Abstract
Side-channel attacks generally rely on the availability of good leakage models to extract sensitive information from cryptographic implementations. The recently introduced leakage certification tests aim to guarantee that this condition is fulfilled based on sound statistical arguments. They are important ingredients in the evaluation of leaking devices since they allow a clean separation between engineering challenges (how to produce clean measurements) and cryptographic ones (how to exploit these measurements). In this paper, we propose an alternative leakage certification test that is significantly simpler to implement than the previous proposal from Eurocrypt 2014. This gain admittedly comes at the cost of a couple of heuristic (yet reasonable) assumptions on the leakage distribution. To confirm its relevance, we first show that it confirms previous leakage certification results. We then show that it also leads to additional and useful intuitions regarding the information losses caused by incorrect assumptions in leakage modelling.
Notes
Available at http://point-at-infinity.org/avraes/.
Note that theoretical approaches guaranteeing that a distribution is well characterized by its moments (such as Carleman's condition [25]) typically apply when considering an infinite number of them, and in general, no distribution is determined by a finite number of moments. So the restriction of our reasoning to specific classes of meaningful distributions is in fact necessary for our approach to be sound. Note also that nonparametric PDF estimations may not suffer from assumption errors (at the cost of a significantly increased estimation cost), and are therefore out of scope here.
Student's t distribution is a parametric probability density function whose only parameter is its number of degrees of freedom, which can be directly derived from k and the previous \(\sigma \) estimates as: \(d_{f} = (k-1)\times [({\hat{\sigma }}_y^d)^2+({\tilde{\sigma }}_y^d)^2]^2/[({\hat{\sigma }}_y^d)^4+({\tilde{\sigma }}_y^d)^4]\).
This happens for the selected time sample because of pipelining effects in the AVR microcontroller. Note that as in [9], the linear model did not exhibit any assumption error for other time samples given the amount of measured traces.
We considered simulated measurements for two main reasons. First, and as shown in Sect. 5, it allows us to control, and therefore to accurately understand, the observed leakages (e.g. we are sure that the Gaussian mixture modelling is perfect, i.e. without assumption errors). Second, concretely estimating Gaussian mixtures for our hardware masked implementations with transition-based leakages would be measurement intensive (since we would typically need to build templates for \(2^{12}\times 2^{12}\) transitions). Note that an alternative would be to consider the LR-based profiling from [14], which we leave as an interesting direction for further research.
References
Batina, L., Gierlichs, B., Prouff, E., Rivain, M., Standaert, F.-X., Veyrat-Charvillon, N.: Mutual information analysis: a comprehensive study. J. Cryptol. 24(2), 269–291 (2011)
Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) Proceedings of Cryptographic Hardware and Embedded Systems—CHES 2004: 6th International Workshop, Cambridge, MA, USA, August 11–13, 2004. Lecture Notes in Computer Science, vol. 3156, pp. 16–29. Springer (2004)
Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Burton S.K. Jr., Koç, Ç.K., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2002, 4th International Workshop, Redwood Shores, CA, USA, August 13–15, 2002, Revised Papers. Lecture Notes in Computer Science, vol. 2523, pp. 13–28. Springer (2002)
Dabosville, G., Doget, J., Prouff, E.: A new second-order side channel attack based on linear regression. IEEE Trans. Comput. 62(8), 1629–1640 (2013)
Duc, A., Faust, S., Standaert, F.-X.: Making masking security proofs concrete—or how to evaluate the security of any leaking device. In: Oswald, E., Fischlin, M. (eds.) Proceedings of Advances in Cryptology—EUROCRYPT 2015—34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26–30, 2015, Part I. Lecture Notes in Computer Science, vol. 9056, pp. 401–429. Springer (2015)
Durvaux, F., Standaert, F.-X.: From improved leakage detection to the detection of points of interests in leakage traces. In: Fischlin, M., Coron, J.-S. (eds.) Advances in Cryptology—EUROCRYPT 2016—35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8–12, 2016, Proceedings, Part I. Lecture Notes in Computer Science, vol. 9665, pp. 240–262. Springer (2016)
Durvaux, F., Standaert, F.-X., Veyrat-Charvillon, N.: How to certify the leakage of a chip? In: Nguyen, P.Q., Oswald, E. (eds.) Proceedings of Advances in Cryptology—EUROCRYPT 2014—33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11–15, 2014. Lecture Notes in Computer Science, vol. 8441, pp. 459–476. Springer (2014)
Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: 49th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2008, October 25–28, 2008, Philadelphia, PA, USA, pp. 293–302. IEEE Computer Society (2008)
Gilbert Goodwill, B.J., Jaffe, J., Rohatgi, P.: A testing methodology for side channel resistance validation. In: NIST Non-invasive Attack Testing Workshop, 2011. http://csrc.nist.gov/news_events/non-invasive-attack-testing-workshop/papers/08_Goodwill.pdf
Grosso, V., Standaert, F.-X., Prouff, E.: Low entropy masking schemes, revisited. In: Francillon, A., Rohatgi, P. (eds.) Smart Card Research and Advanced Applications—12th International Conference, CARDIS 2013, Berlin, Germany, November 27–29, 2013. Revised Selected Papers. Lecture Notes in Computer Science, vol. 8419, pp. 33–43. Springer (2013)
Heuser, A., Rioul, O., Guilley, S.: Good is not good enough—deriving optimal distinguishers from communication theory. In: Batina, L., Robshaw, M. (eds.) Proceedings of Cryptographic Hardware and Embedded Systems—CHES 2014—16th International Workshop, Busan, South Korea, September 23–26, 2014. Lecture Notes in Computer Science, vol. 8731, pp. 55–74. Springer (2014)
Lemke-Rust, K., Paar, C.: Analyzing side channel leakage of masked implementations with stochastic methods. In: Biskup, J., Lopez, J. (eds.) Proceedings of Computer Security—ESORICS 2007, 12th European Symposium On Research In Computer Security, Dresden, Germany, September 24–26, 2007. Lecture Notes in Computer Science, vol. 4734, pp. 454–468. Springer (2007)
Mangard, S., Oswald, E., Standaert, F.-X.: One for all–all for one: unifying standard differential power analysis attacks. IET Inf. Secur. 5(2), 100–110 (2011)
Mather, L., Oswald, E., Bandenburg, J., Wójcik, M.: Does my device leak information? An a priori statistical power analysis of leakage detection tests. In: Sako, K., Sarkar, P. (eds.) Advances in Cryptology—ASIACRYPT 2013—19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1–5, 2013, Proceedings, Part I. Lecture Notes in Computer Science, vol. 8269, pp. 486–505. Springer (2013)
Mather, L., Oswald, E., Whitnall, C.: Multi-target DPA attacks: pushing DPA beyond the limits of a desktop computer. In: Sarkar, P., Iwata, T. (eds.) Advances in Cryptology—ASIACRYPT 2014—20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7–11, 2014. Proceedings, Part I. Lecture Notes in Computer Science, vol. 8873, pp. 243–261. Springer (2014)
Moradi, A., Standaert, F.-X.: Moments-correlating DPA. IACR Cryptol. ePrint Arch. 2014, 409 (2014)
Poschmann, A., Moradi, A., Khoo, K., Lim, C.-W., Wang, H., Ling, S.: Side-channel resistant crypto for less than 2,300 GE. J. Cryptol. 24(2), 322–345 (2011)
Prouff, E., Rivain, M., Bevan, R.: Statistical analysis of second order differential power analysis. IEEE Trans. Comput. 58(6), 799–811 (2009)
Renauld, M., Standaert, F.-X., Veyrat-Charvillon, N., Kamel, D., Flandre, D.: A formal study of power variability issues and side-channel attacks for nanoscale devices. In: Paterson, K.G. (ed.) Proceedings of Advances in Cryptology—EUROCRYPT 2011—30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15–19, 2011. Lecture Notes in Computer Science, vol. 6632, pp. 109–128. Springer (2011)
Schindler, W., Lemke, K., Paar, C.: A stochastic model for differential side channel cryptanalysis. In: Rao, J.R., Sunar, B. (eds.) Proceedings of Cryptographic Hardware and Embedded Systems—CHES 2005, 7th International Workshop, Edinburgh, UK, August 29–September 1, 2005. Lecture Notes in Computer Science, vol. 3659, pp. 30–46. Springer (2005)
Schneider, T., Moradi, A.: Leakage assessment methodology—a clear roadmap for side-channel evaluations. In: Güneysu, T., Handschuh, H. (eds.) Proceedings of Cryptographic Hardware and Embedded Systems—CHES 2015—17th International Workshop, Saint-Malo, France, September 13–16, 2015. Lecture Notes in Computer Science, vol. 9293, pp. 495–513. Springer (2015)
Schneider, T., Moradi, A., Standaert, F.-X., Güneysu, T.: Bridging the gap: advanced tools for side-channel leakage estimation beyond Gaussian templates and histograms. IACR Cryptol. ePrint Arch. 2016, 719 (2016)
Spanos, A.: Probability Theory and Statistical Inference: Econometric Modeling with Observational Data. Cambridge University Press, Cambridge (1999)
Standaert, F.-X., Malkin, T., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: Joux, A. (ed.) Proceedings of Advances in Cryptology—EUROCRYPT 2009, 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cologne, Germany, April 26–30, 2009. Lecture Notes in Computer Science, vol. 5479, pp. 443–461. Springer (2009)
Standaert, F.-X., Peeters, E., Rouvroy, G., Quisquater, J.-J.: An overview of power analysis attacks against field programmable gate arrays. Proc. IEEE 94(2), 383–394 (2006)
Standaert, F.-X., Veyrat-Charvillon, N., Oswald, E., Gierlichs, B., Medwed, M., Kasper, M., Mangard, S.: The world is not enough: another look on second-order DPA. In: Abe, M. (ed.) Proceedings of Advances in Cryptology—ASIACRYPT 2010—16th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 5–9, 2010. Lecture Notes in Computer Science, vol. 6477, pp. 112–129. Springer (2010)
Veyrat-Charvillon, N., Gérard, B., Renauld, M., Standaert, F.-X.: An optimal key enumeration algorithm and its application to side-channel attacks. In: Knudsen, L.R., Wu, H. (eds.) Selected Areas in Cryptography, 19th International Conference, SAC 2012, Windsor, ON, Canada, August 15–16, 2012, Revised Selected Papers. Lecture Notes in Computer Science, vol. 7707, pp. 390–406. Springer (2012)
Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Security evaluations beyond computing power. In: Johansson, T., Nguyen, P.Q. (eds.) Proceedings of Advances in Cryptology—EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 26–30, 2013. Lecture Notes in Computer Science, vol. 7881, pp. 126–141. Springer (2013)
Whitnall, C., Oswald, E.: A fair evaluation framework for comparing side-channel distinguishers. J. Cryptogr. Eng. 1(2), 145–160 (2011)
Acknowledgements
François-Xavier Standaert is a research associate of the Belgian Fund for Scientific Research (FNRS-F.R.S.). This work has been funded in part by the European Commission through the ERC Project 280141 (CRASH) and by the ARC Project NANOSEC.
Cite this article
Durvaux, F., Standaert, FX. & Del Pozo, S.M. Towards easy leakage certification: extended version. J Cryptogr Eng 7, 129–147 (2017). https://doi.org/10.1007/s13389-017-0150-0