On the power of template attacks in highly multivariate context
- PDF / 1,613,629 Bytes
- 18 Pages / 595.276 x 790.866 pts Page_size
- 97 Downloads / 163 Views
REGULAR PAPER
On the power of template attacks in highly multivariate context Maamar Ouladj1
· Nadia El Mrabet2 · Sylvain Guilley3,4,5 · Philippe Guillot1 · Gilles Millérioux6
Received: 8 March 2019 / Accepted: 18 August 2020 © Springer-Verlag GmbH Germany, part of Springer Nature 2020
Abstract When implemented in software (or hardware), a cryptographic protocol can leak sensitive information during its execution. Side-channel attacks can use those leakages in order to reveal some information about the secret used by the algorithm. The leaking side-channel information can take place in many time samples. Measurement appliances can cope with the acquisition of multiple samples. From an adversarial point of view, it is therefore beneficial to attempt to make the most of highly multivariate traces. On the one hand, template attacks have been introduced to deal with multivariate leakages, with as few assumptions as possible on the leakage model. On the other hand, many works have underlined the need for dimensionality reduction. In this paper, we clarify the relationship between template attacks in full space and in linear subspaces, in terms of success rate. In particular, we exhibit a clear mathematical expression for template attacks, which enables an efficient computation even on large dimensions such as several hundred of samples. It is noteworthy that both of PoI-based and PCA-based template attacks can straightforwardly benefit from our approach. Furthermore, we extend the approach to the masking-based protected implementations. Our approach is validated both by simulated and real-world traces. Keywords Multivariate traces · Template attacks · Dimensionality reduction · Masking · Success rate · Signal-to-noise ratio · Spectral approach for computational speed improvement
1 Introduction
1.2 Problem: making the most of high dimensionality
1.1 Context: the side channel threat Side-channel traces collected from software code are extremely rich, since a same variable can leak at different places. Typically, leakage can spread over several samples within one clock cycle, and in addition, software implementations typically move variables in several registers or memory locations, causing leakage at many clock cycles.
B
Modern oscilloscopes sample their input at a very high frequency; hence, it is possible to get more than one leakage sample per leaking sensitive variable. How to exploit such abundance of leakage measurements? Few non-supervised side-channel distinguishers manage such situation. Indeed, the samples usually leak differently; therefore, it is complex without prior knowledge to know how to best combine them constructively.
Maamar Ouladj [email protected]
1
LAGA, UMR 7539, CNRS, Université de Paris VIII, 2 Rue de la liberté, Saint Denis 93200, France
2
CEA-Tech, Departement SAS, Centre CMP, Mines de Saint-Etienne, Gardanne 13541, France
3
TELECOM-ParisTech, COMELEC department, SSH group, Paris Cedex 13, France
4
Secure-IC S.A.S., Tour Montparnasse, 75015 Paris, France
5
Éc
Data Loading...
