On the Optimality of Mutual Information Analysis for Discrete Leakages Cryptarchi June 29-30, 2015 Leuven
|
|
- Lionel Hill
- 6 years ago
- Views:
Transcription
1 On the Optimality of Mutual Information Analysis for Discrete Leakages Cryptarchi June 29-30, 2015 Leuven Éloi de Chérisey*, Annelie Heuser**, Sylvain Guilley** and Olivier Rioul** * ENS Cachan, **Telecom ParisTech
2 Éloi Sylvain Annelie Olivier de CHÉRISEY GUILLEY HEUSER RIOUL is with is also with is PhD fellow at is also Prof at Research thread: Distinguishing distinguishers CHES 2014: known model + large Gaussian noise = CPA is optimal ASICRYPT 2014: idem with masking = HO-CPA is optimal CRYPTARCHI 2015: unknown model = MIA is optimal
3 Introduction Outline On Optimality of MIA Notations and Assumptions Mathematical Derivations An Example where MIA Outperforms CPA Pedagogical Case-Study Implementation Issues On Binning Size Fast Computation of MIA 3 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
4 Introduction Outline On Optimality of MIA Notations and Assumptions Mathematical Derivations An Example where MIA Outperforms CPA Pedagogical Case-Study Implementation Issues On Binning Size Fast Computation of MIA 4 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
5 Motivations 1. How to attack when no leakage model is available? no profiling is possible? (e.g., balanced dual-rail circuits) 5 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
6 Motivations 1. How to attack when no leakage model is available? no profiling is possible? (e.g., balanced dual-rail circuits) 5 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
7 Motivations 1. How to attack when no leakage model is available? no profiling is possible? (e.g., balanced dual-rail circuits) Mutual Information Analysis (MIA) [Gierlichs et al., CHES 2008] 5 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
8 Motivations 1. How to attack when no leakage model is available? no profiling is possible? (e.g., balanced dual-rail circuits) Mutual Information Analysis (MIA) [Gierlichs et al., CHES 2008] 2. Is it possible for MIA to be: Optimal? Effective? Efficient? 5 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
9 Results We show that: MIA is optimal in that it is equivalent to a universal maximum likelihood (U-ML) MIA can even outperform CPA the computational complexity of MIA can be significantly reduced 6 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
10 Introduction Outline On Optimality of MIA Notations and Assumptions Mathematical Derivations An Example where MIA Outperforms CPA Pedagogical Case-Study Implementation Issues On Binning Size Fast Computation of MIA 7 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
11 Leakage model Assumptions: secret key k : deterministic but unknown uniformly distributed text bytes t = (t 1,..., t m ): random but known m i.i.d. noisy measurements x = (x 1,..., x m ) leakage model: x = y(k ) + n y(k) = ϕ(f(k, t)) t n t k f ϕ y + x D(x, t) ˆk Device side Attacker s side 8 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
12 Markov Condition Markov Chain Property The leakage x depends on the secret key k only through the computed model y(k ) = ϕ(f(k, t)) Thus the conditional distribution P(x y) depends on the key only through the value of y. Example x i = w H (k t i ) + n i, where w H is the Hamming weight x i = ϕ(s(k t i )) + n i, where S is a substitution box 9 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
13 Assumptions Empirical Distribution (Histogram) Leakage is discrete (or discretized via binning). Counting occurrences of each value of x and y gives the estimate: P(x y) = m i=1 1 x i =x,y i =y m i=1 1 y i =y Definition (Empirical Mutual Information) Ĩ(X; Y ) = x X y Y P(x, y) log 2 P(x, y) P(x) P(y) 10 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
14 Best Distinguisher The optimal distinguisher D(x, y) and associated distinguishing rule ˆk = arg max D(x, y) maximizes success: k K Definition (Average Success Rate) SR = 1 2 n 1 2 n P k (ˆk(X, T) = k) k=0 This is a theoretical definition since P k (x, t) is not known perfectly. 11 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
15 Maximum likelihood Theorem (Optimal Distinguisher = Maximum Likelihood) D opt (x, t) = arg max P(x y) k K Recall y = ϕ(f(k, t)) depends on the key hypothesis k. Proved by [Heuser et al., in CHES 2014] Optimality holds for perfectly known leakage model ϕ 12 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
16 Universal Maximum Likelihood Universal = from the data without prior information. Definition (Universal Maximum Likelihood) where P(x y) = m i=1 P(x i y i ) ˆk = arg max P(x y) k K Loss in performance due to empirical probability estimation. 13 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
17 Universal Maximum Likelihood Theorem (MIA = U-ML) The universal ML key estimate is equivalent to MIA! [Gierlichs et al. CHES 2008] ˆk = arg max k K P(x y) = arg max Ĩ(X; Y ) k K This surprising theoretical result shows that MIA is universally optimal as it maximizes SR = 1 2 n 1 P 2 n k (ˆk(X, T) = k) k=0 14 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
18 Proof of the Theorem Rearrange empirical probability: m P(x y) = P(x i y i ) = P(x y) nx,y i=1 x X,y Y where m n x,y = 1 xi =x,y i =y = m P(x, y) i=1 Now take the logarithm: log P(x y) = m P(x, y) log( P(x y)) x X,y Y We recognize entropy! H(X Y ) = P(x, y) log( P(x y)) /... x X,y Y 15 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
19 Proof of the Theorem (cont d) In other words: P(x y) = 2 m H(X Y ) Thus maximizing P(x y) amounts to minimizing H(X Y ), i.e., maximizing Ĩ(X, Y ) = H(X) H(X Y ) since H(X) does not depend on k. Conclusion: arg max P(x y) = arg max Ĩ(X; Y ) k K k K 16 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
20 Introduction Outline On Optimality of MIA Notations and Assumptions Mathematical Derivations An Example where MIA Outperforms CPA Pedagogical Case-Study Implementation Issues On Binning Size Fast Computation of MIA 17 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
21 Case-Study Consider the following leakage : X = Y + N with Y = ϕ(f(t K )) where Y = ±1 and N U(±σ) (uniformly distributed with values ±σ). Assumptions T, K F n 2 f : F n 2 Fn 2 is an Sbox function applied to a xor and ϕ is a one-bit selection function. σ N is an integer Example Dynamic Voltage Scaling (DVS) used as a countermeasure. 18 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
22 Case-Study: Distinguisher Theorem (Optimal Distinguisher) One easily finds 1 D opt (x, t) = arg max P(x y) = arg max k K k K 2 m m 1 if x ϕ(f(t, k)) = 0 1 if x ϕ(f(t, k)) = 2σ 0 otherwise i=1 To be compared to i CPA: ii MIA : D CP A (x, t) = arg max k K cov(x, Y ) σ X σ Y D MIA (x, t) = arg max Ĩ(X, Y ) k K 19 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
23 Results for MIA and CPA (σ = 1) 20 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
24 Results for MIA and CPA (σ = 4) 21 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
25 Introduction Outline On Optimality of MIA Notations and Assumptions Mathematical Derivations An Example where MIA Outperforms CPA Pedagogical Case-Study Implementation Issues On Binning Size Fast Computation of MIA 22 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
26 Size of the Bins Why Binning? Due to noise, x assumes real values: p(x y) as a pdf that must be estimated using bins as P(x y) what is the optimal size of bins? does it depend of the number of traces? 23 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
27 Leakage Example Example y = ϕ(f(y(k, t))) with f(k, t) = Sbox(t k ) ϕ = ψ(w H ( )) where ψ is a non-linear bijective function s.t. Cov(Y, ϕ(y )) = 0 ϕ(y ) Y
28 Leakage Example (cont d) MIA using 30 traces = 1 = 5 25 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
29 Leakage Example (cont d) Correct key guess False key guess = 1 = 5 26 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
30 Fast MIA Algorithm Principle See [Victor Lomné et al. in ASIACRYPT 2013] for CPA Principle The pmf is given by P(y, x) = P(t, x) t ϕ(f(t,k))=y Implement this once and for all in place of empirical probability P(t, x). 27 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
31 Fast MIA Algorithm Flow input : x a set of m traces which take discrete values, t a corresponding set of m plaintexts/ciphertexts output: (Ĩ(x, y(k))) k K // From x and t, build an hash table PMF[t][x] (i.e., an histogram); 1 for i {1,..., m} do 2 PMF[t i][x i] += 1; 3 end 4 for x X do 5 P(x) = 0 ; 6 for t F n 2 do 7 P(x) += PMF[t][x] ; 8 end 9 end // P(x) holds m P(x) 28 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
32 1 for k K do // Key enumeration Fast MIA Algorithm Flow 2 x X, y Y, P(x, y) = 0 ; // P(x, y) holds m P(x, y) 3 for t F n 2 do 4 for x X do 5 P(x, ϕ(f(k, t))) += PMF[t][x] ; // y = ϕ(f(k, t)) 6 end 7 end 8 Ĩ(x, y(k)) = 0; 9 for y Y do 10 P(y) = 0 ; // P(y) holds m P(y) 11 for x X do 12 P(y) += P(x, y); 13 end 14 for x X do 15 if P(x, y) 0 then // P(x, y) 0 = (P(x) 0 P(y) 0) 16 Ĩ(x, y(k)) += P(x,y) m log 2 mp(x,y) P(x)P(y) ; 17 end 18 end 19 end 20 end 21 return (Ĩ(x, y(k))) k K 29 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
33 1 for k K do // Key enumeration Fast MIA Algorithm Flow 2 x X, y Y, P(x, y) = 0 ; // P(x, y) holds m P(x, y) 3 for t F n 2 do 4 for x X do 5 P(x, ϕ(f(k, t))) += PMF[t][x] ; // y = ϕ(f(k, t)) 6 end 7 end 8 Ĩ(x, y(k)) = 0; 9 for y Y do 10 P(y) = 0 ; // P(y) holds m P(y) 11 for x X do 12 P(y) += P(x, y); 13 end 14 for x X do 15 if P(x, y) 0 then // P(x, y) 0 = (P(x) 0 P(y) 0) 16 P(x,y) Ĩ(x, y(k)) += P(x, y) log 2 ; P(y) // no longer a mutual information, but OK end 18 end 19 end 20 end 21 return (Ĩ(x, y(k))) k K 29 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
34 Conclusions MIA is equivalent to Universal ML MIA can be close to optimal Binning size is crucial Fast MIA 30 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
35 Thank you! Questions? 31 June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
36 References Benedikt Gierlichs, Lejla Batina, Pim Tuyls, and Bart Preneel. Mutual information analysis. In CHES, 10th International Workshop, volume 5154 of Lecture Notes in Computer Science, pages Springer, August Washington, D.C., USA. Annelie Heuser, Olivier Rioul, and Sylvain Guilley. Good Is Not Good Enough - Deriving Optimal Distinguishers from Communication Theory. In Lejla Batina and Matthew Robshaw, editors, Cryptographic Hardware and Embedded Systems - CHES th International Workshop, Busan, South Korea, September 23-26, Proceedings, volume 8731 of Lecture Notes in Computer Science, pages Springer, Victor Lomné, Emmanuel Prouff, and Thomas Roche. Behind the Scene of Side Channel Attacks. In Kazue Sako and Palash Sarkar, editors, ASIACRYPT (1), volume 8269 of Lecture Notes in Computer Science, pages Springer, June 29-30, 2015 Institut Mines-Télécom Cryptarchi 2015
Side-Channel Attack against RSA Key Generation Algorithms
Side-Channel Attack against RSA Key Generation Algorithms CHES 2014 Aurélie Bauer, Eliane Jaulmes, Victor Lomné, Emmanuel Prouff and Thomas Roche Agence Nationale de la Sécurité des Systèmes d Information
More informationSide channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut
Side channel attack: Power Analysis Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut Conventional Cryptanalysis Conventional cryptanalysis considers crypto systems as mathematical objects Assumptions:
More informationNon-Profiled Deep Learning-Based Side-Channel Attacks
Non-Profiled Deep Learning-Based Side-Channel Attacks Benjamin Timon UL Transaction Security, Singapore benjamin.timon@ul.com Abstract. Deep Learning has recently been introduced as a new alternative to
More informationMasking as a Side-Channel Countermeasure in Hardware
Masking as a Side-Channel Countermeasure in Hardware 6. September 2016 Ruhr-Universität Bochum 1 Agenda Physical Attacks and Side Channel Analysis Attacks Measurement setup Power Analysis Attacks Countermeasures
More informationHow Far Should Theory be from Practice?
How Far Should Theory be from Practice? Evaluation of a Countermeasure Amir Moradi and Oliver Mischke Horst Görtz Institute for IT Security, Ruhr University Bochum, Germany {moradi,mischke}@crypto.rub.de
More informationFault Sensitivity Analysis
Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University of Electro-Communications liyang@ice.uec.ac.jp Toshinori Fukunaga, Junko Takahashi NTT Information Sharing
More informationPower Analysis of Atmel CryptoMemory Recovering Keys from Secure EEPROMs
Power Analysis of Atmel CryptoMemory Recovering Keys from Secure EEPROMs Josep Balasch 1, Benedikt Gierlichs 1, Roel Verdult 2, Lejla Batina 1,2, and Ingrid Verbauwhede 1 1 ESAT/COSIC, KU Leuven 2 ICIS/Digital
More information1 Overview. 2 Applications of submodular maximization. AM 221: Advanced Optimization Spring 2016
AM : Advanced Optimization Spring 06 Prof. Yaron Singer Lecture 0 April th Overview Last time we saw the problem of Combinatorial Auctions and framed it as a submodular maximization problem under a partition
More informationAdaptive Chosen-Message Side-Channel Attacks
Adaptive Chosen-Message Side-Channel Attacks Nicolas Veyrat-Charvillon, François-Xavier Standaert, Université catholique de Louvain, Crypto Group, Belgium. e-mails: nicolas.veyrat;fstandae@uclouvain.be
More informationSide-Channel Countermeasures for Hardware: is There a Light at the End of the Tunnel?
Side-Channel Countermeasures for Hardware: is There a Light at the End of the Tunnel? 11. Sep 2013 Ruhr University Bochum Outline Power Analysis Attack Masking Problems in hardware Possible approaches
More informationProfiling Good Leakage Models For Masked Implementations
Profiling Good Leakage Models For Masked Implementations Changhai Ou,2, Zhu Wang,, Degang Sun, and Xinping Zhou,2 Institute of Information Engineering, Chinese Academy of Sciences 2 School of Cyber Security,
More informationOn the Practical Security of a Leakage Resilient Masking Scheme
On the Practical Security of a Leakage Resilient Masking Scheme T. Roche thomas.roche@ssi.gouv.fr Joint work with E. Prouff and M. Rivain CT-RSA 2014 Feb. 2014 Side Channel Analysis Side Channel Attacks
More informationTime-Frequency Analysis for Second-Order Attacks
Time-Frequency Analysis for Second-Order Attacks Pierre BELGARRIC 1,3, Shivam BHASIN 1, Nicolas BRUNEAU 1,4, Jean-Luc DANGER 1,5, Nicolas DEBANDE 1,6, Sylvain GUILLEY 1,5, Annelie HEUSER 1, Zakaria NAJM
More informationPower Analysis of MAC-Keccak: A Side Channel Attack. Advanced Cryptography Kyle McGlynn 4/12/18
Power Analysis of MAC-Keccak: A Side Channel Attack Advanced Cryptography Kyle McGlynn 4/12/18 Contents Side-Channel Attack Power Analysis Simple Power Analysis (SPA) Differential Power Analysis (DPA)
More informationCountermeasures against EM Analysis
Countermeasures against EM Analysis Paolo Maistri 1, SebastienTiran 2, Amine Dehbaoui 3, Philippe Maurine 2, Jean-Max Dutertre 4 (1) (2) (3) (4) Context Side channel analysis is a major threat against
More informationEfficient Entropy Estimation for Mutual Information Analysis Using B-Splines
Efficient Entropy Estimation for Mutual Information Analysis Using B-Splines Alexandre Venelli 1,2 1 IML ERISCS Université delaméditerranée, Case 97, 163 Avenue de Luminy 13288 Marseille Cedex 9, France
More informationToday s outline: pp
Chapter 3 sections We will SKIP a number of sections Random variables and discrete distributions Continuous distributions The cumulative distribution function Bivariate distributions Marginal distributions
More informationLow-Overhead Implementation of a Soft Decision Helper Data Algorithm for SRAM PUFs
Low-Overhead Implementation of a Soft Decision Helper Data Algorithm for SRAM PUFs Roel Maes 1, Pim Tuyls 1,2, Ingrid Verbauwhede 1 1. COSIC, K.U.Leuven and IBBT 2. Intrinsic-ID, Eindhoven Workshop on
More informationBinary decision diagram to design balanced secure logic styles
Binary decision diagram to design balanced secure logic styles Hyunmin Kim, Seokhie Hong, Bart Preneel and Ingrid Verbauwhede Center for Information Security Technologies Korea University, Seoul, South
More informationStudy of a Novel Software Constant Weight Implementation
Study of a Novel Software Constant Weight Implementation Victor Servant 1, Nicolas Debande 2, Houssem Maghrebi 1, Julien Bringer 1 1 SAFRAN Morpho, 18, Chaussée Jules César, 9552 Osny, France. firstname.lastname@morpho.com
More informationCS 395T Computational Learning Theory. Scribe: Wei Tang
CS 395T Computational Learning Theory Lecture 1: September 5th, 2007 Lecturer: Adam Klivans Scribe: Wei Tang 1.1 Introduction Many tasks from real application domain can be described as a process of learning.
More informationOn the Easiness of Turning Higher-Order Leakages into First-Order
On the Easiness of Turning Higher-Order Leakages into First-Order Thorben Moos and Amir Moradi Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Bochum, Germany {firstname.lastname}@rub.de
More informationDPA CONTEST 08/09 A SIMPLE IMPROVEMENT OF CLASSICAL CORRELATION POWER ANALYSIS ATTACK ON DES
DPA CONTEST 08/09 A SIMPLE IMPROVEMENT OF CLASSICAL CORRELATION POWER ANALYSIS ATTACK ON DES, Fakultät für Informatik Antonio Almeida Prof. Dejan Lazich Karlsruhe, 9 th June 2010 KIT Universität des Landes
More informationStatistical Techniques in Robotics (16-831, F10) Lecture #02 (Thursday, August 28) Bayes Filtering
Statistical Techniques in Robotics (16-831, F10) Lecture #02 (Thursday, August 28) Bayes Filtering Lecturer: Drew Bagnell Scribes: Pranay Agrawal, Trevor Decker, and Humphrey Hu 1 1 A Brief Example Let
More informationDiscrete Mathematics Course Review 3
21-228 Discrete Mathematics Course Review 3 This document contains a list of the important definitions and theorems that have been covered thus far in the course. It is not a complete listing of what has
More informationProfiling Side-channel Analysis in the Restricted Attacker Framework
Profiling Side-channel Analysis in the Restricted Attacker Framework Stjepan Picek 1, Annelie Heuser 2, and Sylvain Guilley 3 1 Delft University of Technology, Mekelweg 2, Delft, The Netherlands s.picek@tudelft.nl
More informationOnline Algorithms. Lecture 11
Online Algorithms Lecture 11 Today DC on trees DC on arbitrary metrics DC on circle Scheduling K-server on trees Theorem The DC Algorithm is k-competitive for the k server problem on arbitrary tree metrics.
More informationIEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 53, NO. 10, OCTOBER
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 53, NO. 10, OCTOBER 2007 3413 Relay Networks With Delays Abbas El Gamal, Fellow, IEEE, Navid Hassanpour, and James Mammen, Student Member, IEEE Abstract The
More informationMulti-Stage Fault Attacks
Multi-Stage Fault Attacks Applications to the Block Cipher PRINCE Philipp Jovanovic Department of Informatics and Mathematics University of Passau March 27, 2013 Outline 1. Motivation 2. The PRINCE Block
More informationWill Monroe July 21, with materials by Mehran Sahami and Chris Piech. Joint Distributions
Will Monroe July 1, 017 with materials by Mehran Sahami and Chris Piech Joint Distributions Review: Normal random variable An normal (= Gaussian) random variable is a good approximation to many other distributions.
More informationSelecting Time Samples for Multivariate DPA Attacks
Selecting Time Samples for Multivariate DPA Attacks Oscar Reparaz, Benedikt Gierlichs, and Ingrid Verbauwhede KU Leuven Dept. Electrical Engineering-ESAT/SCD-COSIC and IBBT Kasteelpark Arenberg 10, B-3001
More informationDefeating Embedded Cryptographic Protocols by Combining Second-Order with Brute Force
Defeating Embedded Cryptographic Protocols by Combining Second-Order with Brute Force Benoit Feix (B), Andjy Ricart, Benjamin Timon, and Lucille Tordella UL Transaction Security Lab, Basingstoke, England
More informationPower Analysis Attacks
Power Analysis Attacks Elisabeth Oswald Computer Science Department Crypto Group eoswald@cs.bris.ac.uk Elisabeth.Oswald@iaik.tugraz.at Outline Working principle of power analysis attacks DPA Attacks on
More informationMedical Image Segmentation Based on Mutual Information Maximization
Medical Image Segmentation Based on Mutual Information Maximization J.Rigau, M.Feixas, M.Sbert, A.Bardera, and I.Boada Institut d Informatica i Aplicacions, Universitat de Girona, Spain {jaume.rigau,miquel.feixas,mateu.sbert,anton.bardera,imma.boada}@udg.es
More informationLeakage Squeezing Countermeasure against High-Order Attacks
Leakage Squeezing Countermeasure against High-Order Attacks Houssem Maghrebi, Sylvain Guilley, Jean-Luc Danger To cite this version: Houssem Maghrebi, Sylvain Guilley, Jean-Luc Danger. Leakage Squeezing
More informationCombined Fault and Side-Channel Attack on Protected Implementations of AES
Combined Fault and Side-Channel Attack on Protected Implementations of AES Thomas Roche, Victor Lomné, and Karim Khalfallah ANSSI, 51, Bd de la Tour-Maubourg, 75700 Paris 07 SP, France firstname.lastname@ssi.gouv.fr
More informationMasking vs. Multiparty Computation: How Large is the Gap for AES?
Masking vs. Multiparty Computation: How Large is the Gap for AES? Vincent Grosso 1, François-Xavier Standaert 1, Sebastian Faust 2. 1 ICTEAM/ELEN/Crypto Group, Université catholique de Louvain, Belgium.
More informationRecommendation to Protect Your Data in the Future
Recommendation to Protect Your Data in the Future Prof. Dr.-Ing. Tim Güneysu Arbeitsgruppe Technische Informatik / IT-Sicherheit (CEITS) LEARNTEC Karlsruhe 27.01.2016 Long-Term Security in the Real World
More informationLeakage-Resilient Symmetric Cryptography (Overview of the ERC Project CRASH, part II)
Leakage-Resilient Symmetric Cryptography (Overview of the ERC Project CRASH, part II) François-Xavier Standaert UCL Crypto Group, Belgium INDOCRYPT, December 2016 Outline Introduction Natural PRGs/PRFs
More informationCoupon Recalculation for the GPS Authentication Scheme
Coupon Recalculation for the GPS Authentication Scheme Georg Hofferek and Johannes Wolkerstorfer Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse
More informationHybrid Quasi-Monte Carlo Method for the Simulation of State Space Models
The Tenth International Symposium on Operations Research and Its Applications (ISORA 211) Dunhuang, China, August 28 31, 211 Copyright 211 ORSC & APORC, pp. 83 88 Hybrid Quasi-Monte Carlo Method for the
More informationHOST Differential Power Attacks ECE 525
Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately, cryptographic
More informationPRACTICAL DPA ATTACKS ON MDPL. Elke De Mulder, Benedikt Gierlichs, Bart Preneel, Ingrid Verbauwhede
PRACTICAL DPA ATTACKS ON MDPL Elke De Mulder, Benedikt Gierlichs, Bart Preneel, Ingrid Verbauwhede K.U. Leuven, ESAT/SCD-COSIC and IBBT Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {elke.demulder,benedikt.gierlichs,bart.preneel,ingrid.verbauwhede}@esat.kuleuven.be
More informationA Fast Estimation of SRAM Failure Rate Using Probability Collectives
A Fast Estimation of SRAM Failure Rate Using Probability Collectives Fang Gong Electrical Engineering Department, UCLA http://www.ee.ucla.edu/~fang08 Collaborators: Sina Basir-Kazeruni, Lara Dolecek, Lei
More informationStatistical Analysis of the Alleged RC4 Keystream Generator
Statistical Analysis of the Alleged RC4 Keystream Generator Scott R. Fluhrer and David A. McGrew Cisco Systems, Inc. 170 West Tasman Drive, San Jose, CA 95134 {sfluhrer, mcgrew}@cisco.com Abstract. The
More informationHow to Certify the Leakage of a Chip?
How to Certify the Leakage of a Chip? F. Durvaux, F.-X. Standaert, N. Veyrat-Charvillon UCL Crypto Group, Belgium EUROCRYPT 2014, Copenhagen, Denmark Problem statement Evaluation / certification of leaking
More informationGraphical Models. David M. Blei Columbia University. September 17, 2014
Graphical Models David M. Blei Columbia University September 17, 2014 These lecture notes follow the ideas in Chapter 2 of An Introduction to Probabilistic Graphical Models by Michael Jordan. In addition,
More informationMasking Proofs are Tight
Masking Proofs are Tight and How to Exploit it in Security Evaluations Vincent Grosso 1, François-Xavier Standaert 2 1 Radboud University Nijmegen, Digital Security Group, The Netherlands. 2 ICTEAM - Crypto
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationNearest Neighbor with KD Trees
Case Study 2: Document Retrieval Finding Similar Documents Using Nearest Neighbors Machine Learning/Statistics for Big Data CSE599C1/STAT592, University of Washington Emily Fox January 22 nd, 2013 1 Nearest
More informationBlind Differential Cryptanalysis for Enhanced Power Attacks
Blind Differential Cryptanalysis for Enhanced Power Attacks Bart Preneel COSIC K.U.Leuven - Belgium bart.preneel(at)esat.kuleuven.be Joint work with Helena Handschuh Concept Differential cryptanalysis
More informationPractical Electromagnetic Template Attack on HMAC
Practical Electromagnetic Template Attack on HMAC Pierre Alain Fouque 1 Gaétan Leurent 1 Denis Réal 2,3 Frédéric Valette 2 1ENS,75Paris,France. 2CELAR,35Bruz,France. 3INSA-IETR,35Rennes,France. September
More informationDissecting Leakage Resilient PRFs with Multivariate Localized EM Attacks
Dissecting Leakage Resilient PRFs with Multivariate Localized EM Attacks A Practical Security Evaluation on FPGA Florian Unterstein Johann Heyszl Fabrizio De Santis a Robert Specht, 13.04.2017 a Technical
More informationInformation theory methods for feature selection
Information theory methods for feature selection Zuzana Reitermanová Department of Computer Science Faculty of Mathematics and Physics Charles University in Prague, Czech Republic Diplomový a doktorandský
More informationThe Davies-Murphy Power Attack. Sébastien Kunz-Jacques Frédéric Muller Frédéric Valette DCSSI Crypto Lab
The Davies-Murphy Power Attack Sébastien Kunz-Jacques Frédéric Muller Frédéric Valette DCSSI Crypto Lab Introduction Two approaches for attacking crypto devices traditional cryptanalysis Side Channel Attacks
More informationARELAY network consists of a pair of source and destination
158 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL 55, NO 1, JANUARY 2009 Parity Forwarding for Multiple-Relay Networks Peyman Razaghi, Student Member, IEEE, Wei Yu, Senior Member, IEEE Abstract This paper
More informationAnalysis and Improvements of the DPA Contest v4 Implementation
Analysis and Improvements of the DPA Contest v4 Implementation Shivam BHASIN 1, Nicolas BRUNEAU 1,2, Jean-Luc DANGER 1,3, Sylvain GUILLEY 1,3 and Zakaria NAJM 1 1 TELECOM-ParisTech, Crypto Group, Paris,
More informationSecond-Order Power Analysis Attacks against Precomputation based Masking Countermeasure
, pp.259-270 http://dx.doi.org/10.14257/ijsh.2016.10.3.25 Second-Order Power Analysis Attacks against Precomputation based Masking Countermeasure Weijian Li 1 and Haibo Yi 2 1 School of Computer Science,
More informationAdvanced Cryptography 1st Semester Symmetric Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 22th 2007 1 / 58 Last Time (I) Security Notions Cyclic Groups Hard Problems One-way IND-CPA,
More informationOn the Simplicity of Converting Leakages from Multivariate to Univariate
On the Simplicity of Converting Leakages from Multivariate to Univariate 21. Aug. 2013, Oliver Mischke Embedded Security Group + Hardware Security Group Ruhr University Bochum, Germany Outline Definitions,
More informationHomework. Gaussian, Bishop 2.3 Non-parametric, Bishop 2.5 Linear regression Pod-cast lecture on-line. Next lectures:
Homework Gaussian, Bishop 2.3 Non-parametric, Bishop 2.5 Linear regression 3.0-3.2 Pod-cast lecture on-line Next lectures: I posted a rough plan. It is flexible though so please come with suggestions Bayes
More informationEvolutionary computation in cryptography and security
Evolutionary computation in cryptography and security SoSySec seminar: Artificial Intelligence and Security Rennes, 25.4.2017. Domagoj Jakobović (jakobovic@computer.org) FER, University of Zagreb http://gp.zemris.fer.hr
More informationDetection of Man-made Structures in Natural Images
Detection of Man-made Structures in Natural Images Tim Rees December 17, 2004 Abstract Object detection in images is a very active research topic in many disciplines. Probabilistic methods have been applied
More informationCorrelated Power Noise Generator as a Low Cost DPA Countermeasures to Secure Hardware AES Cipher
Correlated Power Noise Generator as a Low Cost DPA Countermeasures to Secure Hardware AES Cipher Najeh Kamoun 1, Lilian Bossuet 2, and Adel Ghazel 1 1 CIRTA COM, SUP COM 2 IMS, University of Bordeaux Tunis,
More informationA machine learning approach against a masked AES
J Cryptogr Eng (215) 5: 139 DOI 1.17/s13389-14-89-3 REGULAR PAPER A machine learning approach against a masked AES Reaching the limit of side-channel attacks with a learning model Liran Lerman Gianluca
More informationA systematic approach to eliminating the vulnerabilities in smart cards evaluation
A systematic approach to eliminating the vulnerabilities in smart cards evaluation Hongsong Shi, Jinping Gao, Chongbing Zhang hongsongshi@gmail.com China Information Technology Security Evaluation Center
More informationW[1]-hardness. Dániel Marx 1. Hungarian Academy of Sciences (MTA SZTAKI) Budapest, Hungary
W[1]-hardness Dániel Marx 1 1 Institute for Computer Science and Control, Hungarian Academy of Sciences (MTA SZTAKI) Budapest, Hungary School on Parameterized Algorithms and Complexity Będlewo, Poland
More informationCS242: Probabilistic Graphical Models Lecture 3: Factor Graphs & Variable Elimination
CS242: Probabilistic Graphical Models Lecture 3: Factor Graphs & Variable Elimination Instructor: Erik Sudderth Brown University Computer Science September 11, 2014 Some figures and materials courtesy
More informationComputer Vision Group Prof. Daniel Cremers. 4. Probabilistic Graphical Models Directed Models
Prof. Daniel Cremers 4. Probabilistic Graphical Models Directed Models The Bayes Filter (Rep.) (Bayes) (Markov) (Tot. prob.) (Markov) (Markov) 2 Graphical Representation (Rep.) We can describe the overall
More informationA first-order chosen-plaintext DPA attack on the third round of DES
A first-order chosen-plaintext DPA attack on the third round of DES Oscar Reparaz 1,2 and Benedikt Gierlichs 1 firstname.lastname@esat.kuleuven.be 1 KU Leuven, imec-cosic, Belgium 2 Square, Inc. Abstract.
More informationAuxiliary Variational Information Maximization for Dimensionality Reduction
Auxiliary Variational Information Maximization for Dimensionality Reduction Felix Agakov 1 and David Barber 2 1 University of Edinburgh, 5 Forrest Hill, EH1 2QL Edinburgh, UK felixa@inf.ed.ac.uk, www.anc.ed.ac.uk
More informationBreaking Korea Transit Card with Side-Channel Attack
Breaking Korea Transit Card with Side-Channel Attack -Unauthorized Recharging- Black Hat Asia 2017 Tae Won Kim, Tae Hyun Kim, and Seokhie Hong Outline 1. Attack Goal & Scenario 2. Target Device Details
More informationA Patent Retrieval Method Using a Hierarchy of Clusters at TUT
A Patent Retrieval Method Using a Hierarchy of Clusters at TUT Hironori Doi Yohei Seki Masaki Aono Toyohashi University of Technology 1-1 Hibarigaoka, Tenpaku-cho, Toyohashi-shi, Aichi 441-8580, Japan
More informationDifferential Fault Analysis on the AES Key Schedule
ifferential Fault Analysis on the AES Key Schedule Junko TAKAHASHI and Toshinori FUKUNAGA NTT Information Sharing Platform Laboratories, Nippon Telegraph and Telephone Corporation, {takahashi.junko, fukunaga.toshinori}@lab.ntt.co.jp
More informationMachine Learning (CSE 446): Concepts & the i.i.d. Supervised Learning Paradigm
Machine Learning (CSE 446): Concepts & the i.i.d. Supervised Learning Paradigm Sham M Kakade c 2018 University of Washington cse446-staff@cs.washington.edu 1 / 17 Review 1 / 17 Decision Tree: Making a
More informationFeature Selection for Image Retrieval and Object Recognition
Feature Selection for Image Retrieval and Object Recognition Nuno Vasconcelos et al. Statistical Visual Computing Lab ECE, UCSD Presented by Dashan Gao Scalable Discriminant Feature Selection for Image
More informationECSE-626 Project: An Adaptive Color-Based Particle Filter
ECSE-626 Project: An Adaptive Color-Based Particle Filter Fabian Kaelin McGill University Montreal, Canada fabian.kaelin@mail.mcgill.ca Abstract The goal of this project was to discuss and implement a
More informationThe Basics of Graphical Models
The Basics of Graphical Models David M. Blei Columbia University September 30, 2016 1 Introduction (These notes follow Chapter 2 of An Introduction to Probabilistic Graphical Models by Michael Jordan.
More informationIntroduction to Image Super-resolution. Presenter: Kevin Su
Introduction to Image Super-resolution Presenter: Kevin Su References 1. S.C. Park, M.K. Park, and M.G. KANG, Super-Resolution Image Reconstruction: A Technical Overview, IEEE Signal Processing Magazine,
More informationA Related-Key Attack on TREYFER
The Second International Conference on Emerging Security Information, Systems and Technologies A Related-ey Attack on TREYFER Aleksandar ircanski and Amr M Youssef Computer Security Laboratory Concordia
More informationProbability Model for 2 RV s
Probability Model for 2 RV s The joint probability mass function of X and Y is P X,Y (x, y) = P [X = x, Y= y] Joint PMF is a rule that for any x and y, gives the probability that X = x and Y= y. 3 Example:
More informationLevel-set MCMC Curve Sampling and Geometric Conditional Simulation
Level-set MCMC Curve Sampling and Geometric Conditional Simulation Ayres Fan John W. Fisher III Alan S. Willsky February 16, 2007 Outline 1. Overview 2. Curve evolution 3. Markov chain Monte Carlo 4. Curve
More informationPerception Viewed as an Inverse Problem
Perception Viewed as an Inverse Problem Fechnerian Causal Chain of Events - an evaluation Fechner s study of outer psychophysics assumes that the percept is a result of a causal chain of events: Distal
More informationFault Attacks on AES with Faulty Ciphertexts Only
Fault Attacks on AES with Faulty Ciphertexts Only Thomas Fuhr, Eliane Jaulmes, Victor Lomné and Adrian Thillard ANSSI 51, Bd de la Tour-Maubourg, 75700 Paris 07 SP, France firstname.lastname@ssi.gouv.fr
More informationRSA. Public Key CryptoSystem
RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting
More informationBME I5000: Biomedical Imaging
1 Lucas Parra, CCNY BME I5000: Biomedical Imaging Lecture 11 Point Spread Function, Inverse Filtering, Wiener Filtering, Sharpening,... Lucas C. Parra, parra@ccny.cuny.edu Blackboard: http://cityonline.ccny.cuny.edu/
More informationNetwork Security. Random Number Generation. Chapter 6. Network Security (WS 2003): 06 Random Number Generation 1 Dr.-Ing G.
Network Security Chapter 6 Random Number Generation Network Security (WS 2003): 06 Random Number Generation 1 Tasks of Key Management (1) Generation: It is crucial to security, that keys are generated
More informationRandomized Algorithms Part Four
Randomized Algorithms Part Four Announcements Problem Set Three due right now. Due Wednesday using a late day. Problem Set Four out, due next Monday, July 29. Play around with randomized algorithms! Approximate
More informationRandomized Algorithms Part Four
Randomized Algorithms Part Four Announcements Problem Set Three due right now. Due Wednesday using a late day. Problem Set Four out, due next Monday, July 29. Play around with randomized algorithms! Approximate
More information[Ch 6] Set Theory. 1. Basic Concepts and Definitions. 400 lecture note #4. 1) Basics
400 lecture note #4 [Ch 6] Set Theory 1. Basic Concepts and Definitions 1) Basics Element: ; A is a set consisting of elements x which is in a/another set S such that P(x) is true. Empty set: notated {
More informationLecture 8: Cryptography in the presence of local/public randomness
Randomness in Cryptography Febuary 25, 2013 Lecture 8: Cryptography in the presence of local/public randomness Lecturer: Yevgeniy Dodis Scribe: Hamidreza Jahanjou So far we have only considered weak randomness
More informationCPS2323. Symmetric Ciphers: Stream Ciphers
Symmetric Ciphers: Stream Ciphers Content Stream and Block Ciphers True Random (Stream) Generators, Perfectly Secure Ciphers and the One Time Pad Cryptographically Strong Pseudo Random Generators: Practical
More informationPARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE
PARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE Raghavan Kumar, University of Massachusetts Amherst Contributions by: Philipp Jovanovic, University of Passau Wayne P. Burleson, University
More informationSpread: a new layer for profiled deep-learning side-channel attacks
Spread: a new layer for profiled deep-learning side-channel attacks Christophe Pfeifer 1,2 and Patrick Haddad 3 1 Karlsruhe Institute of Technology, Karlsruhe, Germany 2 Grenoble INP - Ensimag, Grenoble,
More informationJoint probability distributions
Joint probability distributions Let X and Y be two discrete rv s defined on the sample space S. The joint probability mass function p(x, y) is p(x, y) = P(X = x, Y = y). Note p(x, y) and x y p(x, y) =
More informationChapter 6 Random Number Generation
Chapter 6 Random Number Generation Requirements / application Pseudo-random bit generator Hardware and software solutions [NetSec/SysSec], WS 2007/2008 6.1 Requirements and Application Scenarios Security
More informationA physical level perspective
UMass CS 660 Advanced Information Assurance Spring 2011Guest Lecture Side Channel Analysis A physical level perspective Lang Lin Who am I 5 th year PhD candidate in ECE Advisor: Professor Wayne Burleson
More informationDigital Image Processing Laboratory: Markov Random Fields and MAP Image Segmentation
Purdue University: Digital Image Processing Laboratories Digital Image Processing Laboratory: Markov Random Fields and MAP Image Segmentation December, 205 Introduction This laboratory explores the use
More informationIntroduction to Trajectory Clustering. By YONGLI ZHANG
Introduction to Trajectory Clustering By YONGLI ZHANG Outline 1. Problem Definition 2. Clustering Methods for Trajectory data 3. Model-based Trajectory Clustering 4. Applications 5. Conclusions 1 Problem
More informationA Linear Approximation Based Method for Noise-Robust and Illumination-Invariant Image Change Detection
A Linear Approximation Based Method for Noise-Robust and Illumination-Invariant Image Change Detection Bin Gao 2, Tie-Yan Liu 1, Qian-Sheng Cheng 2, and Wei-Ying Ma 1 1 Microsoft Research Asia, No.49 Zhichun
More information