Two Sides of the Same Coin: Counting and Enumerating Keys Post Side-Channel Attacks Revisited

Motivated by the need to assess the concrete security of a device after a side channel attack, there has been a flurry of recent work designing both key rank and key enumeration algorithms. Two main competitors for key ranking can be found in the literature: a convolution based algorithm put forward by Glowacz et al. (FSE 2015), and a path counting based algorithm proposed by Martin et al. (Asiacrypt 2015). Both key ranking algorithms can be extended to key enumeration algorithms (Poussier et al. (CHES 2016) and Martin et al. (Asiacrypt 2015)). The two approaches were proposed independently, and have so far been treated as uniquely different techniques, with different levels of accuracy. However, we show that both approaches (for ranking) are mathematically equivalent for a suitable choice of their respective discretisation parameter. This settles questions about which one returns more accurate rankings. We then turn our attention to their related enumeration algorithms and determine why and how these algorithms differ in their practical performance.

[1]  Andrey Bogdanov,et al.  Fast and Memory-Efficient Key Recovery in Side-Channel Attacks , 2015, SAC.

[2]  Elisabeth Oswald,et al.  Quantum Key Search with Side Channel Advice , 2017, IACR Cryptol. ePrint Arch..

[3]  Elisabeth Oswald,et al.  Multi-target DPA Attacks: Pushing DPA Beyond the Limits of a Desktop Computer , 2014, ASIACRYPT.

[4]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[5]  Elisabeth Oswald,et al.  Counting Keys in Parallel After a Side Channel Attack , 2015, ASIACRYPT.

[6]  Jerry den Hartog,et al.  Improving DPA by Peak Distribution Analysis , 2010, Selected Areas in Cryptography.

[7]  Romain Poussier,et al.  Simpler and More Efficient Rank Estimation for Side-Channel Security Assessment , 2015, FSE.

[8]  Tanja Lange,et al.  Tighter, faster, simpler side-channel security evaluations beyond computing power , 2015, IACR Cryptol. ePrint Arch..

[9]  Stefan Mangard,et al.  One for all - all for one: unifying standard differential power analysis attacks , 2011, IET Inf. Secur..

[10]  François-Xavier Standaert,et al.  An optimal Key Enumeration Algorithm and its Application to Side-Channel Attacks , 2012, IACR Cryptol. ePrint Arch..

[11]  Stefan Mangard,et al.  Power analysis attacks - revealing the secrets of smart cards , 2007 .

[12]  Romain Poussier,et al.  Simple Key Enumeration (and Rank Estimation) Using Histograms: An Integrated Approach , 2016, CHES.

[13]  Benjamin Sach,et al.  How low can you go? Using side-channel data to enhance brute-force key recovery , 2016, IACR Cryptol. ePrint Arch..

[14]  Elisabeth Oswald,et al.  Characterisation and Estimation of the Key Rank Distribution in the Context of Side Channel Evaluations , 2016, IACR Cryptol. ePrint Arch..

[15]  Thomas Eisenbarth,et al.  Bounded, yet Sufficient? How to Determine Whether Limited Side Channel Information Enables Key Recovery , 2014, CARDIS.

[16]  François-Xavier Standaert,et al.  Security Evaluations beyond Computing Power , 2013, EUROCRYPT.

[17]  Stefan Mangard,et al.  One for All - All for One: Unifying Standard DPA Attacks , 2009, IACR Cryptol. ePrint Arch..