How to Certify the Leakage of a Chip?
François-Xavier Standaert
UCL Crypto Group, Belgium
Journées C2, Les Sept Laux, France, March 2014

Context: side-channel attacks

Problem statement
• How to evaluate the security of a leaking device?

Outline
• The Eurocrypt 2009 framework revisited
• New results towards leakage certification
• Security analyses and time complexity

How not to evaluate
• Launch a single attack with an arbitrary distinguisher
• First issue: no statistical confidence in evaluation

A first improvement
• Repeat the attack and estimate (e.g.) a success rate
• Second issue: arbitrary adversary (maybe suboptimal)
• A stronger adversary may invalidate the evaluation

A second improvement
• Apply an “optimal” template attack
• Of course nobody knows what is generally “optimal”!

Background: EC09 framework [1]
• More generally: evaluate implementations with IT
metrics, evaluate adversaries with security metrics

Fair evaluation of side-channel leakage
• Leakage certification is first concerned with IT
metrics (i.e. aims at estimating the information
leakage independent of the adversary)
• But estimating the mutual information between
arbitrary distributions is notoriously hard!
• Good news: side-channel attacks need a model
• i.e. an estimation of the leakage distribution
• Main idea: estimate the mutual information from
the “best available” profiled model (i.e. worst case)

Definition
• Information leakage on the secret key

$$\mathrm{H}[K] - \sum_{k} \Pr[k] \sum_{l} \Pr_{\mathrm{chip}}[l|k] \cdot \log_2 \Pr_{\mathrm{model}}[k|l]$$

• where $\Pr_{\mathrm{model}}[k|l]$ is obtained by profiling
• and $\Pr_{\mathrm{chip}}[l|k]$ is unknown but can be sampled

In practice: two-step process
• Step 1: estimate the leakage model $\Pr_{\mathrm{model}}[k|l]$
• e.g. with Gaussian templates, linear regression,
Gaussian mixtures, Kernel density estimation, …
• Step 2: estimate the information leakage by
sampling $\Pr_{\mathrm{chip}}[l|k]$ (i.e. perform measurements)
• Note: measurements to estimate the leakage model
and the IT metric must be independent!

Example
• 4 key candidates with correct key k=1
• $\sum_{l} \Pr_{\mathrm{chip}}[l|k=1] \cdot \log_2 \Pr_{\mathrm{model}}[k=1|l]$

      k=0   k=1   k=2   k=3
l1    p10   p11   p12   p13
l2    p20   p21   p22   p23
l3    p30   p31   p32   p33
…     …     …     …     …
lN    pN0   pN1   pN2   pN3

=> $\frac{1}{N} \sum_{i=1}^{N} \log_2 p_{i1}$

Two cases can happen [2]
• Case #1 (ideal): perfect profiling phase
• i.e. $\Pr_{\mathrm{model}}[k|l] = \Pr_{\mathrm{chip}}[l|k]$

$$\mathrm{MI}(K;L) = \mathrm{H}[K] - \sum_{k} \Pr[k] \sum_{l} \Pr_{\mathrm{chip}}[l|k] \cdot \log_2 \Pr_{\mathrm{chip}}[l|k]$$

• Case #2 (actual): bounded profiling phase
• i.e. $\Pr_{\mathrm{model}}[k|l] \neq \Pr_{\mathrm{chip}}[l|k]$

$$\mathrm{PI}(K;L) = \mathrm{H}[K] - \sum_{k} \Pr[k] \sum_{l} \Pr_{\mathrm{chip}}[l|k] \cdot \log_2 \Pr_{\mathrm{model}}[k|l]$$

Main theorem (informal)
• PI(K;L) is directly proportional to the success rate
of an adversary using $\Pr_{\mathrm{model}}[k|l]$ as template
• e.g. PI(K;L) as a function of the noise variance

As a result
• Left of the intersection
• Countermeasure #2 more secure than first one
• Right of the intersection
• Countermeasure #1 more secure than second one

In other words
• MI(K;L) measures the worst case leakage
• PI(K;L) is the evaluator’s best estimate

Relation with data complexity
• Theorem only proven in very specific cases
• But holds surprisingly well in real-world settings

Example: masking [3]
• Main idea: split the sensitive data in r shares
• If “perfect” implementation, the data complexity to
break masking is proportional to $(\sigma_n^2)^r$
• Perfect ≈ if the smallest-order key-dependent
moment in the leakage distribution is r
• Essentially depends on the hardware (e.g.
glitches may make the implementation imperfect)

Information theoretic intuition
• Smallest-order key-dependent moment = curve slope
• Flaws due to physical defaults can be detected

How to evaluate the metrics?
• Requires selecting good statistical tools
• Critical point: PDF estimation problem
• Tools are highly dependent on the contexts
• So is the distance between MI and PI (and
hence, the relevance of security evaluations)
• A few examples next…

Examples
• Different implementations and countermeasures
• Which cases are “easy to evaluate”?

• Most distinguishers are asymptotically equivalent [4]
• … if provided with the same leakage model

• PCA, LDA, … useful in the profiled case [5]
• Dimension reduction uneasy in non-profiled case

• Same tools as for unprotected devices work well
• Non-linear leakage functions require profiling [6]

• Uneasy to evaluate for both types of attacks
• Signal processing can cancel countermeasures [7,8]

• Becomes measurement intensive as r increases
• No solution is always optimal in non-profiled case

• Especially hard if the design is unknown
• Large distance between profiled & non-profiled cases

Summarizing
• PI(K;L) provides a unifying view of countermeasures
• IT curves capture most intuition regarding the data
complexity of worst case side-channel attacks
• Evaluator’s goal: avoid “false sense of security”
• PI(K;L) ≠ MI(K;L)
• Significant differences may arise due to signal
processing, bad assumptions on the leakage, …
• Measurement setup also matters!

Outline
• The Eurocrypt 2009 framework revisited
• New results towards leakage certification
• Security analyses and time complexity

The fundamental evaluation problem
• What is the distance between the MI and the PI?
• (i.e. how good is my leakage model?)
• Difficult since the leakage function is unknown
=> Impossible to compute this distance directly!
• Next: we show that indirect approaches allow
answering the question quite rigorously
• Main idea: quantify estimation & assumption errors

1. Estimation errors => cross-validation
• Split traces in 10 (non-overlapping) sets, use
9/10th for profiling, 1/10th for estimating the PI
• Repeat 10 times to get average & spread
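
The two-step process and the 10-fold cross-validation described above, as an added example that is not code from the talk: Gaussian templates are profiled on 9/10 of the traces and the PI is estimated on the remaining 1/10, for two noise levels. The simulated chip (`CHIP_MEANS`, Gaussian noise), the trace count and all function names are assumptions made for the illustration.

```python
import math
import random
import statistics

KEYS = [0, 1, 2, 3]                  # 4 key candidates, as in the slides' example
CHIP_MEANS = [0.0, 1.0, 2.0, 3.0]    # constructed leakage function (assumption)


def measure(n, sigma, rng):
    """Sample n (k, l) pairs from the simulated chip: l = CHIP_MEANS[k] + noise."""
    traces = []
    for _ in range(n):
        k = rng.choice(KEYS)
        traces.append((k, rng.gauss(CHIP_MEANS[k], sigma)))
    return traces


def profile(traces):
    """Step 1: Gaussian templates, one (mean, variance) pair per key candidate."""
    templates = {}
    for k in KEYS:
        leaks = [l for kk, l in traces if kk == k]
        templates[k] = (statistics.fmean(leaks), statistics.variance(leaks))
    return templates


def log2_model(templates, k, l):
    """log2 Pr_model[k|l], by Bayes' rule with a uniform prior on the key."""
    log_pdfs = []
    for kk in KEYS:
        mu, var = templates[kk]
        log_pdfs.append(-0.5 * math.log(2 * math.pi * var) - (l - mu) ** 2 / (2 * var))
    top = max(log_pdfs)  # log-sum-exp keeps the normalisation numerically stable
    log_norm = top + math.log(sum(math.exp(v - top) for v in log_pdfs))
    return (log_pdfs[k] - log_norm) / math.log(2)


def perceived_information(templates, traces):
    """Step 2: estimate PI(K;L) on traces that were not used for profiling."""
    h_k = math.log2(len(KEYS))
    # log2 of a probability is <= 0, so the cross-entropy is the negated sample
    # average of log2 Pr_model[k_i|l_i]; the l_i are sampled from the chip.
    cross_entropy = -statistics.fmean([log2_model(templates, k, l) for k, l in traces])
    return h_k - cross_entropy


def cross_validated_pi(traces, folds=10):
    """Split in 10 non-overlapping sets: 9/10 for profiling, 1/10 for the PI."""
    estimates = []
    for i in range(folds):
        test = traces[i::folds]
        train = [t for j, t in enumerate(traces) if j % folds != i]
        estimates.append(perceived_information(profile(train), test))
    return statistics.fmean(estimates), statistics.stdev(estimates), estimates


def evaluate(sigma, n=2000, seed=1):
    """Simulate n measurements at noise level sigma and cross-validate the PI."""
    return cross_validated_pi(measure(n, sigma, random.Random(seed)))


if __name__ == "__main__":
    for sigma in (0.5, 2.0):
        mean, spread, _ = evaluate(sigma)
        print(f"sigma={sigma}: PI = {mean:.3f} +/- {spread:.3f} bits")
```

The spread over the 10 folds is the estimation error; it shrinks as more traces are measured, while the average stays bounded by H[K] = 2 bits.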

2. Assumption errors => distance sampling
• Fact: two multidimensional distributions F and G
are equal if the variables X~F and Y~G generate
identical distributions for the distance D(X,Y)
• We can compute the simulated distance

$$f_{sim}(d) = \Pr[L_1 - L_2 \le d \mid L_1, L_2 \sim \Pr_{\mathrm{model}}]$$

• And the sampled distance

$$g_N(d) = \Pr[l_1 - l_2 \le d \mid l_1 \overset{N}{\sim} \Pr_{\mathrm{model}},\ l_2 \overset{N}{\sim} \Pr_{\mathrm{chip}}]$$

• And test their CvM divergence

$$\mathrm{CvM}(f_{sim}, g_N) = \int \left[f_{sim}(x) - g_N(x)\right]^2 dx$$

With cross-validation again, we obtain
• Any incorrect assumption => CvM saturates

3. Can we quantify the information loss?
• Estimation errors can be made arbitrarily small by
measuring => assumption errors more damaging
• Idea: try to detect when (i.e. for which # of traces
in the cross-validation set) assumption errors
become significant compared to estimation ones
How to?
• Compute a sampled simulated distance
$f_{sim,N}(d) = \Pr[l_1 - l_2 \le d \mid l_1, l_2 \overset{N}{\sim} \Pr_{model}]$
• Characterize the probability that a given
divergence between $f_{sim}$ and $f_{sim,N}$ would be
observed for a given number of traces N
• Look whether a given divergence between $f_{sim}$
and $g_N$ (the latter obtained during cross-validation
again) can be due to estimation errors
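The three steps above for a single Gaussian model, as an added Python example that is not from the talk. It assumes a fixed model N(0, 1) rather than a profiled one (so there is no cross-validation split), pairs the i-th model draw with the i-th trace, and reads a p-value near 1 as a detected assumption error; the function names and the constructed chip distributions are illustrative.

```python
import bisect
import math
import random

def f_sim(d, sigma):
    """Simulated distance: CDF of L1 - L2 for L1, L2 ~ N(mu, sigma^2), i.e. N(0, 2 sigma^2)."""
    return 0.5 * (1.0 + math.erf(d / (2.0 * sigma)))

def sampled_cdf(model_draws, other_draws):
    """Empirical CDF of the paired differences l1[i] - l2[i] (pairing is a simplification)."""
    diffs = sorted(a - b for a, b in zip(model_draws, other_draws))
    return lambda d: bisect.bisect_right(diffs, d) / len(diffs)

def cvm(sigma, cdf, span=8.0, steps=400):
    """Midpoint-rule estimate of the integral of (f_sim(x) - cdf(x))^2 over +/- span*sigma."""
    h = 2.0 * span * sigma / steps
    xs = (-span * sigma + (k + 0.5) * h for k in range(steps))
    return h * sum((f_sim(x, sigma) - cdf(x)) ** 2 for x in xs)

def draw(rng, mu, sigma, n):
    """n independent Gaussian leakage samples."""
    return [rng.gauss(mu, sigma) for _ in range(n)]

def reference(rng, mu, sigma, n, trials=200):
    """Sorted CvM(f_sim, f_sim_N) values: what estimation errors alone produce with n traces."""
    return sorted(cvm(sigma, sampled_cdf(draw(rng, mu, sigma, n), draw(rng, mu, sigma, n)))
                  for _ in range(trials))

def p_value(rng, mu, sigma, chip_traces, ref):
    """Fraction of estimation-only divergences below CvM(f_sim, g_N); near 1 flags the model."""
    g_n = sampled_cdf(draw(rng, mu, sigma, len(chip_traces)), chip_traces)
    return bisect.bisect_left(ref, cvm(sigma, g_n)) / len(ref)

def detection_rate(seed, chip_mu, n, reps=20, threshold=0.95):
    """Share of repetitions in which the model N(0, 1) is flagged against a chip N(chip_mu, 1)."""
    rng = random.Random(seed)
    ref = reference(rng, 0.0, 1.0, n)
    hits = sum(p_value(rng, 0.0, 1.0, draw(rng, chip_mu, 1.0, n), ref) > threshold
               for _ in range(reps))
    return hits / reps

if __name__ == "__main__":
    # Constructed chips: one matching the model (mean 0), one with a mean offset of 0.5.
    for n in (10, 100, 500):
        print(n, detection_rate(1, 0.0, n), detection_rate(1, 0.5, n))
```

The reference distribution must be recomputed for every N, because the divergence that estimation errors alone produce shrinks as the number of traces grows.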
Illustration
[Figure: p-value (hyp. incorrect model); CvM($f_{sim}$, $g_N$)]
Example
[Figure panels: Gaussian templates; Stochastic model]
Towards leakage bounds?
• Conjecture: for $N_{th}$ such that the assumption
errors are “not significant” compared with the estimation
errors, we can “bound” the information loss by
quantifying the estimation error
• (intuition: assumption errors that are detected
for smaller values of $N_{th}$ are inevitably larger)
Example
• Identified template attack with PI = 0.58
• No assumption errors for N=1000
• Estimation error ~ 0.11 at this point
=> With “low” confidence, no attack exists with PI>0.69
=> With “high” confidence, no attack exists with PI>0.80
Example
• Identified stochastic attack with PI = 0.38
• Assumption errors for N=100
• Estimation error ~ 0.29 at this point
=> With “low” confidence, no attack exists with PI>0.67
=> With “high” confidence, no attack exists with PI>0.96
Interpretation with success rates
Is that formally proven?
• No! In fact there exist counterexamples
• Simulated device leaking according to non-HW
model and analyzed with LR (9-element basis)
Main issues with such bounds
• The threshold for which assumption errors are
detected (e.g. average p-value) is hard to set
independent of the leakage distributions
• Information bounds anyway become pessimistic as
the noise increases (since the noise then
dominates the assumption errors in the MSE)
Note: there could be more positive results for certain
distributions (scope for further research), meanwhile…
Pragmatic evaluation guidelines
• For a fixed number of measurements
(which is the case of all real-world evaluations)
• If assumption errors are detected: the loss of
information due to an imprecise model is
significant (i.e. the model can be improved)
• If assumption errors are not detected: improving
the model would not lead to better information
extraction (since this improvement could not be
distinguished due to the estimation errors)
• All bets are off if more measurements are taken…
Outline
• The Eurocrypt 2009 framework revisited
• New results towards leakage certification
• Security analyses and time complexity
Security analyses
• Note: the previous discussion mainly relates to
the data complexity of side-channel attacks
• Time/memory complexity also matters
• In the context of “standard DPA”, the exploitation
of computation is typically reflected by:
• Key enumeration
• Rank estimation
Key enumeration [9]
• Significant impact on the success rates!
• Very efficient attack tool (e.g. DPA contest)
• Missing data can always be traded for computations
Rank estimation [10]
• Evaluator’s counterpart to key enumeration (the key
must be known!) leading to complete security graphs
Conclusions
Main message:
• Strict “bounds” on the information leakage are
hard to obtain in general (independent of the
distributions and number of measurements)
• But given a number of measurements, we can be
sure that a model is “good enough” (or not)
Cautionary note:
• Fair evaluations must consider both data and time
• i.e. enumeration and rank estimation for DPA
• But also algebraic side-channel attacks [11]
Bibliography
1. F.-X. Standaert, T.G. Malkin, M. Yung, A Unified Framework for the Analysis of Side-
Channel Key Recovery Attacks, in the proceedings of Eurocrypt 2009, Lecture Notes in
Computer Science, vol 5479, pp 443-461, Cologne, Germany, April 2009, Springer.
2. M. Renauld, F.-X. Standaert, N. Veyrat-Charvillon, D. Kamel, D. Flandre, A Formal Study
of Power Variability Issues and Side-Channel Attacks for Nanoscale Devices, in the
proceedings of Eurocrypt 2011, Lecture Notes in Computer Science, vol 6632, pp 109-128,
Tallinn, Estonia, May 2011, Springer.
3. F.-X. Standaert, N. Veyrat-Charvillon, E. Oswald, B. Gierlichs, M. Medwed, M. Kasper, S.
Mangard, The World is Not Enough: Another Look on Second-Order DPA, in the
proceedings of Asiacrypt 2010, Lecture Notes in Computer Science, vol 6477, pp 112-129,
Singapore, December 2010, Springer.
4. S. Mangard, E. Oswald, F.-X. Standaert, One for All - All for One: Unifying Standard DPA
Attacks, in IET Information Security, vol 5, issue 2, pp 100-110, June 2011.
5. F.-X. Standaert, C. Archambeau, Using Subspace-Based Template Attacks to Compare
and Combine Power and Electromagnetic Information Leakages, in the proceedings of
CHES 2008, Lecture Notes in Computer Science, vol 5154, pp 411-425, Washington DC,
USA, August 2008, Springer.
6. C. Whitnall, E. Oswald, F.-X. Standaert, The Myth of Generic DPA... and the Magic of
Learning, in the proceedings of CT-RSA 2014, Lecture Notes in Computer Science, vol xxxx,
pp yyy-zzz, San Francisco, USA, February 2014, Springer.
7. N. Veyrat-Charvillon, M. Medwed, S. Kerckhof, F.-X. Standaert, Shuffling Against Side-
Channel Attacks: a Comprehensive Study with Cautionary Note, in the proceedings of
Asiacrypt 2012, Lecture Notes in Computer Science, vol 7658, pp 740-757, Beijing, China,
December 2012, Springer.
8. F. Durvaux, M. Renauld, F.-X. Standaert, L. van Oldeneel tot Oldenzeel, N. Veyrat-
Charvillon, Efficient Removal of Random Delays from Embedded Software Implementations
using Hidden Markov Models, in the proceedings of CARDIS 2012, Lecture Notes in
Computer Science, vol 7771, pp 123-140, Graz, Austria, November 2012, Springer.
9. N. Veyrat-Charvillon, B. Gerard, M. Renauld, F.-X. Standaert, An optimal Key
Enumeration Algorithm and its Application to Side-Channel Attacks, in the proceedings of
SAC 2012, Lecture Notes in Computer Science, vol 7707, pp 391-407, Windsor, Ontario,
Canada, August 2012, Springer.
10. N. Veyrat-Charvillon, B. Gerard, F.-X. Standaert, Security Evaluations Beyond
Computing Power: How to Analyze Side-Channel Attacks you Cannot Mount?, to appear in
the proceedings of Eurocrypt 2013, Lecture Notes in Computer Science, vol 7881, pp 126-
141, Athens, Greece, May 2013, Springer.
11. M. Renauld, F.-X. Standaert, Algebraic Side-Channel Attacks, in the proceedings of
Inscrypt 2009, Lecture Notes in Computer Science, vol 6151, pp 393-410, Beijing, China,
December 2009, Springer.