Robust and One-Pass Parallel Computation of Correlation-Based Attacks at Arbitrary Order

Abstract

The protection of cryptographic implementations against higher-order attacks has risen to an important topic in the side-channel community after the advent of enhanced measurement equipment that enables the capture of millions of power traces in reasonably short time. However, the preprocessing of multi-million traces for such an attack is still challenging, in particular when in the case of (multivariate) higher-order attacks all traces need to be parsed at least two times. Even worse, partitioning the captured traces into smaller groups to parallelize computations is hardly possible with current techniques.

In this work we introduce procedures that allow iterative computation of correlation in a side-channel analysis attack at any arbitrary order in both univariate and multivariate settings. The advantages of our proposed solutions are manifold: (i) they provide stable results, i.e., by increasing the number of used traces high accuracy of the estimations is still maintained, (ii) each trace needs to be processed only once and at any time the result of the attack can be obtained (without requiring to reparse the whole trace pool when adding more traces), (iii) the computations can be efficiently parallelized, e.g., by splitting the trace pool into smaller subsets and processing each by a single thread on a multi-threading or cloud-computing platform, and (iv) the computations can be run in parallel to the measurement phase. In short, our constructions allow efficiently performing higher-order side-channel analysis attacks (e.g., on hundreds of million traces) which is of crucial importance when practical evaluation of the masking schemes need to be performed.

A Correlation from the Raw Moments

As [3] only includes the formulas for first-order and second-order bivariate CPA, we first transform the bivariate formulas to the univariate second-order case and extend the approach to higher orders. Recall that the correlation for the bivariate second-order attack is computed in [3] as

$$\begin{aligned} \rho = \frac{n\lambda _1 - \lambda _2s_3}{\sqrt{n\lambda _3-{\lambda _2}^2}\sqrt{n s_9-{s_3}^2}}, \end{aligned}$$

(37)

where n denotes the number of traces and \(\lambda _{\{1,2,3\}}\) are derived from the sums \(s_{\{1,\dots ,13\}}\).

For the univariate second-order correlation, some of these sums are equivalent. Therefore, in this special case it is possible to reduce the number of sums required to be computed. For that, we first denote the d-th order sums as

(38)

with \(s_3 = S_1^{(l)}\) and \(s_9 = S_2^{(l)}\). The remaining parameters are then derived as

$$\begin{aligned}&\lambda _1 = S_2^{(t,l)} - 2\frac{S_1^{(t)}S_1^{(t,l)}}{n} + \frac{S_1^{(t)}S_1^{(t)}S_1^{(l)}}{n^2},~~ \lambda _2 = S_2^{(t)} - \frac{S_1^{(t)}S_1^{(t)}}{n},\end{aligned}$$

(39)

$$\begin{aligned}&\lambda _3 = S_4^{(t)} - 4\frac{S_1^{(t)}S_3^{(t)}}{n} + 6\frac{S_1^{(t)}S_1^{(t)}S_2^{(t)}}{n^2} - 3\frac{S_1^{(t)}S_1^{(t)}S_1^{(t)}S_1^{(t)}}{n^3}. \end{aligned}$$

(40)

For the higher-order correlation the basic structure of Eq. (37) stays the same, and only the formulas for \(\lambda _{\{1,2,3\}}\) change. We provided all necessary formulas in the following subsections.

1.1 A.1 Third Order

$$\begin{aligned} \lambda _1 =&S_3^{(t,l)} - 3\frac{S_1^{(t)}S_2^{(t,l)}}{n} + 3\frac{\left( S_1^{(t)}\right) ^2S_1^{(t,l)}}{n^2} - \frac{\left( S_1^{(t)}\right) ^3S_1^{(l)}}{n^3},\end{aligned}$$

(41)

$$\begin{aligned} \lambda _2 =&S_3^{(t)} - 3\frac{S_1^{(t)}S_2^{(t)}}{n} + 2\frac{\left( S_1^{(t)}\right) ^3}{n^2},\end{aligned}$$

(42)

$$\begin{aligned} \lambda _3 =&S_6^{(t)} - 6\frac{S_1^{(t)}S_5^{(t)}}{n} + 15\frac{\left( S_1^{(t)}\right) ^2S_4^{(t)}}{n^2} - 20\frac{\left( S_1^{(t)}\right) ^3S_3^{(t)}}{n^3}\nonumber \\&+\, 15\frac{\left( S_1^{(t)}\right) ^4S_2^{(t)}}{n^4} - 5\frac{\left( S_1^{(t)}\right) ^6}{n^5} \end{aligned}$$

(43)

1.2 A.2 Fourth Order

$$\begin{aligned} \lambda _1 =&S_4^{(t,l)} - 4\frac{S_1^{(t)}S_3^{(t,l)}}{n} + 6\frac{\left( S_1^{(t)}\right) ^2S_2^{(t,l)}}{n^2} - 4\frac{\left( S_1^{(t)}\right) ^3S_1^{(t,l)}}{n^3} + \frac{\left( S_1^{(t)}\right) ^4S_1^{(l)}}{n^4},\end{aligned}$$

(44)

$$\begin{aligned} \lambda _2 =&S_4^{(t)} - 4\frac{S_1^{(t)}S_3^{(t)}}{n} + 6\frac{\left( S_1^{(t)}\right) ^2S_2^{(t)}}{n^2} - 3\frac{\left( S_1^{(t)}\right) ^4}{n^3},\end{aligned}$$

(45)

$$\begin{aligned} \lambda _3 =&S_8^{(t)} - 8\frac{S_1^{(t)}S_7^{(t)}}{n} + 28\frac{\left( S_1^{(t)}\right) ^2S_6^{(t)}}{n^2} - 56\frac{\left( S_1^{(t)}\right) ^3S_5^{(t)}}{n^3}\nonumber \\&+\, 70\frac{\left( S_1^{(t)}\right) ^4S_4^{(t)}}{n^4} - 56\frac{\left( S_1^{(t)}\right) ^5S_3^{(t)}}{n^5} + 28\frac{\left( S_1^{(t)}\right) ^6S_2^{(t)}}{n^6} - 7\frac{\left( S_1^{(t)}\right) ^8}{n^7} \end{aligned}$$

(46)

1.3 A.3 Fifth Order

$$\begin{aligned} \lambda _1 =&S_5^{(t,l)} - 5\frac{S_1^{(t)}S_4^{(t,l)}}{n} + 10\frac{\left( S_1^{(t)}\right) ^2S_3^{(t,l)}}{n^2} - 10\frac{\left( S_1^{(t)}\right) ^3S_2^{(t,l)}}{n^3}\nonumber \\&+\, 5\frac{\left( S_1^{(t)}\right) ^4S_1^{(t,l)}}{n^4} - \frac{\left( S_1^{(t)}\right) ^5S_1^{(l)}}{n^5},\end{aligned}$$

(47)

$$\begin{aligned} \lambda _2 =&S_5^{(t)} - 5\frac{S_1^{(t)}S_4^{(t)}}{n} + 10\frac{\left( S_1^{(t)}\right) ^2S_3^{(t)}}{n^2} - 10\frac{\left( S_1^{(t)}\right) ^3S_2^{(t)}}{n^3} + 4\frac{\left( S_1^{(t)}\right) ^5}{n^4},\end{aligned}$$

(48)

$$\begin{aligned} \lambda _3 =&S_{10}^{(t)} - 10\frac{S_1^{(t)}S_9^{(t)}}{n} + 45\frac{\left( S_1^{(t)}\right) ^2S_8^{(t)}}{n^2} - 120\frac{\left( S_1^{(t)}\right) ^3S_7^{(t)}}{n^3} + 210\frac{\left( S_1^{(t)}\right) ^4S_6^{(t)}}{n^4} \nonumber \\&- 252\frac{\left( S_1^{(t)}\right) ^5S_5^{(t)}}{n^5} + 210\frac{\left( S_1^{(t)}\right) ^6S_4^{(t)}}{n^6} -\, 120\frac{\left( S_1^{(t)}\right) ^7S_3^{(t)}}{n^7} + 45\frac{\left( S_1^{(t)}\right) ^8S_2^{(t)}}{n^8} \nonumber \\&-\, 9\frac{\left( S_1^{(t)}\right) ^{10}}{n^9} \end{aligned}$$

(49)