1 Introduction
2 Leakage model
-
The attacker tries to find an n-bit subkey \(k_c\) of the S-Box computation in the first round of the block cipher. The input of this S-Box computation is of the form \(p_{w}\oplus k_c\) with plaintext inputs \(p_w\).
-
We have m measurements. m is a multiple of \(N={2^n}\), and all plaintext inputs \(p_w\) of this S-Box are equally distributed over these m measurements.
-
The side-channel measurement is a trace of a certain number of points. We assume that the key-dependent leakage occurs in just one point of time which is known to the attacker.
-
The measurement in this point of time is the sum of a deterministic signal and Gaussian noise. It can be written in the form\(\tilde{h}\) is a deterministic function that only depends on the input \(p_{w}\oplus k_c\) of the S-Box computation. \(\tilde{h}\) is completely known to the attacker. \(\tilde{\tau }_w\) describes the noise of the measurement. We assume that \(\tilde{\tau }_w\) are realizations of m independent random variables \(\tilde{T}_w\); each one is normally distributed with known expectation and variance. For ease of notation, we associate the sets \(\{0,1\}^n\) and \(\{0,1,\ldots ,N-1\}\) by the 2-adic representation of an integer. We further assume$$\begin{aligned} \tilde{b}_{w}=\tilde{h}(p_{w}\oplus k_c)+\tilde{\tau }_{w}.\end{aligned}$$$$\begin{aligned} E(\tilde{T}_w)= & {} 0, V(\tilde{T}_w)=\sigma ^2, \\&\sum _{z=0}^{N-1} \tilde{h}(z)=0, \sum _{z=0}^{N-1} \tilde{h}(z)^2=N \tilde{\delta }^2.\end{aligned}$$
-
We can calculate the mean value of all \(\tilde{b}_w\) with the same \(p_w\). In the representation of \(\tilde{b}_w\), this just reduces the variance of \(\tilde{T}_w\). Additionally, by applying a constant factor to each \(\tilde{b}_w\) we can normalize the representation of \(\tilde{b}_w\). To this end, we get a representation in the formwith$$\begin{aligned}b_{w}={h}(w\oplus k_c)+\tau _{w}, w=0,\ldots ,N-1\end{aligned}$$If we start with the representation of \(\tilde{b}_w\), the normalized representation \(b_w\) has parameter \(\delta \) with$$\begin{aligned} E(T_w){=}0, V(T_w){=}1, \sum _{z=0}^{N-1} h(z)=0, \sum _{z=0}^{N-1} h(z)^2{=}N \delta ^2.\end{aligned}$$$$\begin{aligned}\delta ^2=\frac{m}{N} \frac{\tilde{\delta }^2}{\sigma ^2}.\end{aligned}$$
3 An approximation of the success rate
-
If we start with the representation of \(\tilde{b}_w\), the success rate as computed by the second approximating formula only depends on$$\begin{aligned} \delta ^2=\frac{m}{N} \frac{\tilde{\delta }^2}{\sigma ^2}. \end{aligned}$$
-
The approximating formulas are only valid if the eigenvalues do not vary too much. As an extreme example, we can consider the case that only one eigenvalue is large, whereas the others can be neglected. Let \(\lambda _0> 0\) be this large eigenvalue. Then, \(A \cdot T\) is roughly distributed as \(\lambda _0 X_0v_0\). \(\hbox {Pr}(A \cdot T \in R)\) can be written as a one-dimensional integral over the random variable \(X_0\).
-
In our approach, we replaced the covariance matrix \(A^2\) by a diagonal matrix. In effect, we treated \(X_k\) as independent random variables.
-
\(\hbox {Pr}( T \in \tilde{R}) \ge \frac{1}{N}\) with equality for \(\delta =0\). The probability of \(\frac{1}{N}\) for \(\delta =0\) follows from the symmetry of the set \(\tilde{R}\).
4 More on the matrix A
5 Example: h depends on a single bit
6 Example: h depends on the Hamming weight of the input
7 Simulation results
\(\delta =0.1 \) | \(\delta =0.2 \) | \( \delta =0.3\) | |
---|---|---|---|
2nd approx. formula | 0.13 | 0.64 | 0.97 |
\(h=\delta (-1)^f\) | 0.12 | 0.62 | 0.96 |
\(h=\delta g\circ P\) | 0.12 | 0.62 | 0.96 |
Hamming weight formula | 0.07 | 0.33 | 0.69 |
\(h=\delta g\) | 0.07 | 0.33 | 0.69 |
\(\delta =0.2 \) | \(\delta =0.3 \) | \( \delta =0.4\) | |
---|---|---|---|
2nd approx. formula | 0.25 | 0.53 | 0.79 |
\(h=\delta (-1)^f\) | 0.24 | 0.50 | 0.75 |
\(h=\delta g\circ P\) | 0.24 | 0.50 | 0.75 |
Hamming weight formula | 0.17 | 0.34 | 0.55 |
\(h=\delta g\) | 0.17 | 0.34 | 0.55 |
\(\sigma =37.6\) | \(\sigma =26.6 \) | \(\sigma =21.6\) | |
---|---|---|---|
\(\delta =0.1\) | \(\delta =0.2 \) | \(\delta =0.3\) | |
Simulation | 0.07 | 0.33 | 0.70 |
Hamming weight formula | 0.07 | 0.33 | 0.69 |
\(\sigma =21.1\) | \(\sigma =14.8\) | \( \sigma =11.9\) | |
---|---|---|---|
\(\delta =0.1\) | \(\delta =0.2 \) | \( \delta =0.3\) | |
Simulation | 0.07 | 0.33 | 0.71 |
Hamming weight formula | 0.07 | 0.33 | 0.69 |
\(\sigma =37.6 \) | \(\sigma =26.6\) | \(\sigma =21.6 \) | |
---|---|---|---|
\( \delta =0.1 \) | \(\delta =0.2 \) | \(\delta =0.3 \) | |
Simulation | 0.13 | 0.62 | 0.96 |
2nd approx. formula | 0.13 | 0.64 | 0.97 |
\(\sigma =21.1\) | \(\sigma =14.8\) | \(\sigma =11.9 \) | |
---|---|---|---|
\(\delta =0.1\) | \(\delta =0.2\) | \( \delta =0.3 \) | |
Simulation | 0.12 | 0.62 | 0.96 |
2nd approx. formula | 0.13 | 0.64 | 0.97 |
8 Success rate in the case of masking
-
We have m measurements. m is a multiple of N, and all plaintext inputs \(p_w\) of this S-Box are equally distributed over these m measurements.
-
There are exactly two points of time when meaningful leakages occur. Both points of time are known to the attacker. One leakage is mask-dependent; the other one is key-dependent, but on the input of an S-Box computation.
-
The measurements can be written in the form\(\mu \) is a centralized form of the Hamming weight, i.e.,$$\begin{aligned} \tilde{b}'_{w}= & {} \mu (p_{w}\oplus k_c \oplus m_w)+\tilde{\tau }'_{w}\\ \tilde{b}''_{w}= & {} \mu (m_w)+\tilde{\tau }''_{w}. \end{aligned}$$\(\tilde{\tau }'_w\) and \(\tilde{\tau }''_{w}\) describe the noise of the measurement. We assume that \(\tilde{\tau }'_w\) and \(\tilde{\tau }''_{w}\) are realizations of 2m independent random variables \(\tilde{T}'_w\), \(\tilde{T}''_w\); each one is normally distributed with expectation 0 and variance \(\sigma ^2\). \(m_w\) describes the mask. \(m_w\) are the realizations of m independent uniformly distributed random variables \(M_w\) on \(\hbox {GF}(N)\).$$\begin{aligned}\mu (z)=(-1)^{z_1}+ \cdots +(-1)^{z_n}. \end{aligned}$$