1 Introduction

Cryptographic devices leak information through channels such as power consumption [7] and electromagnetic emanations [2] while they are in operation. Side channel attacks can efficiently recover the key from such leakage and pose serious threats to the security of cryptographic implementations. The side channel collision attack was first introduced in [13] against DES and extended in [12]. Nonlinear S-boxes are usually chosen as attack points. Linear parts, such as MixColumns of AES, are also targeted in collision attacks [12].

One advantage of the collision attack is that it can help defeat the random masking of some AES implementations [3] and DES implementations [6]. Moradi et al. proposed MDCA based on binary voting and ternary voting [4]. Subsequently, they proposed CCA [9], which establishes the relationship among several key bytes using the collisions between different S-boxes. CCA is very efficient against masking schemes such as Rotating S-boxes Masking (RSM) [10]. Because CCA directly uses the correlation coefficients between two columns of two different S-boxes, it does not rely on any hypothetical power leakage model. In 2012, Bogdanov and Kizhvatov combined CPA with collision attack, which was more efficient than both stand-alone CPA and collision attack [5]. They also introduced the concept of test of chain, but gave no practical scheme in their paper. Wang et al. proposed the fault tolerant chain in [15]. As far as we know, the fault tolerant chain is the only practical scheme to enhance test of chain, so in this paper we compare our scheme only with the fault tolerant chain.

Let \(k_{a}\) and \(k_{b}\) denote the \(a^{th}\) and the \(b^{th}\) key bytes respectively. Taking AES as an example, CCA considers the relationship between two key bytes. However, any key byte falling outside the threshold \(Thr_{k}\) results in very complex key recovery, since the attacker does not know which one is in error. The scheme of Wang et al. can identify the specific erroneous key byte. However, the scheme may not be a good one. Firstly, the efficiency of CCA is much lower than that of CPA, so a combination of CCA and CPA is unreasonable. Secondly, the threshold \(Thr_{\varDelta }\) (\(\varDelta _{(k_{a},k_{b})}=k_{a} \oplus k_{b}\)) of any two key bytes \(k_{a}\) and \(k_{b}\) is always set to 1, so a lot of correct \(\varDelta \) values fall outside the threshold. This leads to failure of key recovery. Thirdly, the scheme uses only one \(\varDelta _{(k_{a},k_{b})}\) to identify the value of key byte \(k_{b}\). If both \(\varDelta _{(k_{a},k_{b})}\) and \(k_{b}\) are wrong but still satisfy \(k_{b}=\varDelta _{(k_{a},k_{b})} \oplus k_{a}\), the scheme of Wang et al. will regard \(k_{b}\) as the correct key byte, which leads to the failure of key recovery. Actually, the probability of this situation is about 10% when \(Thr_{k}=2\) and reaches more than 70% when \(Thr_{k}=8\) (see Fig. 4).

In this paper, we propose group verification chain to enhance fault tolerant chain. We then combine MDCA with our group verification chain and propose Group Verification based MDCA (GV-MDCA). Two schemes named Frequency based GV-MDCA (FGV-MDCA) and Weight based GV-MDCA (WGV-MDCA) are given. Our scheme can successfully search the correct key in large thresholds and significantly improve the attack efficiency.

This paper is organized as follows. MDCA, CCA, Bogdanov and Kizhvatov’s test of chain and fault tolerant chain proposed by Wang et al. are briefly introduced in Sect. 2. In Sect. 3, group verification chain is introduced. FGV-MDCA and WGV-MDCA are given in this section. Experiments are performed on power trace set secmatv1 downloaded from the website DPA contest v4 [1] in Sect. 4. Finally, we conclude this paper in Sect. 5.

2 Preliminaries

Bogdanov and Kizhvatov proposed the linear collision attack in [5]. AES performs 16 parallel SubBytes operations within the first round. A collision occurs if two S-boxes, within the same AES encryption or within several AES encryptions, accept the same byte value as their input. \(K=\left\{ k_{j} \right\} _{j=1}^{16}\), \(k_{j}\in F_{2^{8}}\) is the 16-byte subkey in the first round of AES. \(P^{i}=\left\{ p_{j}^{i} \right\} _{j=1}^{16}\), \(p_{j}^{i}\in F_{2^{8}}\), are plaintexts, where i = 1,2, ... indexes the AES executions. If

$$\begin{aligned} S(p_{j_{1}}^{i_{1}}\oplus k_{j_{1}})=S(p_{j_{2}}^{i_{2}}\oplus k_{j_{2}}), \end{aligned} \tag{1}$$

a collision happens. The attacker obtains a linear equation

$$\begin{aligned} p_{j_{1}}^{i_{1}}\oplus p_{j_{2}}^{i_{2}}= k_{j_{1}} \oplus k_{j_{2}} = \varDelta _{(k_{j_{1}},k_{j_{2}})}. \end{aligned} \tag{2}$$

Each equation is named a step of a chain [5].

2.1 Multiple Differential Collision Attack

When side channel collision theory is applied in a side channel attack, the attacker encounters a problem: how to detect collisions. The attacker can do this by comparing the power traces of two S-boxes. For example, Bogdanov set a differential threshold in his MDCA. If the correlation coefficient of these two power traces was larger than the differential threshold, he deemed that a collision had happened.

2.2 Correlation Enhanced Collision Attack

Moradi et al. divided the power trace sections of each S-box into 256 classes according to their plaintext byte \(\alpha \) from 0 to 255 [9]. Then, they averaged the power traces in each class and obtained 256 averaged power traces. Let \(M_{j}^{\alpha }\) denote the averaged power trace of the \(j^{th}\) S-box where the \(j^{th}\) plaintext byte is equal to \(\alpha \).

The value \(\varDelta _{(k_{a},k_{b})} = k_{a} \oplus k_{b}\) is a constant, since the key used in the cryptographic device is constant. Hence, a collision occurs whenever the \(a^{th}\) and \(b^{th}\) plaintext bytes show the same difference. Moradi et al. guessed the difference \(\varDelta _{(k_{a},k_{b})}\) and verified their guess by detecting all collisions \(p_{a} = \alpha \) and \(p_{b} =\alpha \oplus \varDelta _{(k_{a},k_{b})}\) for all \(\alpha \in GF(2^{8})\) [9]. To detect the correct \(\varDelta _{(k_{a},k_{b})}\), they calculated the correlation coefficient of \(M_{a}^{\alpha }\) and \(M_{b}^{\alpha \oplus \varDelta _{(k_{a},k_{b})}}\) for all \(\alpha \in GF(2^{8})\). The correct difference \(\varDelta _{(k_{a},k_{b})}\) of two key bytes \(k_{a}\) and \(k_{b}\) is then given by:

(3)

The correlation coefficients are computed for each \(\alpha \in GF(2^{8})\). The correct \(\varDelta _{(k_{a},k_{b})}\) corresponds to the maximum correlation coefficient.

2.3 Test of Chain

Bogdanov and Kizhvatov defined test of chain in [5]. Suppose that the attacker uses CPA to obtain the 16 guessing key byte sequences \(\left\{ \xi _{i}|i=1,2,\cdots ,16 \right\} \) of AES algorithm (as shown in Fig. 1). Specifically, he uses CCA to calculate \(\varDelta _{(k_{a},k_{b})}\) between any two key bytes \(k_{a}\) and \(k_{b}\). He then sorts correlation coefficients for all possible guess key byte values in descending order.

Each vertical line denotes a sorted guessing key byte. Each black point in Fig. 1 denotes a possible guessing key byte value. Each line from \(\xi _{a}\) to \(\xi _{b}\) (\(1\le a< b\le 16\)) denotes a step of a chain. For example, the red line from \(\xi _{2}\) to \(\xi _{3}\) denotes that the sixth guessing value of the second key byte and the first guessing value of the third key byte are in \(Thr_{k}\), and that the corresponding \(\varDelta _{(k_{2},k_{3})}\) of these two guessing values is in \(Thr_{\varDelta }\), too. \(Thr_{k}\) and \(Thr_{\varDelta }\) here are defined as the threshold of key byte values and the threshold of \(\varDelta \). As shown in Fig. 1, there are 10 black points within \(Thr_{k}\) on each vertical line, so \(Thr_{k}\) is set to 10 here. \(Thr_{\varDelta }\) is set in the same way. We only consider the guessing values in \(Thr_{k}\) on each list \(\xi _{i}\). They are the most likely candidates of the key byte \(k_{i}\).

Fig. 1. Bogdanov and Kizhvatov’s test of chain.

The chain is accepted if all key bytes of it are within the top m candidates. The chain is rejected if at least one key byte of it falls outside the top m candidates. m here is equal to \(Thr_{k}\). In order to recover the full 16-byte key, the attacker usually hopes that a chain includes 15 steps, as introduced in [5]. However, a chain of 15 steps is too long. The attacker has to calculate \(\varDelta \) between any two adjacent guessing key bytes, and the computational complexity is larger than that of exhausting all possible keys in \(Thr_{k}\). For example, if \(Thr_{k}\) and \(Thr_{\varDelta }\) are set to 10 and 5 respectively, a brute-force attack has to enumerate \(10^{16}\) guessing keys in \(Thr_{k}\). However, each step of a chain brings extra computation, because the attacker has to enumerate all \(\varDelta \)s in \(Thr_{\varDelta }\). So, the computational complexity becomes \(10^{16}\times 5^{15}\).

2.4 Fault Tolerant Chain

Bogdanov and Kizhvatov did not give a practical scheme of their test of chain in [5]. The computational complexity of their test of chain is even greater than that of a brute-force attack. For a chain, there may be several steps in the path from the free variable to the end. If an error happens in one of these steps, the key bytes computed in the following steps will be wrong, which will result in the failure of the attack. Unfortunately, errors of this kind happen with non-negligible probability and lead to the low efficiency of Bogdanov and Kizhvatov’s attack.

Wang et al. constructed a new chain named fault-tolerant chain [15]. In their scheme, \(k_{i}(i \ge 2)\) depends on only one key byte (i.e. \(k_{1}\)) instead of the other 14 key bytes. There are 15 chains from \(k_{1}\) to \(k_{i}\) \((i=2,\cdots ,16)\) (as shown in Fig. 2). Each chain includes only one step. This scheme greatly reduces the computation of the test of chain proposed by Bogdanov and Kizhvatov [5]. Specifically, if the attacker enumerates all possible keys in the thresholds, the complexity is only \(15\times (Thr_{k})^{2}\times (Thr_{\varDelta })\) compared to \((Thr_{k})^{16}\times (Thr_{\varDelta })^{15}\) for test of chain.

Fig. 2. Fault tolerant chain proposed by Wang et al.

Another advantage of the fault tolerant chain is that, if \(k_{i}\) is wrong (under the threshold line), the attacker can still attempt to recover the other key bytes. The erroneous key bytes can still be exhausted. However, the threshold \(Thr_{\varDelta }\) of CCA is always set to 1 in their paper. Specifically, the correlation coefficients of \(\varDelta _{(k_{1},k_{i})}\) of two key bytes \(k_{1}\) and \(k_{i}\) are calculated using CCA. The 256 \(\varDelta \) values are sorted according to these correlation coefficients. Then the \(\varDelta \) corresponding to the maximum correlation coefficient is chosen as the candidate. Other \(\varDelta \) values in the \(\varDelta _{(k_{1},k_{i})}\) sequence are not taken into consideration. Actually, enlarging the threshold will lead to very complex key recovery. If \(k_{i}=k_{1} \oplus \varDelta _{(k_{1},k_{i})}\) is under the threshold, they deduce that the chain is wrong. Subsequently, exhaustion is performed to find the correct key byte.

Moreover, if \(k_{i}\) and \(\varDelta _{(k_{1},k_{i})}\) are wrong and \(k_{i}=k_{1} \oplus \varDelta _{(k_{1},k_{i})}\) is still satisfied, the attacker will regard the wrong guessing \(k_{i}\) as the correct key byte value. Actually, this kind of error happens with a high probability and increases with \(Thr_{k}\). This is the main reason why the success rate declines in Fig. 4.

3 Group Verification Based MDCA

\(Thr_{\varDelta }\) is always set to 1 in the fault tolerant chain [15]. Wang et al. did not discuss how to efficiently recover the key when \(Thr_{\varDelta }>1\). In fact, enlarging \(Thr_{\varDelta }\) will result in very complex key recovery because of the huge key search space. In this case, the scheme of Wang et al. can no longer be applied.

3.1 Group Verification Chain

In this section, we introduce the group verification chain, which can be used when both \(Thr_{k}\) and \(Thr_{\varDelta }\) are set to large values. Group verification here is defined as the mutual verification among key bytes. Let \(\xi _{i}^{k}\) and \(\xi _{\gamma +1 }^{t}\) denote the \(k^{th}\) and \(t^{th}\) guessing key values in \(\xi _{i}\) and \(\xi _{\gamma +1 }\). \(\varDelta _{(i,\gamma +1 )}^{m}\) denotes the \(m^{th}\) value in the \(\varDelta _{(i,\gamma +1 )}\) sequence. If the equation

$$\begin{aligned} \xi _{i}^{k}\oplus \xi _{\gamma +1 }^{t}=\varDelta _{(i,\gamma +1 )}^{m} \end{aligned} \tag{4}$$

is satisfied, then we say that \(\xi _{\gamma +1 }^{t}\) can be verified by \(\xi _{i}^{k}\). In our group verification chain, we do not care if \(\xi _{i}^{k}\), \(\xi _{\gamma +1 }^{t}\) and \(\varDelta _{(i,\gamma +1 )}^{m}\) are the correct key byte values and \(\varDelta \) value. Each candidate value can be verified by guessing values of other key bytes just like voting. When the support of a guessing key byte value is greater than the differential threshold, we deem that this is a good candidate.

Fig. 3. Group verification chain.

Suppose that we use key byte values in \(\xi _{1},\cdots ,\xi _{5}\) to verify guessing key byte values in \(\xi _{6},\cdots ,\xi _{16}\) of the AES algorithm (as shown in Fig. 3). 120 sequences of \(\varDelta _{(k_{a},k_{b})}\) between any two key bytes \(k_{a}\) and \(k_{b}\) are also calculated. The correct key byte values are effectively supported, in that Eq. 4 is satisfied for most key values and \(\varDelta \)s. Finally, the attacker gets the correct key.

3.2 Frequency Based GV-MDCA

Bogdanov proposed MDCA using binary voting and ternary voting [4], in which multiple difference is used for collision detection between any two S-boxes. Specifically, it is used to compare the power traces of two S-boxes to judge if collision has happened. In this paper, we deem that each S-box can be used as a key byte vote for other S-boxes.

There are 16 guessing key byte sequences \(\left\{ \xi _{i}|i=1,2,\cdots ,16 \right\} \in GF(2^{8})\) corresponding to S-boxes 1,\(\cdots \), 16 of AES algorithm. Let \(Y^{FGV}\) denote a decision threshold of possible key byte values. Suppose that we use the \(1\cdots \gamma \) key bytes to verify the \((\gamma +1)^{th}\) key byte. Then, a Frequency based GV-MDCA (FGV-MDCA) can be defined as:

$$\begin{aligned} \varPsi _{\xi _{\gamma +1}^{t}}^{FGV}={\left\{ \begin{array}{ll} 1\ \text {(collision)}, & \text { if } \varPhi _{\xi _{\gamma +1}^{t}}^{FGV} > Y^{FGV} \\ 0\ \text {(no collision)}, & \text { if } \varPhi _{\xi _{\gamma +1}^{t}}^{FGV} < Y^{FGV} \end{array}\right. } \end{aligned} \tag{5}$$

where \(\varPsi _{\xi _{\gamma +1}^{t}}^{FGV}\) denotes that \(\xi _{\gamma +1}^{t}\) is a candidate byte value in the sequence \(\xi _{(\gamma +1)}\) and

$$\begin{aligned} \varPhi _{\xi _{\gamma +1}^{t}}^{FGV}=\sum _{i=1}^{\gamma }\varTheta (\xi _{i}^{k},\xi _{\gamma +1}^{t}). \end{aligned} \tag{6}$$

\(\varTheta (\xi _{i}^{k},\xi _{\gamma +1}^{t})\) here is defined as

$$\begin{aligned} \varTheta (\xi _{i}^{k},\xi _{\gamma +1}^{t})={\left\{ \begin{array}{ll} 1, & \text {if } \xi _{i}^{k}\oplus \xi _{\gamma +1}^{t}=\varDelta _{(i,\gamma +1)}^{m} \\ 0, & \text {else}. \end{array}\right. } \end{aligned} \tag{7}$$

In FGV-MDCA, the frequency of the correct byte values will be higher than those of the wrong guessing key byte values. This also shows that the correct key byte values obtain more support in the process of mutual verification, which makes them stand out. The attacker can effectively restore the key by observing the frequencies of key byte values. He does not need to enumerate all possible key values within the threshold.

3.3 Weight Based GV-MDCA

Test of chain and fault tolerant chain introduced in Sect. 2, and our FGV-MDCA introduced in Sect. 3.2, use thresholds \(Thr_{k}\) and \(Thr_{\varDelta }\). All possible keys within the thresholds are searched with the same probability. Obviously, this is unreasonable. The key values ranked at the front of \(\left\{ \xi _{i}|i=1,2,\cdots ,16 \right\} \) should be enumerated with higher priority. We therefore propose a more accurate and more efficient key search scheme named Weight Based GV-MDCA (WGV-MDCA).

The attacker obtains key byte sequences and \(\varDelta \) sequences. The key byte values at the top of the sequences should be given higher weights. CPA is much more powerful than CCA in most cases. If we use a moderate number of power traces, most of the correct byte values will be at the top of the key byte sequences \(\left\{ \xi _{i}|i=1,2,\cdots ,16 \right\} \). However, a number of correct \(\varDelta \) values are not at the top of their corresponding sequences when the same number of power traces is used. So, the \(\varDelta \) values become the most important factor in attack efficiency, and we weigh key byte values with reference to the \(\varDelta \) sequences. Specifically, \(\varTheta (\xi _{i}^{k},\xi _{\gamma +1}^{t})\) here is defined as

$$\begin{aligned} \varTheta (\xi _{i}^{k},\xi _{\gamma +1}^{t})={\left\{ \begin{array}{ll} Thr_{\varDelta }-m, & \text {if } \xi _{i}^{k}\oplus \xi _{\gamma +1}^{t}=\varDelta _{(i,\gamma +1)}^{m} \\ 0, & \text {else}. \end{array}\right. } \end{aligned} \tag{8}$$

For example, if \(Thr_{\varDelta }\) is set to 10 and m in Eq. 8 is 6 (\(\varDelta _{(i,\gamma +1)}^{6}\) is the sixth guessing value of the corresponding sequence of \(\varDelta _{(i,\gamma +1)}\)), then \(\varTheta (\xi _{i}^{k},\xi _{\gamma +1}^{t})\) is 4. By using WGV-MDCA, the difference between the correct key and wrong keys becomes more obvious compared to FGV-MDCA.

3.4 The Differential Threshold

It is very hard to get a good value of \(Y^{FGV}\) in both FGV-MDCA and WGV-MDCA. This value is very different in these two schemes. We normalize each reordered sequence. If the attacker gives a large value to \(Y^{FGV}\), the correct key byte value may be deleted. If he gives a small value to \(Y^{FGV}\), there will be a lot of guessing keys to be enumerated. We set the differential threshold \(Y^{FGV}\) of our group verification chain to \(\frac{1}{3}\). This value was chosen empirically.
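The following added example (not code from the paper) scores one target key byte with the votes of Eqs. 4 to 8 and the threshold of Sect. 3.4, and runs the single-step fault tolerant check of Sect. 2.4 on the same input. The ranked lists are constructed sample values, not measured data; two things are assumptions because the text leaves them open: every guess within \(Thr_{k}\) of every verifying byte may vote, and normalization means the share of the total support in the sequence.

```python
from fractions import Fraction

Y_GV = Fraction(1, 3)  # differential threshold chosen in Sect. 3.4

def theta(xi_k, xi_t, delta_seq, thr_delta, weighted):
    """Eq. 7 (FGV) or Eq. 8 (WGV), taken over the Delta guesses m = 1..Thr_Delta."""
    for m, delta in enumerate(delta_seq[:thr_delta], start=1):
        if xi_k ^ xi_t == delta:              # Eq. 4: xi_t is verified by xi_k
            return thr_delta - m if weighted else 1
    return 0

def support(xi_t, verifiers, deltas, thr_k, thr_delta, weighted):
    """Eq. 6: total support Phi for one guess of the target byte.
    Assumption: every guess k <= Thr_k of every verifying byte may vote."""
    return sum(theta(xi_k, xi_t, deltas[i], thr_delta, weighted)
               for i, xi in verifiers.items() for xi_k in xi[:thr_k])

def group_verify(target, verifiers, deltas, thr_k, thr_delta, weighted=False):
    """Return (normalized support per guess, guesses kept by Eq. 5, best first).
    Assumption: normalization = share of the total support in the sequence."""
    raw = {t: support(t, verifiers, deltas, thr_k, thr_delta, weighted)
           for t in target[:thr_k]}
    total = sum(raw.values())
    norm = {t: Fraction(s, total) if total else Fraction(0) for t, s in raw.items()}
    kept = sorted((t for t in norm if norm[t] > Y_GV), key=lambda t: -norm[t])
    return norm, kept

def fault_tolerant_step(k1_guess, delta_top1, target, thr_k):
    """Single-step check of Sect. 2.4: accept k1 ^ Delta if it lies within Thr_k."""
    guess = k1_guess ^ delta_top1
    return guess if guess in target[:thr_k] else None

# Constructed ranked lists (not measured data). True bytes: k1=0x2B, k2=0x7E,
# k3=0x15, target byte 0x28, so the true Deltas are 0x03, 0x56 and 0x3D.
THR_K, THR_DELTA = 4, 3
VERIFIERS = {1: [0x2B, 0x90, 0x4C, 0xE1],
             2: [0xA3, 0x7E, 0x09, 0xD4],
             3: [0x5F, 0xC2, 0x15, 0x88]}
DELTAS = {1: [0x9C, 0x03, 0x71],   # top guess is wrong, true Delta is second
          2: [0x56, 0x1A, 0xE5],
          3: [0x44, 0xF0, 0x3D]}   # true Delta is last: weight 0 under Eq. 8
TARGET = [0xB7, 0x28, 0x61, 0x0E]  # true byte 0x28 is ranked second

if __name__ == "__main__":
    wrong = fault_tolerant_step(0x2B, DELTAS[1][0], TARGET, THR_K)
    print(f"fault tolerant chain accepts 0x{wrong:02X}")
    for name, weighted in (("FGV", False), ("WGV", True)):
        norm, kept = group_verify(TARGET, VERIFIERS, DELTAS, THR_K, THR_DELTA, weighted)
        print(name, {f"0x{t:02X}": str(s) for t, s in norm.items()},
              "kept:", [f"0x{t:02X}" for t in kept])
```

On this constructed input the single-step check accepts the wrong byte 0xB7 because the wrong top \(\varDelta \) happens to map \(k_{1}\) onto it, while both votes rank 0x28 first: FGV keeps only 0x28, and WGV keeps 0x28 ahead of 0xB7.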

4 Experimental Results

Our experiments are performed on a Rotating S-boxes Masking (RSM) [8] protected AES-256 implemented on the Side-channel Attack Standard Evaluation Board (SASEBO). 10000 power traces are downloaded from the website of DPA contest v4 [1]. CCA is used to find the time samples of each S-box in the first round. To enhance the attack ability of CCA, Template Attack (TA) is combined with CCA. Then, we extract 4 interesting points from a time interval of about a clock cycle, as suggested in [11].

We only compare our group verification chain with the fault tolerant chain proposed by Wang et al. [15], since the fault tolerant chain is so far the only practical scheme. \(\xi _{1},\cdots ,\xi _{7}\) are used to verify guessing key byte values on \(\xi _{8},\cdots ,\xi _{16}\). \(\xi _{10},\cdots ,\xi _{16}\) are used to verify guessing key byte values on \(\xi _{1},\cdots ,\xi _{7}\). Experimental results under different thresholds \(Thr_{k}\), \(Thr_{\varDelta }\) and different numbers of power traces are given in Sects. 4.1, 4.2 and 4.3.

4.1 Experimental Results Under Different Thresholds \(Thr_{k}\)

Firstly, we compare our group verification chain (FGV-MDCA and WGV-MDCA) with fault tolerant chain under different thresholds \(Thr_{k}\). \(Thr_{\varDelta }\) in fault tolerant chain is set to 1. This value is set to 5 in our FGV-MDCA and WGV-MDCA.

The success rates [14] of the 3 schemes are shown in Fig. 4. If \(\varDelta _{(k_{1},k_{b})}\) of two key bytes \(k_{1}\) and \(k_{b}\) is wrong and there exist one or several wrong \(k_{b}\) that satisfy \(k_{b}=k_{1} \oplus \varDelta _{(k_{1},k_{b})}\), then the scheme of Wang et al. will consider \(k_{b}\) as the correct key byte value. This is the main reason for failure of key recovery.

The success rate of the fault tolerant chain decreases with the increase of \(Thr_{k}\). It is very high when \(Thr_{k} \le 2\) (as shown in Fig. 4), since the probability of a wrong key byte \(k_{b}\) satisfying \(k_{b}=k_{1} \oplus \varDelta _{(k_{1},k_{b})}\) is small. With the increase of \(Thr_{k}\), this probability increases. When \(Thr_{k}=2\), the fault tolerant chain can get a success rate of about 0.90. However, this value is only about 0.44 when \(Thr_{k}=5\). When \(Thr_{k}>13\), the success rate is smaller than 0.10. That is to say, the larger \(Thr_{k}\) is, the harder it is for the attacker to succeed.

Fig. 4. Success rate under different \(Thr_{k}\)

The success rate of our FGV-MDCA and WGV-MDCA increases with \(Thr_{k}\). When \(Thr_{k}\) is from 2 to 13, the success rate of FGV-MDCA and WGV-MDCA is from about 0.70 to about 1.00. When \(Thr_{k}>3\), the success rate of our FGV-MDCA and WGV-MDCA is greater than that of the scheme of Wang et al. This indicates that the efficiency of the group verification chain is slightly lower when \(Thr_{k}\) is small. With the increase of \(Thr_{k}\), the correct key byte values fall within \(Thr_{k}\) and are more effectively verified by the group in our scheme.

Since \(Thr_{\varDelta }\) is set to 5, the success rates of FGV-MDCA and WGV-MDCA are very similar when only \(Thr_{k}\) is enlarged.

4.2 Experimental Results Under Different Thresholds \(Thr_{\varDelta }\)

Secondly, we compare our FGV-MDCA and WGV-MDCA with the scheme of Wang et al. under different thresholds \(Thr_{\varDelta }\). \(Thr_{k}\) here is set to 8. \(Thr_{\varDelta }\) of the scheme of Wang et al. is changed. The fault tolerant chain introduced in Sect. 2 cannot be used with large \(Thr_{\varDelta }\). We here enlarge this threshold. We then enumerate all possible chains that satisfy the fault tolerant chain.

The success rates of the 3 schemes under different thresholds \(Thr_{\varDelta }\) are shown in Fig. 5. The success rate of the fault tolerant chain is far lower than that of our FGV-MDCA and WGV-MDCA. The success rate of the fault tolerant chain does not significantly change with the increase of \(Thr_{\varDelta }\). It ranges from 0.25 to 0.30, compared with 0.8 to 1.00 for our FGV-MDCA and WGV-MDCA. The success rates of our FGV-MDCA and WGV-MDCA increase with \(Thr_{\varDelta }\).

Fig. 5. Success rate under different thresholds \(Thr_{\varDelta }\)

When \(Thr_{\varDelta }=2\), the success rates of FGV-MDCA and WGV-MDCA are about 0.87 and 0.82 respectively, both of which are significantly higher than that of the scheme of Wang et al. The success rate of FGV-MDCA is a little higher than that of WGV-MDCA when \(Thr_{\varDelta }<4\). When \(Thr_{\varDelta }\ge 4\), the success rate of WGV-MDCA is higher than that of FGV-MDCA. The normalized weight of the correct key byte value in each reordered sequence \(\left\{ \xi _{i}|i=1,2,\cdots ,16 \right\} \) in WGV-MDCA is more obvious than that in FGV-MDCA. This indicates that WGV-MDCA is more efficient than FGV-MDCA when \(Thr_{\varDelta }\) is large.

4.3 Experimental Results Under Different Numbers of Power Traces

Finally, we compare our FGV-MDCA and WGV-MDCA with the scheme of Wang et al. under the condition that different numbers of power traces are used. \(Thr_{\varDelta }\) is set to 5 and \(Thr_{k}\) is set to 8. \(Thr_{\varDelta }\) of the scheme of Wang et al. is still set to 1, since \(Thr_{\varDelta }>1\) is very different from the fault tolerant chain.

The success rates of the 3 schemes when the number of power traces used in each repetition is from 60 to 170 are shown in Fig. 6. The success rate of the scheme of Wang et al. is far lower than that of our FGV-MDCA and WGV-MDCA. It ranges from 0 to 0.55, compared with 0.18 to 1.00 for our FGV-MDCA and 0.37 to 1.00 for our WGV-MDCA. When the number of power traces used in each repetition is more than 150, the success rate of FGV-MDCA and WGV-MDCA is close to 1. However, the success rate of the fault tolerant chain is only about 0.50 when about 170 power traces are used.

Fig. 6. Success rate under different numbers of power traces

The success rates of FGV-MDCA and WGV-MDCA are very close when more than 100 power traces are used in each repetition (as shown in Fig. 6). This is because, as the number of power traces increases, the correct key byte values and \(\varDelta \)s fall in the top positions of the \(\left\{ \xi _{i}|i=1,2,\cdots ,16 \right\} \) and \(\varDelta \) sequences with higher probabilities.

5 Conclusions

In this paper, we propose the group verification chain to enhance the fault tolerant chain proposed by Wang et al. We combine MDCA and CCA to implement the group verification chain and propose the Group Verification based Multiple-Differential Collision Attack (GV-MDCA). Frequency based GV-MDCA (FGV-MDCA) and Weight based GV-MDCA (WGV-MDCA) are given. Experimental results on the power trace set of DPA contest v4 show that our group verification chain significantly improves on the efficiency of the fault tolerant chain.