
Side-Channel Countermeasures Dissection and the Limits of Closed - PowerPoint PPT Presentation

Introduction Countermeasures Dissection Information Extraction Attack Results Closed Source Evaluation Conclusion Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations Olivier Bronchain Fran


  7. What About Real-World Targets?
     A few published attacks on real products exist:
     ◮ Key recovery for bitstream encryption keys (Moradi et al., 2011)
     ◮ Update forgery on HP Light Bulbs (Ronen et al., 2016)
     ◮ Car opening against Tesla Key Fob (Wouters et al., 2019)
     Once the (huge) reverse engineering is done, attacks are straightforward.
     ◮ These examples are however not reflective of certified products
     ◮ We lack practically relevant examples of "sound combinations of countermeasures"

  16. Useful step in this direction: ANSSI's Implem.
      Open-source protected AES:
      ◮ From a team of experts
      ◮ Mixed countermeasures
      ◮ Preliminary leakage assessment
      !! Educational purpose only !!
      It could be used to study:
      1. Effectiveness of mixed countermeasures
      2. Security on popular 32-bit MCU's
      3. Impact of open designs for worst-case security evaluations

  24. Profiled Side-Channel Attacks in
      [Figure: plot of current against time with traces labelled x=0x00, x=0x0f and x=0xff; block diagram in which k_0, k_1, ..., k_15 and p_0, p_1, ..., p_15 feed Sbox blocks whose outputs x_0, x_1, ..., x_15 enter a Linear Layer.]
      Worst-case analysis in two phases:
      1. Profiling / Learning target behavior
         ◮ Algorithm/Implementation knowledge
         ◮ Leakage examples in controlled settings (i.e. known randomness)
      2. Attack
         ◮ Extract information from leakage
         ◮ Processing for secret recovery

  25. Content
      ◮ Introduction
      ◮ Countermeasures' Dissection
      ◮ Information Extraction
      ◮ Attack Results
      ◮ Closed Source Evaluation
      ◮ Conclusion

  34. Countermeasures
      At a high level:
      ◮ Affine masking on bytes
        ◮ Multiplicative mask $r_m$ (same for all the 16 bytes)
        ◮ Additive mask $r_a$
        ◮ Requires alternative Sbox table pre-computation
      ◮ Shuffled execution
        ◮ One permutation for the 16 Sboxes
        ◮ Another permutation for the 4 MixColumns
        ◮ Both are pre-computed

  46. Countermeasures
      [Diagram with three columns: Inputs, Pre-computation, Encryption.]
      ◮ Inputs: $\vec{R}_a$ and $\vec{P}$; $r_m$, $r_{in}$, $r_{out}$; seed$_1$, seed$_2$; seed$'_1$, seed$'_2$
      ◮ Pre-computation:
        ◮ Multiplicative Sbox$'$ pre-computation from $r_m$, $r_{in}$, $r_{out}$
        ◮ Perm. over $\{0, \ldots, 15\}$ computation from seed$_1$, seed$_2$, giving $p_{\vec{C}}$, $p_{\vec{R}_a}$
        ◮ Perm. over $\{0, 1, 2, 3\}$ computation from seed$'_1$, seed$'_2$, giving $p'_{\vec{C}}$, $p'_{\vec{R}_a}$
      ◮ Encryption: $\vec{C} = (r_m \otimes \vec{P}) \oplus \vec{R}_a$, then AddRoundKey, Sbox$'$ (with $r_{in}$, $r_{out}$), ShiftRows and MixColumns; ShiftRows and MixColumns each appear twice in the diagram, and the permutations $p_{\vec{C}}$, $p_{\vec{R}_a}$, $p'_{\vec{C}}$, $p'_{\vec{R}_a}$ are fed to the round operations.
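The affine masking and shuffled Sbox' lookup outlined on the two Countermeasures slides, as an added Python example (not taken from the slides or from ANSSI's code) that checks the masked computation unmasks to the plain AES SubBytes. Assumptions: the table is defined as Sbox'[r_m ⊗ x ⊕ r_in] = r_m ⊗ Sbox(x) ⊕ r_out, the mask-switching order is chosen here, the permutation comes from the OS random generator instead of the seeds, and all function names are hypothetical.

```python
import secrets

def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def ginv(a):
    """Field inverse computed as a^254 (maps 0 to 0, as the AES Sbox requires)."""
    r = 1
    for _ in range(254):
        r = gmul(r, a)
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def aes_sbox(x):
    """AES Sbox: field inversion followed by the affine transform."""
    b = ginv(x)
    return b ^ _rotl8(b, 1) ^ _rotl8(b, 2) ^ _rotl8(b, 3) ^ _rotl8(b, 4) ^ 0x63

SBOX = [aes_sbox(x) for x in range(256)]

def mask_state(plain, r_m, R_a):
    """C = (r_m (x) P) xor R_a: one shared multiplicative mask, one additive mask per byte."""
    return [gmul(r_m, p) ^ a for p, a in zip(plain, R_a)]

def unmask_state(masked, r_m, R_a):
    inv = ginv(r_m)  # r_m must be non-zero to be invertible
    return [gmul(inv, c ^ a) for c, a in zip(masked, R_a)]

def precompute_sbox_prime(r_m, r_in, r_out):
    """Assumed table definition: Sbox'[r_m*x ^ r_in] = r_m*Sbox(x) ^ r_out."""
    table = [0] * 256
    for x in range(256):
        table[gmul(r_m, x) ^ r_in] = gmul(r_m, SBOX[x]) ^ r_out
    return table

def shuffled_masked_subbytes(masked, R_a, r_in, r_out, sbox_prime, perm):
    """Process the 16 bytes in the order given by perm, never exposing r_m*x unmasked."""
    out = list(masked)
    for i in perm:
        u = (masked[i] ^ r_in) ^ R_a[i]   # add r_in before removing R_a[i]
        v = sbox_prime[u]                  # r_m*Sbox(x) ^ r_out
        out[i] = (v ^ R_a[i]) ^ r_out      # add R_a[i] before removing r_out
    return out

def fresh_randomness():
    """Per-execution randomness; r_m is drawn from the non-zero field elements."""
    r_m = secrets.randbelow(255) + 1
    R_a = [secrets.randbelow(256) for _ in range(16)]
    r_in, r_out = secrets.randbelow(256), secrets.randbelow(256)
    perm = list(range(16))
    secrets.SystemRandom().shuffle(perm)
    return r_m, R_a, r_in, r_out, perm

def protected_subbytes(plain):
    """Mask, run the shuffled Sbox' layer, unmask; should equal plain SubBytes."""
    r_m, R_a, r_in, r_out, perm = fresh_randomness()
    table = precompute_sbox_prime(r_m, r_in, r_out)
    masked = mask_state(plain, r_m, R_a)
    out = shuffled_masked_subbytes(masked, R_a, r_in, r_out, table, perm)
    return unmask_state(out, r_m, R_a)

if __name__ == "__main__":
    state = list(range(16))  # constructed sample state
    print(protected_subbytes(state) == [SBOX[p] for p in state])
```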

  55. Optimal Distinguisher
      Profiled attacks are based on secret conditional distribution which depends on the countermeasures. Full expression is written as
      $$f[\vec{l} \mid x] \propto \sum_{r_m} \sum_{r_a} \sum_{o_1} \sum_{o_2} f[\vec{l} \mid r_m, r_a, c, o_1, o_2]$$
      Annotations on the expression: Mult. mask ($r_m$), Add. mask ($r_a$), Perm. on shares ($o_1$, $o_2$), Template ($f[\vec{l} \mid r_m, r_a, c, o_1, o_2]$).
      Optimal but rapidly out of reach:
      ◮ One template per randomness combination
      ◮ Sum over all the possible randomness
      ⇒ Hypotheses needed

  65. Countermeasures Dissection
      Assuming ⊥ leakages on secret:
      $$f[\vec{l} \mid x] \propto \sum_{r_m} \Pr[r_m \mid \vec{l}_{r_m}] \cdot \sum_{r_a} \Big( \sum_{o_1} f[\vec{l}_{r_a} \mid r_a, o_1] \cdot \Pr[o_1 \mid \vec{l}_{o_1}] \Big) \cdot \Big( \sum_{o_2} f[\vec{l}_{c} \mid c, o_2] \cdot \Pr[o_2 \mid \vec{l}_{o_2}] \Big)$$
      Annotations on the expression: Mult. mask (the $r_m$ factor), Add. mask + Perm (the sum over $o_1$), Enc. + Perm (the sum over $o_2$).
      Countermeasures' Dissection:
      ◮ What: From combined countermeasures, expected multiplicative effect
        ◮ Reduce it to a small factor, ideally of 1.
      ◮ How: Bias the sums by independent partial attacks on secrets (i.e. shares)
        ◮ ↘ attack time complexity because terms are removed
        ◮ ↘ number of templates because not joint on all randomness

  70. Measurement Setup
      Composed of
      ◮ Cortex-M4 Atmel
      ◮ High end EM Probe
      ◮ PicoScope 5000 series sampling at 1GHz
      How to extract information in ?

  78. Profiling (e.g., permutation)
      1. Compute SNR
      2. Select points of interest
      3. Train projection
      4. Project to subspace
      5. Fit pdf estimation (i.e. gauss.)
      [Figure: SNR against time [s] ($\times 10^{-3}$) for seed$'_1$ and seed$'_2$; PCA Training and PCA blocks labelled 3000 and 3; fitted densities $f[\vec{l}_{o_1} \mid o_1 = 0]$ and $f[\vec{l}_{o_1} \mid o_1 = 1]$, and $f[l_2 \mid \text{seed}'_1]$, plotted over the projected coordinates $l_0$, $l_1$, $l_2$.]
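The profiling steps listed above, as an added Python example on constructed traces (not code or data from the talk): it computes the per-sample SNR, selects points of interest, fits one Gaussian per label and returns Pr[label | trace], which is how an evaluator quantifies what a shuffling seed leaks. It skips the PCA projection step and assumes a Hamming-weight leakage model, a 2-bit label and independent points of interest; all names and constants are hypothetical.

```python
import math
import random

LABELS = [0, 1, 2, 3]        # constructed: a 2-bit label such as a shuffling seed
LEAK = {5: 1.0, 12: 0.6}     # constructed: sample index -> leakage gain

def hw(v):
    return bin(v).count("1")

def simulate(n, n_samples=20, noise_sd=1.0, seed=1):
    """Constructed traces: Gaussian noise plus gain * HW(label) at the LEAK samples."""
    rng = random.Random(seed)
    traces, labels = [], []
    for _ in range(n):
        y = rng.choice(LABELS)
        t = [rng.gauss(0.0, noise_sd) for _ in range(n_samples)]
        for j, gain in LEAK.items():
            t[j] += gain * hw(y)
        traces.append(t)
        labels.append(y)
    return traces, labels

def class_stats(traces, labels):
    """Per-label mean and variance of every time sample, in a single pass."""
    n_samples = len(traces[0])
    acc = {}
    for t, y in zip(traces, labels):
        s = acc.setdefault(y, [0, [0.0] * n_samples, [0.0] * n_samples])
        s[0] += 1
        for j, v in enumerate(t):
            s[1][j] += v
            s[2][j] += v * v
    stats = {}
    for y, (n, s1, s2) in acc.items():
        mean = [a / n for a in s1]
        var = [b / n - m * m for b, m in zip(s2, mean)]
        stats[y] = (mean, var)
    return stats

def snr(stats):
    """SNR per sample: variance of the class means over the mean class variance."""
    n_samples = len(next(iter(stats.values()))[0])
    curve = []
    for j in range(n_samples):
        means = [m[j] for m, _ in stats.values()]
        noise = sum(v[j] for _, v in stats.values()) / len(stats)
        grand = sum(means) / len(means)
        signal = sum((m - grand) ** 2 for m in means) / len(means)
        curve.append(signal / noise)
    return curve

def select_poi(snr_curve, threshold):
    """Points of interest: samples whose SNR exceeds the threshold."""
    return [j for j, s in enumerate(snr_curve) if s > threshold]

def posterior(trace, stats, poi):
    """Pr[label | trace] from per-label Gaussians at the POIs, uniform prior."""
    logp = {}
    for y, (mean, var) in stats.items():
        logp[y] = sum(
            -0.5 * math.log(2 * math.pi * var[j])
            - (trace[j] - mean[j]) ** 2 / (2 * var[j])
            for j in poi
        )
    top = max(logp.values())
    weights = {y: math.exp(lp - top) for y, lp in logp.items()}
    total = sum(weights.values())
    return {y: w / total for y, w in weights.items()}

if __name__ == "__main__":
    traces, labels = simulate(4000)
    stats = class_stats(traces, labels)
    poi = select_poi(snr(stats), 0.05)
    print("points of interest:", poi)
    print("posterior for first trace:", posterior(traces[0], stats, poi))
```

Labels 1 and 2 share a Hamming weight, so under this constructed leakage model their posteriors stay close to each other however many traces are profiled.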

  79. Partial Attacks
      1. Measure a trace
      [Figure: Signal [mV] against time [s] ($\times 10^{-3}$), followed by a PCA Training block.]
