Confusing Information: How Confusion Improves Side-Channel Analysis


SLIDE 1

Confusing Information:

How Confusion Improves Side-Channel Analysis for Monobit Leakages

Cryptarchi 2018 June 17-19, 2018 Guidel-Plage, France Eloi de Chérisey, Sylvain Guilley & Olivier Rioul

Télécom ParisTech, Université Paris-Saclay, France.

SLIDE 2

Contents

  • Introduction
      • Motivation
      • Notations and Assumptions
      • The Confusion Coefficient κ
  • The Confusion Channel
  • Computation of Known Distinguishers w.r.t. κ
      • DoM
      • CPA
      • KSA
      • MIA
  • Conclusion

SLIDE 6

Motivation

  • What is the exact link between side-channel distinguishers and the confusion coefficient for monobit leakages?
  • Re-derive it for DoM, CPA, KSA and derive it for MIA;
  • Is any sound distinguisher a function of the confusion coefficient (and noise)?

SLIDE 7

Leakage Model

Definition (Leakage Sample)

Observable leakage $X$ can be written as:

$$X = Y(k^*) + N$$

where $Y(k) = f(k, T)$ is the sensitive variable.

Notations:

  • $T$: a random plain or ciphertext;
  • $k^*$: the secret key;
  • $N$: some additive noise;
  • $f$: a deterministic function.

SLIDE 8

Assumptions

W.l.o.g. assume $Y(k) = \pm 1$ equiprobable:

  • zero mean $E[Y(k)] = 0$ and unit variance $E[Y(k)^2] = 1$
  • $P(Y(k) = -1) = P(Y(k) = +1) = 1/2$

Gaussian noise $N \sim \mathcal{N}(0, \sigma^2)$.

Definition (Distinguisher)

Practical distinguisher: $\hat{D}(k)$. Theoretical distinguisher: $D(k)$.

$$\hat{k} = \arg\max \hat{D}(k)$$

The estimated key maximizes $D(k)$. If sound, $\arg\max \hat{D}(k) = k^*$.

SLIDE 9

Fei et al.’s “Confusion Coefficient”

After [Fei et al., 2012].

Definition (Confusion Coefficient)

$$\kappa(k, k^*) = \kappa(k) = P(Y(k) \neq Y(k^*))$$

valid only for monobit leakages (DoM).

SLIDE 10

Confusion and Security

From [Heuser et al., 2014].

Theorem (Differential Uniformity)

The differential uniformity of an S-box is linked with the confusion coefficient by:

$$2^{-n}\Delta_S - \frac{1}{2} = \max_{k \neq k^*} \left| \frac{1}{2} - \kappa(k) \right|$$

$\Longrightarrow$ a “good” S-box should have confusion coefficient near $\frac{1}{2}$.

SLIDE 11

Illustration Without Permutation

Example with $Y(k) = T \oplus k \bmod 2$, $k^* = 54$.

SLIDE 12

Illustration for Random Permutation

Example with $Y(k) = \mathrm{RP}(T \oplus k) \bmod 2$.

SLIDE 13

Illustration for AES S-box

Example with $Y(k) = \mathrm{Sbox}(T \oplus k) \bmod 2$.

SLIDE 15

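A Confusion Channel from $Y(k)$ to $Y(k^*)$

Channel transitions from $Y(k)$ to $Y(k^*)$:

  • $-1 \to -1$ with probability $1 - p$, and $-1 \to 1$ with probability $p$;
  • $1 \to 1$ with probability $1 - q$, and $1 \to -1$ with probability $q$.

Since

$$\begin{aligned}
P(Y(k^*) = -1) &= (1 - p)\,P(Y(k) = -1) + q\,P(Y(k) = 1) \\
= P(Y(k^*) = 1) &= (1 - q)\,P(Y(k) = 1) + p\,P(Y(k) = -1),
\end{aligned}$$

we have:

$$p = q = \kappa(k).$$

This is a binary symmetric channel (BSC).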

SLIDE 16

Confusion Channel’s Capacity

Since $Y(k)$ is equiprobable, the mutual information of the BSC equals its capacity:

$$C(k) = I(Y(k^*); Y(k)) = 1 - H_2(\kappa(k))$$

SLIDE 17

A General Result for any Distinguisher

Theorem (Monobit Leakage Distinguisher)

The theoretical distinguisher of any monobit leakage is a function of κ(k) and σ.

Proof.

The theoretical distinguisher depends on the joint distribution of $X$ and $Y(k)$:

$$P(X, Y(k)) = P(Y(k^*) + N;\, Y(k)) = P(Y(k)) \cdot P(Y(k^*) + N \mid Y(k)) = P(B_{1/2}) \cdot P(B_{\kappa(k)} + N)$$

where $N \sim \mathcal{N}(0, \sigma^2)$.

SLIDE 19

Difference of Means (DoM)

Definition (DoM)

Practical distinguisher:

$$\hat{D}(k) = \frac{\sum_{q / Y(k)=+1} X_q}{\sum_{q / Y(k)=+1} 1} - \frac{\sum_{q / Y(k)=-1} X_q}{\sum_{q / Y(k)=-1} 1}.$$

Theoretical distinguisher: $D(k) = E[X \cdot Y(k)]$

SLIDE 20

DoM Computation

We have:

$$D(k) = E[X \cdot Y(k)] = E[(Y(k^*) + N) \cdot Y(k)] = E[Y(k) \cdot Y(k^*)] = E[2 \cdot \mathbb{1}_{Y(k) = Y(k^*)} - 1] = 2(1 - \kappa(k)) - 1 = 1 - 2\kappa(k).$$

Therefore:

$$D(k) = 2\left(\frac{1}{2} - \kappa(k)\right).$$

SLIDE 21

Correlation Power Analysis (CPA)

Definition (CPA)

Practical distinguisher: Pearson coefficient

$$\hat{D}(k) = \frac{|\hat{E}[X \cdot Y(k)] - \hat{E}[X] \cdot \hat{E}[Y(k)]|}{\hat{\sigma}_X \cdot \hat{\sigma}_{Y(k)}},$$

Theoretical distinguisher:

$$D(k) = \frac{|E[X \cdot Y(k)] - E[X] \cdot E[Y(k)]|}{\sigma_X \cdot \sigma_{Y(k)}},$$

which is the correlation coefficient between $X$ and $Y(k)$.

SLIDE 22

CPA Computation

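Since $E[Y(k)] = 0$ and $\sigma_{Y(k)} = 1$, we have:

$$D(k) = \frac{|E[X \cdot Y(k)] - E[X] \cdot E[Y(k)]|}{\sigma_X \cdot \sigma_{Y(k)}} = \frac{|E[X \cdot Y(k)]|}{\sigma_X}.$$

From the DoM computation and since $\sigma_X^2 = 1 + \sigma^2$, we have:

$$D(k) = \frac{2\,|1/2 - \kappa(k)|}{\sqrt{1 + \sigma^2}}.$$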
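The confusion coefficient and the DoM and CPA closed forms above can be checked numerically. The following Python code is an added example, not part of the original slides: it computes $\kappa(k)$ exactly for the AES S-box LSB with $k^* = 54$ and simulates a DoM attack on $X = Y(k^*) + N$; the function names, trace count, noise level and seed are assumptions chosen for the illustration.

```python
# Added example; trace count, sigma and seed are constructed values.
import math
import random

def aes_sbox():
    """AES S-box: inverse in GF(2^8) followed by the affine map."""
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)  # p *= 3
        q ^= q << 1                                             # q /= 3
        q ^= q << 2
        q ^= q << 4
        q = (q & 0xFF) ^ (0x09 if q & 0x80 else 0)
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # 0 has no inverse
    return sbox

SBOX = aes_sbox()
K_STAR = 54  # k* used in the slides' illustration

def y(k, t):
    """Sensitive bit Sbox(T xor k) mod 2, mapped to +1 / -1."""
    return 1 - 2 * (SBOX[t ^ k] & 1)

def kappa(k, k_star=K_STAR):
    """Exact confusion coefficient P(Y(k) != Y(k*)) for uniform T."""
    return sum(y(k, t) != y(k_star, t) for t in range(256)) / 256

def dom_theory(k):
    return 1 - 2 * kappa(k)            # D(k) = 2(1/2 - kappa(k))
def cpa_theory(k, sigma):
    return 2 * abs(0.5 - kappa(k)) / math.sqrt(1 + sigma ** 2)

def simulate_dom(n_traces=20000, sigma=2.0, seed=1):
    """Empirical E[X * Y(k)] for each key guess, with X = Y(k*) + N."""
    rng = random.Random(seed)
    sums = [0.0] * 256                 # sum of X over traces with T = t
    for _ in range(n_traces):
        t = rng.randrange(256)
        sums[t] += y(K_STAR, t) + rng.gauss(0.0, sigma)
    return [sum(sums[t] * y(k, t) for t in range(256)) / n_traces
            for k in range(256)]

if __name__ == "__main__":
    emp = simulate_dom()
    print("best guess:", max(range(256), key=emp.__getitem__))
```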

SLIDE 23

Illustration for AES SubBytes w.r.t. Noise

[Figure: two panels, $\sigma = 4$ and $\sigma = 8$.]

SLIDE 24

Illustration for σ = 8 w.r.t. SubBytes

[Figure: two panels, AES SubBytes and no SubBytes.]

SLIDE 25

Kolmogorov-Smirnov Analysis (KSA)

Definition (KSA)

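Practical Distinguisher:

$$\hat{D}(k) = E_{Y(k)} \left\| \hat{F}(x \mid Y(k)) - \hat{F}(x) \right\|_\infty$$

Theoretical Distinguisher:

$$D(k) = E_{Y(k)} \left\| F(x \mid Y(k)) - F(x) \right\|_\infty$$

where:

  • $F(x)$ and $F(x \mid Y(k))$ are the cumulative distribution functions of $X$ and $X \mid Y(k)$;
  • $\|f(x)\|_\infty = \sup_{x \in \mathbb{R}} |f(x)|$.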

SLIDE 26

KSA Computation

Theorem (KSA and Confusion [Heuser et al., 2014])

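With our assumptions, we have:

$$D(k) = \operatorname{erf}\left(\sqrt{\frac{\mathrm{SNR}}{2}}\right) \left| \frac{1}{2} - \kappa(k) \right|$$

where $\operatorname{erf}(x) = \frac{2}{\sqrt{\pi}} \int_{-\infty}^{x} e^{-t^2}\,dt$.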

SLIDE 27

Mutual Information Analysis (MIA)

Definition (MIA)

Practical Distinguisher: $\hat{D}(k) = \hat{I}(X; Y(k))$

Theoretical Distinguisher: $D(k) = I(X; Y(k)) = h(X) - h(X \mid Y(k))$

Theorem (MIA Computation (Main result))

For a monobit leakage:

$$D(k) = 2(\log_2 e)\left(\frac{1}{2} - \kappa(k)\right)^2 f(\sigma),$$

where $f$ is such that $f(\sigma) \to 1$ when $\sigma \to 0$ and $f(\sigma) \sim 1/\sigma^2$ as $\sigma \to \infty$.

SLIDE 28

Main Result: Sketch of the Proof

$$I(X; Y(k)) = h(X) - h(X \mid Y(k)) = h(B'_{1/2} + N) - h(B'_{\kappa(k)} + N)$$

Case 1: Very high SNR ($\sigma \to 0$)

$$h(B'_{1/2} + N) \approx H(B'_{1/2}) + h(N)$$

$$h(B'_{\kappa(k)} + N) \approx H(B'_{\kappa(k)}) + h(N)$$

$$D(k) \approx 1 - H(B'_{\kappa(k)}) = 1 - H_2(\kappa(k))$$

Second order Taylor expansion about $1/2$:

$$D(k) \approx 2(\log_2 e)(1/2 - \kappa(k))^2$$

SLIDE 29

Main Result: Sketch of the Proof (Cont’d)

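Case 2: Very low SNR ($\sigma \to +\infty$)

All signals behave like Gaussians.

$$\begin{aligned}
D(k) &= h(B'_{1/2} + N) - h(B'_{\kappa(k)} + N) \\
&\approx \frac{1}{2}\log_2\big(2\pi e(\sigma^2 + 1)\big) - \frac{1}{2}\log_2\big(2\pi e(\sigma^2 + 4\kappa(k)(1 - \kappa(k)))\big) \\
&= \frac{1}{2}\log_2 \frac{\sigma^2 + 1}{\sigma^2 + 4\kappa(k)(1 - \kappa(k))} \\
&= -\frac{1}{2}\log_2 \frac{\sigma^2 + 1 + 4\kappa(k)(1 - \kappa(k)) - 1}{\sigma^2 + 1} \\
&\approx -\frac{\log_2 e}{2} \cdot \frac{4\kappa(k)(1 - \kappa(k)) - 1}{\sigma^2 + 1} \\
&\approx \frac{2(\log_2 e)(1/2 - \kappa(k))^2}{\sigma^2}
\end{aligned}$$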

SLIDE 30

Main Result: Sketch of the Proof (Cont’d)

General Case: any SNR, first order in 1/2 − κ

Theorem

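$$D(k) = 2(\log_2 e)\left(\frac{1}{2} - \kappa(k)\right)^2 \cdot \frac{1}{2} E_X\left[\tanh^2\left(\frac{\sigma X + 1}{\sigma^2}\right) + \tanh^2\left(\frac{\sigma X - 1}{\sigma^2}\right)\right]$$

where $X \sim \mathcal{N}(0, 1)$ is standard normal.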

SLIDE 32

Conclusion

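A unified view of side-channel distinguishers on monobit leakages:

  • DoM: $\frac{1}{2}(1/2 - \kappa(k))$;
  • CPA: $\frac{|1/2 - \kappa(k)|}{\sqrt{1 + \sigma^2}}$;
  • KSA: $|1/2 - \kappa(k)| \operatorname{erf}\left(\sqrt{\frac{\mathrm{SNR}}{2}}\right)$;
  • MIA: $2(\log_2 e)(1/2 - \kappa(k))^2 f(\sigma)$.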

SLIDE 34

References I

Fei, Y., Luo, Q., and Ding, A. A. (2012). A Statistical Model for DPA with Novel Algorithmic Confusion Analysis. In Prouff, E. and Schaumont, P., editors, CHES, volume 7428 of LNCS, pages 233–250. Springer.

Heuser, A., Rioul, O., and Guilley, S. (2014). A Theoretical Study of Kolmogorov-Smirnov Distinguishers — Side-Channel Analysis vs. Differential Cryptanalysis. In Prouff, E., editor, Constructive Side-Channel Analysis and Secure Design - 5th International Workshop, COSADE 2014, Paris, France, April 13-15, 2014. Revised Selected Papers, volume 8622 of Lecture Notes in Computer Science, pages 9–28. Springer.