R OBUST P ROFILING FOR DPA-S TYLE A TTACKS Carolyn Whitnall 1 , Elisabeth Oswald 1 1 Department of Computer Science, University of Bristol carolyn.whitnall@bris.ac.uk September 2015 C. W HITNALL (U NIVERSITY OF B RISTOL ) C LUSTERING FOR DPA CHES 2015 1 / 19
I NTRODUCTION Top line: Extracting ‘portable’ power models for DPA attacks. ML key recovery ‘Standard’ DPA with fully profiled with ‘standard’ templates models (e.g. HW) ‘Standard’ DPA with approximated leakage models Outline: I Preliminaries: ‘Standard’ DPA; different ‘types’ of power model; unsupervised ( k -means) clustering. I Proposed methodology: unsupervised clustering for building nominal power models. I Experimental results. C. W HITNALL (U NIVERSITY OF B RISTOL ) C LUSTERING FOR DPA CHES 2015 2 / 19
I NTRODUCTION Top line: Extracting ‘portable’ power models for DPA attacks. ML key recovery ‘Standard’ DPA with fully profiled with ‘standard’ templates models (e.g. HW) ‘Standard’ DPA with approximated leakage models Outline: I Preliminaries: ‘Standard’ DPA; different ‘types’ of power model; unsupervised ( k -means) clustering. I Proposed methodology: unsupervised clustering for building nominal power models. I Experimental results. C. W HITNALL (U NIVERSITY OF B RISTOL ) C LUSTERING FOR DPA CHES 2015 2 / 19
‘S TANDARD DPA ATTACK ’ 0.6 Distinguisher value 3 # std deviations 0.4 2 0.2 1 0 0 − 1 − 0.2 − 2 − 0.4 0 0 20 20 40 40 60 60 Key hypothesis True key Nearest rival C. W HITNALL (U NIVERSITY OF B RISTOL ) C LUSTERING FOR DPA CHES 2015 3 / 19
D IFFERENT TYPES OF POWER MODEL The power model M can approximate the deterministic part of the leakage L at different ‘levels’ . . . L EVEL C ORRESPONDENCE A SSOCIATED ATTACKS Bayesian templates, M ⇡ L Direct stochastic profiling Pearson’s correlation M ⇡ α L Proportional coefficient { z | M ( z ) < M ( z 0 ) } ⇡ Spearman’s rank Ordinal { z | L ( z ) < L ( z 0 ) } 8 z 0 2 Z correlation coefficient ‘Partition’-based: { z | M ( z ) = M ( z 0 ) } ⇡ Nominal mutual information, { z | L ( z ) = L ( z 0 ) } 8 z 0 2 Z variance ratio, etc. C. W HITNALL (U NIVERSITY OF B RISTOL ) C LUSTERING FOR DPA CHES 2015 4 / 19
D IFFERENT TYPES OF POWER MODEL The power model M can approximate the deterministic part of the leakage L at different ‘levels’ . . . L EVEL C ORRESPONDENCE A SSOCIATED ATTACKS Bayesian templates, M ⇡ L Direct stochastic profiling Pearson’s correlation M ⇡ α L Proportional coefficient { z | M ( z ) < M ( z 0 ) } ⇡ Spearman’s rank Ordinal { z | L ( z ) < L ( z 0 ) } 8 z 0 2 Z correlation coefficient ‘Partition’-based: { z | M ( z ) = M ( z 0 ) } ⇡ Nominal mutual information, { z | L ( z ) = L ( z 0 ) } 8 z 0 2 Z variance ratio, etc. C. W HITNALL (U NIVERSITY OF B RISTOL ) C LUSTERING FOR DPA CHES 2015 4 / 19
D IFFERENT TYPES OF POWER MODEL The power model M can approximate the deterministic part of the leakage L at different ‘levels’ . . . L EVEL C ORRESPONDENCE A SSOCIATED ATTACKS Bayesian templates, M ⇡ L Direct stochastic profiling Pearson’s correlation M ⇡ α L Proportional coefficient { z | M ( z ) < M ( z 0 ) } ⇡ Spearman’s rank Ordinal { z | L ( z ) < L ( z 0 ) } 8 z 0 2 Z correlation coefficient ‘Partition’-based: { z | M ( z ) = M ( z 0 ) } ⇡ Nominal mutual information, { z | L ( z ) = L ( z 0 ) } 8 z 0 2 Z variance ratio, etc. C. W HITNALL (U NIVERSITY OF B RISTOL ) C LUSTERING FOR DPA CHES 2015 4 / 19
D IFFERENT TYPES OF POWER MODEL The power model M can approximate the deterministic part of the leakage L at different ‘levels’ . . . L EVEL C ORRESPONDENCE A SSOCIATED ATTACKS Bayesian templates, M ⇡ L Direct stochastic profiling Pearson’s correlation M ⇡ α L Proportional coefficient { z | M ( z ) < M ( z 0 ) } ⇡ Spearman’s rank Ordinal { z | L ( z ) < L ( z 0 ) } 8 z 0 2 Z correlation coefficient ‘Partition’-based: { z | M ( z ) = M ( z 0 ) } ⇡ Nominal mutual information, { z | L ( z ) = L ( z 0 ) } 8 z 0 2 Z variance ratio, etc. C. W HITNALL (U NIVERSITY OF B RISTOL ) C LUSTERING FOR DPA CHES 2015 4 / 19
D IFFERENT TYPES OF POWER MODEL The power model M can approximate the deterministic part of the leakage L at different ‘levels’ . . . L EVEL C ORRESPONDENCE A SSOCIATED ATTACKS Bayesian templates, M ⇡ L Direct stochastic profiling Pearson’s correlation M ⇡ α L Proportional coefficient { z | M ( z ) < M ( z 0 ) } ⇡ Spearman’s rank Ordinal { z | L ( z ) < L ( z 0 ) } 8 z 0 2 Z correlation coefficient ‘Partition’-based: { z | M ( z ) = M ( z 0 ) } ⇡ Nominal mutual information, { z | L ( z ) = L ( z 0 ) } 8 z 0 2 Z variance ratio, etc. C. W HITNALL (U NIVERSITY OF B RISTOL ) C LUSTERING FOR DPA CHES 2015 4 / 19
U NSUPERVISED CLUSTERING Task: Arrange objects s.t. those inside a given group are similar whilst those in different groups are dissimilar . Assumption: Number or characteristics of the underlying classes are a priori unknown (unlike supervised classification). Method: Large selection of iterative trial-and-error solutions: I Cluster models vary: hierarchical, centroid-based, density- or distribution-based, graph-based . . . I ‘Similarity’ measures vary: Euclidean distance, correlation, Hamming, Manhattan . . . N.B.: Notoriously difficult to match the best-suited learning algorithm to a given problem. C. W HITNALL (U NIVERSITY OF B RISTOL ) C LUSTERING FOR DPA CHES 2015 5 / 19
U NSUPERVISED CLUSTERING Task: Arrange objects s.t. those inside a given group are similar whilst those in different groups are dissimilar . Assumption: Number or characteristics of the underlying classes are a priori unknown (unlike supervised classification). Method: Large selection of iterative trial-and-error solutions: I Cluster models vary: hierarchical, centroid-based, density- or distribution-based, graph-based . . . I ‘Similarity’ measures vary: Euclidean distance, correlation, Hamming, Manhattan . . . N.B.: Notoriously difficult to match the best-suited learning algorithm to a given problem. C. W HITNALL (U NIVERSITY OF B RISTOL ) C LUSTERING FOR DPA CHES 2015 5 / 19
U NSUPERVISED CLUSTERING Task: Arrange objects s.t. those inside a given group are similar whilst those in different groups are dissimilar . Assumption: Number or characteristics of the underlying classes are a priori unknown (unlike supervised classification). Method: Large selection of iterative trial-and-error solutions: I Cluster models vary: hierarchical, centroid-based, density- or distribution-based, graph-based . . . I ‘Similarity’ measures vary: Euclidean distance, correlation, Hamming, Manhattan . . . N.B.: Notoriously difficult to match the best-suited learning algorithm to a given problem. C. W HITNALL (U NIVERSITY OF B RISTOL ) C LUSTERING FOR DPA CHES 2015 5 / 19
U NSUPERVISED CLUSTERING Task: Arrange objects s.t. those inside a given group are similar whilst those in different groups are dissimilar . Assumption: Number or characteristics of the underlying classes are a priori unknown (unlike supervised classification). Method: Large selection of iterative trial-and-error solutions: I Cluster models vary: hierarchical, centroid-based, density- or distribution-based, graph-based . . . I ‘Similarity’ measures vary: Euclidean distance, correlation, Hamming, Manhattan . . . N.B.: Notoriously difficult to match the best-suited learning algorithm to a given problem. C. W HITNALL (U NIVERSITY OF B RISTOL ) C LUSTERING FOR DPA CHES 2015 5 / 19
P ROPOSED METHODOLOGY G ENERAL STRATEGY 1 Partition the profiling traces according to the intermediate values and compute the means { ¯ t z } z 2 Z . 2 Obtain a mapping M : Z � ! M by clustering the mean traces. Values in Z not represented in the profiling dataset are mapped to cluster C + 1 (i.e. an ‘other’ category). 3 Use M as the (nominal) power model in ‘partition-based’ DPA against the target traces. E XAMPLE INSTANTIATION Clustering algorithm: Principal component analysis followed by k -means clustering. DPA distinguisher: Univariate and multivariate variance ratio. Benchmark: Correlation DPA using the first principal component to approximate a ‘proportional’ power model. C. W HITNALL (U NIVERSITY OF B RISTOL ) C LUSTERING FOR DPA CHES 2015 6 / 19
P ROPOSED METHODOLOGY G ENERAL STRATEGY 1 Partition the profiling traces according to the intermediate values and compute the means { ¯ t z } z 2 Z . 2 Obtain a mapping M : Z � ! M by clustering the mean traces. Values in Z not represented in the profiling dataset are mapped to cluster C + 1 (i.e. an ‘other’ category). 3 Use M as the (nominal) power model in ‘partition-based’ DPA against the target traces. E XAMPLE INSTANTIATION Clustering algorithm: Principal component analysis followed by k -means clustering. DPA distinguisher: Univariate and multivariate variance ratio. Benchmark: Correlation DPA using the first principal component to approximate a ‘proportional’ power model. C. W HITNALL (U NIVERSITY OF B RISTOL ) C LUSTERING FOR DPA CHES 2015 6 / 19
Recommend
More recommend
