Changes

Template Attacks

1,931 bytes added, 14:18, 25 May 2016
Using the Template: Described attack method
= Using the Template =
With a template in hand, we can finish our attack. For the attack, we need a smaller number of traces - we'll say that we have <math>A</math> traces. The sample values will be labeled <math>a_{j, s_i}</math> (<math>1 \le j \le A</math>).
== Applying the Template ==
First, let's apply the template to a single trace. Our job is to decide how likely all of our key guesses are. We need to do the following:
* Put our trace values at the POIs into a vector. This vector will be <math>\mathbf{a_j} = \begin{bmatrix}a_{j,1} \\a_{j,2} \\a_{j,3} \\\vdots\end{bmatrix}</math>
* Calculate the PDF for every key guess and save these for later. This might look like: <math>p_{k, j} = f_k(\mathbf{a_j})</math>
* Repeat these two steps for all of the attack traces.

This process gives us an array of <math>p_{k, j}</math>, which says: "Looking at trace <math>j</math>, how likely is it that key <math>k</math> is the correct one?"

== Combining the Results ==
The very last step is to combine our <math>p_{k, j}</math> values to decide which key is the best fit. The easiest way to do this is to combine them as

<math>P_k = \prod_{j=1}^{A} p_{k,j}</math>

For example, if we guessed that a subkey was equal to 0x00 and our PDF results in 3 traces were (0.9, 0.8, 0.95), then our overall result would be 0.684. Having one trace that doesn't match the template can cause this number to drop quickly, helping us eliminate the wrong guesses. Finally, we can pick the highest value of <math>P_k</math>, which tells us which guess fits the templates the best, and we're done!

This method of combining our per-trace results can suffer from precision issues. After multiplying many large or small numbers together, we could end up with numbers that are too large or small to fit into a floating point variable. An easy fix is to work with logarithms. Instead of using <math>P_k</math> directly, we can calculate

<math>\log P_k = \sum_{j=1}^A \log p_{k,j}</math>

Comparing these logarithms will give us the same results without the precision issues.
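The scoring and combining steps above, as an added example that is not part of the original page. It assumes two POIs so the Gaussian PDF can be written out by hand; the templates, the trace values and all function names are constructed for illustration.

```python
import math
import random

def log_pdf(a, mean, cov):
    """log f_k(a) for a 2-POI Gaussian template (mean vector, 2x2 covariance)."""
    (c00, c01), (c10, c11) = cov
    det = c00 * c11 - c01 * c10
    d0, d1 = a[0] - mean[0], a[1] - mean[1]
    # d^T * inverse(cov) * d, written out for the 2x2 case
    maha = (c11 * d0 * d0 - (c01 + c10) * d0 * d1 + c00 * d1 * d1) / det
    return -0.5 * (maha + math.log(det) + 2 * math.log(2 * math.pi))

def score_keys(templates, traces):
    """Return ({k: log P_k}, {k: P_k}) over all attack traces a_j."""
    log_P, P = {}, {}
    for k, (mean, cov) in templates.items():
        logs = [log_pdf(a, mean, cov) for a in traces]  # log p_{k,j}
        log_P[k] = sum(logs)                            # sum of logs
        P[k] = math.prod(math.exp(v) for v in logs)     # direct product
    return log_P, P

def best_guess(scores):
    """Key guess with the highest combined score."""
    return max(scores, key=scores.get)

# Constructed templates for four subkey guesses (not real measurements).
COV = ((4.0, 1.0), (1.0, 4.0))
TEMPLATES = {
    0x00: ((10.0, 20.0), COV),
    0x01: ((14.0, 18.0), COV),
    0x02: ((11.0, 25.0), COV),
    0x03: ((16.0, 23.0), COV),
}
TRUE_KEY = 0x02

def make_traces(count, seed=1):
    """Constructed attack traces: the true key's mean plus Gaussian noise."""
    rng = random.Random(seed)
    mean = TEMPLATES[TRUE_KEY][0]
    return [(rng.gauss(mean[0], 2.0), rng.gauss(mean[1], 2.0)) for _ in range(count)]

if __name__ == "__main__":
    log_P, P = score_keys(TEMPLATES, make_traces(300))
    print("direct products:", P)  # every P_k has underflowed to 0.0
    print("best by log sum:", hex(best_guess(log_P)))
```

With 300 traces every direct product collapses to 0.0, so the guesses can no longer be told apart, while the log sums still rank them.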
== Attack Time ==