A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks

Standaert, François‐Xavier; Malkin, Tal; Yung, Moti

doi:10.1007/978-3-642-01001-9_26

Cited by 673 publications

(595 citation statements)

References 28 publications

Supporting

Mentioning

591

Contrasting

Order By: Relevance

“…for modern smart cards. In this respect, profiled attacks are useful tools, since they can be used to approach their worst-case security level [24]. Such attacks essentially work in two steps: first a leakage model is estimated during a so-called profiling phase, then the leakage model is exploited to extract key-dependent information in an online phase.…”

Section: Introductionmentioning

confidence: 99%

Template Attacks vs. Machine Learning Revisited (and the Curse of Dimensionality in Side-Channel Analysis)

Lerman

Poussier

Bontempi

et al. 2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Template attacks and machine learning are two popular approaches to profiled side-channel analysis. In this paper, we aim to contribute to the understanding of their respective strengths and weaknesses, with a particular focus on their curse of dimensionality. For this purpose, we take advantage of a well-controlled simulated experimental setting in order to put forward two important intuitions. First and from a theoretical point of view, the data complexity of template attacks is not sensitive to the dimension increase in side-channel traces given that their profiling is perfect. Second and from a practical point of view, concrete attacks are always affected by (estimation and assumption) errors during profiling. As these errors increase, machine learning gains interest compared to template attacks, especially when based on random forests.

show abstract

Section: Introductionmentioning

confidence: 99%

Template Attacks vs. Machine Learning Revisited (and the Curse of Dimensionality in Side-Channel Analysis)

Lerman

Poussier

Bontempi

et al. 2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…In the past few years cryptographers have made tremendous progress toward modeling security in the face of such information leakage [22,31], and in constructing leakage-resilient cryptosystems secure even in case such leakage occurs. (There has also been corresponding work on reducing unwanted leakage by, e.g., building tamper-proof hardware; this is not the focus of our work.)…”

Section: Introductionmentioning

confidence: 99%

Signature Schemes with Bounded Leakage Resilience

Katz

Vaikuntanathan²

2009

Advances in Cryptology – ASIACRYPT 2009

174

189

View full text Add to dashboard Cite

A leakage-resilient cryptosystem remains secure even if arbitrary, but bounded, information about the secret key (or possibly other internal state information) is leaked to an adversary. Denote the length of the secret key by n. We show a signature scheme tolerating (optimal) leakage of up to n − n ǫ bits of information about the secret key, and a more efficient one-time signature scheme that tolerates leakage of ( 1 4 − ǫ) · n bits of information about the signer's entire state. The latter construction extends to give a leakage-resilient t-time signature scheme. All these constructions are in the standard model under general assumptions.

show abstract

“…By carefully profiling a probabilistic model for the physical leakages, such attacks offer a direct path towards Bayesian subkey testing procedures. Template attacks are optimal from an information theoretic point of view, which makes them a prime tool for the worst-case security evaluation of leaking devices [35]. However, they also correspond to strong adversarial assumptions that may not be met in practice.…”

Section: Introductionmentioning

confidence: 99%

An Optimal Key Enumeration Algorithm and Its Application to Side-Channel Attacks

Veyrat-Charvillon

Gérard

Renauld

et al. 2013

Lecture Notes in Computer Science

Self Cite

102

View full text Add to dashboard Cite

Abstract. Methods for enumerating cryptographic keys based on partial information obtained on key bytes are important tools in cryptanalysis. This paper discusses two contributions related to the practical application and algorithmic improvement of such tools. On the one hand, we observe that modern computing platforms allow performing very large amounts of cryptanalytic operations, approximately reaching 2 50 to 2 60 block cipher encryptions. As a result, cryptographic key sizes for such ciphers typically range between 80 and 128 bits. By contrast, the evaluation of leaking devices is generally based on distinguishers with very limited computational cost, such as Kocher's Differential Power Analysis. We bridge the gap between these cryptanalytic contexts and show that giving side-channel adversaries some computing power has major consequences for the security of leaking devices. For this purpose, we first propose a Bayesian extension of non-profiled side-channel attacks that allows us to rate key candidates in function of their respective probabilities. Next, we investigate the impact of key enumeration taking advantage of this Bayesian formulation, and quantify the resulting reduction in the data complexity of the attacks. On the other hand, we observe that statistical cryptanalyses usually try to reduce the number and size of lists corresponding to partial information on key bytes, in order to limit the time and memory complexity of the key enumeration. Quite surprisingly, few solutions exist that allow an efficient merging of large lists of subkey candidates. We provide a new deterministic algorithm that significantly reduces the number of keys to test in a divide-and-conquer attack, at the cost of limited (practically tractable) memory requirements. It allows us to optimally enumerate key candidates from any number of (possibly redundant) lists of any size, given that the subkey information is provided as probabilities. As an illustration, we finally exhibit side-channel cryptanalysis experiments where the correct key candidate is ranked up to position 2 32 , in which our algorithm reduces the number of keys to test offline by an average factor 2 5 and a factor larger than 2 10 in the worst observed cases, compared to previous solutions. We also suggest examples of statistical attacks in which the new deterministic algorithm would allow improved results.

show abstract

A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks

Cited by 673 publications

References 28 publications

Template Attacks vs. Machine Learning Revisited (and the Curse of Dimensionality in Side-Channel Analysis)

Template Attacks vs. Machine Learning Revisited (and the Curse of Dimensionality in Side-Channel Analysis)

Signature Schemes with Bounded Leakage Resilience

An Optimal Key Enumeration Algorithm and Its Application to Side-Channel Attacks

Contact Info

Product

Resources

About