Open CourseWare
Recent changes

Laboratorul 07 - Correlation Power Analysis

In this lab we'll implement a side-channel attack known as Correlation Power Analysis.

The principle is quite simple:

  1. Choose your target (generally the S-box output of some block cipher - in our case AES)
  2. Obtain a large number (thousands) of leakage samples for that target, when processing different plaintexts
  3. Choose a suitable leakage model (usually the hamming weight of the target value)
  4. For each possible key candidate (e.g. all values from 0 to 255), compute Pearson's correlation coefficient between the leakage model estimate for that key candidate and the leakage traces.
  5. Decide for the key that gives maximum correlation

We'll discuss more in detail at the lab.

In this lab we shall use Matlab or Octave (MATLAB is preferred for speed reasons):

Octave main page Download link for Windows

You might also need these additional packages:

Link for additional packages

Use these files as starting point: lab6.zip

Exercise 1 (2p)

Open the file lab6_cpa.m and plot the leakage data from simdata.mat and the correlation for the first key hypothesis.

Exercise 2 (4p)

Compute the correlation for all the possible key values. Plot this correlation against all the possible key values. That is, use the plot(x, y) command, where x is a vector having values [0:255] (or [1:256]) and y is a vector with the correlation values corresponding to each key value).

The correlation is computed easily with corrcoef, but this returns a matrix of size 2×2 in our case. Select the element with index (1, 2) as the value we'll use. The values (1,1) and (2,2) are in fact the variance of each variable (Hamming weight and leakage data). We'll let you figure out who is the element (2,1).

Exercise 3 (4p)

To evaluate the security of a device against these attacks, evaluation labs typically compute a measure known as the success rate, which measures how effective is a side channel attack. To compute the success rate, do the following.

Run the attack on different sets of traces (e.g. R=50 subsets of N traces) and for each attack determine whether the correct key (K) leads to the highest correlation. Then compute the success rate as the number of times the correct key lead to the highest correlation divided by the total number of experiments: $SR={#correct key first}/{#experiments}$

Compute the success rate (SR) for different amounts of leakage traces (e.g. $N \in \{10, 20, 50, 100, 200, 500, 1000\}$) and then plot the SR as a function of N.

Administrativ

Cursuri

Laboratoare

Resurse

Teme

Table of Contents

ic/laboratoare/07.txt · Last modified: 2018/11/05 14:25 by dan.dragan
Old revisions
Media ManagerBack to top
CC Attribution-Share Alike 3.0 Unported
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0