Journal of Cryptographic Engineering, Volume 7, Issue 1, pp 1–17

Mutual information analysis: higher-order statistical moments, efficiency and efficacy

  • Mathieu Carbone
  • Yannick Teglia
  • Gilles R. Ducharme
  • Philippe Maurine
Regular Paper

Abstract

The wide attention given to mutual information analysis (MIA) is often connected to its statistical genericity, called flexibility in this paper. MIA is expected to lead to successful key recoveries with no reliance on a priori knowledge about the implementation and with as few assumptions as possible about the leakage distribution, i.e. it should be able to exploit information lying in any statistical moment and to detect all types of functional dependencies, up to the error in the leakage model chosen by the attacker, which impacts its efficiency (and even its effectiveness). Emphasis is usually put on the powerful generality of the concept behind MIA, as well as on the importance of adequate probability density function (PDF) estimation, which seriously impacts its performance. In contrast to these theoretical advantages, MIA underperforms in practice, which limits its usage. Considering that this underperformance could be explained by suboptimal estimation procedures, we studied MIA in depth by analyzing the link between the tuning parameters of the commonly used nonparametric density estimator, namely kernel density estimation, and three criteria: the statistical moment in which the leakage prevails, MIA's efficiency, and its flexibility with respect to the classical Hamming weight model. The goal of this paper is therefore to cast some light on PDF estimation issues in MIA, a field in which much work has been devoted to finding improved estimators, each with its pros and cons, while little attempt has been made to identify whether existing classical methods can be practically improved according to the degrees of freedom offered by their hyperparameters (when available).
We show that 'optimal' estimation procedures following a problem-based approach, rather than the systematic use of heuristics following an accuracy-based approach, can make MIA more efficient and flexible, and that a practical guideline for tuning the hyperparameters involved in MIA should be designed. The results of this analysis allowed us to define such a guideline, based on a detailed comparison of MIA's results across various simulations and real-world datasets (including publicly available ones such as DPA contest V2 and V4.1).
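As an added illustration (not code from the paper), the following simplified MIA reproduces the setting the abstract describes: Hamming weight leakage of an S-box output, a Gaussian kernel density estimator, and a bandwidth h that is either Silverman's rule-of-thumb or a fixed value, so that the effect of this hyperparameter on the distinguisher can be observed. It assumes a constructed toy S-box (a seeded random permutation, not AES), Gaussian noise and a resubstitution entropy estimate; none of these choices come from the paper.

```python
import numpy as np

def hw(x):
    """Hamming weight of every byte in an integer array."""
    return np.unpackbits(np.asarray(x, dtype=np.uint8)[:, None], axis=1).sum(axis=1)

def simulate(n, key, sigma, rng, sbox):
    """Constructed traces: HW of the S-box output plus Gaussian noise of std sigma."""
    pt = rng.integers(0, 256, n, dtype=np.uint8)
    leak = hw(sbox[pt ^ key]) + rng.normal(0.0, sigma, n)
    return pt, leak

def silverman(x):
    """Silverman's rule-of-thumb bandwidth, the usual default in MIA."""
    return 1.06 * np.std(x) * len(x) ** (-0.2)

def kde_entropy(x, h):
    """Resubstitution entropy estimate (bits) of sample x from a Gaussian KDE of bandwidth h."""
    d = (x[:, None] - x[None, :]) / h
    f = np.exp(-0.5 * d * d).sum(axis=1) / (len(x) * h * np.sqrt(2.0 * np.pi))
    return -np.mean(np.log2(f))

def mia_scores(pt, leak, sbox, h=None):
    """I(L; HW(sbox[pt ^ k])) for every key guess k. h=None picks Silverman's
    bandwidth per sample; a number forces that fixed bandwidth everywhere."""
    n = len(leak)
    h_total = kde_entropy(leak, silverman(leak) if h is None else h)
    scores = np.empty(256)
    for k in range(256):
        model = hw(sbox[pt ^ k])
        cond = 0.0
        for m in np.unique(model):
            sub = leak[model == m]
            if len(sub) < 2:
                continue  # too few traces in this class to estimate a density
            cond += len(sub) / n * kde_entropy(sub, silverman(sub) if h is None else h)
        scores[k] = h_total - cond  # H(L) - H(L | model) under key guess k
    return scores

def run_demo(n=1500, key=0x2B, sigma=1.0, h=None, seed=1):
    """Constructed end-to-end run; returns (best key guess, MI score of the true key)."""
    rng = np.random.default_rng(seed)
    sbox = rng.permutation(256).astype(np.uint8)  # constructed toy S-box, not AES
    pt, leak = simulate(n, key, sigma, rng, sbox)
    scores = mia_scores(pt, leak, sbox, h)
    return int(np.argmax(scores)), float(scores[key])

if __name__ == "__main__":
    for bw in (None, 0.05, 3.0):  # default rule vs. under- and over-smoothing
        print("bandwidth", bw, "->", run_demo(h=bw))
```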

Keywords

Side-channel analysis; Mutual information; Bandwidth; Statistical moments


Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  • Mathieu Carbone (1, 2)
  • Yannick Teglia (1)
  • Gilles R. Ducharme (3)
  • Philippe Maurine (2, 4)
  1. ST Microelectronics - Advanced System Technology, Rousset, France
  2. LIRMM - Laboratoire d’Informatique de Robotique et de Microélectronique de Montpellier, Montpellier Cedex 5, France
  3. EPS - Institut de Mathématiques et de Modélisation de Montpellier, Montpellier Cedex 5, France
  4. CEA - Centre Microélectronique de Provence Georges Charpak, Gardanne, France