Abstract
Collision side-channel attacks are effective attacks against cryptographic implementations; however, the optimality and efficiency of collision side-channel attacks are open questions. In this paper, we show that collision side-channel attacks can be derived using the maximum likelihood principle when the distribution of the values of the leakage function is known. This allows us to exhibit the optimal collision side-channel attack and its efficient computation. Finally, we can compute an upper bound for the success rate of the optimal post-processing strategy, and we show that our method and the optimal strategy have success rates close to each other. Attackers can benefit from our method as we present an efficient collision side-channel attack. Evaluators can benefit from our method as we present a tight upper bound for the success rate of the optimal strategy.
Notes
- 1.
- 2.
The derivation is based on the following equation with statistically independent K and \(\phi \):
$$P(K=k|X=x) =\sum _{\varphi }\frac{P\left( X=x|(K=k,\phi =\varphi )\right) \times P(K=k)\times P(\phi =\varphi )}{P(X=x)}. $$
Without knowing the distribution \(P(\phi )\) of the leakage function values we cannot derive an optimal distinguisher using the maximum likelihood principle.
- 3.
The minus 1 comes from the equivalence of the keys when xor-ing any fixed value with each subkey.
- 4.
The random space exploration algorithm can be seen as a repeated execution of variant 1 of Wiemers' and Klein's algorithm with \(W=1\); the details of the algorithm are given in [14]. While the algorithm of Wiemers and Klein was designed for entropy reduction of collision attacks, the target of the random space exploration algorithm was to enable the investigation of the limits of success rates for collision attacks. To sum up, the differences between Wiemers' and Klein's algorithm and the random space exploration algorithm are:
- the repetition of the execution of variant 1 with \(W=1\) instead of one run with \(W>1\),
- randomized order of S-boxes on each run instead of the fixed order,
- the output of only one candidate instead of a list of \(W>1\) candidates,
- the use of the \({D}_{opt.fun.gauss}\) distinguisher instead of a sum of correlation coefficients.
- 5.
Algorithm 1 with \(max\_tries=128\) and the variant 1 of Wiemers’ and Klein’s algorithm with \(W=128\) visit almost the same number of nodes of the search tree/trees. These settings allow meaningful performance comparison of the two algorithms.
- 6.
In our experiments, using only the highest ranked solution or testing all solutions has only a small impact on the success rate of the method.
- 7.
In our experiments this setting provides the highest success rate compared to the other methods described in the paper of Gérard and Standaert, i.e. Euclidean distance vs. correlation coefficient and normalization vs. Bayesian extension. The Bayesian extension is a boost for score combination, but its derivation uses the Fisher transform, which is an asymptotic tool. Thus, the Bayesian extension can be counterproductive for attacks which use a small number of traces, such as \(2^8\).
- 8.
In more detail, for each experiment we draw a new leakage function \(\varphi \) randomly according to the following rule: for each \(u \in \{0, ... ,255\}\) assign to \(\varphi (u)\) a value selected randomly according to the binomial distribution of 8-bit Hamming weights.
- 9.
When testing all elements in \(B_{16}\) we obtain respectively success rates 0.7808 and 0.7824.
- 10.
Wiemers and Klein give in [14] an approximate lower bound value of 1.2 for \(\tau =\frac{b-a}{\sigma _{c}}\) for variant 2 of their algorithm in the special case of a remaining entropy value of 0. This bound is also valid when the distinguisher \({D}_{opt.fun.gauss}\) is used. We calculated the means a and b and the variance \(\sigma _{c}^{2}\) of the scalar products \(c_{l_1,l_2}(k^{(l_1)},k^{(l_{2})})=\sum _{q=0}^{255} (x_{q\oplus k^{(l_{1})}}^{(l_{1})}\times x_{q\oplus k^{(l_{2})}}^{(l_{2})})\) for AES-128, Hamming weight leakage and noise variance \(\sigma ^{2}\). Using \(\delta =k^{(l_{1})}\oplus k^{(l_{2})}\), \(a(\delta )\in [3978,4192]\) for all \(\delta \ne 0\), \(b=a(0)=4608\), \(\sigma _{c}^{2}=\sigma ^2(2b+256\sigma ^2)\), and \(\tau =1.2\), we obtained values for the variance \(\sigma ^2\) ranging from 10.2 (for \(a=4192\)) to 19.4 (for \(a=3978\)). Even the smaller of these approximate values does not agree with our upper bound.
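The computation in note 10, reproduced as an added example (not the paper's own code): it generates the AES S-box, evaluates the noise-free scalar products \(a(\delta)\) and \(b=a(0)\) under Hamming-weight leakage, and solves \(\tau=(b-a)/\sigma_c\) with \(\sigma_c^2=\sigma^2(2b+256\sigma^2)\) for \(\sigma^2\). Reading \(x_p^{(l)}\) as the Hamming weight of the S-box output is an assumption; the function names are ours.

```python
# Added example: recompute the quantities of note 10 for AES-128 under a
# Hamming-weight leakage model (assumed: x = HW(S-box output)) and solve
# tau = (b - a) / sigma_c for the noise variance sigma^2.
import math


def rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def aes_sbox():
    """Generate the AES S-box from its definition: inverse in GF(2^8), then affine map."""
    sbox = [0] * 256
    p = q = 1  # loop invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                               # q /= 3 (i.e. q *= 0xF6)
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; the affine map sends it to 0x63
    return sbox


def hw(v):
    return bin(v).count("1")


def mean_scalar_product(sbox, delta):
    """Noise-free value of c_{l1,l2} when the two key guesses differ by delta:
    a(delta) = sum_u HW(S(u)) * HW(S(u ^ delta)); b = a(0)."""
    return sum(hw(sbox[u]) * hw(sbox[u ^ delta]) for u in range(256))


def a_range(sbox):
    """(min, max) of a(delta) over delta != 0; the note reports [3978, 4192]."""
    vals = [mean_scalar_product(sbox, d) for d in range(1, 256)]
    return min(vals), max(vals)


def noise_variance_for_tau(b, a, tau):
    """Positive root of tau^2 * s * (2b + 256 s) = (b - a)^2, i.e. sigma^2 = s."""
    t2 = tau * tau
    return (-b * t2 + math.sqrt(b * b * t2 * t2 + 256 * t2 * (b - a) ** 2)) / (256 * t2)


if __name__ == "__main__":
    S = aes_sbox()
    b = mean_scalar_product(S, 0)
    lo, hi = a_range(S)
    print(f"b = {b}, a(delta) in [{lo}, {hi}]")
    for a in (hi, lo):
        print(f"a = {a}: sigma^2 = {noise_variance_for_tau(b, a, 1.2):.1f}")
```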
References
Bogdanov, A.: Improved side-channel collision attacks on AES. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 84–95. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77360-3_6
Bogdanov, A.: Multiple-differential side-channel collision attacks on AES. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 30–44. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85053-3_3
Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28632-5_2
Bruneau, N., Carlet, C., Guilley, S., Heuser, A., Prouff, E., Rioul, O.: Stochastic collision attack. IEEE Trans. Inform. Forensics Secur. 12(9), 2090–2104 (2017). https://doi.org/10.1109/TIFS.2017.2697401
Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_3
Durvaux, F., Standaert, F.-X., Veyrat-Charvillon, N.: How to certify the leakage of a chip? In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 459–476. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_26
Gérard, B., Standaert, F.: Unified and optimized linear collision attacks and their application in a non-profiled setting: extended version. J. Cryptogr. Eng. 3(1), 45–58 (2013). https://doi.org/10.1007/s13389-013-0051-9
Joye, M., Quisquater, J.-J. (eds.): CHES 2004. LNCS, vol. 3156. Springer, Heidelberg (2004). https://doi.org/10.1007/b99451
Martin, D.P., O’Connell, J.F., Oswald, E., Stam, M.: Counting keys in parallel after a side channel attack. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part II. LNCS, vol. 9453, pp. 313–337. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_13
Moradi, A., Mischke, O., Eisenbarth, T.: Correlation-enhanced power analysis collision attack. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 125–139. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15031-9_9
Schindler, W., Lemke, K., Paar, C.: A stochastic model for differential side channel cryptanalysis. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 30–46. Springer, Heidelberg (2005). https://doi.org/10.1007/11545262_3
Schramm, K., Leander, G., Felke, P., Paar, C.: A collision-attack on AES. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 163–175. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28632-5_12
Standaert, F.-X., Malkin, T.G., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 443–461. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_26
Wiemers, A., Klein, D.: Entropy reduction for the correlation-enhanced power analysis collision attack. In: Inomata, A., Yasuda, K. (eds.) IWSEC 2018. LNCS, vol. 11049, pp. 51–67. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-97916-8_4
Acknowledgments
The authors thank Wolfgang Thumser, Telekom Security for fruitful discussions on the notion of optimality of collision side-channel attacks.
© 2020 Springer Nature Switzerland AG
Cite this paper
Glowacz, C., Grosso, V. (2020). Optimal Collision Side-Channel Attacks. In: Belaïd, S., Güneysu, T. (eds) Smart Card Research and Advanced Applications. CARDIS 2019. Lecture Notes in Computer Science(), vol 11833. Springer, Cham. https://doi.org/10.1007/978-3-030-42068-0_8
DOI: https://doi.org/10.1007/978-3-030-42068-0_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-42067-3
Online ISBN: 978-3-030-42068-0