Lascar: Donjon Side Channel Library
Introducing Lascar
Recently, Ledger Donjon (Security Team) published its open source python3 Side Channel Attack library on github: meet Lascar.
Lascar stands for Ledger’s Advanced Side Channel Analysis Repository. Its goal is to gather and provide common tools and techniques used in the field of Side Channel Analysis, within an open, customizable library.
Based on the principle that published Side Channel Attacks, any scientific piece, should be reproducible, we aim at offering an open source platform for publishing your work.
From our experience, every Side Channel team owns and maintains its own tools, and very few people share their code. This may be caused by very few solutions being available.
Lascar is designed to provide almost everything one would need to complete a state-of-the-art Side Channel Analysis.
Main Features
Lascar provides primitives for all the required steps in Side Channel Analysis. It allows the implementaton of end-to-end Side Channel Attacks. The library offers:
A convenient data representation.
Multi-dimensional Traces
and the corresponding meta-data are stored within the same object. This is good practice for side channel implementations, as it prevents mistakes during the side channel processing where the traces and the corresponding plaintext/ciphertext mismatch. All native data types are supported transparently: int8_t
, uint8_t
, int16_t
, uint16_t
, int32_t
, uint32_t
, int64_t
, uint64_t
, float
, double
.
Lascar offers an answer to this problem through the Trace
class and Container
Class.
In Lascar, every side-channel experiment is called a Trace
, and is represented as a couple (leakage,value)
where:
leakage
is a table containing your side-channel(s),value
is a table containing the value manipulated during the acquisition of the leakage,- both leakage and value have to be translatable as a numpy array.
As an extension the Container Class can be seen as a collection of Traces.
No matter the source of your side-channel data:
- stored files of your own format (
npy
,hdf5
,…) - simulated traces,
- raw traces from your side-channel bench,
A set of primitives for resynchronization purposes.
When using classical Side Channel Attacks Methodology, synchronization of traces with each other is key. Through this path, a classical and quite efficient countermeasure consists of introducing jitter, shuffling, randomization, in order to desynchronize traces. Lascar includes a set of useful and easy-to-use primitives for resynchronization purposes including:
- Peak detection
- Pattern detection
- Elastic alignment
Adding to that, Lascar is very versatile, allowing to add easily user-defined primitives. In Side Channel Attacks, when attacking a new set of traces, some tweaks are often necessary to post-process the traces. That’s why versatility is a key feature.
A set of primitives for Side Cannel leakage characterization purposes.
Often, Side Channel Analysis first starts with a characterization. In this situation, the attacker has access to a device on which he knows the key / sensitive value he’s trying to attack. It can be another device, another similar application… In this situation, it’s definitely more efficient to start the analysis with statistical analysis for Side Channel leakage detection. Several of these statistical moments are implemented in Lascar:
- SNR
- NICV
- TTEST
These statistical moments allow the attacker to characterize the dependence between the key / sensitive data and the traces. They are key to performing efficient attacks.
A set of primitives for Side Channel Attacks methodology.
Ultimately, attacks are what we want to do. There are plenty of methodologies to attack a cryptographic (or non-cryptographic) implementation using Side Channel. They range from basic Timing Attacks / SPA, to Supervised High Order Machine Learning Based Attacks. Lascar offers a comprehensive set of attack primitives allowing you to implement your favorite attack.
Often, within Side Channel Analysis, the attacker wants to try a lot of different methodologies, combining them in different order to try new ideas. In Lascar’s case, implementing an end-to-end attack is very easy and convenient.
The performance was not the first requirement, but it has not been neglected.
For now, on a standard laptop (i7–8550U @1.8GHz), running a CPA targeting AES SBOX on a set of 100.000 traces of 10.000 samples will take around 25 seconds.
If you are a student interested in learning about Side Channel Attacks, a professional researcher, or an expert in Side Channel Analysis working in a security evaluation lab, Lascar is for you ;-).
Have a look on our Github, fork it, clone it, and don’t hesitate to contribute to its development.
By Ledger Donjon — Manuel San Pedro — Victor Servant— Charles Guillemet