Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model 1.

Slides:

Advertisements

Similar presentations

Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.

Advertisements

The Mechanical Cryptographer (Tolerant Algebraic Side-Channel Attacks using pseudo-Boolean Solvers) 1.

Chaff: Engineering an Efficient SAT Solver Matthew W.Moskewicz, Concor F. Madigan, Ying Zhao, Lintao Zhang, Sharad Malik Princeton University Presenting:

VSMC MIMO: A Spectral Efficient Scheme for Cooperative Relay in Cognitive Radio Networks 1.

Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.

An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology

Statistical Tools Flavor Side-Channel Collision Attacks

Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK

Practical Template-Algebraic Side Channel Attacks with Extremely Low Data Complexity 1.

Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS Singapore.

Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.

Strong Error Detection for Control Units Against Advanced Attackers Kahraman Daglar Akdemir Advisor: Berk Sunar Electrical and Computer Engineering MOTIVATION.

Asymptotic Enumerators of Protograph LDPCC Ensembles Jeremy Thorpe Joint work with Bob McEliece, Sarah Fogal.

RAPTOR CODES AMIN SHOKROLLAHI DF Digital Fountain Technical Report.

Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.

Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.

Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.

Ch 1.4 – Equations & Inequalities

Linear Systems The definition of a linear equation given in Chapter 1 can be extended to more variables; any equation of the form for real numbers.

Algebra 1 - Chapter 2 Test.

Step 1: Simplify Both Sides, if possible Distribute Combine like terms Step 2: Move the variable to one side Add or Subtract Like Term Step 3: Solve for.

Introduction Two equations that are solved together are called systems of equations. The solution to a system of equations is the point or points that.

Repairable Fountain Codes Megasthenis Asteris, Alexandros G. Dimakis IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 32, NO. 5, MAY /5/221.

A Secure Protocol for Computing Dot-products in Clustered and Distributed Environments Ioannis Ioannidis, Ananth Grama and Mikhail Atallah Purdue University.

Linear Fault Analysis of Block Ciphers Zhiqiang Liu 1, Dawu Gu 1, Ya Liu 1, Wei Li 2 1. Shanghai Jiao Tong University 2. Donghua University ACNS 2012 June.

Template attacks Suresh Chari, Josyula R. Rao, Pankaj Rohatgi IBM Research.

Lecture 5-6 The RSA and Rabin Algorithms. The possibility of the public key cryptosystem was first publicly suggested by Diffie and Hellman. However,

Application of Finite Geometry LDPC code on the Internet Data Transport Wu Yuchun Oct 2006 Huawei Hisi Company Ltd.

My talk describes how the detailed error diagnosis and the automatic solution procedure of problem solving environment T-algebra can be used for automatic.

Cryptanalysis of the Stream Cipher DECIM Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven ESAT/COSIC.

1.4 Solving Equations ●A variable is a letter which represents an unknown number. Any letter can be used as a variable. ●An algebraic expression contains.

Major objective of this course is: Design and analysis of modern algorithms Different variants Accuracy Efficiency Comparing efficiencies Motivation thinking.

Attacking Cryptographic Schemes Based on ‘Perturbation Polynomials’ Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.

3.1 You should be able to solve one-step equations using algebra. Solve for x.

Sliding Windows Succumbs to Big Mac Attack Colin D. Walter

Real-Time Turbo Decoder Nasir Ahmed Mani Vaya Elec 434 Rice University.

Bell Work: Find the equation of the line that passes through the point (2,3) and has a slope of -2/5.

Fast Query-Optimized Kernel Machine Classification Via Incremental Approximate Nearest Support Vectors by Dennis DeCoste and Dominic Mazzoni International.

9/28/12 - Simplify. 1. 2y + 4 – 3y – (2t + 1) + 10 = -1y – 1 = -14t + 3 HW check today! This is Sheet #2!

New Methods for Cost-Effective Side- Channel Attacks on Cryptographic RFIDs Chair for Embedded Security Ruhr University Bochum David Oswald Timo Kasper.

WISA 2007 Jeju Island, Korea, 27th – 29th Aug 2007 Longer Randomly Blinded RSA Keys may be Weaker than Shorter Ones Colin D. Walter

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer.

Solve 7n – 2 = 5n + 6. Example 1: Solving Equations with Variables on Both Sides To collect the variable terms on one side, subtract 5n from both sides.

Solve Equations With Variables on Both Sides. Steps to Solve Equations with Variables on Both Sides  1) Do distributive property  2) Combine like terms.

Block Ciphers and the Data Encryption Standard. Modern Block Ciphers  One of the most widely used types of cryptographic algorithms  Used in symmetric.

-1- UC San Diego / VLSI CAD Laboratory Optimal Reliability-Constrained Overdrive Frequency Selection in Multicore Systems Andrew B. Kahng and Siddhartha.

CHAPTER THREE: SYSTEMS OF LINEAR EQUATIONS AND INEQUALITIES ALGEBRA TWO Section Solving Systems of Linear Equations in Three Variables.

Accurate WiFi Packet Delivery Rate Estimation and Applications Owais Khan and Lili Qiu. The University of Texas at Austin 1 Infocom 2016, San Francisco.

Solving Weakened Cryptanalysis Problems for the Bivium Keystream Generator in the Volunteer Computing Project Oleg Zaikin, Alexander Semenov,

§ 2.3 Solving Linear Equations. Martin-Gay, Beginning and Intermediate Algebra, 4ed 22 Solving Linear Equations Solving Linear Equations in One Variable.

Yossi Oren, yos strudel bgu.ac.il, yossioren System Security Engineering course, Dec

Advanced Information Security 6 Side Channel Attacks

Inference and search for the propositional satisfiability problem

Oleg Zaikin, Alexander Semenov, Mikhail Posypkin

On the Size of Pairing-based Non-interactive Arguments

Algebra Bell-work 9/13/17 Turn in your HW! 1.) 7x – 6 = 2x + 9

Interleaver-Division Multiple Access on the OR Channel

Improved Practical Differential Fault Analysis of Grain-128

Ioannis Ioannidis, Ananth Grama and Ioannis Ioannidis

Solving Systems Using Substitution

Unknown Input Attacks in the Parallel Setting Improving the Security of the CHES 2012 Leakage Resilient PRF Marcel Medwed François-Xavier Standaert Ventzislav.

Solving Equations with variables on each side

Objective Solve equations in one variable that contain variable terms on both sides.

1.3 Vector Equations.

Resolution Proofs for Combinational Equivalence

- Finish Unit 1 test - Solving Equations variables on both sides

Coordinate Transformation in 3D Final Project Presentation

Solving Linear Equations and Inequalities

Objective Solve equations in one variable that contain variable terms on both sides.

Section Solving Linear Systems Algebraically

Presentation transcript:

Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model 1

Outline What is Template-TASCA? How do you use it?

Review: solvers and optimizers Solver Set of m logical statements over n variables x 1, …,x n Satisfying assignment Optimizer Goal function Optimal

Cryptanalysis using solvers Modern crypto is strong enough to withstand Algebraic Cryptanalysis using solvers [MM00] If we add side-channel information the key can be recovered quickly and efficiently [RS09] Physical limitations of the attack setup introduce errors which can be overcome by replacing solvers with optimizers [OKPW10] Massacci and Marraro, Journal of Automated Reasoning 2000 Oren, Kirschbaum, Popp and Wool, CHES 2010 Renauld and Standaert, INSCRYPT 2009

Our contributions We extend ASCA from a priori (HW) leakage model towards any profiled model The resulting attack methodology, called Template-TASCA (alt. Template-Set-ASCA), combines the low data complexity of algebraic attacks and the versatility of template attacks Our results apply both to solvers and to optimizers

Versatility of Template-TASCA 6 Secret Key Hamming weights Solver/ Optimizer Secret Key Power trace Template Decoder

Versatility of Template-TASCA 7 Secret Key Hamming weights Aposteriori probability vectors Template Decoder Solver/ Optimizer Power TraceEM TraceWhatever

Two cases of successful key recovery uC ungroupeduC grouped by HW ASIC ungroupedASIC grouped by HW

Solvers and Optimizers Solvers are fast, optimizers are versatile 9

Solvers and Optimizers Solvers cannot operate over the entire solution space (need additional heuristics) 10

Shopping list Device under test (DUT) Template decoder Optimizer (or solver) Cipher equations Leak equations

Start like template… In offline phase, create template decoders for many intermediate states In online phase, apply decoders to power trace, obtaining multiple aposteriori probability vectors

… end like TASCA Pass probability vectors, together with device description, to optimizer or solver The output will be the state (and key) which optimally matches the probabilities of all the intermediate values:

Summary Using Template-TASCA and Template- Set-ASCA, crypto devices can be attacked with very low data complexity Any leak can be used, as long as a “soft decoder” exists for it This is theoretically a very strong attack – can it have impact on real world devices? 14

Thank you! 15

The Information-Robustness Tradeoff 16

Measurement Space 17 Precise measurement Actual measurement

The Harsh Reality of Power Analysis The side channel traces have errors Equation set with errors causes unsatisfiability Compensating for errors causes intractability 18

Decoder does not have to be very good! In our experiment: – Ensemble of 100 decoders for intermediate bytes – Average rank of correct byte in decoder output: 14/256 – Worst-case rank of correct byte: 90/256 – Success rate: 100% Template Decoder