Blind Source Separation from Single Measurements using Singular - - PowerPoint PPT Presentation

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015

Blind Source Separation from Single Measurements using Singular Spectrum Analysis

CHES 2015 14.Sept.2015, Saint-Malo, France

Santos Merino del Pozo and Fran¸ cois-Xavier Standaert

ICTEAM/ELEN/Crypto Group Universit´ e catholique de Louvain, Belgium.

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 1

Because Noise Matters

◮ More noise → More side-channel measurements

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 1

Because Noise Matters

◮ More noise → More side-channel measurements ◮ attacks become more challenging ◮ critical for higher-order (HO) attacks !!

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 1

Because Noise Matters

◮ More noise → More side-channel measurements ◮ attacks become more challenging ◮ critical for higher-order (HO) attacks !! ◮ Ideally, low-noise measurements

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 1

Because Noise Matters

◮ More noise → More side-channel measurements ◮ attacks become more challenging ◮ critical for higher-order (HO) attacks !! ◮ Ideally, low-noise measurements ◮ can be difficult to achieve in practice ◮ architecture, countermeasures, measurement setup, ...

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 1

Because Noise Matters

◮ More noise → More side-channel measurements ◮ attacks become more challenging ◮ critical for higher-order (HO) attacks !! ◮ Ideally, low-noise measurements ◮ can be difficult to achieve in practice ◮ architecture, countermeasures, measurement setup, ... ◮ So, preprocessing the collected traces is always advisable

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 2

State-of-the-Art: Perks and Pitfalls

◮ Averaging ◮ Digital filtering ◮ PCA and LDA

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 2

State-of-the-Art: Perks and Pitfalls

◮ Averaging

✔ easy yet effective ✘ useless when exploiting HO leakages

◮ Digital filtering ◮ PCA and LDA

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 2

State-of-the-Art: Perks and Pitfalls

◮ Averaging

✔ easy yet effective ✘ useless when exploiting HO leakages

◮ Digital filtering

✔ relevant for HO analysis ✘ not trivial to design

◮ PCA and LDA

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 2

State-of-the-Art: Perks and Pitfalls

◮ Averaging

✔ easy yet effective ✘ useless when exploiting HO leakages

◮ Digital filtering

✔ relevant for HO analysis ✘ not trivial to design

◮ PCA and LDA

✔ intuitive and easy to implement ✘ requires profiling, extension to HO analysis?

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 3

Our Solution

◮ Blind source separation using Singular Spectrum Analysis

(SSA)

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 3

Our Solution

◮ Blind source separation using Singular Spectrum Analysis

(SSA)

◮ Disregarded in the context of side-channel analysis ◮ Cool features from the attackers point-of-view ◮ working in a per-trace fashion ◮ being readily applied to HO scenarios ◮ not requiring proficiency in signal processing ◮ not needing a profiling stage

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 4

Outline

Singular Spectrum Analysis 101 Experimental Results Masked software Unprotected hardware Conclusions

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 5

SSA 101 - Decomposition

So you got a noisy leakage trace ℓ =

• ℓ1, . . . , ℓN

◮ First, take W = ⌊log (N)c⌋ with c ∈ [1.5, 3], ◮ define D = N − W + 1 delayed vectors

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 5

SSA 101 - Decomposition

So you got a noisy leakage trace ℓ =

• ℓ1, . . . , ℓN

◮ First, take W = ⌊log (N)c⌋ with c ∈ [1.5, 3], ◮ define D = N − W + 1 delayed vectors

ℓ1 ℓ2 . . . ℓW

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 5

SSA 101 - Decomposition

So you got a noisy leakage trace ℓ =

• ℓ1, . . . , ℓN

◮ First, take W = ⌊log (N)c⌋ with c ∈ [1.5, 3], ◮ define D = N − W + 1 delayed vectors

ℓ1 ℓ2 ℓ2 ℓ3 . . . . . . ℓW ℓW +1

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 5

SSA 101 - Decomposition

So you got a noisy leakage trace ℓ =

• ℓ1, . . . , ℓN

◮ First, take W = ⌊log (N)c⌋ with c ∈ [1.5, 3], ◮ define D = N − W + 1 delayed vectors

ℓ1 ℓ2 · · · ℓD ℓ2 ℓ3 · · · ℓD+1 . . . . . . ... . . . ℓW ℓW +1 · · · ℓN

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 5

SSA 101 - Decomposition

So you got a noisy leakage trace ℓ =

• ℓ1, . . . , ℓN

◮ First, take W = ⌊log (N)c⌋ with c ∈ [1.5, 3], ◮ define D = N − W + 1 delayed vectors ◮ and then build the so-called trajectory matrix L

L =      ℓ1 ℓ2 · · · ℓD ℓ2 ℓ3 · · · ℓD+1 . . . . . . ... . . . ℓW ℓW +1 · · · ℓN     

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 6

SSA 101 - Decomposition

Compute the eigenvalues of LL⊤

◮ (λ1 ≥ · · · ≥ λd), the so-called singular spectrum ◮ d = W if none of them is zero

together with the corresponding eigenvectors u1, u2, . . . , ud

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 6

SSA 101 - Decomposition

Compute the eigenvalues of LL⊤

◮ (λ1 ≥ · · · ≥ λd), the so-called singular spectrum ◮ d = W if none of them is zero

together with the corresponding eigenvectors u1, u2, . . . , ud The SVD decomposition of L is L = ˜ L1 + · · · + ˜ Ld, such that ˜ Li = √λiuiv⊤

i and vi = L⊤ui

√λi

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 7

SSA 101 - Reconstruction

Now, we are ready to extract the underlying components of ℓ

◮ Each ˜

Li matrix is transformed into the i-th component ˜ ℓi =

• ˜

ℓ1

i , . . . , ˜

ℓN

i

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 7

SSA 101 - Reconstruction

Now, we are ready to extract the underlying components of ℓ

◮ Each ˜

Li matrix is transformed into the i-th component ˜ ℓi =

• ˜

ℓ1

i , . . . , ˜

ℓN

i

• ◮ Trivial when ˜

Li is a Hankel matrix, i.e., ˜ Li =      ˜ ℓ1

i

˜ ℓ2

i

˜ ℓ3

i

· · · ˜ ℓ2

i

˜ ℓ3

i

· · · · · · ˜ ℓ3

i

. . . ... ˜ ℓN−1

i

. . . . . . ˜ ℓN−1

i

˜ ℓN

i

    

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 7

SSA 101 - Reconstruction

Now, we are ready to extract the underlying components of ℓ

◮ Each ˜

Li matrix is transformed into the i-th component ˜ ℓi =

• ˜

ℓ1

i , . . . , ˜

ℓN

i

• ◮ Trivial when ˜

Li is a Hankel matrix, i.e., ˜ Li =      ˜ ℓ1

i

˜ ℓ2

i

˜ ℓ3

i

· · · ˜ ℓ2

i

˜ ℓ3

i

· · · · · · ˜ ℓ3

i

. . . ... ˜ ℓN−1

i

. . . . . . ˜ ℓN−1

i

˜ ℓN

i

    

◮ but since this is not the case, the so-called hankelization

function must be applied on each ˜ Li

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 8

SSA 101 - Reconstruction

Lastly, the original leakage trace ℓ can be reconstructed as ℓ = ˜ ℓ1 + · · · + ˜ ℓd

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 8

SSA 101 - Reconstruction

Lastly, the original leakage trace ℓ can be reconstructed as

◮ but we aim at a signal vs. noise decomposition

ℓ = ˜ ℓ1 + · · · + ˜ ℓd

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 8

SSA 101 - Reconstruction

Lastly, the original leakage trace ℓ can be reconstructed as

◮ but we aim at a signal vs. noise decomposition ◮ I = {1, . . . , d} is partitioned into Isignal and Inoise,

ℓ = ˜ ℓ1 + · · · + ˜ ℓd

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 8

SSA 101 - Reconstruction

Lastly, the original leakage trace ℓ can be reconstructed as

◮ but we aim at a signal vs. noise decomposition ◮ I = {1, . . . , d} is partitioned into Isignal and Inoise, so

ℓ =

• i∈Isignal

˜ ℓi +

• i∈Inoise

˜ ℓi

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 8

SSA 101 - Reconstruction

Lastly, the original leakage trace ℓ can be reconstructed as

◮ but we aim at a signal vs. noise decomposition ◮ I = {1, . . . , d} is partitioned into Isignal and Inoise, so

ℓ =

• i∈Isignal

˜ ℓi +

• i∈Inoise

˜ ℓi Criteria

◮ Inoise → small singular values producing a slowly

decreasing sequence

◮ Isignal → the remaining ones

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 9

Experimental Results

Two experimental platforms

◮ Atmel 8-bit µC (ATMega644p) ◮ Spartan-6 FPGA (SAKURA-G)

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 9

Experimental Results

Two experimental platforms

◮ Atmel 8-bit µC (ATMega644p) ◮ First-order boolean masking scheme of AES ◮ High Signal-to-Noise Ratio ◮ Profiling is allowed ◮ Spartan-6 FPGA (SAKURA-G)

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 9

Experimental Results

Two experimental platforms

◮ Atmel 8-bit µC (ATMega644p) ◮ First-order boolean masking scheme of AES ◮ High Signal-to-Noise Ratio ◮ Profiling is allowed ◮ Spartan-6 FPGA (SAKURA-G) ◮ Unprotected implementation of PRESENT-80 ◮ Low Signal-to-Noise Ratio ◮ Small peak-to-peak signal → quantization noise ◮ Profiling is not allowed

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 10

Experimental Results - Masked software

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 11

Experimental Results - Masked software

Signal-to-Noise ratio (raw) Signal-to-Noise ratio (SSA)

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 11

Experimental Results - Masked software

Signal-to-Noise ratio (raw) Signal-to-Noise ratio (SSA) Bivariate MCP-DPA (raw) Bivariate MCP-DPA (SSA)

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 11

Experimental Results - Masked software

Signal-to-Noise ratio (raw) Signal-to-Noise ratio (SSA) Bivariate TA (raw) Bivariate TA (SSA)

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 11

Experimental Results - Masked software

Signal-to-Noise ratio (raw) Signal-to-Noise ratio (SSA) SR of bivariate MCP-DPA SR of bivariate TA

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 12

Experimental Results - Unprotected hardware

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 13

Experimental Results - Unprotected hardware

Signal-to-Noise ratio (raw) Signal-to-Noise ratio (SSA)

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 13

Experimental Results - Unprotected hardware

Signal-to-Noise ratio (raw) Signal-to-Noise ratio (SSA) CPA using HD model (raw) CPA using HD model (SSA)

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 13

Experimental Results - Unprotected hardware

Signal-to-Noise ratio (raw) Signal-to-Noise ratio (SSA) MCC-DPA (raw) MCC-DPA (SSA)

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 13

Experimental Results - Unprotected hardware

Signal-to-Noise ratio (raw) Signal-to-Noise ratio (SSA) SR of CPA using HD model SR of MCC-DPA

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 14

Conclusions

◮ SSA in the context of side-channel analysis ◮ intuitive, easy to use ◮ window length → standard rule-of-thumb ◮ reconstruction → visual inspection of components ◮ works in a per-trace fashion ◮ on-the-fly filtering ◮ easily integrated into measurement frameworks ◮ effective ◮ SNR gains up to a factor of 4 ◮ attacks with reduced measurement complexity ◮ Future work: ◮ more challenging scenarios (high noise + masking in

hardware)

◮ distinguish components at same frequencies?

UCL Crypto Group

Microelectronics Laboratory

Santos Merino del Pozo - CHES 2015 - 14.Sept.2015 15

Questions?