Leakage assessment methodology

Abstract

Evoked by the increasing need to integrate side-channel countermeasures into security-enabled commercial devices, evaluation labs are seeking a standard approach that enables a fast, reliable and robust evaluation of the side-channel vulnerability of the given products. To this end, standardization bodies such as NIST intend to establish a leakage assessment methodology fulfilling these demands. One of such proposals is the Welch’s t test, which is being put forward by Cryptography Research Inc. and is able to relax the dependency between the evaluations and the device’s underlying architecture. In this work, we deeply study the theoretical background of the test’s different flavors and present a roadmap which can be followed by the evaluation labs to efficiently and correctly conduct the tests. More precisely, we express a stable, robust and efficient way to perform the tests at higher orders. Further, we extend the test to multivariate settings and provide details on how to efficiently and rapidly carry out such a multivariate higher-order test. Including a suggested methodology to collect the traces for these tests, we point out practical case studies where different types of t tests can exhibit the leakage of supposedly secure designs.

Appendices

Appendix 1: Necessary moments for up to 5th-order t tests

Below we consider \(\Delta =y-M_{1,\mathcal {Q}}\), where \(M_{1,\mathcal {Q}}\) denotes the first raw moment of \(\mathcal {Q}\), and y as the new element to construct \(\mathcal {Q}'=\mathcal {Q} \cup \{y\}\) with cardinality of n.

1.1 Central moments iterative

$$\begin{aligned} CS_{2,\mathcal {Q}'} =~&CS_{2,\mathcal {Q}} + \frac{\Delta ^2(n-1)}{n} \end{aligned}$$

(19)

$$\begin{aligned} CS_{3,\mathcal {Q}'} =~&CS_{3,\mathcal {Q}} - \frac{3\Delta }{n}CS_{2,\mathcal {Q}} \nonumber \\&+ \frac{\Delta ^3(n-1)((n-1)^2-1)}{n^3} \end{aligned}$$

(20)

$$\begin{aligned} CS_{4,\mathcal {Q}'} =~&CS_{4,\mathcal {Q}} - \frac{4\Delta }{n}CS_{3,\mathcal {Q}} + \frac{6\Delta ^2}{n^2}CS_{2,\mathcal {Q}}\nonumber \\&+ \frac{\Delta ^4(n-1)((n-1)^3+1)}{n^4} \end{aligned}$$

(21)

$$\begin{aligned} CS_{5,\mathcal {Q}'} =~&CS_{5,\mathcal {Q}} - \frac{5\Delta }{n}CS_{4,\mathcal {Q}}\nonumber \\&+ \frac{10\Delta ^2}{n^2}CS_{3,\mathcal {Q}} - \frac{10\Delta ^3}{n^3}CS_{2,\mathcal {Q}} \nonumber \\&+ \frac{\Delta ^5(n-1)((n-1)^4-1)}{n^5} \end{aligned}$$

(22)

$$\begin{aligned} CS_{6,\mathcal {Q}'} =~&CS_{6,\mathcal {Q}} - \frac{6\Delta }{n}CS_{5,\mathcal {Q}}\nonumber \\&+ \frac{15\Delta ^2}{n^2}CS_{4,\mathcal {Q}} - \frac{20\Delta ^3}{n^3}CS_{3,\mathcal {Q}} \nonumber \\&+ \frac{15\Delta ^4}{n^4}CS_{2,\mathcal {Q}} + \frac{\Delta ^6(n-1)((n-1)^5+1)}{n^6} \end{aligned}$$

(23)

$$\begin{aligned} CS_{7,\mathcal {Q}'} =~&CS_{7,\mathcal {Q}} - \frac{7\Delta }{n}CS_{6,\mathcal {Q}} \nonumber \\&+ \frac{21\Delta ^2}{n^2}CS_{5,\mathcal {Q}} - \frac{35\Delta ^3}{n^3}CS_{4,\mathcal {Q}} \nonumber \\&+ \frac{35\Delta ^4}{n^4}CS_{3,\mathcal {Q}} - \frac{21\Delta ^5}{n^5}CS_{2,\mathcal {Q}}\nonumber \\&+ \frac{\Delta ^7(n-1)((n-1)^6-1)}{n^7} \end{aligned}$$

(24)

$$\begin{aligned} CS_{8,\mathcal {Q}'} =~&CS_{8,\mathcal {Q}} - \frac{8\Delta }{n}CS_{7,\mathcal {Q}} + \frac{28\Delta ^2}{n^2}CS_{6,\mathcal {Q}}\nonumber \\&- \frac{56\Delta ^3}{n^3}CS_{5,\mathcal {Q}} + \frac{70\Delta ^4}{n^4}CS_{4,\mathcal {Q}}\nonumber \\&- \frac{56\Delta ^5}{n^5}CS_{3,\mathcal {Q}} + \frac{28\Delta ^6}{n^6}CS_{2,\mathcal {Q}} \nonumber \\&+ \frac{\Delta ^8(n-1)((n-1)^7+1)}{n^8} \end{aligned}$$

(25)

$$\begin{aligned} CS_{9,\mathcal {Q}'} =~&CS_{9,\mathcal {Q}} - \frac{9\Delta }{n}CS_{8,\mathcal {Q}} + \frac{36\Delta ^2}{n^2}CS_{7,\mathcal {Q}} \nonumber \\&- \frac{84\Delta ^3}{n^3}CS_{6,\mathcal {Q}} + \frac{126\Delta ^4}{n^4}CS_{5,\mathcal {Q}} \nonumber \\&- \frac{126\Delta ^5}{n^5}CS_{4,\mathcal {Q}} + \frac{84\Delta ^6}{n^6}CS_{3,\mathcal {Q}} \nonumber \\&- \frac{36\Delta ^7}{n^7}CS_{2,\mathcal {Q}} + \frac{\Delta ^9(n-1)((n-1)^8-1)}{n^9} \end{aligned}$$

(26)

$$\begin{aligned} CS_{10,\mathcal {Q}'}=~&CS_{10,\mathcal {Q}} - \frac{10\Delta }{n}CS_{9,\mathcal {Q}} + \frac{45\Delta ^2}{n^2}CS_{8,\mathcal {Q}}\nonumber \\&- \frac{120\Delta ^3}{n^3}CS_{7,\mathcal {Q}} + \frac{210\Delta ^4}{n^4}CS_{6,\mathcal {Q}}\nonumber \\&- \frac{252\Delta ^5}{n^5}CS_{5,\mathcal {Q}} + \frac{210\Delta ^6}{n^6}CS_{4,\mathcal {Q}} \nonumber \\&- \frac{120\Delta ^7}{n^7}CS_{3,\mathcal {Q}}+ \frac{45\Delta ^8}{n^8}CS_{2,\mathcal {Q}} \nonumber \\&+ \frac{\Delta ^{10}(n-1)((n-1)^9+1)}{n^{10}} \end{aligned}$$

(27)

At any time, central moments can be computed as \(CM_{d}=\displaystyle {\frac{CS_{d}}{n}}\). Note that if a single variable is used for \(CS_{p,\mathcal {Q}'}\) and \(CS_{p,\mathcal {Q}}\) in the underlying computer-executable code, the order of executions should be backwards from Eqs. 27 to 19.

1.2 Central moments from the raw moments

$$\begin{aligned} CM_2 =~&M_2 - {M_1}^2 \end{aligned}$$

(28)

$$\begin{aligned} CM_3 =~&M_3 - 3\,M_2\,M_1 + 2\,{M_1}^3 \end{aligned}$$

(29)

$$\begin{aligned} CM_4 =~&M_4 - 4\,M_3\,M_1 + 6\,M_2\,{M_1}^2 - 3\,{M_1}^4 \end{aligned}$$

(30)

$$\begin{aligned} CM_5 =~&M_5 - 5\,M_4\,M_1 + 10\,M_3\,{M_1}^2 - 10\,M_2\,{M_1}^3\nonumber \\&+ 4\,{M_1}^5 \end{aligned}$$

(31)

$$\begin{aligned} CM_6 =~&M_6 - 6\,M_5\,M_1 + 15\,M_4\,{M_1}^2 - 20\,M_3\,{M_1}^3\nonumber \\&+ 15\,M_2\,{M_1}^4 - 5\,{M_1}^6 \end{aligned}$$

(32)

$$\begin{aligned} CM_7 =~&M_7 - 7\,M_6\,M_1 + 21\,M_5\,{M_1}^2 - 35\,M_4\,{M_1}^3\nonumber \\&+ 35\,M_3\,{M_1}^4 - 21\,M_2\,{M_1}^5 + 6\,{M_1}^7 \end{aligned}$$

(33)

$$\begin{aligned} CM_8 =~&M_8 - 8\,M_7\,M_1 + 28\,M_6\,{M_1}^2 - 56\,M_5\,{M_1}^3\nonumber \\&+ 70\,M_4\,{M_1}^4 - 56\,M_3\,{M_1}^5 + 28\,M_2\,{M_1}^6\nonumber \\&- 7\,{M_1}^8 \end{aligned}$$

(34)

$$\begin{aligned} CM_9 =~&M_9 - 9\,M_8\,M_1 + 36\,M_7\,{M_1}^2 - 84\,M_6\,{M_1}^3\nonumber \\&+ 126\,M_5\,{M_1}^4 - 126\,M_4\,{M_1}^5 + 84\,M_3\,{M_1}^6\nonumber \\&- 36\,M_2\,{M_1}^7 + 8\,{M_1}^9 \end{aligned}$$

(35)

$$\begin{aligned} CM_{10} =~&M_{10} - 10\,M_9\,M_1 + 45\,M_8\,{M_1}^2 - 120\,M_7\,{M_1}^3\nonumber \\&+ 210\,M_6\,{M_1}^4 - 252\,M_5\,{M_1}^5 + 210\,M_4\,{M_1}^6\nonumber \\&- 120\,M_3\,{M_1}^7 + 45\,M_2\,{M_1}^8 - 9\,{M_1}^{10} \end{aligned}$$

(36)

1.3 Mean and variance for each t test

$$\begin{aligned}&\mathrm {(1st~order)}~~~\mu =~ M_1,&\quad s^2 =~&CM_2 \end{aligned}$$

(37)

$$\begin{aligned}&\mathrm {(2nd~order)}~~~\mu =~ CM_2,&\quad s^2 =~&CM_4 - {CM_2}^2 \end{aligned}$$

(38)

$$\begin{aligned}&\mathrm {(3rd~order)}~~~\mu =~ SM_3=\frac{CM_{3}}{\big (\sqrt{CM_2}\big )^3},&\quad s^2 =~&\frac{CM_6 - {CM_3}^2}{{CM_2}^3}\nonumber \\ \end{aligned}$$

(39)

$$\begin{aligned}&\mathrm {(4th~order)}~~~\mu =~ SM_4=\frac{CM_{4}}{\big (\sqrt{CM_2}\big )^4},&\quad s^2 =~&\frac{CM_8 - {CM_4}^2}{{CM_2}^4}\nonumber \\ \end{aligned}$$

(40)

$$\begin{aligned}&\mathrm {(5th~order)}~~~\mu =~ SM_5=\frac{CM_{5}}{\big (\sqrt{CM_2}\big )^5},&\quad s^2 =~&\frac{CM_{10} - {CM_5}^2}{{CM_2}^5}\nonumber \\ \end{aligned}$$

(41)

Appendix 2: Necessary formulas for a bivariate second-order t tests

In the following we give the necessary formulas to compute a bivariate second-order t test for exemplary sample points \(\mathcal {J} = \{1,2\}\). We denote the two sample points of the new trace by tuple \((y^{(1)} , y^{(2)})\) to be added to the trace set as \(\mathcal {Q}' = \mathcal {Q}\cup \{(y^{(1)} , y^{(2)})\}\) with cardinality of n. We also consider \(\Delta ^{(j\in \mathcal {J})} = y^{(j)} - \mu _{\mathcal {Q}}^{(j)}\), with \(\mu _{\mathcal {Q}}^{(j)}\) as the mean of the set \(\mathcal {Q}\) at sample point j.

$$\begin{aligned} C_{2,\mathcal {Q}',\{1,1\}} =~&C_{2,\mathcal {Q},\{1,1\}} + \frac{\Delta ^{(1)}\Delta ^{(1)}(n-1)}{n} \end{aligned}$$

(42)

$$\begin{aligned} C_{2,\mathcal {Q}',\{1,2\}} =~&C_{2,\mathcal {Q},\{1,2\}} + \frac{\Delta ^{(1)}\Delta ^{(2)}(n-1)}{n} \end{aligned}$$

(43)

$$\begin{aligned} C_{2,\mathcal {Q}',\{2,2\}} =~&C_{2,\mathcal {Q},\{2,2\}} + \frac{\Delta ^{(2)}\Delta ^{(2)}(n-1)}{n} \end{aligned}$$

(44)

$$\begin{aligned} C_{3,\mathcal {Q}',\{1,2,1\}} =~&C_{3,\mathcal {Q},\{1,2,1\}} - 2\,C_{2,\mathcal {Q},\{1,2\}}\frac{\Delta ^{(1)}}{n}\nonumber \\&- C_{2,\mathcal {Q},\{1,1\}}\frac{\Delta ^{(2)}}{n}\nonumber \\&+ \frac{\Delta ^{(1)}\Delta ^{(2)}\Delta ^{(1)}\left( n^2 - 3n + 2\right) }{n^2} \end{aligned}$$

(45)

$$\begin{aligned} C_{3,\mathcal {Q}',\{1,2,2\}} =~&C_{3,\mathcal {Q},\{1,2,2\}} - 2\,C_{2,\mathcal {Q},\{1,2\}}\frac{\Delta ^{(2)}}{n}\nonumber \\&- C_{2,\mathcal {Q},\{2,2\}}\frac{\Delta ^{(1)}}{n}\nonumber \\&+ \frac{\Delta ^{(1)}\Delta ^{(2)}\Delta ^{(2)}\left( n^2 - 3n + 2\right) }{n^2} \end{aligned}$$

(46)

$$\begin{aligned} C_{4,\mathcal {Q}',\{1,2,1,2\}}&= C_{4,\mathcal {Q},\{1,2,1,2\}} - 2\,C_{3,\mathcal {Q},\{1,2,1\}}\frac{\Delta ^{(2)}}{n}\nonumber \\&\quad - 2\,C_{3,\mathcal {Q},\{1,2,2\}}\frac{\Delta ^{(1)}}{n} + C_{2,\mathcal {Q},\{1,1\}}\frac{\Delta ^{(2)}\Delta ^{(2)}}{n^2}\nonumber \\&\quad + 4\,C_{2,\mathcal {Q},\{1,2\}}\frac{\Delta ^{(1)}\Delta ^{(2)}}{n^2}\nonumber \\&\quad + C_{2,\mathcal {Q},\{2,2\}}\frac{\Delta ^{(1)}\Delta ^{(1)}}{n^2}\nonumber \\&\quad + \frac{\Delta ^{(1)}\Delta ^{(2)}\Delta ^{(1)}\Delta ^{(2)}\left( n^3 - 4n^2 + 6n - 3\right) }{n^3} \end{aligned}$$

(47)

In this scenario, \(\mu = \displaystyle {\frac{C_{2,\mathcal {Q}',\{1,2\}}}{n}}\) corresponds to the first parameter and \(s^2~=~\displaystyle {\frac{C_{4,\mathcal {Q}',\{1,2,1,2\}}}{n}}-\mu ^2\) to the second parameter of a bivariate second-order t test.

Appendix 3: Pseudo-code of the protected AES (DPA contest v4.2)

See Fig. 5.

Appendix 4: NLFSR

Fig. 5

Architecture of the second-order TI of the NLFSR