Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept....
-
date post
21-Dec-2015 -
Category
Documents
-
view
223 -
download
0
Transcript of Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept....
![Page 1: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/1.jpg)
Fault Injection and a Timing Channel on an Analysis Technique
John A Clark and Jeremy L JacobDept. of Computer Science
University of York, UK{jac,jeremy}@cs.york.ac.uk
Amsterdam 29.04.2002
![Page 2: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/2.jpg)
Structure of the Talk Background Specific technical
Part I: Describing underlying perceptron problems
Part II: Describing simulated annealing Part III: Solving by search Part IV: Fault injection analogy Part V: Timing channel analogy
Conclusions and future work
![Page 3: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/3.jpg)
Background: Side Channels for All
Some very high profile attacks have been demonstrated in the past decade that attack the implementation and not the algorithm
Fault injection (Boneh, de Milo and Lipton) Timing attacks (Kocher)
In this talk we aim to demonstrate that analysis techniques too may use such concepts
You can try to solve mutated or warped problem instances to see what happens (fault injection on the problem)
Observe the computational dynamics of the search (timing channel)
Will concentrate on general concepts
![Page 4: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/4.jpg)
Background: Identification Problems
Zero-knowledge (Goldwasser and Micali) Early identification scheme by Shamir Several schemes of late based on NP-
complete problems Permuted Kernel Problem (Shamir) Syndrome Decoding (Stern) Constrained Linear Equations (Stern) Permuted Perceptron Problem (Pointcheval)
We shall demonstrate some new attacks on this problem
![Page 5: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/5.jpg)
Part I: Underpinning Perceptron Problems
Won’t go into details of the protocols.
“A New Identification Scheme Based on the Perceptron Problems”
(Pointcheval Eurocrypt 1995)
![Page 6: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/6.jpg)
Perceptron Problem
Given
A nm
1a ij
a......aa
...............
a......aa
a.......aa
mnm2m1
2n2221
1n1211
1 js
Find
:
: 2
1
ns
s
s
S n 1
0
:
0
0
:
2
1
mw
w
w
SA nnm 1
So That
Simple version used in some experiments.
![Page 7: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/7.jpg)
Permuted Perceptron Problem
Given
A nm
1a ij
a......aa
...............
a......aa
a.......aa
mnm2m1
2n2221
1n1211
1 js
Find
:
: 2
1
ns
s
s
S n 1
:
2
1
mw
w
w
SA nnm 1
So That
Make Problem harder by imposing extra constraint.
Has particular histogram H of positive values
1 3 5 .. .. ..
![Page 8: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/8.jpg)
Example: PPP Problem
PP and PPP-example Every PPP solution is a PP solution.
5
1
1
3
1
1
1
1
1
11111
11111
1111-1
1-11-1-1
)1,1,2(
))5(),3(),1((
hhhH
Has particular histogram H of positive values
1 3 5
![Page 9: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/9.jpg)
Generating Instances
Suggested method of generation
1
1
1
1
1
• Generate random secret S
5
1
1
3
• Calculate AS
• Generate random matrix A
11111
11111
1111-1
11-111-
Significant structure in this problem; high correlation between majority values of matrix columns and secret corresponding secret bits• If any (AS)i <0 then negate ith row of
A
5
1
1
3
1
1
1
1
1
11111
11111
1111-1
1-11-1-1
![Page 10: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/10.jpg)
Instance Properties
Each matrix row/secret dot product is the sum of n Bernouilli (+1/-1) variables.
Initial image histogram has Binomial shape and is symmetric about 0 After negation simply folds over to be positive
-7–5-3-1 1 3 5 7… 1 3 5 7…
Image elements tend to be small
![Page 11: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/11.jpg)
Part II: Search - Simulated Annealing
![Page 12: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/12.jpg)
Simulated Annealing
x0 x1
x2
z(x)Allows non-improving moves so that it is possible to go down
x11
x4
x5
x6
x7
x8
x9
x10
x12
x13
x
in order to rise again
to reach global optimum
In practice neighbourhood may be very large and trial neighbour is chosen randomly. Possible to accept worsening move when improving ones exist.
![Page 13: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/13.jpg)
Simulated Annealing Improving moves always accepted Non-improving moves may be accepted
probabilistically and in a manner depending on the temperature parameter T. Loosely
the worse the move the less likely it is to be accepted
a worsening move is less likely to be accepted the cooler the temperature
The temperature T starts high and is gradually cooled as the search progresses.
Initially virtually anything is accepted, at the end only improving moves are allowed (and the search effectively reduces to hill-climbing)
![Page 14: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/14.jpg)
Simulated Annealing Current candidate x. Minimisation formulation.
farsobestisSolution
TempTemp
rejectelse
acceptyxcurrentUifelse
acceptyxcurrentif
yfxf
xighbourgenerateNey
timesDo
dofrozenUntil
TTemp
xxcurrent
Temp
95.0
)( ))1,0((exp
)( )0(
)()(
)(
400
)(
0
0
/
At each temperature consider 400 moves
Always accept improving moves
Accept worsening moves probabilistically.
Gets harder to do this the worse the move.
Gets harder as Temp decreases.
Temperature cycle
![Page 15: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/15.jpg)
Simulated Annealing
1 Do 400 trial moves
2 Do 400 trial moves
3 Do 400 trial moves
4 Do 400 trial moves
m Do 400 trial moves
100T
95.0TT
95.0TT
95.0TT
95.0TT
00001.0Tn Do 400 trial moves
95.0TT
Iteration
![Page 16: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/16.jpg)
Part III: Solving By Search
![Page 17: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/17.jpg)
Using Search
Aim to search the space of possible secret vectors x to find one that is an actual solution to the problem at hand.
Define a cost function: vectors that nearly solve the problem have low cost vectors that are far from solving the problem have
high cost. Define a means of generating neighbours to the
current vector Define a means of determining whether to move
to that neighbour or not.
![Page 18: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/18.jpg)
PP Using Search: Pointcheval
Pointcheval couched the Perceptron Problem as a search problem.
1
1
1
1
1
1Y
1
1
1
1
1
2Y
1
1
1
1
1
3Y
1
1
1
1
1
4Y
1
1
1
1
1
5Y
current solution Y
Neighbourhood defined by single bit flips on current solution
1
1
1
1
1
Cost function punishes any negative image components
1
3
1
1
AY
costNeg(y)=|-1|+|-3| =4
m
i iAYYCost1
}0,)(max{)(
![Page 19: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/19.jpg)
Using Annealing: Pointcheval
PPP solution is also PP solution. Based estimates of cracking PPP on ratio of PP
solutions to PPP solutions. Calculated sizes of matrix for which this should be
most difficult Gave rise to (m,n)=(m,m+16) Recommended (m,n)=(101,117),(131,147),
(151,167) Gave estimates for number of years needed to
solve PPP using annealing as PP solution means Instances with matrices of size 200 ‘could usually be
solved within a day’ But no PPP problem instance greater than 71 was ever
solved this way ‘despite months of computation’.
![Page 20: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/20.jpg)
Perceptron Problem (PP)
Knudsen and Meier approach in 1999 (loosely):
Carrying out sets of runs Note positions where results obtained all agree Fix those elements where there is complete
agreement and carry out new set of runs and so on.
If repeated runs give same values for particular bits assumption is that those bits are actually set correctly
Used this sort of approach to solve instances of PP problem up to 180 times faster than previous for (151,167) problem.
![Page 21: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/21.jpg)
Profiling Annealing
Approach is not without its problems. Not all bits that have complete agreement are correct.
Actual SecretRun 1Run 2Run 3Run 4Run 5Run 6All runs agree
All agree (wrongly)
1-1
![Page 22: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/22.jpg)
Knudsen and Meier (1999) Have used this method to attack PPP problem
sizes (101,117) Uses enumeration stage (to search for wrong
bits). Used new cost function w1=30, w2=1 with
histogram punishment
cost(y)=w1costNeg(y)+w2costHist(y)
1
1
1
1
Ay)0,0,3()(
)1,1,2()(
yhist
shist
010123)(costHist y
![Page 23: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/23.jpg)
Part IV: Fault Injection
![Page 24: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/24.jpg)
PP Move Effects
What limits the ability of annealing to find a PP solution?
A move changes a single element of the current solution.
Want current negative image values to go positive But changing a bit to cause negative values to go
positive will often cause small positive values to go negative.
01234567 01234567
iAYi
W 2'' i
WiAYiW
![Page 25: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/25.jpg)
Problem Fault Injection
Can significantly improve results by punishing at positive value K
For example punish any value less than K=4 during the search
Drags the elements away from the boundary during search. Also use higher exponent in differences, e.g. |Wi-K|2 rather
than simple deviation
01234567
AYW Rm
i iAYKYCost )}0,)((max{)(1
(201,217): K=20,15,10
(401,417): K=30,25,20,15
(501,517): K=25
(601,617): K=25
R=2
R=3
![Page 26: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/26.jpg)
Results for PP Fault Injection Have solved instances of size (number of
solutions from 30 runs). Some solved directly - others after 1, 2,
or 3 bit local search(201,217): 3 22 26 29 13 15 26 27 28 11
(601,617): 1 1 0 2 0 4 4 0 0 0
Secret vectors solved three times as long as previously
![Page 27: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/27.jpg)
PP Solution Correlation with Generating Secrets
(201,217): 79.2%-87.1%
(401,417): 83.4%-87.5%
(501,517): 80.6%-86.4%
(601,617): 77.5%-86.1%
![Page 28: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/28.jpg)
PPP Extensions Used similar cost function as Knudsen
And Meier but with fault injection on the negativity part (plus different exponents)
n
i
Rsy
Rm
i i iHiHAYKGYCost11
|)()(|)}0,)((max{)(
Attack each PPP problem instance using a variety of different weightings G, bounds K and values of exponent R.
These are different `viewpoints’ on each problem.
![Page 29: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/29.jpg)
PPP Results: Final Bits Correct Consequence is that warped problems
typically give rise to solutions with more agreement than the original secret than non-warped ones.
For example (101,117): up to 108 bits correct (131,147): up to 139 bits correct (151,167): up to 157 bits correct.
However, results may vary considerably and also between runs for the same problem
![Page 30: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/30.jpg)
Democratic Viewpoint Analysis
Problem P
Problem P1 Problem P2 Problem Pn-1 Problem Pn
Essentially same as K&M before but this time go for substantial rather than unanimous agreement.
By choosing the amount of disagreement tolerated carefully you can sometimes get over half the key this way. And on occasion have had only 1 bit in 115 most agreed bits incorrect (out of 167)
It’s a 1 It’s a 1 It’s a 1 No. It’s a -1
![Page 31: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/31.jpg)
Part V: Timing Channel:PPP
![Page 32: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/32.jpg)
Profiling Annealing: Timing
A lot of information is thrown away – better to monitor the search process as it cools down. Based on notion of thermostatistical
annealing. Analysis shows that some elements will
take some values early in the search and then never subsequently change.
They get ‘stuck’ early in the search. The ones that get stuck early often do so
for good reason – they are the correct values.
![Page 33: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/33.jpg)
Results: Initial Bits Correct The timing profile of warped problems
can reveal significant information. For example
(101,117): up to 72 initial bits correct (131,147): up to 97 initial bits correct (151,167): up to 98 initial bits correct
Again, results may vary considerably and also between runs for the same problem
![Page 34: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/34.jpg)
PPP (101, 117)
PPP (101,117)
0
20
40
60
80
100
120
1 5 9 13 17 21 25 29Problem Number
Ma
x B
its
Co
rre
ct O
ver
All
R
un
s
Bits Correct in FinalSolution
Initial N Bits StuckCorrect
![Page 35: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/35.jpg)
PPP (131, 147)
PPP (131,147)
0
20
40
60
80
100
120
140
160
1 4 7
10
13
16
19
22
25
28
Problem Number
Ma
x B
its
Co
rre
ct
Ov
er A
ll R
un
s
Bits Correct in FinalSolution
Initial N Bits StuckCorrect
![Page 36: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/36.jpg)
PPP (151, 167)
PPP (151,167)
0
50
100
150
200
1 4 7 10 13 16 19 22 25 28Problem Number
Ma
x B
its
Co
rre
ct O
ver
All
R
un
s
Max Bits Correct inFinal Solution
Initial N Bits StuckCorrect
![Page 37: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/37.jpg)
Multiple Clock Watchers Analysis
Problem P
Problem P1 Problem P2 Problem Pn-1 Problem Pn
Essentially same as for timing analysis but this time add up the times over all runs where each bit got stuck.
As you might expect those bits that often get stuck early (i.e. have low aggregate times to getting stuck) generally do so at their correct values (take the majority value).
Also seems to have significant potential but needs more work.
![Page 38: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/38.jpg)
Conclusions I Search techniques have a computational
dynamics too. Have profiled the action of annealing on
various warped problems - mutants of the original problem.
Analogy with fault injection, though here it is fault injection on public mathematics
The trajectory by which a search reaches its final path may reveal more information about the sought secret than the final result of the search
timing channel on an analysis
![Page 39: Fault Injection and a Timing Channel on an Analysis Technique John A Clark and Jeremy L Jacob Dept. of Computer Science University of York, UK {jac,jeremy}@cs.york.ac.uk.](https://reader030.fdocuments.net/reader030/viewer/2022033107/56649d5f5503460f94a3f3ad/html5/thumbnails/39.jpg)
Future Work A local optimum is a strong source of
information for cryptanalysis purposes: Can more subtle use be made of the distribution of
local optima found using annealing searches? Use ‘results’ of optimising as sources of
information. Can we detect secrets with extreme correctness
properties? MAX-XOR problems.
If you are given a large number of linear approximations for key bits (some of which may be misleading) what happens if you try to maximise the number solved?