Journal of Cryptographic Engineering

, Volume 5, Issue 4, pp 255–267 | Cite as

The bias–variance decomposition in profiled attacks

  • Liran Lerman
  • Gianluca Bontempi
  • Olivier Markowitch
Regular Paper


The profiled attacks challenge the security of cryptographic devices in the worst case scenario. We elucidate the reasons underlying the success of different profiled attacks (that depend essentially on the context) based on the well-known bias–variance tradeoff developed in the machine learning field. Note that our approach can easily be extended to non-profiled attacks. We show (1) how to decompose (in three additive components) the error rate of an attack based on the bias–variance decomposition, and (2) how to reduce the error rate of a model based on the bias–variance diagnostic. Intuitively, we show that different models having the same error rate require different strategies (according to the bias–variance decomposition) to reduce their errors. More precisely, the success rate of a strategy depends on several criteria such as its complexity, the leakage information and the number of points per trace. As a result, a suboptimal strategy in a specific context can lead the adversary to overestimate the security level of the cryptographic device. Our results also bring warnings related to the estimation of the success rate of a profiled attack that can lead the evaluator to underestimate the security level. In brief, certify that a chip leaks (or not) sensitive information represents a hard if not impossible task.


Side-channel attack Bias–variance decomposition  Profiled attack Machine learning Stochastic attack  Template attack 


  1. 1.
    Bartkewitz, T., Lemke-Rust, K.: Efficient template attacks based on probabilistic multi-class support vector machines. In: Mangard, S. (ed.) CARDIS, LNCS, vol. 7771, pp. 263–276. Springer (2012)Google Scholar
  2. 2.
    Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer, New York (1993)zbMATHCrossRefGoogle Scholar
  3. 3.
    Breiman, L.: Bagging predictors. Technical report, Department of Statistics, University of California (1995)Google Scholar
  4. 4.
    Breiman, L.: Arcing classifiers. Technical report, Department of Statistics, University of California (1996)Google Scholar
  5. 5.
    Breiman, L.: Randomizing outputs to increase prediction accuracy. Mach. Learn. 40(3), 229–242 (2000)zbMATHCrossRefGoogle Scholar
  6. 6.
    Breiman, L.: Random forests. Mach. Learn. 45, 5–32 (2001)zbMATHCrossRefGoogle Scholar
  7. 7.
    Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (ed.) CHES, LNCS, vol. 2523, pp. 13–28. Springer (2002)Google Scholar
  8. 8.
    Cortes, C., Vapnik, V.: Support-vector networks. Mach. Learn. 20(3), 273–297 (1995)zbMATHGoogle Scholar
  9. 9.
    Dietterich, T.G., Kong, E.B.: Machine learning bias, statistical bias, and statistical variance of decision tree algorithms. Technical report, Department of Computer Science, Oregon State University (1995)Google Scholar
  10. 10.
    Doget, J., Prouff, E., Rivain, M., Standaert, F.-X.: Univariate side channel attacks and leakage modeling. J. Cryptogr. Eng. 1(2), 123–144 (2011)CrossRefGoogle Scholar
  11. 11.
    Domingos, P.: A unified bias-variance decomposition and its applications. In: Langley, P. (ed.) ICML, pp. 231–238. Morgan Kaufmann, San Francisco (2000)Google Scholar
  12. 12.
    Domingos, P.: A unified bias-variance decomposition for zero-one and squared loss. In: Kautz, H.A., Porter, B.W. (eds.) AAAI/IAAI, pp. 564–569. AAAI Press/The MIT Press, New York (2000)Google Scholar
  13. 13.
    Durvaux, F., Standaert, F.-X., Veyrat-Charvillon, N.: How to certify the leakage of a chip? In: EUROCRYPT, LNCS, vol. 8441, pp. 459–475. Springer (2014) (to appear)Google Scholar
  14. 14.
    Elaabid, M.A., Guilley, S.: Portability of templates. J. Cryptogr. Eng. 2(1), 63–74 (2012)CrossRefGoogle Scholar
  15. 15.
    Fei, Y., Ding, A.A., Lao, J., Zhang, L.: A statistics-based fundamental model for side-channel attack analysis. Cryptology ePrint Archive, Report 2014/152 (2014). Accessed 1 July 2014
  16. 16.
    Freund, Y., Schapire, R.E.: A decision-theoretic generalization of on-line learning and an application to boosting. J. Comput. Syst. Sci. 55(1), 119–139 (1997)zbMATHMathSciNetCrossRefGoogle Scholar
  17. 17.
    Friedman, J.H.: On bias, variance, 0/1-loss, and the curse-of-dimensionality. Data Min. Knowl. Discov. 1(1), 55–77 (1997)CrossRefGoogle Scholar
  18. 18.
    Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (ed.) CHES, LNCS, vol. 2162, pp. 251–261. Springer (2001)Google Scholar
  19. 19.
    Geman, S., Bienenstock, E., Doursat, R.: Neural networks and the bias/variance dilemma. Neural Comput. 4(1), 1–58 (1992)CrossRefGoogle Scholar
  20. 20.
    Gierlichs, B., Lemke-Rust, K., Paar, C.: Templates vs. stochastic methods. In: Goubin, L., Matsui, M. (ed.) Cryptographic Hardware and Embedded Systems—CHES 2006, 8th International Workshop, Yokohama, Japan, 10–13 October 2006, Proceedings, LNCS, vol. 4249, pp. 15–29. Springer (2006)Google Scholar
  21. 21.
    Hastie, T., Tibshirani, R., Friedman, J.: The Elements of Statistical Learning: Data Mining, Inference and Prediction, 2nd edn. Springer, New York (2009)CrossRefGoogle Scholar
  22. 22.
    Heskes, T.: Bias/variance decompositions for likelihood-based estimators. Neural Comput. 10(6), 1425–1433 (1998)CrossRefGoogle Scholar
  23. 23.
    Heuser, A., Rioul, O., Guilley, S.: A theoretical study of kolmogorov-smirnov distinguishers—side-channel analysis vs. differential cryptanalysis. In: Prouff, E. (ed.) Constructive Side-Channel Analysis and Secure Design—5th International Workshop, COSADE 2014, Paris, France, 13–15 April 2014. Revised Selected Papers, LNCS, vol. 8622, pp. 9–28. Springer (2014)Google Scholar
  24. 24.
    Heuser, A., Zohner, M.: Intelligent machine homicide - breaking cryptographic devices using support vector machines. In: Proceedings of the Third international conference on Constructive Side-Channel Analysis and Secure Design, LNCS, vol. 7275, pp. 249–264. Springer, Berlin, Heidelberg (2012)Google Scholar
  25. 25.
    Hospodar, G., Gierlichs, B., Mulder, E.D., Verbauwhede, I., Vandewalle, J.: Machine learning in side-channel analysis: a first study. J. Cryptogr. Eng. 1(4), 293–302 (2011)CrossRefGoogle Scholar
  26. 26.
    Hospodar, G., Mulder, E.D., Gierlichs, B., Vandewalle, J., Verbauwhede, I.: Least squares support vector machines for side-channel analysis. In: Second International Workshop on Constructive Side Channel Analysis and Secure Design, pp. 99–104. Center for Advanced Security Research Darmstadt (2011)Google Scholar
  27. 27.
    James, G., Hastie, T.: Generalizations of the bias/variance decomposition for prediction error. Technical report, Department of Statistics, Standford University (1996)Google Scholar
  28. 28.
    Kocher, P.C.: Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO, LNCS, vol. 1109, pp. 104–113. Springer (1996)Google Scholar
  29. 29.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: CRYPTO, LNCS, pp. 388–397. Springer (1999)Google Scholar
  30. 30.
    Kohavi, R., Wolpert, D.: Bias plus variance decomposition for zero-one loss functions. In: Saitta, L. (ed.) ICML, pp. 275–283. Morgan Kaufmann, San Francisco (1996)Google Scholar
  31. 31.
    Lerman, L., Bontempi, G., Markowitch, O.: Side channel attack: an approach based on machine learning. In: Second International Workshop on Constructive Side Channel Analysis and Secure Design, pp. 29–41. Center for Advanced Security Research Darmstadt (2011)Google Scholar
  32. 32.
    Lerman, L., Bontempi, G., Markowitch, O.: Power analysis attack: an approach based on machine learning. Int. J. Appl. Cryptogr. 3(2), 97–115 (2014)zbMATHMathSciNetCrossRefGoogle Scholar
  33. 33.
    Lerman, L., Bontempi, G., Markowitch, O.: A machine learning approach against a masked aes. J. Cryptogr. Eng. 5(2), 123–139 (2015)CrossRefGoogle Scholar
  34. 34.
    Lerman, L., Bontempi, G., Ben Taieb, S., Markowitch, O.: A time series approach for profiling attack. In: Gierlichs, B., Guilley, S., Mukhopadhyay, D. (ed.) SPACE, LNCS, vol. 8204, pp. 75–94. Springer (2013)Google Scholar
  35. 35.
    Lerman, L., Fernandes Medeiros, S., Bontempi, G., Markowitch, O.: A machine learning approach against a masked AES. In: Francillon, A., Rohatgi, P. (ed.) Smart Card Research and Advanced Applications—12th International Conference, CARDIS 2013, Berlin, Germany, 27–29 November 2013. Revised Selected Papers, LNCS, vol. 8419, pp. 61–75. Springer (2013)Google Scholar
  36. 36.
    Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks—Revealing the Secrets of Smart Cards. Springer, New York (2007)zbMATHGoogle Scholar
  37. 37.
    Matsui, M.: Linear cryptoanalysis method for des cipher. In: Helleseth, T. (ed.) EUROCRYPT, LNCS, vol. 765, pp. 386–397. Springer (1993)Google Scholar
  38. 38.
    Meier, W., Staffelbach, O.: Nonlinearity criteria for cryptographic functions. In: Quisquater, J-J., Vandewalle, J. (ed.) EUROCRYPT, LNCS, vol. 434, pp. 549–562. Springer (1989)Google Scholar
  39. 39.
    Montminy, D.P., Baldwin, R.O., Temple, M.A., Laspe, E.D.: Improving cross-device attacks using zero-mean unit-variance normalization. J. Cryptogr. Eng. 3(2), 99–110 (2013)CrossRefGoogle Scholar
  40. 40.
    Ng, A.Y.: Preventing “overfitting” of cross-validation data. In: Fisher, D.H. (ed.) ICML, pp. 245–253. Morgan Kaufmann, San Francisco (1997)Google Scholar
  41. 41.
    Prouff, E.: DPA attacks and S-boxes. In: Gilbert, H., Handschuh, H. (ed.) Fast Software Encryption, LNCS, vol. 3557. pp. 424–441. Springer, Berlin, Heidelberg (2005)Google Scholar
  42. 42.
    Rivain, M., Dottax, E., Prouff, E.: Block ciphers implementations provably secure against second order side channel analysis. In: Nyberg, K. (ed.) FSE, LNCS, vol. 5086, pp. 127–143. Springer (2008)Google Scholar
  43. 43.
    Schapire, R. E.: The boosting approach to machine learning: an overview. In: MSRI Workshop on Nonlinear Estimation and Classification, Berkeley, CA, USA (2001)Google Scholar
  44. 44.
    Schindler, W., Lemke, K., Paar, C.: A stochastic model for differential side channel cryptanalysis. In: Rao, J.R., Sunar, B. (ed.) CHES, LNCS, vol. 3659, pp. 30–46. Springer (2005)Google Scholar
  45. 45.
    Standaert, F-X., Malkin, T., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: Joux, A. (ed.) EUROCRYPT, LNCS, vol. 5479, pp. 443–461. Springer (2009)Google Scholar
  46. 46.
    Sugawara, T., Homma, N., Aoki, T., Satoh, A.: Profiling attack using multivariate regression analysis. IEICE Electron. Express 7(15), 1139–1144 (2010)CrossRefGoogle Scholar
  47. 47.
    Tibshirani, R.: Bias, variance, and prediction error for classification rules. Technical report, Statistics Department, University of Toronto, Toronto (1996)Google Scholar
  48. 48.
    Weisberg, S.: Applied Linear Regression. Wiley Series in Probability and Statistics, Wiley, New York (2005)zbMATHCrossRefGoogle Scholar
  49. 49.
    Whitnall, C., Oswald, E.: Profiling DPA: efficacy and efficiency trade-offs. In: Bertoni, G., Coron, J-S. (ed.) CHES, LNCS, vol. 8086, pp. 37–54. Springer (2013)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  • Liran Lerman
    • 1
    • 2
  • Gianluca Bontempi
    • 2
  • Olivier Markowitch
    • 1
  1. 1.Quality and Security of Information Systems, Département d’informatiqueUniversité Libre de BruxellesBrusselsBelgium
  2. 2.Machine Learning Group, Département d’informatiqueUniversité Libre de BruxellesBrusselsBelgium

Personalised recommendations