No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
Faster Leakage Detection and Exploitation
Abstract
Higher-order side-channel analysis has become very widespread due to the popularity of side channel countermeasures. However, these analysis methods become increasingly expensive in terms of computation time if the attacker has no prior knowledge about when leakage occurs. In many realistic scenarios, the attacker only has a global trigger signal, resulting in long leakage traces. Long traces result in very long analysis time, since the computational complexity of analysis grows in polynomial of the trace length with degree d+1 of the order of the attack. In this paper, we propose a novel, intuitive, yet efficient algorithm that trades the abundance in the number of leakage traces and the signal-to-noise ratio into computational efficiency during processing. The proposed algorithm reaches an exponential improvement of O(log(N)) for the processing time, where N is the number of samples in the trace. The algorithm can be naturally extended to higher-order attacks reducing the complexity from O(N{d+1}) to O(N{d}log(N)).
ResearchGate has not been able to resolve any citations for this publication.
Second-order side-channel attacks are used to break �rst-order
masking protections. A practical reason which often limits the e�ciency of
second-order attacks is the temporal localisation of the leaking samples. Several
leakage samples must be combined which means high computational power. For
second-order attacks, the computational complexity is quadratic. At CHES '04,
Waddle and Wagner introduced attacks with complexity O(n log2 n) on hard-
ware traces, where n is the window size, by working on traces auto-correlation.
Nonetheless, the two samples must belong to the same window which is (nor-
mally) not the case for software implementations. In this article, we introduce
preprocessing tools that improve the e�ciency of bi-variate attacks (while
keeping a complexity of O(n log2 n)), even if the two samples that leak are far
away one from the other (as in software). We put forward two main improve-
ments. Firstly, we introduce a method to avoid loosing the phase information.
Next, we empirically notice that keeping the analysis in the frequency domain
can be bene�cial for the attack. We apply these attacks in practice on real
measurements, publicly available under the DPA Contest v4, to evaluate the
proposed techniques. An attack using a window as large as 4000 points is able
to reveal the key in only 3000 traces where a �rst-order CPA fails in 100K
traces.
Differential power analysis is a powerful cryptanalytic technique that exploits information leaking from physical implementations
of cryptographic algorithms. During the two last decades, numerous variations of the original principle have been published.
In particular, the univariate case, where a single instantaneous leakage is exploited, has attracted much research effort.
In this paper, we argue that several univariate attacks among the most frequently used by the community are not only asymptotically
equivalent, but can also be rewritten one in function of the other, only by changing the leakage model used by the adversary.
In particular, we prove that most univariate attacks proposed in the literature can be expressed as correlation power analyses
with different leakage models. This result emphasizes the major role plays by the model choice on the attack efficiency. In
a second point of this paper, we hence also discuss and evaluate side channel attacks that involve no leakage model but rely
on some general assumptions about the leakage. Our experiments show that such attacks, named robust, are a valuable alternative
to the univariate differential power analyses. They only loose bit of efficiency in case a perfect model is available to the
adversary, and gain a lot in case such information is not available.
KeywordsSide channel attack–Correlation–Regression–Model
In this article we describe an improved concept for second-order differential-power analysis (DPA) attacks on masked smart
card implementations of block ciphers. Our concept allows to mount second-order DPA attacks in a rather simple way: a second-order
DPA attack consists of a pre-processing step and a DPA step. Therefore, our way of performing second-order DPA attacks allows
to easily assess the number of traces that are needed for a successful attack. We give evidence on the effectiveness of our
methodology by showing practical attacks on a masked AES smart card implementation. In these attacks we target inputs and
outputs of the SubBytes operation in the first encryption round.
The fair evaluation and comparison of side-channel attacks and countermeasures has been a long standing open question, limiting further developments in the field. Motivated by this challenge, this work proposes a framework for the analysis of cryptographic implementations that includes a theoretical model and an application methodology. The model is based on weak and commonly accepted hypotheses about side- channels that computations give rise to. It allows quantifying the effect of practically relevant leakage functions with a combination of security and information theoretic metrics, respectively measuring the quality of an implementation and the strength of an adversary. From a theoretical point of view, we demonstrate formal connections between these metrics and discuss their intuitive meaning. From a practical point of view, the model implies a unified methodology for the analysis of side-channel key recovery. The proposed solution allows getting rid of most of the subjective parameters that were limiting previous specialized and often ad hoc approaches in the evaluation of physically observable devices. It typically determines the extent to which basic (but practically essential) questions such as "How to compare two implementations?" or "How to compare two side-channel adversaries?" can be fairly answered.
The Mutual Information Analysis (MIA) is a generic side-channel distinguisher that has been introduced at CHES 2008. This
paper brings three contributions with respect to its applicability to practice. First, we emphasize that the MIA principle
can be seen as a toolbox in which different (more or less effective) statistical methods can be plugged in. Doing this, we
introduce interesting alternatives to the original proposal. Second, we discuss the contexts in which the MIA can lead to
successful key recoveries with lower data complexity than classical attacks such as, e.g. using Pearson’s correlation coefficient. We show that such contexts exist in practically meaningful situations and analyze
them statistically. Finally, we study the connections and differences between the MIA and a framework for the analysis of
side-channel key recovery published at Eurocrypt 2009. We show that the MIA can be used to compare two leaking devices only
if the discrete models used by an adversary to mount an attack perfectly correspond to the physical leakages.
We present a statistical test for detecting information leaks in systems with continuous outputs. We use continuous mutual information to detect the information leakage from trial runs of a probabilistic system. It has been shown that there is no universal rate of convergence for sampled mutual information, however when the leakage is zero, and under some reasonable conditions, we establish a rate for the sampled estimate, and show that it can converge to zero very quickly. We use this result to develop a statistical test for information leakage, and we use our new test to analyse a number of possible fixes for a time-based information leak in e-passports. We compare our new test with existing statistical methods, and we find that our test outperforms these other tests in almost all cases, and in one case in particular, ours is the only statistical test that can detect an information leak.
Security devices are vulnerable to side-channel attacks that perform statistical analysis on data leaked from cryptographic computations. Higher-order (HO) attacks are a powerful approach to break protected implementations. They inherently demand multivariate statistics because multiple aspects of signals have to be analyzed jointly. However, most works on HO attacks follow the approach to first apply a pre-processing function to map the multivariate problem to a univariate problem and then to apply established 1st
order techniques. We propose a novel and different approach to HO attacks, Multivariate Mutual Information Analysis (MMIA), that allows to directly evaluate joint statistics without pre-processing. While this approach can benefit from a good power model, it also works without an assumption. We present the first experimental results for 2nd
and 3rd
order MMIA as well as state-of-the-art HO attacks based on real measurements. A thorough empirical evaluation confirms the advantage of the new approach: 3rd
order MMIA attacks require about 800 measurements to achieve 100% success while state-of-the-art HODPA requires 1000 measurements to achieve about 40% success. As a consequence, the security provided by the masking countermeasure needs to be reconsidered as 3rd
and possibly higher order attacks become more practical.
Second order Differential Power Analysis (2O-DPA) is a powerful side-channel attack that allows an attacker to bypass the widely used masking countermeasure. To thwart 2O-DPA, higher order masking may be employed but it implies a nonnegligible overhead. In this context, there is a need to know how efficient a 2O-DPA can be, in order to evaluate the resistance of an implementation that uses first order masking and, possibly, some hardware countermeasures. Different methods of mounting a practical 2O-DPA attack have been proposed in the literature. However, it is not yet clear which of these methods is the most efficient. In this paper, we give a formal description of the higher order DPA that are mounted against software implementations. We then introduce a framework in which the attack efficiencies may be compared. The attacks we focus on involve the combining of several leakage signals and the computation of correlation coefficients to discriminate the wrong key hypotheses. In the second part of this paper, we pay particular attention to 2O-DPA that involves the product combining or the absolute difference combining. We study them under the assumption that the device leaks the Hamming weight of the processed data together with an independent Gaussian noise. After showing a way to improve the product combining, we argue that in this model, the product combining is more efficient not only than absolute difference combining, but also than all the other combining techniques proposed in the literature.
Under a simple power leakage model based on Hamming weight, a software implementation of a data-whitening routine is shown to be vulnerable to a first-order Differential Power Analysis (DPA) attack. This routine is modified to resist the first-order DPA attack, but is subsequently shown to be vulnerable to a second-order DPA attack. A second-order DPA attack that is optimal under certain assumptions is also proposed. Experimental results in an ST16 smartcard confirm the practicality of the first and second-order DPA attacks.
A popular effective countermeasure to protect block cipher implementations against differential power analysis (DPA) attacks is to mask the internal operations of the cryptographic algorithm with random numbers. While the masking technique resists against first-order (univariate) DPA attacks, higher-order (multivariate) attacks were able to break masked devices. In this paper, we formulate a statistical model for higher-order DPA attack. We derive an analytic success rate formula that distinctively shows the effects of algorithmic confusion property, signal-noise-ratio (SNR), and masking on leakage of masked devices. It further provides a formal proof for the centered product combination function being optimal for higher-order attacks in very noisy scenarios. We believe that the statistical model fully reveals how the higher-order attack works around masking, and would offer good insights for embedded system designers to implement masking techniques.
The development of a leakage detection testing methodology for the side-channel resistance of cryptographic devices is an issue that has received recent focus from standardisation bodies such as NIST. Statistical techniques such as hypothesis and significance testing appear to be ideally suited for this purpose. In this work we evaluate the candidacy of three such detection tests: a t-test proposed by Cryptography Research Inc., and two mutual information-based tests, one in which data is treated as continuous and one as discrete. Our evaluation investigates three particular areas: statistical power, the effectiveness of multiplicity corrections, and computational complexity. To facilitate a fair comparison we conduct a novel a priori statistical power analysis of the three tests in the context of side-channel analysis, finding surprisingly that the continuous mutual information and t-tests exhibit similar levels of power. We also show how the inherently parallel nature of the continuous mutual information test can be leveraged to reduce a large computational cost to insignificant levels. To complement the a priori statistical power analysis we include two real-world case studies of the tests applied to software and hardware implementations of the AES.
Masking on the algorithm level, i.e. concealing all sensitive intermediate values with random data, is a popular countermeasure against DPA attacks. A properly implemented masking scheme forces an attacker to apply a higher-order DPA attack. Such attacks are known to require a number of traces growing exponentially in the attack order, and computational power growing combinatorially in the number of time samples that have to be exploited jointly. We present a novel technique to identify such tuples of time samples before key recovery, in black-box conditions and using only known inputs (or outputs). Attempting key recovery only once the tuples have been identified can reduce the computational complexity of the overall attack substantially, e.g. from months to days. Experimental results based on power traces of a masked software implementation of the AES confirm the effectiveness of our method and show exemplary speed-ups.
Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.Keywordsdifferential power analysisDPASPAcryptanalysisDES
KeeLoq remote keyless entry systems are widely used for access control purposes such as garage openers or car door systems. We present
the first successful differential power analysis attacks on numerous commercially available products employing KeeLoq code hopping. Our new techniques combine side-channel cryptanalysis with specific properties of the KeeLoq algorithm. They allow for efficiently revealing both the secret key of a remote transmitter and the manufacturer key stored
in a receiver. As a result, a remote control can be cloned from only ten power traces, allowing for a practical key recovery
in few minutes. After extracting the manufacturer key once, with similar techniques, we demonstrate how to recover the secret
key of a remote control and replicate it from a distance, just by eavesdropping on at most two messages. This key-cloning
without physical access to the device has serious real-world security implications, as the technically challenging part can
be outsourced to specialists. Finally, we mount a denial of service attack on a KeeLoq access control system. All proposed attacks have been verified on several commercial KeeLoq products.
The recently proposed multiplicative masking countermeasure against power analysis attacks on AES is interesting as it does not require the costly recomputation and RAM storage of S-boxes for every run of AES. This is important for applications where the available space is very limited such as the smart card applications. Unfortunately, it is here shown that this method is in fact inherently vulnerable to differential power analysis. However, it is also shown that the multiplicative masking method can be modified so as to provide resistance to differential power analysis of nonideal but controllable security level, at the expense of increased computational complexity. Other possible random masking methods are also discussed.
Since the announcement of the Differential Power Analysis (DPA) by Paul Kocher and al., several countermeasures were proposed in order to protect software implementations of cryptographic algorithms. In an attempt to reduce the resulting memory and execution time overhead, Thomas Messerges recently proposed a general method that "masks" all the intermediate data. This masking strategy is possible if all the fundamental operations used in a given algorithm can be rewritten with masked input data, giving masked output data. This is easily seen to be the case in classical algorithms such as DES or RSA. However, for algorithms that combine Boolean and arithmetic functions, such as IDEA or several of the AES candidates, two different kinds of masking have to be used. There is thus a need for a method to convert back and forth between Boolean masking and arithmetic masking. In the present paper, we show that the `BooleanToArithmetic' algorithm proposed by T. Messerges is not sufficient to prevent Differential Power Analysis. In a similar way, the 'ArithmeticToBoolean' algorithm is not secure either.
Viable cryptosystem designs must address power analysis attacks, and masking is a commonly proposed technique for defending against these side-channel attacks. It is possible to overcome simple masking by using higher-order techniques, but apparently only at some cost in terms of generality, number of required samples from the device being attacked, and computational complexity. We make progress towards ascertaining the significance of these costs by exploring a couple of attacks that attempt to efficiently employ second-order techniques to overcome masking. In particular, we consider two variants of second-order differential power analysis: Zero-Offset 2DPA and FFT 2DPA.
Under a simple power leakage model based on Hamming weight, a software implementation of a data-whitening routine is shown to be vulnerable to a first-order Differential Power Analysis (DPA) attack. This routine is modified to resist the first-order DPA attack, but is subsequently shown to be vulnerable to a second-order DPA attack. A second-order DPA attack that is optimal under certain assumptions is also proposed. Experimental results in an ST16 smartcard confirm the practicality of the first and second-order DPA attacks.
We introduce the use of multivariate Gaussian mixture models for enhancing higher-order side channel analysis on masked cryptographic
implementations. Our contribution considers an adversary with incomplete knowledge at profiling, i.e., the adversary does
not know random numbers used for masking. At profiling, the adversary observes a mixture probability density of the side channel
leakage. However, the EM algorithm can provide estimates on the unknown parameters of the component densities using samples
drawn from the mixture density. Practical results are presented and confirm the usefulness of Gaussian mixture models and
the EM algorithm. Especially, success rates obtained by automatic classification based on the estimates of the EM algorithm
are very close to success rates of template attacks.
Since the announcement of the Differential Power Analysis (DPA) by Paul Kocher and al., several countermeasures were proposed in order to protect software implementations of cryptographic algorithms. In an attempt to reduce the resulting memory and execution time overhead, Thomas Messerges recently proposed a general method that “masks” all the intermediate data. This masking strategy is possible if all the fundamental operations used in a given algorithm can be rewritten with masked input data, giving masked output data. This is easily seen to be the case in classical algorithms such as DES or RSA. However, for algorithms that combine Boolean and arithmetic functions, such as IDEA or several of the AES candidates, two different kinds of masking have to be used. There is thus a need for a method to convert back and forth between Boolean masking and arithmetic masking. In the present paper, we show that the ‘BooleanToArithmetic’ algorithm proposed by T. Messerges is not sufficient to prevent Differential Power Analysis. In a similar way, the ‘ArithmeticToBoolean’ algorithm is not secure either.
. Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information. Keywords: differential power analysis, DPA, SPA, cryptanalysis, DES 1 Background Attacks that involvemultiple parts of a security system are difficult to predict and model. If cipher designers, software developers, and hardware engineers do not understand or review each other's work, security assumptions made at each level of a system's design may be incomplete or unrealistic. As a result, security faults often involveunanticipated interactions between components designed by different people. Manytechniques ...
A Testing Methodology for Side-Channel Resistance Validation
- Gilbert Goodwill
- B J Jaffe
- J Rohatgi
Rijndael Furious. Implementation. http://point-at-infinity.org/avraes
- B Poettering
Side Channel Leakage Analysis
- X Ye