algebraic side channel attacks beyond the hamming weight leakage model
Download
Skip this Video
Download Presentation
Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model

Loading in 2 Seconds...

play fullscreen
1 / 15

Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model - PowerPoint PPT Presentation


  • 122 Views
  • Uploaded on

Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model. Yossi Oren , Mathieu Renauld , François-Xavier Standaert and Avishai Wool CHES Workshop, Leuven, September 2012. Outline. What is Template-TASCA? How do you use it?. Review: solvers and optimizers.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model' - mili


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
algebraic side channel attacks beyond the hamming weight leakage model

Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model

Yossi Oren, Mathieu Renauld, François-Xavier Standaert and Avishai Wool

CHES Workshop, Leuven, September 2012

outline
Outline
  • What is Template-TASCA?
  • Howdo you use it?
review solvers and optimizers
Review: solvers and optimizers

Goal function

Set of m logical statements over n variables x1, …,xn

Solver

Optimizer

Satisfying assignment

Optimal

cryptanalysis using solvers
Cryptanalysis using solvers
  • Modern crypto is strong enough to withstand Algebraic Cryptanalysis using solvers [MM00]
  • If we add side-channel information the key can be recovered quickly and efficiently [RS09]
  • Physical limitations of the attack setup introduce errors which can be overcome by replacing solvers with optimizers [OKPW10]

Oren, Kirschbaum, Popp and Wool,CHES 2010

Massacci and Marraro, Journal of Automated Reasoning 2000

Renauld and Standaert, INSCRYPT 2009

our contributions
Our contributions
  • We extend ASCA from a priori (HW) leakage model towards any profiled model
  • The resulting attack methodology, called Template-TASCA (alt. Template-Set-ASCA), combines the low data complexity of algebraic attacks and the versatility of template attacks
  • Our results apply both to solvers and to optimizers
versatility of template tasca
Versatility of Template-TASCA

Template Decoder

Power trace

Secret Key

Solver/ Optimizer

Hamming weights

Secret Key

versatility of template tasca1
Versatility of Template-TASCA

Power Trace

EM Trace

Whatever

Aposteriori probability vectors

Template Decoder

Hamming weights

Solver/ Optimizer

Secret Key

solvers and optimizers
Solvers and Optimizers
  • Solvers are fast, optimizers are versatile
solvers and optimizers1
Solvers and Optimizers
  • Solvers cannot operate over the entire solution space (need additional heuristics)
shopping list
Shopping list
  • Device under test (DUT)
  • Template decoder
  • Optimizer (or solver)
  • Cipher equations
  • Leak equations
start like template
Start like template…
  • In offline phase, create template decoders for many intermediate states
  • In online phase, apply decoders to power trace, obtaining multiple aposteriori probability vectors
end like tasca
… end like TASCA
  • Pass probability vectors, together with device description, to optimizer or solver
  • The output will be the state (and key) which optimally matches the probabilities of all the intermediate values:
summary
Summary
  • Using Template-TASCA and Template-Set-ASCA, crypto devices can be attacked with very low data complexity
  • Any leak can be used, as long as a “soft decoder” exists for it
  • This is theoretically a very strong attack – can it have impact on real world devices?
thank you
Thank you!

http://iss.oy.ne.ro/Template-TASCA

ad