Theoretical Security Evaluation Against Side-Channel Cube Attack with Key Enumeration

Abstract

Side-channel cube attack (SCCA) is executed in a situation where an adversary can access some information about the internal states of the cipher. The adversary can obtain a system of linear equations by a set of chosen plaintexts called cube and recover the secret key using the system. Error tolerance is a challenging problem in SCCA. To recover the secret key based on likelihoods under an error-prone environment, we propose SCCA with key enumeration (SCCA-KE). Precise likelihoods are computed to obtain lists for sub-key candidates and an optimal list for the complete key candidate is generated by key enumeration. Then, we propose an evaluation method for SCCA-KE which includes information-theoretic evaluation and experimental evaluation by rank estimation. We apply the proposed evaluation method to PRESENT and show some conditions required to thwart SCCA-KE in realistic assumptions. Using the evaluation method, we can consider countermeasures with a sufficient security margin.

Appendices

A Intuitive explanation for the observation

If the number of variables in a linear equation is large, it shares variables with other equations and \(n^j\) becomes large. In early rounds, the number of secret-key variables are small in all superpolies since diffusion of key variables is not enough. In other rounds, the number of secret-key variables in each superpoly increases. However, superpolies with many secret-key variables tend to be non-linear in these rounds. Therefore, the number of secret-key variables in each linear equation is small in any round and \(n^j\) tends to be small.

B Rank estimation algorithm of [10]

Algorithm 3 shows the rank estimation algorithm. The rank-estimation algorithm outputs an estimated rank. The algorithm executes \(t_{re}\) times additions in the convolution:

$$\begin{aligned} t_{re}=\sum _{j=2}^m \ \sum _{b=j-1}^{j\cdot n_{bin} -(j-1)} n_{bin}. \end{aligned}$$

(15)

There is an estimation error caused by the convolution of histograms; however, the rank can be lower bounded by \(\sum _{b=b^\psi +\lceil \eta /2 \rceil }^{\eta \times n_{bin}-(\eta -1) } {\mathsf {H}_{1:\eta }(b)}\) and upper bounded by \(\sum _{b=b^\psi -\lceil \eta /2 \rceil }^{\eta \times n_{bin}-(\eta -1) } {\mathsf {H}_{1:\eta }(b)}\).

C Proof for Proposition 1

A lower bound of guessing entropy can be computed in each sub system.

$$\begin{aligned} LG&=\frac{1}{1+N}\sum _{\mathbf {y}} \left( \sum _{\mathbf {sk}^\psi } Pr[\mathbf {sk}^\psi , \mathbf {y} ]^{\frac{1}{2}} \right) ^2 \\&=\frac{1}{1+N}\sum _{\mathbf {y}} \left( \sum _{\mathbf {k}^\psi } \prod _{j=1}^\eta Pr[\mathbf {y}_j | \mathbf {k}^\psi _j]^{\frac{1}{2}} \cdot Pr[\mathbf {k}^\psi _j]^{\frac{1}{2}} \right) ^2 \cdot \left( \sum _{\mathbf {rk}^\psi } Pr[\mathbf {rk}^\psi ]^{\frac{1}{2}} \right) ^2 \\&=\frac{2^{n'}}{1+N} \sum _{\mathbf {y}} \left( \prod _{j=1}^\eta 2^{\frac{-n_j}{2}} \sum _{\mathbf {k}^\psi _j} Pr[\mathbf {y}_j | \mathbf {k}^\psi _j]^{\frac{1}{2}} \right) ^2 \\&=\frac{2^{n'}}{1+N} \prod _{j=1}^\eta 2^{-n_j} \sum _{\mathbf {y}_j} \left( \sum _{\mathbf {k}^\psi _j} Pr[\mathbf {y}_j | \mathbf {k}^\psi _j]^{\frac{1}{2}} \right) ^2 \\&=\frac{2^{n'}}{1+N} \prod _{j=1}^\eta LG_j \end{aligned}$$

Note that we assume that uniform prior distribution holds (\(Pr[\mathbf {k}_j]=2^{-n_j}\), \(Pr[\mathbf {rk}]=2^{-n'}\)). Then, we can simplify \(LG_j\) by expanding the square part as follows.

$$\begin{aligned}&LG_j=2^{-n_j} \sum _{\mathbf {y}_j } \sum _{o=1}^{2^{n_j}}\sum _{o'=1}^{2^{n_j}} Pr[\mathbf {y}_j|\mathbf {k}^o_j]^{\frac{1}{2}} \cdot Pr[\mathbf {y}_j|\mathbf {k}^{o'}_j]^{\frac{1}{2}} \nonumber \\&=2^{-n_j} \sum _{o=1}^{2^{n_j}}\sum _{o'=1}^{2^{n_j}} \prod _{i=1}^{L_j} \sum _{y_{j,i} }Pr[y_{j,i} \oplus x_{j,i}^{o}]^{\frac{1}{2}} \cdot Pr[y_{j,i} \oplus x_{j,i}^{o'}]^{\frac{1}{2}}\nonumber \\&=2^{-n_j} \sum _{o=1}^{2^{n_j}}\sum _{o'=1}^{2^{n_j}} \prod _{i=1}^{L_j} \left( Pr[0\oplus x_{j,i}^{o}]^{\frac{1}{2}} \cdot Pr[ 0\oplus x_{j,i}^{o'}]^{\frac{1}{2}} + Pr[1\oplus x_{j,i}^{o}]^{\frac{1}{2}} \cdot Pr[1\oplus x_{j,i}^{o'}]^{\frac{1}{2}} \right) \nonumber \\&=2^{-n_j} \sum _{o=1}^{2^{n_j}} \mathop { \sum _{o'=1}^{2^{n_j}}}\limits _{o'\ne o} \left( \mathop { \prod _{i=1 }^{L_j} }\limits _{x_{j,i}^{o} \ne x_{j,i}^{o'}} 2 \cdot p_{j,i}^{\frac{1}{2}}\cdot (1-p_{j,i})^{\frac{1}{2}} \right) + 1 \end{aligned}$$

(16)

In the last rearrangement, we only consider products of probabilities such that \(x_{j,i}^{o} \ne x_{j,i}^{o'}\), since a product of probabilities is always 1 if \(x_{j,i}^{o} = x_{j,i}^{o'}\). If \(o=o'\), the above product is always 1 and there are \(2^{n_j}\) pairs of the same candidate; therefore, \(2^{n_j}\cdot 2^{-n_j}=1\) is added in the last.     \(\square \)