On the optimality and practicability of mutual information analysis in some scenarios

Cryptography and Communications

Abstract

The best possible side-channel attack maximizes the success rate and would correspond to a maximum likelihood (ML) distinguisher if the leakage probabilities were fully known or accurately estimated in a profiling phase. When profiling is unavailable, however, it is not clear whether Mutual Information Analysis (MIA), Correlation Power Analysis (CPA), or Linear Regression Analysis (LRA) would be the most successful in a given scenario. In this paper, we show that MIA coincides with the maximum likelihood expression when the leakage probabilities are replaced by probabilities estimated online from the attack traces. Moreover, we show that computing MIA is lighter than computing the maximum likelihood. We then exhibit two case studies where MIA outperforms CPA. The first is when the leakage model is known but the noise is not Gaussian. The second is when the leakage model is partially unknown and the noise is Gaussian. In the latter scenario MIA is more efficient than LRA of any order.
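The equivalence claimed above can be checked numerically. The following is an added example, not code from the paper: it simulates a 4-bit PRESENT S-box leaking the Hamming weight of its output plus constructed non-Gaussian integer noise (uniform on {-2, ..., 2}, quantized like an ADC sample), then scores every key guess with the plug-in MIA estimate and with the log-likelihood in which the conditional probabilities p̃(x | y) are estimated from the same traces. Since I~(X; Y_k) = H~(X) − H~(X | Y_k) and the empirical log-likelihood equals −H~(X | Y_k), the two scores differ by H~(X), which does not depend on the key guess, so they rank the keys identically. The trace count, seed, secret key and noise law are assumptions chosen for this illustration.

```python
import math
import random
from collections import Counter

# 4-bit PRESENT S-box (public specification); the simulated device leaks the
# Hamming weight of S(k xor t) plus integer noise.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def hw(v):
    return bin(v).count("1")

def model(k, t):
    """Leakage model y(k, t): Hamming weight of the S-box output."""
    return hw(PRESENT_SBOX[k ^ t])

def simulate(secret_key, n_traces, seed=1):
    """Constructed traces: x_i = y(k*, t_i) + noise, noise uniform on {-2, ..., 2}.
    The noise is deliberately non-Gaussian; samples are integers, as ADC output would be."""
    rng = random.Random(seed)
    texts = [rng.randrange(16) for _ in range(n_traces)]
    leak = [model(secret_key, t) + rng.randint(-2, 2) for t in texts]
    return texts, leak

def histograms(texts, leak, k):
    """Joint and marginal counts of (x_i, y_k(t_i)) over the N traces: the online estimates."""
    ys = [model(k, t) for t in texts]
    return Counter(zip(leak, ys)), Counter(leak), Counter(ys)

def mia_score(texts, leak, k):
    """Plug-in mutual information I~(X; Y_k) = sum_{x,y} p~(x,y) log(p~(x,y) / (p~(x) p~(y))).
    One logarithm per non-empty cell of the joint histogram."""
    n = len(leak)
    n_xy, n_x, n_y = histograms(texts, leak, k)
    return sum(c / n * math.log(n * c / (n_x[x] * n_y[y])) for (x, y), c in n_xy.items())

def ml_score(texts, leak, k):
    """Empirical log-likelihood (1/N) sum_i log p~(x_i | y_k(t_i)), with the conditional
    probabilities estimated from the same N traces: p~(x | y) = n_xy / n_y."""
    n = len(leak)
    n_xy, _, n_y = histograms(texts, leak, k)
    return sum(c / n * math.log(c / n_y[y]) for (x, y), c in n_xy.items())

def entropy_x(leak):
    """Plug-in entropy H~(X) of the leakage alone; it does not depend on the key guess."""
    n = len(leak)
    return -sum(c / n * math.log(c / n) for c in Counter(leak).values())

def rank_keys(texts, leak, score):
    """Key guesses ordered from best to worst under the given distinguisher."""
    return sorted(range(16), key=lambda k: score(texts, leak, k), reverse=True)

if __name__ == "__main__":
    texts, leak = simulate(secret_key=0xB, n_traces=4000)
    h = entropy_x(leak)
    for k in range(16):
        # mia_score(k) == ml_score(k) + H~(X) for every k, hence identical rankings
        assert abs(mia_score(texts, leak, k) - ml_score(texts, leak, k) - h) < 1e-9
    print("MIA ranking:", rank_keys(texts, leak, mia_score))
    print("ML  ranking:", rank_keys(texts, leak, ml_score))
```

The MIA score needs one logarithm per occupied cell of the joint histogram and never touches the per-trace likelihoods, which is where its lighter cost comes from; the ML score written out per trace would call the logarithm N times.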


Notes

  1. Obviously, this hypothesis only holds provided the device manufacturer does not reuse the same cryptographic engine in an open platform, such as a JavaCard, where the user is able to call the cryptographic API at will.

  2. We comply with the usual notations of [7] where offline quantities are indicated with a hat, whereas online quantities are indicated with a tilde. In this paper, there is no profiling phase hence no offline quantities.

  3. We use bold letters to indicate vectors while scalars are presented using small italic letters.

  4. In order to uniquely distinguish the correct key, some conditions on the expression of \(y\) are required. Specifically, let us denote by \(y_k\) the function \(t \mapsto y_k(t) = y(k,t)\), and let \(\mathcal{B}\) be the set of bijections on the leakage space \(\mathcal{X}\). We have:

    $$\text{if } \forall k,\ \exists k' \neq k,\ \exists \beta \in \mathcal{B} \text{ s.t. } y_{k'} = \beta \circ y_k, \quad \text{then the distinguisher features a tie},$$
    (3)
    $$\text{if } \forall k,\ \forall k' \neq k,\ \exists \beta \in \mathcal{B} \text{ s.t. } y_{k'} = \beta \circ y_k, \quad \text{then the distinguisher is not sound}.$$
    (4)

    Indeed, in (3), there is no way for the distinguisher to tell \(k\) from \(k'\), and in (4), the distinguisher yields the same value for all the key guesses.

    We refer the interested reader to the work done in [24, Sec. 3]. We note that \(y_i = k \oplus t_i\) does not lead to a sound distinguisher, as for all \(k'\), \(x \mapsto x \oplus k'\) is bijective and maps \(y_k\) to \(y_{k \oplus k'}\). On the contrary, for \(y_i = w_H(k \oplus t_i)\) on \(n\)-bit words, there is no bijection \(\beta\) such that for all \(t\), \(w_H(k \oplus t) = \beta(w_H(k \oplus k' \oplus t))\), unless \(k'\) is \(k\) itself or its complement \(k \oplus 1\cdots1\): in the latter case \(w_H(k' \oplus t) = n - w_H(k \oplus t)\) for all \(t\), so a key and its complement are tied in the sense of (3). The choice \(y_i = w_H(k \oplus t_i)\) is therefore sound in the sense of (4), up to that single tie.

  5. Some side-channels are discrete by nature, such as the timing measurements (measured in units of clock period). In addition, oscilloscopes or data acquisition appliances rely on ADCs (Analog to Digital Converters), which usually sample a continuous signal into a sequence of integers, most of the time represented on 8 bits (hence \(\mathcal {X}={\mathbb {F}_{2}^{8}}\)).

  6. Universal, in the information theoretic sense of the word, means: computed from the available data without prior information.

  7. In practice, computing logarithms is expensive, hence the number of calls to this function should be minimized.

  8. The least significant bit \(S_0\) of the PRESENT Sbox \(S\) is not suitable because one has \(\forall z \in \mathbb{F}_2^4\), \(S_0(z) = S_0(z \oplus \mathtt{0x9}) = \lnot S_0(z \oplus \mathtt{0x1}) = \lnot S_0(z \oplus \mathtt{0x8})\). As in (3) of footnote 4, ties occur: it is not possible to distinguish \(k\), \(k \oplus \mathtt{0x9}\), \(k \oplus \mathtt{0x1}\), \(k \oplus \mathtt{0x8}\) (the corresponding bijections are respectively \(x \mapsto x\) and \(x \mapsto 1 - x\)). Therefore, we consider component 1 instead of 0, which does not satisfy such relationships.
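The tie and soundness conditions of footnote 4, and the PRESENT S-box component choice of footnote 8, can be checked mechanically. The following is an added example, not the paper's code. It relies on the fact (valid on a finite leakage space) that \(y_{k'} = \beta \circ y_k\) for some bijection \(\beta\) exactly when \(y_k\) and \(y_{k'}\) induce the same partition of the text space, so key guesses are grouped by the partition their model induces. The S-box table is the public PRESENT specification; the choice of a 4-bit key and text space, and the model names, are assumptions of this illustration.

```python
# 4-bit PRESENT S-box (public specification)
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def hw(v):
    return bin(v).count("1")

def partition_of(y_k, texts):
    """Partition of the text space induced by t -> y_k(t), as a canonical frozenset of classes.
    On a finite leakage space, y_{k'} = beta o y_k for some bijection beta exactly when
    y_k and y_{k'} induce the same partition, so comparing partitions is the tie test."""
    classes = {}
    for t in texts:
        classes.setdefault(y_k(t), set()).add(t)
    return frozenset(frozenset(c) for c in classes.values())

def tie_classes(model, n_bits):
    """Group the key guesses that a bijection-invariant distinguisher (such as MIA) cannot separate."""
    keys = range(1 << n_bits)
    groups = {}
    for k in keys:
        sig = partition_of(lambda t: model(k, t), keys)
        groups.setdefault(sig, []).append(k)
    return sorted(sorted(g) for g in groups.values())

def soundness(model, n_bits):
    """Classify a model according to conditions (3) and (4) of footnote 4."""
    classes = tie_classes(model, n_bits)
    if len(classes) == 1:
        return "not sound"          # (4): every key guess scores the same
    if len(classes) == 1 << n_bits:
        return "sound, no ties"
    return "sound, with ties"       # (3): some keys cannot be told apart

# Leakage models y(k, t) discussed in footnotes 4 and 8
def xor_model(k, t):
    return k ^ t

def hw_xor_model(k, t):
    return hw(k ^ t)

def present_bit0_model(k, t):
    return PRESENT_SBOX[k ^ t] & 1

def present_bit1_model(k, t):
    return (PRESENT_SBOX[k ^ t] >> 1) & 1

if __name__ == "__main__":
    for name, m in [("k xor t", xor_model), ("HW(k xor t)", hw_xor_model),
                    ("PRESENT S-box bit 0", present_bit0_model),
                    ("PRESENT S-box bit 1", present_bit1_model)]:
        print(f"{name:22s} {soundness(m, 4):18s} {tie_classes(m, 4)}")
```

Running it reproduces the footnotes: \(k \oplus t\) puts all 16 keys in one class, \(w_H(k \oplus t)\) pairs each key with its complement \(k \oplus \mathtt{0xF}\), S-box bit 0 yields the classes \(\{k, k \oplus \mathtt{0x1}, k \oplus \mathtt{0x8}, k \oplus \mathtt{0x9}\}\), and S-box bit 1 separates all 16 keys.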

References

  1. Brier, É. , Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: CHES, Volume 3156 of LNCS, pp 16–29. Springer, Cambridge (2004)


  2. Carbone, M., Tiran, S., Ordas, S., Agoyan, M., Teglia, Y., Ducharme, G. R., Maurine, P.: On adaptive bandwidth selection for efficient MIA. In: Prouff [15], pp. 82–97

  3. Casella, G., Berger, R. L.: Statistical inference. Duxbury press. Second edition. ISBN-10: 0534243126 – ISBN-13: 978-0534243128 (2002)

  4. Chari, S., Rao, J. R., Rohatgi, P.: Template attacks. In: CHES, Volume 2523 of LNCS, pp. 13–28. Springer, Redwood City (2002)


  5. Common criteria consortium: Common criteria (aka CC) for information technology security evaluation (ISO/IEC 15408). Website: http://www.commoncriteriaportal.org/ (2013)

  6. Doget, J., Prouff, E., Rivain, M., Standaert, F. -X.: Univariate side channel attacks and leakage modeling. J. Cryptogr. Eng. 1(2), 123–144 (2011)


  7. Durvaux, F., Standaert, F. -X., Veyrat-Charvillon, N.: How to certify the leakage of a chip? In: Nguyen, P. Q., Oswald, E. (eds.) Advances in Cryptology - EUROCRYPT 2014 - 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11-15, 2014. Proceedings, volume 8441 of Lecture Notes in Computer Science, pp. 459–476. Springer (2014)

  8. Gierlichs, B., Batina, L., Tuyls, P., Preneel, B.: Mutual information analysis. In: CHES, 10th International Workshop, Volume 5154 of Lecture Notes in Computer Science, pp 426–442. Springer, Washington, D.C. (2008)

  9. Heuser, A., Kasper, M., Schindler, W., Stöttinger, M.: A new difference method for side-channel analysis with high-dimensional leakage models. In: Dunkelman, O. (ed.) CT-RSA, volume 7178 of Lecture Notes in Computer Science, pp. 365–382. Springer (2012)

  10. Heuser, A., Rioul, O., Guilley, S.: Good is not good enough - deriving optimal distinguishers from communication theory. In: Batina, L., Robshaw, M. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2014 - 16th International Workshop, Busan, South Korea, September 23-26, 2014. Proceedings, volume 8731 of Lecture Notes in Computer Science, pp. 55–74. Springer (2014)

  11. Lomné, V., Prouff, E., Roche, T.: Behind the scene of side channel attacks. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT (1), volume 8269 of Lecture Notes in Computer Science, pp. 506–525. Springer (2013)

  12. Matsuda, S., Moriai, S.: Lightweight cryptography for the cloud: exploit the power of bitslice implementation. In: Prouff, E., Schaumont, P. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2012 - 14th International Workshop, Leuven, Belgium, September 9-12, 2012. Proceedings, volume 7428 of LNCS, pp. 408–425. Springer (2012)

  13. Moradi, A., Mousavi, N., Paar, C., Salmasizadeh, M.: A comparative study of mutual information analysis under a Gaussian assumption. In: WISA (Information Security Applications, 10th International Workshop), volume 5932 of Lecture Notes in Computer Science, pp. 193–205. Springer, August 25-27, Busan, Korea (2009)

  14. De Mulder, E., Gierlichs, B., Preneel, B., Verbauwhede, I.: Practical DPA attacks on MDPL. In: 1st IEEE International Workshop on Information Forensics and Security, WIFS 2009, London, UK, December 6-9, 2009, pp. 191–195. IEEE (2009)

  15. Prouff, E. (ed.): Constructive Side-Channel Analysis and Secure Design - 5th International Workshop, COSADE 2014, Paris, France, April 13-15, 2014, Revised Selected Papers, volume 8622 of Lecture Notes in Computer Science, Springer (2014)

  16. Prouff, E., Rivain, M.: Theoretical and practical aspects of mutual information-based side channel analysis. Int. J. Appl. Crypt. (IJACT) 2(2), 121–138 (2010)


  17. Rebeiro, C., Selvakumar, A. D., Devi, A. S. L.: Bitslice implementation of AES. In: Pointcheval, D., Mu, Y., Chen, K. (eds.) Cryptology and Network Security, 5th International Conference, CANS 2006, Suzhou, China, December 8-10, 2006, Proceedings, volume 4301 of Lecture Notes in Computer Science, pp. 203–212. Springer (2006)

  18. Reparaz, O., Gierlichs, B., Verbauwhede, I.: Generic DPA attacks: Curse or blessing? In: Prouff [15], pp. 98–111

  19. Standaert, F. -X., Malkin, T., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: EUROCRYPT, Volume 5479 of LNCS, pp. 443–461. Springer, Cologne (2009)


  20. Veyrat-Charvillon, N., Standaert, F. -X.: Mutual information analysis: how, when and why? In: Clavier, C., Gaj, K. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2009, 11th International Workshop, Lausanne, Switzerland, September 6-9, 2009, Proceedings, volume 5747 of Lecture Notes in Computer Science, pp. 429–443. Springer (2009)

  21. Whitnall, C., Oswald, E.: A comprehensive evaluation of mutual information analysis using a fair evaluation framework. In: Rogaway, P. (ed.) CRYPTO, volume 6841 of Lecture Notes in Computer Science, pp. 316–334. Springer (2011)

  22. Whitnall, C., Oswald, E.: A fair evaluation framework for comparing Side-Channel distinguishers. J. Crypt. Eng. 1(2), 145–160 (2011)


  23. Whitnall, C., Oswald, E., Mather, L.: An exploration of the Kolmogorov-Smirnov test as a competitor to mutual information Analysis. In: Prouff, E. (ed.) CARDIS, volume 7079 of Lecture Notes in Computer Science, pp. 234–251. Springer (2011)

  24. Whitnall, C., Oswald, E., Standaert, F. -X.: The myth of generic DPA ... and the magic of learning. In: Benaloh, J. (ed.) CT-RSA, volume 8366 of Lecture Notes in Computer Science, pp. 183–205. Springer (2014)


Author information

Corresponding author: Éloi de Chérisey.

Additional information

This article is part of the Topical Collection on Recent Trends in Cryptography

Guest Editors: Tor Helleseth and Bart Preneel


Cite this article

de Chérisey, É., Guilley, S., Heuser, A. et al. On the optimality and practicability of mutual information analysis in some scenarios. Cryptogr. Commun. 10, 101–121 (2018). https://doi.org/10.1007/s12095-017-0241-x
