1 Dr. Jose Olmo Room D309

Lecture 7: CPA Security, MACs, OWFs

A semi-device-independent framework based on natural physical assumptions

CRYPTOGRAPHIC COMPUTING

Achilles Heel: the Unbalanced Mask Sets May Destroy a Masking Countermeasure

Decomposed S-Boxes and DPA Attacks: A Quantitative Case Study using PRINCE

HYPOTHESIS TESTING. Hypothesis Testing

Template Attacks with Partial Profiles and Dirichlet Priors: Application to Timing Attacks June 18, 2016

A New Framework for Constraint-Based Probabilistic Template Side Channel Attacks

Mutual Information Analysis

White-Box Cryptography

Transcription:

Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi Wednesday, September 16 th, 015

Motivation Security Evaluation

Motivation Security Evaluation 3

Motivation Security Evaluation 4

Motivation Security Evaluation Does the chip leak information? Problem: Evaluation is not trivial. 5

Motivation Security Evaluation Does the chip leak information? Problem: Evaluation is not trivial. Non-Invasive Attack Testing Workshop, 011 Goal: Establish testing methodology capable of robustly assessing the physical vulnerability of cryptographic devices. 6

Motivation Attack-based Testing Perform state-of-the-art attacks on the device under test (DUT) Attacks Types: DPA CPA MIA Intermediate Values: Sbox In Sbox Out Sbox In/Out Leakage Models: HW HD Bit 7

Motivation Attack-based Testing Perform state-of-the-art attacks on the device under test (DUT) Attacks Types: DPA CPA MIA Intermediate Values: Sbox In Sbox Out Sbox In/Out Leakage Models: HW HD Bit Problems: High computational complexity Requires lot of expertise Does not cover all possible attack vectors 8

Motivation Testing based on t-test Tries to detect any type of leakage at a certain order Proposed by CRI at NIST workshop Advantages: Independent of architecture Independent of attack model Fast & simple Versatile 9

Motivation Testing based on t-test Tries to detect any type of leakage at a certain order Proposed by CRI at NIST workshop Advantages: Independent of architecture Independent of attack model Fast & simple Versatile Problems: No information about hardness of attack Possible false positives if no care about evaluation setup 10

Contribution 1. Explain statistical background in a (hopefully) more understandable way. More detailed discussion of higher-order testing 3. Hints how to design fast & correct measurement setup 4. Optimization of analysis phase 11

Statistical Background t-test 1

Statistical Background t-test 13

Statistical Background t-test Sample Q 0 Sample Q 1 14

Statistical Background t-test Sample Q 0 Sample Q 1 Null Hypothesis: Two population means are equal. 15

Statistical Background t-test Sample Q 0 Sample Q 1 16

Statistical Background t-test Sample Q 0 Sample Q 1 Sample mean: Sample variance: Sample size: μ 0 s 0 n 0 μ 1 s 1 n 1 17

Statistical Background t-test Sample Q 0 Sample Q 1 Sample mean: Sample variance: Sample size: μ 0 s 0 n 0 μ 1 s 1 n 1 Degree of freedom v = s 0 n 0 s 0 n 0 + s 1 n 1 s 1 n 1 n 0 1 + n 1 1 t = μ 0 μ 1 s 0 n 0 + s 1 n 1 t-test statistic 18

Statistical Background t-test t v Estimate the probability to accept null hypothesis with Student s t distribution: f t, v = Γ v + 1 πv Γ v 1 + t v v+1 Compute: p = t f t, v dt 19

Statistical Background t-test t v Estimate the probability to accept null hypothesis with Student s t distribution: f t, v = Γ v + 1 πv Γ v 1 + t v v+1 Compute: p = t f t, v dt Small p values give evidence to reject the null hypothesis 0

Statistical Background t-test For testing usually only the t-value is estimated Compared to a threshold of t > 4.5 p = F 4.5, v > 1000 < 0.00001 Confidence of > 0.99999 to reject the null hypothesis 1

Testing Methodology Specific t-test Non-Specific t-test

Testing Methodology Specific t-test Measurements T i With Associated Data D i Specific t-test: Key is known to enable correct partitioning Test is conducted at each sample point separately (univariate) If corresponding t-test exceeds threshold DPA probable 3

Testing Methodology Specific t-test target bit D i = 0 Measurements T i With Associated Data D i Q 0 Specific t-test: Key is known to enable correct partitioning Test is conducted at each sample point separately (univariate) If corresponding t-test exceeds threshold DPA probable 4

Testing Methodology Specific t-test target bit D i = 0 Measurements T i With Associated Data D i target bit D i = 1 Q 0 Q 1 Specific t-test: Key is known to enable correct partitioning Test is conducted at each sample point separately (univariate) If corresponding t-test exceeds threshold DPA probable 5

Testing Methodology Non-Specific t-test Non-Specific t-test: fixed vs. random t-test Avoids being dependent on any intermediate value/model Detected leakage of single test is not always exploitable Semi-fixed vs. random t-test useful in certain cases 6

Testing Methodology Non-Specific t-test Non-Specific t-test: fixed vs. random t-test Avoids being dependent on any intermediate value/model Detected leakage of single test is not always exploitable Semi-fixed vs. random t-test useful in certain cases Measurements T j With Fixed Associated Data D Q 0 7

Testing Methodology Non-Specific t-test Non-Specific t-test: fixed vs. random t-test Avoids being dependent on any intermediate value/model Detected leakage of single test is not always exploitable Semi-fixed vs. random t-test useful in certain cases Measurements T j With Fixed Associated Data D Measurements T i With Random Associated Data D i Q 0 Q 1 8

Higher-Order Testing Multivariate Univariate 9

Higher-Order Testing Multivariate Multivariate: Sensitive variable is shared: S = S 1 S Shares are processed at different time instances (SW) Leakages at different time instances need to be combined first 30

Higher-Order Testing Multivariate Multivariate: S 1 Sensitive variable is shared: S = S 1 S Shares are processed at different time instances (SW) Leakages at different time instances need to be combined first 31

Higher-Order Testing Multivariate Multivariate: S 1 S Sensitive variable is shared: S = S 1 S Shares are processed at different time instances (SW) Leakages at different time instances need to be combined first 3

Higher-Order Testing Multivariate Multivariate: S 1 S Sensitive variable is shared: S = S 1 S Shares are processed at different time instances (SW) Leakages at different time instances need to be combined first Centered Product: x = x 1 μ 1 x μ 33

Higher-Order Testing Univariate Univariate: S 1 S Shares are processed in parallel (HW) Leakages at the same time instance need to be combined first 34

Higher-Order Testing Univariate Univariate: S 1 S Shares are processed in parallel (HW) Leakages at the same time instance need to be combined first Variance: x = x μ In some cases: x = x μ s d In general: x = x μ d 35

Correct Measurement Setup Case Study: Microcontroller Case Study: FPGA 36

Correct Measurement Setup PC Control Plaintext Ciphertext Target Pitfalls: Order of fixed and random inputs should be random as well Communication between Control and Target should be masked (if possible) Measure Oscilloscope Trigger 37

Correct Measurement Setup PC Control Plaintext Ciphertext Target Pitfalls: Order of fixed and random inputs should be random as well Communication between Control and Target should be masked (if possible) Measure Oscilloscope Trigger 38

Correct Measurement CS: Microcontroller AES with masking & shuffling (DPA contest v4.) No shared communication First-order test 39

Correct Measurement CS: Microcontroller AES with masking & shuffling (DPA contest v4.) No shared communication First-order test Leakage associated to unmasked plaintext 40

Correct Measurement CS: Microcontroller Detectable first order leakage 41

Correct Measurement CS: FPGA First Order Second Order A note on the security of Higher-Order Threshold Implementations Oscar Reparaz, eprint Report 015/001 4

Correct Measurement CS: FPGA First Order Second Order A note on the security of Higher-Order Threshold Implementations Oscar Reparaz, eprint Report 015/001 43

Correct Measurement CS: FPGA First Order Second Order Fifth Order Second Order (bivariate) A note on the security of Higher-Order Threshold Implementations Oscar Reparaz, eprint Report 015/001 44

Efficient Computation Classical Approach Incremental Multivariate Parallelization 45

Efficient Computation Classical Approach Time Measurement Phase T 0 46

Efficient Computation Classical Approach Time Measurement Phase T 0 T 1 47

Efficient Computation Classical Approach Time Measurement Phase T 0 T 1 T T n 1 48

Efficient Computation Classical Approach Time Measurement Phase Analysis Phase T 0 T 1 T t-test T n 1 49

Efficient Computation Classical Approach Time Measurement Phase Analysis Phase T 0 T 1 T t-test Result T n 1 50

Efficient Computation Classical Approach t-test t = μ 0 μ 1 s 0 n 0 + s 1 n 1 Reminder: μ = E T Requires estimation of: μ 0, s 0 μ 1, s 1 s = E T μ 51

Efficient Computation Classical Approach t-test t = μ 0 μ 1 s 0 n 0 + s 1 n 1 Reminder: μ = E T Requires estimation of: μ 0, s 0 μ 1, s 1 s = E T μ T 0 T 1 T n 1 5

Efficient Computation Classical Approach t-test t = μ 0 μ 1 s 0 n 0 + s 1 n 1 Reminder: μ = E T Requires estimation of: μ 0, s 0 μ 1, s 1 s = E T μ Pass 1 T 0 T 1 μ = E T T n 1 53

Efficient Computation Classical Approach t-test t = μ 0 μ 1 s 0 n 0 + s 1 n 1 Reminder: μ = E T Requires estimation of: μ 0, s 0 μ 1, s 1 s = E T μ Pass 1 Pass T 0 T 1 μ = E T s = E T μ T n 1 54

Efficient Computation Classical Approach t-test t = μ 0 μ 1 s 0 n 0 + s 1 n 1 Reminder: μ = E T Requires estimation of: μ 0, s 0 μ 1, s 1 s = E T μ Pass 1 Pass Pass 3 T 0 T 1 μ = E T s = E T μ Required for certain higher-order tests T n 1 55

Efficient Computation Classical Approach Problems: 1) Measurement phase need to be completed ) All measurements need to be stored 3) Traces need to be loaded multiple times Solution: Incremental Computation 56

Efficient Computation Incremental Idea: Update intermediate values for each new trace T 0 57

Efficient Computation Incremental Idea: Update intermediate values for each new trace T 0 μ, s 58

Efficient Computation Incremental Idea: Update intermediate values for each new trace T 0 T 1 μ, s μ, s 59

Efficient Computation Incremental Idea: Update intermediate values for each new trace T 0 T 1 T n 1 μ, s μ, s μ, s μ, s Higher-order tests require the computation of additional values 60

Efficient Computation Incremental Idea: Update intermediate values for each new trace T 0 T 1 T n 1 μ, s μ, s μ, s μ, s Higher-order tests require the computation of additional values Advantages: 1) Can be run in parallel to measurement phase ) Does not require that all measurements are stored 3) Loads each trace only once 61

Efficient Computation Incremental Problem: Computation of intermediate values 6

Efficient Computation Incremental Problem: Computation of intermediate values Approach 1: Use raw moments d th -order raw moment: M d = E T d Given: M 1 M Compute: μ = M 1 s = M M 1 63

Efficient Computation Incremental Problem: Computation of intermediate values Approach 1: Use raw moments d th -order raw moment: M d = E T d Given: M 1 M Compute: μ = M 1 s = M M 1 Higher-order test require additional moments Example: Univariate 1 st -5 th order tests require M 1 M 10 64

Efficient Computation Incremental T 0 T 1 T n 1 M 1 M 10 M 1 M 10 M 1 M 10 M 1 M 10 65

Efficient Computation Incremental T 0 T 1 T n 1 M 1 M 10 M 1 M 10 M 1 M 10 M 1 M 10 t-test Result 66

Efficient Computation Incremental T 0 T 1 T n 1 M 1 M 10 M 1 M 10 M 1 M 10 M 1 M 10 t-test t-test Result Result 67

Efficient Computation Incremental T 0 T 1 T n 1 M 1 M 10 M 1 M 10 M 1 M 10 M 1 M 10 Easy to find update formulas for: M d = n 1 i=0 Ti d n Problem: Numerical unstable for large number of traces t-test Result 68

Efficient Computation Incremental T 0 T 1 T n 1 M 1 M 10 M 1 M 10 M 1 M 10 M 1 M 10 Easy to find update formulas for: M d = n 1 i=0 Ti d n Problem: Numerical unstable for large number of traces Example: Computation of variance based on simulations (100M traces ) with N 100,5 t-test Result Method Order 1 Order Order 3 Order 4 Order 5 3-Pass 5.08399 158.18874 15.00039 96.0834 947.553 Raw 5.08399 158.1413 14.498-1160.83799-193918.83401 69

Efficient Computation Incremental Approach : Use central moments (and M 1 ) d th -order central moment: CM d = E (T μ) d Given: M 1 CM Compute: μ = M 1 s = CM 70

Efficient Computation Incremental Approach : Use central moments (and M 1 ) d th -order central moment: CM d = E (T μ) d Given: M 1 CM Compute: μ = M 1 s = CM Not that easy to find update formulas for: CM d = n 1 i=0 Ti μ d n Multivariate tests require adjusted formulas 71

Efficient Computation Incremental Incremental formulas for tests at arbitrary orders can be found in the paper. Comparison to the raw moments approach: Slightly higher computational effort Less numerical problems, higher accuracy Method Order 1 Order Order 3 Order 4 Order 5 3-Pass 5.08399 158.18874 15.00039 96.0834 947.553 Raw 5.08399 158.1413 14.498-1160.83799-193918.83401 Ours 5.08399 158.18874 15.00039 96.0834 947.553 7

Efficient Computation Parallelization Trace n t n,0 t n,1 t n, t n,3 t n,4 Trace n+1 t n+1,0 t n+1,1 t n+1, t n+1,3 t n+1,4 73

Efficient Computation Parallelization Trace n t n,0 t n,1 t n, t n,3 t n,4 Trace n+1 t n+1,0 t n+1,1 t n+1, t n+1,3 t n+1,4 Thread 0 Thread 1 Thread Thread 3 Thread 4 74

Efficient Computation Parallelization Trace n t n,0 t n,1 t n, t n,3 t n,4 Trace n+1 t n+1,0 t n+1,1 t n+1, t n+1,3 t n+1,4 Thread 0 Thread 1 Thread Thread 3 Thread 4 Trace n t n,0 t n,1 t n, t n,3 t n,4 Thread 0 Trace n+1 t n+1,0 t n+1,1 t n+1, t n+1,3 t n+1,4 Thread 1 75

Efficient Computation Parallelization Trace n Thread 0 Thread t n,0 t n,1 t n, t n,3 t n,4 Trace n+1 t n+1,0 t n+1,1 t n+1, t n+1,3 t n+1,4 Thread 1 Thread 3 Example: 1 st -5 th order t-test 100,000,000 traces (each with 3,000 sample points) 9h on x Intel Xeon X5670 CPUs @.93 GHz (4 hyper-threading cores) 76

Conclusion Recommendations Summary Future Work 77

Conclusion Recommendations Fixed vs. random: DUT with masking countermeasure With masked communication Semi-fixed vs. random: DUT with hiding countermeasure Without masked communication Specific t-test: DUT with no countermeasures Failed in former non-specific tests Identify suitable intermediate values for key recovery 78

Conclusion Summary Testing based on the t-test is simple and fast Has become popular in recent years Things to consider: Correct measurement phase is critical Analysis phase can be strongly optimized Higher-order testing easily possible Additional important aspects: Alignment and signal processing is necessary Finding of points of interest 79

Conclusion Future Work Incremental computing for other attacks/evaluation techniques Robust and One-Pass Parallel Computation of Correlation-Based Attacks at Arbitrary Order Tobias Schneider, Amir Moradi, Tim Güneysu, eprint Report 015/571 CPA MCP-DPA MCC-DPA 80

Thanks for Listening! Any Questions? 81

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback