Quadrivariate Improved Blind Side-Channel Analysis on Boolean Masked AES
Previous blind side-channel analyses have been proposed to recover a block cipher secret key when neither the plaintext nor the ciphertext is available to the attacker. A recent improvement handles several first-order Boolean masking schemes. Unfortunately, the proposed attacks only work if at least two intermediate states that involve the same key byte are protected by the same mask. In this paper we describe a quadrivariate analysis which involves a pair of key bytes and makes it possible to threaten improved Boolean masked implementations in which all masks on the inputs of AddRoundKey, SubBytes and MixColumns (respectively \(r_m\), \(r_x\) and \(r_y\)) related to the same key byte are independent.
Our attack comes in two flavors: in the first variant the attacker learns Hamming distances between pairs of expanded key bytes of their choice, while in the second variant the attacker learns whether two pairs of expanded key bytes share the same unknown Hamming distance. We provide an analysis and simulation results which demonstrate that the ciphering key can be recovered in both settings.
Keywords: Unknown plaintext, Joint distributions, Maximum likelihood, Boolean masking