Skip to main content
SpringerLink
Log in

Comparing Approaches to Rank Estimation for Side-Channel Security Evaluations

  • Conference paper
  • First Online:
Smart Card Research and Advanced Applications (CARDIS 2015)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9514))

Abstract

Rank estimation is an important tool for side-channel evaluations laboratories. It allows determining the remaining security after an attack has been performed, quantified as the time complexity required to brute force the key given the leakages. Several solutions to rank estimation have been introduced in the recent years. In this paper, we first clarify the connections between these solutions, by organizing them according to their (maximum likelihood or weak maximum likelihood) strategy and whether they take as argument a side-channel distinguishers’ output or some evaluation metrics. This leads us to introduce new combinations of these approaches, and to discuss the use of weak maximum likelihood strategies for suboptimal but highly parallel enumeration. Next, we show that the different approaches to rank estimation can also be implemented with different mixes of very similar tools (e.g. histograms, convolutions, combinations and subsampling). Eventually, we provide various experiments allowing to discuss the pros and cons of these different approaches, hence consolidating the literature on this topic.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Their “Polynomial Rank Outlining” algorithm can be viewed as similar to the FSE 2015 one, by considering the multiplication of two polynomials as the convolution of coefficient vectors, and the coefficient in the polynomials as histogram counts.

  2. 2.

    Quite naturally, metrics such as the subkey success rates also need to be sampled somehow. So the term “metric-based” only refers to the type of inputs provided to the rank estimation algorithms, to be compared with the sampling-based approach where the sampled probabilities output by a side-channel attack are used directly.

  3. 3.

    By contrast, one could typically imagine a scenario where the scores obtained from a CPA lead to a correlation 0.2 for a subkey that is known with high confidence and the same correlation of 0.2 for a subkey that is not know at all – because of different Signal-to-Noise Ratios. In this case, the key enumeration and rank estimation algorithms will not be able to list keys optimally. Quite naturally, it is possible to mitigate such issues by outputing the p-values of the CPA distinguisher, but this requires making additional assumptions on its distribution, and eventually corresponds to a type of profiling which would then allow evaluators to directly estimate probabilities. So in general, we believe it is advisable to directly use probability-based distinguishers for optimal key enumeration and rank estimation algorithms.

  4. 4.

    Together with its analog in [1] which would yield very similar performances.

  5. 5.

    The algorithm by Ye et al. could be used as a sightly more accurate alternative. However, as our proposal, it can only provide a lower bound on the success rate because it is based on a wML approach. We focused on the EUROCRYPT 2015 heuristic because of its simplicity and connections with the other solutions of Table 2.

References

  1. Bernstein, D.J., Lange, T., van Vredendaal, C.: Tighter, faster, simpler side-channel security evaluations beyond computing power. IACR Cryptol. ePrint Arch. 2015, 221 (2015)

    Google Scholar 

  2. Bogdanov, A., Kizhvatov, I., Manzoor, K., Tischhauser, E., Witteman, M.: Fast and memory-efficient key recovery in side-channel attacks. IACR Cryptol. ePrint Arch. 2015, 795 (2015)

    Google Scholar 

  3. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  4. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  5. Duc, A., Faust, S., Standaert, F.-X.: Making masking security proofs concrete. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 401–429. Springer, Heidelberg (2015)

    Google Scholar 

  6. Durvaux, F., Standaert, F.-X., Veyrat-Charvillon, N.: How to certify the leakage of a chip? In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 459–476. Springer, Heidelberg (2014)

    Chapter  Google Scholar 

  7. Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: 49th Annual IEEE Symposium on Foundations of Computer Science, FOCS 25–28, 2008, Philadelphia, PA, USA, pp. 293–302. IEEE Computer Society, October 2008

    Google Scholar 

  8. Glowacz, C., Grosso, V., Poussier, R., Schueth, J., Standaert, F.-X.: Simpler and more efficient rank estimation for side-channel security assessment. IACR Cryptol. ePrint Arch. 2014, 920 (2014)

    Google Scholar 

  9. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)

    Chapter  Google Scholar 

  10. Martin, D.P., O’Connell, J.F., Oswald, E., Stam, M.: How to enumerate your keys accurately and efficiently after a side channel attack. IACR Cryptol. ePrint Arch. 2015, 689 (2015)

    Google Scholar 

  11. Schindler, W., Lemke, K., Paar, C.: A stochastic model for differential side channel cryptanalysis. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 30–46. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  12. Standaert, F.-X., Malkin, T.G., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 443–461. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  13. Veyrat-Charvillon, N., Gérard, B., Renauld, M., Standaert, F.-X.: An Optimal Key Enumeration Algorithm and Its Application to Side-Channel Attacks. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 390–406. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  14. Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Security evaluations beyond computing power. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 126–141. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  15. Ye, X., Eisenbarth, T., Martin, W.: Bounded, yet sufficient? How to determine whether limited side channel information enables key recovery. In: Joye, M., Moradi, A. (eds.) CARDIS 2014. LNCS, vol. 8968, pp. 215–232. Springer, Heidelberg (2015)

    Google Scholar 

Download references

Acknowledgements

F.-X. Standaert is a research associate of the Belgian Fund for Scientific Research (FNRS-F.R.S.). This work has been funded in parts by the European Commission through the ERC project 280141 (CRASH).

Author information

Authors and Affiliations

  1. ICTEAM/ELEN/Crypto Group, Université catholique de Louvain, Louvain-la-neuve, Belgium

    Romain Poussier, Vincent Grosso & François-Xavier Standaert

Authors
  1. Romain Poussier
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Vincent Grosso
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. François-Xavier Standaert
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Romain Poussier .

Editor information

Editors and Affiliations

  1. Tohoku University, Sendai, Japan

    Naofumi Homma

  2. NXP Semiconductors, Gratkorn, Austria

    Marcel Medwed

A Bound from the Metric-Based Maximum Likelihood

A Bound from the Metric-Based Maximum Likelihood

We start from the observation that if the lists of probabilities obtained for each S-box are independent, \(rank(k_0)=d_0\), \(\dots \), \(rank(k_{N_s'})=d_{N_s'}\) and \(rank(k)=d\), then \(d\ge \prod _i d_i\). When estimating a master key success rate, it implies that:

$$\widehat{SR}[d] \le \sum _{d_i, \prod _i d_i\le d} \varDelta SR_0[d_0]\times \dots \times \varDelta SR_{N_s'}[d_{N_s'}].$$

Algorithm 4 just computes such a sum of products of derivative success rates.

Note that the independence condition for the S-box probabilities in this bound is not the same as the usual independent leakages considered, e.g. in leakage-resilience cryptography [7], which is a purely physical condition. Here, we only need that the adversary considers the subkeys independently.

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Poussier, R., Grosso, V., Standaert, FX. (2016). Comparing Approaches to Rank Estimation for Side-Channel Security Evaluations. In: Homma, N., Medwed, M. (eds) Smart Card Research and Advanced Applications. CARDIS 2015. Lecture Notes in Computer Science(), vol 9514. Springer, Cham. https://doi.org/10.1007/978-3-319-31271-2_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-31271-2_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-31270-5

  • Online ISBN: 978-3-319-31271-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation