International Association for Cryptologic Research

International Association
for Cryptologic Research

Transactions on Cryptographic Hardware and Embedded Systems, Volume 2023

Efficient Regression-Based Linear Discriminant Analysis for Side-Channel Security Evaluations :

Towards Analytical Attacks against 32-bit Implementations


README

Efficient Regression-Based Linear Discriminant Analysis for Side-Channel Security Evaluations

This repository contains the code to reproduce experiments presented in the
TCHES2023 paper Efficient Regression-Based Linear Discriminant Analysis for
Side-Channel Security Evaluations
:

  1. Scripts for reproducing our "atomic experiments": modeling and quantifying
    the leakage of a single XOR operation on 32-bit words on a Cortex-M4
    processor.

  2. Scripts for reproducing our attack on ISAP initialization: 32-bit leakage modeling and SASCA on 32-bit variables.

  3. Additionaly, the algorithms shown in the paper have been included in the SCALib library (from version 0.5.6) and made available on PyPI. Namely :

To ease the replication of our experiments, we uploaded our datasets at https://doi.org/10.5281/zenodo.7874633 (compressed size: 19 GB, uncompressed size: 27 GB).

System requirements

For the atomic experiments:

For the attack on ISAP:

Dependencies

For running our scripts:

The PyPI SCALib build supports only x86_64 processors with AVX2 instructions,
or Apple ARM. Otherwise, you can build SCALib yourself, with the following
dependencies:

Instructions for building SCALib are available here.

Installation

Note: commands are given for a bash shell. Adapt the syntax if you use another shell.

  1. Get our artifact.
git clone https://git-crypto.elen.ucl.ac.be/ucl-crypto/rlda_artifact
  1. Create a python virtual environment
# Run from the rlda_artifact directory
python3 -m venv ve
source ve/bin/activate # change path on Windows (ve/Scripts/activate)
pip install -r requirements.txt
  1. Execute the script that downloads the datasets and extracts them into
    rlda_artifact/dataset/atomic_exp and rlda_artifact/dataset/isap.
# Run from the rlda_artifact directory
./download_datasets.sh

Usage

Atomic experiments

# Run from the rlda_artifact directory
source ve/bin/activate # change path on Windows (ve/Scripts/activate)
cd atomic_exp
bash run.sh ../dataset/atomic_exp

It will run the profiling and estimate the PI bounds.
To change the parameters, edit run.sh or use cluster_analysis.py directly
(run python3 cluster_analysis.py --help to get more information on the
parameters).
Datasets are available with bus widths from 2 bits up to 32 with step of 2 bits. By default, run.sh is set to run experiments from 8 to 16 bits.
Some parameter sets can result in a failed clustering, due to a too low value of t, in such case, the scripts exits with a an error message.

Attack on ISAP

# Run from the rlda_artifact directory
source ve/bin/activate # change path on Windows (ve/Scripts/activate)
cd isap
bash attack.sh ../dataset/isap 20 0

The script profiles the leakage model and for the attack it prints the guessing entropy of the key words.

To run the full attack, replace 20 by 32 in the above command.

The third parameter ("0") determines which single trace in the dataset is used
to run the attack (hence which key is attacked, too).

Datasets

The full description of the acquisition methodology for the datasets is given in the paper.
For the atomic experiment, the code is also given in the paper, while for the Isap experiment,
we use the implementation of the Ascon permutation available at
https://github.com/ascon/ascon-c/blob/main/crypto_aead/ascon128av12/ref/round.h.