characterisation and estimation of the key rank
play

Characterisation and Estimation of the Key Rank Distribution in the - PowerPoint PPT Presentation

Characterisation and Estimation of the Key Rank Distribution in the Context of Side Channel Evaluations https://github.com/bristol-sca/labynkyr December 7, 2016 Daniel P. Martin, Luke Mather, Elisabeth Oswald, Martijn Stam Cryptography Group,


  1. Characterisation and Estimation of the Key Rank Distribution in the Context of Side Channel Evaluations https://github.com/bristol-sca/labynkyr December 7, 2016 Daniel P. Martin, Luke Mather, Elisabeth Oswald, Martijn Stam Cryptography Group, University of Bristol 1

  2. OUTLINE non-invasive side-channel attacks as well as we could be. improved evaluation methodology. 2 ◮ Claim : we’re not evaluating the resistance of a device to ◮ This work : outline the reasons why, and describe an

  3. WHY IS THIS IMPORTANT? Being able to accurately evaluate the resistance of a device to SCA is important: (Common Criteria; FIPS 140-3); attacker that captures this probabilistic nature. 3 ◮ Resistance to SCA encoded in several evaluation processes ◮ Billions of devices implementing cryptography; ◮ SCA is almost always probabilistic in nature; ◮ Have to make a value judgement on the strength of an

  4. PLAN Motivation: we need to change how we view the outcome of a (non-invasive) side-channel attack 1. How we view side-channel attacks at the moment; 2. The current evaluation strategy; attack; 4. This work: how do we appropriately modify our evaluation methodology. 4 3. Changing our view to include the rank of a side-channel

  5. CURRENT MODEL FOR A SIDE-CHANNEL ATTACK 5 Con fi gure attack Gather n measurements - Pick model for leakage (traces) - Choose distinguisher Run attack Candidate key k Check using a known plaintext/ciphertext pair c == Enc (p) ? k

  6. FACTORS AFFECTING SUCCESS The quality of an attack is affected by: 1. The nature of the ‘true’ underlying leakage signal; 2. The quality of the adversary’s model for that leakage; 3. The statistical technique used to assign scores to key candidates; 4. Noise: environmental, countermeasures, measurement quality; 5. The number of measurements available. 6

  7. CURRENT EVALUATION APPROACH Attack-based evaluation approach: Judge impact of attack outcomes: 1. Does the adversary recover the secret key? 3. (other properties assessed: time, expense, ...) 7 ◮ Run a battery of attacks, and see what happens. 2. If yes, how many measurements were needed?

  8. 8 SIDE-CHANNEL ATTACKS: WITH KEY RANK Veyrat-Charvillion (SAC 2012) noticed that the adversary doesn't need the attack to be "perfect": Con fi gure attack Gather n measurements - Pick model for leakage (traces) - Choose distinguisher Run attack Auxiliary information assigning 'scores' to all key candidates Enumerate and check the key candidates in order of their score

  9. KEY RANK: A DEFINITION 9 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 2 3 4 5 2 57 -1 2 57 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  10. KEY RANK: A DEFINITION 10 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 INCORRECT 2 3 4 5 2 57 -1 2 57 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  11. KEY RANK: A DEFINITION 11 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 2 INCORRECT 3 4 5 2 57 -1 2 57 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  12. KEY RANK: A DEFINITION 12 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 2 INCORRECT 3 4 5 2 57 -1 2 57 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  13. KEY RANK: A DEFINITION 13 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 2 3 4 INCORRECT 5 2 57 -1 2 57 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  14. KEY RANK: A DEFINITION 14 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 2 3 4 5 INCORRECT 2 57 -1 2 57 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  15. KEY RANK: A DEFINITION 15 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 2 3 4 5 INCORRECT 2 57 -1 2 57 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  16. KEY RANK: A DEFINITION 16 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 2 3 4 5 2 57 -1 2 57 CORRECT (R = 2 57 ) 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  17. KEY RANK: A DEFINITION 17 Rank R : the number R of candidate keys an adversary must enumerate and check before generating the correct key. Key candidate Most likely 1 2 3 4 5 Note: enumeration of candidate keys is expensive! 2 57 -1 (see ePrint 2016/609) 2 57 CORRECT (R = 2 57 ) 2 57 + 1 2 128 -1 2 128 Least likely Check each candidate key k by encrypting a known plaintext ciphertext pair (p,c)

  18. EVALUATION: WITH KEY RANK Which is more powerful: or 18 An attack requiring 10,000 measurements with a rank of 2 55 ? An attack requiring 50,000 measurements with a rank of 2 53 ?

  19. KEY RANK AS A RANDOM VARIABLE (a fixed number of) measurements Answer: no, in practice we don’t know all the distributions involved. 19 Key rank R is a random variable defined over the randomness in Can we analytically compute the distribution of R ? Later: is looking at the expectation E ( R ) a good idea?

  20. ESTIMATING THE RANK DISTRIBUTION The only usable approach is to estimate the rank distribution using repeated sampling. 3. Compute or estimate the rank for that attack. 4. Repeat. Questions we wanted to answer: 1. What is the shape of the distribution? 2. Is there consistency across the spectrum of SCA scenarios? 20 1. Fix an attack strategy, and a number of measurements n . 2. Capture a fresh set of n measurements, and run the attack.

  21. COMPUTING RANK Need a non-naive method for approximating rank when key is known. Majority of existing attempts provide an estimate for an interval: We chose to look at optimising: 21 Care about speed and minimising the error in bits b : if the true rank is 2 x , then the estimate is within 2 x ± b . ◮ Veyrat-Charvillon et al. (Eurocrypt 2013) ◮ Glowacz et al. (FSE 2015) (*) ◮ Duc et al. (Eurocrypt 2015) ◮ Bernstein et al. (ePrint 2015/221) ◮ Martin et al. (Asiacrypt 2015)

  22. IMPROVING RANK ESTIMATION Made several observations to reduce the run-time of Martin et al. rank estimation algorithm. precision at no additional cost on a workstation CPU. 22 ◮ Able to achieve ∼ 8 − 10 orders of magnitude more ◮ ⇒ can get a very accurate point estimate in a few seconds

  23. RESULTS: DISTRIBUTION CONSISTENCY across a variety of: 23 In general, distribution and shape of R is very consistent. ◮ Performed hundreds of thousands of repeat experiments ◮ ◮ Noise levels; ◮ Distinguisher types; ◮ Leakage distributions; ◮ Quantities of measurements. ◮ ... estimating and recording the rank after each attack.

  24. RESULTS: DISTRIBUTION SHAPE -- REAL WORLD EXPERIMENT 24 Repeated DPA attacks on a BeagleBone Black implementing AES-128 in hardware (Longo et al. CHES 2015) 120 Median rank Min / max observed rank 100 10th / 90th percentile of rank Estimated rank (log 2 ) 80 60 40 20 0 0 20000 40000 60000 80000 100000 Number of measurements (EM traces)

  25. 25 RESULTS: DISTRIBUTION SHAPE -- IN DETAIL Histograms of repeated attacks grouped by mean rank: Repeated attacks with an average rank of 2 16 Count 0 20 40 60 80 100 120 Estimated rank (log 2 )

  26. 26 RESULTS: DISTRIBUTION SHAPE -- IN DETAIL Histograms of repeated attacks grouped by mean rank: Repeated attacks with an average rank of 2 32 Count 0 20 40 60 80 100 120 Estimated rank (log 2 )

  27. 27 RESULTS: DISTRIBUTION SHAPE -- IN DETAIL Histograms of repeated attacks grouped by mean rank: Repeated attacks with an average rank of 2 48 Count 0 20 40 60 80 100 120 Estimated rank (log 2 )

  28. 28 RESULTS: DISTRIBUTION SHAPE -- IN DETAIL Histograms of repeated attacks grouped by mean rank: Repeated attacks with an average rank of 2 64 Count 0 20 40 60 80 100 120 Estimated rank (log 2 )

  29. 29 RESULTS: DISTRIBUTION SHAPE -- IN DETAIL Histograms of repeated attacks grouped by mean rank: Repeated attacks with an average rank of 2 80 Count 0 20 40 60 80 100 120 Estimated rank (log 2 )

  30. 30 RESULTS: DISTRIBUTION SHAPE -- IN DETAIL Histograms of repeated attacks grouped by mean rank: Repeated attacks with an average rank of 2 96 Count 0 20 40 60 80 100 120 Estimated rank (log 2 )

  31. 31 RESULTS: DISTRIBUTION SHAPE -- IN DETAIL Histograms of repeated attacks grouped by mean rank: Repeated attacks with an average rank of 2 112 Count 0 20 40 60 80 100 120 Estimated rank (log 2 )

Recommend


More recommend