Efficient 2nd-order Power Analysis on Masked Devices Utilizing Multiple Leakage


Liwei Zhang, A. Adam Ding, Yunsi Fei and Pei Luo
Department of Mathematics, Northeastern University, Boston, MA
Department of Electrical and Computer Engineering, Northeastern University, Boston, MA

Abstract

A common algorithm-level effective countermeasure against side-channel attacks is random masking. However, a second-order attack can break first-order masked devices by utilizing power values at two time points. Normally 2nd-order attacks require the exact temporal locations of the two leakage points. Without profiling, the attacker may only have an educated guessing window of size $n_w$ for each potential leakage point. An attack with exhaustive search over combinations of the two leakage points will lead to computational complexity of $O(n_w^2)$. Waddle and Wagner introduced an FFT-based attack with a complexity of $O(n_w \log(n_w))$ in CHES 2004 [1]. Recently Belgarric et al. proposed five preprocessing techniques using time-frequency conversion tools based on FFT in [2]. We propose a novel efficient 2nd-order power analysis attack, which pre-processes power traces with FFT to find multiple candidate leakage point pairs and then combines the attacks at multiple candidate pairs into one single attack. We derive the theoretical conditions for two different combination methods to be successful. The resulting attacks retain computational complexity of $O(n_w \log(n_w))$ and are applied on two data sets, one set of power measurements of an FPGA implementation of a masked AES scheme and the other set of measurements from DPA Contest V4 for a software implementation of masked AES. Our attacks improve over the previous FFT-based attacks, particularly when the window size $n_w$ is large. Each of the two attacks works better respectively on different data sets, confirming the theoretical conditions.

Index Terms: Maximum attack, majority vote attack, statistical model
I. INTRODUCTION

Ever since the invention of differential power analysis (DPA) attacks [3], various side-channel analysis (SCA) attacks such as correlation power analysis (CPA) [4], mutual information analysis (MIA) [5] and template attacks [6] have been developed to exploit weaknesses in cryptographic systems for key retrieval. These attacks are all univariate attacks or 1st-order attacks because they use the power measurements at only one time point in each trace. Masking was proposed to protect block ciphers against 1st-order attacks; it randomizes the intermediate data with a random number. To defeat masking, the 2nd-order attack was developed [3], [7], [8]. However, to implement a 2nd-order attack, the attackers need to know the exact positions of the two leakage time points $t_0^1$ and $t_0^2$. Generally, these leakage points are found in a profiling stage using extra knowledge of the device's internal working (e.g., the mask values). Once these leakage time points are located, the 2nd-order attack can be launched and its success rate is studied theoretically in [9], [10], [11], [12]. However, often attackers do not have sufficient implementation details for such a profiling stage and would not know the exact locations of these time points.

In this paper, we concentrate on real 2nd-order attacks without knowing the two leakage points. The attackers usually have some educated guessed ranges for the two leakage points. Assuming the two guessed windows are of size $n_w$, we can search over the $n_w^2$ combinations of the two time samples [13]. However, such an exhaustive search has computational complexity $O(n_w^2)$. To avoid searching the pair $(t_0^1, t_0^2)$, Waddle and Wagner introduced FFT-2DPA in [1]. The method starts with a window $L$ of size $n_w$ containing both $t_0^1$ and $t_0^2$. The Fast Fourier Transform (FFT) is used to compute the self-correlation of $L$ for the attack. This scheme reduces the complexity from $O(n_w^2)$ to $O(n_w \log(n_w))$. Recently, Belgarric et al. [2] extended the FFT-based attacks, with several schemes on the temporal domain as well as others on the frequency domain. They worked with two windows $L_1$ and $L_2$ of size $n_w$ containing $t_0^1$ and $t_0^2$, respectively. The various forms of FFT were used to sum the leakage from multiple leakage points in the windows, which results in a univariate CPA with complexity $O(n_w \log(n_w))$. However, the power of these attacks decreases quickly as the window size $n_w$ increases, i.e., when the attackers are less certain about the leakage location a priori, which is a typical scenario for attackers.

In this paper, we propose new attacks using one of the FFT-based attacks as a filter to find a promising candidate set of $(t_0^1, t_0^2)$ combinations. Then we combine the decisions of 2nd-order CPA at these $(t_0^1, t_0^2)$ combinations. The computational complexity $O(n_w \log(n_w))$ can be retained. How to combine multiple attacks at different leakage points is a challenging open question. A common method for univariate CPA is to select the one with the largest attack statistic over all leakage points and over all keys together. That is, to find the largest difference of means (DoM) [14], the largest correlation [4], or the largest mutual information [5]. We call this method the maximum attack as it simply chooses the one candidate attack with the maximum attack statistic. There are also other works on combining the information of multiple leakage points through principal component analysis (PCA) [15], [16], [17]. Elaabid et al. [18] review these combination methods and propose product combination of several leakage points. However, PCA is generally used in the context of template attacks, and involves a profiling stage which we do not assume for our attacks. In this paper, we consider another novel combination method, the majority vote attack, and provide theoretical analysis on the conditions of success for the majority vote attack and the maximum attack, respectively. These two methods combine the multiple decisions at all leakage points, rather than combining the leakages themselves together.

We implement the proposed methods on two sets of power traces: (1) power traces of a masked AES implementation [19] on a SASEBO-GII board (hardware implementation) and (2) traces of DPA Contest V4 [20] (software implementation). These proposed attacks provide significant improvement over the previous FFT-based attacks. Moreover, the majority vote attack performs better than the maximum attack on the hardware implementation data and on the software implementation data set with smaller window size, while the reverse is true for the software implementation data with larger window size. Further inspection of these data sets confirms the theoretical analysis of when each of these two attacks works better.

The rest of this paper is organized as follows: We describe our attack procedure in Section II. The cross correlation attack is used to filter a candidate set of $(t_0^1, t_0^2)$. Then the maximum attack or the majority vote attack combines multiple 2nd-order CPAs on those candidates into a single attack. Section III presents the statistical model, and derives the different theoretical conditions for success of the maximum attack and the majority vote attack. The real data analysis is provided in Section IV, followed by conclusions in Section V.

© 2015 IEEE
II. PROPOSED ATTACKS ON MASKED DEVICES COMBINING 2ND-ORDER CPA AT MULTIPLE LEAKAGE POINTS

The profiling-based 2nd-order CPA selects the key that results in the largest Pearson's correlation $\rho(L(t_0^1)L(t_0^2), V)$, where $t_0^1$ and $t_0^2$ are the two leakage points, $L(t_0^1)L(t_0^2)$ is the product of centered power leakage at the two time points, and $V$ is the key-dependent intermediate value. However, in reality, the attackers at best have some educated guesses of two windows $L_1$ and $L_2$ that contain these two time points respectively; without loss of generality, $|L_1| = |L_2| = n_w$. FFT-based attacks in [1], [2] avoid the exhaustive search of $n_w^2$ 2nd-order CPAs as in [13], and achieve the attack computational complexity $O(n_w \log n_w)$. The power of our attacks is significantly higher than the previous attacks by combining the decisions on multiple leakages, with the computational complexity $O(n_w \log n_w)$ still retained.

A. Screen for a Candidate Set $S$ with $|S| = O(n_w \log n_w)$

Considering the two leakage points $t_0^1$ and $t_0^2$ in windows $L_1$ and $L_2$ of the same size, we can write $t_0^2$ as $((t_0^1 + \Delta t_0) \bmod n_w)$, where $\Delta t_0$ is the time lag that correctly aligns these two leakage points in the two windows. In this way, we translate the search of the pair $(t_0^1, t_0^2)$ into the equivalent search of $(t_0^1, \Delta t_0)$, where $t_0^1$ can be enumerated in the first window $L_1$ ($n_w$ points) and $\Delta t_0$ could be any value between 0 and $n_w - 1$. For each $\Delta t$ value, the (circular) cross-correlation between two vectors $X$ and $Y$ of length $n_w$ is

$$\text{x-corr}(\Delta t) = X \star Y(\Delta t) = \sum_{t=1}^{n_w} X(t)\,Y((t + \Delta t) \bmod n_w). \quad (1)$$

Let $\mathrm{DFT}[Y]$ denote the discrete Fourier transform of $Y$, and $\mathrm{IDFT}[Y]$ denote the inverse DFT of $Y$; then the cross-correlation is $X \star Y(\Delta t) = n_w\,\mathrm{IDFT}[\mathrm{DFT}[L_1]\,\mathrm{DFT}[L_2]]$ by the cross-correlation theorem in [2]. The interesting thing is that all of $X \star Y(\Delta t)$ for $\Delta t = 0, \ldots, n_w - 1$ can be calculated in $O(n_w \log(n_w))$ time. Hence [2] proposes the x-corr attack, which applies a CPA on $\text{x-corr}(\Delta t) = L_1 \star L_2(\Delta t)$. For each $\Delta t$, the CPA attack sums over the $n_w$ products of centered leakage at $(t^1, t^2)$. For all the $\Delta t$, the x-corr attack replaces the exhaustive $n_w^2$ 2nd-order CPAs with $n_w$ CPA attacks. The x-corr attack is based on the fact that the sum $\text{x-corr}(\Delta t_0)$ contains $L(t_0^1)L(t_0^2)$ in addition to other $(n_w - 1)$ less relevant products $L(t^1)L(t^2)$. Therefore, $\rho[\text{x-corr}(\Delta t_0), V_c]$ should be higher on average than $\rho[\text{x-corr}(\Delta t), V_g]$, and the maximum correlation $\rho$ would yield both the correct key and the correct $\Delta t$. However, when the window size $n_w$ increases, many more traces are needed for the correlation $\rho[\text{x-corr}(\Delta t_0), V_c]$ to rise to the top when more irrelevant pairs $(t^1, t^2)$ ($n_w - 1$ leakages with higher noise) are included in the cross-correlation.

Our idea is that $\rho_{\text{x-corr}}(\Delta t, k)$ should be used as a preprocessing step to choose only $\Delta t_0$ rather than finding $k_c$ at the same time. We only filter a set of top candidates of $\Delta t_0$ without searching for $k_c$ directly as in the original x-corr attack. This requires far fewer traces than the x-corr attack, which requires $\rho[\text{x-corr}(\Delta t_0), V_c]$ to rise to the top. Specifically, we propose the following procedure. First, we compute $\text{x-corr}(\Delta t)$ for all $n_w$ possible values of $\Delta t$. Then at each $\Delta t$, we find the maximum absolute value of the Pearson's correlation between $\text{x-corr}(\Delta t)$ and $V_k$ over the $n_K$ key candidates $k \in K$:

$$\rho^{*}(\Delta t) = \max_{k \in K} \left|\rho[\text{x-corr}(\Delta t), V_k]\right|.$$

Then we rank $\Delta t$ by the $\rho^{*}(\Delta t)$ values. The top $|S| = 2\log(n_w)$ values are retained as the candidate set $S = \{\Delta t_1, \Delta t_2, \ldots, \Delta t_{2\log(n_w)}\}$. Since $\rho^{*}(\Delta t) \geq |\rho[\text{x-corr}(\Delta t), V_c]|$, $\rho^{*}(\Delta t_0)$ should be relatively higher due to the included product leakage $L(t_0^1)L(t_0^2)$. In practice, there may be more than one product leakage. Still, the $\Delta t$ corresponding to those product leakages $L(t_0^1)L(t_0^2)$ should tend to result in relatively higher $\rho^{*}(\Delta t)$ values. Therefore, $\Delta t_0$ is likely to be included in the candidate set $S$ without requiring $\rho[\text{x-corr}(\Delta t_0), V_c]$ to rise to the top one.
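Equation (1) and the cross-correlation theorem behind the $O(n_w \log n_w)$ claim, worked as an added example (not the paper's or [2]'s code): a small radix-2 FFT returns all $n_w$ lags at once and is checked against the direct $O(n_w^2)$ sum, followed by the top-$2\log(n_w)$ screening of Section II-A on constructed windows. Assumptions: $n_w$ is a power of two, the IDFT carries the $1/n_w$ factor (so the paper's leading $n_w$ is absorbed) and one spectrum is conjugated, which is what makes the product a correlation rather than a convolution, and the natural log is used for $|S|$.

```python
"""Circular cross-correlation of two leakage windows, eq. (1), computed
directly in O(n_w^2) and via the FFT cross-correlation theorem in
O(n_w log n_w).  Added example, not the paper's code.  Assumes a radix-2
window length (n_w a power of two) for the hand-written FFT below."""
import cmath
import math
import random


def fft(x):
    """Recursive radix-2 Cooley-Tukey DFT: X[f] = sum_t x[t] e^{-2*pi*i*f*t/n}."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    if n & (n - 1):
        raise ValueError("length must be a power of two")
    even = fft(x[0::2])
    odd = fft(x[1::2])
    out = [0j] * n
    for f in range(n // 2):
        tw = cmath.exp(-2j * math.pi * f / n) * odd[f]
        out[f] = even[f] + tw
        out[f + n // 2] = even[f] - tw
    return out


def ifft(X):
    """Inverse DFT carrying the 1/n factor, via conjugation of the forward FFT."""
    n = len(X)
    y = fft([v.conjugate() for v in X])
    return [v.conjugate() / n for v in y]


def xcorr_direct(X, Y):
    """Eq. (1): x-corr(dt) = sum_t X(t) * Y((t + dt) mod n_w), for every lag dt."""
    n = len(X)
    return [sum(X[t] * Y[(t + dt) % n] for t in range(n)) for dt in range(n)]


def xcorr_fft(X, Y):
    """Cross-correlation theorem: all n_w lags from two forward FFTs and one
    inverse FFT.  With IDFT carrying the 1/n factor, x-corr =
    IDFT[conj(DFT[X]) * DFT[Y]]; conjugating the first spectrum is what turns
    a convolution into the correlation of eq. (1)."""
    FX = fft(X)
    FY = fft(Y)
    c = ifft([a.conjugate() * b for a, b in zip(FX, FY)])
    return [v.real for v in c]


def screen_lags(rho_star):
    """Candidate set S: the |S| = 2 log(n_w) lags with the largest rho*(dt).
    Natural log rounded up is an assumption; the paper does not fix the base."""
    n_w = len(rho_star)
    size = max(1, math.ceil(2 * math.log(n_w)))
    order = sorted(range(n_w), key=lambda dt: rho_star[dt], reverse=True)
    return order[:size]


def demo(n_w=64, lag=5, seed=1):
    """Constructed windows: L2 is L1 circularly shifted by `lag` plus small
    noise, so the aligned products sit at dt = lag, like the paper's
    (t0^1, t0^1 + dt0) pair.  |x-corr(dt)| stands in here for rho*(dt), which
    in the real attack is a correlation taken over many traces."""
    rng = random.Random(seed)
    L1 = [rng.gauss(0.0, 1.0) for _ in range(n_w)]
    L2 = [0.0] * n_w
    for t in range(n_w):
        L2[(t + lag) % n_w] = L1[t] + rng.gauss(0.0, 0.1)
    direct = xcorr_direct(L1, L2)
    fast = xcorr_fft(L1, L2)
    max_err = max(abs(a - b) for a, b in zip(direct, fast))
    best_lag = max(range(n_w), key=lambda dt: abs(direct[dt]))
    return {"max_err": max_err, "best_lag": best_lag,
            "candidates": screen_lags([abs(v) for v in direct])}


if __name__ == "__main__":
    print(demo())
```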
With the candidate set of $\Delta t_0$ being reduced to $S$, there are $n_w$ possible $t_0^1$ and $|S|$ possible $\Delta t_0$ values in $S$. Hence, the number of the corresponding candidate pairs $(t_0^1, t_0^2)$ has been reduced to $n_L = n_w \cdot 2\log(n_w)$. We can consider the centered product at each candidate pair $(t_0^1, t_0^2)$ as a univariate leakage, and there are $n_L$ leakage candidates. We then apply the two combination methods in Section II-B to combine the $n_L$ CPA attacks into a single attack. The computational complexity is $O(n_L) = O(n_w \log n_w)$.

2015 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)

B. Combined 2nd-order CPA

We now consider two methods to combine attacks at such $n_L$ leakage candidates selected a priori, where each leakage candidate is actually a pair of time points $(t_0^1, t_0^2)$. The attack at the $i$-th leakage candidate is the 2nd-order CPA using the statistic $\rho_{i,k}$, the Pearson's correlation between the centered product and the leaked intermediate value $V_k$ with key guess $k$. The attack at leakage candidate $i$ results in $k_{i,\max} = \arg\max_k \rho_{i,k}$, and the highest correlation at this leakage with the chosen $k_{i,\max}$ is therefore

$$\rho_i = \rho_{i,k_{i,\max}} = \max_k \rho_{i,k}, \quad i = 1, 2, \ldots, n_L. \quad (2)$$

To combine the $n_L$ attacks, we consider two methods as follows:

(A) The first attack uses the maximum attack statistic $\rho_{\max} = \max_{1 \le i \le n_L} \rho_i$ among the $n_L$ attacks. We select the key that corresponds to the maximum attack statistic:

$$\hat{k} = \{k : \rho_{i,k} = \rho_{\max} \text{ for one } i\}. \quad (3)$$

(B) For the majority vote attack, the key that is selected most often among all leakage candidates is taken as the correct key. Let $N_k = \sum_{i=1}^{n_L} I\{k = k_{i,\max}\}$ be the number of times that the key $k$ is selected among the $n_L$ attacks at all leakage candidates. Then the final key selection is

$$\hat{k} = \arg\max_k N_k. \quad (4)$$

The maximum attack is the usual univariate CPA method. The attack succeeds when there is a strong signal at one of the leakage candidates. As the size $n_L$ increases, the signal needs to overcome noise from more irrelevant leakage candidates. The theoretical analysis in the next section shows that the signal has to be bigger than $O(\sqrt{\log n_L / n_{tr}})$, where the $\log n_L$ factor comes from the uncertainty about the exact location of the real leakage point, and $n_{tr}$ is the number of traces. In practice, some implementations may have multiple leakage points.
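A Monte Carlo check of the two combination rules (3) and (4), added here as an example (not the paper's code), under the idealized model of Section III-A in which $n_0$ of the $n_L$ candidates carry a true correlation $\rho_0$ for the correct key and every other $\rho_{i,k}$ is $N(0, 1/n_{tr})$ noise. The two parameter regimes, the key index and the trial count are constructed; the block goes beyond the text by also evaluating $\tau_0$, $\tau_1$, $\tau_2$ of conditions (7)-(9) for each regime, so the sparse-but-strong versus many-but-weak contrast can be read off next to the simulated success rates.

```python
"""Monte Carlo check of the maximum attack, eq. (3), and the majority vote
attack, eq. (4), under the statistical model of eqs. (5) and (6).  Added
example, not the paper's code; all parameters below are constructed."""
import random
from math import log, sqrt


def draw_rho(rng, n_L, n_K, n_0, rho0, sigma0, n_tr, c):
    """One trial's matrix rho[i][k]: every entry is N(0, 1/n_tr) noise (5),
    except rho[i][c] at the first n_0 real candidates, which is
    N(rho0, (rho0*sigma0)^2 / n_tr) as in (6)."""
    sd = 1.0 / sqrt(n_tr)
    rho = [[rng.gauss(0.0, sd) for _ in range(n_K)] for _ in range(n_L)]
    for i in range(n_0):
        rho[i][c] = rng.gauss(rho0, rho0 * sigma0 * sd)
    return rho


def maximum_attack(rho):
    """Eq. (3): the key attached to the single largest rho_{i,k}."""
    best = max(range(len(rho)), key=lambda i: max(rho[i]))
    return max(range(len(rho[best])), key=lambda k: rho[best][k])


def majority_vote_attack(rho):
    """Eq. (4): each candidate votes for k_{i,max} = argmax_k rho_{i,k};
    return the key with the most votes (ties go to the lowest key index)."""
    n_K = len(rho[0])
    votes = [0] * n_K
    for row in rho:
        votes[max(range(n_K), key=lambda k: row[k])] += 1
    return max(range(n_K), key=lambda k: votes[k])


def success_rates(n_L, n_K, n_0, rho0, sigma0, n_tr, trials=20, seed=7):
    """Fraction of trials in which each rule recovers the true key c."""
    rng = random.Random(seed)
    c = 0x2B  # constructed true key index (must be < n_K)
    hits = {"maximum": 0, "majority": 0}
    for _ in range(trials):
        rho = draw_rho(rng, n_L, n_K, n_0, rho0, sigma0, n_tr, c)
        hits["maximum"] += int(maximum_attack(rho) == c)
        hits["majority"] += int(majority_vote_attack(rho) == c)
    return {name: h / trials for name, h in hits.items()}


def tau(n_L, n_K, n_0, rho0, n_tr):
    """The scale quantities of conditions (8), (7) and (9), in that order."""
    tau1 = sqrt(log(n_K)) / (rho0 * sqrt(n_tr))
    tau0 = sqrt(log(n_K) + log(n_L)) / (rho0 * sqrt(n_tr))
    tau2 = sqrt(n_L * log(n_K)) / (n_0 * sqrt(n_K))
    return tau0, tau1, tau2


# Two constructed regimes, both with n_L = 1000 candidates, n_K = 64 keys and
# n_tr = 1024 traces (so one noise standard deviation is 1/32).
# Sparse/strong: a single real point with rho0*sqrt(n_tr) = 8 (tau0 small,
# tau2 large).  Many/weak: 100 real points (> sqrt(n_L)) with
# rho0*sqrt(n_tr) = 3 (tau1 = O(1), tau2 small, tau0 > 1).
SPARSE_STRONG = dict(n_L=1000, n_K=64, n_0=1, rho0=0.25, sigma0=0.1, n_tr=1024)
MANY_WEAK = dict(n_L=1000, n_K=64, n_0=100, rho0=0.09375, sigma0=0.1, n_tr=1024)


if __name__ == "__main__":
    for name, p in (("sparse/strong", SPARSE_STRONG), ("many/weak", MANY_WEAK)):
        t = tau(p["n_L"], p["n_K"], p["n_0"], p["rho0"], p["n_tr"])
        print(name, success_rates(**p), "tau0=%.2f tau1=%.2f tau2=%.2f" % t)
```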
The majority vote attack can combine weaker signals at multiple leakage points to beat out the maximum attack. The majority vote attack works when the number of real leakage points exceeds $O(\sqrt{n_L})$, while each leakage point only needs a signal of $O(\sqrt{1/n_{tr}})$. The next section will provide a detailed theoretical analysis on the success conditions for these two attacks.

III. STATISTICAL ANALYSIS OF THE TWO COMBINATION METHODS

We derive the theoretical conditions for the two combination methods under a general model for CPA at multiple leakage points. We first present the statistical multiple leakage model.

A. Statistical Model

We consider a simplified ideal model where $n_0$ out of the $n_L$ candidates are real leakage points with the same amount of leakage. That is, without loss of generality, we assume that at the first $n_0$ candidate points, $\rho_0$ is the true correlation between $V_c$ and the centered product of power measurements, and the true correlation is zero at the remaining $n_L - n_0$ candidate leakage points. Hence, most $\rho_{i,k}$ are just random noise with mean zero, and only at the first $n_0$ candidate points does the signal $\rho_{i,c}$ have mean $\rho_0$. We assume that $\rho_0 > 0$. Let $n_K$ be the size of the candidate key set $K$, $n_{tr}$ be the number of power traces used in the attack, $c$ denote the true key and $g$ denote a guessed key. Hence for all keys, the last $n_L - n_0$ candidate leakage points are fake leakage points,

$$\rho_{i,k} \sim N\left(\text{mean} = 0,\ \text{var} = \tfrac{1}{n_{tr}}\right), \quad i = n_0 + 1, \ldots, n_L. \quad (5)$$

On the first $n_0$ real leakage points, for a positive constant $\sigma_0$,

$$\rho_{i,c} \sim N\left(\text{mean} = \rho_0,\ \text{var} = \tfrac{(\rho_0 \sigma_0)^2}{n_{tr}}\right), \qquad \rho_{i,g} \sim N\left(\text{mean} = 0,\ \text{var} = \tfrac{1}{n_{tr}}\right), \quad i = 1, \ldots, n_0. \quad (6)$$

B. Conditions for Successful Combined Attacks

For the attack to succeed, the signal $\rho_{i,c}$ needs to exceed the noise $\rho_{i,g}$. We can study the maximum noise by the following property of maximum Gaussian noise: $\max_{i=1}^{n} |\varepsilon_i| = O(\sqrt{\log n})$ for $n$ independent standard Gaussian noises $\varepsilon_1, \ldots, \varepsilon_n \sim N(0, 1)$. At a single ($i$-th) real leakage, the maximum noise $\max_g \rho_{i,g}$ is of order $O(\sqrt{\log n_K / n_{tr}})$ with $n_K - 1$ noises, each noise being of order $\sqrt{1/n_{tr}}$, while $\rho_{i,c} = O(\rho_0)$. Therefore, the minimum condition for a CPA attack to succeed is:

$$\tau_1 = \frac{\sqrt{\log n_K}}{\rho_0 \sqrt{n_{tr}}} = O(1). \quad (7)$$

For the maximum attack (A) to succeed, $\rho_{i,c} = O(\rho_0)$ needs to exceed the maximum noise over all $n_K - 1$ wrong keys and all $n_L$ leakage candidates, which is of order $O(\sqrt{(\log n_K + \log n_L)/n_{tr}})$. Hence the maximum attack (A) succeeds asymptotically with probability one if

$$\tau_0 = \frac{\sqrt{\log n_K + \log n_L}}{\rho_0 \sqrt{n_{tr}}} \to 0. \quad (8)$$

Note that the condition (8) is stronger than the requirement of (7) by a factor of $\sqrt{1 + \log n_L / \log n_K}$, because it considers $n_L$ leakage candidates.

When there are multiple ($n_0$) leakage points satisfying the minimum condition (7), we can use their success through the majority vote attack (B). Considering these leakage points, the true key $c$ on average is selected more often than the average probability of $1/n_K$ by $O(n_0/n_L)$. The proportion of any other $g$ being selected, $p_g$, is around $1/n_K$. The majority vote attack succeeds when the signal $p_c - 1/n_K$ exceeds all other noises $p_g - 1/n_K$. The maximum noise $\max_g |p_g - 1/n_K|$ is bounded by $O\left(\sqrt{\frac{\log n_K}{n_L n_K}}\right)$. The majority vote attack (B) succeeds asymptotically when

$$\tau_2 = \frac{\sqrt{n_L \log n_K}}{n_0 \sqrt{n_K}} \to 0 \quad (9)$$

and also condition (7) is met. Comparing these two attacks, the majority vote attack (B) only needs a leakage signal $\tau_1$ satisfying condition (7), which is much weaker than $\tau_0$ satisfying condition (8) required by the maximum attack (A). However, it requires many leakage points, of the order $n_0 > O(\sqrt{n_L})$ derived from condition (9). Therefore, the maximum attack (A) is suitable for data sets with sparse leakage points but strong leakage signals. The majority vote attack (B) works better when there are only weak leakage signals but at many leakage points. Note that the majority vote attack (B) does not require the majority of leakage points to be real. In fact, the proportion of real leakage points can decrease to zero as $n_L$ increases, as long as its decrease is slower than $O(1/\sqrt{n_L})$. In these cases, the two attacks are much better than attacks using a direct sum of the leakage over all leakage points, like the previous attacks [1], [2].

IV. NUMERICAL RESULTS

In this section, we apply our attacks on two data sets, our masked AES hardware implementation and the DPA Contest V4 software implementation [20]. We show that the maximum attack and the majority vote attack work better on different data sets, which confirms the theoretical conditions. We also illustrate the significant attack power improvement over the original x-corr attack [2].

A. Comparison of the Two Combination Attacks

For the data set of the hardware implementation, we collect 1,400,000 traces with 3,125 points each. We attack the last round of the AES operation. The rounds of operations are clearly visible in Fig. 1 of the power measurements. Hence we can set the windows for $t_0^1$ (leakage of the mask value) and $t_0^2$ (leakage of the masked last-round value) at where these rounds of operations are performed. Thus a window size of 210 suffices.
For the DPA Contest V4 data (software), there are 100,000 power traces with 435,002 points each, and these points are almost all for the first-round operation. For empirical evaluation, we choose four different window sizes, $n_w \in \{50, 200, 2000, 6000\}$, around the two leakage points $(t_0^1, t_0^2)$, similar to [2].

Fig. 1: One power trace of the hardware implementation data.

We apply the two combination methods, the maximum attack and the majority vote attack, on both the hardware and software data sets. They perform differently on different data sets. For illustration, we plot the performance of correlation $\rho_i$ for one trial when the majority vote attack on the hardware implementation ($n_w = 210$) and the maximum attack on the software implementation ($n_w = 200$) both achieve 80% success rates, shown in Fig. 2 and Fig. 3. The empirical success rate is found by repeatedly selecting the $n_{tr}$ traces randomly for a large number of attacks, and calculating the proportion of attacks that result in the correct key [11], [12].

Fig. 2: $\rho_i = \max_k \rho_{i,k}$ on hardware and software implementation data for one trial.

Fig. 2 shows the correlations $\rho_i$ sorted by $k_{i,\max}$. We can see from Fig. 2(b) that correlation values for the true key are much higher than those under other keys in the software implementation, but not so in the hardware implementation. Hence, the maximum attack performs better in the software implementation of the DPA Contest V4 data set than in the hardware implementation.

Fig. 3: Frequency of the chosen key on hardware and software implementation data for one trial.

Fig. 3 shows the different frequencies of different keys on all the leakage candidates. The correct key is chosen most often in the hardware implementation but not in the software implementation. The majority vote attack performs better on the hardware implementation data, in contrast to the maximum attack. In practical attacks, we would not know which of these two methods works better a priori. Therefore, we should try both attacks on the available data with a limited number of traces, and the one that suits the implementation better would retrieve the key more efficiently.

Since each of the data sets suits a different attack, we can check their characteristics to verify our theoretical conditions in Section II-B. We first plot the real correlation $\rho_0$ at all leakage points (calculated with all available power traces in the data set under the correct key) in Fig. 4.

Fig. 4: $\rho_0$ on hardware ($n_w = 210$, $n_L = 3150$) and software ($n_w = 200$, $n_L = 3000$) implementation data for one trial. Red lines denote the position with one fifth of $\max\{\rho_0\}$.

Fig. 4(a) shows that there are multiple leakage points with unequal strength of leakage signals. The model in Section II-B is idealized to $n_0$ real leakage points with equal signal $\rho_0$. To match the simple model, we do some approximation by setting $\rho_0$ as the largest true correlation under the correct key among all leakage points. We define $n_0$ as the number of leakage points with true correlations exceeding one fifth of $\rho_0$ (those to the right of the red vertical line). Clearly $\rho_0$ is much bigger in the software implementation (the scales differ by a factor of 10 in the two graphs), while $n_0$ is much bigger in the hardware implementation. We further present in TABLE I the values of the various quantities in the success conditions (8) versus (7) and (9) for the two data sets. For each window size $n_w$, we present these values for the $n_{tr}$ that achieves 80% success rate. The majority vote attack works with very small $\tau_2$ in condition (9), in the hardware implementation and in the software implementation with small window size ($n_w = 50$). Then the resulting $\tau_1$ suffices for the attack to succeed. As the window size increases ($n_w \geq 200$), $\tau_2$ is bigger so that the majority vote attack fails even with smaller $\tau_1$. The maximum attack works better, but needs $\tau_0$ in (8) to be smaller. This is in contrast to a value of $\tau_0 = 0.85$ in the hardware implementation.

TABLE I: Comparison of required conditions on two data sets (columns: majority vote attack on the hardware and software data, maximum attack on the software data; rows: $n_w$, $n_L$, $n_{tr}$, $n_K$, $\rho_0$, $n_0$, $\tau_0$, $\tau_1$, $\tau_2$; the numerical entries did not survive extraction, apart from the fragments 150K and 480K).

B. Empirical Success Rates and Computation Times

Table II shows the computing time of three attacks, the x-corr attack in [2], our maximum attack, and $n_w^2$-2O-CPA on the software implementation under window sizes and trace numbers $(n_w, n_{tr}) \in \{(50, 500), (200, 1000), (2000, 1500), (6000, 2500)\}$. Here we use $n_w^2$-2O-CPA to denote the exhaustive search over all $n_w^2$ 2nd-order CPAs. As the window size increases, the exhaustive search requires much larger computation than the other two attacks and becomes infeasible for $n_w =$ (value not recovered). The majority vote attack takes about the same time as the maximum attack and is not shown in the table.

TABLE II: Computing time (s) of different attacks (columns: $n_w$, x-corr attack, maximum attack, $n_w^2$-2O-CPA; the numerical entries did not survive extraction, apart from an "Unknown" entry for $n_w^2$-2O-CPA).

We compare the number of traces needed to achieve the success rate of 80% for the four different window sizes as done in [2]. Fig. 5 plots the number of traces needed for the x-corr attack, our maximum attack, and our majority vote attack. For small window sizes $n_w = 50, 200$, the maximum attack achieves 80% success rate with $n_{tr} < 500$ traces. While our maximum attack also requires slightly more traces as the window size increases, it needs significantly fewer than those required by the x-corr attack. As the window size increases to $n_w = 6{,}000$, the x-corr attack requires $n_{tr} > 10{,}000$ traces to achieve 80% success rate, but our attack only needs $n_{tr} \approx 1{,}400$ traces. In practice, a large window size is typical for attacks as they generally do not have precise information on the location of the leakage points. For this implementation, the majority vote attack does not scale well.

Fig. 5: Sample size for achieving SR $\geq 0.8$ for different window sizes on the software data. The arrows mean more traces are needed.

On the hardware implementation data, the window size is fixed at $n_w = 210$.
We plot the success rate curves for the x-corr attack, our majority vote attack, our maximum attack, and the 2nd-order CPA at the strongest leakage points (found by profiling all traces with extra knowledge of the mask values). Our majority vote attack significantly improves the analysis power over the x-corr attack. The attack power is lower than that of the 2nd-order CPA, which is an idealistic theoretical attack. This is reasonable as our attack does not assume knowledge of the exact location. The maximum attack does not work well for this type of implementation.

Fig. 6: Empirical success rates when two windows ($n_w = 210$) are selected on hardware implementation data.

V. CONCLUSION

In this paper, we propose an efficient 2nd-order attack with two combination methods that significantly improves the power over the FFT-based attacks while keeping the computational complexity at $O(n_w \log(n_w))$. We provide theoretical studies on two combination methods for attacks at multiple leakage points. The theoretical conditions are shown to agree with the patterns observed in two real data sets. In practice, we can try both combination attacks, which result in two key guesses, and choose the correct key between them. In future work, we aim to develop a data-adaptive rule to automatically choose between the maximum attack and the majority vote attack.

Acknowledgements. This work is supported in part by the National Science Foundation under grants CNS and CNS.

REFERENCES

[1] J. Waddle and D. Wagner, "Towards efficient second-order power analysis," in Int. Workshop on Cryptographic Hardware and Embedded Systems, 2004.
[2] P. Belgarric, S. Bhasin, N. Bruneau, J.-L. Danger, N. Debande, S. Guilley, A. Heuser, Z. Najm, and O. Rioul, "Time-frequency analysis for second-order attacks," in Smart Card Research and Advanced Applications, 2014.
[3] P. C. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Proc. Int. Cryptology Conf. on Advances in Cryptology, 1999.
[4] E. Brier, C. Clavier, and F. Olivier, "Correlation power analysis with a leakage model," in Int. Workshop on Cryptographic Hardware and Embedded Systems, 2004.
[5] B. Gierlichs, L. Batina, P. Tuyls, and B. Preneel, "Mutual information analysis," in Int. Workshop on Cryptographic Hardware and Embedded Systems, 2008.
[6] S. Chari, J. Rao, and P. Rohatgi, "Template attacks," in Int. Workshop on Cryptographic Hardware and Embedded Systems, 2003.
[7] S. Chari, C. S. Jutla, J. R. Rao, and P. Rohatgi, "Towards sound approaches to counteract power-analysis attacks," in Advances in Cryptology - CRYPTO, 1999.
[8] T. Messerges, "Using second-order power analysis to attack DPA resistant software," in Int. Workshop on Cryptographic Hardware and Embedded Systems, 2000.
[9] E. Prouff, M. Rivain, and R. Bevan, "Statistical analysis of second order differential power analysis," IEEE Trans. on Computers.
[10] F.-X. Standaert, N. Veyrat-Charvillon, E. Oswald, B. Gierlichs, M. Medwed, M. Kasper, and S. Mangard, "The world is not enough: Another look on second-order DPA," in Advances in Cryptology - ASIACRYPT.
[11] A. A. Ding, L. Zhang, Y. Fei, and P. Luo, "A statistical model for multivariate DPA on masked devices," in Int. Workshop on Cryptographic Hardware and Embedded Systems, 2014.
[12] V. Lomné, E. Prouff, M. Rivain, T. Roche, and A. Thillard, "How to estimate the success rate of higher-order side-channel attacks," in Int. Workshop on Cryptographic Hardware and Embedded Systems, 2014.
[13] O. Reparaz, B. Gierlichs, and I. Verbauwhede, "Selecting time samples for multivariate DPA attacks," in Int. Workshop on Cryptographic Hardware and Embedded Systems, 2012.
[14] C. Rechberger and E. Oswald, "Practical template attacks," in Information Security Applications, 2005.
[15] C. Archambeau, E. Peeters, F.-X. Standaert, and J.-J. Quisquater, "Template attacks in principal subspaces," in Int. Workshop on Cryptographic Hardware and Embedded Systems, 2006.
[16] M. Bär, H. Drexler, and J. Pulkus, "Improved template attacks," in Int. Workshop on Constructive Side-Channel Analysis and Secure Design.
[17] F.-X. Standaert and C. Archambeau, "Using subspace-based template attacks to compare and combine power and electromagnetic information leakages," in Int. Workshop on Cryptographic Hardware and Embedded Systems, 2008.
[18] M. Elaabid, O. Meynard, S. Guilley, and J.-L. Danger, "Combined side-channel attacks," in Information Security Applications, 2011.
[19] M.-L. Akkar and C. Giraud, "An implementation of DES and AES, secure against some attacks," in Int. Workshop on Cryptographic Hardware and Embedded Systems, 2001.
[20] TELECOM ParisTech SEN research group, "DPA contest (4th edition)," [Online].


More information

Novel Approaches for Improving the Power Consumption Models in Correlation Analysis

Novel Approaches for Improving the Power Consumption Models in Correlation Analysis Novel Approaches for Improving the Power Consumption Models in Correlation Analysis Thanh-Ha Le, Quoc-Thinh Nguyen-Vuong, Cécile Canovas, Jessy Clédière CEA-LETI 17 avenue des Martyrs, 38 054 Grenoble

More information

On the Masking Countermeasure and Higher-Order Power Analysis Attacks

On the Masking Countermeasure and Higher-Order Power Analysis Attacks 1 On the Masking Countermeasure and Higher-Order Power Analysis Attacks François-Xavier Standaert, Eric Peeters, Jean-Jacques Quisquater UCL Crypto Group, Place du Levant, 3, B-1348 Louvain-La-Neuve, Belgium.

More information

Affine Masking against Higher-Order Side Channel Analysis

Affine Masking against Higher-Order Side Channel Analysis Affine Masking against Higher-Order Side Channel Analysis Guillaume Fumaroli 1, Ange Martinelli 1, Emmanuel Prouff 2, and Matthieu Rivain 3 1 Thales Communications {guillaume.fumaroli, jean.martinelli}@fr.thalesgroup.com

More information

NICV: Normalized Inter-Class Variance for Detection of Side-Channel Leakage

NICV: Normalized Inter-Class Variance for Detection of Side-Channel Leakage NICV: Normalized Inter-Class Variance for Detection of Side-Channel Leakage Shivam Bhasin 1 Jean-Luc Danger 1,2 Sylvain Guilley 1,2 Zakaria Najm 1 1 Institut MINES-TELECOM, TELECOM ParisTech, Department

More information

Multi-Variate High-Order Attacks of Shuffled Tables Recomputation

Multi-Variate High-Order Attacks of Shuffled Tables Recomputation Multi-Variate High-Order Attacks of Shuffled Tables Recomputation Nicolas BRUNEAU,2, Sylvain GUILLEY,3, Zakaria NAJM, Yannick TEGLIA 2, TELECOM-ParisTech, Crypto Group, Paris, FRANCE 2 STMicroelectronics,

More information

Mutual Information Analysis: a Comprehensive Study

Mutual Information Analysis: a Comprehensive Study Mutual Information Analysis: a Comprehensive Study Lejla Batina 1,2, Benedikt Gierlichs 1, Emmanuel Prouff 3, Matthieu Rivain 4, François-Xavier Standaert 5 and Nicolas Veyrat-Charvillon 5 1 K.U.Leuven,

More information

Protecting AES with Shamir s Secret Sharing Scheme

Protecting AES with Shamir s Secret Sharing Scheme Protecting AES with Shamir s Secret Sharing Scheme Louis Goubin 1 and Ange Martinelli 1,2 1 Versailles Saint-Quentin-en-Yvelines University Louis.Goubin@prism.uvsq.fr 2 Thales Communications jean.martinelli@fr.thalesgroup.com

More information

Success through confidence: Evaluating the effectiveness of a side-channel attack.

Success through confidence: Evaluating the effectiveness of a side-channel attack. Success through confidence: Evaluating the effectiveness of a side-channel attack. Adrian Thillard, Emmanuel Prouff, and Thomas Roche ANSSI, 51, Bd de la Tour-Maubourg, 757 Paris 7 SP, France firstname.name@ssi.gouv.fr

More information

Differential Power Analysis Attacks Based on the Multiple Correlation Coefficient Xiaoke Tang1,a, Jie Gan1,b, Jiachao Chen2,c, Junrong Liu3,d

Differential Power Analysis Attacks Based on the Multiple Correlation Coefficient Xiaoke Tang1,a, Jie Gan1,b, Jiachao Chen2,c, Junrong Liu3,d 4th International Conference on Sensors, Measurement and Intelligent Materials (ICSMIM 2015) Differential Power Analysis Attacks Based on the Multiple Correlation Coefficient Xiaoke Tang1,a, Jie Gan1,b,

More information

Mutual Information Analysis: a Comprehensive Study

Mutual Information Analysis: a Comprehensive Study J. Cryptol. (2011) 24: 269 291 DOI: 10.1007/s00145-010-9084-8 Mutual Information Analysis: a Comprehensive Study Lejla Batina ESAT/SCD-COSIC and IBBT, K.U.Leuven, Kasteelpark Arenberg 10, 3001 Leuven-Heverlee,

More information

A Proposition for Correlation Power Analysis Enhancement

A Proposition for Correlation Power Analysis Enhancement A Proposition for Correlation Power Analysis Enhancement Thanh-Ha Le 1, Jessy Clédière 1,Cécile Canovas 1, Bruno Robisson 1, Christine Servière, and Jean-Louis Lacoume 1 CEA-LETI 17 avenue des Martyrs,

More information

Power Analysis of Hardware Implementations Protected with Secret Sharing

Power Analysis of Hardware Implementations Protected with Secret Sharing Power Analysis of Hardware Implementations Protected with Secret Sharing Guido Bertoni, Joan Daemen, Nicolas Debande, Thanh-Ha Le, Michaël Peeters and Gilles Van Assche, STMicroelectronics, Morpho, TELECOM

More information

Improved Collision-Correlation Power Analysis on First Order Protected AES

Improved Collision-Correlation Power Analysis on First Order Protected AES Improved Collision-Correlation Power Analysis on First Order Protected AES Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent Verneuil To cite this version: Christophe Clavier,

More information

Using Subspace-Based Template Attacks to Compare and Combine Power and Electromagnetic Information Leakages

Using Subspace-Based Template Attacks to Compare and Combine Power and Electromagnetic Information Leakages Using Subspace-Based Template Attacks to Compare and Combine Power and Electromagnetic Information Leakages F.-X. Standaert 1 C. Archambeau 2 1 UCL Crypto Group, Université catholique de Louvain, 2 Centre

More information

Multiple-Differential Side-Channel Collision Attacks on AES

Multiple-Differential Side-Channel Collision Attacks on AES Multiple-Differential Side-Channel Collision Attacks on AES Andrey Bogdanov Horst Görtz Institute for IT Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de, www.crypto.rub.de Abstract. In

More information

Linear Regression Side Channel Attack Applied on Constant XOR

Linear Regression Side Channel Attack Applied on Constant XOR Linear Regression Side Channel Attack Applied on Constant XOR Shan Fu ab, Zongyue Wang c, Fanxing Wei b, Guoai Xu a, An Wang d a National Engineering Laboratory of Mobile Internet Security, Beijing University

More information

A Statistical Model for DPA with Novel Algorithmic Confusion Analysis

A Statistical Model for DPA with Novel Algorithmic Confusion Analysis A Statistical Model for DPA with Novel Algorithmic Confusion Analysis Yunsi Fei 1, Qiasi Luo 2,, and A. Adam Ding 3 1 Department of Electrical and Computer Engineering Northeastern University, Boston,

More information

Entropy Reduction for the Correlation-Enhanced Power Analysis Collision Attack

Entropy Reduction for the Correlation-Enhanced Power Analysis Collision Attack Entropy Reduction for the Correlation-Enhanced Power Analysis Collision Attack Andreas Wiemers, Dominik Klein Bundesamt für Sicherheit in der Informationstechnik (BSI) {firstname.lastname}@bsi.bund.de

More information

Improving Side-Channel Analysis with Optimal Pre-Processing

Improving Side-Channel Analysis with Optimal Pre-Processing Improving Side-Channel Analysis with Optimal Pre-Processing David Oswald and Christof Paar Horst Görtz Institute for IT Security Ruhr-University Bochum, Germany {david.oswald, christof.paar}@rub.de Abstract.

More information

Several Masked Implementations of the Boyar-Peralta AES S-Box

Several Masked Implementations of the Boyar-Peralta AES S-Box Several Masked Implementations of the Boyar-Peralta AES S-Box Ashrujit Ghoshal 1[0000 0003 2436 0230] and Thomas De Cnudde 2[0000 0002 2711 8645] 1 Indian Institute of Technology Kharagpur, India ashrujitg@iitkgp.ac.in

More information

CS293 Report Side Channel Attack with Machine Learning

CS293 Report Side Channel Attack with Machine Learning 000 001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050

More information

Partition vs. Comparison Side-Channel Distinguishers

Partition vs. Comparison Side-Channel Distinguishers Partition vs. Comparison Side-Channel Distinguishers An Empirical Evaluation of Statistical Tests for Univariate Side-Channel Attacks against Two Unprotected CMOS Devices François-Xavier Standaert, Benedikt

More information

Side-Channel Leakage Evaluation and Detection Based on Communication Theory

Side-Channel Leakage Evaluation and Detection Based on Communication Theory Side-Channel Leakage Evaluation and Detection Based on Communication Theory Wei Yang, Yuchen Cao, Ke Ma, and Hailong Zhang University of Chinese Academy of Sciences, Beijing, China generalyzy@gmail.com

More information

Back to Massey: Impressively fast, scalable and tight security evaluation tools

Back to Massey: Impressively fast, scalable and tight security evaluation tools Bac to Massey: Impressively fast, scalable and tight security evaluation tools Marios O. Choudary and P. G. Popescu University Politehnica of Bucharest marios.choudary@cs.pub.ro,pgpopescu@yahoo.com Abstract.

More information

Channel Equalization for Side Channel Attacks

Channel Equalization for Side Channel Attacks Channel Equalization for Side Channel Attacks Colin O Flynn and Zhizhang (David) Chen Dalhousie University, Halifax, Canada {coflynn, z.chen}@dal.ca Revised: July 10, 2014 Abstract. This paper introduces

More information

Introduction to Side Channel Analysis. Elisabeth Oswald University of Bristol

Introduction to Side Channel Analysis. Elisabeth Oswald University of Bristol Introduction to Side Channel Analysis Elisabeth Oswald University of Bristol Outline Part 1: SCA overview & leakage Part 2: SCA attacks & exploiting leakage and very briefly Part 3: Countermeasures Part

More information

Manifold Learning Towards Masking Implementations: A First Study

Manifold Learning Towards Masking Implementations: A First Study Manifold Learning Towards Masking Implementations: A First Study Changhai Ou, Degang Sun, Zhu Wang, Xinping Zhou and Wei Cheng Institute of Information Engineering, Chinese Academy of Sciences 2 School

More information

On the Practical Security of a Leakage Resilient Masking Scheme

On the Practical Security of a Leakage Resilient Masking Scheme On the Practical Security of a Leakage Resilient Masking Scheme T. Roche thomas.roche@ssi.gouv.fr Joint work with E. Prouff and M. Rivain French Network and Information Security Agency (ANSSI) CryptoExperts

More information

Multi-target DPA attacks: Pushing DPA beyond the limits of a desktop computer

Multi-target DPA attacks: Pushing DPA beyond the limits of a desktop computer Multi-target DPA attacks: Pushing DPA beyond the limits of a desktop computer Luke Mather, Elisabeth Oswald, and Carolyn Whitnall Department of Computer Science, University of Bristol, Merchant Venturers

More information

Template Attacks with Partial Profiles and Dirichlet Priors: Application to Timing Attacks June 18, 2016

Template Attacks with Partial Profiles and Dirichlet Priors: Application to Timing Attacks June 18, 2016 Template Attacks with Partial Profiles and Dirichlet Priors: Application to Timing Attacks June 18, 2016 Eloi de Chérisey, Sylvain Guilley, Darshana Jayasinghe and Olivier Rioul Contents Introduction Motivations

More information

Comparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d

Comparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d International Conference on Manufacturing Science and Engineering (ICMSE 2015) Comparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d

More information

Side-channel attacks on PKC and countermeasures with contributions from PhD students

Side-channel attacks on PKC and countermeasures with contributions from PhD students basics Online Side-channel attacks on PKC and countermeasures (Tutorial @SPACE2016) with contributions from PhD students Lejla Batina Institute for Computing and Information Sciences Digital Security Radboud

More information

Templates as Master Keys

Templates as Master Keys Templates as Master Keys Dakshi Agrawal, Josyula R. Rao, Pankaj Rohatgi, and Kai Schramm IBM Watson Research Center P.O. Box 74 Yorktown Heights, NY 1598 USA {agrawal,jrrao,rohatgi}@us.ibm.com Communication

More information

Bounded, yet Sufficient? How to Determine Whether Limited Side Channel Information Enables Key Recovery

Bounded, yet Sufficient? How to Determine Whether Limited Side Channel Information Enables Key Recovery Bounded, yet Sufficient? How to Determine Whether Limited Side Channel Information Enables Key Recovery Xin Ye, Thomas Eisenbarth and William Martin Worcester Polytechnic Institute, Worcester, MA 01609,

More information

Using Second-Order Power Analysis to Attack DPA Resistant Software

Using Second-Order Power Analysis to Attack DPA Resistant Software Using Second-Order Power Analysis to Attack DPA Resistant Software Thomas S. Messerges Motorola Labs, Motorola 3 E. Algonquin Road, Room 7, Schaumburg, IL 696 Tom.Messerges@motorola.com Abstract. Under

More information

A Theoretical Study of Kolmogorov-Smirnov Distinguishers Side-Channel Analysis vs Differential Cryptanalysis

A Theoretical Study of Kolmogorov-Smirnov Distinguishers Side-Channel Analysis vs Differential Cryptanalysis A Theoretical Study of Kolmogorov-Smirnov Distinguishers Side-Channel Analysis vs Differential Cryptanalysis COSADE 2014 Annelie Heuser, Olivier Rioul, Sylvain Guilley 1 Problem statement The distinguishing

More information

Comprehensive Evaluation of AES Dual Ciphers as a Side-Channel Countermeasure

Comprehensive Evaluation of AES Dual Ciphers as a Side-Channel Countermeasure Comprehensive Evaluation of AES Dual Ciphers as a Side-Channel Countermeasure Amir Moradi and Oliver Mischke Horst Görtz Institute for IT Security, Ruhr University Bochum, Germany {moradi,mischke}@crypto.rub.de

More information

Correlation Power Analysis. Chujiao Ma

Correlation Power Analysis. Chujiao Ma Correlation Power Analysis Chujiao Ma Power Analysis Simple Power Analysis (SPA) different operations consume different power Differential Power Analysis (DPA) different data consume different power Correlation

More information

Generic Side-Channel Distinguishers: Improvements and Limitations

Generic Side-Channel Distinguishers: Improvements and Limitations Generic Side-Channel Distinguishers: Improvements and Limitations Nicolas Veyrat-Charvillon, François-Xavier Standaert UCL Crypto Group, Université catholique de Louvain. Place du Levant 3, B-1348, Louvain-la-Neuve,

More information

Ease of Side-Channel Attacks on AES-192/256 by Targeting Extreme Keys

Ease of Side-Channel Attacks on AES-192/256 by Targeting Extreme Keys Ease of Side-Channel Attacks on AES-192/256 by Targeting Extreme Keys Antoine Wurcker eshard, France, antoine.wurcker@eshard.com Abstract. Concerning the side-channel attacks on Advanced Encryption Standard,

More information

Collision-Correlation Attack against some 1 st -order Boolean Masking Schemes in the Context of Secure Devices

Collision-Correlation Attack against some 1 st -order Boolean Masking Schemes in the Context of Secure Devices Collision-Correlation Attack against some 1 st -order Boolean Masking Schemes in the Context of Secure Devices Thomas Roche and Victor Lomné ANSSI 51 boulevard de la Tour-Maubourg, 75700 Paris 07 SP, France

More information

Side-Channel Leakage in Masked Circuits Caused by Higher-Order Circuit Effects

Side-Channel Leakage in Masked Circuits Caused by Higher-Order Circuit Effects Side-Channel Leakage in Masked Circuits Caused by Higher-Order Circuit Effects Zhimin Chen, Syed Haider, and Patrick Schaumont Virginia Tech, Blacksburg, VA 24061, USA {chenzm,syedh,schaum}@vt.edu Abstract.

More information

High (Physical) Security & Lightweight (Symmetric) Cryptography

High (Physical) Security & Lightweight (Symmetric) Cryptography High (Physical) Security & Lightweight (Symmetric) Cryptography François-Xavier Standaert UCL Crypto Group, Belgium HIGHLIGHT LIGHTCRYPTO, November 2016 Outline Preliminary questions / definitions Side-channel

More information

Efficient Conversion Method from Arithmetic to Boolean Masking in Constrained Devices

Efficient Conversion Method from Arithmetic to Boolean Masking in Constrained Devices Efficient Conversion Method from Arithmetic to Boolean Masing in Constrained Devices Yoo-Seung Won 1 and Dong-Gu Han 1,2 1 Department of Financial Information Security, Koomin University, Seoul, Korea

More information

A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks

A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks François-Xavier Standaert 1, Tal G. Malkin 2, Moti Yung 2,3 1 UCL Crypto Group, Université Catholique de Louvain. 2 Dept. of Computer

More information

DPA-Resistance without routing constraints?

DPA-Resistance without routing constraints? Introduction Attack strategy Experimental results Conclusion Introduction Attack strategy Experimental results Conclusion Outline DPA-Resistance without routing constraints? A cautionary note about MDPL

More information

Side-Channel Attacks on Threshold Implementations using a Glitch Algebra

Side-Channel Attacks on Threshold Implementations using a Glitch Algebra Side-Channel Attacks on Threshold Implementations using a Glitch Algebra Serge Vaudenay EPFL CH-1015 Lausanne, Switzerland http://lasec.epfl.ch Abstract. Threshold implementations allow to implement circuits

More information

Blind Source Separation from Single Measurements using Singular Spectrum Analysis

Blind Source Separation from Single Measurements using Singular Spectrum Analysis Blind Source Separation from Single Measurements using Singular Spectrum Analysis Santos Merino Del Pozo and François-Xavier Standaert. ICTEAM/ELEN/Crypto Group, Université catholique de Louvain, Belgium.

More information

Defining Perceived Information based on Shannon s Communication Theory

Defining Perceived Information based on Shannon s Communication Theory Defining Perceived Information based on Shannon s Communication Theory Cryptarchi 2016 June 21-24, 2016 La Grande Motte, France Eloi de Chérisey, Sylvain Guilley, & Olivier Rioul Télécom ParisTech, Université

More information

Towards Easy Key Enumeration

Towards Easy Key Enumeration Towards Easy Key Enumeration Changhai Ou, Degang Sun, Zhu Wang, and Xinping Zhou 1 Institute of Information Engineering, Chinese Academy of Sciences 2 School of Cyber Security, University of Chinese Academy

More information

An Exploration of the Kolmogorov-Smirnov Test as a Competitor to Mutual Information Analysis

An Exploration of the Kolmogorov-Smirnov Test as a Competitor to Mutual Information Analysis An Exploration of the Kolmogorov-Smirnov Test as a Competitor to Mutual Information Analysis Carolyn Whitnall, Elisabeth Oswald, and Luke Mather University of Bristol, Department of Computer Science, Merchant

More information

Mutual Information Analysis

Mutual Information Analysis Mutual Information Analysis A Universal Differential Side-Channel Attack Benedikt Gierlichs 1, Lejla Batina 1, and Pim Tuyls 1,2 1 K.U. Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee,

More information

Random Delay Insertion: Effective Countermeasure against DPA on FPGAs

Random Delay Insertion: Effective Countermeasure against DPA on FPGAs Random Delay Insertion: Effective Countermeasure against DPA on FPGAs Lu, Yingxi Dr. Máire O Neill Prof. John McCanny Overview September 2004 PRESENTATION OUTLINE DPA and countermeasures Random Delay Insertion

More information

Less is More Dimensionality Reduction from a Theoretical Perspective

Less is More Dimensionality Reduction from a Theoretical Perspective Less is More Dimensionality Reduction from a Theoretical Perspective Nicolas Bruneau,, Sylvain Guilley,3, Annelie Heuser, Damien Marion,3, and Olivier Rioul,4 Telecom ParisTech, Institut Mines-Télécom,

More information

SNR to Success Rate: Reaching the Limit of Non-Profiling DPA

SNR to Success Rate: Reaching the Limit of Non-Profiling DPA SNR to Success Rate: Reaching the Limit of Non-Profiling DPA Suvadeep Hajra Dept. of Computer Science & Engg. Indian Institute of Technology, Kharagpur, India suvadeep.hajra@gmail.com Debdeep Mukhopadhyay

More information

Improving DPA by Peak Distribution Analysis

Improving DPA by Peak Distribution Analysis Improving DPA by Peak Distribution Analysis Jing Pan 1, Jasper GJ van Woudenberg 1, Jerry I den Hartog 2, and Marc F Witteman 1 1 Riscure BV, 2628 XJ Delft, The Netherlands {pan,vanwoudenberg,witteman}@riscurecom

More information

A Comprehensive Evaluation of Mutual Information Analysis Using a Fair Evaluation Framework

A Comprehensive Evaluation of Mutual Information Analysis Using a Fair Evaluation Framework A Comprehensive Evaluation of Mutual Information Analysis Using a Fair Evaluation Framework Carolyn Whitnall and Elisabeth Oswald University of Bristol, Department of Computer Science, Merchant Venturers

More information

An Exploration of the Kolmogorov-Smirnov Test as Competitor to Mutual Information Analysis

An Exploration of the Kolmogorov-Smirnov Test as Competitor to Mutual Information Analysis An Exploration of the Kolmogorov-Smirnov Test as Competitor to Mutual Information Analysis Carolyn Whitnall, Elisabeth Oswald, and Luke Mather University of Bristol, Department of Computer Science, Merchant

More information

Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi

Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi Wednesday, September 16 th, 015 Motivation Security Evaluation Motivation Security Evaluation

More information

An Exploration of the Kolmogorov-Smirnov Test as a Competitor to Mutual Information Analysis

An Exploration of the Kolmogorov-Smirnov Test as a Competitor to Mutual Information Analysis An Exploration of the Kolmogorov-Smirnov Test as a Competitor to Mutual Information Analysis Carolyn Whitnall, Elisabeth Oswald, and Luke Mather University of Bristol, Department of Computer Science, Merchant

More information

A Sound Method for Switching between Boolean and Arithmetic Masking

A Sound Method for Switching between Boolean and Arithmetic Masking A Sound Method for Switching between Boolean and Arithmetic Masking Louis Goubin CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP45 78430 Louveciennes Cedex, France Louis.Goubin@louveciennes.tt.slb.com

More information

Generic Side-Channel Distinguishers: Improvements and Limitations

Generic Side-Channel Distinguishers: Improvements and Limitations Generic Side-Channel Distinguishers: Improvements and Limitations Nicolas Veyrat-Charvillon, François-Xavier Standaert UCL Crypto Group, Université catholique de Louvain. Place du Levant 3, B-1348, Louvain-la-Neuve,

More information

Elliptic Curve Cryptography and Security of Embedded Devices

Elliptic Curve Cryptography and Security of Embedded Devices Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography

More information

Side-Channel Analysis on Blinded Regular Scalar Multiplications

Side-Channel Analysis on Blinded Regular Scalar Multiplications Side-Channel Analysis on Blinded Regular Scalar Multiplications Benoit Feix 1 and Mylène Roussellet 2 and Alexandre Venelli 3 1 UL Security Transactions, UK Security Lab benoit.feix@ul.com 2 Gemalto, La

More information

Efficient randomized regular modular exponentiation using combined Montgomery and Barrett multiplications

Efficient randomized regular modular exponentiation using combined Montgomery and Barrett multiplications University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2016 Efficient randomized regular modular exponentiation

More information

Side-channel Analysis of Lightweight Ciphers: Does Lightweight Equal Easy?

Side-channel Analysis of Lightweight Ciphers: Does Lightweight Equal Easy? Side-channel Analysis of Lightweight Ciphers: Does Lightweight Equal Easy? Annelie Heuser 1, Stjepan Picek 2, Sylvain Guilley 3, and Nele Mentens 2 1 IRISA/CNRS, Rennes, France 2 KU Leuven, ESAT/COSIC

More information

A Collision-Attack on AES Combining Side Channel- and Differential-Attack

A Collision-Attack on AES Combining Side Channel- and Differential-Attack A Collision-Attack on AES Combining Side Channel- and Differential-Attack Kai Schramm, Gregor Leander, Patrick Felke, and Christof Paar Horst Görtz Institute for IT Security Ruhr-Universität Bochum, Germany

More information

Formal Verification of Masked Implementations

Formal Verification of Masked Implementations Formal Verification of Masked Implementations Sonia Belaïd Benjamin Grégoire CHES 2018 - Tutorial September 9th 2018 1 / 47 1 Side-Channel Attacks and Masking 2 Formal Tools for Verification at Fixed Order

More information

Masking against Side-Channel Attacks: a Formal Security Proof

Masking against Side-Channel Attacks: a Formal Security Proof Masking against Side-Channel Attacks: a Formal Security Proof Emmanuel Prouff 1 and Matthieu Rivain 2 1 ANSSI emmanuel.prouff@ssi.gouv.fr 2 CryptoExperts matthieu.rivain@cryptoexperts.com Abstract. Masking

More information

Side-Channel Leakage and Trace Compression using Normalized Inter-Class Variance

Side-Channel Leakage and Trace Compression using Normalized Inter-Class Variance Side-Channel Leakage and Trace Compression using Normalized Inter-Class Variance Shivam Bhasin 1, Jean-Luc Danger 1,2, Sylvain Guilley 1,2 and Zakaria Najm 1 1 Institut MINES-TELECOM, TELECOM ParisTech,

More information

PCA, Eigenvector Localization and Clustering for Side-Channel Attacks on Cryptographic Hardware Devices

PCA, Eigenvector Localization and Clustering for Side-Channel Attacks on Cryptographic Hardware Devices PCA, Eigenvector Localization and Clustering for Side-Channel Attacks on Cryptographic Hardware Devices Dimitrios Mavroeidis, Lejla Batina, Twan van Laarhoven, and Elena Marchiori Institute for Computing

More information

Making Masking Security Proofs Concrete

Making Masking Security Proofs Concrete Making Masking Security Proofs Concrete Or How to Evaluate the Security of any Leaking Device Extended Version Alexandre Duc 1, Sebastian Faust 1,2, François-Xavier Standaert 3 1 HEIG-VD, Lausanne, Switzerland

More information

Theory and Practice of a Leakage Resilient Masking Scheme

Theory and Practice of a Leakage Resilient Masking Scheme Theory and Practice of a Leakage Resilient Masking Scheme Josep Balasch 1, Sebastian Faust 2, Benedikt Gierlichs 1, and Ingrid Verbauwhede 1 1 KU Leuven Dept. Electrical Engineering-ESAT/SCD-COSIC and

More information

On the Use of Masking to Defeat Power-Analysis Attacks

On the Use of Masking to Defeat Power-Analysis Attacks 1/32 On the Use of Masking to Defeat Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd Outline Power-Analysis Attacks Masking Countermeasure Leakage Models Security

More information

Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA)

Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche, Cédric Tavernier Laboratoire LIG, Grenoble, France. Communications and Systems, Le Plessis Robinson, France. Cryptopuces

More information

Author's personal copy
