Disclaimer: This page refers to an external person. It only lists all the interactions between this person and the Crypto Group. Validity or accuracy of the following information is thus not guaranteed in any way.
Abstract: Many papers on side-channel attacks present remarkable ideas but lack sound mathematical methods. In particular, only parts of the overall side-channel information are used, which lowers the efficiency of the attack. However, in 'real life' side-channel measurements may not be available in unlimited numbers, or at least they may be costly. Minimizing the error probabilities for the guesses of the particular key parts (for a given number of measurements) or, vice versa, minimizing the number of necessary measurements (for a fixed error probability) is clearly desirable for a potential attacker. On the other side, however, this enables the system designer to rate the risk potential and the efficiency of the proposed countermeasures. Side-channel information can be interpreted as values assumed by random variables where the relevant information is covered by noise. Often this can be modelled as a stochastic process, and the attack can be viewed as a sequence of statistical decision problems. Roughly speaking, an optimal decision strategy minimizes the expected loss of a decision problem, which primarily depends on the probabilities for wrong guesses but also on the consequences of errors. Depending on the concrete situation, certain types of errors may be easier to detect and correct than others. In this way the efficiency of a particular timing attack presented at Cardis '98 could be improved by a factor of 50, for instance. Some side-channel attacks were not detected without stochastic methods. The talk introduces the subject matter through some examples, for which the associated mathematical models, the applied stochastic methods and the main results are sketched.
Abstract: The 'classical' approach in power analysis is DPA. DPA attacks require only little set-up work, but on the negative side their attacking efficiency is low. Template attacks interpret measurements as values that are assumed by random variables whose (unknown) distributions depend on the subkey, a part of the plaintext and possibly on a masking value. In the profiling phase (aka characterization phase) measurement series are obtained from a training device to estimate the unknown probability densities for each parameter set. The attacking efficiency of 'classical' template attacks (avoiding any model assumptions) is maximal but, especially for strongly masked implementations, profiling requires a gigantic workload. This talk considers a stochastic approach (introduced at CHES 2005) that combines the engineer's qualitative intuition with quantitative statistical methods. This approach does not aim at the exact probability densities but at (sufficiently close) approximators. The profiling workload is order(s) of magnitude smaller than for (classical) template attacks, while its attacking efficiency is lower but still comparable. The attacking efficiency of this approach is much stronger than DPA. Moreover, the stochastic approach not only provides the information whether a design can successfully be attacked but also exhibits the underlying reasons for the side-channel leakage, which allows the targeted re-design of cryptographic implementations. This stochastic approach works for power attacks on non-masked and masked implementations. It can be generalized in a natural way to electromagnetic radiation attacks and, more generally, to multi-channel attacks.
François-Xavier Standaert, François Koeune, and Werner Schindler. How to Compare Profiled Side-Channel Attacks, proceedings of ACNS 2009, Volume 5536 of Lecture Notes in Computer Science, pages 485-498, Springer, June 2009
Werner Schindler, François Koeune, and Jean-Jacques Quisquater. Improving Divide and Conquer Attacks Against Cryptosystems by Better Error Detection Correction Strategies, Cryptography and Coding - 8th IMA International Conference on Cryptography and Coding, Volume 2260 of Lecture Notes in Computer Science, pages 245-267, Springer-Verlag, December 2001