Improved Side-Channel Analysis of Finite-Field Multiplication


  1. Improved Side-Channel Analysis of Finite-Field Multiplication
     Sonia Belaïd (1), Jean-Sébastien Coron (2), Pierre-Alain Fouque (3), Benoît Gérard (4), Jean-Gabriel Kammerer (5), Emmanuel Prouff (6)
     (1) École normale supérieure and Thales Communications & Security; (2) University of Luxembourg; (3) Université de Rennes 1 and Institut Universitaire de France; (4) DGA.MI and IRISA; (5) DGA.MI and IRMAR; (6) ANSSI
     1 / 20 09-15-2015

  2. Outline: Introduction; Side-Channel Attacks; Classical Power-Analysis Attacks; Hidden Multiplier Problem; State of The Art; New Attack; Main Idea; Filtering; Solving the System with Errors; Extension to Chosen Inputs; Conclusion

  4. ➜ Black-box cryptanalysis ➜ Side-channel analysis

  5. ➜ Black-box cryptanalysis: $A \leftarrow (m_i, c_i)$ ➜ Side-Channel Analysis
     [Figure labels: $k$, $m_i$, $c_i$]

  6. ➜ Black-box cryptanalysis ➜ Side-Channel Analysis: $A \leftarrow (m_i, c_i, L_i)$
     [Figure labels: $k$, $c_i$, $m_i$, $L_i$]

  11. Classical Power-Analysis Attack against AES
      Attack on 8 bits
      ◮ prediction of the outputs for the 256 possible 8-bit secrets
      ◮ correlation between predictions and leakage
      ◮ selection of the best correlation to find the correct 8-bit secret
      Attack on 128 bits
      ◮ repetition of the attack on 8 bits on each S-box
      [Figure labels: 128-bit input m, 8 bits, $k_0$, S-box, 8-bit v]

  13. Power-Analysis Attack against AES-GCM authentication, multiplication-based fresh re-keying, ...
      ➜ k is only manipulated in multiplications
      [Figure labels: 128-bit input m, 128-bit key k, × 8 ... × 8, 128-bit output v; 128-bit input m, 128-bit key k, × 128, 128-bit output v]

  14. Hidden Multiplier Problem
      Definition. Let $k \leftarrow GF(2^n)$. Let $\ell \in \mathbb{N}$. Given a sequence $\{m_i, L_i\}_{1 \le i \le \ell}$ where
      ◮ $m_i \leftarrow GF(2^n)$
      ◮ $L_i = HW(v_i) + \varepsilon_i$, $\varepsilon_i \sim \mathcal{N}(0, \sigma^2)$
      recover $k$.
      [Figure labels: n-bit input m, n-bit key k, × n, n-bit output v]

  16. State of The Art
      Sonia Belaïd, Pierre-Alain Fouque, and Benoît Gérard. Side-channel analysis of multiplications in $GF(2^{128})$ - application to AES-GCM. In Asiacrypt 2014, Proceedings, Part II, pages 306–325.
      ➜ use Hamming Weights' LSB
      ➜ solve a system with errors
      Signal-to-Noise Ratio = signal variance / noise variance = $32/\sigma^2$

      | Method, by SNR | 3.200 | 800 | 200 | 128 |
      |---|---|---|---|---|
      | Naive method $(C_s, C_t)$ | $(2^{8}, 2^{21})$ | $(2^{8}, 2^{21})$ | $(2^{8}, 2^{65})$ | $(2^{8}, 2^{107})$ |
      | LPN (LF Algo) $(C_s, C_t)$ | $(2^{11}, 2^{14})$ | $(2^{20}, 2^{22})$ | $(2^{32}, 2^{34})$ | $(2^{48}, 2^{50})$ |
      | Linear decoding $(C_s, C_t)$ | $(2^{6}, 2^{6})$ | $(2^{6}, 2^{7})$ | $(2^{8}, 2^{25})$ | $(2^{9}, 2^{62})$ |

      ✘ specific to multiplication in $GF(2^{128})$
      ✘ highly impacted by noise

  19. Contributions
      New Attack:
      ➜ filter the leakage of the multiplication's outputs to extract high and low Hamming weights
      ➜ solve a system with errors
      ✔ less impacted by noise
      ✔ more generic

  20. Main Idea of The Attack
      Reminder: $L(v) = HW(v) + \varepsilon = HW(m \cdot k) + \varepsilon$
      Extreme cases: $HW(v) = n$ ➜ $v = 2^n - 1$; $HW(v) = 0$ ➜ $v = 0$
      $$\begin{cases} v_0 = \sum_{0 \le j < n} \left( \sum_{i \in I(0,j)} m_i \right) k_j = 0 \\ v_1 = \sum_{0 \le j < n} \left( \sum_{i \in I(1,j)} m_i \right) k_j = 0 \\ \quad\vdots \\ v_{n-1} = \sum_{0 \le j < n} \left( \sum_{i \in I(n-1,j)} m_i \right) k_j = 0 \end{cases} \qquad \begin{cases} v_0 = \sum_{0 \le j < n} \left( \sum_{i \in I(0,j)} m_i \right) k_j = 1 \\ v_1 = \sum_{0 \le j < n} \left( \sum_{i \in I(1,j)} m_i \right) k_j = 1 \\ \quad\vdots \\ v_{n-1} = \sum_{0 \le j < n} \left( \sum_{i \in I(n-1,j)} m_i \right) k_j = 1 \end{cases}$$

  21. Main Idea of The Attack
      Reminder: $L(v) = HW(v) + \varepsilon = HW(m \cdot k) + \varepsilon$
      Usual cases: $L(v)$ high ➜ $v \approx 2^n - 1$; $L(v)$ low ➜ $v \approx 0$
      $$\begin{cases} v_0 = \sum_{0 \le j < n} \left( \sum_{i \in I(0,j)} m_i \right) k_j = 0 \\ v_1 = \sum_{0 \le j < n} \left( \sum_{i \in I(1,j)} m_i \right) k_j = 0 \\ \quad\vdots \\ v_{n-1} = \sum_{0 \le j < n} \left( \sum_{i \in I(n-1,j)} m_i \right) k_j = 0 \end{cases} \qquad \begin{cases} v_0 = \sum_{0 \le j < n} \left( \sum_{i \in I(0,j)} m_i \right) k_j = 1 \\ v_1 = \sum_{0 \le j < n} \left( \sum_{i \in I(1,j)} m_i \right) k_j = 1 \\ \quad\vdots \\ v_{n-1} = \sum_{0 \le j < n} \left( \sum_{i \in I(n-1,j)} m_i \right) k_j = 1 \end{cases}$$
      with an error probability $p$

  22. Two Steps
      1. filter the lowest and highest Hamming weights with a limited number of consumption traces to limit the error probability p ➜ obtain a linear system with errors
      2. solve the system with the error probability p ➜ recover the secret key k

  23. Step 1: Filtering
      [Figure: distribution $\mathcal{B}(128, 0.5)$, with the filtered regions $HW < \frac{n}{2} - \lambda \frac{\sqrt{n}}{2}$ and $HW > \frac{n}{2} + \lambda \frac{\sqrt{n}}{2}$ marked at 50 and 78]
      SNR = 128, n = 128, λ ≈ 2.5 ➜ filtering: 1 trace over $2^5$; error probability: p ≈ 0.38

  24. Step 1: Filtering
      Proportion of filtered acquisitions:
      $$F(\lambda, \sigma) = 1 - 2^{-n} \sum_{y=0}^{n} \binom{n}{y} \int_{n/2 - \lambda s}^{n/2 + \lambda s} \phi_{y,\sigma}(t)\,dt, \quad \text{with } s = \sqrt{n}/2$$
      Error probability:
      $$p(\lambda, \sigma) = \frac{1}{2^n F(\lambda, \sigma)} \sum_{y=0}^{n} \binom{n}{y} \left( \underbrace{\frac{y}{n} \int_{-\infty}^{n/2 - \lambda s} \phi_{y,\sigma}(t)\,dt}_{\text{low Hamming weights}} + \underbrace{\left(1 - \frac{y}{n}\right) \int_{n/2 + \lambda s}^{+\infty} \phi_{y,\sigma}(t)\,dt}_{\text{high Hamming weights}} \right)$$

  25. Step 1: Filtering

      | $\log_2(1/F(\lambda))$ | 30 | 25 | 20 | 15 | 10 | 5 |
      |---|---|---|---|---|---|---|
      | SNR = 128, σ = 0.5 (p [BFG14]: 0.31) | | | | | | |
      | λ | 6.00 | 5.46 | 4.85 | 4.15 | 3.29 | 2.16 |
      | p | 0.23 | 0.25 | 0.28 | 0.31 | 0.34 | 0.39 |
      | SNR = 8, σ = 2 (p [BFG14]: > 0.49) | | | | | | |
      | λ | 6.37 | 5.79 | 5.14 | 4.39 | 3.48 | 2.28 |
      | p | 0.25 | 0.27 | 0.29 | 0.32 | 0.35 | 0.40 |
      | SNR = 2, σ = 4 (p [BFG14]: > 0.49) | | | | | | |
      | λ | 7.42 | 6.73 | 5.97 | 5.09 | 4.03 | 2.64 |
      | p | 0.28 | 0.30 | 0.32 | 0.34 | 0.37 | 0.41 |
      | SNR = 0.5, σ = 8 (p [BFG14]: > 0.49) | | | | | | |
      | λ | 10.57 | 9.58 | 8.48 | 7.21 | 5.71 | 3.73 |
      | p | 0.34 | 0.36 | 0.37 | 0.39 | 0.41 | 0.44 |

  26. Step 2: Solving the System with Errors
      Classical LPN problem: recover the secret key from a noisy system
      - limited memory
      - limited computational power
      Specific constraints:
      - limited number of equations/consumption traces
      - key size n (e.g., 128)
      - probability of errors dependent on the filtering and on the noise

  27. Experiments
      ◮ Filtering on a Virtex 5 (128 bits): SNR = 8.21, σ = 7.11
      [Figure: theoretical and experimental error probabilities p (axis 0.36 to 0.44) against the filtering λ (axis 1 to 4)]
      ◮ Expected complexities to recover k with $2^{20}$ traces (p ≈ 0.29), as (time, memory): $(2^{59.31}, 2^{27.00})$, $(2^{51.68}, 2^{36.00})$, $(2^{50.00}, 2^{44.00})$
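
Added example, not from the slides or the authors' code: it evaluates the F(λ, σ) and p(λ, σ) formulas of the "Step 1: Filtering" slides and sets them beside a simulation of the leakage model L = HW(m · k) + ε for n = 128, the same theoretical/experimental comparison the Experiments slide reports. The field polynomial, function names, seed and trace count are assumptions; the (σ, λ) pairs are the log2(1/F) = 5 column of the slide 25 table, for which both columns of output should show F close to 2^-5 and p close to 0.39, 0.40, 0.41 and 0.44.

```python
import random
from math import comb, erfc, sqrt

N = 128
POLY = (1 << 128) | 0x87  # assumed polynomial x^128 + x^7 + x^2 + x + 1

def tail(z):
    return 0.5 * erfc(z / sqrt(2))  # Pr[Z > z] for a standard normal Z

def theory(lam, sigma, n=N):
    """(F, p) from the slide formulas: a low trace errs on y bits, a high one on n - y."""
    lo, hi = n / 2 - lam * sqrt(n) / 2, n / 2 + lam * sqrt(n) / 2
    kept = err = 0.0
    for y in range(n + 1):
        w = comb(n, y) / 2 ** n        # Pr[HW(v) = y] for uniform v
        low = tail((y - lo) / sigma)   # Pr[L < lo | HW(v) = y]
        high = tail((hi - y) / sigma)  # Pr[L > hi | HW(v) = y]
        kept += w * (low + high)
        err += w * (y / n * low + (1 - y / n) * high)
    return kept, err / kept

def gf_mul(m, k):
    """m * k in GF(2^128) by shift-and-add with reduction modulo POLY."""
    v = 0
    for i in range(N):
        if (k >> i) & 1:
            v ^= m
        m <<= 1
        if m >> N:
            m ^= POLY
    return v

def simulate(traces, lam, sigma, seed=2015):
    """Empirical (F, p) on constructed leakages L = HW(m * k) + N(0, sigma^2)."""
    rng = random.Random(seed)
    k = rng.getrandbits(N)             # constructed key, used only in this simulation
    lo, hi = N / 2 - lam * sqrt(N) / 2, N / 2 + lam * sqrt(N) / 2
    kept = wrong = 0
    for _ in range(traces):
        hw = bin(gf_mul(rng.getrandbits(N), k)).count("1")
        leak = hw + rng.gauss(0, sigma)
        if leak < lo:                  # kept, every bit of v taken as 0
            kept, wrong = kept + 1, wrong + hw
        elif leak > hi:                # kept, every bit of v taken as 1
            kept, wrong = kept + 1, wrong + N - hw
    return kept / traces, (wrong / (kept * N) if kept else float("nan"))

if __name__ == "__main__":
    for sigma, lam in ((0.5, 2.16), (2, 2.28), (4, 2.64), (8, 3.73)):
        print(sigma, lam, theory(lam, sigma), simulate(8000, lam, sigma))
```

For a masking or shuffling evaluation, the useful reading is how slowly p approaches 0.5 as σ grows: at σ = 8 a filter keeping one trace in 2^5 still yields equations that are wrong only about 44% of the time.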
