Efficient Template Attacks CARDIS 2013 Omar Choudary Markus G. - - PowerPoint PPT Presentation

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Efficient Template Attacks

CARDIS 2013 Omar Choudary Markus G. Kuhn Berlin, 29 November 2013

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 1

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Introduction

Template Attacks [Chari et al., ’03]

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 2

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Introduction

Template Attacks [Chari et al., ’03] Certification to CC profiles requires their evaluation

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 2

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Introduction

Template Attacks [Chari et al., ’03] Certification to CC profiles requires their evaluation Contributions:

Dealing with large number of samples (avoiding numerical pitfalls)

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 2

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Introduction

Template Attacks [Chari et al., ’03] Certification to CC profiles requires their evaluation Contributions:

Dealing with large number of samples (avoiding numerical pitfalls) Efficient implementation (reducing evaluation time, e.g. from 3 days to 30 minutes)

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 2

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Introduction

Template Attacks [Chari et al., ’03] Certification to CC profiles requires their evaluation Contributions:

Dealing with large number of samples (avoiding numerical pitfalls) Efficient implementation (reducing evaluation time, e.g. from 3 days to 30 minutes) Fair evaluation of most common compression techniques

Show several assumptions do not hold in general Practical guideline for choosing the right compression

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 2

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Introduction

Template Attacks [Chari et al., ’03] Certification to CC profiles requires their evaluation Contributions:

Dealing with large number of samples (avoiding numerical pitfalls) Efficient implementation (reducing evaluation time, e.g. from 3 days to 30 minutes) Fair evaluation of most common compression techniques

Show several assumptions do not hold in general Practical guideline for choosing the right compression

And ... we provide data and code so you can try it!

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 2

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Experiment: eavesdropping on 8-bit data bus

Executed Code: movw r30, r24 ld r8, Z+ ld r9, Z+ ld r10, Z+ ld r11, Z+

2 4 6 8 10 Time [µs] Amplitude

MOV LD R8, clk #1 LD R8, clk #2 LD R9, clk #1 LD R9, clk #2 LD R10, clk #1 LD R10, clk #2 LD R11 clk #1 LD R11, clk #2 LD R12 clk #1

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 3

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Experiment: eavesdropping on 8-bit data bus

Executed Code: movw r30, r24 ld r8, 0 ld r9, k ld r10, 0 ld r11, 0

2 4 6 8 10 Time [µs] Amplitude

MOV LD R8, clk #1 LD R8, clk #2 LD R9, clk #1 LD R9, clk #2 LD R10, clk #1 LD R10, clk #2 LD R11 clk #1 LD R11, clk #2 LD R12 clk #1

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 4

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Profiling: Acquire Traces

Executed Code: movw r30, r24 ld r8, 0 ld r9, k ld r10, 0 ld r11, 0 k = 0

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

k = 1

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

. . . k = 255

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 5

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Profiling: Estimate Templates

k = 0

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

k = 1

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

. . . k = 255 ¯ xk

3.2 3.4 3.6 3.8 4 4.2 4.4 4.6 0.01 0.02 0.03 0.04 0.05 0.06 Time [µs] Amplitude [V] µr

1

µr

1 + std(µr 1)

µr

1 − std(µr 1)

maxk(µr

k)

mink(µr

k)

Sk

10 20 30 40 50 60 10 20 30 40 50 60 5 10 15 20 x 10

6

Compression

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 6

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Attack: using the multivariate normal distribution

d(k | x) =

1

√

(2π)m|Sk| exp

• − 1

2(x − ¯

xk)′S−1

k (x − ¯

xk)

• 2

4 6 8 10 Time [µs] Amplitude

MOV LD R8, clk #1 LD R8, clk #2 LD R9, clk #1 LD R9, clk #2 LD R10, clk #1 LD R10, clk #2 LD R11 clk #1 LD R11, clk #2 LD R12 clk #1

k⋆ → argmaxk d(k | x)

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 7

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Problem 1: Floating point issues

d(k | x) =

1

√

(2π)m|Sk| exp

• − 1

2(x − ¯

xk)′S−1

k (x − ¯

xk)

• Issue 1: exp(x) is only safe for |x| < 710, which is easily

exceeded in our experiments.

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 8

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Problem 1: Floating point issues

d(k | x) =

1

√

(2π)m|Sk| exp

• − 1

2(x − ¯

xk)′S−1

k (x − ¯

xk)

• Issue 1: exp(x) is only safe for |x| < 710, which is easily

exceeded in our experiments. Issue 2: |Sk| can overflow/underflow easily for large m (> 50). These are real problems. Naive implementations are likely to fail.

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 9

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Solution: use LOG

dLOG(k | x) = − m

2 log 2π − 1 2 log |Sk| − 1 2(x − ¯

xk)′S−1

k (x − ¯

xk) log

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 10

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Caveat: pdf can be larger than 1

[Mangard, Oswald, Popp ’07] “[Choose the candidate k that leads to the] smallest absolute value [of dLOG]” log

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 11

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Caveat: pdf can be larger than 1

[Mangard, Oswald, Popp ’07] “[Choose the candidate k that leads to the] smallest absolute value [of dLOG]” Incorrect: log is monotonic, abs is not! We choose k with highest value of dLOG. log

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 12

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Problem 2: dealing with large number of samples

Myth: problems with inversion of Sk as soon as m is large. m = number of samples np = number of traces from profiling, for each k

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 13

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Problem 2: dealing with large number of samples

Myth: problems with inversion of Sk as soon as m is large. Clarification:

np ≤ m: Sk cannot be inverted (rank(Sk) < np)

m = number of samples np = number of traces from profiling, for each k

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 13

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Problem 2: dealing with large number of samples

Myth: problems with inversion of Sk as soon as m is large. Clarification:

np ≤ m: Sk cannot be inverted (rank(Sk) < np) np > m: Sk will most likely be invertible (ignoring highly correlated samples)

m = number of samples np = number of traces from profiling, for each k

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 13

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Problem 2: dealing with large number of samples

Myth: problems with inversion of Sk as soon as m is large. Clarification:

np ≤ m: Sk cannot be inverted (rank(Sk) < np) np > m: Sk will most likely be invertible (ignoring highly correlated samples)

Problem: obtaining np > m can be difficult due to memory and time constrainints. m = number of samples np = number of traces from profiling, for each k

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 13

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Scenario 1: Sk dependent on k

x1 x2 S1 S2 S3 S4 S5 S6

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 14

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Scenario 2: Sk independent on k

x1 x2 S1 S2 S3 S4 S5 S6

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 15

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Efficient solution: use Spooled

x1 x2

S1 S2 S3 S4 S5 S6

x1 x2 average

Spooled Spooled Spooled Spooled Spooled Spooled

Spooled is an average of the covariances. Spooled uses |S|np traces, while Sk only np. Now the condition for non-singularity is np > m

|S|

A great advantage in practice.

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 16

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Mahalanobis Distance

d(k | x) =

1

√

(2π)m|Spooled| exp

• − 1

2(x − ¯

xk)′S−1

pooled(x − ¯

xk)

• Omar Choudary, Markus G. Kuhn

Efficient Template Attacks Slide 17

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Mahalanobis Distance

dMD(k | x) = − 1

2(x − ¯

xk)′S−1

pooled(x − ¯

xk) Still not optimal: quadratic in x dMD ≈

• i
• j

sijxixj

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 18

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Combining traces for na > 1

djoint

MD (k | Xk⋆) = − 1 2

• xi∈Xk⋆

(xi − ¯ xk)′S−1

k (xi − ¯

xk)

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 19

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Combining traces for na > 1

djoint

MD (k | Xk⋆) = − 1 2

• xi∈Xk⋆

(xi − ¯ xk)′S−1

k (xi − ¯

xk) Computation of MD: O(m3) na = number of traces used in attack

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 20

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Combining traces for na > 1

djoint

MD (k | Xk⋆) = − 1 2

• xi∈Xk⋆

(xi − ¯ xk)′S−1

k (xi − ¯

xk) Computation of MD: O(m3) Total computation: O(nam3)

Not good for large m 3 days for m = 125, na = 1000

na = number of traces used in attack

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 20

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Linear Discriminant

djoint

LINEAR(k | Xk⋆) = ¯

x′

kS−1 pooled xi∈Xk⋆

xi

• − na

2 ¯ x′

kS−1 pooled¯

xk Computation in O(na + m3) Much better than djoint

MD : O(nam3)

In practice: for m = 125, na = 1000

djoint

MD needs 3 days

djoint

LINEAR only 30 minutes

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 21

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Compression Methods

k = 0

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

k = 1

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

. . . k = 255 ¯ xk

3.2 3.4 3.6 3.8 4 4.2 4.4 4.6 0.01 0.02 0.03 0.04 0.05 0.06 Time [µs] Amplitude [V] µr

1

µr

1 + std(µr 1)

µr

1 − std(µr 1)

maxk(µr

k)

mink(µr

k)

Sk

10 20 30 40 50 60 10 20 30 40 50 60 5 10 15 20 x 10

6

Compression

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 22

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Compression Methods: Sample Selection

1 1.5 2 2.5 clock cycles dom sosd snr std clock

Myth: “Additional samples per clock do not provide additional information” [Rechberger,Oswald ’05] 1ppc: 1 point per clock [Rechberger,Oswald ’05] 3ppc (20 samples) 20ppc (70 samples) allap (125 samples)

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 23

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Compression Methods: PCA

     Xr Xr

1

. . . Xr

255

     →      ¯ x0 ¯ x1 . . . ¯ x255      → PCA → U

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 24

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Compression Methods: PCA

     Xr Xr

1

. . . Xr

255

     →      ¯ x0 ¯ x1 . . . ¯ x255      → PCA → U

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

U′ Sr

k

U = Sk (large m) (small m) [Archambeau et al. ’06]

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 25

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Compression Methods: PCA

     Xr Xr

1

. . . Xr

255

     →      ¯ x0 ¯ x1 . . . ¯ x255      → PCA → U

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

2 4 6 8 10 Time [µs] Amplitude

U′ Sr

k

U = Sk (large m) (small m) [Archambeau et al. ’06] 1. Xr

k

U = Xk (large m) (small m)

• 2. Sk = Cov(Xk)

Our approach

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 26

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Compression Methods: LDA

     ¯ x0 ¯ x1 . . . ¯ x255      + Spooled → LDA → U

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 27

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Compression Methods: LDA

     ¯ x0 ¯ x1 . . . ¯ x255      + Spooled → LDA → U U′ Sr

k

U = Sk (large m) (small m) [Standaert et al. ’08]

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 28

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Compression Methods: LDA

     ¯ x0 ¯ x1 . . . ¯ x255      + Spooled → LDA → U U′ Sr

k

U = Sk (large m) (small m) [Standaert et al. ’08] Sk = I (we can ignore it, while using all information!) Our approach:

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 29

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Evaluation by Guessing Entropy

• 1. Sort candidates by decreasing score d(k | Xk⋆)

1 k = 74 2 k = 13 Dk⋆ = 3 k = k⋆ = 9 depth of correct k . . . . . . 256 k = 201

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 30

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Evaluation by Guessing Entropy

• 1. Sort candidates by decreasing score d(k | Xk⋆)

1 k = 74 2 k = 13 Dk⋆ = 3 k = k⋆ = 9 depth of correct k . . . . . . 256 k = 201

• 2. Compute average over all k⋆:

¯ Dk⋆

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 31

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Evaluation by Guessing Entropy

• 1. Sort candidates by decreasing score d(k | Xk⋆)

1 k = 74 2 k = 13 Dk⋆ = 3 k = k⋆ = 9 depth of correct k . . . . . . 256 k = 201

• 2. Compute average over all k⋆:

¯ Dk⋆

• 3. Guessing Entropy = log2 Dk⋆

Estimates the remaining key strength in targeted brute force search that tries most likely candidates first

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 32

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Results

10 10

1

10

2

10

3

1 2 3 4 5 6 na (log axis) Guessing entropy (bits) 10 10

1

10

2

10

3

1 2 3 4 5 6 na (log axis) Guessing entropy (bits) 10 10

1

10

2

10

3

1 2 3 4 5 6 na (log axis) Guessing entropy (bits) 10 10

1

10

2

10

3

1 2 3 4 5 6 na (log axis) Guessing entropy (bits)

Sk Spooled np = 200 np = 2000 PCA

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 33

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Results

10 10

1

10

2

10

3

1 2 3 4 5 6 na (log axis) Guessing entropy (bits)

Spooled, np = 200 LDA PCA 1ppc

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 34

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Results

10 10

1

10

2

10

3

1 2 3 4 5 6 na (log axis) Guessing entropy (bits)

Spooled, np = 2000 LDA 1ppc

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 35

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Practical Guideline

np

200 2000 log 1ppc log 3ppc log 20ppc log allap log pca md 1ppc md 3ppc md 20ppc md allap md pca md lda 1 2 3 4 5 6

na = 1 Sk Spooled

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 36

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Practical Guideline

np

200 2000 log 1ppc log 3ppc log 20ppc log allap log pca md 1ppc md 3ppc md 20ppc md allap md pca md lda 1 2 3 4 5 6

na = 1000 Sk Spooled

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 37

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Code and Data available

http://www.cl.cam.ac.uk/research/security/datasets/grizzly/

Raw data used for all the results shown in the paper. MATLAB scripts to compute template attacks efficiently, including all the algorithms described in the paper.

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 38

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Conclusion

Template Attacks can be much more efficient than we thought

Can use large number of samples Evaluation time reduced from 3 days to 30 minutes Explore this when using template attacks Might influence CC Evaluation

Be aware of incorrect assumptions/implementations ⇒ Now you have our paper! Practical guideline for choosing the right compression method Now you have data and code to implement efficient template attacks

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 39

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion

Questions?

Omar Choudary: omar.choudary@cl.cam.ac.uk Markus G. Kuhn: markus.kuhn@cl.cam.ac.uk

Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 40