Presentation is loading. Please wait.

Presentation is loading. Please wait.

Statistical Tools Flavor Side-Channel Collision Attacks

Published byMaliyah Jewel Modified over 9 years ago

Similar presentations

Presentation on theme: "Statistical Tools Flavor Side-Channel Collision Attacks"— Presentation transcript:

1 Statistical Tools Flavor Side-Channel Collision Attacks
17. April 2012 Amir Moradi Embedded Security Group, Ruhr University Bochum, Germany

2 Outline Side-Channel Attacks (SCA) Collision SCA
Challenges Side-Channel Attacks (SCA) Collision SCA Problems and our solution What is new in this paper Some experimental results EUROCRYPT 2012 | Cambridge | 17. April Amir Moradi

3 What is the story? SCA (implementation attacks)
recovering the key of crypto devices hypothetical model for power consumption compare the model with side-channel leakage (power) How? Sbox k p p 12 3d 78 f9 ab Correlation power 0.12 0.01 0.14 0.20 0.06 0.02 0.011 0.060 0.231 0.095 [k=00] S c9 27 bc 99 62 4 5 3 [k=01] S 7d eb b6 41 ac 6 5 2 4 [k=ff] S 55 25 17 6f 20 4 3 6 1 EUROCRYPT 2012 | Cambridge | 17. April Amir Moradi

4 Side-Channel Collision
when the circuit uses a module (Sbox) more than once (in e.g., a round) once a collision found? false positive collision detections a couple of heuristic and systematic ways to handle Sbox k1 p1 p2 k2 p1 12 3d 78 f9 ab power ? ? ? ? power p2 45 9a cf 04 17 e2 known as linear collision attack EUROCRYPT 2012 | Cambridge | 17. April Amir Moradi

5 Our Solution at CHES 2010 (Correlation-Enhanced)
Sbox k1 p1 p2 k2 ( p1 12 3d 78 f9 ab ) power 0.01 0.15 0.12 0.24 0.05 0.11 p1 00 01 02 fd fe ff average 0.23 0.12 0.21 0.06 0.09 0.14 ( p2 45 9a cf 04 17 e2 ) power 0.32 0.20 0.05 0.19 0.27 0.26 Correlation 00 01 02 fd fe ff average 0.230 0.408 0.839 0.312 0.32 0.20 0.05 0.19 0.27 0.26 average 00 01 02 fd fe ff 0.20 0.32 0.17 0.09 0.26 0.27 average 00 01 02 fd fe ff 0.26 0.27 0.19 0.05 0.20 0.32 EUROCRYPT 2012 | Cambridge | 17. April Amir Moradi 00 01 02 fd fe ff

6 Problems computations on all shares at the same time (Threshold Imp.)
having a countermeasure (secret sharing) computations on all shares at the same time (Threshold Imp.) a univariate leakage a MIA might be applicable a CE collision might NOT averaging... how about higher-order statistical moments skewness kurtosis Variance EUROCRYPT 2012 | Cambridge | 17. April Amir Moradi

7 Solution (applying higher-order moments)
Sbox k1 p1 p2 k2 ( p1 12 3d 78 f9 ab ) power 0.01 0.15 0.12 0.24 0.05 0.11 p1 00 01 02 fd fe ff variance 𝜎 2 1.70 2.05 0.70 3.12 1.96 1.79 ( p2 45 9a cf 04 17 e2 ) power 0.32 0.20 0.05 0.19 0.27 0.26 Correlation 00 01 02 fd fe ff variance 0.305 0.412 0.780 0.309 𝜎 2 2.67 3.96 0.84 3.04 1.64 4.78 variance 00 01 02 fd fe ff 𝜎 2 3.96 2.67 2.09 1.83 4.78 1.64 variance 00 01 02 fd fe ff 𝜎 2 4.78 1.64 3.04 0.84 3.96 2.67 EUROCRYPT 2012 | Cambridge | 17. April Amir Moradi 00 01 02 fd fe ff

8 Solution (applying higher-order moments)
Sbox k1 p1 p2 k2 ( p1 12 3d 78 f9 ab ) power 0.01 0.15 0.12 0.24 0.05 0.11 p1 00 01 02 fd fe ff skewness 𝛾 1.70 2.05 0.70 3.12 1.96 1.79 ( p2 45 9a cf 04 17 e2 ) power 0.32 0.20 0.05 0.19 0.27 0.26 Correlation 00 01 02 fd fe ff skewness 0.305 0.412 0.780 0.309 𝛾 2.67 3.96 0.84 3.04 1.64 4.78 skewness 00 01 02 fd fe ff 𝛾 3.96 2.67 2.09 1.83 4.78 1.64 skewness 00 01 02 fd fe ff 𝛾 4.78 1.64 3.04 0.84 3.96 2.67 EUROCRYPT 2012 | Cambridge | 17. April Amir Moradi

9 General Form (no specific moment)
Sbox k1 p1 p2 k2 𝑝()−𝑞() log 𝑝() 𝑞() ( p1 12 3d 78 f9 ab ) power 0.01 0.15 0.12 0.24 0.05 0.11 p1 00 01 02 fd fe ff pdf Pr ( p2 45 9a cf 04 17 e2 ) Jeffreys Divergence power 0.32 0.20 0.05 0.19 0.27 0.26 00 01 02 fd fe ff pdf 0.104 0.094 0.006 0.143 Pr pdf 00 01 02 fd fe ff Pr pdf 00 01 02 fd fe ff Pr EUROCRYPT 2012 | Cambridge | 17. April Amir Moradi 00 01 02 fd fe ff

10 Practical Issues more traces (measurements) required
higher statistical moments, lower estimation accuracy more traces (measurements) required estimating pdf by e.g., histogram reducing accuracy as well Jeffreys divergence based on Kullback-Leibler divergence symmetric Experimental Platforms Virtex II-pro FPGA (SASEBO) Atmel uC (smartcard) EUROCRYPT 2012 | Cambridge | 17. April Amir Moradi

11 Experimental Results (PRESENT TI)
J. Cryptology 24(2) EUROCRYPT 2012 | Cambridge | 17. April Amir Moradi

12 Experimental Results (PRESENT TI)
Average Variance Skewness pdf EUROCRYPT 2012 | Cambridge | 17. April Amir Moradi

13 Experimental Results (AES TI)
EC 2011 EUROCRYPT 2012 | Cambridge | 17. April Amir Moradi

14 Experimental Results (AES TI)
Average Variance Skewness pdf EUROCRYPT 2012 | Cambridge | 17. April Amir Moradi

15 Experimental Results (masked software)
time to move toward multivariate case joint pdfs can be estimated joint statistical moments also can be estimated the same as doing a preprocess (by multiplication) step prior to a univariate attack EUROCRYPT 2012 | Cambridge | 17. April Amir Moradi

16 Thanks! Any questions? amir.moradi@rub.de
Embedded Security Group, Ruhr University Bochum, Germany

17 Measurement Speed? (Threshold)
Speed of the measurement depends on the length of each trace In this case, 2000 points, 100M traces in 11 hours! UART PC sends a small number of bytes (~20) Control FPGA communicates with the Target FPGA sending/receiving ~10K plaintext/ciphertext while the oscilloscope measures

18 Experimental Results (masked software)
EUROCRYPT 2012 | Cambridge | 17. April Amir Moradi

Download ppt "Statistical Tools Flavor Side-Channel Collision Attacks"

Similar presentations

Toward Practical Public Key Anti- Counterfeiting for Low-Cost EPC Tags Alex Arbit, Avishai Wool, Yossi Oren, IEEE RFID April 2011 1.

Toward Practical Public Key Anti- Counterfeiting for Low-Cost EPC Tags Alex Arbit, Avishai Wool, Yossi Oren, IEEE RFID April
AES Side Channel Attacks

AES Side Channel Attacks
14. Aug. 2013 Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware SAC 2013, Burnaby, Canada Thomas Pöppelmann and Tim Güneysu.

14. Aug Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware SAC 2013, Burnaby, Canada Thomas Pöppelmann and Tim Güneysu.
Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.

Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.
Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Guest Lecturer: Yossi Oren 1.

Information Security – Theory vs. Reality , Winter 2011 Guest Lecturer: Yossi Oren 1.
GSM Security Threats and Countermeasures Saravanan Bala Tanvir Ahmed Samuel Solomon Travis Atkison.

GSM Security Threats and Countermeasures Saravanan Bala Tanvir Ahmed Samuel Solomon Travis Atkison.
Detection Theory Chapter 12 Model Change Detection Xiang Gao January 18, 2011.

Detection Theory Chapter 12 Model Change Detection Xiang Gao January 18, 2011.
Practical Template-Algebraic Side Channel Attacks with Extremely Low Data Complexity 1.

Practical Template-Algebraic Side Channel Attacks with Extremely Low Data Complexity 1.
Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”

Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model 1.

Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model 1.
C ● O ● M ● O ● D ● O RESEARCH LAB Longer Keys may Facilitate Side Channel Attacks (Bradford, UK) Colin.

C ● O ● M ● O ● D ● O RESEARCH LAB Longer Keys may Facilitate Side Channel Attacks (Bradford, UK) Colin.
Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore.

Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS Singapore.
Cryptography. 2 Objectives Explain common terms used in the field of cryptography Outline what mechanisms constitute a strong cryptosystem Demonstrate.

Cryptography. 2 Objectives Explain common terms used in the field of cryptography Outline what mechanisms constitute a strong cryptosystem Demonstrate.
Exploring timing based side channel attacks against 802.11i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction

Exploring timing based side channel attacks against i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction
Windows Core Security1© 2006 Microsoft Corp Cryptography: Helping Number Theorists Bring Home the Bacon Since 1977 Dan Shumow SDE Windows Core Security.

Windows Core Security1© 2006 Microsoft Corp Cryptography: Helping Number Theorists Bring Home the Bacon Since 1977 Dan Shumow SDE Windows Core Security.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Radu Muresan CODES+ISSS'04, September 8-10, 2004, Stockholm, Sweden1 Current Flattening in Software and Hardware for Security Applications Authors: R.

Radu Muresan CODES+ISSS'04, September 8-10, 2004, Stockholm, Sweden1 Current Flattening in Software and Hardware for Security Applications Authors: R.
Dan Boneh Public Key Encryption from trapdoor permutations RSA in practice Online Cryptography Course Dan Boneh.

Dan Boneh Public Key Encryption from trapdoor permutations RSA in practice Online Cryptography Course Dan Boneh.
Study of AES Encryption/Decription Optimizations Nathan Windels.

Study of AES Encryption/Decription Optimizations Nathan Windels.

Similar presentations

Ads by Google