Ridge-based Profiled Differential Power Analysis
Transcript of Ridge-based Profiled Differential Power Analysis
#RSAC
Yu Yu
Ridge-based Profiled Differential Power Analysis
CRYP-F01
Research Professor, Shanghai Jiao Tong University
Outline
Introduction
  (Profiled) differential power analysis
  Profiling phase
  Exploitation phase
Our contributions
  Ridge-based profiling
Theoretical analysis
  Why and how is ridge-based profiling better?
  How do the coefficients shrink in ridge-based profiling?
Experimental results
  Simulation-based experiments
  Experiments on a real FPGA implementation
(Profiled) differential power analysis
Two phases:
  Profiling
  Exploitation
Leakage of the intermediate variable z: L(z), where L(·) is the leakage function.
Power model: M(z), the adversary's approximation of L(z), built in the profiling phase and used in the exploitation phase.
Classical profiling
The leakage is assumed to follow a Gaussian distribution: M(z) ~ N(μ_z, Σ_z).
For each intermediate variable z, the adversary estimates the sample mean μ_z and the sample covariance Σ_z.
The sample mean μ_z is obtained by averaging the power consumptions of the traces whose intermediate variable equals z.
To accelerate profiling, the sample covariance can be assumed identical for all intermediate variables (a pooled covariance).
LR-based profiling
Pros and cons of LR-based profiling
Exploitation phase
Our contributions
A new profiling method based on ridge regression (to mitigate the overfitting issue)
A method to find the optimal ridge parameter based on cross-validation
Theoretical analysis of the new method's improvement
Simulation-based and practical experiments
Construction of ridge-based profiling
Parameter optimization
The optimized parameter is related to the noise level
Simulation-based experiment, trace number = 2000
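The construction and the cross-validated parameter search of the preceding slides, as an added example in Python that is neither the talk's nor the paper's code. It profiles an 8-bit intermediate z with the regression basis u(z) of all monomials of the bits of z up to degree d, fits beta = argmin ||l - U beta||^2 + lam ||beta||^2 (lam = 0 is ordinary least squares, i.e. LR-based profiling), and picks lam by k-fold cross-validation. The 8-bit target, the single-sample traces, the coefficient values, the noise level and the lam grid are assumptions for the simulation, not values taken from the slides.

```python
"""Ridge-based profiling of a univariate power-leakage model.

Added example, not the talk's or the paper's code. Assumptions not in the
slides: z is an 8-bit value, each trace is a single sample, and the basis
u(z) holds all monomials of the bits of z up to degree d. Pure Python.
"""
import itertools
import math
import random

N_BITS = 8


def basis(z, degree):
    """u(z): a constant 1 followed by every product of up to `degree` distinct
    bits of z. Degree 1 is the weighted Hamming-weight model; degree 8 has 256
    terms, one free value per z, which is what classical profiling estimates."""
    b = [(z >> i) & 1 for i in range(N_BITS)]
    row = [1.0]
    for d in range(1, degree + 1):
        for idx in itertools.combinations(range(N_BITS), d):
            row.append(float(all(b[i] for i in idx)))
    return row


def solve(a, y):
    """Solve a x = y by Gaussian elimination with partial pivoting."""
    n = len(a)
    m = [row[:] + [y[i]] for i, row in enumerate(a)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[piv] = m[piv], m[c]
        if abs(m[c][c]) < 1e-12:
            raise ValueError("singular normal equations: too few traces for this degree, use lam > 0")
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            if f:
                m[r] = [x - f * v for x, v in zip(m[r], m[c])]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][j] * x[j] for j in range(r + 1, n))) / m[r][r]
    return x


def ridge_fit(zs, ls, degree, lam):
    """Ridge-based profiling: beta = (U^T U + lam I')^-1 U^T l, with the intercept
    (the DC level of the trace) left unpenalised. lam = 0 is ordinary least
    squares, i.e. LR-based profiling. Only per-z counts and leakage sums are
    needed, so U^T U is accumulated from at most 256 aggregates."""
    count, total = [0] * 256, [0.0] * 256
    for z, l in zip(zs, ls):
        count[z] += 1
        total[z] += l
    p = len(basis(0, degree))
    utu = [[0.0] * p for _ in range(p)]
    utl = [0.0] * p
    for z in range(256):
        if count[z]:
            u = basis(z, degree)
            for i in range(p):
                if u[i]:  # monomials of bits are 0/1: skip the zero rows
                    utl[i] += total[z]
                    utu[i] = [a + count[z] * uj for a, uj in zip(utu[i], u)]
    for i in range(1, p):
        utu[i][i] += lam
    return solve(utu, utl)


def predict(beta, z, degree):
    """Profiled model M(z) = u(z) . beta."""
    return sum(b * u for b, u in zip(beta, basis(z, degree)))


def mse(beta, zs, ls, degree):
    return sum((predict(beta, z, degree) - l) ** 2 for z, l in zip(zs, ls)) / len(zs)


def coef_norm(beta):
    """Norm of the penalised coefficients; it never grows as lam grows."""
    return math.sqrt(sum(b * b for b in beta[1:]))


def choose_lambda(zs, ls, degree, grid, folds=5):
    """k-fold cross-validation: the lam in `grid` with the lowest held-out MSE."""
    n, best = len(zs), None
    for lam in grid:
        err = 0.0
        for k in range(folds):
            tr = [i for i in range(n) if i % folds != k]
            te = [i for i in range(n) if i % folds == k]
            beta = ridge_fit([zs[i] for i in tr], [ls[i] for i in tr], degree, lam)
            err += mse(beta, [zs[i] for i in te], [ls[i] for i in te], degree)
        if best is None or err < best[0]:
            best = (err, lam)
    return best[1]


def simulate(n_traces, true_coefs, sigma, seed=1):
    """Constructed traces l = L(z) + N(0, sigma^2), L a degree-1 leakage function."""
    rng = random.Random(seed)
    zs = [rng.randrange(256) for _ in range(n_traces)]
    return zs, [predict(true_coefs, z, 1) + rng.gauss(0.0, sigma) for z in zs]


if __name__ == "__main__":
    true = [10.0, 1.0, 0.8, 1.2, 0.5, 1.1, 0.9, 0.7, 1.3]  # assumed bit weights
    zs, ls = simulate(300, true, 2.0)            # few, noisy profiling traces
    vz, vl = simulate(2000, true, 2.0, seed=7)   # fresh traces to score on
    lam = choose_lambda(zs, ls, 3, [0.0, 0.1, 1.0, 10.0])  # 'conservative' degree 3
    for l_ in (0.0, lam):  # 0.0 = LR-based profiling, lam = ridge with CV-chosen lam
        beta = ridge_fit(zs, ls, 3, l_)
        print(f"lam={l_:<5} |beta|={coef_norm(beta):.3f} held-out MSE={mse(beta, vz, vl, 3):.3f}")
```

Profiling a degree-3 model from 300 traces of a degree-1 leakage is the "conservative model degree" situation of the experiments: least squares (lam = 0) spends its 93 coefficients fitting noise, while the penalty shrinks them and lowers the error on fresh traces. When the degree is so high that fewer distinct z values than basis terms were observed, `solve` refuses the singular least-squares system, which is exactly the case ridge regression repairs.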
Variance of the coefficients
Figure: the variances of the coefficients for different model degrees d and values of λ. The left and right figures correspond to d = 1 and d = 2 respectively.
Figure: the variances of the coefficients for different model degrees d and values of λ. The left and right figures correspond to d = 4 and d = 8 respectively.
How do the coefficients shrink in ridge-based profiling?
Setup
Profiling methods:
  ridge-based profiling
  LR-based profiling
  classical profiling
Target intermediate variable: output of the first S-box in the first round of AES-128.
Univariate leakage.
Different degrees and randomized coefficients of the leakage function.
Metrics: perceived information, guessing entropy.
A comparison of different profilings for leakage degree 8
A comparison of different profilings for leakage degree 4
A comparison of different profilings for leakage degree 1
A comparison of different profilings with a 'conservatively' chosen model degree
The adversary may have no knowledge of the actual degree of the leakage function.
He can use a model whose degree is higher than that of the leakage function.
We simulate traces with leakage functions of degrees 1 and 2 and then conduct the above experiments assuming a model of degree 4 for profiling.
Degrees of leakage function and model are 1 and 4 respectively
Degrees of leakage function and model are 2 and 4 respectively
Practical experiments
Test board: SAKURA-X
Oscilloscope: LeCroy WaveRunner 610Zi
First setting
Second setting (robust profiling)
Summary
Ridge-based profiling saves a significant factor in the number of traces needed to build a satisfactory leakage model:
  Better performance for nonlinear leakage functions.
  Time complexity: the same as LR-based profiling.
  Robust profiling.
THANK YOU
Questions?
Si Gao
My Traces Learn What You Did in the Dark: Recovering Secret Signals without Key Guesses
CRYP-F01
PhD Student, Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences
Outline
Introduction
Preliminaries
ICA-based signal recovery
Applications in SCA
Summary
Introduction
Side Channel Analysis (SCA): exploit the computation leakages
— Leakages depend on the intermediate state
Traditional SCA flow (non-profiled): guess-and-determine
— Step 1: take a key guess
[Diagram: Eve feeds plaintexts to the encryption algorithm. For each key guess k_1, ..., k_r in the key guess list she computes the intermediate states x_{k_i}(1), ..., x_{k_i}(T), maps them through the (assumed) leakage model M to the expected leakages M(x_{k_i}(1)), ..., M(x_{k_i}(T)) (the signal list), and compares them with the actual leakage l(1), ..., l(T) to select the most likely key guess k.]
— Step 2: compute the intermediate states from the T plaintexts and the key guess, e.g. the output of an AES S-box, x = S(p ⊕ k_g)
— Step 3: compute the expected leakages for the key guess, e.g. with the Hamming weight model, M(x) = HW(x)
— Step 4: find the most likely key guess, e.g. in CPA, rank the key guesses by Pearson's correlation coefficient between expected and actual leakages
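The four steps above as working code, added here as an example and not part of the talk. The AES S-box is computed from its definition (inversion in GF(2^8) followed by the affine map) instead of being pasted as a table; the traces are constructed, one sample per trace equal to HW(S(p ⊕ k)) plus Gaussian noise, which is an assumption standing in for a real measurement; the distinguisher is CPA with Pearson's correlation. The key byte, the noise levels and the trace counts are arbitrary choices.

```python
"""Non-profiled guess-and-determine SCA (CPA) on one AES S-box output.

Added example, not the talk's code. The AES S-box is computed from its
definition. Traces are constructed: one sample per trace equal to
HW(S(p xor k)) plus Gaussian noise, an assumption standing in for a real
measurement. Pure Python, no numpy.
"""
import math
import random


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def gf_inv(a):
    """a^254 = a^-1 in GF(2^8) by square-and-multiply (maps 0 to 0)."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r


def aes_sbox():
    """S(x) = affine(inv(x)): XOR of inv(x) rotated left by 0..4 bits, plus 0x63."""
    box = []
    for x in range(256):
        y, s = gf_inv(x), 0x63
        for i in range(5):
            s ^= ((y << i) | (y >> (8 - i))) & 0xFF
        box.append(s)
    return box


SBOX = aes_sbox()


def hw(x):
    """Hamming weight leakage model M(x) = HW(x)."""
    return bin(x).count("1")


def pearson(xs, ys):
    """Pearson's correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0


def simulate_traces(key_byte, n_traces, sigma, seed=1):
    """Constructed measurements: plaintext bytes p(t) and l(t) = HW(S(p(t) ^ k)) + noise."""
    rng = random.Random(seed)
    pts = [rng.randrange(256) for _ in range(n_traces)]
    leak = [hw(SBOX[p ^ key_byte]) + rng.gauss(0.0, sigma) for p in pts]
    return pts, leak


def cpa_rank(pts, leak, model=hw):
    """Steps 1-4: for each key guess kg (step 1) compute the intermediate states
    x_kg(t) = S(p(t) ^ kg) (step 2) and the expected leakages M(x_kg(t)) (step 3),
    then score the guess by |Pearson correlation| with the actual leakage l(t)
    (step 4). Returns all 256 guesses, most likely first."""
    scores = []
    for kg in range(256):
        expected = [model(SBOX[p ^ kg]) for p in pts]
        scores.append((abs(pearson(expected, leak)), kg))
    scores.sort(reverse=True)
    return [kg for _, kg in scores]


def key_rank(pts, leak, true_key):
    """Position of the true key in the ranking (0 = recovered)."""
    return cpa_rank(pts, leak).index(true_key)


if __name__ == "__main__":
    key = 0x2B  # arbitrary secret key byte
    for sigma in (0.5, 2.0, 4.0):  # noise std. dev.; HW of a random byte has variance 2
        for n in (50, 200, 1000):
            pts, leak = simulate_traces(key, n, sigma)
            print(f"sigma={sigma:3} traces={n:5} rank of true key={key_rank(pts, leak, key)}")
```

The demo sweeps the noise level and the trace count: the predetermined signal list has only 256 entries, so even at SNR well below 1 the correct guess separates from the rest once enough traces average the noise out, which is the "SCA works when SNR << 1" point of the next slide. Attacking a later round instead would mean enumerating far more key material per intermediate, which this list-based scoring cannot afford.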
Question: did Eve actually recover the intermediate states x?
— She only found the most likely one from a predetermined list
Not a problem for SCA
— The focus is on key recovery (Kerckhoffs's principle)
Pros
— The predetermined list (signal list) is much smaller than the whole signal space
— SCA works even when SNR << 1
— Efficient key recovery
Cons
— The key guess space must be small
— Requires known plaintext/ciphertext and a known encryption algorithm
Limitations: only works for the first/last few rounds
— For the middle rounds the related key guess space is too large for SCA, e.g. in AES when the first/last two rounds are protected
Limitations: Side Channel Analysis for Reverse Engineering
— The intermediate states cannot be computed: the encryption algorithm is unknown
A new model (non-profiled): directly exploit the leakages, without the predetermined list
— A much harder problem: the signal list is much smaller than the signal space
— This paper is a preliminary attempt in this direction
[Diagram: Eve goes from the actual leakage l(1), ..., l(T) through the (assumed) leakage model M directly to the recovered intermediate states x*(1), ..., x*(T), and only then to the most likely key guess k.]
Notes on profiled attacks: much stronger preconditions
— The attacker gets an identical encryption device: build templates, then perform template matching
— Works even if T = 1 (in theory)
— Recovers the intermediate states without key guesses
Not always appropriate
— Power variability issues [Renauld, M., et al., EUROCRYPT 2011]
We only focus on non-profiled attacks in this paper
[Diagram: the actual leakage l(1), ..., l(T) is matched against the templates Tp to recover the intermediate states x*(1), ..., x*(T), then the most likely key guess k.]
Preliminaries
Blind Source Separation (BSS)
n people are talking simultaneously
m microphones are placed at different positions
All recordings can be regarded as linear mixtures of the original conversations
source from http://http://slsp.kaist.ac.kr/xe/?mid=BSS
Blind Source Separation (BSS)
Unknown sources: the n conversations
Unknown mixing matrix: the mixing characteristics of the m microphones
Independent Component Analysis (ICA)
Blind sources S = (s_1, s_2, ..., s_n)
Linear mixing matrix A
m observations Y = (y_1, y_2, ..., y_m)
Y = A·S + N (N represents the noise)
Goal: recover S from Y
ICA assumptions
— Independence: the sources are independent of each other
— Non-Gaussian: the distributions of the blind sources are not Gaussian
— n ≤ m (no more sources than observations)
ICA algorithms
— Many popular algorithms
— Not "that" different; this paper uses FastICA
ICA-based signal recovery
ICA versus SCA: similarities
— An n-bit intermediate state x = (x_1, ..., x_n)
— Assume the leakage follows the weighted Hamming weight model: L(x) = α_0 + α_1 x_1 + ... + α_n x_n
ICA versus SCA: differences
— Number of observations: m vs. 1
— Level of noise: low vs. high
Constructing multi-channel observations: XOR constant
— If a binary source s is XORed with a constant k, the resulting source is s' = s ⊕ k, i.e. s' = s for k = 0 and s' = 1 − s for k = 1
— XORing with 1 is equivalent to flipping the sign of the (centred) signal
— Move the sign into the leakage function
— Different leakage functions → multi-channel observations
Constructing multi-channel observations: XOR constant
— Whitening transformation: s ∈ {0, 1} → s* = 2s − 1 ∈ {−1, 1}
— For the XORed source s' = 1 − s ∈ {1, 0}: s*' = 2s' − 1 = −s* ∈ {1, −1}
— The factor (−1) is moved into the leakage function L: the real source s' seen through L is equivalent to the source s seen through L with its sign flipped, which is exactly ICA's sign ambiguity
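Carrying the two slides above through to the ICA model of the Preliminaries, as an added derivation that is not on the slides. It assumes only the weighted Hamming weight model with per-bit weights $\alpha_i$ and that each constant $k_j = (k_{j,1}, \dots, k_{j,n})$ is XORed bitwise into the $n$-bit state; $m$ constants give $m$ channels.

$$
s^* = 2s - 1,\qquad s \oplus k = \frac{1 + (-1)^{k}\, s^*}{2}\quad (k \in \{0,1\}),
$$

so measuring the leakage of $x(t) \oplus k_j$ gives the $j$-th channel

$$
y_j(t) = \alpha_0 + \sum_{i=1}^{n} \alpha_i \bigl(x_i(t) \oplus k_{j,i}\bigr) + N_j(t)
       = \underbrace{\Bigl(\alpha_0 + \tfrac12 \sum_{i} \alpha_i\Bigr)}_{c}
       + \sum_{i=1}^{n} \underbrace{\tfrac{(-1)^{k_{j,i}} \alpha_i}{2}}_{A_{j,i}}\, x_i^*(t) + N_j(t),
$$

that is, $Y = A S^* + c\,\mathbf{1} + N$. The XOR constants only flip signs of entries of the mixing matrix $A$ (the "(−1) moved into the leakage function"), so after centring the observations this is the $Y = AS + N$ model that ICA separates, with the usual sign and scale ambiguity per source. For the one-hot constants used later ($\{\mathtt{0x01}, \dots, \mathtt{0x20}\}$ for $n = 6$) the sign pattern is $\mathbf{1}\mathbf{1}^{\top} - 2I$, so

$$
A = \tfrac12\,(\mathbf{1}\mathbf{1}^{\top} - 2I)\,\mathrm{diag}(\alpha),
$$

whose first factor has eigenvalues $n - 2$ and $-2$: $A$ is invertible whenever $n \neq 2$ and all $\alpha_i \neq 0$, which is the $n \le m$ condition of the ICA assumptions met with $m = n$ channels.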
Noise tolerance
Noise affects the performance of ICA
— ICA usually works in cases where SNR >> 1
— For application in SCA we need a more robust algorithm
A feature ignored by generic ICA
— The distribution of the sources is known: binary signals
— This prior distribution can make ICA more robust to noise
— EM-ICA: specialised for discrete sources with random noise, using the Expectation-Maximization algorithm [Belouchrani, Cardoso 1994]
Specialized ICA for SCA
A specialized ICA based on EM-ICA
Applications in SCA
Experimental setting
Target implementation
— Unprotected software implementation of DES
— 8-bit microprocessor (IC card)
Measurement
— LeCroy WaveRunner 610Zi oscilloscope
— Sampling at 20 MSa/s, 80 000 sample points per trace (first 3 rounds)
— 20 000 traces
Extra property
— The permutation P is performed bit by bit
— Bit-wise leakage → natural multi-channel observations
New SCA distinguisher: attack one S-box in the first round
— Recover the intermediate states X_r with ICA
— Compute the S-box outputs X_k under a key guess k
— Find the correct key by comparing the distance between X_k and X_r
[Diagram: the first DES rounds, IP → (L0, R0), the round function E/S/P keyed with K1, K2, ...; X_r marks the targeted first-round S-box output.]
New SCA distinguisher: attack one S-box in the first round
— Key rank: CPA (HW) vs. ICA
Extending SCA to the middle rounds: recovering the 8 S-boxes' outputs in the second round
— 4-bit outputs, n = 4
— The success rate of an ICA recovery
[Diagram: the first DES rounds as before; X_r, the second-round S-box output, is the correct signal.]
— An 80% success rate is usually more than enough for round-reduced key recovery
Reverse engineering the S-box: a customized DES with secret S-boxes
— Attacker controls the plaintext
— Attacker knows IP and E
— The secret key is embedded in the secret S-box: S'(x) = S(x ⊕ k)
— Traditional non-profiled SCA does not work (secret S-box)
— Attacker can choose several leakage points
[Diagram: the first DES rounds as before, with X_r at the first-round S-box output.]
— Leakage point selection: pick manually, or use Linear Discriminant Analysis (LDA)
— LDA does not need precise points, only an approximate range
  Better recovery with larger trace sets
  Not suitable when the number of traces is smaller than the range of interest
Reverse engineering the Feistel round function: a customized Feistel cipher (both S and P are altered)
— Attacker controls the plaintext
— Attacker knows IP and E
— Target: the first S-box's input in the second round, i.e. the 6 least significant bits of E(R1), where R1 = L0 ⊕ f(R0, K1) combines the initial state after IP with the output of the first round function
[Diagram: the first DES rounds as before, with X_r at the second-round S-box input.]
— Build observations with our XOR constant method
  Choose L0 so that E0(L0) ∈ {0x01, 0x02, 0x04, 0x08, 0x10, 0x20}: the XOR constants
  Randomly pick a T-length signal R0: the secret signal
  Measure the leakages for each (E0, R0)
  Repeat 10 times, randomly picking the other bits of L0
[Diagram: the first DES rounds as before; E0(L0) enters the second-round S-box input as the XOR constant and the contribution of R0 as the secret signal.]
Summary
SCA ≠ guess-and-determine: directly recover the secret intermediate states without any key guess
— Proposed an ICA-based SCA
  Construct multi-channel observations with the XOR constant method
  Utilize the prior distribution with EM-ICA
— New possibilities in non-profiled SCA
  Attacking the middle rounds' encryption
  Reverse engineering with fewer restrictions
A promising tool in the future?
— Needs more research effort
Thanks for your attention!