A statistics-based success rate model for DPA and CPA

  • Regular Paper
  • Journal of Cryptographic Engineering

Abstract

Side-channel attacks (SCAs) exploit leakage from the physical implementation of cryptographic algorithms to recover otherwise secret information. In the last decade, popular SCAs like differential power analysis (DPA) and correlation power analysis (CPA) have been invented and demonstrated to be realistic threats to many critical embedded systems. However, there is still no sound and provable theoretical model that illustrates precisely what the success of these attacks depends on and how. Based on the maximum likelihood estimation theory, this paper proposes a general statistical model for side-channel attack analysis that takes characteristics of both the physical implementation and the cryptographic algorithm into consideration. The model establishes analytical relations between the success rate of attacks and the cryptographic system. For power analysis attacks, the side-channel characteristic of the physical implementation is modeled as the signal-to-noise ratio (SNR), which is the ratio between the single-bit unit power consumption and the standard deviation of the power distribution. The side-channel property of the cryptographic algorithm is extracted by a novel algorithmic confusion analysis. Experimental results of DPA and CPA on both DES and AES verify this model with high accuracy and demonstrate the effectiveness of the algorithmic confusion analysis and SNR extraction. We expect the model to be extendable to other SCAs, like timing attacks, and to provide valuable tools for evaluating a cryptographic system’s resistance to those SCAs.

References

  1. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Proceedings of the International Cryptology Conference on Advances in Cryptology, pp. 388–397 (1999)

  2. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: International Workshop on Cryptographic Hardware and Embedded Systems, pp. 135–152 (2004)

  3. Gierlichs, B., Batina, L., Tuyls, P., Preneel, B.: Mutual information analysis. In: International Workshop on Cryptographic Hardware and Embedded Systems, pp. 426–442 (2008)

  4. Le, T.-H., Clédière, J., Canovas, C., Robisson, B., Servière, C., Lacume, J.-L.: A proposition for correlation power analysis enhancement. In: International Workshop on Cryptographic Hardware and Embedded Systems, pp. 174–186 (2006)

  5. Quisquater, J.-J., Samyde, D.: Electromagnetic analysis (EMA): measures and counter-measures for smart cards. In: Smart Card Programming and Security, pp. 200–210 (2001)

  6. Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: concrete results. In: International Workshop on Cryptographic Hardware and Embedded Systems, pp. 251–261 (2001)

  7. Kocher, P.C.: Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems. In: Proceedings of the International Cryptology Conference on Advances in Cryptology, pp. 104–113 (1996)

  8. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counter power analysis attacks. In: Proceedings of Crypto, pp. 398–412 (1999)

  9. Tiri, K., Verbauwhede, I.: A VLSI design flow for secure side-channel attack resistant ICs. In: Proceedings of Design, Automation and Test in Europe, pp. 58–63 (2005)

  10. Clavier, C., Coron, J.-S., Dabbous, N.: Differential power analysis in the presence of hardware countermeasures. In: International Workshop on Cryptographic Hardware and Embedded Systems, pp. 252–263 (2000)

  11. Gierlichs, B., Lemke-Rust, K., Paar, C.: Templates vs. stochastic methods: a performance analysis for side channel cryptanalysis. In: International Workshop on Cryptographic Hardware and Embedded Systems, pp. 15–29 (2006)

  12. Standaert, F.-X., Bulens, P., de Meulenaer, G., Veyrat-Charvillon, N.: Improving the rules of the DPA contest. In: Cryptology ePrint Archive, Report 2008/517 (2008). http://eprint.iacr.org/2008/517

  13. Standaert, F.-X., Malkin, T., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: Advances in Cryptology—EUROCRYPT 2009, pp. 443–461 (2009)

  14. Veyrat-Charvillon, N., Standaert, F.-X.: Mutual information analysis: how, when and why? In: International Workshop on Cryptographic Hardware and Embedded Systems, pp. 429–443 (2008)

  15. Messerges, T.S., Dabbish, E.A., Sloan, R.H.: Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5), 541–552 (2002)

  16. Bevan, R., Knudsen, E.: Ways to enhance differential power analysis. In: International Conference on Information Security and Cryptology, pp. 327–342 (2003)

  17. Guilley, S., Hoogvorst, P., Pacalet, R.: Differential power analysis model and some results. In: Smart Card Research and Advanced Applications VI, vol. 153, pp. 127–142 (2004)

  18. Luo, Q., Fei, Y.: Algorithmic collision analysis for evaluating cryptographic systems and side-channel attacks. In: IEEE International Symposium Hardware Oriented Security and Trust, pp. 75–80 (2011)

  19. Fei, Y., Luo, Q., Ding, A.A.: A statistical model for DPA with novel algorithmic confusion analysis. In: International Workshop on Cryptographic Hardware and Embedded Systems, Sept. 2012, pp. 233–250

  20. Mangard, S.: Hardware countermeasures against DPA: a statistical analysis of their effectiveness. In: CT-RSA, pp. 1988–1998 (2004)

  21. Standaert, F.-X., Peeters, E., Rouvroy, G., Quisquater, J.: An overview of power analysis attacks against field programmable gate arrays. In: Proceedings of the IEEE, vol. 94, pp. 383–394

  22. Rivain, M.: On the exact success rate of side channel analysis in the gaussian model. In: Selected Areas in Cryptography, vol. 5381, pp. 165–183 (2009)

  23. Duc, A., Faust, S., Standaert, F.-X.: Making masking security proofs concrete. In: Advances in Cryptology—EUROCRYPT 2015, vol. 9056, pp. 401–429 (2015)

  24. Prouff, E.: DPA attacks and S-Boxes. In: International Workshop on Fast Software Encryption, pp. 1–8 (2005)

  25. Thillard, A., Prouff, E., Roche, T.: Success through confidence: evaluating the effectiveness of a side-channel attack. In: International Workshop on Cryptographic Hardware and Embedded Systems, pp. 21–36 (2013)

  26. Schindler, W., Lemke, K., Paar, C.: A stochastic model for differential side channel cryptanalysis. In: Cryptographic Hardware and Embedded Systems-CHES 2005. Springer, Berlin, pp. 30–46 (2005)

  27. Heuser, A., Rioul, O., Guilley, S.: A theoretical study of Kolmogorov–Smirnov distinguishers. In: Constructive Side-Channel Analysis and Secure Design, pp. 9–28 (2014)

  28. Neyman, J., Pearson, E.S.: On the Problem of the Most Efficient Tests of Statistical Hypotheses. R. Soc. Lond. Philos. Trans. Ser. A 231, 289–337 (1933)

  29. Johnson, O.T.: Information Theory and the Central Limit Theorem. Imperial College Press, London (2004)

  30. Kullback, S., Leibler, R.A.: On information and sufficiency. Ann. Math. Stat. 22, 49–86 (1951)

  31. Doget, J., Prouff, E., Rivain, M., Standaert, F.-X.: Univariate side channel attacks and leakage modeling. J. Cryptogr. Eng. 1(2), 123–144 (2011)

  32. Mangard, S., Oswald, E., Standaert, F.-X.: One for all—all for one: unifying standard differential power analysis attacks. IET Inf. Secur 5(2), 100–110 (2011)

  33. DPA Contest. http://www.dpacontest.org/

  34. Side-channel attack standard evaluation board (SASEBO). Research Center for Information Security (RCIS). http://www.rcis.aist.go.jp/special/SASEBO/index-en.html

  35. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards (Advances in Information Security). Springer, New York (2007)

  36. Oswald, E., Mangard, S., Pramstaller, N., Rijmen, V.: A side-channel analysis resistant description of the AES S-box. In: Fast Software Encryption, pp. 413–423 (2005)

  37. Canright, D., Batina, L.: A very compact perfectly masked S-box for AES. In: Applied Cryptography and Network Security, pp. 446–459 (2008)

  38. Tiri, K., Schaumont, P.: Changing the odds against masked logic. In: Selected Areas in Cryptography, pp. 134–146 (2007)

  39. Chen, Z., Sinha, A., Schaumont, P.: Implementing virtual secure circuit using a custom-instruction approach. In: Proceedings of the International Conference on Compilers, Architectures and Synthesis for Embedded Systems, pp. 57–66 (2010)

  40. Tiri, K., Akmal, M., Verbauwhede, I.: A dynamic and differential CMOS logic with signal independent power consumption to withstand differential power analysis on smart cards. In: Proceedings of European Solid-State Circuits Conference, pp. 403–406 (2002)

  41. Tiri, K., Verbauwhede, I.: A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation. In: Proceedings of the International Conference on Design, Automation and Test in Europe, pp. 246–251 (2004)

  42. Yang, S., Wolf, W., Vijaykrishnan, N., Serpanos, D., Xie, Y.: Power attack resistant cryptosystem design: a dynamic voltage and frequency switching approach. In: Proceedings of the International Conference on Design Automation and Test in Europe (2005)

  43. Coron, J., Kizhvatov, I.: An efficient method for random delay generation in embedded software. In: International Workshop on Cryptographic Hardware and Embedded Systems, pp. 156–170 (2009)

  44. Coron, J., Kizhvatov, I.: Analysis and improvement of the random delay countermeasure of CHES 2009. In: International Workshop on Cryptographic Hardware and Embedded Systems, pp. 95–109 (2011)

  45. Bucci, M., Luzzi, R., Guglielmo, M., Trifiletti, A.: A countermeasure against differential power analysis based on random delay insertion. In: Proceedings of IEEE International Symposium Circuits and Systems, pp. 3547–3550 (2005)

Author information

Correspondence to Yunsi Fei.

Additional information

This work was supported in part by National Science Foundation under CAREER Award CNS-0845871, Grant CNS-1314655, and Grant MRI-1337854.

Appendices

Appendix A: Proof for Lemma 1

We prove the lemma for the general confusion coefficients defined in (6) and (7). Then, of course, it also holds for the DPA confusion coefficients as a special case.

$$\begin{aligned}&\kappa (k_h,k_i) + \kappa (k_h,k_j) - \kappa (k_i,k_j) \\&\quad = E[(V \vert k_h - V \vert k_i)^2 + (V \vert k_h - V \vert k_j)^2 - (V \vert k_i - V \vert k_j)^2]\\&\quad = E[2 (V \vert k_h)^2 -2 (V \vert k_h) (V \vert k_i) -2 (V \vert k_h)(V \vert k_j) \\&\qquad +\, 2 (V \vert k_i)(V \vert k_j)] \\&\quad = 2 E[ (V \vert k_h - V \vert k_i)(V \vert k_h - V \vert k_j)] \\&\quad = 2 {{\tilde{\kappa }}}(k_h,k_i,k_j). \end{aligned}$$

Therefore: \({{\tilde{\kappa }}}(k_h,k_i,k_j) = \frac{1}{2} [ \kappa (k_h,k_i) + \kappa (k_h,k_j) - \kappa (k_i,k_j)].\)

Appendix B: Proof of Theorem 1 and Corollary 2

We shall make the derivation for the general leakage model (18) with Gaussian noise. This would express the general success rate formula in confusion coefficients as in Theorem 1. Then Corollary 2 can be further derived as a special case.

Since we already know the general success rate formula (17) for the ML-attack, the proof only needs to verify the formula (21) for the mean \({\varvec{\mu }}\) and variance \({\varvec{\Sigma }}\). We shall do this by direct calculation.

We first find a simplified expression of \({\varDelta } (k_c,k_g)\), the difference between ML-attack statistic for the correct key and a guessed key. From model (18), we have the likelihoods

$$\begin{aligned} f_{{\mathcal {L}}|V}(l|v_c)= & {} \frac{1}{\sqrt{2\pi }\sigma } \mathrm{e}^{-\frac{(l-\epsilon v_c-c)^2}{2\sigma ^2}}\\ f_{{\mathcal {L}}|V}(l|v_g)= & {} \frac{1}{\sqrt{2\pi }\sigma } \mathrm{e}^{-\frac{(l-\epsilon v_g-c)^2}{2\sigma ^2}}. \end{aligned}$$

Therefore, using Eq. (11),

$$\begin{aligned} {\varDelta } (k_c,k_g)= & {} \sum \limits _{m=1}^{n}\frac{(l_m - c - \epsilon v_{m,g})^2 - (l_m - c - \epsilon v_{m,c})^2}{2n\sigma ^2}\nonumber \\= & {} \frac{1}{2n\sigma ^2}\sum \limits _{m=1}^{n}\{[r_m + {\epsilon }(v_{m,c} - v_{m,g})]^2 - (r_m)^2\}\nonumber \\= & {} \frac{\epsilon ^2}{2n\sigma ^2}\sum \limits _{m=1}^{n}[(v_{m,c} - v_{m,g})^2\nonumber \\&+\, \frac{2}{\epsilon }(v_{m,c} - v_{m,g})r_m]. \end{aligned}$$
(31)

We now calculate the mean and variance of the vector \({\varvec{\Delta }}\) from this expression to verify (21).

Since \(r_m\) has mean zero and is independent of \((v_{m,c} - v_{m,g})\), \(E[(v_{m,c} - v_{m,g})r_m]=0\). Hence the entry of vector \({\varvec{\mu }}\) (the mean of \({\varvec{\Delta }}\)) is:

$$\begin{aligned} \mu _{k_g}= & {} E[{\varDelta }(k_c,k_g)] = \frac{\epsilon ^2}{2n\sigma ^2} n E[(v_{1,c}-v_{1,g})^2]\nonumber \\= & {} \frac{\kappa (k_c,k_g)}{2}\left( \frac{\epsilon }{\sigma }\right) ^2 \end{aligned}$$
(32)

with \(\kappa (k_c,k_g)\) defined as in (6). This verifies the first half of (21).

The entries in the \((N_k-1)\times (N_k-1)\) dimensional variance matrix, \({\varvec{\Sigma }}\), are:

$$\begin{aligned}&\hbox {Cov}[{\varDelta }(k_c,k_{g_i}),{\varDelta }(k_c,k_{g_j})] \\&\quad =\sum \limits _{m=1}^{n}\sum \limits _{m^*=1}^{n}E\left\{ \left[ (v_{m,c} - v_{m,gi})^2 + \frac{2}{\epsilon }(v_{m,c} - v_{m,gi})r_m\right] \right. \\&\qquad \times \left. \left[ (v_{m^*,c} - v_{m^*,gj})^2 + \frac{2}{\epsilon }(v_{m^*,c} - v_{m^*,gj})r_{m^*}\right] \right\} \\&\qquad \times \left( \frac{\epsilon ^2}{2n\sigma ^2}\right) ^2 - E[{\varDelta }(k_c,k_{g_i})]E[{\varDelta }(k_c,k_{g_j})]. \end{aligned}$$

Since \(E(r_m)=E(r_{m^*})=E(r_m r_{m^*})=0\) for \(r_m \ne r_{m^*}\), and \(E[(r_m)^2]=\sigma ^2\), the above expression becomes

$$\begin{aligned}&\hbox {Cov}[{\varDelta }(k_c,k_{g_i}),{\varDelta }(k_c,k_{g_j})] \\&\quad =\left( \frac{\epsilon ^2}{2n\sigma ^2}\right) ^2 \left\{ \sum \limits _{m=1}^{n}\sum \limits _{m^*=1}^{n}E[(v_{m,c} -v_{m,gi})^2(v_{m^*,c} - v_{m^*,gj})^2]\right. \\&\qquad \left. +\sum \limits _{m=1}^{n} \left( \frac{2}{\epsilon }\right) ^2 \sigma ^2 E[(v_{m,c} - v_{m,gi})(v_{m,c} - v_{m,gj})]\right\} \\&\qquad -\, \mu _{k_{g_i}} \mu _{k_{g_j}} \\&\quad =\left( \frac{\epsilon ^2}{2n\sigma ^2}\right) ^2\left\{ \sum \limits _{m=1}^{n}E[(v_{m,c} - v_{m,gi})^2(v_{m,c} - v_{m,gj})^2]\right. \\&\qquad + \sum \limits _{m \ne m^*} E[(v_{m,c} - v_{m,gi})^2]E[(v_{m^*,c} - v_{m^*,gj})^2] \\&\qquad \left. + \sum \limits _{m=1}^{n} \left( \frac{2 \sigma }{\epsilon }\right) ^2 E[(v_{m,c} - v_{m,gi})(v_{m,c} - v_{m,gj})]\right\} \\&\qquad -\,\frac{\kappa (k_c,k_{g_i})\kappa (k_c,k_{g_j})}{4}\left( \frac{\epsilon }{\sigma }\right) ^4. \end{aligned}$$

By the definition of the confusion coefficients \(\kappa (k_c,k_{g_i},k_{g_j}) = E[(V|k_c-V|k_{g_i})(V|k_c-V|k_{g_j})]\) in (7), and \(\kappa ^*(k_c,k_{g_i},k_{g_j}) = E[(V|k_c-V|k_{g_i})^2(V|k_c-V|k_{g_j})^2]\) in (8), we have

$$\begin{aligned}&\hbox {Cov}[{\varDelta }(k_c,k_{g_i}),{\varDelta }(k_c,k_{g_j})]\\&\quad =\frac{1}{4n^2}\left( \frac{\epsilon }{\sigma }\right) ^4\bigg \{n \kappa ^*(k_c,k_{g_i},k_{g_j}) +\, n(n-1) \kappa (k_c,k_{g_i})\kappa (k_c,k_{g_j})\\&\qquad +\, n \left( \frac{2\sigma }{\epsilon }\right) ^2 \kappa (k_c,k_{g_i},k_{g_j})\bigg \}-\frac{\kappa (k_c,k_{g_i}) \kappa (k_c,k_{g_j})}{4}\left( \frac{\epsilon }{\sigma }\right) ^4\\&\quad =\frac{1}{4n}\left( \frac{\epsilon }{\sigma }\right) ^4\kappa ^*(k_c,k_{g_i},k_{g_j}) - \frac{1}{4n}\left( \frac{\epsilon }{\sigma }\right) ^4\kappa (k_c,k_{g_i})\kappa (k_c,k_{g_j})+\frac{1}{n}\left( \frac{\epsilon }{\sigma }\right) ^2 \kappa (k_c,k_{g_i},k_{g_j})\\&\quad =\frac{1}{n}\left\{ \left( \frac{\epsilon }{\sigma }\right) ^2 \kappa (k_c,k_{g_i},k_{g_j})\right. \\&\qquad \left. +\frac{1}{4}\left( \frac{\epsilon }{\sigma }\right) ^4 [\kappa ^*(k_c,k_{g_i},k_{g_j}) - \kappa (k_c,k_{g_i})\kappa (k_c,k_{g_j})]\right\} . \end{aligned}$$
(33)

This verifies the second half of (21). The formula (21) is exactly the expressions (32) and (33) in vector and matrix forms. Plugging these expressions of \({\varvec{\mu }}\) and \({\varvec{\Sigma }}\) into the success rate formula (17) for the ML-attack, we arrive at the explicit formula (22). This finishes the proof of Theorem 1.

Notice that for the DPA model, the V value is either 1 or 0, so that \((V|k_c-V|k_g)^2\) is always either 1 or 0. Hence, as explained after Eqs. (6), (7) and (8), the general confusion coefficients specialize to the confusion coefficients definition for DPA. Hence the formulas (23) and (24) in Corollary 2 hold as special cases of the corresponding formulas in Theorem 1. Therefore, Corollary 2 follows.
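As an added example (not code from the paper), the following computes the confusion coefficients exactly for a small target, checks Lemma 1 over every key triple, and builds the mean (32) and covariance (33) that an evaluator would feed into the success rate formula. The 4-bit PRESENT S-box, the Hamming-weight select function and the function names are assumptions made for illustration.

```python
from fractions import Fraction
from itertools import product
from math import sqrt

# Assumption: 4-bit S-box of the PRESENT cipher, used as a small target.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
KEYS = range(16)
PLAINTEXTS = range(16)


def v(p, k):
    """Select function V|k: Hamming weight of S(p XOR k) (assumed CPA-style model)."""
    return bin(SBOX[p ^ k]).count("1")


def expect(f):
    """Exact expectation over uniformly distributed plaintexts."""
    return Fraction(sum(f(p) for p in PLAINTEXTS), len(PLAINTEXTS))


def kappa(ka, kb):
    """Two-way confusion coefficient E[(V|ka - V|kb)^2]."""
    return expect(lambda p: (v(p, ka) - v(p, kb)) ** 2)


def kappa3(kh, ki, kj):
    """Three-way coefficient E[(V|kh - V|ki)(V|kh - V|kj)]."""
    return expect(lambda p: (v(p, kh) - v(p, ki)) * (v(p, kh) - v(p, kj)))


def kappa_star(kh, ki, kj):
    """E[(V|kh - V|ki)^2 (V|kh - V|kj)^2], the fourth-order term in (33)."""
    return expect(
        lambda p: (v(p, kh) - v(p, ki)) ** 2 * (v(p, kh) - v(p, kj)) ** 2)


def lemma1_holds():
    """Lemma 1: 2*kappa3(h,i,j) = kappa(h,i) + kappa(h,j) - kappa(i,j)."""
    return all(
        2 * kappa3(h, i, j) == kappa(h, i) + kappa(h, j) - kappa(i, j)
        for h, i, j in product(KEYS, repeat=3))


def ml_moments(kc, snr, n):
    """Mean vector (32) and covariance matrix (33) of Delta for n traces.

    snr is epsilon/sigma; rows and columns follow the order of `wrong`.
    """
    wrong = [k for k in KEYS if k != kc]
    s2, s4 = snr ** 2, snr ** 4
    mu = [float(kappa(kc, g)) / 2 * s2 for g in wrong]
    cov = [[(s2 * float(kappa3(kc, gi, gj))
             + s4 / 4 * float(kappa_star(kc, gi, gj)
                              - kappa(kc, gi) * kappa(kc, gj))) / n
            for gj in wrong] for gi in wrong]
    return wrong, mu, cov


def pairwise_margin(kc, snr, n):
    """Per wrong key: mean of Delta divided by its standard deviation."""
    wrong, mu, cov = ml_moments(kc, snr, n)
    return {g: mu[i] / sqrt(cov[i][i]) for i, g in enumerate(wrong)}


if __name__ == "__main__":
    print("Lemma 1 holds for all key triples:", lemma1_holds())
    margins = pairwise_margin(kc=0, snr=0.5, n=100)
    hardest = min(margins, key=margins.get)
    print("hardest wrong key to reject:", hex(hardest), margins[hardest])
```

Because the mean in (32) does not depend on n while every entry of (33) scales as 1/n, each margin grows as the square root of the number of traces; the wrong key with the smallest margin is the one that dominates the evaluation.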

Appendix C: Proof of Lemma 2

Here we wish to show that the ML-attack with unknown \((c,\epsilon ,\sigma )\) parameter values is equivalent to CPA. We will use direct calculation to find the ML-attack test statistic with unknown \((c,\epsilon ,\sigma )\). That is, we maximize \(T_g=\frac{1}{n} \sum \nolimits _{m=1}^{n}\log f_{{\mathcal {L}}|k_g}(l_m)\) over \((c,\epsilon ,\sigma )\). Under model (18), this becomes maximizing \(T_g=-\frac{1}{n}\sum \nolimits _{m=1}^{n}\frac{(l_m-\epsilon v_{m,g}-c)^2}{2\sigma ^2} - \log (\sqrt{2 \pi }\sigma )\) over \((c,\epsilon ,\sigma )\). This is the same problem as finding the maximum likelihood estimate under the linear regression model, and the solution is

$$\begin{aligned} {\hat{\sigma }}_g^2= & {} \frac{1}{n}\sum \limits _{m=1}^{n} (l_m- {\hat{\epsilon }}_g v_{m,g}- {\hat{c}}_g)^2,\quad {\hat{c}}_g = \bar{l} - {\hat{\epsilon }}_g \bar{v}_g,\nonumber \\ {\hat{\epsilon }}_g= & {} \frac{\sum _{m=1}^{n} (l_m - {\bar{l}}) (v_{m,g} - \bar{v}_g)}{\sum _{m=1}^{n} (v_{m,g}-\bar{v}_g)^2}, \end{aligned}$$
(34)

with \({\bar{l}} = \frac{1}{n} \sum _{m=1}^{n} l_m\) and \({\bar{v}}_g = \frac{1}{n} \sum _{m=1}^{n} v_{m,g}\). Plugging the solution for \({\hat{\sigma }}_g^2\), \({\hat{c}}_g\) and \({\hat{\epsilon }}_g\) back into the test statistic \(T_g\), we get

$$\begin{aligned} T_g= - \log ({\hat{\sigma }}_g) + \hbox {constant}. \end{aligned}$$

Hence the ML-attack with unknown \((c,\epsilon ,\sigma )\) will select key \(k_g\) to minimize \({\hat{\sigma }}_g^2\). From (34),

$$\begin{aligned} {\hat{\sigma }}_g^2= & {} \frac{1}{n}\left[ \sum \nolimits _{m=1}^{n} (l_m - {\bar{l}})^2 - \frac{\left[ \sum \nolimits _{m=1}^{n} (l_m - {\bar{l}}) (v_{m,g} - {\bar{v}}_g)\right] ^2}{\sum \nolimits _{m=1}^{n} (v_{m,g}-{\bar{v}}_g)^2}\right] \\= & {} \frac{1}{n}\sum \limits _{m=1}^{n} (l_m - {\bar{l}})^2(1 - {\hat{\rho }}_g^2), \end{aligned}$$

where \( {\hat{\rho }}_g\) is the Pearson correlation

$$\begin{aligned} {\hat{\rho }}_g = \frac{\sum \nolimits _{m=1}^{n} (l_m - {\bar{l}}) (v_{m,g} - {\bar{v}}_g) }{\sqrt{\sum \nolimits _{m=1}^{n} (l_m - {\bar{l}})^2 \sum \nolimits _{m=1}^{n}(v_{m,g} - {\bar{v}}_g)^2}}. \end{aligned}$$
(35)

Since the value of \(\sum _{m=1}^{n} (l_m - {\bar{l}})^2\) does not change under different keys, \({\hat{\sigma }}_g^2\) is minimized when \({\hat{\rho }}_g^2\) is maximized. Hence the attack selects the same key as CPA.
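The equivalence in Lemma 2 can be checked numerically; the following is an added example, not code from the paper. It fits (34) and computes (35) for every key guess on constructed, simulated traces, then confirms that the smallest residual variance and the largest squared correlation pick the same key. The 4-bit PRESENT S-box, the Hamming-weight select function, the simulation parameters and the function names are assumptions.

```python
import random
from math import sqrt

# Assumption: 4-bit S-box of the PRESENT cipher with Hamming-weight leakage.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hw(x):
    return bin(x).count("1")


def simulate_traces(key, n, eps, c, sigma, seed):
    """Constructed data: l_m = eps * v_{m,c} + c + r_m with Gaussian noise r_m."""
    rng = random.Random(seed)
    pts = [rng.randrange(16) for _ in range(n)]
    leak = [eps * hw(SBOX[p ^ key]) + c + rng.gauss(0.0, sigma) for p in pts]
    return pts, leak


def fit_guess(pts, leak, kg):
    """Return (sigma_hat^2 from (34), rho_hat from (35), (1/n) sum (l - l_bar)^2)."""
    n = len(leak)
    v = [hw(SBOX[p ^ kg]) for p in pts]
    l_bar, v_bar = sum(leak) / n, sum(v) / n
    s_lv = sum((l - l_bar) * (x - v_bar) for l, x in zip(leak, v))
    s_vv = sum((x - v_bar) ** 2 for x in v)
    s_ll = sum((l - l_bar) ** 2 for l in leak)
    eps_hat = s_lv / s_vv                    # regression slope
    c_hat = l_bar - eps_hat * v_bar          # regression intercept
    sigma2_hat = sum((l - eps_hat * x - c_hat) ** 2
                     for l, x in zip(leak, v)) / n
    rho_hat = s_lv / sqrt(s_ll * s_vv)       # Pearson correlation
    return sigma2_hat, rho_hat, s_ll / n


def rank_keys(pts, leak):
    """Pick a key by ML with unknown parameters and by squared correlation."""
    fits = {kg: fit_guess(pts, leak, kg) for kg in range(16)}
    ml_key = min(fits, key=lambda k: fits[k][0])        # minimise sigma_hat^2
    cpa_key = max(fits, key=lambda k: fits[k][1] ** 2)  # maximise rho_hat^2
    return fits, ml_key, cpa_key


def identity_gap(fits):
    """Largest deviation from sigma_hat^2 = (1/n) sum (l - l_bar)^2 (1 - rho_hat^2)."""
    return max(abs(s2 - var_l * (1 - rho * rho))
               for s2, rho, var_l in fits.values())


if __name__ == "__main__":
    pts, leak = simulate_traces(key=0xB, n=2000, eps=1.0, c=3.0,
                                sigma=1.0, seed=1)
    fits, ml_key, cpa_key = rank_keys(pts, leak)
    print("ML key:", hex(ml_key), "CPA key:", hex(cpa_key))
    print("max identity deviation:", identity_gap(fits))
```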

Appendix D: Proof of Theorem 3

Rivain [22] has shown that CPA also has a success rate described by the multivariate Gaussian distribution. Our task here is to express the success rate in terms of SNR and the confusion coefficients.

First, we define some notation to simplify the calculations later. Under the (Symmetric Keys) Assumption 1, \(V|k_c\) has the same distribution as \(V|k_g\) for all \(k_g\). Hence the j-th moment of V is the same under all keys. That is, we can denote \(c_j = E(V^j|k_c)=E(V^j|k_g)\), \(j=1,2,\ldots \). W.l.o.g. (without loss of generality), let \(c_1=0\). This holds for CPA by subtracting h/2 from the Hamming weight/distance.

Also, w.l.o.g., we assume that \(\epsilon >0\) so that asymptotically the CPA succeeds when \({\hat{\rho }}_c > {\hat{\rho }}_g\) for all \(k_g\). To calculate the probability that \({\hat{\rho }}_c > {\hat{\rho }}_g\) for all \(k_g\), let us denote

$$\begin{aligned} {\tilde{b}}_c = \frac{\sum \nolimits _{m=1}^{n} (l_m - {\bar{l}}) (v_{m,c} - {\bar{v}}_c) }{\sqrt{n\sum \nolimits _{m=1}^{n}(v_{m,c} - {\bar{v}}_c)^2}} \\ {\tilde{b}}_g = \frac{\sum \nolimits _{m=1}^{n} (l_m - {\bar{l}}) (v_{m,g} - {\bar{v}}_g) }{\sqrt{n\sum \nolimits _{m=1}^{n}(v_{m,g} - {\bar{v}}_g)^2}}. \end{aligned}$$

Then \({\hat{\rho }}_c > {\hat{\rho }}_g\) is equivalent to \({\tilde{b}}_c > {\tilde{b}}_g\). Since \(\sum _{m=1}^{n}(v_{m,c} - {\bar{v}}_c)=0\), we have

$$\begin{aligned} {\tilde{b}}_c= & {} \frac{\sum \nolimits _{m=1}^{n} (r_m + \epsilon v_{m,c})(v_{m,c} - {\bar{v}}_c) }{\sqrt{n\sum \nolimits _{m=1}^{n}(v_{m,c} - {\bar{v}}_c)^2}}, \\ {\tilde{b}}_g= & {} \frac{\sum \nolimits _{m=1}^{n} (r_m + \epsilon v_{m,c}) (v_{m,g} - {\bar{v}}_g) }{\sqrt{n\sum \nolimits _{m=1}^{n}(v_{m,g} - {\bar{v}}_g)^2}}. \end{aligned}$$

Applying the Central Limit Theorem, \({\bar{v}}_c = O_p(1/\sqrt{n})\), \({\bar{v}}_g = O_p(1/\sqrt{n})\), \(\sum _{m=1}^{n}(v_{m,c} - {\bar{v}}_c)^2= n c_2 + O_p(\sqrt{n})\) and \(\sum _{m=1}^{n}(v_{m,g} - {\bar{v}}_g)^2 = n c_2 + O_p(\sqrt{n})\). We denote

$$\begin{aligned} b_c= & {} \frac{1}{n\sqrt{c_2}}\sum \limits _{m=1}^{n} (r_m + \epsilon v_{m,c}) v_{m,c}, \\ b_g= & {} \frac{1}{n\sqrt{c_2}}\sum \limits _{m=1}^{n} (r_m + \epsilon v_{m,c}) v_{m,g}, \end{aligned}$$

so that \( {\tilde{b}}_c = b_c + O_p(1/\sqrt{n})\) and \( {\tilde{b}}_g = b_g + O_p(1/\sqrt{n})\). We shall calculate the asymptotic success rate of CPA by finding the asymptotic probability that \(b_c > b_g\) for all \(k_g\).

$$\begin{aligned} b_c - b_g= & {} \frac{1}{n\sqrt{ c_2}}\sum \limits _{m=1}^{n} [r_m (v_{m,c} - v_{m,g}) \\&+\, \epsilon v_{m,c}(v_{m,c} - v_{m,g})]. \end{aligned}$$

What remains is to calculate the mean and variance of the vector with elements as \(b_c - b_g\) similar to the proof of Theorem 1.

The mean vector has elements

$$\begin{aligned} E(b_c - b_g) = \frac{1}{n \sqrt{ c_2}} n \epsilon E[v_{1,c}(v_{1,c} - v_{1,g})] = \frac{\epsilon \kappa (k_c, k_g)}{2 \sqrt{c_2}}.\nonumber \\ \end{aligned}$$
(36)

Here the second equality comes from the following Lemma whose proof is provided at the end.

Lemma 3

Under Assumption 1, \(E[(V|k_c)(V|k_c - V|k_g)]=\kappa (k_c,k_g)/2 \).

Now, the elements in the variance matrix are

$$\begin{aligned}&\hbox {Cov}(b_c - b_{g1}, b_c - b_{g2})\nonumber \\&\quad = E[(b_c - b_{g1})(b_c - b_{g2})]- E[(b_c - b_{g1})]E[(b_c - b_{g2})]\nonumber \\&\quad =\left( \frac{1}{ n \sqrt{ c_2}}\right) ^2\sum \limits _{m_1=1}^{n} \sum \limits _{m_2=1}^{n} E[(r_{m_1} + \epsilon v_{m_1,c})(r_{m_2} + \epsilon v_{m_2,c})\nonumber \\&\qquad \times (v_{m_1,c} - v_{m_1,g1})(v_{m_2,c} - v_{m_2,g2})]\nonumber \\&\qquad - \left( \frac{\epsilon }{2\sqrt{c_2}}\right) ^2 \kappa (k_c, k_{g1})\kappa (k_c, k_{g2})\nonumber \\&\quad = \frac{1}{n^2 c_2} \sum \limits _{m=1}^{n} E[(r_{m} + \epsilon v_{m,c})^2(v_{m,c} - v_{m,g1})(v_{m,c} - v_{m,g2})]\nonumber \\&\qquad + \frac{1}{n^2 c_2} \sum \limits _{m_1 \ne m_2} E[(r_{m_1} + \epsilon v_{m_1,c})(r_{m_2} + \epsilon v_{m_2,c})\nonumber \\&\qquad \times (v_{m_1,c} - v_{m_1,g1})(v_{m_2,c} - v_{m_2,g2})]\nonumber \\&\qquad - \frac{\epsilon ^2}{4 c_2} \kappa (k_c, k_{g1})\kappa (k_c, k_{g2}). \end{aligned}$$
(37)

For \(m_1 \ne m_2\), \(E(r_{m_1})=E(r_{m_2})=E(r_{m_1}r_{m_2})=0\), using the independence of noises \(r_{m_1}\) and \(r_{m_2}\) from \(v_{m_1,c}\), \(v_{m_1,g1}\), \(v_{m_2,c}\), and \(v_{m_2,g2}\), we have

$$\begin{aligned}&E[(r_{m_1} + \epsilon v_{m_1,c})(r_{m_2} + \epsilon v_{m_2,c})(v_{m_1,c} - v_{m_1,g1})\nonumber \\&\quad \times (v_{m_2,c} - v_{m_2,g2})]\nonumber \\&\quad = E[\epsilon v_{m_1,c}\epsilon v_{m_2,c}(v_{m_1,c} - v_{m_1,g1}) (v_{m_2,c} - v_{m_2,g2})]\nonumber \\&\quad = \frac{\epsilon ^2\kappa (k_c, k_{g1})\kappa (k_c, k_{g2})}{4}. \end{aligned}$$
(38)

The last step used the fact that \(v_{m_1,c}\) and \(v_{m_1,g1}\) are independent from \(v_{m_2,c}\) and \(v_{m_2,g2}\), and Lemma 3.

For \(m_1=m_2=m\), since \(E(r_m)=0\), \(E(r_m^2)=\sigma ^2\), we have

$$\begin{aligned}&E[(r_{m} + \epsilon v_{m,c})^2(v_{m,c} - v_{m,g1})(v_{m,c} - v_{m,g2})]\nonumber \\&\quad = \sigma ^2E[(v_{m,c} - v_{m,g1})(v_{m,c} - v_{m,g2})]\nonumber \\&\qquad +\, \epsilon ^2 E[(v_{m,c})^2(v_{m,c} - v_{m,g1})(v_{m,c} - v_{m,g2})]\nonumber \\&\quad = \sigma ^2 \kappa (k_c,k_{g1},k_{g2}) + \epsilon ^2 \kappa ^{**}(k_c,k_{g1},k_{g2}). \end{aligned}$$
(39)

Hence using (38) and (39), (37) becomes

$$\begin{aligned}&\hbox {Cov}(b_c - b_{g1}, b_c - b_{g2})\nonumber \\&\quad = \frac{1}{n^2 c_2} n [\sigma ^2 \kappa (k_c,k_{g1},k_{g2}) + \epsilon ^2 \kappa ^{**}(k_c,k_{g1},k_{g2})]\nonumber \\&\qquad +\, \frac{1}{n^2 c_2} n(n-1) \frac{\epsilon ^2\kappa (k_c, k_{g1})\kappa (k_c, k_{g2})}{4}\nonumber \\&\qquad - \,\frac{\epsilon ^2}{4 c_2} \kappa (k_c, k_{g1})\kappa (k_c, k_{g2})\nonumber \\&\quad = \frac{\sigma ^2}{n c_2}\left\{ \kappa (k_c,k_{g1},k_{g2})\right. \nonumber \\&\qquad \left. + \left( \frac{\epsilon }{\sigma }\right) ^2\left[ \kappa ^{**}(k_c,k_{g1},k_{g2}) - \frac{1}{4}\kappa (k_c, k_{g1})\kappa (k_c, k_{g2})\right] \right\} .\nonumber \\ \end{aligned}$$
(40)

Putting (36) and (40) into matrix form, the multivariate Central Limit Theorem results in the success rate formula (27). This finishes the proof of Theorem 3.

Proof of Lemma 3

$$\begin{aligned} \kappa (k_c,k_g)= & {} E[(V|k_c - V|k_g)^2] \\= & {} E[(V|k_c)^2] - 2 E[(V|k_c)(V|k_g)] + E[(V|k_g)^2]. \end{aligned}$$

By the Symmetric Keys Assumption, \(E[(V|k_c)^2]=E[(V|k_g)^2]\). So this becomes

$$\begin{aligned} \kappa (k_c,k_g)= & {} 2 E[(V|k_c)^2] - 2 E[(V|k_c)(V|k_g)] \\= & {} 2 E[(V|k_c)(V|k_c - V|k_g)]. \end{aligned}$$

That is, \(E[(V|k_c)(V|k_c - V|k_g)]=\kappa (k_c,k_g)/2\).

Cite this article

Fei, Y., Ding, A.A., Lao, J. et al. A statistics-based success rate model for DPA and CPA. J Cryptogr Eng 5, 227–243 (2015). https://doi.org/10.1007/s13389-015-0107-0
