International Association for Cryptologic Research

International Association
for Cryptologic Research

Transactions on Cryptographic Hardware and Embedded Systems, Volume 2023

Efficient Regression-Based Linear Discriminant Analysis for Side-Channel Security Evaluations :

Towards Analytical Attacks against 32-bit Implementations


README

Efficient Regression-Based Linear Discriminant Analysis for Side-Channel Security Evaluations

This repository contains the code to reproduce experiments presented in the
TCHES2023 paper Efficient Regression-Based Linear Discriminant Analysis for
Side-Channel Security Evaluations:

  1. Scripts for reproducing our "atomic experiments": modeling and quantifying
    the leakage of a single XOR operation on 32-bit words on a Cortex-M4
    processor.

  2. Scripts for reproducing our attack on ISAP initialization: 32-bit leakage modeling and SASCA on 32-bit variables.

  3. Additionaly, the algorithms shown in the paper have been included in the SCALib library (from version 0.5.6) and made available on PyPI. Namely :

- scalib.modeling.RLDAClassifier : The RLDA model,
- scalib.metrics.RLDAInformationEstimator : the information bounds,
- scalib.attacks.FactorGraph : The efficient computation of the AND gate in SASCAs.

To ease the replication of our experiments, we uploaded our datasets at https://doi.org/10.5281/zenodo.7874633 (compressed size: 19 GB, uncompressed size: 27 GB).

System requirements

For the atomic experiments:
- 32GB of RAM is recommended if you want to perform the experiments on all bus sizes (i.e., up to 32-bit).
- If you skip the largest bus sizes, only a modest amount of RAM is needed.
- Execution time: less than 10 minutes for small bus sizes (<=24 bits), 4h for largest case (tested on a 64 cores machine).

For the attack on ISAP:
- For the full experiment (32-bit states): 1.6 TB of RAM.
- For ease of evaluation we included a dataset with a reduced number of bits
(all words are only 20-bits, the remaining 12-bits being set to 0 -- this
makes the key 80-bit long).
- Execution time: less than 10 minutes for the 20-bit case, about 14h for largest case (mostly single-threaded workload).

Dependencies

For running our scripts:
- Bash
- python >= 3.8
- pip >= 22.0.0 (older version might be able to install the scalib binary from PyPI)
- Python venv module (often installed with python, sometimes a separate package, such as python3-venv on ubuntu).
- Python scalib module, version 0.5.6 (can be installed with pip).

The PyPI SCALib build supports only x86_64 processors with AVX2 instructions,
or Apple ARM. Otherwise, you can build SCALib yourself, with the following
dependencies:
- Rust toolchain >= 1.70 (can be installed via rustup
- A C/C++ compiler
- clang >=5.0
- python >= 3.8
- Python build module (can be installed with pip).

Instructions for building SCALib are available here.

Installation

Note: commands are given for a bash shell. Adapt the syntax if you use another shell.

  1. Get our artifact.
git clone https://git-crypto.elen.ucl.ac.be/ucl-crypto/rlda_artifact
  1. Create a python virtual environment
# Run from the rlda_artifact directory
python3 -m venv ve
source ve/bin/activate # change path on Windows (ve/Scripts/activate)
pip install -r requirements.txt
  1. Execute the script that downloads the datasets and extracts them into
    rlda_artifact/dataset/atomic_exp and rlda_artifact/dataset/isap.
# Run from the rlda_artifact directory
./download_datasets.sh

Usage

Atomic experiments

# Run from the rlda_artifact directory
source ve/bin/activate # change path on Windows (ve/Scripts/activate)
cd atomic_exp
bash run.sh ../dataset/atomic_exp

It will run the profiling and estimate the PI bounds.
To change the parameters, edit run.sh or use cluster_analysis.py directly
(run python3 cluster_analysis.py --help to get more information on the
parameters).
Datasets are available with bus widths from 2 bits up to 32 with step of 2 bits. By default, run.sh is set to run experiments from 8 to 16 bits.
Some parameter sets can result in a failed clustering, due to a too low value of t, in such case, the scripts exits with a an error message.

Attack on ISAP

# Run from the rlda_artifact directory
source ve/bin/activate # change path on Windows (ve/Scripts/activate)
cd isap
bash attack.sh ../dataset/isap 20 0

The script profiles the leakage model and for the attack it prints the guessing entropy of the key words.

To run the full attack, replace 20 by 32 in the above command.

The third parameter ("0") determines which single trace in the dataset is used
to run the attack (hence which key is attacked, too).

Datasets

The full description of the acquisition methodology for the datasets is given in the paper.
For the atomic experiment, the code is also given in the paper, while for the Isap experiment,
we use the implementation of the Ascon permutation available at
https://github.com/ascon/ascon-c/blob/main/crypto_aead/ascon128av12/ref/round.h.