generic side channel distinguishers improvements and
play

Generic Side-Channel Distinguishers: Improvements and Limitations - PowerPoint PPT Presentation

Sep 22, 2022 •99 likes •355 views

Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X. Standaert UCL Crypto Group, Universit e catholique

  1. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X. Standaert UCL Crypto Group, Universit´ e catholique de Louvain crypto 2011, August 16 1/ 22

  2. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Evaluating Implementations With dpa Attacks Adversary j predict V j , P X j , P model j � = s ? D j P compute V s , P Y k , P leak k Device Main ingredients: leakage model & dependency test 2/ 22

  3. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Evaluating Implementations With dpa Attacks 0.16 0.25 0.2 0.14 Adversary 0.15 0.12 0.1 0.1 0.05 j 0.08 0 0.06 −0.05 predict V j , P X j , P model 0.04 −0.1 0.02 −0.15 0 −0.2 0 50 100 150 200 250 300 350 400 0 50 100 150 200 250 300 350 400 Power measurement em measurement j � = s ? D j P compute V s , P Y k , P leak k Device Main ingredients: leakage model & dependency test 2/ 22

  4. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Evaluating Implementations With dpa Attacks Adversary j predict V j , P X j , P model j � = s ? D j P compute V s , P Y k , P leak k Device Main ingredients: leakage model & dependency test 2/ 22

  5. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Ingredient 1: Leakage Models Two adversarial scenarios: Profiled case: preliminary estimation of the leakage pdf Gaussian distribution Mixture model . . . Non-profiled case: assumption on the leakages pdf (based on engineering intuition) Hamming weight/distance Linear (or quadratic, . . . ) function of bits Identity function . . . 3/ 22

  6. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Ingredient 2: Dependency Test Different adversarial choices depending on: Number of samples used: univariate or multivariate Moment of the pdf exploited: mean, variance, . . . Type of dependency tested: linear, monotonic, . . . 4/ 22

  7. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Existing Tests: Efficiency vs. Genericity Pearson correlation univariate Efficient mean linear Spearman correlation univariate mean monotonic Least Square Regression multivariate mean MV linear Mutual information multivariate all moments Generic any dependency 5/ 22

  8. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Additional Concern: Choice of Parameters e.g. number of histogram bins (or kernel bandwidth, number of mixture components) 6/ 22

  9. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Open questions Question 1: can we design a generic side-channel distinguisher that is free of parameters? Question 2: can we evaluate side-channel attacks with non-profiled distinguishers only? 7/ 22

  10. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Our Contributions w.r.t. question 1, a new distinguisher based on: 1 leakage space reduction through copulas 2 dimensionality reduction using spacings 3 non-parametric uniformity test w.r.t. question 2: empirical evaluations showing: 1 the efficiency of the new generic test 2 the necessity of profiled security evaluations 8/ 22

  11. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions The new distinguisher 9/ 22

  12. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Tool 1: Leakage Space Reduction ˆ F Y ( y ) Empirical Cumulant Pr[ Y = y ] y Pr[ Z = z ] Copula y z = ˆ F Y ( y ) 1 z Marginal distribution 0 Conditional distribution X j , P = 0 Conditional distribution X j , P = 1 + Cumulants are easier to estimate than pdfs + Projected marginal distribution is uniform 10/ 22

  13. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Tool 2: Leakage Partition and Distance Sampling correct key wrong key Pr[ U = u ] Pr[ U = u ] 1 u 1 u 0 0 + Wrong key candidates should behave like uniform + All model values contribute to the estimation 11/ 22

  14. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Tool 3: Smoothing and Evaluation Pr[ U = u ] Pr[ U = u ] 1 u 1 u 0 0 Pr[ U = u ] Theoretical distribution Correct key Wrong key + No parameters 1 u 0 12/ 22

  15. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions 2D case: Leakage Space Reduction y 2 Pr[ Y = y ] F Y 2 ( y ) ˆ y 1 Hamming weight = 1 ˆ F Y 1 ( y ) Hamming weight = 6 + Copula transform preserves multivariate dependencies 13/ 22

  16. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions 2D case: Leakage Partition and Distance Sampling correct key wrong key Pr[ U = u ] Pr[ U = u ] 1 u 1 u 0 0 + Univariate pdf of a multidimensional distance 14/ 22

  17. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions 2D case: Smoothing and Evaluation Pr[ U = u ] Pr[ U = u ] Pr[ U = u ] 1 u 1 u 0 0 1 u 0 Theoretical distribution Correct key Wrong key 15/ 22

  18. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Experimental Results 16/ 22

  19. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Univariate Hamming Weight Leakages Correlation, HW model MIA, HW model LSR, linear basis New test, HW model success 1.0 0.8 0.6 0.4 0.2 0.0 #msg 10 20 30 40 50 60 70 80 • Specific distinguishers are more efficient 17/ 22

  20. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Hamming Weight Leakage, Bivariate Dependency MIA, HW model New test, HW model success 1.0 0.8 0.6 0.4 0.2 0.0 #msg 500 1000 1500 2000 2500 3000 • New test exploits samples efficiently (compared to MIA) 18/ 22

  21. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions cmos 65 nm Measurements, Bivariate Dependency MIA, 7-bit model MIA, clusters New test, 7-bit model New test, clusters success 1.0 0.8 0.6 0.4 0.2 0.0 #msg 1000 2000 3000 4000 5000 • Leakage model hard to infer from engineering intuition 19/ 22

  22. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Dual-Rail Simulations, Univariate Dependency Correlation, HW model New test, clusters LSR, linear basis MIA, clusters success 1.0 0.8 0.6 0.4 0.2 #msg 0.0 20 40 60 80 100 • Non-linear leakage functions can be exploited 20/ 22

  23. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Dual-Rail Simulations, Bivariate Dependency New test, clusters Bivariate template MIA, clusters success 1.0 0.8 0.6 0.4 0.2 0.0 #msg 1000 2000 3000 4000 5000 • Profiling is needed to evaluate protected implementations 21/ 22

  24. Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Conclusions 1 SCAs = efficiency vs. genericity tradeoff (’simple’ dependencies are easier to exploit) New generic test completely free of parameters 2 Profiling is needed for security evaluations Dependency tests can be generic . . . but not leakage models (so far) (Eurocrypt 2009 evaluation framework) Open question: do highly non-linear leakage functions exist in practice? (or can non-linearity be used as a design criteria) 22/ 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Revealing the secrets of success Theoretical efficiency of side-channel distinguishers Annelie

Revealing the secrets of success Theoretical efficiency of side-channel distinguishers Annelie

Revealing the secrets of success Theoretical efficiency of side-channel distinguishers Annelie Heuser, Sylvain Guilley, Olivier Rioul INSTITUT MINES-TLCOM Outline Motivation State of the art New metric: success metric (SM)

1.32k views • 25 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel Architectures WAMOS 2015 Advanced Opera3ng Systems Hochschule RheinMain Alexander Baumgrtner and

539 views • 25 slides
FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware Begl Bilgin, Andrey Bogdanov, Miroslav Kne evi , Florian Mendel, and Qingju Wang 1 DIAC 2013, Chicago Side Channel Resistance 2 Side

1.29k views • 76 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
The Curse of Class Imbalance and Conflicting Metrics with Machine Learning for Side-channel

The Curse of Class Imbalance and Conflicting Metrics with Machine Learning for Side-channel

The Curse of Class Imbalance and Conflicting Metrics with Machine Learning for Side-channel Evaluations Stjepan Picek, Annelie Heuser, Alan Jovic, Shivam Bhasin, and Francesco Regazzoni Big Picture side-channel measurements device classifier

822 views • 33 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers will always cheat xkcd #538 What is side channel cryptanalysis? Side Channels: whatever the designers ignored Key Plaintext Encryption Cipher

1.14k views • 112 slides
Harvey Jones Channel Improvements Project Non-Mandatory Pre-Bid Conference April 14, 2014 1

Harvey Jones Channel Improvements Project Non-Mandatory Pre-Bid Conference April 14, 2014 1

Harvey Jones Channel Improvements Project Non-Mandatory Pre-Bid Conference April 14, 2014 1 Harvey Jones Channel Improvements Project Introductions: SSCAFCA Staff Charles Thomas, P.E., Executive Engineer Jim Service, Field

589 views • 16 slides
Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with Stjepan Picek, Sylvain Guilley, Alan Jovic, Shivam Bhasin, Tania Richmond, Karlo Knezevic In this talk Short recap on side-channel analysis

4.52k views • 56 slides
Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

2.22k views • 188 slides
The Need for Speed: Applications of HPC in Side Channel

The Need for Speed: Applications of HPC in Side Channel

The Need for Speed: Applications of HPC in Side Channel Research Dr. M. Elisabeth Oswald Reader, EPSRC Leadership Fellow University of Bristol Roadmap

280 views • 25 slides
Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Plaintext: A Missing Feature for Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of side-channel countermeasures Anh-Tuan Hoang, Neil Hanley and Mire ONeill CHES 2020 14-18 September 2020 Outline

620 views • 21 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

Nicolas Belleville Damien Courouss Karine Heydemann Henri-Pierre Charles AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 | Belleville Nicolas INTRODUCTION Focus on power/EM based side channel

535 views • 31 slides
Beta kernels and transformed kernels applications to copulas and quantiles Arthur Charpentier

Beta kernels and transformed kernels applications to copulas and quantiles Arthur Charpentier

Arthur CHARPENTIER, transformed kernels and beta kernels Beta kernels and transformed kernels applications to copulas and quantiles Arthur Charpentier Universit Rennes 1 arthur.charpentier@univ-rennes1.fr http

1.18k views • 96 slides
Stochastic cosmic ray sources and the TeV break in the all-electron spectrum arXiv:1809.?????

Stochastic cosmic ray sources and the TeV break in the all-electron spectrum arXiv:1809.?????

Stochastic cosmic ray sources and the TeV break in the all-electron spectrum arXiv:1809.????? Philipp Mertsch TeVPA 2018, Berlin 30 August 2018 Philipp Mertsch (RWTH Aachen) Stochastic sources and the TeV electron break 30 August 2018 1 /

732 views • 34 slides
Subjects, Predicates, and Systema3city Paul M. Pietroski University

Subjects, Predicates, and Systema3city Paul M. Pietroski University

Subjects, Predicates, and Systema3city Paul M. Pietroski University of Maryland Dept. of Linguis3cs, Dept. of Philosophy Origins of Proposi3onal Thought What

358 views • 18 slides
Copula Mixture Model for Dependency-seeking Clustering Melanie Rey, Volker Roth Department of

Copula Mixture Model for Dependency-seeking Clustering Melanie Rey, Volker Roth Department of

Copula Mixture Model for Dependency-seeking Clustering Melanie Rey, Volker Roth Department of Mathematics and Computer Science, University of Basel, Switzerland December 16, 2011 1 / 1 Dependency-seeking Clustering Clustering co-occurring

294 views • 16 slides
Statistical Bias Correction of hydrological forcing fields from GCMs: basic concepts . Claudio

Statistical Bias Correction of hydrological forcing fields from GCMs: basic concepts . Claudio

Statistical Bias Correction of hydrological forcing fields from GCMs: basic concepts . Claudio Piani Department of Computer Sciences, Mathematics and Environmental Sciences American University of Paris 6, Rue du Colonel Combes 75007 Paris

390 views • 37 slides
Variation on Preschoolers Acquisition of Questions Student Author: Saundra Scott Mentor

Variation on Preschoolers Acquisition of Questions Student Author: Saundra Scott Mentor

Impact of Dialectal Variation on Preschoolers Acquisition of Questions Student Author: Saundra Scott Mentor Author: Isabelle Barrire NSF Grant #1659607 1 Introduction What is Mainstream American English (MAE)? dialect of English

257 views • 15 slides
What is Judgment? The definition of judgment The definition of proposition Elements of a

What is Judgment? The definition of judgment The definition of proposition Elements of a

Three Acts of the Mind Mental Act: Verbal Expression: Simple Apprehension Term Judgment Proposition Deductive Inference Syllogism Slide 4-1 What is Judgment? The definition of judgment The definition of proposition

342 views • 6 slides
The diversity of inflectional periphrasis in Persian Olivier Bonami 1 Pollet Samvelian 2 1 U.

The diversity of inflectional periphrasis in Persian Olivier Bonami 1 Pollet Samvelian 2 1 U.

The diversity of inflectional periphrasis in Persian Olivier Bonami 1 Pollet Samvelian 2 1 U. Paris-Sorbonne & UMR 7023 Laboratoire de Linguistique Formelle 2 U. Sorbonne Nouvelle & UMR 7528 Mondes iranien et indien PER-GRAM

393 views • 20 slides

More recommend