Fast leakage assessment

Oscar Reparaz, Benedikt Gierlichs, Ingrid Verbauwhede. COSIC / KU Leuven. CHES 2017, Taipei (Taiwan), 2017-09-26.


slide-1
SLIDE 1

Fast leakage assessment

Oscar Reparaz Benedikt Gierlichs Ingrid Verbauwhede

COSIC / KU Leuven CHES 2017 Taipei (Taiwan) 2017-09-26

1

slide-2
SLIDE 2

an empirical approach to test device security

“Enumerate all attacks, check if any is successful”

  • ✅ very concrete view on the security level provided
  • ❌ a bit slow
  • ❌ difficult to be comprehensive (not all attacks are public, time is finite, …)

2

slide-3
SLIDE 3

evaluation space

3

measurement setup | input structure | intermediate targeted | distinguisher
power | random plaintext | round 1 after sbox 1 | single bit
EM at coordinate (x,y) | fix first column | round 1 after sbox 2 | CPA with HW
EM at different place | … | CPA with HD
round 1 after MC 1 | CPA + linear regression

slide-4
SLIDE 4

measurement setup | input structure | intermediate targeted | distinguisher
power | random plaintext | round 1 after sbox 1 | single bit
EM at coordinate (x,y) | fix first column | round 1 after sbox 2 | CPA with HW
EM at different place | … | CPA with HD
round 1 after MC 1 | CPA + linear regression

4

slide-5
SLIDE 5

measurement setup | input structure | intermediate targeted | distinguisher
power | random plaintext | round 1 after sbox 1 | single bit
EM at coordinate (x,y) | fix first column | round 1 after sbox 2 | CPA with HW
EM at different place | … | CPA with HD
round 1 after MC 1 | CPA + linear regression

5

one million knobs to adjust
slide-6
SLIDE 6

Fast leakage assessment

6

slide-7
SLIDE 7

Security notions

Can an adversary extract the key?

key recovery: “pragmatic” security notion (≈ DPA)

7

slide-8
SLIDE 8

Security notions

  • key recovery: Can an adversary extract the key? “pragmatic” security notion (≈ DPA)
  • (in)distinguishability: Can an adversary tell the two devices (k=k1, k=k2) apart? “stronger” security notion (≈ leakage assessment)

8

slide-9
SLIDE 9

Leakage assessment review

  • A. Take N measurements for each plaintext class
  • B. For each class, describe the trace distribution
      • normally use some descriptive statistic: mean, variances, skewness, kurtosis, …
  • C. Compare the class-dependent statistics
      • If significant difference -> fail test
      • Otherwise: “pass”

statistical test distribution statistic measurement setup

9

FC 2000

slide-10
SLIDE 10

10

measurement setup | input structure | intermediate targeted | distinguisher
power | random plaintext
EM at coordinate (x,y) | fix first column
EM at different place

slide-11
SLIDE 11

A common instance of leakage assessment

  • Distribution parameter to check: means
  • Statistical test: Welch’s t-test
  • Classes definition:
      • p=a fix “special” value
      • p=a random value

$$t = \frac{\bar{x}_1 - \bar{x}_2}{\sqrt{\frac{s_1^2}{n_1} + \frac{s_2^2}{n_2}}}$$

Generalization: higher-order tests (useful when targeting masked implementations) (=non-specific first-order test)

THIS TALK: COMPUTATIONAL EFFICIENCY

11

slide-12
SLIDE 12

Problem description

  • Compute efficiently all statistical moments up to order d
  • Important practicalities:
      • online (=one pass) formulas
      • acquire trace, process it and throw away. Never touches HDD (bottleneck)
      • many traces, probably long
      • numerical stability (millions of traces). results should be, well, reliable

12

slide-13
SLIDE 13

Fast leakage assessment

13

slide-14
SLIDE 14

14

samples samples statistics densities

  • Observation: traces take integral values in ([0, 2^Q) ∩ Z)^L

formulae [Schneider—Moradi]

statistics

slide-15
SLIDE 15

2015 Schneider—Moradi

15

slide-16
SLIDE 16

16

samples samples statistics densities

  • Observation: traces take integral values in ([0, 2^Q) ∩ Z)^L

formulae [Schneider—Moradi]

statistics

slide-17
SLIDE 17

17

samples statistics samples statistics densities

  • Observation: traces take integral values in ([0, 2^Q) ∩ Z)^L

(complicated) formulae, per each trace [Schneider—Moradi]

[Reparaz—Gierlichs] trivial, once per each trace; trivial, only when required
slide-18
SLIDE 18

18

samples statistics densities

  • Observation: traces take integral values in ([0, 2^Q) ∩ Z)^L

[Reparaz—Gierlichs] trivial, also trivial

Our method:

  • 1. Build a histogram expressing trace distribution
  • 2. From the histogram, compute arbitrary distribution parameters

hist[s]++

slide-19
SLIDE 19

19

slide-20
SLIDE 20

20


slide-21
SLIDE 21

21


slide-22
SLIDE 22

22


slide-23
SLIDE 23

Implementation

  • C99 prototype in 130 lines. Uses 32-bit counters -> at most 4 billion measurements without overflowing.
  • Q=8 (as most ADCs)
  • Variance: do not need to use single pass!
      • but used Welford method (just to recycle code)

23

slide-24
SLIDE 24

Results

  • N=1 million, L=3000 samples, gcc -O3, Core i5, up to order 5
      • 9.8 s for step 1
      • 0.8 s for step 2
      • this makes 305 MB/s -> 500 to 800 times faster
      • (synthetic dataset with worst-case cache access pattern)
  • Memory: when L=3000 the two histograms take 6 MB which just fits on L2 cache

24

slide-25
SLIDE 25

25

slide-26
SLIDE 26

26

slide-27
SLIDE 27

27

slide-28
SLIDE 28
  • Time scales linear in (essentially) everything. Embarrassingly parallel

  • Take away: 500-800 fold speed-up
  • Before: 3 CPU-months, now 4 CPU-hours

28

Floating point vs integer arithmetic!

slide-29
SLIDE 29
  • BONUS 1: exact arithmetic. Work in ℚ
      • wrote GMP mpq_t rational integers type -> exact result. algorithm choice has no effect whatsoever.
      • final square root operation with 128-bit precision
  • BONUS 2: apply kernel-based estimation methods
      • apply kernels directly to histograms! useful when playing with different kernel parameters, do not need to take new traces
  • BONUS 3: arbitrary pre-processing function
      • do leakage detection test on |x|, or sin(x), or whatever
  • BONUS 4: information-theoretic leakage detection
      • compute mutual information, Kolmogorov—Smirnov, anything, possibly combined with kernels
  • BONUS 5: clipping detection
      • did you screw with the measurement setup? Very useful in Leuven

29

slide-30
SLIDE 30

Conclusion

  • Methodology to significantly alleviate the computational effort.
  • Extremely simple (130 lines of C)
  • Significant improvement: several orders of magnitude, 500x to 800x
  • Mature: deployed in our Leuven lab in summer 2014, used almost every day to evaluate our designs

  • Trace processing is no longer bottleneck in our setup!

30

slide-31
SLIDE 31

31

Thank you for your attention Questions?