Ridge-based Profiled Differential Power Analysis

Yu Yu, Research Professor, Shanghai Jiao Tong University. SESSION ID: CRYP-F01. #RSAC

Upload: priyanka-aash

Post on 13-Apr-2017


TRANSCRIPT

Page 1: Ridge-based Profiled Differential Power Analysis

Ridge-based Profiled Differential Power Analysis

Yu Yu

Research Professor, Shanghai Jiao Tong University

SESSION ID: CRYP-F01

#RSAC

Page 2: Ridge-based Profiled Differential Power Analysis

Outline

Introduction

(Profiled) Differential power analysis

Profiling phase

Exploitation phase

Our contributions

Ridge-based profiling

Theoretical analysis

Why and how is ridge-based profiling better?

How the coefficients shrink in the ridge-based profiling?

Experimental Results

Simulation-based experiments

Experiments on real FPGA implementation

Page 4: Ridge-based Profiled Differential Power Analysis

(Profiled) Differential power analysis

Two phases:

Profiling

Exploitation

Leakage of :

L(·) is leakage function

Power model :

xz

L( )z xT z

M( )

M( ) L( )x xz z

M( )z xT z

Page 6: Ridge-based Profiled Differential Power Analysis

Classical profiling

The leakage follows a Gaussian distribution:

For each intermediate variable z, the adversary finds the sample mean and the sample covariance.

The sample mean is obtained by averaging the power consumptions corresponding to intermediate variable z.

To accelerate the profiling, we can assume the sample covariances are identical for all the intermediate variables.

z zM( ) (N ), µz

z

z

Page 7: Ridge-based Profiled Differential Power Analysis

LR-based profiling

Page 8: Ridge-based Profiled Differential Power Analysis

LR-based profiling

Page 9: Ridge-based Profiled Differential Power Analysis

Pro and con of LR-based profiling

Page 11: Ridge-based Profiled Differential Power Analysis

Exploitation phases

Page 13: Ridge-based Profiled Differential Power Analysis

Our contributions

A new profiling method based on ridge regression (to mitigate the overfitting issue)

A method for finding the optimized parameter, based on cross-validation

Theoretical analysis of the new method’s improvement

Simulation-based and practical experiments

Page 15: Ridge-based Profiled Differential Power Analysis

Construction of ridge-based profiling

Page 16: Ridge-based Profiled Differential Power Analysis

Parameter optimization

Page 17: Ridge-based Profiled Differential Power Analysis

Optimized parameter is related to the noise level

Simulation-based experiment, trace number = 2000

Page 19: Ridge-based Profiled Differential Power Analysis

Variance of the coefficients

Page 20: Ridge-based Profiled Differential Power Analysis

Variance of the coefficients

Figure: The variances of the coefficients for degrees (of the model) and λ. The left and right figures correspond to the cases for d = 1 and d = 2 respectively.

Page 21: Ridge-based Profiled Differential Power Analysis

Variance of the coefficients

Figure: The variances of the coefficients for degrees (of the model) and λ. The left and right figures correspond to the cases for d = 4 and d = 8 respectively.

Page 23: Ridge-based Profiled Differential Power Analysis

How the coefficients shrink in the ridge-based profiling?

Page 25: Ridge-based Profiled Differential Power Analysis

Setup

Profiling methods:

ridge-based profiling

LR-based profiling

classical profiling

Target intermediate variable: output of AES-128’s first S-box of the first round.

Univariate leakage.

Different degrees and randomized coefficients.

Metrics: perceived information, guessing entropy.

Page 26: Ridge-based Profiled Differential Power Analysis

A comparison of different profilings for leakage degree 8

Page 27: Ridge-based Profiled Differential Power Analysis

A comparison of different profilings for leakage degree 4

Page 28: Ridge-based Profiled Differential Power Analysis

A comparison of different profilings for leakage degree 1

Page 29: Ridge-based Profiled Differential Power Analysis

A comparison of different profilings with a ‘conservative’ degree of model

The adversary may have no knowledge about the actual degree of the leakage function.

He can use a model whose degree is higher than that of the leakage function.

We simulate the traces with leakage functions of degrees 1 and 2 and then conduct the above experiments assuming a model of degree 4 for profiling.

Page 30: Ridge-based Profiled Differential Power Analysis

Degrees of leakage function and model are 1 and 4 respectively

Page 31: Ridge-based Profiled Differential Power Analysis

Degrees of leakage function and model are 2 and 4 respectively

Page 33: Ridge-based Profiled Differential Power Analysis

Practical experiments

test board: SAKURA-X

oscilloscope: LeCroy WaveRunner 610Zi

Page 34: Ridge-based Profiled Differential Power Analysis

First setting

Page 35: Ridge-based Profiled Differential Power Analysis

Second setting (robust profiling)

Page 36: Ridge-based Profiled Differential Power Analysis

Summary

Ridge-based profiling can reduce, by a significant factor, the number of traces needed to build a satisfying leakage model:

Better performance for nonlinear leakage functions.

Time complexity: equal to that of LR-based profiling.

Robust profiling.

Page 37: Ridge-based Profiled Differential Power Analysis

THANK YOU

Questions?

Page 38: Ridge-based Profiled Differential Power Analysis

My Traces Learn What You Did in the Dark: Recovering Secret Signals without Key Guesses

Si Gao

PhD Student, Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences

SESSION ID: CRYP-F01

Page 39: Ridge-based Profiled Differential Power Analysis

Outline

Introduction

Preliminaries

ICA-based signal recovery

Applications in SCA

Summary

Page 41: Ridge-based Profiled Differential Power Analysis

Introduction

Side Channel Analysis (SCA)

Exploit the computation leakages

— Leakages depend on the intermediate state

Page 42: Ridge-based Profiled Differential Power Analysis

Introduction

Traditional SCA flow (Non-profiled)

Guess-and-determine

— Step 1: take a key guess

[Figure: guess-and-determine flow. Labels: Eve; Encryption Algorithm; Plaintext; Key Guess List k1, k2, k3, …, kr; Signal List (Intermediate States) x_k1(1), …, x_k1(T) through x_kr(1), …, x_kr(T); (Assumed) Leakage Model M; Expected Leakages M(x_k1(1)), …, M(x_k1(T)) through M(x_kr(1)), …, M(x_kr(T)); Actual Leakage l(1), …, l(T); Most likely key guess k.]

Page 43: Ridge-based Profiled Differential Power Analysis

Introduction

Traditional SCA flow (Non-profiled)

Guess-and-determine

— Step 2: Compute the intermediate states from T plaintexts and the key guess

E.g., the output of an AES Sbox, x = S(p ⊕ kg)

Page 44: Ridge-based Profiled Differential Power Analysis

Introduction

Traditional SCA flow (Non-profiled)

Guess-and-determine

— Step 3: Compute the expected leakages of the key guess

E.g., the Hamming Weight model, where M(x) = HW(x)

Page 45: Ridge-based Profiled Differential Power Analysis

Introduction

Traditional SCA flow (Non-profiled)

Guess-and-determine

— Step 4: Finding out the most likely key guess

E.g., in CPA, rank key guesses with Pearson's correlation coefficient
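
Steps 1 to 4 run end to end on simulated traces, as an added example that is not code from the slides. The leakage simulation (Hamming weight of the AES Sbox output plus Gaussian noise), the key byte 0x3C, the trace count and all function names are assumptions made for the illustration.

```python
import random

def make_aes_sbox():
    """AES S-box from its definition: GF(2^8) inverse, then the affine map."""
    rotl8 = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    sbox = [0] * 256
    p = q = 1                      # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                 # 0 has no inverse
    return sbox

SBOX = make_aes_sbox()
HW = [bin(v).count("1") for v in range(256)]    # leakage model M(x) = HW(x)

def simulate_traces(key_byte, n_traces, noise_sigma, rng):
    """Constructed stand-in for measurements: l(t) = HW(S(p ^ k)) + noise."""
    plaintexts = [rng.randrange(256) for _ in range(n_traces)]
    leakage = [HW[SBOX[p ^ key_byte]] + rng.gauss(0.0, noise_sigma)
               for p in plaintexts]
    return plaintexts, leakage

def pearson(a, b):
    """Pearson's correlation coefficient of two equal-length sequences."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5 if va > 0 and vb > 0 else 0.0

def cpa_rank(plaintexts, leakage):
    """Return (|correlation|, key guess) pairs, best guess first."""
    scored = []
    for kg in range(256):                                 # Step 1: key guess
        states = [SBOX[p ^ kg] for p in plaintexts]       # Step 2: x = S(p ^ kg)
        expected = [HW[x] for x in states]                # Step 3: M(x) = HW(x)
        scored.append((abs(pearson(expected, leakage)), kg))
    scored.sort(reverse=True)                             # Step 4: rank guesses
    return scored

def run_demo(key_byte=0x3C, n_traces=1500, noise_sigma=4.0, seed=2017):
    """Simulate traces for an assumed key byte and rank all 256 guesses.

    HW of a uniform byte has variance 2 and the noise variance is 16,
    so the simulated SNR is 0.125 (below 1).
    """
    rng = random.Random(seed)
    plaintexts, leakage = simulate_traces(key_byte, n_traces, noise_sigma, rng)
    ranking = cpa_rank(plaintexts, leakage)
    position = [kg for _, kg in ranking].index(key_byte)  # 0 means ranked first
    return ranking, position

if __name__ == "__main__":
    ranking, position = run_demo()
    print("rank of the simulated key byte:", position)
    for corr, kg in ranking[:3]:
        print(f"guess 0x{kg:02X}  |rho| = {corr:.3f}")
```

The same ranking run against a protected implementation gives an evaluator a direct check: the correct guess should no longer stand out from the other 255.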

Page 46: Ridge-based Profiled Differential Power Analysis

Introduction

Traditional SCA flow (Non-profiled)

Question: did Eve actually recover the intermediate states x?

— Only found the most likely one from a predetermined list

Not a problem for SCA

— Focus on key recovery (Kerckhoffs's principle)

Pros

— The predetermined list (signal list) << whole signal space

— SCA works when SNR<<1

— Efficient key recovery

Page 47: Ridge-based Profiled Differential Power Analysis

Introduction

Traditional SCA flow (Non-profiled)

Cons

— The key guess space should be small

— Known plaintext/ciphertext, known encryption algorithms

Page 48: Ridge-based Profiled Differential Power Analysis

Introduction

Traditional SCA flow (Non-profiled)

Limitations: only works for the first/last few rounds

— The related key guess space is too large for SCA

E.g., in AES, the first/last two rounds are protected

[Figure: the same guess-and-determine flow diagram (Eve; Encryption Algorithm; Plaintext; Key Guess List; Signal List; Intermediate States; (Assumed) Leakage Model M; Expected Leakages; Actual Leakage; Most likely key guess k), annotated "Too large".]

Page 49: Ridge-based Profiled Differential Power Analysis

Introduction

Traditional SCA flow (Non-profiled)

Limitations: Side Channel Analysis for Reverse Engineering

— Cannot compute the intermediate states

[Figure: the same guess-and-determine flow diagram (Eve; Encryption Algorithm; Plaintext; Key Guess List; Signal List; Intermediate States; (Assumed) Leakage Model M; Expected Leakages; Actual Leakage; Most likely key guess k), annotated "Unknown".]

Page 50: Ridge-based Profiled Differential Power Analysis

Introduction

A New Model (Non-profiled)

Directly exploit the leakages, without the pre-determined list

A much harder problem

— Signal List << Signal Space

— A preliminary attempt in this direction

[Figure: the new model. Labels: Eve; Actual Leakage l(1), …, l(T); (Assumed) Leakage Model M; Intermediate States x* = x*_1, …, x*_T; Most likely key guess k.]

Page 51: Ridge-based Profiled Differential Power Analysis

Introduction

Notes on profiled attacks

Much stronger pre-conditions

— The attacker gets an identical encryption device

Build templates

Perform template matching

— Works even if T=1 (in theory)

— Reverse the intermediate states without key guesses

Not always appropriate

— Power Variability Issues [Renauld, M., et al., EUROCRYPT 2011]

We only focus on non-profiled attacks in this paper

[Figure: profiled attack flow. Labels: Eve; Actual Leakage l(1), …, l(T); Templates Tp; Intermediate States x* = x*_1, …, x*_T; Most likely key guess k.]

Page 53: Ridge-based Profiled Differential Power Analysis

Preliminaries

Blind Source Separation (BSS)

n people were talking simultaneously

m microphones placed in different positions

all records can be regarded as linear mixtures of the original conversations

source from http://slsp.kaist.ac.kr/xe/?mid=BSS

Page 54: Ridge-based Profiled Differential Power Analysis

Preliminaries

Blind Source Separation (BSS)

unknown sources: n conversations

unknown mix matrix: the mix features of m microphones

Page 55: Ridge-based Profiled Differential Power Analysis

Preliminaries

Independent Component Analysis (ICA)

Blind sources S=(s1,s2,…,sn)

Linear mix matrix A

m observations Y=(y1,y2,…,ym)

Y=A*S+N (N represents the noise)

Goal: recover S from Y

Page 56: Ridge-based Profiled Differential Power Analysis

Preliminaries

Independent Component Analysis (ICA)

ICA assumptions

— Independence: the sources are independent of each other

— Non-Gaussian: the distributions of the blind sources are not Gaussian

— n ≤ m

ICA algorithms

— Many popular algorithms

— Not “that” different, use FastICA in this paper

Page 58: Ridge-based Profiled Differential Power Analysis

ICA-based signal recovery

ICA versus SCA: Similarities

n-bit intermediate state X

Assume the leakage satisfies the weighted Hamming Weight model

Page 59: Ridge-based Profiled Differential Power Analysis

ICA-based signal recovery

ICA versus SCA: Differences

Number of observations: m vs. 1

Level of noise: low vs. high

0 1 1( ) n nL x x x

Page 60: Ridge-based Profiled Differential Power Analysis

ICA-based signal recovery

Constructing multi-channel observations

XOR constant

— If a binary source s is XORed with a constant k, the resultant source s′ is

s′ = s if k = 0, and s′ = 1 − s if k = 1

— XORing with 1 is equivalent to flipping the signal's sign

— Move the sign to the leakage function

— Different leakage functions → Multi-channel observations

Page 61: Ridge-based Profiled Differential Power Analysis

ICA-based signal recovery

Constructing multi-channel observations

XOR constant

[Figure: whitening transformation. Labels: real source s ∈ {0, 1} → whitening transformation → s* ∈ {−1, 1}; equivalent source s′ = s ⊕ 1 ∈ {1, 0} → whitening transformation → s*′ ∈ {1, −1}; × (−1); ICA ambiguity; leakage function L.]
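
The sign move described on the two slides above, written out as an added derivation that is not part of the original deck. Assumed notation: $\alpha_0, \dots, \alpha_n$ for the weights of the weighted Hamming Weight model, and $x_i^{*} = 2x_i - 1$ for the ±1 form of bit $x_i$.

$$
\begin{aligned}
L(x) &= \alpha_0 + \sum_{i=1}^{n} \alpha_i x_i
      = \Big(\alpha_0 + \tfrac{1}{2}\sum_{i=1}^{n}\alpha_i\Big) + \tfrac{1}{2}\sum_{i=1}^{n}\alpha_i\, x_i^{*},\\
(x_i \oplus k_i)^{*} &= (-1)^{k_i}\, x_i^{*},\\
L(x \oplus k) &= \Big(\alpha_0 + \tfrac{1}{2}\sum_{i=1}^{n}\alpha_i\Big) + \tfrac{1}{2}\sum_{i=1}^{n}(-1)^{k_i}\alpha_i\, x_i^{*}.
\end{aligned}
$$

Each constant k leaves the sources $x^{*}$ unchanged and only flips the signs of the mixing weights, so measurements taken under m different constants supply m rows of the mix matrix A in Y=A*S+N.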

Page 62: Ridge-based Profiled Differential Power Analysis

ICA-based signal recovery

Noise tolerance

Noise affects the performance of ICA

— ICA usually works in cases where SNR>>1

— For application in SCA, we need a more robust algorithm

Ignored feature in ICA

— The distribution of the sources is given: binary signals

— The prior distribution can make ICA more robust to noise

— EM-ICA: specialized for discrete sources with random noise, using the Expectation-Maximization algorithm [Belouchrani, Cardoso 1994]

Page 63: Ridge-based Profiled Differential Power Analysis

ICA-based signal recovery

Specialized ICA for SCA

A specialized ICA based on EM-ICA

Page 65: Ridge-based Profiled Differential Power Analysis

Applications in SCA

Experimental Setting

Target Implementation

— Unprotected software implementation of DES

— 8 bit microprocessor (IC card)

Measurement

— LeCroy WaveRunner 610Zi oscilloscope

— Sampling at 20 MSa/s, 80 000 sample points per trace (first 3 rounds)

— 20 000 traces

Extra property

— Perform P bit-by-bit

— Bit-wise leakage: natural multi-channel observations

Page 66: Ridge-based Profiled Differential Power Analysis

Applications in SCA

New SCA distinguisher

Attack one of the Sboxes in the first round

— Recover the intermediate states X_r from ICA

— Compute the Sbox outputs X_k with key guess k

— Find the correct key through comparing the distance between X_k and X_r

[Figure: DES round structure. Labels: IP; L0, R0; E, S, P; K1; L1, R1; E, S, P; K2; …; X_r; X_k.]

Page 67: Ridge-based Profiled Differential Power Analysis

Applications in SCA

New SCA distinguisher

Attack one of the Sboxes in the first round

— Key rank: CPA (HW) vs. ICA

Page 68: Ridge-based Profiled Differential Power Analysis

Applications in SCA

Extending SCA to the Middle Rounds

Recovering the 8 Sboxes’ outputs in the second round

— 4-bit outputs, n=4

— The success rate of an ICA recovery

[Figure: DES round structure. Labels: IP; L0, R0; E, S, P; K1; L1, R1; E, S, P; K2; …; X_r; Correct signal.]

Page 69: Ridge-based Profiled Differential Power Analysis

Applications in SCA

Extending SCA to the Middle Rounds

Recovering the 8 Sboxes’ outputs in the second round

— 80% success rate is usually more than enough for round-reduced key-recovery

Page 70: Ridge-based Profiled Differential Power Analysis

Applications in SCA

Reverse Engineering on Sbox

A customized DES with secret Sboxes

— Attacker controls the plaintext

— Attacker knows IP and E

— The secret key is embedded in the secret Sbox

— Traditional non-profiled SCA does not work (secret Sbox)

— Attacker can choose several leakage points

'( ) ( )S x S x k

Page 71: Ridge-based Profiled Differential Power Analysis

Applications in SCA

Reverse Engineering on Sbox

A customized DES with secret Sboxes

— Leakage point selection:

Manually pick

Linear Discriminant Analysis (LDA)

— Linear Discriminant Analysis

Does not need precise points, only an approximate range

Better recovery with larger trace sets

Not suitable when the number of traces is smaller than the range of interest

Page 72: Ridge-based Profiled Differential Power Analysis

Applications in SCA

Reverse Engineering on Sbox

A customized DES with secret Sboxes

Page 73: Ridge-based Profiled Differential Power Analysis

Applications in SCA

Reverse Engineering on Feistel Round Function

A customized Feistel cipher (both S and P are altered)

— Attacker controls the plaintext

— Attacker knows IP and E

— The first Sbox’s input in the second round

The 6 least significant bits of E

First round function Initial state after IP

Page 74: Ridge-based Profiled Differential Power Analysis

Applications in SCA

Reverse Engineering on Feistel Round Function

A customized Feistel cipher (both S and P are altered)

— Build observations with our XOR constant method

Choose L0 so that E0(L0)={0x01,0x02,0x04,0x08,0x10,0x20}

Randomly pick a T-length signal R0

Measure the leakages for each (E0,R0)

Repeat 10 times, randomly picking other bits in L0

XOR constant secret signal

Page 75: Ridge-based Profiled Differential Power Analysis

Applications in SCA

Reverse Engineering on Feistel Round Function

A customized Feistel cipher (both S and P are altered)

Page 77: Ridge-based Profiled Differential Power Analysis

Summary

SCA ≠ guess-and-determine

Directly recover the secret intermediate states without any key guess

— Proposed an ICA-based SCA

Construct multi-channel observations with XOR constant

Utilize the prior distribution with EM-ICA

— New possibilities in non-profiled SCA

Attacking the middle round’s encryption

Reverse engineering with fewer restrictions

A promising tool in the future?

— Needs more research effort

Page 78: Ridge-based Profiled Differential Power Analysis

Thanks for your attention!