A machine learning approach against a masked AES A machine learning approach against a masked AES L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH Université Libre de Bruxelles Faculty of Sciences Department of Computer Sciences Cryptography and Security Service & Machine Learning Group CARDIS 2013 L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 1 / 20
A machine learning approach against a masked AES Cryptography Context Cryptography has been used for a long time for confidentiality purposes Mobile phones Banks Cars L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 2 / 20
A machine learning approach against a masked AES Side channel attacks Side channel attacks Reduction in cryptography security in real situation Possibility to find the secret key when we focalize on a side channel Timing attack (Kocher - 1996) Electromagnetic attack (Gandolfi, Mourtel & Olivier - 2001) Power monitoring attack (Kocher, Ja ff e & Jun - 1999) L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 3 / 20
A machine learning approach against a masked AES Side channel attacks Power monitoring attack L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 4 / 20
A machine learning approach against a masked AES Side channel attacks EM leakage [1] T ( Q ) = n T ( Q ) o ( t ) ∈ R | t ∈ [ 1 ; n ] [1] MARTINASEK, Z., ZEMAN, V., TRASY, K.. Simple Electromagnetic Analysis in Cryptography. International Journal of Advances in Telecommunications, Electrotechnics, Signals and Systems, North America, 1, sep. 2012. L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 5 / 20
A machine learning approach against a masked AES Side channel attacks Non-profiling attacks f is the target function (e.g. SBox) using P and Q L is the leakage model (e.g. HW) D is the distinguisher (e.g. Pearson correlation) ˆ Q = arg max Q ∈ Q | D ( L ( f ( P , Q )) , T ) | L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 6 / 20
A machine learning approach against a masked AES Side channel attacks Profiling attacks ˆ Q = arg max P ( Q | T ) Q ˆ P ( T | Q ) × P ( Q ) Q = arg max P ( T ) Q ˆ P ( T | Q ) × ˆ ˆ Q = arg max P ( Q ) Q How to estimate P ( T | Q ) ? L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 7 / 20
A machine learning approach against a masked AES Side channel attacks Profiling attacks Parametric methods TA (i.e. P ( T | Q i ) ∼ N ( µ i , Σ i ) ) [S. Chari et al. 2002] SA (i.e. P ( T | Q i ) ∼ N ( µ i , Σ ) ) [W. Schindler et al. 2005] Non-parametric methods [L. Lerman et al. 2011 & 2013, G. Hospodar et al. 2011, A. Heuser et al. 2012, T. Bartkewitz et al. 2012] SVM RF KNN Results in unprotected contexts A ML model is as e ffi cient (and often better) than TA L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 8 / 20
A machine learning approach against a masked AES Side channel attacks Countermeasures Several countermeasures Masking Hiding Several algorithms of masking schemes Boolean, multiplicative, a ffi ne masking schemes L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 9 / 20
A machine learning approach against a masked AES A machine learning approach against a masked AES Issues Are the results of the previous ML works still the same in a protected environment? 1 How many traces are required 1 against a protected device with a ML model compared to a strategy based on TA or SA? 2 by a ML model attacking a protected device compared to an unprotected device? 2 What is the impact of the number of traces used in the profiling step by a ML model attacking a protected device? L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 10 / 20
A machine learning approach against a masked AES A machine learning approach against a masked AES Framework 1 PRELIMINARY PHASE 2 PROFILING PHASE Cryptographic Device Data Collection Pre-Processing Profiled Model Selection Implementation mask value Security Level Non-Profiled Attack Profiled Model Estimation (e.g. CPA, KS, MIA) (e.g. SVM, TA, SA) 4 POST-ATTACKING PHASE 3 ATTACKING PHASE Lower the error between the correct and the estimated mask values, higher the correlation between the real and the predicted traces for the correct key L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 11 / 20
A machine learning approach against a masked AES Experiments Target AES-128 protected by the Rotating Sbox (Boolean) Masking scheme (based on table look-up) Atmel ATMega-163 smart card According to its authors (in a hardware context): Performances and complexity close to unprotected scheme Resistant against several side-channel attacks L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 12 / 20
A machine learning approach against a masked AES Experiments Models Profiling attacks TA SA SVM RF Non-profiling attack CPA on HW ( maskedSBox ( plaintext ⊕ mask ⊕ key )) L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 13 / 20
A machine learning approach against a masked AES Experiments Dataset Public dataset of the DPAContest V4 (updated in October) Electromagnetic emission leakages First round of AES Each trace has 435,002 samples L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 14 / 20
A machine learning approach against a masked AES Experiments Finding the o ff set value on traces ρ ( t T , o ff set ) on 1500 traces Feature selection step: 50 instants highest linearly correlated with the o ff set value L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 15 / 20
A machine learning approach against a masked AES Experiments Model estimation Validation set Learning set 1500 traces 1500 traces 100% 75% 50% 25% Testing set L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 16 / 20
A machine learning approach against a masked AES Experiments Model selection results Higher the number of traces in the learning set, higher the accuracy Higher the number of features, higher the success rates for SVM, RF and SA (except TA) The success rates of ML models SVM: 0.88 RF: 0.81 SA: 0.90 TA: 0.66 L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 17 / 20
A machine learning approach against a masked AES Experiments Attacking step Unmasked implementation CPA: 16.3 traces in 200 Minimum number of traces Minimum number of traces average (5s) Average number of traces Average number of traces Maximum number of traces Maximum number of traces 175 Masked implementation 150 125 number of traces SVM / CPA: 26 traces 100 in average (20s) 75 SA / CPA: 27.8 traces in average (80s) 50 TA / CPA: 56.4 traces in 25 average (45s) 0 A P A A P SA: 107 traces in C P A C C P A / S C M / / A A V S T S average (180s) Unprotected Protected device device L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 18 / 20
A machine learning approach against a masked AES Discussion & Conclusion Discussion & Conclusion (Unprotected) implementation of the Rotating Sbox Masking 26 traces with 20s during the attacking phase ML approach outperforms TA in data complexity Original SA is less e ffi cient than the new strategy based on SA SVM outperforms SA in time complexity How to improve the attack ? Increasing the number of points selected in each trace Optimizing the model’s parameters L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 19 / 20
A machine learning approach against a masked AES Discussion & Conclusion Last but not least ... O ffi cial result in the DPAContest V4 : 22 traces with 0.528 seconds in order to retrieve the secret key of AES-128 L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH 20 / 20
Recommend
More recommend
