Fast Analytical Rank Estimation

Liron David; Avishai Wool

doi:10.1007/978-3-030-16350-1_10

International Workshop on Constructive Side-Channel Analysis and Secure Design

COSADE 2019: Constructive Side-Channel Analysis and Secure Design pp 168-190 | Cite as

Fast Analytical Rank Estimation

Authors
Authors and affiliations

Liron David
Avishai Wool

Conference paper

First Online: 16 March 2019

Part of the Lecture Notes in Computer Science book series (LNCS, volume 11421)

Abstract

Rank estimation is an important tool for a side-channel evaluations laboratories. It allows estimating the remaining security after an attack has been performed, quantified as the time complexity and the memory consumption required to brute force the key given the leakages as probability distributions over d subkeys (usually key bytes). These estimations are particularly useful when the key is not reachable with exhaustive search. We propose a new framework for rank estimation that is conceptually simple, and more time and memory efficient than previous proposals. Our main idea is to bound each subkey distribution by an analytical function, and estimate the rank by a closed formula. To demonstrate the power of the framework, we instantiate it with Pareto-like functions to create the PRank algorithm. Pareto-like functions have long-tails that model empirical SCA distributions, and they are easily calculable. We evaluated the performance of PRank through extensive simulations based on two real SCA data corpora, and compared it to the currently-best histogram-based algorithm. We show that PRank gives a good rank estimation with much improved time and memory efficiency, especially for large ranks: For ranks between $2^{80}-2^{100}$ PRank estimation is at most 10 bits above the histogram rank and for ranks beyond $2^{100}$ the PRank estimation is only 4 bits above the histogram rank—yet it runs in milliseconds, and uses negligible memory. One could employ our framework with other classes of functions and possibly achieve even better results.

This is a preview of subscription content, to check access.

Notes

Acknowledgments

Liron David was partially supported by The Yitzhak and Chaya Weinstein Research Institute for Signal Processing.

A Proof for Theorem 1

For any dimension i, if we choose the most likely value in all dimensions $j \ne i$, we can find the minimum probability in dimension i that still fulfills the condition $P_1[x_1] \cdot ... \cdot P_d[x_d] \ge p^*$. Therefore, any index l s.t. $P_i(l)$ is smaller than this minimum probability will never be part of a key whose probability is higher than or equal to $p^*$. Since $P_j$ is non-increasing, the most likely value is at index 1, hence for all dimensions $j \ne i$, the most likely value has probability $P_j(1)$. We look for the farthest index l in dimension i such that the product $P_i(l)\,\cdot \,\prod _{j \ne i} P_j(1)$ is still higher than or equal to $p^*$. Therefore, the number of subkey indexes for dimension i that are needed in order to compute the rank of a key whose probability $p^*$ is

$$\begin{aligned} n^*_i=max_{1\le l \le N}\{l : P_i(l)\cdot \prod _{j \ne i} P_j(1) \ge p^*\}. \end{aligned}$$

$\square $

B Proof for Proposition 2

Let $f^{\alpha ,a}=a/x^\alpha $ be a Pareto-like function with parameters $\alpha $ and a. Since P is a sorted non-increasing probability distribution, P[1] is greater than or equal to any other P[j] for $1 \le j \le N$. Therefore, a trivial Pareto-like upper bound function for P is $f^{0,P[1]}(x)=P[1]$. If $P[2]=P[1]$ then $f^{0,P[1]}(x)$ fulfills the requirements with anchors 1,2.

Else, we shall construct an upper-bound function $f^{\alpha ,P[1]}$, that is anchored at 1, r for some $r>1$. Given any index $r>1$ and the value P[r], let $\alpha _r=\log _r{(P[1]/P[r])}$. Then, the function $f^{\alpha _r,P[1]}(x)=P[1]/x^{\alpha _r}$ is the unique Pareto-like function that is anchored at 1, r. Hence we need to find $1 < r \le N$ s.t. $f^{\alpha _r,P[1]}(x)$ is an upper-bound function: $f^{\alpha _r,P[1]}(x) \ge P[x]$ for all $1 \le x \le N$. For a fixed index $r>1$, the function $g(\alpha )=f^{\alpha ,P[1]}(r)=P[1]/r^\alpha $ for $\alpha \ge 0$ is monotone decreasing, with $g(0)=P[1]$. Clearly $g(\alpha _r)=P[r]$, hence for all $0 \le \alpha \le \alpha _r$ we have $f^{\alpha ,P[1]}(r) \ge P[r]$. Let $\alpha ^*=\underset{r}{\min } \{ \alpha _r \}$ and let $r^*=\underset{r}{\arg \min } \{ \alpha _r \}$ be the minimal index at which $\alpha ^*$ is achieved. Then, $f^{\alpha ^*,P[1]}$ is an upper bound function for P which obeys $f^{\alpha ^*,P[1]}(1)=P[1]$ and $f^{\alpha ^*,P[1]}(r^*)=P[r^*]$ - at all other indices $r \ne 1$, $r \ne r^*$ we have $\alpha ^* \le \alpha _r$ by definition, so $f^{\alpha ^*,P[1]}(r)=g(\alpha ^*)\ge g(\alpha _r)=P[r]$. $\square $

C Proof for Theorem 2

We prove this theorem using induction. The base case is Proposition 2, which shows that $t_1=1$, and whose proof describes how to find $t_2 = r$.

For the induction step we assume that we have a Pareto-like upper bound function f that is anchored at indexes l, r. We prove that if there exists another Pareto-like upper bound function $\hat{f} \ne f$ that is anchored at $\hat{l}, \hat{r}$ s.t. $\hat{l} > l$ then there exists some $r < t\le \hat{l}$ s.t. the Pareto-like function anchored at r, t is an upper-bound function for P.

We shall prove this in 3 steps: in Theorem 3 we prove that the anchors of f and $\hat{f}$ cannot be nested. In Theorem 4 we prove that if the anchors of f and $\hat{f}$ are interleaved then the intermediate anchors coincide, i.e., $t=r=\hat{l}$. Finally in Theorem 5 we prove that if the anchors of f and $\hat{f}$ obey $r < \hat{l}$ then the required t exists and obeys $t\le \hat{l}$.

To prove these theorems, we first state two simple lemmas, and prove Propositions 4 and 5 showing that two different Pareto-like upper bound functions cannot “share” only their left anchors l, or only their right anchor r.

Lemma 2

Let $f_1=a/x^\alpha $ and $f_2=b/x^\beta $ be Pareto-like functions s.t. $\alpha >\beta $. Then, $f_1(x)=f_2(x)$ only at the crossover point $x_c=(a/b)^{\frac{1}{\alpha -\beta }}$.

Lemma 3

Let $f_1=a/x^\alpha $ and $f_2=b/x^\beta $ be Pareto-like functions s.t. $\alpha >\beta $ and let $x_c$ be their crossover point. Then for $x>x_c$ $f_1 < f_2$ and for $x<x_c$ $f_2<f_1$.

Proposition 4

Given a non-increasing sorted probability distribution P and a Pareto-like upper bound function f of P anchored at l, r, then any Pareto-like function $\hat{f} \ne f$ that is anchored at $l,\hat{r}$ s.t. $\hat{r} > r$ will violate the upper bound condition at index r, i.e., $\hat{f}(r) < P[r]$.

Proof: Let $f(x)=a/x^\alpha $ and $\hat{f}(x)=\hat{a}/x^{\hat{\alpha }}$ be defined as above, “sharing” the anchor l. Since f is a Pareto-like upper bound function $f(\hat{r}) \ge P[\hat{r}]$. By definition $P[\hat{r}]=\hat{f}(\hat{r})$, therefore $f(\hat{r}) \ge \hat{f}(\hat{r})$, which is equivalent to

$$\begin{aligned} a \cdot \hat{r}^{\hat{\alpha }} \ge \hat{a} \cdot \hat{r}^{\alpha }. \end{aligned}$$

Substituting $a=P[l]\cdot l^{\alpha }$ and $\hat{a}=P[l] \cdot l^{\hat{\alpha }}$ for the same l we get

$$\begin{aligned} \hat{r}^{\hat{\alpha }-\alpha } \ge l^{\hat{{\alpha }}-\alpha }. \end{aligned}$$

Since $\hat{r} \ge l$, we get $\hat{\alpha }>\alpha $. Since $P[r]=f(r)$ by definition, in order to prove $P[r]>\hat{f}(r)$, it suffices to prove $f(r)>\hat{f}(r)$, which is equivalent to

$$\begin{aligned} \hat{a} \cdot r^\alpha < a \cdot r^{\hat{\alpha }}. \end{aligned}$$

By substituting $a=P[l] \cdot l^\alpha $ and $\hat{a}=P[l] \cdot l^{\hat{\alpha }}$ we get the equivalent inequality

$$\begin{aligned} l^{\hat{\alpha }-\alpha } <r^{\hat{\alpha }-\alpha }, \end{aligned}$$

which holds since $l<r$ and $\hat{\alpha }>\alpha $. $\square $

Proposition 5

Given a non-increasing sorted probability distribution P and a Pareto-like upper bound function f of P anchored at l, r, then any Pareto-like function $\hat{f}\ne f$ that is anchored at $\hat{l},r$ for some $\hat{l} < l$ will violate the upper bound condition at index l, i.e., $\hat{f}(l) < P[l]$.

Proof:

Analogous to that of Proposition 4.

Theorem 3

(No nested anchors). Let P be a non-increasing sorted probability distribution and let two index pairs $l<r$ and $\hat{l}<\hat{r}$ s.t. $l \le \hat{l} < \hat{r} \le r$. There cannot exist two Pareto-like upper bound functions $f \ne \hat{f}$ s.t. f is anchored at l, r and $\hat{f}$ is anchored at $\hat{l},\hat{r}$.

Proof:

From Proposition 4, we see that there cannot exist two different Pareto-like upper bound functions $f,\hat{f}$ s.t. $f(l)=P[l]=\hat{f}(l)$ (i.e., the crossover point is at l) but $f(r)=P[r]$ and $\hat{f}(\hat{r})=P[\hat{r}]$ for $r<\hat{r}$. In the same way, from Proposition 5 we see that there cannot exist two different Pareto-like upper bound functions $f,\hat{f}$ s.t. $f(r)=P[r]=\hat{f}(r)$ (i.e., the crossover point is at r) but $f(l)=P[l]$ and $\hat{f}(\hat{l})=P[\hat{l}]$ for $l<\hat{l}$. Therefore the only option is that $l< \hat{l}< \hat{r} < r$. However, this option also cannot exist since then we get

$$\begin{aligned} \begin{aligned} \hat{f}(l) \ge P[l] = f(l), ~&~ f(\hat{l}) \ge P[\hat{l}] = \hat{f}(\hat{l}), \\ f(\hat{r}) \ge P[\hat{r}] = \hat{f}(\hat{r}), ~&~ \hat{f}(r) \ge P[r] = f(r). \end{aligned} \end{aligned}$$

However, since $f\ne \hat{f}$ at least 3 of these 4 inequalities must be sharp, which means we need to have at least two crossover points, contrary to Lemma 2. $\square $

Theorem 4

(Interleaved anchors). Let P be a non-increasing sorted probability distribution and let two index pairs $l<r$ and $\hat{l}<\hat{r}$ be such that $l \le \hat{l} \le r \le \hat{r}$ and s.t. there exist two different Pareto-like upper bound functions, f anchored at l, r and $\hat{f}$ anchored at $\hat{l},\hat{r}$. Then, $l< \hat{l}= r < \hat{r}$.

Proof:

From properties of f and $\hat{f}$, it holds that:

$$\begin{aligned} \begin{aligned} \hat{f}(l) \ge P[l] = f(l), ~&~ f(\hat{l}) \ge P[\hat{l}] = \hat{f}(\hat{l}), \\ \hat{f}(r) \ge P[r] = f(r), ~&~ f(\hat{r}) \ge P[\hat{r}] = \hat{f}(\hat{r}). \end{aligned} \end{aligned}$$

(4)

In other words, we get $f(l) \le \hat{f}(l) $, $f(\hat{l}) \ge \hat{f}(\hat{l})$, $f(r) \le \hat{f}(r)$ and $f(\hat{r}) \ge \hat{f}(\hat{r})$. Notice that f and $\hat{f}$ are different, therefore they have a single crossover point. To obtain a contradiction, assume that $l<\hat{l}<r<\hat{r}$. If two or more of the inequalities in Eq. (4) are equalities then $f \equiv \hat{f}$, contrary to the premise. Therefore at least 3 of the inequalities in Eq. (4) are sharp. However since $f \ne \hat{f}$ there is a unique crossover point $x_c$ between them, and regardless of where $x_c$ is located with respect to $l, \hat{l},r, \hat{r}$, there will be two indices $u,v \in \{l,\hat{l},r,\hat{r}\}$ either to its left or to its right, such that $f(u)>\hat{f}(u)$ and $f(v)<\hat{f}(v)$, contradicting Lemma 2. Therefore at least two indices need to be equal to each other. As we’ve seen in Proposition 4 there cannot exist two upper bound Pareto-like functions f and $\hat{f}$ such that $f(l)=P[l]=\hat{f}(l)$ (i.e., the crossover point is at l) but $f(r) =P[r]$ and $\hat{f}(\hat{r})=P[\hat{r}]$ for $r< \hat{r}$. Therefore l cannot be equal to $\hat{l}$. In the same way, Proposition 5 shows that there cannot exist two Pareto-like upper bound functions f and $\hat{f}$ such that $f(r)=P[r]=\hat{f}(r)$ (i.e., the crossover point is at r) but $f(l) =P[l]$ and $\hat{f}(\hat{l})=P[\hat{l}]$ for $l<\hat{l}$. Therefore, r cannot be equal to $\hat{r}$. Therefore, the only option is $\hat{l}=r$. $\square $

Theorem 5

(Disjoint anchors). Let P be a non-increasing sorted probability distribution and let two index pairs $l<r$ and $\hat{l}<\hat{r}$ be such that $l< r \le \hat{l} < \hat{r}$ and s.t. there exist two different Pareto-like upper bound functions, f anchored at l, r and $\hat{f}$ anchored at $\hat{l},\hat{r}$. Then there exists $r< t \le \hat{l}$ such that the Pareto-like function $\bar{f}$ anchored at r, t is an upper-bound function.

Proof:

Omitted. $\square $

The combination of Theorems 3, 4 and 5 completes the proof of Theorem 2. $\square $

E Derivation of the Rank Upper-Bound Formula

We start by solving the multiple integral Eq. (1) for the Pareto-like upper bound functions $f_i$, for the first non-trivial case which is $d=3$. Then, we will generalize it for any d. Plugging the Pareto-like function $f_i=a_i/x_i^{\alpha _i}$ for each $1 \le i \le d$ into Eq. (1) we get:

$$\begin{aligned} \underset{\begin{array}{c} \\ \big ( \frac{a_1}{x_1^{\alpha _1}} \cdot \frac{a_2}{x_2^{\alpha _2}} \cdot \frac{a_3}{x_3^{\alpha _3}} \big ) \ge p^* \end{array}}{\int _{0}^{N} \int _{0}^{N} \int _{0}^{N} } 1 \,dx_3 dx_2 dx_1 . \end{aligned}$$

(5)

We assume the general case in which $\alpha _i \ne \alpha _j$ for all $i \ne j$. The range of the multiple integrals in Eq. (5) is equivalent to

$$\begin{aligned} \bigg (\frac{a_1}{x_1^{\alpha _1}} \cdot \frac{a_2}{x_2^{\alpha _2}} \cdot \frac{a_3}{p^*}\bigg )^{\frac{1}{{\alpha _3}}} \ge x_3. \end{aligned}$$

Therefore, we can plug $x_3$ into Eq. (5) to get

$$\begin{aligned} \int _{0}^{N} \int _{0}^{N} \bigg (\frac{a_1}{x_1^{\alpha _1}} \cdot \frac{a_2}{x_2^{\alpha _2}} \cdot \frac{a_3}{p^*}\bigg )^{\frac{1}{{\alpha _3}}} \,dx_2 dx_1 . \end{aligned}$$

(6)

The lower bound of each dimension $x_i$ is 0, but Pareto-like functions are not defined at 0. However, in order to maintain $x_3 \le N$ we require:

$$\begin{aligned} x_3 \le \bigg (\frac{a_1}{x_1^{\alpha _1}} \cdot \frac{a_2}{x_2^{\alpha _2}} \cdot \frac{a_3}{p^*}\bigg )^{\frac{1}{{\alpha _3}}} \le N, \end{aligned}$$

which provides a bound on $x_{2}$

$$\begin{aligned} x_{2} \ge (\frac{a_1}{x_1^{\alpha _1}} \cdot \frac{a_{2}}{N^{\alpha _{3}}} \cdot \frac{a_3}{p^*})^{\frac{1}{\alpha _{2}}}. \end{aligned}$$

(7)

We denote this lower bound on $x_{2}$ by $x'_{2}$:

$$\begin{aligned} x'_{2} \triangleq (\frac{a_1}{x_1^{\alpha _1}} \cdot \frac{a_{2}}{N^{\alpha _{3}}} \cdot \frac{a_3}{p^*})^{\frac{1}{\alpha _{2}}}. \end{aligned}$$

For all $x_{2} < x'_{2}$, we get $x_3>N$ which is out of range, therefore for $x_{2} < x'_{2}$ we take $x_3=N$. By splitting the inner-most integral in Eq. (6) into two ranges we get:

$$\begin{aligned} \int _{0}^{N} \bigg [ \int _{0}^{x'_{2}} N \,dx_{2} + \int _{x'_{2}}^{N} \bigg (\frac{a_1}{x_1^{\alpha _1}} \cdot \frac{a_2}{x_2^{\alpha _2}} \cdot \frac{a_3}{p^*}\bigg )^{\frac{1}{{\alpha _3}}} \,dx_{2} \bigg ] \,dx_{1} . \end{aligned}$$

(8)

We repeat the procedure and divide the next dimension $x_{1}$. In order to maintain $x_{2} \le N$, from Eq. (7)

$$\begin{aligned} (\frac{a_{1}}{x_{1}^{\alpha _{1}}} \cdot \frac{a_{2}}{N^{\alpha _{3}}} \cdot \frac{a_3}{p^*})^{\frac{1}{\alpha _{2}}} \le x_{2} \le N, \end{aligned}$$

so $x_{1}$ should maintain

$$\begin{aligned} x_{1} \ge (\frac{a_{1}}{N^{\alpha _{2}}} \cdot \frac{a_{2}}{N^{\alpha _{3}}} \cdot \frac{a_3}{p^*})^{\frac{1}{\alpha _{1}}}. \end{aligned}$$

Denote this lower bound of $x_{1}$ by $x'_{1}$

$$\begin{aligned} x'_{1} \triangleq (\frac{a_{1}}{N^{\alpha _{2}}} \cdot \frac{a_{2}}{N^{\alpha _{3}}} \cdot \frac{a_3}{p^*})^{\frac{1}{\alpha _{1}}}. \end{aligned}$$

For all $x_{1} < x'_{1}$, we get $x_{2}>N$ which is out of range, therefore for $x_{1} < x'_{1}$ we take $x_{2}=N$. Plugging this into Eq. (8)

$$\begin{aligned} \int _{0}^{x'_{1}} \int _{0}^{N} N \,dx_{1} + \int _{x'_{1}}^{N}\bigg [ \int _{0}^{x'_{2}} N \,dx_{2} + \int _{x'_{2}}^{N} \bigg (\frac{a_1}{x_1^{\alpha _1}} \cdot \frac{a_2}{x_2^{\alpha _2}} \cdot \frac{a_3}{p^*}\bigg )^{\frac{1}{{\alpha _3}}} \,dx_{2} \bigg ] \,dx_{1}. \end{aligned}$$

(9)

To solve this integral we solve each term separately, starting with the inner-right term of Eq. (9):

$$\begin{aligned} \int _{x'_{2}}^{N} \bigg (\frac{a_1}{x_1^{\alpha _1}} \cdot \frac{a_2}{x_2^{\alpha _2}} \cdot \frac{a_3}{p^*}\bigg )^{\frac{1}{{\alpha _3}}} \,dx_{2}, \end{aligned}$$

which is straightforward:

$$\begin{aligned} \bigg (\frac{a_1 \cdot a_2 \cdot a_3}{x_1^{\alpha _1} \cdot p^*} \bigg )^{\frac{1}{{\alpha _3}}} \int _{x'_{2}}^{N} x_2^{-\frac{\alpha _2}{\alpha _3}} \,dx_{2} = \bigg (\frac{a_1 \cdot a_2 \cdot a_3}{x_1^{\alpha _1} \cdot p^*} \bigg )^{\frac{1}{{\alpha _3}}} \cdot \frac{\alpha _3}{\alpha _3-\alpha _2} \cdot x_2^ {1-\frac{\alpha _2}{\alpha _3}} \bigg |^{N}_{x'_2}. \end{aligned}$$

After substituting the limits, since $\alpha _2 \ne \alpha _3$, we get:

$$\begin{aligned} \bigg (\frac{a_1 \cdot a_2 \cdot a_3}{x_1^{\alpha _1} \cdot p^*} \bigg )^{\frac{1}{{\alpha _3}}} \cdot \frac{\alpha _3}{\alpha _3-\alpha _2} \cdot \bigg [ N^ {\frac{\alpha _3 - \alpha _2}{\alpha _3}} - \bigg (\frac{a_1 \cdot a_2 \cdot a_3}{x_1^{\alpha _1} \cdot p^*} \bigg )^{\frac{1}{{\alpha _2}}-\frac{1}{{\alpha _3}} } \cdot N^{\frac{\alpha _2-\alpha _3}{\alpha _2}} \bigg ] \end{aligned}$$

which equals to

$$\begin{aligned} \bigg (\frac{a_1 \cdot a_2 \cdot a_3}{x_1^{\alpha _1} \cdot p^*} \bigg )^{\frac{1}{{\alpha _3}}} \cdot \frac{\alpha _3}{\alpha _3-\alpha _2} \cdot N^ {\frac{\alpha _3 - \alpha _2}{\alpha _3}} - \bigg (\frac{a_1 \cdot a_2 \cdot a_3}{x_1^{\alpha _1} \cdot p^*} \bigg )^{\frac{1}{{\alpha _2}}} \cdot \frac{\alpha _3}{\alpha _3-\alpha _2} \cdot N^{\frac{\alpha _2-\alpha _3}{\alpha _2}}. \end{aligned}$$

(10)

Now, we calculate the inner-left term of Eq. (9):

$$\begin{aligned} \int _{0}^{x'_{2}} N \,dx_{2} = \bigg (\frac{a_1 \cdot a_2 \cdot a_3}{x_1^{\alpha _1} \cdot p^*} \bigg )^{\frac{1}{{\alpha _2}}} \cdot N^ {\frac{\alpha _2 - \alpha _3}{\alpha _2}}. \end{aligned}$$

(11)

Plugging in Eqs. (10) and (11) into the right term of Eq. (9), we get:

$$\begin{aligned} \int _{x'_1}^{N} \bigg (\frac{a_1 \cdot a_2 \cdot a_3}{x_1^{\alpha _1} \cdot p^*} \bigg )^{\frac{1}{{\alpha _3}}} \cdot \frac{\alpha _3}{\alpha _3-\alpha _2} \cdot N^ {\frac{\alpha _3 - \alpha _2}{\alpha _3}} + \bigg (\frac{a_1 \cdot a_2 \cdot a_3}{x_1^{\alpha _1} \cdot p^*} \bigg )^{\frac{1}{{\alpha _2}}} \cdot \frac{\alpha _2}{\alpha _2-\alpha _3} \cdot N^{\frac{\alpha _2-\alpha _3}{\alpha _2}} \,dx_{1 } . \end{aligned}$$

Calculating the integral we get:

$$\begin{aligned} \begin{aligned}&\bigg (\frac{a_1 \cdot a_2 \cdot a_3}{p^*} \bigg )^{\frac{1}{{\alpha _3}}} \cdot \frac{\alpha _3}{\alpha _3-\alpha _2} \cdot N^ {\frac{\alpha _3 - \alpha _2}{\alpha _3}} \cdot \frac{\alpha _3}{\alpha _3-\alpha _1} \cdot x_1^{\frac{\alpha _3 - \alpha _1}{\alpha _3}} \bigg |_{x'_1}^{N} + \\ {}&\bigg (\frac{a_1 \cdot a_2 \cdot a_3}{p^*} \bigg )^{\frac{1}{{\alpha _2}}} \cdot \frac{\alpha _2}{\alpha _2-\alpha _3} \cdot N^ {\frac{\alpha _2 - \alpha _3}{\alpha _2}} \cdot \frac{\alpha _2}{\alpha _2-\alpha _1} \cdot x_1^{\frac{\alpha _2 - \alpha _1}{\alpha _2}} \bigg |_{x'_1}^{N}. \end{aligned} \end{aligned}$$

Solving this and adding the solution of the left term of Eq. (9) we get the final formula for $d=3$:

$$\begin{aligned} \begin{aligned}&\bigg (\frac{a_1 \cdot a_2 \cdot a_3}{p^*} \bigg )^{\frac{1}{{\alpha _1}}} \cdot \frac{\alpha _1}{\alpha _1-\alpha _2} \cdot \frac{\alpha _1}{\alpha _1-\alpha _3} \cdot N^ {\frac{\alpha _1 - \alpha _2}{\alpha _1}} \cdot N^ {\frac{\alpha _1 - \alpha _3}{\alpha _1}} + \\ {}&\bigg (\frac{a_1 \cdot a_2 \cdot a_3}{p^*} \bigg )^{\frac{1}{{\alpha _2}}} \cdot \frac{\alpha _2}{\alpha _2-\alpha _3} \cdot \frac{\alpha _2}{\alpha _2-\alpha _1} \cdot N^ {\frac{\alpha _2 - \alpha _1}{\alpha _1}} \cdot N^ {\frac{\alpha _2 - \alpha _3}{\alpha _2}} + \\ {}&\bigg (\frac{a_1 \cdot a_2 \cdot a_3}{p^*} \bigg )^{\frac{1}{{\alpha _3}}} \cdot \frac{\alpha _3}{\alpha _3-\alpha _1} \cdot \frac{\alpha _3}{\alpha _3-\alpha _2} \cdot N^ {\frac{\alpha _3 - \alpha _1}{\alpha _3}} \cdot N^ {\frac{\alpha _3 - \alpha _2}{\alpha _3}} \end{aligned} \end{aligned}$$

(12)

For the general case $d \ge 2$ the analysis is analogous so we omit the details. The final solution for any $d \ge 2$ is the following closed formula:

$$\begin{aligned} \sum _{i=1}^d \bigg [\bigg (\frac{1}{p^*} \cdot \prod _{j=1}^{d}a_j \bigg ) ^{\frac{1}{\alpha _i}} \cdot \prod _{j=1,j\ne i}^{d} \bigg ( \frac{\alpha _i}{\alpha _i - \alpha _j} \cdot N^{\frac{\alpha _i - \alpha _j}{\alpha _i}} \bigg ) \bigg ]. \end{aligned}$$

References

1.
FIPS PUB 197, advanced encryption standard (AES), U.S. Department of Commerce/National Institute of Standards and Technology (NIST) (2001)Google Scholar
2.
Agrawal, D., Archambeault, B., Rao, J.R., Rohatgi, P.: The EM Side—Channel(s). In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 29–45. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_4CrossRefGoogle Scholar
3.
Bernstein, D.J., Lange, T., van Vredendaal, C.: Tighter, faster, simpler side-channel security evaluations beyond computing power. IACR Cryptology ePrint Archive, 2015:221 (2015)Google Scholar
4.
Bibinger, M.: Notes on the sum and maximum of independent exponentially distributed random variables with different scale parameters. arXiv preprint, arXiv:1307.3945 (2013)
5.
Bogdanov, A., Kizhvatov, I., Manzoor, K., Tischhauser, E., Witteman, M.: Fast and memory-efficient key recovery in side-channel attacks. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 310–327. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31301-6_19CrossRefzbMATHGoogle Scholar
6.
Choudary, M.O., Popescu, P.G.: Back to massey: impressively fast, scalable and tight security evaluation tools. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 367–386. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_18CrossRefGoogle Scholar
7.
David, L., Wool, A.: A bounded-space near-optimal key enumeration algorithm for multi-subkey side-channel attacks. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 311–327. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_18CrossRefGoogle Scholar
8.
David, L., Wool, A.: Poly-logarithmic side channel rank estimation via exponential sampling. In: RSA Conference Cryptographers’ Track, CT-RSA (2019, to appear)Google Scholar
9.
David, L., Wool, A.: Prank: Fast analytical rank estimation matlab code (2019)Google Scholar
10.
Duc, A., Faust, S., Standaert, F.-X.: Making masking security proofs concrete. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 401–429. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_16CrossRefGoogle Scholar
11.
Fledel, D., Wool, A.: Sliding-window correlation attacks against encryption devices with an unstable clock. In: Cid, C., Jacobson Jr., M. (eds.) SAC 2018. LNCS, vol. 11349, pp. 193–215. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-10970-7_9CrossRefGoogle Scholar
12.
Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44709-1_21CrossRefGoogle Scholar
13.
Glowacz, C., Grosso, V., Poussier, R., Schüth, J., Standaert, F.-X.: Simpler and more efficient rank estimation for side-channel security assessment. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 117–129. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_6CrossRefGoogle Scholar
14.
Grosso, V.: Scalable key rank estimation (and key enumeration) algorithm for large keys. https://eprint.iacr.org/2018/175.pdf
15.
Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25CrossRefGoogle Scholar
16.
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9CrossRefGoogle Scholar
17.
Li, Y., Meng, X., Wang, S., Wang, J.: Weighted key enumeration for em-based side-channel attacks. In: 2018 IEEE International Symposium on Electromagnetic Compatibility and 2018 IEEE Asia-Pacific Symposium on Electromagnetic Compatibility (EMC/APEMC), pp. 749–752. IEEE (2018)Google Scholar
18.
Li, Y., Wang, S., Wang, Z., Wang, J.: A strict key enumeration algorithm for dependent score lists of side-channel attacks. In: Eisenbarth, T., Teglia, Y. (eds.) CARDIS 2017. LNCS, vol. 10728, pp. 51–69. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-75208-2_4CrossRefGoogle Scholar
19.
Longo, J., et al.: How low can you go? Using side-channel data to enhance brute-force key recovery. Cryptology ePrint Archive, Report 2016:609 (2016). https://eprint.iacr.org/2016/609
20.
Martin, D.P., Martinoli, Marco: A note on key rank. IACR Cryptology ePrint Archive, 2018:614 (2018)Google Scholar
21.
Martin, D.P., Mather, L., Oswald, E.: Two sides of the same coin: counting and enumerating keys post side-channel attacks revisited. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 394–412. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_21CrossRefGoogle Scholar
22.
Martin, D.P., Mather, L., Oswald, E., Stam, M.: Characterisation and estimation of the key rank distribution in the context of side channel evaluations. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 548–572. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_20CrossRefzbMATHGoogle Scholar
23.
Martin, D.P., Montanaro, A., Oswald, E., Shepherd, D.: Quantum key search with side channel advice. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 407–422. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_21CrossRefGoogle Scholar
24.
Martin, D.P., O’Connell, J.F., Oswald, E., Stam, M.: Counting keys in parallel after a side channel attack. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 313–337. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_13CrossRefzbMATHGoogle Scholar
25.
Oren, Y., Weisse, O., Wool, A.: A new framework for constraint-based probabilistic template side channel attacks. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 17–34. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44709-3_2CrossRefGoogle Scholar
26.
Pan, J.: Improving DPA by peak distribution analysis. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 241–261. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19574-7_17CrossRefGoogle Scholar
27.
Poussier, R., Standaert, F.-X., Grosso, V.: Simple key enumeration (and rank estimation) using histograms: an integrated approach. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 61–81. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_4CrossRefzbMATHGoogle Scholar
28.
Quisquater, J.-J., Samyde, D.: ElectroMagnetic Analysis (EMA): measures and counter-measures for smart cards. In: Attali, I., Jensen, T. (eds.) E-smart 2001. LNCS, vol. 2140, pp. 200–210. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45418-7_17CrossRefzbMATHGoogle Scholar
29.
Veyrat-Charvillon, N., Gérard, B., Renauld, M., Standaert, F.-X.: An optimal key enumeration algorithm and its application to side-channel attacks. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 390–406. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-35999-6_25CrossRefGoogle Scholar
30.
Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Security evaluations beyond computing power. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 126–141. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_8CrossRefGoogle Scholar
31.
Wang, S., Li, Y., Wang, J.: A new key rank estimation method to investigate dependent key lists of side channel attacks. In: 2017 Asian Hardware Oriented Security and Trust Symposium, AsianHOST, pp. 19–24. IEEE (2017)Google Scholar
32.
Ye, X., Eisenbarth, T., Martin, W.: Bounded, yet sufficient? How to determine whether limited side channel information enables key recovery. In: Joye, M., Moradi, A. (eds.) CARDIS 2014. LNCS, vol. 8968, pp. 215–232. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16763-3_13CrossRefGoogle Scholar

Copyright information

Authors and Affiliations

Liron David
- 1
Email author
Avishai Wool
- 1
Email author

1.School of Electrical EngineeringTel Aviv UniversityRamat AvivIsrael

Fast Analytical Rank Estimation

Abstract

Notes

Acknowledgments

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite paper