Presentation is loading. Please wait.

Presentation is loading. Please wait.

Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model 1.

Published byBernard Allison Modified over 9 years ago

Similar presentations

Presentation on theme: "Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model 1."— Presentation transcript:

1 Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model 1

2 Outline What is Template-TASCA? How do you use it?

3 Review: solvers and optimizers Solver Set of m logical statements over n variables x 1, …,x n Satisfying assignment Optimizer Goal function Optimal

4 Cryptanalysis using solvers Modern crypto is strong enough to withstand Algebraic Cryptanalysis using solvers [MM00] If we add side-channel information the key can be recovered quickly and efficiently [RS09] Physical limitations of the attack setup introduce errors which can be overcome by replacing solvers with optimizers [OKPW10] Massacci and Marraro, Journal of Automated Reasoning 2000 Oren, Kirschbaum, Popp and Wool, CHES 2010 Renauld and Standaert, INSCRYPT 2009

5 Our contributions We extend ASCA from a priori (HW) leakage model towards any profiled model The resulting attack methodology, called Template-TASCA (alt. Template-Set-ASCA), combines the low data complexity of algebraic attacks and the versatility of template attacks Our results apply both to solvers and to optimizers

6 Versatility of Template-TASCA 6 Secret Key Hamming weights Solver/ Optimizer Secret Key Power trace Template Decoder

7 Versatility of Template-TASCA 7 Secret Key Hamming weights Aposteriori probability vectors Template Decoder Solver/ Optimizer Power TraceEM TraceWhatever

8 Two cases of successful key recovery uC ungroupeduC grouped by HW ASIC ungroupedASIC grouped by HW

9 Solvers and Optimizers Solvers are fast, optimizers are versatile 9

10 Solvers and Optimizers Solvers cannot operate over the entire solution space (need additional heuristics) 10

11 Shopping list Device under test (DUT) Template decoder Optimizer (or solver) Cipher equations Leak equations

12 Start like template… In offline phase, create template decoders for many intermediate states In online phase, apply decoders to power trace, obtaining multiple aposteriori probability vectors

13 … end like TASCA Pass probability vectors, together with device description, to optimizer or solver The output will be the state (and key) which optimally matches the probabilities of all the intermediate values:

14 Summary Using Template-TASCA and Template- Set-ASCA, crypto devices can be attacked with very low data complexity Any leak can be used, as long as a “soft decoder” exists for it This is theoretically a very strong attack – can it have impact on real world devices? 14

15 Thank you! http://iss.oy.ne.ro/Template-TASCA 15

16 The Information-Robustness Tradeoff 16

17 Measurement Space 17 Precise measurement Actual measurement

18 The Harsh Reality of Power Analysis The side channel traces have errors Equation set with errors causes unsatisfiability Compensating for errors causes intractability 18

19 Decoder does not have to be very good! In our experiment: – Ensemble of 100 decoders for intermediate bytes – Average rank of correct byte in decoder output: 14/256 – Worst-case rank of correct byte: 90/256 – Success rate: 100% Template Decoder

Download ppt "Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model 1."

Similar presentations

Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.

Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.
The Mechanical Cryptographer (Tolerant Algebraic Side-Channel Attacks using pseudo-Boolean Solvers) 1.

The Mechanical Cryptographer (Tolerant Algebraic Side-Channel Attacks using pseudo-Boolean Solvers) 1.
Chaff: Engineering an Efficient SAT Solver Matthew W.Moskewicz, Concor F. Madigan, Ying Zhao, Lintao Zhang, Sharad Malik Princeton University Presenting:

Chaff: Engineering an Efficient SAT Solver Matthew W.Moskewicz, Concor F. Madigan, Ying Zhao, Lintao Zhang, Sharad Malik Princeton University Presenting:
VSMC MIMO: A Spectral Efficient Scheme for Cooperative Relay in Cognitive Radio Networks 1.

VSMC MIMO: A Spectral Efficient Scheme for Cooperative Relay in Cognitive Radio Networks 1.
Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.

Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.
An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology

An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology
Statistical Tools Flavor Side-Channel Collision Attacks

Statistical Tools Flavor Side-Channel Collision Attacks
Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK www.co.umist.ac.uk.

Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK
Practical Template-Algebraic Side Channel Attacks with Extremely Low Data Complexity 1.

Practical Template-Algebraic Side Channel Attacks with Extremely Low Data Complexity 1.
Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore.

Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS Singapore.
Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.

Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.
Strong Error Detection for Control Units Against Advanced Attackers Kahraman Daglar Akdemir Advisor: Berk Sunar Electrical and Computer Engineering MOTIVATION.

Strong Error Detection for Control Units Against Advanced Attackers Kahraman Daglar Akdemir Advisor: Berk Sunar Electrical and Computer Engineering MOTIVATION.
Asymptotic Enumerators of Protograph LDPCC Ensembles Jeremy Thorpe Joint work with Bob McEliece, Sarah Fogal.

Asymptotic Enumerators of Protograph LDPCC Ensembles Jeremy Thorpe Joint work with Bob McEliece, Sarah Fogal.
RAPTOR CODES AMIN SHOKROLLAHI DF2003-06-001 Digital Fountain Technical Report.

RAPTOR CODES AMIN SHOKROLLAHI DF Digital Fountain Technical Report.
Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.

Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.

Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
15-349 Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.

Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.
Ch 1.4 – Equations & Inequalities

Ch 1.4 – Equations & Inequalities
5.1 - 1 Linear Systems The definition of a linear equation given in Chapter 1 can be extended to more variables; any equation of the form for real numbers.

Linear Systems The definition of a linear equation given in Chapter 1 can be extended to more variables; any equation of the form for real numbers.
Algebra 1 - Chapter 2 Test.

Algebra 1 - Chapter 2 Test.

Similar presentations

Ads by Google