ASCA, SASCA and DPA with Enumeration: Which One Beats the Other and When?

We describe three contributions regarding the Soft Analytical Side-Channel Attacks (SASCA) introduced at Asiacrypt 2014. First, we compare them with Algebraic Side-Channel Attacks (ASCA) in a noise-free simulated setting. We observe that SASCA allow more efficient key recoveries than ASCA, even in this context favorable to the latter. Second, we describe the first working experiments of SASCA against an actual AES implementation. In doing so, we analyse their profiling requirements, put forward the significant gains they provide over profiled Differential Power Analysis (DPA) in terms of the number of traces needed for key recovery, and discuss the specificities of such concrete attacks compared to simulated ones. Third, we evaluate the distance between SASCA and DPA enhanced with computational power to perform key enumeration, and show that the gap between the two attacks can be considerably reduced in this case. Our results therefore provide useful feedback for evaluation laboratories. They suggest that in several relevant scenarios (e.g. attacks exploiting many known plaintexts), taking a small margin over the security level indicated by standard DPA with enumeration should be sufficient to prevent more elaborate attacks such as SASCA. By contrast, SASCA may remain the only option in more extreme scenarios (e.g. attacks with unknown plaintexts/ciphertexts, or against leakage-resilient primitives). We conclude by recalling the algorithmic dependency of the latter attacks, and hence that our conclusions are specific to the AES.
