optimal attacks for multivariate and multimodel side
play

Optimal Attacks for Multivariate and Multimodel Side-Channel - PowerPoint PPT Presentation

Sep 02, 2022 •741 likes •1.11k views

Introduction Solution Results Conclusions and perspectives Optimal Attacks for Multivariate and Multimodel Side-Channel Leakages Nicolas Bruneau, Sylvain Guilley, Annelie Heuser, Damien Marion and Olivier Rioul Saturday August 20, 2016

  1. Introduction Solution Results Conclusions and perspectives Optimal Attacks for Multivariate and Multimodel Side-Channel Leakages Nicolas Bruneau, Sylvain Guilley, Annelie Heuser, Damien Marion and Olivier Rioul Saturday August 20, 2016 PROOFS, UCSB, Santa Barbara N. Bruneau, S. Guilley, A. Heuser, D. Marion and O. Rioul Optimal Attacks for multi-variate & multi-models side-channels

  2. Introduction Solution Results Conclusions and perspectives Outline Introduction 1 Solution 2 Solution for α known Solution for α unknown Summary for S > 2 Models Summary for S = 2 Models 3 Results Results on synthetic traces Results on real-world traces Conclusions and perspectives 4 N. Bruneau, S. Guilley, A. Heuser, D. Marion and O. Rioul Optimal Attacks for multi-variate & multi-models side-channels

  3. Introduction Solution Results Conclusions and perspectives Presentation Outline Introduction 1 Solution 2 Solution for α known Solution for α unknown Summary for S > 2 Models Summary for S = 2 Models 3 Results Results on synthetic traces Results on real-world traces Conclusions and perspectives 4 N. Bruneau, S. Guilley, A. Heuser, D. Marion and O. Rioul Optimal Attacks for multi-variate & multi-models side-channels

  4. Introduction Solution Results Conclusions and perspectives Facts Side-channel leakages are: multi-variate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .(in time) multi-model . . . . . . . . . . . . . . . . . . . . . . . . . .(e.g., each bit leaks � ) N. Bruneau, S. Guilley, A. Heuser, D. Marion and O. Rioul Optimal Attacks for multi-variate & multi-models side-channels

  5. Introduction Solution Results Conclusions and perspectives Matrix Notations Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . number of queries, D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .number of samples, S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .number of models. In matrix notation: X = α Y ⋆ + N (1) where X is a matrix of size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D × Q , α is a matrix of size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D × S , Y ⋆ (the star means: “for the correct key k = k ⋆ ”) is a matrix of size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S × Q , N is a matrix of size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D × Q . N. Bruneau, S. Guilley, A. Heuser, D. Marion and O. Rioul Optimal Attacks for multi-variate & multi-models side-channels

  6. Introduction Solution Results Conclusions and perspectives Examples of X It is a matrix Plaintext Trace, X 0xe3e70682c2094cac629f6fbed82c07cd 0x82e2e662f728b4fa42485e3a0a5d2f34 0xd4713d60c8a70639eb1167b367a9c378 0x23a7711a8133287637ebdcd9e87a1613 0xe6f4590b9a164106cf6a659eb4862b21 0x85776e9add84f39e71545a137a1d5006 0xd71037d1b83e90ec17e0aa3c03983ca8 0xf7b0b7d2cda8056c3d15eef738c1962e 0x1759edc372ae22448b0163c1cd9d2b7d 0x8c25166a1ff39849b4e1357d4a84eb03 0x966e12778c1745a79a6a5f92cca74147 0xcc45782198a6416d1775336d71eacd05 0x4a5308cc3dfabc08935ddd725129fb7c 0x79fdef7c42930b33a81ad477fb3675b8 0xd7ab792809e469e6ec62b2c82648ee38 N. Bruneau, S. Guilley, A. Heuser, D. Marion and O. Rioul Optimal Attacks for multi-variate & multi-models side-channels

  7. Introduction Solution Results Conclusions and perspectives Examples of X It is a matrix Plaintext Trace, X 0xe3e70682c2094cac629f6fbed82c07cd 8 9 5 3 7 0x82e2e662f728b4fa42485e3a0a5d2f34 2 8 8 8 5 0xd4713d60c8a70639eb1167b367a9c378 9 5 4 6 9 0x23a7711a8133287637ebdcd9e87a1613 9 7 0 6 4 0xe6f4590b9a164106cf6a659eb4862b21 6 8 2 7 1 0x85776e9add84f39e71545a137a1d5006 2 7 3 8 1 0xd71037d1b83e90ec17e0aa3c03983ca8 1 6 0 5 9 0xf7b0b7d2cda8056c3d15eef738c1962e 5 6 0 6 6 0x1759edc372ae22448b0163c1cd9d2b7d 5 3 3 9 0 0x8c25166a1ff39849b4e1357d4a84eb03 0 9 1 1 2 0x966e12778c1745a79a6a5f92cca74147 8 9 0 4 1 0xcc45782198a6416d1775336d71eacd05 2 2 6 3 1 0x4a5308cc3dfabc08935ddd725129fb7c 5 0 1 9 1 3 7 8 9 1 0x79fdef7c42930b33a81ad477fb3675b8 6 9 0 6 8 0xd7ab792809e469e6ec62b2c82648ee38 N. Bruneau, S. Guilley, A. Heuser, D. Marion and O. Rioul Optimal Attacks for multi-variate & multi-models side-channels

  8. Introduction Solution Results Conclusions and perspectives Examples of Y k It is a matrix Bits of Sbox #0 Plaintext 1st byte ( Y k for k = 0x00 ) 0xe3e70682c2094cac629f6fbed82c07cd 0xbd 10111101 0x82e2e662f728b4fa42485e3a0a5d2f34 0x18 00011000 0xd4713d60c8a70639eb1167b367a9c378 0xbc 10111100 0x23a7711a8133287637ebdcd9e87a1613 0x7d 01111101 0xe6f4590b9a164106cf6a659eb4862b21 0xfd 11111101 0x85776e9add84f39e71545a137a1d5006 0x6f 01101111 0xd71037d1b83e90ec17e0aa3c03983ca8 0xc2 11000010 0xf7b0b7d2cda8056c3d15eef738c1962e 0x31 00110001 0x1759edc372ae22448b0163c1cd9d2b7d 0xff 11111111 0x8c25166a1ff39849b4e1357d4a84eb03 0x7b 01111011 0x966e12778c1745a79a6a5f92cca74147 0xa0 10100000 0xcc45782198a6416d1775336d71eacd05 0x6b 01101011 0x4a5308cc3dfabc08935ddd725129fb7c 0x10 00010000 0x79fdef7c42930b33a81ad477fb3675b8 0x6c 01101100 0xd7ab792809e469e6ec62b2c82648ee38 0x07 00000111 N. Bruneau, S. Guilley, A. Heuser, D. Marion and O. Rioul Optimal Attacks for multi-variate & multi-models side-channels

  9. Introduction Solution Results Conclusions and perspectives Examples of Y k It is a matrix Bits of Sbox #0 Plaintext 1st byte ( Y k for k = 0x01 ) 0xe3e70682c2094cac629f6fbed82c07cd 0x4b 01001011 0x82e2e662f728b4fa42485e3a0a5d2f34 0x96 10010110 0xd4713d60c8a70639eb1167b367a9c378 0xb6 10110110 0x23a7711a8133287637ebdcd9e87a1613 0xc9 11001001 0xe6f4590b9a164106cf6a659eb4862b21 0xb7 10110111 0x85776e9add84f39e71545a137a1d5006 0xc5 11000101 0xd71037d1b83e90ec17e0aa3c03983ca8 0xd3 11010011 0xf7b0b7d2cda8056c3d15eef738c1962e 0x15 00010101 0x1759edc372ae22448b0163c1cd9d2b7d 0x10 00010000 0x8c25166a1ff39849b4e1357d4a84eb03 0x77 01110111 0x966e12778c1745a79a6a5f92cca74147 0x5a 01011010 0xcc45782198a6416d1775336d71eacd05 0xf2 11110010 0x4a5308cc3dfabc08935ddd725129fb7c 0xff 11111111 0x79fdef7c42930b33a81ad477fb3675b8 0x56 01010110 0xd7ab792809e469e6ec62b2c82648ee38 0x12 00010010 N. Bruneau, S. Guilley, A. Heuser, D. Marion and O. Rioul Optimal Attacks for multi-variate & multi-models side-channels

  10. Introduction Solution Results Conclusions and perspectives Examples of Y k It is a matrix Bits of Sbox #0 Plaintext 1st byte ( Y k for k = 0x02 ) 0xe3e70682c2094cac629f6fbed82c07cd 0x8a 10001010 0x82e2e662f728b4fa42485e3a0a5d2f34 0x05 00000101 0xd4713d60c8a70639eb1167b367a9c378 0xda 11011010 0x23a7711a8133287637ebdcd9e87a1613 0x82 10000010 0xe6f4590b9a164106cf6a659eb4862b21 0x26 00100110 0x85776e9add84f39e71545a137a1d5006 0xf2 11110010 0xd71037d1b83e90ec17e0aa3c03983ca8 0xac 10101100 0xf7b0b7d2cda8056c3d15eef738c1962e 0x71 01110001 0x1759edc372ae22448b0163c1cd9d2b7d 0xd2 11010010 0x8c25166a1ff39849b4e1357d4a84eb03 0x7c 01111100 0x966e12778c1745a79a6a5f92cca74147 0x6e 01101110 0xcc45782198a6416d1775336d71eacd05 0xc5 11000101 0x4a5308cc3dfabc08935ddd725129fb7c 0xf3 11110011 0x79fdef7c42930b33a81ad477fb3675b8 0xf4 11110100 0xd7ab792809e469e6ec62b2c82648ee38 0x80 10000000 N. Bruneau, S. Guilley, A. Heuser, D. Marion and O. Rioul Optimal Attacks for multi-variate & multi-models side-channels

  11. Introduction Solution Results Conclusions and perspectives Examples of Y k It is a matrix Bits of Sbox #0 Plaintext 1st byte ( Y k for k = 0xff ) 0xe3e70682c2094cac629f6fbed82c07cd 0x23 00100011 0x82e2e662f728b4fa42485e3a0a5d2f34 0x1f 00011111 0xd4713d60c8a70639eb1167b367a9c378 0x17 00010111 0x23a7711a8133287637ebdcd9e87a1613 0xce 11001110 0xe6f4590b9a164106cf6a659eb4862b21 0x1d 00011101 0x85776e9add84f39e71545a137a1d5006 0x99 10011001 0xd71037d1b83e90ec17e0aa3c03983ca8 0x5b 01011011 0xf7b0b7d2cda8056c3d15eef738c1962e 0x3e 00111110 0x1759edc372ae22448b0163c1cd9d2b7d 0x13 00010011 0x8c25166a1ff39849b4e1357d4a84eb03 0xb0 10110000 0x966e12778c1745a79a6a5f92cca74147 0x6c 01101100 0xcc45782198a6416d1775336d71eacd05 0x2d 00101101 0x4a5308cc3dfabc08935ddd725129fb7c 0xec 11101100 0x79fdef7c42930b33a81ad477fb3675b8 0xa0 10100000 0xd7ab792809e469e6ec62b2c82648ee38 0xc6 11000110 N. Bruneau, S. Guilley, A. Heuser, D. Marion and O. Rioul Optimal Attacks for multi-variate & multi-models side-channels

  12. Introduction Solution Results Conclusions and perspectives Real-World Example The figure below shows power consumption traces taken from an ATMega smartcard—datasets are available from the DPA contest V4 team [TEL14] (knowing the mask). S = 2 S = 9 S = 9 N. Bruneau, S. Guilley, A. Heuser, D. Marion and O. Rioul Optimal Attacks for multi-variate & multi-models side-channels (a) Weights of bits of the sensitive variable

  13. Introduction Solution Results Conclusions and perspectives Real-World Example The figure below shows power consumption traces taken from an ATMega smartcard—datasets are available from the DPA contest V4 team [TEL14] (knowing the mask). S = 9 S = 9 S = 2 (b) Mean power consumption for each Hamming weight class N. Bruneau, S. Guilley, A. Heuser, D. Marion and O. Rioul Optimal Attacks for multi-variate & multi-models side-channels

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France November 16, 2017 Cryptacus Workshop, Nijmegen, Netherlands the attacker only needs unprivileged execution on the victims machine

1.99k views • 164 slides
Adaptive Control Chapter 13: Multimodel adaptive control with switching Chapter 13: Multimodel

Adaptive Control Chapter 13: Multimodel adaptive control with switching Chapter 13: Multimodel

Adaptive Control Chapter 13: Multimodel adaptive control with switching Chapter 13: Multimodel adaptive control with switching Outline 1. Introduction 2. Multimodel Adaptive Control with Switching 3. Stability of the Adaptive System 4.

558 views • 38 slides
Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet nadia.el-mrabet@emse.fr Mines St Etienne WRACH2019, April 17, 2019 Side channel attacks Physical counter measures Algorithmic counter measures Arithmetical

900 views • 36 slides
Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas ROCHE ANSSI (French Network and Information Security Agency) Thursday, December 3rd, 2013 Side Channel Attacks (SCA)| Linear Regression Attack

340 views • 32 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks

Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks

Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks Pieter Robyns Motivation and introduction Motivation Information about performing EM side-channel attacks using SDR is quite scarce A few

758 views • 42 slides
Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World Crypto & Privacy ibenik , Croatia Outline Why physical attacks matter Implementation attacks and power analysis Leakage Detection

972 views • 52 slides
General fault attacks on multivariate public key cryptosystems Y. Hashimoto (Univ. of the

General fault attacks on multivariate public key cryptosystems Y. Hashimoto (Univ. of the

General fault attacks on multivariate public key cryptosystems Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) K. Sakurai(ISIT) Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate

587 views • 23 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS SIDE CHANNEL ATTACKS

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS SIDE CHANNEL ATTACKS

Nicolas Belleville 1 Damien Courouss 1 Karine Heydemann 2 1 Univ Grenoble Alpes, CEA, List, F-38000 Grenoble, France Henri-Pierre Charles 1 firstname.lastname@cea.fr 2 Sorbonne Universit, CNRS, LIP6, F-75005, Paris, France

715 views • 53 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&P), 2019 (Dustin)

726 views • 44 slides
Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

2.22k views • 188 slides
HiPS Hierarchical Parameter Synchronization in Large-Scale Distributed Machine Learning

HiPS Hierarchical Parameter Synchronization in Large-Scale Distributed Machine Learning

HiPS Hierarchical Parameter Synchronization in Large-Scale Distributed Machine Learning Jinkun Geng, Dan Li, Yang Cheng, Shuai Wang, and Junfeng Li 1 ACM SIGCOMM Workshop on NetAI Net AI for 2 Background Computation Communication

542 views • 33 slides
Structured Data Processing - Spark SQL Amir H. Payberah payberah@kth.se 17/09/2019 The Course

Structured Data Processing - Spark SQL Amir H. Payberah payberah@kth.se 17/09/2019 The Course

Structured Data Processing - Spark SQL Amir H. Payberah payberah@kth.se 17/09/2019 The Course Web Page https://id2221kth.github.io 1 / 87 Where Are We? 2 / 87 Motivation 3 / 87 Hive A system for managing and querying structured data

1.5k views • 110 slides
The Rise of Monitorial Citizenship Erhardt Graeff @erhardt MIT Center for Civic Media

The Rise of Monitorial Citizenship Erhardt Graeff @erhardt MIT Center for Civic Media

The Rise of Monitorial Citizenship Erhardt Graeff @erhardt MIT Center for Civic Media & Olin College of Engineering DML 2018 Ignite Erhardt Graeff 1 August 1, 2018 neverseconds.blogspot.co.uk neverseconds.blogspot.co.uk

360 views • 20 slides
Inequality Josef Berger University of Greifswald, Germany CTFM, 18 February 2013 Consider the

Inequality Josef Berger University of Greifswald, Germany CTFM, 18 February 2013 Consider the

Inequality Josef Berger University of Greifswald, Germany CTFM, 18 February 2013 Consider the following axioms. (A) x = y x = z y = z (B) 1 x y x = y x z z y (C) x = y x y y x

375 views • 14 slides
CS 327E Class 2 September 16, 2019 1) Which is not a Data Manipulation Language construct? a)

CS 327E Class 2 September 16, 2019 1) Which is not a Data Manipulation Language construct? a)

CS 327E Class 2 September 16, 2019 1) Which is not a Data Manipulation Language construct? a) CREATE b) SELECT c) INSERT d) UPDATE 2) How many fields does this query return? SELECT group FROM ACL_Lineup_2019 a) 5 b) 4 c) 1 d) 0 3) How

663 views • 16 slides
SQL: Updates (DML) and Views (DDL) Murali Mani SQL DML (Updating the Data) Insert

SQL: Updates (DML) and Views (DDL) Murali Mani SQL DML (Updating the Data) Insert

SQL: Updates (DML) and Views (DDL) Murali Mani SQL DML (Updating the Data) Insert Delete Update Murali Mani 1 Inserting tuples INSERT INTO Student VALUES (6, Emily, 324 FL, NULL); INSERT INTO Student (sNumber,

107 views • 9 slides
Program -ing Finger Trees In Coq or How To Morph Endo Using Type Theory Matthieu Sozeau LRI ,

Program -ing Finger Trees In Coq or How To Morph Endo Using Type Theory Matthieu Sozeau LRI ,

Program -ing Finger Trees In Coq or How To Morph Endo Using Type Theory Matthieu Sozeau LRI , Univ. Paris-Sud - D emons Team & INRIA Saclay - ProVal Project ICFP07 October 13 2007 Freiburg, Germany The Curry-Howard isomorphism

667 views • 50 slides
Some principles weaker than Markovs principle Makoto Fujiwara (joint work with Hajime

Some principles weaker than Markovs principle Makoto Fujiwara (joint work with Hajime

Background Results Some principles weaker than Markovs principle Makoto Fujiwara (joint work with Hajime Ishihara and Takako Nemoto) School of Information Science, Japan Advanced Institute of Science and Technology (JAIST) CTFM 2015 9

612 views • 38 slides

More recommend