Measuring Security of Symmetric Encryption Schemes Against On-the-Fly Side-Channel Key-Recovery Attacks

Abstract

In this paper, we propose a framework to analyze the security of symmetric encryption schemes against an adversary which attempts to recover the secret key by mounting side-channel attacks. In our adversarial side-channel model, the adversary is allowed to eavesdrop the public communication channel to obtain the ciphertexts and to collect on-the-fly some information about the secret keys of the scheme via measurement of certain physical phenomenon induced by the physical device, when the device is running the encryption process. Based on our framework, we derive the maximum success probability of the adversary to recover the secret keys. Our analysis does not assume any computation or storage limitation on the adversary and uses the bandwidths of the public communication channel and side-channel as the parameters. Hence, our results apply even in the case of quantum adversaries. Though in our framework the adversary does not have full control of the physical device, our framework is entirely independent of the type of physical phenomenon observed by the adversary and also of the method used by the adversary, which is interesting in its own right.

Appendices

A Proof of Lemma 1

Let us define the followings.

$$\begin{aligned} W(A)&={\left\{ \begin{array}{ll} 1 &{} \text {if }f(A)g(A)\geqq uv,\\ 0 &{} \text {otherwise.} \end{array}\right. } \end{aligned}$$

$$\begin{aligned} U(A)={\left\{ \begin{array}{ll} 1 &{} \text {if }f(A)\geqq u,\\ 0 &{} \text {otherwise.} \end{array}\right. }&\qquad V(A)={\left\{ \begin{array}{ll} 1 &{} \text {if }g(A)\geqq v,\\ 0 &{} \text {otherwise.} \end{array}\right. } \end{aligned}$$

Now, let us rewrite Eq. (11).

$$\begin{aligned} p_{A}&\!\! (W(A)=1)\\&\!\! =p_{A}\left\{ (W(A)=1)\wedge (U(A)=1)\wedge (V(A)=1)\right\} \\&\!\! \qquad +p_{A}\left\{ (W(A)=1)\wedge (\overline{(U(A)=1)\wedge (V(A)=1)})\right\} \\&\!\! \geqq p_{A}\left\{ (W(A)=1)\wedge (U(A)=1)\wedge (V(A)=1)\right\} \\&\!\! =p_{A}\left\{ (U(A)=1)\wedge (V(A)=1)\right\} . \end{aligned}$$

The last transformation is due to the fact that if \(f(A)=u+\alpha \) and \(g(A)=v+\beta \) hold for some \(\alpha ,\beta \geqq 0\), then automatically \(f(A)g(A)=(u+\alpha )(v+\beta )\geqq uv+\alpha \beta +\alpha v+\beta u\) holds, since \(\alpha \beta ,\alpha v,\beta u\geqq 0\). This ends the proof.    \(\square \)

B Proof of Lemma 2

Let us define the following set.

$$\begin{aligned} \mathcal {S}&:=\left\{ \alpha \in \mathcal {A}:f(\alpha )\geqq 0\right\} \end{aligned}$$

Thus, we have as follows.

The transformation (a) is due to the facts that:

• since \(u>0\), if \(A\in \mathcal {\mathcal {A}\backslash \mathcal {S}}\), it is impossible to have \(f(A)\geqq u\),

• and if \(A\in \mathcal {\mathcal {\mathcal {S}}}\), \(|f(A)|=f(A)\) by definition of \(\mathcal {S}\).

This ends the proof.    \(\square \)

C Proof of Lemma 3

Let us define the followings.

$$\begin{aligned} W(A)&={\left\{ \begin{array}{ll} 1 &{} \text {if }f(A)+g(A)>u+v,\\ 0 &{} \text {otherwise.} \end{array}\right. } \end{aligned}$$

$$\begin{aligned} U(A)={\left\{ \begin{array}{ll} 1 &{} \text {if }f(A)\geqq u,\\ 0 &{} \text {otherwise.} \end{array}\right. }&\qquad V(A)={\left\{ \begin{array}{ll} 1 &{} \text {if }g(A)>v,\\ 0 &{} \text {otherwise.} \end{array}\right. } \end{aligned}$$

Now, let us rewrite Eq. (7).

$$\begin{aligned} p_{A}(W(A)=1)&=p_{A}\left\{ (W(A)=1)\wedge (U(A)=1)\wedge (V(A)=1)\right\} \\&\qquad +p_{A}\left\{ (W(A)=1)\wedge (\overline{(U(A)=1)\wedge (V(A)=1)})\right\} \\&\geqq p_{A}\left\{ (W(A)=1)\wedge (U(A)=1)\wedge (V(A)=1)\right\} \\&=p_{A}\left\{ (U(A)=1)\wedge (V(A)=1)\right\} . \end{aligned}$$

The last transformation is due to the fact that if \(f(A)=u+\alpha \) and \(g(A)=v+\beta \) hold for some \(\alpha \geqq 0\) and \(\beta >0\), then automatically \(f(A)+g(A)=u+v+(\alpha +\beta )>u+v\) holds. This ends the proof.    \(\square \)