Efficient Template Attacks

Abstract

Template attacks remain a powerful side-channel technique to eavesdrop on tamper-resistant hardware. They model the probability distribution of leaking signals and noise to guide a search for secret data values. In practice, several numerical obstacles can arise when implementing such attacks with multivariate normal distributions. We propose efficient methods to avoid these. We also demonstrate how to achieve significant performance improvements, both in terms of information extracted and computational cost, by pooling covariance estimates across all data values. We provide a detailed and systematic overview of many different options for implementing such attacks. Our experimental evaluation of all these methods based on measuring the supply current of a byte-load instruction executed in an unprotected 8-bit microcontroller leads to practical guidance for choosing an attack algorithm.

Appendices

Evaluation Board

For our experiments, we built a custom PCB for the Atmel microcontroller (see Fig. 4, left). This 4-layer PCB has inputs for the clock signal and supply voltage, a USB port to communicate with a PC, and a \(10\,\Omega \) resistor in the ground line for power measurements. The PCB connects all the ground pins of the microcontroller to the same line, which leads to the measurement resistor.

Fig. 4.

Left: the device used during our experiments. Right: A single example trace \({{\mathbf {x}}}^{\text {r}}_{i}\) from our experimental setup.

Executed Code

During all our experiments we recorded traces with 2500 samples, covering the execution of several instructions, as shown in Fig. 4 (right). The executed instruction sequence is

The load instructions use the Z pointer (which refers to registers r31:r30) for indirect RAM addressing. The initial value of registers r8–r12 before the load operations is zero. The initial value of Z before the first load instruction is 2020.

Some Proofs

In Sect. 5.3 we rewrote (22) as (24). This is possible because

$$\begin{aligned} {\bar{{\mathbf {x}}}_{k}}'\mathbf {S}_{\mathrm {pooled}}^{-1}{\mathbf {x}}= {({\bar{{\mathbf {x}}}_{k}}'\mathbf {S}_{\mathrm {pooled}}^{-1}{\mathbf {x}})}' = {{\mathbf {x}}}'{\mathbf {S}_{\mathrm {pooled}}^{-1}}'\bar{{\mathbf {x}}}_{k}= {{\mathbf {x}}}'\mathbf {S}_{\mathrm {pooled}}^{-1}\bar{{\mathbf {x}}}_{k}. \end{aligned}$$

(32)

In Sect. 5.4 we state that \({\mathrm {d}}_{\mathrm {LINEAR}}\) provides the same results for both options of combining the traces (from average trace and based on joint likelihood). This happens because if we let \( c_{k} = -\frac{1}{2}{\bar{{\mathbf {x}}}_{k}}'\mathbf {S}_{\mathrm {pooled}}^{-1}\bar{{\mathbf {x}}}_{k}\) for any \(k\), then we have

$$\begin{aligned} {\mathrm {d}}_{\mathrm {LINEAR}}^{\mathrm {joint}}(k\mid {\mathbf {X}}_{k{\star }})&= {\bar{{\mathbf {x}}}_{k}}'\mathbf {S}_{\mathrm {pooled}}^{-1} \bigg (\displaystyle \sum _{{{\mathbf {x}}}_{i}\in {\mathbf {X}}_{k{\star }}} {{\mathbf {x}}}_{i}\bigg ) + n_{{\mathrm {a}}}c_{k}, \end{aligned}$$

(33)

$$\begin{aligned} {\mathrm {d}}_{\mathrm {LINEAR}}^{\mathrm {avg}}(k\mid {\mathbf {X}}_{k{\star }})&= {\bar{{\mathbf {x}}}_{k}}'\mathbf {S}_{\mathrm {pooled}}^{-1} \bigg (\frac{1}{n_{{\mathrm {a}}}} \displaystyle \sum _{{{\mathbf {x}}}_{i}\in {\mathbf {X}}_{k{\star }}} {{\mathbf {x}}}_{i}\bigg ) + c_{k}, \end{aligned}$$

(34)

and therefore for any \(u, v\in {\mathcal {S}}\) it is true that

$$\begin{aligned} {\mathrm {d}}_{\mathrm {LINEAR}}^{\mathrm {avg}}(u \mid {\mathbf {X}}_{k{\star }})&> {\mathrm {d}}_{\mathrm {LINEAR}}^{\mathrm {avg}}(v \mid {\mathbf {X}}_{k{\star }}) \Leftrightarrow \\ {\bar{{\mathbf {x}}}_{u}}'\mathbf {S}_{\mathrm {pooled}}^{-1} \bigg (\frac{1}{n_{{\mathrm {a}}}} \displaystyle \sum _{{{\mathbf {x}}}_{i}\in {\mathbf {X}}_{k{\star }}} {{\mathbf {x}}}_{i}\bigg ) + c_u&> {\bar{{\mathbf {x}}}_{v}}'\mathbf {S}_{\mathrm {pooled}}^{-1} \bigg (\frac{1}{n_{{\mathrm {a}}}} \displaystyle \sum _{{{\mathbf {x}}}_{i}\in {\mathbf {X}}_{k{\star }}} {{\mathbf {x}}}_{i}\bigg ) + c_v \Leftrightarrow \\ {\bar{{\mathbf {x}}}_{u}}'\mathbf {S}_{\mathrm {pooled}}^{-1} \bigg (\displaystyle \sum _{{{\mathbf {x}}}_{i}\in {\mathbf {X}}_{k{\star }}} {{\mathbf {x}}}_{i}\bigg ) + n_{{\mathrm {a}}}c_u&> {\bar{{\mathbf {x}}}_{v}}'\mathbf {S}_{\mathrm {pooled}}^{-1} \bigg (\displaystyle \sum _{{{\mathbf {x}}}_{i}\in {\mathbf {X}}_{k{\star }}} {{\mathbf {x}}}_{i}\bigg ) + n_{{\mathrm {a}}}c_v \Leftrightarrow \\ {\mathrm {d}}_{\mathrm {LINEAR}}^{\mathrm {joint}}(u \mid {\mathbf {X}}_{k{\star }})&> {\mathrm {d}}_{\mathrm {LINEAR}}^{\mathrm {joint}}(v \mid {\mathbf {X}}_{k{\star }}). \end{aligned}$$