Effective Feature Extraction Method for SVM-Based Profiled Attacks

Nowadays, one of the most powerful side channel attacks (SCA) is profiled attack. Machine learning algorithms, for example support vector machine, are currently used for improving the effectiveness of the attack. One issue when using SVM-based profiled attack is extracting points of interest, or features from power traces. So far, studies in SCA domain have selected the points of interest (POIs) from the raw power trace for the classifiers. Our work proposes a novel method for finding POIs that based on the combining variational mode decomposition (VMD) and Gram-Schmidt orthogonalization (GSO). That is, VMD is used to decompose the power traces into sub-signals (modes) of different frequencies and POIs selection process based on GSO is conducted on these sub-signals. As a result, the selected POIs are used for SVM classifier to conduct profiled attack. This attack method outperforms other profiled attacks in the same attack scenario. Experiments were performed on a trace data set collected from the Atmega8515 smart card run on the side channel evaluation board Sakura-G/W and the data set of DPA contest v4 to verify the effectiveness of our method in reducing number of power traces for the attacks, especially with noisy power traces

Practical Improvements of Profiled Side-Channel Attacks on a Hardware Crypto-Accelerator

Abstract. This article investigates the relevance of the theoretical frame-work on profiled side-channel attacks presented by F.-X. Standaert et al. at Eurocrypt 2009. The analyses consist in a case-study based on side-channel measurements acquired experimentally from a hardwired crypto-graphic accelerator. Therefore, with respect to previous formal analyses carried out on software measurements or on simulated data, the inves-tigations we describe are more complex, due to the underlying chip’s architecture and to the large amount of algorithmic noise. In this dif-ficult context, we show however that with an engineer’s mindset, two techniques can greatly improve both the off-line profiling and the on-line attack. First, we explore the appropriateness of different choices for the sensitive variables. We show that a skilled attacker aware of the regis-ter transfers occurring during the cryptographic operations can select the most adequate distinguisher, thus increasing its success rate. Sec-ond, we introduce a method based on the thresholding of leakage data to accelerate the profiling or the matching stages. Indeed, leveraging on an engineer’s common sense, it is possible to visually foresee the shape of some eigenvectors thereby anticipating their estimation towards their asymptotic value by authoritatively zeroing weak components containing mainly non-informational noise. This method empowers an attacker, in that it saves traces when converging towards correct values of the secret. Concretely, we demonstrate a 5 times speed-up in the on-line phase of the attack.

Side-Channel assessment of Open Source Hardware Wallets

Side-channel attacks rely on the fact that the physical behavior of a device depends on the data it manipulates. We show in this paper how to use this class of attacks to break the security of some cryptocurrencies hardware wallets when the attacker is given physical access to them. We mounted two profiled side-channel attacks: the first one extracts the user PIN used through the verification function, and the second one extracts the private signing key from the ECDSA scalar multiplication using a single signature. The results of our study were responsibly disclosed to the manufacturer who patched the PIN vulnerability through a firmware upgrade

Cryptanalysis of the CHES 2009/2010 Random Delay Countermeasure

Inserting random delays in cryptographic implementations is often used as a countermeasure against side-channel attacks. Most previous works on the topic focus on improving the statistical distribution of these delays. For example, efficient random delay generation algorithms have been proposed at CHES 2009/2010. These solutions increase security against attacks that solve the lack of synchronization between different leakage traces by integrating them. In this paper, we demonstrate that integration may not be the best tool to evaluate random delay insertions. For this purpose, we first describe different attacks exploiting pattern recognition techniques and Hidden Markov Models. Using these tools, we succeed in cryptanalyzing a (straightforward) implementation of the CHES 2009/2010 proposal in an Atmel microcontroller, with the same data complexity as an unprotected implementation of the AES Rijndael. In other words, we completely cancel the countermeasure in this case. Next, we show that our cryptanalysis tools are remarkably robust to attack improved variants of the countermeasure, e.g. with additional noise or irregular dummy operations. We also exhibit that the attacks remain applicable in a non-profiled adversarial scenario. Overall, these results suggest that the use of random delays may not be effective for protecting small embedded devices against side-channel leakage. They also confirm the need of worst-case analysis in physical security evaluations

Systematic Characterization of Power Side Channel Attacks for Residual and Added Vulnerabilities

Power Side Channel Attacks have continued to be a major threat to cryptographic devices. Hence, it will be useful for designers of cryptographic systems to systematically identify which type of power Side Channel Attacks their designs remain vulnerable to after implementation. It’s also useful to determine which additional vulnerabilities they have exposed their devices to, after the implementation of a countermeasure or a feature. The goal of this research is to develop a characterization of power side channel attacks on different encryption algorithms\u27 implementations to create metrics and methods to evaluate their residual vulnerabilities and added vulnerabilities. This research studies the characteristics that influence the power side leakage, classifies them, and identifies both the residual vulnerabilities and the added vulnerabilities. Residual vulnerabilities are defined as the traits that leave the implementation of the algorithm still vulnerable to power Side Channel Attacks (SCA), sometimes despite the attempt at implementing countermeasures by the designers. Added vulnerabilities to power SCA are defined as vulnerabilities created or enhanced by the algorithm implementations and/or modifications. The three buckets in which we categorize the encryption algorithm implementations are: i. Countermeasures against power side channel attacks, ii. IC power delivery network impact to power leakage (including voltage regulators), iii. Lightweight ciphers and applications for the Internet of Things (IoT ) From the characterization of masking countermeasures, an example outcome developed is that masking schemes, when uniformly distributed random masks are used, are still vulnerable to collision power attacks. Another example outcome derived is that masked AES, when glitches occur, is still vulnerable to Differential Power Analysis (DPA). We have developed a characterization of power side-channel attacks on the hardware implementations of different symmetric encryption algorithms to provide a detailed analysis of the effectiveness of state-of-the-art countermeasures against local and remote power side-channel attacks. The characterization is accomplished by studying the attributes that influence power side-channel leaks, classifying them, and identifying both residual vulnerabilities and added vulnerabilities. The evaluated countermeasures include masking, hiding, and power delivery network scrambling. But, vulnerability to DPA depends largely on the quality of the leaked power, which is impacted by the characteristics of the device power delivery network. Countermeasures and deterrents to power side-channel attacks targeting the alteration or scrambling of the power delivery network have been shown to be effective against local attacks where the malicious agent has physical access to the target system. However, remote attacks that capture the leaked information from within the IC power grid are shown herein to be nonetheless effective at uncovering the secret key in the presence of these countermeasures/deterrents. Theoretical studies and experimental analysis are carried out to define and quantify the impact of integrated voltage regulators, voltage noise injection, and integration of on-package decoupling capacitors for both remote and local attacks. An outcome yielded by the studies is that the use of an integrated voltage regulator as a countermeasure is effective for a local attack. However, remote attacks are still effective and hence break the integrated voltage regulator countermeasure. From experimental analysis, it is observed that within the range of designs\u27 practical values, the adoption of on-package decoupling capacitors provides only a 1.3x increase in the minimum number of traces required to discover the secret key. However, the injection of noise in the IC power delivery network yields a 37x increase in the minimum number of traces to discover. Thus, increasing the number of on-package decoupling capacitors or the impedance between the local probing site and the IC power grid should not be relied on as countermeasures to power side-channel attacks, for remote attack schemes. Noise injection should be considered as it is more effective at scrambling the leaked signal to eliminate sensitive identifying information. However, the analysis and experiments carried out herein are applied to regular symmetric ciphers which are not suitable for protecting Internet of Things (IoT) devices. The protection of communications between IoT devices is of great concern because the information exchanged contains vital sensitive data. Malicious agents seek to exploit those data to extract secret information about the owners or the system. Power side channel attacks are of great concern on these devices because their power consumption unintentionally leaks information correlatable to the device\u27s secret data. Several studies have demonstrated the effectiveness of authenticated encryption with advanced data (AEAD), in protecting communications with these devices. In this research, we have proposed a comprehensive evaluation of the ten algorithm finalists of the National Institute of Standards and Technology (NIST) IoT lightweight cipher competition. The study shows that, nonetheless, some still present some residual vulnerabilities to power side channel attacks (SCA). For five ciphers, we propose an attack methodology as well as the leakage function needed to perform correlation power analysis (CPA). We assert that Ascon, Sparkle, and PHOTON-Beetle security vulnerability can generally be assessed with the security assumptions Chosen ciphertext attack and leakage in encryption only, with nonce-misuse resilience adversary (CCAmL1) and Chosen ciphertext attack and leakage in encryption only with nonce-respecting adversary (CCAL1) , respectively. However, the security vulnerability of GIFT-COFB, Grain, Romulus, and TinyJambu can be evaluated more straightforwardly with publicly available leakage models and solvers. They can also be assessed simply by increasing the number of traces collected to launch the attack

Bridging the Gap: Advanced Tools for Side-Channel Leakage Estimation beyond Gaussian Templates and Histograms

The accuracy and the fast convergence of a leakage model are both essential components for the efficiency of side-channel analysis. Thus for efficient leakage estimation an evaluator is requested to pick a Probability Density Function (PDF) that constitutes the optimal trade-off between both aspects. In the case of parametric estimation, Gaussian templates are a common choice due to their fast convergence, given that the actual leakages follow a Gaussian distribution (as in the case of an unprotected device). In contrast, histograms and kernel-based estimations are examples for non-parametric estimation that are capable to capture any distribution (even that of a protected device) at a slower convergence rate. With this work we aim to enlarge the statistical toolbox of a side-channel evaluator by introducing new PDF estimation tools that fill the gap between both extremes. Our tools are designed for parametric estimation and can efficiently characterize leakages up to the fourth statistical moment. We show that such an approach is superior to non-parametric estimators in contexts where key-dependent information in located in one of those moments of the leakage distribution. Furthermore, we successfully demonstrate how to apply our tools for the (worst-case) information-theoretic evaluation on masked implementations with up to four shares, both in a profiled and non-profiled attack scenario. We like to remark that this flexibility capturing information from different moments of the leakage PDF can provide very valuable feedback for hardware designers to their task to evaluate the individual and combined criticality of leakages in their (protected) implementations

Hiding in Plain Sight: Non-profiling Deep Learning-based Side-channel Analysis with Plaintext/Ciphertext

Deep learning-based profiling side-channel analysis is widely adopted in academia and industry thanks to the ability to reveal secrets protected with countermeasures. To leverage its capability, the adversary needs to have access to a clone of an attack device to obtain the profiling measurements. Moreover, the adversary needs to know secret information to label these measurements. Non-profiling attacks avoid those constraints by not relying on secret information to label data but rather by trying all key guesses and taking the most successful one. Deep learning approaches also form the basis of several non-profiling attacks. Unfortunately, such approaches suffer from high computational complexity and low generality when applied in practice. This paper proposes a novel non-profiling deep learning-based side-channel analysis technique. Our approach relies on the fact that there is (commonly) a bijective relationship between known information, such as plaintext and ciphertext, and secret information. We use this fact to label the leakage measurement with the known information and then mount attacks. Our results show that we reach at least $3\times$ better attack performance with negligible computational effort than existing non-profiling methods. Moreover, our non-profiling approach rivals the performance of state-of-the-art deep learning-based profiling attacks

Practical Evaluation of FSE 2016 Customized Encoding Countermeasure

To protect against side-channel attacks, many countermeasures have been proposed. A novel customized encoding countermeasure was published in FSE 2016. Customized encoding exploits knowledge of the profiled leakage of the device to construct an optimal encoding and minimize the overall side-channel leakage. This technique was originally applied on a basic table look-up. In this paper, we implement a full block cipher with customized encoding countermeasure and investigate its security under simulated and practical setting for a general purpose microcontroller. Under simulated setting, we can verify that customized encoding shows strong security properties under proper assumption of leakage estimation and noise variance. However, in practical setting, our general observation is that the side-channel leakage will mostly be present even if the encoding scheme is applied, highlighting some limitation of the approach. The results are supported by experiments on 8-bit AVR and 32-bit ARM microcontroller

When Theory Meets Practice: A Framework for Robust Profiled Side-channel Analysis

Profiled side-channel attacks are the most powerful attacks and they consist of two steps. The adversary first builds a leakage model, using a device similar to the target one, then it exploits this leakage model to extract the secret information from the victim's device. These attacks can be seen as a classification problem, where the adversary needs to decide to what class (corresponding to the secret key) the traces collected from the victim's devices belong to. For a number of years, the research community studied profiled attacks and proposed numerous improvements. Despite a large number of empirical works, a framework with strong theoretical foundations to address profiled side-channel attacks is still missing. In this paper, we propose a framework capable of modeling and evaluating all profiled analysis attacks. This framework is based on the expectation estimation problem that has strong theoretical foundations. Next, we quantify the effects of perturbations injected at different points in our framework through robustness analysis where the perturbations represent sources of uncertainty associated with measurements, non-optimal classifiers, and methods. Finally, we experimentally validate our framework using publicly available traces, different classifiers, and performance metrics

Security Evaluations Beyond Computing Power: How to Analyze Side-Channel Attacks you Cannot Mount?

Present key sizes for symmetric cryptography are usually required to be at least 80-bit long for short-term protection, and 128-bit long for long-term protection. However, current tools for security evaluations against side-channel attacks do not provide a precise estimation of the remaining key strength after some leakage has been observed, e.g. in terms of number of candidates to test. This leads to an uncomfortable situation, where the security of an implementation can be anywhere between enumerable values (i.e. $2^{40}$ -- $2^{50}$ key candidates to test) and the full key size (i.e. $2^{80}$ -- $2^{128}$ key candidates to test). In this paper, we mitigate this important issue, and describe a key rank estimation algorithm that provides tight bounds for the security level of leaking cryptographic devices. As a result and for the first time, we are able to analyze the full complexity of “standard” (i.e. divide-and-conquer) side-channel attacks, in terms of their tradeoff between time, data and memory complexity