Télécom ParisTech Modèle PowerPoint

Revealing the secrets of success Theoretical efficiency of side-channel distinguishers Annelie Heuser, Sylvain Guilley, Olivier Rioul

INSTITUT MINES-TÉLÉCOM

Outline ‣ Motivation ‣ State of the art ‣ New metric: success metric (SM) ‣ Empirical evaluation ‣ Closed-form expression of SM ‣ Outlook

2


REVEALING THE SECRETS OF SUCCESS, A. HEUSER, S. GUILLEY, O. RIOUL

Problem Statement Interclass Information Analysis Difference of Means Mutual Information Analysis Linear Correlation Analysis Linear Regression

Kolmogorov-Smirnov Analysis

How to compare side-channel distinguishers? Empirically ‣ Real measurements (portable?) ‣ Simulations (model suitable?) 3


Theoretically ‣ Is this realistic?


State of the Art

Emp i Crit rical eria

[Standaert+09] Unified framework for the analysis of side-channel key recovery attacks ‣ Estimated success rate (o-th order) ‣ Estimated guessing entropy

4



State of the Art The ore Crit tical eria

[WhitnallOswald11] A fair evaluation framework for comparing side-channel distinguisher

‣ Theoretical evaluation criteria (e.g., nearest distinguishing margin) ‣ Distinguisher is provided with full information about the leakage ‣ New insights in the theoretical behavior

5



State of the Art

[Fei+12] Algorithmic confusion analysis for DPA ‣ Closed-form expression of one-bit DPA for the success rate using a multivariate normal CDF Algorithmic confusion coefficient Signal-to-noise ratio Number of traces

6



State of the Art

Empirical Criteria

Theoretical Criteria

Closed-form expression

displays the practical outcome

displays the theoretical distinguishability

reflects relevant parameters

ad-hoc computation

equivalent to the practical outcome?

only DPA; multivariate CDF estimation

coincides with the empirical success rate more insights on parameters

New metric 7

“simple“ closed-form expression for any additive distinguisher



Notation

Side-channel Model RV modeling the key secret key on the device

sensitive variable depending on the key sensitive variable - correct key guess

measured leakage

8


with


Notation

Distinguisher

distinguisher

difference estimated difference

9



Notation

Statistical parameter from Estimation Theory Estimation Bias Estimation Variance such that the mean-squared error of the estimation is given by

10



Success Metric

To derive our new metric we start with the theoretical success rate:

Failure rate

11



Success Metric

Approximate the failure rate: 1. Union bound

Failure rate

Normal approximation

12


Chebyshev/ Chernov bound


Success Metric 2. Normal Approximation Assumption

exponentially for large m 13



Success Metric 3. First order approximation Since we achieved exponentially convergence

Relation to failure rate

Normal approximation

FR = 1 - SR

14



Success Metric Derived from the theoretical success rate through approximations, we define the success metric as

Roughly speaking

15



Empirical Evaluation

Setu

is the first DES Sbox

p

in each setting we conducted 300 experiments

Disti

he s i u ng

r

‣ ‣ ‣

16

Correlation Power Analysis (CPA) Mutual Information Analysis (MIA) ‣ Histograms ‣ Parzen window Kolmogorov-Smirnov Analysis (KSA)



Empirical Evaluation Noise level = 4

SR and SM coincide 17



Empirical Evaluation

Relative Distinguishing Margin [WhitnallOswald11]

Theoretical Criteria

18

does not depends on ‣ number of traces ‣ estimation method



Empirical Evaluation Using 50 traces

Using 500 traces

SM depends on the number of traces

19



Empirical Evaluation Using 500 traces

20



Success Metric

Closed-form expressions for additive distinguisher

21



Generalized Confusion Coefficient

only valid for one-bit models

[Fei+12]

=

One-bit models

=

We assume that that the sensitive variable is normalized 22



Closed-form Expression

CPA

one-bit DPA

23



Conclusion & Future Work Conclusion

‣ ‣ ‣ ‣ ‣

Introduced the success metric that is derived from the theoretical success rate Success metric coincide with the empirical success rate We are able to make predictions about crossings that are not visible in the SR Extended the idea of confusion Derived a closed-form expression for the success metric that is easier to compute

Future Work

‣ ‣

‣

24


Explain the ranking of various distinguishers Determine the influence of the leakage model ‣ Sbox ‣ Mask ‣ nonlinear relationship between X and Y* Determine the influence of the estimation


Questions?

25



Télécom ParisTech Modèle PowerPoint

Télécom ParisTech Modèle PowerPoint

Suggest Documents

Nouveau modle Chronos

3R - Modle Communication courte

Modle Abstract EXRS2006 - LNHB

Doctorat ParisTech THÃSE TELECOM ParisTech ... - Eurecom

Doctorat ParisTech

Doctorat ParisTech

Doctorat ParisTech THÃSE TELECOM ParisTech ... - Antoine Saillenfest

AO 102 - ENSTA ParisTech

Download PDF - MINES ParisTech

Corrigé - ENSTA ParisTech

letters - MINES ParisTech

Doctorat europÃ©en ParisTech

Untitled - CRI, Mines ParisTech

INSTRUCTION FILE ... - ENSTA ParisTech

Codes pour programmation du modle RT-U43C0

Modle de communication SFMu-2007

Doctorat europÃ©en ParisTech

Final Draft - MINES ParisTech

Labelling Operators - MINES ParisTech

Maq Cailletaud - MINES ParisTech

Untitled - CRI, Mines ParisTech

telecom paristech - CiteSeerX

Présentation Chimie ParisTech - CGE

analysis - MINES ParisTech

Télécom ParisTech Modèle PowerPoint