Tuesday, September 27, 2011

Non-invasive attack testing workshop, day 2

Some interesting discussions were to be had today at NIAT about the challenges involved with designing testing regimes and metrics to assess the vulnerability a device has to side-channel attacks. Benjamin Jun and Pankaj Rohatgi of Cryptography Research gave two talks on their own testing methodologies for symmetric algorithms and for RSA, which essentially involved trying to test to see if the device produces any statistically significant information leakage by using hypothesis testing on acquired signals. The challenges for NIST to overcome are constructing a methodology that can be easily and quickly used across all testing laboratories, that can be used for conformance testing, and that does not require any exceptional operator skill.

A different perspective was provided in the final talk of the day was given by Francois-Xavier Standaert of the UCL Crypto Group at Université catholique de Louvain. The talk considered using the worst-case scenario for the device as a security metric. This is when the attacker has the most complete power model possible; essentially mounting an optimal template attack. In this way the evaluator can have some idea of the available 'security margin' for the device. Two particular analyses were proposed; one information theoretic analysis to assess the data complexity of the worst-case attack, and a second security analysis to assess the time complexity, because in practice a side-channel attack has to trade-off between the two. In the former analysis, an information theoretic metric based on mutual information was proposed as a better alternative to the success-rate of the adversary, because whilst success-rate is perfectly representative of all the available information, it is not as easy to interpret the results.

A cautionary note was given, which is that in practice we cannot exactly compute the mutual information because of the problem of needing to estimate probability density functions, an issue we've run into ourselves at Bristol. So instead MI was proposed to be renamed 'percieved information', to ensure that people remember that the estimation may not be perfect.

No comments:

Post a Comment