characterisation and estimation of the key rank
play

Characterisation and Estimation of the Key Rank Distribution in the - PowerPoint PPT Presentation

Sep 27, 2023 •175 likes •516 views

Characterisation and Estimation of the Key Rank Distribution in the Context of Side Channel Evaluations https://github.com/bristol-sca/labynkyr December 7, 2016 Daniel P. Martin, Luke Mather, Elisabeth Oswald, Martijn Stam Cryptography Group,

  1. Characterisation and Estimation of the Key Rank Distribution in the Context of Side Channel Evaluations https://github.com/bristol-sca/labynkyr December 7, 2016 Daniel P. Martin, Luke Mather, Elisabeth Oswald, Martijn Stam Cryptography Group, University of Bristol 1

  2. OUTLINE non-invasive side-channel attacks as well as we could be. improved evaluation methodology. 2 ◮ Claim : we’re not evaluating the resistance of a device to ◮ This work : outline the reasons why, and describe an

  3. WHY IS THIS IMPORTANT? Being able to accurately evaluate the resistance of a device to SCA is important: (Common Criteria; FIPS 140-3); attacker that captures this probabilistic nature. 3 ◮ Resistance to SCA encoded in several evaluation processes ◮ Billions of devices implementing cryptography; ◮ SCA is almost always probabilistic in nature; ◮ Have to make a value judgement on the strength of an

  4. PLAN Motivation: we need to change how we view the outcome of a (non-invasive) side-channel attack 1. How we view side-channel attacks at the moment; 2. The current evaluation strategy; attack; 4. This work: how do we appropriately modify our evaluation methodology. 4 3. Changing our view to include the rank of a side-channel

  5. CURRENT MODEL FOR A SIDE-CHANNEL ATTACK 5 Con fi gure attack Gather n measurements - Pick model for leakage (traces) - Choose distinguisher Run attack Candidate key k Check using a known plaintext/ciphertext pair c == Enc (p) ? k

  6. FACTORS AFFECTING SUCCESS The quality of an attack is affected by: 1. The nature of the ‘true’ underlying leakage signal; 2. The quality of the adversary’s model for that leakage; 3. The statistical technique used to assign scores to key candidates; 4. Noise: environmental, countermeasures, measurement quality; 5. The number of measurements available. 6

  7. CURRENT EVALUATION APPROACH Attack-based evaluation approach: Judge impact of attack outcomes: 1. Does the adversary recover the secret key? 3. (other properties assessed: time, expense, ...) 7 ◮ Run a battery of attacks, and see what happens. 2. If yes, how many measurements were needed?

  8. 8 SIDE-CHANNEL ATTACKS: WITH KEY RANK Veyrat-Charvillion (SAC 2012) noticed that the adversary doesn't need the attack to be "perfect": Con fi gure attack Gather n measurements - Pick model for leakage (traces) - Choose distinguisher Run attack Auxiliary information assigning 'scores' to all key candidates Enumerate and check the key candidates in order of their score

  9. KEY RANK: A DEFINITION 9 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 2 3 4 5 2 57 -1 2 57 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  10. KEY RANK: A DEFINITION 10 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 INCORRECT 2 3 4 5 2 57 -1 2 57 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  11. KEY RANK: A DEFINITION 11 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 2 INCORRECT 3 4 5 2 57 -1 2 57 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  12. KEY RANK: A DEFINITION 12 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 2 INCORRECT 3 4 5 2 57 -1 2 57 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  13. KEY RANK: A DEFINITION 13 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 2 3 4 INCORRECT 5 2 57 -1 2 57 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  14. KEY RANK: A DEFINITION 14 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 2 3 4 5 INCORRECT 2 57 -1 2 57 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  15. KEY RANK: A DEFINITION 15 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 2 3 4 5 INCORRECT 2 57 -1 2 57 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  16. KEY RANK: A DEFINITION 16 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 2 3 4 5 2 57 -1 2 57 CORRECT (R = 2 57 ) 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  17. KEY RANK: A DEFINITION 17 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 2 3 4 5 Note: enumeration of candidate keys is expensive! 2 57 -1 (see ePrint 2016/609) 2 57 CORRECT (R = 2 57 ) 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  18. EVALUATION: WITH KEY RANK Which is more powerful: or 18 An attack requiring 10,000 measurements with a rank of 2 55 ? An attack requiring 50,000 measurements with a rank of 2 53 ?

  19. KEY RANK AS A RANDOM VARIABLE (a fixed number of) measurements Answer: no, in practice we don’t know all the distributions involved. 19 Key rank R is a random variable defined over the randomness in Can we analytically compute the distribution of R ? Later: is looking at the expectation E ( R ) a good idea?

  20. ESTIMATING THE RANK DISTRIBUTION The only usable approach is to estimate the rank distribution using repeated sampling. 3. Compute or estimate the rank for that attack. 4. Repeat. Questions we wanted to answer: 1. What is the shape of the distribution? 2. Is there consistency across the spectrum of SCA scenarios? 20 1. Fix an attack strategy, and a number of measurements n . 2. Capture a fresh set of n measurements, and run the attack.

  21. COMPUTING RANK Need a non-naive method for approximating rank when key is known. Majority of existing attempts provide an estimate for an interval: We chose to look at optimising: 21 Care about speed and minimising the error in bits b : if the true rank is 2 x , then the estimate is within 2 x ± b . ◮ Veyrat-Charvillon et al. (Eurocrypt 2013) ◮ Glowacz et al. (FSE 2015) (*) ◮ Duc et al. (Eurocrypt 2015) ◮ Bernstein et al. (ePrint 2015/221) ◮ Martin et al. (Asiacrypt 2015)

  22. IMPROVING RANK ESTIMATION Made several observations to reduce the run-time of Martin et al. rank estimation algorithm. precision at no additional cost on a workstation CPU. 22 ◮ Able to achieve ∼ 8 − 10 orders of magnitude more ◮ ⇒ can get a very accurate point estimate in a few seconds

  23. RESULTS: DISTRIBUTION CONSISTENCY across a variety of: 23 In general, distribution and shape of R is very consistent. ◮ Performed hundreds of thousands of repeat experiments ◮ ◮ Noise levels; ◮ Distinguisher types; ◮ Leakage distributions; ◮ Quantities of measurements. ◮ ... estimating and recording the rank after each attack.

  24. RESULTS: DISTRIBUTION SHAPE -- REAL WORLD EXPERIMENT 24 Repeated DPA attacks on a BeagleBone Black implementing AES-128 in hardware (Longo et al. CHES 2015) 120 Median rank Min / max observed rank 100 10th / 90th percentile of rank Estimated rank (log 2 ) 80 60 40 20 0 0 20000 40000 60000 80000 100000 Number of measurements (EM traces)

  25. 25 RESULTS: DISTRIBUTION SHAPE -- IN DETAIL Histograms of repeated attacks grouped by mean rank: Repeated attacks with an average rank of 2 16 Count 0 20 40 60 80 100 120 Estimated rank (log 2 )

  26. 26 RESULTS: DISTRIBUTION SHAPE -- IN DETAIL Histograms of repeated attacks grouped by mean rank: Repeated attacks with an average rank of 2 32 Count 0 20 40 60 80 100 120 Estimated rank (log 2 )

  27. 27 RESULTS: DISTRIBUTION SHAPE -- IN DETAIL Histograms of repeated attacks grouped by mean rank: Repeated attacks with an average rank of 2 48 Count 0 20 40 60 80 100 120 Estimated rank (log 2 )

  28. 28 RESULTS: DISTRIBUTION SHAPE -- IN DETAIL Histograms of repeated attacks grouped by mean rank: Repeated attacks with an average rank of 2 64 Count 0 20 40 60 80 100 120 Estimated rank (log 2 )

  29. 29 RESULTS: DISTRIBUTION SHAPE -- IN DETAIL Histograms of repeated attacks grouped by mean rank: Repeated attacks with an average rank of 2 80 Count 0 20 40 60 80 100 120 Estimated rank (log 2 )

  30. 30 RESULTS: DISTRIBUTION SHAPE -- IN DETAIL Histograms of repeated attacks grouped by mean rank: Repeated attacks with an average rank of 2 96 Count 0 20 40 60 80 100 120 Estimated rank (log 2 )

  31. 31 RESULTS: DISTRIBUTION SHAPE -- IN DETAIL Histograms of repeated attacks grouped by mean rank: Repeated attacks with an average rank of 2 112 Count 0 20 40 60 80 100 120 Estimated rank (log 2 )

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bayesian Estimation of Low-rank Matrices Pierre Alquier Journes de Statistique du Sud,

Bayesian Estimation of Low-rank Matrices Pierre Alquier Journes de Statistique du Sud,

Bayesian Estimation of Low-rank Matrices : Introduction Bayesian Reduced Rank Regression Bayesian Matrix Completion Bayesian Estimation of Low-rank Matrices Pierre Alquier Journes de Statistique du Sud, Barcelona 09/06/2014 Pierre Alquier

596 views • 44 slides
2 3 4 5 8 9 MINNEAPOLIS MILWAUKEE MSA RANK #16 MSA RANK #39 CHICAGO MSA RANK #3

2 3 4 5 8 9 MINNEAPOLIS MILWAUKEE MSA RANK #16 MSA RANK #39 CHICAGO MSA RANK #3

2 3 4 5 8 9 MINNEAPOLIS MILWAUKEE MSA RANK #16 MSA RANK #39 CHICAGO MSA RANK #3 INDIANAPOLIS MSA RANK #34 DETROIT MSA RANK #14 COLUMBUS MSA RANK #33 BALTIMORE/ DC CORRIDOR MSA RANK #21 CINCINNATI MSA RANK #28 ATLANTA MSA RANK

726 views • 44 slides
Joint variable and rank selection for parsimonious estimation of high dimensional matrices

Joint variable and rank selection for parsimonious estimation of high dimensional matrices

Framework and motivation Joint Rank and Row Selection Methods Two-step JRRS estimators Numerical performance and examples Summary Joint variable and rank selection for parsimonious estimation of high dimensional matrices Florentina Bunea

370 views • 26 slides
FORMATION AND CHARACTERISATION OF FORMATION AND CHARACTERISATION OF NANOSTRUCTURED

FORMATION AND CHARACTERISATION OF FORMATION AND CHARACTERISATION OF NANOSTRUCTURED

FORMATION AND CHARACTERISATION OF FORMATION AND CHARACTERISATION OF NANOSTRUCTURED METASTABLE ALLOYS NANOSTRUCTURED METASTABLE ALLOYS Viorel Pop Faculty of Physics, Babes-Bolyai University, 3400 Cluj-Napoca, Romania Nanocrystalline

640 views • 49 slides
Phase transitions in low-rank matrix estimation May 11, 2017 Marc Lelarge & L eo Miolane

Phase transitions in low-rank matrix estimation May 11, 2017 Marc Lelarge & L eo Miolane

Phase transitions in low-rank matrix estimation May 11, 2017 Marc Lelarge & L eo Miolane INRIA, ENS 1 / 14 Introduction The statistical model Spiked Wigner model n XX Y + Z =

516 views • 22 slides
Low-rank Matrix Estimation via Approximate Message Passing Andrea Montanari Ramji Venkataramanan

Low-rank Matrix Estimation via Approximate Message Passing Andrea Montanari Ramji Venkataramanan

Low-rank Matrix Estimation via Approximate Message Passing Andrea Montanari Ramji Venkataramanan Stanford University University of Cambridge WoLA 2018 1 / 25 The Spiked Model k i v i v T R n n A = i + W i =1 1 2

783 views • 36 slides
Shower Characterisation James Pillow 19/12/2019 EM Task Force Events MC events from

Shower Characterisation James Pillow 19/12/2019 EM Task Force Events MC events from

Shower Characterisation James Pillow 19/12/2019 EM Task Force Events MC events from ProtoDUNE SP Production 2 with space charge. Using 3D position from shower calorimetry object. Using energy estimation from method Ive talked

565 views • 14 slides
Matching Size and Matrix Rank Estimation in Data Streams Sepehr Assadi University of

Matching Size and Matrix Rank Estimation in Data Streams Sepehr Assadi University of

Matching Size and Matrix Rank Estimation in Data Streams Sepehr Assadi University of Pennsylvania Joint work with Sanjeev Khanna (Penn), and Yang Li (Penn) Sepehr Assadi (Penn) JHU Algorithms and Complexity Seminar The Streaming Model

1.74k views • 135 slides
1 SVD applications: rank, column, row, and null spaces Rank : the rank of a matrix is equal to:

1 SVD applications: rank, column, row, and null spaces Rank : the rank of a matrix is equal to:

Statistical Modeling and Analysis of Neural Data (NEU 560) Princeton University, Spring 2018 Jonathan Pillow Lecture 3A notes: SVD and Linear Systems 1 SVD applications: rank, column, row, and null spaces Rank : the rank of a matrix is equal to:

462 views • 3 slides
R Packages for Rank-based Estimates John Kloke 1 Joseph McKean 2 1 University of Wisconsin -

R Packages for Rank-based Estimates John Kloke 1 Joseph McKean 2 1 University of Wisconsin -

R Packages for Rank-based Estimates John Kloke 1 Joseph McKean 2 1 University of Wisconsin - Madison 2 Western Michigan University 10 July 2013 Kloke, McKean R Packages for Rank-based Estimates Outline Rank-based (R) estimation for linear

529 views • 20 slides
Tensor estimation with structured priors Clment Luneau, Nicolas Macris June 29, 2020

Tensor estimation with structured priors Clment Luneau, Nicolas Macris June 29, 2020

Tensor estimation with structured priors Clment Luneau, Nicolas Macris June 29, 2020 Laboratoire de Thorie des Communications, EPFL, Switzerland Statistical model for tensor estimation Noisy observations of a symmetric rank-one tensor

422 views • 16 slides
/k Content 2/15 1. Introduction 2. Hamming weight 3. Rank weight 4. Extended rank weight

/k Content 2/15 1. Introduction 2. Hamming weight 3. Rank weight 4. Extended rank weight

On defining the generalized rank weight Ruud Pellikaan joint work with Relinde Jurrius Autonomous University Barcelona, 6 November 2014 /k Content 2/15 1. Introduction 2. Hamming weight 3. Rank weight 4. Extended rank weight enumerator

165 views • 15 slides
Improvements in the X- -ray characterisation of ray characterisation of Improvements in the X

Improvements in the X- -ray characterisation of ray characterisation of Improvements in the X

Improvements in the X- -ray characterisation of ray characterisation of Improvements in the X electroceramic thin films thin films by the application by the application of a of a electroceramic novel combined analysis procedure procedure

204 views • 18 slides
10. Learning to Rank Outline 10.1. Why Learning to Rank (LeToR)? 10.2. Pointwise, Pairwise,

10. Learning to Rank Outline 10.1. Why Learning to Rank (LeToR)? 10.2. Pointwise, Pairwise,

10. Learning to Rank Outline 10.1. Why Learning to Rank (LeToR)? 10.2. Pointwise, Pairwise, Listwise 10.3. Gathering User Input 10.4. LeToR Evaluation 10.5. Beyond Search Advanced Topics in Information Retrieval / Learning to Rank 2 10.1.

1.01k views • 34 slides
Preparation and characterisation Julia Lyubina Institute for Metallic Materials, IFW Dresden,

Preparation and characterisation Julia Lyubina Institute for Metallic Materials, IFW Dresden,

Preparation and characterisation Julia Lyubina Institute for Metallic Materials, IFW Dresden, Germany Characterisation x-ray diffraction imaging techniques (SEM, AFM, MFM) differential scanning calorimetry Preparation (included in

1.14k views • 54 slides
Reducing Uncertainty and Increasing Confidence in Reservoir Seismic Characterisation Erick

Reducing Uncertainty and Increasing Confidence in Reservoir Seismic Characterisation Erick

Reducing Uncertainty and Increasing Confidence in Reservoir Seismic Characterisation Erick Alvarez Team Leader Reservoir Seismic Characterisation Senergy Society of Petroleum Engineers Distinguished Lecturer Program www.spe.org/dl 1

275 views • 24 slides
Open Source Developers are Securitys new front line A shifting landscape of attacks Ilkka

Open Source Developers are Securitys new front line A shifting landscape of attacks Ilkka

Open Source Developers are Securitys new front line A shifting landscape of attacks Ilkka Turunen Global Director, Sonatype @llkkaT 20XX: Software has eaten the world It used open source to chew it up Everyone has a software supply

1.25k views • 59 slides
Energy-Efficient ARM64 Cluster with Cryptanalytic Applications 80 Cores That Do Not Cost You an

Energy-Efficient ARM64 Cluster with Cryptanalytic Applications 80 Cores That Do Not Cost You an

Energy-Efficient ARM64 Cluster with Cryptanalytic Applications 80 Cores That Do Not Cost You an ARM and a Leg Latincrypt 2017, 21st September 2017 1/19 Thom Wiggers Outline Introduction Building a cheap cluster The Cortex-A53 Breaking ECC

741 views • 70 slides
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg

THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg

THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg Schwenk 1 , Adam Czubak 2 , Marcin Szymanek 2 1 : Ruhr University Bochum, Germany 2 : University of Opole, Poland 27 TH USENIX SECURITY SYMPOSIUM

476 views • 25 slides
Welcome to 2017 Analyst Day September 21, 2017 Safe Harbor for Forward-Looking Statements This

Welcome to 2017 Analyst Day September 21, 2017 Safe Harbor for Forward-Looking Statements This

Welcome to 2017 Analyst Day September 21, 2017 Safe Harbor for Forward-Looking Statements This presentation contains forward-looking statements regarding our financial prospects, including financial guidance for 3Q-2017, markets, demand for our

386 views • 13 slides
The Internet of Things and the DNS Jacques Latour / SSAC ICANN65 | June 2019 | 1 Introduction

The Internet of Things and the DNS Jacques Latour / SSAC ICANN65 | June 2019 | 1 Introduction

The Internet of Things and the DNS Jacques Latour / SSAC ICANN65 | June 2019 | 1 Introduction | 2 | 2 Security and Stability Advisory Committee (SSAC) Who We Are What We Do Role: Advise the ICANN community and 39 Members Board on

385 views • 15 slides
Security on cloud storage and IaaS at Taiwan-Japan Workshop 2012/Nov/27

Security on cloud storage and IaaS at Taiwan-Japan Workshop 2012/Nov/27

Resea earch I Institut ute e for or Se Secure Sy Systems Security on cloud storage and IaaS at Taiwan-Japan Workshop 2012/Nov/27 http://www.jst.go.jp/sicp/ws2012_nsc.html Kuniyasu Suzaki Research Institute for Secure Systems (RISEC)

350 views • 22 slides
Protection of cryptographic keys recodings against physical attacks Supervisor: Author: Simon

Protection of cryptographic keys recodings against physical attacks Supervisor: Author: Simon

Protection of cryptographic keys recodings against physical attacks Supervisor: Author: Simon RASTIKIAN Arnaud TISSERAND 2 = 3 PLAN Introduction Elliptic Curve Cryptography Side Channel Attacks

473 views • 33 slides
Missile External Aerodynamics Using Star-CCM+ Star European Conference 03/22-23/2011

Missile External Aerodynamics Using Star-CCM+ Star European Conference 03/22-23/2011

Missile External Aerodynamics Using Star-CCM+ Star European Conference 03/22-23/2011 StarCCM_StarEurope_2011 4/6/11 1 Overview 2 Role of CFD in Aerodynamic Analyses Classical aerodynamics / Semi-Empirical Bound the problem

334 views • 21 slides

More recommend