Higher-Order DCA against Standard Side-Channel Countermeasures

Abstract

At CHES 2016, Bos et al. introduced differential computational analysis (DCA) as an attack on white-box software implementations of block ciphers. This attack builds on the same principles as DPA in the classical side-channel context, but uses computational traces consisting of plain values computed by the implementation during execution. It was shown to be able to recover the key of many existing AES white-box implementations.

The DCA adversary is passive, and so does not exploit the full power of the white-box setting, implying that many white-box schemes are insecure even in a weaker setting than the one they were designed for. It is therefore important to develop implementations which are resistant to this attack. We investigate the approach of applying standard side-channel countermeasures such as masking and shuffling. Under some necessary conditions on the underlying randomness generation, we show that these countermeasures provide resistance to standard (first-order) DCA. Furthermore, we introduce higher-order DCA, along with an enhanced multivariate version, and analyze the security of the countermeasures against these attacks. We derive analytic expressions for the complexity of the attacks – backed up through extensive attack experiments – enabling a designer to quantify the security level of a masked and shuffled implementation in the (higher-order) DCA setting.

Appendices

A Success Probability of Higher-Order DCA (Proof of Theorem 1)

Consider a specific value \(w_j\) of the higher-order trace \(\varvec{w}\). Denote by \(\mathcal {A}\) the event that \(w_j\) corresponds to the combination of the correct shares. The probability of \(\mathcal {A}\) occurring, i.e. of choosing the correct d shares out of the t elements of the original computational trace \(\varvec{v}\), is \(p = \left( {\begin{array}{c}t\\ d\end{array}}\right) ^{-1}\).

Fix some plaintext and the corresponding trace. By the law of total probability, the probability that a value \(w_j\) of the d’th order trace is equal to a prediction \(s=\varphi (x,k)\) for some key guess k is

$$\begin{aligned} \Pr (w_j = s) = \Pr (w_j=s | \mathcal {A})\cdot \Pr (\mathcal {A})+ \Pr (w_j=s | \lnot \mathcal {A})\cdot \Pr (\lnot \mathcal {A}). \end{aligned}$$

For a wrong key guess, \(k^\times \ne k^*\), \(\Pr (w_j=s^{\times } | \mathcal {A}) = 0\), while for a right key guess \(\Pr (w_j=s^{*} | \mathcal {A}) = 1\). In both cases, we have \(\Pr (w_j=s | \lnot \mathcal {A}) = 1/|\mathcal {K}|\). In total:

$$\begin{aligned} p^\times&= \Pr (w_j = s^{\times }) = (1-p) / |\mathcal {K}|, \\ p^*&= \Pr (w_j = s^{*}) = p + (1-p) / |\mathcal {K}|. \end{aligned}$$

Thus, for N traces,

$$\begin{aligned} C_{k^\times }(\varvec{v}_{\phi (j)},(x_i)_i) \sim \text {Bin}(N,p^\times ) \end{aligned}$$

for a wrong key guess, and

$$\begin{aligned} C_{k^*}(\varvec{v}_{\phi (j)},(x_i)_i) \sim \text {Bin}(N,p^*) \end{aligned}$$

for a right key guess. Note that \(|\varvec{w}| = \left( {\begin{array}{c}t\\ d\end{array}}\right) \). Let \(X_1,\ldots ,X_{|\varvec{w}|}\) be distributed as \(\text {Bin}(N,p^{\times })\). Then \(\gamma _{k^\times } \sim \max X_i\), and we denote the CDF by \(F^\times _\text {max}(x)\). If the \(X_i\) were independent, we would have

$$\begin{aligned} F^{\times }_\text {max}(x)&= F(x;N,p^\times )^{\left( {\begin{array}{c}t\\ d\end{array}}\right) }. \end{aligned}$$

While the \(X_i\) are pairwise independent, they are not mutually independent. However, we find that in practice, the dependence is so weak that \(\gamma _{k^\times }\) approximately has CDF \(F_{\max }^\times \), even for small values of \(|\varvec{w}|\) and N. We define \(F^{*}_\text {max}(x)\) similarly.

The attack is successful if \(\gamma _{k^*} > \gamma _{k^\times }\) for all \(k^\times \). As there are \(|\mathcal {K}|-1\) wrong keys, and all \(\gamma _{k^\times }\) are independent and identically distributed, we have \(p_\text {succ} = \Pr ( \gamma _{k^*} > \gamma _{k^\times } ) ^ {|\mathcal {K}|-1}\), where

$$\begin{aligned} \Pr ( \gamma _{k^*} > \gamma _{k^\times } ) = \sum _{i=0}^N (F^*_\text {max}(i) - F^*_\text {max}(i-1)) \cdot F^{\times }_\text {max}(i-1). \end{aligned}$$

which concludes the proof.

B Proof of Proposition 1

Proof

By applying the Bayes’ rule, one gets (we skip random variables for the sake of clarity):

$$\begin{aligned} \Pr \big (k \mid (\varvec{v}_i)_i \wedge (x_i)_i \big ) = \frac{\Pr \big ((\varvec{v}_i)_i \mid k \wedge (x_i)_i \big ) \cdot \Pr \big (k \wedge (x_i)_i\big )}{\Pr \big ( (\varvec{v}_i)_i \wedge (x_i)_i\big )} \end{aligned}$$

(3)

By mutual independence of the \(X_i\)’s and K, we have \(\Pr \big (k \wedge (x_i)_i\big ) = \frac{1}{|\mathcal {K}|}\big (\frac{1}{|\mathcal {X}|}\big )^N\) for every \(k \in \mathcal {K}\). Moreover, \(\Pr \big ( (\varvec{v}_i)_i \wedge (x_i)_i\big )\) is constant with respect to k. We hence get

$$\begin{aligned} \Pr \big (k \mid (\varvec{v}_i)_i \wedge (x_i)_i \big ) \propto \Pr \big ((\varvec{v}_i)_i \mid k \wedge (x_i)_i \big ). \end{aligned}$$

(4)

By mutual independence of the \(\varvec{V}_i\)’s and the \(X_i\)’s we further deduce

$$\begin{aligned} \Pr \big ((\varvec{v}_i)_i \mid k \wedge (x_i)_i \big ) = \prod _{i=1}^N \Pr (\varvec{v}_i \mid k \wedge x_i). \end{aligned}$$

(5)

For the sake of simplicity we skip the index i in the following. By the law of total probability, we have

$$\begin{aligned} \Pr (\varvec{v}\mid k \wedge x) \, = \sum _{\phi (j)} \Pr (\mathcal {S}_{\phi (j)}) \cdot \Pr (\varvec{v}\mid k \wedge x \wedge \mathcal {S}_{\phi (j)}), \end{aligned}$$

(6)

where \(\mathcal {S}_{\phi (j)}\) denotes the event that the set \(\phi (j)\) is selected for the sharing of \(\varphi (X,K)\). By definition, we have

$$\begin{aligned} \Pr (\mathcal {S}_{\phi (j)}) = \frac{1}{\left( {\begin{array}{c}t\\ d\end{array}}\right) } \end{aligned}$$

(7)

and

$$\begin{aligned} \Pr (\varvec{v}\mid k \wedge x \wedge \mathcal {S}_{\phi (j)}) = {\left\{ \begin{array}{ll} \big (\frac{1}{|\mathcal {V}|}\big )^{t-1} &{} \text {if} \bigoplus \nolimits _{l\in \phi (j)} v_l = \varphi (x,k) \\ 0 &{} \text {otherwise} \end{array}\right. } \end{aligned}$$

(8)

which finally gives

$$\begin{aligned} \Pr (\varvec{v}\mid k \wedge x) \propto C_k(\varvec{v},x) ~. \end{aligned}$$

(9)

C Probability of the Zero-Counter Event (Proof of Lemma 1)

We first define \(\mathcal {Z}_k\) as the zero-counter event for key k for a single computational trace \(\varvec{V}\). Formally,

The zero-counter event \(\mathcal {Z}_{k}\) occurs if and only if none of the \(q = \left( {\begin{array}{c}t\\ d\end{array}}\right) \) combinations \(\bigoplus _{i\in \phi (j)} V_i\) match the predicted value \(\varphi (X,k)\). As discussed, \(\mathcal {Z}_{k^*}\) never occurs for the correct key guess \(k^*\). For the incorrect key guess \(k^{\times }\), intuitively, the zero-counter probability \(\Pr (\mathcal {Z}_{k^{\times }})\) should quickly become negligible as the number of combinations q grows. While all q combinations are not strictly independent, we can approximate the probability of \(\mathcal {Z}_{k^{\times }}\) by:

$$\begin{aligned} \Pr (\mathcal {Z}_{k^{\times }}) \approx \Big (1 - \frac{1}{|\mathcal {V}|} \Big )^q. \end{aligned}$$

(10)

We verified this approximation by estimating the zero-counter probability over some sampled computation traces. As illustrated it Table 3, the obtained estimations match the approximation pretty well.

Table 3. Approximation and estimation of the zero-counter probability.

Then, by definition, the zero-counter event for N traces is the union

$$\begin{aligned} \mathcal {U}_{k} = \mathcal {Z}_k^{(1)} \vee \mathcal {Z}_k^{(2)} \vee \cdots \vee \mathcal {Z}_k^{(N)}, \end{aligned}$$

where \(\mathcal {Z}_k^{(i)}\) denotes the zero-counter event for k on trace \(\varvec{V}_i\). Taking the negation we obtain \(\lnot \, \mathcal {U}_{k^{\times }} = (\lnot \mathcal {Z}_k^{(1)}) \wedge (\lnot \mathcal {Z}_k^{(2)}) \wedge \cdots \wedge (\lnot \mathcal {Z}_k^{(N)})\), and since the zero events \(\mathcal {Z}_{k^{\times }}^{(i)}\) are mutually independent, we get

$$\begin{aligned} \Pr (\mathcal {U}_{k^{\times }}) = 1 - \prod _{i=1}^N \Pr (\lnot \mathcal {Z}_{k^{\times }}^{(i)}) = 1 - \big (1 - \Pr (\mathcal {Z}_{k^{\times }})\big )^N. \end{aligned}$$

This finishes the proof of Lemma 1.

D Success Probability with No Zero Counters (Proof of Lemma 2)

If the zero counter event does not occur, we can think of each trace \(\varvec{V}_i\) as a random variable uniformly distributed over \(\mathcal {V}^t\). Since the public input \(X_i\) is also random, the counters \(C_{k}(\varvec{V},X)\) follow some probability distribution. In order to prove Lemma 2, we first prove the following result regarding these distributions.

Lemma 3

Let \(k^*\) and \(k^\times \) be a right and wrong key guess. Let \(q=\left( {\begin{array}{c}t\\ d\end{array}}\right) \) and \(\kappa = (q-1)\frac{1}{|\mathcal {V}|}\). Then for a trace of length t and a d’th-order attack,

$$\begin{aligned} C_{k^*}(\varvec{V},X) \sim \mathcal {N}(\kappa +1 , \kappa ) ~~~ \text {and} ~~~ C_{k^\times }(\varvec{V},X) \sim \mathcal {N}(\kappa , \kappa ), \end{aligned}$$

where \(\mathcal {N}(\mu , \sigma ^2 )\) denotes the normal distribution with mean \(\mu \) and variance \(\sigma ^2\).

Proof

Let \(\delta : \mathcal {V}^2 \rightarrow \{0,1\}\) be the function defined as

$$\begin{aligned} \delta (v_1,v_2) = {\left\{ \begin{array}{ll} 1 &{} \text {if }v_1=v_2,\\ 0 &{} \text {otherwise}. \end{array}\right. } \end{aligned}$$

The counter \(C_{k}(\varvec{V},X)\) can be rewritten as a sum \(C_{k}(\varvec{V},X) = \sum _{j=1}^q\) \(\delta (W_j, \varphi (X,k))\), where the variables \((W_j)_j\) are defined as the \(q = \left( {\begin{array}{c}t\\ d\end{array}}\right) \) combinations \(\bigoplus _{i\in \phi (j)} V_i\). We recall that for one index j we have \(W_j = \varphi (X,k^*)\), whereas for the other indices the \(W_j\) are randomly distributed independently of X. The counter expectation then satisfies

$$\begin{aligned} \mathrm {E}\big (C_{k}(\varvec{V},X)\big ) = \sum _{j=1}^q \mathrm {E}\big (\delta (W_j, \varphi (X,k))\big ) = {\left\{ \begin{array}{ll} (q-1) \frac{1}{|\mathcal {V}|} &{}\text {if } k \ne k^*, \\ (q-1) \frac{1}{|\mathcal {V}|} +1 &{}\text {if } k = k^*. \\ \end{array}\right. } \end{aligned}$$

On the other hand, the counter variance can be expressed as:

$$\begin{aligned} \mathrm {Var}\big (C_{k}(\varvec{V},X)\big )&= \sum _{j=1}^q \mathrm {Var}\big (\delta (W_j, \varphi (X,k)) \big ) \\&+ 2 \sum _{1\le j < j' \le q} \mathrm {Cov}\big (\delta (W_j, \varphi (X,k)), \delta (W_{j'}, \varphi (X,k)) \big ). \end{aligned}$$

It can be checked that the covariances will be equal to 0 most of the time. Indeed, the covariances are non-zero only when \(W_j \oplus W_{j'} = \varphi (X,k^*)\), which never happens when d is odd and which happens for few pairs \((j,j')\) when d is even. Therefore these covariance terms will only have a small impact on the overall variance. Moreover, it can be checked that this impact is negative, i.e. it reduces the variance.³ Therefore we will ignore the sum of covariances, which yields a correct result when d is odd and a slight overestimation when d is even. We then have

$$\begin{aligned} \mathrm {Var}\big (\delta (W_j, \varphi (X,k)) \big ) = {\left\{ \begin{array}{ll} \frac{1}{|\mathcal {V}|} \big (1-\frac{1}{|\mathcal {V}|}\big ) &{}\text {if } j \ne j^*, \\ 0 &{}\text {if } j = j^*, \\ \end{array}\right. } \end{aligned}$$

where \(j^*\) denotes the index of the right combination matching \(\varphi (X,k^*)\). Combining the two above equations gives:

$$\begin{aligned} \mathrm {Var}\big (C_{k}(\varvec{V},X)\big ) = (q-1)\frac{1}{|\mathcal {V}|} \Big (1-\frac{1}{|\mathcal {V}|}\Big ) \approx (q-1)\frac{1}{|\mathcal {V}|}. \end{aligned}$$

Since the counter is defined as a sum of somewhat independent random variables, we can soundly approximate its distribution by a Gaussian, and setting \(\kappa = (q-1)\frac{1}{|\mathcal {V}|}\) concludes the proof.    \(\square \)

In the above proof, we use that the \(\delta (W_j, \varphi (X,k))\) are somewhat independent. By somewhat independent we mean that these variables are pairwise independent (for most or all of them, as discussed). Note that variants of the central limit theorem exist that take some form of dependence between the summed variables into account. We have experimentally verified that the Gaussian approximation is sound for various parameters (t, d).

Using Lemma 3, we can now prove Lemma 2. Following Remark 1, we will focus on the log-likelihood, i.e. we consider

$$\begin{aligned} \Pr (\ell _{k^*}> \ell _{k^\times } \mid \lnot \,\mathcal {U}_{k^\times })&= \Pr \big (\log \ell _{k^*} - \log \ell _{k^{\times }} > 0 \mid \lnot \,\mathcal {U}_{k^\times } \big ), \\ \log \ell _{k^*} - \log \ell _{k^{\times }}&= \sum _{i=1}^N \underbrace{\log {C_{k^*}(\varvec{V}_i,X_i)} - \log {C_{k^\times }(\varvec{V}_i,X_i)}}_{Y_i}. \end{aligned}$$

As introduced above, we denote by \(Y_i\) the difference between the log-counters for the trace \(\varvec{V}_i\). Since the \(Y_i\) are mutually independent and identically distributed, the central limit theorem implies that, for N sufficiently large,

$$\begin{aligned} \frac{1}{N} (\log \ell _{k^*} - \log \ell _{k^{\times }}) \sim \mathcal {N}\big (\mu _{Y}, \sigma _Y^2 N^{-1}\big ) ~~~ \text {with}~~ {\left\{ \begin{array}{ll} \mu _Y = \mathrm {E}(Y), \\ \sigma ^2_Y = \mathrm {Var}(Y), \end{array}\right. } \end{aligned}$$

for \(Y = \log {C_{k^*}(\varvec{V},X)} - \log {C_{k^\times }(\varvec{V},X)}\). Thus

$$\begin{aligned} \Pr (\ell _{k^*} > \ell _{k^\times } \mid \lnot \,\mathcal {U}_{k^\times }) = 1 - \varPhi _{\mu _Y, {\sigma ^2_Y}/N}(0) = \frac{1}{2} + \frac{1}{2} \mathrm {erf} \Big ( \frac{\sqrt{N} \,\mu _Y}{\sqrt{2} \, \sigma _Y}\Big ), \end{aligned}$$

(11)

where \(\varPhi _{\mu ,\sigma }\) is the CDF of \(\mathcal {N}(\mu ,\sigma ^2)\). By the heuristic assumption that \(C_{k^*}(\varvec{V},X)\) and \(C_{k^\times }(\varvec{V},X)\) are mutually independent, and using the Taylor expansion of the logarithm at , as well as Lemma 3, we have

$$\begin{aligned} \mu _Y \approx \log (\kappa +1) - \frac{\kappa }{2 (\kappa +1)^2} - \log \kappa + \frac{\kappa }{2 \kappa ^2} \approx \frac{1}{\kappa }, \quad \text {and} \quad \sigma ^2_Y \approx 2 \frac{\kappa }{\kappa ^2} = \frac{2}{\kappa }, \end{aligned}$$

where the approximation of the mean is sound if \(\kappa \) is large enough (e.g. \(\kappa > 10\)). Inserting these approximations into Eq. 11, remembering that \(\kappa = (q-1)\frac{1}{|\mathcal {V}|} \approx \frac{q}{|\mathcal {V}|}\), finishes the proof.