Efficient Evaluation of the Success Rate in Side Channel Attacks ... · Automate leakage assessment practice I Develop tools and practices allowing resistance assessment Deliver tools

Efficient Evaluation of the Success Rate in SideChannel Attacks

H2020 Project REASSURE

Emmanuel [email protected]

Agence Nationale de la Securite des Systemes d’Information

TIs – January, 09, 2018

E. PROUFF, ANSSI Security Evaluation

[email protected]

REASSURE

Overview

1 REASSURE


REASSURE

Robust and Efficient Approaches to Evaluating SideChannel and Fault Resilience

Started in Jan. 2017

Ending in Dec. 2019

Funding: 4, 165, 726 euros

Partners: UCL, Bristol University, NXP, SAFRAN, RISCURE,ANSSI


REASSURE

REASSURE

Improve efficiency and quality of evaluationI Develop a structured detect-map-exploit approachI Improve comparability of evaluations

Automate leakage assessment practiceI Develop tools and practices allowing resistance assessment

Deliver tools to stakeholders

Push results towards standards (e.g. drafts ISO/IEC WD20085-1 and 20085-2 or ISO/IEC 17825)


Side-Channel Introduction

Overview

2 Side-Channel Introduction


Introduction to Side-Channel Analysis

Side Channel Analysis

Side Channel Attacks (SCA) appear about 20 years agoI 1996: Timing AttacksI 1998: Power AnalysisI 2000: Electromagnetic Analysis

Numerous attacksI 1998: (single-bit) DPA KocherJaffeJune1999I 1999: (multi-bit) DPA Messerges99I 2000: Higher-order SCA Messerges2000I 2002: Template SCA ChariRaoRohatgi2002I 2004: CPA BrierClavierOlivier2004I 2005: Stochastic SCA SchindlerLemkePaar2006I 2008: Mutual Information SCA GierlichsBatinaTuyls2008I etc.I Recently: attacks based on Machine Learning and Deep

Learning



Side Channel Analysis

Side Channel Attacks (SCA) appear about 20 years agoI 1996: Timing AttacksI 1998: Power AnalysisI 2000: Electromagnetic Analysis

Numerous attacksI 1998: (single-bit) DPA KocherJaffeJune1999I 1999: (multi-bit) DPA Messerges99I 2000: Higher-order SCA Messerges2000I 2002: Template SCA ChariRaoRohatgi2002I 2004: CPA BrierClavierOlivier2004I 2005: Stochastic SCA SchindlerLemkePaar2006I 2008: Mutual Information SCA GierlichsBatinaTuyls2008I etc.I Recently: attacks based on Machine Learning and Deep

Learning



Advanced Side Channel Attacks (DPA like attacks)Side Channel Analysis: General Framework.

Secrets

Implementation

Optionnal

Statistical Tools

AES

Channel

Side Channel

Adversary

Chip Model



Advanced Side Channel AttacksSide Channel Analysis: General Framework (Theoretical)

Context: attack during the manipulation of S(X + k).

1 Measurement :I get a leakages sample (`k,i )i related to a sample (xi )i of plaintexts.

2 Model Selection :I Design/Select a function m(·).

3 Prediction :I For every k, compute mk,i = m(S(xi + k)).

4 Distinguisher Selection :I Choose a statistical distinguisher ∆.

5 Key Discrimination :I For every k, compute the distinguishing value ∆k :

∆k = ∆(

(`k,i )i , (mk,i )i

).

6 Key Candidate Selection :I Deduce k from all the values ∆k .



Advanced Side Channel AttacksSide Channel Analysis: attack Description Sheet

Attack Description Sheet

Type of Leakage: e.g. power consumption or electromagnetic emanation

Model Function:e.g. one bit of Z or its Hamming weight

Statistical Distinguisher: e.g. difference of means, correlation or entropy

Key Candidate Selection: e.g. the candidate the maximizes the scores



Overview

1 How to Quickly assess the leakage of a chip?

2 Success Rate of Higher-Order SCA

3 PCD Methodology

4 Conclusion


How to quickly assess the leakage of a chip?

Overview

3 How to quickly assess the leakage of a chip?



A designer/evaluator POV

Security of a device against SCA is tested bydesigners/evaluators.

Large set of SCA to test: CPA, MIA, LRA, DPA, ML, etc.

Little time, limited means, constrained resources.

Strong knowledge of my device.

CPA

ML LRA

DPA

MIA








CPA

ML LRA

DPA

MIA








CPA

ML LRA

DPA

MIA








CPA

ML LRA

DPA

MIA



Leakage assessment: is there information in the traces?

must be very efficient in the number of traces.

must be as generic as possible: any kind information must berevealed.

↪→ independent from leakage functions.↪→ takes into account as many intermediate variables as possible.

Intuitions

First focus on first-order leakages, i.e. the information iscontained in the conditional mean of the traces.

E [T | Z = z ] 6= E [T ]

A secure implementation would behave as manipulatingrandom values.



Test Vector Leakage Assessment (TVLA) [Becker et al.White Paper CRI]

Acquire some sets of traces:

S1: Plaintexts and Keys are both fixed to well chosen values.

S2: Plaintexts are randomly chosen and Keys are fixed.

S3: Plaintexts are fixed and Keys are randomly chosen.

. . .

Welch t-test

between Si and S1 compute , for each time sample t,

score(t) =E [Si ]− E [S1]√(

V [Si ]Ni

+ V [S1]N1

)where E and V are estimations of the mean and of thevariance respectively.

if score(t) > threshold then there is a leakage. . .



An example on AES implem. (8-bit ATMega)

200000 observations, Random plaintexts vs. Fixed Set.threshold = 4.5std(score) + mean.



TVLA output. . .

There are first-order leakages!



TVLA output. . .

There are first-order leakages!But which sensitive value is leaking?



TVLA output. . .


+ There is some first-order leakages and their time samples.

- These leakages may not be sensitive. . . ↪→ use S3

- These leakages may depend on sensitive values in any ways:I several bytes of plaintext/key may be involved.I relationship between these leakages and intermediate variables

may be tricky.



TVLA output. . .





may be tricky.



TVLA output. . .





may be tricky.



TVLA output. . .


Find strategies to identify the plaintext/key bytes involved

minimize the number of subsequent acquisition campaigns.

use generic tools to observe leakages: T-test, SNR, etc. . .




200000 obs., Signal to Noise Ratio on each Plaintext byte:

SNRi =V [E [T | Pi ]]

E [V [T | Pi ]], i = 0..15




200000 obs., Signal to Noise Ratio on the Plaintext bytes.


E [V [T | Pi ]], i = 0..15




200000 obs., Signal to Noise Ratio on the Plaintext bytes.


E [V [T | Pi ]], i = 0..15



SNR output. . .

The first leakage depends from a singleplaintext byte!



SNR output. . .

The first leakage depends from a singleplaintext byte!this is the 4th byte. . . why?



SNR output. . .


+ Any intermediate value only depending on a singleplaintext/key byte is captured.

- These leakages may not be sensitive. . . ↪→ varying keys

- No knowledge on the leakage function. . .

↪→ try classical leakage model (e.g. HW, HD)↪→ infer the leakage function from sca obs.



SNR output. . .








SNR output. . .








SNR output. . .







Success Rate of Higher-Order Side-Channel Analysis

Overview

4 Success Rate of Higher-Order Side-Channel AnalysisContextA new methodology


Success Rate of Higher-Order Side-Channel Analysis Context

Higher Order Side Channel AttacksCore Principle

First Order Masking: M0 = Z ⊕M1

=⇒ Second Order SCA:



Higher Order Side Channel AttacksCore Principle

Masking of order d : M0 = Z ⊕M1 ⊕ · · · ⊕Md

Attack of order d + 1:



Higher-Order SCAHigher-Order Side Channel Analysis: General Framework (Theoretical)

Context: attack during the manipulation of s0, s1, · · · , sdwith S(X + k) =

∑di=0 mi .

1 Measurement :I get a leakages sample (~k,i )i related to a sample (xi )i of plaintexts.

2 Pre-processing and Model Selection :I Select a combination function f(~), Design/Select a function m(s).

3 Prediction :I For every k, compute mk,i = m(S(xi + k)).

4 Distinguisher Selection :I Choose a statistical distinguisher ∆.

5 Key Discrimination :I For every k, compute the distinguishing value ∆k :

∆k = ∆(

(f (~k,i ))i , (mk,i )i

).

6 Key Candidate Selection :I Deduce k from all the values ∆k .




200000 observations, Random plaintexts vs. Fixed Set.Combination function: Centered product.



TVLA 2nd-order output. . .

There are second-order leakages!




There are second-order leakages!The trace sizes are squared. . .




There are second-order leakages!The trace sizes are squared. . .

+ The centered product + TVLA allow to identify second orderleakages.

- The treatment complexity increases exponentially with theorder.

- The number of traces increases exponentially with the order.



Security of a device: practice

Problem: Is my device secure against an attack ?

Perform SCA

SCA

Success / Failure



Security of a device: much better


Perform the SCA a lot of times, count thenumber of successes.

SCA

Success Rate %

Issue: Might be too expensive (acquisitions, computations ...).E. PROUFF, ANSSI Security Evaluation


Security of a device: much better


Perform the SCA a lot of times, count thenumber of successes.

SCA

Success Rate %

Issue: Might be too expensive (acquisitions, computations ...).E. PROUFF, ANSSI Security Evaluation


An example : 2O-CPA

1000× 10000 = 10 Millions of observations.

0 1000 2000 3000 4000 5000 6000 7000 8000 9000 100000

10

20

30

40

50

60

70

80

90

100

Number of observations

Success R

ate

(%

)



An example : 4O-CPA

1000× 107 = 10 Billions of observations.

0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2

x 107

0

10

20

30

40

50

60

70

80

90

100

Number of messages

Success r

ate

(%

)



Issue

Costly attack =⇒ Impossible to assess the security.

No insurance of security against an attacker with more time,means, resources than us.



Knowledge of the device

The designer/evaluator has a strong knowledge of the device:I Leakage functions.I Noises distributions.I ...

Total control over inputs:I Plaintext.I Key.I Randoms.

credit:ZeptoBars



Security of a device: designer


Methodology

Costly SCA

Success Rate %


Success Rate of Higher-Order Side-Channel Analysis A new methodology

PCD Methodology

1 Profile the device parameters.

2 Compute some formulas using these parameters.

3 Deduce the success rate.



Key Values

A methodology from profiling to compute SR.

Works for any additive distinguisher st. DPA, CPA, MaximumLikelihood, etc.

Generalizes to HO versions.

Clearly identifies the impact of each device’s parameter on itssecurity.



Key Values







Key Values







Key Values







Assumptions

s = ϕ(x , k∗)

s0 s1 · · · sd

f (s0) + N0 f (s1) + N1 · · · f (sd) + Nd

Leakage

Ni independents.

Sensitive variable

Sharing



Assumptions

s = ϕ(x , k∗)

s0 s1 · · · sd

f (s0) + N0 f (s1) + N1 · · · f (sd) + Nd

Leakage

Ni independents.

Sensitive variable

Sharing



Assumptions

s = ϕ(x , k∗)

s0 s1 · · · sd

f (s0) + N0 f (s1) + N1 · · · f (sd) + Nd

Leakage

Ni independents.

Sensitive variable

Sharing



Rivain[SAC08]

Score vector

Vector of scores given by the SCA.

~d = (dk0 , dk1 , · · · , dk255)

Comparison vector

Vector of differences of scores between k? and k .

~c = (dk? − dk0 , dk? − dk1 , · · · , dk? − dk255)

Attack success ⇔ ~c > ~0.

SR = P[~c > ~0].



Rivain[SAC08]

Score vector

Vector of scores given by the SCA.

~d = (dk0 , dk1 , · · · , dk255)

Comparison vector

Vector of differences of scores between k? and k .

~c = (dk? − dk0 , dk? − dk1 , · · · , dk? − dk255)

Attack success ⇔ ~c > ~0.

SR = P[~c > ~0].



Additive distinguisher

Definition

Distinguisher such that:

dk = gx1,k( ~1) + gx2,k( ~2) + · · ·+ gxq−1,k( ~`q−1) + gxq ,k( ~q).

We prove that HO-CPA and HO-ML are additive by exhibitingfunctions gx ,k .




Definition







Definition






Example: HO-CPA

Functions gx ,k(~)

Model m(x , k): eg. HW(SB(x ⊕ k)).

Combination Function C (~): eg. Normalized Product.

gx ,k(~) = (m(x ,k)−mk )√1q

∑i (m(xi ,k)−mk )2

· C (~).



Generalizing Rivain[SAC08] to HOSCA

Distribution of score vector

q →∞ =⇒ ~d ∼ N (md ,Σd) (mCLT).

(gx ,k , Lx ,k?)→ md ,Σd .

Distribution of comparison vector

q →∞ =⇒ ~c ∼ N (mc ,Σc) (mCLT).

(md ,Σd)→ mc ,Σc .

SR = P[~c > ~0] = Φmc ,Σc (~0, ~∞).



Generalizing Rivain[SAC08] to HOSCA

Distribution of score vector

q →∞ =⇒ ~d ∼ N (md ,Σd) (mCLT).

(gx ,k , Lx ,k?)→ md ,Σd .

Distribution of comparison vector

q →∞ =⇒ ~c ∼ N (mc ,Σc) (mCLT).

(md ,Σd)→ mc ,Σc .

SR = P[~c > ~0] = Φmc ,Σc (~0, ~∞).



Evaluation of SR: PCD Methodology

1 Profile the leakage of every share.

2 Compute the parameters md and Σd of the score vector.

3 Deduce the parameters mc and Σc and evaluate the successrate thanks to the multivariate normal cdf.





















Validation of the approach

Context

Two ’real life’ devices: 130nm and 350nm architectures.

Masked AES, output of S-box.

EM radiations.

Methodology

Estimation of leakage parameters using linear regressiontechniques on 200.000 samples.

HO-CPAs using normalized product combination function, andHW model function.




Context

Two ’real life’ devices: 130nm and 350nm architectures.

Masked AES, output of S-box.

EM radiations.

Methodology

Estimation of leakage parameters using linear regressiontechniques on 200.000 samples.

HO-CPAs using normalized product combination function, andHW model function.



ResultsFigure: 130nm, 2OCPA

0 2000 4000 6000 8000 10000 12000 140000

20

40

60

80

100

Figure: 350 nm, 3OCPA

0 2000 4000 6000 8000 100000

20

40

60

80

100

Figure: 350nm, 2OCPA

0 2000 4000 6000 8000 100000

20

40

60

80

100

Figure: 350 nm, 4OCPA

0 10000 20000 30000 40000 500000

20

40

60

80

100




Main factors of precision

Tightness of Gaussian approximation (CLT).

Accuracy of leakage parameter estimations.



Tightness of the Gaussian Approximation

Context

Simulations of the same devices.

HO-CPA, HO-ML.



Results on simulated 130nmFigure: 2O CPA

0 5000 10000 150000

10

20

30

40

50

60

70

80

90

100

Figure: 3O CPA

0 1 2 3 4 5

x 105

0

10

20

30

40

50

60

70

80

90

100

Figure: 2O ML

0 1000 2000 3000 4000 5000 6000 7000 80000

10

20

30

40

50

60

70

80

90

100

Figure: 3O ML

0 0.5 1 1.5 2 2.5 3 3.5

x 105

10

20

30

40

50

60

70

80

90

100



Results on simulated 350nm

Figure: 2O CPA

0 1000 2000 3000 4000 5000 6000 7000 8000 9000 100000

10

20

30

40

50

60

70

80

90

100

Figure: 2O ML

0 100 200 300 400 500 600 700 8000

10

20

30

40

50

60

70

80

90

100

Not enough samples to obtain a tight convergence towards thenormal law.



Results on simulated 350nm

Figure: 2O ML, σ × 4

0 200 400 600 800 1000 1200 1400 1600 1800 20000

10

20

30

40

50

60

70

80

90

100

Figure: 2O ML, σ × 6

0 500 1000 1500 2000 2500 3000 3500 40000

10

20

30

40

50

60

70

80

90

100



Impact of leakage profiling

What happens when we regress with less samples ?

Leak(X ) = c0 + c1X1 + c2X2 + c3X3 + c4X4 + c5X5 + c6X6 + c7X7 + Noise

0 500 1000 1500 2000 2500

-8

-6

-4

-2

0

2

4

Number of observations



Results Figure: 350 nm, 2OCPA

0 1000 2000 3000 4000 5000 6000 7000 8000 9000 100000

10

20

30

40

50

60

70

80

90

100

Conclusion: 1500 samples are enough to accurately assess theefficiency of this attack (instead of 10 Millions !).



Increasing the order

Number of observations: constant (instead of exponential).

Number of operations: linear (instead of exponential).



What about our 4O-CPA ?

1000× 107 = 10 Billions of observations.

0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2

x 107

0

10

20

30

40

50

60

70

80

90

100

Number of messages

Success r

ate

(%

)



What about our 4O-CPA ?15 hundreds of observations.

0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2

x 107

0

10

20

30

40

50

60

70

80

90

100

Number of messages

Success r

ate

(%

)



Conclusion

We have proposed a methodology to accurately and efficientlycompute the SR of a SCA without having to actually performit.

Validated against real devices and simulations.

Formulas indicates the impact of device’s parameters on theSR.

Possible to precisely know the SR of an attack requiring a lotof observations, using only a very limited number ofacquisitions !



Conclusion







Conclusion







Conclusion







Conclusion







Acknowledgement: part of the slides come from presentationsgiven by Thomas Roche and Adrian Thillard.


Documents

Efficient Evaluation of the Success Rate in Side Channel Attacks ... · Automate leakage assessment practice I Develop tools and practices allowing resistance assessment Deliver tools