The second talk will be given online. Everyone hear me? Yes, but we don't see the slides yet. Oh yeah, you have to share them. Yes, okay, now it's good. Welcome. Okay, so the second presentation is "A Novel Completeness Test for Leakage Models and its Application to Side Channel Attacks and Responsibly Engineered Simulators". It's by Si Gao and Elizabeth Oswald, and the presentation will be given by Si Gao.

Okay, thanks. So thanks to everyone helping me to set this up and thanks for coming to my talk. My name is Si Gao, and within this talk I'm going to talk about how you can construct complete leakage models and how that applies to side channel attacks and responsibly engineered simulators. This is my joint work with Elizabeth. I now work far away, but this work was entirely done last year when I was working at the University of Klagenfurt, Austria, where I was funded by an ERC grant.

Okay, so I guess most of our audience is already familiar with the concept of side channel analysis. Side channel analysis takes advantage of your information leakage, whether it's timing or power consumption etc., and then potentially can recover the secret in a really short time, at the cost of taking some additional physical observations, for example your power consumption on some oscilloscope. Let's take a systematic point of view: let's consider, as a side channel attacker, what you have to do. Of course you need to have this device running the code and take this oscilloscope to measure perhaps your power consumption; of course that's always the same. But as the attacker, the first thing you need to assume is what's the target you believe is leaking. For example, for normal Hamming weight correlation attacks I might assume I'm attacking the first round, the first S-box output, so then the target state is the S-box output. The other thing I need to assume is how this state is leaking.
So perhaps I will assume the leakage I'm observing on the trace approximates the Hamming weight of the state. So altogether I need to assume that my observable leakage approximates the Hamming weight of the S-box output, maybe plus some additional Gaussian noise. What happens later on is, with some key guess k_j here, I will compute my assumed leakage and compare that with the observed leakage with the Pearson correlation coefficient. If it's non-zero, a large number, perhaps I got the right key guess; if it's close to zero, maybe I got the wrong key guess. Of course there is a key enumeration process here, so this key guess space in general can't be too large; if this key guess is like 128 bits, of course that doesn't make any sense.

But one thing we need to keep in mind is: from anything you observe on the trace, you never know what the full leakage model is, what entirely contains all the information; we never know. So maybe we have successfully attacked it with the S-box output; then we know it does contain the information about this S-box output, but you can never say this is everything you have on the trace. So let's now assume we take a God's-eye view. Let's say we know for sure this has the S-box output, but it also has some S-box output leakage as the transition from this S-box output to the previous S-box output. This is actually quite common for software platforms. In this case you might have this kind of leakage from the memory subsystem, maybe on your memory bus there is this transition and it will be leaking, or you might see it in some micro-architectural registers or buses; you might also see this kind of transition leakage. It's actually quite common, but the thing is you don't really know where it lies, whether it's the memory or the micro-architecture; as the code designer there's no way you will know this beforehand. So does this really have any impact? As an attacker I don't really care too much about this, because, well,
although having this might help you develop a somewhat better attack, as the attacker my final goal is recovering my secret key, so the complexity of finding this term will be added to the final complexity towards the key. Actually, in most cases finding this term might take much more effort than actually just doing this simple attack and getting the key. So as an attacker I don't really care about whether I'm missing this term. But if we jump into the evaluator's or certification lab's shoes, the story is completely different. From the evaluation point of view we really want to verify whether our masking schemes or our countermeasures are secure against all the leakage I observe. Of course in this case, if I assume the leakage is solely about the S-box output but the reality is there is this additional term which is not really about the S-box output, then perhaps your countermeasure is only secure against this term but not this term, so it's only partly effective, which is of course not something desirable.

So we propose and clarify in this paper that a leakage model should contain both the intermediate states X, aka the S-box output here, and your leakage function, aka the Hamming weight assumption here. You don't really have to agree with me on this terminology; if you assume the leakage model is solely about L, that's okay, but still, as an attacker you do need to consider both of them. There are a few solutions for L: if you don't like Hamming weight you can try profiling, you can also try maybe mutual information; there are other options here. But these states X are what we are going to emphasise in this talk, and we're going to propose something called a completeness test. We call a selected set of states complete if it actually contains all the relevant states for the observed leakage on the trace, and we're going to propose using the F-test to verify whether your selected states are actually complete or not. If it's not complete, it
means it failed to express some of the leakage you can observe on the trace. Having this complete model will have a few benefits: for example for attacks, it might reveal some unexpected new attack vectors, or for leakage simulators, it might help you to find leaks that would be otherwise missed by the overly simplified models such as the Hamming weight model.

Now let's start our journey: how can we find a complete set of intermediate states? This is going to be our roadmap here. The first step, what we are trying to do is construct this complete model that captures all the data-dependent leakage, and then, of course, with the realistic measurements we're going to estimate what this full model looks like. Then we're going to take your assumption, perhaps that the leakage is solely about the S-box output, and we'll also take the measurements and construct a model for the assumed model. Then, in the second step, we're going to compare these two models and figure out whether we are missing something. If this model is significantly better than this one, then that might suggest we are missing something, which means your model is not really complete. On the other hand, if we got something complete, that means your model is complete, you're not missing something, up to the statistical power you are using, or in other words the provided number of traces.

Okay, so let's take a look at how we do the first step: how to construct a model that can capture all the data dependency. At first glance this seems like mission impossible, because it's like capturing all the leakage; what is all the leakage? But if you really think about it, for an unmasked AES, if we assume the secret key is some constant, then all the intermediate states, wherever they lie, whatever they are, will always be a deterministic function of all the input bits. As a consequence, the leakage you are going to observe
during the encryption, whether it's a transition leakage or glitch-related leakage, will also be a function of all the input bits. That means if we can actually construct this model with all the input bits, it will capture all the data dependency during the encryption. But the problem is there's no way you can work with this model, because it requires much more than 2^128 traces to actually work with. So we have to confine it to a much smaller space. Our trick here is to confine each byte to one bit: we're using one random bit to represent each input byte for AES. In that case we confine each byte to only one bit, so in total, for AES-128 there are 16 bytes, which means we only need a bit more than 2^16 traces to work with. This is much more desirable.

Then the second step: if we have a complete model like this and we have our assumed model only about the S-box outputs, then the next step is how we compare them. Luckily, in this case we have some well-accepted techniques in statistics called the F-test for analysis of variance. In the F-test we can compare these two; if the F statistic in the end is larger than some threshold, then we say the model you're assuming actually misses some factor that has a significant contribution to the observed leakage. Otherwise we'll say it's complete up to this statistical power, which in the end depends on the number of traces you are providing.

Okay, so putting it together: in the first step we construct a full model and an assumed model, and then use the realistic traces to construct both models, and then we compare them in the F-test. So the F-test will tell us whether your assumed model is not complete, or in other words is missing something. Of course it will not tell you what is missing; it will just tell you it was missing something. Going back to our previous case, if we are still using our previous example here, it will of course be rejected, because you are missing
this Hamming distance term.

Okay, so now let's take a look at a few more complicated applications. First of all, how it works in attacks. I said this is for attacks, but it doesn't necessarily mean we are standing in the position of attackers. If we take a look at our previous example, with the Hamming weight of the S-box output and the Hamming distance between these two S-box outputs, if we ask the attacker, do we really want this term? As I said previously, probably not, because finding this term takes intensive effort, and that effort will be counted into your final complexity towards your secret key. The other reason I might not want this is that this term actually has two relevant key bytes, so to attack this term you need to enumerate two key bytes, versus with the single S-box output you only need one key byte, which means in the end the advantage of adding this term into your attack is almost negligible, but the effort to find it is quite large. So in the end, if you ask the attacker, you might not really want to add this term to your attack. But what is really critical here is that we are wishing to use this analysis to reveal some unexpected micro-architectural features, which in the end help us to develop a deeper understanding of our platform, which will also benefit the coding and masking implementations on this specific platform. Of course this also means in the following I'm not really talking about everything in an attack setup; I assume everything is in a profiling setup, where we assume we know all the input and we are only trying to train a better model for future attacks.

Okay, so the target I'm selecting is from ANSSI's affine masking scheme; you can find it in this repository. In this scheme every secret byte X is encoded with one multiplicative mask r_m and one additive mask r_a. The S-box will be pre-computed before each encryption with the input mask r_in and the
output mask r_out. Also, later on within this encryption you will always do table lookups here, and the additive mask r_a will be different for each byte, but r_in and r_out will be shared within one encryption. Within this implementation, let's focus on the traces where we are technically calculating the first masked S-box table lookup. If we truly build the leakage model for it, we assume that while we are doing the table lookup for the first byte, we might leak x0, the true and shared and masked states for the first byte, and r_a0, and maybe also r_in and r_out. So that's all the states relevant for computing the first S-box lookup. But if we actually use this as our assumed model and compare that with the full model, what we get is the blue line here. Basically, in this graph everything above the dashed line means you are not complete, you're missing something. That means even if we are technically only computing this first S-box lookup for the first byte, the leakage is not solely about the first S-box. Why is that? What is the missing leakage here? If we consider the target core, the Cortex-M3 we are using here, it is actually a 32-bit core, which means your memory buses are most likely also 32 bits. Even if your code is only trying to load one byte from the memory, what is likely to happen is your memory is always loading a word, and it is the CPU's responsibility to pick out which byte you want and discard all the unnecessary bytes. This would mean on your leakage you are actually observing the leakage from the word-wide loading instead of the byte-wide loading. If we add all of those into our consideration, we get the second line here, which is right below the threshold, which suggests this might be a complete model.

Okay, let's further verify if this is actually the case. Here I present the analysis of all the first four bytes within this word, and as we can see here, all the masked
states, all the first four masked states, can be observed as a peak here, which suggests that although technically you are only doing the table lookup for the first byte, you actually observe all four bytes' leakage simultaneously here. So what does this mean for attacks? Previously, if you wanted the leakage for one byte x_i and one byte x_j, you might be looking for two different points on the trace. In this case we actually know that if we select something here, we simultaneously have the leakage for all four bytes within this loaded word, which means if I want x0 and x1, I can just pick one sample here and then take the second statistical moment, so that will give me simultaneously two points' leakage. That means if you're doing second-order attacks, you can do a univariate attack instead of bivariate attacks, which means you don't really have to combine noise from different sources. More details will be presented in the paper; I will skip it for now. But I would also like to emphasise this is very far from the most efficient or most powerful attack; of course the most powerful attacks are always profiling attacks. But here what we would like to state is that, using our analysis, you can reveal some new attack vectors, and you can also learn what was previously unexpected in your analysis.

Okay, so the next application I'm going to talk about is leakage simulators. Previously, if you're thinking about how we actually work with the certification process: you as a crypto engineer, you find some masking scheme, you code it and you deploy that onto your device, and then you send it to a certification centre, which does this leakage detection, finding out whether it's secure or not. Then if it's secure you can send it to the market, otherwise you might go back. The non-ideal part of this is basically that at this point you might already have finished your development cycle, so in companies this means you might already have finished this, where if the certification
centre says, well, it's not secure, you need to fix it, maybe this is already a year after you actually developed this; you might no longer remember what causes this, or your colleague might already have left their job, which means it's really difficult to actually rework on this. One of the solutions for this will be leakage simulators. The simulator can provide you some feedback right after you write your code: then you can run the leakage simulators and then you can have some idea of whether my implementation is right or there is something wrong. The other good thing about leakage simulators is, well, they are fully theoretical, so they not only tell you, through leakage detection, which instruction is leaking, they will also tell you exactly why they're leaking, which helps you to develop much more targeted security patches. So one important point of this workflow is quality...

Sorry, hello, your time is almost up, can you please conclude this talk please?

Okay, okay. So I'm just going to say the completeness test will help you to verify the quality of your leakage simulator, and we verified two existing simulators. This is the target we're using, and what we observe here is that it's actually quite far from what we want: almost every cycle is not ideal. So we have constructed something better, and this non-complete leakage model actually causes some problems in your leakage detection; you can see here you actually fail to detect many of the leakages here. Okay, so I think maybe I can skip the ethical consideration here. With this model we are not estimating this, which may also avoid the problem of using this leakage simulator as great templates. So that's the ethical part. Okay, that's the end of this talk, thank you.

Right, maybe we can keep the questions for after the second talk, because the second talk will be given also by the same speakers, so maybe you can simply continue with the second talk and then at the end we can have a few minutes, yeah, for questions.