Time-Frequency Analysis for Second-Order Attacks

Abstract: Second-order side-channel attacks are used to break firstorder masking protections. A practical reason which often limits the efficiency of second-order attacks is the temporal localisation of the leaking samples. Several pairs of leakage samples must be combined which means high computational power. For second-order attacks, the computational complexity is quadratic. At CHES '04, Waddle and Wagner introduced attacks with complexity O(n log 2 n) on traces collected from a hardware cryptographic implementation,… Show more

“…A naturally expression (namely the overwriting of a look-up table address by the result) is indeed shown to leak, at first-order (despite the masks that are still there). The efficiency of such an attack is contrasted to second-order attacks [3]. In summary, this paper has shown that a universal verification of the implementation in practice is necessary due diligence, even for provable masking scheme (that are based on hypotheses that must be checked).…”

“…The mask values are chosen in such a way that the leakage caused by the masked variable X ⊕ S 1 depends on X only at degree 4. It is explained in [4] that such security can be reached if the masks are distributed as the 16 codewords of the [8,4,4] linear code, extension with one parity bit of the [7,4,3] Hamming code.…”

“…Belgarric et al prove in [3] that an straightforward second-order correlation attack using the centered product as a combination function [37] needs 300 traces to retrieve the key with probability greater than 80%. Then, the authors assume that the attacker does not know exactly the two leakage points to be combined.…”

“…As related works we should address three recently published articles [3,23,46] which made use of DPA Contest V4 measurements. Although all of these articles provide many useful discussions and analysis tools, none of them exploits the first-order leakage that we present here.…”

Detecting Hidden Leakages

“…A naturally expression (namely the overwriting of a look-up table address by the result) is indeed shown to leak, at first-order (despite the masks that are still there). The efficiency of such an attack is contrasted to second-order attacks [3]. In summary, this paper has shown that a universal verification of the implementation in practice is necessary due diligence, even for provable masking scheme (that are based on hypotheses that must be checked).…”

“…The mask values are chosen in such a way that the leakage caused by the masked variable X ⊕ S 1 depends on X only at degree 4. It is explained in [4] that such security can be reached if the masks are distributed as the 16 codewords of the [8,4,4] linear code, extension with one parity bit of the [7,4,3] Hamming code.…”

“…Belgarric et al prove in [3] that an straightforward second-order correlation attack using the centered product as a combination function [37] needs 300 traces to retrieve the key with probability greater than 80%. Then, the authors assume that the attacker does not know exactly the two leakage points to be combined.…”

“…As related works we should address three recently published articles [3,23,46] which made use of DPA Contest V4 measurements. Although all of these articles provide many useful discussions and analysis tools, none of them exploits the first-order leakage that we present here.…”

Detecting Hidden Leakages

“…Other preprocessing methods can be used before any dimensionality reduction such as reduction filtering using a Fourier or a Hartley transform [3]. However, when the transformation is linear and invertible, the covariance method applies in a strictly equivalent way.…”

Boosting Higher-Order Correlation Attacks by Dimensionality Reduction

Security Evaluation Against Side-Channel Analysis at Compilation Time