A C OMPREHENSIVE E VALUATION OF M UTUAL I NFORMATION A NALYSIS U SING A F AIR E VALUATION F RAMEWORK Carolyn Whitnall, Elisabeth Oswald carolyn.whitnall@bris.ac.uk Department of Computer Science, University of Bristol 16 th August 2011 C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 1 / 1
Photo from Casey Marshall on Flickr + = Photo from Iain Tate on Flickr Photo from Becky Stern on Flickr Algorithm = Measurements! + Device But how to make the most of those measurements? C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 2 / 1
W HAT IS A S IDE -C HANNEL D ISTINGUISHER ? C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 3 / 1
W HAT IS A S IDE -C HANNEL D ISTINGUISHER ? C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 3 / 1
W HAT IS A S IDE -C HANNEL D ISTINGUISHER ? C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 3 / 1
W HAT IS A S IDE -C HANNEL D ISTINGUISHER ? C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 3 / 1
W HAT IS A S IDE -C HANNEL D ISTINGUISHER ? C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 3 / 1
W HAT IS A S IDE -C HANNEL D ISTINGUISHER ? C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 3 / 1
W HAT IS A S IDE -C HANNEL D ISTINGUISHER ? 0.6 3 # standard deviations 0.4 Distinguisher value 2 0.2 1 0 0 −1 −0.2 −2 −0.4 0 0 10 10 20 20 30 30 40 40 50 50 60 60 Key hypothesis True key Nearest rival C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 3 / 1
W HAT IS A S IDE -C HANNEL D ISTINGUISHER ? 0.6 3 # standard deviations 0.4 Distinguisher value 2 0.2 1 0 0 −1 −0.2 −2 −0.4 0 0 10 10 20 20 30 30 40 40 50 50 60 60 Key hypothesis True key Nearest rival C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 3 / 1
W HAT IS A S IDE -C HANNEL D ISTINGUISHER ? 0.6 3 # standard deviations 0.4 Distinguisher value 2 0.2 1 0 0 −1 −0.2 −2 −0.4 0 0 10 10 20 20 30 30 40 40 50 50 60 60 Key hypothesis True key Nearest rival C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 3 / 1
W HAT IS A S IDE -C HANNEL D ISTINGUISHER ? 0.6 3 # standard deviations 0.4 Distinguisher value 2 0.2 1 0 0 −1 −0.2 −2 −0.4 0 0 10 10 20 20 30 30 40 40 50 50 60 60 Key hypothesis True key Nearest rival C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 3 / 1
W HAT M AKES A G OOD D ISTINGUISHER ? T HE USUAL APPROACH . . . Desirable metric: “# of trace measurements required for key recovery” Not like-for-like: Practical outcomes highly sensitive to estimator choice Not computable: Sampling distributions (usually) unknown O UR CONTRIBUTION ‘True’ distinguishing vectors can be directly computed for well-defined hypothetical scenarios Theoretic advantages � = ⇒ practical advantages (unequal estimation costs) BUT Certain characteristics have a strong bearing on likely practical outcomes What features of the theoretic distinguishing vectors most contribute to its estimatability? C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 5 / 1
W HAT M AKES A G OOD D ISTINGUISHER ? T HE USUAL APPROACH . . . Desirable metric: “# of trace measurements required for key recovery” Not like-for-like: Practical outcomes highly sensitive to estimator choice Not computable: Sampling distributions (usually) unknown O UR CONTRIBUTION ‘True’ distinguishing vectors can be directly computed for well-defined hypothetical scenarios Theoretic advantages � = ⇒ practical advantages (unequal estimation costs) BUT Certain characteristics have a strong bearing on likely practical outcomes What features of the theoretic distinguishing vectors most contribute to its estimatability? C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 5 / 1
‘A F AIR E VALUATION F RAMEWORK ’ 0.6 3 Correct key ranking in the theoretic vector 0.4 # standard deviations Distinguisher value 2 0.2 1 ◮ Distinguisher must isolate key in theory to stand a 0 0 −1 chance in practice −0.2 −2 −0.4 0 0 10 10 20 20 30 30 40 40 50 50 60 60 Key hypothesis Nearest-rival distinguishing score – # s.d. between correct key value and highest ranked alternative ◮ The smaller the margin, the fewer the traces needed for estimation! Average minimum support – how large an input support does the distinguisher need? ◮ An attack which needs to ‘see more inputs’ will inevitably need more traces C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 6 / 1
‘A F AIR E VALUATION F RAMEWORK ’ 0.6 3 Correct key ranking in the theoretic vector 0.4 # standard deviations Distinguisher value 2 0.2 1 ◮ Distinguisher must isolate key in theory to stand a 0 0 −1 chance in practice −0.2 −2 −0.4 0 0 10 10 20 20 30 30 40 40 50 50 60 60 Key hypothesis 0.6 Nearest-rival distinguishing score – # s.d. between 3 0.4 # standard deviations Distinguisher value 2 correct key value and highest ranked alternative 0.2 1 0 0 ◮ The smaller the margin, the fewer the traces needed −1 −0.2 for estimation! −2 −0.4 0 0 10 10 20 20 30 30 40 40 50 50 60 60 Key hypothesis Average minimum support – how large an input support does the distinguisher need? ◮ An attack which needs to ‘see more inputs’ will inevitably need more traces C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 6 / 1
‘A F AIR E VALUATION F RAMEWORK ’ 0.6 3 Correct key ranking in the theoretic vector 0.4 # standard deviations Distinguisher value 2 0.2 1 ◮ Distinguisher must isolate key in theory to stand a 0 0 −1 chance in practice −0.2 −2 −0.4 0 0 10 10 20 20 30 30 40 40 50 50 60 60 Key hypothesis 0.6 Nearest-rival distinguishing score – # s.d. between 3 0.4 # standard deviations Distinguisher value 2 correct key value and highest ranked alternative 0.2 1 0 0 ◮ The smaller the margin, the fewer the traces needed −1 −0.2 for estimation! −2 −0.4 0 0 10 10 20 20 30 30 40 40 50 50 60 60 Key hypothesis Average minimum support – how large an input 1 Theoretic success rate 0.8 support does the distinguisher need? 0.6 0.4 ◮ An attack which needs to ‘see more inputs’ will 0.2 inevitably need more traces 0 0 10 20 30 40 Support size C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 6 / 1
T HE D ISTINGUISHERS AT A G LANCE . . . MIA: M UTUAL INFORMATION Defined as: D ( k ) = I ( L k ∗ + ε ; M k ) = H ( L k ∗ + ε ) − H ( L k ∗ + ε | M k ) , where � H is the differential entropy: H ( X ) = − x ∈X p X ( x ) log 2 ( p X ( x )) Functional of the distribution —estimation problematic DPA outcomes extremely sensitive to estimator choice; no ‘ideal’ exists No general results for the sampling distributions CPA: P EARSON ’ S CORRELATION COEFFICIENT Cov ( L k ∗ + ε, M k ) √ Var ( L k ∗ + ε ) √ Defined as: D ( k ) = ρ ( L k ∗ + ε, M k ) = Var ( M k ) Function of distributional moments —estimation simple Sample correlation coefficient suits a broad range of assumptions Lots of ‘nice’ results for its sampling distribution C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 7 / 1
T HE D ISTINGUISHERS AT A G LANCE . . . MIA: M UTUAL INFORMATION Defined as: D ( k ) = I ( L k ∗ + ε ; M k ) = H ( L k ∗ + ε ) − H ( L k ∗ + ε | M k ) , where � H is the differential entropy: H ( X ) = − x ∈X p X ( x ) log 2 ( p X ( x )) Functional of the distribution —estimation problematic DPA outcomes extremely sensitive to estimator choice; no ‘ideal’ exists No general results for the sampling distributions CPA: P EARSON ’ S CORRELATION COEFFICIENT Cov ( L k ∗ + ε, M k ) √ Var ( L k ∗ + ε ) √ Defined as: D ( k ) = ρ ( L k ∗ + ε, M k ) = Var ( M k ) Function of distributional moments —estimation simple Sample correlation coefficient suits a broad range of assumptions Lots of ‘nice’ results for its sampling distribution C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 7 / 1
W HY ‘M UTUAL I NFORMATION A NALYSIS ’? Proposed (Gierlichs et al. , 2008) as an enhancement to correlation DPA: Optimal in an information theoretic sense – quantifies total dependence Generic – should work even without a good power model However . . . correlation DPA frequently performs better in empirical comparisons What can we learn from a theoretic evaluation? Distinguisher Power model Abbreviation Correlation DPA Hamming weight CPA(HW) Hamming weight MIA(HW) Mutual Information Analysis Identity MIA(ID) C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 8 / 1
W HY ‘M UTUAL I NFORMATION A NALYSIS ’? Proposed (Gierlichs et al. , 2008) as an enhancement to correlation DPA: Optimal in an information theoretic sense – quantifies total dependence Generic – should work even without a good power model However . . . correlation DPA frequently performs better in empirical comparisons What can we learn from a theoretic evaluation? Distinguisher Power model Abbreviation Correlation DPA Hamming weight CPA(HW) Hamming weight MIA(HW) Mutual Information Analysis Identity MIA(ID) C. W HITNALL (U NIVERSITY OF B RISTOL ) E VALUATING MIA CRYPTO 2011 8 / 1
Recommend
More recommend