
2014 | Original Paper | Book chapter

Efficient Template Attacks

Authors: Omar Choudary, Markus G. Kuhn

Published in: Smart Card Research and Advanced Applications

Publisher: Springer International Publishing


Abstract

Template attacks remain a powerful side-channel technique to eavesdrop on tamper-resistant hardware. They model the probability distribution of leaking signals and noise to guide a search for secret data values. In practice, several numerical obstacles can arise when implementing such attacks with multivariate normal distributions. We propose efficient methods to avoid these. We also demonstrate how to achieve significant performance improvements, both in terms of information extracted and computational cost, by pooling covariance estimates across all data values. We provide a detailed and systematic overview of many different options for implementing such attacks. Our experimental evaluation of all these methods based on measuring the supply current of a byte-load instruction executed in an unprotected 8-bit microcontroller leads to practical guidance for choosing an attack algorithm.

Footnotes
1
Throughout this paper \({{\mathbf {x}}}'\) is the transpose of \({\mathbf {x}}\).
 
2
Others [8, 11, 14] use \(1/n_{\mathrm {p}}\) rather than \(1/(n_{\mathrm {p}}-1)\) in \(\mathbf {S}_{k}\), thereby computing the maximum likelihood estimator (MLE) of \(\mathbf {\Sigma }_{k}\). In theory, the correct estimator for \(\mathbf {\Sigma }_{k}\) is the unbiased estimator with \(1/(n_{\mathrm {p}}-1)\); the MLE merely maximises the joint likelihood from the multivariate normal distribution. In practice, we found this choice made no significant performance difference (even down to \(n_{\mathrm {p}}=10, m=6\)).
 
3
The matrix form allows the use of fast, vectorized linear-algebra routines.
 
4
Archambeau et al. [8] show a method for computing \({\mathbf {U}}\) that is more efficient when \({m}^{\mathrm {\text {r}}}\gg |{\mathcal {S}}|\), but in our experiments with \({m}^{\mathrm {\text {r}}}=2500\) this direct approach worked well.
 
5
In our experiments, for \(f=0.95\) and \(n_{\mathrm {p}}<1000\) this method retained the \(m=4\) largest components, which correspond to the same components that we had selected using the elbow rule. However, when \(n_{\mathrm {p}}>1000\) the number of components needed for \(f \ge 0.95\) decreased to \(m<4\), which led to worse results of the template attack.
 
6
There is a maximum of \(s=\mathrm {min}({m}^{\mathrm {r}}, |{\mathcal {S}}|-1)\) non-zero eigenvectors, as that is the maximum number of independent linear combinations available in \({\mathbf {B}}\).
 
7
Instead of \(\mathbf {S}_{\mathrm {pooled}}\) we could use \({\mathbf {W}}=|{\mathcal {S}}|(n_{\mathrm {p}}-1)\mathbf {S}_{\mathrm {pooled}}\), known as a sample within groups matrix.
 
8
Note that a pdf, such as \(\mathrm {f}\) from (3), unlike a probability, can be either larger or smaller than 1, and therefore its logarithm can be either positive or negative.
 
9
MATLAB, single core CPU with 3794 MIPS.
 
10
We arbitrarily chose to use the DOM estimate, computed as the sum of absolute differences between the mean vectors. Using SNR instead of DOM as the signal strength estimate \({\mathbf {s}}(t)\) has provided very similar results, omitted due to lack of space.
 
11
The selections 1ppc, 3ppc and 20ppc provide a variable number of samples because of the additional restriction that the selected samples must be above the highest 95th percentile of \({\mathrm {F}}(t)\), which varies with \(n_{\mathrm {p}}\) for each clock edge.
 
12
A similar approach was used by Standaert and Archambeau [11] and Oswald and Paar [16] to report results of template attacks on (part of) the key loading stage of a block cipher.
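The estimators named in footnotes 2, 7 and 10, worked through on constructed toy traces: the per-class covariance \(\mathbf {S}_{k}\) with either the unbiased \(1/(n_{\mathrm {p}}-1)\) or the MLE \(1/n_{\mathrm {p}}\) factor, the pooled estimate \(\mathbf {S}_{\mathrm {pooled}}\) as the average of the \(\mathbf {S}_{k}\) over all data values, the within-groups matrix \({\mathbf {W}}=|{\mathcal {S}}|(n_{\mathrm {p}}-1)\mathbf {S}_{\mathrm {pooled}}\), and the DOM signal-strength estimate as a sum of absolute mean differences. This is an added example, not code from the paper: the three data values, the trace values, and the convention of summing the DOM over unordered pairs of data values are assumptions of this example, and it uses pure Python so it runs offline.

```python
"""Pooled covariance estimation for a template-style leakage model.

Added example, not code from the paper. It implements the estimators
described in the footnotes on a constructed toy data set.
"""
from itertools import combinations
from typing import Dict, List

Trace = List[float]
Matrix = List[List[float]]

# Constructed toy leakage (not measurements from the paper): three data
# values k, n_p = 4 traces each, m = 2 sample points per trace.
TOY_TRACES: Dict[int, List[Trace]] = {
    0: [[0.0, 0.0], [2.0, 0.0], [0.0, 2.0], [2.0, 2.0]],
    1: [[3.0, 1.0], [5.0, 1.0], [3.0, 3.0], [5.0, 5.0]],
    2: [[1.0, 5.0], [3.0, 5.0], [1.0, 7.0], [3.0, 7.0]],
}


def mean_vector(traces: List[Trace]) -> Trace:
    """Sample mean of the traces for one data value (the template mean)."""
    m = len(traces[0])
    return [sum(t[i] for t in traces) / len(traces) for i in range(m)]


def class_covariance(traces: List[Trace], unbiased: bool = True) -> Matrix:
    """S_k for one data value: unbiased (1/(n_p-1)) or MLE (1/n_p) estimator."""
    n_p = len(traces)
    if n_p < 2:
        raise ValueError("need at least two traces per data value")
    mu = mean_vector(traces)
    m = len(mu)
    denom = (n_p - 1) if unbiased else n_p
    cov = [[0.0] * m for _ in range(m)]
    for t in traces:
        d = [t[i] - mu[i] for i in range(m)]
        for i in range(m):
            for j in range(m):
                cov[i][j] += d[i] * d[j] / denom
    return cov


def pooled_covariance(groups: Dict[int, List[Trace]], unbiased: bool = True) -> Matrix:
    """S_pooled: average of S_k over all data values (equal n_p per value, as in the paper)."""
    sizes = {len(tr) for tr in groups.values()}
    if len(sizes) != 1:
        raise ValueError("pooling here assumes the same n_p for every data value")
    covs = [class_covariance(tr, unbiased) for tr in groups.values()]
    m = len(covs[0])
    return [[sum(c[i][j] for c in covs) / len(covs) for j in range(m)] for i in range(m)]


def within_groups_matrix(groups: Dict[int, List[Trace]]) -> Matrix:
    """W = |S| (n_p - 1) S_pooled, which equals the summed centred scatter of all classes."""
    n_p = len(next(iter(groups.values())))
    scale = len(groups) * (n_p - 1)
    return [[scale * v for v in row] for row in pooled_covariance(groups, unbiased=True)]


def dom_estimate(groups: Dict[int, List[Trace]]) -> Trace:
    """DOM signal-strength estimate s(t): sum of |mean_a(t) - mean_b(t)| over
    all unordered pairs (a, b) of data values. The pair convention is this
    example's assumption."""
    means = [mean_vector(tr) for tr in groups.values()]
    m = len(means[0])
    s = [0.0] * m
    for a, b in combinations(means, 2):
        for t in range(m):
            s[t] += abs(a[t] - b[t])
    return s


if __name__ == "__main__":
    for k, tr in TOY_TRACES.items():
        print(f"S_{k} unbiased:", class_covariance(tr))
        print(f"S_{k} MLE:     ", class_covariance(tr, unbiased=False))
    print("S_pooled:", pooled_covariance(TOY_TRACES))
    print("W:       ", within_groups_matrix(TOY_TRACES))
    print("DOM s(t):", dom_estimate(TOY_TRACES))
```

With only four traces per value, the unbiased and MLE estimates of each \(\mathbf {S}_{k}\) differ by the factor \(4/3\); the pooled estimate averages the three per-class matrices, so a class whose own covariance is poorly estimated (class 1 here has a non-zero off-diagonal term the other two lack) is smoothed toward the common estimate, which is the effect the abstract attributes to pooling.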
 
References
1.
Mahalanobis, P.C.: On the generalised distance in statistics. In: Proceedings National Institute of Science, India, vol. 2, pp. 49–55 (1936)
2.
Fisher, R.A.: The statistical utilization of multiple measurements. Ann. Eugen. 8, 376–386 (1938)
3.
Box, G.E.P.: Problems in the analysis of growth and wear curves. Biometrics 6, 362–389 (1950)
4.
Chari, S., Rao, J., Rohatgi, P.: Template attacks. In: Kaliski Jr, B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 51–62. Springer, Heidelberg (2003)
5.
Ledoit, O., Wolf, M.: A well-conditioned estimator for large-dimensional covariance matrices. J. Multivar. Anal. 88, 365–411 (2004)
6.
Jolliffe, I.: Principal Component Analysis. Wiley, Chichester (2005)
7.
Rechberger, C., Oswald, E.: Practical template attacks. In: Lim, C.H., Yung, M. (eds.) WISA 2004. LNCS, vol. 3325, pp. 440–456. Springer, Heidelberg (2005)
8.
Archambeau, C., Peeters, E., Standaert, F.-X., Quisquater, J.-J.: Template attacks in principal subspaces. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 1–14. Springer, Heidelberg (2006)
9.
Gierlichs, B., Lemke-Rust, K., Paar, C.: Templates vs. stochastic methods. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 15–29. Springer, Heidelberg (2006)
10.
Johnson, R., Wichern, D.: Applied Multivariate Statistical Analysis, 6th edn. Pearson, Upper Saddle River (2007)
11.
Standaert, F.-X., Archambeau, C.: Using subspace-based template attacks to compare and combine power and electromagnetic information leakages. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 411–425. Springer, Heidelberg (2008)
12.
Batina, L., Gierlichs, B., Lemke-Rust, K.: Comparative evaluation of rank correlation based DPA on an AES prototype chip. In: Wu, T.-C., Lei, C.-L., Rijmen, V., Lee, D.-T. (eds.) ISC 2008. LNCS, vol. 5222, pp. 341–354. Springer, Heidelberg (2008)
13.
Standaert, F.-X., Malkin, T.G., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 443–461. Springer, Heidelberg (2009)
14.
Eisenbarth, T., Paar, C., Weghenkel, B.: Building a side channel based disassembler. Trans. Comput. Sci. X 6340, 78–99 (2010)
15.
Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards, 1st edn. Springer, Heidelberg (2010)
16.
Oswald, D., Paar, C.: Breaking Mifare DESFire MF3ICD40: power analysis and templates in the real world. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 207–222. Springer, Heidelberg (2011)
Metadata
Title
Efficient Template Attacks
Authors
Omar Choudary
Markus G. Kuhn
Copyright year
2014
DOI
https://doi.org/10.1007/978-3-319-08302-5_17
