Deriving Optimal Distinguishers from Communication Theory

We find mathematically optimal side-channel distinguishers by looking at the side-channel as a communication channel. Our methodology can be adapted to any given scenario (device, signal-to-noise ratio, noise distribution, leakage model, etc.). When the model is known and the noise is Gaussian, the optimal distinguisher outperforms CPA and covariance. However, we show that CPA is optimal when the model is only known on a proportional scale. For non-Gaussian noise, we obtain different optimal distinguishers, one for each noise distribution. When the model is imperfectly known, we consider the scenario of a weighted sum of the sensitive variable bits where the weights are unknown and drawn from a normal law. In this case, our optimal distinguisher performs better than the classical linear regression analysis.
