Generic Side-Channel Distinguishers: Improvements and Limitations
N. Veyrat-Charvillon and F-X. Standaert
UCL Crypto Group, Université catholique de Louvain
CRYPTO 2011, August 16
Outline: Side-Channel Cryptanalysis; Models and Dependencies; New Generic Test; Experiments; Conclusions

Evaluating Implementations With DPA Attacks
[Figure: attack diagram]
Adversary: j -> predict -> V_{j,P} -> model -> X_{j,P}
Device: k, P -> compute -> V_{s,P} -> leak -> Y_{k,P}
D: j = s ?
Main ingredients: leakage model & dependency test

Ingredient 1: Leakage Models
Two adversarial scenarios:
• Profiled case: preliminary estimation of the leakage pdf
    • Gaussian distribution
    • Mixture model
    • . . .
• Non-profiled case: assumption on the leakage pdf (based on engineering intuition)
    • Hamming weight/distance
    • Linear (or quadratic, . . . ) function of bits
    • Identity function
    • . . .

Ingredient 2: Dependency Test
Different adversarial choices depending on:
• Number of samples used: univariate or multivariate
• Moment of the pdf exploited: mean, variance, . . .
• Type of dependency tested: linear, monotonic, . . .

Existing Tests: Efficiency vs. Genericity
(ordered from efficient at the top to generic at the bottom)
Test                       Samples        Moment        Dependency
Pearson correlation        univariate     mean          linear
Spearman correlation       univariate     mean          monotonic
Least Square Regression    multivariate   mean          MV linear
Mutual information         multivariate   all moments   any dependency

Additional Concern: Choice of Parameters
e.g. number of histogram bins (or kernel bandwidth, number of mixture components)

Open questions
Question 1: can we design a generic side-channel distinguisher that is free of parameters?
Question 2: can we evaluate side-channel attacks with non-profiled distinguishers only?

Our Contributions
w.r.t. question 1, a new distinguisher based on:
1. leakage space reduction through copulas
2. dimensionality reduction using spacings
3. non-parametric uniformity test
w.r.t. question 2, empirical evaluations showing:
1. the efficiency of the new generic test
2. the necessity of profiled security evaluations

The new distinguisher

Tool 1: Leakage Space Reduction
[Figure: the empirical cumulant F̂_Y(y) maps each leakage y to z = F̂_Y(y) (copula); Pr[Y = y] and Pr[Z = z] are shown for the marginal distribution and for the conditional distributions X_{j,P} = 0 and X_{j,P} = 1]
+ Cumulants are easier to estimate than pdfs
+ Projected marginal distribution is uniform

Tool 2: Leakage Partition and Distance Sampling
[Figure: Pr[U = u] for u between 0 and 1, correct key vs. wrong key]
+ Wrong key candidates should behave like uniform
+ All model values contribute to the estimation

Tool 3: Smoothing and Evaluation
[Figure: Pr[U = u] for u between 0 and 1; theoretical distribution, correct key, wrong key]
+ No parameters
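
Added example (not from the slides or the authors' code): a simplified evaluation-lab sketch of Tools 1 to 3 on constructed traces. It applies the copula transform z = F̂_Y(y), partitions the result with a Hamming-weight model, and scores each key candidate with a parameter-free Kolmogorov-Smirnov uniformity test, which stands in here for the talk's spacing-based distance sampling and smoothing. The PRESENT S-box, the noise level and all function names are assumptions.

```python
import random

# PRESENT 4-bit S-box, chosen only as a convenient non-linear target (assumption).
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]
HW = [bin(v).count("1") for v in range(16)]

def simulate(key, n, sigma, seed):
    """Constructed traces: leakage = HW(S(p ^ key)) + Gaussian noise."""
    rng = random.Random(seed)
    plaintexts = [rng.randrange(16) for _ in range(n)]
    leaks = [HW[SBOX[p ^ key]] + rng.gauss(0, sigma) for p in plaintexts]
    return plaintexts, leaks

def copula_transform(leaks):
    """Map each sample to its empirical CDF value z = F_Y(y) in (0, 1]."""
    order = sorted(range(len(leaks)), key=leaks.__getitem__)
    z = [0.0] * len(leaks)
    for rank, idx in enumerate(order, start=1):
        z[idx] = rank / len(leaks)
    return z

def ks_uniform(sample):
    """Kolmogorov-Smirnov distance between a sample and Uniform(0, 1)."""
    s, n = sorted(sample), len(sample)
    return max(max((i + 1) / n - v, v - i / n) for i, v in enumerate(s))

def score(plaintexts, z, guess):
    """Size-weighted mean KS distance over the classes of the HW model."""
    classes = {}
    for p, zi in zip(plaintexts, z):
        classes.setdefault(HW[SBOX[p ^ guess]], []).append(zi)
    return sum(len(c) * ks_uniform(c) for c in classes.values()) / len(z)

def rank_keys(plaintexts, leaks):
    """Return key candidates sorted by decreasing score, plus the scores."""
    z = copula_transform(leaks)
    scores = {g: score(plaintexts, z, g) for g in range(16)}
    return sorted(scores, key=scores.get, reverse=True), scores

if __name__ == "__main__":
    pts, lk = simulate(key=0x9, n=2000, sigma=0.3, seed=1)
    order, scores = rank_keys(pts, lk)
    print("best candidate:", hex(order[0]), "score: %.3f" % scores[order[0]])
```

The conditional distributions under a wrong candidate are mixtures of the true classes, so they sit closer to uniform than under the correct key; this is the property the "wrong key candidates should behave like uniform" slide relies on.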

2D case: Leakage Space Reduction
[Figure: Pr[Y = y] over (y_1, y_2) and its image under (F̂_{Y_1}(y), F̂_{Y_2}(y)), for Hamming weight = 1 and Hamming weight = 6]
+ Copula transform preserves multivariate dependencies

2D case: Leakage Partition and Distance Sampling
[Figure: Pr[U = u] for u between 0 and 1, correct key vs. wrong key]
+ Univariate pdf of a multidimensional distance

2D case: Smoothing and Evaluation
[Figure: Pr[U = u] for u between 0 and 1; theoretical distribution, correct key, wrong key]

Experimental Results

Univariate Hamming Weight Leakages
[Figure: success rate (0.0 to 1.0) vs. #msg (10 to 80); curves: Correlation, HW model; MIA, HW model; LSR, linear basis; New test, HW model]
• Specific distinguishers are more efficient

Hamming Weight Leakage, Bivariate Dependency
[Figure: success rate (0.0 to 1.0) vs. #msg (500 to 3000); curves: MIA, HW model; New test, HW model]
• New test exploits samples efficiently (compared to MIA)

CMOS 65 nm Measurements, Bivariate Dependency
[Figure: success rate (0.0 to 1.0) vs. #msg (1000 to 5000); curves: MIA, 7-bit model; MIA, clusters; New test, 7-bit model; New test, clusters]
• Leakage model hard to infer from engineering intuition

Dual-Rail Simulations, Univariate Dependency
[Figure: success rate (0.0 to 1.0) vs. #msg (20 to 100); curves: Correlation, HW model; New test, clusters; LSR, linear basis; MIA, clusters]
• Non-linear leakage functions can be exploited

Dual-Rail Simulations, Bivariate Dependency
[Figure: success rate (0.0 to 1.0) vs. #msg (1000 to 5000); curves: New test, clusters; Bivariate template; MIA, clusters]
• Profiling is needed to evaluate protected implementations

Conclusions
1. SCAs = efficiency vs. genericity tradeoff ('simple' dependencies are easier to exploit)
    • New generic test completely free of parameters
2. Profiling is needed for security evaluations
    • Dependency tests can be generic . . . but not leakage models (so far)
    • (Eurocrypt 2009 evaluation framework)
Open question: do highly non-linear leakage functions exist in practice? (or can non-linearity be used as a design criterion?)