Statistical Tools Flavor Side-Channel Collision Attacks 17. April 2012 Amir Moradi Embedded Security Group, Ruhr University Bochum, Germany.


1 Statistical Tools Flavor Side-Channel Collision Attacks 17. April 2012 Amir Moradi Embedded Security Group, Ruhr University Bochum, Germany

2 Outline
• Challenges
  – Side-Channel Attacks (SCA)
  – Collision SCA
  – Problems and our solution
• What is new in this paper
• Some experimental results
EUROCRYPT 2012 | Cambridge | 17. April 2012 Amir Moradi

3 What is the story?
• SCA (implementation attacks)
  – recovering the key of crypto devices
  – hypothetical model for power consumption
  – compare the model with side-channel leakage (power)
• How?
[Figure: Sbox with inputs k and p; table of plaintexts p and measured power values; for each key guess [k=00], [k=01], …, [k=ff], the Sbox outputs S and the corresponding model values; one correlation value per key guess]

4 Side-Channel Collision
• when the circuit uses a module (Sbox) more than once (in e.g., a round)
• once a collision found?
• false positive collision detections
  – a couple of heuristic and systematic ways to handle
• known as linear collision attack
[Figure: two Sbox instances with inputs (k1, p1) and (k2, p2); plaintexts p1 and p2 with their power traces]

5 Our Solution at CHES 2010 (Correlation-Enhanced)
[Figure: two Sbox instances with inputs (k1, p1) and (k2, p2); power values for p1 and p2, each averaged per plaintext value 00, 01, …, ff; correlation between the two sets of averages]

6 Problems
• having a countermeasure (secret sharing)
  – computations on all shares at the same time (Threshold Imp.)
  – a univariate leakage
  – a MIA might be applicable
  – a CE collision might NOT (averaging...)
• how about higher-order statistical moments
  – variance, skewness, kurtosis

7 Solution (applying higher-order moments)
[Figure: two Sbox instances with inputs (k1, p1) and (k2, p2); variance of the power values for p1 and p2, computed per plaintext value 00, 01, …, ff; correlation between the two sets of variances]

8 Solution (applying higher-order moments)
[Figure: two Sbox instances with inputs (k1, p1) and (k2, p2); skewness of the power values for p1 and p2, computed per plaintext value 00, 01, …, ff; correlation between the two sets of skewness values]

9 General Form (no specific moment)
[Figure: two Sbox instances with inputs (k1, p1) and (k2, p2); pdf of the power values for p1 and p2, estimated per plaintext value 00, 01, …, ff; Jeffreys divergence between the two sets of pdfs]

10 Practical Issues
• higher statistical moments, lower estimation accuracy
  – more traces (measurements) required
• estimating pdf by e.g., histogram
  – reducing accuracy as well
• Jeffreys divergence
  – based on Kullback-Leibler divergence
  – symmetric
• Experimental Platforms
  – Virtex II-pro FPGA (SASEBO)
  – Atmel uC (smartcard)
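The statistics behind slides 6 to 10, as an added example for leakage assessment (not code from the presentation): per-value averages of a masked, univariate leakage are flat, while the variance and a histogram-based Jeffreys divergence still distinguish values. The leakage model (one sample leaking the Hamming weights of both shares of a 4-bit value), the noise level, the histogram range and all function names are assumptions made for this sketch.

```python
import math
import random

def hw(v):
    return bin(v).count("1")

def leak(x, n, rng, sigma=0.5):
    """Constructed model: one sample leaks HW of both shares (x^m, m) at once."""
    out = []
    for _ in range(n):
        m = rng.randrange(16)            # fresh 4-bit mask per trace
        out.append(hw(x ^ m) + hw(m) + rng.gauss(0.0, sigma))
    return out

def moments(t):
    """Return (mean, variance, skewness) of one group of samples."""
    n = len(t)
    mu = sum(t) / n
    var = sum((v - mu) ** 2 for v in t) / n
    skew = sum((v - mu) ** 3 for v in t) / n / var ** 1.5
    return mu, var, skew

def histogram(t, lo=-2.0, hi=10.0, bins=24):
    """Histogram pdf estimate; add-one smoothing keeps every bin non-zero."""
    counts = [1] * bins
    width = (hi - lo) / bins
    for v in t:
        i = min(bins - 1, max(0, int((v - lo) / width)))
        counts[i] += 1
    total = sum(counts)
    return [c / total for c in counts]

def jeffreys(p, q):
    """Jeffreys divergence: KL(p||q) + KL(q||p) = sum (p_i - q_i) ln(p_i / q_i)."""
    return sum((a - b) * math.log(a / b) for a, b in zip(p, q))

def compare(x1, x2, n=20000, seed=1):
    """Moments of both groups and the Jeffreys divergence between their pdfs."""
    rng = random.Random(seed)
    t1, t2 = leak(x1, n, rng), leak(x2, n, rng)
    return moments(t1), moments(t2), jeffreys(histogram(t1), histogram(t2))

if __name__ == "__main__":
    for pair in [(0x0, 0xF), (0x0, 0x0)]:
        m1, m2, j = compare(*pair)
        print(pair, "mean %.2f/%.2f var %.2f/%.2f J=%.3f"
              % (m1[0], m2[0], m1[1], m2[1], j))
```

Lowering `n` shows the estimation-accuracy issue from the slide: the variance and histogram estimates become noisy well before the mean does.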

11 Experimental Results (PRESENT TI)
• J. Cryptology 24(2)

12 Experimental Results (PRESENT TI)
[Figure panels: Average, Variance, Skewness, pdf]

13 Experimental Results (AES TI)
• EC 2011

14 Experimental Results (AES TI)
[Figure panels: Average, Variance, Skewness, pdf]

15 Experimental Results (masked software)
• time to move toward multivariate case
  – joint pdfs can be estimated
  – joint statistical moments also can be estimated
    the same as doing a preprocess (by multiplication) step prior to a univariate attack

16 Thanks! Any questions? Embedded Security Group, Ruhr University Bochum, Germany amir.moradi@rub.de

17 Measurement Speed?
[Figure: measurement setup; labels: (Threshold), UART]
• PC sends a small number of bytes (~20)
• Control FPGA communicates with the Target FPGA, sending/receiving ~10K plaintext/ciphertext while the oscilloscope measures
• Speed of the measurement depends on the length of each trace
• In this case, 2000 points, 100M traces in 11 hours!

18 Experimental Results (masked software)

