[PPT] - Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor PowerPoint Presentation

SLIDE 1

Behind the Scene of Side Channel Attacks

ASIACRYPT 2013

Victor LOMNE, Emmanuel PROUFF and Thomas ROCHE

ANSSI (French Network and Information Security Agency) Thursday, December 3rd, 2013

SLIDE 2

Side Channel Attacks (SCA)| Linear Regression Attack (LRA)| Template Attack (TA)| Conclusion|

Agenda

1

Side Channel Attacks (SCA)

a. Background
b. Contributions

2

Linear Regression Attack (LRA)

a. LRA Basics
b. Experimental Results

3

Template Attack (TA)

a. Template Attack Basics
b. Experimental Results

4

Conclusion

1/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 3

Agenda

1

Side Channel Attacks (SCA)

a. Background
b. Contributions

2

Linear Regression Attack (LRA)

a. LRA Basics
b. Experimental Results

3

Template Attack (TA)

a. Template Attack Basics
b. Experimental Results

4

Conclusion

2/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 4

Context

Since the 90’s, increasing use of Embedded Systems

◮ 7G smartcards sold in 2012 (SIM, banking, pay-TV, ID, ✿ ✿ ✿)

Embedded Systems integrating Cryptography are susceptible to Side Channel Cryptanalysis

3/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 5

Side Channel Cryptanalysis [Kocher et al - Crypto99]

A CMOS device leaks info. about its state during a computation through side-channels e.g.: time, power consumption, EM radiations, ✿ ✿ ✿ SCA exploit these physical leakages to guess a secret

PLAINTEXT

blablablablablabla blibliblibliblibliblibl bloblobloblobloblo blublublublublublu blyblyblyblyblybly

CIPHERTEXT

tO^à@:/!uYe#&²é" ccGt*µ$Bg;./rSdrtg ([jKé~-|kLm%*ø$tf vB:!§eR'{qZé~rt6- phçö^$"NhR([qSrT

CRYPTOSYSTEM

gray-box model (spy the computation)

time power electromagnetic radiations vibrations light ...

4/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 6

Generic SCA Flow

1. Collect N side channel traces w. known inputs

t1 ✦ Enc✭p1❀ k✮❀ ✿ ✿ ✿ ❀ tN ✦ Enc✭pN ❀ k✮

2. Choose sensitive variable depend. on input & secret

e.g. AES Sbox output ✦ v

❫ k i ❂ S✭pi ✟ ❫

k✮

3. Choose a Leakage Model

e.g. Hamming Weight (H)

4. Compute predictions for each key hypothesis

❫ k ❂ 0 ✦ H✭v

❫ k❂0 1

✮❀ ✿ ✿ ✿ ❀ H✭v

❫ k❂0 N

✮ ✿ ✿ ✿ ❫ k ❂ 255 ✦ H✭v

❫ k❂255 1

✮❀ ✿ ✿ ✿ ❀ H✭v

❫ k❂255 N

✮

5. Use a distinguisher to discriminate the correct key

by comparing the N traces and the predictions

5/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 7

SCA flow and Leakage Model: 3 cases

1. Select a priori a Leakage Model

◮ Hamming Weight, Hamming Distance ◮ Used in classical SCA (DPA, CPA, MIA, ✿ ✿ ✿)

2. Select a priori a space of Leakage Models

◮ Attack will guess the correct model in selected space ◮ Used in Linear Regression Attack (LRA)

3. Infer a Leakage Model through profiling before attack

◮ A preliminary step is performed on an open copy of the

device to build a leakage model for each key value

◮ Used in Template Attack (TA) 6/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 8

Agenda

1

Side Channel Attacks (SCA)

a. Background
b. Contributions

2

Linear Regression Attack (LRA)

a. LRA Basics
b. Experimental Results

3

Template Attack (TA)

a. Template Attack Basics
b. Experimental Results

4

Conclusion

7/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 9

Microelectronics & Side Channel Cryptanalysis

Moore’s law:

◮ Nb. of transistors on ICs doubles approx. every two years ◮ CMOS processes decrease

1995 ✦ CMOS process 350nm / 2013 ✦ CMOS process 22nm

Consequence:

◮ intra-chip variability increases

✮ bits leak differently ones from others

◮ inter-chip variability increases

✮ two identical ICs behave differently

✮ New challenges for Side Channel Attacks ?!

8/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 10

Our Contributions

Propose a study on the practicality of:

◮ Linear Regression Attack (LRA) ◮ Template Attack (TA)

Perform experiments on 3 different microcontrollers:

◮ Device A - CMOS process 350nm - AES128 enc.

51600 points per trace - highest SNR1: 0✿3

◮ Device B - CMOS process 130nm - AES128 enc.

16800 points per trace - highest SNR1: 0✿6

◮ Device C - CMOS process 90nm

AES128 enc.

12800 points per trace - highest SNR1: 0✿09

Use of 3 copies of each device for cross-tests

1SNR: Signal-to-Noise Ratio 9/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 11

Agenda

1

Side Channel Attacks (SCA)

a. Background
b. Contributions

2

Linear Regression Attack (LRA)

a. LRA Basics
b. Experimental Results

3

Template Attack (TA)

a. Template Attack Basics
b. Experimental Results

4

Conclusion

10/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 12

Linear Regression Attack [Doget et al - Cosade11]

Leakage function L: models the handling of sens. var. v handling of v ✦ L✭v✮ ✰ B, with B a gaussian noise In LRA, L assumed unknown and viewed as a multivariate polynomial in the bit-coordinates vi of v w. coefs. in R L✭v✮ ❂ ✎0v0 ✰ ✎1v1 ✰ ✿ ✿ ✿

⑤ ④③ ⑥

linear part

✰ ✎0❀1v0v1 ✰ ✎0❀2v0v2 ✰ ✿ ✿ ✿

⑤ ④③ ⑥

quadratic part

✰ ✿ ✿ ✿

⑤④③⑥

etc

In LRA, guessing L is hence equivalent to solve a polynomial interpolation in a noisy context ✮ use of linear regression techniques

11/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 13

LRA Issues

Previous works reporting experiments on LRA consider side channel traces composed of one unique point In practice, side channel traces are never composed of

ne unique point, but rather several thousands

Classical strategy consists in applying SCA on each time sample and to keep the key candidate maximizing the score

ver all time samples

In our experiments, such a strategy did not work for LRA

12/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 14

Our Solution

From our experiments, we observed that correct key k is ranked first at time samples where:

◮ the distance score✭k✮ E❬score✭k✮] is large ◮ Var❬score✭k✮❪ is small

We hence deduced a normalization step:

◮ center the scores ◮ divide by their variance ◮ normalized_score✭k✮ ❂ score✭k✮E❬score✭k✮❪

Var❬score✭k✮❪

13/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 15

Agenda

1

Side Channel Attacks (SCA)

a. Background
b. Contributions

2

Linear Regression Attack (LRA)

a. LRA Basics
b. Experimental Results

3

Template Attack (TA)

a. Template Attack Basics
b. Experimental Results

4

Conclusion

14/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 16

LRA vs. Normalized LRA (device A - 350nm)

100 200 300 400 500 600 700 800 900 1000 20 40 60 80 100 120 140 160

number of traces average rank of the correct key

LRA normalized LRA

Figure: Correct key rank evolution vs. nb. of traces

15/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 17

LRA vs. Normalized LRA (device B - 130nm)

100 200 300 400 500 600 700 800 900 1000 20 40 60 80 100 120 140 160

number of traces average rank of the correct key

LRA normalized LRA

Figure: Correct key rank evolution vs. nb. of traces

16/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 18

LRA vs. Normalized LRA (device C - 90nm)

500 1000 1500 2000 2500 3000 3500 4000 20 40 60 80 100 120 140 160

number of traces average rank of the correct key

LRA normalized LRA

Figure: Correct key rank evolution vs. nb. of traces

17/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 19

Normalized LRA vs. CPA (device C - 90nm)

1000 2000 3000 4000 5000 6000 7000 8000 9000 10000 50 100 150 200 250 mean of the rank of the correct key byte for uC 90nm (average over the 3 samples) number of traces mean of the rank of the correct key absolute CPA normalized LR

Figure: Correct key rank evolution vs. nb. of traces

18/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 20

Agenda

1

Side Channel Attacks (SCA)

a. Background
b. Contributions

2

Linear Regression Attack (LRA)

a. LRA Basics
b. Experimental Results

3

Template Attack (TA)

a. Template Attack Basics
b. Experimental Results

4

Conclusion

19/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 21

Template Attack (TA) [Chari et al - CHES02]

1. Profiling Phase (performed on an open device copy)

1.1 Collect M side channel traces w. known inputs & keys

t1 ✦ Enc✭p1❀ k1✮❀ ✿ ✿ ✿ ❀ tN ✦ Enc✭pM ❀ kM ✮

1.2 Choose sensitive variable depend. on input & secret

e.g. AES Sbox output ✦ v

❫ k i ❂ S✭pi ✟ ❫

k✮

1.3 Compute the pdf of the leakage for each key value

pdf❫

k❂0❀ ✿ ✿ ✿ ❀ pdf❫ k❂255

2. Attack Phase (performed on a device copy set at an unknown secret)

2.1 Collect N side channel traces w. diff. inputs

t1 ✦ Enc✭p1❀ k✮❀ ✿ ✿ ✿ ❀ tN ✦ Enc✭pN ❀ k✮

2.2 Use a maximum likelihood test to discriminate the correct key by comparing the N traces and the pdfs

20/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 22

Agenda

1

Side Channel Attacks (SCA)

a. Background
b. Contributions

2

Linear Regression Attack (LRA)

a. LRA Basics
b. Experimental Results

3

Template Attack (TA)

a. Template Attack Basics
b. Experimental Results

4

Conclusion

21/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 23

TA on device A (350nm) - copy 1 ✦ copy 1

20 40 60 80 100 120 140 160 180 200 1 1.5 2 2.5 3 3.5 4 4.5 5 x 10

4

number of traces used for the attack phase number of traces used for the profiling phase

10 20 30 40 50 60 70

Figure: Correct key rank evolution vs. nb. of traces for the profiling phase (y-axis) and the attack phase (x-axis)

22/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 24

TA on device A (350nm) - copy 1 ✦ copy 2

20 40 60 80 100 120 140 160 180 200 1 1.5 2 2.5 3 3.5 4 4.5 5 x 10

4

number of traces used for the attack phase number of traces used for the profiling phase

10 20 30 40 50 60 70 80 90 100

Figure: Correct key rank evolution vs. nb. of traces for the profiling phase (y-axis) and the attack phase (x-axis)

23/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 25

TA on device B (130nm) - copy 1 ✦ copy 1

10 20 30 40 50 60 70 80 90 100 0.5 1 1.5 2 2.5 3 x 10

4

number of traces used for the attack phase number of traces used for the profiling phase

20 40 60 80 100 120 140

Figure: Correct key rank evolution vs. nb. of traces for the profiling phase (y-axis) and the attack phase (x-axis)

24/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 26

TA on device B (130nm) - copy 1 ✦ copy 2

10 20 30 40 50 60 70 80 90 100 0.5 1 1.5 2 2.5 3 x 10

4

number of traces used for the attack phase number of traces used for the profiling phase

20 40 60 80 100 120

Figure: Correct key rank evolution vs. nb. of traces for the profiling phase (y-axis) and the attack phase (x-axis)

25/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 27

TA on device C (90nm) - copy 1 ✦ copy 1

100 200 300 400 500 600 700 800 900 1000 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 x 10

5

number of traces used for the attack phase number of traces used for the profiling phase

20 40 60 80 100 120 140 160

Figure: Correct key rank evolution vs. nb. of traces for the profiling phase (y-axis) and the attack phase (x-axis)

26/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 28

TA on device C (90nm) - copy 1 ✦ copy 3

100 200 300 400 500 600 700 800 900 1000 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 x 10

5

number of traces used for the attack phase number of traces used for the profiling phase

20 40 60 80 100 120 140

Figure: Correct key rank evolution vs. nb. of traces for the profiling phase (y-axis) and the attack phase (x-axis)

27/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 29

Side Channel Attacks (SCA)| Linear Regression Attack (LRA)| Template Attack (TA)| Conclusion|

Agenda

1

Side Channel Attacks (SCA)

a. Background
b. Contributions

2

Linear Regression Attack (LRA)

a. LRA Basics
b. Experimental Results

3

Template Attack (TA)

a. Template Attack Basics
b. Experimental Results

4

Conclusion

28/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 30

Side Channel Attacks (SCA)| Linear Regression Attack (LRA)| Template Attack (TA)| Conclusion|

Our Results

1. Improvement to apply LRA in a practical setup
2. Experiments show that LRA is more effective than

classical SCA as CMOS process tends to nanometer scale

3. Experiments show that TA work well:

◮ even if both phases are performed on diff. device copies ◮ TA effectiveness outperforms unprofiled SCA

4. Partition method allowing to implement efficiently all SCA

◮ algo. complexity does not depend from nb. of traces

(not described in this presentation)

29/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 31

Side Channel Attacks (SCA)| Linear Regression Attack (LRA)| Template Attack (TA)| Conclusion|

Some Numbers

uC CPA LRA TA2 TA3 350nm 250 1000 80 10 130nm 350 800 100 10 90nm 7500 2000 700 100

Table: average nb. of traces to retrieve the correct key

2Template Attack inter-chip 3Template Attack intra-chip 30/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks

SLIDE 32

Side Channel Attacks (SCA)| Linear Regression Attack (LRA)| Template Attack (TA)| Conclusion|

Talk Finished !

Thanks for your attention ! Questions ?

full version: http://eprint.iacr.org/2013/794

31/31 Victor LOMNE - ANSSI / Behind the Scene of Side Channel Attacks