Algebraic side channel attacks beyond the hamming weight leakage model
This presentation is the property of its rightful owner.
Sponsored Links
1 / 15

Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model PowerPoint PPT Presentation


  • 69 Views
  • Uploaded on
  • Presentation posted in: General

Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model. Yossi Oren , Mathieu Renauld , François-Xavier Standaert and Avishai Wool CHES Workshop, Leuven, September 2012. Outline. What is Template-TASCA? How do you use it?. Review: solvers and optimizers.

Download Presentation

Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Algebraic side channel attacks beyond the hamming weight leakage model

Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model

Yossi Oren, Mathieu Renauld, François-Xavier Standaert and Avishai Wool

CHES Workshop, Leuven, September 2012


Outline

Outline

  • What is Template-TASCA?

  • Howdo you use it?


Review solvers and optimizers

Review: solvers and optimizers

Goal function

Set of m logical statements over n variables x1, …,xn

Solver

Optimizer

Satisfying assignment

Optimal


Cryptanalysis using solvers

Cryptanalysis using solvers

  • Modern crypto is strong enough to withstand Algebraic Cryptanalysis using solvers [MM00]

  • If we add side-channel information the key can be recovered quickly and efficiently [RS09]

  • Physical limitations of the attack setup introduce errors which can be overcome by replacing solvers with optimizers [OKPW10]

Oren, Kirschbaum, Popp and Wool,CHES 2010

Massacci and Marraro, Journal of Automated Reasoning 2000

Renauld and Standaert, INSCRYPT 2009


Our contributions

Our contributions

  • We extend ASCA from a priori (HW) leakage model towards any profiled model

  • The resulting attack methodology, called Template-TASCA (alt. Template-Set-ASCA), combines the low data complexity of algebraic attacks and the versatility of template attacks

  • Our results apply both to solvers and to optimizers


Versatility of template tasca

Versatility of Template-TASCA

Template Decoder

Power trace

Secret Key

Solver/ Optimizer

Hamming weights

Secret Key


Versatility of template tasca1

Versatility of Template-TASCA

Power Trace

EM Trace

Whatever

Aposteriori probability vectors

Template Decoder

Hamming weights

Solver/ Optimizer

Secret Key


Two cases of successful key recovery

Two cases of successful key recovery


Solvers and optimizers

Solvers and Optimizers

  • Solvers are fast, optimizers are versatile


Solvers and optimizers1

Solvers and Optimizers

  • Solvers cannot operate over the entire solution space (need additional heuristics)


Shopping list

Shopping list

  • Device under test (DUT)

  • Template decoder

  • Optimizer (or solver)

  • Cipher equations

  • Leak equations


Start like template

Start like template…

  • In offline phase, create template decoders for many intermediate states

  • In online phase, apply decoders to power trace, obtaining multiple aposteriori probability vectors


End like tasca

… end like TASCA

  • Pass probability vectors, together with device description, to optimizer or solver

  • The output will be the state (and key) which optimally matches the probabilities of all the intermediate values:


Summary

Summary

  • Using Template-TASCA and Template-Set-ASCA, crypto devices can be attacked with very low data complexity

  • Any leak can be used, as long as a “soft decoder” exists for it

  • This is theoretically a very strong attack – can it have impact on real world devices?


Thank you

Thank you!

http://iss.oy.ne.ro/Template-TASCA


  • Login