BS20 CHES2020 CTF Attack

This repository contains the attack by Bronchain and Standaert against
the CHES2020 CTF software targets. It
leverages Soft Analytical Side-Channel
Attacks and is using its
implementation in SCALib
(version 0.3.3). It allows to break all the masked software
implementations of Spook protected with 3,4,6 and 8 shares.

This is an artifact of the research paper Breaking Masked
Implementations with Many Shares on 32-bit Software Platforms or When
the Security Order Does Not
Matter
published in TCHES 2021, Issue 3.

Important: We stress that this repository is a support to the
research paper made to reproduce the results. We therefore assume that
the user has read the research paper.

Overview

In order to mount the attack against a given implementation, two steps
must be followed (see Section 4 of the paper).

1. Profile: Which consists in deriving a Gaussian template for each
   of the shares within the masked Sbox.
2. Attack: Which consists in recovering the secret keys by
   leveraging Soft
   Analytical Side-Channel Attacks (SASCA).

Since the output of profiling and attacks are made available online,
each step can be done independently (profiling is the more costly).

System requirement

In order to run the project, at least a Linux systems is required with
Python >=3.6, pip, curl, unzip, wget and gcc installed
(default on most of modern distributions). Since some steps of the
computation can be expensive, all the outputted results are made
available online and can be downloaded with download.py.

To run the full package (profiling and attack), we recommend to have at
least 32-GB of RAM. The user can specify the memory he wants to dedicate
to it by changing memory_limit in env_parse.py. More RAM is welcome
since it allows a better usage of parallelism. The artifact has been
tested with 90 GB of RAM and 48 threads.

To run profiling and/or attacks, traces must be downloaded from the
CHES2020 CTF website and stored on the disk (with download.py). For
the simplest target (3-shares), it represents about 36 GB of data. We
note that the user is not forced to download all the dataset. See the
next section for more details.

Install

All the Python dependencies are available on PyPi and can be installed
with:

pip install -r requirements.txt

We note that the user can install these dependencies in a virtualenv.
Both curl, unzip, wget and gcc must be installed on the system.
This can be done with the distribution package manager (e.g., apt-get,
pacman, etc ...).

Parameters

A few parameters can be tuned by the user in env_parse.py. We list and
describe them below:

• memory_limit: The target RAM (in GB) usage. Because Python has
  garbage collection, this limit can be (slightly) exceeded.
• dataset_dir: Is the directory containing the datasets. The
  downloaded traces will be placed there. If you already have the
  traces available on your system, make dataset_dir pointing to
  their location.
• npoi: The number of dimensions in the traces taken to build the
  templates. It is set to 3600.
• p: The number of dimensions in the considered linear subspace. It
  is set to 8.
• d: (passed through command line arguments) is the number of shares
  within the implementation. The dataset contains implementations with
  3,4,6 and 8 shares.

Download Datasets

The script download.py is an interactive script to select what dataset
must be downloaded. The user can select to download profile and/or
attack dataset for each of the implementations. The following example
downloads both datasets for the 3-shares implementation. It also allows
to download all the precomputed models and attacks results.

bash: python3 download.py

Confirm what you want to download. You can edit to top of this file.

About to download 26.00-GB for 3-shares profiling dataset. Continue ? [y/n]: y
About to download 32.00-GB for 4-shares profiling dataset. Continue ? [y/n]: n
Skipping
About to download 62.00-GB for 6-shares profiling dataset. Continue ? [y/n]: n
Skipping
About to download 82.00-GB for 8-shares profiling dataset. Continue ? [y/n]: n
Skipping


About to download 6.50-GB for 3-shares attack datasets. Continue ? [y/n]: y
About to download 8.00-GB for 4-shares attack datasets. Continue ? [y/n]: n
Skipping
About to download 62.00-GB for 6-shares attack datasets. Continue ? [y/n]: n
Skipping
About to download 164.00-GB for 8-shares attack datasets. Continue ? [y/n]: n
Skipping

....

note: The script does not download entire attack datasets but only
enough traces to recover the full keys. The full profiling datasets are
downloaded.

Profiling

note: All the commands to reproduce all the profiling and attacks
are in all.sh.

Running

The profiling is done by running sequentially the three following
scripts where <D> is the number of shares in the implementation to
profile.

python3 gen_labels.py -d <D> 
python3 compute_snr.py -d <D> 
python3 gen_templates.py -d <D>

gen_labels.py derives the values for each of the shares within the
masked Sbox by using the implementation sources (with additional MACRO).
compute_snr.py computes the SNR for each of the shares within the
masked Sbox. gen_templates.py builds a template for each of shares by
using LDAClassifier in SCALib.

Reporting

In order display the results of profiling (SNR and PoIs), the user can
start the interactive script report_profiling.py. The user will first
be asked the intermediate variables within the masked Sbox he wants to
display. Second, he will be asked what byte within that 32-bit variable
we wants to report. He so has to choose a byte index (0,1,2 or 3). The
script is used by running the command:

python3 report_profiling.py -d <D>

warning: Profiling is the most expensive steps. See Section 4. of
the paper for additional details about complexities.

Attack

Running

The attack can be executed by running the scripts

python3 attack.py -d <D> -n <n1,n2,n3,..>

where ni is the number of points to consider for the attack. The
attacks are performed on each of the 5 datasets. For each attacks, the
scripts displays the correct key, the key guess with highest probability
and the correct key rank (which corresponds to the enumeration power
needed by the evalutor to recover the key).

Reporting

The results can be reported with the script report_attack.py. This
report on the x-axis the number of traces in the attack and on the
y-axis the full key rank (log2-scale). The crosses are for individual
attack dataset (out of 5) and the red curve is the median. This curves
corresponds to Figure 8 in the research paper.

python3 report_attack.py -d <D>

Contact

For additional information, issues and suggestions, please contact
Olivier Bronchain at
olivier.bronchain@uclouvain.be.

License

All the files in this project (expected for spook_sw/) are distributed
under AGPLv3. Please see for additional information.