Mutual Information Analysis: How, When and Why?

Size: px

Start display at page:

Download "Mutual Information Analysis: How, When and Why?"

Vivien Chandler
7 years ago
Views:

1 Mutual Information Analysis: How, When and Why? Nicolas Veyrat-Charvillon and François-Xavier Standaert Crypto Group Université catholique de Louvain CHES 09, September 3rd 2009

2 Side-channel analysis j Adversary predict V j,p model X j,p P D j j s? compute V s,p leak Y k,p k Device

3 Classical attacks Classical solutions in non profiled SCA: Kocher s original DPA, at Crypto 1999 Correlation attacks, at CHES 2004

4 So, what to do? X 0 = y 0 y 1 y 3 y 7 y y 2 y 5 y y 4 y 6 y 13 y 8 y 9 y y y X 1 = y 7 y 0 y 1 y 5 y 6... y 2 y 3 y 8... y 13 y 4 y 10 y 15 y 9 y y y 14...

5 Pearson s correlation coefficient Measure of linear dependence between r.v. s X and Y. ρ(x, Y ) = cov(x, Y ) σ X σ Y = E[XY ] E[X ] E[Y ] σ x σ Y.

6 Pearson s correlation coefficient Measure of linear dependence between r.v. s X and Y. ρ(x, Y ) = cov(x, Y ) σ X σ Y = E[XY ] E[X ] E[Y ] σ x σ Y.

7 Pearson s correlation coefficient Measure of linear dependence between r.v. s X and Y. ρ(x, Y ) = cov(x, Y ) σ X σ Y = E[XY ] E[X ] E[Y ] σ x σ Y.

8 So, what to do? Pr [Y = y] x = 0 x = 1 x = 2 x = 3 x = 4 Pr [Y = y, X = x] Pr [Y = y, X = x] X 0 = y 0 y 1 y 3 y 7 y y 2 y 5 y y 4 y 6 y 13 y 8 y 9 y y y y X 1 = y 7 y 0 y 1 y 5 y 6... y 2 y 3 y 8... y 13 y 4 y 10 y 15 y 9 y y y y

9 So, what to do? 1 Estimate the probability density of the leakages 2 Test for a dependence between X and Y

10 Mutual information Analysis Introduced at CHES 2008 by Gierlichs & al. Aims at genericity: as little assumptions as possible about the leakage H [X, Y ] y H [X Y ] I (X ; Y ) H [Y X ]

11 How to use MIA: the information theoretic toolbox Outline 1 How to use MIA: the information theoretic toolbox 2 When to use it: MIA versus correlation 3 Why to use it: MIA as an evaluation metric

12 How to use MIA: the information theoretic toolbox 1 Estimation: Non-parametric methods y y

13 How to use MIA: the information theoretic toolbox 1 Estimation: Non-parametric methods y y Well, non-parametric... bin width and bandwidth to choose

14 How to use MIA: the information theoretic toolbox Information theoretic definitions Shannon s entropy, a measure of information H [X ] = x X Pr [X = x] log (Pr [X = x]) Mutual information, a general measure of dependence I (X ; Y ) = Pr [X = x, Y = y] x X,y Y log ( Pr [X = x, Y = y] ) Pr [X = x] Pr [Y = y]

15 How to use MIA: the information theoretic toolbox Information theoretic definitions H [X, Y ] H [X ] H [Y ] H [X Y ] I (X ; Y ) H [Y X ] Information diagram

16 How to use MIA: the information theoretic toolbox 2 Test: Kullback-Leibler divergence D KL (P Q) = z Z Pr [Z = z, Z P] log Relation to mutual information: Pr [Z = z, Z P] Pr [Z = z, Z Q] I (X ; Y ) = D KL (Pr [X, Y ] Pr [X ] Pr [Y ]) = E x X (D KL (Pr [Y X = x] Pr [Y ]))

17 How to use MIA: the information theoretic toolbox 2 Test: F-divergences I f (P, Q) = z Z Pr [Z = z, Z Q] f ( ) Pr [Z = z, Z P] Pr [Z = z, Z Q] Different parameter functions f give different measures: Kullback-Leibler divergence f (t) = t log t Inverse Kullback-Leibler f (t) = log t Pearson χ 2 divergence f (t) = (t 1) 2 Hellinger distance f (t) = 1 t Total variation f (t) = t 1

18 How to use MIA: the information theoretic toolbox 1&2: Implicit pdf estimation Empirical cumulative function: F (x t ) = 1 n n χ xi x t, where χ xi x t = i=1 { 1 if xi x t 0 otherwise. Two sample Kolmogorov-Smirnov test D KS (P Q) = sup x t F P (x t ) F Q (x t ) Two sample Cramér-von-Mises test D CvM (P Q) = + (F P (x t ) F Q (x t )) 2 dx t

19 How to use MIA: the information theoretic toolbox Experimental results 1 success rate correlation histogram MIA Kernel MIA (D KL ) Kernel χ Kernel Hellinger Kolmogorov-Smirnov 0.2 KS normalized Cramér-von-Mises messages Success rate of different distinguishers

20 How to use MIA: the information theoretic toolbox Experimental results 1 success rate correlation histogram MIA Kernel MIA (D KL ) Kernel χ Kernel Hellinger Kolmogorov-Smirnov 0.2 KS normalized Cramér-von-Mises messages Success rate of different distinguishers

21 How to use MIA: the information theoretic toolbox Experimental results 1 success rate correlation histogram MIA Kernel MIA (D KL ) Kernel χ Kernel Hellinger Kolmogorov-Smirnov 0.2 KS normalized Cramér-von-Mises messages Success rate of different distinguishers

22 How to use MIA: the information theoretic toolbox Experimental results 1 success rate correlation histogram MIA Kernel MIA (D KL ) Kernel χ Kernel Hellinger Kolmogorov-Smirnov 0.2 KS normalized Cramér-von-Mises messages Success rate of different distinguishers

23 How to use MIA: the information theoretic toolbox Experimental results 1 success rate correlation histogram MIA Kernel MIA (D KL ) Kernel χ Kernel Hellinger Kolmogorov-Smirnov 0.2 KS normalized Cramér-von-Mises messages Success rate of different distinguishers

24 How to use MIA: the information theoretic toolbox Experimental results 1 success rate correlation histogram MIA Kernel MIA (D KL ) Kernel χ Kernel Hellinger Kolmogorov-Smirnov 0.2 KS normalized Cramér-von-Mises messages Success rate of different distinguishers

25 When to use it: MIA versus correlation Outline 1 How to use MIA: the information theoretic toolbox 2 When to use it: MIA versus correlation 3 Why to use it: MIA as an evaluation metric

26 When to use it: MIA versus correlation An example: leaky bit on a data bus a 1 a 2 a 3 a 4 Data bus Pr [Y = y] x = 0 x = 1 x = 2 x = 3 x = 4 Pr [Y = y, X = x] y Effect of a leaky bit on the pdfs

27 When to use it: MIA versus correlation An example: leaky bit on a data bus a 1 a 2 a 3 a 4 Data bus Pr [Y = y] x = 0 x = 1 x = 2 x = 3 x = 4 Pr [Y = y, X = x] y Effect of a leaky bit on the pdfs

28 When to use it: MIA versus correlation An example: leaky bit on a data bus a 1 a 2 a 3 a 4 Data bus Pr [Y = y] x = 0 x = 1 x = 2 x = 3 x = 4 Pr [Y = y, X = x] y Effect of a leaky bit on the pdfs

29 When to use it: MIA versus correlation An example: leaky bit on a data bus messages a messages a 1 messages Correlation Kernel MIA (D KL ) KS normalized Weight of the first leaking bit vs number of messages for a success rate of 50% (left), 75% (middle) and 90% (right) a 1

30 When to use it: MIA versus correlation Limitations MIA is not the only way to go here: DPA would work! What about: protected logics masking scheme More resilient to erroneous leakage models But not immune, requires I (X g ; Y ) > I (X w ; Y )

31 Why to use it: MIA as an evaluation metric Outline 1 How to use MIA: the information theoretic toolbox 2 When to use it: MIA versus correlation 3 Why to use it: MIA as an evaluation metric

32 Why to use it: MIA as an evaluation metric MIA versus Mutual Information Metric Eurocrypt 2009:

33 Why to use it: MIA as an evaluation metric MIA is not MIM More precisely: 1 MIA: Î (X ; Y ) / MIM: I (K; Y ) 2 MIM directly targets the key dependencies 3 MIA requires an intermediate variable 4 MIM approximates I (K; Y ) with templates 5 MIA estimates Î (X ; Y ) on-the-fly If the leakage model used by the adversary is not perfect, MIA will underestimate the leakage: I (K; Y ) > Î (X ; Y )

34 Why to use it: MIA as an evaluation metric Summarizing MIA is a toolbox MIA is more resilient to erroneous leakage models MIA and MIM are two complementary tools with different purpose: generic adversary and generic evaluation tool

35 Conclusion Any Questions?

36 Conclusion T. W. Anderson. On the distribution of the two-sample cramér-von mises criterion. The Annals of Mathematical Statistics, 33 (3) : , Sébastien Aumonier. Generalized correlation power analysis. In Ecrypt Workshop on Tools For Cryptanalysis. Krakòw, Poland, September E. Brier, C. Clavier, F. Olivier. Correlation power analysis with a leakage model. In CHES 2004, LNCS, vol 3156, pp 16-29, Boston, MA, USA, August T.M. Cover, J.A. Thomas. Elements of Information Theory. Wiley, 1991.

37 Conclusion Imre Csiszár and Paul C. Shields. Information theory and statistics: a tutorial. Commun. Inf. Theory, vol 1, num 4, pp , DPA Contest 2008/2009, B. Gierlichs, L. Batina, P. Tuyls, B. Preneel. Mutual information analysis. In CHES 2008, LNCS, vol 5154, pp , Washington DC, USA, August P. Kocher, J. Jaffe, B. Jun, Differential power analysis. In Crypto 1999, LNCS, vol 1666, pp , Santa-Barbara, CA, USA, August Emmanuel Prouff and Matthieu Rivain. Theoretical and practical aspects of mutual information based side channel analysis.

38 Conclusion To appear in ACNS, Applied Cryptography and Network Security, LNCS, Paris, June Francois-Xavier Standaert, Tal G. Malkin, and Moti Yung. A unified framework for the analysis of side-channel key recovery attacks (extended version). Cryptology eprint Archive, Report 2006/139,

Physical Security: Status and Outlook

Physical Security: Status and Outlook ECRYPT II: Crypto for 2020 January 22-24, Tenerife, Spain Stefan Tillich Ideal World P C 2 Real World P C, C,errC 3 Implementation Attacks First publication ~ 16 years