Ridge-based Profiled Differential Power Analysis

SESSION ID:SESSION ID:
#RSAC
Yu Yu
Ridge-based Profiled Differential Power
Analysis
CRYP-F01
Research Professor
Shanghai Jiao Tong University

#RSAC
Outline
2
Introduction
(Profiled) Differential power analysis
Profiling phase
Exploitation phase
Our contributions
Ridge-based profiling
Theoretical analysis
Why and how is ridge-based profiling better?
How the coefficients shrink in the ridge-based profiling?
Experimental Results
Simulation-based experiments
Experiments on real FPGA implementation

#RSAC
Outline
3
Introduction
Profiling phase
Exploitation phase
Our contributions

#RSAC
(profiled) Difference power analysis
4
Two phases:
profiling
Exploitation
Leakage of :
L(·) is leakage function
Power model :
xz
L( )z xT z
M()
M( ) L( )x xz z
M( )z xT z

#RSAC
Outline
5
Introduction
Profiling phase
Exploitation phase
Our contributions

#RSAC
Classical profiling
6
The leakage follows Gaussian distribution:
For each intermediate variable z: The adversary finds sample mean
and the sample covariance .
Sample mean is obtained by averaging the power consumptions
corresponding to intermediate variable z.
To accelerate the profiling: we can assume the sample covariance
are identical for all the intermediate variable.
z zM( ) (N ), µz
z
ˆµ
z
ˆ
z
ˆ

#RSAC
Pro and con of LR-based profiling
9

#RSAC
Outline
10
Introduction
Profiling phase
Exploitation phase
Our contributions

#RSAC
Outline
12
Introduction
Profiling phase
Exploitation phase
Our contributions

#RSAC
Our contributions
13
(to mitigate the overfitting issue) New profiling method based on
ridge-regression
An optimized parameter find method based on cross-validation
Theoretical analysis of the new method’s improvement
Simulation based and practical experiments

#RSAC
Outline
14
Introduction
Profiling phase
Exploitation phase
Our contributions

#RSAC
Construction of ridge-based profiling
15

#RSAC
Parameter optimization
16

#RSAC
Optimized parameter is related to the noise level
17
simulation-based experiment
trace number = 2000

#RSAC
Outline
18
Introduction
Profiling phase
Exploitation phase
Our contributions

#RSAC
Variance of the coefficients
19

#RSAC
20
Figure: The variances of the coefficients for degrees (of the model) and λ. The
left and right figures correspond to the cases for d = 1 and d = 2 respectively.

#RSAC
21
Figure: The variances of the coefficients for degrees (of the model) and λ. The
left and right figures correspond to the cases for d = 4 and d = 8 respectively.

#RSAC
Outline
22
Introduction
Profiling phase
Exploitation phase
Our contributions

#RSAC
How the coefficients shrink in the ridge-based
profiling?
23

#RSAC
Outline
24
Introduction
Profiling phase
Exploitation phase
Our contributions

#RSAC
Setup
25
Profiling methods:
ridge-based profiling
LR-based profiling
classical profiling
Target intermediate variable: output of AES-128’s first S-box of the
first round.
Univariate leakage.
Different degrees and randomized coefficients.
Metrics: perceived Information, guessing entropy.

#RSAC
A comparison of different profilings for leakage
degree 8
26

#RSAC
degree 4
27

#RSAC
degree 1
28

#RSAC
A comparison of different profilings for with
‘conservatively’ degree of model
29
The adversary may have no knowledge about the actual degree of the
leakage function.
He can use the model whose degree is higher than the one of the
leakage function.
We simulate the traces with leakage functions of degrees 1 and 2 and
then conduct the above experiments assuming a model of degree 4
for profiling.

#RSAC
Degrees of leakage function and model are 1 and
4 respectively
30

#RSAC
Degrees of leakage function and model are 2 and
4 respectively
31

#RSAC
Outline
32
Introduction
Profiling phase
Exploitation phase
Our contributions

#RSAC
Practical experiments
33
test board:
SAKURA-X
oscilloscope:
LeCroy
waverunner
610Zi

#RSAC
Second setting (robust profiling)
35

#RSAC
Summary
36
Ridge-based profiling can save significant factors in the number of traces
they need to build a satisfying leakage model:
Better performance for nonlinear leakage functions.
Time complexity: equal to the one of LR-based profiling.
Robust profiling.

SESSION ID:SESSION ID:
#RSAC
Si Gao
My Traces Learn What You Did in the
Dark: Recovering Secret Signals without
Key Guesses
CRYP-F01
PhD Student
Trusted Computing and Information Assurance Laboratory Institute of Software,
Chinese Academy of Sciences

#RSAC
Outline
Applications in SCA
ICA-based signal recovery
Preliminaries
Introduction
Summary

#RSAC
Introduction
Side Channel Analysis (SCA)
Exploit the computation leakages
— Leakages depend on the intermediate state

#RSAC
Introduction
Traditional SCA flow (Non-profiled)
Guess-and-determine
— Step 1: take a key guess
Eve
Encryption Algorithm
Plaintext
k1
k2
k3
.
.
.
kr
Key Guess List Signal List
.
.
.
.
Actual
Leakage
Most likely key
guess k
 1 1 1
(1),..., ( )k k kx x Tx
 2 2 2
(1),..., ( )k k kx x Tx
 (1),..., ( )r r rk k kx x Tx
 (1),..., ( )l l Tl
Intermediate States
(Assumed)
Leakage
Model
M
Expected
Leakages
   1 1 1
= ( (1)),..., ( ( ))k k kM M M Tx x x
   2 1 1
= ( (1)),..., ( ( ))k k kM M M Tx x x
   = ( (1)),..., ( ( ))r r rk k kM M M Tx x x
.
.
.
.

#RSAC
Introduction
Guess-and-determine
— Step 2: Compute the intermediate states from T plaintexts and the key guess
 Eg. The output of an AES Sbox, x=S(p⊕kg)
Eve
Plaintext
k1
k2
k3
.
.
.
kr
.
.
.
.
Actual
Leakage
Most likely key
guess k
 1 1 1
(1),..., ( )k k kx x Tx
 2 2 2
(1),..., ( )k k kx x Tx
 (1),..., ( )r r rk k kx x Tx
 (1),..., ( )l l Tl
Intermediate States
(Assumed)
Leakage
Model
M
Expected
Leakages
   1 1 1
= ( (1)),..., ( ( ))k k kM M M Tx x x
   2 1 1
= ( (1)),..., ( ( ))k k kM M M Tx x x
   = ( (1)),..., ( ( ))r r rk k kM M M Tx x x
.
.
.
.

#RSAC
Introduction
Guess-and-determine
— Step 3: Compute the expected leakages of the key guess
 Eg. The Hamming Weight model, where M(x)=HW(x)
Eve
Plaintext
k1
k2
k3
.
.
.
kr
.
.
.
.
Actual
Leakage
Most likely key
guess k
 1 1 1
(1),..., ( )k k kx x Tx
 2 2 2
(1),..., ( )k k kx x Tx
 (1),..., ( )r r rk k kx x Tx
 (1),..., ( )l l Tl
Intermediate States
(Assumed)
Leakage
Model
M
Expected
Leakages
   1 1 1
= ( (1)),..., ( ( ))k k kM M M Tx x x
   2 1 1
= ( (1)),..., ( ( ))k k kM M M Tx x x
   = ( (1)),..., ( ( ))r r rk k kM M M Tx x x
.
.
.
.

#RSAC
Introduction
Guess-and-determine
— Step 4: Finding out the most likely key guess
 Eg. In CPA, rank key guesses with Pearson's correlation coefficient
Eve
Plaintext
k1
k2
k3
.
.
.
kr
.
.
.
.
Actual
Leakage
Most likely key
guess k
 1 1 1
(1),..., ( )k k kx x Tx
 2 2 2
(1),..., ( )k k kx x Tx
 (1),..., ( )r r rk k kx x Tx
 (1),..., ( )l l Tl
Intermediate States
(Assumed)
Leakage
Model
M
Expected
Leakages
   1 1 1
= ( (1)),..., ( ( ))k k kM M M Tx x x
   2 1 1
= ( (1)),..., ( ( ))k k kM M M Tx x x
   = ( (1)),..., ( ( ))r r rk k kM M M Tx x x
.
.
.
.

#RSAC
Introduction
Question: did Eve actually recover the intermediate states x?
— Only found the most likely one from a predetermined list
Not a problem for SCA
— Focus on key recovery (Kerckhoffs's principle)
Pros
— The predetermined list (signal list) << whole signal space
— SCA works when SNR<<1
— Efficient key-recovery

#RSAC
Introduction
Cons
— The key guess space should be small
— Known plaintext/ciphertext, known encryption algorithms
Eve
Plaintext
k1
k2
k3
.
.
.
kr
Signal List
.
.
.
.
Actual
Leakage
Most likely key
guess k
 1 1 1
(1),..., ( )k k kx x Tx
 2 2 2
(1),..., ( )k k kx x Tx
 (1),..., ( )r r rk k kx x Tx
 (1),..., ( )l l Tl
Intermediate States
(Assumed)
Leakage
Model
M
Expected
Leakages
   1 1 1
= ( (1)),..., ( ( ))k k kM M M Tx x x
   2 1 1
= ( (1)),..., ( ( ))k k kM M M Tx x x
   = ( (1)),..., ( ( ))r r rk k kM M M Tx x x
.
.
.
.

#RSAC
Introduction
Limitations: only works for the first/last few rounds
— The related key guess space is too large for SCA
 Eg. In AES, the first/last two rounds are protected
Eve
Plaintext
k1
k2
k3
.
.
.
kr
.
.
.
.
Actual
Leakage
Most likely key
guess k
 1 1 1
(1),..., ( )k k kx x Tx
 2 2 2
(1),..., ( )k k kx x Tx
 (1),..., ( )r r rk k kx x Tx
 (1),..., ( )l l Tl
Intermediate States
(Assumed)
Leakage
Model
M
Expected
Leakages
   1 1 1
= ( (1)),..., ( ( ))k k kM M M Tx x x
   2 1 1
= ( (1)),..., ( ( ))k k kM M M Tx x x
   = ( (1)),..., ( ( ))r r rk k kM M M Tx x x
.
.
.
.
Too large

#RSAC
Introduction
Limitations: Side Channel Analysis for Reverse Engineering
— Cannot compute the intermediate states
Eve
Plaintext
k1
k2
k3
.
.
.
kr
.
.
.
.
Actual
Leakage
Most likely key
guess k
 1 1 1
(1),..., ( )k k kx x Tx
 2 2 2
(1),..., ( )k k kx x Tx
 (1),..., ( )r r rk k kx x Tx
 (1),..., ( )l l Tl
Intermediate States
(Assumed)
Leakage
Model
M
Expected
Leakages
   1 1 1
= ( (1)),..., ( ( ))k k kM M M Tx x x
   2 1 1
= ( (1)),..., ( ( ))k k kM M M Tx x x
   = ( (1)),..., ( ( ))r r rk k kM M M Tx x x
.
.
.
.
Unknown

#RSAC
Introduction
A New Model (Non-profiled)
Directly exploit the leakages, without the pre-determined list
A much harder problem
— Signal List<<Signal Space
— A preliminary attempt in this direction
Eve
Actual
Leakage
Most likely key
guess k
 (1),..., ( )l l Tl
Intermediate States
(Assumed)
Leakage
Model
M
    * * *
1 ,..., Tx x x

#RSAC
Introduction
Notes on profiled attacks
Much stronger pre-conditions
— The Attacker gets an identical encryption device
 Build templates
 Perform template matching
— Works even if T=1 (in theory)
— Reverse the intermediate states without key guesses
Not always appropriate
— Power Variability Issues [Renauld, M., et al EUROCRYPT 2011]
We only focus on non-profiled attacks in this paper
Eve
Actual
Leakage
Most likely key
guess k
 (1),..., ( )l l Tl
Intermediate States
Templates
Tp
    * * *
1 ,..., Tx x x

#RSAC
Preliminaries
Blind Source Separation (BSS)
n people were talking simultaneously
m microphones placed in different positions
all records can be regarded as linear mixtures of the original conversations
source from http://http://slsp.kaist.ac.kr/xe/?mid=BSS

#RSAC
Preliminaries
Blind Source Separation (BSS)
unknown sources：n conversations
unknown mix matrix：the mix features of m microphones

#RSAC
Preliminaries
Independent Component Analysis (ICA)
Blind sources S=(s1,s2,…,sn)
Linear mix matrix A
m observations Y=(y1,y2,…,ym)
Y=A*S+N (N represents the noise )
Goal: recover S from Y

#RSAC
Preliminaries
Independent Component Analysis (ICA)
ICA assumptions
— Independence: the sources are independent of each other
— Non-gaussian: the distribution of the blind sources are not gaussian
— n ≤ m
ICA algorithms
— Many popular algorithms
— Not “that” different, use FastICA in this paper

#RSAC
ICA versus SCA: Similarities
n bits intermediate state X
Assume the leakage s.t. the weighted Hamming Weight Model

#RSAC
ICA versus SCA: Differences
Number of observations: m v.s. 1
Level of Noise: low v.s. high
0 1 1( ) n nL x x x     

#RSAC
Constructing multi-channel observations
XOR constant
— If a binary source s is XORed with a constant k, the resultant source s′ is
— XOR 1 equals to flip the signal sign
— Move the sign to the leakage function
— Different leakage functions→ Multi-channel observations
0
'
1 1
k
k

 
 
s
s
s

#RSAC
Constructing multi-channel observations
XOR constant
Whitening Transformation
 0,1s
 *
1,1 s
2
0
1




Whitening Transformation
 ' 1 1,0  s s
 *
' 1, 1 s
( 1) 
ICA ambiguity
Leakage Function
L
Leakage Function
L
Real
source
Equivalent
source

#RSAC
Noise tolerance
Noise affects the performance of ICA
— ICA usually works in cases where SNR>>1
— For application in SCA, we need more robust algorithm
Ignored feature in ICA
— the distribution of the sources is given: binary signals
— the priori distribution can make ICA more robust to noise
— EM-ICA: specialized for discrete sources with random noise, using Expectation-
Maximization algorithm [Belouchrouni, Cardoso 1994]

#RSAC
Specialized ICA for SCA
A specialized ICA based on EM-ICA

#RSAC
Applications in SCA
Experimental Setting
Target Implementation
— Unprotected software implementation of DES
— 8 bit microprocessor (IC card)
Measurement
— LeCroy WaveRunner 610Zi oscilloscope
— Sampling at 20 MSa/s, 80 000 sample points per trace (first 3 rounds)
— 20 000 traces
Extra property
— Perform P bit-by-bit
— Bit-wise leakage Natural multi-channel observations

#RSAC
Applications in SCA
New SCA distinguisher
Attack one of the Sbox in the first round
— Recover the intermediate states from ICA
— Compute the Sbox outputs with key guess
— Find the correct key through
comparing the distance between and
k
X k
rX
k
XrX
L0 R0
IP
E
SP

L1 R1
E
SP

K1
K2
……
rX
k
X

#RSAC
Applications in SCA
New SCA distinguisher
Attack one of the Sbox in the first round
— Key rank: CPA (HW) v.s. ICA

#RSAC
Applications in SCA
Extending SCA to the Middle Rounds
Recovering the 8 Sboxes’ outputs in the second round
— 4-bit outputs, n=4
— The success rate of an ICA recovery
L0 R0
IP
E
SP

L1 R1
E
SP

K1
K2
……
rX
Correct signal

#RSAC
Applications in SCA
Extending SCA to the Middle Rounds
Recovering the 8 Sboxes’ outputs in the second round
— 80% success rate is usually more than enough for round-reduced key-recovery

#RSAC
Applications in SCA
Reverse Engineering on Sbox
A customized DES with secret Sboxes
— Attacker controls the plaintext
— Attacker knows IP and E
— The secret key is embedded in the secret Sbox
— Traditional non-profiled SCA does not work (secret Sbox)
— Attacker can choose several leakage points
'( ) ( )S x S x k 
L0 R0
IP
E
SP

L1 R1
E
SP

K1
K2
……
rX

#RSAC
Applications in SCA
— Leakage point selection:
 Manually pick
 Linear Discriminant Analysis (LDA)
— Linear Discriminant Analysis
 Do not need precise points, only an approximate range
 Better recovery with larger trace sets
 not suitable when the number of traces is smaller than the range of interest

#RSAC
Applications in SCA

#RSAC
Applications in SCA
Reverse Engineering on Feistel Round Function
A customized Feistel cipher (both S and P are altered)
— Attacker controls the plaintext
— Attacker knows IP and E
— The first Sbox’s input in the second round
The 6 least significant
bits of E
First round function Initial state after IP
L0 R0
IP
E
SP

L1 R1
E
SP

K1
K2
……
rX

#RSAC
Applications in SCA
— Build observations with our XOR constant method
 Choose L0 so that E0(L0)={0x01,0x02,0x04,0x08,0x10,0x20}
 Randomly picked a T-length signal R0
 Measure the leakages for each (E0,R0)
 Repeat 10 times, randomly pick other bits in L0
XOR constant secret signal
L0 R0
IP
E
SP

L1 R1
E
SP

K1
K2
……
rX

#RSAC
Applications in SCA

#RSAC
Summary
SCA ≠ guess-and-determine
Directly recover the secret intermediate states without any key guess
— Proposed an ICA-based SCA
 Construct multi-channel observations with XOR constant
 Utilize the priori distribution with EM-ICA
— New possibilities in non-profiled SCA
 Attacking the middle round’s encryption
 Reverse engineering with fewer restrictions
A promising tool in the future?
— Needs more research effort

#RSAC
Thanks for your attention!

Ridge-based Profiled Differential Power Analysis

Recommended

Recommended

More Related Content

What's hot

What's hot (16)

Similar to Ridge-based Profiled Differential Power Analysis

Similar to Ridge-based Profiled Differential Power Analysis (20)

More from Priyanka Aash

More from Priyanka Aash (20)

Recently uploaded

Recently uploaded (20)

Ridge-based Profiled Differential Power Analysis