Ridge-based Profiled Differential Power Analysis

Post on 13-Apr-2017


Transcript of Ridge-based Profiled Differential Power Analysis


#RSAC

Yu Yu, Research Professor, Shanghai Jiao Tong University

Session CRYP-F01

Outline

Introduction: (profiled) differential power analysis
  Profiling phase
  Exploitation phase
Our contributions
Ridge-based profiling
Theoretical analysis: why and how is ridge-based profiling better?
  How do the coefficients shrink in ridge-based profiling?
Experimental results: simulation-based experiments
  Experiments on a real FPGA implementation


(Profiled) differential power analysis

Two phases: profiling and exploitation.

Leakage of intermediate variable z: x_z = L(z) (up to noise), where L(·) is the leakage function.

Power model: M(·) is the adversary's approximation of the leakage function, i.e. M(z) ≈ L(z).


Classical profiling

The leakage follows a Gaussian distribution: M(z) ~ N(µ_z, Σ_z).

For each intermediate variable z, the adversary finds the sample mean µ_z and the sample covariance Σ_z.

The sample mean µ_z is obtained by averaging the power consumptions corresponding to intermediate variable z.

To accelerate the profiling, we can assume the sample covariance Σ_z is identical for all intermediate variables.

LR-based profiling

Pros and cons of LR-based profiling


Exploitation phase


Our contributions

A new profiling method based on ridge regression (to mitigate the overfitting issue)

An optimized parameter-finding method based on cross-validation

Theoretical analysis of the new method's improvement

Simulation-based and practical experiments


Construction of ridge-based profiling

Parameter optimization

The optimized parameter is related to the noise level (simulation-based experiment, trace number = 2000).
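As an added worked example, not code from the talk or the underlying paper, here is the construction described above on simulated traces: a monomial basis over the bits of the intermediate value (degree 1 is the weighted Hamming-weight model, higher degrees add bit products), the ridge solution (XᵀX + λI)⁻¹Xᵀy, where λ = 0 is the ordinary least-squares fit of LR-based profiling, and λ picked by k-fold cross-validation. The leakage coefficients, noise level, trace count and λ grid are assumed values chosen for the simulation.

```python
import random
from itertools import combinations

def basis(z, degree):
    # Monomials over the 8 bits of z up to `degree` (constant term first): degree 1 is the
    # weighted-Hamming-weight basis, higher degrees add bit products for non-linear leakage.
    return [1.0] + [float(all((z >> i) & 1 for i in idx))
                    for d in range(1, degree + 1) for idx in combinations(range(8), d)]

def solve(A, b):
    # Gaussian elimination with partial pivoting for the square system A x = b.
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            for k in range(c, n + 1):
                M[r][k] -= f * M[c][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][k] * x[k] for k in range(r + 1, n))) / M[r][r]
    return x

def predict(coef, feats):
    return sum(c * v for c, v in zip(coef, feats))

def ridge_fit(X, y, lam):
    # coef = (X^T X + lam*I)^-1 X^T y with the constant term unpenalised;
    # lam = 0 is ordinary least squares, i.e. LR-based profiling.
    p = len(X[0])
    XtX = [[sum(r[i] * r[j] for r in X) + (lam if i == j and i > 0 else 0.0)
            for j in range(p)] for i in range(p)]
    return solve(XtX, [sum(r[i] * yi for r, yi in zip(X, y)) for i in range(p)])

def cv_lambda(X, y, lams, folds=5):
    # k-fold cross-validation: choose the lam with the smallest held-out squared error.
    def held_out_error(lam):
        err = 0.0
        for f in range(folds):
            tr = [i for i in range(len(y)) if i % folds != f]
            te = [i for i in range(len(y)) if i % folds == f]
            coef = ridge_fit([X[i] for i in tr], [y[i] for i in tr], lam)
            err += sum((predict(coef, X[i]) - y[i]) ** 2 for i in te)
        return err
    return min(lams, key=held_out_error)

def simulate(n_traces, sigma, model_degree, seed=1):
    # Constructed experiment: degree-1 leakage + Gaussian noise (std sigma), fitted with a model
    # of degree model_degree; returns mean squared model error over all 256 z for LR and ridge.
    rng = random.Random(seed)
    true_coef = [rng.uniform(-1, 1) for _ in range(9)]
    leak = lambda z: predict(true_coef, basis(z, 1))
    zs = [rng.randrange(256) for _ in range(n_traces)]
    X, y = [basis(z, model_degree) for z in zs], [leak(z) + rng.gauss(0, sigma) for z in zs]
    lam = cv_lambda(X, y, [0.01, 0.1, 1.0, 10.0, 100.0])
    err = lambda l: sum((predict(ridge_fit(X, y, l), basis(z, model_degree)) - leak(z)) ** 2
                        for z in range(256)) / 256
    return {"LR": err(0.0), "ridge": err(lam)}, lam
```

simulate(60, 1.0, 2) profiles a degree-1 leakage with a 'conservative' degree-2 model (37 coefficients) from only 60 noisy traces, which is where the overfitting of the unregularised LR fit shows up as a larger model error than the ridge fit.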


Variance of the coefficients

Figure: The variances of the coefficients for different degrees (of the model) and λ. The left and right figures correspond to the cases d = 1 and d = 2 respectively.

Figure: The variances of the coefficients for different degrees (of the model) and λ. The left and right figures correspond to the cases d = 4 and d = 8 respectively.


How do the coefficients shrink in ridge-based profiling?


Setup

Profiling methods: ridge-based profiling, LR-based profiling, classical profiling.

Target intermediate variable: output of the first S-box of the first round of AES-128.

Univariate leakage.

Different degrees and randomized coefficients.

Metrics: perceived information, guessing entropy.

A comparison of different profilings for leakage degree 8

A comparison of different profilings for leakage degree 4

A comparison of different profilings for leakage degree 1

A comparison of different profilings with a 'conservatively' chosen degree of model

The adversary may have no knowledge of the actual degree of the leakage function.

He can use a model whose degree is higher than that of the leakage function.

We simulate traces with leakage functions of degrees 1 and 2 and then conduct the above experiments assuming a model of degree 4 for profiling.

Degrees of leakage function and model are 1 and 4 respectively

Degrees of leakage function and model are 2 and 4 respectively


Practical experiments

Test board: SAKURA-X

Oscilloscope: LeCroy WaveRunner 610Zi

First setting

Second setting (robust profiling)

Summary

Ridge-based profiling can save significant factors in the number of traces needed to build a satisfactory leakage model:

Better performance for nonlinear leakage functions.

Time complexity: equal to that of LR-based profiling.

Robust profiling.

Thank you. Questions?

My Traces Learn What You Did in the Dark: Recovering Secret Signals without Key Guesses

Si Gao, PhD Student, Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences

Session CRYP-F01

Outline

Introduction
Preliminaries
ICA-based signal recovery
Applications in SCA
Summary


Introduction

Side Channel Analysis (SCA): exploit the computation leakages

— Leakages depend on the intermediate state

Traditional SCA flow (non-profiled): guess-and-determine

— Step 1: take a key guess

[Figure: for each key guess k_1, ..., k_r in the key guess list, Eve runs the plaintexts through the encryption algorithm to obtain the intermediate states x_{k_i}(1), ..., x_{k_i}(T), applies the (assumed) leakage model M to obtain the expected leakages M(x_{k_i}(1)), ..., M(x_{k_i}(T)), which form the signal list, and compares them against the actual leakage l(1), ..., l(T) to select the most likely key guess k.]

— Step 2: compute the intermediate states from the T plaintexts and the key guess. E.g. the output of an AES S-box, x = S(p ⊕ k_g)

— Step 3: compute the expected leakages of the key guess. E.g. the Hamming weight model, where M(x) = HW(x)

— Step 4: find the most likely key guess. E.g. in CPA, rank the key guesses with Pearson's correlation coefficient

Question: did Eve actually recover the intermediate states x?

— Only found the most likely one from a predetermined list

Not a problem for SCA

— Focus on key recovery (Kerckhoffs's principle)

Pros

— The predetermined list (signal list) << the whole signal space

— SCA works when SNR << 1

— Efficient key recovery

Cons

— The key guess space should be small

— Known plaintext/ciphertext, known encryption algorithm

Limitations: only works for the first/last few rounds

— The related key guess space is too large for SCA. E.g. in AES, the first/last two rounds are protected

[Figure: the same guess-and-determine diagram, with the key guess list marked "Too large".]

Limitations: side channel analysis for reverse engineering

— Cannot compute the intermediate states

[Figure: the same guess-and-determine diagram, with the encryption algorithm marked "Unknown".]

A new model (non-profiled): directly exploit the leakages, without the predetermined list

A much harder problem

— Signal list << signal space

— A preliminary attempt in this direction

[Figure: Eve uses the actual leakage l(1), ..., l(T) and the (assumed) leakage model M to recover the intermediate states x*_1, ..., x*_T directly, and only then derives the most likely key guess k.]

Notes on profiled attacks: much stronger preconditions

— The attacker gets an identical encryption device: build templates, then perform template matching

— Works even if T = 1 (in theory)

— Reverses the intermediate states without key guesses

Not always appropriate

— Power variability issues [Renauld, M., et al., EUROCRYPT 2011]

We only focus on non-profiled attacks in this paper

[Figure: Eve matches the actual leakage l(1), ..., l(T) against the templates Tp to recover the intermediate states x*_1, ..., x*_T, then the most likely key guess k.]


Preliminaries

Blind Source Separation (BSS): n people were talking simultaneously; m microphones are placed in different positions; all recordings can be regarded as linear mixtures of the original conversations.

Unknown sources: the n conversations. Unknown mixing matrix: the mixing features of the m microphones.

Source: http://http://slsp.kaist.ac.kr/xe/?mid=BSS

Independent Component Analysis (ICA)

Blind sources S = (s1, s2, …, sn)

Linear mixing matrix A

m observations Y = (y1, y2, …, ym)

Y = A·S + N (N represents the noise)

Goal: recover S from Y

ICA assumptions

— Independence: the sources are independent of each other

— Non-Gaussian: the distributions of the blind sources are not Gaussian

— n ≤ m

ICA algorithms

— Many popular algorithms

— Not "that" different; we use FastICA in this paper


ICA-based signal recovery

ICA versus SCA: similarities

n-bit intermediate state X

Assume the leakage follows the weighted Hamming weight model: L(x) = α_0 + α_1 x_1 + ... + α_n x_n

ICA versus SCA: differences

Number of observations: m vs. 1

Level of noise: low vs. high

Constructing multi-channel observations: XOR constant

— If a binary source s is XORed with a constant k, the resulting source s′ is s′ = s for k = 0 and s′ = 1 − s for k = 1

— XOR with 1 equals flipping the signal sign

— Move the sign to the leakage function

— Different leakage functions → multi-channel observations

Constructing multi-channel observations: XOR constant and whitening transformation

Real source: s ∈ {0, 1}; after the whitening transformation, s* = 2s − 1 ∈ {−1, 1}, with leakage function L.

Equivalent source: s′ = 1 − s ∈ {1, 0}; after the whitening transformation, s*′ = −s* ∈ {1, −1}, i.e. the same source up to a factor (−1), which is absorbed into the leakage function (the ICA sign ambiguity).
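An added example, not the talk's own code, that checks the XOR-constant construction numerically under the weighted Hamming-weight model L(x) = α0 + Σ αi xi: measuring one n-bit state XORed with each of m constants gives m channels of the form Y = A·S + b, where S is the whitened state s* = 2s − 1 and the sign of a bit's weight is flipped wherever the constant has a 1. The instance uses the six single-bit constants E0(L0) = {0x01, ..., 0x20} from the talk's DES experiment; the bit weights are assumed values.

```python
import random

def to_bits(x, n):
    return [(x >> i) & 1 for i in range(n)]

def whiten(bits):
    # The slides' whitening transformation: s in {0,1} -> s* = 2s - 1 in {-1,+1}.
    return [2 * b - 1 for b in bits]

def leakage(alpha, bits):
    # Weighted Hamming-weight model L(x) = a0 + a1*x1 + ... + an*xn (alpha = [a0, ..., an]).
    return alpha[0] + sum(a * b for a, b in zip(alpha[1:], bits))

def mixing_matrix(alpha, constants, n):
    # One channel per XOR constant k: since the whitened bit of x xor k is (-1)^k_i * x*_i,
    # L(x xor k) = b + sum_i (a_i * (-1)^k_i / 2) * x*_i, which is the ICA model Y = A*S (+ b).
    A = [[a * (1 - 2 * kb) / 2 for a, kb in zip(alpha[1:], to_bits(k, n))] for k in constants]
    return A, alpha[0] + sum(alpha[1:]) / 2

def observe(alpha, constants, x, n, rng=None, sigma=0.0):
    # The single-channel device measured once per XOR constant gives an m-channel sample y.
    return [leakage(alpha, to_bits(x ^ k, n)) + (rng.gauss(0, sigma) if rng else 0.0)
            for k in constants]

def max_mismatch(alpha, constants, n):
    # Noise-free check of y = A x* + b over every n-bit state: the largest |y_j - (A x* + b)_j|.
    A, b = mixing_matrix(alpha, constants, n)
    worst = 0.0
    for x in range(1 << n):
        s, y = whiten(to_bits(x, n)), observe(alpha, constants, x, n)
        for j, row in enumerate(A):
            worst = max(worst, abs(y[j] - (b + sum(a * v for a, v in zip(row, s)))))
    return worst

def det(M):
    # Determinant by Gaussian elimination; nonzero means the m = n channels are linearly
    # independent, so the ICA condition n <= m holds with no redundant observation.
    M, n, d = [r[:] for r in M], len(M), 1.0
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        if abs(M[p][c]) < 1e-12:
            return 0.0
        if p != c:
            M[c], M[p], d = M[p], M[c], -d
        d *= M[c][c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            M[r] = [v - f * w for v, w in zip(M[r], M[c])]
    return d

# Constructed instance in the talk's DES setting: a 6-bit S-box input, the six single-bit
# XOR constants E0(L0) = {0x01, ..., 0x20} and assumed (made-up) non-zero bit weights.
N = 6
CONSTANTS = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20]
ALPHA = [0.3, 0.9, -0.7, 1.1, 0.5, -1.2, 0.8]

def channel_det():
    return det(mixing_matrix(ALPHA, CONSTANTS, N)[0])
```

max_mismatch returns 0 (up to rounding) over all 64 states and channel_det is non-zero, so the six constants turn the single-channel leakage into six linearly independent observations of the six source bits, which is what the n ≤ m assumption of ICA needs.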

Noise tolerance: noise affects the performance of ICA

— ICA usually works in cases where SNR >> 1

— For application in SCA, we need a more robust algorithm

Ignored feature in ICA

— The distribution of the sources is given: binary signals

— The prior distribution can make ICA more robust to noise

— EM-ICA: specialized for discrete sources with random noise, using the Expectation-Maximization algorithm [Belouchrani, Cardoso 1994]

Specialized ICA for SCA: a specialized ICA based on EM-ICA


Applications in SCA

Experimental setting

Target implementation
— Unprotected software implementation of DES
— 8-bit microprocessor (IC card)

Measurement
— LeCroy WaveRunner 610Zi oscilloscope
— Sampling at 20 MSa/s, 80 000 sample points per trace (first 3 rounds)
— 20 000 traces

Extra property
— P is performed bit-by-bit
— Bit-wise leakage: natural multi-channel observations

New SCA distinguisher: attack one of the S-boxes in the first round

— Recover the intermediate states X_r from ICA

— Compute the S-box outputs X_k with key guess k

— Find the correct key by comparing the distance between X_r and X_k

[Figure: DES Feistel structure: IP, (L0, R0), the round function E → S → P with round keys K1, K2, …, giving (L1, R1), with the recovered signal X_r and the computed X_k marked at the first-round S-box output.]

— Key rank: CPA (HW) vs. ICA

Extending SCA to the middle rounds: recovering the 8 S-boxes' outputs in the second round

— 4-bit outputs, n = 4

— The success rate of an ICA recovery

[Figure: the same DES diagram, with the correct signal X_r marked at the second-round S-box outputs.]

— 80% success rate is usually more than enough for round-reduced key recovery

Reverse engineering on the S-box: a customized DES with secret S-boxes

— Attacker controls the plaintext

— Attacker knows IP and E

— The secret key is embedded in the secret S-box: S′(x) = S(x ⊕ k)

— Traditional non-profiled SCA does not work (secret S-box)

— Attacker can choose several leakage points

[Figure: the same DES diagram, with the recovered signal X_r marked.]

— Leakage point selection: manually pick, or Linear Discriminant Analysis (LDA)

— LDA does not need precise points, only an approximate range; better recovery with larger trace sets; not suitable when the number of traces is smaller than the range of interest


Reverse engineering on the Feistel round function: a customized Feistel cipher (both S and P are altered)

— Attacker controls the plaintext

— Attacker knows IP and E

— The first S-box's input in the second round: the 6 least significant bits of E applied to the XOR of the first round function's output and the initial state after IP

[Figure: the same DES diagram, with the recovered signal X_r marked at the second round.]

— Build observations with our XOR constant method: choose L0 so that E0(L0) = {0x01, 0x02, 0x04, 0x08, 0x10, 0x20}; randomly pick a T-length signal R0; measure the leakages for each (E0, R0); repeat 10 times, randomly picking the other bits in L0

[Figure: the same DES diagram, with the XOR constant and the secret signal marked.]


Summary

SCA ≠ guess-and-determine: directly recover the secret intermediate states without any key guess

— Proposed an ICA-based SCA: construct multi-channel observations with XOR constants; utilize the prior distribution with EM-ICA

— New possibilities in non-profiled SCA: attacking the middle rounds' encryption; reverse engineering with fewer restrictions

A promising tool in the future?

— Needs more research effort

Thanks for your attention!