Template attacks
Generating vector distributions
A pooled distribution (consisting of different mean vectors for all values and a common covariance matrix) is stored in the following Templates
struct:
CryptoSideChannel.TemplateAttacks.Templates
— TypeThe Templates
struct stores a pooled noise covariance matrix, as well as mean vectors for all integers that are possibly loaded.
If the integer x
is processed, a random vector from distribution
is drawn. Then, values[x]
is added to this random vector.
These distributions can be created either manually to model a specific behaviour, or can be drawn randomly for testing purposes. The following two methods generate random distributions:
CryptoSideChannel.TemplateAttacks.random_diagonal_multivariate_distribution
— Functionrandom_diagonal_multivariate_distribution(d::Integer)
Generate a random normal multivariate distribution over d
dimensions. The mean will be a vector chosen randomly from $\[0, 1\]^d$.
Note that all random values are uncorrelated. Hence, our covariance matrix is a diagonal matrix.
CryptoSideChannel.TemplateAttacks.random_uncorrelated_templates
— Functionrandom_uncorrelated_templates(dimensions::Integer, max_value::Integer)
Generate a random template over d
dimensions, that supports operations on integers between $0$ and max_value
.
Sampling vectors
Usually, template attacks only target single instructions. For example, the target of an attack could be a single load instruction executed on a microcontroller. Those small targeted instructions are provided by the following two functions:
CryptoSideChannel.TemplateAttacks.single_load_instruction
— Functionsingle_load_instruction(value)
Simulate a single load instruction of value
.
CryptoSideChannel.TemplateAttacks.multi_load_instructions
— Functionmulti_load_instructions(a::Vector)
Simulate multiple consecutive load instructions for all values in the vector a
, in the order of the vector.
Given the functions that should be sampled, template vectors are collected using the following sample_function
. If multiple attack traces with the same input are required, those can be generated with generate_attack_vectors
.
CryptoSideChannel.TemplateAttacks.sample_function
— Functionsample_function(templates::Templates, fun, value)
Sample the provided function fun
on input value
.
Arguments
templates
defines the underlying emissions that should be simulated (i.e. mean and covariance matrices for values).fun
must be a function taking a single integer. This function should describe the operation that is targeted. For example,fun
could besingle_load_instruction
ormulti_load_instructions
.value
should be an integer, or an array of integers thatfun
is executed on.
Returns
The leakage vector that the execution of fun
on value
would produce, assuming that the emissions are defined by templates
.
CryptoSideChannel.TemplateAttacks.generate_attack_vectors
— Functiongenerate_attack_vectors(templates::Templates, secret; fun = single_load_instruction, N = 2^10)
Sample N
attack vectors of the function fun
.
Arguments
templates
stores the noise distribution of our side-channel.secret
is the secret value that is loaded for our attack. For example, this could be a single key byte.fun
is the function that processes the secret value. This defaults to a single load instruction. This function must take a single integer.N
is the number of attack traces to produce.
Returns
A list of side-channel attack vectors that record the operation of fun(secret)
. The function fun
must have the type signature Int -> Any
. fun
will be executed on input secret
, which should be an integer or an vector of integers.
The attack vectors are sampled by using the sample_function
.
Attacking
CryptoSideChannel.TemplateAttacks.template_core_attack
— Functiontemplate_core_attack(profiled_vectors::AbstractMatrix, inputs::AbstractVector, attack_vectors::AbstractMatrix)
Arguments
inputs
: A vector containing $N$ entries, where $N$ is the number of sampled vectors. At position $x$ shall be the input that was used to generate the $x$-th vector.profiled_vectors
: A $M \times N$ matrix. The columnprofiled_vectors[:,x]
should contain the data that was generated on inputx
.attack_vectors
: A $M \times K$ matrix, where $K$ is the number of traces from the attacked device. Traces are stored in column-major order. All traces must be generated with the same secret input.
Returns
A vector of tuples (likelyhood, value) for all values in inputs
, sorted by decreasing likelyhood of the value.