Taylor Expansion of Maximum Likelihood Attacks Institut Nicolas Bruneau 1 , 2 , Sylvain Guilley 1 , 3 , Mines-Telecom Annelie Heuser 1 , Olivier Rioul 1 , cois-Xavier Standaert 4 , Yannick Teglia 5 Fran¸ 1 T´ el´ ecom-ParisTech, Crypto & ComNum Group, Paris, FRANCE 2 STMicroelectronics, AST division, Rousset, FRANCE 3 Secure-IC S.A.S., Rennes, FRANCE 4 Universit´ e Catholique de Louvain, Louvain-la-Neuve, BELGIQUE 5 Gemalto, La Ciotat, FRANCE STMicroelectronics ASIACRYPT 2016 — Hanoi, Vietnam
Introduction Rounded Optimal Attack Case Study Nicolas Bruneau, Sylvain Guilley, Annelie Heuser, Olivier Rioul, Fran¸ cois-Xavier Standaert, Yannick Teglia 2/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Rounded Optimal Attack Case Study Outline Introduction Side-Channel Analysis as a Threat Protection Methods Template Attacks Rounded Optimal Attack Truncated Taylor Expansion Complexity Case Study Protected Table Recomputation Implementation Bi-Variate Attacks Multi-Variate Attacks 3/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Outline Introduction Side-Channel Analysis as a Threat Protection Methods Template Attacks Rounded Optimal Attack Case Study 4/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Side-Channel Analysis on Embedded Systems noisy measurement moments: µ , σ , etc . distributions: side-channel 0xc7 probe !!! Preprocessing: Distinguisher: - filtering - extract link w/ a model leakage - denoising w/ wavelets - for many possible keys - time/freq. analysis 0xc7 - dimensionality reduction (PCA, LDA) ? ? ? ? ... ... 0x00 0x01 0xc7 0xff 5/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks (Ω − 1) th-Order Masking: Principle Aim The sensitive variable Z is randomly split into Ω shares: ⇒ need random masks M i , 0 < i < Ω Z . . . Z ⊥ M 1 ⊥ ... ⊥ M Ω − 1 M 1 M Ω − 1 6/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks (Ω − 1) th-Order Masking: Principle Aim The sensitive variable Z is randomly split into Ω shares: ⇒ need random masks M i , 0 < i < Ω Z . . . Z ⊥ M 1 ⊥ ... ⊥ M Ω − 1 M 1 M Ω − 1 6/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks (Ω − 1) th-Order Masking: Principle Aim The sensitive variable Z is randomly split into Ω shares: ⇒ need random masks M i , 0 < i < Ω Z . . . Z ⊥ M 1 ⊥ ... ⊥ M Ω − 1 M 1 M Ω − 1 Consequence Increases the minimum key-dependent statistical moment. 6/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 1 7/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 1 Z 2 7/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 1 Z 2 Z 3 7/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 1 Z 2 Z 3 Z 4 7/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 3 7/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 1 Z 3 7/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 1 Z 2 Z 3 7/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 1 Z 2 Z 3 Z 4 7/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Shuffling: Principle Aim Randomize the order of execution ⇒ need a random permutation π Z 1 Z 2 Z 3 Z 4 Consequences The attacks are applied on the sum of the variables ⇒ increases the algorithmic noise. 7/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Protection Parameters The security level of the protections depends on these parameters: Masking ◮ Ω: the number of shares (Ω − 1 masks); ◮ O : the order (i.e. the minimal key-dependent statistical moment). Perfect masking scheme ⇔ O = Ω. Shuffling ◮ Π the size of the permutation. 8/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Template Attacks Template attacks are the most powerful in a information-theoretic sense [Chari et al., 2002]. Offline Profiling The leakage model is learned: ◮ non-parametric methods (e.g. histogram, kernel methods...); ◮ parametric methods (e.g. mixture models). Online Attack Recover the key using the models by applying a maximum likelihood (ML) attack. 9/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Parametric or Non-Parametric ? Parametric The only random part is the noise with known distribution. ◮ easy to estimate; ◮ shuffle and mask are known; ◮ many templates are learned. Non-Parametric Shuffle and masks are part of the noise. ◮ can be hard to estimate ⇒ curse of dimensionality; ◮ shuffle and mask are unknown. 10/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Parametric or Non-Parametric ? Parametric The only random part is the noise with known distribution. ◮ easy to estimate; ◮ shuffle and mask are known; ◮ many templates are learned. Non-Parametric Shuffle and masks are part of the noise. ◮ can be hard to estimate ⇒ curse of dimensionality; ◮ shuffle and mask are unknown. 10/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Notations for the Online attack The attacks are applied on: ◮ Q queries (i.e. the traces). ◮ D dimension (i.e. the number of leakage samples); A leakage measurement is X = y ( t , k ∗ , R ) + N where: ◮ y ( t , k ∗ , R ) is the deterministic part of the model; ◮ the secret key k ∗ and the plaintext t are n -bit words; ◮ R is the random countermeasure; ◮ N is a random Gaussian noise of variance σ 2 . 11/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Introduction Side-Channel Analysis as a Threat Rounded Optimal Attack Protection Methods Case Study Template Attacks Maximum Likelihood Attacks Theorem (Maximum Likelihood [Bruneau et al., 2014]) When the model is known the optimal distinguisher ( OPT ) consists in maximizing the sum over all traces q = 1 , . . . , Q of the log-likelihood: Q log E exp −� x ( q ) − y ( t ( q ) , k , R ) � 2 � LL = , 2 σ 2 q =1 where expectation E is applied to the random variable R ∈ R and � · � is the Euclidean norm on R D . 1 For convenience we let γ = 2 σ 2 be the SNR parameter. 12/30 Taylor Expansion of Maximum Likelihood Attacks December 2016
Recommend
More recommend