A fair evaluation framework for comparing side-channel distinguishers

Whitnall, Carolyn; Oswald, Elisabeth

doi:10.1007/s13389-011-0011-1

Cited by 46 publications

(49 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Unfortunately, this dependence on prior knowledge has been under-appreciated because of the apparent success of`arbitrary' work-arounds such as the practice of partitioning intermediate variables according to their 7 least signicant bits (sometimes called the 7LSB model). However, it is shown in [34] that this strategy is far from universally-applicable and only works to the extent that the seemingly indierent partition captures something meaningful about the leakage after all. For example, noise on top of a typical CMOS Hamming weight consumption distorts the trace measurements towards the 7LSB model suciently for MIA to succeed, but this is not the case in general (i.e in arbitrary leakage scenarios).…”

Section: Linear Regression (Lr)-based Methodsmentioning

confidence: 99%

See 1 more Smart Citation

The Myth of Generic DPA…and the Magic of Learning

Whitnall

Oswald

Standaert

2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. A generic DPA strategy is one which is able to recover secret information from physically observable device leakage without any a priori knowledge about the device's leakage characteristics. Here we provide much-needed clarication on results emerging from the existing literature, demonstrating precisely that such methods (strictly dened) are inherently restricted to a very limited selection of target functions. Continuing to search related techniques for a`silver bullet' generic attack appears a bootless errand. However, we nd that a minor relaxation of the strict denitionthe incorporation of some minimal non-devicespecic intuitionproduces scope for generic-emulating strategies, able to succeed against a far wider range of targets. We present stepwise regression as an example of such, and demonstrate its eectiveness in a variety of scenarios. We also give some evidence that its practical performance matches that of`best bit' DoM attacks which we take as further indication for the necessity of performing proled attacks in the context of device evaluations.Keywords: side-channel analysis, dierential power analysis

show abstract

Section: Linear Regression (Lr)-based Methodsmentioning

confidence: 99%

“…For the purposes of evaluating the theoretic capabilities of generic emulating and related strategies, we will focus on rst-order asymptotic success, as captured by the (ideal) nearest-rival distinguishing margin (see [33,34]):…”

Section: Measuring Dpa Outcomesmentioning

confidence: 99%

The Myth of Generic DPA…and the Magic of Learning

Whitnall

Oswald

Standaert

2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Following the example of [15] we wish to carry out our evaluations as far as possible from a theoretic perspective, computing underlying theoretic quantities from fully-specified leakage distributions so that our evaluations are not contingent on the quality of our chosen estimation procedures. This also removes the element of 'guesswork' which inevitably accompanies attempts to evaluate experimental results, where the true underlying distributions arise from a real device and are therefore unknown.…”

Section: Models For Inputs Vs Models For Intermediate Valuesmentioning

confidence: 99%

“…In an attempt to make unambiguous, like-for-like comparisons, which are not dependent on the estimation procedures used nor on the unknown underlying distributions arising in experimental scenarios, we follow the theoretic approach advocated in [15] in the context of non-profiled DPA. Namely, our analytic approach is (as far as possible) based on computed theoretic outcomes rather than estimated experimental outcomes, which entails focusing on fully-specified hypothetical leakage scenarios.…”

Section: Introductionmentioning

confidence: 99%

Profiling DPA: Efficacy and Efficiency Trade-Offs

Whitnall

Oswald

2013

Cryptographic Hardware and Embedded Systems - CHES 2013

Self Cite

View full text Add to dashboard Cite

Abstract. Linear regression-based methods have been proposed as efficient means of characterising device leakage in the training phases of profiled side-channel attacks. Empirical comparisons between these and the 'classical' approach to template building have confirmed the reduction in profiling complexity to achieve the same attack-phase success, but have focused on a narrow range of leakage scenarios which are especially favourable to simple (i.e. efficiently estimated) model specifications. In this contribution we evaluate-from a theoretic perspective as much as possible-the performance of linear regression-based templating in a variety of realistic leakage scenarios as the complexity of the model specification varies. We are particularly interested in complexity tradeoffs between the number of training samples needed for profiling and the number of attack samples needed for successful DPA: over-simplified models will be cheaper to estimate but DPA using such a degraded model will require more data to recover the key. However, they can still offer substantial improvements over non-profiling strategies relying on the Hamming weight power model, and so represent a meaningful middleground between 'no' prior information and 'full' prior information.

show abstract

“…[8,9,11,12,31]). In order to to compare and classify them, theoretical frameworks have then been introduced [11,22,35,39]. Their main purpose is to identify the attacks similarities and differences, and to exhibit contexts where one is better than another.…”

Section: Introductionmentioning

confidence: 99%

Behind the Scene of Side Channel Attacks

Lomné

Prouff

Roche

2013

Advances in Cryptology - ASIACRYPT 2013

View full text Add to dashboard Cite

Abstract. Since the introduction of side channel attacks in the nineties, a large amount of work has been devoted to their effectiveness and efficiency improvements. On the one side, general results and conclusions are drawn in theoretical frameworks, but the latter ones are often set in a too ideal context to capture the full complexity of an attack performed in real conditions. On the other side, practical improvements are proposed for specific contexts but the big picture is often put aside, which makes them difficult to adapt to different contexts. This paper tries to bridge the gap between both worlds. We specifically investigate which kind of issues is faced by a security evaluator when performing a state of the art attack. This analysis leads us to focus on the very common situation where the exact time of the sensitive processing is drown in a large number of leakage points. In this context we propose new ideas to improve the effectiveness and/or efficiency of the three considered attacks. In the particular case of stochastic attacks, we show that the existing literature, essentially developed under the assumption that the exact sensitive time is known, cannot be directly applied when the latter assumption is relaxed. To deal with this issue, we propose an improvement which makes stochastic attack a real alternative to the classical correlation power analysis. Our study is illustrated by various attack experiments performed on several copies of three micro-controllers with different CMOS technologies (respectively 350, 130 and 90 nanometers).

show abstract

A fair evaluation framework for comparing side-channel distinguishers

Cited by 46 publications

References 33 publications

The Myth of Generic DPA…and the Magic of Learning

The Myth of Generic DPA…and the Magic of Learning

Profiling DPA: Efficacy and Efficiency Trade-Offs

Behind the Scene of Side Channel Attacks

Contact Info

Product

Resources

About