SLIDE 1

A machine learning approach against a masked AES

L. LERMAN, S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH

Université Libre de Bruxelles, Faculty of Sciences, Department of Computer Sciences, Cryptography and Security Service & Machine Learning Group

CARDIS 2013

SLIDE 2

Context

Cryptography has been used for a long time for confidentiality purposes:

  • Mobile phones
  • Banks
  • Cars

SLIDE 3

Side channel attacks

  • The security of cryptography is reduced in real situations
  • It is possible to find the secret key by focusing on a side channel:
      • Timing attack (Kocher - 1996)
      • Electromagnetic attack (Gandolfi, Mourtel & Olivier - 2001)
      • Power monitoring attack (Kocher, Jaffe & Jun - 1999)

SLIDE 4

Power monitoring attack

SLIDE 5

EM leakage

[1]

$T_{(Q)} = \left\{ T_{(Q)}^{(t)} \in \mathbb{R} \mid t \in [1; n] \right\}$

  • [1] MARTINASEK, Z., ZEMAN, V., TRASY, K. Simple Electromagnetic Analysis in Cryptography. International Journal of Advances in Telecommunications, Electrotechnics, Signals and Systems, North America, 1, Sep. 2012.

SLIDE 6

Non-profiling attacks

  • f is the target function (e.g. SBox) using P and Q
  • L is the leakage model (e.g. HW)
  • D is the distinguisher (e.g. Pearson correlation)

$\hat{Q} = \arg\max_{Q \in \mathcal{Q}} \left| D\left(L\left(f(P, Q)\right), T\right) \right|$

SLIDE 7

Profiling attacks

$\hat{Q} = \arg\max_{Q} P(Q \mid T)$

$\hat{Q} = \arg\max_{Q} \frac{P(T \mid Q) \times P(Q)}{P(T)}$

$\hat{Q} = \arg\max_{Q} \hat{P}(T \mid Q) \times \hat{P}(Q)$

How to estimate $P(T \mid Q)$?

SLIDE 8

Profiling attacks

Parametric methods

  • TA (i.e. $P(T \mid Q_i) \sim \mathcal{N}(\mu_i, \Sigma_i)$) [S. Chari et al. 2002]
  • SA (i.e. $P(T \mid Q_i) \sim \mathcal{N}(\mu_i, \Sigma)$) [W. Schindler et al. 2005]

Non-parametric methods [L. Lerman et al. 2011 & 2013, G. Hospodar et al. 2011, A. Heuser et al. 2012, T. Bartkewitz et al. 2012]

  • SVM
  • RF
  • KNN

Results in unprotected contexts

  • An ML model is as efficient as (and often better than) TA

SLIDE 9

Countermeasures

Several countermeasures

  • Masking
  • Hiding

Several algorithms of masking schemes

  • Boolean, multiplicative, affine masking schemes

SLIDE 10

Issues

Are the results of the previous ML works still the same in a protected environment?

  1. How many traces are required
       1. against a protected device with a ML model compared to a strategy based on TA or SA?
       2. by a ML model attacking a protected device compared to an unprotected device?
  2. What is the impact of the number of traces used in the profiling step by a ML model attacking a protected device?

SLIDE 11

Framework

[Figure: framework diagram, numbered 1 to 4. Phases: PRELIMINARY PHASE, PROFILING PHASE, ATTACKING PHASE, POST-ATTACKING PHASE. Boxes: Cryptographic Device Implementation, Data Collection, Pre-Processing, Profiled Model Selection, Profiled Model (e.g. SVM, TA, SA), mask value, Non-Profiled Attack (e.g. CPA, KS, MIA), Security Level Estimation]

The lower the error between the correct and the estimated mask values, the higher the correlation between the real and the predicted traces for the correct key.

SLIDE 12

Target

  • AES-128 protected by the Rotating Sbox (Boolean) Masking scheme (based on table look-up)
  • Atmel ATMega-163 smart card
  • According to its authors (in a hardware context):
      • Performance and complexity close to the unprotected scheme
      • Resistant against several side-channel attacks

SLIDE 13

Models

Profiling attacks

  • TA
  • SA
  • SVM
  • RF

Non-profiling attack

  • CPA on HW(maskedSBox(plaintext ⊕ mask ⊕ key))

SLIDE 14

Dataset

  • Public dataset of the DPAContest V4 (updated in October)
  • Electromagnetic emission leakages
  • First round of AES
  • Each trace has 435,002 samples

SLIDE 15

Finding the offset value on traces

  • $\rho({}^{t}T, \text{offset})$ on 1500 traces
  • Feature selection step: the 50 instants most highly linearly correlated with the offset value
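The feature selection step above, as an added example on constructed traces (not the authors' code): it computes |ρ| between each instant and the known offset over a profiling set, keeps the top-ranked instants, and reduces every trace to those points. The same profile shows an evaluator where a masked implementation leaks its offset. The sizes (300 traces, 200 samples, 5 instants), the offset range 0..15 and the linear leakage model are assumptions of the simulation; the slide uses 1500 traces and 50 instants.

```python
import random

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx > 0 and vy > 0 else 0.0

def correlation_profile(traces, offsets):
    """|rho| between the samples at each instant t and the known offset values."""
    return [abs(pearson(column, offsets)) for column in zip(*traces)]

def select_instants(profile, k):
    """Indices of the k instants with the highest |rho|, returned in time order."""
    ranked = sorted(range(len(profile)), key=profile.__getitem__, reverse=True)
    return sorted(ranked[:k])

def reduce_traces(traces, instants):
    """Keep only the selected instants: the feature vectors given to a profiled model."""
    return [[trace[t] for t in instants] for trace in traces]

# Constructed profiling set (assumption): Gaussian noise at every instant, plus a
# component linear in the offset at the instants listed in LEAK_AT.
LEAK_AT = (23, 57, 58, 120, 171)

def simulate(n_traces=300, n_samples=200, seed=1):
    rng = random.Random(seed)
    offsets = [rng.randrange(16) for _ in range(n_traces)]
    traces = []
    for off in offsets:
        trace = [rng.gauss(0.0, 1.0) for _ in range(n_samples)]
        for t in LEAK_AT:
            trace[t] += 0.5 * off
        traces.append(trace)
    return traces, offsets

if __name__ == "__main__":
    traces, offsets = simulate()
    profile = correlation_profile(traces, offsets)
    instants = select_instants(profile, k=len(LEAK_AT))
    features = reduce_traces(traces, instants)
    print("selected instants:", instants)
    print("|rho| at selected:", [round(profile[t], 3) for t in instants])
    print("feature vector length:", len(features[0]))
```
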

SLIDE 16

Model estimation

Validation set

1500 traces

Testing set

100% 75% 50% 25%

Learning set

1500 traces

SLIDE 17

Model selection results

  • The higher the number of traces in the learning set, the higher the accuracy
  • The higher the number of features, the higher the success rates for SVM, RF and SA (except TA)
  • The success rates of
      • ML models: SVM: 0.88, RF: 0.81
      • SA: 0.90, TA: 0.66

SLIDE 18

Attacking step

[Figure: minimum, average and maximum number of traces (axis: number of traces, 25 to 200) for CPA, SVM / CPA, SA / CPA, TA / CPA and SA; unprotected device and protected device]

Unmasked implementation

  • CPA: 16.3 traces on average (5s)

Masked implementation

  • SVM / CPA: 26 traces on average (20s)
  • SA / CPA: 27.8 traces on average (80s)
  • TA / CPA: 56.4 traces on average (45s)
  • SA: 107 traces on average (180s)

SLIDE 19

Discussion & Conclusion

(Unprotected) implementation of the Rotating Sbox Masking

  • 26 traces with 20s during the attacking phase

  • ML approach outperforms TA in data complexity
  • Original SA is less efficient than the new strategy based on SA
  • SVM outperforms SA in time complexity

How to improve the attack?

  • Increasing the number of points selected in each trace
  • Optimizing the model's parameters

SLIDE 20

Last but not least ...

Official result in the DPAContest V4 : 22 traces with 0.528 seconds in order to retrieve the secret key of AES-128
