Application to Timing Attacks
Total Page:16
File Type:pdf, Size:1020Kb
Template Attacks with Partial Profiles and Dirichlet Priors: Application to Timing Attacks Eloi de Chérisey1, Sylvain Guilley1;2, Olivier Rioul1, and Darshana Jayasinghe1 1 Télécom ParisTech, LTCI, CNRS, Université Paris-Saclay, 75 013 Paris, France. 2 Secure-IC, 15 rue Claude Chappe, Bâtiment B, 35 510 Cesson-Sévigné, France. ABSTRACT In this paper, we consider side-channel attacks that are performed in In order to retrieve the secret key in a side-channel attack, the attacker two phases: computes distinguisher values using all the available data. A profiling 1. a profiling phase where the attacker accumulates leakage from a stage is very useful to provide some a priori information about the device with a known secret key; leakage model. However, profiling is essentially empirical and may not 2. an attacking phase where the attacker accumulates leakage from be exhaustive. Therefore, during the attack, the attacker may come up on the device with an unknown secret key. previously unseen data, which can be troublesome. A lazy workaround is to ignore all such novel observations altogether. In this paper, we show This type of attack is known as a template attack [7]. It has been that this is not optimal and can be avoided. Our proposed techniques shown [7] to be very efficient under three conditions: (a) leakage eventually improve the performance of classical information-theoretic samples are independent and identically distributed (i.i.d.); (b) the noise distinguishers in terms of success rate. is additive white Gaussian; and (c) the secret key leaks byte by byte, which enables a divide-and-conquer approach. For some side-channels, such as power or electromagnetic radiations, condition (b) is met in 1. INTRODUCTION practice. However, for timing attacks, the noise cannot be Gaussian as The field of cryptography is currently very sensitive as it deals with timing is discrete. Moreover, the noise source is non-additive in this data protection and safety. Thus, in order to assess the security of case, since it arises from complex replacement policies in caches and cryptographic devices, it is crucial to know and test their weaknesses. processor-specific on-the-fly instructions reordering. For example, the Advanced Encryption Standard (AES) [1] is renowned The first proposed profiled timing attack is the seminal timing attack as trustworthy from a mathematical point of view—there is currently of Kocher [8]. The same methodology can be used on AES, as noted by no realistic way to cryptanalyze the AES-128. However, it is possible Bernstein in 2005 [9]. Further works used the same method [10, 11, 12]. to break the 128-bit secret key byte by byte using side-channel analysis To our best knowledge, all these works consist in profiling moments, (SCA). SCA exploits the physical fact that the secret key leaks some such as the average timing under a given plaintext and key. However, it information out of the device boundary through various “side-channels” is known [7] that the best attacks should use maximum likelihood. such as power consumption or timing—number of clock cycles to In this paper, as illustrated in Tab. 1, we focus on a profiling where perform a given operation. These leakages, correctly analyzed by SCA, the distribution is kept, and is not reduced to its moments. The attacker yield the secret key of a device. computes distributions using histogram methods. These distributions A good side-channel attack needs a good leakage model. Timing, for are then used to recover the correct secret key. example, can be modeled easily when the implementation is unbalanced: Several successful attacks [2, 3, 4, 5] exploit a timing leakage in the conditional extra-reductions of Montgomery modular multiplications. Table 1: State-of-the-art on profiled timing attacks Some conditional operations can also happen in AES, e.g. in field Profiling method Reference articles operations, as for instance discussed in [6, Alg. 1]. Even when the code is balanced—a recommended secure coding practice—some residual Moments [9, 10, 11, 12] unbalances in timing can result from the hardware which executes the Distributions Our paper (Caution about empty bins) code. Indeed, processors implement speed optimization mechanisms such as memory caching and out-of-order execution. As a consequence, The discrete nature of timing leakage leads to an empty bin issue it is not possible to predict with certainty how timing leaks information. which appears when a data value in the attacking phase has never been The attacker is then led to make predictions about the way the device seen during the profiling phase. Based on profiling only, this data should leaks. have a zero probability, which can be devastating for the attack. One known workaround is to use kernel distribution methods [13] to estimate Permission to make digital or hard copies of all or part of this work for personal or classroom probabilities since the smoothing can be such that no empty bins remain. use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. However, this method has very large computational complexity and its Copyrights for components of this work owned by others than ACM must be honored. performance highly depends on ad-hoc choices of several parameters Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or such as kernel type and bandwidth. to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. HASP 2016, June 18 2016, , Contributions. c 2016 ACM. ISBN 978-1-4503-4769-3/16/06...$15.00 In this paper we show that even when all requirements (a), (b), (c) DOI: http://dx.doi.org/10.1145/2948618.2948625 above are not present, timing attacks with incomplete profiling can be achieved successfully by adapting the maximum likelihood distinguisher where 1A = 1 if A is true, = 0 otherwise. and keeping the histogram method for probabilities estimation. We build six different distinguishers which are all good answers to the empty DEFINITION 2.1 (PROBABILITIES). We define three2 different bin issue. For some of them, new histograms are built, such that the types of probabilities P, Pb and Pe. P is the actual (real) underlying empty bin issue totally disappears. Furthermore, we compare these probability distribution, but it is generally not available and has to be distinguishers and show which one of them is the best in every specific estimated by either Pb or Pe. context. Finally, we provide some theoretical results proving how optimal some of the distinguishers can be. • Pb is computed using the profiling data: q Organization. 1 b nx;t b(x;t) = 1 = b ; (2) P ∑ bxi=x;bti=t The paper is organized as follows. Section 2 provides mathemati- bq i=1 bq cal tools to understand distinguishers and notations. Section 3 intro- 1 bq n duces new distinguishers that are suitable in the context of empty bins. (x) = 1 = bx : (3) Pb ∑ bxi=x Section 4 provides simulations for these distinguishers and Section 5 bq i=1 bq investigates real attacks on an ARM processor. Section 6 concludes. • Pe is computed using the attacking data: 2. MATHEMATICAL DERIVATIONS q 1 e nx;t e(x;t) = 1 = e ; (4) 2.1 Notations and Assumptions P ∑ exi=x;eti=t eq i=1 eq We consider a side-channel attack with a profiling stage and use the 1 eq n following notations: (x) = 1 = ex : (5) Pe ∑ exi=x eq i=1 eq • during the profiling phase, a vectorbt of bq text bytes is sent and the profiler garners a vector of x measurements; b In practice, as the secret key leaks through the function via a XOR • during the attacking phase, a vectoret of eq text bytes is sent and (Equation (1)), we shall often consider P(x;t ⊕k). the attacker gathers a vector ex of leakage measurements—also For a fair comparison between distinguishers, Standaert et al. [14] customarily known as traces; have put forward the success rate as a measure of efficiency of a given distinguisher. • we use simplified notations t, q and x when discussing either profiling data or attacking data; DEFINITION 2.2 (SUCCESS RATE). The success rate SR is prob- • the probability of a vector x with i.i.d. components xi is denoted ability, averaged over all possible keys, of obtaining the correct key. by P(x) = ∏i P(xi); 2n−1 1 ∗ SR = ∗ (k = k ); (6) • we define the following sets: n ∑ Pk e 2 k∗=0 1. Xc, Tc, Xf and Tf are the sets of possible values of com- where ek is the key guess obtained by the distinguisher during the attack. ponents bx,bt, ex andet, respectively; 2. X = Xc [Xf and T = Tc [Tf; It has been proven [15, Theorem 1, equation (3)] that for equiprobable keys the optimal distinguisher maximizes likelihood: 3. K is the set of all possible values for the key k. • k and t are made of n bits (in particular, they are “bytes” when DOptimal(ex;et) = arg max P(exjet⊕k): (7) k2K n = 8). In real life, however, the attacker does not know the leakage model per- Here all sample components of one vector are i.i.d. and belong to some fectly and thus P(xjet⊕k) is not available. In order to get an estimation discrete set. Typically, X is a finite subset of and T is equal to e N of , we use the profiling data to build defined in Equation (2).