Publication


Featured research published by Annelie Heuser.


International Workshop on Constructive Side-Channel Analysis and Secure Design | 2012

Intelligent machine homicide

Annelie Heuser; Michael Zohner

In this contribution we propose the so-called SVM attack, a profiling based side channel attack, which uses the machine learning algorithm support vector machines (SVM) in order to recover a cryptographic secret. We compare the SVM attack to the template attack by evaluating the number of required traces in the attack phase to achieve a fixed guessing entropy. In order to highlight the benefits of the SVM attack, we perform the comparison for power traces with a varying noise level and vary the size of the profiling base. Our experiments indicate that due to the generalization of SVM the SVM attack is able to recover the key using a smaller profiling base than the template attack. Thus, the SVM attack counters the main drawback of the template attack, i.e. a huge profiling base.


Applied Cryptography and Network Security | 2014

Detecting Hidden Leakages

Amir Moradi; Sylvain Guilley; Annelie Heuser

Reducing the entropy of the mask is a technique which has been proposed to mitigate the high performance overhead of masked software implementations of symmetric block ciphers. Rotating S-box Masking (RSM) is an example of such schemes applied to AES with the purpose of maintaining the security at least against univariate first-order side-channel attacks. This article examines the vulnerability of a realization of such technique using the side-channel measurements publicly available through DPA contest V4. Our analyses which focus on exploiting the first-order leakage of the implementation discover a couple of potential attacks which can recover the secret key. Indeed the leakage we exploit is due to a design mistake as well as the characteristics of the implementation platform, none of which has been considered during the design of the countermeasure (implemented in naive C code).


Journal of Cryptographic Engineering | 2013

Improved algebraic side-channel attack on AES

Mohamed Saied Emam Mohamed; Stanislav Bulygin; Michael Zohner; Annelie Heuser; Michael Walter; Johannes A. Buchmann

In this paper, we present improvements of the algebraic side-channel analysis of the Advanced Encryption Standard (AES) proposed in the works of M. Renauld and F.-X. Standaert. In particular, we optimize the algebraic representation of both the AES block cipher and obtained side-channel information, in the form of Hamming weights of intermediate states, in order to speed up the attack and increase its success rate. We study the performance of our improved attack in both known and unknown plaintext/ciphertext attack scenarios. Our experiments indicate that in both cases the amount of required side-channel information is less than the one required in the attacks introduced earlier. Furthermore, we introduce a method for handling erroneous side-channel information, which allows our improved algebraic side-channel attack (IASCA) to partially escape the assumption of an error-free environment and thus become applicable in practice. We demonstrate the practical use of our IASCA by inserting predictions from a single-trace template attack.


Design, Automation, and Test in Europe | 2012

Revealing side-channel issues of complex circuits by enhanced leakage models

Annelie Heuser; Werner Schindler; Marc Stöttinger

In the light of implementation attacks a better understanding of complex circuits of security sensitive applications is an important issue. Appropriate evaluation tools and metrics are required to understand the origin of implementation flaws within the design process. The selected leakage model has significant influence on the reliability of evaluation results concerning the side-channel resistance of a cryptographic implementation. In this contribution we introduce methods, which determine the accuracy of the leakage characterization and allow to quantify the signal-to-noise ratio. This allows a quantitative assessment of the side-channel resistance of an implementation without launching an attack. We validate the conclusions drawn from our new methods by real attacks and obtain similar results. Compared to the commonly used Hamming Distance model in our experiments enhanced leakage models increased the attack efficiency by up to 500%.


Cryptographic Hardware and Embedded Systems | 2014

Good Is Not Good Enough

Annelie Heuser; Olivier Rioul; Sylvain Guilley

We find mathematically optimal side-channel distinguishers by looking at the side-channel as a communication channel. Our methodology can be adapted to any given scenario (device, signal-to-noise ratio, noise distribution, leakage model, etc.). When the model is known and the noise is Gaussian, the optimal distinguisher outperforms CPA and covariance. However, we show that CPA is optimal when the model is only known on a proportional scale. For non-Gaussian noise, we obtain different optimal distinguishers, one for each noise distribution. When the model is imperfectly known, we consider the scenario of a weighted sum of the sensitive variable bits where the weights are unknown and drawn from a normal law. In this case, our optimal distinguisher performs better than the classical linear regression analysis.


Smart Card Research and Advanced Application Conference | 2013

Time-Frequency Analysis for Second-Order Attacks

Pierre Belgarric; Shivam Bhasin; Nicolas Bruneau; Jean-Luc Danger; Nicolas Debande; Sylvain Guilley; Annelie Heuser; Zakaria Najm; Olivier Rioul

Second-order side-channel attacks are used to break first-order masking protections. A practical reason which often limits the efficiency of second-order attacks is the temporal localisation of the leaking samples. Several pairs of leakage samples must be combined which means high computational power. For second-order attacks, the computational complexity is quadratic. At CHES ’04, Waddle and Wagner introduced attacks with complexity \(\mathcal{O}(n \log_2 n)\) on traces collected from a hardware cryptographic implementation, where \(n\) is the window size, by working on traces auto-correlation. Nonetheless, the two samples must belong to the same window which is (normally) not the case for software implementations. In this article, we introduce preprocessing tools that improve the efficiency of bi-variate attacks (while keeping a complexity of \(\mathcal{O}(n \log_2 n)\)), even if the two samples that leak are far away one from the other (as in software). We put forward two main improvements. Firstly, we introduce a method to avoid losing the phase information. Next, we empirically notice that keeping the analysis in the frequency domain can be beneficial for the attack. We apply these attacks in practice on real measurements, publicly available under the DPA Contest v4, to evaluate the proposed techniques. An attack using a window as large as 4000 points is able to reveal the key in only 3000 traces.


The Cryptographers' Track at the RSA Conference | 2012

A new difference method for side-channel analysis with high-dimensional leakage models

Annelie Heuser; Michael Kasper; Werner Schindler; Marc Stöttinger

The goal of the DPA contest v2 (2009–2010) was to find the most efficient side-channel attack against a particular unprotected AES-128 hardware implementation. In this paper we discuss two problems of general importance that affect the success rate of profiling based attacks, and we provide effective solutions. First, we consider the impact of temperature variations on the power consumption, which causes a so-called drifting offset. To cope with this problem we introduce a new method called Offset Tolerant Method (OTM) and adjust OTM to the stochastic approach (SA-OTM). The second important issue of this paper concerns the choice of an appropriate leakage model as this determines the success rate of SA and SA-OTM. Experiments with high-dimensional leakage models show that the overall leakage is not only caused by independent transitions of bit lines. Compared to the formerly best submitted attack of the DPA contest v2 the combination of SA-OTM with high-dimensional leakage models reduces the required number of power traces to 50%.


Journal of Cryptographic Engineering | 2014

Practical improvements of side-channel attacks on AES: feedback from the 2nd DPA contest

Christophe Clavier; Jean-Luc Danger; Guillaume Duc; M. Abdelaziz Elaabid; Benoît Gérard; Sylvain Guilley; Annelie Heuser; Michael Kasper; Yang Li; Victor Lomné; Daisuke Nakatsu; Laurent Sauvage; Werner Schindler; Marc Stöttinger; Nicolas Veyrat-Charvillon; Matthieu Walle; Antoine Wurcker

Side-channel analyses constitute a major threat for embedded devices, because they allow an attacker to recover secret keys without the device being aware of the sensitive information theft. They have been proved to be efficient in practice on many deployed cryptosystems. Even during the standardization process for the AES, many scientists have raised the attention on the potential vulnerabilities against implementation-level attacks Chari et al. (A Cautionary Note Regarding Evaluation of AES Candidates on Smart-cards, 133–147, 1999). The evaluation of devices against side-channel attacks is now common practice, especially in ITSEFs. This procedure has even been formalized recently Standaert et al. (EUROCRYPT LNCS 5479:443–461, 2009). The framework suggests to estimate the leakage via an information theoretic metric, and the performance of real attacks thanks to either the success rates or the guessing entropy metrics. The DPA contests are a series of international challenges that allow researchers to improve existing side-channel attacks or develop new ones and compare their effectiveness on several reference sets of power consumption traces using a common methodology. In this article, we focus on the second edition of this contest, which targeted a FPGA-based implementation of AES. This article has been written jointly with several of the participants who describe their tactics used in their attacks and their improvements beyond the state of the art. In particular, this feedback puts to the fore some considerations seldom described in the scientific literature, yet relevant to increase the convergence rate of attacks. These considerations concern in particular the correction of acquisition defects such as the drifting side-channel leakage, the identification of the most leaking samples, the order in which subkeys are attacked, how to exploit subkeys that are revealed easily to help retrieve subkeys that leak less, and non-linear leakage models.


Digital Systems Design | 2011

How a Symmetry Metric Assists Side-Channel Evaluation - A Novel Model Verification Method for Power Analysis

Annelie Heuser; Michael Kasper; Werner Schindler; Marc Stöttinger

Side-channel analysis has become an important field of research for the semiconductor industry and for the academic sector as well. Of particular interest is constructive side-channel analysis as it supports a target-oriented associated design process. The main goal is to increase the side-channel resistance of cryptographic implementations within the design phase by a combination of advanced stochastic methods with design methods, tools, and countermeasures. In this contribution we present a new enhanced tool that utilizes symmetry properties to assist the side-channel evaluation of cryptographic implementations. This technique applies a symmetry metric, which is introduced as an engineering tool to verify the suitability of the leakage model in the evaluation phase of security-sensitive designs. Additionally, this approach also supports the designer in the selection of appropriate time instants.


International Conference on the Theory and Application of Cryptology and Information Security | 2014

Masks Will Fall Off

Nicolas Bruneau; Sylvain Guilley; Annelie Heuser; Olivier Rioul

Higher-order side-channel attacks are able to break the security of cryptographic implementations even if they are protected with masking countermeasures. In this paper, we derive the best possible distinguishers (High-Order Optimal Distinguishers or HOOD) against masking schemes under the assumption that the attacker can profile. Our exact derivation admits simple approximate expressions for high and low noise and shows to which extent the optimal distinguishers reduce to known attacks in the case where no profiling is possible. From these results, we can explain theoretically the empirical outcome of recent works on second-order distinguishers. In addition, we extend our analysis to any order and to the application to masked tables precomputation. Our results give some insight on which distinguishers have to be considered in the security analysis of cryptographic devices.

Collaboration

Top Co-Authors

Nele Mentens

Katholieke Universiteit Leuven

Marc Stöttinger

Nanyang Technological University

Shivam Bhasin

Nanyang Technological University
