Towards Security Limits in Side-Channel Attacks


Towards Security Limits in Side-Channel Attacks (With an Application to Block Ciphers)

F.-X. Standaert, E. Peeters, C. Archambeau, and J.-J. Quisquater
UCL Crypto Group, Place du Levant 3, B-348 Louvain-la-Neuve, Belgium
{fstandae, peeters, archambeau, quisquater}@dice.ucl.ac.be

Abstract. In this paper, we consider a recently introduced framework that investigates physically observable implementations from a theoretical point of view. The model allows quantifying the effect of practically relevant leakage functions with a combination of security and information theoretic metrics. More specifically, we apply our evaluation methodology to an exemplary block cipher. We first consider a Hamming weight leakage function and evaluate the efficiency of two commonly investigated countermeasures, namely noise addition and masking. Then, we show that the proposed methodology allows capturing certain non-trivial intuitions, e.g. about the respective effectiveness of these countermeasures. Finally, we justify the need of combined metrics for the evaluation, comparison and understanding of side-channel attacks.

1 Introduction

In [4], a formal practice-oriented model for the analysis of cryptographic primitives against side-channel attacks was introduced as a specialization of Micali and Reyzin's physically observable cryptography paradigm [8]. The model is based on a theoretical framework in which the effect of practically relevant leakage functions is evaluated with a combination of security and information theoretic measurements. A central objective of the model was to provide a fair evaluation methodology for side-channel attacks. This objective is motivated by the fact that side-channel attacks may take advantage of different statistical tools (e.g. difference of means [5], correlation [2], Bayesian classification [], stochastic models [3]) and are therefore not straightforward to compare. In addition to the comparison of side-channel attacks, a more theoretical goal was the understanding of the underlying mechanisms of physically observable cryptography.
Specifically, [4] suggests to combine the average success rate of a (well specified) adversary with some information theoretic metrics in order to capture the intuition summarized in Figure 1. Namely, an information theoretic metric should measure the average amount of information that is available in some physical observations while a security metric measures how efficiently an actual adversary can turn this information into a successful key recovery.

François-Xavier Standaert is a post doctoral researcher funded by the FNRS (Funds for National Scientific Research, Belgium).

L. Goubin and M. Matsui (Eds.): CHES 26, LNCS 4249, pp. 3 45, 26. © International Association for Cryptologic Research 26

[Fig. 1. Summary of side-channel evaluation criteria. Axes: security metric, information theoretic metric. Regions:
- strong implementation: good leakage model and enough queries (little information available, turned into a successful attack)
- insecure implementation (some information available, turned into a successful attack)
- secure implementation (little information available, not exploited by the adversary)
- weak implementation: bad leakage model or not enough queries (some information is available, not well exploited by the adversary)]

In this paper, we consequently study the relevance of the suggested methodology, by the analysis of a practical case. For this purpose, we investigate an exemplary block cipher and consider a Hamming weight leakage function in different attack scenarios. First, we consider an unprotected implementation and evaluate the information leakages resulting from various number of Hamming weight queries. We discuss how actual block cipher components compare to random oracles with respect to side-channel leakages. Then, we evaluate the security of two commonly admitted countermeasures against side-channel attacks, i.e. noise addition and masking. Through these experiments, we show that the proposed evaluation criteria allow capturing certain non-trivial intuitions about the respective effectiveness of these countermeasures. Finally, we provide some experimental validations of our analysis and discuss the advantages of our combination of metrics with respect to other evaluation techniques.

Importantly, in our theoretical framework, side-channel analysis can be viewed as a classification problem. Our results consequently tend to estimate the security limits of side-channel adversaries with two respects. First, because of our information theoretic approach, we aim to evaluate precisely the average amount of information that is available in some physical observations.
Second, because we consider (one of) the most efficient classification test(s), namely Bayesian classification, it is expected that the computed success rates also correspond to the best possible adversarial strategy. However, we mention that the best evaluation and comparison metrics to use in the context of side-channel attacks are still under discussion. Our results intend to show that both are useful, but other similar metrics should still be investigated and compared.

2 Model Specifications

In general, the model of computation we consider in this paper is the one initially presented in [8] with the specializations introduced in [4]. In this section,

we first describe our target block cipher implementation. Then, we specify the leakage function, the adversarial context and adversarial strategy that we consider in this work. Finally, we provide the definitions of our security and information theoretic metrics for the evaluation of the attacks in the next sections. Both the adversarial classifications and the metrics were introduced and detailed in [4].

2.1 Target Implementation

Our target block cipher implementation is represented in Figure 2. For convenience, we only represent the combination of a bitwise key addition and a layer of substitution boxes. We make a distinction between a single block and a multiple block implementation. This difference refers to the way the key guess is performed by the adversary. In a single block implementation (e.g. typically, an 8-bit processor), the adversary is able to guess (and therefore exploit) all the bits in the implementation. In a multiple block implementation (e.g. typically, a hardware implementation with data processed in parallel), the adversary is only able to guess the bits at the output of one block of the target design. That is, the other blocks are producing what is frequently referred to as algorithmic noise.

[Fig. 2. Single block and multiple block cipher implementation]

2.2 Leakage Function

Our results consider the example of a Hamming weight leakage function. Specifically, we assume a side-channel adversary that is provided with the (possibly noisy) Hamming weight leakages of the S-boxes outputs in Figure 2, i.e. $W_H(Y)$. With respect to the classification introduced in [4], perfect Hamming weights correspond to non-profiled leakage functions while noisy Hamming weights relate to the context of device profiled (stochastic) leakage functions. In the latter one, the leakage function includes a characterization of the noise in the target device. For this purpose, we assume a Gaussian noise distribution.
We note also that our exemplary leakage functions are univariate since they only consider one leaking point in the implementations, namely the S-boxes outputs.

2.3 Adversarial Context

We consider a non-adaptive known plaintext adversary that can perform an arbitrary number of side-channel queries to the target implementation of Figure 2 but cannot choose its queries in function of the previously observed leakages.

2.4 Adversarial Strategy

We consider a side-channel key recovery adversary with the following (hard) strategy: given some physical observations and a resulting classification of key candidates, select the best classified key only.

2.5 Security Metric: Success Rate of the Adversary

The success rate of a side-channel key recovery attack can be written as follows. Let $S$ and $O$ be two random variables in the discrete domains $\mathcal{S}$ and $\mathcal{O}$, respectively denoting the target secret signals and the side-channel observations. Let $O_{S_g}$ be an observation generated by a secret signal $S_g$. Let finally $C(L(S), O_{S_g})$ be the statistical tool used by the adversary to compare an actual observation of a device with its prediction according to a leakage function $L$. This statistical tool could be a difference of mean test, a correlation test, a Bayesian classification, or any other tool, possibly inspired from classical cryptanalysis. For each observation $O_{S_g}$, we define the set of keys selected by the adversary as:

$$M_{S_g} = \{\hat{s} \mid \hat{s} = \operatorname{argmax}_{S} C[L(S) \mid O_{S_g}]\}$$

Then, we define the result of the attack with the index matrix:

$$I_{S_g,S} = \frac{1}{|M_{S_g}|} \text{ if } S \in M_{S_g}, \text{ else } 0.$$

The success rate of the adversary for a secret signal $S_g$ is estimated as:

$$S_R(S_g) = \mathbf{E}_{O_{S_g}} I_{S_g,S_g}, \quad (1)$$

and the average success rate of the adversary is defined as:

$$S_R = \mathbf{E}_{S_g} \mathbf{E}_{O_{S_g}} I_{S_g,S_g} \quad (2)$$

In the following, we will only consider a Bayesian classifier, i.e. an adversary that selects the keys such that $P[S \mid O_{S_g}]$ is maximum, since it corresponds to (one of) the most efficient way(s) to perform a side-channel key recovery.

Finally, it is interesting to remark that one can use the complete index matrix to build a confusion matrix $C_{S_g,S} = \mathbf{E}_{O_{S_g}} I_{S_g,S}$. The previously defined average success rate simply corresponds to the averaged diagonal of this matrix.
In our following examples, $L$ is the Hamming weight function.

2.6 Information Theoretic Metric: Conditional Entropy

In addition to the average success rate, [4] suggests the use of an information theoretic metric to evaluate the information contained in side-channel observations. We note (again) that different proposals could be used for such evaluation purposes and their comparison is a scope for further research. In the present paper, we selected the classical notion of Shannon conditional entropy and investigate how one can take advantage of the approach to understand and evaluate side-channel attacks.

Let $P[S \mid O_{S_g}]$ be the probability vector of the different key candidates $S$ given an observation $O_{S_g}$ generated by a correct key $S_g$. Similarly to the confusion matrix of the previous section, we define a probability matrix $P_{S_g,S} = \mathbf{E}_{O_{S_g}} P[S \mid O_{S_g}]$ and an entropy matrix $H_{S_g,S} = \mathbf{E}_{O_{S_g}} -\log_2 P[S \mid O_{S_g}]$. Then, we define the average probability of the correct key as:

$$P[S_g \mid O_{S_g}] = \mathbf{E}_{S_g} P_{S_g,S_g} \quad (3)$$

And the conditional entropy:

$$H[S_g \mid O_{S_g}] = \mathbf{E}_{S_g} H_{S_g,S_g} \quad (4)$$

We note that this definition is equivalent to Shannon conditional entropy (footnote 2). We simply used the previous notation because it is convenient to compute the probability (or entropy) matrices. For example, it allows to detect a good leakage function, i.e. a leakage function such that $\max_S H_{S_g,S} = H_{S_g,S_g}$. In the following, the leakages will be quantified as conditional entropy reductions that correspond to the mutual information $I[S_g; O_{S_g}] = H[S_g] - H[S_g \mid O_{S_g}]$.

It is important to observe that the average success rate fundamentally describes an adversary. In general, it has to be computed for different number of queries in order to evaluate how many observations are required to perform a successful attack. By contrast, the information theoretic measurement says nothing about the actual security of an implementation but characterizes the leakage function, independently of the number of queries.

3 Investigation of Single Leakages

In this section, we analyze a situation where an adversary is provided with the observation of one single Hamming weight leakage. First, we evaluate single block implementations.
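Then, we discuss multiple block implementations and key guesses. Finally, we evaluate the effect of noise addition in this context.

Footnote 2. Since:

$$\begin{aligned}
H[S_g \mid O] &= \mathbf{E}_{O}\, H[S_g \mid O] \\
&= -\sum_{O} P[O] \sum_{S_g} P[S_g \mid O] \cdot \log_2 (P[S_g \mid O]) \\
&= -\sum_{O} P[O] \sum_{S_g} \frac{P[O \mid S_g] \cdot P[S_g]}{P[O]} \cdot \log_2 (P[S_g \mid O]) \\
&= -\sum_{O} \sum_{S_g} P[O \mid S_g] \cdot P[S_g] \cdot \log_2 (P[S_g \mid O]) \\
&= -\sum_{S_g} \sum_{O} P[O \mid S_g] \cdot P[S_g] \cdot \log_2 (P[S_g \mid O]) \\
&= -\sum_{S_g} P[S_g] \sum_{O} P[O \mid S_g] \cdot \log_2 (P[S_g \mid O]) \\
&= \mathbf{E}_{S_g} H_{S_g,S_g}
\end{aligned}$$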

3.1 Single Block Implementations

Let us assume the following situation: we have an $n$-bit secret key $S_g$ and an adversary is provided with the leakage corresponding to a computation $Y = f(S_g, P) = S(P \oplus S_g)$. That is, it obtains an observation $O_{S_g} = W_H(Y)$ and we assume a single block implementation as the one in the left part of Figure 2. Therefore, the adversary can potentially observe the $n+1$ Hamming weights of $Y$. Since the Hamming weights of a random value are distributed as binomials, one can easily evaluate the average success rate of the adversary as:

$$S_R = \mathbf{E}_{S_g} \mathbf{E}_{O_{S_g}} I_{S_g,S_g} = \sum_{h=0}^{n} \frac{\binom{n}{h}}{2^n} \cdot \frac{1}{\binom{n}{h}} = \frac{n+1}{2^n} \quad (5)$$

This equation means that on average, obtaining the Hamming weight of a secret $n$-bit value increases the success rate of a key-recovery adversary from $\frac{1}{2^n}$ to $\frac{n+1}{2^n}$. Similar evaluations will be performed for the conditional entropy in Section 3.3.

3.2 Multiple Blocks and Key Guesses

Let us now assume a situation similar to the previous one, but the adversary tries to target a multiple block implementation. Therefore, it is provided with the Hamming weight of an $n$-bit secret value of which it can only guess $b$ bits, typically corresponding to one block of the implementation. Such a key guess situation can be analyzed by considering the un-exploited bits as a source of algorithmic noise approximated with a Gaussian distribution. This will be done in the next section. The quality of this estimation will then be demonstrated in Section 5, by relaxing the Gaussian estimation.

3.3 Noise Addition

Noise is a central issue in side-channel attacks and more generally in any signal processing application. In our specific context, various types of noise are usually considered, including physical noise (i.e. produced by the environment), measurement noise (i.e. caused by the sampling process and tools), model matching noise (i.e. meaning that the leakage function used to attack does possibly not perfectly fit to real observations) or algorithmic noise (i.e. produced by the untargeted values in an implementation).
All these disturbances similarly affect the efficiency of a side-channel attack and their consequence is that the information delivered by a single leakage point is reduced. For this reason, a usually accepted method to evaluate the effect of noise is to assume that there is an additive effect between all the noise sources and their overall effect can be quantified by a Gaussian distribution. We note that this assumption may not be perfectly verified in practice and that better noise models may allow to improve the efficiency of side-channel attacks. However, this assumption is reasonable in a number of contexts and particularly convenient for a first investigation.

In our experiments, we will consequently assume that the leakage function is affected by some Gaussian noise such that the physical observations are represented by a variable: $O_{S_g} = W_H(Y) + N(0, \sigma^2)$. It is then possible to estimate the average success rate of the adversary and the conditional entropy as follows:

$$S_R = \mathbf{E}_{S_g} \mathbf{E}_{O_{S_g}} I_{S_g,S_g} = \sum_{h=0}^{n} \frac{\binom{n}{h}}{2^n} \int_{-\infty}^{+\infty} P[O_{S_g} \mid h] \cdot I_{S_g,S_g} \, do, \quad (6)$$

$$H[S_g \mid O_{S_g}] = \mathbf{E}_{S_g} H_{S_g,S_g} = -\sum_{h=0}^{n} \frac{\binom{n}{h}}{2^n} \int_{-\infty}^{+\infty} P[O_{S_g} \mid h] \cdot \log_2 (P[S_g \mid O_{S_g}]) \, do, \quad (7)$$

where $P[O_{S_g} = o \mid W_H(Y) = h] = \frac{1}{\sigma\sqrt{2\pi}} \exp\left(-\frac{(o-h)^2}{2\sigma^2}\right)$ and the a posteriori probability $P[S_g \mid O_{S_g}]$ can be computed thanks to Bayes's formula: $P[S_g \mid O_{S_g}] = \frac{P[O_{S_g} \mid S_g] \cdot P[S_g]}{P[O_{S_g}]}$, with $P[O_{S_g}] = \sum_{S} P[O_{S_g} \mid S] \cdot P[S]$.

As an illustration, the average success rate and the mutual information are represented in Figure 3 for an 8-bit value, in function of the observation signal-to-noise ratio (SNR $= \log(\varepsilon^2/\sigma^2)$, where $\varepsilon$ and $\sigma$ respectively denote the standard deviation of the signal and the noise emanated from the implementation).

[Fig. 3. Average success rate and mutual information in function of the SNR. Axes: average success rate and mutual information [bit], each against SNR $= \log(\varepsilon^2/\sigma^2)$.]

Note that the average success rate starts at 9/256, i.e. the noise-free value computed with Equation (5) and tends to 1/256 which basically means that very little information can be retrieved from the leakage. The figure also shows the correlation between the information available and the resulting success rate.

4 Investigation of Multiple Leakages

In the previous section, we analyzed a situation in which an adversary performs one single query to a leaking implementation and evaluated the resulting average success rate and mutual information. However, looking at Figure 3, it is clear that such a context involves limited success rates, even in case of high SNRs. As

a matter of fact, actual adversaries would not only perform one single query to the target device but multiple ones, in order to increase their success rates. This section consequently studies the problem of multiple leakages. For this purpose, let us consider the following situation: we have an $n$-bit secret key $S_g$ and an adversary is provided with the leakages corresponding to two computations $Y_1 = f(S_g, P_1)$ and $Y_2 = f(S_g, P_2)$. That is, it obtains $W_H(Y_1)$ and $W_H(Y_2)$ and we would like to evaluate the average predictability of $S_g$. The consequence of such an experiment (illustrated in Figure 4) is that the key will be contained in the intersection of two sets of candidates obtained by inverting the 2-input functions $Y_1 = f(S_g, P_1)$ and $Y_2 = f(S_g, P_2)$. The aim of our analysis is therefore to determine how the keys within this intersection are distributed. Importantly, and contrary to the single query context, this analysis requires to characterize the cryptographic functions used in the target implementation, since they will determine how the intersection between the sets of candidates behaves. Therefore, we will consider two possible models for these functions.

[Fig. 4. Multiple point leakages]

4.1 Assuming Random S-Boxes

A first (approximated) solution is to consider the functions $f^{-1}(P_i, Y_i)$ to behave randomly. As a consequence, each observed Hamming weight leakage $h_i = W_H(Y_i)$ will give rise to a uniform list of candidates for the key $S_g$ of size $n_i = \binom{n}{h_i}$, without any particular dependencies between these sets but the key. Let us denote the size of the set containing $S_g$ after the observation of $q$ leakages respectively giving rise to these uniform lists of $n_i$ candidates by a random variable $I_q(n_1, n_2, \ldots, n_q)$. From the probability density function of $I_q$ (given in appendix A), it is straightforward to extend the single leakage analysis of Section 3.1 to multiple leakages. The average success rate can be expressed as:

$$S_R = \sum_{h_1=0}^{n} \sum_{h_2=0}^{n} \cdots \sum_{h_q=0}^{n} \frac{\binom{n}{h_1}}{2^n} \cdot \frac{\binom{n}{h_2}}{2^n} \cdots \frac{\binom{n}{h_q}}{2^n} \cdot \sum_{i} \frac{1}{i} \cdot P[I_q = i] \quad (8)$$
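The random S-box model of Equation (8) can be evaluated numerically by iterating the distribution of $I_q$ described in appendix A. The Python below is an added example, not code from the paper: the function names are hypothetical, and it assumes the hypergeometric form of the recursion in which the correct key belongs to every candidate list.

```python
from math import comb


def intersection_step(dist, n_new, N):
    """Intersect the current candidate set with one more uniform list.

    dist maps the current intersection size i to its probability. The new
    list has n_new candidates drawn uniformly among N keys and always
    contains the correct key, so only the other N - 1 keys are random.
    """
    out = {}
    denom = comb(N - 1, n_new - 1)
    for i, p_i in dist.items():
        for j in range(1, min(i, n_new) + 1):
            # j - 1 wrong keys survive among the i - 1 currently kept ones.
            p = comb(i - 1, j - 1) * comb(N - i, n_new - j) / denom
            if p:
                out[j] = out.get(j, 0.0) + p_i * p
    return out


def intersection_pdf(n, q):
    """Distribution of I_q after q Hamming-weight leakages of an n-bit value."""
    N = 2 ** n
    # A leakage h occurs with probability C(n,h)/2^n and yields C(n,h) candidates.
    lists = [(comb(n, h), comb(n, h) / N) for h in range(n + 1)]
    dist = {}
    for size, weight in lists:
        dist[size] = dist.get(size, 0.0) + weight
    for _ in range(q - 1):
        nxt = {}
        for size, weight in lists:
            for j, p in intersection_step(dist, size, N).items():
                nxt[j] = nxt.get(j, 0.0) + weight * p
        dist = nxt
    return dist


def average_success_rate(n, q):
    """Average of 1/i over the distribution of I_q (hard strategy, one guess)."""
    return sum(p / i for i, p in intersection_pdf(n, q).items())


if __name__ == "__main__":
    for q in range(1, 7):
        print(q, round(average_success_rate(8, q), 4))
```

For a single leakage the result is the value of Equation (5), and each further leakage shrinks the expected candidate set.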

4.2 Using Real Block Cipher Components

In order to validate the previous theoretical predictions of the average success rate, we performed the experiments illustrated in Figure 5. In the first (upper) experiment, we generated a number of plaintexts, observed the outputs of the function $f = S(P_i \oplus S_g)$ through its Hamming weights $W_H(Y_i)$, derived lists of $n_i$ candidates for $Y_i$ corresponding to these Hamming weights and went through the inverted function $f^{-1}(P_i, Y_i)$ to obtain lists of key candidates. In the second (lower) experiment, a similar procedure is applied but the $n_i$ key candidates were selected from random lists (including the correct key). As a matter of fact, the first experiment corresponds to a side-channel attack against a real block cipher (we used the AES Rijndael S-box) while the second experiment emulates the previous random S-box estimation. We generated a large number (namely ) of observations and, for these generated observations, derived the experimental average success rate in the two previous contexts. Additionally, we compared these experiments with the theoretical predictions of the previous section.

[Fig. 5. Multiple leakages experiments: real S-boxes and random S-boxes simulation]

The results of our analysis are pictured in Figure 6, where we can observe that the real S-box gives rise to lower success rates (i.e. to less information) than a random function.

[Fig. 6. Multiple leakages experimental results. Curves: random S-boxes, theoretical predictions, real S-boxes; horizontal axis: number of leakages obtained.]

The reason of this phenomenon is that actual S-boxes

give rise to correlated lists of key candidates and therefore to less independence between consecutive observations, as already suggested in [2, ]. These experiments suggest that even if not perfectly correct, the assumption that block cipher components are reasonably approximated by random functions with respect to side-channel attacks is acceptable. We note that this assumption is better verified for large bit sizes since large S-boxes better approximate the behavior of a random function than small ones.

5 Investigation of Masked Implementations

The previous sections illustrated the evaluation of simple side-channel attacks based on a Hamming weight leakage function thanks to the average success rate and mutual information. However, due to the simplicity of the investigated contexts, these notions appeared to be closely correlated. Therefore it was not clear how one could need both criteria for our evaluation purposes. In this section, we consequently study a more complex case, namely masked implementations and higher-order side-channel attacks. This example is of particular interest since it allows us to emphasize the importance of a combination of security and information theoretic metrics for the physical security evaluation process of an implementation. As a result of our analysis, we provide (non-trivial) observations about the respective effectiveness of masking and algorithmic noise addition that can be easily turned into design criteria for actual countermeasures.

[Fig. 7. 1st order boolean masking]

The masking technique (e.g. [4]) is one of the most popular ways to prevent block cipher implementations from Differential Power Analysis. However, recent results suggested that it is not as secure as initially thought. Originally proposed by Messerges [7], second and higher-order power analysis attacks can be successfully implemented against various kinds of designs and may not require more hypotheses than a standard DPA [9].
In [2], an analysis of higher-order masking schemes is performed with respect to the correlation coefficient. In the following, we intend to extend this analysis to the (more powerful but less flexible) case of a Bayesian adversary, as introduced in []. For the purposes of our analysis, we will use the masked implementation illustrated in Figure 7 in which the plaintext $P$ is initially XORed with a random

mask $R$. We use two S-boxes $S$ and $S'$ such that: $S(P \oplus R \oplus S_g) = S(P \oplus S_g) \oplus Q$, with $Q = S'(P \oplus R \oplus S_g, R)$. According to the notations introduced in [], it is particularly convenient to introduce the secret state of the implementation as $\Sigma_g = S(P \oplus S_g)$ and assume an adversary that obtains (possibly noisy) observations: $O_{\Sigma_g} = W_H[\Sigma_g \oplus Q] + W_H[Q] + N(0, \sigma^2)$. Similarly to a first-order side-channel attack, the objective of an adversary is then to determine the secret state $\Sigma_g$ (it directly yields the secret key $S_g$). Because of the masking, $\Sigma_g$ is not directly observable through side-channel measurements but its associated PDFs do, since these PDFs only depend on the Hamming weight of the secret state $W_H(\Sigma_g)$. As an illustration, we provide the different discrete PDFs (over the random mask values) for a 4-bit masked design in Figure 8, in function of the secret state $\Sigma_g$. We also depict the shapes of the discrete PDFs corresponding to an unmasked secret state affected by four bits of algorithmic noise (i.e. we add 4 random bits to the 4-bit target and the PDF is computed over these random bits). Similar distributions can be obtained for any bit size. In general, knowing the probability distributions of the secret state, the average success rate and conditional entropy can be straightforwardly derived:

[Fig. 8. Exemplary discrete leakage PDFs. Panels: (a) 4-bit masked value, (b) 4-bit value and 4 noisy bits.]

$$S_R = \mathbf{E}_{\Sigma_g} \mathbf{E}_{O_{\Sigma_g}} I_{\Sigma_g,\Sigma_g} = \sum_{h=0}^{n} \frac{\binom{n}{h}}{2^n} \int_{-\infty}^{+\infty} P[O_{\Sigma_g} \mid h] \cdot I_{\Sigma_g,\Sigma_g} \, do, \quad (9)$$

$$H[S_g \mid O_{\Sigma_g}] = \mathbf{E}_{\Sigma_g} H_{\Sigma_g,\Sigma_g} = -\sum_{h=0}^{n} \frac{\binom{n}{h}}{2^n} \int_{-\infty}^{+\infty} P[O_{\Sigma_g} \mid h] \cdot \log_2 (P[\Sigma_g \mid O_{\Sigma_g}]) \, do, \quad (10)$$

where $P[O_{\Sigma_g} = o \mid W_H(\Sigma_g) = h]$ can be computed as in Section 3.3, assuming that the $O_{\Sigma_g}$ are distributed as a mixture of Gaussians. In the following, we illustrate these metrics in different contexts. First, we consider 2nd and 3rd order masking schemes for 8-bit S-boxes.
Then, we consider unmasked implementations where 8 (resp. 16) random bits of algorithmic noise are added to the secret signal $S_g$, corresponding to the 2nd (resp. 3rd) order mask bits.

[Fig. 9. Mutual information of 2nd, 3rd order masking and equivalent algorithmic noise. Panels: (a) 2nd order masking, with curves for an 8-bit value, an 8-bit value and 8 noisy bits, and 8 masked bits and one 8-bit mask; (b) 3rd order masking, with curves for an 8-bit value, an 8-bit value and 16 noisy bits, and 8 masked bits and two 8-bit masks. Axes: mutual information [bit] against SNR $= \log(\varepsilon^2/\sigma^2)$.]

The first (and somewhat surprising) conclusion of our experiments appears in Figure 9. Namely, looking at the mutual information for high SNRs, the use of an n-bit mask is less resistant (i.e. leads to lower leakages) than the addition of n random bits to the implementation. Fortunately, beyond a certain amount of noise the masking appears to be a more efficient protection. The reason of this behavior appears clearly when observing the evolution of the PDFs associated to each secret state in function of the SNR, pictured in Appendix B, Figures 13 and 14. Clearly, the PDFs of the masked implementation are very different with small noise values (e.g. in Figure 13.a, the probability that an observation belongs to both PDFs is very small) but become almost identical when the noise increases, since they are all identically centered (e.g. in Figure 13.b). Conversely, the means of each PDF in the unmasked implementations stay different whatever the noise level (e.g. in Figure 14.b). Therefore the Bayesian classification is easier than in the masked case when noise increases. These observations confirm the usually accepted fact that efficient protections against side-channel attacks require to combine different countermeasures. A practically important consequence of our results is the possibility to derive the exact design criteria (e.g. the required amount of noise) to obtain an efficient masking. It is also interesting to observe that Figure 9 confirms that algorithmic noise is nicely modeled by Gaussians. Indeed, e.g. for the 2nd order case, the mutual information of an 8-bit value with 8 noisy bits for high SNRs exactly corresponds to the one of an unprotected 8-bit value with SNR=.
The second interesting conclusion is that the average success rate after one query (pictured in Figure 10) does not follow an identical trend. Namely, the masked implementations and their equivalent noisy counterparts do not cross over at the same SNR. This situation typically corresponds to the intuitive category of weak implementations in Figure 1. That is, some information is available but the number of queries is too low to turn it into a successful attack. If our information theoretic measurement is meaningful, higher number of queries should therefore confirm the intuition in Figure 9.
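Equations (6), (7), (9) and (10) reduce to one-dimensional integrals over the observation once the secret states are grouped by Hamming weight. The Python below is an added example, not code from the paper: it evaluates the single-query average success rate and mutual information for an unprotected value, a value protected by one n-bit Boolean mask as in Figure 7, and a value with extra algorithmic-noise bits. The function names are hypothetical, and the noise is parametrized directly by its standard deviation σ instead of by the SNR.

```python
from math import comb, exp, log2, pi, sqrt


def unprotected(n):
    """W_H(Sigma): a single noise-free leakage value per Hamming-weight class."""
    return {w: {w: 1.0} for w in range(n + 1)}


def masked(n):
    """W_H(Sigma xor Q) + W_H(Q) over a uniform n-bit mask Q.

    Each set bit of Sigma contributes exactly 1 and each clear bit 0 or 2,
    so the leakage is w + 2*Binomial(n - w, 1/2), with mean n for every w.
    """
    return {w: {w + 2 * k: comb(n - w, k) / 2 ** (n - w) for k in range(n - w + 1)}
            for w in range(n + 1)}


def algorithmic_noise(n, extra):
    """W_H(Sigma) + W_H(R) for `extra` uniform untargeted bits R."""
    return {w: {w + k: comb(extra, k) / 2 ** extra for k in range(extra + 1)}
            for w in range(n + 1)}


def evaluate(n, pmfs, sigma, steps_per_sigma=25):
    """Return (average success rate, mutual information in bits) for one query.

    pmfs[w] is the discrete noise-free leakage distribution of any secret
    state of Hamming weight w; Gaussian noise N(0, sigma^2) is added on top.
    """
    prior = {w: comb(n, w) / 2 ** n for w in pmfs}   # P[W_H(Sigma) = w]
    values = [v for pmf in pmfs.values() for v in pmf]
    lo, hi = min(values) - 8 * sigma, max(values) + 8 * sigma
    do = sigma / steps_per_sigma
    norm = 1.0 / (sigma * sqrt(2 * pi))
    envelope = cond_entropy = 0.0
    for step in range(int((hi - lo) / do)):          # midpoint rule over o
        o = lo + (step + 0.5) * do
        dens = {w: norm * sum(p * exp(-(o - v) ** 2 / (2 * sigma ** 2))
                              for v, p in pmf.items())
                for w, pmf in pmfs.items()}
        p_o = sum(prior[w] * d for w, d in dens.items())
        # The Bayesian adversary guesses one state in the most likely class.
        envelope += max(dens.values()) * do
        for w, d in dens.items():
            if d > 0.0 and p_o > 0.0:
                # log2 P[Sigma | o] with a uniform prior 2^-n on the states.
                log_post = log2(d) - n - log2(p_o)
                cond_entropy -= prior[w] * d * log_post * do
    return envelope / 2 ** n, n - cond_entropy


if __name__ == "__main__":
    for sigma in (0.1, 0.5, 1.0, 2.0, 4.0):
        mi_masked = evaluate(4, masked(4), sigma)[1]
        mi_noisy = evaluate(4, algorithmic_noise(4, 4), sigma)[1]
        print(f"sigma={sigma}: masked={mi_masked:.4f} noisy={mi_noisy:.4f}")
```

On the 4-bit design of Figure 8, the masked leakage carries more mutual information than four random bits when σ is small, and the ordering reverses as σ grows.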

[Fig. 10. Avg. success rate of 2nd, 3rd order masking and equivalent algorithmic noise. Panels: (a) 2nd order masking, with curves for an 8-bit value, an 8-bit value and 8 noisy bits, and 8 masked bits and one 8-bit mask; (b) 3rd order masking, with curves for an 8-bit value, an 8-bit value and 16 noisy bits, and 8 masked bits and two 8-bit masks. Horizontal axis: SNR $= \log(\varepsilon^2/\sigma^2)$.]

Success rates with higher number of queries for a 3rd order masking scheme (and noisy equivalent) were simulated in Figures 11, 12. In Figure 11, a very high SNR=2 is considered. As a consequence, we observe that the masks bring much less protection than their equivalent in random bits, although the initial value (for one single query) suggests the opposite. Figure 12 performs similar experiments for two SNRs that are just next to the crossing point. It illustrates the same intuition that the efficiency of the key recovery when increasing the number of queries is actually dependent on the information content in the observations. Importantly, these experiments illustrate a typical context where the combination of security and information theoretic metrics is meaningful. While the average success rate is the only possible metric for the comparison of different side-channel attacks (since it could be evaluated for different statistical tools), the information theoretic metric allows to infer the behavior of an attack when increasing the number of queries. As an illustration, the correlation-based analysis performed in [2] only relates to one particular (sub-optimal) statistical tool and was not able to lead to the observations illustrated in Figure

[Fig. 11. Avg. success rate of an 8-bit 3rd order masking scheme with noisy counterpart. Panels: (a) Comparison, (b) Zoom. Curves: 8 masked bits and two 8-bit masks, 8-bit value and 16 noisy bits; horizontal axis: number of leakages obtained.]

[Fig. 12. Avg. success rate of an 8-bit 3rd order masking scheme with noisy counterpart. Panels: (a) SNR=, (b) SNR=. Curves: 8 masked bits and two 8-bit masks, 8-bit value and 16 noisy bits; horizontal axis: number of leakages obtained.]

6 Concluding Remarks

This paper discusses the relevance of a recently introduced theoretical framework for the analysis of cryptographic implementations against side-channel attacks. By the investigation of a number of implementation contexts, we illustrate the interest of a combination of security and information theoretic metrics for the evaluation, comparison and understanding of side-channel attacks. Specifically, in a well defined adversarial context and strategy, the average success rate would allow the comparison of different usually considered side-channel attacks (e.g. DPA, correlation analysis, template attacks). By contrast, independently of the statistical tools used by the adversary, an information theoretic metric provides theoretical insights about the behavior and effects of a particular leakage function that can possibly be turned into practical design criteria.

References

1. S. Chari, J.R. Rao, P. Rohatgi, Template Attacks, CHES 22, LNCS, vol. 965, pp.
2. E. Brier, C. Clavier, F. Olivier, Correlation Power Analysis with a Leakage Model, CHES 24, LNCS, vol. 356, pp.
3. J.-S. Coron, P. Kocher, D. Naccache, Statistics and Secret Leakage, Financial Crypto 2, LNCS, vol. 972, pp.
4. L. Goubin, J. Patarin, DES and Differential Power Analysis, CHES 999, LNCS, vol. 77, pp.
5. P. Kocher, J. Jaffe, B. Jun, Differential Power Analysis, CRYPTO 999, LNCS, vol. 666, pp.
6. S. Mangard, Hardware Countermeasures against DPA - a Statistical Analysis of their Effectiveness, CT-RSA 24, LNCS, vol. 2964, pp.
7. T.S. Messerges, Using Second-Order Power Analysis to Attack DPA Resistant Software, CHES 2, LNCS, vol. 2523, pp.
8. S. Micali, L. Reyzin, Physically Observable Cryptography (extended abstract), TCC 24, LNCS, vol. 295, pp.

9. E. Oswald, S. Mangard, C. Herbst, S. Tillich, Practical Second-Order DPA Attacks for Masked Smart Card Implementations of Block Ciphers, CT-RSA 26, LNCS, vol. 386, pp.
10. E. Peeters, F.-X. Standaert, N. Donckers, J.-J. Quisquater, Improved Higher-Order Side-Channel Attacks with FPGA Experiments, CHES 25, LNCS, vol. 3659, pp.
11. E. Prouff, DPA Attacks and S-Boxes, FSE 25, LNCS, vol. 3557, pp.
12. K. Schramm, C. Paar, Higher Order Masking of the AES, CT-RSA 26, LNCS, vol. 386,
13. W. Schindler, K. Lemke, C. Paar, A Stochastic Model for Differential Side-Channel Cryptanalysis, CHES 25, LNCS, vol. 3659, pp.
14. F.-X. Standaert, T.G. Malkin, M. Yung, A Formal Practice-Oriented Model For The Analysis of Side-Channel Attacks, Cryptology ePrint Archive, Report 26/39, 26,

A Probability Density Function of the Variable $I_q$

We take an iterative approach and first consider the intersection after two leakages. Assuming that the leakages respectively give rise to uniform lists of $n_1$ and $n_2$ candidates and that the key space has size $N = 2^n$, it yields

$$P[I_2 = i \mid n_1, n_2] = \frac{\binom{n_1-1}{i-1} \cdot \binom{N-n_1}{n_2-i}}{\binom{N-1}{n_2-1}},$$

where the binomials are taken among sets of $N-1$ possible elements since there is one fixed key that is not chosen uniformly. Then, assuming the knowledge of the distribution of $I_q(n_1, n_2, \ldots, n_q)$ and an additional leakage that gives rise to a uniform list of $n_{new}$ candidates, we can derive the distribution of $I_{q+1}$ as follows:

$$P[I_{q+1} = j \mid I_q, n_{new}] = \sum_{i} P[I_{q+1} = j \mid I_q = i, n_{new}] \cdot P[I_q = i],$$

with:

$$P[I_{q+1} = j \mid I_q = i, n_{new}] = \frac{\binom{i-1}{j-1} \cdot \binom{N-i}{n_{new}-j}}{\binom{N-1}{n_{new}-1}}.$$

B Additional Figures

[Fig. 13. Leakages PDFs in function of the noise: masked implementation. Panels: (a) SNR=, (b) SNR= 6. Curves labelled by $W_H(\Sigma)$; axes: $P[O \mid \Sigma]$ against observation $O$.]

[Fig. 14. Leakages PDFs in function of the noise: unmasked implementation. Panels: (a) SNR=, (b) SNR= 6. Curves labelled by $W_H(\Sigma)$; axes: $P[O \mid \Sigma]$ against observation $O$.]


More information

Statistical Evaluation of WATFLOOD

Statistical Evaluation of WATFLOOD tatstcal Evaluaton of WATFLD By: Angela MacLean, Dept. of Cvl & Envronmental Engneerng, Unversty of Waterloo, n. ctober, 005 The statstcs program assocated wth WATFLD uses spl.csv fle that s produced wth

More information

Lecture 17 : Stochastic Processes II

Lecture 17 : Stochastic Processes II : Stochastc Processes II 1 Contnuous-tme stochastc process So far we have studed dscrete-tme stochastc processes. We studed the concept of Makov chans and martngales, tme seres analyss, and regresson analyss

More information