Published in: Cryptography and Communications 1/2018

20.07.2017

On the optimality and practicability of mutual information analysis in some scenarios

Authors: Éloi de Chérisey, Sylvain Guilley, Annelie Heuser, Olivier Rioul


Abstract

The best possible side-channel attack maximizes the success rate and would correspond to a maximum likelihood (ML) distinguisher if the leakage probabilities were totally known or accurately estimated in a profiling phase. When profiling is unavailable, however, it is not clear whether Mutual Information Analysis (MIA), Correlation Power Analysis (CPA), or Linear Regression Analysis (LRA) would be the most successful in a given scenario. In this paper, we show that MIA coincides with the maximum likelihood expression when leakage probabilities are replaced by online estimated probabilities. Moreover, we show that the calculation of MIA is lighter than the computation of the maximum likelihood. We then exhibit two case studies where MIA outperforms CPA. One case is when the leakage model is known but the noise is not Gaussian. The second case is when the leakage model is partially unknown and the noise is Gaussian. In the latter scenario, MIA is more efficient than LRA of any order.


Footnotes
1
Obviously, this hypothesis only holds provided the device manufacturer does not reuse the same cryptographic engine in an open platform, such as a JavaCard, where the user is able to call the cryptographic API at will.
 
2
We comply with the usual notations of [7] where offline quantities are indicated with a hat, whereas online quantities are indicated with a tilde. In this paper, there is no profiling phase hence no offline quantities.
 
3
We use bold letters to indicate vectors while scalars are presented using small italic letters.
 
4
In order to uniquely distinguish the correct key, some conditions on the expressions of y are required. Specifically, let us denote by \(y_k\) the function \(t \mapsto y_k(t) = y(k,t)\), and let \(\mathcal{B}\) be the set of bijections on the leakage space \(\mathcal{X}\). We have:
$$\begin{array}{@{}rcl@{}} \text{if }\forall k, \exists k^{\prime}\neq k, &\ \ \ & \exists \beta\in\mathcal{B} \text{ s.t. } y_{k^{\prime}} = \beta \circ y_{k}, \quad \text{then the distinguisher features a } \text{tie}, \end{array} $$
(3)
$$\begin{array}{@{}rcl@{}} \text{if }\forall k, \forall k^{\prime}\neq k, &\ \ \ & \exists \beta\in\mathcal{B} \text{ s.t. } y_{k^{\prime}} = \beta \circ y_{k}, \quad \text{then the distinguisher is } \text{not\ sound} . \end{array} $$
(4)
Indeed, in (3), there is no way for the distinguisher to tell \(k\) from \(k^{\prime}\), and in (4), the distinguisher yields the same value for all the key guesses.
We refer the interested reader to the work done in [24, Sec. 3]. We note that \(y_i = k \oplus t_i\) does not lead to a sound distinguisher, as for all \(k^{\prime}\), \(x \mapsto x \oplus k^{\prime}\) is bijective, and maps \(y_k\) to \(y_{k\oplus k^{\prime}}\). On the contrary, there is no bijection \(\beta\) such that for all \(t\), \(w_H(k \oplus t) = \beta(w_H(k \oplus k^{\prime} \oplus t))\). So the choice \(y_i = w_H(k \oplus t_i)\) is sound.
 
5
Some side-channels are discrete by nature, such as the timing measurements (measured in units of clock period). In addition, oscilloscopes or data acquisition appliances rely on ADCs (Analog to Digital Converters), which usually sample a continuous signal into a sequence of integers, most of the time represented on 8 bits (hence \(\mathcal {X}={\mathbb {F}_{2}^{8}}\)).
 
6
Universal, in the information theoretic sense of the word, means: computed from the available data without prior information.
 
7
In practice, logarithms require a high computational power, hence the number of calls to this function shall be minimized.
 
8
The least significant bit \(S_0\) of the PRESENT Sbox \(S\) is not suitable because one has \(\forall z \in \mathbb{F}_2^4\), \(S_0(z) = S_0(z \oplus \texttt{0x9}) = \neg S_0(z \oplus \texttt{0x1}) = \neg S_0(z \oplus \texttt{0x8})\). As in (3) of footnote 4, ties occur: it is not possible to distinguish \(k\), \(k \oplus \texttt{0x9}\), \(k \oplus \texttt{0x1}\), \(k \oplus \texttt{0x8}\) (the corresponding bijections are respectively \(x \mapsto x\) and \(x \mapsto 1 - x\)). Therefore, we consider component 1 instead of 0, which does not satisfy such relationships.
 
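The tie conditions (3) and (4) of footnote 4 and the PRESENT Sbox component check of footnote 8 can be verified mechanically. The following is an added example, not code from the paper: it tests whether two key hypotheses are related by a bijection on the leakage space, and applies the test to the Sbox bit models, a Hamming-weight-of-Sbox model, and the plain XOR model; the model functions are assumptions chosen to exercise the check, and the PRESENT Sbox table is the public one.

```python
"""Tie check for a leakage model (footnotes 4 and 8). Added example, not
code from the paper. Keys k, k' tie when a bijection beta on the leakage
space gives y_k'(t) = beta(y_k(t)) for all t (condition (3)); the model is
not sound when every k' ties with every k (condition (4)). The PRESENT
Sbox table is public; the model functions are assumptions for the check."""
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def related_by_bijection(y_k, y_kp, inputs):
    """True iff some bijection beta has y_kp(t) == beta(y_k(t)) for all t:
    over a finite input set, the pairs (y_k(t), y_kp(t)) must define a map
    that is well defined and injective."""
    fwd, bwd = {}, {}
    for t in inputs:
        a, b = y_k(t), y_kp(t)
        if fwd.setdefault(a, b) != b or bwd.setdefault(b, a) != a:
            return False
    return True

def ties_for_key(model, k, n_bits=4):
    """Hypotheses k' != k that tie with k under the model y(k, t)."""
    inputs = range(1 << n_bits)
    return {kp for kp in inputs if kp != k and related_by_bijection(
        lambda t: model(k, t), lambda t: model(kp, t), inputs)}

def features_tie(model, n_bits=4):
    """Condition (3): every key has at least one indistinguishable k'."""
    return all(ties_for_key(model, k, n_bits) for k in range(1 << n_bits))

def is_sound(model, n_bits=4):
    """Negation of condition (4): some key does not tie with all others."""
    n = 1 << n_bits
    return any(len(ties_for_key(model, k, n_bits)) < n - 1 for k in range(n))

def sbox_bit(i):
    """Component bit i of the PRESENT Sbox: y(k, t) = S_i(k xor t)."""
    return lambda k, t: (PRESENT_SBOX[k ^ t] >> i) & 1

def sbox_hw(k, t):
    """Hamming weight of the Sbox output: y(k, t) = w_H(S(k xor t))."""
    return bin(PRESENT_SBOX[k ^ t]).count("1")

def xor_only(k, t):
    """y = k xor t, the unsound choice of footnote 4: every k' ties."""
    return k ^ t
```

For `sbox_bit(0)` the check returns the ties {0x1, 0x8, 0x9} for each key, matching footnote 8, while `sbox_bit(1)` and `sbox_hw` produce no ties and `xor_only` ties every key with every other.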
References
1. Brier, É., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: CHES, volume 3156 of LNCS, pp. 16–29. Springer, Cambridge (2004)
2. Carbone, M., Tiran, S., Ordas, S., Agoyan, M., Teglia, Y., Ducharme, G. R., Maurine, P.: On adaptive bandwidth selection for efficient MIA. In: Prouff [15], pp. 82–97
3. Casella, G., Berger, R. L.: Statistical inference. Duxbury Press, second edition. ISBN-10: 0534243126, ISBN-13: 978-0534243128 (2002)
4. Chari, S., Rao, J. R., Rohatgi, P.: Template attacks. In: CHES, volume 2523 of LNCS, pp. 13–28. Springer, Redwood City (2002)
6. Doget, J., Prouff, E., Rivain, M., Standaert, F.-X.: Univariate side channel attacks and leakage modeling. J. Cryptogr. Eng. 1(2), 123–144 (2011)
7. Durvaux, F., Standaert, F.-X., Veyrat-Charvillon, N.: How to certify the leakage of a chip? In: Nguyen, P. Q., Oswald, E. (eds.) Advances in Cryptology - EUROCRYPT 2014 - 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11-15, 2014. Proceedings, volume 8441 of Lecture Notes in Computer Science, pp. 459–476. Springer (2014)
8. Gierlichs, B., Batina, L., Tuyls, P., Preneel, B.: Mutual information analysis. In: CHES, 10th International Workshop, volume 5154 of Lecture Notes in Computer Science, pp. 426–442. Springer, Washington, D.C. (2008)
9. Heuser, A., Kasper, M., Schindler, W., Stöttinger, M.: A new difference method for side-channel analysis with high-dimensional leakage models. In: Dunkelman, O. (ed.) CT-RSA, volume 7178 of Lecture Notes in Computer Science, pp. 365–382. Springer (2012)
10. Heuser, A., Rioul, O., Guilley, S.: Good is not good enough - deriving optimal distinguishers from communication theory. In: Batina, L., Robshaw, M. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2014 - 16th International Workshop, Busan, South Korea, September 23-26, 2014. Proceedings, volume 8731 of Lecture Notes in Computer Science, pp. 55–74. Springer (2014)
11. Lomné, V., Prouff, E., Roche, T.: Behind the scene of side channel attacks. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT (1), volume 8269 of Lecture Notes in Computer Science, pp. 506–525. Springer (2013)
12. Matsuda, S., Moriai, S.: Lightweight cryptography for the cloud: exploit the power of bitslice implementation. In: Prouff, E., Schaumont, P. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2012 - 14th International Workshop, Leuven, Belgium, September 9-12, 2012. Proceedings, volume 7428 of LNCS, pp. 408–425. Springer (2012)
13. Moradi, A., Mousavi, N., Paar, C., Salmasizadeh, M.: A comparative study of mutual information analysis under a Gaussian assumption. In: WISA (Information Security Applications, 10th International Workshop), volume 5932 of Lecture Notes in Computer Science, pp. 193–205. Springer, August 25-27, Busan, Korea (2009)
14. De Mulder, E., Gierlichs, B., Preneel, B., Verbauwhede, I.: Practical DPA attacks on MDPL. In: 1st IEEE International Workshop on Information Forensics and Security, WIFS 2009, London, UK, December 6-9, 2009, pp. 191–195. IEEE (2009)
15. Prouff, E. (ed.): Constructive Side-Channel Analysis and Secure Design - 5th International Workshop, COSADE 2014, Paris, France, April 13-15, 2014, Revised Selected Papers, volume 8622 of Lecture Notes in Computer Science. Springer (2014)
16. Prouff, E., Rivain, M.: Theoretical and practical aspects of mutual information-based side channel analysis. Int. J. Appl. Crypt. (IJACT) 2(2), 121–138 (2010)
17. Rebeiro, C., Selvakumar, A. D., Devi, A. S. L.: Bitslice implementation of AES. In: Pointcheval, D., Mu, Y., Chen, K. (eds.) Cryptology and Network Security, 5th International Conference, CANS 2006, Suzhou, China, December 8-10, 2006, Proceedings, volume 4301 of Lecture Notes in Computer Science, pp. 203–212. Springer (2006)
18. Reparaz, O., Gierlichs, B., Verbauwhede, I.: Generic DPA attacks: Curse or blessing? In: Prouff [15], pp. 98–111
19. Standaert, F.-X., Malkin, T., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: EUROCRYPT, volume 5479 of LNCS, pp. 443–461. Springer, Cologne (2009)
20. Veyrat-Charvillon, N., Standaert, F.-X.: Mutual information analysis: how, when and why? In: Clavier, C., Gaj, K. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2009, 11th International Workshop, Lausanne, Switzerland, September 6-9, 2009, Proceedings, volume 5747 of Lecture Notes in Computer Science, pp. 429–443. Springer (2009)
21. Whitnall, C., Oswald, E.: A comprehensive evaluation of mutual information analysis using a fair evaluation framework. In: Rogaway, P. (ed.) CRYPTO, volume 6841 of Lecture Notes in Computer Science, pp. 316–334. Springer (2011)
22. Whitnall, C., Oswald, E.: A fair evaluation framework for comparing side-channel distinguishers. J. Crypt. Eng. 1(2), 145–160 (2011)
23. Whitnall, C., Oswald, E., Mather, L.: An exploration of the Kolmogorov-Smirnov test as a competitor to mutual information analysis. In: Prouff, E. (ed.) CARDIS, volume 7079 of Lecture Notes in Computer Science, pp. 234–251. Springer (2011)
24. Whitnall, C., Oswald, E., Standaert, F.-X.: The myth of generic DPA ... and the magic of learning. In: Benaloh, J. (ed.) CT-RSA, volume 8366 of Lecture Notes in Computer Science, pp. 183–205. Springer (2014)
Metadata
Title
On the optimality and practicability of mutual information analysis in some scenarios
Authors
Éloi de Chérisey
Sylvain Guilley
Annelie Heuser
Olivier Rioul
Publication date
20.07.2017
Publisher
Springer US
Published in
Cryptography and Communications / Issue 1/2018
Print ISSN: 1936-2447
Electronic ISSN: 1936-2455
DOI
https://doi.org/10.1007/s12095-017-0241-x