Fast leakage assessment
Oscar Reparaz, Benedikt Gierlichs, Ingrid Verbauwhede
COSIC / KU Leuven
CHES 2017, Taipei (Taiwan), 2017-09-26

an empirical approach to test device security
“Enumerate all attacks, check if any is successful”
✅ very concrete view on the security level provided
❌ a bit slow
❌ difficult to be comprehensive: not all attacks are public, time is finite, …

evaluation space
measurement setup: power; EM at coordinate (x,y); EM at different place
input structure: random plaintext; fix first column
intermediate targeted: round 1 after sbox 1; round 1 after sbox 2; …; round 1 after MC 1
distinguisher: single bit; CPA with HW; CPA with HD; CPA + linear regression
one million knobs to adjust

Security notions
key recovery: Can an adversary extract the key? “pragmatic” security notion ≈ DPA
(in)distinguishability, k=k1 vs. k=k2: Can an adversary tell the two devices apart? “stronger” security notion ≈ leakage assessment

FC 2000
Leakage assessment review
A. Take N measurements for each plaintext class (measurement setup)
B. For each class, describe the trace distribution (distribution statistic)
   A. normally use some descriptive statistic: mean, variances, skewness, kurtosis, …
C. Compare the class-dependent statistics (statistical test)
   A. If significant difference -> fail test
   B. Otherwise: “pass”

measurement setup: power; EM at coordinate (x,y); EM at different place
input structure: random plaintext; fix first column
intermediate targeted: (empty)
distinguisher: (empty)

A common instance of leakage assessment
• Distribution parameter to check: means
• Statistical test: Welch’s t-test, $t = \dfrac{\bar{x}_1 - \bar{x}_2}{\sqrt{\dfrac{s_1^2}{n_1} + \dfrac{s_2^2}{n_2}}}$
• Classes definition:
  • p=a fixed “special” value (=non-specific first-order test)
  • p=a random value
Generalization: higher-order tests (useful when targeting masked implementations)
THIS TALK: COMPUTATIONAL EFFICIENCY

Problem description
• Compute efficiently all statistical moments up to order d
• Important practicalities:
  • online (=one pass) formulas
  • acquire trace, process it and throw away. Never touches HDD (bottleneck)
  • many traces, probably long
  • numerical stability (millions of traces). results should be, well, reliable

[Schneider—Moradi] (2015): samples -> statistics, via (complicated) formulae, per each trace
[Reparaz—Gierlichs]: samples -> densities (trivial, once per each trace) -> statistics (trivial, only when required)
• Observation: traces take integral values in $([0, 2^Q) \cap \mathbb{Z})^L$

Our method:
1. Build a histogram expressing trace distribution (trivial: hist[s]++)
2. From the histogram, compute arbitrary distribution parameters (also trivial)
[Reparaz—Gierlichs]: samples -> densities -> statistics

Implementation
• C99 prototype in 130 lines. Uses 32-bit counters -> at most 4 billion measurements without overflowing.
• Q=8 (as most ADCs)
• Variance: do not need to use single pass!
  • but used Welford method (just to recycle code)

Results
• N=1 million, L=3000 samples, gcc -O3, Core i5, up to order 5
  • 9.8 s for step 1
  • 0.8 s for step 2
• this makes 305 MB/s -> 500 to 800 times faster
• (synthetic dataset with worst-case cache access pattern)
• Memory: when L=3000 the two histograms take 6 MB which just fits on L2 cache

Floating point vs integer arithmetic!
• Time scales linearly in (essentially) everything. Embarrassingly parallel
• Take away: 500-800 fold speed-up
• Before: 3 CPU-months, now 4 CPU-hours

• BONUS 1: exact arithmetic. Work in $\mathbb{Q}$
  • wrote it with the GMP mpq_t rational number type -> exact result. algorithm choice has no effect whatsoever.
  • final square root operation with 128-bit precision
• BONUS 2: apply kernel-based estimation methods
  • apply kernels directly to histograms! useful when playing with different kernel parameters, do not need to take new traces
• BONUS 3: arbitrary pre-processing function
  • do leakage detection test on |x|, or sin(x), or whatever
• BONUS 4: information-theoretic leakage detection
  • compute mutual information, Kolmogorov—Smirnov, anything, possibly combined with kernels
• BONUS 5: clipping detection
  • did you screw with the measurement setup? Very useful in Leuven

Conclusion
• Methodology to significantly alleviate the computational effort.
• Extremely simple (130 lines of C)
• Significant improvement: several orders of magnitude, 500x to 800x
• Mature: deployed in our Leuven lab in summer 2014, used almost every day to evaluate our designs
• Trace processing is no longer bottleneck in our setup!

Thank you for your attention
Questions?