Codes for Side-Channel Attacks and Protections

Abstract

This article revisits side-channel analysis from the standpoint of coding theory. On the one hand, the attacker is shown to apply an optimal decoding algorithm in order to recover the secret key from the analysis of the side-channel. On the other hand, the side-channel protections are presented as a coding problem where the information is mixed with randomness to weaken as much as possible the sensitive information leaked into the side-channel. Therefore, the field of side-channel analysis is viewed as a struggle between a coder and a decoder. In this paper, we focus on the main results obtained through this analysis. In terms of attacks, we discuss optimal strategy in various practical contexts, such as type of noise, dimensionality of the leakage and of the model, etc. Regarding countermeasures, we give a formal analysis of some masking schemes, including enhancements based on codes contributed via fruitful collaborations with Claude Carlet.

A SNR in the Presence of First Order Masking

Let us consider a first-order masking scheme [1]. By design, a first-order side-channel attack fails. However, a second-order side-channel attack, combining two samples, can succeed. The setup is the following: the leakage is:

$$\begin{aligned} \left( \begin{array}{c} X_1 \\ X_2 \\ \end{array} \right) = \left( \begin{array}{c} \alpha _1 Y_1^\star \\ \alpha _2 Y_2^\star \\ \end{array} \right) + \left( \begin{array}{c} N_1 \\ N_2 \\ \end{array} \right) , \end{aligned}$$

where:

• \(N_1\sim \mathcal {N}(0,\sigma _1^2)\) and \(N_2\sim \mathcal {N}(0,\sigma _2^2)\) are two independent noise sources,

• \(\alpha _1\) and \(\alpha _2\) are the amount of leakage,

• \(Y_1^\star \) and \(Y_2^\star \) are leakage functions (assumed normalized, that is \(\mathbb {E}(Y_i^\star ) = 0\) and \(\mathsf {Var}(Y_i^\star ) = 1\), for \(i\in \{1,2\}\)).

In the Boolean masking where the attacker target the pair (mask, masked substitution box S), the leakage model is:

• \(Y_1 = \frac{2}{\sqrt{n}} \left( w_H(S(T\oplus k)\oplus M) - \frac{n}{2} \right) =-\frac{1}{\sqrt{n}} \sum _{b=1}^n (-1)^{S_b(T\oplus k)\oplus M_b}\) and

• \(Y_2 = \frac{2}{\sqrt{n}} \left( w_H(M) - \frac{n}{2} \right) =-\frac{1}{\sqrt{n}} \sum _{b=1}^n (-1)^{M_b}\).

The notation \(M_b\) means bit \(b\in \{1,\ldots ,n\}\) in bitvector \(M\in \mathbb {F}_2^n\).

As the masking is first-order perfect, we indeed have that \(\mathbb {E}(Y_i|T=t)\) does not depend on the key, for each share \(i\in \{1,2\}\). However, the attacker is inclined to combine the two leakages by a centered product, since the expectation of this combination \(Y_c = Y_1 Y_2\) depends on the key, despite the masking with the uniform \(M\sim \mathcal {U}(\mathbb {F}_2^n)\). Precisely, let \(t\in \mathbb {F}_2^n\) one realization of T. We have that:

$$\begin{aligned} \mathbb {E}(Y_c|T=t)&= \frac{1}{2^n} \sum _{m\in \mathbb {F}_2^n} \frac{1}{n} \sum _{b,b'} (-1)^{S_b(T\oplus k)\oplus m_b\oplus m_{b'}} \nonumber \\&= \frac{1}{n 2^n} \sum _{m\in \mathbb {F}_2^n} \sum _{b} (-1)^{S_b(T\oplus k)} \qquad \text {(because } m \text { is uniform on } \mathbb {F}_2^n)\nonumber \\&= -\frac{1}{2\sqrt{n}} \left( w_H(S(T\oplus k)) - \frac{n}{2} \right) , \end{aligned}$$

(12)

which happens to be proportional to the leakage model of the substitution box when the masking is disabled (\(M=0\)). Indeed, one can derive from Eq. (12) that:

$$\begin{aligned} \mathbb {E}(Y_c|T=t) = -\frac{1}{2\sqrt{n}} \mathbb {E}(Y_1|T=t,M=0) . \end{aligned}$$

The second-order attack thus consists in applying the regular correlation power analysis (CPA [2]):

• targeting \(X_c = X_1 X_2\) instead of \(X_1\) or \(X_2\),

• using as leakage model \(\mathbb {E}(Y_c|T)\), where we recall that \(Y_c = Y_1 Y_2\) [38].

Thus, the new leakage to analyse is:

$$\begin{aligned} X_c = X_1 X_2&= (\alpha _1 Y_1^\star + N_1) (\alpha _2 Y_2^\star + N_2) \\&= \underbrace{\alpha _1 \alpha _2 Y_1^\star Y_2^\star }_{\text {signal}} + \underbrace{\alpha _1 Y_1^\star N_2 + \alpha _2 Y_2^\star N_1 + N_1 N_2}_{\text {noise}} . \end{aligned}$$

Indeed, the term \(Y_1^\star Y_2^\star \) conditionally to the known plaintext T depends on the key (recall Eq. (12)), whereas the other terms \(\alpha _1 Y_1^\star N_2 + \alpha _2 Y_2^\star N_1 + N_1 N_2\) do not.

Therefore, the SNR in the case of the second-order attack is:

$$\begin{aligned} \text {SNR(2o)} =\frac{\mathsf {Var}(\alpha _1 \alpha _2 Y_1^\star Y_2^\star )}{\mathsf {Var}(\alpha _1 Y_1^\star N_2 + \alpha _2 Y_2^\star N_1 + N_1 N_2)} . \end{aligned}$$

(13)

Proposition 11

The SNR in the case of the second-order attack is:

$$\begin{aligned} SNR(2o) = \frac{SNR_1 \cdot SNR_2}{1 + SNR_1 + SNR_2} , \end{aligned}$$

where \({SNR}_i = \alpha _i^2 / \sigma _i^2\) for \(i\in \{1,2\}\).

Proof

We have:

$$\begin{aligned} \mathbb {E}_{T,M}(Y_1^\star Y_2^\star )&= \frac{1}{2^{2n}} \sum _{t\in \mathbb {F}_2^n, m\in \mathbb {F}_2^n} Y_1^\star Y_2^\star \nonumber \\&= \frac{1}{2^{2n}} \left( \frac{2}{\sqrt{n}} \right) ^2 \sum _m \left( w_H(m)-\frac{n}{2} \right) \sum _t \left( w_H(S(t\oplus k^\star )\oplus m)-\frac{n}{2} \right) \nonumber \\&= \frac{1}{2^{2n}} \left( \frac{2}{\sqrt{n}} \right) ^2 \sum _m \left( w_H(m)-\frac{n}{2} \right) \sum _z \left( w_H(z)-\frac{n}{2} \right) \\&= 0 \times 0 = 0 . \nonumber \end{aligned}$$

(14)

At line (14), we used the fact that S is a bijection of \(\mathbb {F}_2^n\) (as is SubBytes in AES [36]).

Besides, we also have:

$$\begin{aligned} \mathbb {E}_{T,M}\left( (Y_1^\star Y_2^\star )^2\right)&= \frac{1}{2^{2n}} \sum _{t\in \mathbb {F}_2^n, m\in \mathbb {F}_2^n} (Y_1^\star )^2 (Y_2^\star )^2 \nonumber \\&= \frac{1}{2^{2n}} \left( \frac{2}{\sqrt{n}} \right) ^4 \sum _m \left( w_H(m)-\frac{n}{2} \right) ^2 \sum _t \left( w_H(S(t\oplus k^\star )\oplus m)-\frac{n}{2} \right) ^2 \nonumber \\&= \frac{1}{2^{2n}} \left( \frac{2}{\sqrt{n}} \right) ^4 \sum _m \left( w_H(m)-\frac{n}{2} \right) ^2 \sum _z \left( w_H(z)-\frac{n}{2} \right) ^2 \\&= 1 \times 1 = 1 \qquad \text {(as per the normalization of } Y_1^\star \text { and } Y_2^\star ) . \nonumber \end{aligned}$$

(15)

Therefore, the variance of the signal is equal to \(\alpha _1^2 \alpha _2^2\).

Regarding the noise part, we have:

$$\begin{aligned} \mathbb {E}(\alpha _1 Y_1^\star N_2 + \alpha _2 Y_2^\star N_1 + N_1 N_2) = 0 , \end{aligned}$$

by independence between \(N_1\), \(N_2\) and \(Y_i^\star \) for \(i\in \{1,2\}\). We also have:

$$\begin{aligned} \mathsf {Var}(\alpha _1 Y_1^\star N_2 + \alpha _2 Y_2^\star N_1 + N_1 N_2)&= \mathbb {E}\left( (\alpha _1 Y_1^\star N_2 + \alpha _2 Y_2^\star N_1 + N_1 N_2)^2\right) - 0 \\&= \alpha _1^2 \sigma _2^2 + \alpha _2^2 \sigma _1^2 + \sigma _1^2 \sigma _2^2 . \end{aligned}$$

As a result, we have:

$$\begin{aligned} \text {SNR(2o)} = \frac{\alpha _1^2 \alpha _2^2}{\alpha _1^2 \sigma _2^2 + \alpha _2^2 \sigma _1^2 + \sigma _1^2 \sigma _2^2} = \frac{\text {SNR}_1 \cdot \text {SNR}_2}{1 + \text {SNR}_1 + \text {SNR}_2} . \end{aligned}$$

   \(\square \)

Corollary 12

(Limit of SNR(2o) in the presence of large noise). When the noise is large, that is \({SNR}_i \ll 1\) for \(i\in \{1,2\}\), then

$$\begin{aligned} {SNR(2o)}&\approx {SNR}_1 \cdot {SNR}_2 \approx {SNR}^2 \qquad (if \,\ {SNR}_1 \approx {SNR}_2 = {SNR}) . \end{aligned}$$

(16)

Proof

Immediate first-order simplification of \(\text {SNR(2o)}\) as given in Proposition 11.    \(\square \)