Conexión de la red (5)

estimated from a set of profiling traces_Lp: modelˆ Lp. Second, a set of

test traces_Lt(following the true distribution Prchip) is used to estimate

the metric: ˆ↵ (Lt,model). As a result, two main types of errors canˆ

arise. First, the number of traces in the profiling set may be too low to estimate the model accurately (which corresponds to estimation errors). Second, the model may not be able to accurately predict the distribution of samples in the test set, even after intensive profiling (which then corresponds to assumption errors).

In order to verify that estimations in a security evaluation are suf- ficiently accurate, the solution used in the next chapters is to exploit cross–validation. In general, this technique allows gauging how well a predictive (here leakage) model performs in practice. For k-fold cross–

validations, the set of evaluation traces_{L is first split into k (non over-}

lapping) setsL(i)_{of approximately the same size. Let us define the pro-}

filing sets_L(j)p =S_i6=jL(i)and the test setsL(j)t =L \ L(j)p . The sample

metric is then repeatedly computed k times for 1  j  k as follows.

First, we build a model from a profiling set: modelˆ (j) _L(j)p . Then we

estimate the metric with the associated test set ˆ↵(j) (L(j)t ,modelˆ

(j) ). Cross–validation protects evaluators from obtaining too optimistic sam- ple metric values due to over-fitting, since the test computations are always performed with an independent data set. Finally, the k outputs can be averaged in order to get an unbiased metric estimate, and their spread characterizes the result accuracy.

2.4

SCA workflow

An intuitive description of a side-channel attack is given in Section 2.2.2 and a formalized framework for their evaluation in Section 2.2.4. Yet, these representations do not take into account some preliminary pro- cedures that are generally required in practice. Figure 2.10 informally illustrates the complete workflow of a practical side-channel analysis. It can be decomposed into five steps, having di↵erent purposes and requir- ing di↵erent skills and tools:

1. Measure: this is the process of recording the physical leakages with measurement equipments. It is the interface between the analog real world and the digital evaluator’s work environment. This step is made thanks to analog-to-digital apparatus (e.g. oscil- loscopes, see Section 2.3.1). The parameters of the measurement process (e.g. sampling frequency, trigger event, requests order) may significantly a↵ect the attack outcome.

1. Measure 2. Preprocessing 3. Modelling 4. Exploitaon

5. Detecon

This thesis

Figure 2.10: Steps of a complete side-channel analysis

2. Preprocessing: it consists in signal processing techniques that are used in order to increase the attack efficiency. Sometimes, they are even necessary to make it succeed. They are for instance meth- ods for enhancing the measurement quality (e.g. filtering [71]), for detecting the (hidden) time samples that contain useful informa- tion [91], i.e. the points-of-interest, or for combining that informa- tion captured within di↵erent POIs [2, 103] (e.g. lower dimensional subspace projection).

3. Modelling: it is the step that aims to predict the leakage function outcome by approximating its behaviour with a model. As men- tioned in Section 2.2.2, it can be either entirely based on assump- tions (e.g. Hamming weight, Hamming distance), or estimated (i.e. profiled) with actual observations of the leakages (i.e. measure- ments) and with less (or lighter) assumptions. In our experiments, we focus on profiled settings (Section 2.3.2). During the profiling, the evaluator is able to manipulate the plaintext and the key such that the targeted intermediate values are processed. The leakage function is then estimated thanks to, for instance, PDF estimation methods. IT metrics (described in Section 2.2.4) are computed at this level in order to determine the amount of meaningful infor- mation that is captured by the model.

4. Exploitation: this is the process of exploiting the time samples in order to recover the secret key. The exploitation outcome is signif- icantly a↵ected by the quality of the previous steps realization. In general, it follows the same procedure as described in Section 2.2.2 (minus the modelling step that is here considered independently) and makes use of distinguishers such as introduced in Section 2.3.3. Security metrics (described in Section 2.2.4), that determine the

2.4. SCA workflow 35 quality of attack, are computed at this level.

5. Detection: like the preprocessing, the detection is a preliminary step, yet with a di↵erent (orthogonal) goal. It aims to detect whether leakages of a given order are e↵ectively present in leak- age traces or not. Therefore, the result returned by this process may not indicate the points-of-interest, i.e. the points that can ef- fectively be used for an attack. Moreover, it may not reflect the amount of information that is actually contained in the leakage. It mainly depends on the statistical metric used by the evaluator for this purpose.

In this thesis, we focus on the preprocessing, modelling and detection steps of a practical side-channel analysis. The first part of our work investigates points-of-interest detection and the relation with leakage detection. For that purpose, we make the comparison with the widely spread Cryptography Research (CRI)’s non specific (fixed vs. random) t-test that is introduced in the next sub-section. The second part is focused on evaluating the quality of models that are built in a profiled setting. This latter part of the work aims to tackle the question “how can we make sure that our model reflects the reality?”.

2.4.1

Fixed vs. random leakage detection test

Introduced by Cryptography Research (the company created by Paul Kocher), the fixed vs. random t-test [38] takes advantage of leakage ob- tained from two di↵erent sets of inputs, namely fixed and random. The first corresponds to a fixed plaintext and key, while the other corresponds

to random plaintexts and a fixed key. They are next denoted as_Lf and

Lr respectively. This test is inspired from the di↵erence of mean distin-

guisher (Section 2.3.3) and essentially works by comparing the leakages corresponding to these two sets. For this purpose, and for each sample, one simply has to estimate and compare two mean values. The first one,

denoted as ˆµf(⌧ ), corresponds to the samples in the fixed set of traces

Lf. The second one, denoted as ˆµr(⌧ ), corresponds to the samples in the

random set of traces Lr. Intuitively, being able to distinguish these two

mean values indicates the presence of data-dependencies in the leakages. For this purpose, and in order to determine whether some di↵erence ob- served in practice is meaningful, Welch’s t-test is applied (which is a variant of Student’s t-test that considers di↵erent variances and sample

size for the sets _Lf and Lr). The statistic to be tested is defined as: (⌧ ) = rµˆf(⌧ ) µˆr(⌧ ) ˆ2 f(⌧ ) Nf + ˆ2 r(⌧ ) Nr ,

where ˆ2_f(⌧ ) (resp. ˆ2_r(⌧ )) is the estimated variance over the Nf (resp.

Nr) samples ofLf (resp.Lr). Its p-value, i.e. the probability of the null

hypothesis which assumes (⌧ ) = 0, can be computed as follows:

p = 2_{⇥ (1} CDFt(| (⌧)|, ⌫)),

where CDFt is the cumulative function of a Student’s t distribution, and

⌫ is its number of freedom degrees, which is derived from the previous

means and variances as: ⌫ = (ˆ2

f/Nf + ˆr2/Nr)/[(ˆ2f/Nf)/(Nf 1) +

(ˆ2_r/Nr)/(Nr 1)]. Intuitively, the value of ⌫ is proportional to the

number of samples Nfand Nr. When increasing, Student’s t distribution

gets closer to a normal distribution_{N (0, 1).}