taylor expansion of maximum likelihood attacks
play

Taylor Expansion of Maximum Likelihood Attacks Institut Nicolas - PowerPoint PPT Presentation

Taylor Expansion of Maximum Likelihood Attacks Institut Nicolas Bruneau 1 , 2 , Sylvain Guilley 1 , 3 , Mines-Telecom Annelie Heuser 1 , Olivier Rioul 1 , cois-Xavier Standaert 4 , Yannick Teglia 2 Fran 1 T el ecom-ParisTech, Crypto


  1. Taylor Expansion of Maximum Likelihood Attacks Institut Nicolas Bruneau 1 , 2 , Sylvain Guilley 1 , 3 , Mines-Telecom Annelie Heuser 1 , Olivier Rioul 1 , cois-Xavier Standaert 4 , Yannick Teglia 2 Fran¸ 1 T´ el´ ecom-ParisTech, Crypto & ComNum Group, Paris, FRANCE 2 STMicroelectronics, AST division, Rousset, FRANCE 3 Secure-IC S.A.S., Rennes, FRANCE 4 Universit´ e Catholique de Louvain, Louvain-la-Neuve, BELGIQUE STMicroelectronics Cryptarchi 2016 — La Grande Motte, France

  2. Introduction Rounded Optimal Attack Case Study Outline Introduction Side-Channel Analysis as a Threat Protection Methods Template Attacks Rounded Optimal Attack Truncated Taylor Expansion Complexity Case Study Protected Table Recomputation Implementation Bi-Variate Attacks Multi-Variate Attacks 2/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  3. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Outline Introduction Side-Channel Analysis as a Threat Protection Methods Template Attacks Rounded Optimal Attack Case Study 3/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  4. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Side-Channel Analysis on Embedded Systems [GMN + 11] noisy measurement moments: µ , σ , etc . distributions: side-channel 0xc7 probe !!! Preprocessing: Distinguisher: - filtering - extract link w/ a model leakage - denoising w/ wavelets - for many possible keys - time/freq. analysis 0xc7 - dimensionality reduction (PCA, LDA) ? ? ? ? ... ... 0x00 0x01 0xc7 0xff 4/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  5. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks ( d − 1) th-Order Masking: Principle Aim The sensitive variable Z is randomly split into Ω shares: ⇒ need random masks M i , 0 < i < Ω Z . . . Z ⊥ M 1 ⊥ ... ⊥ M Ω − 1 M Ω − 1 M 1 Consequence Increases the minimum key-dependent statistical moment 5/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  6. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks ( d − 1) th-Order Masking: Principle Aim The sensitive variable Z is randomly split into Ω shares: ⇒ need random masks M i , 0 < i < Ω Z . . . Z ⊥ M 1 ⊥ ... ⊥ M Ω − 1 M Ω − 1 M 1 Consequence Increases the minimum key-dependent statistical moment 5/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  7. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks ( d − 1) th-Order Masking: Principle Aim The sensitive variable Z is randomly split into Ω shares: ⇒ need random masks M i , 0 < i < Ω Z . . . Z ⊥ M 1 ⊥ ... ⊥ M Ω − 1 M 1 M Ω − 1 Consequence Increases the minimum key-dependent statistical moment 5/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  8. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 1 Z 2 Z 3 Z 4 6/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  9. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 1 Z 2 Z 3 Z 4 6/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  10. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 1 Z 2 Z 3 Z 4 6/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  11. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 1 Z 2 Z 3 Z 4 6/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  12. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 1 Z 2 Z 3 Z 4 6/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  13. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 1 Z 2 Z 3 Z 4 6/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  14. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 1 Z 2 Z 3 Z 4 6/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  15. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 1 Z 2 Z 3 Z 4 6/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  16. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 1 Z 2 Z 3 Z 4 Consequences Increase the noise in the attacks. 6/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  17. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Summary of the Protection Parameters The security level of the protections depends on these parameters: Masking ◮ Ω: the number of shares (link to the numbers of masks) ◮ O : the order (i.e. the minimal key dependent statistical moment) Shuffling ◮ Π the size of the permutation 7/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  18. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Template Attacks Template attacks are the most powerful in a information-theoretic sense [CRR02]. Off-line Profiling The leakage model is learned: ◮ non-parametric methods (e.g. histogram, kernel methods...) ◮ parametric methods (e.g. mixture models) Online Attack Recover the key using the models by applying a maximum likelihood (ML) attack 8/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  19. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Template Attacks Template attacks are the most powerful in a information-theoretic sense [CRR02]. Off-line Profiling The leakage model is learned: ◮ non-parametric methods (e.g. histogram, kernel methods...) ◮ parametric methods (e.g. mixture models) Online Attack Recover the key using the models by applying a maximum likelihood (ML) attack 8/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  20. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Parametric or Non-Parametric ? Parametric The only random part is the noise with known distribution. ◮ easy to estimate; ◮ shuffle and mask are known; ◮ many templates are learned. Non-Parametric Shuffle and masks are part of the noise. ◮ can be hard to estimate ⇒ curse of dimensionality; ◮ shuffle and mask are unknown. 9/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  21. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Notations for the Online attack The attack are applied on: ◮ D leakage points; ◮ Q traces. For each trace the leakage model is X = y ( t , k ∗ , R ) + N where: ◮ X is the leakage measurement; ◮ y = y ( t , k ∗ , R ) is the deterministic part of the model that depends on the correct key k ∗ , some known text t , and the unknown random values (masks and permutations) R ; ◮ N is a random noise, which follows a Gaussian distribution � � − z 2 1 p N ( z ) = 2 πσ 2 exp . √ 2 σ 2 1 We let γ = 2 σ 2 be the SNR parameter. 10/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

  22. Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Maximum Likelihood Attacks Theorem (Maximum Likelihood [ ? ]) When the y ( t , k , R ) are known then the optimal distinguisher ( OPT ) is given by R DQ × R DQ F n → 2 Q log E exp −� x ( q ) − y ( t ( q ) , k , R ) � 2 � ( x , y ( t , k , R )) �→ argmax 2 σ 2 k ∈ F n q =1 2 where expectation E is applied to the random variable R ∈ R and � · � is the Euclidean norm: D 2 � 2 � � x ( q ) − y ( t ( q ) , k , R ) � � x ( q ) � − y d ( t ( q ) , k , R ) = . � � d � d =1 11/29 Taylor Expansion of Maximum Likelihood Attacks Juin 2016

Recommend


More recommend