Near Collision Side Channel Attacks
Abstract
Side channel collision attacks are a powerful method to exploit side channel leakage. Apart from a few exceptions, collision attacks usually combine leakage from distinct points in time, making them inherently bivariate. This work introduces the notion of near collisions to exploit the fact that values depending on the same subkey can have similar, while not identical, leakage. We show how such knowledge can be exploited to mount a key recovery attack. The presented approach has several desirable features when compared to other state-of-the-art collision attacks: Near collision attacks are truly univariate. They have low requirements on the leakage functions, since they work well for leakages that are linear in the bits of the targeted intermediate state. They are applicable in the presence of masking countermeasures if there exist distinguishable leakages, as in the case of leakage squeezing. Results are backed up by a broad range of simulations for unprotected and masked implementations, as well as an analysis of the measurement set provided by DPA Contest v4.
Keywords: Side channel collision attack; Leakage squeezing; Differential power analysis
1 Introduction
Side channel analysis and countermeasures belong to the most active research areas of applied cryptography today. Many variants are known, and all kinds of attacks and defenses have been introduced since the seminal paper by Kocher et al. [13]. The assumptions for attacks, power and adversary models vary, but all together it can be said that the challenge remains to defend against this type of attack, as an adversary is assumed to always take the next step.
For example, side channel collision attacks exploit the fact that identical intermediate values consume the same power and hence similar patterns can be observed in power/EM measurements. More specifically, an internal collision attack exploits the fact that a collision in an algorithm often occurs for some intermediate values. This happens if, for at least two different inputs, a function within the algorithm returns the same output. In this case, the side channel traces are assumed to be very similar during the time span in which the internal collision persists. Since their original proposal [21], a number of works have improved on various aspects of collision attacks, such as collision finding [5] or effective key recovery [10].
There are also different approaches to collision detection. Batina et al. introduce Differential Cluster Analysis (DCA) as a new method to detect internal collisions and extract keys from side channel signals [2]. The new strategy includes key hypothesis testing and a partitioning step similar to those of DPA. Being inherently multivariate, DCA as a technique also inspired a simple extension of standard DPA to multivariate analysis. The approach by Moradi et al. [17] extends collision attacks by creating a first order (or higher order in [15]) leakage model and comparing it to the leakage of other key bytes through correlation. The approach is univariate only if leakages for different subkeys occur at the same time instance, i.e. for parallel implementations, as often found in hardware. When software implementations are considered, these two sensitive values leak at different times; therefore other papers pursued a similar attack for software implementations in a bivariate setting [8, 23]. Although finding the exact time samples which leak information about the intended intermediate variables increases the attack complexity, this type of attack is especially favourable when the leakage function is unknown, or when it is a nonlinear function of the bits of the sensitive variable [10].
In general, it is desirable for attacks to apply to a wide range of leakage functions. Some strategies are leakage model agnostic, e.g. Mutual Information Analysis [11]. In contrast to this assumption-less approach to the leakage model, there is also the alternative of choosing a very generic model, as in the stochastic models approach [20]. We follow this direction in restricting ourselves to leakages that are linear functions of the contributing bits. Nevertheless, in our scenario this is considered merely as a ballpark rather than a restriction.
When univariate attacks such as the one proposed in this work are considered, the best way to mitigate them is to implement a masking scheme. However, one of the biggest drawbacks of masking schemes is the overhead they introduce into implementations. Recently there has been rising interest in reducing the entropy needed, and thereby the implementation overhead, by cleverly choosing masks from a reduced set. These approaches are commonly referred to as low entropy masking schemes (LEMS) or leakage squeezing. In fact, LEMS are a low-cost solution proposed to at least keep or even enhance the security over classical masking [7, 18, 19]. Since the proposal, LEMS have been analyzed from different angles, including specific attacks [24], a detailed analysis of the applicability of the assumptions made [12], and problems that may occur during implementation [16]. Attention to LEMS has been concentrated on a specific version of LEMS, the Rotating S-box Masking (RSM) [18], since it has been used for both DPA contest v4 and v4.2 [3].
- We introduce a new way of analysing side channel measurements which is void of strong assumptions on the power consumption of a device.
- The attack that we propose is a non-profiled univariate attack which only assumes that the leakage function of the target device is linear.
- We further extend this idea to analyse a low entropy masking scheme by improving on [24], and we show that our technique recovers the key more efficiently than generic univariate mutual information analysis.
- The proposed attack is applicable to any low entropy mask set that is a binary linear code [4].
2 Background and Notation
In this section we briefly summarize side channel attacks and also introduce the notation used throughout the paper.
Side channel analysis is a cryptanalysis method aiming to recover the secret key of a cryptographic algorithm by analyzing unintended information leakages observed through various means. In this work, we focus on information leaked through the power consumption or electromagnetic emanations of an implementation. Further, we use the Advanced Encryption Standard (AES) to explain our new attack and run experiments, as it is a widely deployed crypto algorithm around the world. This ensures comparability with other works in the literature that use AES for presenting results, but does not hinder generalization to other block ciphers in a natural way.
Correlation based power or EM analysis (CPA) against AES implementations usually focuses on the output of the S-box operation, which is the only nonlinear element of the algorithm. This nonlinearity ensures good distinguishability between the correct and incorrect key guesses for CPA: the correlation between the observed and the predicted power or EM leakage will be (close to) zero if the key guess is incorrect, due to the highly nonlinear relation between the predicted state and the key. To run a CPA, the analyst observes the power (or EM) leakage of the device for each input \(x\in X\) and stores it as an observed value \(o^x \in O^X\). The next step is to reveal the relation between \(o^x\) and x by estimating the power consumption of the target device. Assume that the analyst would like to estimate the power consumption with the Hamming weight function (\(\text{HW}(x)\)), which returns the number of ones in the bit representation of a given variable. In this case, the power estimation for the input value x becomes \(P(x,k_g) = \text{HW}(S(x\oplus k_g) )\), where \(k_g\) is a key guess for the part of the key related to x. Proceeding this way, the analyst forms 256 sets \(P_{k_g} = \{P(x,k_g) : x\in X\}\) from the known input values \(x_i \in X\), one for each key guess \(k_g \in \mathbb {F}^8_2\). What remains is to compare the estimated power consumptions \(P_{k_g}\) with the set of observations \(O^X\) of the power consumption through a distinguisher, in this case by computing the Pearson correlation coefficient \(\rho (P_{k_g},O^X),\ \forall k_g \in \mathbb {F}_2^8\). If the analyst has sufficient data and if the modelled leakage P is close enough to the actual leakage function L of the device (i.e. a linear representative of L), then the correct key \(k_c\) should result in a distinguishing value for the Pearson correlation when compared to the wrong key guesses \(k_w\).
If P is not a linear representative of L, however, then the correct key may not be distinguishable with this technique. Therefore, the choice of power model determines the strength of CPA.
3 Side Channel Near Collision Attack
In this section we introduce the univariate non-profiled attack, namely the side channel near collision attack (NCA), using an AES implementation as example. NCA is very similar to other collision attacks in the sense that a priori knowledge of the leakage function is not required to mount it. However, unlike collision attacks proposed up until now, the near collision attack exploits the existence of very similar but yet distinct values that are computed when the inputs are assumed to be selected uniformly at random from the entire set of inputs, \(\mathbb {F}_2^{8}\). This brings up an implicit power model assumption that the power consumption should be linearly related to the bits of the sensitive value that is computed in the device. In comparison to the popular Hamming weight model, this implicit power model assumption is a much weaker one and therefore makes the attack more powerful against a wider range of platforms and devices with different leakage functions.
For real measurements, this attack can be implemented in a known-plaintext setting by computing the means of the observed values, \(\mu (O^{x_0^i})\) and \(\mu (O^{x_1^i})\), for each input value \(x_0^i\) and \(x_1^i\) to reduce noise, as in [17]. Furthermore, the attack can be run on vectors of more than 128 values by repeating it for different values of t in the byte difference \(\varDelta (t)\); the resulting correlation coefficients can then be added together for each key guess \(k_g\) to form one final value that distinguishes the key better.
3.1 Simulated Experiments on Unprotected AES Implementation
We have run simulated experiments to assess the capabilities of the near collision attack (NCA) and its efficiency in comparison to other similar attacks in the literature. To evaluate how our attack reacts to noise, we have fixed the number of traces and conducted experiments with various signal-to-noise ratio values (SNR = \(\frac{var(signal)}{var(noise)}\), where signal and noise are computed as defined in [14]).
An important note here is that we have used scaled simulated values to mimic the measurements collected from an oscilloscope. Usually, when simulated measurements are analysed, the fact that simulations provide unnaturally optimistic measurements is neglected. Since this may lead to misleading simulation results which cannot be reproduced in real life, we have chosen to filter the simulated traces and scale them to the resolution of an 8-bit oscilloscope, therefore producing 256 unique values for the traces. Note that, depending on the noise level, the simulated traces can cover a large range of values. Therefore we have chosen to scale the values such that the maximum and minimum values (128 and −127) are assigned to \((\mu + 3 \times \sigma )\) and \((\mu - 3 \times \sigma )\) respectively, where \(\mu \) is the mean and \(\sigma \) is the standard deviation of the simulated traces. The rest of the values are distributed equally over sub-ranges of equal size.
 (a) The first method computes the Hamming weight of the S-box output (HW model).
 (b) The second method is a weighted linear function of the bits of the S-box output, where the weight values are picked uniformly at random in the range \([-1,1]\subset \mathbb {R}\) (Random linear model).
For comparison, we have selected the popular non-profiling univariate attacks, namely: correlation power analysis (CPA) [6], absolute sum DPA (ASDPA) [1], the non-profiled linear regression attack (NPLRA) [9], and univariate mutual information analysis (UMIA) [11]. We have included CPA with the Hamming weight model as a basis for comparison, as it is a popular choice for doing side channel analysis. ASDPA and NPLRA were chosen to compare with attacks which also have weak assumptions on the leakage model; ASDPA assumes that each bit of the sensitive variable contributes significantly to the power consumption, whereas NPLRA usually limits the algebraic order of the leakage function. For this work, we have restricted the basis functions of NPLRA to linear relations (the case \(d=1\) in [9]), so that it is a fair comparison to our work. Furthermore, we have included the leakage model dependent UMIA with the Hamming weight model (UMIA(HW)), and the leakage model agnostic variant of UMIA which measures the mutual information between the least significant 7 bits of the sensitive variable and the power measurements (UMIA(7 LSB)).
Finally, if we only consider the attacks which have fewer assumptions on the leakage function, absolute sum DPA and the non-profiled linear regression attack seem to be able to deal with noise more efficiently than NCA in an unprotected setting. Section 4 explains how the near collision approach of looking for small differences in the sensitive values can lead to a significant improvement over the state-of-the-art attack against low entropy masking schemes.
3.2 Implementation Efficiency of NCA
Table 1. Average timing results from 100 independent experiments.
Technique         Time (s)
NCA               5.2727
CPA (HW)          1.0285
ASDPA             1.1568
NPLRA (d = 1)     2.7621
UMIA (HW)         1.4130
UMIA (7 LSB)      6.6153
Looking at the results presented in Table 1 and also Fig. 2, ASDPA seems to be the best choice for the analyst in the tested cases in terms of running time and the ability to deal with Gaussian noise. However, even though ASDPA and NPLRA are more efficient in the unprotected case, these techniques are not applicable in a univariate attack setting against low entropy masking schemes.
4 Near Collision Attack Against LEMS
4.1 Leaking Set Collision Attack
4.2 Leaking Set Near Collision Attack
 1. Generate the (disjoint) subsets of inputs x whose S-box outputs contribute to the same distribution: $$D_{M_{16}}^{x_i} = \{ x : x= S^{-1}(S(x_i) \oplus m),\ \forall \ m\in M_{16}\}.$$
 2. Make a key guess \(k_g\).
 3. For each input byte \(x \oplus k_g\) which contributes to the same distribution (i.e. \(x \oplus k_g \in D_{M_{16}}^{x_i}\)), collect the corresponding measurement sample in a set \(O^{x_i}(k_g)\).
 4. Use the 2-sample Kolmogorov-Smirnov (KS) test to check how similar the distributions of \(O^{x_i}(k_g)\) and \(O^{x_j}(k_g)\) are, where \(S(x_i) \oplus S(x_j) = \varDelta (t),\ \forall t \in \{1,...,8\}\).
 5. Store the sum of all 2-sample KS test statistics for each \(k_g\).
Note that in Step 4, only the sets which have a 1-bit difference between them are used for the 2-sample KS-test statistic calculation. In fact, sets with more than one bit difference in their S-box outputs might have the same Hamming weight, which in turn leads to similar (but not the same) distributions. Therefore, we expect the correct key to lead to a large distance between the two distributions. In case of an incorrect key guess however, each of the 16 elements in the set \(D_{M_{16}}^{x_i}\) will lead to 16 distinct values after the S-box, therefore resulting in a distribution which spans the entire space \(\mathbb {F}_2^8\). Sets with only one bit difference however will always result in different distributions. For instance, if the device leaks the Hamming weight of a value it computes, comparing sets with more than one bit difference would introduce noise in the cumulative KS-test statistic, as the values \((\texttt {05})_{16}\) and \((\texttt {03})_{16}\) have a 2-bit XOR difference between them but the same Hamming weight. Further note that doing the analysis on 1-bit different sensitive values limits the analysis to 64 calls to the 2-sample KS-test, which saves running time when the device leaks the Hamming weight of the sensitive variable. On the other hand, if the leakage function is an injection, all \(\binom{16}{2} = 120\) combinations should be compared cumulatively. Here, using only the sets with 1-bit difference for comparison can be thought of as a method similar to using mutual information analysis (MIA) with the Hamming weight model for estimating the power consumption, since there is an implicit leakage function assumption that there is no inter-bit interaction in the leaking variable. In fact, if the leakage function is nonlinear, the improvement gained through using only 1-bit different sets for comparing distributions would be less pronounced.
Unlike LSCA (outlined in Sect. 4.1), the cumulative test statistic now results in much smaller values for the incorrect key guesses. This is due to the fact that a wrong key guess (\(k_w\)) results in a random sampling of the set \(\mathbb {F}_2^8\), and taking into account that the 16 masks in \(M_{16}\) result in 16 distinct values for each sample in the set, the resulting \(O^{x_i}(k_w)\) has a cardinality much closer to that of \(\mathbb {F}_2^8\). However, this does not diminish the distinguishability of the correct key from the other candidates. In the case where the key guess is correct (\(k_c\)), the set \(O^{x_i}(k_c)\) will have around 16 unique values (the exact number can increase due to noise in the measurement setup). Now that we have a much smaller sampling of the set \(\mathbb {F}_2^8\), a comparison of distinct sets (\([O^{x_i}(k_c),O^{x_j}(k_c)],\ i \ne j\)) is more meaningful, and in fact the cumulative 2-sample KS-test statistic results in a larger value than the one obtained for a wrong key guess, as the distributions are definitely different.
Note that this mask set is an example of the mask sets that are generated as a linear code [4]. As binary linear codes have the intrinsic property of being closed sets with respect to the XOR operation, any mask set that is a binary linear code is vulnerable to the attack explained in this section.
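As an added example (not code from the paper), the following Python script runs both attacks on constructed, simulated traces: the near collision attack of Sect. 3 and the five-step leaking set near collision attack of Sect. 4.2. The pairing rule in nca() (inputs whose S-box outputs differ by exactly one bit Δ(t), the two mean-leakage vectors correlated and the correlations summed over t) is inferred from the Δ(t) notation of Sect. 4.2 and the description in Sect. 3, and is an assumption of this example; the mask set M16 (an [8,4,4] binary linear code chosen for illustration, not the DPA Contest v4 set), the leakage weights, the key byte, the noise level and the trace counts are all constructed here.

```python
"""Added example, not the paper's code: NCA (Sect. 3) and LSNCA (Sect. 4.2) on simulated AES S-box leakage."""
import random
from itertools import combinations

def aes_sbox():
    """AES S-box from GF(2^8) inversion + affine map; p walks the multiplicative group, q = 1/p."""
    sbox, p, q = [0] * 256, 1, 1
    for _ in range(255):                                          # 3 generates the whole group
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        for s in (1, 2, 4):
            q ^= (q << s) & 0xFF
        q ^= 0x09 if q & 0x80 else 0                              # q /= 3
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)        # affine map, rotations unfolded
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF                    # fold rotated-out bits back in
    sbox[0] = 0x63
    return sbox

SBOX = aes_sbox()
SBOX_INV = sorted(range(256), key=SBOX.__getitem__)        # SBOX_INV[SBOX[x]] == x
MASKS = [0]
for _g in (0xF0, 0xCC, 0xAA, 0xFF):                         # constructed M16: an [8,4,4] linear code
    MASKS += [_m ^ _g for _m in MASKS]
COSET = [min(v ^ m for m in MASKS) for v in range(256)]     # leaking-set label of each S-box output

def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va, vb = sum((x - ma) ** 2 for x in a), sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5 if va and vb else 0.0

def ks_stat(a, b):
    """Two-sample Kolmogorov-Smirnov statistic: largest gap between the two empirical CDFs."""
    a, b = sorted(a), sorted(b)
    na, nb, ia, ib, best = len(a), len(b), 0, 0, 0.0
    while ia < na and ib < nb:
        v = min(a[ia], b[ib])
        while ia < na and a[ia] == v:
            ia += 1
        while ib < nb and b[ib] == v:
            ib += 1
        best = max(best, abs(ia / na - ib / nb))
    return best

def simulate(key, weights, n, sigma, masks=None, seed=1):
    """Constructed known-plaintext traces (input byte, sample): the sample is linear in the bits
    of the S-box output, XORed with a random mask from `masks` if given, plus Gaussian noise."""
    rng, traces = random.Random(seed), []
    for _ in range(n):
        x = rng.randrange(256)
        v = SBOX[x ^ key] ^ (rng.choice(masks) if masks else 0)
        traces.append((x, sum(w for t, w in enumerate(weights) if v >> t & 1) + rng.gauss(0.0, sigma)))
    return traces

def nca(traces):
    """NCA: average samples per input; for each key guess and bit t, pair inputs whose S-box outputs
    differ exactly by Delta(t) = 1 << t, correlate the two 128-element mean vectors, sum over t."""
    per_input = [[] for _ in range(256)]
    for x, o in traces:
        per_input[x].append(o)
    mean = [sum(v) / len(v) if v else 0.0 for v in per_input]
    scores = []
    for kg in range(256):
        total = 0.0
        for t in range(8):
            lhs, rhs = [], []
            for x0 in range(256):
                v0 = SBOX[x0 ^ kg]
                if not v0 & (1 << t):                           # each pair once, from the bit-clear side
                    lhs.append(mean[x0])
                    rhs.append(mean[SBOX_INV[v0 ^ (1 << t)] ^ kg])
            total += pearson(lhs, rhs)
        scores.append(total)
    return scores

def leaking_set_pairs(neighbours_only=True):
    """Leaking-set pairs to compare: 1-bit neighbours (64 pairs) or all 120 pairs."""
    return [(ci, cj) for ci, cj in combinations(sorted(set(COSET)), 2)
            if not neighbours_only or any(COSET[ci ^ (1 << t)] == cj for t in range(8))]

def lsnca(traces, neighbours_only=True):
    """LSNCA: sort samples into the 16 leaking sets (cosets of M16 under each key guess) and
    sum the 2-sample KS statistics over the chosen pairs of sets; wrong guesses mix the cosets."""
    pairs, scores = leaking_set_pairs(neighbours_only), []
    for kg in range(256):
        sets = {}
        for x, o in traces:
            sets.setdefault(COSET[SBOX[x ^ kg]], []).append(o)
        scores.append(sum(ks_stat(sets[ci], sets[cj]) for ci, cj in pairs if ci in sets and cj in sets))
    return scores
```

Calling nca(simulate(key, W, 5120, 1.0)) or lsnca(simulate(key, W, 4096, 0.4, MASKS)) returns one score per key guess, and the index of the largest score is the recovered key byte; leaking_set_pairs(False) switches LSNCA to the 120 all-pairs comparison discussed above.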
4.3 Simulated Experiments on AES Implementation with LEMS
In this section we present the results of our simulated experiments with different SNR values and with two different leakage functions, as in Sect. 3.1. In our simulations, we compare our attacks to the previously proposed univariate, non-profiled attacks: univariate MIA (UMIA) and LSCA as recalled in Sect. 4.1. To compare the efficiency of the attacks in terms of the expected remaining work to find the key, we use the guessing entropy metric [22]. For each experiment using a random linear model as the leakage function, we generate 8 values which are picked uniformly at random from \([1,10] \subset \mathbb {R}\). Unlike the simulations presented in Sect. 3.1, we have chosen to use a slightly different linear leakage function, one that favours attacks which assume that each bit of the sensitive value contributes to the leakage. Although this may not always be the case in real life, we choose this leakage function as it is a favourable leakage model for MIA with the Hamming weight model. We present results showing that the technique proposed in Sect. 4.2 is more efficient than MIA in terms of handling noise in an unknown linear leakage model setting, even when the leakage model favours MIA.
4.4 Experiments on DPA Contest v4 Traces
The first thing to notice in the figure is that LSCA has some room for improvement even when compared to a generic univariate MIA (UMIA (7-bit) in Fig. 5). On the other hand, when MIA is applied with a more accurate power model (in this case the Hamming weight model), the gap is rather large. When the leaking set near collision attack proposed in this work is considered, it is easy to see that the variant which does not assume any power model (‘ID’) is twice as efficient in terms of the number of traces required to recover the full key when compared to the generic univariate MIA (‘7 LSB’). Moreover, when the leakage function is assumed to have a linear relation to the bits of the leaking value, the results are almost identical to those of a univariate MIA which models the power consumption as the Hamming weight of the leaking value. One should note that the Hamming weight model is rather accurate in this case, as SNR values (computed with the Hamming weight model) vary between 3 and 5 for the points taken into consideration for the analysis.
4.5 Implementation Efficiency of the Attack
Similar to the near collision attack, the leaking set near collision attack also requires finding the traces in the measurement set which correspond to a set of input bytes. Although this operation is computationally heavy when applied to a large trace set, it does not get worse when multiple samples need to be analysed. The analyst can group all the traces corresponding to a leaking set and then compute the 2-sample KS test statistic for each sample of a pair of leaking sets.
Table 2. Average timing results from 100 independent experiments.
Technique         Time (s)
LSNCA (Linear)    13.7144
LSNCA (ID)        15.4003
LSCA              8.6176
UMIA (HW)         1.5648
UMIA (7 LSB)      7.6951
Looking at the results presented in Table 2 and taking into consideration that the leaking set near collision attacks (LSNCA) require fewer traces, they are the strongest attacks against software implementations of LEMS.
5 Conclusions
In this work, we introduced a new way of analysing side channel traces, namely the side channel near collision attack (NCA). Unlike the collision attacks proposed in the literature, NCA is intrinsically univariate and only assumes the leakage function to be linear. Simulations show that NCA is indifferent to changes in the linear leakage function.
Furthermore, we present a new attack, the leaking set near collision attack, against the low entropy masking scheme used in DPA Contest v4 [19]. This attack improves on the attack proposed in [24] by fully exploiting the properties of the used mask set and combining it with the NCA approach. As the proposed attack is univariate, it is especially of interest for software implementations of low entropy masking schemes. Simulations show that in case the leakage function diverges from a perfect Hamming weight leakage but still remains a linear function, our attack outperforms univariate MIA.
It should be noted that not only the mask set \(M_{16}\), but all mask sets whose elements are linearly related (as proposed in [4]), are vulnerable to the attack presented in this paper.
Applying the proposed analysis methods to nonlinear leakage functions remains a direction for future work.
Acknowledgements
This work was supported in part by the Technology Foundation STW (project 12624, SIDES), The Netherlands Organization for Scientific Research NWO (project ProFIL 628.001.007), the ICT COST actions IC1204 TRUDEVICE and IC1403 CRYPTACUS. LB is supported by NWO VIDI and Aspasia grants. TE is supported by the National Science Foundation under grant CNS-1314770.
References
1. Agrawal, D., Rao, J.R., Rohatgi, P.: Multi-channel attacks. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 2–16. Springer, Heidelberg (2003). http://dx.doi.org/10.1007/978-3-540-45238-6_2
2. Batina, L., Gierlichs, B., Lemke-Rust, K.: Differential cluster analysis. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 112–127. Springer, Heidelberg (2009). http://dx.doi.org/10.1007/978-3-642-04138-9_9
3. Bhasin, S., Bruneau, N., Danger, J.-L., Guilley, S., Najm, Z.: Analysis and improvements of the DPA contest v4 implementation. In: Chakraborty, R.S., Matyas, V., Schaumont, P. (eds.) SPACE 2014. LNCS, vol. 8804, pp. 201–218. Springer, Heidelberg (2014). http://dx.doi.org/10.1007/978-3-319-12060-7_14
4. Bhasin, S., Carlet, C., Guilley, S.: Theory of masking with codewords in hardware: low-weight \(d\)-th order correlation-immune Boolean functions. Cryptology ePrint Archive, Report 2013/303 (2013). http://eprint.iacr.org/
5. Bogdanov, A.: Multiple-differential side-channel collision attacks on AES. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 30–44. Springer, Heidelberg (2008). http://dx.doi.org/10.1007/978-3-540-85053-3_3
6. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). http://dx.doi.org/10.1007/978-3-540-28632-5_2
7. Carlet, C., Danger, J.-L., Guilley, S., Maghrebi, H.: Leakage squeezing of order two. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 120–139. Springer, Heidelberg (2012). http://dx.doi.org/10.1007/978-3-642-34931-7_8
8. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Improved collision-correlation power analysis on first order protected AES. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 49–62. Springer, Heidelberg (2011). http://dx.doi.org/10.1007/978-3-642-23951-9_4
9. Doget, J., Prouff, E., Rivain, M., Standaert, F.-X.: Univariate side channel attacks and leakage modeling. J. Cryptograph. Eng. 1(2), 123–144 (2011). http://dx.doi.org/10.1007/s13389-011-0010-2
10. Gérard, B., Standaert, F.-X.: Unified and optimized linear collision attacks and their application in a non-profiled setting. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 175–192. Springer, Heidelberg (2012). http://dx.doi.org/10.1007/978-3-642-33027-8_11
11. Gierlichs, B., Batina, L., Tuyls, P., Preneel, B.: Mutual information analysis. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 426–442. Springer, Heidelberg (2008). http://dx.doi.org/10.1007/978-3-540-85053-3_27
12. Grosso, V., Standaert, F.-X., Prouff, E.: Leakage Squeezing, Revisited (2013)
13. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
14. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards (Advances in Information Security). Springer, New York, Secaucus (2007)
15. Moradi, A.: Statistical tools flavor side-channel collision attacks. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 428–445. Springer, Heidelberg (2012). http://dx.doi.org/10.1007/978-3-642-29011-4_26
16. Moradi, A., Guilley, S., Heuser, A.: Detecting hidden leakages. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 324–342. Springer, Heidelberg (2014). http://dx.doi.org/10.1007/978-3-319-07536-5_20
17. Moradi, A., Mischke, O., Eisenbarth, T.: Correlation-enhanced power analysis collision attack. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 125–139. Springer, Heidelberg (2010). http://dx.doi.org/10.1007/978-3-642-15031-9_9
18. Nassar, M., Guilley, S., Danger, J.-L.: Formal analysis of the entropy/security trade-off in first-order masking countermeasures against side-channel attacks. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 22–39. Springer, Heidelberg (2011). http://dx.doi.org/10.1007/978-3-642-25578-6_4
19. Nassar, M., Souissi, Y., Guilley, S., Danger, J.-L.: RSM: a small and fast countermeasure for AES, secure against 1st- and 2nd-order zero-offset SCAs. In: Proceedings of the Conference on Design, Automation and Test in Europe, DATE 2012, EDA Consortium, San Jose, CA, USA, pp. 1173–1178 (2012). http://dl.acm.org/citation.cfm?id=2492708.2492999
20. Schindler, W., Lemke, K., Paar, C.: A stochastic model for differential side channel cryptanalysis. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 30–46. Springer, Heidelberg (2005). http://dx.doi.org/10.1007/11545262_3
21. Schramm, K., Wollinger, T., Paar, C.: A new class of collision attacks and its application to DES. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 206–222. Springer, Heidelberg (2003). http://dx.doi.org/10.1007/978-3-540-39887-5_16
22. Standaert, F.-X., Malkin, T.G., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 443–461. Springer, Heidelberg (2009). http://dx.doi.org/10.1007/978-3-642-01001-9_26
23. Ye, X., Chen, C., Eisenbarth, T.: Non-linear collision analysis. In: Sadeghi, A.-R., Saxena, N. (eds.) RFIDSec 2014. LNCS, vol. 8651, pp. 198–214. Springer, Heidelberg (2014). http://dx.doi.org/10.1007/978-3-319-13066-8_13
24. Ye, X., Eisenbarth, T.: On the vulnerability of low entropy masking schemes. In: Francillon, A., Rohatgi, P. (eds.) CARDIS 2013. LNCS, vol. 8419, pp. 44–60. Springer, Heidelberg (2014). http://dx.doi.org/10.1007/978-3-319-08302-5_4