Gaussian Mixture Models for Higher-Order Side Channel Analysis

Lemke‐Rust, Kerstin; Paar, Christof

doi:10.1007/978-3-540-74735-2_2

Cited by 40 publications

(18 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…More precisely, the adversary owns an estimation of the pdf l → P [L = l|S = s] for every s ∈ S. In practice, this estimation is obtained through a profiling phase on a physical implementation identical to the targeted one (except the secret key) and that is under the attacker control (see for instance [2,6,14,19]). The attack consists in estimating the likelihood of a key guess k, i.e.…”

Section: Descriptionmentioning

confidence: 99%

On the Exact Success Rate of Side Channel Analysis in the Gaussian Model

Rivain

2009

Selected Areas in Cryptography

View full text Add to dashboard Cite

Abstract. Nowadays, Side Channel Analysis is one of the most powerful cryptanalytic technique against cryptosystems embedded in portable devices such as smart cards. Faced with this threat, it is of crucial importance to precisely determine what is achievable by a given side channel adversary against a cryptosystem producing a given side channel leakage. This can be answered by evaluating the success rate of an attack according to the adversary capacities and to the leakage properties.In this paper, we investigate the issue of evaluating the success rate of side channel analysis in the widely admitted Gaussian leakage model. We introduce a new approach that allows us to efficiently compute the success rate of an attack in this model and we apply it to the two main families of side channel analysis: differential side channel analysis and profiling side channel analysis.

show abstract

Section: Descriptionmentioning

confidence: 99%

On the Exact Success Rate of Side Channel Analysis in the Gaussian Model

Rivain

2009

Selected Areas in Cryptography

View full text Add to dashboard Cite

show abstract

“…In [4,18], this work is extended by considering PCA. Lemke-Rust and Paar [16] propose a profiled multi-execution attack against masked implementations of symmetric algorithms using the expectationmaximization clustering algorithm and a training set for the estimation of the clusters. In a profiled setting, they estimate mixture densities of clusters for known key values and unknown mask values using multiple executions.…”

Section: Related Workmentioning

confidence: 99%

Clustering Algorithms for Non-profiled Single-Execution Attacks on Exponentiations

Heyszl

Ibing

Mangard

et al. 2014

Smart Card Research and Advanced Applications

View full text Add to dashboard Cite

Abstract. Most implementations of public key cryptography employ exponentiation algorithms. Side-channel attacks on secret exponents are typically bound to the leakage of single executions due to cryptographic protocols or side-channel countermeasures such as blinding. We propose for the first time, to use a well-established class of algorithms, i.e. unsupervised cluster classification algorithms such as the k-means algorithm to attack cryptographic exponentiations and recover secret exponents without any prior profiling, manual tuning or leakage models. Not requiring profiling is of significant advantage to attackers, as are well-established algorithms. The proposed non-profiled single-execution attack is able to exploit any available single-execution leakage and provides a straight-forward option to combine simultaneous measurements to increase the available leakage. We present empirical results from attacking an FPGA-based elliptic curve scalar multiplication using the kmeans clustering algorithm and successfully exploit location-based leakage from high-resolution electromagnetic field measurements to achieve a low remaining brute-force complexity of the secret exponent. A simulated multi-channel measurement even enables an error-free recovery of the exponent.

show abstract

“…Our work is also related to Mutual Information Analysis (MIA) [12] in that both approaches can succeed without but benefit from a good power model. Also related to our work is the use of Gaussian mixture models for masked implementations [16]. In this work parameters of different Gaussian components that best fit to the observed mixed multivariate side-channel leakage are estimated without knowing the masks.…”

Section: Introductionmentioning

confidence: 99%

Differential Cluster Analysis

Batina

Gierlichs

Lemke‐Rust

2009

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. We propose a new technique called Differential Cluster Analysis for side-channel key recovery attacks. This technique uses cluster analysis to detect internal collisions and it combines features from previously known collision attacks and Differential Power Analysis. It captures more general leakage features and can be applied to algorithmic collisions as well as implementation specific collisions. In addition, the concept is inherently multivariate. Various applications of the approach are possible: with and without power consumption model and single as well as multi-bit leakage can be exploited. Our findings are confirmed by practical results on two platforms: an AVR microcontroller with implemented DES algorithm and an AES hardware module. To our best knowledge, this is the first work demonstrating the feasibility of internal collision attacks on highly parallel hardware platforms. Furthermore, we present a new attack strategy for the targeted AES hardware module.

show abstract

Gaussian Mixture Models for Higher-Order Side Channel Analysis

Cited by 40 publications

References 21 publications

On the Exact Success Rate of Side Channel Analysis in the Gaussian Model

On the Exact Success Rate of Side Channel Analysis in the Gaussian Model

Clustering Algorithms for Non-profiled Single-Execution Attacks on Exponentiations

Differential Cluster Analysis

Contact Info

Product

Resources

About