efficient template attacks
play

Efficient Template Attacks CARDIS 2013 Omar Choudary Markus G. - PowerPoint PPT Presentation

Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Efficient Template Attacks CARDIS 2013 Omar Choudary Markus G. Kuhn Berlin, 29 November 2013 Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide


  1. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Efficient Template Attacks CARDIS 2013 Omar Choudary Markus G. Kuhn Berlin, 29 November 2013 Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 1

  2. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Introduction Template Attacks [Chari et al., ’03] Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 2

  3. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Introduction Template Attacks [Chari et al., ’03] Certification to CC profiles requires their evaluation Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 2

  4. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Introduction Template Attacks [Chari et al., ’03] Certification to CC profiles requires their evaluation Contributions: Dealing with large number of samples (avoiding numerical pitfalls) Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 2

  5. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Introduction Template Attacks [Chari et al., ’03] Certification to CC profiles requires their evaluation Contributions: Dealing with large number of samples (avoiding numerical pitfalls) Efficient implementation (reducing evaluation time, e.g. from 3 days to 30 minutes) Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 2

  6. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Introduction Template Attacks [Chari et al., ’03] Certification to CC profiles requires their evaluation Contributions: Dealing with large number of samples (avoiding numerical pitfalls) Efficient implementation (reducing evaluation time, e.g. from 3 days to 30 minutes) Fair evaluation of most common compression techniques Show several assumptions do not hold in general Practical guideline for choosing the right compression Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 2

  7. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Introduction Template Attacks [Chari et al., ’03] Certification to CC profiles requires their evaluation Contributions: Dealing with large number of samples (avoiding numerical pitfalls) Efficient implementation (reducing evaluation time, e.g. from 3 days to 30 minutes) Fair evaluation of most common compression techniques Show several assumptions do not hold in general Practical guideline for choosing the right compression And ... we provide data and code so you can try it! Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 2

  8. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Experiment: eavesdropping on 8-bit data bus Executed Code: movw r30, r24 ld r8, Z+ ld r9, Z+ ld r10, Z+ ld r11, Z+ MOV LD R8, clk #2 LD R9, clk #2 LD R10, clk #2 LD R11, clk #2 LD R8, clk #1 LD R9, clk #1 LD R10, clk #1 LD R11 clk #1 LD R12 clk #1 Amplitude 0 0 2 4 6 8 10 Time [ µ s] Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 3

  9. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Experiment: eavesdropping on 8-bit data bus Executed Code: movw r30, r24 ld r8, 0 ld r9, k ld r10, 0 ld r11, 0 MOV LD R8, clk #2 LD R9, clk #2 LD R10, clk #2 LD R11, clk #2 LD R8, clk #1 LD R9, clk #1 LD R10, clk #1 LD R11 clk #1 LD R12 clk #1 Amplitude 0 0 2 4 6 8 10 Time [ µ s] Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 4

  10. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Profiling: Acquire Traces Executed Code: movw r30, r24 ld r8, 0 MOV LD R8, clk #2 LD R9, clk #2 LD R10, clk #2 LD R11, clk #2 LD R8, clk #1 LD R9, clk #1 LD R10, clk #1 LD R11 clk #1 LD R12 clk #1 ld r9, k Amplitude MOV LD R8, clk #2 LD R9, clk #2 LD R10, clk #2 LD R11, clk #2 LD R8, clk #1 LD R9, clk #1 LD R10, clk #1 LD R11 clk #1 LD R12 clk #1 ld r10, 0 k = 0 Amplitude MOV 0 0 2 4 6 8 10 LD R8, clk #2 LD R9, clk #2 LD R10, clk #2 LD R11, clk #2 Time [ µ s] LD R8, clk #1 LD R9, clk #1 LD R10, clk #1 LD R11 clk #1 LD R12 clk #1 ld r11, 0 Amplitude 0 0 2 4 6 8 10 Time [ µ s] 0 0 2 4 6 8 10 Time [ µ s] MOV LD R8, clk #2 LD R9, clk #2 LD R10, clk #2 LD R11, clk #2 LD R8, clk #1 LD R9, clk #1 LD R10, clk #1 LD R11 clk #1 LD R12 clk #1 Amplitude MOV LD R8, clk #2 LD R9, clk #2 LD R10, clk #2 LD R11, clk #2 LD R8, clk #1 LD R9, clk #1 LD R10, clk #1 LD R11 clk #1 LD R12 clk #1 k = 1 Amplitude MOV 0 0 2 4 6 8 10 LD R8, clk #2 LD R9, clk #2 LD R10, clk #2 LD R11, clk #2 Time [ µ s] LD R8, clk #1 LD R9, clk #1 LD R10, clk #1 LD R11 clk #1 LD R12 clk #1 Amplitude 0 0 2 4 6 8 10 Time [ µ s] . . . 0 0 2 4 6 8 10 Time [ µ s] k = 255 Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 5

  11. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Profiling: Estimate Templates 0.06 µ r 1 µ r 1 + std( µ r 1 ) µ r 1 − std( µ r 1 ) 0.05 max k ( µ r k ) MOV min k ( µ r LD R8, clk #2 LD R9, clk #2 LD R10, clk #2 LD R11, clk #2 k ) LD R8, clk #1 LD R9, clk #1 LD R10, clk #1 LD R11 clk #1 LD R12 clk #1 0.04 Amplitude Amplitude [V] MOV LD R8, clk #2 LD R9, clk #2 LD R10, clk #2 LD R11, clk #2 LD R8, clk #1 LD R9, clk #1 LD R10, clk #1 LD R11 clk #1 LD R12 clk #1 ¯ x k 0.03 k = 0 Amplitude MOV 0 0 2 4 6 8 10 LD R8, clk #2 LD R9, clk #2 LD R10, clk #2 LD R11, clk #2 Time [ µ s] LD R8, clk #1 LD R9, clk #1 LD R10, clk #1 LD R11 clk #1 LD R12 clk #1 Amplitude 0.02 0 0 2 4 6 8 10 Time [ µ s] Compression 0.01 0 0 2 4 6 8 10 Time [ µ s] 0 3.2 3.4 3.6 3.8 4 4.2 4.4 4.6 Time [ µ s] 6 MOV x 10 LD R8, clk #2 LD R9, clk #2 LD R10, clk #2 LD R11, clk #2 20 LD R8, clk #1 LD R9, clk #1 LD R10, clk #1 LD R11 clk #1 LD R12 clk #1 Amplitude 10 MOV LD R8, clk #2 LD R9, clk #2 LD R10, clk #2 LD R11, clk #2 LD R8, clk #1 LD R9, clk #1 LD R10, clk #1 LD R11 clk #1 LD R12 clk #1 15 20 S k k = 1 Amplitude MOV 0 0 2 4 6 8 10 LD R8, clk #2 LD R9, clk #2 LD R10, clk #2 LD R11, clk #2 Time [ µ s] LD R8, clk #1 LD R9, clk #1 LD R10, clk #1 LD R11 clk #1 LD R12 clk #1 30 10 Amplitude 0 0 2 4 6 8 10 Time [ µ s] 40 . . 5 . 0 50 0 2 4 6 8 10 Time [ µ s] 60 0 10 20 30 40 50 60 k = 255 Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 6

  12. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Attack: using the multivariate normal distribution x k ) ′ S − 1 1 − 1 √ � � d ( k | x ) = (2 π ) m | S k | exp 2 ( x − ¯ k ( x − ¯ x k ) k ⋆ → argmax k d ( k | x ) MOV LD R8, clk #2 LD R9, clk #2 LD R10, clk #2 LD R11, clk #2 LD R8, clk #1 LD R9, clk #1 LD R10, clk #1 LD R11 clk #1 LD R12 clk #1 Amplitude 0 0 2 4 6 8 10 Time [ µ s] Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 7

  13. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Problem 1: Floating point issues x k ) ′ S − 1 1 − 1 √ � � d ( k | x ) = (2 π ) m | S k | exp 2 ( x − ¯ k ( x − ¯ x k ) Issue 1: exp( x ) is only safe for | x | < 710, which is easily exceeded in our experiments. Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 8

  14. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Problem 1: Floating point issues x k ) ′ S − 1 1 − 1 √ � � d ( k | x ) = (2 π ) m | S k | exp 2 ( x − ¯ k ( x − ¯ x k ) Issue 1: exp( x ) is only safe for | x | < 710, which is easily exceeded in our experiments. Issue 2: | S k | can overflow/underflow easily for large m ( > 50). These are real problems. Naive implementations are likely to fail. Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 9

  15. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Solution: use LOG x k ) ′ S − 1 2 log 2 π − 1 2 log | S k | − 1 d LOG ( k | x ) = − m 2 ( x − ¯ k ( x − ¯ x k ) log Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 10

  16. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Caveat: pdf can be larger than 1 “[Choose the candidate k that leads to the] smallest absolute value [of d LOG ]” [Mangard, Oswald, Popp ’07] log Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 11

  17. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Caveat: pdf can be larger than 1 “[Choose the candidate k that leads to the] smallest absolute value [of d LOG ]” Incorrect: log is monotonic, abs is not! We choose k with highest value of d LOG . [Mangard, Oswald, Popp ’07] log Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 12

  18. Introduction Classic Approach Problems Efficient Templates Evaluation Conclusion Problem 2: dealing with large number of samples Myth: problems with inversion of S k as soon as m is large. m = number of samples n p = number of traces from profiling, for each k Omar Choudary, Markus G. Kuhn Efficient Template Attacks Slide 13

Recommend


More recommend