Project topics and materials
Get Complete Project Material File(s) Now! »
Prior Knowledge
Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) is a symmetric cryptographic algorithm, ini-tially called Rijindael, submitted to the National Institute of Standards and Technology (NIST) competition in 1998 and ratified as a standard in 2001 [1]. The algorithm is a block cipher that digests input blocks of 128 bits. The internal state is also made up of 128 bits, where the numbering is visible in Fig. 2.1. The input master key is sized 128, 192 or 256 bits, according to the wanted level of security, and is used to generate the 11, 13 or 15 rounds keys. Indeed, the AES falls in the Substitution-Permutation Network (SPN) algorithms with 10, 12 or 14 rounds as a function of the key size. Each round is divided in four subfunctions:
∙ the add round key applies a eXclusive OR (XOR) between the current state and the subkey round. The round keys are computed applying the Rijndael keysched-ule to the input key (also called master key),
∙ the S-box is publicly known 8-bit substitution function with good non-linearity properties,
∙ the shiftRows lets the first row unmodified, shifts the second one by one to the left, the third one by two and the last one by three as displayed in the following Fig. 2.1,
∙ the mixColumns is a linear function applied on each column of the input state, is represented as matrix product in the Fig 2.2. For examples, 0 = 0x02. 0 + 0x03. 1 + 2 + 3, the operation are done in F28 .
The complete subfunctions’ schedule of an AES-128 is provided in Fig. 2.3, it starts off by a XOR between the 128-bit of the plaintext and the master key ( ⋆0) ; followed by ninth rounds composed of the four subfunctions, previously described, and a last one without the mixColumns. Almost all practical validations we present are done on the AES implementation. This choice is motivated by its robustness, as it remains cryptographically secure after more than twenty years of evaluation ; and by its wide use in many sorts of applications. Further more, the implementations and the set of traces used are publicly available allowing the repoductibility.
Introduction to the Side-Channel Analysis (SCA)
Since ′99 and the seminal paper of Kocher et al. [46] called Differential Power Analysis (DPA), embedded systems (smartcards, smartphones, Internet of Thing (IoT). . . ) are known to be vulnerable to the Side-Channel Analysis (SCA). This kind of attacks use leakage of information from non-conventional communications channels (ElectroMag-netic (EM), execution time, power consumption. . . ) to extract secret information. The main application of the SCA is the recovery of secret keys manipulated by symmetric or asymmetric cryptographic algorithms.
Others exploitation of the SCA have been proposed as the Side-Channel Analysis for Reverse Engineering (SCARE) [19, 21, 55, 64], with the objective to reveal secrets characteristics of the implementation. For examples SCARE could be used to recover secret S-box. Indeed, it could happen that manufacturers secretly change functions of public cryptosystem even if Kerckhoffs’s principle advises that a cryptosystem “must not require secrecy” (except the key) [45] to be secure.
In the case of key recovering, the objective is to discriminate ⋆ between com-paring recorded leakage and models . But have been presented as an -bit vector (usually, = 8) that is much more less than a real cryptographic key size. Indeed, some institutions, summarized in Tab. 2.1, advise to use a key length between 84-bit and 3072-bit according to the chosen cryptographic primitives. That is why the SCA adopts “divide-and-conquer” approach, splitting the entire key in words of -bit , with enough small to be exhaustively iterated. Then each sub key is independently ana-lyzed.
Notations
Matrices
Whatever the target and regardless of the acquisition method, an attacker will record traces and additional data as inputs and/or outputs values. Matrix is the perfect mathematical object to store and manipulate these collected data. That is why we adopt in the whole thesis matrix notations. The queries are indexed by = 1, . . . , , where is the number of traces. The samples in a given trace are indexed by = 1, . . . , .
Signals
Let denote the leakage measurements, the model, the measurement noise, and the link between the model and the measurements. Notations , are consistent with the usual convention in machine learning, where is for the collected data and for the classification labels. The model depends on a key guess , an -bit vector (as usual = 8), and on some known plaintexts (usually also an -bit vector, it could also be the ciphertext). In a view not to overload the notations, we write instead of ( ). As it is customary in SCA, the correct key is denoted by ⋆. The corresponding model using the correct key ( ⋆) is denoted by ⋆. A sensitive variable that depends on the unknown secret key is leaking through a leakage function . Let be the model dimensionality and : F2 × F2 → R a vectorial function, with components. Typically, is the Hamming Weight (HW) function, a sum of weighted bits, or its composition with a S-box. In order to further simplify the mathematical derivations, we assume that is centered.
Models Illustrations
With the aim of illustrating the signals notations previously introduced, we provide some concrete examples for distinct values of . The leakage signal may be represented as a continuous curve as illustrated in Fig. 2.4. The practical acquisition is done through a temporal series of “discrete samples” within one clock period. For = 1, the traces
Distinguishers
Once we have the collected the data , and the models , the comparing step use a dis-criminant function called a distinguisher and noted D. For example, the DPA [46] uses the difference between averaged traces, the Correlation Power Analysis (CPA) [11] the Pearson correlation coefficient, the Template Attack (TA) [18] the probability density function of Gaussian distributions. . . A distinguisher D maps a collection of leakages and publicly known plaintexts (or ciphertexts) bytes to an estimation of the secret key ⋆. Thereafter, Heuser et al. define in [42] the notion of optimal distinguisher rewriting the SCA as a communication channel problem. The goal is to maximize the probability of success of D( , = ⋆) and it could be formalized as in the Theorem 2.1 proposed in [42].
Table of contents :
1 Résumé de la Thèse en Français
1.1 Chapitre 1 : Introduction
1.2 Chapitre 2 : Moins C’est Plus
1.3 Chapitre 3 : Fuites Multivariées et Modèles Multiples
1.4 Chapitre 4 : Analyse Binaire pour l’Évaluation des Fuites d’un Code Source
2 Introduction
2.1 Prior Knowledge
2.1.1 Advanced Encryption Standard (AES)
2.1.2 Introduction to the Side-Channel Analysis (SCA)
2.2 Notations
2.2.1 Matrices
2.2.2 Signals
2.2.3 Models Illustrations
2.3 Distinguishers
2.4 Examples of Side-Channel Analysis (SCA)
2.4.1 First Key Recovering
2.4.2 Successfully Mounted Attacks
2.5 Contributions
2.6 The Thesis
3 Less Is More
3.1 Contributions
3.2 Review of the State-of-the-Art
3.3 Theoretical Solution in the Presence of Gaussian Noise
3.3.1 Optimal Attack
3.3.2 Optimal Dimensionality Reduction
3.3.3 Discussion
3.4 Noise Distributions
3.4.1 White Noise
3.4.2 Correlated Autoregressive Noise
3.5 Comparison with PCA and LDA
3.5.1 Principal Component Analysis (PCA)
3.5.2 Linear Discriminant Analysis (LDA)
3.5.3 Numerical Comparison Between Asymptotic PCA and LDA
3.6 Practical Validations
3.6.1 Attack with a Precharacterization of 𝛼𝐷 and Σ
3.6.2 SNR Computations of DPA Contest V2 [73] Traces
3.7 Conclusions and Perspectives
4 Multivariate Leakages and Multiple Models
4.1 Contributions
4.2 Theoretical Results and Implementation
4.2.1 General Mathematical Expressions
4.2.2 Mathematical Expressions for 𝑆 = 2
4.2.3 Efficient Implementation
4.3 Practical Results
4.3.1 Characterization of Σ
4.3.2 Attacks on Synthetic (i.e., Simulated) Traces
4.3.3 Attacks on Real-World Traces
4.4 Conclusions and Perspectives
5 Binary Data Analysis for Source Code Leakage Assessment
5.1 Introduction
5.1.1 Previous Work
5.1.2 Contributions
5.2 Solution Presentation
5.2.1 Notations and Recording Step
5.2.2 Realignment Algorithm
5.2.3 Data Reduction
5.2.4 Distinguisher: Correlation Power Analysis (CPA)
5.3 Results
5.3.1 White Box Cryptography (WBC) Analysis
5.3.2 Analysis Improvement
5.4 Conclusion
6 Conclusion and Perspectives
6.1 Conclusion
6.2 Perspectives
Bibliography
