improved blind side channel analysis by exploitation of
play

Improved Blind Side-Channel Analysis by Exploitation of Joint - PowerPoint PPT Presentation

Feb 21, 2023 •336 likes •657 views

Improved Blind Side-Channel Analysis by Exploitation of Joint Distributions of Leakages Christophe Clavier, L eo Reynaud Universit e de Limoges - XLIM Introduction Joint distributions and maximum of likelihood Extension to masked

  1. Improved Blind Side-Channel Analysis by Exploitation of Joint Distributions of Leakages Christophe Clavier, L´ eo Reynaud Universit´ e de Limoges - XLIM

  2. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Table of contents 1. Introduction 2. Joint distributions and maximum of likelihood 3. Extension to masked implementations 4. Conclusion 1

  3. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Side Channel attacks Common non profiled side channel attacks k • DPA guess y m x • CPA known predicted ⊕ S • MIA Figure 1: Internal states variables Needs • Leakage on some internal state • Knowledge and variability of plain/ciphertext 2

  4. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Side Channel attacks Common non profiled side channel attacks k • DPA guess y m x • CPA known predicted ⊕ S • MIA Figure 1: Internal states variables Needs • Leakage on some internal state • Knowledge and variability of plain/ciphertext How to attack with no or not variable plain/ciphertext ? 2

  5. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion EMV : no exploitable plain/ciphertext ... ATC ATC 0x00 0x00 0x00 high low AES master key session key M 1 M 2 M n ⊕ ⊕ ⊕ IV AES AES AES cryptogram Figure 2: EMV session key derivation 3

  6. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion What is available ? We only have access to consumptions k y m x unpredictable unknown ⊕ S Figure 3: Leakages 4

  7. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion What is available ? We only have access to consumptions k y m x unpredictable unknown ⊕ S Figure 3: Leakages Joint distributions 4

  8. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion 5

  9. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Joint distributions : theoretical distributions For each key, we can count couples (HW( m ),HW( y )) when exhausting all inputs m Figure 4: Theoretical distribution Figure 5: Theoretical distribution k = 126 k = 39 6

  10. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Joint distributions : theoretical distributions For each key, we can count couples (HW( m ),HW( y )) when exhausting all inputs m Figure 4: Theoretical distribution Figure 5: Theoretical distribution k = 126 k = 39 ⇒ All theoretical distributions are different 6

  11. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Joint distributions : theoretical distributions For each key, we can count couples (HW( m ),HW( y )) when exhausting all inputs m Figure 4: Theoretical distribution Figure 5: Theoretical distribution k = 126 k = 39 ⇒ All theoretical distributions are different ⇒ Discrimination of the key 6

  12. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Joint distributions in a nutshell Cons • Need to locate the points of interest (PoI) • Use HW instead of consumption Pros • Work without plain/ciphertext • Any round can be attacked 7

  13. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Joint distributions : steps Step 1 Locate the PoI where the variables considered leak Step 2 Infer HW from the leakages observed at the PoI Step 3 Build the joint distribution for each key Step 4 Select the key whose distribution best fits the observations 8

  14. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Contribution Prior work Le Bouder Linge • Maximum of likelihood • Slice method → HW (Step 2) → key • Distances between histograms (Step 4) → key (Step 4) Our contribution • Variance method → HW (Step 2) • Improvement on the maximum of likelihood (Step 4) • Extension to masked implementations (Step 3) 9

  15. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Slice method to infer HW (Linge) Consumption model ℓ = α HW( v ) + β + ω Slice method • Sort the N leakages by ascending order • Assign HW = 0 to the N · C 0 lowest 8 2 8 ⇒ Integer valued HW • Assign HW = 1 to the N · C 1 next ... 8 2 8 Leakages . . . N ∗ C 2 HW = 2 8 • ... 2 8 • • • • • • N ∗ C 1 HW = 1 • • • 8 • • 2 8 • • • • • • • • • • • • HW = 0 • • • N ∗ C 0 8 2 8 Figure 6: Slice method to infer HW 10

  16. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Variance method to infer HW Variance Goal : infer α and β in order to inverse the leakage function Var( ℓ ) = Var( α HW( v ) + β ) + Var( ω ) 11

  17. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Variance method to infer HW Variance Goal : infer α and β in order to inverse the leakage function Var( ℓ ) = Var( α HW( v ) + β ) + Var( ω ) = α 2 Var(HW( v )) + Var( ω ) 11

  18. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Variance method to infer HW Variance Goal : infer α and β in order to inverse the leakage function Var( ℓ ) = Var( α HW( v ) + β ) + Var( ω ) = α 2 Var(HW( v )) + Var( ω ) = 2 α 2 + Var( ω ) 11

  19. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Variance method to infer HW Variance Goal : infer α and β in order to inverse the leakage function � Var( ℓ ) − Var( ω ) Var( ℓ ) = Var( α HW( v ) + β ) + Var( ω ) α = ± 2 = α 2 Var(HW( v )) + Var( ω ) = 2 α 2 + Var( ω ) PoI � Var ( ℓ ) � Var ( ω ) Figure 7: Standard deviation trace 11

  20. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Variance method to infer HW Variance Goal : infer α and β in order to inverse the leakage function � Var( ℓ ) − Var( ω ) Var( ℓ ) = Var( α HW( v ) + β ) + Var( ω ) α = ± 2 = α 2 Var(HW( v )) + Var( ω ) β = E( ℓ ) − α E(HW( v )) = 2 α 2 + Var( ω ) PoI � Var ( ℓ ) � Var ( ω ) Figure 7: Standard deviation trace 11

  21. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Variance method to infer HW Variance Goal : infer α and β in order to inverse the leakage function � Var( ℓ ) − Var( ω ) Var( ℓ ) = Var( α HW( v ) + β ) + Var( ω ) α = ± 2 = α 2 Var(HW( v )) + Var( ω ) β = E( ℓ ) − α E(HW( v )) = 2 α 2 + Var( ω ) PoI � Var ( ℓ ) Once α and β are known : HW( v ) = ℓ − β α � Var ( ω ) ⇒ Real valued HW Figure 7: Standard deviation trace 11

  22. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Distinguisher : maximum of likelihood Observations h m = h ∗ h y = h ∗ m + ω m y + ω y h ∗ m , h ∗ y : correct HW (integer) ω m , ω y : noise Bayes Pr( k | ( h m , h y )) = Pr(( h m , h y ) | k ) · Pr( k ) ∼ Pr(( h m , h y ) | k ) · Pr( k ) Pr(( h m , h y )) Law of total probability Pr(( h m , h y ) | ( h ∗ m , h ∗ y )) · Pr(( h ∗ m , h ∗ Pr(( h m , h y ) | k ) = � y ) | k ) h ∗ m , h ∗ y Noise probability Pr(( h m , h y ) | ( h ∗ m , h ∗ y )) = Pr( ω m = h m − h ∗ m ) · Pr( ω y = h y − h ∗ y ) 12

  23. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Improvements on basic attack Key likelihood can be computed Attack on the HW of the key for other/more observed HW Attack on m and x : Better results with new/more • Only gives information about variables : the HW of k • m - x - y • Very efficient • m - x - y -3 · y • HW of all extended key bytes • m -3 · y sufficient to retrieve the key • ... Every combination of m and other variables (not involving other keys) HW( k )=0 HW( k )=2 may bring information 13

  24. Introduction Joint distributions and maximum of likelihood Extension to masked implementations Conclusion Simulation results 120 m-y σ =0.7 m-y σ =1.0 100 m-y σ =1.5 m-x-y σ =0.7 m-x-y σ =1.0 Rank of HW of the correct key Correct key rank 2 80 m-x-y σ =1.5 m-x σ =0.7 m-x σ =1.0 60 1.5 m-x σ =1.5 1 40 20 0.5 0 0 0 500 1000 1500 2000 0 100 200 300 400 500 Number of observations Number of observations Figure 8: Improvements using m - x - y Figure 9: m - x attack 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Improved Side-Channel Analysis of Finite-Field Multiplication Sonia Belad 1 Jean-Sbastien

Improved Side-Channel Analysis of Finite-Field Multiplication Sonia Belad 1 Jean-Sbastien

Improved Side-Channel Analysis of Finite-Field Multiplication Sonia Belad 1 Jean-Sbastien Coron 2 Pierre-Alain Fouque 3 Benot Grard 4 Jean-Gabriel Kammerer 5 Emmanuel Prouff 6 1cole normale suprieure and Thales Communications &

459 views • 32 slides
Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with Stjepan Picek, Sylvain Guilley, Alan Jovic, Shivam Bhasin, Tania Richmond, Karlo Knezevic In this talk Short recap on side-channel analysis

4.52k views • 56 slides
Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015

Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015

Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015 Montreal, QC. Overview W.t.f is side-channel power analysis (again) Example: IEEE 802.15.4 Node Example: AES-256 Bootloader W.t.f.

633 views • 47 slides
Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Plaintext: A Missing Feature for Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of side-channel countermeasures Anh-Tuan Hoang, Neil Hanley and Mire ONeill CHES 2020 14-18 September 2020 Outline

620 views • 21 slides
A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1

A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1

A Comprehensive Study of Deep Learning for Side-Channel Analysis A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1 Emmanuel Prouff 2, 3 Lo C 1 Univ. Grenoble Alpes, CEA, LETI, DSYS, CESTI, F-38000

1.39k views • 86 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference Mangard et. al, "Power Analysis Attacks, Revealing the Secrets of Smart Cards", Springer, 2009 Power analysis attacks are effective because the

479 views • 19 slides
Introduction to Side-Channel Analysis Franois-Xavier Standaert UCL Crypto Group, Belgium

Introduction to Side-Channel Analysis Franois-Xavier Standaert UCL Crypto Group, Belgium

Introduction to Side-Channel Analysis Franois-Xavier Standaert UCL Crypto Group, Belgium Summer school on real-world crypto, 2016 Outline Link with linear cryptanalysis Standard Differential Power Analysis Noise-based security (is

1.17k views • 92 slides
Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to

Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to

Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to the basics!! details on power / EM leakage (low/high noise scenario) how/where to attack AES? di ff erent attacker models overview of

1.28k views • 74 slides
+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel Architectures WAMOS 2015 Advanced Opera3ng Systems Hochschule RheinMain Alexander Baumgrtner and

539 views • 25 slides
A Stochastic Approach in Side-Channel Analysis in the Presence of Masking W. Schindler Bundesamt

A Stochastic Approach in Side-Channel Analysis in the Presence of Masking W. Schindler Bundesamt

FIRST TALK A Stochastic Approach in Side-Channel Analysis in the Presence of Masking W. Schindler Bundesamt f r Sicherheit in der Informationstechnik (BSI), Bonn, Germany Barcelona, May 22, 2007 Power attacks on a block cipher

1.13k views • 13 slides
Side-channel analysis of six SHA-3 candidates in HMAC scheme Olivier Beno t and Thomas

Side-channel analysis of six SHA-3 candidates in HMAC scheme Olivier Beno t and Thomas

Background Correlation Analysis Results Conclusion Side-channel analysis of six SHA-3 candidates in HMAC scheme Olivier Beno t and Thomas Peyrin CHES 2010 Workshop Santa Barbara - August 18, 2010 Background Correlation Analysis

1.1k views • 36 slides
Profiled Side-Channel Analysis Guilherme Perin , Lukasz Chmielewski, Stjepan Picek In

Profiled Side-Channel Analysis Guilherme Perin , Lukasz Chmielewski, Stjepan Picek In

Conference on Cryptographic Hardware and Embedded Systems (CHES) 2020 Strength in Numbers: Improving Generalization with Ensembles in Machine Learning-based Profiled Side-Channel Analysis Guilherme Perin , Lukasz Chmielewski, Stjepan Picek In

468 views • 25 slides
Confusing Information: How Confusion Improves Side-Channel Analysis for Monobit Leakages

Confusing Information: How Confusion Improves Side-Channel Analysis for Monobit Leakages

Confusing Information: How Confusion Improves Side-Channel Analysis for Monobit Leakages Cryptarchi 2018 June 17-19, 2018 Guidel-Plage, France Eloi de Chrisey, Sylvain Guilley & Olivier Rioul Tlcom ParisTech, Universit

559 views • 34 slides
Side-Channel Analysis (SCA) A comparative approach on smart cards, embedded systems, and high

Side-Channel Analysis (SCA) A comparative approach on smart cards, embedded systems, and high

Side-Channel Analysis (SCA) A comparative approach on smart cards, embedded systems, and high security solutions Rohde & Schwarz SIT GmbH Stuttgart/Germany Dr. Torsten Schtze Workshop on Applied Cryptography Lightweight

595 views • 15 slides
What is the designers challenge in making all of this work? NACUSO 2010 Annual Conference

What is the designers challenge in making all of this work? NACUSO 2010 Annual Conference

What is the designers challenge in making all of this work? NACUSO 2010 Annual Conference April 25-28, 2010 Randy Karnes, CEO CU*Answers Guy set the stage for me to talk about the possibilities in the design, integration and use of the

596 views • 30 slides
SYNNEX Announces Spin-Off of Concentrix Creates Two Industry Leading Public Companies Investor

SYNNEX Announces Spin-Off of Concentrix Creates Two Industry Leading Public Companies Investor

SYNNEX Announces Spin-Off of Concentrix Creates Two Industry Leading Public Companies Investor Presentation January 9, 2020 Safe Harbor Statement Statements in this presentation regarding SYNNEX Corporation which are not historical facts may be

427 views • 28 slides
IATA World Passenger Symposium in October 2015 in Hamburg By Paul Tilstone & Aurelie Krau

IATA World Passenger Symposium in October 2015 in Hamburg By Paul Tilstone & Aurelie Krau

A Presentation Made To Delegates at the IATA World Passenger Symposium in October 2015 in Hamburg By Paul Tilstone & Aurelie Krau www.festive-road.com If you talk to a man in a language he understands, that goes to his head. If you talk

505 views • 9 slides
GEO-Software R. Prez, G. Gonzlez, J. Becedas, F. Pedrera, M. J. Latorre Jonathan Becedas, PhD

GEO-Software R. Prez, G. Gonzlez, J. Becedas, F. Pedrera, M. J. Latorre Jonathan Becedas, PhD

Testing Cloud Computing for Massive Space Data Processing Storage and Distribution with Open Source GEO-Software R. Prez, G. Gonzlez, J. Becedas, F. Pedrera, M. J. Latorre Jonathan Becedas, PhD R&D Manager This project has received

589 views • 29 slides
Semi-Quantum Key Distribution with Limited Measurement Capabilities Walter O. Krawec Computer

Semi-Quantum Key Distribution with Limited Measurement Capabilities Walter O. Krawec Computer

Semi-Quantum Key Distribution with Limited Measurement Capabilities Walter O. Krawec Computer Science & Engineering Department University of Connecticut Storrs, CT USA Email: walter.krawec@gmail.com ISITA 2018 Quantum Key Distribution

450 views • 43 slides
Arthur Kressner CON EDISONS ELECTRIC SYSTEM NEW YORK CITY AND WESTCHESTER COUNTY ! 3.2

Arthur Kressner CON EDISONS ELECTRIC SYSTEM NEW YORK CITY AND WESTCHESTER COUNTY ! 3.2

Arthur Kressner CON EDISONS ELECTRIC SYSTEM NEW YORK CITY AND WESTCHESTER COUNTY ! 3.2 million customers, 14-16 million people ! 36,000 miles of overhead lines ! 94,000 miles of underground lines ! 80 local distribution

340 views • 11 slides
Electric System Financial Results Storm Costs Recovery- Municipal vs. IOU Building Community

Electric System Financial Results Storm Costs Recovery- Municipal vs. IOU Building Community

Electric System Financial Results Storm Costs Recovery- Municipal vs. IOU Building Community Financial Planning Budget and Rates Municipal utilities, such as JEA, receive state and federal (FEMA) reimbursement funds for eligible

229 views • 3 slides
Learning near-optimal hyperparameters with minimal overhead Gellrt Weisz Andrs Gyrgy

Learning near-optimal hyperparameters with minimal overhead Gellrt Weisz Andrs Gyrgy

Learning near-optimal hyperparameters with minimal overhead Gellrt Weisz Andrs Gyrgy Csaba Szepesvri Workshop on Automated Algorithm Design (TTIC 2019) August 7, 2019 1 / 22 Introduction Problem: find good parameter settings

804 views • 58 slides

More recommend